Magic Quadrant For Web Fraud Detection - May 2013
The Web fraud detection market grew more than 48% in 2012 as interest
expanded across sectors and countries. Innovation in fraud prevention
methods is imperative because thieves are increasingly circumventing old
techniques, such as device identification.
Market Definition/Description
This document was revised on 31 May 2013. The document you are viewing is the corrected
version. For more information, see the Corrections page on gartner.com.
The Web fraud detection (WFD) market is composed of vendors that provide software products or
services that help an organization detect and prevent fraud that occurs over the Web and mobile
channel by:
■ Running background processes (transparent to users) that use hundreds of attributes — such
as geolocation, device characteristics, user behavior, navigations and transaction activity — to
score the possibility of fraudulent transactions.
■ Comparing this information with machine learning algorithms of expected behavior, or against
more-generic rules as to what constitutes "normal" behavior, to detect fraud.
■ Suspending the transaction if actual behavior is out of range with what's expected, and then
taking appropriate follow-up action. While some WFD vendors offer additional automated
authentication and transaction verification capabilities, many only alert fraud management
systems of the presence of suspected fraud.
■ Detecting account takeover, which typically occurs when user account credentials are stolen, or
via malware-based (for example, man in the middle or man in the browser) attacks.
■ Detecting new account fraud — that is, when a fraudster sets up a new account using a stolen
or fictitious identity.
■ Detecting the use of a stolen financial account (for example, a stolen credit card) when making
a purchase.
Magic Quadrant
Figure 1. Magic Quadrant for Web Fraud Detection
41st Parameter
41st Parameter is a dedicated midsize provider of fraud detection solutions aimed at larger global
financial institutions, airlines and retailers. Its FraudNet product line includes solutions for account
opening, takeover and transaction fraud, as well as specific modules for mobile and the travel
vertical industry. The vendor's primary innovations are in clientless device identification and
Target audience: This vendor's Layer 1 (endpoint-centric) and Layer 3 (user- or account-centric)
fraud prevention services can be used by financial services companies, retailers, airlines and other
companies with an online presence that need to prevent new account fraud, account takeovers and
payment fraud.
Strengths
■ FraudNet is delivered as software as a service (SaaS) and has proved scalable, with some
individual customers processing 20 million or more transactions per day.
■ FraudNet has a friendly and rich user interface for fraud analysts that has substantially improved
over the past few years.
■ 41st is a pioneer and remains a strong vendor in clientless device identification, using only
server-detected attributes that eliminate the need to tag machines via cookies or flash objects
or downloaded software. This enables its technology to operate on iOS and other mobile
platforms that do not support cookies or flash.
■ Its patented Time Differential Linking (TDL) detection method, link analysis and trojan detection
have proved successful in detecting and mitigating man-in-the-browser and man-in-the-middle
attacks (see "Privacy Collides With Fraud Detection and Crumbles Flash Cookies").
■ It has partnerships with multiple global business process outsourcing suppliers, enabling 24/7
fraud management and investigation services for its customers. It also has strong reseller
relationships with global suppliers of its target customers.
Cautions
■ Although 41st has been innovative in the past, it appears that the firm's pace of innovation in
the fraud prevention space during the past year has slowed, relative to some of its competitors.
It has developed a new product called TrustInsight for positive scoring of a payment card
authorization transaction, but currently that is not directly tied to its fraud prevention product
(although it can be).
■ Rule creation is still largely done by 41st Parameter, although the firm enables its customers to
influence and adjust rules. Most users find it too technically challenging to create their own new
rules — and even to modify those that exist. 41st does not offer predictive modeling to augment
its rule-based analysis (which the firm believes leads to high false-positives).
■ Reference customers would like to see improvements in the reporting capability, as well as
more data sharing among customers in similar industries. The firm says it has improved these
capabilities in its latest release.
Accertify
Accertify, which is wholly owned by American Express, is a midsize provider of a SaaS-based fraud
management platform that is primarily aimed at account and user activity fraud detection methods.
Accertify is leveraging its American Express relationship to move deeper into the payment chain
with a payment gateway and chargeback management system. The company has about 120
customers, primarily in the e-commerce, travel and entertainment industries. Its reported growth is
in line with the market.
Target audience: This vendor's native Layer 3 (user- or account-centric) fraud prevention services
target companies with an online presence that need to prevent new account fraud, account
takeovers and payment fraud. It also provides Layer 1 functionality through integration with
technology partners.
Strengths
■ American Express ownership has improved Accertify's data center infrastructure, and provided
Accertify clients with improved fraud scoring on American Express transactions.
■ The flexible and scalable SaaS-based Interceptas Data Management Platform gives customers
full ownership of their data, as well as the ability to develop and control sophisticated rules,
workflows and hierarchies of user levels that are applicable to multiple use cases. In addition to
a custom rule creation capability, Accertify offers a large collection of predeveloped,
industry-specific rules.
■ The firm provides contracted fraud analysts that help and supplement enterprise fraud teams
with fraud detection and management.
■ The firm has a scalable and proven ability to handle very large transaction volumes of
megaonline commerce providers.
■ Accertify continues to innovate helpful fraud prevention features, notably the ability to profile
any entity (for example, account, travel route or machine), and to share "good" and "bad"
transaction indicators across customers.
