Analysis, fraud management and cybercrime
The rise of bots has left e-commerce vendors scrambling for new capabilities
Michael Novinson
May 19, 2023
New entrants LexisNexis Risk Solutions and F5 join longtime leaders Experian and IBM on the KuppingerCole Leadership Compass for fraud mitigation intelligence platforms.
Leading vendors in the fraud mitigation space allow users to define and enforce bot management policies and have capabilities that span a variety of sectors from finance to payments to e-commerce, said John Tolbert, director of cybersecurity research at KuppingerCole. Considering how much fraud is done by bots, Tolbert says the best platforms offer sophisticated options to address this emerging threat (see: Palo Alto, Versa, Cisco Lead First-Ever SASE Tech Evaluation).
“The ones at the top have a more comprehensive set of capabilities,” Tolbert told Information Security Media Group. “I would describe six main fraud detection services — identity verification, credentialing, user behavior analysis, behavioral biometrics, bot detection and bot management. All of the above covers those different bases. They generally have a lot to offer.”
LexisNexis, IBM and F5 took gold, silver and bronze respectively for product leadership. That’s a stark contrast to the previous report in June 2021, in which KuppingerCole rated the product capabilities of ID Dataweb and Transmit Security head and shoulders above the pack. This time, KuppingerCole ranked Transmit Security and ID Dataweb fourth and sixth in product capabilities, respectively.
IBM jumped from third place in 2021 to first in innovation, and LexisNexis and Experian took silver and bronze, respectively. BioCatch and ID Dataweb occupied the top innovation positions in 2021. Experian jumped from second to first in market strength, and Akamai and LexisNexis took silver and bronze this time. In 2021, Broadcom and Outseer ranked first and third in market strength.
In the future, Tolbert said, pure-play anti-fraud specialists that focus exclusively on e-commerce or bot-generated fraud may expand into payment fraud as more of them enter the market. But Tolbert doesn’t expect companies specializing in finance or payment security to enter the broader e-commerce security space today given the level of investment required.
“This market is mature now,” Tolbert said. “All of the companies involved in this market have great strengths that I’m sure will benefit their customers. And there are some companies that cover every type of technology that you want to be able to protect against widespread fraud. It’s hard to predict where this market will go.”
Outside of the top four, here’s how KuppingerCole views the fraud reduction intelligence platform market:
- Leaders: HID Global, Akamai, Group-IB, Transmit Security, Outseer, BioCatch, Forter, GBG
- Challengers: Human Security, Broadcom, Arkose Labs, Sift, ID Dataweb, Gurucul
- Vendors to watch: Amazon, Cleafy, Equifax, Feedzai, FICO, Imperva, Nice Actimize, OneSpan, Ping Identity, Ravelin, Telesign, ThreatMark, TransUnion
The latest rankings reflect a decline for Transmit Security, BioCatch and Outseer, which dropped from third, fifth and eighth, respectively, to eighth, 10th and ninth. HID Global and Group-IB jumped from 10th to fifth and from 11th to seventh, respectively. Forter was listed as a vendor to watch in 2021 after declining to fully participate in the report last time. Akamai and GBG are new to the list.
LexisNexis adds behavioral biometrics to identify non-humans
The company’s new threat signals go beyond determining whether a user is human or not and instead try to determine whether it’s the same person or whether someone is learning from their interaction, Sutherland said. LexisNexis has taken its capabilities beyond the browser and now offers a software optimization tool that supports browsers, mobile apps and many other forms, Sutherland said (see: We are waiting for 2023 for the actual cheat price.).
“We use our data assets internally to provide our customers with a comprehensive set of solutions,” Sutherland told Information Security Media Group.
KuppingerCole describes LexisNexis as requiring ISO 27001 certification and bot management methods such as challenge and redirection as well as multiple services for full fraud mitigation functionality. Sutherland says LexisNexis has so far played with the application layer, but is keen to address the impact of bots and has deliberately made the tools available only to customers who need them.
“We’re not trying to give customers things they don’t want,” Sutherland said. “It’s a difference in approach.”
Experian allows customers to develop and test fraud indicators
Experian has strengthened its core device recognition technology and streamlined document verification to reduce the necessary planning, integration and workflow, said David Britton, vice president of strategy. The company stabilizes its customers’ digital footprint to provide a consistent device footprint over time, so users aren’t always challenged when they log in again.
