Companies are turning to Fraud Reduction Intelligence Platforms to reduce account takeover (ATO), synthetic fraud, bots, and other forms of fraud, which continue to be a pervasive and revenue-draining problem across many industries.
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Companies are turning to Fraud Reduction Intelligence Platforms to reduce account takeover (ATO), synthetic fraud, bots, and other forms of fraud, which continue to be a pervasive and revenue-draining problem across many industries.
Companies are turning to Fraud Reduction Intelligence Platforms to reduce account takeover (ATO), synthetic fraud, bots, and other forms of fraud, which continue to be a pervasive and revenue-draining problem across many industries.
Good morning. Good afternoon. Thanks for joining us at the webinar today.
Today, our topic is a compass for choosing the right fraud reduction intelligence platform. I'm John Tolbert lead Analyst here at KuppingerCole just published a report on fraud reduction intelligence, and I'm joined today by Raj gully, director of customer solutions and field engineering from transmit security. Just a little bit about us Cooper, and Cole's been in business since 2004.
We do research advisory now, including digital advisory, where we can work with you over video conferencing and online collaboration systems on projects like tech evals, strategy, definitions, conducting RFPs and architectural assessments. And we're also launching and have a couple of master classes out there. They're interactive webinars, full day of content in a virtual classroom based on our up to date research. So check our website about the availability of new master classes. So logistics here, we're muting everyone. There's no need to mute or unmute yourself.
We are recording the webinar and the webinar recording and slides should be available probably by tomorrow. And we'll do a Q and a session at the end. You'll notice there is a questions and the go to meeting control panel, feel free to enter your questions into that at any time. And we will take them at the end. So I'll start off talk about fraud trends, what the different reduction techniques are, and then give you an review of the leadership compass, comparative assessment of fraud reduction, Intel platforms.
And then I will turn it over to Raj and he can talk some more about fraud reduction and he has a short demo to show of transmit platforms, key differentiators. So overview of fraud, techniques and trends. This is probably not a big surprise to anybody. Cyber crime continues to increase by next year. Several sources estimated should hit $6 trillion worth of drain on the global economy. And we certainly don't need that up from 3 trillion in 2015. So you see how much of a growth industry it is.
Unfortunately, when talking about a couple of major kinds of fraud, give you a little background on that and, and why fraud reduction Intel systems are so important today. So we'll start with new account fraud, kind of what it sounds like this involves bad guys, stealing information like email addresses, phone numbers, physical addresses, course names, you know, and if they can get ahold of things like social security numbers and dates of birth, then that makes it much easier for them to create a new account based on their somebody else's identity.
And I think this is why we've seen a real uptick in data breaches going after healthcare organizations, various civilian kinds of government agencies, school records, employment records, cuz they do have that enriched PII. That can be so key for them to be able to create very legitimate looking accounts, what they used for well, as you might expect too, financial fraud often they're used for mule accounts. And even if these malicious let's say collect ransomware, ransoms and cryptocurrency, they at some point want to get that out into the real world.
And sometimes they use things like fraudulent accounts. They could also be used, you know, to open up credit cards, get lines of credit and, and make victims very miserable. And even though it's harder for them to set this up, I mean, it's much harder to do this than it is. Just go grab a social or a credit card number and, and CVV number off the dark web or even off just public groups. Sometimes it makes it harder to detect than just stealing those credit card numbers. So how do we mitigate against this identity? Vetting is probably number one.
I would think I probably should have listed it that way, but yeah, identity vetting, making sure that accounts get issued to the proper individuals. We'll be seeing this throughout the webinar content today. It's really important to make sure that the right individual can produce documentation in many cases to show that that's who they are and they should be entitled to get that account. But then sometimes these attacks can be perpetrated by bots.
So you may need bot intelligence and management and on the consumer side, when you notice it happens, you can do things like request credit freeze, but you gotta call all three credit agencies. If you're in the us, you know, there it's, it's a real hassle and it, it actually costs consumers money. So trying to prevent fraud is really important for most businesses these days, ATO account takeover fraud. This is where data breaches have led to username password combos in mass, out on, on the web bad guys will automate these sometimes and do these credential stuffing attacks.
Again, they're used for things like financial fraud, but you know, they're, they're hitting sites other than just banks and, and other kinds of financial accounts, but they could be, we see them going after pensions, 401ks, insurance, medical, real estate, real, real, real. Estate's not even a new one, but that's the, you know, the misdirection take over a real estate agent's account, send an email to the seller, tell 'em to at the last minute, transfer their money to the wrong place. Once it's transferred, you can't get it back.
