Fraud Profiling

Explore our fraud profiling capability and its implementation with the Acquisition API.

Implementation of device profiling

This functionality is currently provided for NewDay by ThreatMetrix and is achieved through the inclusion of specific JavaScript tags on the UI pages supporting the Apply and Purchase APIs. The JavaScript tag must be configured with three discrete parameters: profiling_domain, org_id and session_id, described below.
  1. profiling_domain: This is the domain from which a call to ThreatMetrix is being made. All domains from which the Fraud Profiling call to ThreatMetrix will be made must be passed to NewDay, so that the associated 'SAN' Certificate (used to secure the Profiling call) can be updated. This certificate needs to match the domain where the JavaScript is hosted, therefore the Client needs to be involved in the creation of this certificate. There should be one certificate for UAT and one for production.
  2. org_id: This is a mandatory parameter. It is a string of characters that serves to uniquely identify a ThreatMetrix Client (in this case, NewDay). For the UAT value please reach out to your contact at NewDay. For the Production value please reach out to your contact at NewDay.
  3. session_id: This is a mandatory parameter. It is a unique value that identifies a single event performed by the customer. This session_id is passed in the ThreatMetrix link, outlined below, and is subsequently passed in the verificationId field in the Order Processing and Acquisitions API requests. It must be an RFC-4122 compliant GUID and must be generated by the client. The value should be different for a single customer between Order Processing and Acquisitions APIs.

The JavaScript to be added to the UI screens is as follows:

Javascript

<head>
	<!-- Load the profiling toolkit before it is called in the body -->
	<script type="text/javascript" src="path/to/toolkit.js"></script>
	<!-- other head content -->
</head>
<body>
	<script type="text/javascript">
		// session_id is generated server-side and emitted as a quoted string literal
		var session_id = "<%=generateSessionId()%>";
		threatmetrix.profile("<profiling_domain>", "<org_id>", session_id);
	</script>
	<noscript>
		<!-- Fallback profiling call for browsers with JavaScript disabled -->
		<iframe style="width: 100px; height: 100px; border: 0; position: absolute; top: -5000px;" src="<profiling_domain>/fp/tags?org_id=<org_id>&session_id=<session_id>"></iframe>
	</noscript>
</body>
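
The session_id rules described above (RFC-4122 GUID, generated by the client, different per customer between the two APIs, and reused as verificationId) can be enforced server-side. The following Node.js sketch is an added example, not NewDay or ThreatMetrix code; the function names, the Map-based store, the flow labels and the org_id placeholder are assumptions made for illustration.

```javascript
// Added example: helper names are hypothetical, not NewDay or ThreatMetrix APIs.
const { randomUUID } = require('node:crypto');

// RFC 4122 layout: version nibble 1-5, variant nibble 8, 9, a or b.
const RFC4122 = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
const FLOWS = ['acquisitions', 'order-processing']; // assumed labels for the two APIs

function isRfc4122Guid(value) {
  return typeof value === 'string' && RFC4122.test(value);
}

// Issue a fresh session_id per event, keyed by customer and flow, so the same
// customer never shares one value between the Acquisitions and Order Processing calls.
function newProfilingSession(store, customerKey, flow) {
  if (!FLOWS.includes(flow)) throw new Error('unknown flow: ' + flow);
  const sessionId = randomUUID(); // version 4 UUID from the platform CSPRNG
  store.set(customerKey + ':' + flow, sessionId);
  return sessionId;
}

// Value to send as verificationId: exactly the session_id the page was profiled with.
function verificationIdFor(store, customerKey, flow) {
  const sessionId = store.get(customerKey + ':' + flow);
  if (!isRfc4122Guid(sessionId)) throw new Error('no profiled session for ' + flow);
  return sessionId;
}

// Build the <noscript> iframe URL, validating inputs before they reach markup.
function noscriptTagUrl(profilingDomain, orgId, sessionId) {
  const base = new URL(profilingDomain);
  if (base.protocol !== 'https:') throw new Error('profiling_domain must be https');
  if (!isRfc4122Guid(sessionId)) throw new Error('session_id is not an RFC 4122 GUID');
  const url = new URL('/fp/tags', base);
  url.searchParams.set('org_id', orgId); // query values are URL-encoded here
  url.searchParams.set('session_id', sessionId);
  return url.toString();
}
```

In a real deployment the store would be the user's server-side session rather than an in-memory Map.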

Subject Alternative Names (SANs)

In addition to embedding this JavaScript in your UI screens, a SAN (Subject Alternative Names) certificate needs to be created and used. This certificate is obtained through collaboration directly with ThreatMetrix.
  1. Define a Sub-Domain
    Use a name that is not suggestive of security or fraud profiling, e.g. img.client.com
  2. Provide SSL/TLS Certificate information:
    - Common name (FQDN) -> img.client.com
    - Company Name -> Client
    - Company Department -> IT
    - Country Name & Code -> Great Britain GBR
    - State or Province name -> UK
    - City name -> London
  3. Generate Certificate from CSR:
    - Sign and submit the following: signed certificate, root certificate of your CA and chain
    - Return file as PEM file named: Img.client.com.crt
  4. Set up redirection
    - Add a DNS record, such as img.client.com CNAME h.online-metrix.net.
  5. Replace profiling_domain in the above JavaScript with https://img.client.com
