KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Fraud is a major cost to businesses worldwide. Cybersecurity Ventures estimates that cybercrime costs will reach $10.5 trillion by 2025. Banking, finance, payment services, and retail are some of the most frequent objectives of fraudsters, as expected. However, insurance, gaming, telecommunications, health care, cryptocurrency exchanges, government assistance agencies, travel and hospitality, and real estate are increasingly targeted as cybercriminals have realized that most online services trade in monetary equivalents. In this session we will look at critical capabilities for FRIPs and provide an overview on the solution market.
Fraud is a major cost to businesses worldwide. Cybersecurity Ventures estimates that cybercrime costs will reach $10.5 trillion by 2025. Banking, finance, payment services, and retail are some of the most frequent objectives of fraudsters, as expected. However, insurance, gaming, telecommunications, health care, cryptocurrency exchanges, government assistance agencies, travel and hospitality, and real estate are increasingly targeted as cybercriminals have realized that most online services trade in monetary equivalents. In this session we will look at critical capabilities for FRIPs and provide an overview on the solution market.
So yeah, just a couple of weeks ago I published a leadership compass on fraud reduction intelligence platforms. I'll go through and kind of describe what that means, what is involved in that, and then talk about the evaluation criteria that we use when we do a leadership compass, our methodology and the main categories, and then I'll show you some of the main charts from the shows, the positions of the different vendors there.
So fraud, I think we all at least have a vague idea of what it is and, and probably can't stand it because it takes money out of our pockets, affects our identities, and is, you know, something that really afflicts a lot of businesses. I won't read through all the statistics here, but I did go out and update them. I think it's interesting to see that there's variation from year to year and what kinds of fraud schemes that the fraudsters are using. There's more investment fraud over the last year or so and more.
Call center, you know, gov pretending to be a government agency or some sort of tech support. I mean, I get those calls and texts every day. It still seems like, so yeah, I can attest to the fact that certain kinds of fraud are, are going up to the biggest fraud types that we talk about are account takeover fraud and account opening fraud, account takeover fraud is exactly what it sounds like.
Trying to gain at least temporary access to accounts to steal money or, you know, anything of value that can be drained from an account and just about any kind of account that has something that has value in it is a potential target account. Opening fraud on the other hand is using real people's data, but trying to create fake identities to do even bigger financial fraud.
Try to, you know, take out loans or, you know, get credit cards based on real, but you know, not your self accounts or using mule accounts, you know, from doing money laundering, how, what are some of the main methods that the fraudsters use? So for account takeover, there's phishing. Phishing and smashing. Gotta love that term.
You know, phishing, email, phishing, phishing is getting a voice call. Submiss is SMS text.
And yeah, I think we all see plenty of that every day. Different kinds of offers or whatnot. Bruteforce password guessing, I guess that still works in a lot of cases. Unfortunately, the goal is to get compromised credentials, use them in credential stuffing attacks. That's where bots are used to just blast out, you know, username, password combinations that have been discovered against a whole bunch of different sites to see what works.
And there are still things like drive by downloads, malware, fake websites, key loggers, root kits, spyware, anything that can, you know, give a fraudster access to your credentials. Then for account opening information sources, any kind of record that can be useful.
You know, think about how you build an account where that information is. That's the kind of stuff that those kinds of fraudsters are gonna be going after.
You know, your government records, school records, something that shows your physical address, phone number, email address, you know, depending on what kind of account they're trying to create. And then there's credit card fraud.
You know, so many transactions are done online every day, you know, and throughout the pandemic, of course we did more, you know, buying groceries and everything online, so that leads to a lot of card not present fraud. So, you know, that's where you put in your credit card number, your expiry date, your cvv. These things unfortunately are for sale on the dark, well, not even on the dark web. I understand from other presentations at other conferences, you could find these on certain social media sites where fraudsters are just, you know, sharing information about credit cards.
So card not present, fraud has, you know, shot through the roof. But then there's also, you know, physical credit card fraud where the, the card might have been stolen out of the mail, may have been counterfeited, may have used some sort of skimmer so that the fraudsters take your credit card information and use that later. So I've got a long list of just examples of different kinds of phishing, fishing and smashing.
I won't read through all of these, but you know, you may have seen some of these and it's, it's sad how creative that the cyber criminals have gotten with so many different kinds of scams. You know, everything from, you know, fake notices for deliveries or we're gonna cut off your utilities or, you know, ceo, cfo, impersonation fraud has been a, a big problem. That's where, you know, somebody may gain illegitimate access to a network and pretend to be your CEO and say, you know, I need you to send 40,000 euros to this account right now.
And of course, you know, people have been taken by that kind of a scam, unfortunately. But lots of variety and I think we expect to see more innovation, and that's not a word I want to use in the fraud space, but, but it's real. Then we have e what I call e-commerce focused fraud schemes. A lot of these are perpetrated by bots. Anything that can be automated, you know, so there are lots and lots of different kinds of bots, inventory hoarding, bots, buying up everything a company's got, or trying to API inventory, checking bots.
