Skip to main content
Version: v6

Understanding risk assessments

Risk assessment types

Incognia's risk assessments are always one of the three results below:

  • high_risk: Incognia deems the action (e.g. signup, login) performed by the device to be potentially fraudulent, and advises you to take preventive actions for the given action;
  • low_risk: Incognia considers this action performed by the device to be safe to accept;
  • unknown_risk: Incognia is unable to provide a precise assessment at the time of the request.
important
Subsequent requests for the same action and/or device may result in different assessments depending on the time passed since Incognia's algorithms improve over time.

Risk assessment reasons

Incognia's risk assessment is explained by a list of reasons, which describes what heuristics contributed to that judgment. Each reason is an object with the following fields:

Reason fieldDescriptionType
codeThe code that identifies the reason.enum (see Understanding assessment reason codes)
sourceThe source of the data that was used for the computation of the risk assessment associated with this reason.enum (see Understanding assessment reason sources)

Understanding assessment reason codes

The reason code identifies different heuristics that contribute to a given risk assessment. The following table contains all possible reason codes. It describes their associated risk, their meaning, in which use cases each reason is applicable, and whether their source can be global (see Understanding assessment reason sources). When the reason source is global, it can be factored in the computation of risk assessments in use cases other than those specified below.

warning
Some of these codes might not be enabled for your organization.
CodeRisk assessmentDescriptionUse casesCan be global?
address_verificationhigh_riskNo reliable events were found near the informed address.OnboardingNo
address_verificationlow_riskReliable events were found near the informed address.OnboardingNo
multiple_address_citieshigh_riskMultiple declared addresses containing different cities in the last few days.OnboardingNo
multiple_address_streetshigh_riskMultiple declared addresses containing different street names in the last few days.OnboardingNo
multiple_address_zip_codeshigh_riskMultiple declared addresses containing different zip codes in the last few days.OnboardingNo
high_density_locationhigh_riskThe device has been at a high-density location.LoginNo
multi_device_accounthigh_riskThe account was accessed by multiple devices in the last few days.LoginNo
recent_high_risk_accounthigh_riskThe account is locked for logins from new devices.LoginNo
trusted_locationhigh_riskThe device is far from a trusted location.LoginNo
trusted_locationlow_riskThe device is near a trusted location.LoginNo
machine_learning_modelhigh_riskThe model classified the transaction as suspicious.Login / PaymentNo
machine_learning_modellow_riskThe model classified the transaction as allowed.Login / PaymentNo
device_integrityhigh_riskThe device has integrity issues.AllNo
device_integritylow_riskThe device does not have integrity issues.AllNo
multiple_accountshigh_riskMultiple accounts were accessed by this device in the last few days.AllNo
multiple_installationshigh_riskThe application was reinstalled multiple times on this device in the last few days.AllNo
sdk_tamperinghigh_riskThe device is associated with tampered requests, i.e, with data that does not match the cryptographic signature.AllNo
account_takeoverhigh_riskThe device is associated with an account takeover feedback.LoginYes
chargebackhigh_riskThe device is associated with a feedback of a chargeback issued by the credit card acquirer for the account.PaymentYes
chargeback_notificationhigh_riskThe device is associated with a feedback of a chargeback issued by an external provider for the account.PaymentYes
device_linked_to_mpos_fraudhigh_riskThe device is associated with an mPOS fraud feedback for another device.Login / PaymentYes
environment_linked_to_mpos_fraudhigh_riskThe device has been in an environment associated with an mPOS fraud feedback.LoginYes
mpos_fraudhigh_riskThe device is associated with an mPOS fraud feedback.Login / PaymentYes
identity_fraudhigh_riskThe device is associated with an identity fraud feedback.Onboarding / LoginYes
signup_declinedhigh_riskThe device is associated with a declined signup feedback.OnboardingYes
reporthigh_riskThe device is associated with a feedback of bad behavior that was received prior to the reasons field being available.AllYes
verifiedlow_riskThe device is associated with a feedback that the account is legitimate.Onboarding / LoginYes

Understanding assessment reason sources

The data used to compute the heuristics of each reason can come from the following sources:

SourceDescription
localData from the devices and feedbacks in your organization.
globalData from the devices and feedbacks across Incognia's network.

