Transaction Details – Widgets

Updated on 07.10.22

Understanding the information provided under the transaction details widgets.

Overview

Our data enrichment APIs enhance all the data you send to SEON. You can find the results of this process in the widgets of the transaction details page. Scroll down below the Applied rules section to unlock this wealth of information.

You can easily reposition each widget to customize the Transaction Details Page in a way that fits your workflows best. 

Additionally, many elements can be used to filter the transaction list. If you click on a green filter icon that appears over a metric, a new window will open listing all transactions that match the selected filter.

Read about what you can find in the different widgets below.

IP Information Widget

 

The IP API response is shown in the IP Information widget, which displays all IP address data for the selected transaction. The following information is displayed:

  • IP Score
    Our IP scoring system identifies suspicious IP addresses. The higher the score, the more risky an address is deemed to be. 
    Using the default settings, any IP that is a server and not residential will be scored at least 10, with VPNs & TOR nodes always scored at over 80.
  • TOR
    If we identify the IP address as a TOR node, it will also be flagged here. TOR is the Onion browser used by those who want to maintain anonymity through a browser that connects to an open network; the IP addresses flagged here are TOR exit nodes.
  • Location
    The Geolocation of the provided IP address is obtained, allowing you to cross reference against any other transactional location information.
  • VPN
    VPNs offer users a publicly accessible network for the purpose of hiding one’s IP address. If it has been possible to identify the IP address as a VPN then it will be flagged here.
  • IP Type
    This allows the analysts to identify whether the user is using a residential internet connection or something potentially higher risk.
    ISP - Residential Internet
    MOB - Mobile/cellular network
    DCH - Server or Data Center
  • Spam Blacklists
    This blacklist indicates whether the IP address has been previously marked as a spam source on any of the 60+ Domain Name System-based Blackhole Lists that we scan. Seeing more than three or four spam blacklists indicates high risk. Being listed in one to two places is usually not considered risky.
  • ISP
    You can view the exact name of the Internet Service Provider (ISP). This can be very useful for transaction investigation and clone detection as many fraudsters tend to stick to using the same ISP.
  • Public Proxy
    Public proxies function similarly to VPNs; the main difference is their more limited functionality. Additionally, proxy server software can be configured to listen on a specified port.
  • Open Ports
    Open HTTP ports can identify if the client is running any kind of web or other server (like an RDP) through their IP. All proxies will have some ports open to let other computers join, so if there are more ports open it can mean a higher fraud risk.
  • Web Proxy
    While still similar to VPNs and public proxies, web proxies are simpler and do not operate at the IP address or other ports’ level.
  • Harmful IP
    Harmful IPs are IPs that we know are used for SSH brute force attacks, hacking attempts, malicious IPs, Postfix/IMAP scans, Telnet scans, and spam hosts. These are automatically assigned higher risk scores.

 

 


 

Email Information Widget

The Email API response can be seen in the Email Information widget where all social media and domain information for the selected transaction is displayed. 

You can see how many times the email address in question has been seen across the entire SEON database under the Lookup details, as well as how many different SEON clients encountered it.

 

Email Risk Scoring

Our Email Risk Scoring system identifies suspicious email addresses: the higher the score, the more risky an address is deemed to be. The score is based on the default rules, which can be reviewed in the Scoring Engine.

Free email providers fall into either a no-risk or a high-risk category. A provider is flagged as High Risk when the customer can create a new mailbox without text message or another type of additional verification.

 

Data Breaches

The SEON Email API gives insight as to whether the email address supplied has been involved in any historical data breaches. 


If any data breaches are identified, the system shows how many times the email address has been involved and when the first identified breach was.


The first time an email address was part of a data breach can help to verify the age of an email address as it identifies that the email address was in use at this time. If an email address hasn't been part of any historical data breaches then it can mean it’s higher risk as it could be a newer email address.

 

Registered Online Profiles

The SEON Email API checks the provided email address against more than 40 online and social platforms in real time.


If the email is registered on the platform it is marked green and, if not, it is marked as grey.


SEON will show any additional public profile information that may be associated with any matched social platforms. This may include the profile picture, description and location details.

 

Domain Analysis

A domain can be manually updated from within this section to mark it as being a Free, Custom or Disposable address. 

Additional metadata about the domain is shown within the Domain Analysis section including:

  • Creation Date - This allows you to identify the age of the domain name. The older the registration, the less risky the domain.
  • Registrar Name - The person/entity who registered the domain. Fraudsters sometimes try to register domains to pose as legitimate companies.
  • Registered to - The company that the domain name was registered through.
  • Accept All - If there is an accept all policy on the domain then the risk is increased as the mailbox is not unique and can be used by multiple people. 
  • DMARC/SPF Strict - These are both anti-spam features added to the DNS records for a domain name. Their presence indicates that the domain is likely to be set up correctly, thereby reducing the risk slightly.
  • Valid MX - If valid MX records exist against a domain it means that the domain can receive emails. If these are not set then there is an increased risk associated with the domain. 
  • TLD Suspicious - The SEON Email API can validate whether the TLD (e.g. .com) is favoured by fraudsters.
  • Website Exists - If there is a live website on the domain then this identifies the domain as being lower risk.
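The DMARC/SPF Strict signal can be reproduced from a domain's raw TXT records. The sketch below is an added example, not SEON's implementation: it assumes "strict" means an SPF record whose `all` mechanism is a hard fail (`-all`) and a DMARC policy of `p=reject` applied to all mail, which this page does not define. The sample records are constructed and the DNS lookup itself is left out so the code runs offline.

```python
def spf_is_strict(txt_records):
    """True if the domain publishes exactly one SPF record with a hard fail."""
    spf = [r.lower().split() for r in txt_records
           if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:      # no record, or several (an error under RFC 7208)
        return False
    # The first "all" mechanism sets the default result; "-" is hard fail.
    for term in spf[0][1:]:
        if term.lstrip("+-~?") == "all":
            return term.startswith("-")
    return False           # no "all" (e.g. redirect=): cannot judge offline


def dmarc_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a lower-cased dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def dmarc_is_strict(dmarc_txt_records):
    """True if the single DMARC record asks receivers to reject all failures."""
    recs = [t for t in map(dmarc_tags, dmarc_txt_records)
            if t.get("v") == "dmarc1"]
    if len(recs) != 1:
        return False
    return recs[0].get("p") == "reject" and recs[0].get("pct", "100") == "100"


def domain_posture(domain_txt, dmarc_txt):
    """domain_txt: TXT records at the domain; dmarc_txt: TXT at _dmarc.<domain>."""
    return {"spf_strict": spf_is_strict(domain_txt),
            "dmarc_strict": dmarc_is_strict(dmarc_txt)}


# Constructed sample records (example.* names are placeholders).
STRICT = domain_posture(
    ["site-verification=abc123", "v=spf1 include:_spf.example.net -all"],
    ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"])
LAX = domain_posture(
    ["v=spf1 include:_spf.example.net ~all"],
    ["v=DMARC1; p=reject; pct=20"])

if __name__ == "__main__":
    print("strict domain:", STRICT)
    print("lax domain:", LAX)
```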

Lookup Details

The SEON Email API identifies the number of times that the email address has been seen across the entire SEON database.

 

Email String Analysis

The email string analysis identifies various metrics associated with the structure of the email address.

Clicking on the API Runner button will resubmit the email data to the Email API in order to refresh and update the information available.

 

Phone Information Widget

The Phone Information Widget provides a risk score, which indicates how risky the phone number provided is. 

This score is based on default SEON rules which can be reviewed in the Scoring Engine. A score of 4 or more is considered risky.

The widget also shows additional information about the phone number:

  • You can instantly see whether the phone number is valid or not, what country it originates from, as well as the carrier’s name. We also check whether the phone number is listed by disposable phone number provider sites.
  • The widget will also detail the type of the phone number. 
    • Premium rate – Premium-rate telephone numbers are telephone numbers that charge callers higher price rates for select services, including information and entertainment. A portion of the call fees is paid to the service provider, allowing premium calls to be an additional source of revenue for businesses.
    • Toll free – Toll-free numbers are telephone numbers with distinct three-digit codes that can be dialed from landlines at no charge to the person placing the call. Such numbers allow callers to reach businesses and individuals out of the area without being charged a long-distance fee for the call.
    • Shared cost – Shared cost numbers are premium numbers in the UK, Australia, Germany, Switzerland, France, Portugal, and the Netherlands, often used by businesses and other institutions. They are charged at a higher rate than regular numbers.
    • Voip – A VoIP (Voice over Internet Protocol) phone number is assigned to you when you sign up for a VoIP service. It works the same as traditional phone numbers, but there's usually a PC App or phone app on the receiving end.
    • Personal number – Personal numbering is the name of the virtual telephone number service in the UK. Typically the national destination code used for this service is (0)70. The service provides a flexible virtual telephone number routed to any other number, including international mobiles. For example, the UK number +44 70 0585 0070 might route to an Inmarsat satellite phone number, allowing the user to have a UK number while roaming globally.
    • Pager – A number used to communicate with pagers
    • Uan – When an EPFO (Employees Provident Fund Organisation) member is generated a UAN (Universal Account Number), or EPF Passbook, they must have the member's registered mobile number, for which the EPFO has made provisions.
    • Voicemail – A number that directly connects to a voicemail.
    • Fixed line – A landline number is just a regular phone number that relies on physical wires to enable voice calls.
    • Mobile – Personal number associated with the user.
    • Unknown – We can't share any information about this number.
  • The phone widget cross references with 15 social media networks including WhatsApp, Viber, Twitter, Facebook, and Telegram to highlight details from any registered accounts such as last seen status or profile pictures where applicable.
  • Additionally, the Phone API also queries the Home Location Register (HLR) and Caller Name Delivery (CNAM) databases to provide additional metadata for any fraud analysis. Please keep in mind that this is a premium feature; you can contact our team if you want it enabled in your account.

Under Lookup Details, you can see how many times the phone number has been seen across the entire SEON database, as well as how many different SEON customers encountered it.

Clicking on the Refresh Data button will resubmit the phone data to the Phone API in order to refresh and update the information.

 

Identity Widget

The Identity Widget shows a combined list of all known customer related information.

You can access previously used data and our string analysis of the user’s username by clicking the arrows next to the values.

It is also possible to create a custom fraud rule, based on your preferences of the selected user’s data, by selecting the Exclude Settings button.


 

 

Addresses Widget

Relevant addresses associated with the user and the transaction are displayed on the map showing Google Street View images and the distances between every location. 


 

 


 

 

Devices & OS Widget

 

Integrating SEON Device Fingerprinting allows the collection of a range of information about the user’s client device. Device Fingerprinting Modules are available for JavaScript or as a mobile SDK (iOS and Android). 


To learn more about how the system works, please refer to the Device Fingerprinting Documentation.

  • If the device widget is not active and shows that no data is being received, please make sure you have set up your integration correctly. Our API Documentation can help you understand what may have gone wrong, and our support team is ready to help with any troubleshooting.
  • We collect more than 50 different data points using our JS Agent/SDKs to provide you with the clearest possible picture of your users’ devices. You can find a full list of these in our API Documentation.
     

Returning users are identified by using cookie, browser and device hashes:

Cookie hash

Unique identifier based on the cookie session. If someone shares the same cookie hash with someone else, they are most likely using the same browser and device. It is the most accurate identifier for shared devices. However if the client clears the browser’s cookies and storage cache this ID will change.

 

Browser hash

A unique identifier based on the complete browser profile. This includes details on the screen resolution, hardware, font, plugin set, network layers and specific features in the browser. 
This is a very good way to make connections between shared devices, but in some rare cases, specifically for mobile devices, the ID can be the same. This may occur if they have completely the same hardware, software and settings profile.
If the client clears the browser’s cookie and storage cache then this ID will not change. Likewise, if someone is browsing using Incognito or InPrivate tabs then the same ID will be returned.

 

Device hash

Unique identifier based on the hardware of a device. It is generated based on a number of data points including the HTML5 canvas fingerprint, WebGL driver, audio fingerprint and others. 
It's useful to detect virtual machines and emulators. We recommend using it for blacklists, if there are bad actors who share a hash, or using it as an extra parameter for rules if needed.
Two identical devices with the same hardware will share the same hash. However customers who share the hash are not likely to be related. 
We also offer native iOS and Android SDKs for Device Fingerprinting purposes. These return slightly different device details, the most important among these, at least for clone search purposes, is the device_hash. In the case of the native SDKs, there is no Browser or Cookie hash, only the Device hash, however this value will always be a 100% match if more users are sharing the same value.

 

How we determine device risk scores

When you check user profiles in SEON, you have probably noticed that we assign an individual risk score to each device.

Our fraud experts constantly collect and analyze data from different fraud rings and malicious attacks. We then identify behavioral patterns and create rules in SEON to spot the telltale signs such as bots, device spoofing, and many more.

These rules are used to add points to the risk score, determining the final device score of a transaction. A device score of 4 or higher is considered suspicious.

Most notable data points to observe for fraud detection purposes:

WebRTC IP checks

  • Web real-time-communications, known as WebRTC, is a technology that enables your browser to communicate with websites by establishing a real-time peer-to-peer connection. 
  • While using a VPN, users might think they can mask their public IP address but with WebRTC checks you can detect what the user’s actual IP address behind their proxy is because the communication channel between the website and the user’s browser exchanges their public IP address along with other data. 
  • The presence of WebRTC IPs can be a sign of suspicious activity, which is why SEON has a Default rule built in your system to flag such users.

 

Domain IP checks

  • Similar to WebRTC IPs, users can have DNS (Domain Name System) IP addresses that are different from their regular IP. The use of proxy connections can also be detected by checking for distinct DNS IPs. This is not always a cause for concern, however, because a number of legitimate users tend to use large, well-known companies’ DNS servers to protect their privacy and to prevent their ISPs from observing their traffic.
  • In conclusion, if you see a DNS IP with a much less common DNS ISP Name and the regular and DNS IP addresses of users are different, the connection can be considered suspicious. 

 

Time zone offset and Region language

  • Differences between the IP location’s time zone and that of the device can be an obvious sign of suspicious activity; the same goes for differences between languages.

 

Window’s size and Screen resolution

  • We have found that these attributes, especially the Window’s size, can be a great tool for clone searches when dealing with a large fraud ring.
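The WebRTC, DNS, time zone and language checks described above can be expressed as consistency tests over one session record. This is an added example, not SEON's rule logic: the record schema, the flag names and the set of "well-known" DNS operators are assumptions, and the sample sessions are constructed.

```python
from ipaddress import ip_address, ip_network

# RFC 1918, loopback and link-local ranges: WebRTC candidates in these are
# LAN addresses and say nothing about a proxy. (Explicit list rather than
# is_global, which also rejects the documentation ranges used in the samples.)
LOCAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Assumption: resolver operators treated as large, well-known DNS providers.
COMMON_DNS_ISPS = {"Google LLC", "Cloudflare, Inc.", "Quad9"}


def device_flags(s):
    """Return consistency flags for one session record (hypothetical schema)."""
    flags = []
    req_ip = ip_address(s["ip"])

    # WebRTC: a public candidate that differs from the request IP means the
    # request arrived through a proxy or VPN exit.
    public = [a for a in map(ip_address, s.get("webrtc_ips", []))
              if not any(a in n for n in LOCAL_NETS)]
    if any(a != req_ip for a in public):
        flags.append("webrtc_ip_mismatch")

    # DNS: a differing resolver IP alone is normal; flag only when the
    # resolver's operator is neither the user's ISP nor a well-known provider.
    dns_ip = s.get("dns_ip")
    if dns_ip and ip_address(dns_ip) != req_ip:
        if s.get("dns_isp") not in COMMON_DNS_ISPS | {s.get("isp")}:
            flags.append("uncommon_dns_resolver")

    # Time zone: device UTC offset vs. the offset at the IP's geolocation.
    if s["device_utc_offset_min"] != s["ip_utc_offset_min"]:
        flags.append("timezone_mismatch")

    # Language: region subtag of the device locale vs. the IP's country.
    _, _, region = s.get("device_language", "").partition("-")
    if region and region.upper() != s["ip_country"]:
        flags.append("language_region_mismatch")
    return flags


# Constructed sample sessions (documentation-range IPs, invented ISP names).
SESSIONS = {
    "home_user": {"ip": "198.51.100.23", "isp": "Example Broadband",
                  "webrtc_ips": ["192.168.1.14", "198.51.100.23"],
                  "dns_ip": "192.0.2.53", "dns_isp": "Cloudflare, Inc.",
                  "device_utc_offset_min": 60, "ip_utc_offset_min": 60,
                  "device_language": "hu-HU", "ip_country": "HU"},
    "vpn_user": {"ip": "203.0.113.77", "isp": "Example Hosting",
                 "webrtc_ips": ["10.8.0.2", "198.51.100.200"],
                 "dns_ip": "192.0.2.99", "dns_isp": "Obscure DNS Ltd",
                 "device_utc_offset_min": 420, "ip_utc_offset_min": 60,
                 "device_language": "vi-VN", "ip_country": "NL"},
}

if __name__ == "__main__":
    for name, session in SESSIONS.items():
        print(name, device_flags(session))
```

Each flag on its own is weak evidence, since travellers and privacy-conscious users trigger some of them; several together on one session are what make it worth a manual review.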

 

Credit Card Widget

The Credit Card widget shows all data related to any payment card details passed to SEON via the API. 
This can be used to spot unusual BINs, issuer countries, issuing bank, card type, level and whether the card is prepaid or virtual.

 

Lists Widget

The Lists Widget allows for the review of all the blacklisted or whitelisted data-points within the current transaction.  

Clicking the 'Change' button allows you to see a detailed view of every data-point used by the transaction. In addition it allows for the change of state, addition of comments and ability to set an expiration date for a particular data point.


 

User Revenue Widget

The User Revenue widget lets you quickly see a snapshot of the user's revenue based on how much they’ve deposited and withdrawn within a certain time frame.

The amounts are calculated based on transactions where deposit or withdrawal was sent as action_type.

On the top right corner you are able to choose the time frames you want to view within the past year and select a Brand where the revenue was earned. This is based on the brand_id field sent via the Fraud API. The charts and all the aggregated numbers change according to these filters.

On the bottom you see the total bonus or deposit rate for the user.

  • Total bonus used: Sum of the transaction amount in transactions where bonus_campaign_id field was sent as not null or empty.
  • Total bonus / total deposit: Total bonus as described above / Sum of transaction amount in transactions where action_type was deposit.

     

Transactional Information Widget

The Transactional Information Widget shows all other transactional and payment information passed to SEON via the API.

This includes details about the payment method, bank account and any relevant verification steps such as user verification or 3D-Secure.


 

Flight Information Widget

Where flight information is passed to the SEON API, the Flight Information Widget is displayed.
 

It shows any information related to the flight itself, including departure times, cabin classes and any personal details about the passenger(s).


 

Order Details Widget

Any additional information about the order that has been passed into SEON via the API can be accessed from the Order Details widget. 
This includes notes, discount codes and gift messages.

 

Custom Fields Widget

You can send additional business-specific data points that aren’t covered by any of the standard SEON fields as custom fields to the API. 

This allows for the scoring model to be more accurate for your business.

All custom fields passed into SEON are shown on the Custom Fields widget and it is possible to search for these via filtering. 

Additionally, custom rules can be created directly based on these passed-in values.

 


 

Notes Widget

The notes widget allows for the saving of any relevant notes about the transaction.
This is useful for giving other analysts information about the transaction or the reasoning behind a given decision. 
The notes are saved in a chat-like format, including the users’ name, date & time and avatar.

 
