Fraud Reduction Intelligence Platforms
This report provides an overview of the market for Fraud Reduction Intelligence Platforms and a compass to help you find the solution that best meets your needs. We examine the market segment, vendor service functionality, relative market share, and innovative approaches to providing Fraud Reduction Intelligence Platform solutions.
Fraud is a major cost to businesses worldwide. Multiple reporting sources estimate that total related cybercrime costs will reach $2 trillion globally in 2019 and will rise to $6 trillion by 2021. Banking, finance, payment services, and retail are some of the most frequent targets of fraudsters, as expected. However, insurance, gaming, telecommunications, health care, cryptocurrency exchanges, travel and hospitality, and real estate are increasingly targeted as cybercriminals have realized that most online services trade in monetary equivalents. Moreover, after years in the sights of cybercriminals, banking and finance in general are better secured than other industries, so fraudsters attack any potentially lucrative target of opportunity. Fraud perpetrators also continually diversify their Tactics, Techniques, and Procedures (TTPs).
Online fraud comes in several major forms:
- Account Takeover (ATO) - most often occurs when fraudsters use breached passwords and credential stuffing attacks to execute unauthorized transactions
- New Account Fraud (NAF) - sometimes called Synthetic Fraud, can be more difficult to detect and have advantages for attackers. This type involves gathering bits of PII (Personally Identifiable Information) on legitimate persons to construct illegitimate accounts. Educational, financial, and medical records can be sources of PII used for assembling fake accounts, which are then often used to launch attacks and/or are used as mule accounts to move money around
- Insider Fraud - includes not only financial theft by employees, contractors, or partners, but also the theft of intellectual property (IP), which may include customer information from CRM systems
- Screen Scraping – programmatically scraping information entered into web forms by consumers and sending it to other web services. This technique is (unfortunately, because it is insecure) sometimes used for legitimate purposes
- Inventory Skimming or Depletion – perpetrated largely by bots that buy up a retailer’s inventory to re-sell
- Fraudulent Insurance Claim Submission – insurance agents’ and brokers’ credentials are captured and used to authorize fraudulent insurance claims
- Real Estate Escrow Mis-Direct – real estate agents’ credentials are captured and used to send emails to customers to have them transfer large sums (down payments) to fraudsters’ accounts. These transfers are usually unrecoverable and can be devastating to home buyers
- Banking Overlays – malicious apps that look like login screens for mobile banking apps, designed to harvest credentials and hijack transactions
- Travel Site Overlays - malicious apps that look like login screens for mobile travel apps, designed to harvest credentials and hijack transactions
One of the chief mitigations against these types of fraud is risk-based multi-factor authentication (MFA). Strong authentication or MFA can eliminate a substantial portion of ATOs by increasing authentication assurance levels. Risk-based MFA often includes mechanisms to increase identity assurance, such as identity proofing, user behavioral analytics, and behavioral/passive biometrics. Insider Fraud is handled differently due to the fact that in many cases, the access policy conditions are met because the individual(s) are authorized. Thus, monitoring and user behavioral analysis are key deterrents; and implementing the principles of least privilege and separation of duties are important to limit possible damage by insiders.
Risk-based MFA is characterized by transaction-time evaluation of multiple factors, including information about users, their devices, and the environments from which requests emanate. Risk-based MFA solutions operate optimally when integrated with or informed by Fraud Reduction Intelligence Platforms (FRIPs). FRIPs provide to risk-based MFA and transaction processing systems the information needed to make more accurate decisions on whether or not transactions should execute. FRIP solutions generally provide up to six major functions:
- Identity proofing/vetting
- Credential intelligence
- Device intelligence
- User behavioral analysis
- Behavioral/passive biometrics
- Bot detection & management
FRIP solutions also can interoperate with transaction processing systems, evaluating the context of each transaction request against pre-determined policies (similarly to authentication decisions in risk-based authentication systems) and then outputting risk scores. In these use cases, customers of FRIP solutions usually must write a bit of code to have their transaction processing systems query the FRIP service providers’ APIs. For example, a FRIP customer will collect transaction context information and transmit that as part of the API call to the FRIP service. The FRIP solution analyzes the transaction request context, gathers additional intelligence relevant to the user and request in real-time, scores it in accordance with customer-determined policies, then returns the risk score to the calling customer. The customer’s transaction processing logic then executes, taking into consideration the risk score from the FRIP service.
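The customer-side decision logic described above, as an added example that is not from this report or any vendor's SDK: `score_fn` is a hypothetical wrapper around a FRIP provider's API call, and the 0-100 score scale, thresholds, and action names are assumptions. It also covers the case where no usable score comes back.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class TxContext:
    """Transaction context the customer collects before calling the FRIP service."""
    user_id: str
    amount: float
    ip: str
    device_id: str
    recent_tx_count: int  # this user's transactions in the current period


@dataclass(frozen=True)
class Policy:
    """Customer-determined policy; every value here is an assumed example."""
    step_up_score: int = 40
    hold_score: int = 80
    amount_limit: float = 5000.0
    max_tx_per_period: int = 5
    denied_ips: frozenset = frozenset()


def decide(ctx: TxContext, policy: Policy,
           score_fn: Callable[[TxContext], Optional[int]]) -> str:
    """Return 'deny', 'throttle', 'hold', 'step_up' or 'allow' for one request."""
    # Local checks that need no round trip to the scoring service.
    if ctx.ip in policy.denied_ips:
        return "deny"
    if ctx.recent_tx_count >= policy.max_tx_per_period:
        return "throttle"
    try:
        score = score_fn(ctx)  # hypothetical wrapper around the provider's API
    except Exception:
        score = None  # timeout, transport or parsing failure
    if not isinstance(score, int) or not 0 <= score <= 100:
        # No usable score: never fall through to 'allow' on missing intelligence.
        return "step_up"
    if score >= policy.hold_score:
        return "hold"
    if score >= policy.step_up_score or ctx.amount > policy.amount_limit:
        return "step_up"
    return "allow"
```

Routing a missing or malformed score to step-up rather than allow keeps an outage of the scoring service from silently disabling fraud checks.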
1.1 Market Segment
The Fraud Reduction Intelligence Platform market is mature and growing, with some vendors offering full-featured solutions providing comprehensive functionality addressing each of the major methods listed above to support millions of users and billions of transactions across every industrial sector. As will be reflected in this report, the solutions in this space are quite diverse. Some vendors have about every feature one could want in a FRIP service, while others are more specialized, and thus have different kinds of technical capabilities. For example, some vendors are highly adept at device intelligence, including detailed histories of devices and information provided by working relationships with Mobile Network Operators (MNOs), but may not offer bot detection & management. Others excel at user behavioral analysis and passive biometrics, but don’t do identity proofing. In general, identity proofing and vetting is quite specialized and is not found in all FRIP services.
Furthermore, KuppingerCole research indicates that the particular market segments that vendors choose to target often have a direct effect on the type of features available in their FRIP solutions. Some vendors specialize strictly in preventing fraud in financial transactions. Others are more general purpose, offering their services for insurance, health care, gaming, etc.
1.2 Delivery models
In the Fraud Reduction Intelligence Platform market, solutions are generally offered as SaaS. It’s a consumable service, not usually something that customers would need or want to run in-house. For these SaaS offerings, the licensing model is often priced per volume of transactions. Some may offer discounts or refunds for low-scored results (i.e., missed fraud detections) that lead to chargebacks or other fraud.
1.3 Required capabilities
We are looking for comprehensive solutions that provide at least 4 of the 6 major areas of functionality. These are typically the requirements that customers pose to prospective vendors in RFPs:
- ID Proofing – verification that the proper user subject is issued digital credentials, usually validated against government-issued ID credentials
- Credential Intelligence - information about prior usage of digital credentials, to answer questions such as “is this credential known to have been recently compromised?” or “has this credential been used for fraud at other sites?”
- User Behavioral Analysis (UBA) – examination of past user activities to determine if the current transaction request is within normal parameters. For example, “is the requested amount and recipient typical of what this user has successfully transacted before?” or “does the request originate with similar environmental attributes as prior transaction requests?”. Environmental Attributes may consist of data points such as time/day, IP, cyber threat intelligence, geo-location, geo-velocity, Wi-Fi SSIDs, and others. Longer storage periods allow for larger volumes of data to be evaluated, increasing effectiveness.
- Device Intelligence, which includes device hygiene (OS patch versions, anti-malware client presence, and RAT detection), device history and reputation, location history, IP reputation, MNO carrier information (SIM, IMEI, etc.). Some services may include consumption of other 3rd party sources of information.
- Bot Intelligence and Management – evaluation of pertinent cyber threat intelligence on botnet activities, request context behavior, and behavioral biometrics. Sessions suspected of being manipulated by bots can be handled differently than those believed to be initiated by real users. For example, customers usually can set policies to deny, throttle, or redirect bot traffic while giving priority to real users. This collection of features is not found in all FRIP solutions, and ratings in this document reflect that.
Most vendor solutions that utilize these methods employ various Machine Learning (ML) algorithms to process the vast amounts of data required to make accurate risk scores and informed decisions.
Solutions not meeting our general inclusion criteria but nevertheless strongly focusing on specific types of fraud reduction are mentioned separately in our “Vendors to watch” chapter. Consequently, we did not impose any additional restrictions on vendors, such as a minimum number of customers or revenue caps – both large international companies and small but innovative startups were invited to participate. KuppingerCole does not charge vendors to participate in Leadership Compass reports.
Evaluation Criteria Key Features
- Solutions which interoperate with authoritative attribute sources for ID proofing, generally via APIs
- Solutions which can draw from both in-network and out-of-network sources for compromised credential intelligence and effectively use that information for transaction-time analyses without impeding customer business (for example, high false positive rates)
- Solutions which can build a baseline of normal user activity per user and compare it in real-time to incoming transaction requests; or those which interoperate with 3rd-party sources of user information
- Solutions which can harvest device intelligence in-network and/or consume 3rd-party device intelligence sources
- Solutions which can granularly build policies to evaluate business-relevant environmental attributes
- Solutions which can adequately identify bot-generated activities and present customer administrators with appropriate options for proactively handling these kinds of activities
- Solutions that utilize the above-mentioned types of information and offer customer administrators flexible and automated response actions such as:
  - Step-up / out-of-band authorization
  - Place holds on accounts
  - Set monetary limits on transaction amounts by account or account type
  - Throttle transactions per period and per user
  - Blacklist/whitelist IPs
- Solutions which generate dashboards and reports for customers including the following standard types:
  - Total number of dismiss, detect, case open, case closed, etc.
  - Regional activities
  - Source/destination aggregation
  - Fraud types detected
  - Location/fraud type trend analysis
  - Chargeback events per period, rates, and reasons
  - Fraud rates benchmarked per industry
  - Others as needed per industry or general use case
- Additional and related features will be considered as benefits but not absolute functional requirements in this analysis:
  - Geographic and industry-specific compliance regimes and certifications, such as but not limited to AML, GDPR, KYC, OFAC, PCI-DSS, PSD2, etc.
  - OLAs or service guarantees that provide relief to customers in cases where missed fraud detections or false positives decrease customer revenue.
The criteria evaluated in this Leadership Compass reflect the varieties of use cases, experiences, business rules, and technical capabilities required by KuppingerCole clients today, and what we anticipate clients will need in the future. The products examined meet many of the requirements described above, although they sometimes take different approaches in solving the business problems.
The following are our standard criteria against which we evaluate products and services:
- overall functionality and usability
- internal service security
- size of the company
- number of customers and end-user consumers
- number of developers
- partner ecosystem
- licensing models
Each of the features and criteria listed above will be considered in the product evaluations below. We’ve also looked at specific USPs (Unique Selling Propositions) and innovative features of products which distinguish them from other offerings available in the market. Features that are considered innovative are listed below.
- Support for relevant standards such as OAuth and Global Platform Secure Element (SE) and Trusted Execution Environment (TEE) standards
- A comprehensive and consistent set of REST-based APIs for integrating with customer transaction processing systems
- Browser and mobile app integration capabilities (SDKs).
- Integration with national e-IDs and passports.
Please note that we only listed a sample of features, and we consider other capabilities per solution as well when evaluating and rating the various consumer authentication solutions.