Leadership Compass

Fraud Reduction Intelligence Platforms

This report provides an overview of the market for Fraud Reduction Intelligence Platforms and provides you with a compass to help you to find the solution that best meets your needs. We examine the market segment, vendor service functionality, relative market share, and innovative approaches to providing Fraud Reduction Intelligence Platform solutions.

John Tolbert

jt@kuppingercole.com

1 Introduction

Fraud is a major cost to businesses worldwide. Cybersecurity Ventures estimates that cybercrime costs will reach $10.5 trillion by 2025. Fraud has been exacerbated by the Covid pandemic. Banking, finance, payment services, and retail are some of the most frequent objectives of fraudsters, as expected. However, insurance, gaming, telecommunications, health care, cryptocurrency exchanges, government assistance agencies, travel and hospitality, and real estate are increasingly targeted as cybercriminals have realized that most online services trade in monetary equivalents. Moreover, after years in the sights of cybercriminals, banking and finance in general are better secured than other industries, so fraudsters attack any potentially lucrative target of opportunity. Fraud perpetrators are also continually diversifying and innovating their Tactics, Techniques, and Procedures (TTPs).

The most prevalent types of fraud businesses and government agencies experience today are:

Account Takeover Fraud (ATO) - occurs when fraudsters use breached passwords and credential stuffing attacks to execute unauthorized transactions. Additional means for account takeover fraud are malware attacks (man in the middle and man in the browser) as well as the use of Remote Access Tools via Trojan or social engineering scams.

New Account Fraud (NAF) – also called Account Opening (AO) Fraud, often happens as a result of using stolen identities or assemblages of personal information to create a synthetic digital ID, and can be more difficult to detect but has advantages for attackers. This type involves gathering complete sets of or bits of PII (Personally Identifiable Information) on legitimate persons to construct illegitimate accounts. Educational, financial, and medical records can be sources of PII used for assembling fake accounts, which are then often used to abuse promotions and instant loans and/or used as mule accounts to move money around.

Other common fraud types that are encountered include:

SIM Swap Fraud – a SIM swap is a special type of ATO involving a change within a Mobile Network Operator’s (MNO’s) device mapping database that points a phone number to a specific SIM card installed in customer phones. SIM Swap Fraud occurs when malicious actors convince MNO employees to associate victims’ mobile phone numbers with the fraudsters’ devices. Fraudsters may try to get information directly from victims or may buy victim info on the dark web in order to set the stage for these kinds of attacks. In this sense, it is a special kind of ATO fraud that relies upon social engineering and/or insider fraud.

Insider Fraud - includes not only financial theft by employees, contractors, or partners, but also the theft of intellectual property (IP), which may include customer information from CRM systems.

Screen Scraping – programmatically scraping information entered into web forms by consumers and sending it to other web services. This technique is (unfortunately, because it is insecure) sometimes used for legitimate purposes.

Inventory Skimming or Depletion – perpetrated largely by bots that buy up a retailer’s inventory to re-sell.

Fraudulent Insurance Claim Submission – insurance agents’ and brokers’ credentials are captured and used to authorize fraudulent insurance claims.

Real Estate Escrow Mis-Direct – real estate agents’ credentials are captured and used to send emails to customers to have them transfer large sums (down payments) to fraudsters’ accounts. These transfers are usually unrecoverable and can be devastating to home buyers.

Banking Overlays – malicious apps that look like login screens for mobile banking apps, designed to harvest credentials and hijack transactions.

Travel Site Overlays - malicious apps that look like login screens for mobile travel apps, designed to harvest credentials and hijack transactions.

The chief mitigation strategies against these types of fraud employ real-time risk analytics and decisioning. Risk-based Multi-Factor Authentication (MFA) can eliminate a substantial portion of ATOs by increasing authentication assurance levels. Risk-based MFA often evaluates credential intelligence, device intelligence, user behavioral analytics, and behavioral/passive biometrics. To decrease NAF/AO/Synthetic Fraud, increasing identity assurance at registration and authentication time with identity vetting services is recommended. Bot detection and management can also be helpful at cutting other types of fraud.

Risk-based MFA and transaction processing solutions operate optimally when integrated with or informed by Fraud Reduction Intelligence Platforms (FRIPs). FRIPs provide to risk-based MFA and transaction processing systems the information needed to make more accurate decisions on whether or not transactions should execute. FRIP solutions generally provide up to six major functions:

  • Identity proofing/vetting
  • Credential intelligence
  • Device intelligence
  • User behavioral analysis
  • Behavioral/passive biometrics
  • Bot detection & management
Figure 9: KuppingerCole

This report covers solutions that aggregate multiple fraud intelligence sources and provide advanced analytics services for customer organizations to augment their applications with the goal of reducing costly fraud.

1.1 Highlights

  • Fraud Reduction Intelligence Platforms are increasingly sought after by consumer-facing businesses in all industries. Account takeovers and new account fraud have been rising for years but have been exacerbated by the Covid pandemic.
  • More FRIP solutions incorporate identity proofing directly and/or allow customers to extend identity vetting by enabling connections to 3rd-party authoritative attribute providers. The most innovative platforms offer remote identity verification apps and/or SDKs.
  • Compromised credential intelligence is not ubiquitously used. Most vendors use credential intelligence from among their customer bases but sharing and consumption of external sources is not common.
  • User behavioral analysis capabilities are expanding and getting more detailed in terms of transaction level attributes.
  • Device intelligence, as a key indicator of fraud, is more widely collected and used effectively by FRIP service providers.
  • Behavioral biometrics are catching on as more FRIP vendors provide built-in capabilities or partner with specialists to add this to their portfolios. Behavioral biometrics are a leading driver of innovation in the FRIP market.
  • Bot detection capabilities are essential, and this is reflected by the fact that most vendors in this space now have at least basic bot detection functions. Advanced bot management is not commonplace yet within FRIP solutions.
  • The product leaders are ID Dataweb, Transmit Security, Experian, BioCatch, OneSpan, IBM, Broadcom, and Arkose Labs.
  • The innovation leaders are ID Dataweb, BioCatch, IBM, Transmit Security, Experian, OneSpan, and Arkose Labs.
  • The market leaders are Broadcom, Experian, Neustar, Outseer (RSA), IBM, OneSpan, and Transmit Security.

1.2 Market Segment

The Fraud Reduction Intelligence Platform market is mature and growing, with some vendors offering full-featured solutions providing comprehensive functionality addressing each of the major methods listed above to support millions of users and billions of transactions across every industrial sector. As will be reflected in this report, the solutions in this space are quite diverse. Some vendors have about every feature one could want in a FRIP service, while others are more specialized, and thus have different kinds of technical capabilities. For example, some vendors are highly adept at device intelligence, including detailed histories of devices and information provided by working relationships with MNOs, but may not offer bot detection & management. Others excel at user behavioral analysis and passive biometrics, but don’t do identity proofing. In general, identity proofing and vetting is quite specialized and is not built-in to all FRIP services. Many FRIP vendors allow customers to outfit their instances with identity vetting capabilities by enabling API callouts to 3rd-party ID vetting services, and then processing the results at transaction time.

Furthermore, KuppingerCole research indicates that the particular market segments that vendors choose to target often have a direct effect on the type of features available in their FRIP solutions. Some vendors specialize strictly in preventing fraud in financial transactions. Others are more general purpose, offering their services for insurance, health care, gaming, etc.

1.3 Delivery models

In the Fraud Reduction Intelligence Platform market, solutions are generally offered as SaaS. It’s a consumable service, not usually something that customers would need or want to run in-house. For these SaaS offerings, the licensing model is often priced per volume of transactions. Some may offer discounts or refunds for low-scored results (i.e., missed fraud detections) that lead to chargebacks or other fraud.

1.4 Required capabilities

We are looking for comprehensive solutions that provide at least 4 of the 6 major areas of functionality. These are typically the requirements that customers pose to prospective vendors in RFPs:

  • ID Proofing – verification that the proper user subject is issued digital credentials, often validated against government-issued ID credentials. Identity proofing and vetting services tend to be localized to specific regions or countries. FRIP solutions generally call out via APIs to one or more ID Proofing services rather than building this functionality directly into their FRIP. Some vendor services have built-in ID proofing functions.
  • Credential Intelligence - information about prior usage of digital credentials, to answer questions such as “is this credential known to have been recently compromised?” or “has this credential been used for fraud at other sites?”
  • User Behavioral Analysis (UBA) – examination of past user activities to determine if the current transaction request is within normal parameters. For example, “is the requested amount and recipient typical of what this user has successfully transacted before?” or “does the request originate with similar environmental attributes as prior transaction requests?”. Environmental attributes may consist of data points such as time/day, IP, cyber threat intelligence, geo-location, geo-velocity, Wi-Fi SSIDs, and others. Longer storage periods allow for larger volumes of data to be evaluated, increasing accuracy and effectiveness.
  • Device Intelligence - includes device hygiene (OS patch versions, anti-malware client presence, and RAT detection), device history and reputation, location history, IP reputation, MNO carrier information (IMSI, IMEI, etc.). MNO identifiers, such as the IMEI and IMSI, in conjunction with UBA and Behavioral Biometrics (see next), can enable FRIP services to detect SIM swap attacks. Some services may include consumption of other 3rd-party sources of information.
  • Behavioral/Passive Biometrics – the ability to analyze metrics of users’ physical interaction with devices for comparison against registered samples. For desktop/laptop computers, this may involve downloading JavaScript from the customer site to capture information on keystroke and mouse usage; for mobile devices, this may involve building a mobile app using a special SDK that allows for collection of information on screen pressure, swipe analysis, gyroscopic orientation, etc.
  • Bot Detection – evaluation of pertinent cyber threat intelligence on botnet activities, request context behavior, and behavioral biometrics to determine on a per-session basis whether a real user vs. bot is requesting the action.

Most vendor solutions that utilize these methods employ various Machine Learning (ML) algorithms to process the vast amounts of data required to detect and classify anomalies in order to determine accurate risk scores and help customer applications make informed decisions.
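The sketch below is an added example, not code from this report or from any vendor it covers. It shows how the UBA and device intelligence signals described above (amount and recipient versus a per-user baseline, geo-velocity, and a changed IMSI for a known phone number) could be combined into a risk score that selects a response action. All field names, weights, thresholds, and sample values are assumptions constructed for illustration; production services typically derive such scores with ML models rather than fixed weights.

```python
import math
from dataclasses import dataclass

@dataclass
class Baseline:              # per-user history a UBA engine accumulates (hypothetical fields)
    max_amount: float        # largest amount the user has successfully transacted
    recipients: set          # recipients seen in prior transactions
    lat: float               # location and time of the last accepted request
    lon: float
    epoch: int
    imsi_by_msisdn: dict     # phone number -> IMSI last reported for it

@dataclass
class Request:
    amount: float
    recipient: str
    lat: float
    lon: float
    epoch: int
    msisdn: str
    imsi: str

MAX_KMH = 900.0  # assumed ceiling: faster than a commercial flight is implausible
WEIGHTS = {"amount_above_baseline": 30, "new_recipient": 20,
           "geo_velocity": 40, "imsi_changed": 40}  # assumed weights

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def evaluate(b, r):
    """Score a request against the baseline; return (action, score, reasons)."""
    hours = max((r.epoch - b.epoch) / 3600.0, 1 / 60)  # floor avoids divide-by-zero
    known_imsi = b.imsi_by_msisdn.get(r.msisdn)
    signals = {
        "amount_above_baseline": r.amount > b.max_amount,
        "new_recipient": r.recipient not in b.recipients,
        "geo_velocity": km_between(b.lat, b.lon, r.lat, r.lon) / hours > MAX_KMH,
        # Same phone number now reporting a different SIM: possible SIM swap.
        "imsi_changed": known_imsi is not None and known_imsi != r.imsi,
    }
    reasons = [name for name, hit in signals.items() if hit]
    score = sum(WEIGHTS[name] for name in reasons)
    action = "Deny" if score >= 70 else "Step-up" if score >= 30 else "Permit"
    return action, score, reasons

# Constructed sample baseline: test-network IMSI and a fictional phone number.
BASELINE = Baseline(200.0, {"acct-landlord"}, 51.5074, -0.1278, 1_700_000_000,
                    {"+15555550100": "001010000000001"})
```

A single signal such as a changed IMSI only triggers step-up authentication here; the request is denied when several signals coincide, which keeps false positives from blocking legitimate users who replace a SIM.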

Solutions not meeting our general inclusion criteria but nevertheless strongly focusing on specific types of fraud reduction are mentioned separately in our “Vendors to watch” chapter. Consequently, we did not impose any additional restrictions on vendors, such as a minimum number of customers or revenue caps – both large international companies and small but innovative startups were invited to participate. KuppingerCole does not charge vendors to participate in Leadership Compass reports.

Evaluation Criteria Key Features

  • Solutions which interoperate with authoritative attribute sources for ID proofing, generally via APIs

  • Solutions which can draw from both in-network and out-of-network sources for compromised credential intelligence and effectively use that information for transaction-time analyses without impeding customer business (for example, high false positive rates)

  • Solutions which can build a baseline of normal activity per user and compare it in real-time to incoming transaction requests; or those which interoperate with 3rd-party sources of user behavioral analysis

  • Solutions which can harvest device intelligence from in-network and/or consume 3rd-party device intelligence sources

  • Solutions which enable customers to deploy behavioral/passive biometrics capabilities by use of JavaScript or vendor-provided SDKs and process collected passive biometrics data within their risk analysis engine

  • Solutions which can granularly build policies to evaluate business-relevant environmental attributes

  • Solutions that utilize the above-mentioned types of information and offer customer administrators flexible and automated response actions such as

    • Permit
    • Deny
    • Re-authenticate
    • Step-up / out-of-band authorization
    • Place holds on accounts
    • Set monetary limits on transaction amounts by account or account type
    • Throttle transactions per period and per user
    • Approve/prohibit IP addresses and ranges
  • Solutions which generate dashboards and reports for customers including the following standard types:

    • Total number of dismissed, detections, case open and close events, etc.
    • Regional activities
    • Source/destination aggregation
    • Fraud types detected
    • Location/fraud type trend analysis
    • Chargeback events per period, rates, and reasons
    • Fraud rates benchmarked per industry
    • Others as needed per industry or general use case

Additional and related features will be considered as innovations and benefits but not absolute functional requirements in this analysis:

  • Solutions which can adequately identify bot-generated activities and present customer administrators with appropriate management options for proactively handling these kinds of activities. Sessions suspected of being manipulated by bots can be handled differently than those believed to be initiated by real users. For example, customers usually can set policies to deny, throttle, or redirect bot traffic while giving priority to real users. This collection of features is not found in all FRIP solutions.
  • Geographic and industry-specific compliance regimes and certifications, such as but not limited to AML, GDPR, KYC, OFAC, PCI-DSS, PEPs, PSD2, etc.
  • OLAs or service guarantees that provide relief to customers in cases where missed fraud detections or false positives decrease customer revenue
  • Support for relevant standards such as OAuth and Global Platform Secure Element (SE) and Trusted Execution Environment (TEE) standards
  • Integration with national e-IDs and passports issuers and validators
  • Support for advanced use cases outside of only the financial and payments sectors, including but not limited to insurance, retail, media, travel and hospitality, etc.

The criteria evaluated in this Leadership Compass reflect the varieties of use cases, experiences, business rules, and technical capabilities required by KuppingerCole clients today, and what we anticipate clients will need in the future. The products examined meet many of the requirements described above, although they sometimes take different approaches in solving the business problems.

The following are our standard criteria against which we evaluate products and services:

  • overall functionality and usability
  • internal service security
  • size of the company
  • number of customers and end-user consumers
  • number of developers
  • partner ecosystem
  • licensing models

Each of the features and criteria listed above will be considered in the product evaluations below.