So it's devastating frequent flyer programs or the reward programs. Anything that can be converted into money is a target of account takeover fraud. Number one, mitigation against that MFA multifactor authentication and risk adaptive authentication. We're gonna be driving down into that a little bit today, too powered by these fraud reduction intelligence platforms.
We also tell people don't reuse passwords in between sites, but it's kinda lame that we're still using passwords at this point, insider fraud, this, you know, in BDE environments, this can, you know, be a disgruntled employee or somebody who's having money problems. Somebody's about to leave the company or contractors who don't necessarily have a vested stake in the health of the business, for which they're contracting these amount to financial transfers or theft of IP IP, of course can include customer da customer lists from CRM mitigations against this privileged account management.
Don't give anybody more access than what they absolutely need to be able to do their job. Same with segregation of duties, have workflows and approval processes. Then we come back to risk and based authentication and having an insider threat program. So let's talk a little bit more about these fraud reduction methods, identity proofing, and vetting. Kind of describe that again. Let's say you wanna create a bank account. You go to the bank, you have to show some documentation. There are more modern technological means to do this.
I've seen various app providers who can, you know, deliver a secure app to a phone that let's say allows you to use NFC to scan the passport, take a picture of the passport picture, do a selfie. You know, this can theoretically reduce costs. It might be a good way to do identity proofing and vetting and in some cases, but really it's about making sure the appropriate user is issued the account credential intelligence. This is knowing whether or not a credential's been used in fraud before device intelligence information about devices.
And I'm gonna dive down into each one of these in a little bit more detail, user behavioral analysis, again, kind of what it sounds like looking at historical patterns of activity that users have done behavioral or passive biometrics. That's a really interesting, we see more and more of that becoming common these days. And I think that's, that's probably a good thing.
Again, we'll look at the details in a minute and then bot Intel and management. So let's talk about behavioral and passive biometrics.
This is, let's say if you're on a desktop computer, a laptop it's keystroke mouse analysis, you know, your dwell time, your flight time, how you use the mouse. It may sound a little bit spooky that you go to a site and they're able to discern this information about you. They do it generally by downloading some Java script. It's kind of anonymized to a degree.
I mean, they're not trying to collect your passwords, but they are measuring these patterns to see if it, your pattern or the pattern of the, the user in the session matches previously established sessions related to mobile device interactions. How you swipe on that device, how you touch the screen pressure sensors, how you hold or manipulate it. All these things can contribute to a unique signature. We'll call it of how a given user interacts with their device. Same thing with gesture recognition.
You know, maybe how you draw your unlock pattern and then some physical factors too. Like, are you in proximity of the normal wifi SSIDs that you, that you're frequently are around or not?
You know, again, these, all these things can be scored, same thing with mobile network or location analysis. And each one of these factors can be scored by a fraud reduction Intel platform, which then may have multiple ways of informing the downstream application about the overall riskiness of letting a transaction through UBA. Many different factors can come into play here.
In some cases, if you are, have an integrated social media profile, if you've been using say Facebook login, Twitter login or something like that, you know, there's information that gets carried around there, theres and identity analytics, I'd call 'em like frequency and time of logins failed login attempts. Again, these can fall into patterns and then looking at specifically, let's say on the financial side, or, you know, interacting with the business, what are the types of transactions, the amounts, how frequent are they?
And looking at those over a very long period of time to know if in any given situation a, a user that presents themselves is actually the same one that's that's made these kinds of transaction types and amounts before adjustments for known travel. That can be interesting. You may have seen that if you buy airplane tickets with a credit card, oftentimes that credit card then knows that you're gonna be traveling and where you'll be traveling. So you don't get alerted about potential malicious charges. There changes the user profile.
All these things are enhanced by machine learning detection techniques these days, and then device Intel that would be starting with looking at various attributes around the IP address, the networks you're on IP reputation, geolocation, where are you? Have you done any impossible travel? What kind of device is it? Device fingerprint? This doesn't mean using, let's say touch ID, but it's like looking at all these factors, like some of the things here, colors, fonts, languages installed, you know, what's unique to your phone.
