The Shield of Innovation: How Technology Empowers Fraud Prevention

So I'm John Tolbert. I'm gonna talk about some of our latest research on fraud reduction intelligence platform. So I hope this is kind of a good segue from what we've heard earlier this morning on the human factor and and skill shortages. So I'm gonna start off talking about, oops, fraud types that are out there.

And then, yeah, we did some recent research we call our leadership compass. That's our comparative reports. I looked at a bunch of different fraud reduction intel vendors. We'll talk about the process and then show the results. So nice acronym here. fip Fraud reduction intel platforms. Let's talk about some of the, the crime stats, the cyber crime stats. So at least these are a little bit different than what we've heard this morning. And this is from last year.

The FBI, these are cases reported in the US but I think what's most notable here is how low they are. I mean, 300,000 phishing reports. We know they have to be higher than that.

Nearly 22,000 reports of business email compromise, you know, and that's again, just what's reported up to a $2.7 billion loss, which increased over 2021. Investment fraud. This is all sorts of weird things from, you know, crypto scam, social media hacks, celebrity impersonation, real estate fraud, all sorts of things there that kind of come under that umbrella. And then call center fraud.

These are, you know, when you get the calls saying, you know, purporting to be from a major tech provider and you know, you need to pick up and talk to 'em or get redirected 44,000 reports. I mean, I think I got that many this year already. So that's gonna be way under-reported. So two of the biggest fraud types that we see are account takeover fraud and account opening fraud, ATO and AO fraud.

The goal of account takeover, well, it's just like what it sounds, you know, takeover somebody's account to do something bad with it, usually drain money out of it, but it doesn't just have to be money. It could be anything that could be converted into currency. So there can be, you know, loyalty programs, frequent flyer miles, things like that.

And, and it really affects just about any and all industries out there. Account opening fraud, on the other hand is using personal information to create an account based on somebody else's data so that they can use it for things like major financial fraud, money laundering, creating mule accounts, you know, where they'll recruit somebody who can, you know, pass money from the, the dark market into convertible currency. So how do they do these things? The perpetration methods on the AO side or ATO side account takeover. We've heard a lot about phishing today. That's a primary vector.

But we've got all these other cool terms like vishing and smishing, that's VO getting voice calls or SMS text. I think we all get a lot of those too.

You know, brute force password guessing still works, unfortunately compromised credentials leaked from the dark web. They can be used in credential stuffing attacks. That's why we tell people not to reuse passwords, because if a bad one gets found somewhere, then it gets, can be reused in a credential stuffing attack, they'll hit tons of other sites and if you've reused a password, then they may get in, drive-by downloads, still work, you know, load a, a victim up with malware, things like key loggers, root kits, then they can, you know, directly get a person's credentials there.

User ID and passwords and spyware is still out there. Stealing cookies, stealing tokens, account opening information sources. This is why it's try to important to try to protect your own personal information because bad guys can use government records, school records, you know, job, healthcare, insurance, your, anything about you as a person to create a fake account and then drain money, you know, they couldn't even get lines of credit. Try to get mortgages with it. So even your postal address, all this stuff, you know, try to safeguard as much as possible.

Credit card fraud comes in as its own little special category. I'm sure we've all been victims of this too. Card not present attacks. These are like, when you're buying something online, which is all of us every day, you are not actually tapping the card or inserting it. So you use the CVV as we all know, there are millions and millions of credit card numbers out there for sale on the dark web or not even on dark web. It's in social media card not received. It doesn't come in the mail or it gets stolen. Obviously somebody can use that for ill counterfeit cards.

You know, there that happens too, where you put, you know, your card into what you think is a legitimate ATM or something, but they put a skimmer on top of it, it can steal your card information. So looking a little bit more at phishing, vishing and smishing, I mean, I won't read through all of these obviously there's tons of different examples, but what I think is interesting, but also alarming is the amount of innovation that you see here. And the word fake gets used a lot. You'll see, you know, things like fake investment opportunities, fake push notifications, delivery notices.

I mean, I've, I've heard that come up a couple of times in the last couple of days where, you know, you'll, you'll get a notice that, oh, you, you need to go here to release this from customs or something. It's just about trying to steal your credentials and get money. Fake utility or broadband cutoff notices, invoices, I mean, we've talked a bit about business email compromise, you know, CEO or CFO impersonation, trying to look like an executive directing someone to transfer money, fake tax refunds, fake notices from utilities. I mean the, the variety is astounding.

