Request ID Security

Request IDs are temporary tokens that carry fraud assessment data. If attackers steal and reuse them, they can completely bypass your fraud detection.

How Request ID Attacks Work

The Problem: Your server sees a valid request ID with good fraud scores, but it's being used by an attacker.

Essential Security Measures

1. Request ID Expiration

2. Usage Frequency Tracking

3. Action-Specific Limits

Risk-based expiration times:

• Profile updates: 24 hours (low risk)

• Account changes: 6 hours (medium risk)

• Payments: 1 hour (high risk)

• Password changes: 15 minutes (critical)

Real-World Impact

Attack Examples

• E-commerce: Fraudster uses intercepted request ID to validate stolen credit card purchases

• Banking: Attacker replays request ID to authorize unauthorized transfers

• SaaS: Bulk account creation using harvested "legitimate" fraud assessments

Detection Patterns

Watch for these attack indicators:

• Same request ID used from multiple IP addresses

• High frequency of expired request ID attempts

• Geographic inconsistencies (ID generated in US, used in Russia)

• Burst patterns of request ID usage

Implementation Recommendations

Security Levels by Action

Response Strategy

• Low violations: Log and monitor patterns

• Medium violations: Require fresh fraud check

• High violations: Block transaction and alert security team

• Critical violations: Consider temporary IP restrictions

Key Takeaways

Request IDs are security tokens - treat them like temporary API keys:

• ✅ Set expiration based on action risk level

• ✅ Limit usage frequency to prevent replay attacks

• ✅ Monitor patterns and alert on suspicious activity

• ❌ Don't ignore age or usage validation

Balance security with user experience - start strict and adjust based on user feedback and attack patterns.

Questions about implementing request ID security for your risk tolerance? Our team helps customers find the right balance between protection and user experience.