There are threat Intel providers that have a lot of information on device reputation and fraud reduction. Intel providers can sort of wholesale that and bring that into the overall equation device health assessment. Are you running some sort of anti-virus kind of product on your mobile phone? Good idea. Information about the I E I numbers Sims there have been any SIM swaps. Is there a known user on a new device? Does it match any of the patterns of other users jail broken or has it been rooted?
And again, ML is very important for sorting through the mountains of data associated with any transaction out there today. Credential Intel. It can come from, let's say within an identity provider's network or maybe in a fraud production, Intel providers network that are covering many, many different clients information about whether or not a, a user's credential has been compromised. And maybe you attempted to use fraud at some other site. You'd probably want to raise the risk flag on that.
If you discover that likewise there a third party feeds this kind of information and many F providers or IDPs will consume these kinds of feeds as, as well. This gets brought in and processed by the risk engine in fraud reduction, Intel platforms. So strong authentication for fraud reduction.
This is a, I, I think a real key again for the account takeover prevention, no more knowledge based authentication, please. You know, a lot of this stuff is on the web. Even if you don't answer social media quizzes, a lot of this stuff is on the web.
So, you know, it's just a bad idea to use KBA. So if your company that's doing that, please stop it. Risk adaptive authentication. This is what's risk analysis.
Well, it's looking at all these different factors and there can be hundreds. There can be hundreds of different factors that need to be evaluated at run time for every transaction. So it's looking at all these different Intel sources and sometimes static attributes like static attributes about the user.
You know, there are things that don't change very frequently, same thing about devices. So you need both that mix of a current check on the state of things with regard to users, their devices, and then also information that may be stored in a, in another kind of repository.
Like, so again, processing, you know, UBA attributes about the user device Intel, and then environmental attributes, where's it coming from? Is it within a normal pattern of time? Do we think this is influenced by malware or bots?
If so, raise the red flag. And these are all functions that fraud reduction, Intel platforms perform trends in authentication we see is move toward passwordless, which is, would be wonderful.
You know, we have passwords still everywhere today to make this possible. A lot of trip or strong authentication vendors have SDKs for developing secure mobile applications that include authentication. There are mobile biometrics. As you know, there are generally, we see companies leveraging the built in or native biometrics on apple or Android phones, and they can integrate these with their own mobile apps that allows 'em to give it a consistent look and feel.
Then we layer on the risk adaptive authentication paradigm, taking in all this information and making a smart decision based on that, and then really doing it all the time or for every requested transaction leads to what we might call a continuous authentication model, or simply doing these risk adaptive evaluations for every attempted transaction. And sometimes this means you don't have to actually pop up some sort of authentication event in front of a user. You can simply evaluate, you know, these different factors that we've been talking about at, in front of every transaction.
And, you know, if everything's the same and it's a low risk, low value transaction, don't even bother the user. Only, only present them with friction as we call it. When we think there's a real reason to get some sort of verification that it's the right user on the other end of the transaction with a little hope, all these technological solutions that we have here put into place that will help us get to the passwordless paradigm and get rid of passwords. And really these fraud reduction, Intel platforms are key for making this happen.
The drivers I see for market uptake here, well, reduce fraud, reduce all kinds of fraud, financial payments insurance, and all the other types that we've talked about, provide input to these risk adaptive authentication and authorization systems increase the overall authentication assurance level, make the authentication assurance level match the use case. This improves security and then detect, manage, and deter bots or other gray activities.
You know, not all bots are bad. Bots bots do things like inventory audits, but they're also inventory hoarding bots that will go up and buy inventory from a, a small store or something, and then try to resell it.
So there, you know, it's not just about detecting the bot, but deciding what to do with each given bot that you encounter.
So for our leadership compass, here are the six major criteria that kind of map to those six major fraud reduction techniques that I outlined in the beginning, ID proofing, making sure it's the right user behind the credential credential Intel has this been used anywhere, fraudulently lately, UBA looking at the history device, Intel, what do we know about the device behavioral or passive biometrics, how they interact with their phone or computer and then bot detection, Intel and management.
So when we do a leadership compass, we go through this process where we define the market segment, figure out what a market that we think is very interesting. Something that clients need to know more about something that, you know, might benefit from a comparative analysis. Then we define the key criteria like we've shown. We look at all the vendors in the space, invite them to participate. And I think one of our advantages is we don't, you know, we don't charge anybody for that.
