API Reference

Signal Summary - v4.1

Signal NameAccount OpeningAccount DefenseWebiOSAndroidFeature Set
Automated ActivityYesYesYesYesYesBehavior Analytics
Bot FrameworkYesYesYes- -- -Device & Network Intelligence
Combined Digital IntentYesYesYesYesYesBehavior Analytics
Custom AttributesYes- -YesYesYesBehavior Analytics
Device ReputationYesYesYesYesYesDevice & Network Intelligence
Device VelocityYesYesYesYesYesDevice & Network Intelligence
Factory ResetYesYes- -YesYesDevice & Network Intelligence
Familiarity (v2)Yes- -YesYesYesBehavior Analytics
Familiarity (v3)Yes- -YesYesYesBehavior Analytics
Fraud Ring IndicatorYes- -YesYesYesBehavior Analytics
GPS SpoofingYesYes- -YesYesDevice & Network Intelligence
IncognitoYesYesYesYesYesDevice & Network Intelligence
IP Address AssociationYesYesYesYesYesDevice & Network Intelligence
IP BlocklistYesYesYesYesYesDevice & Network Intelligence
Multiple IDs per DeviceYesYesYesYesYesDevice & Network Intelligence
Multiple Users per Device- -YesYesYesYesDevice & Network Intelligence
Public ProxyYesYesYesYesYesDevice & Network Intelligence
Rapid Location Change- -YesYesYesYesDevice & Network Intelligence
Risky DeviceYes- -YesYesYesBehavior Analytics
Suspicious DeviceYesYesYesYesYesDevice & Network Intelligence
TOR Exit NodeYesYesYesYesYesDevice & Network Intelligence
VPNYesYesYesYes- -Device & Network Intelligence

Behavior Analytics

Automated Activity

The automated_activity signal flags that this session has automated behaviors.

The label field is boolean, where:

  • A true value means the user is exhibiting behavior associated with a malicious bot.
  • A false value means the user is not exhibiting behavior associated with a malicious bot.

There are no attributes for automated activity.

Additional details about the session are reflected in the customer portal using the Activity Types listed below.

Automated Activity TypeDescription
Unusual ActivityAn Unusual Activity label will trigger on TRUE if malicious bot activity was observed within the navigation of the browser or application.
Suspicious BrowserA Suspicious Browser label will trigger on TRUE, if configurations within the browser being used are indicative of malicious bot activity.
Automated Data EntryAn Automated Data entry label will trigger on TRUE if malicious bot activity is observed in how data is being entered.
Not AutomatedA Not Automated label will trigger on FALSE if no malicious bot activity was observed.
Legitimate BotA Legitimate Bot label is specific to version 2.0 and will trigger on FALSE, if legitimate bot activity from web crawlers, web scrapers, and search engine bots was observed.
{
  "version": "1.0",
  "model": "automated_activity",
  "label": "false",
  "attributes": {
  },
  "score": 0
}

Combined Digital Intent

The combined_digital_intent signal is a classification of the user’s intent based on the outcomes of Familiarity, Fraud Ring Indicator, and Automated Activity.

The label field contains one of genuine, neutral ,risky , insufficient data values where:

  • genuine means the user exhibited behavior reflective of pulling their personal information from their long-term memory.
  • neutral means the user has not exhibited behavior that could be classified as Genuine or Risky.
  • risky means the user has demonstrated suspicious behavior across the application.
  • insufficient data means the user has not interacted with enough of the application to make a decision.

There are no attributes for combined_digital_intent.

{
 "version": "1.0.0",
 "model": "combined_digital_intent",
 "label": "genuine",
 "attributes": {
},
 "score": 0.0
}

Custom Attributes

These attributes are configured to be specific to your mobile/web application. These attributes require configuration in your application's site-config. These attributes are tied to specific targets on your mobile/web application.

❗️

Important note on target names in regards to custom attributes

If target names change on your mobile/web application, that are configured for custom attributes, they will no longer be available in the API response. You must update your backend application that consumes these attributes to consume the newly named targets.

The version field contains the version of the configured attributes. This is set your application's site-config when attributes are configured and is incremented as custom_attributes are updated on your site. This field follows the pattern: major.minor.patch

The attributes field contains a dictionary of attributes. The key of the dictionary is the target name configured in your application's site-config.


