Transaction Details – Widgets

Our data enrichment APIs enhance all the data you send to SEON. You can find the results of this process in the widgets of the transaction details page. Scroll down below the Applied rules section to unlock this wealth of information.

You can easily reposition each widget to customize the Transaction Details Page in a way that fits your workflows best. 

Additionally, many elements can be used to filter the transaction list. If you click on a green filter icon that appears over a metric, a new window will open listing all transactions that match the selected filter.

Read about what you can find in the different widgets below.

Learn more: Before learning about widgets, get a high-level overview of Transaction Details.

The IP API response can be seen in the IP Information widget where all of the IP address related data relating to the selected transaction is displayed. The following information is displayed:

The Email API response can be seen in the Email Information widget where all social media and domain information for the selected transaction is displayed. 

You can see how many times the email address in question has been seen across the entire SEON database under the Lookup details, as well as how many different SEON clients encountered it.

Email Risk Scoring

The Email API response can be seen in the Email Information widget where all social media and domain information for the selected transaction is displayed. 

Our Email Risk Scoring system identifies suspicious email addresses, with the higher the score, the more risky an address is deemed to be. The score is based on the default rules, which can be reviewed in the Scoring Engine. 

Note: A score of 8 or over is considered risky. 
If a domain is identified as being Disposable then, by default, it shall be given a score of at least 80. 
If a domain is identified as Deliverable, Disposable, Free or Custom then it is identified at the top of the Email Information Widget.
Custom usually refers to a company or university’s domain or personal website domain. 

Free email providers have a no-risk and high risk category. A provider is flagged as High Risk when the customer can create a new mailbox without text message or other type of additional verification methods.

Data Breaches The SEON Email API gives insight as to whether the email address supplied has been involved in any historical data breaches.  If any data breaches are identified then the system shows many times the email address has been involved and when the first identified breach was.  The first time an email address was part of a data breach can help to verify the age of an email address as it identifies that the email address was in use at this time. If an email address hasn't been part of any historical data breaches then it can mean it’s higher risk as it could be a newer email address.   Registered Online Profiles The SEON Email API checks the provided email address against more than 40 online and social platforms in real time. If the email is registered on the platform it is marked green and, if not, it is marked as grey. SEON will show any additional public profile information that may be associated with any matched social platforms. This may include the profile picture, description and location details.   Domain Analysis A domain can be manually updated from within this section to mark it as being a Free, Custom or Disposable address.  Additional metadata about the domain is shown within the Domain Analysis section including: Creation Date - This allows you to identify the age of the domain name. The older the registration, the less risky the domain. Registrar Name - The person/entity who registered the domain. Fraudsters sometimes try to register domains to pose as legitimate companies. Registered to - The company that the domain name was registered through. Accept All - If there is an accept all policy on the domain then the risk is increased as the mailbox is not unique and can be used by multiple people.  DMARC/SPF Strict - These are both anti-spam features added to the DNS records for a domain name and identifies that the domain is likely to be set up correctly, thereby reducing the risk slightly. Valid MX - If valid MX records exist against a domain it means that the domain can receive emails. If these are not set then there is an increased risk associated with the domain.  TLD Suspicious - the SEON Email API can validate whether the TLD (e.g. .com) is favoured by fraudsters Website Exists - If there is a live website on the domain then this identifies the domain as being lower risk.

Fraudsters often set up and use fresh email addresses, normally to match with the real name of the identity theft victim. 

If the email address is provided by a free provider, there is no social media profile data and no data breach occurrence, the email is considered to be High Risk. 

If email addresses are not verified there is a probability that fraudsters will use random emails that might have social media profiles. 

If the email is similar to the cardholder name, there is social media profile data and no strange user behaviour, you might be looking at a case of friendly fraud. Our data can be useful to serve as evidence in your chargeback dispute process.

Lookup Details

The SEON Email API identifies the number of times that the email address has been seen across the entire SEON database.