You know, we'll take vendors big or small, anybody that's got a relevant product and compare them, then create a really, really long list of technical questions. We get briefings from the vendors, get demos, talk to customers. Then we rate the responses to those questionnaires and the demos that we see. That's how we create the graphs, which we'll see in a minute. And then, then we write the report, or at least the first draft of the report, then the report goes out to each of the vendors. They have an opportunity to fact check it and you know, we'll correct anything in there.
Our main name is getting accurate information out for readers. Then we have nine major categories that we look at when doing a leadership compass on any given field. We start with security. Does this meet the security requirements that we see in a given field? And I'll tell you what I think is really important here, especially on cybersecurity or identity management products is internal product or service security.
And that starts with, in my opinion, enforcing strong authentication for administrators of a service or a product, because if somebody can guess a password and get in, then you really don't have security. Secondly, functionality. Exactly what it sounds like, how many different features does it have every feature in order to get a really good score in functionality and product leadership. It needs to kind of go above and beyond what we see as the feature set for a given market segment integration delivery.
How integrated is it with other, with other products in a suite, for example, how easy is it to deploy scores? There can be influenced by, you know, is this an on-premise only kind of product or is it a cloud only kind of product?
You know, we try to call out in the written portion of the leadership compass, whether or not, you know, what the deployment models are, what the dependencies are and how easy is it to deploy and maintain, and also include in, in integration or ease of delivery as we'll see is how many different components are necessary for building a solution. Sometimes you'll see a company that sells, you know, X product or X service, like in this case fraud reduction.
And it's kind of a one size fits all in other cases, you know, you might have to go through and well, you need this module and you need this module. Then you need that module that makes it much more complicated and harder to deploy. And overall it has a less integrated field. So that's what lead me in here, interoperability. This is where standards come into play and support for standards in order to be able to work with other identity management or cybersecurity kinds of solutions supporting the relevant standards is important.
And that's how you get high marks in interoperability that plus many companies like in the flip market here, if you have connectors to, you know, easily configured that don't require customization connectors to different line of business applications, that's very helpful. It increases the interoperability score. Then usability, you know, in many cases, a service like this, you may not rate usability from the end user perspective so much. Although there obviously is a component of that.
If things get popped up in front of the user, they'll they may realize there's the fraud reduction, Intel platform working behind the scenes, but you know, here too, we mean, what's it like for an administrator of the service or, you know, a power user at a company who's subscribing to a fraud reduction, Intel service, what, what do those screens look like? Is it easy for them to do what they need to do? What are the workflows like? Then we measure innovation. Do they have not only all the basic features, but are they doing really cool things of customer request?
Are they leading edge or are they sort of playing catch up? You know, and there's, there can be a wide range here in how feature rich and how attentive to customers and what customers' needs are. And this gets reflected in the innovation score. The next three are around market size in the market size ecosystem and financial strength.
So market, I look at how many customers of the product, sometimes you'll have, let's say a large vendor that has multiple products and, you know, maybe they have 10,000 overall customers. Well, when we rate, you know, on a given product or service, I wanna know how many of those that larger set of customers are actually using the product that we're evaluating. And then in this case, how many consumers are served by it and are they targeting specific industries? And then lastly, geographic dis distribution is important here.
If you're, let's say a us company and you're only working in the us, obviously you're not global. You know, our customers wanna know where are you located and where do you have support? So same thing with ecosystem, how many partners, resellers support institutions or personnel, and where are they located globally?
That's the overall ecosystem and then financial strength, you know, we're, we're happy to consider large stack vendors and startups, but we need to be able to relate to readers how well the company is doing many companies make decisions based on whether or not they think the company, the vendor that they're gonna do business with is gonna be around in two or three years.
So we need to be able to say whether, or it's a small or a large how profitable that sort of, we compile all this into product leadership, these four ratings, product leadership, how functional is and how complete is their vision. Have they executed according to their product roadmap? How are they in terms of market leadership?
Again, that's numbers of customers serve consumers, partners and financial strength, innovation, leadership, you know, where do they stand in relation to others in the field? Are they delivering new and interesting, helpful features? And then we combine these into overall leadership inside the report for each company, you'll find about one page of text where we describe what the key features are and how it's doing those things. You'll also see these spider graphs and they relate to the, the key technical criteria. So here we've got user intelligence.
I selected that wasn't, that kind of covers the ID proofing credential, Intel and UBA factors, analytics engine, looking at the volumes types and the sources of Intel that the fraud reduction Intel platforms use, then how granular are the risk engine controls and you know, what format does it input, output that in? And is it using ML?
