Logon fraud detection helps enterprises protect user accounts with high-value assets, such as accounts with balances, bank cards, points, and credit limits, preventing account theft, customer complaints, and reputation damage caused by malicious attacks.
Editions
To meet the risk control requirements of enterprises in different industries and at different stages, logon fraud detection is available in Basic Edition and Advanced Edition. The following table describes the differences between these editions:
Feature | Basic Edition | Advanced Edition |
Real-time Analytics | Yes, real-time analytics is supported. | Yes, real-time analytics is supported. |
Return value | Quantitative scores. | Quantitative scores and risk tags. |
Device risk monitoring | No, device risk monitoring is not supported. | Yes, device risk monitoring is supported. The system can check whether a device is an emulator, multi-boxing instance, device in device farms, multi-tasking software, cloud phone, or hook device. |
Device fingerprint | No, device fingerprint is not supported. | Yes, device fingerprint is supported. |
Gang analysis | No, gang analysis is not supported. | Yes, gang analysis is supported. |
Log delivery to Simple Log Service | No, log delivery to Simple Log Service is not supported. | Yes, log delivery to Simple Log Service is supported. You can authorize Fraud Detection to deliver logs to Simple Log Service. Then, Simple Log Service stores the logs free of charge for one year. |
Service event parameters
Service event parameters refer to the request parameters that are passed to the common request parameter Service Parameters in the JSON format. The following table describes the request parameters that you must specify for the Logon Fraud Detection service (Basic Edition and Advanced Edition).
Alibaba Cloud Fraud Detection does not verify the format of strings that are specified for input parameters. This helps maximize the adaptability of input parameters. You need to manually verify the format of your data. For example, you need to check whether the format of the mobile parameter value meets the requirements of mobile phone numbers in the Chinese mainland. This type of mobile phone number must consist of 11 digits and start with 1.
Parameter | Supported version | Description | Data Type | Example value | Required |
accountId | Basic and Advanced | The unique ID of your account. | String | 10123**** | Yes (Optional if a mobile phone number is specified) |
operateTime | Basic and Advanced | The timestamp of the operation, which is accurate to the second. The timestamp is in UTC. Note: If you want to scan historical data for risks, you must specify the time when the historical operation occurred for this parameter. This prevents misidentification due to incorrect calculation time. | Long | For example, the timestamp is 1522555200 at 2018-04-01 12:00:00 GMT. | Yes |
mobile | Basic and Advanced | The mobile phone number. By default, the mobile phone number that you specify is considered a mobile phone number in the Chinese mainland. If you want to specify a mobile phone number outside the Chinese mainland, you must include the country or region code. The format is | String | | Yes (Optional if an email address is specified) |
mobileMd5 | Basic and Advanced | The MD5 hash value of the mobile phone number. Specify a 32-digit value that consists of lowercase letters and digits. Make sure that the mobile phone number consists of 11 digits and starts with 1. | String | | Yes (You must specify the mobile or mobileMd5 parameter.) |
ip | Basic and Advanced | The public IPv4 address of the client (user side) when the business event occurs. | String | 42.120.XX.XX | Yes |
email | Basic and Advanced | The email address. | String | admin****@aliyun.com | Yes (Optional if a mobile phone number is specified) |
deviceToken | Advanced | The device token obtained by using the Device Risk SDK. | String | MzQvo1d7scyZ3tl_RcJZo_QOytAjy1LWRRLoRKo5oZSoo_JGj1ZoR5JGoRo5jcdn57gV5kxVRcLER5RQoZSvRZZQRcROjcMW5csZR_RGy_55RKJ_oooqZ7dSV5gRnKxOV7eWVQQjRtlRQoAjRcM0 | No (Recommended) |
nickName | Basic and Advanced | The alias of your account. | String | admin**** | No (Recommended) |
userAgent | Basic and Advanced | The User-Agent request header. | String | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36 | No (Recommended) |
refer | Basic and Advanced | The Referer request header. | String | https://www.aliyun.com/ | No (Recommended) |
mac | Basic and Advanced | The media access control (MAC) address of the device. | String | C0:77:36:2E:XX:XX | No (Recommended) |
operateSource | Basic and Advanced | The source of the operation. Valid values: | String | PC | No (Recommended) |
appVersion | Basic and Advanced | The version number of the app. | String | 1.0 | No (Recommended) |
deviceType | Basic and Advanced | The type of the device. Valid values: | String | PC | No (Recommended) |
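Because the service does not check string formats, malformed fields have to be caught before the request is sent. The following is an added example, not Alibaba Cloud code: a client-side check of the fields whose formats the table states. It assumes Chinese-mainland numbers only and reads the Required column as "at least one of accountId, mobile, mobileMd5 or email"; the function names and sample values are hypothetical.

```python
import hashlib
import ipaddress
import json
import re

MAINLAND_MOBILE = re.compile(r"1\d{10}")   # 11 digits, starts with 1
MD5_HEX = re.compile(r"[0-9a-f]{32}")      # 32 lowercase hex characters

def mobile_md5(mobile: str) -> str:
    """Validate a Chinese-mainland number, then return its lowercase MD5 hex."""
    if not MAINLAND_MOBILE.fullmatch(mobile):
        raise ValueError("mobile must be 11 digits starting with 1")
    return hashlib.md5(mobile.encode("ascii")).hexdigest()

def validate_event(ev: dict) -> list:
    """Return a list of problems; an empty list means the event is well-formed."""
    errs = []
    t = ev.get("operateTime")
    # Seconds, not milliseconds: a 13-digit value is the usual mistake.
    if not isinstance(t, int) or isinstance(t, bool) or not 0 < t < 10**10:
        errs.append("operateTime: integer UTC timestamp in seconds required")
    try:
        ip = ipaddress.ip_address(str(ev.get("ip", "")))
        if ip.version != 4 or not ip.is_global:
            errs.append("ip: must be a public IPv4 address")
    except ValueError:
        errs.append("ip: not an IP address")
    mobile, md5 = ev.get("mobile"), ev.get("mobileMd5")
    if mobile is not None and not MAINLAND_MOBILE.fullmatch(str(mobile)):
        errs.append("mobile: expected 11 digits starting with 1")
    if md5 is not None and not MD5_HEX.fullmatch(str(md5)):
        errs.append("mobileMd5: expected 32 lowercase hex characters")
    # Assumed reading of the Required column: some user identifier must be present.
    if not any(ev.get(k) for k in ("accountId", "mobile", "mobileMd5", "email")):
        errs.append("one of accountId, mobile, mobileMd5 or email is required")
    return errs

def build_service_parameters(ev: dict) -> str:
    """Serialize a validated event to the JSON string passed to the service."""
    errs = validate_event(ev)
    if errs:
        raise ValueError("; ".join(errs))
    return json.dumps(ev, separators=(",", ":"))

if __name__ == "__main__":  # constructed sample event
    print(build_service_parameters({"accountId": "u-1001", "operateTime": 1522555200,
          "ip": "42.120.1.1", "mobileMd5": mobile_md5("13800000000")}))
```

Sending mobileMd5 instead of mobile keeps the raw number out of the request, but the 11-digit number space is small enough to enumerate, so treat the hash as an identifier rather than as anonymized data.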
Response parameters
The response parameters of the logon fraud detection service include scores and risk tags. Risk tags are returned only in Advanced Edition.
The following table describes the business meaning of the score field value in the Data response parameter and provides suggestions (based on the experience of the Alibaba Cloud risk control team).
You can perform operations based on your business requirements.
Score interval | Risk level | Recommendations |
[0,35) | Low Risk | We recommend that you allow the operation or mark it for observation. |
[35,65) | Medium Risk | We recommend that you perform simple verification, such as text message verification or security question verification. |
[65,85) | Medium-high risk | We recommend that you perform verification with a certain level of intensity, such as text message verification plus identity verification. |
[85,100] | High Risk | We recommend that you perform high-intensity verification or restrict permissions for important business operations. |
For information about the business meaning of the tags field value in the Data response parameter, you can refer to the Risk Tag Definitions module in the Access Management section of the Fraud Detection console.
For more information about common response parameters, see Common response parameters.