And the thing is, is they continue to innovate, you know, day after day it makes me leery to answer a phone call or, you know, look at a text message or an email that I don't really recognize myself. So e-commerce fraud, I call this out as a special category too because it's a little bit different from just the, the payment services fraud. These are the ones that really affect anybody running a website more or less think retailer in particular. A lot of it is bought perpetrated.

So we have things like inventory hoarding, bots, Grinch, that's, you know, loading up a, a shopping cart and then abandoning the cart. 'cause it temporarily takes those items out of inventory. So if you know a competitor is trying to, you know, temporarily make it look like you don't have items in your store. API inventory checking bots, I mean, some of these bots are legitimate too, you know, they're competitive price checking bots, but you wanna be able to throttle them. Headless browsers, the bad guys use headless browsers a lot. They can be detected and and prevented DDoS.

And then again, lots and lots of fake stuff here. Fake reviews and comments. Fake job postings, fake goods on auction sites. The thing about, you know, fake reviews and comments on websites is sometimes they use 'em to leave malicious links, which again, can be used to get somebody's credentials. Ticket scalping.

You know, a lot of times when we go to, you know, I won't name any particular sites, but if you wanna buy a ticket, it feels like it's an onerous process. It's, it's because they're putting so much effort into trying to prevent ticket scalping bots from operating. So how do we reduce all of this fraud? Obviously it's a big problem and it's only getting worse. I've called out six major techniques that are used for fraud reduction. The first is identity proofing. This is designed to raise identity assurance levels.

You know, initially this is about like anti-money laundering and know your customer initiatives, being able to do sanction screening. And this sounds like it's really about what the finance industry does, but what we've learned over the last couple of years is lots of other organizations want to raise the overall identity assurance level so that they don't face a lot of these kinds of fraud. Credential intelligence has this user Id recently been used elsewhere for fraud.

I mean you won't know that as an independent store operator unless you're using one of these fraud reduction intel platforms that can aggregate information from across all of their customers. Because if they, that ID has been used somewhere for fraud, well certainly you would want to at least raise the risk level, if not outright deny the transaction. Device intelligence, this is looking at characteristics of the devices, the device identifier, the type IP address, device reputation.

There are lots of components of the, the FIP industry that maintain up-to-date information about device reputation. Then look at the patch level, you know, what operating system is it running?

What, what other applications is it running? Does it have malware detection on it? Are there signs that that may be contaminated by malware already? User behavioral analysis, this is too, just what it sounds like. Looking at what a user is doing, looking at the locations that they come from, what networks, whether it be wifi or cellular. And then you, there's a really good vendors out there. Use transaction history and transaction details to look to see, okay, is, is the current request for a transaction, does this really fall in line with what the user's done before?

Is it originating from a place where they've done business before? Is it the same kind of thing that they've bought? Is the amount, you know, within reason? So this in itself is a really good thing to help reduce fraud. Then we have behavioral biometrics. This is an area of innovation. This is looking at how users interact with their devices.

So, you know, if you're working on a computer, it's how you type your keystrokes, how you use the mouse. If you're using a phone, you know, we all actually use our phones a little bit differently. You know how you touch the screen, the pressure, how you move it around. There's a gyroscope in here in all phones. So this can be used to build a baseline profile for knowing when a particular user is using that device. And then bot detection and management, since so much fraud is perpetrated by bots, it's great to be able to determine what's coming from a legitimate user and what's not.

And there's a multitude, different, different ways that they can do that. There's intel sources or tax signatures, there's information about botnets that needs to be constantly updated, but they also use behavioral biometrics because generally people interact with their devices a little bit differently than a bot would. Although bots are getting much better. And on the management side, it's how do you deal with it? Since not all bots are bad, you wanna be able to let some through because that's how a lot of business on the web gets done anyway.

So you need to be able to tell which ones are good, which ones are bad. And let's say your site is really, really busy and you wanna let good bots through, maybe you need to throttle 'em, maybe you need to redirect them somewhere until later time.

You know, you've got the, the bandwidth to process it. With this slide, I'm just trying to show how do these different methods line up with, you know, account opening prevention versus account takeover prevention. So AO prevention here in red, ATO prevention in green, you know, the best thing for account opening fraud is using ID proofing, followed closely by behavioral biometrics and device intelligence for preventing ATO fraud. Multi-factor authentication is something we always recommend and we've been recommending for years. Along with risk-based authentication.

