Smart Signals Overview
Fingerprint is not just an identity platform but also helps fight fraud by providing actionable device intelligence called Smart Signals. Read on to get basic understanding of individual Smart Signal components and its applications.
Setup and Usage
Typical integration into a project consists of those steps:
- Add the JavaScript agent on the frontend part of your web application. If you are an existing customer and already deployed Fingerprint, you can skip this step.
- Get the
requestIdfrom the JavaScript agent response and pass it to your server. - Call GET /events endpoint from your server-side environment to retrieve the Smart Signals in the API response.
- Use the information about fraud in your business logic.
Availability
Because Smart Signals are focused on fraud detection, we only made them available through our Server API, Webhooks, and Sealed Client Results so we can ensure that you receive those results unaltered.
Smart Signals are available in our Pro Plus and Enterprise plans. If you are an Enterprise plan customer interested in one or more of these signals, then please contact our support team to enable them for you. Signing up for an Enterprise plan does not automatically enable these signals.
Suspect Score
Suspect Score combines all Smart Signals into a weighted integer value based on their global probability. You can read more about the weights and the mechanisms behind Suspect Score in a dedicated section.
"suspectScore": {
"data": {
"result": 0
}
}
Browser Smart Signals
Each individual Smart Signal contributes with a unique piece of information about the device. Most of our Smart Signals are independent from the source of the request (browser vs. native mobile application) but there are some signals that are not available if the data was collected through our official mobile SDKs.
See the tags under each title or our Smart Signals Cheat Sheet to determine whether you should expect to see the Smart Signal output in Server API and Webhooks based on its source.
Browser Bot Detection
Get information about good and bad bots allowing to block or filter them from your regular traffic and stop automated abuse attempts.
The bot.result field contains one of notDetected, bad or good values where
notDetectedmeans that we haven't detected a bot and the payload should belong to a regular visitorgoodindicates that the bot is a well-known web crawler or other search engine botbadis an automated tool that doesn't have legitimate uses and assumes fraudulent activity
"botd": {
"data": {
"bot": {
"result": "bad",
"type": "headless"
},
"url": "https://example.com/",
"ip": "193.165.141.254",
"time": "2024-04-12T09:29:59.588Z",
"userAgent": "Headless",
"requestId": "1712914199539.K1EXmu"
}
}
"botd": {
"data": {
"bot": {
"result": "notDetected"
},
"url": "https://example.com/",
"ip": "94.142.239.124",
"time": "2023-08-29T21:48:17.351Z",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36",
"requestId": "1693345697334.YKOdT5"
}
}
Browser Incognito Detection
Detects incognito mode in major browsers. It provides additional information about the visitor that might suggest they are trying to hide their identity.
"incognito": {
"data": {
"result": true
}
}
"incognito": {
"data": {
"result": false
}
}
IP Geolocation
Provides information about the physical location of the originating IP address.
We deploy several mechanisms to detect the IP address of the original client which allows us to correctly determine visitor's location, even when using anonymizing tools. The geolocation field then shows the estimated physical location of the client.
The asn and datacenter field can be used to group ranges of IP addresses that belong to the same owner to apply protection rules against a whole block of IP addresses. They could also indicate that the visitor connects through an intermediate server instead of connecting through an ISP directly.
"ipInfo": {
"data": {
"v4": {
"address": "94.142.239.124",
"geolocation": {
"accuracyRadius": 20,
"latitude": 50.05,
"longitude": 14.4,
"postalCode": "150 00",
"timezone": "Europe/Prague",
"city": {
"name": "Prague"
},
"country": {
"code": "CZ",
"name": "Czechia"
},
"continent": {
"code": "EU",
"name": "Europe"
},
"subdivisions": [
{
"isoCode": "10",
"name": "Prague"
}
]
},
"asn": {
"asn": "7922",
"name": "COMCAST-7922",
"network": "73.136.0.0/13"
},
"datacenter": {
"result": true,
"name": "DediPath"
}
},
"v6": {
"address": "::ffff:5e8e:ef7c",
"geolocation": {
"accuracyRadius": 20,
"latitude": 50.05,
"longitude": 14.4,
"postalCode": "150 00",
"timezone": "Europe/Prague",
"city": {
"name": "Prague"
},
"country": {
"code": "CZ",
"name": "Czechia"
},
"continent": {
"code": "EU",
"name": "Europe"
},
"subdivisions": [
{
"isoCode": "10",
"name": "Prague"
}
]
},
"asn": {
"asn": "7922",
"name": "COMCAST-7922",
"network": "::ffff:5e8e:ef7c/110"
},
"datacenter": {
"result": true,
"name": "DediPath"
}
}
}
}
VPN Detection for browsers
Fingerprint's VPN detection is capable of detecting whether the user is in a different timezone compared to their originating IP address (timezoneMismatch field). It can also provide information about whether an IP address has been known to belong to one of the public VPN providers through the publicVPN field.
