ThreatMetrix Advanced

Overview

The ThreatMetrix (TMX) Advanced Service Offering (SO) is based on our existing TMX verification, but offers more in-depth and refined information about a user and their device. These new assertions are highly recommended for fraud detection and prevention. For more information about which attributes need to be supplied to this SO, please refer to our TMX documentation on the topic.

Assertions

Assertions in TMX are conditions that return a pass or a fail. A pass means the condition was met; a fail means that TMX detected that the condition was not met. If an attribute required for detection is not configured for a service, the assertion will pass by default.
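Because an assertion passes by default when a required attribute is not configured, a pass alone does not show that the check ran. The following added example (not ThreatMetrix code) separates real passes from passes by default; the attribute names, the `REQUIRED_ATTRS` mapping and the shape of the results are assumptions made for illustration, and the actual attribute requirements are in the TMX documentation.

```python
# Added illustration; not ThreatMetrix or vendor code. The attribute names, the
# REQUIRED_ATTRS mapping and the result shape are assumptions.
REQUIRED_ATTRS = {
    "detect.emailBehaviorCheck": {"email"},
    "detect.entityINGlobalBlocklist": {"fuzzy_device_id", "true_ip"},
    "test.entityVelocityCheck": {"input_ip", "device_id"},
}

def classify(results, configured):
    """Split reported passes into real passes and passes by default.

    results: {assertion name: True for pass, False for fail}
    configured: set of attribute names the service is configured to send
    """
    out = {}
    for name, passed in sorted(results.items()):
        missing = REQUIRED_ATTRS.get(name, set()) - configured
        if not passed:
            out[name] = "fail"
        elif name not in REQUIRED_ATTRS:
            out[name] = "pass (requirements unknown)"
        elif missing:
            out[name] = "pass by default (missing: " + ", ".join(sorted(missing)) + ")"
        else:
            out[name] = "pass"
    return out

def unverified(results, configured):
    """Assertions whose pass says nothing because an input was not configured."""
    return [n for n, s in classify(results, configured).items()
            if s.startswith("pass by default")]

# Constructed sample: everything passes, but the service sends no e-mail
# attribute and no device ID.
SAMPLE_RESULTS = {
    "detect.emailBehaviorCheck": True,
    "detect.entityINGlobalBlocklist": True,
    "test.entityVelocityCheck": True,
    "detect.malware": True,
}
SAMPLE_CONFIGURED = {"input_ip", "true_ip", "fuzzy_device_id"}

if __name__ == "__main__":
    for name, status in classify(SAMPLE_RESULTS, SAMPLE_CONFIGURED).items():
        print(f"{name}: {status}")
```

Running a check like this against each service's configuration shows which assertions in a policy are contributing no signal.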

Assertion

Description

whitelist.localCheckDetected

Allows known trusted entities, reducing friction for legitimate users

  • FuzzyDeviceID Whitelist

  • Input IP whitelist

  • Input IP Org whitelist

  • TrueIP Whitelist

blacklist.localCheckDetected

Prevents access for known bad actors, enhancing security

  • FuzzyDeviceID Blacklist

  • Input IP Blacklist

  • Input IP Org Blacklist

  • TrueIP Blacklist

watchlist.localCheckDetected

Flags suspicious entities for closer inspection, improving threat detection

  • True IP Watchlisted

  • Proxy IP Watchlisted

  • DNS IP Watchlisted

  • Input IP Watchlisted

Generally used to obligate users

detect.browserAnomalyCheck

Detects unusual browser behavior that may indicate bot or fraud activity

  • Same Session ID used multiple times

  • Session Cloaking - JS disabled

  • Anomalies related to browser language settings

  • Screen resolution Anomalies

detect.attributeAnomaly

Identifies identity inconsistency

  • 3 Proxy per ID

  • ID is used with 3 or 5 different email addresses, with higher risk weights for 5 or more

  • New GeoIP per login

  • New True IP less than a month

detect.entityReputationCheck

Helps block access for known malicious actors based on past behavior

  • Input IP, True IP, Fuzzy Device ID have negative reputation or on blacklist

detect.emailBehaviorCheck

Warns about potential fraudulent email addresses

  • New email age is less than an hour

  • New email age is less than one day

  • Evaluates if an email address is potentially machine-generated

detect.trustTagBehavior

Detects risky devices and bot-like behavior

  • Device/IP is tagged as risky 2x in 7 days

detect.proxyTorVPN

Detects use of anonymizing services

  • Tor Detected

  • VPN Detected

  • Potential Virtual Machine

  • Hidden Proxy Detected

detect.proxyGEO/TRUEGEOMismatch

Detects geo-location inconsistencies

  • Detects mismatches between proxy and device locations

  • Detects mismatches between proxy and true geo locations

  • Identify Dialup Proxies

detect.sessionCloaking

User attempted to hide device or session details

  • Images or content not loading as expected

  • Compare True IP to WebRTC external IP

  • Compare True IP to Input IP address

  • Flash, OS, session, or Remote Desktop Anomalies

detect.malware

Blocks access from malware-infected devices

  • Malware infected Device

  • Malware detected

test.entityVelocityCheck

Checks for automated bot attacks or rapid fraud attempts

  • Input IP, True IP, Input ID or Device ID velocity

test.distanceTraveledCheck

Looks to see if the device's location rapidly changes

  • Detects True IP differences or 500mi/hr or 200mi/hr

test.trustedPersona1MTH, test.trustedPersona2MTH, test.trustedPersona3MTH

Checks if user has been trusted in the past 1, 2, or 3 months

  • Establishes trust for legitimate users over time

  • Users that are active and classified as trusted for at least a month, 2 months, and 3 months

detect.personaAnomalies3MTH

Identifies potential fraud through excessive persona changes

detect.ATOCheck

Prevents account takeovers

  • Determine if complex expression conditions are met involving virtual machines, distribution patterns, or bot-detected ATO

  • For example, login attempts from many locations, unusual spread of failed logins across accounts, or multiple accounts accessed from the same IP

detect.bot

Identifies bots

  • A device or IP is flagged as a bot if it has been identified as such three or more times within the past 12 months, based on Presented IP, Device ID, and True IP.

  • The rule evaluates whether persona rules are triggered by entities previously marked as bots.

  • ThreatMetrix Tagging: Devices and IPs may also be labeled as bots by ThreatMetrix, using device attributes, behavioral signals, and prior evaluations where the entity was explicitly classified as a “bot.”

detect.jailbreakORRoot

Prevents jailbroken or rooted devices from authenticating

  • Detects if a device is either jailbroken or rooted

detect.entityINGlobalBlocklist

Verify if the device is listed in the ExactID Global Blacklist.

  • If a fuzzy_device_id is used, confirm whether it appears on the global blacklist.

  • If a proxy_IP is used, check if it is listed on the global blacklist.

  • Check if the True_IP is listed on the global blacklist.

  • Determine whether the organization associated with the True_IP is listed on the global blacklist.

detect.entityINGlobalWhitelist

Reduces friction for globally trusted entities

  • Verify if the device is listed in the ExactID Global Whitelist

  • If a fuzzy_device_id is used, confirm whether it appears on the global whitelist.

  • If a proxy_IP is used, check if it is listed on the global whitelist.

  • Check if the True_IP is listed on the global whitelist.

  • Determine whether the organization associated with the True_IP is listed on the global whitelist.

detect.aggregator

Detects potential aggregator attacks

detect.proxyTorVPN

Blocks access through Tor networks