■ The firm integrates with dozens of best-of-breed third parties that bring value to fraud
prevention with extra data or capabilities — for example, device identification, data matching
with public sources, address scrubbing and more.
Cautions
■ Customers report that Accertify's growth is adversely impacting its customer service and
support.
■ Some customers indicated that Accertify's reporting ability is substandard, although the
company claims to have overhauled it once again in March 2013 and improved it substantially.
■ Accertify still has no self-learning statistical models; instead, the system is rule-based, although
customers can integrate their own models into the service. Sophisticated Accertify customers
and prospects are keenly interested in statistical fraud detection models to stay ahead of the
threat curve. Accertify says it addressed this concern with its product update at the end of
March 2013.
■ Some customers have complained of technical outages, although the firm had less than eight
hours of unscheduled downtime in 2012.
■ Customers indicate that the user interface needs considerable updating to enable improved
fraud analyst productivity.
Alaric
Alaric started out in fraud prevention for payment (credit) cards in the card-present (plastic)
environment, serving mainly issuers. In 2011, Alaric branched out into WFD, and has spent its time
focusing on the merchant-acquiring and payment-processing spaces, serving these companies for
their own needs and also providing them with fraud detection systems to resell to their merchant
customers.
Target audience: Alaric provides Layer 3 (user- or account-centric) WFD functionality for
e-commerce merchants and acquiring payment processors. It also provides Layer 4 (user- or
account-centric) functionality across channels and products, and integrates Layer 1
(endpoint-centric) functionality offered by technology partners.
Strengths
Cautions
■ Most of Alaric's WFD experience is with merchant acquirers (which provide account and
payment processing services for their merchant customers).
■ Alaric's alert management and dashboard are card-issuer-centric (and not user-friendly) due to
the firm's legacy, and they need to be more aligned with merchant needs. The firm is working to
rectify this.
■ Alaric's user interface for rule creation and investigation also needs improvement.
■ Alaric's reporting system is lacking and does not enable trend analysis and fraud data mining.
Users are turning elsewhere for their reporting needs.
■ Alaric's lack of market visibility — compared with its competitors — limits its growth potential.
CA Technologies
CA RiskMinder (acquired with Arcot in 2010) offers a fraud detection rule engine that has recently
been augmented with statistical modeling. It also offers good client device identification. The
integration of CA AuthMinder authentication software and services with CA RiskMinder provides
risk-based authentication for Web-based transactions. CA Technologies is a major supplier of cloud
authentication services to credit card issuers as part of its global support for 3-D Secure (Visa and
MasterCard) payer authentication. Although CA has a large presence in the enterprise market, the
former Arcot products are primarily sold to the financial services vertical industry. CA is currently
focused on providing enterprise fraud management (EFM) functionality, of which WFD is just one
module.
Target audience: This vendor's Layer 1 (endpoint-centric), Layer 3 (user- or account-centric) and
Layer 4 (user- or account-centric across channels) fraud detection services target financial services
companies with an online presence that need to prevent new account fraud, account takeovers and
payment fraud.
Cautions
■ CA is not well known for providing continuous innovation or maintaining solutions at the pace of
the current fraud market.
■ Adding rules is difficult when the data needed to support the rule execution is not already in the
Arcot environment.
■ The risk-based authentication method is dependent on the device ID marker being present on
the user's device. As such, if the device ID marker is missing due to a new or revamped user
device, then the default policy results in those customers being challenged with SMS OOB
authentication or challenge questions. Some customers say at least 10% of their end users are
being challenged, and this can result in a poor user experience. CA says that customers can
configure the solution differently to avoid these high challenge rates, assuming they are willing
to accept more risk.
■ Reporting facilities are lacking and users must rely on other facilities, such as information
extracts, so that they can use their own reporting tools to get information and satisfactory
reporting.
■ Device ID (previously based on flash, but now also on HTML5) now supports a wide range of
devices and operating systems, including iOS, Android and Windows 8. However, a few
customers mentioned challenges with identifying devices using iOS and Windows 8 operating
systems.
Digital Resolve
U.S.-based Digital Resolve is one of the smallest companies in this analysis. It is a subsidiary of
Digital Envoy, which, in turn, is owned by Landmark Media Enterprises, a diversified media
Target audience: This vendor's Layer 1 (endpoint-centric), Layer 2 (navigation-centric) and Layer 3
(user- or account-centric) software or services can be used by financial services companies with an
online presence that need to prevent new account fraud, account takeovers and payment fraud.
Strengths
■ Digital Resolve has a full set of out-of-the-box fraud detection rules, especially around
payments and device information, such as IP addresses. The system comes with a set of very
specific rules for bank money transfers that users can customize.
■ Available APIs enable users to invoke other processes, such as transaction verification, if they
detect a high-risk and potentially fraudulent transaction.
■ It is a turnkey solution for customers of Fundtech's CASHplus online banking system, due to
the tight integration of Digital Resolve with Fundtech's online banking and payment platform.
■ Digital Resolve customers are able to easily view user behavioral changes that caused fraud
alerts.
■ The solution provides Layer 2 session navigation information, and the entire clickstream is
stored and available for historical review.
■ The solution is attractively priced and comes bundled in an appliance, as software or as a
cloud-based service.
