API Signal Definitions (v6)

ATO Risk

The ato_risk signal is a heuristic signal that indicates the risk of a login being tied to an account takeover attempt. This signal leverages behavior, device, and network data features to analyze new and returning users.

  • High indicates high likelihood that a login is associated with an account takeover attempt.
  • Medium indicates moderate likelihood that a login is associated with an account takeover attempt.
  • Low indicates low likelihood that a login is associated with an account takeover attempt.
  • Insufficient data indicates that this is the first observed session for a user, or that the current session didn't have enough user interaction to determine account takeover risk.

The score field is a numeric value representing whether or not a session is associated with an account takeover attempt.

A value of 0.0 indicates the session is not likely to be related to an account takeover, and a value of 1.0 indicates high risk that the session is related to an account takeover.


Automated Activity

The automated_activity signal indicates if a session contains automated behaviors.

  • True means the user is exhibiting behavior associated with a malicious bot.
  • False means the user is not exhibiting behavior associated with a malicious bot.

Additional details about the session are reflected in the customer portal using the Activity Types listed below:

  • Unusual Activity - An Unusual Activity label will trigger on True if malicious bot activity was observed within the navigation of the browser or application.
  • Suspicious Browser - A Suspicious Browser label will trigger on True if configurations within the browser being used are indicative of malicious bot activity.
  • Automated Data Entry - An Automated Data Entry label will trigger on True if malicious bot activity is observed in how data is being entered.
  • Not Automated - A Not Automated label will trigger on False if no malicious bot activity was observed.
  • Legitimate Bot - A Legitimate Bot label is specific to signal version 2.0 and will trigger on False if legitimate bot activity from web crawlers, web scrapers, and search engine bots was observed.

Behavioral Analytics Recognition

The behavioral_analytics_recognition signal identifies sets of behavioral features (typing, swiping, etc.) that establish a profile to analyze sessions against. The label field is a string containing one of the following:

  • High indicates different observed behavior.
  • Low indicates similar behavior to what was previously observed.
  • Neutral indicates a session with no behavior indicating risky or genuine interaction.

The score field is a numeric value between 0 and 100.

A score of 0 indicates that the current login behavior is not the same as previous logins, and a score of 100 indicates that the current login behavior is the same as previous logins.
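
The ato_risk and behavioral_analytics_recognition scores use different scales and run in opposite directions, and "Insufficient data" and Neutral carry no verdict. The following added example (not NeuroID code) normalizes the three signals defined so far onto one risk scale before making a login decision; the payload shape, the label-to-risk fallback, and the thresholds are assumptions for illustration.

```python
# Added example. The payload shape (signal name -> {"label", "score"}) and the
# thresholds are assumptions for illustration, not NeuroID's response schema.
LABEL_RISK = {"low": 0.1, "medium": 0.5, "high": 0.9}  # assumed fallback when no score

def normalize(name, signal):
    """Map one signal to risk in [0.0, 1.0] (1.0 = riskiest), or None for no verdict."""
    label = str(signal.get("label", "")).strip().lower()
    score = signal.get("score")
    if label in ("", "insufficient data", "neutral"):
        return None                      # no verdict; never read this as "low"
    if name == "automated_activity":
        return 1.0 if label == "true" else 0.0
    if name == "ato_risk":               # score: 0.0 = unlikely ATO, 1.0 = high risk
        return float(score) if score is not None else LABEL_RISK[label]
    if name == "behavioral_analytics_recognition":
        # score: 100 = same behavior as previous logins, so invert and rescale.
        return 1.0 - float(score) / 100.0 if score is not None else LABEL_RISK[label]
    raise ValueError(f"unhandled signal: {name}")

def decide(signals, step_up_at=0.5, deny_at=0.8):
    """Return (decision, per-signal risk) for a login."""
    risks = {name: normalize(name, sig) for name, sig in signals.items()}
    if risks.get("automated_activity") == 1.0:
        return "deny", risks
    # automated_activity False only says no bot was seen; it is not evidence
    # that the person is the account owner, so it is excluded here.
    evidence = [r for n, r in risks.items()
                if n != "automated_activity" and r is not None]
    if not evidence:
        return "step_up", risks          # first session or too little interaction
    worst = max(evidence)
    if worst >= deny_at:
        return "deny", risks
    return ("step_up" if worst >= step_up_at else "allow"), risks

# Constructed sample payloads (not real API output).
RETURNING = {"ato_risk": {"label": "Low", "score": 0.12},
             "behavioral_analytics_recognition": {"label": "Low", "score": 92},
             "automated_activity": {"label": "False"}}
FIRST_SEEN = {"ato_risk": {"label": "Insufficient data", "score": 0.0},
              "behavioral_analytics_recognition": {"label": "Neutral"},
              "automated_activity": {"label": "False"}}
TAKEOVER = {"ato_risk": {"label": "Medium", "score": 0.55},
            "behavioral_analytics_recognition": {"label": "High", "score": 7},
            "automated_activity": {"label": "False"}}

if __name__ == "__main__":
    for name, payload in (("returning", RETURNING), ("first_seen", FIRST_SEEN),
                          ("takeover", TAKEOVER)):
        print(name, decide(payload))
```

In the FIRST_SEEN payload the ato_risk score of 0.0 is ignored because the label says there was not enough data, so the session is stepped up rather than allowed.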


Bot Framework

The bot_framework signal indicates if a device has properties that are typically associated with automation tools.

  • True means the device of the applicant has properties associated with automation tools.
  • False means the device of the applicant does not have properties associated with automation tools.

Changed Device

The changed_device signal indicates if the device used by a user has changed from the one observed previously.

  • True means the device has not previously been used by this user.
  • False means the device has been previously used by this user.
  • Insufficient Data means this is the first time we have seen this user.

Cloned App

The cloned_app signal indicates cloned application detection.

  • True means app cloners were detected.
  • False means no app cloners were detected.

This signal is for Android only.


Combined Digital Intent

The combined_digital_intent signal classifies the user’s intent based on the outcomes of Familiarity, Fraud Ring Indicator, and Automated Activity.

The label field is a string.

  • Genuine means the user exhibited behavior reflective of someone recalling personal information from their long-term memory.
  • Neutral means the user has not exhibited behavior that could be classified as Genuine or Risky.
  • Risky means the user has demonstrated suspicious behavior across the application.
  • Insufficient Data means the user has not interacted with enough of the application to make a decision.

Device Blocklist

The device_blocklist signal indicates if the device is associated with a blocklist you have provided or one of the available NeuroID blocklists.

  • True means the device is associated with a blocklist.
  • False means the device is not associated with a blocklist.

The attributes field has the following values:

  • customer_blocklist indicates if the observed device ID was found on a blocklist that you have provided.
  • global_blocklist indicates if the observed device ID was found on the NeuroID blocklist of known fraudulent devices.

Emulator

The emulator signal indicates if the device is running in simulator mode.

  • True means an emulator was detected.
  • False means an emulator was not detected.

This signal will always be false for web sessions.


Familiarity

The familiarity model indicates how familiar a user is with the Personal Information data they enter into your mobile/web application.

The label field contains one value of high, medium, low, or insufficient data.

  • High indicates the user is very familiar with the Personal Information data they are entering into the application.
  • Medium indicates the user is somewhat familiar with the Personal Information data they are entering into the application.
  • Low indicates the user is not familiar with the Personal Information data they are entering into the application.
  • Insufficient Data indicates the user has not interacted with enough of the application to make a decision on the user's familiarity.

The score field contains the raw value used in the label field (if purchased).

The reasonCodes field contains the codes associated with the decisioning that resulted in the score of the model (if purchased).


Fraud Ring Indicator

The fraud_ring_indicator signal indicates if the session contains behavior associated with fraud ring activities.

The label field is a string.

  • True means the applicant has behavior associated with fraud ring activities.
  • False means the applicant did not have behavior associated with fraud ring activities.

Frida

The frida signal indicates if Frida is being used to instrument the app. Frida is a toolkit that fraudsters use to spoof an app at runtime and change its behavior.

  • True means Frida was detected.
  • False means Frida was not detected.

This signal will always be false for web sessions.


GPS Spoofing

The gps_spoofing signal indicates if the location of a mobile device has been spoofed. Location spoofing is a common practice among fraudsters to fool fraud detection systems.

  • True means the location of the mobile device has been spoofed.
  • False means the location of the mobile device has not been spoofed.

Note: This signal requires the host app to be granted Location Permission for iOS.


Incognito

The incognito signal indicates if the web browser accessing your web application is being run in incognito mode.

  • True means the web browser accessing your web application is being run in incognito mode.
  • False means the web browser accessing your web application is not being run in incognito mode.

IP Address Association

The ip_address_association signal indicates if the public IP of the user is associated with a known IP address of various cloud providers.

  • True means the public IP of the user is associated with a known IP address of various cloud providers.
  • False means the public IP of the user is not associated with a known IP address of various cloud providers.

The attributes field has the following values:

  • aws_ip_set indicates if the public IP address of the user is associated with the AWS (Amazon Web Services) public IP list.
  • azure_* indicates if the public IP address of the user is associated with one of Microsoft Azure's public IP lists. The different lists from Microsoft Azure are: China, Germany, Government, and Public.
  • digital_ocean_ip_set indicates if the public IP address of the user is associated with the Digital Ocean public IP list.
  • google_ip_set indicates if the public IP address of the user is associated with the Google Cloud public IP list.
  • vultr_ip_set indicates if the public IP address of the user is associated with the Vultr public IP list.
  • oracle_ip_set indicates if the public IP address of the user is associated with the Oracle public IP list.

IP Blocklist

The ip_blocklist signal indicates if the public IP of the user is associated with a blocklist you have provided or one of the available NeuroID blocklists.

  • True means the public IP of the user is found on a blocklist.
  • False means the public IP of the user is not found on a blocklist.

The attributes field has the following values:

  • customer_blocklist indicates if the public IP address of the user was found on a blocklist that you provided.
  • global_blocklist indicates if the public IP address of the user was found on the NeuroID blocklist of known fraudulent IP addresses.
  • partner_blocklist indicates if the public IP address of the user was found on a blocklist provided by third party partners.

Jailbroken

The jailbroken signal indicates if the device has jailbroken applications installed (suggesting the device has been jailbroken).

  • True means a jailbroken device was detected.
  • False means a jailbroken device was not detected.

This attribute will always be false for non-mobile sessions.


Multiple Users Per Device

The multiple_users_per_device signal indicates if multiple users are associated with a single device.

  • True indicates the number of userIDs associated with a device exceeds the threshold.
  • False indicates the number of userIDs associated with a device does not exceed the threshold.

The multiple_users_per_device_threshold is configured by NeuroID based on the application type and has a default of 3 sessions.


Public Proxy

The public_proxy signal indicates if the public IP of the user is associated with a proxy server. A proxy server acts as an intermediary server separating end users from web pages they visit.

  • True means the public IP of the user is associated with a proxy network provider.
  • False means the public IP of the user is not associated with a proxy network provider.

Recent Factory Reset

The recent_factory_reset signal indicates if a mobile device was recently reset to the default factory settings. If a reset is detected, the signal also provides the time the reset occurred.

  • True means the device has been reset to default factory settings recently.
  • False means the device has not been reset to default factory settings recently.

Remote Access

The remote_access signal indicates if behaviors associated with a browser-based session are being controlled by remote access. This is a leading indicator of risk associated with scams and social engineering attacks.

  • True indicates that remote access behaviors were detected.
  • False indicates that remote access behaviors were not present.
  • Insufficient Data indicates that the user has not interacted with enough of the application to make a decision on remote access behaviors.

The score field is a numeric value representing whether or not remote access behaviors were detected.

A value of 0.0 indicates the current session is not associated with remote access behaviors, and a value of 1.0 indicates remote access behaviors are present.

TOR Exit Node

The tor_exit_node signal identifies if the public IP of the user is associated with a TOR (The Onion Router) exit node.

  • True means the public IP of the user is associated with a TOR exit node.
  • False means the public IP of the user is not associated with a TOR exit node.

Transaction Risk

The transaction_risk signal is a heuristic signal that indicates the risk of the active session being tied to an account takeover attempt. This signal leverages behavior, device, and network data features to analyze new and returning users. This signal should be called after the user has logged in, before a transaction occurs.

  • High indicates high likelihood that the transaction occurring is associated with an account takeover attempt.
  • Medium indicates moderate likelihood that the transaction occurring is associated with an account takeover attempt.
  • Low indicates low likelihood that the transaction occurring is associated with an account takeover attempt.
  • Insufficient Data indicates that this is the first observed session for a user or the current session doesn't have enough user interaction to determine account takeover risk.

The score field is a numeric value representing whether or not a session is associated with an account takeover attempt.

A value of 0.0 indicates the session is not likely to be related to an account takeover, and a value of 1.0 indicates high risk that the session is related to an account takeover.


VPN

The VPN signal indicates if the public IP of the user is associated with a VPN (Virtual Private Network) provider. A VPN creates an encrypted tunnel for your customers that hides their IP address and encrypts the data sent across the web.

  • True means the public IP of the user is associated with a VPN provider.
  • False means the public IP of the user is not associated with a VPN provider.

Informational attributes are provided indicating the properties of the VPN connection. These are dependent on the Device Type.