Overview

The ThreatMetrix (TMX) Advanced Service Offering (SO) is based on our existing TMX verification, but offers more in-depth and refined information from a user and their device. These new assertions are highly recommended for fraud detection and prevention. For more information about what attributes need to be supplied to this SO, please refer to our TMX documentation on the topic.

Assertions

Assertions in TMX are certain conditions that return a pass/fail. A pass means the condition was met, a fail means that TMX detected that the condition was not met. If an attribute required for detection is not configured for a service, the assertion will pass by default.

Assertion	Description
whitelist.localCheckDetected	Allows known trusted entities, reducing friction for legitimate users FuzzyDeviceID Whitelist Input IP whitelist Input IP Org whitelist TrueIP Whitelist
blacklist.localCheckDetected	Prevents access for known bad actors, enhancing security FuzzyDeviceID Blacklist Input IP Blacklist Input IP Org Blacklist TrueIP Blacklist
watchlist.localCheckDetected	Flags suspicious entities for closer inspection, improving threat detection True IP Watchlisted Proxy IP Watchlisted DNS IP Watchlisted Input IP Watchlisted Generally used to obligate users
detect.browserAnomalyCheck	Detects unusual browser behavior that may indicate bot or fraud activity Same Session ID used multiple times Session Cloaking - JS disabled Anomalies related to browser language settings Screen resolution Anomalies
detect.attributeAnomaly	Identifies identity inconsistency 3 Proxy per ID ID is used with 3 or 5 different email addresses with higher risk weights for 5 or more New GeoIP per login New True IP less than a month
detect.entityReputationCheck	Helps block access for known malicious actors based on past behavior Input IP, True IP, Fuzzy Device ID have negative reputation or on blacklist
detect.emailBehaviorCheck	Warns about potential fraudulent email addresses New email age is less than an hour New email age is less than one day Evaluates if an email address is potentially machine-generated
detect.trustTagBehavior	Detects risky devices and bot-like behavior Device/IP is tagged as risky 2x in 7 days
detect.proxyTorVPN	Detects use of anonymizing services Tor Detected VPN Detected Potential Virtual Machine Hidden Proxy Detected
detect.proxyGEO/TRUEGEOMismatch	Detects geo-location inconsistencies Detects mismatches between proxy and device locations Detects mismatches between proxy and true geo locations Identify Dialup Proxies
detect.sessionCloaking	User attempted to hide device or session details Images or content not loading as expected Compare True IP to WebRTC external IP Compare True IP to Input IP address Flash, OS, session, or Remote Desktop Anomalies
detect.malware	Blocks access from malware-infected devices Malware infected Device Malware detected
test.entityVelocityCheck	Checks for automated bot attacks or rapid fraud attempts Input IP, True IP, Input ID or Device ID velocity
test.distanceTraveledCheck	Looks to see if the device's location rapidly changes Detects True IP differences or 500mi/hr or 200mi/hr
test.trustedPersona1MTH, test.trustedPersona2MTH, test.trustedPersona3MTH	Checks if user has been trusted in the past 1, 2, or 3 months Establishes trust for legitimate users over time Users that are active and classified as trusted for at least a month, 2 months, and 3 months
detect.personaAnomalies3MTH	Identifies potential fraud through excessive persona changes
detect.ATOCheck	Prevents account takeovers Determine if complex expression conditions are met involving virtual machines, distribution patterns, or bot-detected ATO For example, login attempts from many locations, unusual spread of failed logins across accounts, or multiple accounts accessed from the same IP
detect.bot	Identifies bots A device or IP is flagged as a bot if it has been identified as such three or more times within the past 12 months, based on Presented IP, Device ID, and True IP. The rule evaluates whether persona rules are triggered by entities previously marked as bots. ThreatMetrix Tagging: Devices and IPs may also be labeled as bots by ThreatMetrix, using device attributes, behavioral signals, and prior evaluations where the entity was explicitly classified as a “bot.”
detect.jailbreakORRoot	Prevents jailbroken or rooted devices from authenticating Detects if a device is either jailbroken or rooted
detect.entityINGlobalBlocklist	Verify if the device is listed in the ExactID Global Blacklist. If a fuzzy_device_id is used, confirm whether it appears on the global blacklist. If a proxy_IP is used, check if it is listed on the global blacklist. Check if the True_IP is listed on the global blacklist. Determine whether the organization associated with the True_IP is listed on the global blacklist.
detect.entityINGlobalWhitelist	Reduces friction for globally trusted entities Verify if the device is listed in the ExactID Global Whitelist If a fuzzy_device_id is used, confirm whether it appears on the global whitelist. If a proxy_IP is used, check if it is listed on the global whitelist. Check if the True_IP is listed on the global whitelist. Determine whether the organization associated with the True_IP is listed on the global whitelist. Reduces friction for globally trusted entities
detect.aggregator	Detects potential aggregator attacks
detect.proxyTorVPN	Blocks access through TOR networks