■ Digital Resolve has very responsive customer service.
Cautions
■ Parent companies Digital Envoy and Landmark Media Enterprises are marketing companies, not
security companies. Business priorities for security vendors and marketing vendors are very
different, and it is unclear whether this relationship will be mutually beneficial for all customers.
Early indications are that the growth of Digital Resolve has slowed slightly, and brand
recognition among Gartner customers is very low.
■ Because of the lack of a "holding tank" in between Digital Resolve and a given payment service
provider — for example, handling wire payments — users may only have a finite amount of time
(typically 10 minutes) to act on a (wire) payment alert.
■ Software needs to pull more reference data, such as customer name, out of the Fundtech
system with which it is integrated.
Target audience: This vendor's Layer 1 (endpoint-centric) and Layer 3 (user- or account-centric)
fraud detection services can be used by financial services companies, retailers, airlines and other
companies with an online presence that need to prevent new account fraud, account takeovers and
payment fraud. Easy Solutions is also attractive to companies that want a one-stop shop for most
related fraud. It is a good choice for Latin American organizations due to its solid understanding of
the Latin American banking market and the attacks those banks face.
Strengths
■ Its WFD tool, DetectTA, is complemented by other online fraud-related tools it offers, including
an anti-phishing service, "safe browsing" software (which works across iOS and Android mobile
devices) and device identification.
■ Easy Solutions' fraud detection solutions (DetectID and DetectTA) can be and have been used
across multiple channels (for example, call centers, online and ATMs), thereby enabling
organizations to stop cross-channel fraud.
■ DetectTA offers a good rule engine that is relatively easy for fraud analysts to work with, along
with a statistical predictive fraud model. Customers can integrate and have integrated their own
predictive models.
■ Easy Solutions enables risk-based authentication with challenge questions that are invoked
when users log in from a suspect device, which is detected by the firm's DetectID product.
■ Customers report that Easy Solutions provides very responsive customer service and support.
Cautions
■ DetectTA is licensed according to the number of users and accounts at the enterprise. Inactive
accounts are included in the licensing arrangement if they are online in the main production
systems.
■ An alert management and investigation module is not integrated with the DetectTA module, so
users must buy one separately.
■ Easy Solutions is not well-proven and lacks visibility in markets outside Latin America, where
the competition is stronger and, therefore, customer expectations are much higher. (However,
the firm is working hard to change this, as demonstrated by some new wins in the U.S. in early
2013, and by pulling in $11 million in additional funding for U.S. and global expansion.)
Guardian Analytics
Guardian Analytics (GA) targets U.S. banks and credit unions with its FraudMAP as a service (a
SaaS) product platform. GA continues to grow well above the market growth rates in 2012.
FraudMAP modules include Mobile, ACH and Wire (the latter two are used to detect fraud in U.S.
bank money transfers). GA can support a range of financial institutions on custom or outsourced
online banking platforms, and partnerships with third-party platforms are a component of the
company's ongoing ability to scale.
Target audience: This vendor's Layer 3 (user- or account-centric) software or service targets
financial services companies that need to prevent new account fraud, account takeovers or
payment fraud. The firm is moving its product into providing Layer 1 (endpoint-centric), Layer 4
(user- or account-centric across channels) and Layer 5 (big data analytics) functionality.
Strengths
Cautions
iovation
Iovation is a provider of device identification technology and device reputation for endpoints that
are part of its network. It is a midsize company in this market and has more than 330 sites, about
half of which are in the U.S., and the firm is expanding globally. Its growth is robust, but below the
market growth rate.
Target audience: This vendor's Layer 1 (endpoint-centric) service can be used by financial services
companies, retailers, airlines and other companies with an online presence that need to prevent
new account fraud, account takeovers and payment fraud.
Strengths
■ Iovation provides clientless and flash cookie-based device identification and reputation
services, which have multiple use cases including new account setup, account takeover and
payment fraud. Iovation returns hundreds of pieces of information on a device, which can be
useful in building fraud detection rules. It is easy for a fraud team to create custom rules without
IT or vendor assistance.
■ Customers report that the technology is easy to install and provides real-time information.
■ Iovation has an extensive device reputation database that is useful especially for and within
same-sector businesses, since criminals tend to cross businesses within a given sector.
Cautions
■ The company's product set is limited to device identification and reputation. It does not have a
bold future vision and strategy.
■ Iovation cannot identify devices or IP addresses (which are mainly needed for internal access)
coming through a VPN.
■ Iovation's user interface is not flexible with information views; for example, it needs to go
through multiple steps to see a user's name and associated company.
■ Only about 60% of mobile devices are identified at a useful, detailed level because of the lack
of granular information on them. This is generally true for any mobile device identification
system from any vendor.
■ Customers want to be able to sort and choose the evidence, or device reputation and history
information, they work with on their own. For example, they may only want to use evidence from
other companies in their sector. For now, they have to rely on iovation to provide this subset of
evidence.
Intellinx
Intellinx provides EFM mainly for financial institutions, but also across numerous sectors, and
enables fraud scoring using rules developed and maintained in the Intellinx application. The
privately held, profitable firm has about 160 customers, some of which are using its technology for
WFD.
