Frank Abagnale, a former imposter and fraudster who wrote the book, Catch Me If You Can, believes "punishment for fraud and the recovery of stolen funds [is] so rare, prevention is the only viable course of action." An organization that conducts business over the Web should interpret that statement to mean "detection" as well. That is, prevention of Web fraud is a combination of accurate fraud detection along with layers of security that help to protect users, devices and networks.
Web fraud detection, sometimes referred to as online fraud detection, is a set of services or a software product that detects fraudulent transactions or activities conducted over the Web. A typical Web fraud detection system detects new account origination (identity fraud), account takeover (stolen user credentials) and payment fraud (e.g., with a stolen credit card), but can offer much more. How a Web fraud detection system accomplishes detection and to what extent is what sets one apart from the others. Read on for an overview of key factors to consider when evaluating these products.
Some Web fraud detection vendors focus specifically on the banking/financial services industry or e-commerce, whereas others offer products that claim to tackle nearly any type of sector that maintains online accounts and conducts transactions.
A financial services company may best be served by a Web fraud detection system created specifically for that industry. The same applies to e-commerce and retailers. Government agencies offering e-government services, social networking sites, insurance companies and so forth can broaden their research to look at sector-neutral products (those that support many different verticals), which represent the lion's share of available products.
Multiple layers of Web fraud detection
In its Market Guide for Online Fraud Detection (revised on July 21, 2015) and previous publications, Gartner highly recommends using multiple fraud prevention layers designed to help prevent or stop further damage from Internet-based malware attacks. The most significant layers involve endpoints (Layer 1), navigation (Layer 2) and users or entities (Layer 3). According to Gartner's layering scheme, an endpoint product analyzes computer, mobile device or telephony device characteristics, such as recent login data, and provides validation of a user's account privileges. A navigation system analyzes session navigation for anomalies. A user- or entity-centric product compares transactions to the "norm" for that user or entity, for a specific channel such as e-commerce.
Many Web fraud detection systems provide protection for all three layers; others focus on only one layer. It's possible to get complete coverage from various products, but it makes sense to look for a product that provides protection at all three layers.
Analytics and continuous profiling
Rule-based analytics rely on pattern recognition, which is based on what is already known. Predictive behavioral analytics look at an account holder's behavior and seek anomalies based on expected behavior. Models produce risk scores, which are evaluated against user or entity profiles created from the results of analytics.
A high mark in this category is a product that provides continuous profiling of accounts and users to detect fraud, using one or both analytical models, with behavioral edging out rule-based.
Integration of external intelligence information
One part of the security industry that's gained significant traction in recent years is threat intelligence. A threat intelligence service gathers raw data about emerging threats from several sources (and perhaps millions of endpoints), and then analyzes and filters that data to produce useable information. Security control systems, such as security information and event management and next-gen firewalls, use threat intelligence to better protect an organization from emerging or zero-day threats. An identity intelligence service, or identify proofing service, provides an analysis of user identity and access characteristics (user roles, policy violations, biometric data and so on), gathered from public and proprietary data sources. Identity intelligence is often used to verify a person's identity before an organization approves an account and issues credentials.
For the most comprehensive coverage, organizations should give preference to Web fraud detection systems that can integrate external threat intelligence and/or identity intelligence. In fact, the majority of products are expected to provide this feature by 2017.
Compliance with regulations and standards
Ensure your organizations choice of Web fraud detection system meets the requirements of all necessary compliance regulations. For example, if an organization accepts payment cards, it should ask if the product under consideration is PCI DSS-certified.
Many organizations need to comply with the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act or FACTA Red-Flags, or require SSAE 16 or ISO/IEC 27001 for information security management. Keep a list of the organization's compliance requirements handy when vetting Web fraud detection systems and ask each vendor on the short list to provide documentation that indicates the product's compliance support.
Web fraud detection vendors typically provide downloadable data sheets, brochures and similar product assets on their websites to prospective customers. Be sure to check the copyright dates on the available assets, especially the data sheets, and consider dropping products with asset dates older than a year or two from the list. Web fraud detection systems must adapt to a constant influx of new threats, and incorporate innovation to remain relevant and competitive. Old assets may be an indicator of a product that's not technologically fresh and effective.
As organization's research vendors and products, they'll read about how the Web fraud detection industry has undergone a lot of churn since 2013, mainly from mergers and acquisitions. When a vendor is acquired to fill in a technology gap in a portfolio, innovation can suffer. When talking to each vendor sales rep, be sure to ask (1) which products are the top three competitors, (2) if any product improvements or upgrades are planned (and the nature of the changes) and (3) how their Web fraud detection system stands out from the competitors.
How to evaluate Web fraud detection systems
Evaluating Web fraud detection systems requires more than a search through data sheets and marketing materials, which can be misleading and out of date. Take advantage of one-on-one demos offered by the vendors, during which you can ask the sales reps specific product questions in relation to your organization's industry/channel and transaction volume. That's the best time to establish realistic pricing as well because most Web fraud detection systems are based on volume.
In part one of this series, learn about the basics of Web fraud detection in the enterprise
In part two of this series, find out about the four enterprise scenarios for Web fraud detection systems