And if so, how I've been asking increasingly detailed questions on that to try to cut through some of the hype on machine learning and AI, there is a proper role for that. And we definitely need all these solutions actually require machine learning algorithms to process the huge amounts of data. So that's an important consideration app integration unit. Do they have well documented APIs? What standards do they support?
Excuse me, device Intel that covers all the device related Intel factors. We've already talked about bot Intel, you know, how are they doing it? Management techniques, you know, there are multiple it's more than just permit and deny. There are different things you can do once you decide what you wanna do with a discovered bot and then scalability.
And, you know, we base that on how many customers, users, what's a typical transaction processing volume or a peak. Where are your data centers? How geographically distributed are they, what's your typical SLAs state? Are you hosted in the cloud? And are you taking advantage of things like automated provisioning and deprovisioning and response to load? So you hear, you see transmit as an example for how the spider graph gets populated. Here are the vendors that I looked at this time. You'll see a good mix here too.
There are some, you know, relative newcomers to the field and there's some pretty big well-established companies. So on to the results, this is our overall leader chart. And you'll see here across the top, on the, on the right side, we've got IBM guru, cool transmit security and Broadcom, and then RSA as overall leaders in the field of fraud reduction Intel, then the rest of the vendors are actually kind of in the top half of the challenger section. And you know, what I think makes this really interesting is that this is this shows, this is a pretty well-established field.
You know, companies, many companies have been in this business for years and delivering different forms of fraud reduction, Intel to different kinds of customers for, for years and years, it's only gotten more complex. And that's why there are more and more players in the field now, but this shows at least, you know, the companies that I sampled, I, I think most of them are, are doing a reasonably good job at helping to protect their customers, product leaders.
Again, this is, you know, overall feature richness, completeness of vision, how they've executed on their product roadmaps. We see transmit at the top along with GU cool, and then ID data, web labs, Broadcom IBM in a good, again, a good scattering across the center for the others. And then that's a good number of product leaders.
And, you know, in the case of transmit, they, they do have all the features that you would normally expect in a solution like this, then market. Again, this is a big market, and I think it's only gonna get bigger.
Any, any retail outlet or insurance or media company that's in business, I think could with an online web presence, which is practically all of them can definitely benefit from fraud reduction, Intel platforms. And here we see we've got Broadcom TransUnion, IBM, RSA NewStar transmit guru cool as market leaders. And then lastly here innovation leaders. And this is again who, who has a really good mix of innovation.
When again, think back to those categories of UBA and identity proofing, identity vet bot management, there are few vendors that do every single thing because it is such a complex mix of different kinds of threat and fraud risk Intel that they have to process and make decisions about. So the ones that I think have the most innovative approach to that are cover most of the different functional areas and do it well in our leading, in terms of innovation here, we see Google ID, data web IBM transmit security and Arco slab. So with that, I will turn it Raj and again, feel to questions.
We at John, a great in terms of the analysis and a very comprehensive report on platforms that enable our customers around the globe for fraud detection, mitigation, and how they actually do it under the hood. Thank you so much for that report. My name is Raj, and I'm gonna actually quickly show you all a live platform from transmit security that brings to forefront everything that John mentioned so far, this is gonna be a live demonstration of the actual platform.
And I will just start with three quick slides as a refresher course, as a starting point for everyone to understand what this transmit platform is all about. Transmit platform is a very comprehensive, low code identity platform that is modular in nature. It comes be packaged with many of the things that John mentioned earlier. It has an authentication engine that comes pre packaged with over 20 authentication modalities, including on the device biometrics your authenticators, centralized authenticators, third party authentication modalities.
Hey, I need soft token that can work even without wifi signals, QR code, being able to do web to mobile push or anything that will aid you to give you a different level of assurance to each of those authentication modalities. The platform also comes with the built in risk and trust engine models.
One of the things that you constantly heard in John's presentation was all around the ability to not look at one single entity, but multiple entities or what we call them as multiple attributes that may come from one source or context from hundreds of sources, because I'm sure all of you agree that when it comes to fraud detection and mitigation, there is no single silver bullet.
So your success is going to depend on your ability to continuously monitor and assess hundreds of attributes throughout the life cycle of that user session within your application, not just at the front door, not just at when the user is doing something, but throughout the life cycle, you should have the ability to monitor hundreds of attributes, whether it is user behavior, whether it is device attribute, whether it is environment variable, whether it is location attribute, whether it is historical transaction analysis for that user, you need to be able to assess them and make a decision at one time.