Email String Analysis

The email string analysis identifies various metrics associated with the structure of the email address.

Clicking on the API Runner button will resubmit the email data to the Email API in order to refresh and update the information available.

The Phone Information Widget provides a risk score, which indicates how risky the phone number provided is. 

This score is based on default SEON rules which can be reviewed in the Scoring Engine. A score of 4 or more is considered risky.
The widget also shows additional information about the phone number:

• You can instantly see whether the phone number is valid or not, what country it originates from, as well as the carrier’s name. We also check whether the phone number is listed by disposable phone number provider sites.
• The widget will also detail the type of the phone number. 
  • Premium rate – Premium-rate telephone numbers are telephone numbers that charge callers higher price rates for select services, including information and entertainment. A portion of the call fees is paid to the service provider, allowing premium calls to be an additional source of revenue for businesses.
  • Toll free – Toll-free numbers are telephone numbers with distinct three-digit codes that can be dialed from landlines at no charge to the person placing the call. Such numbers allow callers to reach businesses and individuals out of the area without being charged a long-distance fee for the call.
  • Shared cost – Shared cost numbers are premium numbers in the UK, Australia, Germany, Switzerland, France, Portugal, and the Netherlands, often used by businesses and other institutions. They are charged at a higher rate than regular numbers.
  • Voip – A VoIP (Voice over Internet Protocol) phone number is assigned to you when you sign up for a VoIP service. It works the same as traditional phone numbers, but there's usually a PC App or phone app on the receiving end.
  • Personal number – Personal numbering is the name of the virtual telephone number service in the UK. Typically the national destination code used for this service is (0)70. The service provides a flexible virtual telephone number routed to any other number, including international mobiles. For example, the UK number +44 70 0585 0070 might route to an Inmarsat satellite phone number, allowing the user to have a UK number while roaming globally.
  • Pager – A number used to communicate with pagers
  • Uan – When an EPFO (Employees Provident Fund Organisation) member is generated a UAN (Universal Account Number), or EPF Passbook, they must have the member's registered mobile number, for which the EPFO has made provisions.
  • Voicemail – A number that directly connects to a voicemail.
  • Fixed line – A landline number is just a regular phone number that relies on physical wires to enable voice calls.
  • Mobile – Personal number associated with the user.
  • Unknown – We can't share any information about this number.
• The phone widget cross references with 15 social media networks including WhatsApp, Viber, Twitter, Facebook, and Telegram to highlight details from any registered accounts such as last seen status or profile pictures where applicable.
• Additionally the Phone API also queries the Home Location Register (HLR) and Caller Name Delivery (CNAM) database to provide additional metadata for any fraud analysis. Please keep in mind that this is a premium feature, you can contact our team if you want this enabled in your account.

Under lookup Details, you can see how many times the phone number has been seen across the entire SEON database, as well as how many different SEON customers encountered it.
Clicking on the Refresh Data button will resubmit the phone data to the Phone API in order to refresh and update the information.

Relevant addresses associated with the user and the transaction are displayed on the map showing Google Street View images and the distances between every location. 

Integrating SEON Device Fingerprinting allows the collection of a range of information about the user’s client device. Device Fingerprinting Modules are available for JavaScript or as a mobile SDK (iOS and Android). 

To learn more about how the system works, please refer to the Device Fingerprinting Documentation. 

• If the device widget is not active and showing as no data being received, please make sure you have set up your integration correctly. Our API Documentation can help to understand what may have gone wrong and our support team is ready to help with any troubleshooting.
• We collect more than 50 different data points using our JS Agent/SDKs to provide you with the clearest possible picture of your users’ devices, you can find a full list of these in our API Documentation.
   

Returning users are identified by using cookie, browser and device hashes:

Cookie hash

Unique identifier based on the cookie session. If someone shares the same cookie hash with someone else, they are most likely using the same browser and device. It is the most accurate identifier for shared devices. However if the client clears the browser’s cookies and storage cache this ID will change.

