To create an account, a user must provide some combination of email address, phone number, and name. But because these details can be fabricated in seconds, they say little about the user’s actual identity. Other data points are far more relevant: the device the user is on, the network they’re coming from, how they moved through your signup form, and more.
Identity risk scoring is the cybersecurity process that assigns a risk level to an identity and turns those disparate signals into a decision. Below, we’ll explain what identity risk scoring is, why static rules can’t detect modern abuse patterns, and how to evaluate and operate a scoring system once it’s in place.
Highlights
Identity risk scoring weighs dozens of signals simultaneously rather than relying on a single attribute. This makes it far harder for attackers to bypass than static rule sets.
Trial activation, promo redemption, and logins are some of the highest-value places to apply scoring.
Teams should always use ongoing threshold tuning and feedback loops when deploying a scoring platform.
What is identity risk scoring?
Identity risk scoring assigns a numeric or categorical risk value to an identity attempt based on the aggregate weight of signals present at that moment. Rather than focusing on whether the user’s email itself is real, it looks at whether the attempt as a whole coheres the way a legitimate user’s would.
What signals typically power identity analytics?
No single data point tells you whether a signup is legitimate. Identity analytics and risk scoring platforms aggregate signals across five distinct categories:
Device signals
A device fingerprint aggregates browser version, installed fonts, screen resolution, and hardware specs into a pseudonymous identifier that persists across sessions. This means a device tied to past fraud or abuse gets flagged even when the account credentials change. Platforms also look for signs of automation, such as headless browsers, missing expected application programming interfaces (APIs), or attribute combinations that don’t appear in real consumer devices.
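A minimal sketch of the fingerprinting idea, assuming a simplified attribute set and a SHA-256 hash (real fingerprinting draws on far more entropy sources and more robust matching):

```python
import hashlib
import json

def device_fingerprint(attributes: dict) -> str:
    """Collapse device attributes into a stable pseudonymous identifier.

    The attribute set here (user agent, fonts, screen, hardware) is
    illustrative; production fingerprinting uses many more signals.
    """
    # Canonical serialization so the same device always hashes identically,
    # regardless of the order attributes were collected in.
    canonical = json.dumps(attributes, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]

device = {
    "user_agent": "Mozilla/5.0",
    "fonts": ["Arial", "Helvetica"],
    "screen": "1920x1080",
    "hardware_concurrency": 8,
}
fingerprint = device_fingerprint(device)
```

Because the serialization is canonical, the same device maps to the same identifier across sessions even when the account credentials change, which is what lets past abuse follow the device.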
Network signals
Internet protocol (IP) reputation matters more than the IP address itself; for example, whether it’s associated with a datacenter, a known virtual private network (VPN) provider, a Tor exit node, or a residential proxy network that criminals use to mimic ordinary consumer traffic. Velocity at the network level, such as 50 signups from the same subnetwork in an hour, is its own signal of fraudulent activity.
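The subnet-velocity example above can be sketched as a sliding-window counter; the /24 grouping, 50-signup threshold, and one-hour window are illustrative assumptions:

```python
from collections import defaultdict, deque
from ipaddress import ip_network

class SubnetVelocityMonitor:
    """Count signups per /24 subnet inside a sliding time window."""

    def __init__(self, threshold: int = 50, window_seconds: int = 3600):
        self.threshold = threshold
        self.window = window_seconds
        self.events = defaultdict(deque)  # subnet -> timestamps

    def record_signup(self, ip: str, now: float) -> bool:
        """Record a signup; return True if the subnet exceeds the threshold."""
        subnet = str(ip_network(f"{ip}/24", strict=False))
        q = self.events[subnet]
        q.append(now)
        # Evict timestamps that have fallen out of the window.
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.threshold
```

In practice this signal would feed into the overall score rather than trigger a block on its own.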
Behavioral biometrics
Typing cadence, mouse movement patterns, time spent on each field, and whether a user copies and pastes versus types their email all produce measurable patterns. Bots and scripted tools generate statistically distinct signatures from humans, and it remains an ongoing engineering problem for attackers to naturalize those patterns.
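One way to see why scripted input stands out: humans show high variance in inter-keystroke timing, while bots are often near-metronomic. A toy detector, assuming a hypothetical 10 ms standard-deviation cutoff (real systems model many features jointly):

```python
import statistics

def typing_cadence_score(keystroke_times_ms: list) -> float:
    """Flag suspiciously uniform typing rhythm.

    Returns 1.0 (high risk) when inter-keystroke intervals are nearly
    constant, 0.0 otherwise. The 10 ms cutoff is an illustrative
    assumption, not a calibrated threshold.
    """
    intervals = [b - a for a, b in zip(keystroke_times_ms, keystroke_times_ms[1:])]
    if len(intervals) < 2:
        return 0.0  # not enough data to judge
    spread = statistics.stdev(intervals)
    return 1.0 if spread < 10 else 0.0
```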
Identity attribute signals
Email age, domain reputation, whether the address matches disposable email patterns, and phone number type (e.g., Voice over Internet Protocol, or VoIP, versus carrier-issued) are weak signals individually, but in combination with others, they’re significant.
Cross-account linkage
If five accounts share a device fingerprint, or 20 accounts were created from the same IP range in a week, those linkages are signals. A platform with broad coverage across many businesses can detect patterns that no single operator would ever see on their own.
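The linkage idea reduces to grouping accounts by a shared identifier. This sketch uses the five-account device-fingerprint example from the text; the cutoff and pair format are illustrative:

```python
from collections import defaultdict

def linked_account_clusters(accounts: list, min_cluster_size: int = 5) -> dict:
    """Group accounts by shared device fingerprint and surface large clusters.

    `accounts` is a list of (account_id, fingerprint) pairs; any cluster
    meeting the size cutoff is returned for review or scoring.
    """
    by_fingerprint = defaultdict(list)
    for account_id, fingerprint in accounts:
        by_fingerprint[fingerprint].append(account_id)
    return {fp: ids for fp, ids in by_fingerprint.items()
            if len(ids) >= min_cluster_size}
```

The same grouping works for IP ranges, payment instruments, or any other identifier that should rarely be shared across accounts.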
Why do static rules fail where identity risk scoring succeeds?
Static rules are fixed targets. Attackers rotate to residential proxies when datacenter IPs get blocked, switch to custom domains when disposable email rules fire, and spread traffic across IPs when velocity caps kick in.
Here’s how scoring addresses these failure modes:
Binary decisions on continuous distributions
Real traffic is on a spectrum between legitimate and fraudulent, and the overlap zone is wide. A VPN user with a clean history and normal behavior is different from a VPN user on a flagged residential proxy with bot-like typing patterns and a three-minute-old email address. A static rule can’t express that difference, but a score can.
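The difference a score can express might look like this as a weighted sum; the signal names and weights are illustrative assumptions, and production platforms learn weights from labeled outcomes rather than hand-tuning them:

```python
def risk_score(signals: dict) -> float:
    """Combine weighted boolean signals into a 0-1 risk score."""
    weights = {
        "vpn": 0.15,
        "flagged_residential_proxy": 0.35,
        "bot_like_typing": 0.30,
        "very_new_email": 0.20,
    }
    score = sum(weights[name] for name, present in signals.items() if present)
    return min(score, 1.0)

# A VPN user with an otherwise clean profile scores low...
clean_vpn = risk_score({"vpn": True})
# ...while the stacked-signal case from the text scores high.
stacked = risk_score({"vpn": True, "flagged_residential_proxy": True,
                      "bot_like_typing": True, "very_new_email": True})
```

A static rule like "block all VPNs" would treat both attempts identically; the score separates them.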
Attacker adaptation
When fraudulent actors shift tactics, a rule-based system doesn’t notice until someone writes a new rule. A scoring system trained on behavioral patterns can detect the new tactic as an anomaly relative to its baseline of legitimate traffic, often before it’s been explicitly labeled.
The gray zone
Many production systems use hard rules for clearly disqualifying signals, such as known malware infrastructure or sanctions list matches, and scoring for everything in between.
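That hybrid can be sketched as a short decision function; the signal names and thresholds here are illustrative assumptions:

```python
def decide(attempt: dict, risk_score: float,
           block_threshold: float = 0.8,
           challenge_threshold: float = 0.5) -> str:
    """Hybrid decision: hard rules for disqualifying signals, score otherwise."""
    # Hard rules short-circuit: these signals are disqualifying on their own.
    if attempt.get("known_malware_infrastructure") or attempt.get("sanctions_match"):
        return "block"
    # Everything else lands in the gray zone and is decided by the score.
    if risk_score >= block_threshold:
        return "block"
    if risk_score >= challenge_threshold:
        return "challenge"
    return "allow"
```

The middle "challenge" band, often a CAPTCHA or step-up verification, is where scoring earns its keep: it converts uncertainty into friction rather than a hard block.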
Where does identity risk scoring matter?
Abuse patterns follow users through their entire lifecycle on your platform. Risk scoring applies at each of the following points where identity is asserted or potentially exploited.
Account creation
Some obvious targets for abuse are free-tier exploitation, credential farm creation, fake review accounts, and promo harvesting. A score at signup is your first and sometimes only opportunity to catch this before the account is active.
Free trial activation
Trial abuse follows a predictable pattern: create an account, activate a trial, exhaust it, create another. Scoring at trial activation, in addition to signup, catches users who’ve already slipped through the initial screening.
Promotion and referral redemption
Promotional abuse follows certain infrastructure patterns. Scoring at the redemption moment catches accounts that passed the signup screening but are now exhibiting abuse-correlated behavior.
Login
Account takeover is a different threat model than new account fraud, but the signals overlap. Anomalous login attempts warrant their own scoring layer.
Some platforms score continuously during a session. A user who passes signup scoring but then attempts high-velocity API calls, bulk data exports, or repeated payment failures gets re-scored against that behavior. Stripe Radar scores transactions using signals from across Stripe’s network, which gives it visibility into patterns that individual businesses can’t see on their own. For businesses building signup protection that connects to Stripe payments, this scoring layer at the payment stage acts as a backstop against fraud that passes earlier screening.
How do you evaluate an identity risk scoring platform?
The differences between vendors aren’t always legible from their marketing pages. Choosing the wrong platform can either block legitimate users or let abuse through.
Here’s what you should look for in a risk scoring platform:
Signal coverage and freshness
Determine how many signal types the platform ingests and how current its reputation data is. A platform with stale IP reputation data or limited device fingerprinting coverage will produce scores that miss modern attack patterns. Ask vendors specifically about their residential proxy detection and behavioral biometrics capabilities; these are areas where platforms vary substantially.
Real-time performance
Identity scoring at signup needs to return a result before the user notices a delay. Latency above a few hundred milliseconds starts affecting conversion. Ask vendors for actual 99th percentile latency numbers.
Accuracy and false positive rates
A system that blocks 95% of fraud but incorrectly rejects 3% of legitimate users might be net negative, depending on your business. False positive rates need to be measured against your specific traffic profile. When the system flags an account, it should be able to tell you which signals drove the decision.
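The 95%-catch, 3%-false-positive example is easy to work through as arithmetic. This sketch assumes hypothetical per-fraud-loss and per-customer dollar values; plug in your own economics:

```python
def net_value_of_scoring(signups: int, fraud_rate: float,
                         fraud_catch_rate: float, false_positive_rate: float,
                         fraud_cost: float, customer_value: float) -> float:
    """Back-of-envelope check on whether a scoring setup is net positive.

    All inputs are illustrative assumptions, not benchmarks.
    """
    fraud_attempts = signups * fraud_rate
    legit_signups = signups - fraud_attempts
    savings = fraud_attempts * fraud_catch_rate * fraud_cost
    lost_revenue = legit_signups * false_positive_rate * customer_value
    return savings - lost_revenue

# With 10,000 signups, 2% fraud, a $50 loss per fraud, and a $40 customer
# value, the 95%/3% system from the text comes out net negative.
net = net_value_of_scoring(10_000, 0.02, 0.95, 0.03, 50, 40)
```

The point is not these particular numbers but that the false positive rate must be priced against your traffic profile, not evaluated in isolation.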
Integration options
Find out whether the platform has prebuilt integrations with your stack and offers a real-time API that fits your signup flow. Look at how it handles decisions that need to feed back into your authentication or payment systems.
Operations tools
Scoring needs dashboards that show score distributions, tools for reviewing flagged accounts, the ability to adjust thresholds, and feedback mechanisms that let human-review decisions improve the model. Platforms that skimp on this infrastructure become harder to operate over time.
How do you operate and tune an identity risk scoring system over time?
Deploying an identity analytics and risk scoring platform is the beginning of an ongoing process.
Here’s what you need to know from the start:
Set thresholds based on risk tolerance
Many platforms ship with default score thresholds that prompt blocks, challenges, or passes. Those defaults are calibrated for the average customer, so they’ll likely need adjustment. Run the system in shadow mode and examine the distribution of scores against your known outcomes. This tells you where your thresholds should actually sit.
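Threshold selection from shadow-mode data can be sketched as a search over candidate cutoffs; the 1% false positive target and the (score, outcome) pair format are illustrative assumptions:

```python
def pick_threshold(scored_outcomes: list,
                   max_false_positive_rate: float = 0.01):
    """Choose the lowest block threshold that keeps the false positive
    rate under a target, from shadow-mode (score, is_fraud) pairs.

    The lowest qualifying threshold catches the most fraud subject to
    the false positive constraint. Returns None if no cutoff qualifies.
    """
    candidates = sorted({score for score, _ in scored_outcomes})
    legit = [s for s, is_fraud in scored_outcomes if not is_fraud]
    for threshold in candidates:
        false_positives = sum(1 for s in legit if s >= threshold)
        if legit and false_positives / len(legit) <= max_false_positive_rate:
            return threshold
    return None
```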
Monitor for drift
Attacker behavior changes, and so does legitimate user behavior, especially when you launch in new markets, change your product, or run a campaign that attracts unusual traffic. Score distributions that shift without a corresponding change in actual fraud rates are a signal that something has changed and needs investigation.
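One common way to quantify a shift in score distributions is the population stability index (PSI). A minimal sketch, assuming fixed score bins and the rule-of-thumb cutoff of roughly 0.2 for meaningful drift:

```python
import math

def population_stability_index(baseline: list, current: list,
                               bins: list = None) -> float:
    """PSI between two score distributions; higher means more drift."""
    if bins is None:
        bins = [0.0, 0.2, 0.4, 0.6, 0.8, 1.01]

    def proportions(scores):
        counts = [0] * (len(bins) - 1)
        for s in scores:
            for i in range(len(bins) - 1):
                if bins[i] <= s < bins[i + 1]:
                    counts[i] += 1
                    break
        # Small floor avoids log(0) for empty bins.
        return [max(c / len(scores), 1e-4) for c in counts]

    p = proportions(baseline)
    q = proportions(current)
    return sum((qi - pi) * math.log(qi / pi) for pi, qi in zip(p, q))
```

A PSI spike without a corresponding change in confirmed fraud is exactly the "something changed, investigate" signal described above.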
Build feedback loops
The score is a prediction, but actual outcomes are reality. Platforms that can ingest feedback and adjust their models are measurably more accurate over time than those that can’t.
Revisit thresholds regularly
Teams often set thresholds during onboarding and don’t revisit them for months. Meanwhile, fraud rates change, product surfaces change, and the threshold calibrated for last year’s traffic profile might be too aggressive or too permissive now. Build a review cadence that looks at score performance against outcomes and adjust accordingly.
How Stripe Radar can help
Stripe Radar uses AI models to detect and prevent fraud, trained on data from Stripe’s global network. It continuously updates these models based on the latest fraud trends, protecting your business as fraud evolves.
Stripe also offers Radar for Fraud Teams, which allows users to add custom rules addressing fraud scenarios specific to their businesses and access advanced fraud insights.
Radar can help your business:
Prevent fraud losses: Stripe processes over $1 trillion in payments annually. This scale uniquely enables Radar to accurately detect and prevent fraud, saving you money.
Increase revenue: Radar’s AI models are trained on actual dispute data, customer information, browsing data, and more. This enables Radar to identify risky transactions and reduce false positives, boosting your revenue.
Save time: Radar is built into Stripe and requires zero lines of code to set up. You can also monitor your fraud performance, write rules, and more in a single platform, increasing efficiency.
Learn more about Stripe Radar, or get started today.
The content of this article is intended for general informational and educational purposes only and should not be construed as legal or tax advice. Stripe does not represent or warrant that the information in this article is accurate, complete, adequate, or current. For recommendations specific to your situation, you should seek the advice of a competent attorney or accountant licensed to practice in your jurisdiction.