Custom Attribute Example Response

{
  "version": "1.0.0",
  "model": "custom_attributes",
  "label": "",
  "attributes": {
    "context": {
      "is_pc": true
    },
    "#your_app_field_target_2": {
      "interaction_count": 1,
      "transition_to_entry_ratio": 0.2616580310880829,
      "left_window": 0,
      "transition_type__is_in_page_copy": 0,
      "transition_type__is_flip": 0,
      "transition_type__is_autofill": 0,
      "transition_type__is_auto_advance": 0,
      "transition_type__is_kbd": 0,
      "transition_type__is_back": 0,
      "transition_type__is_tap": 0,
      "transition_type__is_mouse": 1,
      "transition_type__is_other": 0,
      "transition_pause_to_movement_ratio": 0,
      "transition_is_suspicious": 0,
      "transition_deviation": 1.1518665435331068,
      "entry_type__is_paste": 0,
      "entry_type__is_assist": 0,
      "entry_type__is_autofill": 0,
      "entry_type__is_kbd": 0,
      "entry_type__is_transcribe": 0,
      "entry_type__is_slow": 0,
      "entry_type__is_fast": 0,
      "entry_type__is_type": 1,
      "entry_type__is_no_change": 0,
      "entry_type__is_unknown": 0,
      "entry_type__is_password": 0,
      "entry_type__is_click": 0,
      "entry_type__is_flip": 0,
      "entry_type__is_other": 0,
      "entry_has_support": 0,
      "entry_shortcut_cnt": 0,
      "entry_pause_to_interacting_ratio": 0,
      "entry_typing_fluency": null,
      "entry_has_edits": 0,
      "entry_pause_cnt": 0
    },
    "#your_app_field_target_1": {
      "interaction_count": 1,
      "transition_to_entry_ratio": 0.25,
      "left_window": 0,
      "transition_type__is_in_page_copy": 0,
      "transition_type__is_flip": 0,
      "transition_type__is_autofill": 0,
      "transition_type__is_auto_advance": 0,
      "transition_type__is_kbd": 0,
      "transition_type__is_back": 0,
      "transition_type__is_tap": 0,
      "transition_type__is_mouse": 1,
      "transition_type__is_other": 0,
      "transition_pause_to_movement_ratio": 0,
      "transition_is_suspicious": 0,
      "transition_deviation": 1.2082106550915572,
      "entry_type__is_paste": 0,
      "entry_type__is_assist": 0,
      "entry_type__is_autofill": 0,
      "entry_type__is_kbd": 0,
      "entry_type__is_transcribe": 0,
      "entry_type__is_slow": 0,
      "entry_type__is_fast": 0,
      "entry_type__is_type": 1,
      "entry_type__is_no_change": 0,
      "entry_type__is_unknown": 0,
      "entry_type__is_password": 0,
      "entry_type__is_click": 0,
      "entry_type__is_flip": 0,
      "entry_type__is_other": 0,
      "entry_has_support": 0,
      "entry_shortcut_cnt": 0,
      "entry_pause_to_interacting_ratio": 0,
      "entry_typing_fluency": null,
      "entry_has_edits": 0,
      "entry_pause_cnt": 0
    }
  }
}

Custom Attribute Data Dictionary

Attribute NameFeature TypeTypeDefinition
is_pcContextboolIndicates if the target was interacted with on a desktop device
interaction_countGeneralintCount of how many times the user interacted with the field
left_windowGeneralintDiscrete categorical indicating whether the user left the browser/app while interacting with the field and whether they were gone for more than 10 seconds:
-0: user did not leave window
-1: user left window and returned in under 10 seconds
-2: user left window for more than 10 seconds
transition_to_entry_ratioGeneralfloatRatio between the total time spent transitioning into the field compared to the total time spent interacting with the field
transition_typeTransitionstringHow the user transitioned into the field; values include tap, mouse, autofill, auto_advance, kbd, flip, in_page_copy, back, and other
transition_is_suspiciousTransitionbinary Binary indicating the transition type was suspicious and correlated to fraudster efficiency techniques.
-0: transition is not suspicious
-1: transition is suspicious
transition_pause_to_movement_ratioTransitionfloatRatio between how much time the user spent processing/pausing vs moving to the field.
transition_deviationTransitionfloatMeasure of how much a user deviates in their trajectory to the field - only relevant for PC devices
entry_typeEntrystringHow the user supplied data into the field; values include type, transcribe, slow, fast, autofill, assist, kbd, paste, no_change, password, click, flip, unknown, and other
entry_has_supportEntryintDiscrete categorical indicating whether the user had browser assistance in completing their entry - whether it be through:

