G00271775

Market Guide for Online Fraud Detection


Published: 27 April 2015

Analyst(s): Avivah Litan, Jonathan Care

The online fraud detection market substantially changed in 2014, as past
market leaders lost focus, leaving a market void for smaller players to fill.
This Market Guide will help fraud managers choose the most appropriate
products for their projects.

Key Findings
■ Several OFD market leaders lost their focus and ability to innovate in fraud detection after being
acquired by larger companies in adjacent markets, according to Gartner clients.
■ Smaller more-fraud-focused players are filling the void in innovation. Nonetheless, these
vendors are often challenged to prove themselves over lagging incumbents.
■ Attackers find the points of least resistance, and they hone their attacks to avoid common fraud
detection measures and to exploit human weaknesses. Some leading OFD solutions effectively
detect the resulting subtle but unusual deviations in the attacks' session behavior, but they
cannot detect or prevent social engineering.
■ Fraudlike analytics are being incorporated into security and adaptive access solutions. SIEM,
IAM and other security vendors are trying to acquire analytic expertise that fraud vendors have
had for years.

Recommendations
■ Use a layered approach to detect online fraud, incorporating endpoint-centric (Layer 1),
navigation-/network-centric (Layer 2), and user-/entity-centric (Layer 3) fraud detection.
■ Favor vendors that implement multiple fraud detection layers, as well as provide user and peer
group profiling, behavioral analytics, and integration of external threat and identity intelligence.
■ Don't consider legacy fraud detection technology adequate if the vendor fails to keep up with
criminal trends. Replace or complement the technology with solutions from vendors that
continue to innovate, which is a necessity when combating rapidly evolving criminal behavior.
■ Counter social engineering attacks against unsuspecting employees, customers or partners, by
strengthening security awareness and education programs. OFD solutions can supplement but
cannot replace user training.
Strategic Planning Assumption
By 2017, more than two-thirds of online fraud detection (OFD) vendors will integrate external threat
and identity intelligence into their offerings.

Market Definition
This document was revised on 21 July 2015. The document you are viewing is the corrected
version. For more information, see the Corrections page on gartner.com.

The OFD market consists of vendors that help stop the use of stolen data and information and not
the theft itself. Vendors in the security market help stop the theft of data and information, some of
which is eventually used to commit fraud if the theft is not prevented.

The OFD market is composed of vendors that provide products or services that help an organization
detect fraud that occurs over the Web, mobile or telephony channels (that is, call center and
interactive voice response [IVR]) by performing one or both of these functions:

■ Running background processes (transparent to users) that use up to hundreds of contextual
attributes and data points — such as geolocation, device characteristics, user behavior,
navigations and transaction activity — to determine the likelihood of fraudulent transactions.

This is done by comparing this information to expected behavior using machine learning or
statistical algorithms, or rules that define "abnormal" behavior and activities.
■ Verifying the legitimacy of a user's identity using available internal and external information
sources.

This is done by comparing incoming identity information and contextual attributes (as
described above in the first bullet), and reconciling them against available external or internal
identity information — for example, personally identifiable information (PII), such as name,
Social Security number (SSN), passport number and date of birth; and non-PII information, such
as email address, Internet Protocol (IP) address, and device and phone number and attributes.

OFD vendors detect online fraud as transactions occur, either in real time or near real time. They
provide solutions for the Web, mobile or telephony channels from one or more of the first three
layers of Gartner's five-layer fraud detection framework (see "The Five Layers of Fraud Prevention
and Using Them to Beat Malware"). The first three layers are as follows: endpoint-centric (Layer 1);
navigation-centric (Layer 2); and user- or entity-centric for a specific channel (Layer 3). OFD
products that enable identity verification integrate with external or internal data sources to help
verify the legitimacy of a given user's identity.

OFD systems typically return alerts and results (such as scores with supporting data) to enterprise
users (IT or business staff), enabling the enterprise to take appropriate follow-up action, such as:

■ Suspending the transaction if actual behavior is out of range with what's expected or if the user
appears suspect

Page 2 of 23 Gartner, Inc. | G00271775


■ Conducting further manual review and investigation of the transaction and user, as warranted
■ Triggering automated identity verification, stepped-up user authentication and/or transaction
verification to automatically determine the legitimacy of the user or transaction

OFD applies mainly to three use cases:

■ Detecting account takeover, which can occur when user account credentials are stolen (for
example, via malware-based attacks)
■ Detecting identity fraud (for example, when a fraudster sets up a new account or conducts an
unauthorized transaction, using a stolen or fictitious identity)
■ Detecting the use of a stolen financial account (for example, a stolen credit card) by a fraudster
when the individual makes a purchase or moves money from one account to another (see Note
1)

In all three use cases, fraud can result from:

■ An automated script targeting a limited number of accounts
■ An automated script engaged in a massive attack against hundreds and thousands of accounts
or more
■ An individual conducting a manual attack
■ A combination of human(s) and automated script(s) executing either targeted or mass attacks

Market Direction
The OFD market changed substantially in 2014, as many previous Leaders and Challengers in
Gartner's 2012 and 2013 Web fraud detection Magic Quadrants were acquired and lost their focus
and innovation in fraud detection¹ (see Note 2).

Market Consolidation Leads to Innovation Decline Among Prior Market Leaders


Acquisition of innovative market leaders by larger companies generally led to a marked decline in
the acquired company's ability to continually innovate in fraud detection. In 2014, Gartner clients
consistently reported that innovation notably declined among acquired companies that had led the
way in fraud-fighting efforts during the previous five years. Innovation is critical to the success of a
fraud detection product, given rapidly changing fraud attack methods that aim to defeat incumbent
detection methods.

Market Consolidation Opens the Way for Newer Innovative Vendors to Gain Market
Share
Industry consolidation and the shrinking focus of former fraud detection market leaders opened
opportunities for newer smaller vendors to fill the innovation void in the growing OFD market (see
Note 3). Lesser-known vendors are gaining market share in these changing times by leading with
innovation and responsive customer service.

Gartner expects this trend to continue through 2018. Small innovative players will be acquired by
large vendors in the security or other adjacent markets that need their expertise to move forward in
their existing businesses. This will make room for new entrants to again pave the road to innovative
products and services. Rapidly changing fraud patterns make the OFD market a hotbed for
innovation.

Fraud Analytics Techniques Moving Into Security


In 2013 and 2014, vendors of internal security products — such as user monitoring (for example,
security information and event management [SIEM]) and access control (for example, identity and
access management [IAM]) — started incorporating behavioral analytics and contextual awareness,
techniques long used by fraud detection vendors. These methods include user and entity profiling,
peer group profiling, anomaly detection using statistical models, and integration of contextual
attributes, such as behavior and location into risk engines. Analytics based on statistical models are
needed in enterprise security, in which products have been largely rule-based. Rules, which are
usually based on attacks that happened, are only as good as what a user knows. Rules do a poor
job when it comes to predicting future attacks, and they also become difficult to manage over time
as they proliferate.

Security vendors in the user behavior analytics market and some authentication vendors in the user
authentication market (see "Market Guide for User Behavior Analytics" and "Magic Quadrant for
User Authentication") are incorporating these techniques into their products to yield more effective
results, consequently generating more demand for OFD analytic techniques.

However, it should be noted that applying statistical models and predictive analytics to security use
cases is generally more difficult than applying them to fraud use cases, in which there is a more
limited range of activities that must be monitored.

Attack Trends Driving OFD Innovation


Two main attack trends of the past 18 months are driving innovation in the OFD market — that is,
those that:

■ Circumvent commonly adopted fraud detection techniques, such as identifying endpoint
devices, and checking for IP addresses and transaction velocity that are out of range with what
is expected. These techniques are increasingly defeated by fraudsters who can mimic almost
any device or browser using software readily available from the underground (for example,
FraudFox VM,² along with even more advanced and sinister, yet unnamed, browser
configuration tools).

Fraudsters are also spreading their attacks over thousands of IP addresses — many of which
are purposefully chosen to originate in locations that appear legitimate (for example, in the
same geographic area that a target victim lives in). They are also slowing down their scripted
attacks to move at the pace of an average human. (For more information on these attack trends,
see "Where Have All Our Passwords Gone?")
■ Exploit the weakest links in an organization, including identity verification and people handling
transactions.
  ■ Fraudsters continue to falsify information that allows them to open new accounts or
  conduct high-risk transactions using stolen or fictitious identities. The market saw this
  clearly in early 2015 with the rollout of Apple Pay. Criminals beat the Apple Pay credit card
  registration processes used by the card-issuing banks, defeating all the security controls
  built into Apple Pay payments. (For more information on the Apple Pay fraud scams, see
  "Apple Pay Fraud Points to Looming Problems With Mobile Payments.")
  ■ As OFD controls have tightened at banks and service providers, criminals increasingly
  socially engineer authorized humans to move money to fraudster accounts or to give
  fraudsters enough confidential information so they can move it themselves:³
    ■ Socially engineered individuals include staff at a financial institution (for example, a call
    center representative or a trusted private banking advisor). Increasingly, criminals are
    targeting employees of any corporation that does any kind of business where
    corporations have to pay suppliers and partners.
    ■ Many of these attacks are not under a bank's or affected corporation's direct
    systematic control because the social engineering reaches deep into the supply chain
    and exploits trust relationships within customer organizations.
    ■ Security education and awareness for employees, supply chain partners and customers
    are instrumental in detecting and preventing these types of attacks. OFD technology
    can only supplement the training programs by detecting suspect transactions it has
    access to for analysis purposes. Online fraud detection, however, cannot stop a socially
    engineered employee from overriding an exception noted by the system.

Fraud Detection Capabilities and Solution Categories


Evolving cyberattacks have driven innovation in fraud detection and have helped enterprises stay
ahead of rapidly changing criminal methods.

Key fraud detection capabilities based on evolving user needs include:

■ One-stop fraud detection solutions — Vendors provide solutions covering as many of the
three layers of online fraud detection as possible, so that users can meet most of their needs in
this area by engaging with one supplier.
■ Identity proofing and vetting — Enterprises need to combine the detection of online account
takeover with continual or on-demand proofing of an identity using internal and external
information. The high-risk events that typically require identity verification include new account
registration, suspect logins and high-risk transactions, such as changing an address or
transferring a large amount of money to an unknown account. Some vendors assess the
legitimacy of an identity by correlating an identity's attributes with external information, such as
the following:
  ■ Public and PII records from data aggregators, credit bureaus, news feeds, drivers' license
  databases and more.
  ■ Non-PII data records that identify entities and relationships associated with suspect or
  fraudulent activities using non-PII data, such as device IDs, IP addresses, email addresses,
  phone numbers and more. These data stores contain metadata and reputations on non-PII
  attributes (such as endpoint device reputation), as well as linkages showing relationships
  across the attributes (for example, an email address shared by multiple names).
  ■ Public social network information from networks such as Facebook and LinkedIn that
  assess an individual's social footprint and associated risk.
■ External threat intelligence and malware detection — Most cyberattacks employ malware
that either is targeted against a specific enterprise or has been used before to attack companies
in a specific sector (for example, retail and financial services). Some vendors with capabilities in
malware identification and analysis, and threat intelligence are also in the OFD market.
■ Telephony-based fraud detection — As enterprises tighten up controls across various points
of entry, such as Web channels, kiosks and points of sale (POSs), fraudsters are more frequently
exploiting traditionally less-protected telephony channels, including call centers and IVR units.
Large financial services companies report that about 30% of their fraud occurs via
compromises of multiple channels, which include the telephony channel, and several OFD
vendors sell solutions to stop telephony-based fraud.
■ Mobile-centric fraud detection — Mobile commerce has presented significant usability
challenges to existing ways of authenticating users on fixed-line computing devices. For
example, traditional device fingerprinting based on browser information is not granular enough
when used on mobile devices to derive a useful fingerprint. Similarly, verifying user identities by
relying on answers to secret questions is awkward on mobile devices, and it is difficult for
legitimate users to navigate. As such, enterprises seek transparent fraud detection solutions
that do not inconvenience mobile users but that do ensure applications are accessed by only
legitimate authorized users. These solutions are typically resident on the mobile device, and
they examine the device itself, the application and the user. (They do not include server-based
fraud detection models that are customized for mobile transactions.)
■ Passive biometric techniques — With passive biometric techniques, analysis is done "behind
the scenes" and is transparent or unknown to the user (unless an organization chooses to tell
the user it is occurring). Over time, the system is trained on a user's biometric "signature," so
that it can compare it to a fraudster's on a blacklist or to ongoing user behavior to determine if
the legitimate user is being impersonated. The use of passive voice recognition and passive
behavioral authentication (also referred to as gesture dynamics), in which user movements on a
device are tracked and measured, has already proven useful in the OFD market.
■ One-stop fraud detection managed services — Some enterprises want to outsource the
fraud review and management of transactions. This is an emerging service that also guarantees
payment on a transaction in return for a percentage of the value. It can be particularly useful for
declined transactions that could benefit from additional review for potential acceptance, as well
as for international transactions, in which companies have little experience with fraud detection.

Other Relevant Fraud Deflection Technology Not Included in This Market Guide
Fraud detection technology not included in this document is as follows:

■ Website code obfuscation — Most cyberattacks exploit intelligence that criminals gather by
studying enterprise websites and how these sites function. This reconnaissance becomes an
order of magnitude more difficult if the website code is scrambled rather than in clear HTML
text, as most website code is today.

Market Analysis
OFD Buyers
OFD vendors target three main buyer segments with their products:

■ Banking
■ E-commerce
■ Sector-neutral (for example, banking, e-commerce, gaming, social networking, telecom,
e-government, transportation and other sectors)

Layers of Online Fraud Detection


Gartner defines five layers of fraud detection (see Figure 1), and as noted in the Market Definition
section, vendors in the OFD market provide one or more of the first three layers of fraud detection:

■ Layer 1 — Endpoint-centric solution that analyzes the characteristics of the PC, mobile or
telephony device used to access the enterprise system. This analysis must be possible without
relying on an agent on the endpoint device.
■ Layer 2 — Navigation- and network-centric solution that analyzes the navigation of a session
usually by IP address and user ID, to see if it looks anomalous relative to normal user or peer
group behavior.
■ Layer 3 — User- or entity-centric solution, in which transactions are compared to what is
expected of the user or entity. To support identity proofing, this layer also includes integration of
external and internal data to help vet an identity, especially in a risky transaction (such as a new
account application), or verify a suspect authentication or high-risk transaction.

Figure 1. Layers of Fraud Detection and How OFD Fits In

UBA = user behavior analytics

Source: Gartner (April 2015)

OFD Techniques
Optimally, vendors should support user and entity profiling and behavioral analytics, such that a
user's or entity's ongoing behavior is captured in a profile that can subsequently be used to
compare against new activity to determine whether the activity is legitimate.

This anomaly detection is accomplished using statistical models, rules, or a combination of both. In
addition, one of each type of statistical model should be deployed for best results. Statistical
models are based on either:

■ Confirmed fraud and "bad" behavior, which fraud analysts need to tell the model about.
■ "Normal behavior," most of which is assumed to be "good." This type of model is best when
there is no history of confirmed fraud, or when users want the model to be self-maintaining.
There is no need for users to tell the model what is normal; it can figure it out by itself by
baselining various activities and entity behaviors. Anomalies are detected because they stand
out relative to the baseline. Not all anomalies represent fraud.

In the end, the ultimate methods of a fraud detection solution include:

■ Continuous behavioral profiling of users, accounts and entities.
■ Identity verification on demand — usually in a high-risk interaction — using internal and external
identity information.
■ Ingesting and integrating external threat intelligence into fraud detection analysis and
operations.
■ Using the above rich data sources to compare incoming transactions across online channels
with existing profiles and norms of user or entity behavior in order to detect fraud. As noted
above, fraud detection uses rules, statistical models or both. Optimally, linkages should be
established across key attributes, such as device, name, IP, phone, address and email address,
to find patterns of suspect activities.
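
The profile-and-compare approach described in this section, as an added example that is not from this Market Guide or from any vendor it lists. It baselines each user's transaction amounts with a median/MAD score (one possible statistical model of "normal behavior"), falls back to a peer-group baseline when a user has little history, and links users through a shared device. All names, thresholds and the sample history are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Assumed tuning values for this illustration; real systems calibrate them on their own data.
Z_THRESHOLD = 3.5          # robust z-score above which an amount counts as anomalous
MIN_HISTORY = 5            # events needed before a user's own baseline is trusted
MAX_USERS_PER_DEVICE = 2   # linkage limit: distinct users seen on one device

# Constructed sample history: (user, amount, device)
HISTORY = [
    ("alice", 40, "d-alice"), ("alice", 55, "d-alice"), ("alice", 48, "d-alice"),
    ("alice", 60, "d-alice"), ("alice", 52, "d-alice"), ("alice", 45, "d-alice"),
    ("bob", 20, "d-bob"), ("bob", 25, "d-bob"), ("bob", 22, "d-bob"),
    ("bob", 30, "d-bob"), ("bob", 27, "d-bob"),
    ("carol", 100, "d-carol"), ("carol", 110, "d-carol"),
    ("dave", 50, "d-shared"), ("erin", 50, "d-shared"),
]


def robust_z(value, samples):
    """Median/MAD z-score: outliers already in the history barely move the baseline."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    if mad == 0:  # all samples identical
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


class FraudProfiles:
    def __init__(self):
        self.amounts = defaultdict(list)       # user -> past amounts (behavioral profile)
        self.devices = defaultdict(set)        # user -> devices seen
        self.device_users = defaultdict(set)   # device -> users (attribute linkage)

    def learn(self, user, amount, device):
        self.amounts[user].append(amount)
        self.devices[user].add(device)
        self.device_users[device].add(user)

    def score(self, user, amount, device):
        """Return the reasons this event deviates from known profiles (empty if none)."""
        reasons = []
        own = self.amounts.get(user, [])
        if len(own) >= MIN_HISTORY:
            baseline, label = own, "user"
        else:  # thin history: fall back to the peer group (here, all users)
            baseline = [a for amts in self.amounts.values() for a in amts]
            label = "peers"
        if baseline and abs(robust_z(amount, baseline)) > Z_THRESHOLD:
            reasons.append("amount_outlier_vs_" + label)
        if own and device not in self.devices.get(user, set()):
            reasons.append("new_device")
        linked = self.device_users.get(device, set()) | {user}
        if len(linked) > MAX_USERS_PER_DEVICE:
            reasons.append("device_linked_to_%d_users" % len(linked))
        return reasons


def build_profiles(history=HISTORY):
    profiles = FraudProfiles()
    for user, amount, device in history:
        profiles.learn(user, amount, device)
    return profiles


if __name__ == "__main__":
    p = build_profiles()
    for event in [("alice", 50, "d-alice"), ("alice", 900, "d-shared"),
                  ("carol", 105, "d-carol"), ("carol", 5000, "d-carol")]:
        print(event, "->", p.score(*event) or "no deviation")
```

The returned reasons are inputs to a follow-up decision such as manual review or stepped-up authentication; as the text notes, an anomaly relative to the baseline is not by itself confirmed fraud.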

Representative Vendors
The vendors listed in this Market Guide are not an exhaustive list. This section is intended to
provide more understanding of the market and its offerings.

Representative vendors are described below. Figure 2 depicts the sectors these vendors target, and
Figures 3 and 4 depict the functional capabilities of these vendors. Please note that only vendor
functionality that is native or is developed by an OEM and integrated into the vendor's product is
considered in Figures 3 and 4.

Figure 2. Vendors by Target Sector

Source: Gartner (April 2015)

Figure 3. Vendors by Functionality — Part 1

Source: Gartner (April 2015)

Figure 4. Vendors by Functionality — Part 2

Source: Gartner (April 2015)

41st Parameter (part of Experian)
Experian acquired 41st Parameter in October 2013. 41st Parameter offers a range of online fraud
detection capabilities, including identity proofing, device risk assessment and fraud management
systems. While the solutions are sector-neutral, the company focuses primarily on financial services,
telecommunications, insurance, healthcare, public sector, retail, e-commerce and travel.

Accertify
Accertify is owned by American Express (Amex) and is therefore able to perform deeper analysis on the
Amex transaction stream. Accertify's primary focus is on providing fraud management to card
acceptors. Accertify offers both a rule-based framework, in which customers can add plug-and-play
extensions to suit their needs, and a management console that provides clear reporting.

ACI Worldwide
Historically focused on the acquiring bank, ACI Worldwide's acquisition of Retail Decisions (ReD)
refreshes the product portfolio, providing online solutions and extended analytics that can be
deployed into the card acceptor and payment service provider. Offering on-premises or SaaS
deployments, ACI aims to embrace the payment ecosystem from acceptor through to acquiring
bank.

AGNITiO
AGNITiO is a provider of passive voice biometrics, allowing identification of both genuine customers
and recurring fraudsters. Typical implementations of the biometric solution are in call centers, with
an additional software development kit (SDK) allowing mobile application developers to provide
endpoint voice authentication.

BAE Systems Applied Intelligence


BAE Systems Applied Intelligence's NetReveal solution is a hybrid fraud management platform
consisting of statistical modeling, combined with profiling and business rules. The solution makes
use of social network data as part of its cross-channel behavioral analysis function, with a primary
focus on banking, including online payments, electronic funds transfer (EFT)/Automated Clearing
House (ACH), and wire fraud.

BioCatch
BioCatch provides online and mobile fraud detection. Its solution transparently tracks 500
behavioral and cognitive biometric parameters derived from the user interaction and gestures, and it
builds a unique user profile. BioCatch's solution detects account takeover fraud and malware
attacks, such as remote access trojan (RAT) and man in the browser (MITB).

CA Technologies (via Acquisition of Arcot Systems)
CA Technologies delivers fraud detection that focuses on combating online shopping fraud through
3-D Secure authentication. Its CA Risk Analytics product employs statistical modeling and
machine-learning techniques that understand legitimate and fraudulent behavior in the context of the
individual cardholder, and the database of learned behaviors is updated in real time. CA
Technologies also provides risk-based authentication for online systems that includes
enterprise-specific behavioral models.

CardinalCommerce
CardinalCommerce offers a consumer authentication solution that applies rule-based controls and
analytics over financial transactions. These transactions can be initiated through the 3-D Secure
protocol and various other authentication tools in parallel. CardinalCommerce also provides
statistical modeling to ensure performance of its services and also provides data to its partners to
help them fit any form of authentication to their business. Targeting retailers to financial institutions,
high risk to low risk, CardinalCommerce's value proposition is the bridge between card acceptor
and card processor.

Contact Solutions
Contact Solutions is focused on IVR and contact centers. It has integrated licensed technology from
IDology and Pindrop Security into its own product to offer fraud detection. Contact Solutions also
includes its own "Red Flag" system that uses call data record and IVR data to compare caller
behavior to a statistical behavioral model to assess the threat level of callers. Contact Solutions
offers an integrated solution to allow risk management and identification of callers, and it provides
assurance around identity proofing.

CyberSource
CyberSource's fraud management solutions leverage the relationship with its parent company, Visa,
as well as other data sources, to provide a hybrid fraud engine that includes rule checking,
statistical modeling and fraud strategy analytics. It also provides payment acceptance authorization,
rule-based 3-D Secure implementation and delivery address verification for customer-not-present
transactions.

Digital Resolve
Digital Resolve provides online behavior monitoring, login authentication and identity proofing, in
addition to a suite of reporting and analysis tools, both to investigate meaningful anomalies and to
uncover patterns and trends of significance. This vendor's Layer 1 (endpoint-centric), Layer 2
(navigation-centric) and Layer 3 (user- or entity-centric) software or services can be used by any
company with an online presence that needs to protect access to sensitive information or financial
transactions, whether for customers, vendors or employees.

Distil Networks
Distil Networks provides a solution that identifies and polices human website traffic, good bot (for
example, Google and Bing) and bad bot website traffic. Bad bots include bots responsible for
brute-force login attacks, fraudulent user registrations, click fraud and "imitation fraud" — the practice of
content imitators and fraudsters copying information from a website, such as pricing, dynamic data
and other content. Distil Networks' focus is not in "traditional" fraud services. The company's
solution can provide useful protection against automated arbitrage and "consumer comparison"
systems, or other attempts to fraudulently leverage automated bots to imitate human Web actions.

Easy Solutions
One of the more comprehensive and advanced fraud vendors, Easy Solutions operates across
multiple channels, such as automated teller machine (ATM), IVR, online and mobile. Solutions are
offered primarily in the banking sector, and they cover navigation analysis, endpoint identification,
strong authentication and transaction monitoring.

F5 Networks-Versafe
With the acquisition by F5 Networks, Versafe has been rebranded "WebSafe" and is provided as an
add-on module to F5's security appliances. The focus is on clientless endpoint-centric fraud
detection, phishing protection and protection against trojans (for example, MITB).

Feedzai
Feedzai's advanced modeling risk platform, which relies on automated machine learning, is based
on transaction streams across ATM, POS and online channels. It allows transaction risk scoring and
blocking based on behavioral analysis of users and devices.

Forter
Forter provides an automated fraud management solution to online retailers using a
transaction-percentage pricing model. Forter provides a real-time "approve/decline" decision for every
transaction, and it guarantees payment of chargeback costs in transactions it previously authorized.
Forter's solution integrates with the online shopping cart and performs behavioral analysis and
identity verification against social graphs and public information sources.

Fox-IT
Fox-IT's DetACT performs clickstream modeling and analysis of events and user/entity behaviors,
highlighting anomalies, trends and clusters in real time. It can be integrated with SIEM systems or
payment systems, and it also has insight into some endpoint-centric events. It is fully compatible with
Web and native mobile app architectures. This event analytics and fraud detection product
integrates tightly with Fox-IT's threat intelligence data.

GBGroup
GBGroup provides global identity proofing and validation, as well as anti-money-laundering (AML)
checks and know your customer (KYC — part of AML regulations), to ensure safe customer
onboarding and transactions. Solutions are focused on the financial services and e-commerce
sectors. The company does not cover online fraud detection capabilities; however, with the
acquisition of DecTech Solutions, GBGroup provides Layer 5 fraud detection.

Guardian Analytics
Guardian Analytics offers solutions for mobile/online banking, payments and online accounts.
Individual behavioral analytics are used to identify high-risk transactions and users. Layer 2
capabilities allow Guardian Analytics to track page flows, navigation, velocity and timing. Its
licensing of external threat intelligence and reputation data allows enhancement of the risk scores
and also provision of the intelligence data to its customer base.

IDology
IDology provides multilayered identity verification and fraud prevention solutions, such as identity
proofing, knowledge-based authentication, photo ID scan and validation, identity risk scoring, and
network collaboration tools.

InAuth
Focused on mobile device and browser security, InAuth enables an online portal to calculate the
likelihood of a genuine identity assertion by the customer and the trustworthiness of the customer's
mobile device or browser. This solution is focused on the endpoint and does not provide insight into
transaction risk.

Inform
Offering solutions in card processing, ACH, wire payments and insurance, Inform's RiskShield
performs statistical modeling across multiple channels, including the online channel. Focusing on
transactional analysis, this solution is traditional fraud detection and does not offer support for
mobile devices or apps at the Layer 1 endpoint level.

Intellinx
Recently merged with Bottomline Technologies, Intellinx offers a visual replay of user screens, user
behavior profiling and transaction analysis for detecting online fraud, malware and distributed denial
of service (DDoS) attacks. Working across multiple channels and offering real-time alerts, including
transaction blocking, the solution provides endpoint identification and fingerprinting, relying on
statistical modeling of data sniffed from the network.

iovation
Offering device recognition, reputation and device-based authentication solutions, iovation's risk
service records hardware, software and network characteristics, such as browser, operating system,
language and locale, and IP geolocation. Clients leverage iovation's global consortium containing
more than 2 billion Internet-enabled devices and their associations with other devices and the
accounts they log into. Clients report back to the system and mark devices as associated with fraud
and abuse. Banks, retailers, telcos and gaming companies use iovation's service directly, or through
partner integrations with other large service providers in related areas.

Kaspersky Lab
Kaspersky Lab, best known for its endpoint security platform and threat intelligence, also offers
fraud prevention for online and mobile applications. It supports endpoint and malware behavioral
analysis with client software, and the firm plans to introduce a clientless version as well. It has a full
mobile security module accessed via an SDK that aims to identify and secure the device, as well as
secure the application, data and connection.

Kount
Kount interpolates data from the following: payments, logins, account creation (including free trials),
and mail order/telephone order. Transactional data and metadata are fed into a weighted statistical
model, which creates a risk score for each transaction, and then each transaction is evaluated
against rules based on the client's unique risk strategy. Kount is focused on e-commerce card
acceptors and online payment processors. Kount's recent offering — Kount Access — offers
endpoint-centric authentication, using device and recent login data, to provide validation of each
user's account privileges.

mSIGNIA
mSIGNIA's fraud prevention offering takes aim at identity fraud, using mobile device reputation
analysis and multifactor authentication to verify customers. Its fraud prevention solution makes use
of behavioral analysis on user-added data, PIN, geolocation and device identification. mSIGNIA
includes mobile app validation, and it confirms whether a protected app and device are in a
manufacturer-approved state or have been jailbroken or compromised. mSIGNIA offers a
cryptographic service to sign transaction messages emanating from the mobile device.

Plus Technologies & Innovations
Using a hybrid fraud engine, Plus Technologies & Innovations' fraud management product —
Monitor Plus — is aimed at banks and payment card participants, including issuers, acquirers and
payment processors. The product provides transaction risk scoring and derives the score from
analysis of clients, accounts, merchants and terminals. Real-time monitoring of card transactions,
deposits and savings accounts is provided.

Nice Actimize
Nice Actimize provides solutions across a wide range of banking sectors and applications. Its online
fraud product benefits from its experience in the field and uses statistical modeling across mobile
and Web channels to provide a customer-centric risk profile. Nice's Contact Center Fraud
Prevention suite is now part of Nice Actimize's fraud portfolio, along with Remote Banking for
Contact Center.

NuData Security
NuData Security offers fraud detection and prevention software that utilizes behavioral analysis and
statistical analytics to detect automated and human attacks, identifying the good and bad users.
NuData has a cloud network of metadata (for example, reputation data and history) on billions of IP
addresses, device fingerprints, email addresses and phone numbers, and the data linkages.
NuDetect is used by some of the largest global e-commerce companies to protect them from
automated — as well as manual — account creation and takeover.

Pindrop Security
Focused on voice call fraud prevention, Pindrop Security aims to protect call center voice
operations from account takeover, social engineering and other types of attacks. Types of calls
include inbound, live, recorded, and customer- and employee-facing IVR. Pindrop analyzes
numerous aspects and attributes of a phone call to detect fraud or confirm a legitimate user. It
recently added voice biometrics to complement the "phoneprinting" offering, which strengthens
both its fraud detection and new caller authentication capabilities.

RSA, The Security Division of EMC
The fraud detection products of RSA, The Security Division of EMC, detect online and mobile
fraudulent activity. The products include behavioral analysis, trojan behavior detection, fraud
monitoring and postlogin transaction monitoring. They can integrate with external identity proofing
services and brand protection services, such as fraudulent site takedown. RSA offers device
fingerprinting and other endpoint analysis, a global network of shared fraud intelligence, and a
statistical modeling engine.

Sift Science
Sift Science leverages machine learning and statistical modeling to predict fraud by using identity,
behavioral and network signals. Sift Science adapts to a changing threat model in real time and
alerts customers to suspicious activity and fraud patterns that are seen across its global customer
network. Sift Science targets various use cases, including payment fraud, fraudulent account
creation, spam, referral fraud, and other use cases for Web and mobile applications.

Signifyd
Signifyd reduces reliance on static data — much of which is PII data that has been compromised by
the crooks — and increases reliance on dynamic data, such as reputation, behavior and
relationships between non-PII data elements. By combining data from device fingerprint, IP
geolocation and velocity, social graphing, customer history, bank identification number (BIN) data
and collaborative blacklists, together with public records, Signifyd provides businesses (e-
commerce, financial services and online marketplaces) with risk profiling of users and transactions.
In addition to those offerings, Signifyd offers e-commerce retailers a guarantee on transactions that
they have approved.

Socure
Socure's online identity verification SaaS solution protects against identity fraud and increases
acceptance where traditional offline identity verification (IDV) solutions fall short, specifically among
the millennial, thin-file and unbanked/underbanked customers. By combining social behavior data
across major social networks with open Internet and offline data (subject to the privacy regulations
in the Gramm-Leach-Bliley Act [GLBA]), Socure is able to verify whether a customer is real, fake or
poses a fraud risk, thereby reducing fraud, along with reducing financial institutions' manual review
costs.

ThreatMetrix
ThreatMetrix's original focus on device identification and fingerprinting has expanded into defining
relationships between devices and other non-PII data attributes for the purpose of detecting fraud
with its Persona ID product. Using its collaborative intelligence base, the company enables context-
aware authentication (transparent to the user), account takeover protection, payment fraud
prevention and identity proofing. It also offers a mobile SDK with extensive mobile security features.

Trusteer (part of IBM)
Since the acquisition by IBM, Trusteer appears focused mainly on endpoint identification, fraud
detection and prevention. It offers a solution to malware and phishing-driven fraud attacks, such as
account takeovers and fraudulent transactions, and it also offers tools to control mobile fraud. IBM
Security Trusteer Pinpoint Criminal Detection performs risk analysis, and IBM Security Trusteer
Pinpoint Malware Detection Advanced Edition works to protect online services; however, market
exposure appears limited since the acquisition.

Trustev
Trustev takes a multilayered approach, analyzing devices, user accounts, network topology,
customer history at a retailer, social network interactions, IP location and transaction velocity, as
well as many other factors to make a fraud decision. Trustev presents a dashboard to the fraud
manager, allowing the review of real-time transaction decisions. Trustev operates in the retail,
financial and telecom sectors, and it also has experience in the high-risk gift card market.

Verint Systems-Victrio
With the acquisition of Victrio, Verint Systems is able to include passive voice biometric
authentication in its range of fraud, risk and compliance solutions. Victrio screens calls against
customer and fraudster voiceprint databases, and it reports identity confidence to the call center.
Voice biometrics, signal characteristics and other metadata are used.

Whitepages
Whitepages leverages 18 years of experience collecting and curating large volumes of contact data
for online directory services. Its Whitepages Pro offers identity proofing solutions to help manage
operational risk to the financial services and e-commerce industries. Whitepages Pro constructs a
digital identity from fragmented parts, centered on pervasive elements, such as a phone number
(depending on age, either a landline or mobile phone number will be most pervasive). Whitepages'
graph-structured database format cross-verifies name, phone, address, email and social linkages.

Market Recommendations
Fraud managers should:

■ Employ a layered online fraud detection approach, and, at a minimum, use products that
integrate endpoint-centric (Layer 1) solutions with user- or entity-centric (Layer 3) fraud
detection.
■ Implement continuous user and entity profiling that sets a baseline for detecting anomalous
transactions with statistical models or rules. Feed fraud data into a big data warehouse to get
an enterprise view of fraud and security issues.
■ Favor vendors that implement multiple fraud detection layers; user and peer group profiling;
behavioral analytics; and integration of external threat and identity intelligence. This should
especially be the case if your enterprise does not have IT capacity or resources to integrate
products and services on its own.
■ Choose products that fit your use case (for example, telephony-based fraud detection for IVR or
call centers, or mobile-centric fraud detection for mobile applications, as well as for your sector,
whether it is banking, e-commerce or another).
■ When evaluating vendors, give strong consideration to those that continually innovate, which is
a necessity when combating rapidly evolving criminal behavior. Don't consider legacy fraud
detection technology adequate if the vendor fails to keep up with criminal trends.
■ Counter social engineering attacks against unsuspecting employees, customers or partners, by
strengthening security awareness and training programs. OFD can supplement — but cannot
replace — user training.
■ Integrate disparate point solutions into a common alert management system, where alerts and
their attributes can be weighted and correlated in order to highlight the most suspect alerts and
events that need immediate attention.

Gartner Recommended Reading
Some documents may not be available as part of your current Gartner subscription.

"Market Guide for Online Fraud Detection"

"Market Guide for User Behavior Analytics"

"The Five Layers of Fraud Prevention and Using Them to Beat Malware"

"Identity Proofing revisited as Data Confidentiality Dies"

Evidence
1 Gartner Inquiries:

Gartner fields several hundred inquiries from clients around the world each year on fraud detection
and prevention. These calls unearth common requirements and trends across the globe in relation
to combating fraud.

2 Criminal Browser Configuration Tools:

FraudFox VM is a version of Windows with a significantly modified version of the Firefox browser
that runs on VMware's Workstation for Windows or VMware Fusion on OS X. It's for sale on
Evolution, the apparent successor to the Silk Road online contraband market, for 1.8 bitcoins, or
about $390.

FraudFox VM helps fraudsters defeat device fingerprinting, a common fraud detection tool.

More advanced versions of browser configuration tools that enable fraudsters to beat device
fingerprinting are also available in the criminal underground but have not yet been publicized to the
general public.

3 Social Engineering Scams:

Call center fraud: According to numerous large financial institutions that are Gartner clients, 30%
of their fraud occurs across channels, meaning over the Web and through the call center. Call center
representatives are socially engineered by the fraudsters to give away sensitive information that
eventually enables the criminals to illegally transfer funds to their own accounts.

Business email scams: Across the globe, these scams are robbing vast sums of money (hundreds
of millions of dollars). In these scams, criminal email senders impersonate company CEOs or other
managers, sending emails to their staff who can originate money transfers to fraudster bank
accounts. The fraudulent email requests the staff to move the money, and the staff complies
accordingly. This same type of social engineering also uses phone calls, whereby a fraudster will
impersonate a senior manager and will call a lower-level employee to similarly instruct a fraudulent
money transfer. These scams fall outside the direct purview of banks, which have warned their
customers about suspicious money transfers (if they pick up on it), only to be overridden by the
customer who is convinced the money transfer order is coming from an authorized superior.

In January 2015, the Internet Crime Complaint Center (IC3) and Federal Bureau of Investigation (FBI)
issued an alert on a business email compromise (BEC) scam. The gist of the alert is as follows:

"The BEC is a global scam with subjects and victims in many countries. The IC3 has received BEC
complaint data from victims in every U.S. state and 45 countries." From 1 October 2013 through 1
December 2014, "the following statistics are reported:

■ Total U.S. victims: 1,198
■ Total U.S. dollar loss: $179,755,367.08
■ Total non-U.S. victims: 928
■ Total non-U.S. dollar loss: $35,217,136.22
■ Combined victims: 2,126
■ Combined dollar loss: $214,972,503.30"

Note 1 Fraud Use Cases
Detecting use of a stolen financial account, the third fraud detection use case, differs from detecting
account takeover, the first use case, when there are no existing user credentials (for example, login
user ID and password) required to use the financial account. For example, this happens when a
stolen credit card is used to buy goods or services on a website that does not require user
registration and credentials in order to complete the purchase.

Note 2 Magic Quadrant and Market Guide
The Web fraud detection Magic Quadrant was superseded by the OFD Market Guide because of
the transforming and fragmented market.

Note 3 Market Size
Just the Web fraud detection market, a subset of OFD, was valued at $450 million at the end of
2012.

Note 4 Fraud Detection Vendors and User Behavior Analytics
Several fraud detection vendors have the capabilities required of a UBA vendor, in addition to the
ability to specifically identify fraud in the online world. UBA is represented in Layers 4 and 5 of the
fraud detection framework.

GARTNER HEADQUARTERS

Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
USA
+1 203 964 0096

Regional Headquarters
AUSTRALIA
BRAZIL
JAPAN
UNITED KINGDOM

For a complete list of worldwide locations, visit http://www.gartner.com/technology/about.jsp

© 2015 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This
publication may not be reproduced or distributed in any form without Gartner’s prior written permission. If you are authorized to access
this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained
in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy,
completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This
publication consists of the opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions
expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues,
Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company,
and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of
Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization
without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner
research, see “Guiding Principles on Independence and Objectivity.”
