Device Failures
This document describes various device signals that can indicate anomalies or suspicious behavior. These signals contribute to deductions from the overall device score based on the device's activity or configuration. These deductions are classified into five severity levels: Extreme, Severe, Moderate, Minor and Dynamic.
Score Deductions
The following score deductions are applied based on the severity of the device's behavior. The device score starts at 100 and decreases based on detected fraud signals.
Deduction categories:
🔴 Critical Deductions (100 points)
These signals represent the most critical, high-risk behaviors, resulting in an immediate and complete deduction of the device score.
Signal | Description |
---|---|
Wrapper tampering | The participant attempted to illegally modify or clear the browser's storage data related to the Quality Tools. |
🔴 Extreme Deductions (90 points)
These signals indicate serious issues or high-risk activity and result in the highest deduction.
Signal | Description |
---|---|
Bot Detection | The request behavior is consistent with that of an automated bot, potentially indicating scripted interactions, web scraping, or fraudulent activity (e.g., Selenium, Playwright). |
TOR Network Usage | The device is accessing the service via the TOR network, which is commonly used to anonymize traffic and may indicate attempts to conceal identity or location. |
IP BlockList | The device’s IP address is found on a known blocklist, indicating it may be associated with malicious, compromised, or abusive behavior. |
Anti-Detect Browser | The browser is using techniques to hide or avoid detection, which is typical of suspicious activities (e.g., Incogniton). |
Compromised Mobile Device | The device has been compromised or jailbroken, indicating a significant security risk. This can happen when the quality tools are executed on:
|
Request Blocked | The request was actively blocked on the user's browser, and we cannot run the Quality Tools on the browser. This returns a device score of 0. |
Requests too fast | Check this section for more details. |
🟠 Severe Deductions (60 points)
These signals suggest significant security or integrity concerns that need to be addressed.
Signal | Description |
---|---|
Developer Tools Open | The browser's developer tools are open, a common indicator of someone attempting to inspect or manipulate the page, often seen in malicious activity. |
Timezone Mismatch | The device’s timezone does not match the expected one, potentially indicating fraudulent or spoofed activity. |
Virtual Machine | The device is operating in a virtualized environment, commonly used for testing or by fraudsters to disguise its nature. |
Location Spoofing | The location of the device is being spoofed, potentially indicating deceptive actions or attempts to hide its true origin. |
Identity Reuse Tampering | The browser storage has been modified to distinguish the user's response as that of another participant. |
🟡 Moderate Deductions (30 points)
These signals represent moderate concerns or potential security risks.
Signal | Description |
---|---|
Public VPN | The device is connected to a public VPN, which could be masking its real identity and may be used to bypass restrictions. |
Privacy Settings | Privacy settings on the device are configured to limit tracking, which could be used for hiding activity but could also indicate suspicious behavior. |
🟢 Minor Deductions (10 points)
These signals represent minor concerns or behaviors that don’t pose an immediate risk but still contribute to the overall score.
Signal | Description |
---|---|
Incognito Mode | The device is using private or incognito browsing, which may indicate an attempt to conceal browsing activity. |
Dynamic Deductions
Dynamic deductions are based on real-time device behavior and can vary in severity depending on detected anomalies. These deductions help identify potential tampering or unusually high activity, which may indicate fraudulent or automated behavior.
Signal | Description | Deduction Range |
---|---|---|
Tampering Detection | Indicates that the browser has been altered or manipulated to evade detection mechanisms, which may be a sign of malicious activity. | 45-100 |
High Activity Device | Indicates that the device is in the top 2% of most frequently identified devices, which could indicate excessive or automated use. It is calculated based on the number of requests in the last 24 hours across all of our customers' integrations. | 3-100 |
Detected Device Failures (No Score Deduction)
Some device signals are detected and flagged for monitoring purposes, but do not directly reduce the device score. These signals may still indicate suspicious or noteworthy activity and should be considered when evaluating device integrity.
Signal | Description |
---|---|
Proxy | The device is using a proxy server to route its traffic, which can be used to mask its real IP address and may be associated with suspicious or fraudulent activity. Proxies can be:
|
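A helper for reconciling a reported device score against the signals in the tables above, added here as an example and not taken from the Quality Tools themselves. The page does not say how several deductions combine, so the code assumes they are summed and the score is floored at 0; `score_device` and its input shapes are hypothetical.

```python
# Point values copied from the tables on this page.
FIXED = {
    "Wrapper tampering": 100,
    "Bot Detection": 90, "TOR Network Usage": 90, "IP BlockList": 90,
    "Anti-Detect Browser": 90, "Compromised Mobile Device": 90,
    "Request Blocked": 90, "Requests too fast": 90,
    "Developer Tools Open": 60, "Timezone Mismatch": 60, "Virtual Machine": 60,
    "Location Spoofing": 60, "Identity Reuse Tampering": 60,
    "Public VPN": 30, "Privacy Settings": 30,
    "Incognito Mode": 10,
}
# Dynamic signals carry a per-device deduction inside a documented range.
DYNAMIC = {"Tampering Detection": (45, 100), "High Activity Device": (3, 100)}
# Detected and reported, but no score deduction.
FLAG_ONLY = {"Proxy"}


def score_device(signals, dynamic=None):
    """signals: iterable of signal names; dynamic: {name: points}.

    Returns (score, breakdown, flags). A repeated signal is counted once.
    """
    breakdown, flags = {}, []
    for name in signals:
        if name in FLAG_ONLY:
            if name not in flags:
                flags.append(name)
        elif name in FIXED:
            breakdown[name] = FIXED[name]
        else:
            raise ValueError(f"unknown signal: {name!r}")
    for name, points in (dynamic or {}).items():
        if name not in DYNAMIC:
            raise ValueError(f"unknown dynamic signal: {name!r}")
        low, high = DYNAMIC[name]
        if not low <= points <= high:
            raise ValueError(f"{name}: {points} outside {low}-{high}")
        breakdown[name] = points
    # ASSUMPTION: deductions are additive and the score cannot go below 0.
    score = max(0, 100 - sum(breakdown.values()))
    # The page states that a blocked request returns a device score of 0.
    if "Request Blocked" in breakdown:
        score = 0
    return score, breakdown, flags
```

A mismatch between this result and the score actually returned for a device points either at a signal missing from the input or at a combination rule different from the additive one assumed here.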
Conclusion
This guide outlines the various signals that contribute to a device's overall security score. By evaluating these signals, we can determine the level of risk associated with the device’s behavior and take appropriate actions to mitigate any potential threats. The severity of each signal impacts the score deduction, with extreme signals contributing the highest penalties.