Account Abuse Protection (Early Access)
Identify and mitigate attacks on your customer and user accounts.
Fraud detection allows you to detect and mitigate account abuse in your traffic, specifically bulk account creation and account takeover attacks. You can use fraud signals to update or create rules for suspicious account activity, or pass the signals to your origin to integrate them into your authentication and authorization systems.
Account Abuse Protection is available in Early Access for any Bot Management Enterprise customer. You can use these features at no additional cost for a limited period until they are generally available.
User ID is a cryptographically hashed, per-zone identifier that customers can use in Security Analytics, Security Rules, and Managed Transforms. With access to hashed User ID, website owners can:
- Review which users have the most activity on your website.
- Find the details on a specific user's characteristics and activity patterns.
- Mitigate traffic based on the user, such as blocking a user with historically suspicious activity.
- Combine fields to see when accounts are being targeted with leaked credentials.
- Manage network patterns or signals associated with specific users.
User ID is enabled by default in the Cloudflare dashboard.
To edit or disable the setting:
1. In the Cloudflare dashboard, go to the Security Settings page.
2. Filter by Fraud.
3. Go to User ID.
4. Turn User ID on or off.
Customers using Cloudflare Turnstile can use ephemeral IDs for Fraud detection.
Refer to Fraud detection with ephemeral IDs for more information.
Cloudflare Bot Management includes dedicated detection IDs for account takeover attacks.
Refer to Account takeover detections for more information.
Fraud detection requires the following configurations and settings to be enabled to properly identify suspicious behavior.
- User ID: Cloudflare encrypts or hashes your user IDs to better understand typical user traffic patterns across your applications. Enabling Cloudflare to create hashed user ID mappings to your users will allow you to receive account takeover and bulk account creation detections.
Cloudflare automatically identifies certain login and sign up traffic on your applications and runs these detections without any additional configurations.
- Sign-ups: Cloudflare automatically monitors traffic on endpoints that match common sign up endpoints.
- Login: Cloudflare automatically monitors traffic on endpoints that match common login endpoints.
Verify that your endpoints are properly labeled to ensure Cloudflare can detect and monitor them correctly.
Fraud detections focus on account abuse attacks such as account takeover, bulk account creation, and credential quality. These detections run on all eligible traffic and can be used across Cloudflare Rules to log, challenge, and/or block requests to your sign up and login endpoints.
Disposable Email Checks detect when users sign up with throwaway email addresses commonly used for promotion abuse and fake account creation. These disposable email services allow attackers to create thousands of unique accounts without maintaining real infrastructure.
You can use the following binary field as you build rules to enforce security preferences, choosing to block all disposable emails outright, or issue a challenge to anyone attempting to create an account with a disposable email.
Cloudflare analyzes the components of an email used during sign up to help identify suspicious patterns. Refer to prerequisites to ensure your traffic is eligible for detections.
Cloudflare does not store email addresses during this analysis. All detections are processed without any storage or caching.
| Detection tag | Description |
|---|---|
| cf.fraud_detection.disposable_email | Identifies emails whose domains are commonly found in lists of temporary or disposable email services. |
| cf.fraud.email_risk | Analyzes the randomness of characters in an email username and top-level domain. High-risk emails have high entropy, while medium- and low-risk emails have less randomness in their string of characters. |
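As an added illustration of what the two detections above look like in code (this is not Cloudflare's implementation; its domain list and thresholds are not published on this page), the following Python does a disposable-domain lookup and an entropy-based risk grade of the username. `DISPOSABLE_DOMAINS`, the two thresholds and the function names are assumptions, and the example scores only the username, whereas the page says the real detection also considers the top-level domain.

```python
import math
from collections import Counter

# Constructed, illustrative list of disposable-email domains. Cloudflare's own
# list is not published on the page; a real deployment maintains its own.
DISPOSABLE_DOMAINS = {"mailinator.com", "10minutemail.com", "guerrillamail.com"}

# Assumed per-character Shannon entropy thresholds in bits. These are not
# Cloudflare's values; they only make the low/medium/high split concrete.
LOW_MAX = 3.3
MEDIUM_MAX = 3.9


def shannon_entropy(text: str) -> float:
    """Per-character Shannon entropy in bits; 0.0 for an empty string."""
    if not text:
        return 0.0
    counts = Counter(text)
    total = len(text)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def split_email(email: str):
    """Return (local_part, domain) lower-cased, or None if it is not an address.

    Plus-addressing ("user+tag@...") is stripped so a user-chosen tag does not
    inflate the entropy of an otherwise ordinary username.
    """
    if email.count("@") != 1:
        return None
    local, domain = email.strip().lower().split("@")
    if not local or "." not in domain:
        return None
    local = local.split("+", 1)[0]
    return local, domain


def classify_email(email: str) -> dict:
    """Produce verdicts shaped like the two page fields for one sign-up email.

    Returns {"disposable_email": bool,
             "email_risk": "low" | "medium" | "high" | "unknown",
             "entropy": float}.
    The address itself is never retained; the caller only sees the verdict.
    """
    parts = split_email(email)
    if parts is None:
        return {"disposable_email": False, "email_risk": "unknown", "entropy": 0.0}
    local, domain = parts
    entropy = shannon_entropy(local)
    if entropy < LOW_MAX:
        risk = "low"
    elif entropy < MEDIUM_MAX:
        risk = "medium"
    else:
        risk = "high"
    return {
        "disposable_email": domain in DISPOSABLE_DOMAINS,
        "email_risk": risk,
        "entropy": round(entropy, 3),
    }


if __name__ == "__main__":
    # Constructed sample addresses, one per verdict the function can return.
    for sample in ["john.smith@example.com", "john.smith+promo@mailinator.com",
                   "john.smith2024@example.com", "k7q2zx9pw4m1v8nb@example.com",
                   "not-an-email"]:
        print(sample, classify_email(sample))
```

Note that per-character entropy depends on string length, so a long, ordinary name can land in the medium band; that is why an email risk grade is best combined with the other signals on this page rather than used on its own.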
The following Fraud detection fields can be used in Security Rules to help identify and mitigate suspicious traffic.
The following fields can be used in new and existing Security Rules.
| Field | Description | Values |
|---|---|---|
| cf.fraud_detection.disposable_email | Flags whether the domain of a given email is included in a known list of temporary email providers. | True or False |
| cf.fraud.email_risk | Measures the risk of an email based on the randomness of characters in the username and domain. | Low: low risk due to reduced randomness and simple emails. Medium: medium risk based on larger strings with slightly more randomness. High: high risk based on larger and random character strings. Unknown. |
You can use Fraud detection data in Request Header Transform Rules to pass information down to the origin.
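An added example, not from the page, of how an origin can consume those forwarded values. It assumes a Request Header Transform Rule that copies `cf.fraud.email_risk` and `cf.fraud_detection.disposable_email` into the headers named below, plus a shared-secret header added by the same rule so the origin can tell Cloudflare-forwarded requests from direct hits that forge the fraud headers. The header names, the secret, and the allow/step-up/reject policy are all assumptions.

```python
import hmac
from typing import Optional

# Assumed header names: they are whatever you choose when writing the Transform
# Rule, not Cloudflare-defined names.
RISK_HEADER = "x-fraud-email-risk"              # carries cf.fraud.email_risk
DISPOSABLE_HEADER = "x-fraud-disposable-email"  # carries cf.fraud_detection.disposable_email
USER_ID_HEADER = "x-fraud-user-id"              # hashed User ID, if you also forward it

# Assumed shared secret set by the same Transform Rule. Without it, anyone who
# can reach the origin directly could send a forged "low risk" header.
EDGE_SECRET_HEADER = "x-edge-secret"
EDGE_SECRET = "replace-with-a-long-random-secret"  # placeholder value

VALID_RISKS = {"low", "medium", "high", "unknown"}


def fraud_signals(headers: dict) -> Optional[dict]:
    """Parse the forwarded fraud headers; None if the edge secret is absent or wrong.

    Header names are matched case-insensitively. A missing or unrecognized
    value maps to "unknown"/False so that a missing header never becomes a free pass.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not hmac.compare_digest(h.get(EDGE_SECRET_HEADER, ""), EDGE_SECRET):
        return None
    risk = h.get(RISK_HEADER, "unknown").lower()
    if risk not in VALID_RISKS:
        risk = "unknown"
    return {
        "email_risk": risk,
        "disposable_email": h.get(DISPOSABLE_HEADER, "false").lower() == "true",
        "user_id": h.get(USER_ID_HEADER),
    }


def auth_decision(event: str, headers: dict) -> str:
    """Map forwarded fraud signals onto an authentication step for one request.

    event is "signup" or "login". Returns "allow", "step_up" (require MFA or
    email verification) or "reject". The policy is an assumed example.
    """
    signals = fraud_signals(headers)
    if signals is None:
        # The request did not come through the edge, or the rule is
        # misconfigured: refuse rather than trust unauthenticated headers.
        return "reject"
    if event == "signup":
        if signals["disposable_email"]:
            return "reject"
        if signals["email_risk"] == "high":
            return "step_up"
        return "allow"
    if event == "login":
        # A throwaway address or a high-entropy username on an existing account
        # is worth a second factor, but not an outright lockout.
        if signals["disposable_email"] or signals["email_risk"] == "high":
            return "step_up"
        return "allow"
    return "reject"  # unknown event type


if __name__ == "__main__":
    # Constructed request headers as the origin would see them after the rule ran.
    demo = {EDGE_SECRET_HEADER: EDGE_SECRET, "X-Fraud-Email-Risk": "High",
            "X-Fraud-Disposable-Email": "false", "X-Fraud-User-ID": "hashed-example"}
    print(auth_decision("login", demo))   # step_up
    print(auth_decision("login", {"X-Fraud-Email-Risk": "low"}))  # reject: no edge secret
```

The shared-secret check matters because the Transform Rule only runs for traffic that passes through Cloudflare; an origin that also accepts direct connections must not treat the fraud headers as authoritative on their own.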
You can add Fraud detection fields to existing or new LogPush jobs.
You can find Fraud data and detections in Security Analytics, where you can see top User IDs.
In the Cloudflare dashboard, go to Analytics. Fraud fields can be used as filters to identify suspicious patterns in your traffic.
The hashed User ID field within Security Analytics also gives Fraud customers data for reviewing detections and patterns per individual user rather than per request. You can review user-level aggregations of IPs and IP counts, event types (login or sign up), locations, devices, and browsers.
A user level profile also provides a quick way to review the latest events associated with a user so that you can identify any anomalies and create a custom rule to log, block, or challenge that user.
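Added example, not from the page: the per-user review that Security Analytics provides, reproduced offline over constructed Logpush-style records so the aggregation logic is visible. `ClientIP`, `ClientCountry`, `ClientDeviceType`, `ClientRequestPath` and `EdgeStartTimestamp` are standard HTTP request log fields; `FraudUserID`, `FraudEmailRisk` and `FraudDisposableEmail` are assumed names standing in for the Fraud fields a Logpush job would add, and the path-to-event mapping and the anomaly thresholds are assumptions too.

```python
import json
from collections import Counter
from typing import Dict, List

# Constructed sample records in Logpush newline-delimited JSON style. The
# Fraud* field names are assumed; the final line is deliberately malformed.
SAMPLE_LOGS = """\
{"EdgeStartTimestamp":"2024-05-01T10:00:00Z","ClientIP":"203.0.113.10","ClientCountry":"us","ClientDeviceType":"desktop","ClientRequestPath":"/login","FraudUserID":"u1","FraudEmailRisk":"low"}
{"EdgeStartTimestamp":"2024-05-01T10:05:00Z","ClientIP":"203.0.113.10","ClientCountry":"us","ClientDeviceType":"desktop","ClientRequestPath":"/login","FraudUserID":"u1","FraudEmailRisk":"low"}
{"EdgeStartTimestamp":"2024-05-01T10:01:00Z","ClientIP":"198.51.100.7","ClientCountry":"br","ClientDeviceType":"mobile","ClientRequestPath":"/login","FraudUserID":"u2","FraudEmailRisk":"low"}
{"EdgeStartTimestamp":"2024-05-01T10:01:30Z","ClientIP":"198.51.100.8","ClientCountry":"de","ClientDeviceType":"desktop","ClientRequestPath":"/login","FraudUserID":"u2","FraudEmailRisk":"low"}
{"EdgeStartTimestamp":"2024-05-01T10:02:00Z","ClientIP":"198.51.100.9","ClientCountry":"ru","ClientDeviceType":"desktop","ClientRequestPath":"/login","FraudUserID":"u2","FraudEmailRisk":"low"}
{"EdgeStartTimestamp":"2024-05-01T10:02:30Z","ClientIP":"198.51.100.10","ClientCountry":"br","ClientDeviceType":"mobile","ClientRequestPath":"/login","FraudUserID":"u2","FraudEmailRisk":"low"}
{"EdgeStartTimestamp":"2024-05-01T10:03:00Z","ClientIP":"192.0.2.44","ClientCountry":"fr","ClientDeviceType":"desktop","ClientRequestPath":"/signup","FraudUserID":"u3","FraudEmailRisk":"medium","FraudDisposableEmail":true}
this line is not JSON and must not abort the run
"""

TAKEOVER = "possible account takeover: one user, many IPs or countries"
DISPOSABLE = "sign-up with a disposable email domain"


def parse_logs(text: str) -> List[dict]:
    """Parse newline-delimited JSON; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def event_type(path: str) -> str:
    """Assumed path convention for labelling login and sign-up events."""
    if path.startswith("/login"):
        return "login"
    if path.startswith("/signup"):
        return "signup"
    return "other"


def aggregate_by_user(records: List[dict]) -> Dict[str, dict]:
    """Build one profile per hashed user ID: IPs, countries, devices, events, risk."""
    profiles: Dict[str, dict] = {}
    for r in sorted(records, key=lambda rec: rec.get("EdgeStartTimestamp", "")):
        uid = r.get("FraudUserID")
        if not uid:
            continue  # request was not on a labelled login/sign-up endpoint
        p = profiles.setdefault(uid, {
            "ips": set(), "countries": set(), "devices": set(),
            "events": Counter(), "risk": Counter(),
            "disposable_signup": False, "latest": [],
        })
        ev = event_type(r.get("ClientRequestPath", ""))
        p["ips"].add(r.get("ClientIP"))
        p["countries"].add(r.get("ClientCountry"))
        p["devices"].add(r.get("ClientDeviceType"))
        p["events"][ev] += 1
        p["risk"][r.get("FraudEmailRisk", "unknown")] += 1
        if ev == "signup" and r.get("FraudDisposableEmail") is True:
            p["disposable_signup"] = True
        # Keep the five most recent events for the quick "latest activity" view.
        p["latest"] = (p["latest"] + [(r.get("EdgeStartTimestamp"), r.get("ClientIP"), ev)])[-5:]
    for p in profiles.values():
        p["ip_count"] = len(p["ips"])
    return profiles


def flag_anomalies(profiles: Dict[str, dict], max_ips: int = 3,
                   max_countries: int = 2) -> Dict[str, List[str]]:
    """Return users whose profile warrants a custom rule, with the reason(s)."""
    flagged: Dict[str, List[str]] = {}
    for uid, p in profiles.items():
        reasons = []
        if p["events"]["login"] and (p["ip_count"] >= max_ips
                                     or len(p["countries"]) > max_countries):
            reasons.append(TAKEOVER)
        if p["disposable_signup"]:
            reasons.append(DISPOSABLE)
        if reasons:
            flagged[uid] = reasons
    return flagged


if __name__ == "__main__":
    profiles = aggregate_by_user(parse_logs(SAMPLE_LOGS))
    for uid, reasons in flag_anomalies(profiles).items():
        print(uid, profiles[uid]["ip_count"], "IPs", sorted(profiles[uid]["countries"]), reasons)
```

The thresholds are deliberately low so the constructed sample trips them; in production they should be tuned against a baseline of how many IPs and countries a genuine user shows per day, and a flagged hashed User ID can then be turned into a log, challenge, or block rule as described above.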