MaxMind Fraud Detection Terms Manual

The following is a brief manual that discusses the various output fields of the minFraud service. Each explanation describes the type of data being output as well as its relevance to fraud detection. When reviewing transactions, the output fields should be considered together, since no single field gives a complete picture on its own.

Please note that the guide below describes the data in generalizations, some of which are based on common sense. The recommendations we provide may or may not fit what you are seeing for your specific e-commerce business. For example, some merchants may experience many fraudulent transactions from open proxies; others may not.


Risk Score Information

score - This field displays a risk score that ranges from 0-10 where a score of zero is low risk and a score of ten is high risk. The risk score is calculated using many but not all of the data fields addressed below. For the majority of orders, the risk score tapers off at either end of the 0-10 spectrum. Finding the magic threshold number may take some experimenting since different businesses have their own unique customer bases as well as different tolerance levels for risk. Generally speaking, for Business-to-Business (B2B) environments, we recommend that orders with a risk score of 2.5 or above be flagged for review. For Business-to-Consumer (B2C) environments, the recommended risk score will depend on the kind of e-mail address that the customer uses. This will be explained in more detail in the e-mail section.

The risk score can also be customized, since we output all the raw information as part of the output string. To customize how the fraud score is calculated, modify the formula we use to calculate the risk score, using the outputs returned by the minFraud service as inputs to your modified formula.


IP Address Information

countryMatch - This field determines whether or not the customer's country location based on their IP address matches their billing address country. For the majority of orders, the customer's IP country should match the corresponding country of the billing address. In some cases, a legitimate order may result in a mismatch. Usually, this results from customers who are making purchases while they are traveling or if a company has office branches in different countries. How you handle a country mismatch should be dependent on your specific customer base or the context of the particular order. For example, if you sell pre-charged phone cards, you may have more orders with mismatches since travelers often purchase such products while traveling. If you sell computer parts, it would be less likely that someone would be making a purchase while traveling.

A positive countryMatch does not mean that an order is legitimate, as fraudsters have been known to use proxies or anonymizing services as a way of creating a country match for the IP address and billing address. A negative countryMatch does not mean that an order is fraudulent but the order should warrant further review. If there is a negative countryMatch, it is recommended to check where the user is actually making a purchase from by looking at the other IP address fields. For example, a customer making a purchase from the United Kingdom will generally be less risky than one from Nigeria. Accuracy for countryMatch is around 99%.

countryCode - This field displays the country code of the customer's IP address country. It should be examined whenever there is a negative countryMatch. A country code of US (United States) is generally less risky than, for example, GH (Ghana). However, risk levels again depend on your typical customer base and the context of the order. In addition, a negative countryMatch with a French IP address and a Belgian billing address is, in most situations, less risky because of the proximity of the two countries. The distance between the IP and billing addresses is expressed through the "distance" field.

This field can also be used to automatically flag, limit, or block orders from certain countries. For example, if you primarily serve customers from Spain and do not want to accept orders placed from other countries, you can use the country code "ES" as a filter. MaxMind uses ISO 3166 country codes extended with a few non-standard codes, such as "A1" for anonymous proxies (see the Proxy Detection section), so a country filter must handle those values as well.

highRiskCountry - This field indicates whether the transaction's billing address or IP address is located in a country that MaxMind has flagged as high risk. A positive match means that either the IP address or the billing address is located in Egypt (EG), Ghana (GH), Indonesia (ID), Lebanon (LB), Macedonia (MK), Morocco (MA), Nigeria (NG), Pakistan (PK), Romania (RO), Serbia and Montenegro (CS), Ukraine (UA), or Vietnam (VN).

Please note that these countries were not flagged arbitrarily because of the perceived risk of accepting orders from them. They were flagged because, statistically, the majority of the transactions on the minFraud Network placed from those countries were fraudulent. Countries may be added or removed based on our analysis of the orders being placed on the minFraud Network. There are other countries from which many fraudulent transactions originate, but we will typically not mark a country as high risk if a large number of legitimate transactions also come from that country.

This field directly affects the risk score. If you do cater to customers from the countries listed as high risk, you can customize your own risk score model so that this field does not trigger a higher score; otherwise it will create many false positives for such a shop. Consider the risks and context of your customer base before making a change to how this field is weighted.

distance - This field expresses the distance between the IP address and the billing address in kilometers (1 kilometer = 0.6214 mile). The distance provides additional information in both the positive and negative countryMatch situations described above. Generally, an increase in distance means an increase in risk. However, a small distance does not automatically legitimize an order. Fraudsters have been seen to use proxies located close to the billing address; in some cases, sophisticated carders will even use proxies located in the same city as the billing city, in which case the distance would be close to zero. Use this field in conjunction with the other fields. This field also directly affects the risk score (larger distance = higher risk score). For B2B and some B2C transactions, the distance field will not always make sense at first, since the customer may be connecting through a corporate proxy. Corporate proxies are discussed further in the "ip_org" section.

ip_region - If the ip_region matches the billing region, the risk is likely lower if there is no indication that a proxy has been used. If it does not match, you should check the distance field.

ip_city - If the ip_city matches the billing city, the risk is likely lower if there is no indication that a proxy has been used. If it does not match, you should check the distance field.

ip_latitude - This field provides the latitude of the IP address location.

ip_longitude - This field provides the longitude of the IP address location.

Note: We also provide ip_region, ip_city, ip_latitude, and ip_longitude as contextual information, so that you can compare the IP location against information other than the billing location. This is also useful when we cannot recognize the billing city and return a CITY_NOT_FOUND error.
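When the billing city could not be recognized, the ip_latitude/ip_longitude pair still lets you compute an IP-to-billing distance yourself, provided you geocode the billing address with your own data. The following is an added example (not MaxMind code) of that fallback: it prefers the service's own "distance" field when present, otherwise computes a great-circle (haversine) distance from the IP coordinates, and returns "unknown" when the location fields were blanked (as for AOL or anonymous-proxy addresses). The Earth radius constant and the sample coordinates are assumptions constructed for illustration.

```python
"""Added example (not MaxMind code): IP-to-billing distance from ip_latitude/ip_longitude
when the minFraud distance field is unavailable. Billing coordinates are assumed to come
from the merchant's own geocoder; sample values below are constructed."""

import math

EARTH_RADIUS_KM = 6371.0   # mean Earth radius, an assumed constant
KM_TO_MILE = 0.6214        # conversion factor quoted in the manual


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometers between two (lat, lon) points in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def km_to_miles(km):
    return km * KM_TO_MILE


def ip_billing_distance(minfraud_out, billing_lat, billing_lon):
    """Return (distance_km, source).

    source is 'minfraud' when the service's distance field was present, 'computed' when
    derived from ip_latitude/ip_longitude, and 'unknown' when the IP location fields are
    blank (proxy-routing ISPs such as AOL, or A1 anonymous proxies)."""
    d = minfraud_out.get("distance")
    if d not in (None, ""):
        return float(d), "minfraud"
    lat, lon = minfraud_out.get("ip_latitude"), minfraud_out.get("ip_longitude")
    if lat in (None, "") or lon in (None, ""):
        return None, "unknown"
    return haversine_km(float(lat), float(lon), billing_lat, billing_lon), "computed"


if __name__ == "__main__":
    # Constructed sample: IP geolocated to New York, billing address in Los Angeles.
    sample_out = {"ip_latitude": "40.7128", "ip_longitude": "-74.0060"}
    km, source = ip_billing_distance(sample_out, 34.0522, -118.2437)
    print(f"{km:.0f} km ({km_to_miles(km):.0f} miles), source={source}")
```

A large computed distance should be read with the same caveats as the service's own field: it raises risk, but a small value proves nothing when a proxy may be involved.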

ip_isp - This field provides the name of the Internet Service Provider (ISP) to which the customer's IP address was allocated. In many cases, knowing the ISP provides additional insight. For example, some ISPs route their user traffic through proxies. As a result, hundreds or even thousands of users can share the same IP address; users from California and New York, for instance, may appear from the same address, which makes IP geolocation far less effective. The best known ISP that does this is AOL. Generally, we blank out the associated location fields for ISPs that route traffic in this manner, so for an AOL address only the IP country field will be available. Fraudsters know that using ISPs like AOL blurs or disables IP geolocation tools, which is one of the reasons AOL has been a popular medium for placing fraudulent orders.

While there are still many users on AOL, B2B transactions that come from AOL IP addresses (not necessarily aol.com e-mail addresses) are very high risk. Many AOL IP addresses used for B2B purchases logged within the minFraud Network were fraudulent. Typically, an established business will not be using AOL as its Internet Service Provider, since AOL predominantly caters to consumers.

Important: If the ISP field shows the name of a hosting provider, the transaction should be flagged for further review. A hosting provider in the ip_isp field means that the customer's own Internet connection goes to a server at that hosting provider first, and the server then connects to the e-commerce site. It is likely that a fraudster leased or hijacked the server as a way of bypassing geolocation controls: if the server is based in the US, IP geolocation will identify the transaction as coming from the US, or from wherever the server is physically located. Most of the transactions identified within the minFraud Network as coming from hosting providers have been fraudulent. To find out whether an ISP is a hosting provider, search for the ISP name with a popular search engine and visit its site; it should be fairly apparent whether it sells hosting. Be careful not to confuse a hosting provider with an actual ISP: an example of a hosting provider is "Verio", whereas an example of an ISP is "AOL".

The ISP can also determine how different IP addresses should be handled. Some merchants block certain IP addresses or ranges if they sense fraud or receive a chargeback from those addresses. Merchants that use this strategy should be aware that different ISPs handle their address assignments differently. For example, Comcast IP addresses are relatively static and do not change very frequently (every 30-90 days). On the other hand, ISPs like AOL and SBC cycle their IP addresses more often: for AOL dial-up, a user is assigned a different IP address every time he connects, while SBC cycles its addresses every few days. As a result, blocking specific IP addresses may block legitimate orders in the future, once the address has been reassigned.
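One way to act on this caveat is to give every IP block an expiry tied to how quickly that ISP reassigns addresses, so a block placed after a chargeback does not outlive the fraudster's lease of the address and start rejecting the next subscriber. The following is an added example (not MaxMind code). The reassignment intervals are assumptions drawn from the paragraph above (Comcast 30-90 days, SBC a few days, AOL dial-up per connection), the default interval for unknown ISPs is an assumption, and the sample chargeback is constructed.

```python
"""Added example (not MaxMind code): an IP blocklist whose entries expire according to the
ISP's address-reassignment cadence as reported in ip_isp. Intervals are assumptions."""

from datetime import datetime, timedelta

# Assumed reassignment cadence keyed by a substring of the ip_isp value.
# None means the address changes on every connection, so blocking it is pointless.
REASSIGNMENT_TTL = {
    "comcast": timedelta(days=30),   # lower end of the 30-90 day range, to stay safe
    "sbc": timedelta(days=3),        # "every few days"
    "aol": None,                     # dial-up: new address per connection
}
DEFAULT_TTL = timedelta(days=7)      # assumed for ISPs not in the table


def ttl_for_isp(isp):
    """Pick the expiry for an ISP name; substring match, so keep the table keys specific."""
    key = (isp or "").lower()
    for name, ttl in REASSIGNMENT_TTL.items():
        if name in key:
            return ttl
    return DEFAULT_TTL


class IpBlocklist:
    def __init__(self):
        self._entries = {}   # ip -> (expires_at, reason)

    def block(self, ip, isp, reason, now):
        """Record a block; returns False when the ISP reassigns per connection."""
        ttl = ttl_for_isp(isp)
        if ttl is None:
            return False
        self._entries[ip] = (now + ttl, reason)
        return True

    def is_blocked(self, ip, now):
        """True while the entry is live; expired entries are dropped on lookup."""
        entry = self._entries.get(ip)
        if entry is None:
            return False
        expires_at, _reason = entry
        if now >= expires_at:
            del self._entries[ip]
            return False
        return True


if __name__ == "__main__":
    # Constructed sample chargeback from a Comcast address.
    bl = IpBlocklist()
    t0 = datetime(2008, 1, 1)
    bl.block("192.0.2.10", "Comcast Cable", "chargeback #1 (constructed)", t0)
    print(bl.is_blocked("192.0.2.10", t0 + timedelta(days=10)))   # still blocked
    print(bl.is_blocked("192.0.2.10", t0 + timedelta(days=45)))   # expired
```

The same structure can hold longer-lived entries for hosting-provider ranges, whose addresses are far more static; the point is that the expiry belongs to the entry, not to the blocklist as a whole.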

ip_org - This field provides the name of the organization or company that the IP address has been allocated to. Knowing this information can provide some additional insight for dealing with legitimate and suspicious orders. Like with ip_isp, if the ip_org field displays the name of a hosting provider, the transaction would be suspicious and warrants further review.

Additionally, looking at this field may also provide insight for orders that seem suspicious at first but are really legitimate. For example, if there are many orders with multiple billing addresses coming from the same IP address, it may seem like a suspicious batch of orders. Many merchants may flag that IP address as a proxy and block any other orders from it. A closer look at the ip_org output may provide an explanation. If the ip_org is assigned to a large company, it is likely that the customer is connecting through some type of corporate proxy or using a computer from one of the office branches. As a result, the various customers connecting through the corporate proxy share the same IP address, but the billing addresses being used may be very different. For example, XYZ corporation may have offices in New York, California, and Florida where all of the company's traffic is routed through a corporate proxy. The corporate proxy IP address would then potentially have orders associated with it with billing addresses from various parts of the country.

The same reasoning applies to IP addresses allocated to universities, which tend to route outbound traffic through a few IP addresses. Since many students have their card statements sent to their home address, the billing addresses will differ, and many large universities have a national or global student base.

It is entirely possible that a fraudster could somehow hack into a corporate proxy or a university IP address, which would also explain the various billing addresses in the scenarios above. However, large companies and universities generally have fairly good security in place, so their outbound IP addresses are not very likely to be hijacked by fraudsters.


Proxy Detection

anonymousProxy - This field verifies whether or not an IP address has been marked as an anonymous proxy. Anonymous proxies are servers set up by the server's owner to provide “legitimate” anonymizing services. Examples of anonymous proxies include services provided by anonymizer.com and Tor. Anonymous proxies will be represented in the "countryCode" field as "A1" while the associated region and city fields will be blanked out to prevent false positives. We do this because the user of that IP address can technically be coming from anywhere around the world and providing the location of the server hosting the anonymizing service provides little useful information. Anonymous proxies are used legally by customers who are concerned about their online privacy. However, they are also used by fraudsters who understand the effects these proxies have on circumventing IP geolocation controls. Anonymous proxies essentially disable and prevent the use of IP geolocation tools. Orders placed from anonymous proxies are considered to be high risk. We recommend that merchants either do not accept orders from anonymous proxies or process those orders with extra care. A positive anonymousProxy match will directly affect the risk score.

proxyScore - This field provides a score that can be used to evaluate the riskiness of the IP address used on the online transaction. The proxyScore deals more with open proxies. Open proxies are compromised or hijacked computers/servers that have been hacked or infected with trojans and/or viruses, which allow users to connect through those computers without the owner's knowledge. In effect, it allows fraudsters to appear to be making a transaction from that specific computer. Unlike anonymous proxies, which evade IP geolocation controls by blurring the resolution, open proxies bypass IP geolocation by spoofing the location the transaction is coming from. For example, a fraudster can find a compromised computer located in the same general area as the stolen credit card's billing address so that there will be an IP address and billing location match. The proxyScore directly affects the overall risk score.

Please Note: while the score range is between 0-10, the numeric value does not translate to a direct percentage likelihood of the IP address being a proxy. For example, a proxy score of 3.0 does not mean that there is 30% chance that the IP address is an open proxy. In fact, a 3.0 proxy score or above signifies that the order is 90% likely to be fraudulent. Please see the following chart:

Proxy Score Fraud Likelihood

Proxy Score      Fraud likelihood
0.5              15%
1.0              30%
2.0              60%
3.0 or higher    90%

IP addresses that have been marked with a proxy score of 3.0 or above have at some point been manually reviewed by MaxMind. As a result, if a transaction receives a proxy score of 3.0 or above, the likelihood that it is fraudulent is very high. Since open proxies are more dynamic and harder to detect, the proxyScore should carry high importance in your processing decisions. Orders with a high proxyScore should be flagged for review even if the IP address location matches the billing address; in many cases the proxyScore reverses any positive indicators that IP geolocation may have provided about the transaction.

Different factors and variables are considered when generating the proxyScore. The most common reasons an IP address generates a high proxyScore are 1) increased and inconsistent activity, or 2) association with previous suspicious activity or chargebacks. Unfortunately, we are not able to go into more detail about how the proxyScore is generated. There is no good reason for someone to be making a purchase from an open proxy unless the person making the purchase is actually the owner of the computer, which is highly unlikely. In most countries, connecting to or taking control of someone else's computer without their permission is illegal. People concerned with privacy should be using anonymizing services, which are legal, rather than open proxies, which are not.

If you are customizing your own risk model, we highly recommend that the proxyScore be given a heavy weight. We consider proxyScore to be one of the best direct indicators of fraud within the minFraud service. The proxyScore is an additional layer of defense against carders who are sophisticated enough to bypass IP geolocation or any of the other checks within our system. We did some statistical analysis of the actual fraudulent orders (not perceived) placed through the minFraud Network and have the following results:

Statistics of Where Fraud Comes From Within the minFraud Network

Percentage    Category
32%           High Risk Countries
21%           Country Mismatch
6%            Anonymous Proxies
4%            Satellite Providers
26%           Open Proxies
11%           Not Detected

Please note that you should not worry if you are not seeing this kind of distribution for your specific site. The numbers above represent the aggregate of fraudulent transactions placed in the minFraud Network. Different sites attract different kinds of fraudsters with different levels of sophistication; more sophisticated fraudsters tend to use open proxies rather than anonymous proxies, because open proxies are dynamic and harder to detect. According to our analysis, the minFraud service should help merchants detect an estimated 89% of stolen card fraud (everything except the 11% "Not Detected" above), and many clients have seen higher detection rates. If your detection rate is not even close to 89%, you should consider re-evaluating your order processing cycle as well as how you are utilizing and interpreting the minFraud data.

isTransProxy - This field indicates whether the transaction came through a server in our database of known transparent proxy servers. Transparent proxies do not fully anonymize the end user connecting through them; many pass on the IP address of that end user, which is the value submitted in the forwardedIP input. When a transparent proxy is detected, the forwarded address is the one to evaluate: if the forwardedIP is an open proxy, the transaction is riskier even if the transparent proxy itself looked legitimate.
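The forwarded address normally arrives in an X-Forwarded-For header appended by the transparent proxy, and that header is also something a fraudster can set by hand, so it needs validation before it goes into a query. The following is an added example (not MaxMind code) of deriving the connecting and forwarded addresses from a request and of combining two minFraud results. It assumes the header name X-Forwarded-For, that the forwarded address is queried separately (how the service itself uses forwardedIP is not detailed on this page), and a Python dict for the response; the sample header values are constructed. It takes the rightmost public entry of the header, because that is the one appended last, by the proxy nearest you, whereas the leftmost entry is whatever the client claimed.

```python
"""Added example (not MaxMind code): validate the forwarded end-user address behind a
transparent proxy and let the forwarded IP's proxyScore govern when isTransProxy is Yes.
Header name and the two-query combination are assumptions; sample data is constructed."""

import ipaddress


def public_ip(value):
    """Return a normalised public IP string, or None for private/loopback/garbage."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    return str(addr) if addr.is_global else None


def forwarded_ip(headers):
    """Rightmost public address in X-Forwarded-For, or None.

    The rightmost entry was appended by the proxy closest to the merchant; entries to
    its left may have been fabricated by the client. Private addresses (a corporate LAN
    client behind its proxy, for instance) are skipped."""
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    for part in reversed(xff.split(",")):
        ip = public_ip(part)
        if ip:
            return ip
    return None


def ip_inputs(peer_ip, headers):
    """The two IP inputs for the query: the connecting address never gets replaced by
    the header value; the header only supplies the optional forwardedIP."""
    return {"i": peer_ip, "forwardedIP": forwarded_ip(headers)}


def effective_proxy_score(out_connecting, out_forwarded):
    """proxyScore to act on. If the connecting address is a known transparent proxy,
    the forwarded address is the one the customer actually used, so the worse of the
    two scores applies; otherwise the header is untrusted and ignored."""
    conn = float(out_connecting.get("proxyScore", 0) or 0)
    if out_forwarded is not None and str(out_connecting.get("isTransProxy", "")).lower() == "yes":
        return max(conn, float(out_forwarded.get("proxyScore", 0) or 0))
    return conn


if __name__ == "__main__":
    # Constructed request: client forged 8.8.8.8, the transparent proxy appended 1.1.1.1.
    req_headers = {"X-Forwarded-For": "8.8.8.8, 10.0.0.5, 1.1.1.1"}
    print(ip_inputs("9.9.9.9", req_headers))
    # Constructed minFraud results for the connecting and forwarded addresses.
    print(effective_proxy_score({"isTransProxy": "Yes", "proxyScore": "0.3"},
                                {"proxyScore": "3.5"}))
```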


E-mail and Login Checks

freeMail - This field checks whether the e-mail domain used by the customer belongs to a free e-mail provider. Examples of free e-mail providers include Yahoo.com, Gmail.com, and MSN.com. The MaxMind system has currently categorized 31,000 free e-mail domains around the world. How to handle free e-mail providers is discussed below for two categories: Business-to-Business (B2B) and Business-to-Consumer (B2C).

B2C - While the adoption of free e-mail addresses is very high, orders coming from free e-mail domains are inherently riskier. The reason is that free e-mail accounts can easily be created or recycled and cannot be traced back to the rightful owner, which is exactly why fraudsters prefer them. With the current minFraud risk model, a free e-mail domain automatically increases the risk score by 2.5. If free e-mail addresses are not a concern for you, you can subtract 2.5 from the risk score in your own code, or completely customize the risk model and give your own weight to each parameter. We recommend that you continue passing the domain field, because we perform back-end checks on domains and may mark certain domains as high risk, which indirectly affects other output fields such as the proxyScore. From statistical analysis of transactions within the minFraud Network, a free e-mail address doubles the likelihood that a transaction is fraudulent: if a typical transaction has a 1% likelihood of being fraudulent, the same order placed with a free e-mail address has a 2% likelihood.
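The customization described in the Risk Score section, the highRiskCountry override, the proxyScore chart and the 2.5-point free e-mail adjustment above all come together in the merchant's own review decision. The following is an added example (not MaxMind code) of such a decision rule. It assumes the minFraud output has already been parsed into a dict keyed by the field names used in this manual; the only numbers taken from the page are the 2.5 B2B score threshold, the 2.5 free e-mail increment and the proxyScore chart. The B2C threshold, the hosting-provider list, the AOL name matching and the sample outputs are assumptions constructed for illustration.

```python
"""Added example (not MaxMind code): a merchant-side accept/review/reject rule over
minFraud output fields plus a merchant policy. Output dict keys follow this manual;
thresholds other than the 2.5 B2B score and 3.0 proxyScore, the hosting-provider list
and the sample data are assumptions."""

from dataclasses import dataclass

# Fraud likelihood by proxyScore, as tabulated in the Proxy Detection section.
PROXY_SCORE_TABLE = [(0.5, 0.15), (1.0, 0.30), (2.0, 0.60), (3.0, 0.90)]


@dataclass
class Policy:
    b2b: bool = False
    serves_high_risk_countries: bool = False    # ignore highRiskCountry when True
    tolerate_free_email: bool = False           # undo the 2.5 freeMail bump (B2C only)
    reject_anonymous_proxies: bool = False      # reject instead of review on A1/anonymousProxy
    score_threshold: float = 2.5                # manual's B2B recommendation; B2C is a business choice
    hosting_providers: frozenset = frozenset({"verio"})   # assumed merchant-maintained list


def proxy_fraud_likelihood(proxy_score):
    """Piecewise-linear reading of the chart; anything at or above 3.0 is 90%."""
    proxy_score = max(0.0, float(proxy_score))
    prev_s, prev_p = 0.0, 0.0
    for s, p in PROXY_SCORE_TABLE:
        if proxy_score <= s:
            return prev_p + (p - prev_p) * (proxy_score - prev_s) / (s - prev_s)
        prev_s, prev_p = s, p
    return PROXY_SCORE_TABLE[-1][1]


def _yes(v):
    return str(v or "").strip().lower() == "yes"


def _num(v, default=0.0):
    try:
        return float(v)
    except (TypeError, ValueError):
        return default


def adjusted_score(out, policy):
    """The service's score with the merchant's own corrections applied."""
    score = _num(out.get("score"))
    if policy.tolerate_free_email and not policy.b2b and _yes(out.get("freeMail")):
        score -= 2.5    # the stock model adds 2.5 for a free e-mail domain
    return max(score, 0.0)


def decide(out, policy):
    """Return (decision, reasons); decision is 'accept', 'review' or 'reject'."""
    reasons = []
    # Proxy evidence outranks a country/distance match: a match is what proxies are used to fake.
    if _num(out.get("proxyScore")) >= 3.0:
        reasons.append("proxyScore >= 3.0: ~90% fraud likelihood, IP manually reviewed by MaxMind")
    if _yes(out.get("anonymousProxy")) or out.get("countryCode") == "A1":
        if policy.reject_anonymous_proxies:
            return "reject", ["anonymous proxy (countryCode A1)"]
        reasons.append("anonymous proxy: geolocation checks carry no weight")
    isp_org = f"{out.get('ip_isp', '')} {out.get('ip_org', '')}".lower()
    if any(h in isp_org for h in policy.hosting_providers):
        reasons.append("ip_isp/ip_org is a hosting provider")
    if _yes(out.get("highRiskCountry")) and not policy.serves_high_risk_countries:
        reasons.append("billing or IP country is on the high-risk list")
    if policy.b2b:
        if "aol" in isp_org.split() or "america online" in isp_org:
            reasons.append("B2B order from an AOL IP address")
        if _yes(out.get("freeMail")):
            reasons.append("B2B order using a free e-mail domain")
    score = adjusted_score(out, policy)
    if score >= policy.score_threshold:
        reasons.append(f"adjusted score {score:.1f} >= {policy.score_threshold}")
    return ("review" if reasons else "accept"), reasons


if __name__ == "__main__":
    # Constructed B2C output: Gmail customer, clean IP, service score 4.0.
    sample = {"score": "4.0", "freeMail": "Yes", "proxyScore": "0.2", "countryCode": "US",
              "highRiskCountry": "No", "anonymousProxy": "No",
              "ip_isp": "Comcast Cable", "ip_org": "Comcast Cable"}
    print(decide(sample, Policy(tolerate_free_email=True, score_threshold=5.0)))
    print(decide(dict(sample, proxyScore="3.5"), Policy(tolerate_free_email=True, score_threshold=5.0)))
```

The reasons list is the part worth keeping: a reviewer who sees "proxyScore >= 3.0" next to a clean countryMatch knows which indicator to believe, which a single adjusted number would hide.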

B2B - For B2B transactions, free e-mail domains warrant additional review. While the use of free e-mail is relatively common, most established businesses have an e-mail domain associated with their own web site, so free e-mail addresses on B2B transactions are higher risk. If the customer is not using a free e-mail address but the order looks slightly suspicious, it is wise to perform a quick whois lookup on the domain or search Google for it. The whois lookup will tell you whether the domain was recently registered, while the Google search should turn up some reference points if the customer's business is an established one. If it is a new business, see whether the customer has previous sites or domains that you can review.

carderEmail - This field checks whether the customer's e-mail address has been associated with previous fraudulent orders or chargebacks within the network. Fraudsters will often re-use the same e-mail address to reduce overhead and limit the number of e-mail accounts they have to manage. If there is a carderEmail match, the riskiness of the associated transaction(s) increases.

highRiskUsername - This field checks whether the customer's username has been associated with previous fraudulent or suspicious activity within the network. As with carderEmail, carders will often use the same username and/or password across various sites to simplify what they need to remember.

highRiskPassword - This field checks if the customer's password has been associated with previous fraudulent or suspicious activity within the network.


Issuing Bank BIN Number Checks

binMatch - This field checks whether the billing address country matches the country of the issuing bank. It is rare for a person's billing address country to differ from the country of their issuing bank. A positive binMatch does not necessarily mean that a transaction is legitimate: fraudsters have been known to have access to limited and incomplete BIN lists and will select cards that match accordingly. MaxMind uses a self-developed BIN database, and the accuracy of binMatch is around 99%.

binCountry - This field outputs the country code of the submitted BIN. It is present for Premium minFraud queries or when there is a positive binMatch. Knowing where the issuing bank is located provides more information for your decision; for example, the risk of a transaction is generally higher for a card issued in a developing country than for one issued in a developed country.

binNameMatch - This field indicates whether the name of the issuing bank matches the binName value submitted with the query. A return value of Yes is a positive indication that the card holder is in possession of the credit card. This field is only active if you ask your customer to enter the name of the issuing bank.

binName - This field displays the name of the bank which issued the credit card based on BIN number. Available for approximately 96% of BIN numbers, this field is only available for Premium minFraud queries.

binPhoneMatch - This field indicates whether the customer service phone number of the issuing bank matches the binPhone value submitted with the query. A return value of Yes is a positive indication that the card holder is in possession of the credit card, since that number is printed on the card itself. This field is only active if you ask your customer to enter the bank's customer service number.

binPhone - This field displays the phone number of the bank which issued the credit card. Available for approximately 75% of BIN numbers, this field is only available for Premium minFraud queries.


Address and Phone Number Checks

custPhoneInBillingLoc - This field checks whether the customer phone number is located in the billing zip code. Currently, this field only supports US phone numbers. A return value of “Yes” provides a confirmation that the phone number listed is located within the same area as the card holder. A return value of No indicates that the phone number may be in a different area, or may not be listed in our database. For example, someone who is using a cell phone may have a completely different prefix or local number exchange than what would match up against his billing zip code. This field should be used as secondary support data and decisions should not be based solely on this field. Fraudsters have been known to purchase VoIP numbers so that the prefix and local exchange of the number will match with the zip code listed on the billing address.

shipForward - This field checks whether the shipping address listed for the order is in our database of known mail drops. Many e-commerce merchants will not ship abroad because of the risks involved, so fraudsters often use mail forwarding services. This field should be examined in conjunction with the other fields. A shipping address at a known mail drop does not mean the order is fraudulent, since mail forwarding services serve legitimate customers as well. However, orders with a positive shipForward match are riskier because the product will not necessarily end up at the shipping address given, let alone at the billing address.

cityPostalMatch / shipCityPostalMatch - This field checks whether the city and state portion of the billing (or shipping) address matches its zip code. Currently, this feature is only available for US addresses. The Address Verification Service (AVS) only checks the zip code and the numeric portion of the street address. To save time while testing stolen cards, some fraudsters type bogus values (e.g. "asdf") into the city and state fields, since they know AVS ignores them. Generally, when fraudsters enter fake or blank data in the region or city fields, they know the order will not go through but are testing whether the credit card is still alive and how much credit is available on it. While that does not necessarily pose a risk to your site, it poses a risk to the other sites against which those tested cards will later be used, and it may increase your gateway/processing fees.
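Card testing of this kind can be caught before the authorization is even attempted, which is where the processing-fee cost is avoided. The following is an added example (not MaxMind code) of a pre-submission check: it flags placeholder city/region values of the "asdf" variety, takes a cityPostalMatch of No as confirmation when a minFraud result is available, and counts authorization attempts per IP address in a short window, since a tester typically runs through several cards from one connection. The keyboard-walk list, the window, the attempt limit and the sample orders are assumptions constructed for illustration.

```python
"""Added example (not MaxMind code): detect the card-testing pattern of bogus city/region
values plus rapid repeated attempts from one IP, optionally confirmed by cityPostalMatch.
Keyboard-walk list, window and limit are assumptions; sample orders are constructed."""

from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

KEYBOARD_WALKS = ("qwer", "asdf", "zxcv", "1234")   # assumed placeholder fragments
WINDOW = timedelta(minutes=10)                       # assumed
ATTEMPT_LIMIT = 3                                    # assumed


def looks_bogus(value):
    """True for empty, one-character, repeated-character, letterless or keyboard-walk strings."""
    v = (value or "").strip().lower()
    if len(v) < 2:
        return True
    if len(set(v)) == 1:                 # "xxxxx"
        return True
    if not re.search(r"[a-z]", v):       # "1234", "----"
        return True
    return any(w in v for w in KEYBOARD_WALKS)


class CardTestingMonitor:
    def __init__(self, window=WINDOW, limit=ATTEMPT_LIMIT):
        self.window, self.limit = window, limit
        self._attempts = defaultdict(list)   # ip -> timestamps of recent attempts

    def assess(self, order, minfraud_out=None, now=None):
        """Return a list of indicators for this attempt; an empty list means nothing suspicious.

        order needs 'ip', 'city' and 'region'; minfraud_out, when given, is the parsed
        minFraud output for the same order."""
        now = now or datetime.now(timezone.utc)
        flags = []
        if looks_bogus(order.get("city")) or looks_bogus(order.get("region")):
            flags.append("placeholder city/region")
        if minfraud_out and str(minfraud_out.get("cityPostalMatch", "")).lower() == "no":
            flags.append("cityPostalMatch=No")
        ts = self._attempts[order["ip"]]
        ts.append(now)
        ts[:] = [t for t in ts if now - t <= self.window]   # drop attempts outside the window
        if len(ts) >= self.limit:
            flags.append(f"{len(ts)} card attempts from {order['ip']} in {self.window}")
        return flags


if __name__ == "__main__":
    # Constructed burst of attempts from one IP with a placeholder city on the second.
    monitor = CardTestingMonitor()
    t0 = datetime(2008, 6, 1, 12, 0, tzinfo=timezone.utc)
    base = {"ip": "8.8.8.8", "city": "Boston", "region": "MA"}
    for i, order in enumerate([base, dict(base, city="asdf"), base]):
        print(i + 1, monitor.assess(order, now=t0 + timedelta(minutes=i)))
```

A flagged attempt is best answered by declining before authorization rather than by a visible error, so the tester learns nothing about the card's status.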


MaxMind, GeoIP and related marks are registered trademarks of MaxMind, Inc.
Copyright © 2008 MaxMind, Inc. All Rights Reserved. Terms of use.