ThreatMetrix

Overview

Global digital businesses are prioritizing mobile-first strategies that cater to a growing, tech-savvy consumer base demanding slick, frictionless access to online goods and services. Yet the threat of cybercrime looms large as fraudsters trade stolen identity data to perpetrate global attacks.

ThreatMetrix gives businesses the ability to genuinely recognize good, returning customers by piecing together their digital identity from the complex digital DNA users create as they transact online. High-risk behavior can be pinpointed in real time, whether at new account applications, logins or payments, reducing friction and unnecessary step-ups.

This is underpinned by dynamic shared intelligence which is crowdsourced from over 5,000 global companies, giving individual organizations the exponential strength of an unrivalled network.

However, market-leading intelligence is only useful if it is actionable, which is why ThreatMetrix takes a holistic approach to fraud and authentication management, helping businesses build a single view of their customers and avoid operational silos. This is facilitated by the analytics, integration, orchestration and case management functions of the Dynamic Decision Platform and the Smart Authentication framework, supporting businesses in making the best trust decisions across the entire customer journey.

Countries

International

Attributes (input)

Device profile (JavaScript link)
International Address
Email
International Telephone

Acquired Attributes

Acquired attributes for tmx are environmental values detected when the tmx code runs in the user's browser. Items like IP and device type are often more accurate than what the web server sees, and harder to spoof. The AXN detects these attributes and adds them to the endpoint information.

True IP

True IP differs from the IP the web server sees: it is the address detected when the tmx code runs in the user's browser, rather than the address of whatever connected to the server (which is the proxy or VPN endpoint when one is in the path). It should be the IP actually in use by the machine, and it may or may not match an IP supplied as input.

True IP Geo Country Code

This is the ISO 3166-1 alpha-2 country code of the detected True IP.

Platform / agent type (will be either browser_computer or browser_mobile)

Platform is the detected type of device that the user is browsing from. This will be more accurate than standard device checks.

Fuzzy device id (also called smart id in some tmx docs)

The ThreatMetrix device ID that relies on the unique fingerprint of the device. Rather than using tokens or cookies to identify a computer, Smart ID takes advantage of the many device attributes ThreatMetrix collects to assign an independent device ID to a particular device. This lets ThreatMetrix identify the device even if cookies and other persistent objects have been deleted, or if the user has invoked the private browsing mode now available in all web browsers. Fuzzy ID also lets ThreatMetrix re-identify devices that a cybercriminal has intentionally altered, or that are suppressing cookies or Flash. Because the match is probabilistic, it is always accompanied by a confidence value (below).

Fuzzy device id confidence

The probability that this is the same device previously assigned this Fuzzy ID. This attribute ranges from 0 to 100%.

Digital id

A probabilistic matching approach is used to match each event to a Digital ID. Depending on the entities involved in the event there may be more than one candidate Digital ID; the best match is returned using a proprietary matching algorithm, so the accompanying confidence score (below) should be checked before the Digital ID is relied on.

Digital id confidence

The confidence score signifies how closely the event matches the behaviour of the returned Digital ID. Raw values range from 0 to 10000 (hundredths of a percent).
A value below 25% (i.e. 2500) should be interpreted as very low confidence.
A value above 70% (7000) generally indicates high confidence.

Personas

Personas are a system of detecting consistent combinations of attributes. For example, a 3-month Name and Address persona would exist when a user had passed in the same name and address combination at least three times over a 3 month period.

Neat persona age

This means that Name, Email, Address and Telephone (NEAT) were seen together with this credential at least 3 times over the reported timeframe.
Values: 0 (not seen), 1, 2 or 3 (number of months)

ExactID IP persona

This means that the ExactID (a very restrictive device ID) was seen at this IP at least 3 times over the reported timeframe.
Values: 0 (not seen), 1, 2 or 3 (number of months)

SmartID Browserstring persona

This means that this SmartID (the flexible device ID) was seen with this browser and browser hash at least 3 times over the reported timeframe.
Values: 0 (not seen), 1, 2 or 3 (number of months)
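The windowed count that the persona definition above describes, as an added example (not tmx's own code): for the incoming event it reports the smallest of the 1-, 2- and 3-month windows in which the same attribute combination was seen at least three times for the credential. Collapsing the three windows to one value, the 30-day month, the attribute normalisation and the sample history are all assumptions of this example.

```python
"""Persona age from an event history (added example, not tmx code)."""
from datetime import datetime, timedelta

MIN_SIGHTINGS = 3            # "at least three times"
WINDOWS_MONTHS = (1, 2, 3)   # the 1/2/3-month windows this page reports
DAYS_PER_MONTH = 30          # assumption: tmx's month boundary is not documented here

NEAT_FIELDS = ("name", "email", "address", "telephone")


def normalize(value):
    """Canonicalise an attribute so trivial spelling differences still match
    (collapsed whitespace, case-folded)."""
    return " ".join(str(value).split()).casefold()


def persona_key(event, fields):
    """The attribute combination that defines this persona."""
    return tuple(normalize(event.get(f, "")) for f in fields)


def persona_age(history, current, fields, now):
    """Smallest window (1, 2 or 3 months) in which `current`'s credential was
    seen with the same combination of `fields` at least MIN_SIGHTINGS times,
    or 0 if there is no such window.  The current event counts as a sighting."""
    key = persona_key(current, fields)
    sightings = [datetime.fromisoformat(current["seen_at"])]
    sightings += [
        datetime.fromisoformat(e["seen_at"])
        for e in history
        if e["credential"] == current["credential"] and persona_key(e, fields) == key
    ]
    for months in WINDOWS_MONTHS:
        cutoff = now - timedelta(days=DAYS_PER_MONTH * months)
        if sum(1 for t in sightings if cutoff <= t <= now) >= MIN_SIGHTINGS:
            return months
    return 0


# Constructed history (not real tmx data), evaluated as of NOW.
NOW = datetime(2023, 12, 1)
_ALICE = {"credential": "alice", "name": "Alice Smith", "email": "alice@example.com",
          "address": "1 Main St, Springfield", "telephone": "+1 555 0100"}
_BOB = {"credential": "bob", "name": "Bob Lee", "email": "bob@example.com",
        "address": "2 Elm St", "telephone": "+1 555 0199"}
SAMPLE_HISTORY = [
    {**_ALICE, "email": "Alice@Example.com", "seen_at": "2023-09-20"},        # case differs only
    {**_ALICE, "address": "1 Main St,  Springfield", "seen_at": "2023-10-25"},  # extra space only
    {**_ALICE, "address": "9 Other Rd", "seen_at": "2023-11-29"},              # a different persona
    {**_BOB, "seen_at": "2023-11-10"},
    {**_BOB, "seen_at": "2023-11-20"},
]
ALICE_NOW = {**_ALICE, "seen_at": "2023-12-01"}   # monthly user: 3-month persona
BOB_NOW = {**_BOB, "seen_at": "2023-12-01"}       # three sightings inside a month: 1-month persona

if __name__ == "__main__":
    print("alice NEAT persona age:", persona_age(SAMPLE_HISTORY, ALICE_NOW, NEAT_FIELDS, NOW))
    print("bob NEAT persona age:", persona_age(SAMPLE_HISTORY, BOB_NOW, NEAT_FIELDS, NOW))
```

Two points worth keeping in mind when consuming the real attribute: matching depends on the inputs being normalised consistently across calls (the example case-folds and collapses whitespace, which is why Alice's three sightings count as one persona), and a value of 1 says nothing about how long the combination has existed, so a freshly fabricated identity submitted three times in a day looks the same as a daily user unless the first-seen age is checked as well.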

Assertions

Assertions in tmx are named conditions that return a pass or a fail. A pass means the condition was met; a fail means tmx detected that it was not. The condition is the one encoded in the assertion name, including its comparison and window (test.emailAgeGTE30d passes when the email's age is greater than or equal to 30 days; test.lte3ProxyToday passes while the proxy has changed at most 3 times today), so a fail is the risk signal, and the descriptions below state what each assertion detects, that is, what makes it fail. Note the default: if an attribute required for an assertion is not configured (not sent) for a service, the assertion passes by default. A pass on an assertion whose input this service never supplied therefore carries no information and must not be counted as evidence of good standing; which inputs are configured has to be tracked on the integration side.
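How an integration can act on these pass/fail results without being misled by the default-pass rule, as an added example (not tmx's own code or response format): assertions whose required input was not sent are set aside as unevaluated rather than read as passes, and the Digital ID confidence thresholds from the section above feed the decision. The response layout, the `REQUIRED_INPUT` map (taken from the "(optionally) passed" wording in the descriptions below), the hard-fail set and the allow/step-up/deny policy are all hypothetical.

```python
"""Evaluating tmx assertion results with the default-pass caveat in mind.

Added example; the response layout and the policy are hypothetical.
"""
from dataclasses import dataclass, field

# Input each assertion depends on, per the descriptions on this page.  tmx
# passes such an assertion by default when the input was not sent, so a pass
# there is not evidence and must be set aside.
REQUIRED_INPUT = {
    "test.nameAgeGTE30d": "name",
    "test.emailAgeGTE30d": "email",
    "test.addressAgeGTE30d": "address",
    "test.telephoneAgeGTE30d": "telephone",
    "test.trueIPLTE500miInputIP": "input_ip",
    "blacklist.email": "email",
    "blacklist.telephone": "telephone",
    "link.addressCountry_TrueGeoCountry": "address",
}

# Illustrative policy: these failures deny outright, everything else steps up.
HARD_FAIL = {"blacklist.device", "blacklist.ip", "blacklist.ofacIP",
             "detect.tor", "detect.malware"}

# Digital ID confidence thresholds from this page (raw scale 0..10000).
VERY_LOW_CONFIDENCE, HIGH_CONFIDENCE = 2500, 7000


@dataclass
class Decision:
    action: str                                       # "allow", "step_up" or "deny"
    reasons: list = field(default_factory=list)
    unevaluated: list = field(default_factory=list)   # default-pass assertions, ignored


def evaluate(response, inputs_sent):
    """Turn a tmx-style response (hypothetical dict) into a Decision.

    inputs_sent is the set of attribute names this service actually passed
    to tmx for the event, e.g. {"device_profile", "email"}.
    """
    failed, unevaluated = [], []
    for name, result in response["assertions"].items():
        needed = REQUIRED_INPUT.get(name)
        if needed is not None and needed not in inputs_sent:
            unevaluated.append(name)      # passed by default: no information
            continue
        if result == "fail":
            failed.append(name)

    hard = [name for name in failed if name in HARD_FAIL]
    if hard:
        return Decision("deny", hard, unevaluated)

    confidence = response["digital_id_confidence"]
    if not failed and confidence >= HIGH_CONFIDENCE:
        return Decision("allow", ["high digital id confidence"], unevaluated)

    reasons = list(failed)
    if confidence < VERY_LOW_CONFIDENCE:
        reasons.append("very low digital id confidence")
    elif confidence < HIGH_CONFIDENCE:
        reasons.append("digital id confidence not high")
    return Decision("step_up", reasons, unevaluated)


# Constructed responses (not real tmx output) for a service that sends the
# device profile and a telephone number, but no email, address or input IP.
INPUTS_SENT = {"device_profile", "telephone"}
SAMPLE_ALLOW = {
    "digital_id_confidence": 7400,
    "assertions": {
        "test.trustedDevice": "pass",
        "detect.tor": "pass",
        "detect.proxyHidden": "pass",
        "blacklist.device": "pass",
        "blacklist.email": "pass",        # email never sent: default pass
        "test.emailAgeGTE30d": "pass",    # likewise
    },
}
SAMPLE_TOR = {
    "digital_id_confidence": 1200,
    "assertions": {"test.trustedDevice": "fail", "detect.tor": "fail", "blacklist.device": "pass"},
}
SAMPLE_VPN = {
    "digital_id_confidence": 1200,
    "assertions": {"test.trustedDevice": "fail", "detect.tor": "pass", "detect.vpn": "fail"},
}

if __name__ == "__main__":
    for label, resp in (("allow", SAMPLE_ALLOW), ("tor", SAMPLE_TOR), ("vpn", SAMPLE_VPN)):
        print(label, evaluate(resp, INPUTS_SENT))
```

The `unevaluated` list is the part that matters operationally: in `SAMPLE_ALLOW` the email blacklist "passed", but since the service never sent an email the evaluator does not let that pass contribute; sending the email (`INPUTS_SENT | {"email"}`) is what turns it into a real check.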

Assertion

Description

test.nameAgeGTE30d

Detects if an (optionally) passed Name has been known to ThreatMetrix for fewer than 30 days; passes once the name's age is 30 days or more (Not currently in use)

test.emailAgeGTE30d

Detects if an (optionally) passed Email has been known to ThreatMetrix for fewer than 30 days; passes once the email's age is 30 days or more (Not currently in use)

test.addressAgeGTE30d

Detects if an (optionally) passed Address has been known to ThreatMetrix for fewer than 30 days; passes once the address's age is 30 days or more (Not currently in use)

test.telephoneAgeGTE30d

Detects if an (optionally) passed Phone # has been known to ThreatMetrix for fewer than 30 days; passes once the number's age is 30 days or more (Not currently in use)

test.exactIDAgeGTE7d

ExactID is ThreatMetrix's device identifier that uses persistent markers to ID the device (cookies, Adobe Flash LSO, HTML5 persistent markers and Silverlight cookies). This test checks the tenure of a device by examining its persistent markers, passing once the ExactID has been known for at least 7 days. Because it rests on client-side storage, clearing or blocking those markers yields a fresh ExactID. The exhaustive list is proprietary but you can read more here: https://kb.threatmetrix.com/index.php?View=entry&EntryID=1276

test.smartIDAgeGTE7d

SmartID is ThreatMetrix's device identifier that uses device attributes to ID the device (screen resolution, device name, flash_guid etc.). This test passes once the SmartID has been known for at least 7 days. The exhaustive list is proprietary but you can read more here: https://kb.threatmetrix.com/index.php?View=entry&EntryID=1276

test.lte3CredentialsDevice7d

Detects if this ExactID has been seen logging in with more than 3 credentials; the assertion name encodes the threshold (lte3) and a 7-day window

test.expectedLanguage

Detects if the language set in the browser does not match the language expected for the device's location

test.credentialLTE500mi1hr

Detects if the credential's True IP has moved further than geography allows: more than 500 miles within an hour, per the assertion name (impossible travel)

link.addressCountry_TrueGeoCountry

Check the given address against the device's geo location (requires location services)

link.timeZone_TrueGeo

Checks the time zone of the device against the device's geo location time zone (requires location services)

test.trueIPLTE500miInputIP

Detects if an (optionally) passed IP is more than 500 miles from the device's True IP (Not currently in use)

blacklist.email

Check if the (optionally) passed Email is blacklisted (list is managed manually) (Not currently in use)

blacklist.telephone

Check if the (optionally) passed Phone # is blacklisted (list is managed manually) (Not currently in use)

blacklist.ip

Check if the device's IP is blacklisted (list is managed manually) (Not currently in use)

blacklist.device

Check if the device's ExactID or SmartID is blacklisted (list is managed manually)

blacklist.ofacIP

Check if the (optionally) passed IP, DNS IP, Proxy IP or True IP geolocates to a country on the US-government (OFAC) blacklist.

List (as of 9/20)

  • Burma mm (Myanmar)
  • Cuba cu
  • Iran ir
  • North Korea kp
  • Somalia so
  • Sudan sd
  • South Sudan ss
  • Syria sy
  • Venezuela ve
  • Ukraine/Russia ua/ru

detect.unusualActivity

Detects if the user spends less than 0.2 seconds on the page, or if the "system state" (last reboot date) has changed more than twice in the last hour. The exhaustive list is proprietary but you can read more here: https://kb.threatmetrix.com/index.php?View=entry&EntryID=1225

detect.malware

"Detects harmful malware by using the following tactics:
Honeypot - Passive technology designed to bait malware into attempting web injections
Page Fingerprinting – Active monitoring to identify modified code running in browser
Targeted Malware – Identifies specific markers associated with targeted threats
Storage Monitoring – Looks for malware indicators dropped on the local machine
Application Reputation (Android SDK only) – Identifies nefarious and/or malicious applications
Application Integrity (iOS + Android SDK) – Identifies modified versions of ‘real’ applications
RAT / Remote Desktop – Monitors for remote access trojans being used on a local machine
Biometrics for Bot Detection – Examines user behavioral activity to identify bots
Proxy Piercing – Designed to identify the true IP address of a device hidden behind a proxy".

List of malware that ThreatMetrix is effective at finding: Zeus, Ramnit, Gootkit, Cridex, Dridex, Dyre, Neverquest, Tinba, Trickbot, ATS_

detect.aggregator

Detects if the device is coming from an aggregator (e.g. Mint logging in on a customer's behalf)

detect.vpn

Detects if device is using a VPN

detect.proxyHidden

Detects if the device is using a proxy of the "hidden" type, which sends no proxy-identifying headers at all, so the server sees only the proxy's address. This is the riskiest proxy type.

detect.proxyAnonymous

Detects if the user is using a proxy of the "anonymous" type. An anonymous proxy does not send the real client IP address in the HTTP_X_FORWARDED_FOR header; it sends the proxy's own address there, or leaves it blank.
Such a proxy still announces itself, typically through the HTTP_VIA header (which transparent proxies send as well), revealing that a proxy server is in use even though the client address stays hidden.

detect.proxyOpenTransparent

Detects if the user is using a proxy of the "open" (transparent) type. This is the least risky proxy type: a transparent proxy sends the real client IP address in the HTTP_X_FORWARDED_FOR header, so a website that checks the proxy headers rather than only REMOTE_ADDR still learns the real address. Note that HTTP_X_FORWARDED_FOR is a client-supplied header and can be forged by a client connecting directly, so it must not be trusted on its own as the client's address.
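The three proxy types just described, classified from request headers, as an added example (not tmx's own logic). It takes the server-side peer address, the CGI/WSGI-style headers, and an independently learned client address in the role the True IP attribute plays; that last input is what makes a hidden proxy distinguishable from a direct connection at all. The header parsing, the extra "forged_headers" outcome and the sample requests (RFC 5737 documentation addresses) are this example's own.

```python
"""Proxy-type classification from request headers (added example, not tmx code)."""

# Risk ordering used on this page: hidden > anonymous > open/transparent.
PROXY_RISK = {"none": 0, "transparent": 1, "anonymous": 2, "hidden": 3, "forged_headers": 3}


def _forwarded_addrs(headers):
    """Parse HTTP_X_FORWARDED_FOR, which may list several hops or be blank."""
    raw = headers.get("HTTP_X_FORWARDED_FOR", "")
    return [part.strip() for part in raw.split(",") if part.strip()]


def classify_proxy(remote_addr, headers, true_ip):
    """Return "none", "transparent", "anonymous", "hidden" or "forged_headers".

    remote_addr: the TCP peer the web server saw (REMOTE_ADDR).
    headers:     CGI/WSGI-style request headers (HTTP_X_FORWARDED_FOR, HTTP_VIA).
    true_ip:     the client's real address learned independently, as tmx's
                 True IP is (assumed available here).
    """
    forwarded = _forwarded_addrs(headers)
    has_proxy_headers = "HTTP_X_FORWARDED_FOR" in headers or "HTTP_VIA" in headers
    if remote_addr == true_ip:
        # No proxy in the path, so any proxy headers were set by the client itself.
        return "forged_headers" if has_proxy_headers else "none"
    if true_ip in forwarded:
        # Open/transparent proxy: the real address is disclosed in X-Forwarded-For.
        return "transparent"
    if has_proxy_headers:
        # Anonymous proxy: announces itself (Via, or X-Forwarded-For carrying its
        # own address or blank) but hides the client.
        return "anonymous"
    # Hidden proxy: no proxy headers at all; only the true IP reveals the client.
    return "hidden"


# Constructed requests (RFC 5737 documentation addresses), not captured traffic.
CLIENT, PROXY, SECOND_HOP = "203.0.113.10", "198.51.100.7", "198.51.100.9"
SAMPLE_REQUESTS = {
    "direct":      (CLIENT, {}, CLIENT),
    "transparent": (PROXY, {"HTTP_X_FORWARDED_FOR": CLIENT, "HTTP_VIA": "1.1 cache.example"}, CLIENT),
    "two_hops":    (SECOND_HOP, {"HTTP_X_FORWARDED_FOR": f"{CLIENT}, {PROXY}"}, CLIENT),
    "anonymous":   (PROXY, {"HTTP_X_FORWARDED_FOR": PROXY, "HTTP_VIA": "1.1 anon.example"}, CLIENT),
    "anon_blank":  (PROXY, {"HTTP_X_FORWARDED_FOR": ""}, CLIENT),
    "hidden":      (PROXY, {}, CLIENT),
    "forged":      (CLIENT, {"HTTP_X_FORWARDED_FOR": "10.0.0.1"}, CLIENT),
}


def classify_samples():
    """Classify every constructed request; returns {label: proxy type}."""
    return {label: classify_proxy(*req) for label, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, kind in classify_samples().items():
        print(f"{label:12s} -> {kind} (risk {PROXY_RISK[kind]})")
```

Without the `true_ip` input the "hidden" and "direct" cases are identical from the server's point of view (same peer address, no headers), which is exactly the gap the True IP attribute and proxy piercing exist to close.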

test.lte3ProxyToday

Detects if the ExactID has changed proxy more than 3 times in one day

link.proxyGeo_TrueGeo

"Detects if this device is connecting through a proxy server that didn't match the device's geo-location (requires location services)"

link.proxyOrg_TrueOrg

"Detects if the Proxy information and True ISP information for this source do not match"

link.proxyISP_TrueISP

"Detects if the device is connecting through a proxy server that doesn't match the true IP address of the device"

test.emailAgeGT30d

Detects if an (optionally) passed Email has been known to ThreatMetrix for 30 days or fewer; passes once the email's age exceeds 30 days (Not currently in use)

test.trustedDevice

Checks if a device (phone/laptop/tablet) has been previously trusted for this user. Passing this dramatically boosts the user's score. Trust lasts for 12 months.

test.trustedDevice28days

Checks if a device (phone/laptop/tablet/computer) has been previously trusted for this user. Passing this dramatically boosts the user's score. Trust lasts for 28 days.

test.gte5Device1d

Checks if a device (phone/laptop/tablet/computer) has been seen >= 5 times in the last 24 hours.

test.gte5Credential1d

Checks if a credential (username) has been seen >= 5 times in the last 24 hours.

test.gte5CredentialDevice1d

Checks if a credential (username) has been seen on the same device >= 5 times in the last 24 hours.

detect.tor

Detects if the device's traffic is routed through the Tor network

detect.torNode

Detects if the device's IP is a Tor exit node