Fight Fraud With Fraud Reduction Intelligence Platforms (FRIP)

Hi, and welcome to our webinar. I'm John Tolbert, director of Cybersecurity Research here at KuppingerCole. And today's webinar is about fraud reduction intelligence platforms. We're also gonna look at how you can see the results of that through our new tool, KC Open Select. So some logistics info before we begin. Everyone is muted centrally. There's no need to mute or unmute yourself.

We are gonna do a couple of poll questions during the presentation, and we'll take a look at the results at the end, and you can submit questions in the question control center, and I will take those at the end as well. And lastly, we are recording this. So both the recording and the slides will be available in a few days. So let's dig in Fraud reduction intelligence platforms. What is it?

Why, why do we need it? And let's get going. So as everyone probably knows through direct personal experience as well as, you know, if you're working in, in just about any industry, cyber crime fraud particularly is, has been on the increase for years and fraudsters have continued to innovate and develop new techniques to attack individuals, businesses, nonprofits, pretty much any kind of industry.

And, you know, we'll dive a little deeper into what we mean by the different kinds of fraud. But you know, here I just thought I'd put up some statistics from last year that were collected about the numbers of phishing business, email compromise, investment fraud, call center fraud, lots and lots of different types of fraud. And generally it has been on the increase. Two of the biggest types of fraud that we deal with commonly are what we call a t o fraud. A t o fraud that stands for account takeover fraud and AO fraud or account opening fraud.

Account takeover Fraud is exactly what it sounds like. The hackers are trying to at least temporarily take over access to existing accounts. And they do this so that they can drain those accounts of money or anything that can be converted into money. And like I said, almost all industries are targeted. Anything that can be, you know, transferred into money, they can be loyalty points, frequent flyer miles, all sorts of things are targeted by hackers that want to get control of people's accounts. Then there's account opening fraud.

The goal here is to create fake accounts, but based on real people's information, they do this because you can conduct, you know, major financial fraud with that. You can use a a, a fraudulently created account to open up lines of credit, you know, get mortgages, all sorts of things, including doing money laundering, having mule accounts for moving money between, you know, different kinds of illegal activities and, and the real world of finance. So account opening fraud is very serious as well. So there are lots of different methods that fraudsters use to perpetrate both a t o and AO fraud.

So on the a t o side, they do things like use phishing, phishing, smishing. This is, you know, voice phishing, s m s, phishing, all these are like forms of social engineering. Trying to get a user to enter their information, give the the bad guys the information. They will enable 'em to take over their accounts. They're still brute force password guessing compromise credentials that might be found on the dark web. Then they can also be used for credential stuffing attacks. 'cause a lot of people use the same password email user ID combination.

So if it's compromised in one place, the attacker will load that up into a bot and try to use it all over the place and see what other kind of access they can get. And then there's still malware that can come into play.

You know, drive by downloads, fake websites, key loggers, root kits, spyware, anything that can give the attacker control over a user's device. Then gives them access to usernames and passwords to build a fake account using a personal, a person's information. The records can come from all sorts of places. There are government, school employment, healthcare insurance, many different sources of records that can, you know, be used to get postal address information, information about how old a person is, things that can help answer, you know, those secondary questions.

And then there are plenty of breach consumer records available on the dark web that they can buy to create these accounts as well. Then there's credit card fraud. Probably one of the most prevalent here is card not present. So doing an online transaction where you're not inserting or tapping a card against a reader, you, you know, card not present is very, very prevalent in, in all online transactions.

So this, this is a problem. There are standards for conducting those kinds of transactions more securely, but fraud reduction techniques are also at play here as well. And then there's just simple things like card not received, counterfeit cards. Cards that might have been created, you know, by a, a fraudster, using a skimmer and then loading it up on another card or just plain stolen cards or card numbers. So looking a little deeper at phishing, smishing and vishing.

Again, these are all predominantly social engineering kinds of attacks, and I won't read through all these, but these are just kind of a, a sampling of the different kinds of techniques that the fraudsters use. You know, and we've probably all seen multiple variations of these different kinds of things that show up in email or text or, or phone calls, you know, fake investment opportunities, utility cutoff notices, fake invoices.

