alphaspirit - Fotolia

Choosing the best web fraud detection system for your company

This guide explains the technology and the key features an effective system should include to help readers evaluate fraud detection products and choose the best for their company.

Each U.S. consumer has, on average, at least one credit card and two bank cards they use to make in-person and online purchases, pay bills and send money to others. Collectively, U.S. consumers make billions of noncash transactions every year; these are prime targets of cybercriminals looking to walk away with as much of that money as they can.

Although the rate of cybercrime and attempted fraud increases each year, the portion of lost e-commerce revenue by North American merchants is just under 1%, according to the 2014 CyberSource Online Fraud Report, a number that's remained fairly static since 2010. Experts point to the efficient management of web fraud as the key reason. Even so, payment fraud is a great concern to consumers, and merchants and financial institutions take the hit for most of the money lost as a result of fraud in the form of refunds and chargebacks.

Web fraud detection explained

Organizations that accept payment cards over the web -- also referred to as card not present (CNP) transactions -- or organizations that back those payments, will deploy web fraud detection software or services to detect and help prevent fraud.

Web fraud detection systems typically focus on new account origination, account takeover and payment fraud. With account takeover and new account origination fraud detection, organizations attempt to root out unauthorized or fraudulent users posing as legitimate users. Payment fraud detection involves determining whether purchases are being or have been made with stolen payment cards. Some vendors also offer fraud intelligence services, authentication, malware detection (such as man-in-the-browser infections on computers and mobile devices) and secure clients, as well as managed services in which the vendor is primarily responsible for monitoring and taking action on instances of fraud.

Web fraud detection system vendors generally provide either an on-premises software product or platform, or a cloud-based software as a service (SaaS) that scans financial transactions made via the web or with mobile devices.

How web fraud detection works

Web fraud detection software (or a cloud-based service) runs background processes that scan transactions and score them based on the possibility of fraud. Many different data points are considered to determine the score, such as user behavior, device ID, other device characteristics, geolocation, order links and so on. The data is then compared against "normal" attributes. If the transaction is deemed valid, it's allowed and processed. If the transaction falls outside of an accepted range, an alert is issued and the transaction may be automatically suspended or denied.

To detect fraud, vendors typically use either a predictive behavioral scoring model, in which an account holder's behavior is the predominant criteria, or a rule-based system that uses pattern recognition. Some products or services use both types of scoring models.

Even with automated systems available, organizations still need to manually analyze certain transactions, such as those that an automated tool flags as fraudulent.

Who needs web fraud detection services? Organizations of all sizes -- from SMBs to enterprises -- that deal with any volume of CNP transactions that are too burdensome or time-intensive to review manually should have some type of fraud detection in place. Specific customers include banking and financial services institutions, e-commerce merchants, human resources and payroll services, and social networking sites, just to name a few. Web fraud detection services especially help organizations that need to meet Payment Card Industry Data Security Standard requirements.

How is web fraud detection sold? SaaS offerings are the most straight-forward approach to web fraud detection. A customer simply signs up for a service and agrees to pay a monthly fee based on the number of anticipated transactions (or a similar metric). The customer can scale the fraud detection service up or down as its needs change.

On-premises software requires an upfront cost for the software and any hardware or infrastructure upgrades required to support the software. Companies that lack a full-time security support team (most often small to midsize companies) may need to pay the vendor for initial setup just to get the software up and running properly, plus minimal staff training.

Managing and supporting web fraud detection

Web fraud detection management and support varies depending on how it's implemented.

SaaS-based web fraud detection is hosted by a service provider; customers access the service through a configuration interface to customize settings and perform typical administrative tasks.

On-premises web fraud detection systems require more administrative effort for installation and maintenance of the server on which the software runs, for the software itself, and for the customer's network infrastructure.

Web fraud detection systems and services can't detect every instance of fraud, but they greatly reduce a merchant's or financial institution's risk and provide a high level of protection to consumers.

Features

Frank Abagnale, a former imposter and fraudster who wrote the book Catch Me If You Can believes "punishment for fraud and the recovery of stolen funds [is] so rare, prevention is the only viable course of action." An organization that conducts business over the web should interpret that statement to include detection as well. That is, prevention of web fraud is a combination of accurate fraud detection along with layers of security that help to protect users, devices and networks.

Web fraud detection, sometimes referred to as online fraud detection, is a set of services or a software product that detects fraudulent transactions or activities conducted over the web. A typical web fraud detection system detects new account origination (identity fraud), account takeover (stolen user credentials) and payment fraud (e.g., with a stolen credit card), but can offer much more. How a web fraud detection system accomplishes detection and to what extent is what sets one tool apart from the others. So it's important to understand key features available in a fraud detection tool in order to evaluate these products and choose the best for your company.

