Logon fraud detection helps enterprises protect user accounts with high-value assets, such as accounts with balances, bank cards, points, and credit limits, preventing account theft, customer complaints, and reputation damage caused by malicious attacks.
Editions
To meet the risk control requirements of enterprises in different industries and at different stages, logon fraud detection is available in Basic Edition and Advanced Edition. The following table compares the two editions:
Features | Basic Edition | Advanced Edition |
Real-time analysis | Yes | Yes |
Return value | Quantitative scores | Quantitative scores and risk tags |
Device risk monitoring | No | Yes, device risk monitoring is supported. The system can check whether a device is an emulator, multi-boxing instance, device in device farms, multi-tasking software, cloud phone, or hook device. |
Device fingerprint | No | Yes |
Gang analysis | No | Yes |
Log delivery to Simple Log Service | No | Yes, log delivery to Simple Log Service is supported. You can authorize Fraud Detection to deliver logs to Simple Log Service. Then, Simple Log Service stores the logs free of charge for one year. |
Service event parameters
Service event parameters refer to the request parameters that are passed to the common request parameter ServiceParameters in the JSON format. The following table describes the request parameters for Logon Fraud Detection service (including Basic Edition and Advanced Edition) events.
Alibaba Cloud Fraud Detection does not verify the format of strings that are specified for input parameters. This helps maximize the adaptability of input parameters. You need to manually verify the format of your data. For example, you need to check whether the format of the mobile parameter value meets the requirements of mobile phone numbers in the Chinese mainland. This type of mobile phone number must consist of 11 digits and start with 1.
Parameter name | Supported edition | Description | Data format | Example | Required |
accountId | Basic and Advanced | The unique ID of your account. | String | 10123**** | Yes (Optional if a mobile phone number is provided) |
operateTime | Basic and Advanced | The timestamp of the operation, which is accurate to the second. The timestamp is in UTC. Note: If you scan historical data for risks, you must specify the historical operation time for this parameter to avoid misidentification caused by incorrect calculation time. | Long | The timestamp is 1522555200 at 2018-04-01 12:00:00 GMT. | Yes |
mobile | Basic and Advanced | The mobile phone number. By default, the mobile phone number that you specify is considered a mobile phone number in the Chinese mainland. If you want to specify a mobile phone number outside the Chinese mainland, you must include the country code in the format of | String | | Yes (Optional if an email address is provided) |
mobileMd5 | Basic and Advanced | The MD5 hash value of the mobile phone number. Specify a 32-digit value that consists of lowercase letters and digits. Make sure that the mobile phone number consists of 11 digits and starts with 1. | String | | Yes (You must specify the mobile or mobileMd5 parameter.) |
ip | Basic and Advanced | The public IPv4 address of the client (user side) when the business event occurs. | String | 42.120.XX.XX | Yes |
 | Basic and Advanced | The email address of the user. | String | admin****@aliyun.com | Yes (Optional if a mobile phone number is provided) |
deviceToken | Advanced | The device token obtained from the Device Risk SDK. | String | MzQvo1d7scyZ3tl_RcJZo_QOytAjy1LWRRLoRKo5oZSoo_JGj1ZoR5JGoRo5jcdn57gV5kxVRcLER5RQoZSvRZZQRcROjcMW5csZR_RGy_55RKJ_oooqZ7dSV5gRnKxOV7eWVQQjRtlRQoAjRcM0 | No (Recommended) |
nickName | Basic and Advanced | The alias of your account. | String | admin**** | No (Recommended) |
userAgent | Basic and Advanced | The User-Agent request header. | String | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36 | No (Recommended) |
refer | Basic and Advanced | The Referer request header. | String | https://www.aliyun.com/ | No (Recommended) |
mac | Basic and Advanced | The media access control (MAC) address of the device. | String | C0:77:36:2E:XX:XX | No (Recommended) |
operateSource | Basic and Advanced | The source of the operation. Valid values: | String | PC | No (Recommended) |
appVersion | Basic and Advanced | The version number of the app. | String | 1.0 | No (Recommended) |
deviceType | Basic and Advanced | The type of the device. Valid values: | String | PC | No (Recommended) |
Response parameters
The response parameters of the logon fraud detection service include scores and risk tags. Risk tags are returned only in the Advanced Edition.
The following table describes the business meaning of the score field value in the Data response parameter and the recommended operation for each score interval. The recommendations are based on the experience of the Alibaba Cloud risk control team.
You can perform operations based on your business requirements.
Score interval | Risk level | Recommendations |
[0,35) | Low | Allow the operation or tag it for observation. |
[35,65) | Medium | Perform simple verification (such as SMS verification or security question verification). |
[65,85) | Medium-high | Perform verification with a certain level of strength (such as SMS verification plus identity information verification). |
[85,100] | High | Perform high-strength verification or restrict access to high-risk business operations. |
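Because the service does not verify input formats, the caller has to validate before sending and then act on the returned score. The following added example (not Alibaba Cloud code) builds the ServiceParameters JSON with local checks and maps a score to the risk levels in the table above. The function names, the choice to require a mobile number, hashing the ASCII digits for mobileMd5, and treating an invalid score as High are assumptions of this example.

```python
import hashlib
import ipaddress
import json
import re
import time

# Chinese mainland format stated on this page: 11 digits, starting with 1.
MAINLAND_MOBILE = re.compile(r"1\d{10}")
# Upper bound (exclusive) and risk level from the score table; 100 is inclusive.
BANDS = [(35, "Low"), (65, "Medium"), (85, "Medium-high"), (101, "High")]


def mobile_md5(mobile):
    """mobileMd5 value: 32 lowercase hex characters.
    Assumption: the hash is taken over the ASCII digits of the number."""
    if not MAINLAND_MOBILE.fullmatch(mobile):
        raise ValueError("mobile must be 11 digits and start with 1")
    return hashlib.md5(mobile.encode("ascii")).hexdigest()


def build_service_parameters(ip, mobile, account_id=None, operate_time=None,
                             send_hash=True, **recommended):
    """Validate locally (the service does not), then return the JSON string."""
    addr = ipaddress.ip_address(ip)  # ValueError on malformed input
    if addr.version != 4 or not addr.is_global:
        raise ValueError("ip must be a public IPv4 address")
    when = int(time.time()) if operate_time is None else int(operate_time)
    if when >= 10**11:
        raise ValueError("operateTime must be in seconds, not milliseconds")
    digest = mobile_md5(mobile)  # also enforces the mobile format
    # Recommended fields (userAgent, deviceToken, ...) pass through unchanged;
    # validated fields are set afterwards so they cannot be overridden.
    params = {k: v for k, v in recommended.items() if v is not None}
    params.update({"ip": ip, "operateTime": when})
    params["mobileMd5" if send_hash else "mobile"] = digest if send_hash else mobile
    if account_id is not None:
        params["accountId"] = str(account_id)
    return json.dumps(params)


def risk_level(score):
    """Risk level for a returned score; anything outside 0-100 (or not a
    number) is treated as High, an assumption of this example."""
    if not isinstance(score, (int, float)) or not 0 <= score <= 100:
        return "High"
    return next(level for bound, level in BANDS if score < bound)
```

With the default `send_hash=True`, only the MD5 digest of the phone number is placed in the request, so the raw number is not sent.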
For the business meaning of the tags field value in the Data response parameter, see the Risk Tag Definitions module in the Access Management section of the Fraud Detection console.
For more information about common response parameters, see Common response parameters.