And you're gonna see that in action, how transmit and achieving that goal. Finally, you will see the power of having a robust or, and integration engine, right? As I mentioned, you need the ability. I'm sure every customer on this call already has some sort of a risk, whether it is a point product from vendor AB or C or some of you might have developed a homegrown risk. We hear a lot of these data lake projects, AI ML based project, where you have developed a sophisticated risk.
However, how do I now further supplement and compliment what you may already have within your environment and eventually what you need. You need a system that allows you to what I call as ability to build the model of the models. So in that aspect, you'll see transmit giving you certain models of both trust and risk, but that may not be enough, or you may want to further supplement what transmit provides you of the box with what you may already have within your environment.
And here I'm showing you third party scores say from bio cash, RSA pen drop, your homegrown system could be optimized trust here, you name it. There are plenty of point products that are out there. What if I can take all of these things, use a sophisticated machine learning orchestration engine under the hood and at the run time, make a decision whether it's introduce friction. And if we do decide to introduce friction to that user, what kind of friction do you want to introduce?
Oh, I want enforce MFA. Great. If you wanna enforce MFA, what kind authentication modality do I want to enforce? Do I still want to ask him password, which may not make any sense at that point?
Hey, I want biometric, oh, I wanna see if the user has a side authentication modality that is available or resisted, or I wanna enforce a, a strong biometric. So being able to decide that run time, what kind of step up, what kind of MFA that I want to enforce based upon the overall risk or trust or that contiguous evaluation of that trust for that particular user for that particular session?
So what I will see in my demo right now is we are gonna change certain underlying attributes, whether those attributes are device based attributes or authenticator based attributes or environment attributes, or user behavior based attributes, or a third party risk engine attributes, and see how all of that comes into forefront and drives user experience, and eventually enables you to detect and mitigate fraud. So, as I mentioned, this is a live platform.
What you're seeing on the left of my screen is my actual iPhone that I'm connected, and we are good for the purpose of demo of financial retail application. And the whole goal here is to make you see that this can be applied to any vertical. It doesn't have to be for financial. So for the purpose of demo, Hey, you can log into an application using touch ID or whatever you have. And in this application, you have certain functionalities. I can transfer money. I can add a pay, I can check my account status. And so on the right hand side is the UI to the transmit platform.
As I mentioned, this is a hundred percent software and the live demo, I'm actually running this from the cloud. You can host it on brand containerize, it virtualize, it, consume it as a SA service. All the options are available for you. As I mentioned, transmit has a module called risk center, and I wanna show you how each of this modules are involved within the user journey for us.
The definition of a user journey is, Hey, when the user comes in to access an application, whether they come on a mobile channel or a web channel or a call center, or a kiosk or a chat session, it is the same user coming into consume an application within your enterprise. So the platform almost allows you to follow that user and then provide those services by monitoring everything that the user does and evaluating these attributes. So you can see the platform allows you to build the models or profilers.
John mentioned, Hey, we wanna be able to assess based on the location, the velocity, oh, I wanna be able to ask a question. What is the probability that user is going to use an opera browser in the middle of the night to conduct a transaction where the amount is unusually high, or it falls into the top 10 standard deviation value for that user based on the last six months transaction.
Now, if you just analyze what I just said, you wanna be able to understand user's device. You wanna be able to understand user location.
You wanna, the time of the day when the user was doing the transaction, you the behavior in of all the, the confidence of the device, for example, you can see, I have two models here called mobile device confidence and web device confidence. When it comes to mobile device, confidence is not just one attribute, right? I've shown over here. A few sample attributes I wanna see is it the gel broken device? I wanna see how many times have I seen this mobile device from this user for accessing this application?
I also wanna say, Hey, does it have a very strong cryptographic enabled hardware security model? Like a secure enclave in a check set this mobile device or not. I wanna able to assess the overall trust of this device based on certain attributes that I can change. Not only that I wanna different level of trust the industry level of assurance based on the authentication modality that the user uses. So over here, you can see, Hey, I've given different scores based upon something, you have something you are or something, you know, and even within those categories, you can assign different scores.
I wanna bring to your attention, something really important. You can see over here for fingerprint. I've given a score of 300, but what if I don't want to treat all fingerprints as him? What if your security team comes in and says, oh, we have recognized that there is a vulnerability, again, nothing against any vendor, but let's say somebody running Android version seven or running on an inexpensive device from vendor XYZ, Hey, we want to not have the same level of trust that I would have on an iPhone, excess running 13 X and using I don't touch Heidi.
