How It Works

Account Protect combines our machine learning engine and a database of trillions of transaction data points to generate a risk decision for account related actions in your application. When users attempt to create, update, or log in to accounts on your system, Vesta analyzes data from multiple sources and generates a risk decision that you can use to determine whether you will allow the action.

Data Sources

Account Protect combines information from the following sources to verify and monitor user accounts:

  • Customer Behavior - Vesta’s Behavioral Analytics tools tracks elements of customer behavior, including the pages your customers visit, how long they spend on each page, and how they select products to identify potentially fraudulent purchases. Behavioral Analytics uses a unique session ID to track user behavior and compares user behavior to profiles of fraudulent activity.
  • Device Specifics - Vesta’s Device Fingerprinting feature identifies unique properties of each customer’s device, including the associated email address, age, and location. This makes it possible to detect if a customer is masking identifying information as a way to commit fraud.
  • ID Verification - ID Verification uses the camera on your user’s device to capture images of ID documents and the user’s face. The document images are compared with templates of known valid ID cards, and the user’s face is compared with the photo on the ID card. This ensures that the ID is valid and that it belongs to the person who is creating the account.
  • Biometrics - Account Protect’s passwordless multifactor authentication feature creates a vCrypt token that associates a user with a specific device. Once the vCrypt token has been created and verified, the user can use biometric sensors on the device to verify the authenticity of any request to your service.
  • Data Vault/Consortium - Vesta participates in the GDPR-compliant consortium data vault, which includes more than 2 trillion data points gathered over 25 years of transaction processing. Vesta leverages this data to compare user actions with historical data to identify potential fraud.

Risk Decisions

For every supported account action in your application, Account Protect returns a decision about the risk of account fraud:

  • Accept - Account Protect determined there was low risk associated with the analyzed data. The user can proceed with the account activity.
  • Challenge - There is risk associated with the analyzed data. Account Protect will ask the user to complete additional verification steps before proceeding with the activity.
  • Deny - Account Protect determined that the action is likely fraudulent. Vesta does not recommend allowing the user to access the features of the account. If applicable, notify the account holder of potential fraud and ask them to verify the account by confirming and updating their credentials.


Account Protect is built on state-of-the-art technologies that provide powerful analytic capabilities and that make it easy to integrate into your website or app.


Vesta uses machine learning, behavioral models, and smart authentication controls to analyze data:

  • Machine Learning Platform and Models - Vesta uses machine learning and big data to build baseline models that describe behaviors associated with account takeover fraud. Detecting these behaviors during a transaction is an indication of fraud. Vesta’s models can be updated and deployed within hours, making sure that the protection you get from Account Protect keeps up with new fraud techniques.
  • Patented Deep Link Analysis - By sourcing, cross-referencing, and identifying patterns in data from multiple big-data repositories, Vesta can identify anomalous activity which could indicate fraud.
  • Smart Authentication Controls - Biometric data makes it possible to verify the identity of an applicant and perform passwordless multifactor authentication for every account-related activity in your application.


Vesta provides SDKs, REST APIs and JavaScript method that you will use to integrate Account Protect with your application:

  • REST API - Use the Account Protect REST API to request a risk analysis of account activities.
  • SDKs - The Data Collector SDK adds Behavioral Analytics, ID Verification, and vCrypt Tokenization to your application. You must incorporate the Data Collector libraries into you application, and initialize the libraries when your app launches.
  • JavaScript - For web applications, Vesta provides JavaScripts, that support Device Fingerprinting and Behavioral Analytics services.

The Account Monitoring Integration and Account Verification Integration pages describe how to incorporate and use Account Protect in your application.

Use Cases

The use cases below illustrate how Account Protect defends your users from different attack vectors.

Synthetic Account Fraud

During synthetic account fraud, a criminal creates a new account by combining stolen and fake identity information. Account Protect takes the following steps during account opening to defend against synthetic account fraud:

  • PII Checks - Account Protect checks information entered in your account creation form against existing data about the person opening the account. If details like phone numbers and addresses seem suspicious, Account Protect alerts you about potential fraudulent behavior.
  • ID Verification - Account Protect includes ID document scanning and facial matching features. When a user attempts to open a new account, Account Protect verifies the validity of the ID document and compares the photo on the photo ID to a photo taken using the camera on the user’s device. If the ID document does not belong to the person opening the account, you can deny the account, or follow up with the user for additional identity verification.
  • Biometric Data - Account Protect generates a vCrypt token that links a user’s account with the device used to create the account. The token is encrypted and stored on the user’s device. If the person creating the account is unable to use the device’s biometric authentication during token binding, Account Protect will alert you that the action failed, indicating possible fraudulent activity.

If a new user fails one or more of these verification checks, you can choose to deny the account. If you want to follow up with the user for additional verification, you will have the information you need to make an informed decision about the validity of the account.

Credential Stuffing and Cracking

During credential stuffing and cracking, a criminal attempts to use stolen user names and passwords to access related accounts. Typically the criminal will try to log in using many combinations of usernames and passwords on your site in a short amount of time. Account Protect watches login activity and uses the following checks to protect against fraudulent logins:

  • Velocity Checking - Account Protect watches for multiple login attempts in a short period of time. This can indicate that a criminal is using a bot to crack accounts on your site. If detected, Account Protect will trigger passwordless multifactor verification using biometrics and device specifics to ensure that the person accessing the account is the actual account owner.
  • Device Verification - The vCrypt token created during the account creation process is tied to the account owner’s device. If the login activity is suspicious and the device cannot be verified, Vesta will notify you of potential fraudulent activity. You can choose to follow up with the user to ensure the safety of the account.
  • IP Information - Account Protect checks the IP address associated with the device that is being used to log in. If the IP address is part of a network known for committing fraud, Account Protect can deny the login request.

By monitoring typical user behavior and providing additional security checks during log in, Account Protect can stop credential stuffing in its tracks and save your business’ reputation from the far reaching consequences of data breaches on other systems.

Account Purchase Fraud

During account purchase fraud, a criminal accesses a legitimate account and changes shipping information to purchase and receive goods that are paid for using your valid user’s existing payment methods. Account Protect watches the change address event on your account update form and checks the following details to protect against account purchase fraud:

  • Address History and Reputation - Account Protect checks the new address against previous fraud attempts to ensure that the address is not already known as fraudulent.
  • Change Address Behavior - Account Protect looks at how often the verified user changes or adds addresses and whether the user changing the address has displayed any additional indications of fraudulent behavior.
  • Location of Shipping and Billing Addresses - Comparing the location of the shipping and billing addresses can identify attempts to use existing payment information to receive goods in a significantly different part of the world.

If any of the fraud checks raise flags, Account Protect can issue a multifactor authentication challenge. If the purchase is determined to be fraudulent, Account Protect will issue a deny decision, so that you can notify the account owner of possible fraudulent activity.