- 0: predictive text
- 1: format masking
- 2: autofilling
entry_has_editsEntryintDiscrete categorical indicating whether the user had minor or major entry changes
-0: Entry did not have edits
-1: Entry had minor edits
-2: Entry had major edits
-3: Entry had both major and minor edits
entry_shortcut_cntEntryintCount of times the user leveraged shortcuts like cutting, copying, or pasting to supply data
entry_pause_cntEntryintCount of times the user took more than a 2 second break while interacting with the field
entry_typing_fluencyEntryfloatMeasure of the user’s typing rhythm and speed
entry_pause_to_interacting_ratioEntryfloatRatio between how much time the user spent processing/pausing vs actively interacting with the field

Familiarity (v2)

The version 2 familiarity models provide information on how familiar a user is with the Personal Information data that they enter into your mobile/web application.

The version field contains the version of the model. This can be 2.5.0 or 2.7.0 based on your application's site-config.

The label field contains one of high, medium, low, or insufficient data values where

  • high means the user is very familiar with the Personal Information data they are entering into the application.
  • medium means the user is somewhat familiar with the Personal Information data they are entering into the application.
  • low means the user is not familiar with the Personal Information data they are entering into the application.
  • insufficient data means the user has not interacted with enough of the application to make a decision on the user's familiarity.

The score field, if purchased, contains the raw value used in the label field.

The attributes field, if purchased, contains the raw attributes that contributed to the outcome of the model. 

{
  "version": "2.5.0",
  "model": "familiarity",
  "label": "medium"
}

{
  "version": "2.5.0",
  "model": "familiarity",
  "label": "medium",
  "attributes": {
    "other__timing__feature_2": 1,
    "other__timing__feature_1": 0.4711393170142037,
    "other__timing__feature_4": null,
    "other__timing__feature_3": 0.3517169614984391,
    "pii__method_of_entry__feature_3": 0.6,
    "pii__method_of_entry__feature_1": 0,
    "pii__method_of_entry__feature_2": 0,
    "device_type__is_pc": 0,
    "other__typing_patterns__feature_9": null,
    "other__typing_patterns__feature_8": null,
    "other__typing_patterns__feature_7": null,
    "other__typing_patterns__feature_6": null,
    "other__typing_patterns__feature_5": 51.364365971107546,
    "other__typing_patterns__feature_4": 0.48948194662480377,
    "all_text__typing_patterns__feature_2": 0.48948194662480377,
    "all_text__typing_patterns__feature_1": 175.1922488983861,
    "other__interaction_patterns__feature_5": null,
    "other__typing_patterns__feature_3": 272.9413856490071,
    "other__interaction_patterns__feature_6": null,
    "other__typing_patterns__feature_2": 23.5,
    "other__typing_patterns__feature_1": 320.3333333333333,
    "other__interaction_patterns__feature_1": 1,
    "other__interaction_patterns__feature_2": null,
    "other__interaction_patterns__feature_3": null,
    "other__interaction_patterns__feature_4": null,
    "pii__timing__feature_1": 0.783121916842847,
    "pii__timing__feature_2": null,
    "pii__interaction_patterns__feature_5": null,
    "all_text__method_of_entry__feature_1": 6,
    "other__method_of_entry__feature_1": null,
    "pii__interaction_patterns__feature_2": 2,
    "pii__interaction_patterns__feature_1": 0,
    "pii__interaction_patterns__feature_4": 0,
    "all_text__method_of_entry__feature_2": 0,
    "pii__interaction_patterns__feature_3": 0,
    "all_text__method_of_entry__feature_3": 0,
    "pii__typing_patterns__feature_5": 0.5811942230632509,
    "pii__typing_patterns__feature_4": 234.7151656087466,
    "pii__typing_patterns__feature_7": 48.74086108854589,
    "pii__typing_patterns__feature_6": 0.48948194662480377,
    "pii__typing_patterns__feature_9": -0.014812456896697216,
    "pii__typing_patterns__feature_8": 0.0966871369294604,
    "all_text__timing__feature_1": 1.5,
    "other__typing_patterns__feature_11": null,
    "pii__typing_patterns__feature_1": 34,
    "all_text__timing__feature_4": 0,
    "other__typing_patterns__feature_10": null,
    "all_text__timing__feature_5": 0,
    "pii__typing_patterns__feature_3": 102.25849597955174,
    "all_text__timing__feature_2": 1864,
    "pii__typing_patterns__feature_2": 313.8378732543909,
    "all_text__timing__feature_3": 0.2620955039500008,
    "pii__transitions__feature_2": 1,
    "pii__transitions__feature_1": 0
  },
  "score": 77.2
}

