Fraud Profiling

NewDay requires the inclusion of enhanced device profiling code within any client-developed user interface.

Implementation of device profiling

This functionality is currently provided for NewDay by ThreatMetrix and is achieved through the inclusion of specific JavaScript tags on the UI pages supporting the Apply and Purchase APIs. The JavaScript tag must be configured with three discrete parameters: <code>profiling_domain</code>, <code>org_id</code> and <code>session_id</code>, described below.
  1. <code>profiling_domain</code>: This is the domain from which a call to ThreatMetrix is being made.
     - All domains from which the Fraud Profiling call to ThreatMetrix will be made must be passed to NewDay, so that the associated 'SAN' certificate (used to secure the profiling call) can be updated. This certificate needs to match the domain where the JavaScript is hosted, so the Client needs to be involved in the creation of this certificate. There should be one certificate for UAT and one for production.
  2. <code>org_id</code>: This is a mandatory parameter. It is a string of characters that serves to uniquely identify a ThreatMetrix Client (in this case, NewDay).
     - For the UAT value please reach out to your contact at NewDay.
     - For the Production value please reach out to your contact at NewDay.
  3. <code>session_id</code>: This is a mandatory parameter. It is a unique value that identifies a single event performed by the customer. This session_id is passed in the ThreatMetrix link (below) and is subsequently passed in the verificationId field in the Apply and Purchase API Requests. It must be an RFC-4122 compliant GUID and be generated by the client. The value should be different for a single customer between Apply and Purchase.

The JavaScript to be added to the UI screens is as follows:

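<head>
	<script type="text/javascript" src="path/to/toolkit.js"></script>
	<!-- other head content -->
</head>
<body>
	<script type="text/javascript">
		// The server-side template emits the RFC 4122 GUID; it is quoted so that it is a JavaScript string literal.
		var session_id = "<%=generateSessionId()%>";
		// Profile the device for this event using the three parameters described above.
		threatmetrix.profile("<profiling_domain>", "<org_id>", session_id);
	</script>
	<noscript>
		<!-- Fallback profiling tag for browsers with JavaScript disabled -->
		<iframe style="width: 100px; height: 100px; border: 0; position: absolute; top: -5000px;" src="<profiling_domain>/fp/tags?org_id=<org_id>&session_id=<session_id>"></iframe>
	</noscript>
</body>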
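
The session_id rules above (RFC 4122 GUID, one per event, different between Apply and Purchase, reused as verificationId) can be enforced server-side before the page is rendered and before the API request is sent. The following is an added example, not NewDay or ThreatMetrix code; it assumes a Node.js backend, and the function names and the `ORG_ID_PLACEHOLDER` value are hypothetical.

```javascript
// Added example: helper names and sample values are assumptions, not part of the toolkit.
const randomUUID = globalThis.crypto && globalThis.crypto.randomUUID
  ? () => globalThis.crypto.randomUUID()
  : require('node:crypto').randomUUID; // older Node without global Web Crypto

// RFC 4122 textual form: version nibble 1-5, variant bits 10xx.
const RFC4122 = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
const isRfc4122 = (v) => typeof v === 'string' && RFC4122.test(v);

// One fresh session_id per customer event ("apply" or "purchase").
function newProfilingSession(event) {
  if (event !== 'apply' && event !== 'purchase') throw new Error('unknown event: ' + event);
  return { event, sessionId: randomUUID() };
}

// URL for the <noscript> iframe. Rejects non-HTTPS domains and malformed ids,
// so only a well-formed GUID and an encoded org_id reach the page markup.
function tagsUrl(profilingDomain, orgId, sessionId) {
  const base = new URL(profilingDomain);
  if (base.protocol !== 'https:') throw new Error('profiling_domain must be https');
  if (!isRfc4122(sessionId)) throw new Error('session_id is not an RFC 4122 GUID');
  const url = new URL('/fp/tags', base.origin);
  url.searchParams.set('org_id', orgId);
  url.searchParams.set('session_id', sessionId);
  return url.toString();
}

// Pre-submit check: verificationId must be the id profiled for this event
// and must not be the id already used for the customer's other event.
function checkVerificationId(request, session, otherSession) {
  const problems = [];
  if (!isRfc4122(request.verificationId)) problems.push('not RFC 4122');
  if (request.verificationId !== session.sessionId)
    problems.push('does not match profiled session_id');
  if (otherSession && request.verificationId === otherSession.sessionId)
    problems.push('reused from ' + otherSession.event);
  return problems;
}
```

An empty array from `checkVerificationId` means the Apply or Purchase request carries the same GUID that was profiled for that event.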

Subject Alternative Names (SANs)

In addition to embedding this JavaScript in your UI screens, a Subject Alternative Names (SAN) certificate needs to be created and used. This certificate is obtained through collaboration directly with ThreatMetrix:

  1. Define a Sub-Domain
     - e.g. img.client.com
     - Use a name that is not suggestive of security/fraud profiling
  2. Provide SSL/TLS Certificate information:
     - Common name (FQDN) -> img.client.com
     - Company Name -> Client
     - Company Department -> IT
     - Country Name & Code -> Great Britain GBR
     - State or Province name -> UK
     - City name -> London
  3. Generate Certificate from CSR
     1. Sign and submit the following:
        - Signed certificate
        - Root certificate of your CA
        - Chain
     2. Return file as PEM file named:
        - Img.client.com.crt
  4. Set up redirection
     - Add a DNS record, such as img.client.com CNAME h.online-metrix.net.
  5. Replace profiling_domain in the above JavaScript with https://img.client.com



© NewDay 2022. All rights reserved.
