ThreatMetrix

Overview

Global digital businesses are prioritizing mobile-first strategies that cater to the needs of a growing, tech-savvy consumer base that demands slick, frictionless access to online goods and services. Yet the threat of cybercrime looms large as fraudsters trade stolen identity data to perpetrate global attacks.

ThreatMetrix gives businesses the ability to genuinely recognize good, returning customers by piecing together their digital identity from the complex digital DNA users create as they transact online. High-risk behavior can be pinpointed in real time, whether at new account applications, logins or payments, reducing friction and unnecessary step-ups.

This is underpinned by dynamic shared intelligence which is crowdsourced from over 5,000 global companies, giving individual organizations the exponential strength of an unrivalled network.

However, market-leading intelligence is only useful if it is actionable, which is why ThreatMetrix takes a holistic approach to fraud and authentication management, helping businesses to prioritize a single view of their customers and prevent operational silos. This is facilitated by the analytics, integration and orchestration and case management functions of the Dynamic Decision Platform and Smart Authentication framework, supporting businesses to make the best trust decisions across the entire customer journey.

Countries

International

Attributes (input)

Device profile (JavaScript link)
International Address
Email
International Telephone

Acquired Attributes

Acquired attributes for TMX are properties of the user's environment that are detected when the profiling code runs in the user's browser. Items like IP address and device type are often more accurate than what the web server sees, and harder to spoof. The AXN detects these attributes and adds them to the endpoint information.

True IP

True IP differs from the server-observed IP because it is the IP detected when the code runs in the user's browser, rather than whatever the user's device chooses to tell the server. This IP corresponds to a generalized location (typically the ISP) being used by the machine, regardless of VPN or proxy.

True IP Geo Country Code

This is the alpha-2 country code from the True IP detected.

Platform / agent type (will be either browser_computer or browser_mobile)

Platform is the detected type of device that the user is browsing from. This will be more accurate than standard device checks.

Fuzzy device id (also called smart id in some tmx docs)

The ThreatMetrix device ID that relies on the unique fingerprint of the device. Rather than using tokens/cookies to identify a computer “ThreatMetrix SmartID®” takes advantage of the many attributes of a device that ThreatMetrix collects to assign an independent device ID to a particular device. This technique allows ThreatMetrix to identify the device even if the cookies/persistent objects have been deleted, or if a user has invoked “Private Browsing Mode” now available on all web browsers. ThreatMetrix SmartID® also allows ThreatMetrix to re-identify devices even if they have been intentionally altered by a cybercriminal or if they are suppressing cookies or flash.

Fuzzy device id confidence

The probability of this being the same device. This attribute ranges from 0 to 100%.

Digital id

A probabilistic matching approach is used to match each event to a Digital ID. Depending on the entities involved in the event, more than one Digital ID could be a potential match. The best match is returned using a proprietary matching algorithm.

Digital id confidence

The confidence score signifies how strongly the event appears to match the behavior of the returned Digital ID. Raw confidence values range from 0 to 10000.
A value below 25% (i.e. 2500) should be interpreted as very low confidence.
A value above 70% (7000) generally indicates high confidence.

Personas

Personas are a system for detecting consistent combinations of attributes. For example, a 3-month Name and Address persona would exist when a user had passed in the same name and address combination at least three times over a 3-month period.

Neat persona age

This means that Name, Email, Address and Telephone were seen with this credential at least 3 times over this timeframe.
Values: 0 (not seen), 1 (1 month), 2 (2 months), 3 (3 months)

ExactID IP persona

This means that the ExactID (a very restrictive device ID) was seen at this IP at least 3 times over this timeframe.
Values: 0 (not seen), 1 (1 month), 2 (2 months), 3 (3 months)

SmartID Browserstring persona

This means that this SmartID (flexible device ID) was seen with this browser and browser hash at least 3 times over this timeframe.
Values: 0 (not seen), 1 (1 month), 2 (2 months), 3 (3 months)
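As an added example (not ThreatMetrix code), the following Python computes a persona age for any attribute combination over an event history, so it covers the Name and Address persona from the introduction as well as the four-attribute Neat persona. The event history is constructed, a month is approximated as 30 days, and the reading of the 0/1/2/3 values as the shortest window in which the combination was seen at least three times is an assumption made for the example.

```python
from datetime import datetime, timedelta

MIN_SIGHTINGS = 3           # "at least 3 times" on this page
WINDOWS_MONTHS = (1, 2, 3)  # the 1 / 2 / 3 month persona values on this page
DAYS_PER_MONTH = 30         # assumption: a month is approximated as 30 days

# Constructed sample identities (not real ThreatMetrix data).
ANN = {"name": "Ann Lee", "email": "ann@example.com", "address": "1 Main St", "telephone": "+15550100"}
BOB = {"name": "Bob Ray", "email": "bob@example.com", "address": "9 Oak Ave", "telephone": "+15550200"}
CARA = {"name": "Cara Wu", "email": "cara@example.com", "address": "4 Elm Rd", "telephone": "+15550300"}
DAN = {"name": "Dan Cho", "email": "dan@example.com", "address": "7 Pine Ct", "telephone": "+15550400"}

# Constructed event history: (event time, attributes passed with the event).
EVENTS = [
    (datetime(2024, 6, 1), ANN),
    (datetime(2024, 6, 10), ANN),
    (datetime(2024, 7, 20), ANN),
    (datetime(2024, 8, 5), ANN),
    (datetime(2024, 5, 15), BOB),
    (datetime(2024, 8, 6), BOB),
    (datetime(2024, 8, 1), CARA),
    (datetime(2024, 8, 3), CARA),
    (datetime(2024, 8, 8), CARA),
    (datetime(2024, 6, 20), DAN),
    (datetime(2024, 7, 5), DAN),
    (datetime(2024, 8, 8), DAN),
]

NOW = datetime(2024, 8, 10)  # constructed "current time" for the sample


def persona_age(events, combo, now):
    """Return the persona age for an attribute combination.

    0 means the combination was not seen at least MIN_SIGHTINGS times within
    the longest window. Otherwise the value is the shortest window (in months)
    in which it was seen at least MIN_SIGHTINGS times. `combo` is a dict of the
    attributes that make up the persona; only those keys are compared, so a
    two-attribute Name and Address persona and a four-attribute Neat persona
    use the same function.
    """
    seen_at = [ts for ts, attrs in events
               if all(attrs.get(key) == value for key, value in combo.items())]
    for months in WINDOWS_MONTHS:
        cutoff = now - timedelta(days=DAYS_PER_MONTH * months)
        if sum(1 for ts in seen_at if cutoff <= ts <= now) >= MIN_SIGHTINGS:
            return months
    return 0


if __name__ == "__main__":
    for label, combo in (("Ann (neat)", ANN),
                         ("Ann (name+address)", {"name": ANN["name"], "address": ANN["address"]}),
                         ("Bob", BOB), ("Cara", CARA), ("Dan", DAN)):
        print(f"{label}: persona age {persona_age(EVENTS, combo, NOW)}")
```

Ann has four sightings spread over ten weeks, so her persona only reaches the three-sighting threshold in the 3-month window; Dan's three sightings fit inside 2 months, Cara's inside 1 month, and Bob, seen only twice, has no persona at all.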

Assertions

Assertions in TMX are conditions that return pass or fail. A pass means the condition was met; a fail means that TMX detected that the condition was not met. If an attribute required for the check is not configured for a service, the assertion passes by default, so a pass on such an assertion carries no information about the user.
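Because an assertion whose required attribute is not configured passes by default, a consumer of the results should distinguish a genuine pass from a default pass before using it in a trust decision. The following Python is an added example, not ThreatMetrix code: the mapping of assertions to the optional input each depends on is derived from the "(optionally) passed ..." wording of the descriptions on this page and is an assumption, as is the constructed sample response.

```python
# Assumed mapping of assertion -> the optional input it depends on, taken from
# the "(optionally) passed ..." wording of the descriptions on this page.
# The service's real dependency list is proprietary and not shown here.
REQUIRED_INPUT = {
    "test.nameAgeGTE30d": "name",
    "test.emailAgeGTE30d": "email",
    "test.addressAgeGTE30d": "address",
    "test.telephoneAgeGTE30d": "telephone",
    "link.addressCountry_TrueGeoCountry": "address",
    "test.trueIPLTE500miInputIP": "ip",
    "blacklist.email": "email",
    "blacklist.telephone": "telephone",
}


def classify_assertions(results, configured_inputs):
    """Map raw pass/fail results to one of pass / fail / default_pass.

    default_pass marks an assertion that reports "pass" while the input it
    needs is not configured for this service. Per the page such assertions
    pass by default, so the result says nothing about the user and must not
    be counted as evidence of good behavior.
    """
    configured = set(configured_inputs)
    classified = {}
    for name, result in results.items():
        if result not in ("pass", "fail"):
            raise ValueError(f"unexpected assertion result for {name}: {result!r}")
        needed = REQUIRED_INPUT.get(name)
        if result == "pass" and needed is not None and needed not in configured:
            classified[name] = "default_pass"
        else:
            classified[name] = result
    return classified


def summarize(classified):
    """Group assertions by outcome so a reviewer sees which checks were
    actually evaluated and which were silently skipped."""
    return {
        outcome: sorted(name for name, result in classified.items() if result == outcome)
        for outcome in ("fail", "pass", "default_pass")
    }


# Constructed sample response: this service sends only email and address to
# the profiler, so the telephone- and name-based assertions cannot fail.
SAMPLE_RESULTS = {
    "test.emailAgeGTE30d": "fail",
    "test.telephoneAgeGTE30d": "pass",
    "test.nameAgeGTE30d": "pass",
    "link.addressCountry_TrueGeoCountry": "pass",
    "detect.tor": "pass",
    "detect.proxyHidden": "fail",
}
SAMPLE_CONFIGURED = ["email", "address"]

if __name__ == "__main__":
    summary = summarize(classify_assertions(SAMPLE_RESULTS, SAMPLE_CONFIGURED))
    for outcome, names in summary.items():
        print(f"{outcome}: {', '.join(names) or '-'}")
```

In the sample, the two default passes would otherwise inflate a naive "passed N of M assertions" score; separating them keeps the score honest about which checks ran.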

Assertion: Description

test.nameAgeGTE30d: Checks if an (optionally) passed Name has been registered in ThreatMetrix for <= 30 days. (Not currently in use)
test.emailAgeGTE30d: Checks if an (optionally) passed Email has been registered in ThreatMetrix for <= 30 days. (Not currently in use)
test.addressAgeGTE30d: Checks if an (optionally) passed Address has been registered in ThreatMetrix for <= 30 days. (Not currently in use)
test.telephoneAgeGTE30d: Checks if an (optionally) passed Phone # has been registered in ThreatMetrix for <= 30 days. (Not currently in use)
test.exactIDAgeGTE7d: ExactID is ThreatMetrix's device identifier that uses persistent markers to ID the device (cookies, Adobe Flash LSO, HTML5 persistent markers and Silverlight cookies). This test checks the tenure of a device by examining its persistent markers. The exhaustive list is proprietary.
test.smartIDAgeGTE7d: SmartID is ThreatMetrix's device identifier that uses device attributes to ID the device (screen resolution, device name, flash_guid etc.).
test.lte3CredentialsDevice7d: Checks if this ExactID has logged in > 3 times today.
test.expectedLanguage: Checks if the language set in the browser does not match the language expected for the device's location.
test.credentialLTE500mi1hr: Checks if the device's True IP has exceeded geophysical limitations.
link.addressCountry_TrueGeoCountry: Checks the given address against the device's geolocation (requires location services).
link.timeZone_TrueGeo: Checks the time zone of the device against the device's geolocation time zone (requires location services).
test.trueIPLTE500miInputIP: Checks if an (optionally) passed IP is >= 500 miles from the device's IP. (Not currently in use)
blacklist.email: Checks if the (optionally) passed Email is blacklisted (list is managed manually). (Not currently in use)
blacklist.telephone: Checks if the (optionally) passed Phone # is blacklisted (list is managed manually). (Not currently in use)
blacklist.ip: Checks if the device's IP is blacklisted (list is managed manually). (Not currently in use)
blacklist.device: Checks if the device's ExactID or SmartID is blacklisted (list is managed manually).
blacklist.ofacIP: Checks if the (optionally) passed IP, DNS IP, Proxy IP or True IP is from a country on the US-government blacklist.

List (as of 9/20):
- Burma (Myanmar): mm
- Cuba: cu
- Iran: ir
- North Korea: kp
- Somalia: so
- Sudan: sd
- South Sudan: ss
- Syria: sy
- Venezuela: ve
- Ukraine/Russia: ua/ru

detect.unusualActivity: Checks if the user spends < 0.2 seconds on the page or if the "system state" (last reboot date) has changed more than 2 times in the last hour. The exhaustive list is proprietary.
detect.malware: Detects harmful malware by using the following tactics:

JavaScript only ("Man in the Browser Detection"):
- Honeypot: passive technology designed to bait malware into attempting web injections
- Targeted Malware: identifies specific markers associated with targeted threats
- Storage Monitoring: looks for malware indicators dropped on the local machine
- RAT / Remote Desktop: monitors for remote access trojans being used on a local machine
- Page Fingerprinting (not enabled by default): requires you to establish a "fingerprint" of your web page, which ThreatMetrix recalculates at run time to ensure the fingerprint ThreatMetrix calculates matches the fingerprint you established

SDK only:
- Device Security Health (Android SDK only; requires a specific add-on to be enabled in the SDK and can take 10-60 s to run): The Device Security Health module "TMXDeviceSecurityHealth" provides customers with real-time insight into the overall security health of a mobile device during device profiling. It enables customers to evaluate either the applications currently running in memory while their application is being used, or all applications installed on the device. Each application evaluated on the device is compared against a set of signatures in the ThreatMetrix Platform. As an example, rules can be created to detect the presence of applications categorized as malware in real time and associate a negative score with these sessions.
- Mobile Application Integrity (iOS + Android SDK; not enabled by default): requires you to establish a "fingerprint" of the mobile app within which ThreatMetrix runs. ThreatMetrix recalculates this fingerprint at run time to ensure the application has not been modified.

Other checks:
- Biometrics for Bot Detection: examines user behavioral activity to identify bots (this is already covered by detect.aggregator)
- Proxy Piercing: designed to identify the true IP address of a device hidden behind a proxy (this is already covered by the 4 proxy assertions)

detect.aggregator: Detects if the device is coming from an aggregator (e.g. Mint attempting to log in on a customer's behalf).
detect.browserAnomaly: Checks if a device's screen resolution has changed > 4 times per day, if the screen color depth is unusually low, if the Flash browser language does not match the device's expected language, or if cookie copying is suspected.
detect.vpn: Detects if the device is using a VPN.
detect.proxyHidden: Detects if the device is using a proxy with "hidden" proxy type. This is the most risky proxy type.
detect.proxyAnonymous: Detects if the user is using a proxy with "anonymous" proxy type. An anonymous proxy does not send your real IP address in the HTTP_X_FORWARDED_FOR header; instead it submits the IP address of the proxy, or the header is just blank. The HTTP_VIA header is sent with a transparent proxy, also revealing that you are using a proxy server.
detect.proxyOpenTransparent: Detects if the user is using a proxy with "open" proxy type. This is the least risky proxy type. A transparent proxy sends your real IP address in the HTTP_X_FORWARDED_FOR header, which means a website that not only determines your REMOTE_ADDR but also checks for specific proxy headers will still know your real IP address.
test.lte3ProxyToday: Detects if the ExactID has changed proxy > 3 times in 1 day.
link.proxyGeo_TrueGeo: Detects if this device is connecting through a proxy server that does not match the device's geolocation (requires location services).
link.proxyOrg_TrueOrg: Detects if the proxy information and True ISP information for this source do not match.
link.proxyISP_TrueISP: Detects if the device is connecting through a proxy server that does not match the true IP address of the device.
test.emailAgeGT30d: Checks if an (optionally) passed Email has been registered in ThreatMetrix for <= 30 days. (Not currently in use)
test.trustedDevice: Checks if a device (phone/laptop/tablet) has been previously trusted for this user. Passing this will dramatically boost a user's score. Trust lasts for 12 months.
test.trustedDevice28days: Checks if a device (phone/laptop/tablet/computer) has been previously trusted for this user. Passing this will dramatically boost a user's score. Trust lasts for 28 days.
test.trustedDevice6mon: Checks if a device (phone/laptop/tablet/computer) has been previously trusted for this user. Passing this will dramatically boost a user's score. Trust lasts for 6 months.
test.gte5Device1d: Checks if a device (phone/laptop/tablet/computer) has been seen >= 5 times in the last 24 hours.
test.gte5Credential1d: Checks if a credential (username) has been seen >= 5 times in the last 24 hours.
test.gte5CredentialDevice1d: Checks if a credential (username) has been seen on the same device >= 5 times in the last 24 hours.
detect.tor: Detects if the device is routed from the Tor network.
detect.torNode: Detects if the device's IP is a Tor exit node.
detect.jailbreak: (SDK only, Android and iOS) Detects if the device has been jailbroken/rooted.
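The transparent versus anonymous distinction in the detect.proxyAnonymous and detect.proxyOpenTransparent descriptions above can be reproduced from a request's own headers, and doing so also shows why header inspection alone cannot separate a direct connection from a hidden proxy, which is the gap the browser-side True IP fills. The following Python classifier is an added example, not ThreatMetrix code; the classification rules and the sample requests are constructed for the example, and the vendor's own rules are proprietary.

```python
from ipaddress import ip_address


def classify_proxy(remote_addr, headers):
    """Classify the proxy type visible in a request's headers.

    Assumed classification written for this example, following the page's
    descriptions of the transparent and anonymous proxy types:
      "transparent"    - X-Forwarded-For carries a client address that differs
                         from REMOTE_ADDR, so the real address is still visible
      "anonymous"      - proxy headers (Via and/or X-Forwarded-For) are present
                         but X-Forwarded-For is blank, unparsable, or just the
                         proxy's own address
      "none_or_hidden" - no proxy headers at all; a direct connection and a
                         hidden proxy look identical here, so only an
                         out-of-band signal such as True IP can tell them apart
    """
    lower = {key.lower(): value.strip() for key, value in headers.items()}
    has_xff = "x-forwarded-for" in lower
    has_via = "via" in lower
    if not has_xff and not has_via:
        return "none_or_hidden"
    # X-Forwarded-For is a comma-separated chain; the first entry is the
    # address the first proxy saw, i.e. the original client if the proxy is
    # honest. Anything after it is intermediate proxies.
    first_hop = lower.get("x-forwarded-for", "").split(",")[0].strip()
    if not first_hop:
        return "anonymous"
    try:
        client = ip_address(first_hop)
    except ValueError:
        return "anonymous"  # e.g. "unknown": nothing usable is disclosed
    if str(client) == remote_addr:
        return "anonymous"  # the proxy reports itself rather than the client
    return "transparent"


# Constructed sample requests: (REMOTE_ADDR as seen by the web server, headers).
# 198.51.100.7 plays the proxy, 203.0.113.10 the real client.
SAMPLE_REQUESTS = {
    "direct": ("203.0.113.10", {}),
    "transparent": ("198.51.100.7", {"Via": "1.1 proxy.example", "X-Forwarded-For": "203.0.113.10"}),
    "chained": ("198.51.100.7", {"X-Forwarded-For": "203.0.113.10, 192.0.2.44"}),
    "anonymous_blank": ("198.51.100.7", {"Via": "1.1 proxy.example", "X-Forwarded-For": ""}),
    "anonymous_self": ("198.51.100.7", {"X-Forwarded-For": "198.51.100.7"}),
    "anonymous_unknown": ("198.51.100.7", {"X-Forwarded-For": "unknown"}),
}


def classify_all(requests=SAMPLE_REQUESTS):
    """Classify every sample request, keyed by its label."""
    return {label: classify_proxy(addr, hdrs) for label, (addr, hdrs) in requests.items()}


if __name__ == "__main__":
    for label, proxy_type in classify_all().items():
        print(f"{label:18s} -> {proxy_type}")
```

Note that the "direct" sample and a hidden proxy both land in "none_or_hidden": the headers give the server no way to tell the two apart, which is why the page treats the hidden type as the most risky and relies on the browser-side True IP rather than server-side headers.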