I mean, that's, that's been going on for a while. You know, it's also sort of like c E o or c f o impersonation fraud where, you know, inside an organization a fraudster will gain access to a person, you know, a a legitimate person's account or call them up and direct them to, you know, make a payment somewhere.

So again, much of this really could be more broadly categorized as social engineering scams. There are also specific types of fraud that target e-commerce or website operators. A lot of these are perpetrated by bots as you can see.

And again, I won't read the whole list, but, you know, some interesting ones here are inventory hoarding bots, competitive price checking bots, you know, and, and not all bots are bad. That's the, that's the thing that you have to keep in mind, that a lot of business on the web happens via bots. So you need solutions in the fraud reduction area that can detect which bots are good and which bots are not, and then deal with them proactively so that they don't cause financial loss.

But you know, there are other kinds of bot e-commerce fraud schemes that may not necessarily be bot related, but they can be potentially damaging to brands. These things could include things like fake reviews and comments, fake job postings on job sites, fake goods on auction sites. So there are, you know, many, many different permutations of fraud that affect e-commerce operators.

And again, it's, I think it's imperative for e-commerce operators to have fraud reduction intelligence solutions working for them. So we come to our first poll question. Which of those following general fraud categories are your organization most concerned about right now? Is it account takeovers or account opening fraud payments, financial fraud, e-commerce fraud, or all of the above? We'll look at the results at the end. So now that we've kind of described some of the high level types of fraud and motivations and, and how they do it, let's talk about how to reduce fraud.

So I've identified six primary techniques that fraud reduction intelligence platforms use for reducing fraud. Number one is identity proofing. And this is to raise the overall identity assurance level. This also helps comply with anti-money laundering regulations, know your customer regulations and initiatives and for sanction screening. And you can often see, you know, remote ident ident kinds of processes and you know, remote mobile application identity proofing solutions that have, you know, become quite prevalent in the last few years.

And these can help, like I said, raise the overall identity assurance level so that you know that you're creating account and assigning it to the proper individual. There's also credential intelligence. This is about knowing has this user Id been used somewhere else recently for fraud? This is a great place where both FRI companies or other intelligence providers can share information about what they know about particular user IDs and whether or not they have been involved in fraud.

There's device intelligence and this includes just knowing anything and everything you can about the device from which an transaction request originates. This can include IP address, locations, reputation of the IP address, you know, can you tell what the patch level is on the device? Is it fully patched and does it have any signs that may have been infected by malware? All these are great for helping to make real time decisions about whether or not a transaction should go forward.

User behavioral analysis, this is looking at the locations, the networks, transaction history, you know, specific to an individual, even the transaction details in some cases, you know, asking, being able to sort of figuratively ask, is this transaction like what this user has done before? Is it, you know, an an amount that is typical for what the user would send? Is this a payee that the user would normally transact with? So these things can be analyzed to either raise or lower the risk score, you know, on a per transaction basis.

Behavioral biometrics, this is how users interact with their devices. Many of these solutions have behavioral biometrics and they build a baseline of individuals, you know, how they, what are their keystrokes, like the, the timing between those, how do they use the mouse if it's a mobile device with a touch screen, it can even build a profile based on touch screen pressure, how they move it, you know, using the internal gyroscope and all that can be, you know, baselined and help determine whether or not the proper user is actually using that device.

And then I mentioned bot detection and management. The fact that there are good bots, there are bad bots and some that are in between. There are intel sources that FR solutions can subscribe to to bring in more information about bot attacks. There's also behavioral biometrics. A human interacts with a device generally much more differently than a bot would. Being able to to detect that and then challenge, challenge the user. I mean we've all seen different kinds of challenges.

