LexisNexis, Experian, IBM, F5 Top Fraud Reduction TechRise of Bots, E-Commerce Attacks Leaves Providers Scrambling for New Capabilities
New entrants LexisNexis Risk Solutions and F5 joined longtime leaders Experian and IBM atop KuppingerCole's Leadership Compass for fraud reduction intelligence platforms.
Leading vendors in the fraud reduction space allow users to detect and set policies for handling bots and have capabilities spanning different sectors from finance to payments to e-commerce, said John Tolbert, KuppingerCole's director of cybersecurity research. Given how much fraud is perpetuated by bots, Tolbert said the best platforms provide sophisticated options for addressing this emerging threat (see: Palo Alto, Versa, Cisco Lead First-Ever SASE Tech Evaluation).
"The ones at the top have a more comprehensive package of capabilities," Tolbert told Information Security Media Group. "I define six major areas of fraud detection services - identity proofing, credential intelligence, user behavior analysis, behavioral biometrics, bot detection and bot management. The ones at the top pretty much cover all of those different bases. They have more to offer overall."
LexisNexis, IBM and F5 captured the gold, silver and bronze, respectively, in product leadership. That's completely different from the last report in June 2021, in which KuppingerCole said ID Dataweb and Transmit Security's product capabilities were head and shoulders above the pack. This time, KuppingerCole ranked Transmit and ID Dataweb's product capabilities fourth and sixth, respectively.
IBM jumped from third in 2021 to first in innovation, and LexisNexis and Experian took silver and bronze, respectively. Biocatch and ID Dataweb captured the top innovation slots in 2021. Experian jumped from second to first in market strength, and Akamai and LexisNexis took silver and bronze this time around. In 2021, Broadcom and Outseer earned first and third in market strength.
Going forward, Tolbert expects to see more pure-play anti-fraud specialists enter the market while those who focus solely on e-commerce or bot-generated fraud will likely expand into payments fraud. But Tolbert doesn't necessarily expect companies that specialize today in finance or payments security to get into the broader e-commerce protection space given the level of investment required.
"This market is really mature now," Tolbert said. "All of the companies participating in this market have some really good strengths that I'm sure benefit their customers. And there are some companies that pretty much cover the gamut of all the different kinds of technologies you would need to be able to prevent a wide variety of fraud. It's hard to predict where this market will go."
Outside of the top four, here's how KuppingerCole sees the fraud reduction intelligence platform market:
- Leaders: HID Global, Akamai, Group-IB, Transmit Security, Outseer, Biocatch, Forter, GBG
- Challengers: Human Security, Broadcom, Arkose Labs, Sift, ID Dataweb, Gurucul
- Vendors to Watch: Amazon, Cleafy, Equifax, Feedzai, FICO, Imperva, Nice Actimize, OneSpan, Ping Identity, Ravelin, Telesign, ThreatMark, TransUnion
The latest rankings represent a drop for Transmit Security, Biocatch and Outseer, which fell from third, fifth and eighth, respectively, to eighth, 10th and ninth, respectively. HID Global and Group-IB leapt from 10th to fifth and 11th to seventh, respectively. Forter was listed as a vendor to watch in 2021 after declining to participate fully in the report the last time around. Akamai and GBG are new to the list.
LexisNexis Adds Behavioral Biometrics to Help Spot Nonhumans
The company's new risk signals go beyond determining whether a user is human or nonhuman and instead attempt to determine if it's the same human or if someone is being coached in their interaction, Sutherland said. LexisNexis has taken its capabilities beyond the browser and now offers a software development kit that supports browsers, mobile apps and many other form factors, Sutherland said (see: Looking Ahead to 2023 for the Real Cost of Fraud).
"We leverage our data assets internally that really give our customers a comprehensive solution set. That's been our approach," Sutherland told Information Security Media Group. "I think it's our global data assets and unique data linking capabilities that really distinguish some of the offerings that we have."
KuppingerCole chided LexisNexis for lacking ISO 27001 certification and bot management methods such as challenging and redirection as well as requiring multiple services for full fraud reduction functionality. Sutherland said LexisNexis has until now played at the application layer but is interested in addressing the impact of lots and intentionally made its tools granular so customers pay for only what they need.
"We're not trying to give customers things that they don't need to have," Sutherland said. "It's a difference of approach."
Experian Allows Customers to Develop and Test Fraud Signals
Experian strengthened its core device recognition technology and streamlined document verification to minimize the planning, integrations and workflow needed, said David Britton, vice president of strategy, global identity and fraud. The company has stabilized its digital observations of clients to provide a consistent device footprint over time and not have users constantly challenged when they log in again.
