Profile Access Protection

Account Profile Update Identity Protection

Account Profiles for Card Testing Prevention

Identity Protection for Account Profile Access can be used to protect from testing several credit cards within a customer's account by leveraging the merchant gateway's $0 auth to check whether the stolen card data is still valid. It can also prevent account takeover by bad actors attempting to takeover customer accounts.

Account Profile Updates Identity Protection Integration

Step 1: Front End Integration

In your dedicated Forter portal, you will receive a JavaScript snippet for both sandbox and production. For native mobile apps, you will receive links to download Forter's Native SDKs. You'll paste the JS script on the appropriate pages of your website or call mobile SDK methods on relevant mobile app screens so that it can load and asynchronously collect important behavioral data from your customer. The script or mobileUID generated by the mobile SDK will also generate a unique token for each user on your site that should be included in the Account Profile Access API Request Body.

Step 2: Account Profile Access API

**Profile Access API Request** Forter can provide a decision to approve a frictionless login or suggest that Multi-Factor Auth if suspicious activity is detected. The relevant access type is denoted as the `"UPDATE_PAYMENT"` enum of the `"accessRequestType"` parameter in the request body. For the full API see, please see the Customer Account Profile Update API Reference section for more details.

The Primary Data Points for the Account Profile Access API request in the context of card testing are:

  • Account ID
  • AccessRequestType "UPDATE_PAYMENT"
  • Details of the new Payment Method added to merchant profile.
  • ConnectionInformation - Cyber intelligence data to analyze browsing behavior, device and connection quality such as IP address, user agent and data collected via JS / mobile SDK
  "accountId": "e520-ba9a-367-60b",
  "eventTime": 1415287568000,
  "connectionInformation": {
    "customerIP": "",
    "userAgent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36",
    "forterTokenCookie": "2315688945984"
  "channelType": "WEB",
  "accountOwner": {
    "email": "[email protected]",
    "accountId": "e520-ba9a-367-60b",
    "created": 1415273168
  "newPaymentMethods": {
    "billingDetails": {
      "personalDetails": {
        "firstName": "John",
        "lastName": "Smith",
        "email": "[email protected]"
      "address": {
        "address1": "235 Montgomery st.",
        "city": "San Francisco",
        "country": "US",
        "zip": "94104"
    "creditCard": {
      "nameOnCard": "John R. H. Smith",
      "bin": "424242",
      "cardBrand": "VISA",
      "lastFourDigits": "4242",
      "expirationMonth": "03",
      "expirationYear": "2025",
      "verificationResults": {
        "avsFullResult": "Y",
        "cvvResult": "M"
  "accessRequestType": "UPDATE_PAYMENT"

Account Profile Update API Response
The Account Profile Access API response will include the Forter decision and potential recommendations, as well as a correlation ID that should be stored and used when the merchant provides additional updates (e.g. result of MFA)

  "forterDecision": "DECLINE",
  "decisionReason": "",
  "accountId": "e520-ba9a-367-60b",
  "correlationId": "HGJ7512345H3DE",
  "recommendations": [

Step 3: Authentication Attempt API

The Forter Authentication Attempt API is called after the Account Profile Access or Account Login APIs, because its role is to provide Forter with the results of the additional authentication carried out after an attempt at login or profile access has been made. Types of additional authentication include multi-factor authentication, one time passwords, and payment method verification.

Whether or not the user can pass the challenge is very important data in protecting your customers’ accounts. The Account Authentication Attempt API is used to provide Forter with the results of the additional authentication for account login.

Rather, the response will always be "NOT_REVIEWED" Please see the Authentication Attempt API Reference for more details.

Authentication Attempt API Request
The Authentication Attempt API provides Forter with more information about the customer verification. Forter can update its evaluation of the customer and provide you with appropriate decision updates (e.g. Forer might recommend to approve the customer if the verification succeeded, or suggest an alternative form of authentication if it failed).

The primary data points needed for the Account Authentication Attempt API are:

AdvancedAuthenticationMethod which contains information about the method of authentication done (email, phone, etc..),
correlation ID that was provided in the Login / Profile Access API response and is used to link the authentication attempt data to the original event that was decisioned.

Authentication Attempt API Response
As this API is only used to provide Forter's model's additional information, the decision returned will always be "NOT_REVIEWED". Supplementary parameters like correlationId and accountId are also returned in the API response.