So now you are able to dynamically assess different level of trust, and then take that into consideration when you are really evaluating the contiguous level of trust. Hey, what if I wanted to check any variables that may change mid session within the session? Right? So for example, I want to see what time, this thing, where does this transaction lie? What kind SS I is he coming from? Did the SS. I get hijacked between the, oh, I saw one SS ID at, and now all of a sudden I see that the SS I was hijacked, right? And finally, as I mentioned, being able to build a model of the models, right?
It's not just transmit that I want you to really focus on because you may have other models that you already built it. So here is a sample configuration, but we are gonna see it in action. I'm taking the overall device confidence. So behind the hood, that device confidence might be a result of about 200 different variables. I'm looking at the level of assurance. I'm looking at the transaction details, but I'm also looking at external risk engines. In this case, I got a homegrown risk engine and then RSA as a risk engine. And I'm gonna see how this all comes into play.
So with that, you already saw that I logged in, let me go and then do a transaction. So on my mobile device, Hey, I'm gonna go and then do a transaction to user John. And let's zoom that I want transfer $1,500. So in this case, for the purpose of demo, I have deliberately shown over here, Hey, the overall score or the trust level I got about 1900 I've categorically said, what is my device? Confidence? What is the level of assurance? What is the session score and so on? And obviously you don't show that to the user.
It says, Hey, looks like you're transferring $1,500 to John and your transaction went through without any problem. I'm going out of the app. I'm go. And then an important attribute, right?
I said, SS, ID hijacking. I'm gonna change my SS I D mid session, right? Let's assume that, Hey, there is an SS I D that somehow got in. And then now you want to change that SS ID mids session. I'm gonna go and then change the SS I D from whatever I have. And now let us see what happens if I want to conduct the same transaction, remember that I haven't even logged out of that application. So I'm gonna go back. And now I wanna do the same transaction that I was doing earlier. Transfer money to user. Not that the user may not know what happened or what changed. It might be a fraudster.
And it says, Hey, yeah, you're transferring 1500 to John. Now notice, obviously, again, you didn't show this to the user. My overall trust level went down on this device because I noticed something really drastic as a result, I wanna enforce an MFA and notice. I also decided to enforce only something you are as an authentication modality. I can have him show his face or touch ID or voice, and then have the user authenticate.
In fact, you're gonna see me in a second. I'm gonna use a transmit authenticator called centralized phase. And we are going to use that as the modality to complete the transaction and it went through. So that was a very simple use case wherein behind the scene. We were monitoring hundreds of attributes and context from different sources and within the session, because we saw a significant change. Now you are able to enforce a friction and a desired MFA modality in the interest of time.
I'm gonna jump in quickly to a web channel and then show you a similar use case as to how the platform is truly omnichannel in nature, and allows you to look at attributes, not just for a mobile channel or a web channel, but also different context from different sources that you're able to take into consideration. So here is a web browser. We have built our web application and I wanna be able to log into my web application. So over here, again, for the purpose of demo, I have presented the data that the platform analyzed.
So the data that you are seeing over here is, Hey, I see that the probability of you using Chrome is over 94%. Oh, I'm looking at all the historical way. And specifically this device, I've already seen 184 times.
Oh, by the way, I also know that you just used this application. You saw me using my face server using on the mobile channel. This is the GMT time at 2 49 PI. And by the way, I almost have close to 90% trust. Having said that, Hey, John also discussed about giving a passwordless experience. Now you can see, I have so many other options for the user to log in. I also spoke about authentication modalities, such as Fido. So in fact, I'm gonna show you how transmit enables you to use a phyto modality. So if I choose Fido, you're seeing in my camera here, our U key.
And when I touch the U key, I am further protecting that U key, which is a Fido two device with a pin code. And now as soon as I touch my UBI key, I just log directly into my web application.
Yeah, you're great. You log in and let's assume that you want to do a financial transaction. Let's assume that for John, I wanna send $500. Let's call this as an expensive launch money for John. And now I just, haven't given up on evaluation of various attributes. I'm going to now look within the session as well. And now you can see I'm looking at level of assurance, but now I'm also looking at the risk score coming from the external systems as well. So behind the scene, I made a call and yes, they gave up with certain score, but I'm not to one single engine.
