Analyst Chat #7: Fraud Reduction Intelligence Platforms

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm an analyst and advisor at KuppingerCole analysts. We focus on specific and hopefully interesting topics that we as adults encounter in our daily work. In each edition, I will have one guest joining me, often a fellow analyst or another interesting partner, and we will have a 15 minutes or so chat around current topics. My guest today is John Tolbert.

He is the lead advisor for KuppingerCole in the US and today we will talk about fraud reduction intelligence platforms, and I'm really interested in learning more about that. So welcome John. Hi Mathias. And thanks for having me Great to have you, because really I can also learn something about that fraud reduction intelligence platforms. I've seen that we've just as Analyst published a leadership compass document about that. So there is a market segment about this topic. What can you tell us about this, this market segment? What are fraud reduction, intelligence platforms?

You know, I think it's a really interesting market. These are generally services that can collect and look at many different kinds of fraud, risk factors know, and we're really focused on like the consumer facing or sometimes B2B segments. So there are hundreds of different indicators that show up in, in transactions that, you know, most of the time they're benign, meaning it's good information and it, the transaction should be allowed to proceed, but sometimes these indicators can show the possibility of fraudsters behind the transaction.

And in those cases, these fraud reduction, intelligence platforms evaluate all these different factors in real time, and then can pass on either a recommendation for permit or deny, or maybe even recommend some other kinds of alternative actions. We see that they interact with things like adaptive authentication systems and different kinds of transaction process systems. So obviously payments services, banks, other kinds of financial institutions, but also retail healthcare.

Sometimes insurance will be very interested in consuming tens of services because fraud is just an ever increasing and evermore sophisticated problem that every business around the world really has to deal with today. As a user, I would probably notice that such a system is, is doing its work when I get the request to, to, as you said to reauthenticate to provide a second factor, would that be a sign of such a system being in place?

Yeah, yeah, exactly. Or, you know, sometimes I will get notifications either via email or SMS texts of, did you really make this transaction? Did you make this purchase, you know, push here to continue or, or, you know, type confirm and send that back. That is really the only consumer facing way that you're aware of these kinds of fraud reduction intelligence platforms.

And in those cases, they're informing, say your credit card company that, you know, there's a possibility that this transaction is fraudulent so better to get some sort of confirmation from the user than to allow it to proceed. Okay, understood.

So, and of course, for say a credit card company, of course they have just a business justification to have such a system in place, or what are the other drivers for having such a system implemented? It's also because of compliance governance and are there legal requirements? Yeah.

You know, in the case of, let's say PSD, two fraud reduction can be considered, you know, something analogous as, you know, forcing strong customer authentication. And there's also a need in PSD two for being able to mitigate requirements around popping up a strong customer authentication event every time if you're performing this transactional risk analysis. So by conducting these examinations of a multiplicity of risk factors in front of every transaction, you're, you're helping to comply with regulations like PSD two and beyond banking or finance or credit cards.

You know, many industries have a need for this kind of technology because it can eliminate other kinds of fraud, like new account fraud. That's where you, a bad actor will take information that they might find publicly information, but a person's name or social security number or physical address, or various other factors like that. And use it to construct an account to conduct fraud with same thing with account takeover.

We see that a lot with bad actors who will use phishing or spear phishing to gain access to someone's accounts, compromise them, and then either drain those accounts, get money off of those accounts. Or in some cases they use them as mutual accounts, moving fraudulently obtained funds from one account to another. We had a former Edition of this podcast about malware, about ransomware, about fishing. So this is closely related to that.

So that's, that's a business Model, right? Yeah, yeah.

Unfortunately that's a pretty effective business model, but you know, this is an area where it's, I think it's kind of interesting because it's where the realms of cybersecurity and identity management meet a fraud reduction intelligence platforms look at a variety of different kinds of information, like cyber threat intelligence lists of bad IPS URLs, as well as information about users that might be obtained through like user behavioral analysis programs, things that take into account transaction histories, and then also like physical location. Where is the transaction originating from?

Does this match patterns of activity that have been observed before? So it's really an interesting amalgamation of different cybersecurity. And I am kinds of technologies. Okay. When it comes to two deployment models, how is this provided? Is this just as a service? Is this something that, that customers of this service or the credit card companies, the banks can just consume via, I dunno, an API or something like that? You know, I wouldn't say the most common deployment model is as a service completely.

There are vendors that provide solutions that have an on-premise component, but even then they're going to be consuming a third-party threat intelligence of one kind or another. So I've mostly, it is, it's probably most effectively delivered as a service that would be integrated, but like you said, using an API. Okay. And what are the, The, the mechanisms behind that?

So what, what is the type of information that these solutions look at to identify it? If it's still materials or maybe some, some attacker from, I don't know, Well in looking at those different kinds of fraud attack methods and the ways to counter those things are things like I didn't the proofing and vetting, you know, making sure that the person, the real person who was issued in digital account should have access to that.

So, you know, a lot of times we think of that as kind of a physical process and it pretty much has been up until the last few months or a couple of years where like, you want to get a bank account, you need to go to a bank, but now there are some very interesting sort of offline mobile phone based solutions that can allow for remote identity proofing and vetting there's things like credential intelligence, you know, whether or not a person's credential has been used in a fraudulent or suspected fraudulent way in the past, those kinds of information are shared among different identity providers sometimes.

Or there are companies that collect this information and disseminate it usually through a subscription to other companies, device intelligence, same thing. There are companies that collect information on all the phones out there. They get information from mobile network operators. It can be tracking things all the way down to the SIM card level. I am the number and looking at patterns of usage, say over, you know, three to six months time, this could also include things like device hygiene is a known to have been compromised by some kind of malware.

