Understanding risk assessments
Risk assessment types
Incognia's risk assessments are always one of the three results below:
high_risk: Incognia deems the action (e.g. signup, login) performed by the device to be potentially fraudulent, and advises you to take preventive actions for the given action;
low_risk: Incognia considers this action performed by the device to be safe to accept;
unknown_risk: Incognia is unable to provide a precise assessment at the time of the request.
Risk assessment reasons
Incognia's risk assessment is explained by a list of reasons, which describes what heuristics contributed to that judgment. Each reason is an object with the following fields:
Reason field | Description | Type |
---|---|---|
code | The code that identifies the reason. | enum (see Understanding assessment reason codes) |
source | The source of the data that was used for the computation of the risk assessment associated with this reason. | enum (see Understanding assessment reason sources) |
Understanding assessment reason codes
The reason code identifies different heuristics that contribute to a given risk assessment. The following table contains all possible reason codes. It describes their associated risk, their meaning, in which use cases each reason is applicable, and whether their source can be global (see Understanding assessment reason sources). When the reason source is global, it can be factored in the computation of risk assessments in use cases other than those specified below.
Code | Risk assessment | Description | Use cases | Can be global? |
---|---|---|---|---|
address_verification | high_risk | No reliable events were found near the informed address. | Onboarding | No |
address_verification | low_risk | Reliable events were found near the informed address. | Onboarding | No |
multiple_address_cities | high_risk | Multiple declared addresses containing different cities in the last few days. | Onboarding | No |
multiple_address_streets | high_risk | Multiple declared addresses containing different street names in the last few days. | Onboarding | No |
multiple_address_zip_codes | high_risk | Multiple declared addresses containing different zip codes in the last few days. | Onboarding | No |
high_density_location | high_risk | The device has been at a high-density location. | Login | No |
multi_device_account | high_risk | The account was accessed by multiple devices in the last few days. | Login | No |
recent_high_risk_account | high_risk | The account is locked for logins from new devices. | Login | No |
trusted_location | high_risk | The device is far from a trusted location. | Login | No |
trusted_location | low_risk | The device is near a trusted location. | Login | No |
machine_learning_model | high_risk | The model classified the transaction as suspicious. | Login / Payment | No |
machine_learning_model | low_risk | The model classified the transaction as allowed. | Login / Payment | No |
device_integrity | high_risk | The device has integrity issues. | All | No |
device_integrity | low_risk | The device does not have integrity issues. | All | No |
multiple_accounts | high_risk | Multiple accounts were accessed by this device in the last few days. | All | No |
multiple_installations | high_risk | The application was reinstalled multiple times on this device in the last few days. | All | No |
sdk_tampering | high_risk | The device is associated with tampered requests, i.e., with data that does not match the cryptographic signature. | All | No |
account_takeover | high_risk | The device is associated with an account takeover feedback. | Login | Yes |
chargeback | high_risk | The device is associated with a feedback of a chargeback issued by the credit card acquirer for the account. | Payment | Yes |
chargeback_notification | high_risk | The device is associated with a feedback of a chargeback issued by an external provider for the account. | Payment | Yes |
device_linked_to_mpos_fraud | high_risk | The device is associated with an mPOS fraud feedback for another device. | Login / Payment | Yes |
environment_linked_to_mpos_fraud | high_risk | The device has been in an environment associated with an mPOS fraud feedback. | Login | Yes |
mpos_fraud | high_risk | The device is associated with an mPOS fraud feedback. | Login / Payment | Yes |
identity_fraud | high_risk | The device is associated with an identity fraud feedback. | Onboarding / Login | Yes |
signup_declined | high_risk | The device is associated with a declined signup feedback. | Onboarding | Yes |
report | high_risk | The device is associated with a feedback of bad behavior that was received prior to the reasons field being available. | All | Yes |
verified | low_risk | The device is associated with a feedback that the account is legitimate. | Onboarding / Login | Yes |
Understanding assessment reason sources
The data used to compute the heuristics of each reason can come from the following sources:
Source | Description |
---|---|
local | Data from the devices and feedbacks in your organization. |
global | Data from the devices and feedbacks across Incognia's network. |
Risk assessment evidence
Incognia's risk assessments are supported by evidence. Evidence is returned as an object where each field contains a piece of evidence that was considered in the assessment's computation. Note that some evidence is applicable to all use cases, while other evidence is only relevant for specific use cases, e.g. since chargeback is a payment-related procedure, all chargeback evidence is only considered during the computation of payment assessments.
The table below describes possible evidence fields, their meaning, and which use cases they impact.
Evidence field | Description | Type | Use Cases |
---|---|---|---|
device_model | Model of the device used to perform the given action. | string | All |
location_events_quantity | Number of recent location events associated with the device. | integer | All |
location_services | Whether or not the device has enabled location gathering, with location_permissions_enabled, and the location sensors, with location_sensors_enabled. | object with boolean flags | All |
device_integrity | Indicates if the device is probably rooted (probable_root), if an emulator has been used (emulator), if GPS data is being faked (gps_spoofing), and if your app was downloaded from official stores (from_official_store). | object with boolean flags | All |
geocode_quality | Indicates if a declared address was able to be successfully geocoded by Incognia. | enum (good, poor) | Onboarding / Payment |
address_quality | Indicates if the address declared by the user matches a real address. | enum (good, medium, poor) | Onboarding / Payment |
address_match | Indicates how well the declared address matches with the users' previous locations. | enum (see Understanding address match) | Onboarding / Payment |
location_events_near_address | Number of location events near the declared address. | integer | Onboarding / Payment |
chargeback_rate_near_150_meters | Indicates the ratio between the total number of payment transactions and the total number of chargebacks up to 150 meters away from the declared address. | double | Payment |
chargeback_rate_near_1500_meters | Indicates the ratio between the total number of payment transactions and the total number of chargebacks up to 1500 meters away from the declared address. | double | Payment |
chargeback_rate_near_5000_meters | Indicates the ratio between the total number of payment transactions and the total number of chargebacks up to 5000 meters away from the declared address. | double | Payment |
device_transaction_sum | Indicates the total sum of values in payment transactions reported by the customer in that given device, grouped by currency code (ISO 4217). | double | Payment |
device_fraud_reputation | Indicates if the device appears in any kind of watchlist or allowlist built with client reports. | enum (unknown, confirmed_fraud, allowed) | All |
device_behavior_reputation | Indicates if the device appears in a dynamic allowlist or watchlist built by Incognia's models. | enum (unknown, allowed, suspect) | All |
activity_evidence | Datetimes indicating the device's first and last locations known by Incognia near this address (first_known_address_activity and last_known_address_activity) and the first assessment made by Incognia for this sign up (first_addres_verification). | object with datetimes | Onboarding |
known_account | Whether we have information about this Account ID provided via Feedback API. | boolean | Login / Payment |
distance_to_trusted_location | Distance between the device's current location and its past frequent locations. | double | Login / Payment |
last_location_ts | Date and time of the last location event associated with the device. | datetime | Login / Payment |
sensor_match_type | Indicates which type of matching strategy was used to produce a result. | enum (see Understanding sensor match types) | Login / Payment |
accessed_accounts | Indicates the number of accounts accessed on the device in the last 30 days. | integer | All |
app_reinstallations | Indicates the number of application reinstallations done on the device in the last 30 days. | integer | All |
different_declared_addresses | Indicates the number of different declared addresses by street level in the given organization apps in the last 30 days. | integer | Onboarding |
account_integrity | Indicates if the account received a high_risk assessment in the last 30 minutes (recent_high_risk_assessment) and how many milliseconds remain before this assessment is considered stale (risk_window_remaining). | object | Login |
first_device_login | Indicates if this is the first time that we associate the given device with the given account. | boolean | Login / Payment |
first_device_login_at | Date and time indicating when we have associated the given device with the given account. If the first_device_login field is true, this field will be omitted. | datetime | Login / Payment |
distance_from_nearest_location_to_declared_address | Distance between the nearest location and the declared address. | double | Onboarding |
distance_from_last_location_to_declared_address | Distance between the last location and the declared address. | double | Onboarding |
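
The reason and evidence tables above can be turned into a server-side triage step. The sketch below is an added example, not Incognia's code: the function name `triage`, the top-level keys `risk_assessment`, `reasons` and `evidence`, the reading of "All" as onboarding, login and payment, and the deny/step_up/allow policy are all assumptions made for illustration.

```python
# Added example; the deny/step_up/allow policy and HARD_BLOCK are assumptions.
# Reason codes grouped by the use cases listed in the table ("All" is taken
# to mean onboarding, login and payment).
TABLE = [
    ("onboarding", "address_verification multiple_address_cities "
     "multiple_address_streets multiple_address_zip_codes signup_declined"),
    ("login", "high_density_location multi_device_account trusted_location "
     "recent_high_risk_account account_takeover environment_linked_to_mpos_fraud"),
    ("login payment", "machine_learning_model device_linked_to_mpos_fraud mpos_fraud"),
    ("payment", "chargeback chargeback_notification"),
    ("onboarding login", "identity_fraud verified"),
    ("onboarding login payment", "device_integrity multiple_accounts "
     "multiple_installations sdk_tampering report"),
]
USE_CASES = {c: set(u.split()) for u, cs in TABLE for c in cs.split()}
HARD_BLOCK = {"sdk_tampering", "account_takeover"}

def triage(assessment, use_case):
    """Return (action, notes) for one assessment dict and its use case."""
    risk = assessment.get("risk_assessment")
    if risk not in ("high_risk", "low_risk", "unknown_risk"):
        risk = "unknown_risk"  # unrecognized value: never treat as safe
    notes, codes = [], set()
    for reason in assessment.get("reasons", []):
        code, source = reason.get("code"), reason.get("source")
        codes.add(code)
        if code not in USE_CASES:
            notes.append(f"unlisted reason code: {code}")
        elif use_case not in USE_CASES[code] and source != "global":
            # Only global reasons may apply outside their listed use cases.
            notes.append(f"{code} ({source}) not listed for {use_case}")
    if risk != "high_risk":
        return ("allow" if risk == "low_risk" else "step_up"), notes
    # device_integrity is listed under both risks, so the evidence flags decide.
    flags = assessment.get("evidence", {}).get("device_integrity", {})
    bad = [k for k in ("probable_root", "emulator", "gps_spoofing") if flags.get(k)]
    if bad:
        notes.append("integrity flags: " + ", ".join(bad))
    return ("deny" if codes & HARD_BLOCK or bad else "step_up"), notes

# Constructed sample response (not real Incognia output).
SAMPLE = {
    "risk_assessment": "high_risk",
    "reasons": [{"code": "device_integrity", "source": "local"},
                {"code": "chargeback", "source": "global"}],
    "evidence": {"device_integrity": {"probable_root": True, "emulator": False,
                                      "gps_spoofing": False, "from_official_store": True}},
}
print(triage(SAMPLE, "login"))
```

The notes are meant for an audit log: a local reason outside its listed use case, or a code missing from the table, signals that the integration and the documentation have drifted apart.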
Understanding sensor match types
Match type | Description |
---|---|
gps | When Incognia is able to perform comparisons by GPS data. |
wifi_scan | When Incognia is able to perform comparisons by Wi-Fi sensors but no matching connected networks are found. |
wifi_connection | When Incognia is able to perform comparisons by connected Wi-Fi networks. |
Understanding address match
The match is done by comparing the address provided with Incognia's location database for the user, in the order below, from worst to best. The matching stops at the last successful match level.
postal_code
country
state
city
neighborhood
street
number