Intellinx sells its product across most continents and multiple sectors, primarily through focused
channel partners (notably Attachmate, IBM and Wolters Kluwer). It is one of the smaller vendors in
this analysis, but it is growing rapidly.
Target audience: This vendor has functionality in Layers 1 through 5, which could be used by any
company with an online presence for multiple use cases.
Strengths
■ Intellinx can read and parse most protocols, including IBM 3270 or HTTP traffic. It can also
replay user actions and screen movements, as well as data entered, like a video camera for
sniffed information.
■ Intellinx has flexible technology that enables functionality at all five layers of Gartner's fraud
prevention framework, including Layer 1, where the software parses session header
Cautions
■ Intellinx has not traditionally been focused on WFD, but it has the capability to broaden and
deepen its offering here. As such, the software does not come with a lot of out-of-the-box
intelligence and rules for online fraud detection.
■ Intellinx lacks predictive and statistical modeling capabilities.
■ Some customers find it difficult to add their own business rules. Menus make it look easy, but
some users say they are impractical to use. These customers generally rely on Intellinx's staff to
create the rules they need.
Kount
Founded in 2007, Kount is a privately held and wholly owned division of Keynetics, which started
developing fraud detection technology in 1998. Kount grew its revenue base rapidly in 2011, and at
market rates in 2012. It remains a relatively small vendor in this analysis. Although its SaaS-based
solution is primarily used today for online payment fraud detection, it has also been proved in other
use cases, such as new account enrollment and login analysis for e-commerce and gaming industry
customers.
Target audience: This vendor's Layer 1 (endpoint-centric) and Layer 3 (user- or account-centric)
services can be used by financial services companies, retailers and other companies with an online
presence that need to prevent new account fraud, account takeovers and payment fraud.
Strengths
■ Kount has its own SaaS-delivered device ID and proxy-piercing technology (which is useful for
identifying a true originating IP address that's trying to hide behind a proxy server), as well as
something it calls Persona ID, which is an amalgamated identification of a person known to its
system.
Cautions
■ Some customers note that Kount has a limited number of third-party data sources (particularly
outside the U.S.) that they have integrated with, especially related to identity.
■ Proxy-piercing technology is not entirely reliable because, occasionally, incorrect location
results that do not reflect the use of a proxy are returned. (This is true with other vendors that
enable proxy piercing.)
■ Kount lacks the ability to provide a full test environment that is a replica of a customer's
production environment so that new rules can be properly tested. (The firm does provide the
ability to implement test rules in a "no change" mode.)
■ The Web user interface to the system can be slow and cumbersome to use, especially when
users add a lot of their own rules.
■ Kount is not well known among Gartner clients and needs a stronger sales and marketing
presence.
Nice Actimize
Nice Systems, a provider of contact management systems, acquired Actimize in 2007 to provide it
with EFM and compliance capabilities. Nice is one of the largest companies in this analysis;
however, the inferred growth rate of its WFD offering (the firm did not disclose this) is well below the
Web fraud market average. Customers are primarily North American financial services firms.
Target audience: This vendor's Layer 3 (user- or account-centric) software can be used by financial
services companies — especially large ones with substantial in-house IT and fraud expertise — that
need fraud prevention for online payments using methods such as automated clearinghouse (ACH)
and wires.
Strengths
■ Nice Actimize offers a broad fraud prevention framework that includes multiple integrated
modules and components, including alert management and correlation, common user profiles,
shared models, a policy and rule editor, and a case management system.
■ Nice Actimize has a strong risk engine and predictive fraud models.
■ Nice Actimize has broad and deep, end-to-end fraud prevention support for multiple transaction
types and business functions. The product suite also includes compliance and associated case
management functionality, which satisfies corporatewide fraud and risk management needs.
■ Nice Actimize recently deployed Layer 1 (endpoint-centric) functionality that should help detect
and stop trojans and associated fraud.
■ Nice Actimize can detect about 80% of wire payment fraud, but users say the false-positive
rates are extremely high. However, this is common for wire fraud detection scoring systems.
■ Nice Actimize has a solid and rich reporting, analytical and forensics platform called Dart.
Cautions
■ Customer service levels are still very inconsistent across the customer base.
■ Customers still complain of long, difficult implementations, which suggests a strong need for a
technological overhaul.
■ Nice Actimize has been late to deliver Layer 1 (endpoint-centric) functionality, which is
important when it comes to detecting malware-based fraud and account takeover. The firm's
newly released Layer 1 capability has not been proved in the field among Gartner clients.
■ Customers need to constantly tune the Nice Actimize risk-scoring model (at least every 12
months) because it does not automatically adapt to new fraud patterns, unless someone
programmatically informs the model about them.
■ Advanced reporting requires the Dart reporting module, which is licensed separately.
■ The ability to score ACH transactions is limited because only single transactions can be scored,
as opposed to entire batches, with which the bank staff has to work.
NuData Security
NuData Security was started in 2008 and used behavior-based intelligence to provision
threat-appropriate "captchas" to thwart automated activities on websites. (A captcha is a type of
challenge-response test used to ensure that the response is generated by a human being.) The firm
has now expanded to provide a real-time, rule-based behavioral detection engine called NuDetect
to spot automated activity and fraud on e-commerce websites. Its primary customer base is
e-commerce, financial and telecommunications. The company is growing very rapidly, but remains a
small vendor in this analysis.
