Release Notes - AXN 6.0
Today, we announce the release of 4 new significant features:
- Environmental Risk - ThreatMetrix enhancements
- Government Issued ID Verification - AuthenticID enhancements
- Desktop to Mobile Service for Gov-ID Image Collection & Verification
- Enhancements to Verify API - OTP, Gov-ID support
Environmental Risk - ThreatMetrix enhancements
A significant improvement is being introduced for ThreatMetrix today. This includes the following:
Acquired Attributes
Acquired attributes for TMX are environmental variables that are detected when the code runs in the user's browser. Items like IP, device, etc. are sometimes more accurate than what is seen by the web server, and harder to spoof. The AXN detects these attributes and adds them to the endpoint information.
True IP
True IP is different from the server IP because it is the IP detected when the code runs in the user's browser, rather than whatever the user's device chooses to tell the server. This should be the true IP actually being used by the machine. It may or may not match the user's given IP.
True IP Geo Country Code
This is the alpha-2 country code from the True IP detected.
Platform / agent type (will be either browser_computer or browser_mobile)
Platform is the detected type of device that the user is browsing from. This will be more accurate than standard device checks.
Fuzzy device id (also called smart id in some tmx docs)
The ThreatMetrix device ID that relies on the unique fingerprint of the device. Rather than using tokens/cookies to identify a computer, “Smart ID” takes advantage of the many attributes of a device that ThreatMetrix collects to assign an independent device ID to a particular device. This technique allows ThreatMetrix to identify the device even if the cookies/persistent objects have been deleted, or if a user has invoked “Private Browsing Mode”, now available on all web browsers. Fuzzy ID also allows ThreatMetrix to re-identify devices even if they have been intentionally altered by a cybercriminal or if they are suppressing cookies or Flash.
Fuzzy device id confidence
The probability of this being the same device. This attribute ranges from 0 to 100%.
Digital id
A probabilistic matching approach is used to match each event to a Digital ID. Depending on the entities involved in the event, there could be more than one Digital ID that could be a potential match. The best match is returned using a proprietary matching algorithm.
Digital id confidence
The confidence score returned signifies the level of confidence that the event matches the behavior of the returned Digital ID. Raw confidence score values range from 0 to 10000.
A value below 25% (i.e. 2500) should be interpreted as very low confidence.
A value about 70% (7000) generally indicates high confidence.
Personas
Personas are a system of detecting consistent combinations of attributes. For example, a 3-month Name and Address persona would exist when a user had passed in the same name and address combination at least three times over a 3 month period.
Neat persona age
This means that Name, Email, Address, Telephone were seen with this credential at least 3 times over this timeframe.
Values: 0 (not seen), 1 (month), 2 (months), 3 (months)
ExactID IP persona
This means that the exact ID (a very restrictive device id) was seen at this IP at least 3 times over this time frame.
Values: 0 (not seen), 1 (month), 2 (months), 3 (months)
SmartID Browserstring persona
This means that this smartID (flexible device) was seen with this browser and browser hash at least 3 times over this time period.
Values: 0 (not seen), 1 (month), 2 (months), 3 (months)
Assertions
Assertions in tmx are certain conditions that return a pass/fail. A pass means the condition was met, a fail means that TMX detected that the condition was not met. If an attribute required for detection is not configured for a service, the assertion will pass by default.
Attribute Age
test.nameAgeGTE30d
This assertion pass means that if there was a name attribute present, it was first seen in the tmx system greater than or equal to 30 days ago.
test.emailAgeGTE30d
This assertion pass means that if there was an email attribute present, it was first seen in the tmx system greater than or equal to 30 days ago.
test.addressAgeGTE30d
This assertion pass means that if there was an address attribute present, it was first seen in the tmx system greater than or equal to 30 days ago.
test.telephoneAgeGTE30d
This assertion pass means that if there was a telephone attribute present, it was first seen in the tmx system greater than or equal to 30 days ago.
test.exactIDAgeGTE7d
This assertion pass means that if there was a detectable exact ID (An ID detected generally by using browser cookies), it was first seen in the tmx system greater than or equal to 7 days ago.
test.smartIDAgeGTE7d
This assertion pass means that if there was a detectable smart ID (An ID derived from a complex set of system variables), it was first seen in the tmx system greater than or equal to 7 days ago.
test.lte3CredentialsDevice7d
This assertion pass means there have been three or fewer user credentials seen for this device in 7 days.
Geographic
test.expectedLanguage
This assertion pass means the language detected as actually running in the browser matched the expected language for this True IP country.
test.credentialLTE500mi1hr
This assertion pass means that in the past hour, this credential has only been seen from regions less than 500 miles apart.
link.addressCountry_TrueGeoCountry
This assertion pass means that if an address was given, it was in the same country as the True IP was detected.
link.timeZone_TrueGeo
This assertion pass means that the timezone the user has configured matches the timezone for their True IP location.
test.trueIPLTE500miInputIP
This assertion pass means that the True IP location is less than or equal to 500mi away from the Input IP given. (Input IP is the IP seen by the server)
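What the two 500-mile assertions above measure, as an added example (not AXN or ThreatMetrix code) that can be run against your own geolocated logs to sanity-check the signal. The great-circle formula, the coordinate inputs and the function names are assumptions; the page does not say how TMX computes distance.

```python
import math
from datetime import datetime, timedelta

EARTH_RADIUS_MI = 3958.8  # mean Earth radius in miles


def miles_between(a, b):
    """Great-circle (haversine) distance between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(h))


def true_ip_lte_500mi_input_ip(true_pos, input_pos, limit_mi=500.0):
    """test.trueIPLTE500miInputIP: pass when the distance is <= the limit."""
    return "pass" if miles_between(true_pos, input_pos) <= limit_mi else "fail"


def credential_lte_500mi_1hr(sightings, now, limit_mi=500.0):
    """test.credentialLTE500mi1hr: pass when every pair of sightings from the
    past hour is strictly less than the limit apart."""
    recent = [pos for ts, pos in sightings
              if timedelta(0) <= now - ts <= timedelta(hours=1)]
    for i, a in enumerate(recent):
        for b in recent[i + 1:]:
            if miles_between(a, b) >= limit_mi:
                return "fail"
    return "pass"


# Constructed sample data: approximate city coordinates and sighting times.
NYC, PHL, LAX = (40.71, -74.01), (39.95, -75.17), (34.05, -118.24)
NOW = datetime(2024, 1, 1, 12, 0)
SIGHTINGS = [
    (NOW - timedelta(hours=2), LAX),     # outside the one-hour window
    (NOW - timedelta(minutes=50), NYC),
    (NOW - timedelta(minutes=10), PHL),
]
```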
Blacklist
blacklist.email
This assertion pass means that an email attribute, if provided, is not on the blacklist.
blacklist.telephone
This assertion pass means that a telephone attribute, if provided, is not on the blacklist.
blacklist.ip
This assertion pass means that the ip is not on the blacklist.
blacklist.device
This assertion pass means that a device id, if provided, is not on the blacklist.
blacklist.ofacIP
This assertion pass means that the IP detected does not come from an OFAC country.
Network
detect.malware
This assertion pass means that the TMX algorithms that try to detect hidden malware on the user's machine did not detect any.
detect.aggregator
This assertion pass means that the page visit did not come from an aggregator.
detect.tor
This assertion pass means that the session detected was not suspected of running on the Tor network.
detect.torNode
This assertion pass means that the True IP detected is not a Tor exit node. A Tor exit node may or may not be on the Tor network.
detect.vpn
This assertion pass means that TMX did not detect this to be VPN traffic.
Proxy
detect.proxyHidden
This assertion pass means that TMX did not detect this to be a hidden or suspicious proxy.
detect.proxyAnonymous
An anonymous proxy does not send your real IP address in the HTTP_X_FORWARDED_FOR header; instead, the header carries the IP address of the proxy or is left blank.
The HTTP_VIA header is sent with a transparent proxy, also revealing that you are using a proxy server.
detect.proxyOpenTransparent
A transparent proxy sends your real IP address in the HTTP_X_FORWARDED_FOR header. This means a website that not only reads your REMOTE_ADDR but also checks for specific proxy headers will still know your real IP address.
test.lte3ProxyToday
This assertion pass means that if multiple proxies were seen, it was still less than or equal to 3 proxies today.
link.proxyGeo_TrueGeo
This assertion pass means that the country of the proxy matched the location of the user's True IP.
link.proxyOrg_TrueOrg
This assertion pass means that the organization of the proxy matched the organization of the user's True IP.
link.proxyISP_TrueISP
This assertion pass means that the ISP of the proxy matched the ISP detected.
Anomalies
detect.browserAnomaly
This assertion pass means that there were no cookie or browser session anomalies detected. Anomalies include things like a screen resolution of 1x1, low screen colors, time on page <150ms, etc.
detect.unusualActivity
This assertion pass means no unusual ThreatMetrix interaction was detected, like duplicate sessions.
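Because an assertion passes by default when its required attribute is not configured, a pass is not always positive evidence. The added example below (not AXN or ThreatMetrix code) separates passes backed by a supplied attribute from default passes and bands the raw Digital ID confidence. The result layout, the "pass"/"fail" strings, treating 7000 as the start of high confidence and the allow/step-up policy are all assumptions.

```python
# Assumed result layout: assertion name -> "pass"/"fail", plus a raw confidence.
# Assertions this page describes as conditional on an optional input attribute.
REQUIRES = {
    "test.nameAgeGTE30d": "name",
    "test.emailAgeGTE30d": "email",
    "test.addressAgeGTE30d": "address",
    "test.telephoneAgeGTE30d": "telephone",
    "link.addressCountry_TrueGeoCountry": "address",
    "blacklist.email": "email",
    "blacklist.telephone": "telephone",
    "blacklist.device": "device",
}

def classify(assertions, supplied):
    """Sort outcomes into failed, evidenced pass, and pass-by-default."""
    out = {"failed": [], "evidenced": [], "default_pass": []}
    for name in sorted(assertions):
        needed = REQUIRES.get(name)
        if assertions[name] != "pass":
            out["failed"].append(name)
        elif needed is not None and needed not in supplied:
            out["default_pass"].append(name)  # passed only because input was absent
        else:
            out["evidenced"].append(name)
    return out

def confidence_band(raw):
    """Map the raw 0-10000 Digital ID confidence onto the bands this page gives."""
    if not 0 <= raw <= 10000:
        raise ValueError(f"confidence out of range: {raw}")
    if raw < 2500:
        return "very_low"
    if raw >= 7000:  # assumption: 7000 is treated as the start of "high"
        return "high"
    return "unclassified"  # the page gives no label for the middle range

def decide(result, supplied):
    """Illustrative policy: allow only on real evidence, otherwise step up."""
    groups = classify(result["assertions"], supplied)
    band = confidence_band(result["digital_id_confidence"])
    if groups["failed"] or not groups["evidenced"] or band != "high":
        return "step_up", groups
    return "allow", groups

# Constructed sample: only an email address was submitted with the event.
SAMPLE = {
    "digital_id_confidence": 7400,
    "assertions": {
        "test.emailAgeGTE30d": "pass", "blacklist.email": "pass",
        "test.telephoneAgeGTE30d": "pass", "blacklist.telephone": "pass",
        "detect.tor": "pass", "detect.vpn": "fail",
    },
}
```

In the constructed sample the two telephone assertions pass only because no telephone number was submitted, so they land in `default_pass` rather than `evidenced`.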
Government Issued ID Verification - AuthenticID enhancements
Significant updates have been made to our government issued ID scanning capabilities for US Driver’s Licenses and International Passports.
AuthenticID – Driver’s License
Verification of front and back of a valid US Driver’s License. Includes a selfie for facial comparison.
Assertions
test.driversLicenseVerified
Pass if the overall verification of the driver’s license was successful. Will return Fail if any significant tests return FAIL below.
test.driversLicenseExpiryDateVerified
Pass if driver’s license is not currently expired. Fail if the driver’s license is expired.
test.selfieCredentialDetectorCheck
Pass if selfie is naturally captured. Fail if there is an indication of a selfie spoof (unnaturally captured selfie, altered in any way.)
test.driversLicenseTinyOcclusionCheck
Pass if no modifications were made to the text on the ID. Fail if small modifications were made to the text, for example DOB or Full Name.
test.driversLicenseFrontColorVerified
Pass if the colors detected on the front of the license match that which is on record for the input state and year.
test.driversLicenseIssueDateVerified
Pass if the issue date is reasonable in comparison with the other dates on the card. Will Fail if it appears the date has been altered.
test.driversLicenseVisualAuthenticityVerified
Pass if the driver’s license appears to be an authentic document without spoofing or alteration. Will fail if alterations are detected.
test.driversLicenseFacialPhotoUsable
Pass if the picture of the face was submitted, passes face detection, and can be compared against the driver’s license image.
test.selfieImageRecieved
Pass if the selfie image was received by the system. Fail if there was an issue getting the image to the system.
test.driversLicenseDigitalReproductionCheck
Pass if the image was not determined to contain a digital reproduction of a driver’s license (manipulated in any way.)
test.driversLicenseFrontScreenPhotoCheck
Pass if image of driver’s license was captured naturally. Fail if transaction is either a digital, reproduced or paper submission. Will also fail if the image is a picture of a screen.
test.selfieNaturalCaptureVerified
Pass if the selfie is naturally captured. Will fail if it is photoshopped, cropped, filtered or doctored in any way.
test.driversLicenseBiographicTamperCheck
Pass if no modifications were made to the photo or the data on the image. Will fail if it appears modifications have been made to the text or the face picture.
test.driversLicenseDOBVerified
Pass if DOB on document is reasonable compared to the other dates on the document. Will Fail if the DOB does not make sense in comparison with the other dates.
test.driversLicenseFrontDPIResolutionVerified
Pass if the input image meets the minimum requirements for “dots per inch”, aka DPI. Fail if the image does not meet minimum quality requirements.
test.driversLicenseBiometricSpliceCheck
Pass if no changes have been made to the person’s image on the ID. Fail if it appears that the image has been swapped out or altered in any way.
test.selfieMinimumSizeCheck
Pass if the images submitted meet the minimum required size for the image.
test.driversLicenseBarcodeVerified
Pass if image of back of license barcode was usable by the OCR engine. Fail if there was an issue with the image.
test.driversLicenseBiometricTamperCheck
Pass if no changes have been made to the person’s image on the ID. Fail if it appears that the image has been swapped out or altered in any way.
test.selfieColorAnalysisVerified
Pass if the color analysis of the document matches that of the country and year on record. Will fail if grayscale, or if the image has been altered.
test.driversLicenseNotExpired
Pass if driver’s license is not currently expired. Fail if the driver’s license is expired.
test.driversLicenseBiographicSpliceCheck
Pass if no changes have been made to the person’s image on the ID. Fail if it appears that the image has been swapped out or altered in any way.
test.driversLicenseBlurOrOcclusionCheck
Pass if no blur or blockage of the image is detected. Will fail if image is overly blurry, or if there are foreign objects in the image (for example, a finger blocking some of the document.)
test.idFacialComparisonVerified
Pass if the face on the driver’s license front image matches the submitted selfie.
test.driversLicenseBackDPIResolutionVerified
Pass if the input image meets the minimum requirements for “dots per inch”, aka DPI. Fail if the image does not meet minimum quality requirements.
test.driversLicenseRearIDRecieved
Pass if an image was submitted for the back of the driver’s license.
test.selfiePhotoIntegrityVerified
Pass if the selfie image has not been altered or adjusted. Fail if there are any issues detected.
link.dOB_driversLicense
Pass if the input DOB (entered by user or federated from the identity provider) matches that which is extracted from the front/barcode of the Driver’s license.
link.fullName_driversLicense
Pass if the input Full Name (entered by user or federated from the identity provider) matches that which is extracted from the front/barcode of the Driver’s license.
AuthenticID – International Passport
Verification of the identification page of an International Passport. Includes a selfie for facial comparison.
Assertions supported:
test.passportVerified
Pass if the overall verification of the passport was successful. Will return Fail if any significant tests return FAIL below.
test.selfieCredentialDetectorCheck
Pass if selfie is naturally captured. Fail if there is an indication of a selfie spoof (unnaturally captured selfie, altered in any way.)
test.selfieMinimumSizeCheck
Pass if the images submitted meet the minimum required size for the image.
test.passportDigitalReproductionCheck
Pass if the image was not determined to contain a digital reproduction of a passport (manipulated in any way.)
test.passportScreenPhotoCheck
Pass if image of passport was captured naturally. Fail if transaction is either a digital, reproduced or paper submission. Will also fail if the image is a picture of a screen.
test.selfieColorAnalysisVerified
Pass if the color analysis of the document matches that of the country and year on record. Will fail if grayscale, or if the image has been altered.
test.passportTinyOcclusionCheck
Pass if no modifications were made to the text on the ID. Fail if small modifications were made to the text, for example DOB or Full Name.
test.passportBiometricSpliceCheck
Pass if no changes have been made to the person’s image on the ID. Fail if it appears that the image has been swapped out or altered in any way.
test.passportFacialPhotoUsable
Pass if the picture of the face was submitted, passes face detection, and can be compared against the passport image.
test.passportBlurOrOcclusionCheck
Pass if no blur or blockage of the image is detected. Will fail if image is overly blurry, or if there are foreign objects in the image (for example, a finger blocking some of the full identification page.)
test.selfieImageRecieved
Pass if the selfie image was received by the system. Fail if there was an issue getting the image to the system.
test.passportFacialComparisonVerified
Pass if the face on the passport’s identification page matches the submitted selfie.
test.selfieNaturalCaptureVerified
Pass if the selfie is naturally captured. Will fail if it is photoshopped, cropped, filtered or doctored in any way.
test.passportDOBVerified
Pass if the DOB could be read and verified on the document.
test.passportColorVerified
Pass if the colors on the passport match the pattern on file for the country and year. Fail if this has been altered or changed (Grayscale, photoshop.)
test.selfiePhotoIntegrityVerified
Pass if the selfie image has not been altered or adjusted. Fail if there are any issues detected.
test.passportDPIResolutionVerified
Pass if the input image meets the minimum requirements for “dots per inch”, aka DPI. Fail if the image does not meet minimum quality requirements.
link.dOB_passport
Pass if the input DOB (entered by user or federated from the identity provider) matches that which is on the identification page of the Passport.
Desktop to Mobile Service for Gov-ID Image Collection & Verification
The Desktop to Mobile flow allows users of the Government Issued ID verification service to provide their end users a simple way to capture high quality pictures of their documents through a hosted, interactive mobile experience.
If enabled, the user is asked to continue verification on their mobile device. At this point, they will be sent a text message, which initiates the government issued ID capture process.
Throughout this experience, the user will be challenged to take the pictures required by the policy, including front & back of driver’s license, identification page of passport, and selfie.
As the users take the images, the DCUI application performs “post-processing” on the images, including:
- Face detection – determines if there is a human face present in the front of driver’s license, passport identification page, and selfie images.
- Orientation check – determines if the images are captured in the correct orientation.
- Blur check – determines if there is blur detected in the images.
Once complete, the images are re-uploaded to the user’s desktop session, where they can complete their verification.
Enhancements to Verify API - OTP, Gov-ID support
New features have been introduced for the Verify API. This helps deliver feature parity between the federated gateway and the Verify API.
Updates:
- Send and verify OTP (one-time PIN) challenges for SMS, Email and Voice
- Initiate Government Issued ID capture & verification using the AXN Desktop to Mobile application (DCUI)
- Directly submit images captured in your own application for verification