Sector focus: Some web fraud detection vendors focus specifically on the banking/financial services industry or e-commerce, whereas others offer products that claim to tackle nearly any type of sector that maintains online accounts and conducts transactions.

A financial services company may best be served by a web fraud detection system created specifically for that industry. The same applies to e-commerce and retailers. Government agencies offering e-government services, social networking sites, insurance companies and so forth can broaden their research to look at sector-neutral products (those that support many different verticals), which represent the lion's share of available products.

Multiple layers: In both its Market Guide for Online Fraud Detection (revised on July 21, 2015) and in previous publications, Gartner highly recommends using multiple fraud-prevention layers designed to help prevent or stop further damage from internet-based malware attacks. The most significant layers involve endpoints (Layer 1), navigation (Layer 2) and users or entities (Layer 3).

According to Gartner's layering scheme, an endpoint product analyzes computer, mobile device or telephony device characteristics, such as recent login data, and provides validation of a user's account privileges. A navigation system analyzes session navigation for anomalies. A user- or entity-centric product compares transactions to the "norm" for that user or entity, for a specific channel such as e-commerce.

Many web fraud detection systems provide protection for all three layers; others focus on only one layer. It's possible to get complete coverage from various products, but it makes sense to look for a product that provides protection at all three layers.

Analytics and continuous profiling: Rule-based analytics rely on pattern recognition, which is based on what is already known. Predictive behavioral analytics look at an account holder's behavior and seek anomalies based on expected behavior. Models produce risk scores, which are evaluated against user or entity profiles created from the results of analytics.

Products that get high marks in this category are those that provide continuous profiling of accounts and users to detect fraud, using one or both analytical models, though behavioral analytics is somewhat preferable over rule-based.

Integration of external intelligence: One part of the security industry that's gained significant traction in recent years is threat intelligence. A threat intelligence service gathers raw data about emerging threats from several sources (and perhaps millions of endpoints), and then analyzes and filters that data to produce useable information.

Security control systems, such as security information and event management and next-gen firewalls, use threat intelligence to better protect an organization from emerging or zero-day threats. An identity intelligence service, or identify proofing service, provides an analysis of user identity and access characteristics (user roles, policy violations, biometric data and so on), gathered from public and proprietary data sources. Identity intelligence is often used to verify a person's identity before an organization approves an account and issues credentials.

For the most comprehensive coverage, organizations should give preference to web fraud detection systems that can integrate external threat intelligence and/or identity intelligence. In fact, the majority of products are expected to provide this feature by 2017.

Compliance: Ensure your organizations choice of web fraud detection system meets the requirements of all necessary compliance regulations. For example, if an organization accepts payment cards, it should ask if the product under consideration carry PCI DSS-certification.

Many organizations need to comply with the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act or FACTA Red-Flags, or require SSAE 16 or ISO/IEC 27001 for information security management. Keep a list of the organization's compliance requirements handy when vetting web fraud detection systems and ask each vendor on the short list to provide documentation that indicates the product's compliance support.

Other considerations: Web fraud detection vendors typically provide downloadable data sheets, brochures and similar product assets on their websites to prospective customers. Be sure to check the copyright dates on the available assets, especially the data sheets, and consider dropping from consideration any products with asset dates older than a year or two. Web fraud detection systems must adapt to a constant influx of new threats, and incorporate innovation to remain relevant and competitive. Old assets may be an indicator of a product that's not technologically fresh and effective.

As organizations research vendors and products, they'll read about how the web fraud detection industry has undergone a lot of churn since 2013, mainly from mergers and acquisitions. When a vendor is acquired to fill in a technology gap in a portfolio, innovation can suffer. When talking to each vendor sales rep, be sure to ask the following:

  1. Which products are the top three competitors?
  2. Are any product improvements or upgrades are planned (and the nature of the changes)?
  3. How does this web fraud detection system stands out from the competitors?

The bottom line

Evaluating web fraud detection systems requires more than a search through data sheets and marketing materials, all of which can be misleading and out of date. Take advantage of one-on-one demos offered by the vendors, during which you can ask the sales reps specific product questions in relation to your organization's industry/channel and transaction volume. That's the best time to establish realistic pricing as well, because most web fraud detection systems are based on volume.

About the author:
Ed Tittel is a 30-plus year IT veteran who's worked as a developer, networking consultant, technical trainer, writer and expert witness. Perhaps best known for creating the Exam Cram series, Ed has contributed to more than 100 books on many computing topics, including titles on information security, Windows OSes and HTML.

Dig Deeper on Identity Theft and Data Security Breaches

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close