Some are more user-friendly than others, but the idea of a challenge is just to make sure that it's really a person and the proper person on the other end of the channel. If it's the FRI solution thinks it's a gray bot or you know a bad bot, then you know, besides challenging, you need to be able to do things like throttle it. Well maybe, maybe it's not a really, really bad bot, you don't, but you don't want it to get in the way of, you know, conducting real business. You can also redirect it or just terminate sessions. So there's lots of different kinds of bot management options.

So about our leadership compass, I thought I'd start with talking about what our evaluation criteria are and then the overall methodology. So for this particular leadership compass, the categories that I decided to rate were identity proofing and account opening protection, the user behavioral analysis, device intelligence, behavioral biometrics, bot detection and management, A T O protection, e-commerce support and finance and payment security. So those are the last two are, you know, sort of different kinds of use cases. Some of the solutions that I looked at provide coverage for both.

Some specialize in one more than the other, but these will be the, the points that are on the spider charts and the leadership compass. And these are also the categories that you can drill down into on KC Open select and rate vendors and products based on which of these categories is most important. So in the overall leadership compass process, our methodology is we start off by doing research. We look for the vendors that we think are relevant, we get briefings from them, we get demonstrations of how their products work.

We send out a very, very long technical questionnaire, get the answers back, review that, then we analyze it and, and write a first draft. Then we send it out for fact check. And once we go through the fact check process, we publish it live on our website. The nine standard categories that we rate every company, regardless of which leadership compass it is, start with security. And this is about internal product security. It's not so much about how a product helps enhance security in one way or another, you know, at a customer site.

But we really wanna understand, you know, how secure is the product itself. You know, is it following standards? Is it using multifactor authentication for their administrators? Do they have attribute based access control? Lots of different factors that can go into the security rating. Then there's functionality, exactly what it sounds like. Does this product do what we expect it to do to be in this space? So how complete is it overall deployment?

You know, here we look at, you know, different kinds of deployment options, whether it's cloud, you know, full SaaS, is it hybrid? Do they still have on-prem options? And also how easy is it deploy, where can it be deployed?

You know, is it available globally and in infrastructure as a service data centers? And then also how much effort's needed by the customer to deploy and maintain it interoperability. How well does it work with other services? Does it have connectors for other kinds of platforms? Does it use standard protocols for information exchange usability? Is it easy for admins and the end users to use? Or Analysts fraud? Analysts really a end user in the sense of a consumer trying to get into an e-commerce site or a bank or something.

It should be totally transparent to them except for maybe some sort of bot challenge. But yeah, we're really looking at, you know, what's it like for an everyday fraud Analyst or administrator to use the product. Then we also look at innovation, you know, is the solution cutting edge or you know, kind of playing catch up to others in the field market.

You know, we determine that based on, you know, how many customers, how many end users are protected, are they targeting specific industries or is it a more general purpose kind of FRI solution where, you know, it can be for banks or e-commerce. And then also, which regions in the world are using it? Is it strictly localized North America and or Europe or you know, is this a, you know, a really market leading company and they're selling globally ecosystem. How many partners do they have? Do they have support for custom development resellers, system integrators?

And then again, how globally distributed are they? And the last major category is financial strength. We wanna know is the company profitable? Is a big public company or a startup or somewhere in between?

You know, these, these can be important decision factors for many organizations. So now we'll take our second poll question. Is your organization currently using some services? And the answer choices are yes, no, we don't think it's relevant or we're not interested at this time or see not yet, but we're looking for it. So we'll have a few seconds to look at the poll.

All right, so let's move into the results and I'll show you how you can use KC Opens select to see some of the results. This is just kinda high level, quick, you know, look at what KC opens Select can do.

And again, it's free. So I would encourage you to go out and take a look. KC Opens Select is our, our tool that launched earlier this year. It's about helping end users come in and, and look at different categories of tools and, and get an idea of where to start in a tools choice or an R F P sort of process. So it can help you, you know, start your decision making process to figure out what tools in which areas are are most pertinent for your organization.

'cause we take the data and allow you to, you know, slice and dice it according to use cases and functionality and, and language support in a whole number of different kinds of options. And, and Casey opens, select continues to grow and evolve too. So for this particular leadership compass, you can see the pretty long list of vendors. This is the third year I've done this report. The vendor list continues to grow. That tells me it's a large and growing market and, and there's room for new entrants.

