G00247632

Magic Quadrant for Web Fraud Detection

Published: 30 May 2013

Analyst(s): Avivah Litan, Peter Firstbrook

The Web fraud detection market grew more than 48% in 2012 as interest
expanded across sectors and countries. Innovation in fraud prevention
methods is imperative because thieves are increasingly circumventing old
techniques, such as device identification.

Market Definition/Description
This document was revised on 31 May 2013. The document you are viewing is the corrected
version. For more information, see the Corrections page on gartner.com.

The Web fraud detection (WFD) market is composed of vendors that provide software products or
services that help an organization detect and prevent fraud that occurs over the Web and mobile
channel by:

■ Running background processes (transparent to users) that use hundreds of attributes — such
as geolocation, device characteristics, user behavior, navigations and transaction activity — to
score the possibility of fraudulent transactions.
■ Comparing this information with machine learning algorithms of expected behavior, or against
more-generic rules as to what constitutes "normal" behavior, to detect fraud.
■ Suspending the transaction if actual behavior is out of range with what's expected, and then
taking appropriate follow-up action. While some WFD vendors offer additional automated
authentication and transaction verification capabilities, many only alert fraud management
systems of the presence of suspected fraud.

WFD typically applies to three use cases:

■ Detecting account takeover, which typically occurs when user account credentials are stolen, or
via malware-based (for example, man in the middle or man in the browser) attacks
■ Detecting new account fraud — that is, when a fraudster sets up a new account using a stolen
or fictitious identity
■ Detecting the use of a stolen financial account (for example, a stolen credit card) when making
a purchase
 Magic Quadrant
Figure 1. Magic Quadrant for Web Fraud Detection

Source: Gartner (May 2013)

Vendor Strengths and Cautions

41st Parameter
41st Parameter is a dedicated midsize provider of fraud detection solutions aimed at larger global
financial institutions, airlines and retailers. Its FraudNet product line includes solutions for account
opening, takeover and transaction fraud, as well as specific modules for mobile and the travel
vertical industry. The vendor's primary innovations are in clientless device identification and

Page 2 of 31 Gartner, Inc. | G00247632

 analyzing the time differential between a client and a server. FraudNet uses a rule-based risk-
scoring technique to detect fraud.

Target audience: This vendor's Layer 1 (endpoint-centric) and Layer 3 (user- or account-centric)
fraud prevention services can be used by financial services companies, retailers, airlines and other
companies with an online presence that need to prevent new account fraud, account takeovers and
payment fraud.

Strengths

■ FraudNet is delivered as software as a service (SaaS) and has proved scalable, with some
individual customers processing 20 million or more transactions per day.
■ FraudNet has a friendly and rich user interface for fraud analysts that has substantially improved
over the past few years.
■ 41st is a pioneer and remains a strong vendor in clientless device identification, using only
server-detected attributes that eliminate the need to tag machines via cookies or flash objects
or downloaded software. This enables its technology to operate on iOS and other mobile
platforms that do not support cookies or flash.
■ Its patented Time Differential Linking (TDL) detection method, link analysis and trojan detection
have proved successful in detecting and mitigating man-in-the-browser and man-in-the middle
attacks (see "Privacy Collides With Fraud Detection and Crumbles Flash Cookies").
■ It has partnerships with multiple global business process outsourcing suppliers, enabling 24/7
fraud management and investigation services for its customers. It also has strong reseller
relationships with global suppliers of its target customers.

Cautions

■ Although 41st has been innovative in the past, it appears that the firm's pace of innovation in
the fraud prevention space during the past year has slowed, relative to some of its competitors.
It has developed a new product called TrustInsight for positive scoring of a payment card
authorization transaction, but currently that is not directly tied to its fraud prevention product
(although it can be).
■ Rule creation is still largely done by 41st Parameter, although the firm enables its customers to
influence and adjust rules. Most users find it too technically challenging to create their own new
rules — and even to modify those that exist. 41st does not offer predictive modeling to augment
its rule-based analysis (which the firm believes leads to high false-positives).
■ Reference customers would like to see improvements in the reporting capability, as well as
more data sharing among customers in similar industries. The firm says it has improved these
capabilities in its latest release.