Strengths
■ Despite its relatively young age and small size, NuData has some demanding, megaonline
e-commerce brands processing billions of transactions per month, using its solutions to detect
fraud and abuse.
■ NuDetect uses behavior profiling around five key sensor groups, segmenting behaviors into
clusters to detect anomalies as part of its real-time fraud scoring engine. The sensors include
velocity and timing, transaction coherency (for example, IP mismatch and proxy piercing),
reputation, script detection (for example, browser capability mismatch), and human detection
(for example, keystroke analysis).
■ NuDetect is very easy to integrate, and reference customers report consistent and strong
results in fraud detection.
■ The software provides customers with the scores as well as the data that goes into the scores.
Large sophisticated customers prefer working with the data directly.
■ Customers can tune their scores to improve accuracy and manage false-positive ratios.
Cautions
■ Despite early success, NuData has limited brand recognition in the WFD market.
■ Much of NuData's analytics remains a black box to its customers, and they cannot always
determine the reasons for a specific score (although they are presented with all the data that
goes into a score).
■ Customers must rely on NuData to implement the tuning on their scores, even if it is done per
customer specifications in addition to NuData's suggestions.
■ NuData has no alert management or dashboard functionality for business users, which
precludes the firm from going down-market until one is developed. Similarly, there is no
management reporting system. The firm's upcoming 3Q13 release intends to address these
shortcomings.
■ NuData is a small firm, which makes it agile, but it needs to scale its sales, marketing and
customer support activities to grow the business.
■ NuData relies on the Amazon Web Services (AWS) cloud hosting service. Although AWS
outages have impacted NuData, the firm is continuing to architect its systems around AWS
dependencies to enable greater redundancy and failover mechanisms.
In late 2012, RSA acquired Silver Tail Systems for more than $300 million, according to Gartner
sources, or more than 13 times Silver Tail's 2012 revenue. In early 2013, RSA sold its identity
proofing service, Identity Verification, to LexisNexis, but that should not impact the firm's core fraud
detection and adaptive authentication service.
Target audience: RSA's Layer 1, Layer 2, Layer 3 and Layer 5 functionality is useful in multiple
sectors, including financial services and online commerce, and in multiple use cases, such as new
account fraud, account takeover and payment fraud.
Strengths
■ RSA has a full set of Layer 1 (endpoint-centric), Layer 2 (navigation-centric), Layer 3 (user- or
account-centric) and Layer 5 (big data analytics around its Web session data) fraud detection
and authentication services, which can be used by multiple sectors for many fraud and security
use cases, including new account fraud, account takeovers, payment fraud and distributed
denial of service (DDoS) application layer attack prevention.
■ RSA has a self-learning risk engine (which adjusts based on information it receives about
confirmed fraud from its clients) that is also adapted for mobile applications and mobile
browsing.
■ RSA hosts an eFraudNetwork that enables the sharing of confirmed threat and negative list
information across its customer and partner base.
■ RSA's Silver Tail technology, which analyzes entire Web streams and traffic navigations by peer
groups, user IDs and IP addresses, has been very useful in spotting aberrational activities that
would not otherwise be visible. For example, this has enabled some banks to quickly block
application-level DDoS attacks.
■ Silver Tail's Layer 2 and Layer 5 technology complements RSA's existing Layer 1 and Layer 3
technology. Silver Tail brings RSA competitive, innovative technology, which should enhance
RSA's standing with prospects and clients — especially since its innovative edge started to slip
in 2011 and 2012.
■ RSA is actively implementing and further developing its mobile fraud prevention and
authentication capabilities; thoughtfully embracing various techniques that help identify and
analyze mobile devices, their locations and transactions; and helping to authenticate mobile
users.
Cautions
■ Customer service for technical issues is suboptimal. Issues must be escalated to get the right
level of responsive engagement. In addition, response times are often not within hours, as they
should be.
■ The firm is sometimes not proactive in telling customers about adjustments to their risk engine
and model that can change the enterprise operations built around them — for example,
escalating false-positive rates.
■ Silver Tail Systems was largely successful in its innovation due to its small size and
accompanying agility. As is typical with acquisitions of this nature, Silver Tail's pace and level of
innovation could be slowed during the integration with RSA/EMC.
■ RSA's alert management console is lacking in features, such as workflow and the ability to
assign certain records to certain fraud analysts. Reporting is also lacking, and customers tend
to do their own reporting using their own tools. The firm says it is adding these features to the
next version of its solution. Silver Tail's management console has also been lacking and is hard
to work with (although the new version, to be released in June 2013, should address many of
the issues).
■ There's no clear statement from RSA on how its Adaptive Authentication product and Silver Tail
Systems will integrate or complement each other, but RSA says it is working on a road map.
■ Users cannot receive enhancements to the RSA risk engine and model in a hurry to adjust to a
rapidly changing threat landscape; rather, they usually must wait 30 days for new
enhancements, unless they subscribe to RSA's Risk Account Manager (RAM) service, which
implements demanded model changes on customer request. Rules that address new threats
can be added quickly, but this is not as effective as changing the model quickly.
