E-guide
Web Fraud Protection Buyer’s Guide – part 2: Your expert guide to web fraud protection
Page 1 of 17
In this e-guide
Five criteria for purchasing Web fraud detection systems
Comparing the top Web fraud detection systems
Five criteria for purchasing Web fraud detection systems
Ed Tittel
Expert Ed Tittel describes the purchasing criteria for Web fraud
detection systems and explains how they can protect banking, e-
commerce and other industries.
Frank Abagnale, a former imposter and fraudster who wrote the book Catch Me
If You Can, believes "punishment for fraud and the recovery of stolen funds [is]
so rare, prevention is the only viable course of action." An organization that
conducts business over the Web should interpret that statement to mean
"detection" as well. That is, prevention of Web fraud is a combination of
accurate fraud detection along with layers of security that help to protect users,
devices and networks.
Web fraud detection, sometimes referred to as online fraud detection, is a set of
services or a software product that detects fraudulent transactions or activities
conducted over the Web. A typical Web fraud detection system detects new
account origination (identity fraud), account takeover (stolen user credentials)
and payment fraud (e.g., with a stolen credit card), but can offer much more.
How a Web fraud detection system accomplishes detection and to what extent
is what sets one apart from the others. Read on for an overview of key factors to
consider when evaluating these products.
Sector focus
Some Web fraud detection vendors focus specifically on the banking/financial
services industry or e-commerce, whereas others offer products that claim to
tackle nearly any type of sector that maintains online accounts and conducts
transactions.
A financial services company may best be served by a Web fraud detection
system created specifically for that industry. The same applies to e-commerce
and retailers. Government agencies offering e-government services, social
networking sites, insurance companies and so forth can broaden their research
to look at sector-neutral products (those that support many different verticals),
which represent the lion's share of available products.
Multiple layers of Web fraud detection
In its Market Guide for Online Fraud Detection (revised on July 21, 2015) and
previous publications, Gartner highly recommends using multiple fraud
prevention layers designed to help prevent or stop further damage from
Internet-based malware attacks. The most significant layers involve endpoints
(Layer 1), navigation (Layer 2) and users or entities (Layer 3). According to
Gartner's layering scheme, an endpoint product analyzes computer, mobile
device or telephony device characteristics, such as recent login data, and
provides validation of a user's account privileges. A navigation system analyzes
session navigation for anomalies. A user- or entity-centric product compares
transactions to the "norm" for that user or entity, for a specific channel such as
e-commerce.
Many Web fraud detection systems provide protection for all three layers; others
focus on only one layer. It's possible to get complete coverage from various
products, but it makes sense to look for a product that provides protection at all
three layers.
Who needs Web fraud detection services?
Organizations of all sizes (SMBs to enterprises) that handle a volume of
card-not-present (CNP) transactions too burdensome or time-intensive to review
manually should have some type of fraud detection in place. Types of
customers include banking and financial services institutions, e-commerce
merchants, human resources and payroll services, and social networking sites
-- just to name a few. Plus, Web fraud detection services help organizations
meet Payment Card Industry Data Security Standard requirements.
Analytics and continuous profiling
Rule-based analytics rely on pattern recognition, which is based on what is
already known. Predictive behavioral analytics look at an account holder's
behavior and seek anomalies based on expected behavior. Models produce risk
scores, which are evaluated against user or entity profiles created from the
results of analytics.
A high mark in this category is a product that provides continuous profiling of
accounts and users to detect fraud, using one or both analytical models, with
behavioral edging out rule-based.
Integration of external intelligence information
One part of the security industry that's gained significant traction in recent years
is threat intelligence. A threat intelligence service gathers raw data about
emerging threats from several sources (and perhaps millions of endpoints), and
then analyzes and filters that data to produce useable information. Security
control systems, such as security information and event management and next-
gen firewalls, use threat intelligence to better protect an organization from
emerging or zero-day threats. An identity intelligence service, or identity
proofing service, provides an analysis of user identity and access characteristics
(user roles, policy violations, biometric data and so on), gathered from public
and proprietary data sources. Identity intelligence is often used to verify a
person's identity before an organization approves an account and issues
credentials.
For the most comprehensive coverage, organizations should give preference to
Web fraud detection systems that can integrate external threat intelligence
and/or identity intelligence. In fact, the majority of products are expected to
provide this feature by 2017.
Compliance with regulations and standards
Ensure your organization's choice of Web fraud detection system meets the
requirements of all necessary compliance regulations. For example, if an
organization accepts payment cards, it should ask if the product under
consideration is PCI DSS-certified.
Many organizations need to comply with the Gramm-Leach-Bliley Act, the
Sarbanes-Oxley Act or FACTA Red-Flags, or require SSAE 16 or ISO/IEC
27001 for information security management. Keep a list of the organization's
compliance requirements handy when vetting Web fraud detection systems and
ask each vendor on the short list to provide documentation that indicates the
product's compliance support.
Other considerations
Web fraud detection vendors typically provide downloadable data sheets,
brochures and similar product assets on their websites to prospective
customers. Be sure to check the copyright dates on the available assets,
especially the data sheets, and consider dropping products with asset dates
older than a year or two from the list. Web fraud detection systems must adapt
to a constant influx of new threats, and incorporate innovation to remain
relevant and competitive. Old assets may be an indicator of a product that's not
technologically fresh and effective.
As organizations research vendors and products, they'll read about how the
Web fraud detection industry has undergone a lot of churn since 2013, mainly
from mergers and acquisitions. When a vendor is acquired to fill in a technology
gap in a portfolio, innovation can suffer. When talking to each vendor sales rep,
be sure to ask (1) which products are the top three competitors, (2) if any
product improvements or upgrades are planned (and the nature of the changes)
and (3) how their Web fraud detection system stands out from the competitors.
How to evaluate Web fraud detection systems
Evaluating Web fraud detection systems requires more than a search through
data sheets and marketing materials, which can be misleading and out of date.
Take advantage of one-on-one demos offered by the vendors, during which you
can ask the sales reps specific product questions in relation to your
organization's industry/channel and transaction volume. That's the best time to
establish realistic pricing as well because most Web fraud detection systems
are based on volume.
The next article in this series will map leading products and vendors in the Web
fraud detection market space with the criteria presented in this article. Readers
will learn which products are best for specific sectors and find out which ones
percolate to the top of the "best buy" list.
Comparing the top Web fraud detection systems
Ed Tittel
Expert Ed Tittel explores the features of the top Web fraud detection
systems and compares critical purchasing criteria.
Facing millions of dollars in Web fraud losses, companies cannot rely solely on
strong user authentication for online banking, e-commerce and similar sites (as
underscored by the Federal Financial Institutions Examination Council [FFIEC]).
Once user credentials have been stolen or spoofed, authentication controls are
no longer effective by themselves. Web fraud detection systems then become
critical for identifying and stopping fraud before the losses pile up. These
products typically share a set of basic features, such as detection of account
origination, account takeover and payment fraud, but may use different
detection methods and offer value-adds that make individual products stand
apart from others.
This article compares Web fraud detection systems from several leading
vendors: 41st Parameter, Accertify Inc., Easy Solutions Inc., Guardian
Analytics, IBM Trusteer, iovation, Kount Inc., RSA and ThreatMetrix, with
Intellinx considered an outlier in this line-up. Let's look at how the products
compare against purchasing criteria for Web fraud detection systems -- as
outlined in the previous article in this series.
Industry sector focus: Web fraud detection
Guardian Analytics FraudMAP and IBM Security Trusteer are designed for the
banking and financial services industry, although they both support general e-
commerce as well. Accertify Fraud Management is geared mainly toward e-
commerce environments (the company is owned by American Express Co.). In
fact, Fraud Management is tightly woven into American Express and can
integrate with that company's risk management features.
The rest of the 10 Web fraud detection systems featured in this article cover a
gamut of industries, which include banking/financial services and e-commerce,
as well as social networking, travel, gaming, insurance and government
agencies engaged in e-government. For example, 41st Parameter (part of
Experian) and Easy Solutions cater mainly to e-commerce merchants, financial
institutions and travel services providers. Kount, on the other hand, aims at
business-to-business (B2B) organizations, digital goods retailers, gift card
issuers, online gaming, insurance, travel, ticketing and events, as well as many
other industries.
Multiple layers of Web fraud detection systems
One of the most important features for Web fraud detection systems is the
incorporation of multiple layers of detection. Endpoint features analyze user
devices for identity, location and authentication data, among other factors.
Navigation features analyze Web session data to detect anomalies and flag
high-risk users or devices. Transaction analysis looks for fraudulent activity by
comparing each transaction against what are considered "normal" user transactions.
Multiple layers of general security are also essential to reducing Web fraud.
Some vendors focus solely on fraud detection, with the expectation that
customers will provide antimalware and other forms of security protection from
third-party sources, whereas other vendors build in malware detection on
endpoints and administer controls and checks for man-in-the-middle attacks,
phishing and so on.
All of the featured Web fraud detection systems covered in this article provide
multiple layers of detection and security to varying degrees.
Easy Solutions offers one of the most comprehensive products among the
featured vendors. The company's Total Fraud Protection emphasizes
"leveraged intelligence across multiple layers" and covers endpoint
identification, strong authentication monitoring, navigation analysis and
transaction monitoring, as well as proactive malware detection, controls for
email spoofing, transaction risk monitoring and much more.
Kount, Guardian Analytics, IBM Security Trusteer and RSA also rank high
regarding multiple layers of detection and security protection. The IBM Security
Trusteer suite provides tools for preventing malware and phishing-related fraud
attacks, as well as risk analysis. Online banking customers may already be
familiar with Trusteer Rapport, one of the first readily available browser plug-ins
that adds an additional layer of protection for user credentials and personal
information. Easy Solutions also provides user-centric safe browsing, but it goes
one step further by reporting detected malware on the user device to a
deactivation tool.
RSA Transaction Monitoring requires the RSA FraudAction 360 Anti-Trojan
Service and RSA Adaptive Authentication for more complete protection.
Accertify, part of AmEx, provides an adequate layered product, which focuses
mainly on fraud management for payment card acceptors.
Iovation and ThreatMetrix are mainly device-based; that is, they focus on device
recognition and device-based authentication. Likewise, 41st Parameter appears
to be more endpoint-based.
Intellinx offers user behavior profiling and transaction analysis, as well as online
application profiling to detect malware and distributed denial-of-service attacks.
Its most distinctive feature is a visual replay of user screens, which allows an
investigator to replay a user's activities.
Analytics and profiling
Easy Solutions, Guardian Analytics, Intellinx, Kount, RSA and ThreatMetrix
employ predictive behavioral analytics, which analyzes account holder behavior
and detects anomalies based on expected behavior.
41st Parameter and Accertify rely on rule-based analytics -- pattern-based
recognition of what is already known. The problem with relying only on rule-
based analytics is that statistical models can be inaccurate, which can result in
a high rate of false negatives and false positives, thereby increasing costs and
personnel resources needed to resolve such matters.
For its part, Kount Complete uses a combination of rule-based and behavioral
analytics, thereby capitalizing on the strengths of each approach. That
combination also helps offset certain weaknesses, especially by reducing false
negative or positive findings.
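To make the difference between the two analytical models concrete (both here and in the "Analytics and continuous profiling" criterion of the first article), here is an added example that is not code from the e-guide or from any vendor named in it: a toy risk scorer whose rule-based layer fires only on known patterns, while its behavioral layer scores deviation from a per-user profile built from that user's own history. The rule names, point values, thresholds and sample transactions are all constructed for illustration.

```python
# Added example, not from the e-guide or any vendor: a toy scorer combining a
# rule-based layer with a behavioral layer; points and thresholds are made up.
from dataclasses import dataclass, field
from statistics import mean, pstdev

@dataclass
class Txn:
    user: str
    amount: float
    country: str
    device_id: str
    hour: int  # local hour of day, 0-23

@dataclass
class Profile:
    """Per-user baseline learned from past transactions (continuous profiling)."""
    amounts: list = field(default_factory=list)
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    hours: list = field(default_factory=list)

def build_profiles(history):
    """Fold each user's transaction history into a Profile."""
    profiles = {}
    for t in history:
        p = profiles.setdefault(t.user, Profile())
        p.amounts.append(t.amount)
        p.countries.add(t.country)
        p.devices.add(t.device_id)
        p.hours.append(t.hour)
    return profiles

# Rule-based layer: fixed points for patterns already known to be risky.
RULES = [
    ("new_device_high_amount",
     lambda t, p: t.device_id not in p.devices and t.amount >= 500, 40),
    ("unseen_country", lambda t, p: t.country not in p.countries, 30),
]

def rule_score(t, p):
    fired = [(name, pts) for name, cond, pts in RULES if cond(t, p)]
    return sum(pts for _, pts in fired), [name for name, _ in fired]

def behavioral_score(t, p):
    """Points for deviating from this user's own norm; needs no known pattern."""
    if len(p.amounts) < 2:
        return 0  # cold start: too little history to model this user
    sd = pstdev(p.amounts) or 1.0
    z = (t.amount - mean(p.amounts)) / sd
    amount_pts = min(40, max(0, int(10 * z)))  # only unusually large amounts
    # Usual active window padded by 2h (midnight wraparound ignored for brevity).
    off_hours = not (min(p.hours) - 2 <= t.hour <= max(p.hours) + 2)
    return amount_pts + (20 if off_hours else 0)

def score(t, p):
    """Combined risk score 0-100, a decision and the names of rules that fired."""
    rule_pts, fired = rule_score(t, p)
    total = min(100, rule_pts + behavioral_score(t, p))
    decision = "block" if total >= 70 else "review" if total >= 30 else "allow"
    return total, decision, fired

# Constructed history for one user: small daytime purchases from one device.
PROFILES = build_profiles([Txn("alice", a, "US", "dev-A", h) for a, h in
                           [(40, 12), (55, 13), (60, 18), (45, 19), (50, 14)]])
```

A 300-dollar purchase at 2 a.m. from the usual device matches no rule yet still lands in review on behavioral points alone, which is the gap a rules-only product leaves open.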
Indeed, analytics is the meat in each Web fraud detection system -- the more
accurate its analytics, the better the detection rate. Analytics are also a
significant factor in the quality of a product. Vendors create proprietary analytics
or modeling engines to achieve the highest detection rates possible. For
example, Guardian Analytics' FraudMAP Online uses a proprietary behavioral
analytics implementation called "Dynamic Account Modeling" to detect
suspicious online activity, account compromise and fraudulent transactions.
FraudMAP Online can also detect known and emerging threats.
IBM Security Trusteer includes proprietary Pinpoint Criminal Detection software
that uses "evidence-based" methods of fraud detection. Pinpoint Criminal
Detection correlates a combination of device, geolocation and transactional
modeling with a database of fraud indicators. Like its competitors, the product
detects login and transaction anomalies and creates a risk score for account
takeovers, but also uses device fingerprinting to detect newly spoofed devices,
can detect remote access tools (RATs) used by criminals and can identify
phishing incidents in real time.
Integration of alternative data sources/external intelligence information
Accertify, Easy Solutions, Guardian Analytics, IBM Security Trusteer, iovation,
RSA Transaction Monitoring and ThreatMetrix integrate external intelligence
into their products. For example, Accertify relies on three data sources: a
company's data generated across all channels (websites, call centers and so
on), other merchants conducting the same types of transactions and third-party
sources such as Emailage, an email fraud-risk assessment and scoring product.
Easy Solutions' threat intelligence is called Detect Monitoring Service (DMS).
The company constantly monitors websites and social networks, and
incorporates threat data into its DMS databases. Easy Solutions' Total Fraud
Protection product includes Detect Safe Browsing (DSB), which is software
installed on user devices that scans for malware and reports back to DMS. This
combination helps to detect and prevent damage from threats, not only to users
with DSB software installed, but to Easy Solutions customers in general.
RSA maintains the eFraudNetwork (eFN) service, a large cross-platform, cross-
institutional (financial, e-commerce, healthcare, among others) global network
that identifies and tracks online fraud. EFN facilitates threat information sharing,
both confirmed and bogus, among its customers and partners. RSA Transaction
Monitoring, as well as other RSA antifraud-related products, use eFN to help
determine fraudulent activity.
ThreatMetrix has the ThreatMetrix Global Trust Intelligence Network, a digital
identity network that analyzes over one billion transactions every month. The
Network compares a consumer's device identity, persona and behavior from
every transaction to previous activity, in real time.
Compliance with regulations and standards
There are two ways to look at compliance when evaluating Web fraud detection
systems -- whether the vendor meets its compliance requirements and whether
the product helps a customer meet compliance.
41st Parameter, Accertify, Easy Solutions, iovation and Kount are Payment
Card Industry Data Security Standard (PCI DSS)-certified. Easy Solutions is
also a Certified Qualified Security Assessor company, which means it is certified
to assist e-commerce merchants and financial institutions in meeting their own
PCI DSS compliance. Accertify is also ISO/IEC 27001-certified, an SSAE 16-
certified data center provider and EU Safe Harbor-registered.
Easy Solutions, Guardian Analytics, IBM Security Trusteer, Kount, RSA and
ThreatMetrix support FFIEC compliance.
Intellinx's visibility and reporting capabilities help companies comply with PCI
DSS, the Fair and Accurate Credit Transactions Act, the Gramm-Leach-Bliley
Act, SOX, HIPAA and Basel II.
Platform and pricing structure
Most Web fraud detection systems are sold as software as a service (SaaS),
based on transaction volume. However, other factors such as industry sector,
transaction risk, geography and partner integration can also affect pricing.
Vendors who offer SaaS-based products include 41st Parameter, Accertify,
Guardian Analytics, IBM Security Trusteer, iovation, Kount, RSA and
ThreatMetrix.
Easy Solutions is sold as a software product rather than SaaS, and is priced on a
per-device basis. Customers must purchase Easy Solutions through a reseller.
Finding the right Web fraud detection system
Non-banking organizations that are in the market for a solid, comprehensive
Web fraud detection system should look first to Easy Solutions Total Fraud
Protection, Kount Complete and RSA products. Because Accertify is owned by
American Express, it's designed with Amex integration in mind and can perform
deeper analysis on Amex transactions. Banking and financial institutions may
fare best with products geared specifically for that industry, such as Guardian
Analytics FraudMAP and IBM Security Trusteer.
About the author
Ed Tittel is a 30-plus year IT veteran who's worked as a developer, networking
consultant, technical trainer, writer and expert witness. Perhaps best known for
creating the Exam Cram series, Ed has contributed to more than 100 books on
many computing topics, including titles on information security, Windows OSes
and HTML. Ed also blogs regularly for TechTarget (Windows Enterprise
Desktop), Tom's IT Pro, GoCertify and PearsonITCertification.com.