Understanding behavioral data signals with Device Intelligence

Behavioral biometrics and device intelligence are advanced techniques that analyze unique user behavior patterns and device characteristics, playing a crucial role in modern fraud prevention. By monitoring how users interact with digital platforms, SEON can identify potentially fraudulent activities and mitigate unauthorized access attempts.
SEON integrates behavioral data signals into its Device Intelligence solution, enhancing security measures across various platforms, including web (via JavaScript SDK) and native Android and iOS apps. This comprehensive approach to monitoring helps ensure more robust fraud detection across an even larger variety of applications.

Understanding behavioral analysis

SEON's SDKs (for web, Android, and iOS) use a multi-layered approach to detect potential fraud by analyzing a combination of user interaction data, input patterns, sensor data, and device characteristics. These signals allow SEON to monitor and understand user behaviors in real time, flagging deviations that could indicate fraudulent or automated activities. Our SDKs can continuously collect and process this data during user sessions, providing valuable insights into security risks posed by unusual behavior patterns. These are the key areas of analysis:

Interaction analysis

• User behavior monitoring: Our SDKs capture how users interact with the interface, whether on the web (via mouse movements) or mobile (via touch gestures). For example, abnormal patterns like erratic mouse movement or inconsistent gesture paths and tapping may signal fraudulent or suspicious activity like remote access and automation.
• Form interactions: Monitors how users complete forms, including the time taken to fill out fields and any edits made. Rapid and inconsistent form completion could indicate automated form-filling.

Input analysis

• Typing and tapping patterns: Our SDKs analyze keystroke dynamics (web) or tapping patterns (mobile) to assess whether user input follows typical human behaviors. Unusual typing speed, irregular keypress durations, or suspicious touch inputs (such as inconsistent tap pressures) could be signs of bot activity or other fraudulent behavior.
• Autofill and paste detection: Identifies instances where users paste data into forms or rely on browser autofill rather than manually entering information, which may suggest automation.

Sensor analysis

• Motion sensors and environmental data: Leverage built-in device sensors (e.g., accelerometer, gyroscope) to detect irregularities in how the device is physically handled. For instance, unusually stable or erratic motion could suggest that the device is not being used by a human or that it's part of an automated device farm, depending on the support of the browser environment.

Device characteristics

• Device metadata collection: SEON’s SDKs also analyze key device characteristics—such as operating system, hardware specifications, and network details—to identify anomalies that may be linked to fraudulent setups like emulators, proxies, or virtual machines.
• Environment analysis: By comparing device and environment details (e.g., IP addresses, location, and time zones), our SDKs can detect potential signs of fraud, such as devices operating in simulated environments or under suspicious conditions.

JavaScript SDK for web applications

Our JavaScript SDK enhances fraud detection on web applications by analyzing user interactions such as form fill-out patterns, mouse movement, and keystroke dynamics. SEON uses this data to dynamically generate "suspicious flags" and detect anomalies in real time.

Suspicious flags in JavaScript SDK

• "suspicious_keypress_characteristics": Analyzes typing patterns such as keypress durations and typing rhythms to detect abnormal behaviors.
• "suspicious_mouse_movement": Indicates that automation tools or scripts may be controlling the device.
• "suspicious_form_fillout": Monitors how users fill out forms, including the time taken to complete each field, the sequence of completion, and corrections made during input.
• "paste_used": Indicates the use of paste on the targeted input elements
• "autofill_used":  Indicates the use of autofill on the targeted input elements

Integration summary for JavaScript SDK

For optimal results in a web environment, we recommend integrating SEON’s behavior analysis on pages where significant user interactions occur, such as login or registration forms, multi-step registration processes, checkout pages, and similar high-activity areas. Implementing seon.init() on-page load and capturing the session using getSession() upon form, submission ensures that sufficient data is gathered for thorough behavioral analysis. Without this type of integration, the SDK may not collect enough data, potentially leading to incomplete analysis or inconsistent results, which could affect the accuracy of fraud detection.

The JavaScript SDK allows developers to customize behavioral data collection by targeting specific UI elements. This can be set using the behavioralDataCollection configuration option, enabling focused monitoring of key user inputs for better fraud detection. Available from 6.0.0.