Familiarity (v3)

The version 3 familiarity model provides information on how familiar a user is with the Personal Information data that they enter into your mobile/web application.

The version field contains the version of the model. The version can be 3.0.m or 3.0.nm.

  • 3.0.m means the user interacted with the application on a mobile device, and the 3.0 mobile model was used.
  • 3.0.nm means the user interacted with the application on a non-mobile (desktop) device, and the 3.0 non-mobile model was used

The label field contains one of high, medium, low, or insufficient data values where

  • high means the user is very familiar with the Personal Information data they are entering into the application.
  • medium means the user is somewhat familiar with the Personal Information data they are entering into the application.
  • low means the user is not familiar with the Personal Information data they are entering into the application.
  • insufficient data means the user has not interacted with enough of the application to make a decision on the user's familiarity.

The model field contains the name of the model. Currently this field has the prefix challenger_ meaning that this model should be a challenger model your existing familiarity v2 model. You will need to evaluate the familiarity v3 model to determine if it is right for you.

The score field, if purchased, contains the raw value used in the label field.

The reasonCodes field, if purchased, contains the codes associated to the decisioning that resulted in the score of the model. 

{
  "version": "3.0.nm",
  "model": "familiarity",
  "label": "medium",
  "reasonCodes": [
    "A1300",
    "A1800",
    "A1100"
  ],
  "score": 74.225929
}

When there a new version becomes available, you can activate challenger_famliarity for comparison purposes.

{
  "version": "3.0.nm",
  "model": "challenger_familiarity",
  "label": "medium",
  "reasonCodes": [
    "N1300",
    "N1800",
    "N1100"
  ],
  "score": 72.885929
}

Fraud Ring Indicator

The fraud_ring_indicator signal flags that this session has behavior associated to fraud ring activities.

The label field is a boolean.

  • A true value means the applicant has behavior associated to fraud ring activities.
  • A false value means the applicant did not have behavior associated to fraud ring activities.

There are no attributes for Fraud Ring Indicator. 

{
  "version": "1.0",
  "model": "fraud_ring_indicator",
  "label": "false",
  "attributes": {
  },
  "score": 0
}

Risky Device

The risky_device signal flags that this device has previous sessions that have low familiarity.

The label field is a boolean.

  • A true value means the device of the applicant has previous applications with low familiarity.
  • A false value means the device of the applicant does not have previous sessions with low familiarity.

The attributes field has the following values:

  • risky_application_count - A numeric value representing the count of previous sessions on the users device that had low familiarity
{
  "version": "1.0",
  "model": "risky_device",
  "label": "false",
  "attributes": {
    "risky_application_count": 0
  },
  "score": 0
}

There are no attributes for automated activity.

{
  "version": "1.0",
  "model": "automated_activity",
  "label": "false",
  "attributes": {
  },
  "score": 0
}

Device & Network Intelligence

The following signals are available to all sites configured for device and network intelligence. Some signals are only available on certain device types, and this is reflected in the documentation by the capsules below each signal name:

The capsules above represent a signal that's available for users on web, iOS, or Android.

Note: These capsules reflect the device type, not the SDK type. For example, a mobile SDK using React Native will generate signals for iOS and/or Android.

Bot Framework

The bot_framework signal identifies if a device has properties that are typically associated with automation tools.

The label field is a string.