You know, maybe you don't want your competitors to know what you're charging. Maybe they're doing, you know, point charging and changing their prices based on whatever their competitors have to say. Then you have like farms of headless browsers. DDoS is still a problem. It doesn't make the news every day, but it happens every day. And then things like fake reviews, fake comments, bots that post stuff on social media. So these are, are types of fraud that as a website operator, you're interested in having some sort of protection against that. So how do we reduce it?
I reordered my slides yesterday, but it didn't get updated, so I'll just skip ahead. I, I think there's six major means for reducing fraud. Number one is identity proofing. And this is really about raising the assurance level, you know, at the time of registration that a person who purports to be opening account is the right person. This can help with, you know, anti-money laundering, legal compliance, know your customer sanction screening. Then there's credential intelligence, knowing has this user Id been used somewhere else for fraud?
Really, really recently. A lot of the vendors you'll see here do like what I call in-network compromised credential intelligence. So if they hit, you know, site A and and fail, or it's detected that it's, you know, they're trying to do fraud and then they go to another one of their customers site B, they can reuse that information and protect the whole of their customer base. This is something that, you know, was alluded to earlier this morning and James lap palm's speech about CM and fraud reduction.
There needs to be more sharing of signals between these vendors to to help out with, you know, compromised credential intelligence across, you know, the multi-vendor landscape. Then there is device intelligence. This may include things like your device identifier, the device id, IP address, reputation, and then more granular things like, well, what operating system and patch level is running on it? Does it have signs of malware or is there any kind of malware protection installed on the machine? There's user behavioral analysis.
This is, you know, looking at where the user's been, what network are they coming from? Looking at transaction history, transaction details in real time and being able to offer up some sort of decision on whether or not this looks legitimate at, at runtime behavioral biometrics, how users interact with their devices. Things like keystroke and and mouse usage analysis or you know, on a phone, the touchscreen pressure or how they swipe. There's some other more advanced things that companies vendors in this area can do, and I call that that out in the innovation section in a minute.
And then bot detection and management, like I said, so much of this is perpetrated by bots. It's really important to be able to detect bots and not only detect them, but then figure out how to manage them. And because not all bots are bad, you know, some bots are kind of key for, for business happening, but you don't want to let that overwhelm your systems. So I tried to put together a slide that would show, you know, risk mitigating impact of these different kinds of technologies with what I think is kind of a very general, how much effort does it take to deploy it?
So, and I color coded it for account opening prevention. Is it the boxes are red ATO prevention, the boxes are green, and then a couple of them you can see kind of help out with both ID proofing, you know, I think has the biggest impact on account opening fraud.
But, you know, it can be difficult to implement. Fortunately, there's a lot of ID proofing services out there and many of the vendors will look at it a minute, offer integrations with those services. So that does make it a bit easier. And of course, we've been seeing for years MFA multifactor authentication is the number one way to help reduce the risk of account takeover fraud. But even though we know that there are also plenty of attacks against mfa, so you've gotta have really good implementation of mfa, preferably passwordless.
So let's look at the evaluation criteria for this leadership compass. You'll see in the back, you know, we rate each company on eight up to eight different categories, technical categories. So what I chose for this addition to the report was identity proofing and account opening, protection, user behavioral analysis, device intelligence, behavioral biometrics, bot detection and management, ATO protection, and then e-commerce support and finance and payments security, which are, are two kind of different use case use cases using sometimes different technology.
And you'll see that the vendors sometimes specialize either more on the e-commerce side or more on the finance and payment side, or in some cases they, they do both to talk about our process. First up to do our research, we identify all the companies that, that we think are relevant in the area. We go get briefings. We've asked them hundreds upon hundreds of questions, talk to customers, figure out, you know, where we think they are. Then we analyze the information, do the ratings, you'll see the charts in a minute, and then write up summaries of, of what each vendor does.
Then we send them back for a fact check. Once that's agreed upon, we publish it and I'll share a link at the end for this particular leadership compass. Then we have nine major categories that we look at for, for every subject that we cover. First up is security. This is internal product security functionality.
Is this, does this product have everything in it? We think it should be in this field integration. How easy is it to deploy, you know, as a single service or does it require multiple services? Is it all built in or do you need to integrate with other, other products to make it work for you? Interoperability that's really about supporting standards and standard communication. Usability is, you know, how hard is it for, you know, in this case it's not really about end users. End users shouldn't really have to know what's going on for fraud protection.
But you know, for the administrators and the fraud analysts, what are the interfaces that they interact with and, and does it seem like it would facilitate investigations? Then innovation, is it doing new and cool things to help deter fraud market? How many customers do they have? What industries do they target? Where in the world are they they selling to ecosystem? What's their tech support?