ThreatMetrix
ThreatMetrix provides client device identification and malware protection through a cloud-based
service that's used by more than 2,000 customers. The vendor's customer base and revenue are
growing rapidly, well ahead of the market. Forty percent of its customers are in financial services,
40% are e-commerce companies and 20% represent social networks. About 60% of its customers
are in the U.S., while most of the rest are in Europe. In January 2012, it acquired a malware
detection and prevention company called TrustDefender, which is based in Australia, where
ThreatMetrix was founded.
Target audience: This vendor's Layer 1 (endpoint-centric) service can be used by financial services
companies, retailers, airlines and other companies with an online presence that need to prevent
new account fraud, account takeovers and payment fraud.
Strengths
■ ThreatMetrix provides strong client device identification and risk scoring, which have proved to
be scalable. They also work across sectors and use cases.
Cautions
■ Customers report a lack of proactive outreach from ThreatMetrix, whether in teaching them how
to benefit from some of its features, developing new analytics, or seeing if it can assist
with customers' specific implementations.
■ The anti-malware downloadable client needs a lighter footprint and less bandwidth
consumption, and ThreatMetrix is promising to deliver these in its next release.
■ According to some Gartner clients, reliable device fingerprints are not captured about 5% of the
time (ThreatMetrix says this number is less than 2%). They believe this happens mainly with
mobile devices, where the quality of device fingerprints is poorer. More tactically, customers
also say that the firm should improve its device fingerprinting service so they can distinguish
between not receiving a device ID because the user was not on a Web page long enough to get
his or her device print, and not receiving a device ID because the device they were trying to
identify disallowed such data capture.
■ Customers say they would like to see more innovation from ThreatMetrix, and would like to hear
more about its vision for the future and its road map (aside from hearing plans once a year at
the vendor's user group conference). Customers also say that they would like to see more of a
sense of urgency from ThreatMetrix in responding to customer issues that it can help resolve.
■ ThreatMetrix's proxy-piercing technology is ineffective much of the time — some customers
claim as much as 50% of the time. (This is true of most vendor products that claim the ability to
pierce through proxies.) However, using other data that ThreatMetrix reliably provides,
enterprises can still determine if a device is risky — for example, atypical screen resolution
Trusteer
Trusteer products in the Web fraud arena are focused on detecting and mitigating client-side
malware attacks. It also sells anti-phishing software, and provides a financial crime intelligence
portal. In late 2012, Trusteer started selling device identification and user authentication. In early
2013, it launched Pinpoint Account Takeover (ATO) Detection, a risk engine that combines account
profiling with client malware and device identification and analytics, as well as relevant external
intelligence (for example, on phishing and malware attacks). Gartner was unable to verify the
efficacy of Pinpoint ATO Detection in the field, but it could be a strong competitive product in
account profiling and Layer 3 fraud prevention. The company primarily sells to more than 300
financial services companies in North America, in EMEA and across the globe.
Target audience: This vendor's Layer 1 (endpoint-centric) and Layer 3 (user- or account-centric)
services can be used by financial services firms or companies in any other sector that want to
prevent new account fraud, account takeovers and payment fraud, as well as malware-based
attacks for any purpose. The vendor also provides related fraud prevention services, such as
anti-phishing techniques, collective threat intelligence, malware removal and device forensics.
Strengths
■ Reference customers report solid success using Trusteer Rapport, the endpoint client (which
detects malware, isolates it from the browser session and deletes it from the endpoint), and
Trusteer Pinpoint Malware Detection, the server-based product (which detects malware, but
cannot remove it from the desktop). Both products have been used to successfully reduce
malware-based fraud losses on customers' endpoints.
■ Both products are very easy to install; enterprises only need to insert a few lines of code into
their Web servers that link to Trusteer's cloud-based service. Trusteer Rapport client software is
downloaded from Trusteer's service directly, and at half a megabyte in size — which is much
smaller than competitive products — it typically takes less than three minutes to download.
■ Consumer issues that infrequently arise from the download and execution of Rapport desktop
software are handled by Trusteer's help desk, offloading support work for Trusteer's bank and
enterprise customers.
■ Trusteer is one of the larger vendors in this analysis, and it is experiencing well above the
market's growth rates.
Cautions
■ Although Trusteer provides guidance and marketing material to improve Rapport installation
rates, convincing banking customers to download Rapport is not a trivial task. Without
continuous outbound marketing and login advertising, installation rates can stall at 10% or less.
Even with marketing, penetration rates are typically less than 50%, unless the use of Rapport is
mandated. Thus, using Rapport in combination with the server-based Pinpoint product is
recommended for complete fraud detection coverage. Mandating customer use of Rapport is
also a good alternative, and 30 U.S. banks have done so for their business customers.
■ Detection of malware with the server-based Pinpoint product typically requires manual action to
block events and alert end users. Integration capability with other fraud management systems is
ongoing (although this capability integrates directly with Pinpoint ATO Detection, Trusteer's new
WFD offering).
■ Some customers reported a desire to customize the types of alert communications they receive
from Trusteer's system, along with a need for enhanced reporting customization.
■ Trusteer has developed products for mobile endpoint support, but customers have not yet had
enough experience with them to know whether they are effective.
■ The company does not yet have a significant presence in the Asia/Pacific region.
■ As the company grows its enterprise security business (with its new enterprise product line), it
will be more stretched and more challenged to focus on its WFD products and services.