And, and there have been a number of acquisitions over the last few years in this fraud reduction market as well. So when you first get into K c Open Select, you can see, you know, a couple of different menus along the top and some along the bottom. So we start off with a solution comparison. This will give you sort of an overview of the field, we'll, we'll tell you in a bit more detail than I've been able to present today.

You know, what, what exactly is fraud reduction intelligence platforms? Then you can see the vendors that are listed a sample here.

You know, we can drill down, go through more detail that we have on the vendor. You can see their individual spider graphs. You can rearrange which of those particular technical categories is of most interest to your organization. And then sort vendors by that. We list out, you know, the major use cases and capabilities and, and then also allow you to sort the results by, you know, the scoring that we analyzed as a result of the leadership compass process. We also give you a list of internal considerations that you might want to think about for both planning.

And then also when you start to go into the R F I R F P process, you know, like in the case of fraud reduction, you of course you'd wanna know what are the backend applications, the line of business applications that you need to be able to plug a FRI service into and then figure out, you know, well how do you do that? I mean, almost all of the FRI solutions are based on rest APIs or, or, or similar. So you know, being able to architect your existing line of business applications to interact with FRI services.

That's just one example of, you know, some of the internal considerations that you'd want to go through as you start the process of perhaps looking for a fraud reduction tool. We also provide some questions to ask. These are things that I think are relevant particularly to these fraud reduction space.

You know, I think for example, you'd want to know are you serving specific industries? There's a big difference between those that are sort of all encompassing or those that might just specialize in e-commerce or finance support. Does your solution help customers with regulatory or standards compliance? There's sort of a wide range of approaches on this one, so yeah, be sure to check out this section as well. And here are, here's a link to the leadership compass and previous leadership compasses and other research that we have that are relevant for fri.

And with that, I think I'd like to say, let's take a look at the poll results. Okay, great. So which of the following general fraud categories is your organization most concerned about? Just as I would've suspected account takeovers. They are very, very prevalent. Unfortunately, account opening fraud is, is a big problem too. I wouldn't be surprised if the next time we run a poll like that, we see that number come up. Payments fraud of course, makes a, a ton of sense. E-commerce fraud is really, really prevalent. But probably the, the good answer here is all of the above.

That makes a lot of sense. Okay, thank you.

Next one, is your organization currently using fri Well, almost half. Almost half, yes. And around a third are looking for it. So good to know. Good to know. Thank you for that. And let's go out and see what questions that we might have. How do you prevent account takeover fraud?

You know, we always tell people the best method for preventing attack a t o is multifactor authentication. And really, I can't recommend that highly enough.

Yes, there have been cases where M F A has been broken, there have been poor implementations of M F A that can be somewhat difficult to use. But there are a large number of, of good and useful passwordless authentication solutions.

And I, I should direct you to our research on password list too. It's also in case you open select, but there are passwordless multifactor authentication solutions that certainly can help both improve the end user experience as well as decrease the risk of account takeover fraud. Next one is, how do you prevent account opening fraud account opening fraud Again being, you know, the collecting information about a person to assemble a fake account.

This is where identity proofing comes in, you know, making sure that you're assigning an account or creating an account only for the proper individual that should have access to it. So identity proofing can be a bit on the obtrusive side, but it's, it's a necessary thing from a regulatory perspective in, in many industries, banking being, you know, a good example of that. But you know, other industries are starting to require at least some milder forms of identity proofing as well.

Many businesses want to have, you know, some level of assurance that they're creating accounts for legitimate people because that saves them trouble down the line because they don't have to deal with fraud created by fake accounts. So with that, we're at the top of the hour. I don't see any more questions, so I wanna say thank you to everyone who has joined.

And yes, please, I invite you to take a look at KC Opens Select Drill down into it. If you have any questions, get in touch with us, we'd be happy to take them. Thank you everyone.