The Decision engine view consists of 2 parts:


Accept/Refuse lists

This view shows all lists configured in your application. Each list should be connected to a "List-based rule". Here you can see which recommendation the connected rules produce in case of a match. Depending on the connected rule, there are three main types of lists:

A Refuse list is a list connected to a List-based rule that generates a refuse recommendation on a match.

A Review list is a list connected to a List-based rule that generates a review recommendation on a match.

An Accept list is a list connected to a List-based rule that generates either an overriding_accept or an accept recommendation on a match. This ensures that the transaction will always be accepted and the results of other rules will be ignored.


  • Please note that creating a list alone has no effect; a list only contains elements. To use a list in the decision logic, a rule must be connected to it.
  • The Review list will create a review recommendation; however, on the transaction it will be treated as a refusal and the payment will be rejected. Handling of the review recommendation on a payment has to be treated individually. Contact Helpdesk to support this use case.



Creating a new list

By clicking 'Create a new list' you can add a new list.


To create a new list, it is necessary to input:

You can also create a list when creating a list-based rule; for details, please check List-based rule.

List details

By clicking on a list, you can go directly to the list details and view:



You can inspect both active and expired list elements by switching between the corresponding tabs. You can also delete a single item from the list or use the batch deleting functionality, which lets you delete multiple items at once. The search bar helps you find specific items.

You can also delete items from lists by clicking the 'Delete' button on the right. You will be asked for confirmation before an element is deleted.

In the top right corner, you can find the "Add element" button.


You can add multiple items at once. Elements can also be provided to the Panel by pasting them from the clipboard, separated by new lines.

The types of data that can be added to a list depend on your platform's API integration. Typically, they include:

Rules

The view shows all Rule Sets configured in your application with basic information:

You can edit these rule set parameters by clicking the Edit button on the rule set view. It will open the following edit pane:

To add a new rule set, click the 'Add new rule set' button at the bottom of the view.

Adding new rule set

After clicking the 'Add new rule set' button, the window for adding a new rule set opens:


Enter a name for the rule set, choose an initial state and strategy, and add some rule set run conditions.

You can add more run conditions by clicking the '+ AND' button:



The rule set is created immediately after clicking the 'Save' button.

Rule set states

Rule set states can take the following values:

Strategies

If at least one rule returns overriding_accept, the final recommendation is always accept (all others are overridden), regardless of the configured strategy.

Strategy "worst case" - a set returns the worst of its rules' recommendations:

Strategy "best case" - a set returns the best of its rules' recommendations:

The system gives the final recommendation based on the sets' recommendations. The applied strategy is always the 'worst case' strategy (however, "overriding_accept" still overrides).

You can see the results of the decision engine in the Decision Logic widget in the inquiry view.

Run conditions

Run conditions are simple selectors which indicate when the rule set should run. If you want to launch different sets of rules for different use cases (e.g. a different country or origin), selectors make this possible. They are based on tags assigned to an inquiry, and there are two types of condition configuration:

A rule set is executed when all tag-based conditions are fulfilled.

Rule set details

By pressing the icon with the number of rules in a specific rule set, you can go directly to the rule set summary.

The view shows a list of rules configured in this set. You can also see deactivated rules in the 'Deactivated rules' tab. Note that these rules will not be triggered.

If you'd like to try out a rule, you can set it to 'Simulation Mode'. The rule icon turns grey. The rule is still executed; however, its outcome is not taken into account when calculating the final result.

You can edit a rule by clicking on it or create a new one using the 'Add rule' button.

Adding new rule

The first step in rule creation is to select a rule type. Rule types are grouped into two categories: Basic and Advanced.

The basic group contains the most frequently used rule types. Each of those types has a dedicated, user-friendly interface.

The advanced group contains a catalog of all other rules available in the system. Those rules have names in a technical format and the edit interface is based on a simple text editor.


There are 4 types of basic rules:

Each rule can be set as:

Please note that the rule set state takes priority over a single rule's state.

Rule Set \ Rule   | Inactive  | Active     | Simulation
Inactive          | Inactive  | Inactive   | Inactive
Active            | Inactive  | Active     | Simulation
Simulation        | Inactive  | Simulation | Simulation

Logical Statement Rule

Click 'Create Now' to open the Logical Statement Rule creator. This powerful tool allows you to build complex expressions in an easy way. You can connect multiple expressions using the logical operators AND and OR with an unlimited level of nesting.

Step 1

Provide the Rule Name and select the state

Step 2

Click 'Configure expression'

Step 3

Each expression consists of:

Value A

The possible elements that you can input under Value A are:

Value B

The possible elements that you can input under Value B vary depending on what was selected as Value A; you can choose from:

Operator


The operators used in the comparison in the expression are:

Step 4

Once you have created the expression, you can add another one. You can connect multiple expressions using the logical operators AND and OR with an unlimited level of nesting, e.g.:

Step 5

As the last step, select the recommendation that should be provided when all the conditions of the rule are met, and what should happen otherwise, e.g.:

List-based rule

To configure a List-based Rule you need to follow 3 steps:

Step 1: Select inquiry attributes.

Select one or more attributes that will be searched on the list.

Step 2: Select the list.

Select an existing list or create a new one. The list you choose must have a valid structure for the selected match conditions.

If you decide to create a list, it will automatically be assigned the same fields as the rule. Confirm list creation by clicking "Add list". The list name is validated for uniqueness and the newly created list is selected. If the list name is a duplicate, you will be asked to change it.

If you created a new list while creating the rule, the list will be visible in the Accept/Refuse lists view.

Step 3: Select outcome.

Choose what the rule should return on a match and on a miss. Thanks to this, you can create multiple scenarios using only one type of rule.
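The evaluation rules described above (rule set and rule states, run conditions, "worst case"/"best case" strategies, the overriding_accept override, and list-based and logical statement rules) can be modelled in a few lines. This is an added illustration, not the product's own code; the page does not give the ordering used for "worst" and "best", so refuse > review > accept is assumed here, and all lists, rules and inquiries are constructed samples.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Recommendation ordering assumed for "worst"/"best" (not stated on the page):
# refuse is the worst outcome, accept the best; overriding_accept is handled separately.
SEVERITY = {"accept": 0, "review": 1, "refuse": 2}
OVERRIDE = "overriding_accept"

# Effective rule state: the rule set state takes priority over the rule state
# (rows = rule set state, columns = rule state, as in the table above).
STATE_TABLE = {
    "inactive":   {"inactive": "inactive", "active": "inactive",   "simulation": "inactive"},
    "active":     {"inactive": "inactive", "active": "active",     "simulation": "simulation"},
    "simulation": {"inactive": "inactive", "active": "simulation", "simulation": "simulation"},
}


def effective_state(rule_set_state: str, rule_state: str) -> str:
    return STATE_TABLE[rule_set_state][rule_state]


@dataclass
class Rule:
    name: str
    state: str                                  # inactive | active | simulation
    evaluate: Callable[[dict], Optional[str]]   # recommendation, or None for "no opinion"


@dataclass
class RuleSet:
    name: str
    state: str
    strategy: str          # "worst case" | "best case"
    run_conditions: dict   # tag -> required value; every condition must hold (AND)
    rules: list


def list_rule(attribute, items, on_match, on_miss=None):
    """List-based rule: look the inquiry attribute up on a list, return outcome on match/miss."""
    return lambda inq: on_match if inq.get(attribute) in items else on_miss


def logical_rule(predicate, on_match, on_miss=None):
    """Logical statement rule: a predicate over inquiry fields, with match/otherwise outcomes."""
    return lambda inq: on_match if predicate(inq) else on_miss


def combine(recs, strategy):
    """Fold recommendations under a strategy; overriding_accept wins regardless of strategy."""
    if OVERRIDE in recs:
        return OVERRIDE
    if not recs:
        return None
    pick = max if strategy == "worst case" else min
    return pick(recs, key=SEVERITY.__getitem__)


def evaluate_rule_set(rule_set, inquiry):
    """Return (set recommendation, outcomes of rules that ran in simulation only)."""
    tags = inquiry.get("tags", {})
    if rule_set.state == "inactive":
        return None, {}
    if not all(tags.get(k) == v for k, v in rule_set.run_conditions.items()):
        return None, {}                # run conditions not fulfilled: set is skipped
    recs, simulated = [], {}
    for rule in rule_set.rules:
        state = effective_state(rule_set.state, rule.state)
        if state == "inactive":
            continue                   # deactivated rules are not triggered
        rec = rule.evaluate(inquiry)
        if rec is None:
            continue
        if state == "simulation":
            simulated[rule.name] = rec  # executed, but ignored in the final result
        else:
            recs.append(rec)
    return combine(recs, rule_set.strategy), simulated


def decide(rule_sets, inquiry):
    """System level: always 'worst case' across sets; overriding_accept becomes accept."""
    set_recs = [r for r, _ in (evaluate_rule_set(rs, inquiry) for rs in rule_sets) if r]
    final = combine(set_recs, "worst case")
    return "accept" if final == OVERRIDE else final


# Constructed sample configuration (not from the page).
REFUSE_LIST = {"bad@example.com"}
VIP_LIST = {"vip@example.com"}
RULE_SETS = [
    RuleSet("Web payments", "active", "worst case", {"origin": "web"}, [
        Rule("Email on refuse list", "active", list_rule("email", REFUSE_LIST, "refuse")),
        Rule("High amount", "active",
             logical_rule(lambda i: i["amount"] > 1000, "review", "accept")),
        Rule("Trial: refuse everything", "simulation", logical_rule(lambda i: True, "refuse")),
    ]),
    RuleSet("VIP customers", "active", "best case", {}, [
        Rule("Email on VIP list", "active", list_rule("email", VIP_LIST, OVERRIDE)),
    ]),
]

if __name__ == "__main__":
    inquiry = {"email": "bad@example.com", "amount": 50, "tags": {"origin": "web"}}
    print(decide(RULE_SETS, inquiry))
```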



Rule on Signals


To configure a Rule on Signals, you need to follow 2 steps:

Step 1: Select one or more profiler signals from the list of all available signals.

Platform-agnostic signals

  • Tor Network: Tor is software for enabling anonymous communication. Using Tor makes it more difficult for internet activity to be traced back to the user. Using Tor in daily web surfing is extremely suspicious.
  • Network address on VPN blacklist: The network address appeared on a list of known VPNs. This signal tells that the observed IP address was from a VPN; it does not tell whether that VPN was used for fraud or has a bad reputation.
  • Data center network address: The network address seems to belong to a data center.
  • Network address on anonymizers blacklist: The network address appeared on a possible anonymizers blacklist.
  • Network address on bots blacklist: The network address appeared on a possible bot blacklist.
  • Server infrastructure provider network address: The network address seems to belong to a server infrastructure provider.
  • Network address related to VPN: The network address is related to a VPN. In the given network some premises indicating VPN have been observed.
  • Network address related to proxy: The network address is related to a proxy. In the given network some premises indicating a proxy have been observed.
  • Network address related to Apple Private Relay: The network address is related to Apple Private Relay. In the given network some premises indicating Apple's Private Relay have been observed.
  • Country mismatch: There's a discrepancy between countries obtained from IP addresses. A different region could potentially indicate usage of a proxy or VPN.
  • AnyDesk detected based on network properties: This signal detects AnyDesk usage based on network properties.

Web signals

  • No JavaScript: JavaScript code has been downloaded but it has not been executed. It might mean that JavaScript has been disabled.
  • No User-Agent: There was no User-Agent header. All standard browsers should send it.
  • No headers: No headers were sent with the request. All standard browsers should send them.
  • Incomplete data: There were a few missing data parts. It might have been caused by a poor network connection or by an extremely slow machine. It may be a deliberate action as well.
  • No plugins: Many basic functionalities of web browsers are typically implemented as plugins. A legitimate browser should have at least some of them. The opposite is suspicious.
  • No WebGL: WebGL allows browsers to render 2D and 3D graphics. It's widely used in web design and gaming. WebGL is integrated completely in all modern browsers, and it's enabled by default.
  • Virtual Machine: A Virtual Machine is an emulation of a computer system. It might be helpful when someone needs to run different operating systems on the same computer. But Virtual Machines are not used by an average web surfer.
  • Virtual Machine GPU: A Virtual Machine is an emulation of a computer system. It might be helpful when someone needs to run different operating systems on the same computer. But Virtual Machines are not used by an average web surfer.
  • Mobile emulation: Someone pretends to be using a mobile device. In fact, the real device is a desktop computer and the mobile device is just emulated. It's a common technique of identity hiding.
  • User-Agent spoofing: User-Agent is how a browser introduces itself. It contains information about the operating system, the browser and sometimes even the device model. Thus, User-Agent spoofing is a way of avoiding being identified.
  • No flash: Flash is a popular multimedia platform for the production of animations, internet applications or games. Some browsers have it enabled by default. The 'No flash' signal occurs only when the browser should have Flash enabled by default, but it has been disabled purposely.
  • Language mismatch: Language settings are present in many places inside the browser. Typically, they should be consistent with each other. Otherwise, this signal will be present.
  • Clipboard used on sensitive fields: When entering credit card details, a typical user will just take the card out of their wallet and start typing. It is uncommon to copy-paste data which is marked as sensitive.
  • Clipboard used on nonsensitive fields: The user was pasting data into non-sensitive fields like name or address. Criminals often paste basic data to speed up the fraud process.
  • Incognito mode: 'Incognito mode' or 'private browsing' is a feature available in the most popular browsers. It disables browsing history and web cache.
  • Keyboard not used: There were no keyboard events recorded. It is uncommon, because even typing with an on-screen keyboard (for example on mobile devices with a touch screen) emits keyboard events.
  • Only positive flight time: Flight time is the term denoting the interval between releasing a key and pressing another one. Two-handed typing usually causes at least some negative flight times. The presence of this signal may indicate really slow typing or the use of automated scripts.
  • Mouse not used: There were no mouse events recorded. It should be mentioned that actions on touch screens like tapping and sliding emit mouse events as well. Therefore, a lack of mouse events is suspicious.
  • No canvas fonts: Different applications and operating systems use different sets of fonts. Some consider it a threat to their privacy and block the use of non-basic fonts. On the other hand, it worsens the user experience, so font blocking is unusual for an average user.
  • No touches on mobile: The device looks like a mobile and its User-Agent indicates that, but touch events were not present. This may indicate the use of scripts.
  • Submit on hidden page: When the form was submitted, the corresponding browser tab or window was not visible. This may indicate the use of scripts.
  • Proxy used: A proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers. Fraudsters may use proxies to hide their real network address.
  • No origin: This signal indicates an anomaly where the Origin header is not present. This may be caused by a bot.
  • Single-core CPU: Today a single-core CPU in a desktop PC or mobile device is very unusual. It could indicate that a virtual machine is being used.
  • No mime types: Mime types tell you about the types of files supported by browser plugins. A legitimate browser should have at least some of them. The opposite is suspicious.
  • Fraud tool used: Fraudsters create specially crafted tools to trick anti-fraud systems. This signal indicates that such a tool was trying to modify the browser's behaviour.
  • Server OS: This signal indicates that a server-class system was used in this attempt. Criminals use such systems to automate fraud.
  • Crawler activity: A known automatic tool was used to create this attempt.
  • Outdated browser: Today every browser has an auto-update feature, so really old versions are very unusual. There is a high chance that old browsers have serious security vulnerabilities that were already exploited by malware or botnets.
  • OS mismatch: It seems that the Operating System looks different at the network level and the browser level. There may be plenty of reasons why (using a web proxy or a Virtual Private Network, or working in a Virtual Machine, just to mention the most common).
  • Network - User-Agent mismatch: Declarations from the User-Agent and observed values from the network stack seem different.
  • WebRTC disabled: WebRTC is a feature that enables real-time communication within the browser. Disabling it might be suspicious.
  • Plugins related to VM: Plugins that may indicate Virtual Machine usage have been detected.
  • Plugins related to VPN: Plugins that may indicate VPN use have been detected.
  • Plugins related to malware: Plugins that may indicate malware have been detected.
  • Screen resolution anomaly: The device reports the screen resolution in pixels as well as the so-called available resolution, which is the amount of horizontal/vertical space available for a window, i.e. the screen resolution minus the space used by e.g. the OS's bars. An available resolution bigger than the screen resolution therefore contradicts the definitions.
  • WebGL anomaly: WebGL properties returned by the browser look abnormal. Such a situation may be caused e.g. by privacy-enhancing plugins commonly used by fraudsters.
  • Performance measurement anomaly: Performance metrics reported by the browser look unusual. It may mean that the browser works in a special anti-fingerprinting mode or privacy plugins have been installed.
  • VPN-like network characteristics: Network characteristics may indicate VPN use.
  • Incorrect system time: System date & time settings are incorrect. They should be set automatically; therefore, this signal indicates manual changes.
  • Headers - JavaScript User-Agent declaration mismatch: The User-Agent declaration in JavaScript does not match the HTTP headers.
  • Unusual User-Agent: The declared User-Agent is uncommon. It may be an unusual device, or someone tried to manually replace the User-Agent and just mistyped the value.
  • Open ports related to RDP: Open ports detected on this machine are usually used by Windows Remote Desktop Service. This protocol has security vulnerabilities and it's widely used by fraudsters.
  • Open ports related to AnyPlaceControl: Open ports detected on this machine are usually used by a popular remote desktop software called AnyPlaceControl. This application is sometimes used by fraudsters to access a hacked computer.
  • Open ports related to VNC: Open ports detected on this machine are usually used by a popular remote desktop software called VNC. This application is sometimes used by fraudsters to access a hacked computer.
  • Open ports related to TeamViewer: Open ports detected on this machine are usually used by a popular remote desktop software called TeamViewer. This application is sometimes used by fraudsters to access a hacked computer. TeamViewer recently exceeded 2 billion installations on devices all over the world, which can make this signal occur frequently in the population.
  • Open ports related to AnyDesk: Open ports detected on this machine are usually used by a popular remote desktop software called AnyDesk. This application is sometimes used by fraudsters to access a hacked computer.
  • Open ports related to Other remote desktop software: Open ports detected on this machine are usually used by other popular remote desktop software. These kinds of applications are sometimes used by fraudsters to access a hacked computer.
  • Selenium usage detected: Selenium is one of the most popular browser automation tools. This browser appears to have been controlled by Selenium.
  • Automated browser: Browser automation provided e.g. by Selenium helps in web app testing or in performing repetitive tasks. It could also be used in an undesired manner, e.g. auto-filling forms using stolen credentials.
  • Hiding automated browser: Some modern browsers report that automated tools control them using a built-in browser API. In this case, the aforementioned API was manipulated to report incorrect values indicating that an automated browser was not used.
  • Headless browser: Headless browsers provide automated control of a web page in an environment similar to popular web browsers, but without a graphical user interface. They were intended for test automation or website scraping. On the other hand, they are often used in ad fraud, performing DDoS attacks, or to automate websites (e.g. filling forms using stolen credentials) in unintended ways.
  • Timezone mismatch: There's a discrepancy between the time settings in the OS and the timezone obtained from the IP address. It may indicate e.g. using a VPN or proxy from a different region.
  • WebRTC hooking: WebRTC is a mechanism which may leak original IP addresses even if you use a VPN or proxy. This fact is known by more experienced fraudsters. Carders often try to use browser extensions or even dedicated fraud programs to spoof the WebRTC data. This signal detects such behaviour.
  • Mime types hooking: Mime types tell you about the types of files supported by browser plugins. A legitimate browser should have at least some of them. It is often used to fingerprint browsers. This fact is known by more experienced fraudsters. Carders often try to use browser extensions or even dedicated fraud programs to spoof mime-type data. This signal detects such behaviour.
  • Screen hooking: Screen data contains various pieces of information about screen properties (width, height, etc.). This API is often used for fingerprinting purposes, which some fraudsters are aware of. This data is often spoofed by privacy plugins, specialized fraud tools, or by various types of bots. This signal detects such behaviour.
  • Plugins hooking: Plugins installed in browsers are often used by antifraud systems to fingerprint users. This fact is known by more experienced fraudsters. Carders often try to use browser extensions or even dedicated fraud programs to spoof browser plugins. This signal detects such behaviour.
  • Storage API hooking: A typical browser offers multiple APIs that can be used for storing information. Anti-fraud systems use these APIs to save information about the identity of a user. This fact is known by more experienced fraudsters. Carders often try to use browser extensions or even dedicated fraud programs to modify the behaviour of such APIs to remove anti-fraud cookies. This signal detects such behaviour.
  • Incognito detection hooking: Carders use Incognito mode to delete cookies saved by antifraud systems. Some fraudsters are aware that such systems detect Incognito mode, therefore they use browser extensions or even dedicated fraud programs to alter the behavior of the APIs used for this purpose. This signal detects such modifications.
  • Geolocation hooking: Antifraud systems use geolocation data from various sources to find inconsistencies between the user's location and data declared by the browser. Such inconsistencies are often a sign of using VPNs or proxies. Some fraudsters are aware of this fact and try to use browser extensions or even dedicated fraud programs to modify the behavior of such APIs to hide these facts. This signal detects such modifications.
  • HTML object creation hooking: Antifraud systems often use behavioral data to detect fraud. Some fraudsters are aware of this and tamper with browser APIs to feed the antifraud system with wrong data. Such tampering can be achieved using browser extensions or dedicated fraud tools. Some malware and bots also use this technique. This signal detects such modifications.
  • Clipboard hooking: Most beginner-level fraudsters use the clipboard to paste cardholder data. Some advanced carders are aware that antifraud systems monitor this behavior and try to tamper with browser APIs to hide the clipboard usage. This signal detects such modifications.
  • Generic fingerprinting API hooking: Antifraud systems use various minor browser APIs to fingerprint users. More experienced fraudsters know this fact and try to use browser extensions or even dedicated fraud programs to replace the content of those APIs. This signal detects such behavior.
  • Webkit specific API hooking: Browsers are built upon something called an engine. One of many browser engines is WebKit. The Chrome browser uses a WebKit successor as its own engine. Some popular fraud tools are built using the Firefox engine (Gecko). Such tools have to fool anti-fingerprint systems that use a different engine. One way to do that is to hook browser functions to look like a different browser. This signal detects such modifications.
  • Battery API hooking: Browsers provide information about the device's battery level. Antifraud systems often use this function to fingerprint users. More experienced fraudsters know this fact. Carders often try to use browser extensions or even dedicated fraud programs to spoof the results of this API. This signal detects such behavior.
  • HTML canvas hooking: HTML canvas fingerprinting is one of the best and most popular ways to fingerprint users. Carders are very aware of this technique. Many browser extensions or even dedicated fraud software are used to tamper with the result of such fingerprinting just before it is sent to the anti-fraud system. This signal detects such behavior.
  • Gamepads API hooking: Browsers provide information about gamepads connected to the device. Antifraud systems often use this function to fingerprint users. More experienced fraudsters know this fact. Carders often try to use browser extensions or even dedicated fraud programs to spoof the results of this API. This signal detects such behavior.
  • Service Worker API hooking: Service workers are specialized JavaScript assets used for enhancing the offline experience on websites. Carders often try to use browser extensions or even dedicated fraud programs to spoof the results of this API to pose as a different browser. This signal detects such behavior.
  • Media API hooking: The Media API allows listing media devices like microphones, cameras and headsets connected to the device. Antifraud systems often use this function to fingerprint users. More experienced fraudsters know this fact. Carders often try to use browser extensions or even dedicated fraud programs to spoof the results of this API. This signal detects such behavior.
  • Communication API hooking: Some tools used by fraudsters try to replace the APIs used for sending data with their own code. This allows them to modify or even stop some data from being sent. This signal detects such behavior.
  • WebGL hooking: WebGL fingerprinting is one of the best and most popular ways to fingerprint users. Carders are very aware of this technique. Many browser extensions or even dedicated fraud software are used to tamper with the result of such fingerprinting just before it is sent to the anti-fraud system. This signal detects such behavior.
  • WebGL spoofing: WebGL fingerprinting is one of the best and most popular ways to fingerprint users. Carders are very aware of this technique. Many browser extensions or even dedicated fraud software are used to tamper with the result of such fingerprinting just before it is sent to the anti-fraud system. This signal detects such behavior, focusing on the most sophisticated tools.
  • HTML canvas spoofing: HTML canvas fingerprinting is one of the best and most popular ways to fingerprint users. This signal is sensitive to common fingerprinting protection techniques, such as those used by Firefox's resistFingerprinting mode or Brave's fingerprint protection mode, but can also indicate the use of anonymizing browser extensions and fraud tools.
  • Cookies disabled: Anti-fraud systems store information about the identity of a user in their browser using cookies. Carders might want to disable the cookie mechanism entirely in order to prevent tracking. However, cookies are needed for proper website operation, so legitimate users don't disable them.
  • Behavioral pattern looks like TeamViewer: Device and behavioral data indicate that TeamViewer is used. TeamViewer may be used by fraudsters to access a computer remotely. It's often associated with social engineering attacks.
  • User-Agent hooking: User-Agent is a characteristic string that lets servers and network peers identify the application, operating system, vendor etc. Antifraud systems often use this property to fingerprint users. Both fraudsters and creators of bots are aware of that and often try to tamper with this field. This signal detects such behavior.
  • Vendor information hooking: The Vendor field contains information about the manufacturer of the browser. Antifraud systems often use this property to fingerprint users. Both fraudsters and creators of bots are aware of that and often try to tamper with this field. This signal detects such behavior.
  • App version hooking: The App version field contains information about the version of the browser. Antifraud systems often use this property to fingerprint users. Both fraudsters and creators of bots are aware of that and often try to tamper with this field. This signal detects such behavior.
  • OS information hooking: This property contains version information about the browser. Antifraud systems often use this property to fingerprint users. Both fraudsters and creators of bots are aware of that and often try to tamper with this field. This signal detects such behavior.
  • Platform type hooking: The Platform field contains information about both the operating system and the CPU architecture. Antifraud systems often use this property to fingerprint users. Both fraudsters and creators of bots are aware of that and often try to tamper with this field. This signal detects such behavior.
  • User-Agent inconsistent: The User-Agent value has been tampered with. Different sources of information about the User-Agent indicate different values.
  • Device parameters inconsistent: Device parameter values have been tampered with. Different sources of information about device parameters indicate different values.
  • Preferred language inconsistent: The most preferred language has been tampered with. Different sources of information about the most preferred language indicate different values.
  • Languages inconsistent: The languages preferred by the user have been tampered with. Different sources of information about preferred languages indicate different values.
  • Privacy extension: A pattern related to a privacy extension has been spotted in the data. Because not all of the extensions leave characteristic patterns, not all extensions will be detected.
  • Hiding automated browser using hooking: Some modern browsers report that automated tools control them using a built-in browser API. In this case, the aforementioned API was manipulated to report incorrect values indicating that an automated browser was not used.
  • WebRTC private mode: WebRTC technology allows anti-fraud systems to detect situations where a profiled person uses a proxy or VPN by leaking their IP addresses. Some fraudsters are aware of this fact and use the private mode of WebRTC to prevent those leaks. This signal detects the aforementioned WebRTC private mode.
  • Browser version mismatch: The browser version declared in the User-Agent does not match the version identified from the data. This may mean hiding the true version of the browser, or enabling/disabling browser features by the user.
  • Timezone hooking: Antifraud systems often use the timezone for the detection of proxies or VPNs. Fraudsters and bot creators know that fact and often try to tamper with this field. This signal detects such behavior.
  • Time API hooking: This signal detects tampering with various browser APIs reporting the time or date. Antifraud systems use those fields to gather information about the behavior of users on the site, for example keystroke timing.
  • Suspicious mobile behaviour: Fraudsters use remote desktop tools for many fraud techniques, for example account takeover, impersonating someone else's actions, or tricking a victim into making other harmful actions. Fraudsters use remote desktop tools, simulators and emulators to act as if they were using a mobile browser.
  • Inconsistent mobile behaviour: Fraudsters use remote desktop tools or other harmful programs to conduct account takeovers or to impersonate someone else's actions. This signal detects these techniques using behavioral data.
  • Network classified as proxy: Detected characteristics in network traffic that are commonly associated with proxy use.
  • Network classified as VPN: Detected characteristics in network traffic that are commonly associated with VPN use.
  • Software Renderer: Sometimes the GPU fails to load drivers or is not present in the system. Then a fallback to a software renderer happens. This might indicate a virtual machine, a poorly configured workstation (especially when one does not pay attention to such details while setting up machines automatically), an emulator, or just a problem with the GPU driver. Some of these cases are directly connected to bot and fraudster activity.

iOS signals

| Name | Description |
| --- | --- |
| Emulator | The device appears to be an emulator rather than a real mobile phone or tablet. |
| Jailbreak | The device appears to be jailbroken, i.e. the software restrictions imposed by Apple have been removed by the user. This allows installing software unavailable in the App Store, which can be used in fraudulent activity. |
| Short uptime | The device was turned on very recently. Fraudsters often change SIM cards in their devices and hard-reset them to wipe all identifiers. |
| Debugger | The application appears to be running in debug mode. Debugging helps programmers improve the quality of their code, but ordinary users should never run the application this way. |
| Jailbreak hiding software | Software that hides a jailbreak has been detected on the device. A jailbreak removes the software restrictions imposed by Apple and is often needed to install the third-party applications used in various fraud activities; this signal means that someone is trying to conceal it. |
| Hooking software | Hooking software has been detected on the device. It allows manipulating the application's execution, for example bypassing security checks or spoofing data. |
| GPS spoofing software | GPS spoofing software has been detected on the device. |
| In-App purchase unauthorized software | Software for bypassing Apple's In-App Purchase system has been detected on the device, so the user may be a threat. |
| Unauthorized apps installation software | Software for installing unauthorized apps has been detected on the device. It can be used to install modified versions of the application, or applications not allowed in the App Store. |
| Low usage of storage space | Very little of the storage space is in use. This may be a sign that the system has been reinstalled; fraudsters frequently wipe their devices to avoid fingerprinting. |
| Screen capture | Screen capture was detected during profiling. The screen capture function is used by screen recording and by applications such as TeamViewer QuickSupport, which can be used in fraud-related activity. |
| Timezone mismatch | The time zone set in the OS differs from the time zone derived from the IP address. This may indicate, for example, a VPN or proxy in a different region. |
| Virtual network interfaces on the device | Virtual network interfaces have been detected on the device. |
| Active call | An active call was detected during profiling. |
| Battery charged and plugged | The device was fully charged yet still plugged in during profiling, which may indicate that it is part of a device farm. |
| Open ports related to Frida | Open ports on the device suggest that frida-server, a popular hooking (dynamic instrumentation) tool, is running. Frida is used to change an application's behaviour at runtime and can be used by fraudsters. Its default port is 27042, but frida-server can be started on any port, so the absence of this signal does not rule Frida out. |
| Open ports related to Needle | Open ports on the device suggest that Needle, a popular hooking tool, is running. It is used to change an application's behaviour at runtime and can be used by fraudsters. |
| Open ports related to SSH | Open ports on the device suggest that an SSH service is running. SSH allows the device to be controlled remotely and can be used by fraudsters. |
| No significant device movement | No significant device movement was observed during profiling. |
| No SIM card or not configured | The device has no physical SIM card, or the configuration of cellular functions such as SMS has not been completed. |
| Proxy configuration on the device | A proxy configuration was detected on the device. Fraudsters use proxies to hide their true IP address, which makes them harder to track and identify. |
| Clipboard used on sensitive fields based on behavioral data | Triggered from behavioural data when the user pastes clipboard content into sensitive text fields of the application. |
| Clipboard used on nonsensitive fields based on behavioral data | Triggered from behavioural data when the user pastes clipboard content into non-sensitive text fields of the application. |
| Autofill used based on behavioral data | Triggered from behavioural data when the user fills text fields of the application using autofill. |

Android signals

| Name | Description |
| --- | --- |
| Emulator | The device appears to be an emulator rather than a real mobile phone or tablet. |
| Short uptime | The device was turned on very recently. Fraudsters often change SIM cards in their devices and hard-reset them to wipe all identifiers. |
| Root | Rooting lets users of smartphones, tablets and other devices running Android attain privileged control over various Android subsystems. Root allows changing system properties, overwriting files in the /system directory, remounting partitions, etc. |
| Root hiding application | An application that tries to hide root has been detected on the device. Such apps hide root without disabling it: they conceal the superuser binary, processes run as root and much more, often by means of a hooking framework. |
| Root permissions requiring application | An application that needs root access to operate (fully or partially, i.e. certain functions are unavailable without root) has been detected on the device. Some of these apps allow changing system properties, remounting directories, flashing a custom recovery, etc. |
| Remote access tool application | These tools allow controlling a PC or mobile device from another device, capturing and recording screen activity and transferring files. This signal covers only remote access to the mobile device from another device or PC, and means that such a tool is installed on the device, not necessarily that it was used during profiling. |
| Timezone mismatch | The time zone set in the OS differs from the time zone derived from the IP address. This may indicate, for example, a VPN or proxy in a different region. |
| Virtual network interfaces on the device | Virtual network interfaces have been detected on the device; the network settings indicate that a VPN is in use. |
| Battery charged and plugged | The device was fully charged yet still plugged in during profiling, which may indicate that it is part of a device farm. |
| No SIM card | It is uncommon for normal users to have a phone without a SIM card, whereas fraudsters may use real devices (to avoid being detected as emulators) without bothering to buy a SIM card, as the device will not be used for phone calls. |
| First boot | This is the first boot after a factory reset. Fraudsters may factory-reset often to wipe all identifiers and other data that can be used to identify the device. |
| Presentation display | At least one presentation display was found on the device. Such displays show application content somewhere other than the device's primary screen and are also used by some remote access tools, such as TeamViewer or AnyDesk. |

Step 2 Define how many signals from the list must be triggered to give a selected recommendation.
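As an added example (not the product's own code) of how the device signals in the tables above feed the threshold defined in Step 2, the script below derives a handful of signals from a constructed device profile and then checks a rule that fires only when at least a given number of them are triggered. The profile field names, the rule class, the recommendation label and the uptime and storage cut-offs are assumptions made for this example; only Frida's default port (27042) and SSH's port (22) are real values.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Tuple

# Real defaults: frida-server listens on TCP 27042 unless started with -l,
# and SSH on TCP 22. Everything else below is an assumption for this example.
FRIDA_DEFAULT_PORT = 27042
SSH_PORT = 22

# Assumed cut-offs; the page does not state the real ones.
SHORT_UPTIME_SECONDS = 15 * 60      # "turned on very recently"
LOW_STORAGE_USED_RATIO = 0.05       # under 5 % of storage in use


@dataclass(frozen=True)
class DeviceProfile:
    """Raw facts collected during profiling (hypothetical field names)."""
    uptime_seconds: int
    battery_percent: int
    is_plugged: bool
    storage_used_bytes: int
    storage_total_bytes: int
    open_tcp_ports: Tuple[int, ...]
    has_sim: bool


def derive_signals(p: DeviceProfile) -> Dict[str, bool]:
    """Map raw profile facts to the named signals from the tables above."""
    low_storage = (
        p.storage_total_bytes > 0
        and p.storage_used_bytes / p.storage_total_bytes < LOW_STORAGE_USED_RATIO
    )
    return {
        "Short uptime": p.uptime_seconds < SHORT_UPTIME_SECONDS,
        # Both conditions are needed: a phone at 100 % that is unplugged is normal.
        "Battery charged and plugged": p.is_plugged and p.battery_percent >= 100,
        "Low usage of storage space": low_storage,
        # A hint only: frida-server can be bound to any port.
        "Open ports related to Frida": FRIDA_DEFAULT_PORT in p.open_tcp_ports,
        "Open ports related to SSH": SSH_PORT in p.open_tcp_ports,
        "No SIM card": not p.has_sim,
    }


@dataclass(frozen=True)
class SignalRule:
    """Step 2: at least `min_triggered` of `signals` must fire to recommend."""
    name: str
    signals: Tuple[str, ...]
    min_triggered: int
    recommendation: str


def evaluate_rule(rule: SignalRule, signals: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Return (fired, names of the rule's signals that were triggered).

    A signal the profile did not report is treated as not triggered, so a
    partial profile can only make the rule less likely to fire, never more.
    """
    hits = [name for name in rule.signals if signals.get(name, False)]
    return len(hits) >= rule.min_triggered, hits


DEVICE_FARM_RULE = SignalRule(
    name="Instrumented device or device farm",
    signals=(
        "Short uptime",
        "Battery charged and plugged",
        "Low usage of storage space",
        "Open ports related to Frida",
        "Open ports related to SSH",
        "No SIM card",
    ),
    min_triggered=3,
    recommendation="refuse",
)

# Constructed sample profiles (not real captured data).
FARM_DEVICE = DeviceProfile(
    uptime_seconds=90, battery_percent=100, is_plugged=True,
    storage_used_bytes=2 * 1024**3, storage_total_bytes=128 * 1024**3,
    open_tcp_ports=(22, 27042), has_sim=False,
)
NORMAL_DEVICE = DeviceProfile(
    uptime_seconds=5 * 24 * 3600, battery_percent=63, is_plugged=False,
    storage_used_bytes=90 * 1024**3, storage_total_bytes=128 * 1024**3,
    open_tcp_ports=(), has_sim=True,
)

if __name__ == "__main__":
    for label, profile in (("farm", FARM_DEVICE), ("normal", NORMAL_DEVICE)):
        fired, hits = evaluate_rule(DEVICE_FARM_RULE, derive_signals(profile))
        verdict = DEVICE_FARM_RULE.recommendation if fired else "no recommendation"
        print(f"{label}: {len(hits)} signal(s) triggered {hits} -> {verdict}")
```

Two design points worth keeping when building real rules of this kind: a signal that is missing from the profile must never count as triggered (otherwise an incomplete profile can produce a refusal by accident), and port-based signals such as the Frida one are hints rather than proof, so they belong in a counted rule like the one above rather than being used as a single-signal refusal.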