For detailed integration steps, refer to the SEON JavaScript SDK GitHub documentation.

Android SDK for native Android apps

Behavior Monitoring in the Android SDK enables real-time detection of suspicious user behavior. It collects session data and flags unusual activities such as bot usage, device farms, or voice phishing (vishing) attempts.

Suspicious flags in Android SDK

• "possible_automation": Indicates that automation tools or scripts may be controlling the device.
• "possible_device_farm": Suggests that the device is part of a device farm used for fraudulent activities.
• "possible_vishing" Flags potential voice phishing activity in which the user might be coerced into providing sensitive information.
• "possible_ongoing_call": Flags ongoing phone calls when  READ_PHONE_STATE permission is not granted. This best-effort flag helps detect calls without needing permissions.

Integration summary for Android SDK

For optimal performance in Android applications, we recommend integrating the startBehaviourMonitoring and stopBehaviourMonitoring methods into specific user flows where active user interactions occur, such as login processes, account registration, or payment and checkout screens. Initiating startBehaviourMonitoring when users begin these interactions and stopping it with stopBehaviourMonitoring once the process is complete ensures that the SDK gathers sufficient data for accurate behavioral analysis. Without this targeted integration, the SDK may not capture enough data, which could lead to incomplete analysis or inconsistent results, potentially affecting the precision of fraud detection.

If stopBehaviourMonitoring is called without a corresponding startBehaviourMonitoring, the SDK throws a BehaviouralMonitoringException to ensure proper monitoring flow.

To integrate the Android SDK, ensure you are using version 6.5.0 or later. Call startBehaviourMonitoring and stopBehaviourMonitoring to track suspicious behavior in the app, and pass the session string to SEON’s Fraud API. Suspicious flags will appear in the suspicious_flags field of the API response.

For detailed setup instructions, refer to the SEON Android SDK GitHub documentation.

iOS SDK for native iOS apps

Our SEON iOS SDK brings behavioral monitoring to native iOS applications, allowing the detection of fraudulent user behaviors during app sessions. It collects user interaction data and flags anomalies such as bot activity, device farms, or vishing attempts.

Suspicious flags in iOS SDK

• "possible_automation": Detects signs of automation tools or scripts controlling the device.
• "possible_device_farm": Flags when the device might be part of a device farm used for fraud.
• "possible_vishing": Identifies possible voice phishing activity in which users might be under external pressure to disclose sensitive information.

Integration summary for iOS SDK

For best results in iOS applications, we suggest using the startBehaviourMonitoring and stopBehaviourMonitoring methods during key user flows where active interactions take place, such as logging in, registering for an account, or completing a purchase. Start behavior monitoring with startBehaviourMonitoring when these activities begin and stop it using stopBehaviourMonitoring once the interaction ends. This approach ensures that the SDK collects sufficient data for a thorough behavioral analysis. Without this targeted integration, the SDK may lack the necessary data, leading to incomplete analysis or inconsistent results, which could impact the effectiveness of fraud detection.

To integrate the iOS SDK, use version 5.4.0 or later. Start and stop behavior monitoring by using startBehaviourMonitoring and stopBehaviourMonitoring, and pass the session string to SEON’s Fraud API. The suspicious_flags field in the API response will reflect potential fraud risks.

For detailed integration steps, refer to the SEON iOS SDK GitHub documentation.

In SEON’s scoring engine, suspicious behavior signals are reflected in the suspicious_flags field. Developers can set up custom rules to evaluate transactions based on these signals.

Rule example:

suspicious_flags contains “suspicious_form_fillout

The available flags across platforms include:

For web:

• suspicious_keypress_characteristics
• suspicious_mouse_movement
• suspicious_form_fillout
• paste_used
• autofill_used

For mobile apps:

• possible_automation
• possible_device_farm
• possible_vishing
• possible_ongoing_call (Android only)

This unified approach enables a consistent fraud detection framework across web and mobile environments.

SEON’s behavioral data signals and device intelligence solution provide a robust framework for detecting fraudulent activity across web and mobile platforms. By analyzing user interactions, input patterns, sensor data, and device characteristics, SEON's SDKs can identify suspicious behaviors in real time, flagging potentially fraudulent activities before they escalate. The real-time generation of suspicious flags—whether on web applications or native Android and iOS apps—allows for proactive fraud detection and mitigation.

