Recommendations
You can get a risk recommendation for a sensitive action your users want to perform in a risk moment, in order to assess the risk level and respond with the suggested mitigation strategy when needed. Detection and Response code snippets report telemetry and user actions, and you can obtain a recommendation for any action you reported using the Recommendations API. This page describes the various recommendations that may be returned and how you'd use them to protect accounts, based on the use case.
Action types
You can ask for recommendations for the following types of actions, performed as part of the customer journey:
- login
- register
- transaction
- checkout
- password_reset
- logout
- account_details_change
- account_auth_change
- withdraw
- credits_change
Recommendation types
Recommendations tell you how to respond to your user's request to access your application. We create them in real-time by applying our advanced, ML-driven detection capabilities to the given context. This allows us to suggest an accurate approach that protects both your application and the user experience. It also means that we handle all the complexity, so all you need to do is act according to the recommendation we provide.
The following types of recommendations may be returned:
| Type | Description |
|---|---|
| trust | Trust the activity, extend the session and lower friction (e.g., by not requiring two-factor authentication). This isn't returned in the context of unknown users and devices (e.g., password reset or registration) since it usually relies on data collected over time. |
| allow | Low risk, so no risk mitigation is needed; proceed with the regular flow. |
| challenge | Risk mitigation is required; provide an appropriate challenge based on the use case. |
| deny | There's a high risk of malicious activity. Don't proceed with the action, and return a generic error message, since you don't want to provide any information the attacker can use to adapt their approach or further their attack. |
Challenges
Risk mitigation can be performed by providing a challenge to the user that elevates the trust. Different challenges are more suitable for different use cases. Below are some examples of how you can challenge users based on the action they want to perform.
| Action | Challenge |
|---|---|
| login | Second-factor authentication (preferably using strong biometrics). |
| register | Additional means such as ID verification or even an offline manual review. |
| checkout | Second-factor authentication (preferably using strong biometrics), revoking the payment method for credit cards or third-party payment providers, re-entering the CVV for cards on file, 3DS for credit card transactions, ID verification for high-security cases, or manual review for high-cost checkouts. |
| password_reset | Email or SMS verification, or have the user contact a call center for a manual review. |
Reasons
Along with the recommendation, reasons are provided to explain why the recommendation was returned and provide transparency. The prefix of the reason indicates the category of reason, and not every reason is applicable to each action and use case. The reasons are relevant for all platforms (Web, Android, iOS) unless stated otherwise.
Note
Recommendations are all you need to make your decisions. You don't need to act on the reasons.
Here are some examples of reasons that may be provided (which may change over time):
| Reason | Description |
|---|---|
| ACTION_IS_LEGIT | The user's action appears legitimate. |
| ACTION_IS_SUSPECTED_FRAUD | This action is assumed to be fraudulent with high confidence (most commonly associated with new account fraud). |
| BEHAVIOR_BOT_TYPING | Indicates that the user's typing matches known typing patterns of bots and automated tools. |
| BEHAVIOR_BOT | Indicates bot activity, such as very fast typing speed or no mouse movement before clicks. |
| BEHAVIOR_INHUMAN_INPUT | Indicates a non-human interaction has been detected, due to either fast typing speed or very low variance between typing actions. |
| BEHAVIOR_SUSPICIOUS_INPUT | Indicates suspicious user input before the action is taken, such as no input at all or pasting only on account registration. |
| BEHAVIOR_SUSPICIOUS_MOVEMENT | Indicates suspicious mouse movement before a mouse click, such as no movement at all or only short movement. |
| DEVICE_BOT | Indicates bot activity, such as use of a headless web browser or automated interactions. |
| DEVICE_COOKIE_REUSED | Indicates cookie hijacking, as an identical device ID was sent from more than one device. |
| DEVICE_EMULATED_GPU | Indicates suspicious graphics card attributes have been detected, due to either emulation or generation. |
| DEVICE_EMULATOR | Indicates that a device emulator is being used, such as unexpected mobile attributes or browser attributes that do not match the device's OS. |
| DEVICE_HISTORY_SUSPICIOUS_FINGERPRINT | Indicates use of a device fingerprint that was associated with fraudulent activity in the past. |
| DEVICE_IMPOSSIBLE_TRAVEL | The device's location changed faster than possible, for example, a device is located in the UK 15 minutes after it was located in the US. |
| DEVICE_INCOGNITO_BROWSER | Indicates usage of an incognito browsing session. |
| DEVICE_OLD_VERSION | An old, less secure browser version is being used. |
| DEVICE_ORIGIN_ANOMALY | Indicates browsing to an unknown, hence high-risk, URL. Commonly associated with phishing website activity. |
| DEVICE_PAYEE_VELOCITY | This device was used to make payments to an unusually high number of different payees in a short period of time. |
| DEVICE_PAYER_VELOCITY | This device was used by an unusually high number of different users to make payments in a short period of time. |
| DEVICE_PLATFORM_ANOMALY | Unexpected platform attributes were reported by the device, which may indicate fraudulent activity. |
| DEVICE_PLATFORM_AUTOMATION | Indicates an automation framework was detected on the device, such as Appium. |
| DEVICE_PRIVATE_BROWSER | Indicates usage of a private browser. |
| DEVICE_PROFILE_VELOCITY | Indicates an abnormally high rate of events coming from the same device within a short period of time; these could be across multiple user accounts. |
| DEVICE_RISKY_REPUTATION | Indicates a device that has previously been associated with fraud. |
| DEVICE_ROOTED | (iOS and Android only) Indicates an unlocked, jailbroken device; this introduces risk as it allows access to sensitive configuration. |
| DEVICE_SPOOFED | The device is being spoofed (trying to hide its real identity), as indicated by the use of a modified user agent. |
| DEVICE_SUSPECTED_BOT | The activity is assumed, with high probability, to originate from a bot or an automated tool. |
| DEVICE_SUSPICIOUS_CPU_CORE | Indicates suspicious CPU attributes, such as an odd number of CPU cores where a power of 2 is expected. |
| DEVICE_SUSPICIOUS_DISPLAY | Indicates suspicious device display settings related to resolution, color depth, fonts, or other display attributes. |
| DEVICE_SUSPICIOUS_LANGUAGE | Indicates a device that uses an anomalous language, e.g., an uncommon language or one that was never seen before. |
| DEVICE_SUSPICIOUS_NETWORK | Indicates suspicious network configuration on the browser or application, such as disabled WebRTC on browsers. |
| DEVICE_SUSPICIOUS_PLATFORM | Indicates a suspicious device or operating system configuration was detected, for example, the operating system doesn't match the physical device type. |
| DEVICE_SUSPICIOUS_TIMEZONE | Indicates a suspicious timezone, since it doesn't match either the IP location or the application history. |
| DEVICE_SUSPICIOUS_USERAGENT | Indicates that the user agent is associated with an automated tool that is likely to be utilized by a bot. |
| DEVICE_SUSPICIOUS_VELOCITY | Two or more users are using the same device. |
| DEVICE_TAKEOVER | Indicates a device is being controlled remotely, as suggested by anomalies in user interactions. |
| DEVICE_TAMPERED | (iOS and Android only) Indicates a device's software or hardware has been modified, for example, cloning apps are deployed or the device has been rooted. |
| DEVICE_VM | Indicates use of a VM, such as when an emulated GPU is detected, there is an odd number of device cores, or the device's screen resolution is unusual. |
| IP_ACTION_VELOCITY | Indicates an abnormally high rate of events coming from the same IP in a short period of time. |
| IP_COUNTRY_BLOCKED | The originating IP is from a blocked country. |
| IP_IS_BIZ | The originating IP is registered to a business organization. |
| IP_IS_GOV | The originating IP is owned by a government organization. |
| IP_IS_MIL | The originating IP is owned by a military organization. |
| IP_IS_VPN | The originating IP is masked by a VPN. |
| IP_PAYER_VELOCITY | The originating IP was used by an unusually high number of different users to make payments within a short period of time. |
| IP_RISKY_ANONYMIZE | The originating IP is associated with a high-risk network, such as a proxy, VPN, Tor, or other anonymizing network. |
| IP_RISKY_REPUTATION | The originating IP is suspicious, such as use of the Tor network or IPs regarded as unsafe. |
| IP_TRUSTED | The originating IP has previously been listed with a high reputation by Transmit Security. |
| PROFILE_ACTION_VELOCITY | Indicates an abnormally high rate of events coming from the same user profile within a short period of time; these can be from multiple action types. |
| PROFILE_ACTIVITY_ANOMALY | The user activity is considered anomalous for the user's profile. |
| PROFILE_DEVICE_ANOMALY | The device attributes are considered anomalous for the user's profile. |
| PROFILE_DEVICE_FAMILIAR_MODEL | The device model (for example, iPhone 13) is considered to be familiar, such as a new device that is the same model as a known previous device for this user. |
| PROFILE_DEVICE_FAMILIAR | The device is considered to be familiar for this user profile. |
| PROFILE_DEVICE_NEW | The device is considered to be new for this user profile. |
| PROFILE_DEVICE_VELOCITY | Indicates an abnormally high rate of events coming from multiple devices connecting to a single, likely breached, user profile in a short period of time. |
| PROFILE_FAMILIAR | A previously established user profile aligns with the observed behavior of the user. |
| PROFILE_IMPOSSIBLE_TRAVEL | The user's location changed faster than possible, for example, a device is located in the UK 15 minutes after it was located in the US. |
| PROFILE_IP_FAMILIAR | The originating IP is considered to be familiar for the user profile. |
| PROFILE_LOCATION_ANOMALY | The user location is considered anomalous for the user's profile. |
| PROFILE_LOCATION_NEW | The device's location (determined by IP) is considered to be new. |
| PROFILE_NETWORK_ANOMALY | The user network is considered anomalous for the user's profile. |
| PROFILE_TRUSTED | The user's action appears legitimate considering the historical user profile and activity. |
| USER_PROFILE_ANOMALY | Indicates there has been anomalous behavior compared to the user's historical profile. |
| USER_TRUSTED | The user profile has previously been listed with a high reputation by Transmit Security. |
Risk signals
Risk signals provide insights on specific indicators, such as a proxy or VPN connection being used. You can check which indicators have been verified as well as their state. Unlike reasons, which take into account a combination of telemetry data, signals are discrete and focus on specific risk factors.
Note
Recommendations are all you need to make your decisions. You don't need to act on the risk signals.
Example
Here's an example of a challenge recommendation:
```json
{
  "id": "385cd06b527a974982e0560b67123fe2b1b5a39fd98d8d32cdbaca8ec16fd62d",
  "issued_at": 1648028118123,
  "recommendation": {
    "type": "challenge"
  },
  "risk_score": 73.2,
  "context": {
    "action_id": "885cd06b527a97498200560b67123fe221b5a39fd98d8d22cdb7ca8ec16ed62d",
    "action_type": "login",
    "action_performed_at": 1648028118123,
    "device_id": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIwZGE4ZmZjYy01NmE1LTRmMjgtYThkZi04NDY5MmYwYThmYTAiLCJ2ZXJzaW9uIjoxLCJpYXQiOjE2NTU3OTYzODQ1MzF9.TeGoqlCe_6eWzl9a3-vAumG4Xap8WjwsgcO2-DzGtLg",
    "device_fingerprint": "a3c8f5ea75cb65fcdc3d0452b985f957a46e24afdc912e93dac1e115ecf408e5",
    "user_id": "5c4afa75c",
    "application_id": "ece93f4",
    "device_timezone": "America/Los_Angeles",
    "device_platform": "desktop",
    "os_name": "macOS",
    "browser_name": "Chrome"
  },
  "risk_signals": {
    "device": {
      "incognito": false,
      "tampered": false,
      "emulated": true,
      "spoofed": false,
      "tz_mismatch": true
    },
    "network": {
      "vpn": false,
      "tor": true,
      "hosting": false,
      "proxy": true,
      "anonymizer": false
    },
    "behavior": {
      "typing_velocity": 0.867,
      "input_method": [
        "is_paste"
      ],
      "no_user_interaction": true
    }
  },
  "reasons": [
    "BEHAVIOR_BOT",
    "IP_RISKY_REPUTATION",
    "DEVICE_SUSPICIOUS_PLATFORM",
    "PROFILE_DEVICE_NEW"
  ]
}
```
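The following is an added example of how an application might consume a response like the one above, covering the recommendation types and the per-action challenges described earlier on this page. It is not Transmit Security's SDK or sample code. The challenge labels (`second_factor_biometric`, `reenter_cvv`, and so on), the `decide` function, the five-minute staleness limit, and the check that the response's `context.action_id` matches the action the application reported are all this example's own assumptions; the API itself only promises the four recommendation types. Reasons and risk signals are copied into an audit record and never drive the decision, matching the page's note that recommendations alone are what you act on. The embedded sample is the page's example response, abbreviated.

```python
"""Turn a Detection and Response recommendation into an application decision.

Added example: this is not Transmit Security's SDK. It implements the
response policy described on this page (trust/allow/challenge/deny, with
challenges chosen per action type) and adds its own fail-closed checks.
"""
import json
import time
from dataclasses import dataclass, field
from typing import Optional

# Recommendation types documented on this page; anything else fails closed.
KNOWN_TYPES = {"trust", "allow", "challenge", "deny"}

# Challenge per action type, following the "Challenges" table. The labels are
# this example's own; the application maps them to its real flows (assumption).
CHALLENGE_FOR_ACTION = {
    "login": ["second_factor_biometric"],
    "register": ["id_verification", "manual_review"],
    "checkout": ["second_factor_biometric", "reenter_cvv", "3ds"],
    "password_reset": ["email_or_sms_verification"],
}
DEFAULT_CHALLENGE = ["second_factor_biometric"]

# For deny, a generic message that gives an attacker nothing to adapt to.
GENERIC_ERROR = "Something went wrong. Please try again later."

# Assumption: recommendations older than this are treated as stale.
MAX_AGE_MS = 5 * 60 * 1000

# The page's own example response, abbreviated for this example.
ACTION_ID = "885cd06b527a97498200560b67123fe221b5a39fd98d8d22cdb7ca8ec16ed62d"
ISSUED_AT = 1648028118123
SAMPLE = """{
  "id": "385cd06b527a974982e0560b67123fe2b1b5a39fd98d8d32cdbaca8ec16fd62d",
  "issued_at": 1648028118123,
  "recommendation": {"type": "challenge"},
  "risk_score": 73.2,
  "context": {
    "action_id": "885cd06b527a97498200560b67123fe221b5a39fd98d8d22cdb7ca8ec16ed62d",
    "action_type": "login",
    "user_id": "5c4afa75c",
    "device_platform": "desktop"
  },
  "risk_signals": {
    "device": {"incognito": false, "emulated": true, "tz_mismatch": true},
    "network": {"vpn": false, "tor": true, "proxy": true},
    "behavior": {"typing_velocity": 0.867, "input_method": ["is_paste"],
                 "no_user_interaction": true}
  },
  "reasons": ["BEHAVIOR_BOT", "IP_RISKY_REPUTATION",
              "DEVICE_SUSPICIOUS_PLATFORM", "PROFILE_DEVICE_NEW"]
}"""


@dataclass
class Decision:
    outcome: str                      # "proceed", "challenge" or "deny"
    extend_session: bool = False      # trust only
    skip_second_factor: bool = False  # trust only
    challenges: list = field(default_factory=list)
    user_message: str = ""
    audit: dict = field(default_factory=dict)


def decide(raw: str, expected_action_id: str,
           now_ms: Optional[int] = None) -> Decision:
    """Map a recommendation JSON document to what the application should do."""
    rec = json.loads(raw)
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    ctx = rec.get("context", {})
    rtype = rec.get("recommendation", {}).get("type")

    # Reasons and risk signals are recorded for transparency only; the
    # decision below depends on the recommendation type alone.
    audit = {
        "recommendation_id": rec.get("id"),
        "type": rtype,
        "risk_score": rec.get("risk_score"),
        "reasons": list(rec.get("reasons", [])),
        "risk_signals": rec.get("risk_signals", {}),
    }

    def deny(cause: str) -> Decision:
        return Decision("deny", user_message=GENERIC_ERROR,
                        audit={**audit, "deny_cause": cause})

    # Consistency checks (this example's policy, not an API requirement): the
    # recommendation must match the action we reported and must not be stale.
    if ctx.get("action_id") != expected_action_id:
        return deny("action_id_mismatch")
    if now_ms - int(rec.get("issued_at", 0)) > MAX_AGE_MS:
        return deny("stale_recommendation")
    if rtype not in KNOWN_TYPES:
        return deny("unknown_recommendation_type")

    if rtype == "trust":
        return Decision("proceed", extend_session=True,
                        skip_second_factor=True, audit=audit)
    if rtype == "allow":
        return Decision("proceed", audit=audit)
    if rtype == "challenge":
        action = ctx.get("action_type", "")
        return Decision("challenge", audit=audit,
                        challenges=CHALLENGE_FOR_ACTION.get(action, DEFAULT_CHALLENGE))
    return deny("recommendation_deny")


if __name__ == "__main__":
    d = decide(SAMPLE, ACTION_ID, now_ms=ISSUED_AT + 1000)
    print(d.outcome, d.challenges, d.audit["reasons"])
```

Run against the page's sample, `decide` returns a `challenge` decision carrying the login challenge, while the audit record keeps the four reasons and the signals (`tor`, `proxy`, `emulated`) for later review. A mismatched action id, a stale `issued_at`, or a recommendation type the page does not document all resolve to `deny` with the same generic user message, so a malformed or replayed response can never lower friction.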