A.2 - Advanced Fraud Tools Triggered Rules
This section provides definitions of the triggered rules returned in the Advanced Fraud Results (`advancedFraudResults` element) section of the response message (see Example below). ThreatMetrix uses the rules triggered by each advanced fraud check to determine the device reputation score, which in turn determines the final review status: Pass, Review, or Fail.
The rules/descriptions in this document reflect those used in the generic merchant policy. Depending upon the policy configured in your merchant profile, some rules may not apply to you, or additional rules, not defined here, may appear in your results.
Example: advancedFraudResults Structure
```xml
<advancedFraudResults>
    <deviceReviewStatus>pass, fail, review, etc.</deviceReviewStatus>
    <deviceReputationScore>Score Returned from ThreatMetrix</deviceReputationScore>
    <triggeredRule>Triggered Rule #1</triggeredRule>
    .
    .
    .
    <triggeredRule>Triggered Rule #N</triggeredRule>
</advancedFraudResults>
```
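The following Python sketch is an added example, not code from this guide or from Worldpay or ThreatMetrix. It parses an `advancedFraudResults` element and sorts each triggered rule into a family, keeping rule names it does not recognise, since a merchant policy may return rules not defined here. The rule-name patterns are inferred from the names in Table A-6, and the integer score, the constructed sample message (including `MerchantSpecificRule`) and the fallback to `review` for an unknown status are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

# Naming pattern inferred from Table A-6 (an assumption, not a documented grammar):
# <threshold><counted>(On|Per|With)<key>(Local|Global)(Hour|Day|Week|Month)
VELOCITY_RE = re.compile(
    r"^(?P<threshold>\d+)(?P<counted>[A-Za-z]+?)(?:On|Per|With)"
    r"(?P<key>[A-Za-z]+?)(?P<scope>Local|Global)(?P<window>Hour|Day|Week|Month)$"
)
# <subject>On(LocalBlacklist|LocalWhitelist|ThreatMetrixGlobalBlacklist)
LIST_RE = re.compile(
    r"^(?P<subject>.+?)On"
    r"(?P<list>LocalBlacklist|LocalWhitelist|ThreatMetrixGlobalBlacklist)$"
)
KNOWN_STATUSES = {"pass", "review", "fail"}

# Constructed sample message; MerchantSpecificRule stands in for a rule
# that a merchant policy returns but Table A-6 does not define.
SAMPLE_XML = """<advancedFraudResults>
  <deviceReviewStatus>review</deviceReviewStatus>
  <deviceReputationScore>-35</deviceReputationScore>
  <triggeredRule>3EmailsPerFuzzyDeviceLocalHour</triggeredRule>
  <triggeredRule>EmailOnLocalBlacklist</triggeredRule>
  <triggeredRule>KnownVPNISP</triggeredRule>
  <triggeredRule>MerchantSpecificRule</triggeredRule>
</advancedFraudResults>"""


@dataclass
class FraudResult:
    status: str
    score: Optional[int]
    rules: list = field(default_factory=list)


def _local(tag):
    """Drop an XML namespace prefix such as '{uri}name' if one is present."""
    return tag.rsplit("}", 1)[-1]


def classify_rule(name):
    """Decode a rule name into its family; unrecognised names are kept as 'other'."""
    name = name.strip()
    m = VELOCITY_RE.match(name)
    if m:
        return {"name": name, "family": "velocity",
                "threshold": int(m["threshold"]), "counted": m["counted"],
                "key": m["key"], "scope": m["scope"], "window": m["window"]}
    m = LIST_RE.match(name)
    if m:
        family = "whitelist" if m["list"].endswith("Whitelist") else "blacklist"
        return {"name": name, "family": family,
                "subject": m["subject"], "list": m["list"]}
    return {"name": name, "family": "other"}


def parse_advanced_fraud_results(xml_text):
    """Return a FraudResult, or None when the element is absent from the message."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DTD not expected in a response message")
    root = ET.fromstring(xml_text)
    node = next((e for e in root.iter()
                 if _local(e.tag) == "advancedFraudResults"), None)
    if node is None:
        return None
    status, score, rules = "", None, []
    for child in node:
        tag, text = _local(child.tag), (child.text or "").strip()
        if tag == "deviceReviewStatus":
            status = text.lower()
        elif tag == "deviceReputationScore":
            try:
                score = int(text)  # assumption: the score is an integer
            except ValueError:
                score = None
        elif tag == "triggeredRule" and text:
            rules.append(classify_rule(text))
    return FraudResult(status, score, rules)


def effective_status(result):
    """Assumption: a missing result or unknown status goes to manual review."""
    if result is None or result.status not in KNOWN_STATUSES:
        return "review"
    return result.status


if __name__ == "__main__":
    parsed = parse_advanced_fraud_results(SAMPLE_XML)
    print(effective_status(parsed), parsed.score)
    for rule in parsed.rules:
        print(rule)
```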
TABLE A-6 Triggered Rules Definitions
| Triggered Rule Name | Description |
|---|---|
| 10PaymentsOnDeviceLocalDay | This device submitted 10 or more payments in the previous 24 hours. This is atypical and may be an indicator of misuse. |
| 10PaymentsOnDeviceLocalHour | This device has submitted 10 or more payments in the previous hour. This is atypical and may be an indicator of misuse. |
| 10PaymentsOnFuzzyDeviceLocalDay | This device appears to have submitted 10 or more payments in the previous 24 hours. This is atypical and may be an indicator of misuse. |
| 10PaymentsOnFuzzyDeviceLocalHour | This device appears to have submitted 10 or more payments in the previous hour. This is atypical and may be an indicator of misuse. |
| 10PaymentsOnTrueIPLocalDay | This True IP submitted 10 or more payments in the previous day. This is atypical and may be an indicator of misuse. |
| 10PaymentsOnTrueIPLocalHour | This True IP submitted 10 or more payments in the previous hour. This is atypical and may be an indicator of misuse. |
| 10PaymentsWithEmailAddressLocalDay | This email address submitted 10 or more payments in the previous day. This is atypical and may be an indicator of misuse. |
| 15PaymentsWithCustomerIDLocalDay | This customer ID submitted 15 or more payments in the previous day. This is atypical and may be an indicator of misuse. |
| 15PaymentsWithPaymentCardLocalDay | This payment card submitted 15 or more payments in the previous day. This is atypical and may be an indicator of misuse. |
| 100PaymentsOnDeviceLocalMonth | This device submitted 100 or more payments in the previous month. This is atypical and may be an indicator of misuse. |
| 100PaymentsOnFuzzyDeviceLocalMonth | This device appears to have submitted 100 or more payments in the previous month. This is atypical and may be an indicator of misuse. |
| 100PaymentsOnTrueIPLocalMonth | This True IP submitted 100 or more payments in the previous month. This is atypical and may be an indicator of misuse. |
| 2ScreenResolutionsPerDeviceGlobalDay | This device used 2 or more screen resolutions in the past day. This is atypical and may indicate misuse. |
| 20PaymentsOnDeviceLocalDay | This device submitted 20 or more payments in the previous 24 hours. This is atypical and may be an indicator of misuse. |
| 20PaymentsOnFuzzyDeviceLocalDay | This device appears to have submitted 20 or more payments in the previous 24 hours. This is atypical and may be an indicator of misuse. |
| 20PaymentsOnTrueIPLocalDay | This True IP submitted 20 or more payments in the previous day. This is atypical and may be an indicator of misuse. |
| 20PaymentsWithCustomerIDLocalWeek | This customer ID submitted 20 or more payments in the previous week. This is atypical and may be an indicator of misuse. |
| 20PaymentsWithPaymentCardLocalWeek | This payment card submitted 20 or more payments in the previous week. This is atypical and may be an indicator of misuse. |
| 3CustomerIDsPerDeviceLocalDay | This device submitted transactions using 3 or more distinct customer IDs in the previous 24 hours. This is abnormal and may be an indicator of a card-testing attack or free-trial abuse. |
| 3CustomerIDsPerDeviceLocalWeek | This device submitted transactions using 3 or more distinct customer IDs in the previous 7 days. This is abnormal and may be an indicator of a card-testing attack or free-trial abuse. |
| 3DevicesPerCustomerIDLocalDay | Three or more devices have been used to submit transactions with this customer ID in the previous 24 hours. This may be an indicator of misuse. |
| 3DevicesPerCustomerIDLocalWeek | Three or more devices have been used to submit transactions with this customer ID in the previous 7 days. This may be an indicator of misuse. |
| 3DevicesPerEmailGlobalDay | Three or more devices have been used to submit transactions with this email address in the previous 24 hours. This may be an indicator of misuse. |
| 3DevicesPerEmailGlobalWeek | Three or more devices have been used to submit transactions with this email address in the previous 7 days. This may be an indicator of misuse. |
| 3DevicesPerPaymentCardGlobalDay | Three or more devices have been used to submit transactions with this payment card in the previous 24 hours. This may be an indicator of misuse. |
| 3DevicesPerPaymentCardGlobalWeek | Three or more devices have been used to submit transactions with this payment card in the previous 7 days. This may be an indicator of misuse. |
| 3EmailsPerDeviceGlobalDay | This device has submitted transactions using 3 or more distinct email addresses in the previous 24 hours. This is abnormal and may be an indicator of a card-testing attack or free-trial abuse. |
| 3EmailsPerDeviceGlobalWeek | This device has submitted transactions using 3 or more distinct email addresses in the previous 7 days. This is abnormal and may be an indicator of a card-testing attack or free-trial abuse. |
| 3EmailsPerFuzzyDeviceLocalHour | This device appears to have submitted transactions using 3 or more distinct email addresses in the previous 60 minutes. This is abnormal and may be an indicator of a card-testing attack or free-trial abuse. |
| 3PaymentCardsPerDeviceGlobalDay | This device has submitted transactions using 3 or more distinct payment cards in the previous 24 hours. This is abnormal and may be an indicator of a card-testing attack or free-trial abuse. |
| 3PaymentCardsPerDeviceGlobalWeek | This device has submitted transactions using 3 or more distinct payment cards in the previous 7 days. This is abnormal and may be an indicator of a card-testing attack or free-trial abuse. |
| 3PaymentsOnDeviceLocalHour | This device has submitted 3 or more payments in the previous hour. This is atypical and may be an indicator of misuse. |
| 3PaymentsOnFuzzyDeviceLocalHour | This device appears to have submitted 3 or more payments in the previous hour. This is atypical and may be an indicator of misuse. |
| 3PaymentsOnTrueIPLocalHour | This True IP submitted 3 or more payments in the previous hour. This is atypical and may be an indicator of misuse. |
| 3ProxiesPerDeviceGlobalDay | This device submitted transactions through 3 or more distinct IP proxies in the previous 24 hours. This is atypical and may be an indicator of misuse. |
| 4ScreenResolutionsPerDeviceGlobalDay | This device has used 4 or more screen resolutions in the past day. This is atypical and may indicate misuse. |
| 5PaymentsOnDeviceLocalDay | This device has submitted 5 or more payments in the previous 24 hours. This is atypical and may be an indicator of misuse. |
| 5PaymentsOnDeviceLocalHour | This device has submitted 5 or more payments in the previous hour. This is atypical and may be an indicator of misuse. |
| 5PaymentsOnFuzzyDeviceLocalDay | This device appears to have submitted 5 or more payments in the previous 24 hours. This is atypical and may be an indicator of misuse. |
| 5PaymentsOnFuzzyDeviceLocalHour | This device appears to have submitted 5 or more payments in the previous hour. This is atypical and may be an indicator of misuse. |
| 5PaymentsOnTrueIPLocalDay | This True IP has submitted 5 or more payments in the previous day. This is atypical and may be an indicator of misuse. |
| 5PaymentsOnTrueIPLocalHour | This True IP submitted 5 or more payments in the previous hour. This is atypical and may be an indicator of misuse. |
| 5PaymentsWithCustomerIDLocalHour | This customer ID submitted 5 or more payments in the previous hour. This is atypical and may be an indicator of misuse. |
| 5PaymentsWithEmailAddressLocalHour | This email address has submitted 5 or more payments in the previous hour. This is atypical and may be an indicator of misuse. |
| 5PaymentsWithPaymentCardLocalHour | This payment card submitted 5 or more payments in the previous hour. This is atypical and may be an indicator of misuse. |
| 50PaymentsOnDeviceLocalWeek | This device has submitted 50 or more payments in the previous week. This is atypical and may be an indicator of misuse. |
| 50PaymentsOnFuzzyDeviceLocalWeek | This device appears to have submitted 50 or more payments in the previous week. This is atypical and may be an indicator of misuse. |
| 50PaymentsOnTrueIPLocalMonth | This True IP has submitted 50 or more payments in the previous month. This is atypical and may be an indicator of misuse. |
| 20PaymentsWithCustomerIDLocalMonth | This customer ID submitted 20 or more payments in the previous month. This is atypical and may be an indicator of misuse. |
| AnonymousProxy | This transaction was submitted through an anonymous web proxy, a method that is sometimes employed when trying to cloak one's identity. |
| AnonymousProxyIP | This transaction was submitted through an anonymous proxy IP address, a method that is sometimes employed when trying to cloak one's identity. |
| BINCustomerAddressGeolocationMismatch | The customer's bill-to address country does not match that of the payment card's issuing bank. This may be an indicator of a fraud attack. |
| ComputerGeneratedEmail | This email address may have been automatically generated by a computer. Fraudsters frequently employ automated bots that create email addresses programmatically to enable their fraud attacks. |
| CookiesDisabled | The browser used to submit this transaction has disabled cookies. This is common to fraud attacks and may be an indicator of misuse. |
| CookiesJavascriptDisabled | The browser used to submit this transaction has disabled cookies and JavaScript. This is common to fraud attacks and may be an indicator of misuse. |
| CustomAttribute1OnLocalBlacklist | Custom attribute 1 for this transaction is on Worldpay's ThreatMetrix-hosted blacklist. |
| CustomAttribute1OnLocalWhitelist | Custom attribute 1 for this transaction is on Worldpay's ThreatMetrix-hosted whitelist. |
| CustomAttribute2OnLocalBlacklist | Custom attribute 2 for this transaction is on Worldpay's ThreatMetrix-hosted blacklist. |
| CustomAttribute2OnLocalWhitelist | Custom attribute 2 for this transaction is on Worldpay's ThreatMetrix-hosted whitelist. |
| CustomAttribute3OnLocalBlacklist | Custom attribute 3 for this transaction is on Worldpay's ThreatMetrix-hosted blacklist. |
| CustomAttribute3OnLocalWhitelist | Custom attribute 3 for this transaction is on Worldpay's ThreatMetrix-hosted whitelist. |
| CustomAttribute4OnLocalBlacklist | Custom attribute 4 for this transaction is on Worldpay's ThreatMetrix-hosted blacklist. |
| CustomAttribute4OnLocalWhitelist | Custom attribute 4 for this transaction is on Worldpay's ThreatMetrix-hosted whitelist. |
| CustomAttribute5OnLocalBlacklist | Custom attribute 5 for this transaction is on Worldpay's ThreatMetrix-hosted blacklist. |
| CustomAttribute5OnLocalWhitelist | Custom attribute 5 for this transaction is on Worldpay's ThreatMetrix-hosted whitelist. |
| CustomerIDOnLocalBlacklist | The customer ID for this transaction is on Worldpay's ThreatMetrix-hosted blacklist. |
| CustomerIDOnLocalWhitelist | The customer ID for this transaction is on Worldpay's ThreatMetrix-hosted whitelist. |
| CustomerNameOnLocalBlacklist | The customer name for this transaction is on Worldpay's ThreatMetrix-hosted blacklist. |
| CustomerNameOnLocalWhitelist | The customer name for this transaction is on Worldpay's ThreatMetrix-hosted whitelist. |
| DeviceCountriesNotAllowed | This transaction originated from an IP address located in a country on the ThreatMetrix-hosted blacklist. |
| DeviceIDOnThreatMetrixGlobalBlacklist | The originating device is on the ThreatMetrix global blacklist. |
| DeviceGlobalAgeLessThanOneHour | The originating device was first seen across the entire ThreatMetrix global network within the past hour. This is uncommon and may point to a fraudster simulating a new device through advanced techniques in an attempt to avoid detection. |
| DeviceLocalAgeLessThanOneHour | The originating device was first seen by Worldpay within the past hour. This may point to a fraudster simulating a new device through advanced techniques in an attempt to avoid detection. |
| DeviceNotFingerprinted | ThreatMetrix could not fingerprint the originating device. This is atypical and may indicate a deliberate attempt by the user to cloak his or her identity. |
| DeviceOnLocalBlacklist | The originating device is on the ThreatMetrix-hosted blacklist. |
| DeviceOnLocalWhitelist | The originating device is on the ThreatMetrix-hosted whitelist. |
| DeviceOnThreatMetrixGlobalBlacklist | The originating device is on the ThreatMetrix global blacklist. |
| DeviceRejectedByNetwork10Times | The originating device has been rejected by one of ThreatMetrix's customers and/or partners 10 or more times on the suspicion of fraud. |
| DeviceRejectedByNetwork25Times | The originating device has been rejected by one of ThreatMetrix's customers and/or partners 25 or more times on the suspicion of fraud. |
| DeviceRejectedByNetwork5Times | The originating device has been rejected by one of ThreatMetrix's customers and/or partners 5 or more times on the suspicion of fraud. |
| DeviceRejectedByNetworkInLastWeek | The originating device has been rejected by one of ThreatMetrix's customers and/or partners in the last week on the suspicion of fraud. |
| DeviceReviewedByNetwork5Times | The originating device has been reviewed by one of ThreatMetrix's customers and/or partners 5 or more times on the suspicion of fraud. |
| DeviceReviewedByNetwork10Times | The originating device has been reviewed by one of ThreatMetrix's customers and/or partners 10 or more times on the suspicion of fraud. |
| DeviceReviewedByNetwork25Times | The originating device has been reviewed by one of ThreatMetrix's customers and/or partners 25 or more times on the suspicion of fraud. |
| EmailDistanceTraveled | This email address has been associated with transactions originating from locations at least 1,000 miles apart in the last hour. This is a red flag and warrants caution. |
| EmailHostnameTooLong | The hostname portion (i.e. to the right of "@") of this email address exceeds 30 characters. Email addresses associated with suspicious domain names are often used as part of attacks. Overly long hostnames are a common marker of such domains. |
| EmailHostnameWithNonLetters | The hostname portion (i.e. to the right of "@") of this email address contains non-letter characters (e.g. numbers and special characters). Email addresses associated with suspicious domain names are often used as part of attacks. Hostnames with non-letter characters are a common marker of such domains. |
| EmailOnLocalBlacklist | The customer email address for this transaction is on Worldpay's ThreatMetrix-hosted blacklist. |
| EmailOnLocalWhitelist | The customer email address for this transaction is on Worldpay's ThreatMetrix-hosted whitelist. |
| EmailOnThreatMetrixGlobalBlacklist | This email address is on the ThreatMetrix global blacklist. |
| EmailRejectedByNetwork10TimesInLastDay | The associated email address has been rejected by one of ThreatMetrix's customers and/or partners 10 or more times in the last day on the suspicion of fraud. |
| EmailRejectedByNetworkInLastWeek | A transaction using this email address has been rejected by one of ThreatMetrix's customers and/or partners in the last week on the suspicion of fraud. |
| EmailUsernameTooLong | The name portion (i.e. to the left of "@") of this email address exceeds 30 characters. Email addresses associated with suspicious user names are often used as part of attacks. Overly long user names are a common marker of such domains. |
| EmailUsernameWithNonLetters | The name portion (i.e. to the left of "@") of this email address contains non-letter characters (e.g. numbers and special characters). Email addresses associated with suspicious usernames are often used as part of attacks. Usernames with non-letter characters are a common marker of such domains. |
| ExcessivePaymentsOnDeviceHour | An abnormally high number of transactions have been submitted from this device in the last hour. This is a common indicator of fraudulent payment. |
| ExcessivePaymentsOnDeviceDay | An abnormally high number of transactions have been submitted from this device in the last 24 hours. This is a common indicator of fraudulent payment. |
| ExcessivePaymentsOnFuzzyDeviceHour | An abnormally high number of transactions appear to have been submitted from this device in the last hour. This is a common indicator of fraudulent payment. |
| ExcessivePaymentsOnFuzzyDeviceDay | An abnormally high number of transactions appear to have been submitted from this device in the last 24 hours. This is a common indicator of fraudulent payment. |
| FlashBrowserLanguageMismatch | The language used by the web browser used to submit this transaction does not match the language used by the Flash plug-in. This is atypical and may be an indicator of misuse. |
| FlashCookiesJavascriptDisabled | The browser used to submit this transaction has disabled Flash objects, cookies, and JavaScript. This is common to fraud attacks and may be an indicator of misuse. |
| FlashCookiesDisabled | The browser used to submit this transaction has disabled Flash objects and cookies. This is common to fraud attacks and may be an indicator of misuse. |
| FlashDisabled | The browser used to submit this transaction has disabled Flash objects. This is common to fraud attacks and may be an indicator of misuse. |
| FlashImagesCookiesDisabled | The browser used to submit this transaction has disabled Flash objects, images, and cookies. This is common to fraud attacks and may be an indicator of misuse. |
| FlashImagesCookiesJavascriptDisabled | The browser used to submit this transaction has disabled Flash objects, images, cookies, and JavaScript. This is common to fraud attacks and may be an indicator of misuse. |
| FlashImagesDisabled | The browser used to submit this transaction has disabled Flash objects and images. This is common to fraud attacks and may be an indicator of misuse. |
| FlashImagesJavascriptDisabled | The browser used to submit this transaction has disabled Flash objects, images, and JavaScript. This is common to fraud attacks and may be an indicator of misuse. |
| FlashJavascriptDisabled | The browser used to submit this transaction has disabled Flash objects and JavaScript. This is common to fraud attacks and may be an indicator of misuse. |
| FuzzyDeviceLocalAgeLessThanOneHour | The originating device appears to have been seen by Worldpay for the first time within the past hour. This may point to a fraudster simulating a new device through advanced techniques in an attempt to avoid detection. |
| FuzzyDeviceOnLocalBlacklist | The originating device appears to be on Worldpay's ThreatMetrix-hosted blacklist. |
| FuzzyDeviceOnLocalWhitelist | The originating device appears to be on Worldpay's ThreatMetrix-hosted whitelist. |
| FuzzyDeviceOnThreatMetrixGlobalBlacklist | The originating device appears to be on the ThreatMetrix global blacklist. |
| FuzzyDeviceRejectedByNetworkInLastWeek | The originating device appears to have been rejected by one of ThreatMetrix's customers and/or partners in the last week on the suspicion of fraud. |
| GeolocationLanguageMismatch | The language detected from the originating web browser is not appropriate for the location. This is atypical and may be an indicator of misuse. |
| HiddenProxy | This transaction was submitted through a hidden web proxy, a method that is sometimes employed when trying to cloak one's identity. |
| ImagesCookiesDisabled | The browser used to submit this transaction has disabled images and cookies. This is common to fraud attacks and may be an indicator of misuse. |
| ImagesCookiesJavascriptDisabled | The browser used to submit this transaction has disabled images, cookies, and JavaScript. This is common to fraud attacks and may be an indicator of misuse. |
| ImagesDisabled | The browser used to submit this transaction has disabled images. This is common to fraud attacks and may be an indicator of misuse. |
| ImagesJavascriptDisabled | The browser used to submit this transaction has disabled images and JavaScript. This is common to fraud attacks and may be an indicator of misuse. |
| IPHasNegativeReputation | The originating IP address is a potential threat based upon analysis of its activity across the ThreatMetrix network. |
| IPOnLocalBlacklist | The originating IP address is on the ThreatMetrix-hosted blacklist. |
| IPOnLocalWhitelist | The originating IP address is on the ThreatMetrix-hosted whitelist. |
| IPOnThreatMetrixGlobalBlacklist | The originating IP address is on the ThreatMetrix global blacklist. |
| IPRejectedByNetwork10Times | The originating IP address has been rejected by one of ThreatMetrix's customers and/or partners 10 or more times on the suspicion of fraud. |
| IPRejectedByNetwork25Times | The originating IP address has been rejected by one of ThreatMetrix's customers and/or partners 25 or more times on the suspicion of fraud. |
| IPRejectedByNetwork5Times | The originating IP address has been rejected by one of ThreatMetrix's customers and/or partners 5 or more times on the suspicion of fraud. |
| JavascriptDisabled | The browser used to submit this transaction has disabled JavaScript. This is common to fraud attacks and may be an indicator of misuse. |
| KnownVPNISP | This transaction was submitted through a known Virtual Private Network (VPN), a method that is sometimes employed when trying to cloak one's identity. |
| MalwareDetectedOnDevice | The originating device appears to have been infected with malware. |
| OpenProxy | This transaction was submitted through an open web proxy, a method that is sometimes employed when trying to cloak one's identity. |
| PaymentCardBINShippingAddressGeolocationMismatch | The customer's ship-to address country does not match that of the payment card's issuing bank. This may be an indicator of a fraud attack. |
| PaymentCardBINTrueIPGeolocationMismatch | The geolocation of the True IP address does not match that of the payment card's issuing bank. This may be an indicator of a fraud attack. |
| PaymentCardDistanceTraveled | This payment card has been associated with transactions originating from locations at least 1,000 miles apart in the last hour. This is a red flag and warrants caution. |
| PaymentCardOnThreatMetrixGlobalBlacklist | This payment card is on the ThreatMetrix global blacklist. |
| PaymentCardRejectedByNetworkInLastWeek | A transaction using this payment card has been rejected by one of ThreatMetrix's customers and/or partners in the last week on the suspicion of fraud. |
| PhoneNumberOnLocalBlacklist | The customer telephone number for this transaction is on Worldpay's ThreatMetrix-hosted blacklist. |
| PhoneNumberOnLocalWhitelist | The customer telephone number for this transaction is on Worldpay's ThreatMetrix-hosted whitelist. |
| PossibleCookieWipingDay | The user appears to have cleared his or her browser's cookies 3 or more times in the last day. This is common to fraud attacks and may be an indicator of misuse. |
| PossibleCookieWipingHour | The user appears to have cleared his or her browser's cookies 3 or more times in the last hour. This is common to fraud attacks and may be an indicator of misuse. |
| PossibleCookieWipingWeek | The user appears to have cleared his or her browser's cookies 3 or more times in the last week. This is common to fraud attacks and may be an indicator of misuse. |
| PossibleVPNOrTunnel | This transaction may have been submitted through a Virtual Private Network (VPN), a method that is sometimes employed when trying to cloak one's identity. |
| PossibleVPNConnection | This transaction may have been submitted through a Virtual Private Network (VPN), a method that is sometimes employed when trying to cloak one's identity. |
| PotentialVirtualMachine | This transaction may have been submitted using a Virtual Machine, a method that is sometimes employed when trying to cloak one's identity. |
| ProxyHasNegativeReputation | The originating IP proxy is a potential threat based upon an analysis of its activity across the ThreatMetrix network. |
| ProxyIPHasNegativeReputation | The originating IP address is a potential threat based upon analysis of its activity across the ThreatMetrix network. |
| ProxyIPOnLocalBlacklist | The originating proxy IP address is on Worldpay's ThreatMetrix-hosted blacklist. |
| ProxyIPOnLocalWhitelist | The originating proxy IP address is on Worldpay's ThreatMetrix-hosted whitelist. |
| ProxyIPOnThreatMetrixGlobalBlacklist | The originating proxy IP address is on the ThreatMetrix global blacklist. |
| SatelliteISP | This transaction was submitted through a Satellite Internet Service Provider, a method that is sometimes employed when trying to cloak one's identity. |
| SatelliteProxyISP | This transaction was submitted through a Satellite Proxy Internet Service Provider, a method that is sometimes employed when trying to cloak one's identity. |
| SessionAnomaly | Characteristics of the originating device appear to have been modified during the course of the user's web session. This is atypical and may indicate misuse. |
| ShippingAddressTrueIPGeolocationMismatch | The shipping address country does not match that of the True IP address. This may be an indicator of a package redirection/interception/forwarding or re-shipping fraudster attack. |
| SuspectedSessionCloaking | The characteristics of the originating browser are consistent with common fraud attacks, and may be an indicator of a fraudster's deliberate attempt to cloak his or her identity. |
| SuspectedTORNetwork | This transaction appears to have originated from a TOR network, a common source of fraud attacks. |
| SystemStateAnomaly | The system state of the originating device has changed two or more times within the past hour. This is atypical and may indicate misuse. |
| TimeZoneTrueGeolocationMismatch | The time zone setting on the originating device does not match the true geolocation of the customer. This is atypical and may be an indicator of misuse. |
| TransparentProxy | This transaction was submitted through a transparent web proxy, a method that is most often used in corporate environments, though also employed when trying to cloak one's identity. |
| TrueIPDNSGeolocationMismatch | The geolocation of the True IP address does not match that of the DNS provider. This may be an indicator of a fraudster's attempt to cloak his or her identity. |
| TrueIPHasNegativeReputation | The originating IP address is a potential threat based upon analysis of its activity across the ThreatMetrix network. |
| TrueIPOnLocalBlacklist | The originating true IP address is on Worldpay's ThreatMetrix-hosted blacklist. |
| TrueIPOnLocalWhitelist | The originating true IP address is on Worldpay's ThreatMetrix-hosted whitelist. |
| TrueIPOnThreatMetrixGlobalBlacklist | The originating true IP address is on the ThreatMetrix global blacklist. |
| TrueIPProxyIPCityMismatch | The city of the True IP address does not match that of the Proxy IP address. This may be an indicator of a fraudster's attempt to cloak his or her identity. |
| TrueIPProxyIPGeolocationMismatch | The geolocation of the True IP address does not match that of the Proxy IP address. This may be an indicator of a fraudster's attempt to cloak his or her identity. |
| TrueIPProxyIPISPMismatch | The Internet Service Provider of the True IP address does not match that of the Proxy IP address. This may be an indicator of a fraudster's attempt to cloak his or her identity. |
| TrueIPProxyIPOrganizationMismatch | The organization of the True IP address does not match that of the Proxy IP address. This may be an indicator of a fraudster's attempt to cloak his or her identity. |
| TrueIPProxyIPRegionMismatch | The region of the True IP address does not match that of the Proxy IP address. This may be an indicator of a fraudster's attempt to cloak his or her identity. |
| TrueIPRejectedByNetwork10TimesInLastDay | The originating IP address has been rejected by one of ThreatMetrix's customers and/or partners 10 or more times in the last day on the suspicion of fraud. |
| TrueIPRejectedByNetworkInLastWeek | The originating true IP has been rejected by one of ThreatMetrix's customers and/or partners in the last week on the suspicion of fraud. |
| UnusualProxyAttributes | The web proxy used to submit the transaction has unusual attributes (e.g. dialup), which may indicate an attempt to cloak one's identity. |