Like, what's their extended tech support system like, you know, ISVs or resellers. And then the, the financial strength. Then the four charts that you'll see here in a minute are about product leadership. That's again looking at, you know, how complete of a product it is. Market leadership pulls together the, the, the market size, financial strength and that sort of thing. Innovation, and then the, the combined or overall leadership. So let's take a quick look at the results.
Here are the vendors that participated this time, this is the third time I've done this report and it seems that every time, you know, we get more and more vendors that are interested in participating and this is a really good, good selection of what's available in the field today.
So here's the chart for product leaders, and again, just as a refresher, the the main things that kind of filter in and determine the, the positioning here or how well each does on identity proofing and account opening protection, uba, user behavioral analysis, device intelligence, whether or not they have either b behavioral biometrics as part of the platform or something that may be OEMed into their solution bot detection and management, account takeover protection, and then the e-commerce and finance and payment support.
So you can see there's a, a good range of different capabilities as reflected on the positions on the chart on innovation. Here are the things that I found in this edition of the report that were stood out to me as being most innovative across all the, you know, the 20 or so companies that looked at remote identity verification apps.
These are, you know, mobile apps that, you know, you can take a selfie that does liveness detection, take a picture of your identity document, you know, driver's license or passport to match. You know, maybe it can actually read, you know, over nfc. These things started out, you know, several years ago and I think they've gotten much better. They've become much more widespread. They've been used not only for consumer identity use cases, but you know, throughout the pandemic it became necessary and quite popular to use remote onboarding apps for onboarding employees and contractors too.
So not everybody has this capability, but I think this is a, a really good feature for helping out to do identity proofing in, in certain areas. Support for anti-money laundering, know your customer and sanction screening.
Again, not everybody does this, but I think it's, it's pretty valuable for customers, prospective customers of fraud reduction intel platforms to know about that. The, the need to be able to do AML and sanction screening has only increased in recent years. Transaction level user behavioral analysis. Some of the vendors do sort of a general uba, maybe they'll look at where requests are originating from others go into more detail about, you know, does this transaction look like something that this user has done in the past?
If so, okay. That maybe that adds more legitimacy to it. Otherwise they can also sometimes too integrate with consumer identity management systems such that it would allow for a step up authentication or some sort of, you know, run time authorization to make sure that yes indeed you want to actually make that transaction. And we might have seen that too, like with 3D S two, you know, you tried to make a purchase, you know, maybe a large purchase with a credit card. You'll get a, a popup on your, your credit card application asking did you really want to do this?
That's, that's what we mean here. But transaction level uba, there's malware detection capabilities in some of the products. Looking at the behavior, additional behavioral biometric modalities beyond the touchscreen pressure, the keystroke and mouse analysis, advanced bot management, again, to be able to do things like throttling or redirection in, in cases where fraud is detected or or bots are detected. And then the ability to figure out new fraud trends and then whether or not they have a good, nice, intuitive, easy to use Analyst interface.
Lastly, market leadership. You'll see the leaders are credit rating agencies. They have all the information on us as well as bot detection specialists and some identity and security stack vendors. And there are some fraud prevention specialists as well. The challengers are mostly specialists at this time, but they're growing and this will be a growing industry. And I throw in one spider chart from the end kind of as a representative of what you'll see in the report, how each individual vendor is rated by category. And with that I encourage you to take a look at the report online.
If you have any questions, let me know. Perfect. Thank you very much John, for this insights into our fraud reduction intelligence platforms leadership compass. One question from the audience and I love it. I mean we had in the past a lot of discussions around behavior analytics and data privacy. Is there something different with this F platforms or is it the same stuff, especially in Europe and Germany? We have with monitoring and logging, There can be conflicts, yeah, but they're also legitimate uses of information.
I think in, in many cases the idea that sometimes personal information or what some may consider personal information that can be used for fraud prevention is AEG legitimate business use of that info. Okay. Because U usually really the challenge was behavior analytics was like the workers counselor, whatever from IT security. We love this tools because they make our organizations more secure business or most of the time the end users do not. Okay. Any question from the audience here in the room then I have to do a short sprint. Physical education is important as well. Okay. Hi.
So really quickly, what about vendors like that are providing only part of what you presented? Like biggest players? I'm thinking about human security or in Europe, DA data dom.
Yeah, human was in there. Human security's in there. Yeah. There are smaller companies that may, I mean there are lots of different companies that let's say do identity proofing and it's tends to be per region or per country. We do have other reports on, you know, providers of verified identity where we cover, you know, a smaller market segment like that that's specialized. But you know, with this report I'm trying to like roll up all the major functionality of, you know, what a company, you know, in any given industry might be looking for, for overall fraud reduction. Thank you. Perfect.
Thank you very much John.