And then the other things here, the credential intel device, intel bot detection. So on this research, the evaluation criteria, I called out eight categories of things that I wanted to rate particularly on. So identity proofing in account opening protection, user behavioral analysis, device intelligence, the behavioral biometrics, bot detection and management, ATO protection, e-commerce support and finance and payment security. I broke those two out at the bottom because it turns out there are differences in vendor implementation.

Some are more specific to just the finance and payments support. Others are very specific on the e-commerce. Some do all of it. So our process, how do we do this? It's not advancing here. We identify all the vendors in the field, we invite them to participate. We get briefings and demonstrations. We put together what most vendors probably think is a ridiculously long list of technical questions and get them to answer it. Then we analyze that, we rate that, we write the first draft, we send it out for fact check. We have another conversation with the, the service providers.

They can correct anything that's wrong. They can tell us about something that's changed, you know, since we last talked to them. Then we finalize it and publish it on our site at KuppingerCole dot com. We rate nine categories, standard categories, security. In this case, it's not about delivering security to the end user, it's about how well the product or service is built. Functionality. Does it have everything in it that we've called out? Those eight technical criteria integration, how's it deployed? In this case, most of these are just SaaS services.

So they're pretty easy to deploy and integrate. Same with interoperability, usability. This is not something that end users need to deal with necessarily. So we're rating here for what's it like for the customer administrator, what's it like for the customer's? Fraud Analyst innovation, does it have cool new features? Is it leading edge or is it kind of playing catch up to the rest of the industry market? How many customers do they have? Are they globally distributed? Are they kind of a regional player ecosystem? What's their support system like? Are they globally distributed?

Do they only operate in some countries? And then financial strength, you know, are they profitable? Is it a big company, is it a startup or is it a mid, mid stage startup? All these things are interesting for prospective buyers of these kinds of enterprise services to know. Then we have four categories of leadership, product market innovation. All that gets rolled up into overall leadership. So let's take a look at the results. Here are the vendors that were in the report this time encourage you to read it. I'll provide a link at the end of this. This is the third time I've done this report.

Every time there are more vendors in it. There are more vendors because some of 'em are starting up.

It's, it's a big field and a lot of companies need help with this. So we expect this to continue to grow. So everybody likes the pictures. I won't go through and name names kind of at the end of time here. But the overall leaders on the whole are your credit rating agencies and some of the large IT security stack vendors. Product leaders, again, here are the criteria, the eight major categories. And you'll see again, credit rating agencies, some of the large IT security stack vendors, but also some who are specialized in fraud prevention, especially on the bot detection side.

Innovation leaders here are the things that I thought were, you know, really cool new in the market things to keep an eye on. Remote identity verification apps, really good support for A-M-L-K-Y-C or sanction screening. That transaction level user behavioral analysis. Not all of them do that. Some do. And I think this is a real advantage for let's say retailers or other e-commerce vendors that that need transaction level details, good malware detection capabilities.

I mean they're, it's not like they're putting anti-malware clients on everybody's devices, but they can analyze signals from say a phone and, and get a picture of whether or not it may be influenced by malware, behavioral biometric modalities that kind of go above and beyond just the basic gyroscope and keystroke and touchscreen pressure. There are some pretty interesting things and I tried to write that up in, in each one of the specific vendor write-ups. What's what's interesting there, advanced bot management, you know, that means the challenges that can be delivered.

I think we've all done CAPS and we're probably not all that thrilled with having to do caps, but there are some pretty innovative techniques that can be used there that are unobtrusive to the end user, but yet give them the, the, the vendor, the same level of assurance as doing something like a capcha. And lastly, the ability to detect emerging fraud trends and having a really nice fraud Analyst interface because if you've got people working with a solution like that, you wanna make sure that they can do that as efficiently as possible.

Last graphic here, we've got market leadership and again, this is, you know, your larger companies with more global reach tend to rise to the top of this, but there are a lot of fraud specialists and the ones that are coming up, I think, you know, pay attention next year when we revamp this report, I think we'll see some position, position changes here as well. It's probably more vendors in the report too. And last example, we, we do rate those categories individually for each vendor and we show them in one of our spider charts.

So this is kind of a representative sample of what you would see inside the leadership compass with regard to how each individual vendor is positioned for the eight different technical categories. And that's it. Anybody have any questions?