ThreatMetrix
Overview
Global digital businesses are prioritizing mobile-first strategies that cater to the needs of a growing, tech savvy consumer base that demands slick, frictionless access to online goods and services. Yet the threat of cybercrime looms large as fraudsters trade stolen identity data to perpetrate global attacks.
ThreatMetrix gives businesses the ability to genuinely recognize good, returning customers by piecing together their digital identity from the complex digital DNA users create as they transact online. High-risk behavior can be pinpointed in real time, whether at new account applications, logins or payments, reducing friction and unnecessary step-ups.
This is underpinned by dynamic shared intelligence which is crowdsourced from over 5,000 global companies, giving individual organizations the exponential strength of an unrivalled network.
However, market-leading intelligence is only useful if it is actionable, which is why ThreatMetrix takes a holistic approach to fraud and authentication management, helping businesses to prioritize a single view of their customers and prevent operational silos. This is facilitated by the analytics, integration and orchestration and case management functions of the Dynamic Decision Platform and Smart Authentication framework, supporting businesses to make the best trust decisions across the entire customer journey.
Countries
International
Attributes (input)
device profile (javascript link)
International Address
Email
International Telephone
Acquired Attributes
Acquired attributes for tmx are environmental variables that are detected when the code runs in the user's browser. Items like IP, device, etc. are sometimes more accurate than what is seen by the web server, and harder to spoof. The AXN detects these attributes and adds them to the endpoint information.
True IP
True IP is different from the server IP because it is the IP detected when the code runs in the user's browser, rather than whatever the user's device chooses to tell the server. This IP is a generalized location (typically ISP) being used by the machine regardless of VPN or Proxy.
True IP Geo Country Code
This is the alpha-2 country code from the True IP detected.
Platform / agent type (will be either browser_computer or browser_mobile)
Platform is the detected type of device that the user is browsing from. This will be more accurate than standard device checks.
Fuzzy device id (also called smart id in some tmx docs)
The ThreatMetrix device ID that relies on the unique fingerprint of the device. Rather than using tokens/cookies to identify a computer “ThreatMetrix SmartID®” takes advantage of the many attributes of a device that ThreatMetrix collects to assign an independent device ID to a particular device. This technique allows ThreatMetrix to identify the device even if the cookies/persistent objects have been deleted, or if a user has invoked “Private Browsing Mode” now available on all web browsers. ThreatMetrix SmartID® also allows ThreatMetrix to re-identify devices even if they have been intentionally altered by a cybercriminal or if they are suppressing cookies or flash.
Fuzzy device id confidence
The probability of this being the same device. This attribute ranges from 0 to 100%.
Digital id
Probabilistic matching approach is used to match each event to a Digital ID. Depending on the entities involved in the event, there could be more than one Digital ID that could be a potential match. The best match is returned using a proprietary matching algorithm.
Digital id confidence
The confidence score returned signifies the level of confidence that the event appears to be matching the behavior from the returned Digital ID. Confidence scores raw values range from 0 to 10000.
A value below 25% (i.e. 2500) should be interpreted as very low confidence.
A value about 70% (7000) generally indicates high confidence.
Personas
Personas are a system of detecting consistent combinations of attributes. For example, a 3-month Name and Address persona would exist when a user had passed in the same name and address combination at least three times over a 3-month period.
Neat persona age
This means that Name, Email, Address, Telephone were seen with this credential at least 3 times over this timeframe.
Values: 0 (not seen), 1 (month), 2 (months), 3 (months)
ExactID IP persona
This means that the exact ID (a very restrictive device id) was seen at this IP at least 3 times over this time frame.
Values: 0 (not seen), 1 (month), 2 (months), 3 (months)
SmartID Browserstring persona
This means that this smartID (flexible device) was seen with this browser and browser hash at least 3 times over this time period.
Values: 0 (not seen), 1 (month), 2 (months), 3 (months)
Assertions
Assertions in tmx are certain conditions that return a pass/fail. A pass means the condition was met, a fail means that TMX detected that the condition was not met. If an attribute required for detection is not configured for a service, the assertion will pass by default.
Assertion | Description |
---|---|
test.apSessionIDNotReplay | Sees if the session ID was used twice. If it was, the assertion fails |
test.nameAgeGTE30d | Checks if an (optionally) passed Name has been registered in threatmetrix for <= 30 days (Not currently in use) |
test.emailAgeGTE30d | Checks if an (optionally) passed Email has been registered in threatmetrix for <= 30 days (Not currently in use) |
test.addressAgeGTE30d | Checks if an (optionally) passed Address has been registered in threatmetrix for <= 30 days (Not currently in use) |
test.telephoneAgeGTE30d | Checks if an (optionally) passed Phone # has been registered in threatmetrix for <= 30 days (Not currently in use) |
test.exactIDAgeGTE7d | ExactID is threatmetrix's device identifier that uses persistent markers to ID the device (cookies, Adobe Flash LSO, HTML5 Persistent markers, and Silverlight cookies). This test checks the tenure of a device by examining its persistent markers. The exhaustive list is proprietary. |
test.smartIDAgeGTE7d | SmartID is ThreatMetrix's device identifier that uses device attributes to ID the device (screen resolution, device name, flash_guid etc). |
test.lte3CredentialsDevice7d | Checks if this Exact ID has logged in > 3 times today |
test.expectedLanguage | Checks if the language set in the browser does not match the language expected for the device's location |
test.credentialLTE500mi1hr | Checks if the device's True IP has exceeded geophysical limitations |
link.addressCountry_TrueGeoCountry | Check the given address against the device's geo location (requires location services) |
link.timeZone_TrueGeo | Checks the time zone of the device against the device's geo location time zone (requires location services) |
test.trueIPLTE500miInputIP | Checks if an (optionally) passed IP is >= 500 miles from the device's IP (Not currently in use) |
blacklist.email | Check if the (optionally) passed Email is blacklisted (list is managed manually) (Not currently in use) |
blacklist.telephone | Check if the (optionally) passed Phone # is blacklisted (list is managed manually) (Not currently in use) |
blacklist.ip | Check if the device's IP is blacklisted (list is managed manually) (Not currently in use) |
blacklist.device | Check if the device's ExactID or SmartID is blacklisted (list is managed manually) |
blacklist.ofacIP | Check if the (optionally) passed IP, DNS IP, Proxy IP or True IP is from a country on the US-government blacklist. List (as of 9/20): Burma/Myanmar (mm), Cuba (cu), Iran (ir), North Korea (kp), Somalia (so), Sudan (sd), South Sudan (ss), Syria (sy), Venezuela (ve), Ukraine/Russia (ua/ru) |
detect.unusualActivity | Checks if the user spends <.2 seconds on the page or if the "system state" (last reboot date) has changed more than 2 times in the last hour. The exhaustive list is proprietary. |
detect.malware | Detects harmful malware by using the following tactics. JavaScript Only ("Man in the Browser Detection"): Honeypot – Passive technology designed to bait malware into attempting web injections; Targeted Malware – Identifies specific markers associated with targeted threats; Storage Monitoring – Looks for malware indicators dropped on the local machine; RAT / Remote Desktop – Monitors for remote access trojans being used on a local machine; Page Fingerprinting – (not enabled by default) Requires you to establish a "fingerprint" of your web page which ThreatMetrix can recalculate during run-time to ensure the fingerprint ThreatMetrix calculates matches the fingerprint you've established. SDK Only: Device Security Health (Android SDK only) – (Requires specific add-on to be enabled in SDK and can take 10-60s to run) The Device Security Health module "TMXDeviceSecurityHealth" provides customers with real-time insight into the overall security health of a mobile device during device profiling. It enables customers to perform an evaluation of either applications currently running in memory while their application is being used, or all applications that are installed on the device. Each application evaluated on the device is compared against a set of signatures in the ThreatMetrix Platform. As an example, rules can be created to detect the presence of applications categorized as malware in real-time, and associate a negative score to these sessions; Mobile Application Integrity (iOS + Android SDK) – (not enabled by default) Requires you to establish a "fingerprint" of the Mobile App which ThreatMetrix runs within. ThreatMetrix can recalculate this fingerprint during run-time to ensure the application has not been modified. Other Checks: Biometrics for Bot Detection – Examines user behavioral activity to identify bots (this is already covered by detect.aggregator); Proxy Piercing – Designed to identify the true IP address of a device hidden behind a proxy (this is already covered by the 4 proxy assertions) |
detect.aggregator | Detects if the device is coming from an aggregator (ex. Mint attempting to log in on a customer's behalf) |
detect.browserAnomaly | Checks if a device's screen resolution has changed > 4 times per day, if the screen color depth is unusually low, if the flash browser language does not match the device's expected language or if cookie copying is suspected |
detect.vpn | Detects if device is using a VPN |
detect.proxyHidden | Detects if the device is using a proxy with "hidden" proxy type. This is the most risky proxy |
detect.proxyAnonymous | Detects if the user is using a proxy with "anonymous" proxy type. An anonymous proxy does not send your real IP address in the HTTP_X_FORWARDED_FOR header, instead it submits the IP address of the proxy or is just blank. The HTTP_VIA header is sent with a transparent proxy, also revealing that you are using a proxy server. |
detect.proxyOpenTransparent | Detects if the user is using a proxy with "open" proxy type. This is the least risky proxy. A transparent proxy sends your real IP address in the HTTP_X_FORWARDED_FOR header, this means a website that does not only determine your REMOTE_ADDR but also check for specific proxy headers will still know your real IP address. |
test.lte3ProxyToday | Detects if the ExactID has changed Proxy > 3 times in 1 day |
link.proxyGeo_TrueGeo | "Detects if this device is connecting through a proxy server that didn’t match the device's geo-location (requires location services)" |
link.proxyOrg_TrueOrg | "Detects if the Proxy information and True ISP information for this source do not match" |
link.proxyISP_TrueISP | "Detects if the device is connecting through a proxy server that doesn’t match the true IP address of the device" |
test.emailAgeGT30d | Checks if an (optionally) passed Email has been registered in threatmetrix for <= 30 days (Not currently in use) |
test.trustedDevice | Checks if a device (phone/laptop/tablet) has been previously trusted for this user. Passing this will dramatically boost a user's score. Trust lasts for 12 months. |
test.trustedDevice28days | Checks if a device (phone/laptop/tablet/computer) has been previously trusted for this user. Passing this will dramatically boost a user's score. Trust lasts for 28 days. |
test.trustedDevice6mon | Checks if a device (phone/laptop/tablet/computer) has been previously trusted for this user. Passing this will dramatically boost a user's score. Trust lasts for 6 months. |
test.gte5Device1d | Checks if a device (phone/laptop/tablet/computer) has been seen >= 5 times in the last 24 hours. |
test.gte5Credential1d | Checks if a credential (username) has been seen >= 5 times in the last 24 hours. |
test.gte5CredentialDevice1d | Checks if a credential (username) has been seen on the same device >= 5 times in the last 24 hours. |
detect.tor | Detects if device is routed from the TOR network |
detect.torNode | Detects if device's IP is a tor exit node |
detect.jailbreak | (SDK only - Android and iOS) Detects if the device has been jailbroken/root kitted |
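
Because an assertion passes by default when the attribute it needs is not configured, a pass is only evidence if the input was actually supplied. The sketch below is an added example, not ThreatMetrix or AXN code: it separates such default passes from verified ones and bands the raw Digital ID confidence score. The result shape, the attribute labels, the "intermediate" band name and the treatment of exactly 7000 as high are assumptions.

```python
# Added example. Dict shapes and attribute labels are constructed, not the real API.
# Assertion -> optional input it depends on (from the table's "(optionally) passed" wording).
REQUIRED_INPUT = {
    "blacklist.email": "email",
    "blacklist.telephone": "telephone",
    "test.emailAgeGTE30d": "email",
    "test.trueIPLTE500miInputIP": "ip",
    "link.addressCountry_TrueGeoCountry": "address",
}

def confidence_band(raw):
    """Band a raw Digital ID confidence score (0 to 10000)."""
    if not 0 <= raw <= 10000:
        raise ValueError(f"raw confidence out of range: {raw}")
    if raw < 2500:
        return "very_low"
    if raw >= 7000:  # assumption: 7000 itself counts as high
        return "high"
    return "intermediate"  # label chosen here; the page names no middle band

def classify_assertions(results, configured_inputs):
    """Separate failures, real passes and passes that only happened by default."""
    out = {"failed": [], "verified": [], "vacuous": []}
    for name, outcome in sorted(results.items()):
        if outcome not in ("pass", "fail"):
            raise ValueError(f"unexpected outcome for {name}: {outcome!r}")
        needed = REQUIRED_INPUT.get(name)
        if outcome == "fail":
            out["failed"].append(name)
        elif needed is not None and needed not in configured_inputs:
            out["vacuous"].append(name)  # default pass: the input was never sent
        else:
            out["verified"].append(name)
    return out

# Constructed sample results, not real service output.
SAMPLE_RESULTS = {
    "test.apSessionIDNotReplay": "pass",
    "blacklist.email": "pass",
    "link.addressCountry_TrueGeoCountry": "pass",
    "detect.vpn": "fail",
}

if __name__ == "__main__":
    print(confidence_band(8200), classify_assertions(SAMPLE_RESULTS, {"email"}))
```

Assertions listed under "vacuous" should not add weight to a trust decision until the corresponding input is configured for the service.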