Risk assessment evidence

Incognia's risk assessments are supported by evidence. It is returned as an object where each field contains an evidence that was considered in the assessment's computation. Note that some evidence is applicable to all use cases, while others are only relevant for specific use cases, e.g. since chargeback is a payment-related procedure, all chargeback evidence is only considered during the computation of payment assessments.

warning
When parsing API responses, you should consider all evidence optional. New evidence can be added at any time, so consider parsing each evidence field as a generic JSON object, unless you are using a specific field for making a decision.

The table below describes possible evidence fields, their meaning, and which use cases they impact.

Evidence fieldDescriptionTypeUse Cases
device_modelModel of the device used to perform the given action.stringAll
location_events_quantityAmount of recent location events associated with the device.integerAll
location_servicesWhether or not the device has enabled location gathering, withlocation_permissions_enabled , and the location sensors, withlocation_sensors_enabled.object with boolean flagsAll
device_integrityIndicates if the device is probably rooted (probable_root ), if an emulator has been used (emulator), if GPS data is being faked (gps_spoofing ), and if your app was downloaded from official stores (from_official_store).object with boolean flagsAll
geocode_qualityIndicates if a declared address was able to be successfully geocoded by Incognia.enum (good, poor)Onboarding / Payment
address_qualityIndicates if the address declared by the user matches a real address.enum (good, medium, poor)Onboarding / Payment
address_matchIndicates how well the declared address matches with the users' previous locations.enum (see Understanding address match)Onboarding / Payment
location_events_near_addressAmount of location events near the declared address.integerOnboarding / Payment
chargeback_rate_near_150_metersIndicates the ratio between the total number of payment transactions and the total number of chargebacks up to 150 meters away from the declared address.doublePayment
chargeback_rate_near_1500_metersIndicates the ratio between the total number of payment transactions and the total number of chargebacks up to 1500 meters away from the declared address.doublePayment
chargeback_rate_near_5000_metersIndicates the ratio between the total number of payment transactions and the total number of chargebacks up to 5000 meters away from the declared address.doublePayment
device_transaction_sumIndicates the total sum of values in payment transactions reported by the customer in that given device, grouped by currency code (ISO 4217).doublePayment
device_fraud_reputationIndicates if the device appears in any kind of watchlist or allowlist built with client reports.enum (unknown, confirmed_fraud, allowedAll
device_behavior_reputationIndicates if the device appears in a dynamic allowlist or watchlist built by Incognia's models.enum (unknown ,allowed, suspect )All
activity_evidenceDatetimes indicating the device's first and last locations known by Incognia near this address (first_known_address_activityand last_known_address_activity) and the first assessment made by Incognia for this sign up (first_addres_verification )object with datetimesOnboarding
known_accountWhether we have information about this Account ID provided via Feedback APIbooleanLogin / Payment
distance_to_trusted_locationDistance between the device's current location to it's past frequent locations.doubleLogin / Payment
last_location_tsDate and time of the last location event associated with the device.datetimeLogin / Payment
sensor_match_typeIndicates which type of matching strategy was used to produce a result.enum (see Understanding sensor match types )Login / Payment
accessed_accountsIndicates the number of accounts accessed on the device in the last 30 days.integerAll
app_reinstallationsIndicates the number of application reinstallations done on the device in the last 30 days.integerAll
different_declared_addressesIndicates the number of different declared addresses by street level in the given organization apps in the last 30 days.integerOnboarding
account_integrityIndicates if the account received a high_risk assessment in the last 30 minutes (recent_high_risk_assessment) and how many milliseconds remain before this assessment is considered stale (risk_window_remaining).objectLogin
first_device_loginIndicates if this is the first time that we associate the given device with the given account.booleanLogin / Payment
first_device_login_atDate and time indicating when we have associated the given device with the given account. If the first_device_login field is true, this field will be omitted.datetimeLogin / Payment
distance_from_nearest_location_to_declared_addressDistance between the nearest location to the declared addressdoubleOnboarding
distance_from_last_location_to_declared_addressDistance between the last location to the declared addressdoubleOnboarding

Understanding sensor match types

Match typeDescription
gpsWhen Incognia is able to perform comparisons by GPS data.
wifi_scanWhen Incognia is able to perform comparisons by Wi-Fi sensors but no matching connected networks are found.
wifi_connectionWhen Incognia is able to perform comparisons by connected Wi-Fi networks.

Understanding address match

The match is done by comparing the address provided with Incognia's location database for the user in this order, from worst to best, the matching stops at the last successful match level.

  1. postal_code
  2. country
  3. state
  4. city
  5. neighborhood
  6. street
  7. number