  • A true value means the device of the applicant has properties associated with automation tools.
  • A false value means the device of the applicant does not have properties associated with automation tools.
{
  "model": "bot_framework",
  "label": "string"
}

Device Reputation

The device_reputation signal identifies if the device is associated with a blocklist you have provided or one of the available NeuroID blocklists. See Device and IP Blocklisting for more information about how blocklisting works.

The label field is a string.

  • A true value means the device is associated to a blocklist.
  • A false value means the device is not associated to a blocklist.
  • customer_blocklist - A boolean signaling the deviceId for a device was identified on a blocklist that you have provided.
  • global_blocklist - A boolean signaling the deviceId for a device was found on the NeuroID blocklist of known fraudulent devices.
{
  "model": "device_reputation",
  "label": "string",
  "attributes": {
    "customer_blocklist": "boolean",
    "global_blocklist": "boolean"
  }
}

Device Velocity

The device_velocity signal identifies the number of sessions associated with a device.

The label field is a string.

  • A true value means the device of the applicant is associated with more sessions than the device_velocity_threshold.
  • A false value means the device of the applicant is associated with fewer sessions than the device_velocity_threshold.
  • The device_velocity_threshold is configured by NeuroID based on the application type and has a default of 5 sessions.

The attributes field has the following values:

  • sessions_per_device_count_1_day - A numeric value representing the count of total sessions on the user's device in the last 24 hours.
  • sessions_per_device_count_1_week - A numeric value representing the count of total sessions on the user's device in the last week.
  • sessions_per_device_count_4_week - A numeric value representing the count of total sessions on the user's device in the last 4 weeks.
  • multiple_sessions_per_device_count_12_week - A numeric value representing the count of total sessions on the user's device in the last 12 weeks.
{
  "model": "device_velocity",
  "label": "string",
  "attributes": {
    "sessions_per_device_count_1_day": "number",
    "sessions_per_device_count_1_week": "number",
    "sessions_per_device_count_4_week": "number",
    "sessions_per_device_count_12_week": "number",
  }
}

Factory Reset

The factory_reset signal identifies if a mobile device has been reset to the default factory settings. If a device has been reset to default factory settings, this signal also provides the time in which that occurred.

The label field is a string.

  • A true value means the device has been reset to default factory settings at some point.
  • A false value means the device has never been reset to default factory settings.
{
  "model": "factory_reset",
  "label": "string",
  "attributes": {
    "time": "string",
    "timestamp": "number",
  }
}

GPS Spoofing

The gps_spoofing signal identifies if the location of a mobile device has been spoofed. Location spoofing is a common practice among fraudsters to fool fraud detection systems.

Note: this signal requires the host app to be granted Location Permission for iOS.

The label field is a string.

  • A true value means the location of the mobile device has been spoofed.
  • A false value means the location of the mobile device has not been spoofed.
{
  "model": "gps_spoofing",
  "label": "string",
}

Incognito

The incognito signal identifies if the web browser accessing your web application is being run in incognito mode.

The label field is a string.

  • A true value means the web browser accessing your web application is being run in incognito mode.
  • A false value means the web browser accessing your web application is not being run in incognito mode.
{
  "model": "incognito",
  "label": "string"
}

IP Address Association

The ip_address_association signal identifies if the public IP of the user is associated with known IP address of various cloud providers.

The label field is a string.

  • A true value means the public IP of the user is associated with a known IP address of various cloud providers.
  • A false value means the public IP of the user is not associated with a known IP address of various cloud providers.

The attributes field has the following values:

  • aws_ip_set - A boolean signaling the public IP address of the user is associated with the AWS (Amazon Web Services) public IP list.
  • azure_* - A boolean signaling the public IP address of the user is associated with one of Microsoft Azure's public IP lists. The different lists from Microsoft Azure are: China, Germany, Government, and Public.
  • digital_ocean_ip_set - A boolean signaling the public IP address of the user is associated with the Digital Ocean public IP list.
  • google_ip_set - A boolean signaling the public IP address of the user is associated with the Google Cloud public IP list.
  • vultr_ip_set - A boolean signaling the public IP address of the user is associated with the Vultr public IP list.
  • oracle_ip_set - A boolean signaling the public IP address of the user is associated with the Oracle public IP list.
{
  "model": "ip_address_association",
  "label": "string",
  "attributes": {
    "aws_ip_set": "boolean",
    "azure_china_ip_set": "boolean",
    "azure_germany_ip_set": "boolean",
    "azure_government_ip_set": "boolean",
    "azure_public_ip_set": "boolean",
    "digital_ocean_ip_set": "boolean",
    "google_ip_set": "boolean",
    "oracle_ip_set": "boolean",
    "vultr_ip_set": "boolean",
  }
}