If either of those detection methods return positive results, we return the final result as true.
"vpn": {
"data": {
"result": true,
"originTimezone": "Europe/Prague",
"originCountry": "unknown" // Not yet supported for browsers
"methods": {
"timezoneMismatch": true,
"publicVPN": true,
"auxiliaryMobile": false // Irrelevant for browsers, mobile SDKs only
}
}
"vpn": {
"data": {
"result": false,
"originTimezone": "Europe/Prague",
"originCountry": "unknown" // Not yet supported for browsers
"methods": {
"timezoneMismatch": false,
"publicVPN": false,
"auxiliaryMobile": false // Irrelevant for browsers, mobile SDKs only
}
}
result
resulttrueif we detect a VPN through eithertimezoneMismatchorpublicVPNmethods. The field can be used as a standalone flag for VPN detection. Alternatively, fields in themethodssection (documented below) can be used in specific use-cases to improve the granularity of the detectionfalseif none of themethodsbelow returned a positive result
originTimezone
originTimezoneThis field exposes the timezone that is available through the system settings. Since the presence of VPN does not affect the value of this field, it can be used as a true timezone of origin (physical location) of the user.
- Example:
originTimezone: "Europe/Prague"
originCountry
originCountryThis field is populated only when the request came from our iOS and Android native SDKs and is always set to "unknown" for browsers. See the detailed description in VPN Detection for mobile devices .
methods
methodsMore granular VPN detection methods that contribute to the final VPN detection result.
timezoneMismatch
timezoneMismatchtruewhen we detect that the geolocated IP address of the device does not matchoriginTimezoneread from the system settingsfalsewhenoriginTimezonematches the location of the IP address from which we receive the traffic
publicVPN
publicVPNDetects whether the IP address of the event matches any publicly known VPN providers like NordVPN, Surfshark , ExpressVPN, ProtonVPN and others.
truewhen our database of public VPN provider IP addresses contains the IP address of the eventfalseif we did not find a match in our public VPN provider database
auxiliaryMobile
auxiliaryMobileThis field is populated only when the request came from our iOS and Android native SDKs and is always set to false for browsers. See the detailed description in VPN Detection for mobile devices .
Browser Tamper Detection
There are very simple techniques to confuse less sophisticated fingerprinting algorithms through User Agent spoofing or trying to change the output of selected signals that are collected from the browser.
While our visitorID remains stable in those cases, tampering detection helps detect this behavior and flag visitors that have tried applying such techniques by comparing their browser signature to our statistical model.
The output of this model is captured as anomalyScore, a number indicating how improbable is the signature of the visitor's browser. Values close to 1 signify highly anomalous browsers and we consider anything above the threshold of 0.5 to be actionable (the result field conveniently captures that fact).
"tampering": {
"data": {
"result": true,
"anomalyScore": 0.97 // close to 1 = high level of confidence
}
}
"tampering": {
"data": {
"result": false,
"anomalyScore": 0
}
}
Virtual Machine Detection
Detects if the browser is running inside a virtualization software like VirtualBox by examining the browser configuration.
"virtualMachine": {
"data": {
"result": true
}
}
"virtualMachine": {
"data": {
"result": false
}
}
Privacy-Focused Settings
Firefox, Brave, and other privacy focused browsers actively fight fingerprinting and expose user settings that have the ability to randomize and obfuscate signal output. Privacy-focused settings Smart Signal detects if those settings are enabled and reports it.
"privacySettings": {
"data": {
"result": true
}
}
"privacySettings": {
"data": {
"result": false
}
}
IP Blocklist Matching
Block IP addresses based on their presence in different public and proprietary blocklists.
The feature uses a combination of our and vendor IP databases to determine whether
- The IP address is a known tor exit node (
torpayload) - The IP address has been part of a network attack or email spam attack (
ipBlocklist.detailspayload) - The IP address belongs to a public proxy provider (
proxypayload)
torandproxypayloads do not utilize active Tor or proxy detection mechanisms.
"ipBlocklist": {
"data": {
"result": false,
"details": {
"emailSpam": false,
"attackSource": false
}
}
}
"tor": {
"data": {
"result": false
}
}
"proxy": {
"data": {
"result": false
}
}
High-Activity Device
High-Activity Device searches for spikes in traffic connected to a single visitorID. It computes the amount of visits in the past 24 hours for each visitorID every five minutes and reports data.result as true if the number of visits for the past 24 hours surpasses a threshold.
High-Activity Device Threshold
The threshold is calculated for each customer separately and is determined through a normal traffic distribution. If the returned visitorID does more requests than 98% of other daily visitors, the High-Activity Smart Signal returns a positive result. If the traffic doesn't pass the threshold, data.result returns false and dailyRequests field isn't provided.
"highActivity": {
"data": {
"result": true,
"dailyRequests": 42
}
}
"highActivity": {
"data": {
"result": false
}
}
Raw Device Attributes
Raw Device Attributes exposes additional data points we normally collect through our JavaScript agent.
