Geographic Consistency Detection: Catch VPNs & Proxies
New: Geographic Consistency Detection catches VPNs and location spoofing by analyzing timezone and language mismatches. 23x cheaper than SEON.
WebDecoy Team
WebDecoy Security Team
Geographic Consistency Detection: The Fraud Signal That Costs $699/Month Elsewhere
We just shipped Geographic Consistency Detection. It’s the same capability that enterprise fraud platforms like SEON charge $699/month for—but WebDecoy includes it in every plan starting at $59/month.
That’s not a typo. That’s 12x cheaper.
Let’s break down what we built, why it matters, and why you should stop overpaying for fraud prevention.
What is Geographic Consistency Detection?
Geographic Consistency Detection analyzes multiple location signals from every visitor and flags inconsistencies that indicate VPN usage, proxy connections, or deliberate location spoofing.
Here’s what we check:
1. Timezone Mismatch Detection
Every browser reports its timezone. Every IP address maps to a geographic location. When a visitor claims to be in America/New_York but their IP geolocates to Germany, that’s a red flag.
We don’t just flag exact mismatches—we use continent-level comparison to reduce false positives. A user in New York connecting through a New Jersey VPN won’t trigger an alert. But someone in Moscow pretending to be in Miami? Caught.
2. Language Inconsistency Analysis
Browsers send Accept-Language headers that reveal the user’s preferred languages. We compare this against the expected languages for the visitor’s IP-geolocated country.
A German IP with Accept-Language: ru-RU, ru? Suspicious.
A US IP with Accept-Language: en-US, en? Normal.
We maintain a comprehensive mapping of 50+ countries to their expected primary languages, including multi-language countries like Switzerland (de, fr, it, rm) and Belgium (nl, fr, de).
3. VPN Likelihood Scoring
Individual signals can have innocent explanations. Travelers, expats, and multilingual users exist. That’s why we combine multiple signals into a consistency score from 0-100:
- 90-100: High consistency, likely legitimate
- 70-89: Minor inconsistencies, worth monitoring
- 50-69: Moderate inconsistencies, elevated risk
- Below 50: Significant inconsistencies, likely VPN/proxy
Each mismatch deducts points:
- Timezone continent mismatch: -30 points
- No matching expected languages: -25 points
- Partial language match only: -10 points
When the score drops low enough, we flag is_vpn_likely: true.
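A sketch of the scoring rules above, added here as an illustration; it is not WebDecoy's code. Assumptions: the `EXPECTED_LANGS` excerpt is constructed, the IANA area prefix stands in for "continent", "partial match" is taken to mean the top-preference language is not expected but a lower one is, the `language_partial_match` flag name is hypothetical, and the `is_vpn_likely` cutoff is the "Below 50" band.

```javascript
// Added example. EXPECTED_LANGS is a constructed excerpt, not WebDecoy's mapping.
const EXPECTED_LANGS = {
  US: ["en"], DE: ["de"], CH: ["de", "fr", "it", "rm"], BE: ["nl", "fr", "de"],
};
// IANA areas that name a landmass; Etc/, Pacific/, Atlantic/ etc. give no signal.
const CONTINENT_AREAS = new Set(["Africa", "America", "Asia", "Australia", "Europe"]);

// "ru-RU, ru;q=0.9, en;q=0.1" -> ["ru", "en"]: primary subtags, ordered by q.
function parseAcceptLanguage(header) {
  const tags = String(header || "").split(",").map((part) => {
    const [tag, ...params] = part.trim().split(";");
    const q = params.map((p) => p.trim()).find((p) => p.startsWith("q="));
    return { lang: tag.trim().toLowerCase().split("-")[0], q: q ? parseFloat(q.slice(2)) : 1 };
  }).filter((t) => t.lang && t.lang !== "*" && t.q > 0);
  tags.sort((a, b) => b.q - a.q); // stable sort keeps header order for equal q
  return [...new Set(tags.map((t) => t.lang))];
}

function continentOf(tz) {
  const area = String(tz || "").split("/")[0];
  return CONTINENT_AREAS.has(area) ? area : null;
}

function geoConsistency({ browserTimezone, acceptLanguage, geoipTimezone, geoipCountry }) {
  let score = 100;
  const flags = [];
  const seen = continentOf(browserTimezone);
  const expectedArea = continentOf(geoipTimezone);
  // Deduct only when both sides carry a continent and they differ.
  if (seen && expectedArea && seen !== expectedArea) {
    score -= 30;
    flags.push("timezone_mismatch");
  }
  const langs = parseAcceptLanguage(acceptLanguage);
  const expected = EXPECTED_LANGS[geoipCountry];
  if (expected && langs.length > 0) { // unknown country or no header: no deduction
    if (!langs.some((l) => expected.includes(l))) {
      score -= 25;
      flags.push("language_mismatch");
    } else if (!expected.includes(langs[0])) { // assumed meaning of "partial match"
      score -= 10;
      flags.push("language_partial_match"); // hypothetical flag name
    }
  }
  // Assumed cutoff: the page's "Below 50" band.
  return { consistency_score: score, is_vpn_likely: score < 50, flags };
}
```

A traveler with a German browser on a US IP lands at 60 under these rules (timezone mismatch plus partial language match), which stays above the cutoff; only the combination of a timezone mismatch and no expected language at all reaches 45.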
The Technical Implementation
Here’s what happens under the hood when a request hits WebDecoy:
```json
{
  "detection_source": "bot_scanner",
  "geo_consistency": {
    "consistency_score": 45,
    "is_vpn_likely": true,
    "flags": [
      "timezone_mismatch",
      "language_mismatch"
    ],
    "analysis": {
      "browser_timezone": "America/New_York",
      "geoip_timezone": "Europe/Moscow",
      "browser_languages": ["ru-RU", "ru"],
      "expected_languages": ["en"],
      "geoip_country": "US"
    }
  },
  "threat_score": 78,
  "action": "challenge"
}
```

This visitor claims to be in New York (browser timezone), but their browser is configured for Russian (language), and they’re connecting from a US IP. Classic VPN pattern: Russian user connecting through a US VPN to appear American.
Why This Matters: The Fraud Attack Surface
Geographic inconsistencies are a leading indicator of:
Credential Stuffing Attacks
Attackers run credential lists through US-based proxies to avoid geo-blocking. Their bots still leak Russian, Chinese, or Vietnamese language settings. Geographic Consistency Detection catches them.
Account Takeover (ATO)
When a US-based account suddenly logs in from a “US” IP with a browser configured for Mandarin Chinese, something’s wrong. We flag it before the attacker can drain the account.
Carding & Payment Fraud
Fraudsters use US proxies to make purchases with stolen US cards. But their browser timezone says Asia/Ho_Chi_Minh. Caught.
Fake Account Creation
Bot farms spin up thousands of fake accounts through residential proxies. Their browser fingerprints reveal the truth: consistent timezone/language patterns that don’t match the “diverse” IP locations.
How We Compare to SEON
Let’s talk about the elephant in the room. SEON is a well-known fraud prevention platform. Here’s how we stack up:
| Feature | WebDecoy | SEON |
|---|---|---|
| Starting Price | $59/month | $699/month |
| API Calls Included | 5,000/month | 2,500/month |
| Cost Per Detection | $0.012 | $0.28 |
| Geographic Consistency | Included | Included |
| TLS Fingerprinting (JA3/JA4) | Included | Included |
| Device Fingerprinting | Included | Included |
| Behavioral Analysis | Included | Included |
| Real-time Webhooks | Included | Included |
| VPN/Proxy Detection | Included | Included |
WebDecoy is 23x cheaper per detection.
We’re not cutting corners. We’re just not charging enterprise prices for technology that should be accessible to everyone.
What SEON Charges Extra For
SEON’s $699/month “Starter” plan gives you:
- 2,500 API calls (that’s it)
- 10 users
- 50 custom rules
- “Basic monitoring”
Want unlimited API calls? Custom pricing. Dedicated support? Custom pricing. Their pricing page literally says “contact sales” for anything serious.
What WebDecoy Includes at $59/month
- 5,000 detections/month (2x SEON’s starter)
- Bot Scanner behavioral analysis
- Geographic Consistency Detection
- TLS fingerprinting
- Webhook integrations
- Real-time dashboard
- Email support
Scale to Pro ($149/month) and you get 100,000 detections, SDK access, and WAF integrations. That’s 40x SEON’s starter volume for 1/5th the price.
Real Detection Example
Here’s an actual detection from our system (anonymized):
The Request:

```
POST /api/checkout
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0
X-Forwarded-For: 192.0.2.1 (US - New York)
```

Browser Fingerprint Data:

```json
{
  "timezone": "Asia/Shanghai",
  "languages": ["zh-CN", "zh"],
  "screen": "1920x1080",
  "platform": "Win32"
}
```

WebDecoy Analysis:

```json
{
  "geo_consistency": {
    "score": 35,
    "is_vpn_likely": true,
    "flags": ["timezone_mismatch", "language_mismatch"]
  },
  "tls_fingerprint": {
    "ja3_match": "python-requests",
    "ua_mismatch": true
  },
  "threat_score": 94,
  "verdict": "block",
  "mitre_attack": ["T1090.003", "T1078"]
}
```

What We Caught:
- Chinese timezone + Chinese language + US IP = VPN user
- TLS fingerprint says python-requests, User-Agent says Chrome = Bot
- Combined threat score: 94 = Blocked
This wasn’t a human using a VPN for privacy. This was an automated attack script routing through a US proxy to card stolen payment credentials. Geographic Consistency Detection was the first signal that something was wrong.
Implementation: Already Done
If you’re using WebDecoy’s Bot Scanner SDK or server-side SDKs, Geographic Consistency Detection is already active. No configuration needed.
For Bot Scanner (JavaScript):

```html
<script
  src="https://cdn.webdecoy.io/s.js"
  data-account="acc_your_id"
  data-scanner="scn_scanner_id"
  async
></script>
```

The SDK automatically collects timezone and language data from the browser and sends it to our API for analysis.

For server-side SDKs (Node, Go, PHP), geographic consistency analysis uses HTTP headers:

```javascript
// We parse Accept-Language automatically
const detection = await webdecoy.detect(req);
if (detection.geo_consistency.is_vpn_likely) {
  // Handle VPN user
}
```

What’s Next: Phase 2
Geographic Consistency Detection is Phase 1. Here’s what’s coming:
WebRTC IP Comparison
Real browsers can leak your true IP through WebRTC. If WebRTC shows a different IP than the connection IP, that’s definitive VPN proof. We’re adding this signal to the consistency score.
Connection Timing Analysis
VPN connections add latency. A “New York” user with 400ms ping times to New York servers is probably not in New York. We’re building latency-based location verification.
Historical Consistency
We’ll track location patterns over time. A user who suddenly appears from 5 different “countries” in 24 hours is suspicious, even if each individual session looks clean.
Stop Overpaying for Fraud Prevention
SEON, Arkose, and the other enterprise fraud platforms are charging 2019 prices for 2019 technology. The algorithms aren’t magic. The data sources aren’t secret. They’re just expensive because enterprise buyers don’t question six-figure contracts.
WebDecoy is different:
- Same detection capabilities at a fraction of the cost
- Transparent pricing without “contact sales” gatekeeping
- Developer-first SDKs that actually make sense
- Real-time response through your existing infrastructure
Geographic Consistency Detection is included in every WebDecoy plan. No enterprise tier. No “contact sales.” No $699/month minimums.
Get Started
Start your free trial and see Geographic Consistency Detection in action. Deploy in 5 minutes, catch fraudsters in 6.
Have questions about implementation? Contact us or check out our documentation.
Ready to stop paying enterprise prices for enterprise features?