ThreatMetrix Advanced
Overview
The ThreatMetrix (TMX) Advanced Service Offering (SO) builds on our existing TMX verification and returns more in-depth, refined information about a user and their device. We highly recommend these new assertions for fraud detection and prevention. For the attributes that need to be supplied to this SO, please refer to our TMX documentation on the topic.
Assertions
Assertions in TMX are conditions that return a pass or a fail. A pass means the condition was met; a fail means that TMX detected that the condition was not met. If an attribute required for detection is not configured for a service, the assertion passes by default, so a pass on its own does not show that the check was evaluated.
| Assertion | Description |
|---|---|
| blacklist.localcheckdetected | Indicates the entity matched a locally maintained blacklist, which is used to block known malicious devices, IP addresses, IP organizations, or fuzzy device identifiers. |
| blacklist.ofacip | Checks whether the input IP address is associated with OFAC-sanctioned entities, supporting regulatory and compliance enforcement. |
| detect.3dimgoodlclpersonacheck | Evaluates whether a persona meets a positive local reputation threshold across three behavioral or identity dimensions. |
| detect.4dimgoodlclpersonacheck | Evaluates whether a persona meets a positive local reputation threshold across four behavioral or identity dimensions. |
| detect.5dimgoodlclpersonacheck | Evaluates whether a persona meets a positive local reputation threshold across five behavioral or identity dimensions. |
| detect.aggregator | Detects traffic patterns consistent with aggregator behavior, which may indicate coordinated or automated activity. |
| detect.androidrootcloak | Detects Android devices attempting to conceal root status through cloaking techniques. |
| detect.atocheck | Identifies potential account takeover activity by evaluating complex patterns such as distributed login attempts, abnormal access locations, or coordinated failed logins across accounts. |
| detect.attributeanomaly | Identifies inconsistencies or risky changes in identity attributes, such as excessive proxy usage per ID, frequent email changes, or new geographic or true IP associations. |
| detect.bot | Identifies bot activity based on repeated historical bot classifications, behavioral signals, device and IP reputation, and ThreatMetrix bot tagging. |
| detect.browseranomalycheck | Detects abnormal browser behavior that may indicate automation or fraud, including session reuse, disabled JavaScript, language inconsistencies, or unusual screen resolution patterns. |
| detect.emailbehaviorcheck | Evaluates email behavior risk, including very new email creation, short email age thresholds, and indicators of machine-generated email addresses. |
| detect.entityinglobalblocklist | Verifies whether the device, IP address, IP organization, or fuzzy device identifier is listed in the ExactID global blacklist. |
| detect.entityinglobalwhitelist | Verifies whether the device, IP address, IP organization, or fuzzy device identifier is listed in the ExactID global whitelist to reduce friction for trusted entities. |
| detect.entityreputationcheck | Assesses overall entity reputation by evaluating whether associated IPs or device identifiers have negative reputation or are blacklisted. |
| detect.jailbreakorroot | Detects whether a device is jailbroken or rooted and prevents authentication from compromised devices. |
| detect.malware | Detects malware-infected devices or active malware signals and blocks access accordingly. |
| detect.personaanomalies3mth | Identifies excessive or abnormal persona changes observed over a three-month period that may indicate fraud. |
| detect.personavariationscheck | Detects unusual variations in persona attributes that deviate from established behavioral norms. |
| detect.proximitycheck | Evaluates geographic consistency by checking whether access locations align with expected proximity patterns. |
| detect.proxygeomismatch | Detects mismatches between proxy geography and true device location, including identification of dial-up proxies. |
| detect.proxytypematch | Checks for consistency between observed proxy characteristics and expected proxy types. |
| detect.proxytorvpn | Detects the use of anonymization services such as Tor, VPNs, hidden proxies, or virtual machine-based access. |
| detect.sessioncloaking | Identifies attempts to hide or manipulate session or device characteristics by comparing IP sources, WebRTC data, content loading behavior, and OS or remote session anomalies. |
| detect.tor | Detects traffic associated with the Tor network. |
| detect.tornode | Identifies known Tor exit nodes. |
| detect.trusttagbehavior | Detects repeated risky tagging of devices or IPs over time, indicating elevated bot or fraud risk. |
| test.apsessionidnotreplay | Ensures session identifiers are not reused, helping prevent replay or session-fixation attacks. |
| test.distancetraveledcheck | Detects improbable location changes by evaluating excessive travel velocity between true IP locations. |
| test.entityvelocitycheck | Measures the rate of activity across IPs, devices, or identifiers to detect automation or rapid fraud attempts. |
| test.trusteddevice | Indicates whether a device meets trust criteria based on prior activity history. |
| test.trusteddevice6mo | Indicates a device has maintained trusted status for at least six months. |
| test.trustedpersona1mth | Indicates a persona has maintained trusted status for at least one month. |
| test.trustedpersona2mth | Indicates a persona has maintained trusted status for at least two months. |
| test.trustedpersona3mth | Indicates a persona has maintained trusted status for at least three months. |
| watchlist.localcheckdetected | Indicates the entity matched a local watchlist, flagging it for monitoring or step-up actions without immediate blocking. |
| whitelist.localcheckdetected | Indicates the entity matched a local whitelist, allowing trusted devices, IPs, or organizations to proceed with reduced friction. |
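Because an assertion passes by default when its required attribute is not configured, a consumer of these results should separate evidence-backed passes from defaulted ones. The following is an added example, not ThreatMetrix code: the result shape, the `REQUIRED_INPUT` mapping, its attribute names and the `review`/`incomplete`/`clear` outcomes are all assumptions made for illustration.

```python
"""Separate evidence-backed passes from pass-by-default results.
Assumed, not from the TMX API: results arrive as {assertion: "pass" | "fail"}
and REQUIRED_INPUT names the attribute each assertion needs.
"""

# Hypothetical mapping; take the real one from the TMX attribute documentation.
REQUIRED_INPUT = {
    "blacklist.ofacip": "ip_address",
    "detect.emailbehaviorcheck": "email",
    "detect.jailbreakorroot": "session_id",
    "test.apsessionidnotreplay": "session_id",
}


def classify(results, configured):
    """Label each assertion 'fail', 'pass' or 'defaulted'.

    'defaulted' is a reported pass whose required attribute was not configured.
    Assertions absent from REQUIRED_INPUT are also 'defaulted', so an unmapped
    check is never trusted silently.
    """
    labels = {}
    for name, outcome in results.items():
        if outcome == "fail":
            labels[name] = "fail"
        elif outcome != "pass":
            raise ValueError(f"unexpected outcome for {name}: {outcome!r}")
        elif REQUIRED_INPUT.get(name) in configured:
            labels[name] = "pass"
        else:
            labels[name] = "defaulted"
    return labels


def decide(results, configured, must_verify):
    """Any fail: 'review'; a must-verify check without a real pass: 'incomplete'."""
    labels = classify(results, configured)
    if "fail" in labels.values():
        return "review"
    if any(labels.get(name) != "pass" for name in must_verify):
        return "incomplete"
    return "clear"

# Constructed sample: the email attribute was never configured for the service.
SAMPLE_RESULTS = {"blacklist.ofacip": "pass", "detect.emailbehaviorcheck": "pass",
                  "test.apsessionidnotreplay": "pass"}
SAMPLE_CONFIGURED = {"ip_address", "session_id"}

if __name__ == "__main__":
    print(decide(SAMPLE_RESULTS, SAMPLE_CONFIGURED, {"detect.emailbehaviorcheck"}))
```

With the constructed sample, all three assertions report a pass, yet the email check is labelled `defaulted` and the decision is `incomplete` rather than `clear`.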
Acquired Attributes
| Acquired Attribute | Description |
|---|---|
| TrueIP | Observed external IP address |
| Platform | Platform type used (e.g., browser on computer) |
| TrueIPLatitude | Latitude derived from IP |
| AttributeAnomalyChecksReasonCodes | Reasons for attribute anomaly results |
| TrueIPCity | City derived from IP |
| OperatingSystemVersion | OS version detected |
| BiometricReasonCode | Reason biometric data was unavailable or flagged |
| TrueIPStateOrRegion | State or region derived from IP |
| BrowserLanguage | Browser language settings |
| ExactIDIPPersonaAgeMonths | Age of IP persona in months |
| TrustedPersona3MthChecksReasonCodes | Reason codes for 3-month persona trust |
| SocialEngineeringScore | Social engineering risk score |
| BiometricBotScore | Bot likelihood score from biometrics |
| EmailBehaviorChecksReasonCodes | Reason codes from email behavior analysis |
| HTMLLocationLatitude | Latitude from HTML geolocation |
| TimeZoneName | Detected time zone name |
| EntityVelocityChecksReasonCodes | Reason codes for velocity checks |
| BiometricAssessmentScore | Overall biometric assessment score |
| FuzzyDeviceID | Probabilistic device identifier |
| TrueIPGeoCountry | Country derived from IP |
| HoneypotFingerprintMatch | Honeypot fingerprint detection result |
| ScreenResolution | Screen resolution of the device |
| SessionProcessingVerdict | Processing status of the session |
| DeviceType | Type of device (e.g., desktop) |
| TrueIPRoutingType | Routing classification of IP |
| WorkflowTransactionStage | Workflow stage identifier |
| WebRTCExternalIP | External IP detected via WebRTC |
| NEATPersonaAgeMonths | NEAT persona age in months |
| TrueIPConnectionType | Network connection type |
| FuzzyDeviceIDConfidence | Confidence level of device ID |
| SmartIDBrowserstringPersonaAgeMonths | Browser string persona age |
| OperatingSystem | Detected operating system |
| TrueIPLineSpeed | Estimated IP line speed |
| BiometricAnomalyScore | Anomaly score from biometric signals |
| ProxyScore | Likelihood of proxy usage |
| SubmissionTimestamp | Timestamp of transaction submission |
| SessionVerdict | Overall session outcome |
| WorkflowTransactionStageAttempt | Attempt count for workflow stage |
| DigitalIDConfidence | Confidence score for digital ID |
| HTMLLocationLongitude | Longitude from HTML geolocation |
| TrueIPLongitude | Longitude derived from IP |
| TMXScore | ThreatMetrix risk score |
| TrueIPHostingFacility | Indicator of hosting/data center IP |
| SessionRiskRatingVerdict | Overall session risk classification |
| BrowserSpoofReason | Reason for browser spoofing detection |
| DigitalID | Unique digital identifier |
| HTMLLocationAccuracy | Accuracy of HTML geolocation |
| BatteryStatus | Device battery state |
| TimeZoneCode | Time zone offset code |
| OperatingSystemAnomaly | OS anomaly detection result |
| BiometricFraudScore | Biometric fraud risk score |
| TrueIPPostalCode | Postal code derived from IP |