The company has launched a fraud sandbox where customers can reliably test new risk indicators based on their own historical data and more anonymized data from third parties compiled over the years, Britton said. Tapping into cross-customer data makes it easier for organizations to gain visibility into fraud that is occurring across the broader industry ecosystem (see: Expert: Why cyber attacks can develop into ‘cyberwar’).
“We are able to gain rich insights into the most recent name, address, phone number and social security information our customers have spent in our credit process,” Britton said. “We can use this data as evidence because we’re seeing it every time we make a loan or credit card payment. We can use that data as the backbone of what we do to combat fraud.”
KuppingerCole criticized Experian for its lack of hard data, as well as its failure to review ML-rich search models and transaction lists for UBA and SIM for device data. Britton said Experian wants to bring unconventional analytics to banking, doesn’t need ML to understand user behavior, relies on mobile phone partners for SIMs and doesn’t see a small price for compromised credentials.
“We believe that every piece of information on the planet has been stolen,” Britton said. “In terms of fraud mitigation, however, this data has a shelf life. Fraudsters don’t use the same data over and over again. Effectively, they use it for a period of time and don’t touch it again.”
IBM seeks to expand fraud detection coverage, effectiveness
IBM has enhanced the fraud detection capabilities of its machine learning models to improve the coverage and effectiveness of fraud detection, said Wesley Gyure, director of product management security at IBM. Big Blue has improved the user interface and the experience around detecting and investigating attacks, making it easier to see and categorize threats such as remote access Trojans or device spoofing.
Gyure said IBM has created more self-service functionality so that customers can quickly and easily identify fraud by using small snippets of code embedded in the app to capture telemetry data. IBM’s fraud mitigation capabilities are integrated into the company’s orchestration and automation engine to help users take immediate action when issues are detected (see: IBM buys Polar Security to access and protect cloud, SaaS data).
“It’s one thing to be able to find risk points and identify fraud in your environment,” Gyure told ISMG. “But that alone won’t stop the challenges our customers face or fix the attacks they face. They need to take action, and they need to do it autonomously and in real time.”
KuppingerCole criticized IBM for not detecting or preventing some e-commerce fraud and for not having some strong form of API authentication and the ability to package evaluation results against OIDC or OAuth 2.0. Gyure confirmed that IBM has recently extended its API to handle web tokens, is now working on support for OIDC and OAuth 2.0, and has historically focused fraud activity on banking, finance and insurance.
“In e-commerce, there can be attacks that take advantage of loyalty programs or fraudulent activities,” Gyure said. “These types of attacks are very unique and you have to have some built-in capabilities and logic around them. And we’re working on that process with both vendors and what we’re doing to extend that coverage.”
F5 quickly detects cases of fraudulent digital skimming
F5 focuses on preventing fraud earlier in the hacker’s journey by integrating with bot protection products that detect digital skimming attacks that often lead to fraud, said Angel Grant, vice president of security. F5 has integrated all of its bot and fraud products into one, so organizations can view and manage their overall security and fraud from a single dashboard, Grant said.
Grant said the customers bypass controls like multifactor authentication or CAPTCHA that could hinder performance or revenue generation. For this reason, Grant said, F5 has created an intelligent authentication product that identifies known good customers and provides passwordless login, and has partnered with Visa to provide e-commerce merchants with a more seamless and personalized experience (see: F5 lays off 623 workers as customers postpone new purchases).
“I’m amazed at how fraud providers and many fraud analysts are doing the same thing they were doing ten years ago,” Grant told ISMG. “That’s not the right approach because you’re missing key context and you’re missing the opportunity to eliminate the threat. Further enhancing the customer journey.”
KuppingerCole criticized F5 for requiring professional services for policy changes and the integration of call center and IT service management. Grant said F5 chose to partner rather than build or buy its own identity verification offering and created new self-service capabilities so customers can configure policy changes entirely on their own.
“With our managed service offering, we have the ability to work with our customers at the speed that criminals attack,” Grant said. “We have that relationship with the customer, and we’re constantly working on the threats we see to target their organization, and we’re going to screen and call them out.”