IP Blocklist

The ip_blocklist signal identifies if the public IP of the user is associated with a blocklist you have provided or one of the available NeuroID blocklists.

The label field is a string.

  • A true value means the public IP of the user is found on a blocklist
  • A false value means the public IP of the user is not found on a blocklist

The attributes field has the following values:

  • customer_blocklist - A boolean signaling the public IP address of the user was found on a blocklist that you provided.
  • global_blocklist - A boolean signaling the public IP address of the user was found on the NeuroID blocklist of known fraudulent IP addresses.
  • partner_blocklist - A boolean signaling the public IP address of the user was found on a blocklist provided by third party partners.
{
  "model": "ip_blocklist",
  "label": "string",
  "attributes": {
    "customer_blocklist": "boolean",
    "global_blocklist": "boolean",
    "partner_blocklist": "boolean",
  }
}

Blocklisting from a Known List

The Device & Network capabilities support blocklisting based on IP Addresses and/or Device IDs. NeuroID generally recommends using these lists to inform High Risk operations, although your specific situation, risk appetite, or decisioning may vary.

During initial setup or when upgrading your relationship to include Device & Network features, you can discuss your blocklist operations/maintenance with your support representative, Subsequently you’ll be able to send a file to your representative with the necessary data to ensure the Blocklisted IP Address signal operates optimally from Day 1.

File Requirements

  • The file should be a .CSV.
  • The file should contain a single column named ‘ip_address’ that should include all IP Addresses to be blocked.
  • The IP Addresses may include IPv4 or IPv6 formatted values.
  • The file should be sent via email or slack.

Note: NeuroID will assume the most recently received blocklist to be the source of truth. That means updated lists should include the full set of IP addresses and/or Device IDs to block, and not a list of items to append to previously sent lists.

This same process can be used to block Device IDs. To do so, use the column header “device_id’ and send the list in a separate file.

Multiple IDs per Device

The multiple_ids_per_device signal identifies the number of sessions associated with a device.

The label field is a string.

  • A true value means the device of the applicant is associated with more set identifiers than the multiple_ids_per_device_threshold.
  • A false value means the device of the applicant is associated with fewer set identifiers than the multiple_ids_per_device_threshold.
  • The multiple_ids_per_device_threshold is configured by NeuroID based on the application type and has a default of 5 identifiers.

The attributes field has the following values:

  • multiple_ids_per_device_count_1_day - A numeric value representing the count of total identifiers on the user's device in the last 24 hours.
  • multiple_ids_per_device_count_1_week - A numeric value representing the count of total identifiers on the user's device in the last week.
  • multiple_ids_per_device_count_4_week - A numeric value representing the count of total identifiers on the user's device in the last 4 weeks.
  • multiple_ids_per_device_count_12_week - A numeric value representing the count of total identifiers on the user's device in the last 12 weeks.
{
  "model": "multiple_ids_per_device",
  "label": "string",
  "attributes": {
    "multiple_ids_per_device_count_1_day": "number",
    "multiple_ids_per_device_count_1_week": "number",
    "multiple_ids_per_device_count_4_week": "number",
    "multiple_ids_per_device_count_12_week": "number",
  }
}

Multiple Users Per Device

Web iOS Android Profile Required

The multiple_users_per_device signal identifies if multiple userIDs are associated with a single device.

The label field is a string.

  • A true value indicates the number of userIDs associated with a device exceeds the thresholds.
  • A false value indicates the number of userIDs associated with a device does not exceed the threshold.
  • The multiple_users_per_device_threshold is configured by NeuroID based on the application type and has a default of 5 sessions.
  • An error value either indicates that there was an error processing the signal for the session. If the value of label is error there will be an additional error field inside the object. No "insufficient data" errors are expected for this signal.