Format Stability
Raw Device Attributes contents can change at any time in the future (includes complete scoped field removal) and we advise against setting dependencies on concrete field names inside of the
datafield.
"rawDeviceAttributes": {
"data": {
"<field_name>": {
"value": 127
}
}
Smart Signals for mobile devices
The smart signals listed below are applicable only to mobile devices. These signals provide valuable intelligence about the integrity of the device as well as the app. These smart signals are available as part of our Pro Plus and Enterprise plans. If you are interested in one or more of these signals, then please contact our support team to enable them for you.
When your app is integrated with Fingerprint (using either our native mobile SDKs or our multi-platform SDKs), you will start receiving these signals as part of our Server API and/or Webhooks responses.
Android Emulator Detection
Prevent spam and protect against nefarious Android emulator farms by ensuring the request is coming from a physical device. To detect emulators, several additional device attributes have to be collected and this increases the time to get a visitorId. The latency can be anywhere between 300 and 1500ms.
"emulator": {
"data": {
"result": false
}
}
Android Tamper Detection
Ensure a safe Android mobile application environment by detecting rooted devices.
"rootApps": {
"data": {
"result": false
}
}
Cloned App Detection
Identify if a request is coming from a cloned application. Making multiple clones of an app on the same device can be used to abuse promotions and get around app restrictions. (Android only)
"clonedApp": {
"data": {
"result": false
}
}
Factory Reset Detection
Resetting a mobile device to default factory settings is a common technique that fraudsters use to pose their device as a new device and thus evade fraud detection mechanisms. With this smart signal, you will know the exact time a device was factory reset.
"factoryReset": {
"data": {
"time": "1970-01-01T00:00:00Z",
"timestamp": 0
}
}
Frida Detection
In simple terms, app hooking is a process where the behavior of a mobile app is changed by intercepting the app at runtime. Frida is a dynamic instrumentation toolkit that several tech-savvy fraudsters use to spoof an app at runtime and change its behavior. With this smart signal, you will know if Frida is being used to dynamically instrument the app.
"frida": {
"data": {
"result": false
}
}
Geolocation Spoofing Detection
Fraudsters spoof the location of their mobile devices to fool fraud detection systems. With this smart signal, you will know if the location of the mobile device has been spoofed or not. For iOS only, this signal requires the host app to be granted Location Permission.
"locationSpoofing": {
"data": {
"result": false
}
}
Jailbroken Device Detection
An iPhone or an iPad is labeled jailbroken when unauthorized modifications are made to the underlying operating system (iOS). Jailbreaking weakens a device’s built-in security features and makes it easy to steal sensitive information stored on the device. See Unauthorized modification of iOS for more information.
Fraudsters employ phishing mechanisms to trick users into installing jailbreak software on their devices and then take control of their devices. Your app (e.g. banking, e-commerce, etc) will not be able to distinguish the transactions made using jailbroken devices from those made using genuine devices. Honoring these fraudulent transactions will lead to financial losses (caused by chargeback expenses, account takeover, etc) and loss of trust among your customers.
The Jailbroken Smart Signal will help you detect if your app is being used from an iPhone/iPad that has been jailbroken and enable you to proactively act upon it.
"jailbroken": {
"data": {
"result": false
}
}
VPN Detection for mobile devices
VPN apps for mobile devices are popular with both legit users and fraudsters. These VPN apps
- Protect their users’ privacy by encrypting all their traffic
- Allow their users to remain anonymous by giving them the ability to hide their real location
The VPN Detection Smart Signal for mobile devices will help you detect if your app is being used by a mobile device with an active VPN connection.
"vpn": {
"data": {
"result": false,
"originTimezone": "Europe/Berlin",
"originCountry": "DE" // country code string in the ISO 3166 format
"methods": {
"timezoneMismatch": false,
"publicVPN": false,
"auxiliaryMobile": false
}
}
result
resultFor mobile devices, result is true when either of the three listed methods is true:
timezoneMismatch-truewhen the device is in a different timezone compared to the timezone of the originating IP address.publicVPN-truewhen the IP address matches one of the known IP addresses that belong to public VPN providers.auxiliaryMobile-truewhen other proprietary detection methods indicate the presence of a VPN.
originTimezone
originTimezoneThis field indicates the timezone that is currently set for the mobile device. In situations where a VPN is enabled, this timezone can be different from the timezone associated with the IP address.
This field is supported for both Android and iOS devices.
originCountry
originCountryThis field indicates the country in which the mobile device is currently located. In situations where a VPN is enabled, this field can be very useful to know the real location of a device.
- For Android devices, this field is populated with the origin country only when your app is integrated with SDK v2.4.0 and higher. For lower versions of the SDK, the value is set to
unknown. This field does not require Location Permissions to be enabled for your app. - For iOS devices,
originCountryis not yet supported and the value is set tounknown.
Updated 1 day ago