The company has debuted a fraud sandbox where clients can safely experiment with new risk markers based on both their own historical data as well as massive amounts of anonymized data from third parties that have been compiled over the years, Britton said. Tapping into cross-client data makes it easier for organizations to gain visibility into fraud that's occurring across the broad industry ecosystem (see: Experian: Why Cyberattacks Could Escalate to 'Cyberwar').
"Because of our client engagement in our credit business, we're able to have enriched insights in terms of the latest name, address, phone number and Social Security data," Britton said. "We can leverage that data as authenticated because we're seeing it on a recurring basis with every repayment of a loan or credit card payment. We can leverage that data as the backbone for what we do in fraud mitigation."
KuppingerCole critiqued Experian for lacking compromised credential intelligence as well as ML-enhanced detection models and transaction details for UBA and not evaluating SIM for device intelligence. Britton said Experian wants to bring anomaly detection to banking, doesn't need ML to understand user behavior, relies on mobile phone partners for SIM and sees little value in compromised credential info.
"We believe frankly that every piece of data on the planet has been stolen," Britton said. "In terms of fraud mitigation, though, this data has a shelf life. Fraudsters aren't using the same data over and over again. Effectively, they use it for a period of time and they'll never touch it again."
IBM Looks to Expand Fraud Detection Coverage, Efficacy
IBM has boosted both the coverage and efficacy of its fraud detection by enhancing the ability of its machine-learning models to detect fraud, said IBM Security Director of Product Management Wesley Gyure. Big Blue has enhanced its user interface and experience around identifying and auditing attacks by making it easier to view and classify data for threats such as remote access Trojans or device spoofing.
Gyure said IBM has created more self-service functionality so that customers can quickly and easily identify and capture fraud on their own by using small snippets of code that are embedded into apps to capture telemetry data. IBM's fraud reduction capabilities have been embedded into the company's orchestration and automation engine to help users take near real-time action when issues are detected (see: IBM Buys Polar Security to Find and Protect Cloud, SaaS Data).
"It's one thing to be able to get risk scores and identify fraud within your environment," Gyure told ISMG. "But that doesn't, in itself, stop or help remediate the challenges that our clients are facing when these attacks are happening. They need to take action, and they need to do it on an autonomous basis and in a near real-time approach."
KuppingerCole criticized IBM for not detected or preventing certain types of e-commerce fraud and for lacking some types of strong API authentication and the ability to package evaluation results in OIDC or OAuth 2.0. Gyure said IBM recently extended its API to handle web tokens, is now working to extend support to OIDC and OAuth 2.0, and historically found that fraud activity focused on banking, finance and insurance.
"In e-commerce, there may be attacks that are taking advantage of loyalty programs or return fraud," Gyure said. "Those types of attacks are very specific and you have to have specific built capabilities and logic around them. And we're working through that process with both vendors as well as what we're doing to extend that coverage."
F5 Looks for Cases of Digital Skimming to Spot Fraud Sooner
F5 has focused on preventing fraud earlier in the hacker's journey through integrations with bot defense products that spot digital skimming attacks that often lead to fraud, said Vice President of Security Angel Grant. F5 has worked to integrate all its bot and fraud products together so that organizations can view and control their entire security and fraud posture from a single dashboard, according to Grant.
Grant said customers will bypass controls such as multifactor authentication or CAPTCHA that impede performance or potential revenue generation. For this reason, Grant said, F5 has created an intelligent authentication product that identifies known good customers and offers them passwordless login, and it has partnered with Visa to give e-commerce merchants a more seamless and personalized experience (see: F5 Lays Off 623 Staffers as Customers Postpone New Purchases).
"I am surprised with how fraud vendors as well as a lot of fraud analysts are still doing the same thing they were doing a decade ago," Grant told ISMG. "A lot of fraud vendors are typically looking at a point-in-time type of strategy, typically at the transaction level. That's not the right approach because you're losing key context and you're missing a chance to cut off the threat further up the customer journey."
KuppingerCole reproached F5 for having a low uptime guarantee, requiring professional services for policy changes and lacking identity proofing capabilities and call center and IT service management integration. Grant said F5 has opted to partner rather than build or buy its own identity proofing offering and will create new self-service capabilities so that customers can configure policy changes totally on their own.
"For our managed service offering, we have the ability to work with our customers so that they can retool as quickly as criminals attack," Grant said. "We have that relationship with the customer, and we'll continuously work and refine and dial up and dial down based on the risks we see targeting their organization."