Added
Two new vendors were added to this year's Magic Quadrant: Alaric and NuData Security.
Dropped
Oracle was dropped from this year's Magic Quadrant because it does not serve this market any
longer.
Gas Tecnologia was dropped because it was acquired by Diebold in 2012 and stopped competing
in the WFD market, at least temporarily.
Inclusion Criteria
WFD vendors that meet Gartner's market definition and description are considered for this Magic
Quadrant under the following conditions:
■ The vendor's software or service must be able to detect abnormal logins into an organization's
website, abnormal navigation and/or user transactions using the organization's Web
application.
■ The vendor's products or services must be in general availability as of 1 August 2012.
■ The vendor's products or services must be deployed in at least three customer production
environments, with references available, as of 1 September 2012.
■ The vendor's products must specifically target and market to the WFD — and, optionally, the
user authentication — market with a critical mass of technology specific to the WFD function.
■ The vendor's products or services must support more than one use case — for example, two
out of the three use cases referenced in the Market Definition/Description section.
Exclusion Criteria
Companies with insufficient information for assessment, or those that did not meet Gartner's
inclusion criteria, were excluded from the Magic Quadrant based on the following conditions:
■ The vendor does not have a scoring or rule-based fraud detection system that can assess, at a
minimum, the authenticity and validity of a user's browser-based login, access or transaction.
■ The vendor is not actively shipping products or providing services.
■ The vendor did not provide three production customer references for WFD. Gartner did not
have additional references to help validate the vendor's assertions.
■ The vendor has products or services that can be used for WFD — for example, business
intelligence and security information and event management tools — but they are not packaged
or targeted for off-the-shelf fraud detection use.
■ The vendor only supports fraud detection for online payments, which are generally made with
credit or debit cards.
Specific vendors were assessed for, but not included in, the Magic Quadrant:
■ Fraud detection vendors for electronic payments provide fraud detection for
card-not-present e-commerce payments. These include, but are not limited to, CyberSource and Retail
Decisions (ReD). Gartner did not include these vendors in this Magic Quadrant because they
only satisfied one use case, which is detecting the use of a stolen financial account (for
example, a stolen credit card). As noted above in the Inclusion Criteria subsection, vendors
Evaluation Criteria
Ability to Execute
■ Product/service: This criterion includes the core fraud detection technology offered by the
technology provider that competes in/serves the defined market. This criterion also includes
current product/service capabilities, quality, feature sets and skills, whether offered natively or
through OEM agreements/partnerships, as defined in the market definition. Strong execution
means that a vendor has demonstrated to Gartner that its products or services are successfully
and continuously deployed in enterprises. Execution is not primarily about company size or
market share, although these factors can considerably affect a company's Ability to Execute.
Key features, such as the ability to support complex deployments with real-time transaction
demands, are weighted heavily.
■ Overall viability: Viability includes an assessment of the overall organization's financial health,
the financial and practical success of the business unit, and the likelihood that the individual
business unit will continue investing in the product, offering the product and advancing the
state of the art within the organization's portfolio of products — for example, by incorporating
more fraud rule templates or new predictive modeling techniques.
■ Sales execution/pricing: This criterion includes the technology provider's capabilities in all
presales activities and the structure that supports them. It also includes deal management,
pricing and negotiation, presales support and the overall effectiveness of the sales channel. In
addition, it includes deal size and the use of the product or service by managed service
providers (such as online banking service providers). Low pricing will not guarantee high
execution or client interest. Buyers want good results more than they want bargains.
■ Market responsiveness and track record: This criterion is the ability to respond, change
direction, be flexible and achieve competitive success as opportunities develop, competitors
act, customer needs evolve and market dynamics change. This criterion also considers the
provider's history of responsiveness — for example, to customer requirements for responding
to new types of criminal attacks.
Product/Service: High
Operations: High
Completeness of Vision
■ Market understanding: This criterion examines the technology provider's ability to understand
buyers' wants and needs, and to translate them into fraud detection products and services.
Vendors that show the highest degree of vision listen to and understand buyers' wants and
needs, and can shape or enhance them with their added vision.
■ Marketing strategy: This criterion determines whether the vendor has a clear, differentiated set
of messages that is consistently communicated throughout the organization and externalized
through its website, advertising, customer programs and positioning statements.
Innovation: High
Quadrant Descriptions
Leaders
The Leaders quadrant contains four fraud prevention vendors — 41st Parameter, Accertify, RSA
and Trusteer — that have well-established records in online fraud detection. They earn high scores
from their customers for their ability to effectively stop fraud while minimizing inconvenience to end
users. They also earn high marks for responsive customer service and relatively easy
implementations. Their product, sales and marketing strategies and executions are strong, and they
continue to innovate and improve their services. They are firmly committed to staying and winning in
this market, and to developing their products and services to meet evolving customer needs. All
four offer their services through SaaS-based models. They have also demonstrated that they can
support markets in different parts of the world, other than their home countries.
Challengers
The Challengers quadrant contains two vendors, CA Technologies and Nice Actimize, which are
mainly Layer 4 EFM vendors, but they offer WFD functionality to satisfy a big piece of their clients'
and prospects' requirements. Although their products lack the "Web savviness" of the Leaders',
they have the resources to improve in this area.