In some cases it can also contain sort of an environmental or a set of environmental factors, usually related to location, user behavioral analysis, kind of talked about that a bit that can be, you know, looking at patterns of usage over a certain given amount of time, behavioral or passive biometrics. Those are how you might use the phone phone, smartphones, gyroscopes. They can also recognize how you swipe, hold, or type into the phone and use that to sort of build a profile of a given user and detect when it's not the appropriate user.

And then lastly, we've got a bot intelligence bot management, you know, in thinking about non-finance or non-payments kinds of use cases. Bots are automated programs that can do a wide variety of things, some of which are useful from a business. And so not all bots are bad, but there are bots that do things like what we would call inventory hoarding, where they'll go out and scrape a retailer's site, look at prices, and either order up all their inventory and try to resell it or undercut them and pricing.

So those are bots that as a retailer, you would want to be able to appropriately manage how your site interacts with them. Okay, got It. That would actually be somewhat my next question, because as I am a bank user, as I am a credit card holder, I know that I want to protect myself from account takeover from somebody using my, my account for their purposes. That is quite obvious, but I would assume that that's such a solution would also try to cover other types of fraud. You've mentioned back bot attacks, which I did not even think of.

Are there other types of fraud that these platforms cover? Yeah. Bots bots can be involved in automating things like credential stuffing attacks where, you know, maybe bad actors have already compromised a site and put out lists of usernames and passwords. So bots can be programmed to take those username password combinations, then go try that against hundreds of other sites and see if the user's been reusing passwords between sites. And that unfortunately, often times it gives them access to sites that they certainly shouldn't have.

So, yeah, there's, that's probably one of the more prevalent forms of identity fraud, methods of perpetrating, you know, using credential stuffing attacks. Okay. Yeah.

That's, that's really an interesting market actually. So I I've read in your document synthetic account fraud. What is Synthetic account for all? That's like the balance, the same thing as new account fraud, that's where the bad actors will go take information like email addresses, your physical address, date of birth, other sources to make more realistic looking accounts come from healthcare, government agencies, school records and employment records.

So that's why, you know, we, we tend to be very concerned when we see healthcare organizations getting hacked and losing patient information because healthcare records, at least in the U S you know, often contain social security numbers. So that's like a very important underlying data element that can be used to build very authoritative looking accounts. And those cases, most of the bad actors are looking to do things like use this as a staging text so that they can perpetrate additional financial fraud.

And this would be the case of creating mule accounts so that they may have committed fraud somewhere else, but they need an intermediate account to transfer money to, to get it out into the real world. This is, especially in the case when bad guys are using things like cryptocurrencies.

So these, these accounts are sort of an intermediate pass through for fraudulent only obtained cash. Okay.

When, when we put out a leadership compass that usually hints at a mature market, so there is a broad coverage by many vendors, special subs providers. Yeah.

You know, I have to look back, you know, I think there are about 12 to 14 different companies involved that we surveyed this time around and, you know, sort of run the gamut from large it stack vendors to several reasonably new we'll call them early stage venture capital backed, not quite startups. And one thing I've found about this market is, you know, six categories of information that I started with, you know, the user behavioral analysis, Prudential intelligence, spot management, not every one of the vendors does all six of those.

So, I mean, especially if you look at bot management, that's kind of a highly sophisticated, highly specialized kind of technology that's involved in detecting and then dealing with them. So even though it's a pretty mature market, and we've got a really good selection of vendors, there is a pretty wide distribution of the services that they provide. And then also how they do that. And in this field, especially relies on multiple sources of different kinds of threat information. And that can even be somewhat, not necessarily localized, but regionalized.

So you'll find that there are certain vendors amongst this list that let's say specialize in the north American market, or some that specialize in the European market. There are a few of course cover anywhere around the globe. But as you can imagine, it's such a rich and voluminous data set. It would be, it is difficult to provide Intel on transactions around the world. Right. Got it.

So If somebody looked at the leadership compass, they will always have to, to map their individual requirements, maybe even their region as a second set of requirements, to understand which of the rated vendors, especially service providers are the right to choose for them. Maybe we can even support them in identifying the right solution here.

Yeah, exactly. And we try to call out both with the market rating graphic in detail, where each company operates, which ones are global, which ones are regional. And then you're right too, in terms of overall requirements.

That, again, I think it's important for companies or organizations to really stand what it is they need to do in order to be able to reduce the kinds of fraud they face that that will be an important differentiator in looking at these different solutions that are out there and selecting the right one. Okay. Got it.

So, so I learned a lot about fraud reduction, intelligence platforms. If our audience wants to learn more about that, I assume we have more information on that. Yeah. There's the leadership compass. There are some individual executive views and there we have a couple of webinars coming up on the topics or would just look at the website.

We'll, we'll be doing some webinars in the next couple of weeks, or we can dive down even more detail about this and look at some of the solution providers in the area. Okay, great. And For those who are listening to this podcast later in the year, all these webinars will of course be available as recording. So you just can come watch them afterwards very easily. So thank you very much, John, for giving that insight. Also to me, that was new to me and very interesting, a real, real life solution.

Of course, somebody interested in learning more about that for the individual use case can contact KuppingerCole and can contact John for help when it comes to identifying and maybe even implementing such a solution. Thanks again, John, any famous last words, Just to echo what you're saying. Yeah. We're always happy to talk about these things.

It's, it's a very interesting field, but we know, and I'm sure everyone sees every day looking at the, at the news, there are more and more cases of data breaches, different kinds of hacks and fraud. Unfortunately, that will probably continue to increase. So these kinds of solutions will be even more necessary and we will continue to report on these as well. Exactly.

Okay, great. Thanks again. And I'm looking forward to having you in one of the next additions of this podcast. Again.

Thank you, John. Bye-bye. Thank you.