// REFERENCE
How Wi-Fi positioning works
Everything you need to read a fraud.xxx response correctly — the physics, the fields, the accuracy, and the rules of the road.
[ 01 ] Wi-Fi positioning 101
Every Wi-Fi access point continuously broadcasts a globally-unique hardware address — its BSSID. Access points rarely move, so the set of BSSIDs a device can hear is a remarkably stable fingerprint of where that device physically is.
Mapping services (Apple, Google, Skyhook and others) have spent years observing which BSSIDs appear at which coordinates. fraud.xxx operates a large, US-focused observation graph of that relationship — given a BSSID we know roughly where it lives; given a coordinate we know which BSSIDs to expect.
[ 02 ] BSSID & OUI
A BSSID looks like aa:bb:cc:dd:ee:ff. The first three bytes (the OUI) are assigned by the IEEE to a manufacturer, revealing the vendor. We resolve the OUI to a vendor and device_class, and flag locally-administered addresses — the hallmark of a randomized or virtual MAC.
[ 03 ] hacc, vacc & altitude
hacc_m— horizontal accuracy in metres; the per-point confidence radius. Smaller is better.vacc_m— vertical accuracy, when an altitude solution exists.alt_m— estimated altitude; useful to separate floors in tall buildings.
[ 04 ] Randomized MACs & twins
Phones rotate their MAC for privacy. These randomized MACs are marked is_random: true — poor anchors, discount them. We also detect twins: one BSSID seen at two locations (a moved device or address reuse), so you can judge whether the anchor is trustworthy.
[ 05 ] ZIP vs coordinate precision
You can query by exact lat/lon or by zip. They are not the same, and we never pretend otherwise:
| precision.mode | est_accuracy_m | meaning |
|---|---|---|
| coordinate | 5–30 | Address-level. Safe for verification. |
| zip_centroid | 2,000–10,000 | Centre of a ZIP. Coarse enrichment only — never proof. |
[ 06 ] Confidence & freshness
Access points move, get replaced, or vanish. A point last seen two years ago is weaker evidence than one seen last week. first_seen / last_seen expose this; confidence (0…1) and spread_m summarise a verify result.
Rule of thumb: confidence > 0.7 with spread < 100 m is a strong on-site match. Anything ZIP-derived is contextual, not conclusive.
[ 07 ] Field glossary
| field | type | description |
|---|---|---|
| bssid | string | Normalised AP hardware address. |
| lat, lon | float | Estimated AP location (WGS-84). |
| hacc_m / vacc_m | int | Horizontal / vertical accuracy, metres. |
| alt_m | int | Estimated altitude, metres. |
| distance_m | float | Distance from the query point (nearby queries). |
| vendor | string | Manufacturer resolved from the OUI. |
| device_class | string | Inferred hardware type (router, AP, hotspot…). |
| is_random | bool | Locally-administered / randomized address. |
| first_seen / last_seen | datetime | Observation window — your freshness signal. |
| zip_city / zip_state | string | Reverse-geocoded context. |
| phone_area_codes | string[] | Area codes covering the location. |
[ 08 ] Quickstart
Authenticate with X-API-Key. Base URL https://api.fraud.xxx.
# verify observed BSSIDs
curl -s https://api.fraud.xxx/v1/verify \
-H "X-API-Key: $FRAUDXXX_KEY" \
-d '{"bssids":["aa:bb:cc:dd:ee:ff","12:34:56:78:9a:bc"]}'
# reverse lookup (zip = coarse, lat/lon = precise)
curl -s "https://api.fraud.xxx/v1/aps/nearby?zip=10003&limit=25" \
-H "X-API-Key: $FRAUDXXX_KEY"[ 09 ] Acceptable use
fraud.xxx is a B2B risk and verification signal. By using the API you agree:
- Permitted: fraud prevention, account-takeover defense, KYC/AML, geo-compliance, delivery/field verification, security research.
- Prohibited: stalking, surveillance of individuals, people-search, locating a specific person's home, consumer tracking without consent, bulk export or resale of the underlying data, or any unlawful use.
- Results are a probabilistic signal, not legal proof of any person's location. Never use as the sole basis for an adverse decision about an individual.
- Access is reviewed and may be revoked for abuse. Requests are logged.
[ 10 ] Privacy & opt-out
Networks whose SSID ends in _nomap are excluded upstream and not collected. To suppress a specific BSSID or report misuse, email privacy@fraud.xxx; verified requests are suppressed promptly.
fraud.xxx is not affiliated with, endorsed by, or connected to Apple Inc. or any network operator.