Recommendations

You can request a risk recommendation for a sensitive action a user wants to perform at a risk moment, in order to assess the risk level and respond with the suggested mitigation when needed. The Detection and Response code snippets report telemetry and user actions, and you can obtain a recommendation for any action you reported using the Recommendations API. This page describes the recommendations that may be returned and how to use them to protect accounts, depending on the use case.

Action types

You can ask for recommendations for the following types of actions, performed as part of the customer journey:

  • login
  • register
  • transaction
  • checkout
  • password_reset
  • logout
  • account_details_change
  • account_auth_change
  • withdraw
  • credits_change

Recommendation types

Recommendations tell you how to respond to a user's request to access your application. We create them in real time by applying our ML-driven detection capabilities to the given context. This allows us to suggest an approach that protects both your application and the user experience. It also means that we handle all the complexity: all you need to do is act according to the recommendation we provide.

The following types of recommendations may be returned:

Type Description
trust Trust the activity, extend the session and lower friction (e.g., by not requiring two-factor authentication). This isn't returned in the context of unknown users and devices (e.g., password reset or registration), since it usually relies on data collected over time.
allow Low risk, so no risk mitigation is needed; proceed with the regular flow.
challenge Risk mitigation is required; provide an appropriate challenge based on the use case.
deny There's a high risk of malicious activity. Don't proceed with the action, and return a generic error message, since you don't want to provide any information the attacker can use to adapt their approach or further their attack.

Challenges

Risk mitigation can be performed by providing a challenge to the user that elevates the trust. Different challenges are more suitable for different use cases. Below are some examples of how you can challenge users based on the action they want to perform.

Action Challenge
login Second-factor authentication (preferably using strong biometrics).
register Additional means such as ID verification or even an offline manual review.
checkout Second-factor authentication (preferably using strong biometrics); revoking the payment method for credit cards or third-party payment providers; re-entering the CVV for cards on file; 3DS for credit-card transactions; ID verification for high-security cases; or manual review for high-cost checkouts.
password_reset Email or SMS verification, or have the user contact a call center for manual review.
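The following is an added example (not code from the Transmit Security documentation) of how an application might turn a recommendation type and an action type into a concrete response, following the recommendation and challenge tables above. The recommendation and action type names are the ones listed on this page; the mitigation identifiers such as "mfa_biometric" or "3ds", the one-minute fallback challenge and the `Decision` structure are assumptions for this example and would map onto whatever step-up mechanisms your application implements.

```python
"""Map a Detection and Response recommendation to a concrete mitigation.

Added example, not code from the Transmit Security documentation. The
recommendation and action type names come from the page; the mitigation
identifiers below are hypothetical names for your own step-up mechanisms.
"""
from dataclasses import dataclass, field
from typing import List

RECOMMENDATION_TYPES = {"trust", "allow", "challenge", "deny"}
ACTION_TYPES = {
    "login", "register", "transaction", "checkout", "password_reset",
    "logout", "account_details_change", "account_auth_change",
    "withdraw", "credits_change",
}

# Per-action challenge menu, following the page's Challenges table.
# The values are assumed identifiers, not part of the API.
CHALLENGES = {
    "login": ["mfa_biometric"],
    "register": ["id_verification", "manual_review"],
    "checkout": ["mfa_biometric", "revoke_payment_method", "reenter_cvv",
                 "3ds", "id_verification", "manual_review"],
    "password_reset": ["email_verification", "sms_verification",
                       "call_center_review"],
}
# Assumed fallback for actions the page gives no specific challenge for.
DEFAULT_CHALLENGE = ["mfa_biometric"]

# Generic message for deny: reveals nothing an attacker could adapt to.
GENERIC_ERROR = "We couldn't complete your request. Please try again later."


@dataclass
class Decision:
    outcome: str                       # "proceed", "challenge" or "block"
    extend_session: bool = False       # only set for "trust"
    skip_second_factor: bool = False   # only set for "trust"
    challenges: List[str] = field(default_factory=list)
    error_message: str = ""


def decide(action_type: str, recommendation_type: str) -> Decision:
    """Translate (action type, recommendation type) into what the app should do.

    Unknown recommendation types fail closed and are treated like "deny",
    so a value added to the API later can never silently become "allow".
    """
    if action_type not in ACTION_TYPES:
        raise ValueError(f"unsupported action type: {action_type!r}")

    if recommendation_type == "trust":
        # Trusted: lower friction and extend the session.
        return Decision(outcome="proceed", extend_session=True,
                        skip_second_factor=True)
    if recommendation_type == "allow":
        # Low risk: regular flow, including whatever 2FA policy normally applies.
        return Decision(outcome="proceed")
    if recommendation_type == "challenge":
        # Step up with a challenge appropriate to the action being performed.
        return Decision(outcome="challenge",
                        challenges=list(CHALLENGES.get(action_type, DEFAULT_CHALLENGE)))
    # "deny", and anything unrecognised: stop, and say nothing specific.
    return Decision(outcome="block", error_message=GENERIC_ERROR)
```

The fail-closed branch matters in practice: if the API ever returns a type the integration does not know, the safe default is the same behaviour as deny, not allow.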

Reasons

Along with the recommendation, reasons are provided to explain why the recommendation was returned and to provide transparency. A reason's prefix indicates its category, and not every reason applies to every action and use case. The reasons are relevant for all platforms (Web, Android, iOS) unless stated otherwise.

Note

Recommendations are all you need to make your decisions. You don't need to act on the reasons.

Here are some examples of reasons that may be provided (which may change over time):

Reason Description
ACTION_IS_LEGIT The user's action appears legitimate.
ACTION_IS_SUSPECTED_FRAUD This action is assumed to be fraudulent with high confidence (most commonly associated with new account fraud).
BEHAVIOR_BOT_TYPING Indicates that the user's typing matches known typing patterns of bots and automated tools.
BEHAVIOR_BOT Indicates bot activity, such as very fast typing speed or no mouse movement before clicks.
BEHAVIOR_INHUMAN_INPUT Indicates that a non-human interaction has been detected, due to either fast typing speed or very low variance between typing actions.
BEHAVIOR_SUSPICIOUS_INPUT Indicates suspicious user input before the action is taken, such as no input at all, or input that was only pasted during account registration.
BEHAVIOR_SUSPICIOUS_MOVEMENT Indicates suspicious mouse movement before the mouse click, such as no movement at all or only a short movement.
DEVICE_BOT Indicates bot activity, such as use of a headless web browser or automated interactions.
DEVICE_COOKIE_REUSED Indicates cookie hijacking, since an identical device ID was sent from more than one device.
DEVICE_EMULATED_GPU Indicates that suspicious graphics card attributes have been detected, produced by either emulation or generation.
DEVICE_EMULATOR Indicates that a device emulator is being used, such as unexpected mobile attributes or browser attributes that do not match the device's OS.
DEVICE_HISTORY_SUSPICIOUS_FINGERPRINT Indicates use of a device fingerprint that was associated with fraudulent activity in the past.
DEVICE_IMPOSSIBLE_TRAVEL The device's location changed faster than possible, for example, a device is located in the UK 15 minutes after it was located in the US.
DEVICE_INCOGNITO_BROWSER Indicates usage of an incognito browsing session.
DEVICE_OLD_VERSION An old, less secure browser version is being used.
DEVICE_ORIGIN_ANOMALY Indicates browsing to an unknown, and therefore high-risk, URL. Commonly associated with phishing website activity.
DEVICE_PAYEE_VELOCITY This device was used to make payments to an unusually high number of different payees in a short period of time.
DEVICE_PAYER_VELOCITY This device was used by an unusually high number of different users to make payments in a short period of time.
DEVICE_PLATFORM_ANOMALY Unexpected platform attributes were reported by the device, which may indicate fraudulent activity.
DEVICE_PLATFORM_AUTOMATION Indicates an automation framework was detected on the device, such as Appium.
DEVICE_PRIVATE_BROWSER Indicates usage of a private browser.
DEVICE_PROFILE_VELOCITY Indicates an abnormally high rate of events coming from the same device within a short period of time; these could be across multiple user accounts.
DEVICE_RISKY_REPUTATION Indicates a device that has previously been associated with fraud.
DEVICE_ROOTED (iOS and Android only) Indicates an unlocked and jailbroken device; this introduces risk because it allows access to sensitive configuration.
DEVICE_SPOOFED The device is being spoofed (trying to hide its real identity), as indicated by the use of a modified user agent.
DEVICE_SUSPECTED_BOT The activity is assumed, with high probability, to originate from a bot or an automated tool.
DEVICE_SUSPICIOUS_CPU_CORE Indicates suspicious CPU attributes, such as an odd number of CPU cores where a power of 2 is expected.
DEVICE_SUSPICIOUS_DISPLAY Indicates suspicious device display settings related to resolution, color depth, fonts, or similar.
DEVICE_SUSPICIOUS_LANGUAGE Indicates a device that uses an anomalous language, e.g., an uncommon language or one that was never seen before.
DEVICE_SUSPICIOUS_NETWORK Indicates suspicious network configuration on the browser or application, such as disabled WebRTC on browsers.
DEVICE_SUSPICIOUS_PLATFORM Indicates a suspicious device or operating system configuration was detected, for example, the operating system doesn't match the physical device type.
DEVICE_SUSPICIOUS_TIMEZONE Indicates a suspicious timezone since it doesn't match either the IP location or application history.
DEVICE_SUSPICIOUS_USERAGENT Indicates that a user agent is associated with an automated tool that is likely to be utilized by a bot.
DEVICE_SUSPICIOUS_VELOCITY Two or more users are using the same device.
DEVICE_TAKEOVER Indicates a device is being controlled remotely, such as anomalies in user interactions.
DEVICE_TAMPERED (iOS and Android only) Indicates that a device's software or hardware has been modified; for example, cloning apps are deployed or the device has been rooted.
DEVICE_VM Indicates use of a VM, such as when an emulated GPU is detected, there is an odd number of device cores, or the device's screen resolution is unusual.
IP_ACTION_VELOCITY Indicates an abnormally high rate of events coming from the same IP in a short period of time.
IP_COUNTRY_BLOCKED The originating IP is from a blocked country.
IP_IS_BIZ The originating IP is registered to a business organization.
IP_IS_GOV The originating IP is owned by a government organization.
IP_IS_MIL The originating IP is owned by a military organization.
IP_IS_VPN The originating IP is masked by a VPN.
IP_PAYER_VELOCITY The originating IP was used by an unusually high number of different users to make payments within a short period of time.
IP_RISKY_ANONYMIZE The originating IP is associated with a high-risk network, such as a proxy, VPN, Tor, or other anonymizing network.
IP_RISKY_REPUTATION The originating IP is suspicious, such as use of the Tor network or IPs regarded as unsafe.
IP_TRUSTED The originating IP has previously been listed with a high reputation by Transmit Security.
PROFILE_ACTION_VELOCITY Indicates an abnormally high rate of events coming from the same user profile within a short period of time; these can be from multiple action types.
PROFILE_ACTIVITY_ANOMALY The user activity is considered anomalous for the user’s profile.
PROFILE_DEVICE_ANOMALY The device attributes are considered anomalous for the user’s profile.
PROFILE_DEVICE_FAMILIAR_MODEL The device model (for example, iPhone 13) is considered to be familiar, such as a new device that is the same model as a known previous device for this user.
PROFILE_DEVICE_FAMILIAR The device is considered to be familiar for this user profile.
PROFILE_DEVICE_NEW The device is considered to be new for this user profile.
PROFILE_DEVICE_VELOCITY Indicates an abnormally high rate of events coming from multiple devices connecting to a single, likely breached, user profile in a short period of time.
PROFILE_FAMILIAR A previously established user profile aligns with the observed behavior of the user.
PROFILE_IMPOSSIBLE_TRAVEL The user's location changed faster than possible, for example, a device is located in the UK 15 minutes after it was located in the US.
PROFILE_IP_FAMILIAR The originating IP is considered to be familiar for the user profile.
PROFILE_LOCATION_ANOMALY The user location is considered anomalous for the user’s profile.
PROFILE_LOCATION_NEW The device's location (determined by IP) is considered to be new.
PROFILE_NETWORK_ANOMALY The user network is considered anomalous for the user’s profile.
PROFILE_TRUSTED The user's action appears legitimate considering historical user profile and activity.
USER_PROFILE_ANOMALY Indicates there has been anomalous behavior compared to the user's historical profile.
USER_TRUSTED The user profile has previously been listed with a high reputation by Transmit Security.

Risk signals

Risk signals provide insight into specific indicators, such as a proxy or VPN connection being used. You can check which indicators have been verified, as well as their state. Unlike reasons, which take into account a combination of telemetry data, signals are discrete and focus on specific risk factors.

Note

Recommendations are all you need to make your decisions. You don't need to act on the risk signals.

Example

Here's an example of a challenge recommendation:

{
  "id": "385cd06b527a974982e0560b67123fe2b1b5a39fd98d8d32cdbaca8ec16fd62d",
  "issued_at": 1648028118123,
  "recommendation": {
    "type": "challenge"
  },
  "risk_score": 73.2,
  "context": {
    "action_id": "885cd06b527a97498200560b67123fe221b5a39fd98d8d22cdb7ca8ec16ed62d",
    "action_type": "login",
    "action_performed_at": 1648028118123,
    "device_id": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIwZGE4ZmZjYy01NmE1LTRmMjgtYThkZi04NDY5MmYwYThmYTAiLCJ2ZXJzaW9uIjoxLCJpYXQiOjE2NTU3OTYzODQ1MzF9.TeGoqlCe_6eWzl9a3-vAumG4Xap8WjwsgcO2-DzGtLg",
    "device_fingerprint": "a3c8f5ea75cb65fcdc3d0452b985f957a46e24afdc912e93dac1e115ecf408e5",
    "user_id": "5c4afa75c",
    "application_id": "ece93f4",
    "device_timezone": "America/Los_Angeles",
    "device_platform": "desktop",
    "os_name": "macOS",
    "browser_name": "Chrome"
  },
  "risk_signals": {
    "device": {
      "incognito": false,
      "tampered": false,
      "emulated": true,
      "spoofed": false,
      "tz_mismatch": true
    },
    "network": {
      "vpn": false,
      "tor": true,
      "hosting": false,
      "proxy": true,
      "anonymizer": false
    },
    "behavior": {
      "typing_velocity": 0.867,
      "input_method": [
        "is_paste"
      ],
      "no_user_interaction": true
    }
  },
  "reasons": [
    "BEHAVIOR_BOT",
    "IP_RISKY_REPUTATION",
    "DEVICE_SUSPICIOUS_PLATFORM",
    "PROFILE_DEVICE_NEW"
  ]
}
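As an added example (not code from the Transmit Security documentation), here is how an integration might parse and sanity-check a response like the one above before acting on its recommendation type. The embedded response is a copy of the sample shown on this page. Two checks are assumptions about good integration practice rather than documented API behaviour: that `context.action_id` must match the action the application itself reported, and that a recommendation older than `MAX_AGE_MS` is refused. The helper also flattens the risk signals and reasons so they can be logged for investigation, while the decision itself is still driven only by `recommendation.type`, as the notes above advise.

```python
"""Parse and validate a Recommendations API response before acting on it.

Added example, not code from the Transmit Security documentation. The
action-id binding and the freshness window are assumed integration checks.
"""
import json
from typing import Any, Dict, List

RECOMMENDATION_TYPES = {"trust", "allow", "challenge", "deny"}
MAX_AGE_MS = 60_000  # assumption: refuse recommendations older than one minute

# Constructed copy of the sample response shown on this page.
SAMPLE_RESPONSE = """{
  "id": "385cd06b527a974982e0560b67123fe2b1b5a39fd98d8d32cdbaca8ec16fd62d",
  "issued_at": 1648028118123,
  "recommendation": {"type": "challenge"},
  "risk_score": 73.2,
  "context": {
    "action_id": "885cd06b527a97498200560b67123fe221b5a39fd98d8d22cdb7ca8ec16ed62d",
    "action_type": "login",
    "action_performed_at": 1648028118123,
    "device_id": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIwZGE4ZmZjYy01NmE1LTRmMjgtYThkZi04NDY5MmYwYThmYTAiLCJ2ZXJzaW9uIjoxLCJpYXQiOjE2NTU3OTYzODQ1MzF9.TeGoqlCe_6eWzl9a3-vAumG4Xap8WjwsgcO2-DzGtLg",
    "device_fingerprint": "a3c8f5ea75cb65fcdc3d0452b985f957a46e24afdc912e93dac1e115ecf408e5",
    "user_id": "5c4afa75c",
    "application_id": "ece93f4",
    "device_timezone": "America/Los_Angeles",
    "device_platform": "desktop",
    "os_name": "macOS",
    "browser_name": "Chrome"
  },
  "risk_signals": {
    "device": {"incognito": false, "tampered": false, "emulated": true, "spoofed": false, "tz_mismatch": true},
    "network": {"vpn": false, "tor": true, "hosting": false, "proxy": true, "anonymizer": false},
    "behavior": {"typing_velocity": 0.867, "input_method": ["is_paste"], "no_user_interaction": true}
  },
  "reasons": ["BEHAVIOR_BOT", "IP_RISKY_REPUTATION", "DEVICE_SUSPICIOUS_PLATFORM", "PROFILE_DEVICE_NEW"]
}"""
SAMPLE_ACTION_ID = "885cd06b527a97498200560b67123fe221b5a39fd98d8d22cdb7ca8ec16ed62d"


def active_signals(signals: Dict[str, Dict[str, Any]]) -> List[str]:
    """Flatten risk_signals to the boolean indicators that are set, as group.name."""
    found = []
    for group, values in signals.items():
        for name, value in values.items():
            if value is True:  # skip non-boolean signals such as typing_velocity
                found.append(f"{group}.{name}")
    return sorted(found)


def parse_recommendation(body: str, expected_action_id: str, now_ms: int) -> Dict[str, Any]:
    """Parse the JSON body and enforce basic integrity checks.

    Raises ValueError instead of returning a default, so a malformed, stale
    or mismatched response can never be mistaken for an allow.
    """
    data = json.loads(body)

    rec_type = data.get("recommendation", {}).get("type")
    if rec_type not in RECOMMENDATION_TYPES:
        raise ValueError(f"unknown recommendation type: {rec_type!r}")

    ctx = data.get("context", {})
    if ctx.get("action_id") != expected_action_id:
        raise ValueError("recommendation does not belong to the reported action")

    issued_at = data.get("issued_at")
    if not isinstance(issued_at, int) or now_ms - issued_at > MAX_AGE_MS:
        raise ValueError("recommendation is stale or carries no issue time")

    return {
        "type": rec_type,                       # the only field the decision uses
        "action_type": ctx.get("action_type"),
        "risk_score": data.get("risk_score"),
        "reasons": list(data.get("reasons", [])),       # for logging only
        "active_signals": active_signals(data.get("risk_signals", {})),
    }


if __name__ == "__main__":
    # Pretend the check happens one second after the recommendation was issued.
    print(parse_recommendation(SAMPLE_RESPONSE, SAMPLE_ACTION_ID, 1648028118123 + 1_000))
```

For the sample above this yields type "challenge" with five active signals (device.emulated, device.tz_mismatch, network.proxy, network.tor and behavior.no_user_interaction), which is the kind of context worth keeping in your audit log alongside the challenge outcome.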