The suspicious flags generated by SEON’s SDKs are particularly effective in catching a variety of fraud cases, including but not limited to:

1. Bot and automation attacks

Automation tools and bots are frequently used in fraud schemes to mimic legitimate user behavior, such as mass account creation, credential stuffing, or automated form submissions. SEON’s SDK can detect:

• Suspicious mouse movements: Abnormal interaction patterns, such as rapid or unnatural mouse movements, are flagged as possible bot behavior.
• Suspicious keypress characteristics: Irregular keystrokes, inconsistent typing speeds, or unusual input patterns help identify automated scripts or bots attempting to simulate human behavior.
• Suspicious form fill-out and paste used: Automation is further highlighted when bots paste information or rapidly fill out forms in a way that deviates from human patterns.
• Possible automation: Detects signs of automation tools or scripts controlling the device.

2. Device farms and virtual device fraud

Device farms are large networks of devices or virtual environments used for fraudulent activities, such as ad fraud, synthetic identity fraud, or mass account takeovers. SEON’s SDK helps detect these environments through:

• Possible device farm: SEON’s SDK flags devices with environmental or interaction characteristics consistent with those used in device farms, such as stable motion patterns, identical device configurations, or unusual IP and network behavior.
• Device characteristic anomalies: Detecting virtual machines, emulators, or inconsistencies between the device’s reported specifications and actual usage helps identify devices running in simulated environments.

3. Phishing and social engineering (vishing)

Voice phishing (vishing) and other forms of social engineering attacks rely on coercing users into performing specific actions, such as sharing sensitive data or initiating unauthorized transactions. SEON’s SDK detects:

• Possible vishing: By monitoring interaction patterns and sensor data, SEON can flag situations where a user’s behavior deviates due to external pressure, such as input hesitations or abnormal tapping/typing during sensitive interactions.

4. Account takeover

Fraudsters often use stolen credentials to take over accounts or carry out credential-stuffing attacks (repeated attempts to log in using lists of leaked username-password combinations). SEON’s SDK detects:

• Suspicious typing or input patterns: Unusual typing behaviors during login, such as erratic pauses between key presses, can indicate the use of compromised credentials or automated tools.
• Autofill and paste usage: Frequent use of paste or autofill during login can suggest that the user is copying credentials from a list, indicating a potential account takeover attempt.

5. Synthetic identity and fake account creation

Fraudsters often create synthetic identities by combining real and fake information to open fraudulent accounts or engage in illegal transactions. SEON’s behavioral monitoring helps detect:

• Suspicious form fill-out patterns: Automated or suspiciously fast form completions can flag fake account creation attempts, where bots fill in fields rapidly and consistently across multiple registrations.
• Suspicious touch or typing patterns: Irregular interactions during the account creation process can further indicate that fraudulent or synthetic identities are being registered.

6. Fraudulent transactions and payment fraud

When fraudsters attempt unauthorized transactions, they may exhibit abnormal behavior during sensitive financial interactions. SEON’s SDK can detect:

• Suspicious behavior during key transaction points: Monitoring how users interact during critical moments, such as entering payment details and flagging inconsistencies in their behavior (e.g., rushed typing or erratic touch input), can help identify fraudulent payment attempts.

7. Identity theft and unauthorized access

Identity theft involves fraudsters gaining unauthorized access to user accounts or personal information. SEON helps detect unauthorized access by:

• Environmental and device anomalies: Unusual device or environment details (e.g., accessing an account from a new device or location) coupled with suspicious behavior signals further strengthen fraud detection.

By leveraging SEON's multi-layered approach—combining user interaction monitoring, input analysis, device characteristics, and sensor data—businesses can detect and mitigate a wide range of fraud cases in real time. Whether preventing automated attacks, detecting phishing attempts, or identifying device farms, SEON’s behavioral data signals provide robust protection across various platforms.

For developers, integrating SEON's SDKs (JavaScript, Android, and iOS) into web and mobile applications offers advanced fraud detection capabilities that are easy to customize and implement, enabling stronger security for users and transactions alike.