Vendor enrichment
When rules don't match, Veritus runs four vendor lookups in parallel to enrich the signup with external signal data. Each vendor returns a structured result that the scoring engine uses to compute reasons.
Email vendor
Checks:
- Domain is in our curated disposable-email list (mailinator.com, 10minutemail.com, etc.)
- MX records exist (otherwise the email can't receive mail)
- Local part looks gibberish (heuristic: too few vowels, too many digits/punctuation)
- Domain is a known free webmail provider (gmail.com etc.) — weak signal but logged
All in-house, no external API calls. The disposable list is curated by our admin team and updated periodically from public sources.
IP vendor (MaxMind GeoLite2)
Uses MaxMind's GeoLite2 City + ASN databases. Returns:
- Country (ISO-2), city, latitude, longitude
- ASN number and organisation name
- Datacentre flag — computed by checking ASN against a curated list of cloud-provider ASNs (AWS, GCP, Azure, DigitalOcean, Linode, Hetzner, OVH, Vultr, etc.)
Databases are loaded into memory at process start, so lookup is <1ms with no network round-trip. We refresh the data files weekly.
Password vendor (HIBP)
If a password is in the request, we check it against Have I Been Pwned's corpus of breached passwords. We use the k-anonymity range API: we send the first 5 chars of the password's SHA-1 hash, get back all hashes sharing that prefix, and match locally. The plaintext password never leaves our server.
HIBP currently contains over 12 billion breached credentials. If a password appears even once in their corpus, it's been seen in a known breach — reuse risk is high.
Phone vendor
Currently uses libphonenumber for format validation only. A future version will integrate Twilio Lookup for carrier type detection (e.g. "is this a burner VoIP number"). Customers who need this today can arrange an enterprise integration.
Failures and timeouts
Each vendor has a strict timeout (typically 1-2 seconds). If a vendor fails or times out:
- We log the failure to vendor_calls with status=error/timeout
- Scoring continues with the other vendors' data
- We don't add reasons we don't have evidence for — better to under-call than to invent
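An added example (not Veritus code) of the k-anonymity lookup described under Password vendor, combined with the failure handling from Failures and timeouts: only the 5-character SHA-1 prefix goes to the fetcher, the suffix match happens locally, and a fetcher error yields status=error with no reasons. The fetch_range callback, the result shape and the reason code are assumptions; the range body below is constructed, and only the suffix of SHA-1("password") in it is real.

```python
import hashlib
from typing import Callable, Dict, List

# Real HIBP range endpoint; this example never calls it and takes a fetcher instead.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Count-0 entries (padding) stay 0, i.e. not breached."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Send only the prefix; the plaintext and full hash never leave the process."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_vendor(password: str, fetch_range: Callable[[str], str]) -> dict:
    """Assumed vendor result shape: a failed lookup is status=error with no reasons."""
    try:
        count = pwned_count(password, fetch_range)
    except Exception as exc:  # timeout, HTTP error, malformed body
        return {"status": "error", "error": type(exc).__name__, "reasons": []}
    reasons: List[dict] = []
    if count > 0:
        reasons.append({"code": "password_breached", "count": count})
    return {"status": "ok", "reasons": reasons}


# Constructed stand-in for the range response for prefix 5BAA6. The second suffix is
# the real remainder of SHA-1("password"); the counts and other suffixes are made up.
SAMPLE_RANGE = {"5BAA6": "\r\n".join([
    "0010B8B01E4A2E0E2BAAEB70A6E9B6F4C1A:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "2F1D4C0A4E7A3C9B1B7E0F2D6A8C4E5B9D0:0",
])}


def sample_fetch_range(prefix: str) -> str:
    return SAMPLE_RANGE.get(prefix, "")  # unknown prefix: empty range, nothing matches


def timeout_fetch_range(prefix: str) -> str:
    raise TimeoutError("vendor timeout")  # simulates the 1-2 s vendor deadline expiring
```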