The attributes object contains the following fields:

  • registered_user_id_count_1_day - A numeric value representing the total count of userIDs associated with the device in the past 24 hours.
  • registered_user_id_count_1_week - A numeric value representing the total count of userIDs associated with the device in the past 1 week.
  • registered_user_id_count_4_week - A numeric value representing the total count of userIDs associated with the device in the past 4 weeks.
  • registered_user_id_count_12_week - A numeric value representing the total count of userIDs associated with the device in the past 12 weeks.
{
  "model": "multiple_users_per_device",
  "label": "string",
  "version": "string",
  "attributes": {
    "registered_user_id_count_1_day": "number",
    "registered_user_id_count_1_week": "number",
    "registered_user_id_count_4_week": "number",
    "registered_user_id_count_12_week": "number",
  }
}

Public Proxy

The public_proxy signal identifies if the public IP of the user is associated with a proxy server. A proxy server acts as an intermediary server separating end users from web pages they visit.

The label field is a string.

  • A true value means the public IP of the user is associated with a proxy network provider.
  • A false value means the public IP of the user is not associated with a proxy network provider.
{
  "model": "public_proxy",
  "label": "string"
}

Rapid Location Change

Web iOS Android Profile Required

The rapid_location_change signal determines the distance a user has traveled since their most recent session.

The max_travel_speed_km_h is configured to 1059 kilometers per hour. This speed corresponds with the max speed of a Boeing 747-8, which is the fastest commercial airplane today.

The label field is a string.

  • A true value indicates the user has traveled an unrealistic distance since the last session. The user's distance over time since the last session exceeds the max_travel_speed_km_h.
  • A false value indicates the user has not traveled an unrealistic distance since the last session. The user's distance over time since the last session does not exceed the max_travel_speed_km_h.
  • An error value either indicates that there's insufficient data to generate the signal or there was an error processing the signal for the session. If the value of label is error there will be an additional error field inside the object.

The error field is an optional string where the value is one of the following:

  • Insufficient data: First observed session for user: This signifies the current session is the first observed session for the user; therefore there is no previous session to compare against.
  • Insufficient data: Previous session missing signal information: This signifies the previous session is missing data for this signal; therefore the signal change cannot be identified.
  • Internal error evaluating rule: This represents a server-side error in the signal generation. In this case the attributes object will be empty, or the attribute values will be null.

The attributes object contains the following fields:

  • distance_km_between_sessions - A numeric value representing the total distance in kilometers between the user's current session and the user's most recent previous session.
  • time_hr_between_sessions - A numeric value representing the total time in hours between the user's current session and the user's most recent previous session.
{
  "model": "rapid_location_change",
  "label": "string",
  "version": "string",
  "attributes": {
      "distance_km_between_sessions": "number",
      "time_hr_between_sessions": "number",
  },
}

{
  "model": "rapid_location_change",
  "label": "string",
  "version": "string",
  "attributes": {
      "distance_km_between_sessions": "null",
      "time_hr_between_sessions": "null",
  },
  "error": "string"
}

Suspicious Device

The suspicious_device signal identifies if a device has properties that suggest the device has been modified in a way that indicates the device is being used for fraudulent or bot activity.

The label field is a string.

  • A true value means the device of the applicant has suspicious or missing properties.
  • A false value means the device of the applicant does not have suspicious or missing properties.

The attributes field contains the following values:

  • emulator - A boolean flagging if the device is running in simulator mode
  • jailbroken - A boolean flagging if the device has jailbroken applications installed on the device. This suggests the device has been jailbroken. This attribute will always be false for non-mobile sessions.
  • missing_expected_properties - A boolean flagging if the web browser used to access your web application is missing standard web properties. This suggests the browser has been modified for web application scripting. This attribute will always be false for non-web sessions. The NeuroID JavaScript library examines the values of many web properties. A few examples of risky values are:
    • canvas property is not supported
    • languages list is empty
    • plugins list is empty
    • localStorage and sessionStorage are not available
  • frida- A boolean flagging if Frida is being used to instrument the app. Frida is a toolkit that fraudsters use to spoof an app at runtime and change its behavior. Note: this signal will always be false for web sessions.
  • high_risk_plugins- A boolean flagging if the browser has risky plugins installed. For example, the Shockwave Flash plugin would trigger this signal because it has known vulnerabilities, and it was discontinued in 2019.
{
  "model": "suspicious_device",
  "label": "string",
  "attributes": {
    "emulator": "boolean",
    "jailbroken": "boolean",
    "missing_expected_properties": "boolean",
    "frida": "boolean",
    "high_risk_plugins": "boolean",
  }
}

TOR Exit Node

The tor_exit_node signal identifies if the public IP of the user is associated with a TOR (The Onion Router) exit node.

