Key Findings
■ Several OFD market leaders lost their focus and ability to innovate in fraud detection after being
acquired by larger companies in adjacent markets, according to Gartner clients.
■ Smaller more-fraud-focused players are filling the void in innovation. Nonetheless, these
vendors are often challenged to prove themselves over lagging incumbents.
■ Attackers find the points of least resistance, and they hone their attacks to avoid common fraud
detection measures and to exploit human weaknesses. Some leading OFD solutions effectively
detect the resulting subtle but unusual deviations in the attacks' session behavior, but they
cannot detect or prevent social engineering.
■ Fraudlike analytics are being incorporated into security and adaptive access solutions. SIEM,
IAM and other security vendors are trying to acquire analytic expertise that fraud vendors have
had for years.
Recommendations
■ Use a layered approach to detect online fraud, incorporating endpoint-centric (Layer 1),
navigation-/network-centric (Layer 2), and user-/entity-centric (Layer 3) fraud detection.
■ Favor vendors that implement multiple fraud detection layers, as well as provide user and peer
group profiling, behavioral analytics, and integration of external threat and identity intelligence.
■ Don't consider legacy fraud detection technology adequate if the vendor fails to keep up with
criminal trends. Replace or complement the technology with solutions from vendors that
continue to innovate, which is a necessity when combating rapidly evolving criminal behavior.
■ Counter social engineering attacks against unsuspecting employees, customers or partners, by
strengthening security awareness and education programs. OFD solutions can supplement but
cannot replace user training.
Strategic Planning Assumption
By 2017, more than two-thirds of online fraud detection (OFD) vendors will integrate external threat
and identity intelligence into their offerings.
Market Definition
This document was revised on 21 July 2015. The document you are viewing is the corrected
version. For more information, see the Corrections page on gartner.com.
The OFD market consists of vendors that help stop the use of stolen data and information and not
the theft itself. Vendors in the security market help stop the theft of data and information, some of
which is eventually used to commit fraud if the theft is not prevented.
The OFD market is composed of vendors that provide products or services that help an organization
detect fraud that occurs over the Web, mobile or telephony channels (that is, call center and
interactive voice response [IVR]) by performing one or both of these functions:
This is done by comparing this information to expected behavior using machine learning or
statistical algorithms, or rules that define "abnormal" behavior and activities.
■ Verifying the legitimacy of a user's identity using available internal and external information
sources.
This is done by comparing incoming identity information and contextual attributes (as
described above in the first bullet), and reconciling them against available external or internal
identity information — for example, personally identifiable information (PII), such as name,
Social Security number (SSN), passport number and date of birth; and non-PII information, such
as email address, Internet Protocol (IP) address, and device and phone number and attributes.
OFD vendors detect online fraud as transactions occur, either in real time or near real time. They
provide solutions for the Web, mobile or telephony channels from one or more of the first three
layers of Gartner's five-layer fraud detection framework (see "The Five Layers of Fraud Prevention
and Using Them to Beat Malware"). The first three layers are as follows: endpoint-centric (Layer 1);
navigation-centric (Layer 2); and user- or entity-centric for a specific channel (Layer 3). OFD
products that enable identity verification integrate with external or internal data sources to help
verify the legitimacy of a given user's identity.
OFD systems typically return alerts and results (such as scores with supporting data) to enterprise
users (IT or business staff), enabling the enterprise to take appropriate follow-up action, such as:
■ Suspending the transaction if actual behavior is out of range with what's expected or if the user
appears suspect
■ Detecting account takeover, which can occur when user account credentials are stolen (for
example, via malware-based attacks)
■ Detecting identity fraud (for example, when a fraudster sets up a new account or conducts an
unauthorized transaction, using a stolen or fictitious identity)
■ Detecting the use of a stolen financial account (for example, a stolen credit card) by a fraudster
when the individual makes a purchase or moves money from one account to another (see Note
1)
Market Direction
The OFD market changed substantially in 2014, as many previous Leaders and Challengers in
Gartner's 2012 and 2013 Web fraud detection Magic Quadrants were acquired and lost their focus
and innovation in fraud detection¹ (see Note 2).
Market Consolidation Opens the Way for Newer Innovative Vendors to Gain Market
Share
Industry consolidation and the shrinking focus of former fraud detection market leaders opened
opportunities for newer smaller vendors to fill the innovation void in the growing OFD market (see
Gartner expects this trend to continue through 2018. Small innovative players will be acquired by
large vendors in the security or other adjacent markets that need their expertise to move forward in
their existing businesses. This will make room for new entrants to again pave the road to innovative
products and services. Rapidly changing fraud patterns make the OFD market a hotbed for
innovation.
Security vendors in the user behavior analytics market and some authentication vendors in the user
authentication market (see "Market Guide for User Behavior Analytics" and "Magic Quadrant for
User Authentication") are incorporating these techniques into their products to yield more effective
results, consequently generating more demand for OFD analytic techniques.
However, it should be noted that applying statistical models and predictive analytics to security use
cases is generally more difficult than applying them to fraud use cases, in which there is a more
limited range of activities that must be monitored.
Fraudsters are also spreading their attacks over thousands of IP addresses — many of which
are purposefully chosen to originate in locations that appear legitimate (for example, in the
same geographic area that a target victim lives in). They are also slowing down their scripted
■ One-stop fraud detection solutions — Vendors provide solutions covering as many of the
three layers of online fraud detection as possible, so that users can meet most of their needs in
this area by engaging with one supplier.
■ Identity proofing and vetting — Enterprises need to combine the detection of online account
takeover with continual or on-demand proofing of an identity using internal and external
information. The high-risk events that typically require identity verification include new account
registration, suspect logins and high-risk transactions, such as changing an address or
transferring a large amount of money to an unknown account. Some vendors assess the
Other Relevant Fraud Deflection Technology Not Included in This Market Guide
Fraud detection technology not included in this document is as follows:
■ Website code obfuscation — Most cyberattacks exploit intelligence that criminals gather by
studying enterprise websites and how these sites function. This reconnaissance becomes an
order of magnitude more difficult if the website code is scrambled rather than in clear HTML
text, as most website code is today.
Market Analysis
OFD Buyers
OFD vendors target three main buyer segments with their products:
■ Banking
■ E-commerce
■ Sector-neutral (for example, banking, e-commerce, gaming, social networking, telecom,
e-government, transportation and other sectors)
■ Layer 1 — Endpoint-centric solution that analyzes the characteristics of the PC, mobile or
telephony device used to access the enterprise system. This analysis must be possible without
relying on an agent on the endpoint device.
■ Layer 2 — Navigation- and network-centric solution that analyzes the navigation of a session
usually by IP address and user ID, to see if it looks anomalous relative to normal user or peer
group behavior.
■ Layer 3 — User- or entity-centric solution, in which transactions are compared to what is
expected of the user or entity. To support identity proofing, this layer also includes integration of
external and internal data to help vet an identity, especially in a risky transaction (such as a new
account application), or verify a suspect authentication or high-risk transaction.
OFD Techniques
Optimally, vendors should support user and entity profiling and behavioral analytics, such that a
user's or entity's ongoing behavior is captured in a profile that can subsequently be used to
compare against new activity to determine whether the activity is legitimate.
This anomaly detection is accomplished using statistical models, rules, or a combination of both. In
addition, one of each type of statistical model should be deployed for best results. Statistical
models are based on either:
■ Confirmed fraud and "bad" behavior, which fraud analysts need to tell the model about.
■ "Normal behavior," most of which is assumed to be "good." This type of model is best when
there is no history of confirmed fraud, or when users want the model to be self-maintaining.
There is no need for users to tell the model what is normal; it can figure it out by itself by
baselining various activities and entity behaviors. Anomalies are detected because they stand
out relative to the baseline. Not all anomalies represent fraud.
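The second model type, a self-maintained baseline of "normal" behavior with a peer-group fallback for users who have little history, can be sketched as follows. This is an added example, not code from Gartner or any vendor named in this guide; the event fields, the `MIN_HISTORY` and `THRESHOLD` values and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

MIN_HISTORY = 5   # assumed: events needed before a user's own profile is trusted
THRESHOLD = 3.5   # assumed: cut-off on the modified z-score


def robust_z(value, history):
    """Modified z-score (median/MAD), so a few past outliers do not skew the baseline."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:  # constant history: any different value is a deviation
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


class BaselineModel:
    """Learns 'normal' per user and per peer group; needs no confirmed-fraud labels."""

    def __init__(self):
        self.user_amounts = defaultdict(list)
        self.peer_amounts = defaultdict(list)
        self.user_devices = defaultdict(set)

    def learn(self, event):
        """Fold an accepted event into the profiles.

        Call this only for events that were not judged fraudulent, otherwise
        the fraud itself becomes part of the baseline.
        """
        self.user_amounts[event["user"]].append(event["amount"])
        self.peer_amounts[event["peer_group"]].append(event["amount"])
        self.user_devices[event["user"]].add(event["device"])

    def score(self, event):
        """Compare new activity with the profile; returns evidence, not a verdict."""
        user, peer = event["user"], event["peer_group"]
        # .get() avoids creating empty profiles for entities seen only at scoring time
        own = self.user_amounts.get(user, [])
        group = self.peer_amounts.get(peer, [])
        if len(own) >= MIN_HISTORY:
            baseline, z = "user", robust_z(event["amount"], own)
        elif len(group) >= MIN_HISTORY:
            baseline, z = "peer", robust_z(event["amount"], group)
        else:
            baseline, z = "none", 0.0  # nothing to compare against yet
        new_device = event["device"] not in self.user_devices.get(user, set())
        return {"baseline": baseline, "z": z, "new_device": new_device,
                "anomalous": abs(z) > THRESHOLD}


def build_demo_model():
    """Constructed history: six payments by 'alice', one by 'bob', same peer group."""
    model = BaselineModel()
    for amount in (40, 55, 48, 60, 52, 45):
        model.learn({"user": "alice", "peer_group": "retail",
                     "amount": amount, "device": "d-a1"})
    model.learn({"user": "bob", "peer_group": "retail",
                 "amount": 50, "device": "d-b1"})
    return model


if __name__ == "__main__":
    m = build_demo_model()
    for ev in (
        {"user": "alice", "peer_group": "retail", "amount": 58, "device": "d-a1"},
        {"user": "alice", "peer_group": "retail", "amount": 900, "device": "d-x9"},
        {"user": "bob", "peer_group": "retail", "amount": 700, "device": "d-b1"},
    ):
        print(ev["user"], ev["amount"], m.score(ev))
```

The score and the new-device flag are inputs for an analyst or a downstream rule, since an anomaly relative to the baseline is not necessarily fraud.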
Representative Vendors
The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to
provide more understanding of the market and its offerings.
Representative vendors are described below. Figure 2 depicts the sectors these vendors target, and
Figures 3 and 4 depict the functional capabilities of these vendors. Please note that only vendor
functionality that is native or is developed by an OEM and integrated into the vendor's product is
considered in Figures 3 and 4.
Accertify
Accertify, owned by American Express (Amex), is therefore able to perform deeper analysis on the
Amex transaction stream. Accertify's primary focus is on providing fraud management to card
acceptors. Accertify offers both a rule-based framework, in which customers can add plug-and-play
extensions to suit their needs, and a management console that provides clear reporting.
ACI Worldwide
Historically focused on the acquiring bank, ACI Worldwide's acquisition of Retail Decisions (ReD)
refreshes the product portfolio, providing online solutions and extended analytics that can be
deployed into the card acceptor and payment service provider. Offering on-premises or SaaS
deployments, ACI aims to embrace the payment ecosystem from acceptor through to acquiring
bank.
AGNITiO
AGNITiO is a provider of passive voice biometrics, allowing identification of both genuine customers
and recurring fraudsters. Typical implementations of the biometric solution are in call centers, with
an additional software development kit (SDK) allowing mobile application developers to provide
endpoint voice authentication.
BioCatch
BioCatch provides online and mobile fraud detection. Its solution transparently tracks 500
behavioral and cognitive biometric parameters derived from the user interaction and gestures, and it
builds a unique user profile. BioCatch's solution detects account takeover fraud and malware
attacks, such as remote access trojan (RAT) and man in the browser (MITB).
CardinalCommerce
CardinalCommerce offers a consumer authentication solution that applies rule-based controls and
analytics over financial transactions. These transactions can be initiated through the 3-D Secure
protocol and various other authentication tools in parallel. CardinalCommerce also provides
statistical modeling to ensure performance of its services and also provides data to its partners to
help them fit any form of authentication to their business. Targeting retailers to financial institutions,
high risk to low risk, CardinalCommerce's value proposition is the bridge between card acceptor
and card processor.
Contact Solutions
Contact Solutions is focused on IVR and contact centers. It has integrated licensed technology from
IDology and Pindrop Security into its own product to offer fraud detection. Contact Solutions also
includes its own "Red Flag" system that uses call data record and IVR data to compare caller
behavior to a statistical behavioral model to assess the threat level of callers. Contact Solutions
offers an integrated solution to allow risk management and identification of callers, and it provides
assurance around identity proofing.
CyberSource
CyberSource's fraud management solutions leverage the relationship with its parent company, Visa,
as well as other data sources, to provide a hybrid fraud engine that includes rule checking,
statistical modeling and fraud strategy analytics. It also provides payment acceptance authorization,
rule-based 3-D Secure implementation and delivery address verification for customer-not-present
transactions.
Digital Resolve
Digital Resolve provides online behavior monitoring, login authentication and identity proofing, in
addition to a suite of reporting and analysis tools, both to investigate meaningful anomalies and to
uncover patterns and trends of significance. This vendor's Layer 1 (endpoint-centric), Layer 2
(navigation-centric) and Layer 3 (user- or entity-centric) software or services can be used by any
company with an online presence that needs to protect access to sensitive information or financial
transactions, whether for customers, vendors or employees.
Easy Solutions
One of the more comprehensive and advanced fraud vendors, Easy Solutions operates across
multiple channels, such as automated teller machine (ATM), IVR, online and mobile. Solutions are
offered primarily in the banking sector, and they cover navigation analysis, endpoint identification,
strong authentication and transaction monitoring.
F5 Networks-Versafe
With the acquisition by F5 Networks, Versafe has been rebranded "WebSafe" and is provided as an
add-on module to F5's security appliances. The focus is on clientless endpoint-centric fraud
detection, phishing protection and protection against trojans (for example, MITB).
Feedzai
Feedzai's advanced modeling risk platform, which relies on automated machine learning, is based
on transaction streams across ATM, POS and online channels. It allows transaction risk scoring and
blocking based on behavioral analysis of users and devices.
Forter
Forter provides an automated fraud management solution to online retailers using a
transaction-percentage pricing model. Forter provides a real-time "approve/decline" decision for every
transaction, and it guarantees payment of chargeback costs in transactions it previously authorized.
Forter's solution integrates with the online shopping cart and performs behavioral analysis and
identity verification against social graphs and public information sources.
Fox-IT
Fox-IT's DetACT performs clickstream modeling and analysis of events and user/entity behaviors,
highlighting anomalies, trends and clusters in real time. It can be integrated with SIEM systems or
payment systems, and it also has insight into some endpoint-centric events. It is fully compatible with
Web and native mobile app architectures. This event analytics and fraud detection product
integrates tightly with Fox-IT's threat intelligence data.
Guardian Analytics
Guardian Analytics offers solutions for mobile/online banking, payments and online accounts.
Individual behavioral analytics are used to identify high-risk transactions and users. Layer 2
capabilities allow Guardian Analytics to track page flows, navigation, velocity and timing. Its
licensing of external threat intelligence and reputation data allows enhancement of the risk scores
and also provision of the intelligence data to its customer base.
IDology
IDology provides multilayered identity verification and fraud prevention solutions, such as identity
proofing, knowledge-based authentication, photo ID scan and validation, identity risk scoring, and
network collaboration tools.
InAuth
Focused on mobile device and browser security, InAuth enables an online portal to calculate the
likelihood of a genuine identity assertion by the customer and the trustworthiness of the customer's
mobile device or browser. This solution is focused on the endpoint and does not provide insight into
transaction risk.
Inform
Offering solutions in card processing, ACH, wire payments and insurance, Inform's RiskShield
performs statistical modeling across multiple channels, including the online channel. Focusing on
transactional analysis, this solution is traditional fraud detection and does not offer support for
mobile devices or apps at the Layer 1 endpoint level.
Intellinx
Recently merged with Bottomline Technologies, Intellinx offers a visual replay of user screens, user
behavior profiling and transaction analysis for detecting online fraud, malware and distributed denial
of service (DDoS) attacks. Working across multiple channels and offering real-time alerts, including
transaction blocking, the solution provides endpoint identification and fingerprinting, relying on
statistical modeling of data sniffed from the network.
Kaspersky Lab
Kaspersky Lab, best known for its endpoint security platform and threat intelligence, also offers
fraud prevention for online and mobile applications. It supports endpoint and malware behavioral
analysis with client software, and the firm plans to introduce a clientless version as well. It has a full
mobile security module accessed via an SDK that aims to identify and secure the device, as well as
secure the application, data and connection.
Kount
Kount interpolates data from the following: payments, logins, account creation (including free trials),
and mail order/telephone order. Transactional data and metadata are fed into a weighted statistical
model, which creates a risk score for each transaction, and then each transaction is evaluated
against rules based on the client's unique risk strategy. Kount is focused toward e-commerce card
acceptors and online payment processors. Kount's recent offering — Kount Access — offers
endpoint-centric authentication, using device and recent login data, to provide validation of each
user's account privileges.
mSIGNIA
mSIGNIA's fraud prevention offering takes aim at identity fraud, using mobile device reputation
analysis and multifactor authentication to verify customers. Its fraud prevention solution makes use
of behavioral analysis on user-added data, PIN, geolocation and device identification. mSIGNIA
includes mobile app validation, and it confirms whether a protected app and device are in a
manufacturer-approved state or have been jailbroken or compromised. mSIGNIA offers a
cryptographic service to sign transaction messages emanating from the mobile device.
NuData Security
NuData Security offers fraud detection and prevention software that utilizes behavioral analysis and
statistical analytics to detect automated and human attacks, identifying the good and bad users.
NuData has a cloud network of metadata (for example, reputation data and history) on billions of IP
addresses, device fingerprints, email addresses and phone numbers, and the data linkages.
NuDetect is used by some of the largest global e-commerce companies to protect them from
automated — as well as manual — account creation and takeover.
Pindrop Security
Focused on voice call fraud prevention, Pindrop Security aims to protect call center voice
operations from account takeover, social engineering and other types of attacks. Types of calls
include inbound, live, recorded, and customer- and employee-facing IVR. Pindrop analyzes
numerous aspects and attributes of a phone call to detect fraud or confirm a legitimate user. It
recently added voice biometrics to complement the "phoneprinting" offering, which strengthens
both its fraud detection and new caller authentication capabilities.
Sift Science
Sift Science leverages machine learning and statistical modeling to predict fraud by using identity,
behavioral and network signals. Sift Science adapts to a changing threat model in real time and
alerts customers to suspicious activity and fraud patterns that are seen across its global customer
network. Sift Science targets various use cases, including payment fraud, fraudulent account
creation, spam, referral fraud, and other use cases for Web and mobile applications.
Signifyd
Signifyd reduces reliance on static data — much of which is PII data that has been compromised by
the crooks — and increases reliance on dynamic data, such as reputation, behavior and
Socure
Socure's online identity verification SaaS solution protects against identity fraud and increases
acceptance where traditional offline identity verification (IDV) solutions fall short, specifically among
the millennial, thin-file and unbanked/underbanked customers. By combining social behavior data
across major social networks with open Internet and offline data (subject to the privacy regulations
in the Gramm-Leach-Bliley Act [GLBA]), Socure is able to verify whether a customer is real, fake or
poses a fraud risk, thereby reducing fraud, along with reducing financial institutions' manual review
costs.
ThreatMetrix
ThreatMetrix's original focus on device identification and fingerprinting has expanded into defining
relationships between devices and other non-PII data attributes for the purpose of detecting fraud
with its Persona ID product. Using its collaborative intelligence base, the company enables
context-aware authentication (transparent to the user), account takeover protection, payment fraud
prevention and identity proofing. It also offers a mobile SDK with extensive mobile security features.
Trustev
Trustev takes a multilayered approach, analyzing devices, user accounts, network topology,
customer history at a retailer, social network interactions, IP location and transaction velocity, as
well as many other factors to make a fraud decision. Trustev presents a dashboard to the fraud
manager, allowing the review of real-time transaction decisions. Trustev operates in the retail,
financial and telecom sectors, and it also has experience in the high-risk gift card market.
Verint Systems-Victrio
With the acquisition of Victrio, Verint Systems is able to include passive voice biometric
authentication in its range of fraud, risk and compliance solutions. Victrio screens calls against
Whitepages
Whitepages leverages 18 years of experience collecting and curating large volumes of contact data
for online directory services. Its Whitepages Pro offers identity proofing solutions to help manage
operational risk to the financial services and e-commerce industries. Whitepages Pro constructs a
digital identity from fragmented parts, centered on pervasive elements, such as a phone number
(depending on age, either a landline or mobile phone number will be most pervasive). Whitepages'
graph-structured database format cross-verifies name, phone, address, email and social linkages.
Market Recommendations
Fraud managers should:
■ Employ a layered online fraud detection approach, and, at a minimum, use products that
integrate endpoint-centric (Layer 1) solutions with user- or entity-centric (Layer 3) fraud
detection.
■ Implement continuous user and entity profiling that sets a baseline for detecting anomalous
transactions with statistical models or rules. Feed fraud data into a big data warehouse to get
an enterprise view of fraud and security issues.
■ Favor vendors that implement multiple fraud detection layers; user and peer group profiling;
behavioral analytics; and integration of external threat and identity intelligence. This should
especially be the case if your enterprise does not have IT capacity or resources to integrate
products and services on its own.
■ Choose products that fit your use case (for example, telephony-based fraud detection for IVR or
call centers, or mobile-centric fraud detection for mobile applications, as well as for your sector,
whether it is banking, e-commerce or another).
■ When evaluating vendors, give strong consideration to those that continually innovate, which is
a necessity when combating rapidly evolving criminal behavior. Don't consider legacy fraud
detection technology adequate if the vendor fails to keep up with criminal trends.
■ Counter social engineering attacks against unsuspecting employees, customers or partners, by
strengthening security awareness and training programs. OFD can supplement — but cannot
replace — user training.
■ Integrate disparate point solutions into a common alert management system, where alerts and
their attributes can be weighted and correlated in order to highlight the most suspect alerts and
events that need immediate attention.
"The Five Layers of Fraud Prevention and Using Them to Beat Malware"
Evidence
1 Gartner Inquiries:
Gartner fields several hundred inquiries from clients around the world each year on fraud detection
and prevention. These calls unearth common requirements and trends across the globe in relation
to combating fraud.
FraudFox VM is a version of Windows with a significantly modified version of the Firefox browser
that runs on VMware's Workstation for Windows or VMware Fusion on OS X. It's for sale on
Evolution, the apparent successor to the Silk Road online contraband market, for 1.8 bitcoins, or
about $390.
FraudFox VM helps fraudsters defeat device fingerprinting, a common fraud detection tool.
More advanced versions of browser configuration tools that enable fraudsters to beat device
fingerprinting are also available in the criminal underground but have not yet been publicized to the
general public.
Call center fraud: According to numerous large financial institutions that are Gartner clients, 30%
of their fraud occurs across channels, meaning over the Web and through the call center. Call center
representatives are socially engineered by the fraudsters to give away sensitive information that
eventually enables the criminals to illegally transfer funds to their own accounts.
Business email scams: Across the globe, these scams are robbing vast sums of money (hundreds
of millions of dollars). In these scams, criminal email senders impersonate company CEOs or other
managers, sending emails to their staff who can originate money transfers to fraudster bank
accounts. The fraudulent email requests the staff to move the money, and the staff complies
accordingly. This same type of social engineering also uses phone calls, whereby a fraudster will
impersonate a senior manager and will call a lower-level employee to similarly instruct a fraudulent
money transfer. These scams fall outside the direct purview of banks, which have warned their
In January 2015, the Internet Crime Complaint Center (IC3) and Federal Bureau of Investigation (FBI)
issued an alert on a business email compromise (BEC) scam. The gist of the alert is as follows:
"The BEC is a global scam with subjects and victims in many countries. The IC3 has received BEC
complaint data from victims in every U.S. state and 45 countries." From 1 October 2013 through 1
December 2014, "the following statistics are reported:
© 2015 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates.