Hi, and welcome to our webinar. I'm John Tolbert, Director of Cybersecurity Research here at KuppingerCole, and today's webinar is about fraud reduction intelligence platforms. We're also going to look at how you can see the results of that through our new tool, KC OpenSelect. So some logistics info before we begin. Everyone is muted centrally. There's no need to mute or unmute yourself. We are going to do a couple of poll questions during the presentation, and we'll take a look at the results at the end.
And you can submit questions in the question control center, and I will take those at the end as well. And lastly, we are recording this, so both the recording and the slides will be available in a few days. So let's dig in. Fraud Reduction Intelligence Platforms. What is it? Why do we need it? And let's get going. So as everyone probably knows, through direct personal experience, as well as, you know, if you're working in just about any industry, cybercrime, fraud particularly, has been on the increase for years.
And fraudsters have continued to innovate and develop new techniques to attack individuals, businesses, nonprofits, pretty much any kind of industry. And, you know, we'll dive a little deeper into what we mean by the different kinds of fraud.
But, you know, here, I just thought I'd put up some statistics from last year that were collected about the numbers of phishing, business email compromise, investment fraud, call center fraud, lots and lots of different types of fraud. And generally, it has been on the increase. Two of the biggest types of fraud that we deal with commonly are what we call ATO fraud, that stands for account takeover fraud, and AO fraud, or account opening fraud. Account takeover fraud is exactly what it sounds like. The hackers are trying to at least temporarily take over access to existing accounts.
And they do this so that they can drain those accounts of money or anything that can be converted into money. And like I said, almost all industries are targeted. Anything that can be transferred into money, whether it be loyalty points, frequent flyer miles, all sorts of things are targeted by hackers that want to get control of people's accounts. Then there's account opening fraud. The goal here is to create fake accounts, but based on real people's information. They do this because you can conduct major financial fraud with that.
You can use a fraudulently created account to open up lines of credit, you know, get mortgages, all sorts of things, including doing money laundering, having mule accounts for moving money between, you know, different kinds of illegal activities in the real world of finance. So account opening fraud is very serious as well. So there are lots of different methods that fraudsters use to perpetrate both ATO and AO fraud. So on the ATO side, they do things like use phishing, vishing, smishing.
This is, you know, voice phishing, SMS phishing. All these are like forms of social engineering, trying to get a user to enter their information, give the bad guys the information that will enable them to take over their accounts. There's still brute force password guessing, compromised credentials that might be found on the dark web. Then they can also be used for credential stuffing attacks because a lot of people use the same password, email, user ID combination.
So if it's compromised in one place, the attacker will load that up into a bot and try to use it all over the place and see what other kind of access they can get. And then there's still malware that can come into play, you know, drive-by downloads, fake websites, key loggers, rootkits, spyware, anything that can give the attacker control over a user's device then gives them access to usernames and passwords. To build a fake account using a person's information, the records can come from all sorts of places.
There are government, school, employment, health care, insurance, many different sources of records that can, you know, be used to get postal address information, information about how old a person is, things that can help answer, you know, those secondary questions. And then there are plenty of breached consumer records available on the dark web that they can buy to create these accounts as well. Then there's credit card fraud. Probably one of the most prevalent here is card not present.
So doing an online transaction where you're not inserting or tapping a card against a reader, you know, card not present is very, very prevalent in all online transactions. So this is a problem. There are standards for conducting those kinds of transactions more securely, but fraud reduction techniques are also at play here as well. Then there's just simple things like card not received, counterfeit cards, cards that might have been created, you know, by a fraudster using a skimmer and then loading it up on another card or just plain stolen cards or card numbers.
So looking a little deeper at phishing, smishing, and vishing, again, these are all predominantly social engineering kinds of attacks. And I won't read through all these, but these are just kind of a sampling of the different kinds of techniques that the fraudsters use, you know, and we've probably all seen multiple variations of these different kinds of things that show up in email or text or phone calls, you know, fake investment opportunities, utility cutoff notices, fake invoices.
I mean, that's been going on for a while. You know, it's also sort of like CEO or CFO impersonation fraud where, you know, inside an organization, a fraudster will gain access to a person, you know, a legitimate person's account or call them up and direct them to, you know, make a payment somewhere.
So again, much of this really could be more broadly categorized as social engineering scams. There are also specific types of fraud that target e-commerce or website operators. A lot of these are perpetrated by bots, as you can see.
And again, I won't read the whole list, but, you know, some interesting ones here are inventory hoarding bots, competitive price checking bots, you know, and not all bots are bad. That's the thing that you have to keep in mind that a lot of business on the web happens via bots. So you need solutions in the fraud reduction area that can detect which bots are good and which bots are not, and then deal with them proactively so that they don't cause financial loss.
But, you know, there are other kinds of e-commerce fraud schemes that may not necessarily be bot related, but they can be potentially damaging to brands. These things could include things like fake reviews and comments, fake job postings on job sites, fake goods on auction sites. So there are, you know, many, many different permutations of fraud that affect e-commerce operators.
And again, I think it's imperative for e-commerce operators to have fraud reduction intelligence solutions working for them. So we come to our first poll question, which of those following general fraud categories are your organization most concerned about right now? Is it account takeovers or account opening fraud, payments, financial fraud, e-commerce fraud, or all of the above? We'll look at the results at the end. So now that we've kind of described some of the high level types of fraud and motivations and how they do it, let's talk about how to reduce fraud.
So I've identified six primary techniques that fraud reduction intelligence platforms use for reducing fraud. Number one is identity proofing. And this is to raise the overall identity assurance level. This also helps comply with anti-money laundering regulations, know your customer regulations and initiatives, and for sanction screening. And you can often see, you know, remote ident kinds of processes and, you know, remote mobile application identity proofing solutions that have, you know, become quite prevalent in the last few years.
And these can help, like I said, raise the overall identity assurance level so that you know that you're creating an account and assigning it to the proper individual. There's also credential intelligence. This is about knowing, has this user ID been used somewhere else recently for fraud? This is a great place where both FRIP companies or other intelligence providers can share information about what they know about particular user IDs and whether or not they have been involved in fraud.
There's device intelligence, and this includes just knowing anything and everything you can about the device from which a transaction request originates. This can include IP address, locations, reputation of the IP address.
You know, can you tell what the patch level is on the device? Is it fully patched? And does it have any signs that it may have been infected by malware? All these are great for helping to make real-time decisions about whether or not a transaction should go forward. User behavioral analysis. This is looking at the locations, the networks, transaction history, you know, specific to an individual, even the transaction details in some cases.
You know, asking, being able to sort of figuratively ask, is this transaction like what this user has done before? Is it, you know, an amount that is typical for what the user would send? Is this a payee that the user would normally transact with?
So, these things can be analyzed to either raise or lower the risk score, you know, on a per transaction basis. Behavioral biometrics. This is how users interact with their devices. Many of these solutions have behavioral biometrics, and they build a baseline of individuals, you know, how they, what are their keystrokes like, the timing between those, how do they use the mouse.
If it's a mobile device with a touchscreen, it can even build a profile based on touchscreen pressure, how they move it, you know, using the internal gyroscope, and all that can be, you know, baselined and help determine whether or not the proper user is actually using that device. And then I mentioned bot detection and management, the fact that there are good bots, there are bad bots, and some that are in between. There are intel sources that FRIP solutions can subscribe to to bring in more information about bot attacks. There's also behavioral biometrics.
A human interacts with a device generally much differently from how a bot would, so being able to detect that and then challenge the user. I mean, we've all seen different kinds of challenges. Some are more user-friendly than others, but the idea of a challenge is just to make sure that it's really a person and the proper person on the other end of the channel.
If the FRIP solution thinks it's a gray bot or, you know, a bad bot, then, you know, besides challenging, you need to be able to do things like throttle it. Well, maybe it's not a really, really bad bot, you know, but you don't want it to get in the way of, you know, conducting real business. You can also redirect it or just terminate sessions. So there's lots of different kinds of bot management options. So about our leadership compass, I thought I'd start with talking about what our evaluation criteria are and then the overall methodology.
So for this particular leadership compass, the categories that I decided to rate were identity proofing and account opening protection, the user behavioral analysis, device intelligence, behavioral biometrics, bot detection and management, ATO protection, e-commerce support, and finance and payment security. So those are, the last two are, you know, sort of different kinds of use cases. Some of the solutions that I looked at provide coverage for both.
Some specialize in one more than the other, but these will be the points that are on the spider charts in the leadership compass, and these are also the categories that you can drill down into on KC OpenSelect and rate vendors and products based on which of these categories is most important. So in the overall leadership compass process, our methodology is, we start off by doing research. We look for the vendors that we think are relevant. We get briefings from them. We get demonstrations of how their products work.
We send out a very, very long technical questionnaire, get the answers back, review that. Then we analyze it and write a first draft. Then we send it up for fact check, and once we go through the fact check process, we publish it live on our website. The nine standard categories that we rate every company on, regardless of which leadership compass it is, start with security, and this is about internal product security.
It's not so much about how a product helps enhance security in one way or another, you know, at a customer site, but we really want to understand, you know, how secure is the product itself? You know, is it following standards? Is it using multi-factor authentication for their administrators? Do they have attribute-based access control? Lots of different factors that can go into the security rating. Then there's functionality, exactly what it sounds like. Does this product do what we expect it to do to be in the space? So how complete is it overall?
Deployment, you know, here we look at, you know, different kinds of deployment options, whether it's cloud, you know, full SaaS, is it hybrid? Do they still have on-prem options?
And also, how easy is it to deploy? Where can it be deployed?
You know, is it available globally in infrastructures or service data centers? And then also, how much effort is needed by the customer to deploy and maintain it? Interoperability, how well does it work with other services? Does it have connectors for other kinds of platforms? Does it use standard protocols for information exchange?
Usability, is it easy for admins and the end users to use, or analysts, fraud analysts, really an end user in the sense of a consumer trying to get into an e-commerce site or a bank or something? It should be totally transparent to them, except for maybe some sort of bot challenge.
But yeah, we're really looking at, you know, what's it like for an everyday fraud analyst or administrator to use the product? Then we also look at innovation, you know, is the solution cutting edge or, you know, kind of playing catch up to others in the field?
Market, you know, we determine that based on, you know, how many customers, how many end users are protected? Are they targeting specific industries? Or is it a more general purpose kind of FRIP solution where, you know, it can be for banks or e-commerce? And then also, which regions in the world are using it? Is it strictly localized to North America and or Europe?
Or, you know, is this a really market-leading company and they're selling globally? Ecosystem, how many partners do they have? Do they have support for custom development, resellers, system integrators? And then again, how globally distributed are they? And the last major category is financial strength. We want to know, is the company profitable? Is it a big public company or a startup or somewhere in between?
You know, these can be important decision factors for many organizations. So now we'll take our second poll question. Is your organization currently using some FRIP services? And the answer choices are yes, no, we don't think it's relevant, or we're not interested at this time, or C, not yet, but we're looking for it. So we'll have a few seconds to look at the poll.
All right, so let's move into the results, and I'll show you how you can use KC OpenSelect to see some of the results. This is just kind of a high-level, quick, you know, look at what KC OpenSelect can do.
And again, it's free, so I'd encourage you to go out and take a look. KC OpenSelect is our tool that launched earlier this year. It's about helping end users come in and look at different categories of tools and get an idea of where to start in a tools choice or RFP sort of process.
So it can help you, you know, start your decision-making process to figure out what tools and which areas are most pertinent for your organization, because we take the data and allow you to, you know, slice and dice it according to use cases and functionality and language support and a whole number of different kinds of options. And KC OpenSelect continues to grow and evolve too. So for this particular leadership compass, you can see the pretty long list of vendors. This is the third year I've done this report. The vendor list continues to grow.
That tells me it's a large and growing market, and there's room for new entrants. And there have been a number of acquisitions over the last few years in this fraud reduction market as well. So when you first get into KC OpenSelect, you can see, you know, a couple of different menus along the top and some along the bottom. So we start off with a solution comparison. This will give you sort of an overview of the field. We'll tell you in a bit more detail than I've been able to present today, you know, what exactly fraud reduction intelligence platforms are.
Then you can see the vendors that are listed. A sample here, you know, we can drill down, go through more detail that we have on the vendor. You can see their individual spider graphs. You can rearrange which of those particular technical categories is of most interest to your organization and then sort vendors by that. We list out, you know, the major use cases and capabilities. And then also allow you to sort the results by, you know, the scoring that we analyzed as a result of the leadership compass process.
We also give you a list of internal considerations that you might want to think about for both planning and then also when you start to go into the RFI, RFP process. You know, like in the case of fraud reduction, of course, you'd want to know what are the back-end applications, the line of business applications that you need to be able to plug a FRIP service into and then figure out, you know, well, how do you do that?
I mean, almost all of the FRIP solutions are based on REST APIs or similar. So, you know, being able to architect your existing line of business applications to interact with FRIP services. That's just one example of, you know, some of the internal considerations that you want to go through as you start the process of perhaps looking for a fraud reduction tool. We also provide some questions to ask. These are things that I think are relevant, particularly to this fraud reduction space.
You know, I think, for example, you'd want to know, are you serving specific industries? There's a big difference between those that are sort of all-encompassing or those that might just specialize in e-commerce or finance support. Does your solution help customers with regulatory or standards compliance? There's sort of a wide range of approaches on this one.
So, yeah, be sure to check out this section as well. And here's a link to the leadership compass and previous leadership compasses and other research that we have that are relevant for FRIP. And with that, I think I'd like to say let's take a look at the poll results.
Okay, great. So, which of the following general fraud categories is your organization most concerned about? Just as I would have suspected, account takeovers. They are very, very prevalent, unfortunately. Account opening fraud is a big problem, too. I wouldn't be surprised if the next time we run a poll like that, we see that number come up. Payments fraud, of course, makes a ton of sense. E-commerce fraud is really, really prevalent. But probably the good answer here is all of the above. It makes a lot of sense.
Okay, thank you. Next one. Is your organization currently using FRIP?
Well, almost half. Almost half, yes. And around a third are looking for it.
So, good to know. Good to know. Thank you for that. And let's go out and see what questions that we might have. How do you prevent account takeover fraud?
You know, we always tell people the best method for preventing ATO is multi-factor authentication. And really, I can't recommend that highly enough.
Yes, there have been cases where MFA has been broken. There have been poor implementations of MFA that can be somewhat difficult to use, but there are a large number of good and useful passwordless authentication solutions. And I should direct you to our research on passwordless too. It's also in KC OpenSelect. But there are passwordless multi-factor authentication solutions that certainly can help both improve the end user experience as well as decrease the risk of account takeover fraud. Next one is how do you prevent account opening fraud?
Account opening fraud, again, being, you know, collecting information about a person to assemble a fake account. This is where identity proofing comes in.
You know, making sure that you're assigning an account or creating an account only for the proper individual that should have access to it. So, identity proofing can be a bit on the obtrusive side, but it's a necessary thing from a regulatory perspective in many industries, banking being, you know, a good example of that.
But, you know, other industries are starting to require at least some milder forms of identity proofing as well. Many businesses want to have, you know, some level of assurance that they're creating accounts for legitimate people, because that saves them trouble down the line, because they don't have to deal with fraud created by fake accounts.
So, with that, we're at the top of the hour. I don't see any more questions.
So, I want to say thank you to everyone who has joined. And yes, please, I invite you to take a look at KC OpenSelect. Drill down into it. If you have any questions, get in touch with us. We'll be happy to take them.
Thank you, everyone.
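The webinar describes, in prose, how a FRIP solution combines credential intelligence, device intelligence and user behavioral analysis into a per-transaction risk score that either lets the transaction through, steps up to a challenge, or blocks it. The following is an added example written for this transcript, not code from the webinar, from KuppingerCole or from any vendor discussed, showing how such a scorer might be wired together. The user profiles, the "compromised user ID" and "bad IP" feeds, the signal weights and the decision thresholds are all constructed assumptions; a real platform would draw these from its own telemetry and subscribed intelligence sources.

```python
"""Per-transaction risk scoring that combines three of the signal families
from the webinar: credential intelligence (was this user ID recently seen in
fraud?), device intelligence (known device? IP reputation?) and user
behavioural analysis (is the amount and payee typical for this user?).

Everything below is constructed for illustration: the feeds, the profiles,
the weights and the thresholds are assumptions, not vendor data.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transaction:
    user_id: str
    amount: float
    payee: str
    device_id: str
    ip: str


@dataclass
class UserProfile:
    past_amounts: list      # historical transaction amounts (baseline)
    known_payees: set       # payees this user has transacted with before
    known_devices: set      # device fingerprints previously seen for this user


# --- constructed intelligence feeds and baselines (assumptions) -------------
PROFILES = {
    "alice": UserProfile(
        past_amounts=[42.0, 55.5, 38.0, 61.0, 47.5, 50.0],
        known_payees={"electric-co", "grocer", "landlord"},
        known_devices={"dev-a1"},
    ),
}
COMPROMISED_USER_IDS = {"mallory"}   # credential intelligence feed
BAD_IPS = {"203.0.113.7"}            # device/IP reputation feed

# Illustrative weights: a confirmed compromised credential alone is enough
# to block, the softer behavioural signals only add up to a block together.
WEIGHTS = {
    "compromised_credential": 60,
    "bad_ip": 30,
    "new_device": 20,
    "new_payee": 15,
    "unusual_amount": 25,
    "no_baseline": 35,   # unknown user: treat as new device + new payee
}
CHALLENGE_AT = 20   # step-up (MFA / bot challenge) at or above this score
BLOCK_AT = 70       # refuse the transaction at or above this score


def amount_is_unusual(amount, history, sigmas=3.0):
    """Flag amounts more than `sigmas` standard deviations above the user's
    historical mean. Needs at least 3 data points; the deviation is floored
    at 1.0 so a flat history does not flag every small change."""
    if len(history) < 3:
        return False
    mu = mean(history)
    sd = max(pstdev(history), 1.0)
    return amount > mu + sigmas * sd


def score_transaction(tx, profiles=PROFILES,
                      compromised=COMPROMISED_USER_IDS, bad_ips=BAD_IPS):
    """Return (score, reasons). Higher score means higher risk."""
    score, reasons = 0, []

    def hit(signal):
        nonlocal score
        score += WEIGHTS[signal]
        reasons.append(signal)

    if tx.user_id in compromised:          # credential intelligence
        hit("compromised_credential")
    if tx.ip in bad_ips:                   # device / IP reputation
        hit("bad_ip")

    profile = profiles.get(tx.user_id)
    if profile is None:
        # No behavioural baseline: do not silently allow, step up instead.
        hit("no_baseline")
    else:                                  # user behavioural analysis
        if tx.device_id not in profile.known_devices:
            hit("new_device")
        if tx.payee not in profile.known_payees:
            hit("new_payee")
        if amount_is_unusual(tx.amount, profile.past_amounts):
            hit("unusual_amount")
    return score, reasons


def decide(score):
    """Map a risk score onto the three outcomes the webinar describes."""
    if score >= BLOCK_AT:
        return "block"
    if score >= CHALLENGE_AT:
        return "challenge"
    return "allow"


def assess(tx):
    score, reasons = score_transaction(tx)
    return {"score": score, "decision": decide(score), "reasons": reasons}


if __name__ == "__main__":
    for tx in (
        Transaction("alice", 48.0, "grocer", "dev-a1", "198.51.100.10"),
        Transaction("alice", 48.0, "grocer", "dev-z9", "198.51.100.10"),
        Transaction("alice", 1250.0, "crypto-exchange", "dev-z9", "203.0.113.7"),
        Transaction("mallory", 20.0, "grocer", "dev-m1", "198.51.100.11"),
    ):
        print(tx.user_id, tx.amount, assess(tx))
```

The scorer is deliberately additive and explainable: every contributing signal is returned alongside the score so a fraud analyst can see why a transaction was challenged or blocked, which matters more in practice than the exact weights. The amount check uses the user's own history rather than a global limit, which is what "is this an amount that is typical for what the user would send" amounts to in code.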