Visionaries
The Visionaries quadrant has five vendors: Easy Solutions, Guardian Analytics, iovation, Kount and
ThreatMetrix. The Visionaries' products are easy to implement and use, and have achieved very
Niche Players
There are four Niche Players vendors in this year's Magic Quadrant: Alaric, Digital Resolve, Intellinx
and NuData Security. In the case of Digital Resolve, customers are very pleased with the service,
but the firm's sales and marketing strategies and execution need strengthening so that its
capabilities are more widely known and understood. Newcomers Alaric and NuData Security are
just getting started; they still need to build out their products and markets, and expand on their
already solid results. Intellinx is a recognized EFM player and still needs to build out its product line
for more out-of-the-box, Web-centric functionality for the WFD market. Niche Players can often be
the best choice for enterprises with narrow and specific requirements, which these vendors can
meet.
Context
■ The WFD market continues to grow at a healthy pace across the globe, even as cybercriminals
continue launching successful targeted attacks for financial gain. Since year-end 2011, the WFD
revenue of the Magic Quadrant participants increased more than 48% to about $450 million in
2012 annual revenue.
■ Financial services, online commerce and online retail firms continue to be the main adopters of
WFD services and products, but adoption has readily expanded to the social, travel and gaming
industries.
■ Product trends in WFD include increasing the type of information used to profile users and
fraudulent activity, improving the mapping of good behavior to enhance accuracy, including
analytics capabilities and extending WFD functionality to mobile devices.
Market Overview
The 2012 demand for WFD products and services was driven by increasing cyberattacks across
multiple sectors, including financial services, online retail, travel, ticketing, entertainment, social
networking and gaming. The WFD market grew more than 48% in 2012 to $450 million.
In "The Five Layers of Fraud Prevention and Using Them to Beat Malware," Gartner presents a
framework from which to analyze various fraud prevention products. Products and services that are
focused on Web fraud prevention can be found in Layer 1 (endpoint-centric), Layer 2
(navigation-centric) and Layer 3 (user- and account-centric for the online channel). Therefore, this Magic
Quadrant analyzes relevant vendors with products in these layers of the framework.
Significant market consolidation occurred in October 2012 when RSA, The Security Division of
EMC, bought the main Layer 2 vendor Silver Tail Systems, thereby demonstrating its determination
to expand its WFD market share in 2013. Meanwhile, a couple of relative newcomers to the WFD
market (see the Vendors Added section) are targeting large e-commerce companies in sectors
whose requirements have been underserved by existing WFD tools.
■ Increasing the range of attributes, relationships and activities profiled beyond users and
accounts to satisfy industry requirements beyond financial services. This is particularly useful in
industries where companies don't necessarily deal with frequently recurring customers.
■ Positive scoring, in addition to negative or risk scoring, so that good transactions are
recognized as such. This helps to lower false-positive rates and the number of transactions that
must be reviewed to find the fraud.
■ Less reliance on device identification as criminals learn to thwart it, and also because it is not
fully effective (only about 70%) on mobile devices, where less information is available to the
identification process. Similarly, less reliance on proxy-piercing technology, which is becoming
much less reliable (about 50% to 60%) as criminals learn to circumvent it.
■ Including Layer 5 big data analytics functionality in WFD offerings so that enterprises can get
their "arms" around their data and discover unobvious collusive relationships, attack patterns or
broken business processes.
■ The ability to fully extend the WFD platform to mobile commerce with specific Layer 1
functionality.
Evidence
Gartner takes hundreds of client inquiries a month on security and fraud topics. We obtain feedback
on vendors' performance in the field through these inquiry calls.
As part of the Magic Quadrant research process, we proactively and directly reached out to
customer references that we knew of, and to references that the vendors gave us. In addition, we
read documents and briefing materials submitted by the covered vendors. Finally, we spoke with
the vendors directly about their services and future plans.
Sales Execution/Pricing: The vendor's capabilities in all presales activities and the
structure that supports them. This includes deal management, pricing and negotiation,
presales support, and the overall effectiveness of the sales channel.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed
to deliver the organization's message to influence the market, promote the brand and
business, increase awareness of the products, and establish a positive identification
with the product/brand and organization in the minds of buyers. This "mind share" can
be driven by a combination of publicity, promotional initiatives, thought leadership,
word-of-mouth and sales activities.
Operations: The ability of the organization to meet its goals and commitments. Factors
include the quality of the organizational structure, including skills, experiences,
programs, systems and other vehicles that enable the organization to operate
effectively and efficiently on an ongoing basis.
Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers' wants and needs
and to translate those into products and services. Vendors that show the highest
degree of vision listen and understand buyers' wants and needs, and can shape or
enhance those with their added vision.
Sales Strategy: The strategy for selling products that uses the appropriate network of
direct and indirect sales, marketing, service, and communication affiliates that extend
the scope and depth of market reach, skills, expertise, technologies, services and the
customer base.
Business Model: The soundness and logic of the vendor's underlying business
proposition.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to
meet the specific needs of geographies outside the "home" or native geography, either
directly or through partners, channels and subsidiaries as appropriate for that
geography and market.
© 2013 Gartner, Inc. and/or its affiliates. All rights reserved.