I have built a flexible model as a result of that. I have a positive trust. And I also notice that this transaction is less than the average. And then the transaction goes through.
However, if it were to be the same transaction or same user, let's assume that all of a sudden I'm gonna send instead of 500, I'm gonna try to send $5,000 to user. And then now all of a sudden, no, I notice that my session score went down. My overall trust went down and now of that, I'm gonna step up the user because I see that the risk is hot. I've never seen Raj transfer. His average transaction is only 626. This is way higher than what I've generally seen Raj do.
And now maybe this time, I want to decide and then use mobile approval, which is a cost channel and says, Hey, I know that you have a device, an iPhone, and notice my phone on the left hand side. Now I'm gonna get a vector mobile push. There you go. And it says, Hey, I wanted to approve this transaction that you're trying to conduct only web device using a strong biometric. Maybe this time I use touch ID. And only after I complete that transaction on my mobile, that is much more trusted. My transaction goes through. So I'm gonna pause over here.
But the whole goal over here was to showcase how transmit really allows you to build this model of the models by taking into consideration, hundreds of attributes that John explained earlier, whether it is the type of authenticators, whether it is the level of trust and trust based on device, location, users, behavior, time of the day, the type of devices or the result coming from a third party, user behavioral analysis, using all of this with a strong machine learning based engine is what really transmit brings to the table and all of this without ever having to touch your application or make changes.
These are all runtime decisions that you can make. And all of this is by simply doing what we call as run engines so that I hand are questions. Great.
Well, Raj, come in. First question is logistical.
Yeah, we will share slides and recording should be up tomorrow or no later than early next week. Then let's see if you change a threat Intel service, how does that affect the risk models in transmit and what applications need to be updated?
I said, that is an excellent question. So the question for a benefit of everyone was, Hey, if I have a risk external service that gives me some sort of risk indication and do I need to make any changes to the application when I'm using transmit? The answer is you absolutely do not need to make any changes to your application.
In fact, I'll go one step further and say, Hey, you might be subscribing to service a today. Tomorrow you might subscribe to additional services or you might change it. Or you might introduce a new risk detection system from whatever vendor or a homegrown in all these scenarios. It is simply the transmit engine making a call or integrating or making a call to the access. And you never have to make any changes to the actual end application that the user is using.
So it simply becomes another input within transmit modeling and yes, you simply go and then do a drag and drop within transmits orchestration engine. And now you have the ability to take into consideration the result from that new service that you're subscribed or that you're changed. Great. Next question is how long do you see it taking for most organizations to go passwordless?
Well, I would say a lot longer than I would like, I mean, seriously, you know, putting my own consumer hat on and knowing that there are lots of good technical solutions out there that would allow most of the sites that I interact with to not force authentication events, especially passwords. I do find it a bit frustrating, you know, and I think the kinds of things that these fraud reduction Intel platforms have to offer can be of particular service to identity providers.
I a S solution providers who consumer identity and access management solution providers, they just need to subscribe to these services and, and utilize them.
And then I think we can see more companies moving in that direction And playing in workforce compared to consumer well, you know, I think that's interesting because up until the last few weeks, I probably would've said not much, but I think in light of recent events with the shift to work from home and increasing use of B Y O D, I think that companies who have, you know, pretty entrenched a robust B to E identity management solutions should begin to consider opening that up, allowing more, you know, in the B Y O D area, but in order to do that safely, you're gonna need device Intel.
So I think, and, you know, honestly, I think a lot of the changes that we're seeing in terms of work from home are probably gonna have a degree of permanence to them. So this is forcing a ma shift in, in culture and policy in companies and organizations around the world. So I think fraud, risk reduction, Intel platforms are going to take on a larger role even into, you know, BTE business to employee authentication.
Oh, I see. We're at the top of the hour.
Any, any final thoughts maybe on that question, Raj? I, well, a lot of I'm sure heard about the zero trust model and we are actually seeing lot of our customers embrace the same transmit platform for workforce and yeah, as customers wherein they say, Hey, did the employee badge, he sitting in a Starbucks or he is in a different network and then deciding what access and level of access they have to the internal resources within the enterprise. So definitely a lot of adoption and interest of applying similar model and concept within the workforce. Great.
Well, thanks Raj. And thank everyone for attending again, the recording and slides should be ready later tomorrow or early next week, and please join us on our next webinar. Thanks everyone. And have a good rest of your day.