Browser hash

A unique identifier based on the complete browser profile. This includes details on the screen resolution, hardware, font, plugin set, network layers and specific features in the browser. 
This is a very good way to make connections between shared devices, but in some rare cases, specifically for mobile devices, the ID can be the same. This may occur if they have completely the same hardware, software and settings profile.
If the client clears the browser’s cookie and storage cache then this ID will not change. Likewise, if someone is browsing using Incognito or InPrivate tabs then the same ID will be returned.

Device hash

Unique identifier based on the hardware of a device. It is generated based on a number of data points including the HTML5 canvas fingerprint, WebGL driver, audio fingerprint and others. 
It's useful to detect virtual machines and emulators. We recommend using it for blacklists, if there are bad actors who share a hash, or using it as an extra parameter for rules if needed.
Two identical devices with the same hardware will share the same hash. However customers who share the hash are not likely to be related. 
We also offer native iOS and Android SDKs for Device Fingerprinting purposes. These return slightly different device details, the most important among these, at least for clone search purposes, is the device_hash. In the case of the native SDKs, there is no Browser or Cookie hash, only the Device hash, however this value will always be a 100% match if more users are sharing the same value.

How we determine device risk scores

When you check user profiles in SEON, you probably noticed that we assign an individual risk score to each device.

Our fraud experts constantly collect and analyze data from different fraud rings and malicious attacks. We then identify behavioral patterns and create rules in SEON to spot the telltale signs such as bots, device spoofing, and many more.

These rules are used to add points to the risk score, determining the final device score of a transaction. A device score of 4 or higher is considered suspicious.

Most notable data points to observe for fraud detection purposes:

WebRTC IP checks

• Web real-time-communications, known as WebRTC, is a technology that enables your browser to communicate with websites by establishing a real-time peer-to-peer connection. 
• While using a proxy, users might think they can mask their public IP address. With the WebRTC check, you can detect what the user’s actual IP address behind their proxy is because the communication channel between the website and the user’s browser exchanges their public IP address along with other data.

Domain IP checks

• Similar to WebRTC IPs, users can have DNS (Domain Name System) IP addresses that are different from their regular IP. The use of proxy connections can also be detected by checking for distinct DNS IPs. This is not always a cause for concern however, because a number of legitimate users tend to utilise large, well-known companies DNS servers to protect their privacy and to prevent their ISPs from observing their traffic. 
• In conclusion, if you see a DNS IP with a much less common DNS ISP Name and the regular and DNS IP addresses of users are different, the connection can be considered suspicious. 

Time zone offset and Region language

• Differences in the IP location’s time zone and that of the device can be an obvious sign of suspicious activity, same goes for differences between languages. 

Window’s size and Screen resolution

• We have found that these attributes, especially the Window’s size, can be a great tool for clone searches when dealing with a large fraud ring.
   

The Credit Card widget shows all data related to any payment card details passed to SEON via the API. 
This can be used to spot unusual BINs, issuer countries, issuing bank, card type, level and whether the card is prepaid or virtual. 

The Transactional Information Widget shows all other transactional and payment information passed to SEON via the API.

This includes details about the payment method, bank account, and any relevant verification steps, such as user verification or 3D-Secure.

Where flight information is passed to the SEON API,  the Flight Information Widget is displayed. 
 

It shows any information related to the flight itself, including departure times, cabin classes, and any personal details about the passenger(s).

Any additional information about the order that has been passed into SEON via the API can be accessed from the Order Details widget. 
This includes notes, discount codes, and gift messages.

You can send additional business-specific data points that aren’t covered by any of the standard SEON fields as custom fields to the API.

This allows for the scoring model to be more accurate for your business.

All custom fields passed into SEON are shown on the Custom Fields widget, and it is possible to search for these via filtering.

Additionally, customer custom rules can be created directly based on these passed-in values.