The label field is a string.

  • A true value means the public IP of the user is associated with a TOR exit node.
  • A false value means the public IP of the user is not associated with a TOR exit node.
{
  "model": "tor_exit_node",
  "label": "string"
}

VPN

The vpn signal identifies if the public IP of the user is associated with a VPN (Virtual Private Network) Provider. A VPN creates an encrypted tunnel for your customers that hides their IP address, and encrypts the data sent across the web.

The label field is a string.

  • A true value means the public IP of the user is associated with a VPN provider.
  • A false value means the public IP of the user is not associated with a VPN provider.
{
  "model": "vpn",
  "label": "string"
}

Example API Response

{
    "status": "SUCCESS",
    "message": "success",
    "moreInfo": null,
    "profile": {
        "siteId": "form_neuro500",
        "funnel": "unknown",
        "clientId": "CCAD7576-6FFD-4188-87C9-0EB037FEDCEF",
        "deviceId": "bzdVIJWBB79bnzRGjdrm",
        "signals": [
            {
                "version": "2.7",
                "model": "familiarity",
                "label": "medium",
                "score": 48.05
            },
            {
                "version": "1.0",
                "model": "fraud_ring_indicator",
                "label": "false",
                "score": 0.0
            },
            {
                "version": "1.0",
                "model": "automated_activity",
                "label": "false",
                "score": 0.0
            },
            {
                "version": "1.0",
                "model": "combined_digital_intent",
                "label": "neutral",
                "score": 0.5
            },
            {
                "version": "1.0",
                "model": "risky_device",
                "label": "false",
                "score": 0.0
            },
            {
                "version": "1.0",
                "model": "bot_framework",
                "label": "false",
                "attributes": {}
            },
            {
                "version": "1.0",
                "model": "device_reputation",
                "label": "false",
                "attributes": {
                    "customer_blocklist": false,
                    "global_blocklist": false
                }
            },
            {
                "version": "1.0",
                "model": "device_velocity",
                "label": "false",
                "attributes": {
                    "sessions_per_device_count_1_day": 1,
                    "sessions_per_device_count_1_week": 1,
                    "sessions_per_device_count_4_week": 1,
                    "sessions_per_device_count_12_week": 1
                }
            },
            {
                "version": "1.0",
                "model": "incognito",
                "label": "false",
                "attributes": {}
            },
            {
                "version": "1.0",
                "model": "public_proxy",
                "label": "false",
                "attributes": {}
            },
            {
                "version": "1.0",
                "model": "suspicious_device",
                "label": "false",
                "attributes": {
                    "emulator": false,
                    "jailbroken": false,
                    "missing_expected_properties": false
                }
            },
            {
                "version": "1.0",
                "model": "tor_exit_node",
                "label": "false",
                "attributes": {}
            },
            {
                "version": "1.0",
                "model": "vpn",
                "label": "false",
                "attributes": {}
            },
            {
                "version": "1.0",
                "model": "ip_address_association",
                "label": "false",
                "attributes": {
                    "aws_ip_set": false,
                    "azure_china_ip_set": false,
                    "azure_germany_ip_set": false,
                    "azure_government_ip_set": false,
                    "azure_public_ip_set": false,
                    "digital_ocean_ip_set": false,
                    "google_ip_set": false,
                  	"oracle_ip_set": false,
                    "vultr_ip_set": false
                }
            },
            {
                "version": "1.0",
                "model": "ip_blocklist",
                "label": "false",
                "attributes": {
                    "customer_blocklist": false,
                    "global_blocklist": false,
                    "partner_blocklist": false
                }
            }
        ],
        "id": "example-response-1"
    }
}