Gartner, Inc. | G00247632 Page 3 of 31

 ■ Clients that were forced to move from on-premises software to the firm's SaaS-based solution
are somewhat frustrated by the number of layers and steps they must go through to line up
internal and external resources to implement the required changes.
■ Most installations do not sit in line to transaction streams, and as such, the software does not
block suspect transactions in real time. Only a subset of the risk rules can be used to block
suspect transactions in real time.

Accertify
Accertify, which is wholly owned by American Express, is a midsize provider of a SaaS-based fraud
management platform that is primarily aimed at account and user activity fraud detection methods.
Accertify is leveraging its American Express relationship to move deeper into the payment chain
with a payment gateway and chargeback management system. The company has about 120
customers, primarily in the e-commerce, travel and entertainment industries. Its reported growth is
in line with the market.

Target audience: This vendor's native Layer 3 (user- or account-centric) fraud prevention services
target companies with an online presence that need to prevent new account fraud, account
takeovers and payment fraud. It also provides Layer 1 functionality through integration with
technology partners.

Strengths

■ American Express ownership has improved Accertify's data center infrastructure, and provided
Accertify clients with improved fraud scoring on American Express transactions.
■ The flexible and scalable SaaS-based Interceptas Data Management Platform gives customers
full ownership of their data, as well as the ability to develop and control sophisticated rules,
workflows and hierarchies of user levels that are applicable to multiple use cases. In addition to
a custom rule creation capability, Accertify offers a large collection of predeveloped, industry-
specific rules.
■ The firm provides contracted fraud analysts that help and supplement enterprise fraud teams
with fraud detection and management.
■ The firm has a scalable and proven ability to handle very large transaction volumes of
megaonline commerce providers.
■ Accertify continues to innovate helpful fraud prevention features, notably the ability to profile
any entity (for example, account, travel route or machine), and to share "good" and "bad"
transaction indicators across customers.
■ The firm integrates with dozens of best-of-breed third parties that bring value to fraud
prevention with extra data or capabilities — for example, device identification, data matching
with public sources, address scrubbing and more.

Page 4 of 31 Gartner, Inc. | G00247632

 Cautions

■ Customers report that Accertify's growth is adversely impacting its customer service and
support.
■ Some customers indicated that Accertify's reporting ability is substandard, although the
company claims to have overhauled it once again in March 2013 and improved it substantially.
■ Accertify still has no self-learning statistical models; instead, the system is rule-based, although
customers can integrate their own models into the service. Sophisticated Accertify customers
and prospects are keenly interested in statistical fraud detection models to stay ahead of the
threat curve. Accertify says it addressed this concern with its product update at the end of
March 2013.
■ Some customers have complained of technical outages, although the firm had less than eight
hours of unscheduled downtime in 2012.
■ Customers indicate that the user interface needs considerable updating to enable improved
fraud analyst productivity.

Alaric
Alaric started out in fraud prevention for payment (credit) cards in the card-present (plastic)
environment, serving mainly issuers. In 2011, Alaric branched out into WFD, and has spent its time
focusing on the merchant-acquiring and payment-processing spaces, serving these companies for
their own needs and also providing them with fraud detection systems to resell to their merchant
customers.

Target audience: Alaric provides Layer 3 (user- or account-centric) WFD functionality for e-
commerce merchants and acquiring payment processors. It also provides Layer 4 (user- or
account-centric) functionality across channels and products, and integrates Layer 1 (endpoint-
centric) functionality offered by technology partners.

Strengths

■ Alaric currently focuses its WFD efforts on merchant-acquiring processors, which is an

underserved market.
■ Alaric gives acquiring processors the ability to manage their merchant risk and fraud to ensure
that their merchants are legitimate and financially sound, and also to provide their merchants
with a facility to manage card-not-present fraud committed against them.
■ Alaric has a flexible, on-premises, real-time scoring engine (using a Bayesian statistical model)
and application that enable ownership and control of the data, as opposed to some other card-
not-present payment fraud prevention platforms that only give back a fraud score without the
underlying data that supports it.

Gartner, Inc. | G00247632 Page 5 of 31

 ■ Alaric has proven to be scalable in environments with hundreds of millions of transactions per
year.
■ Alaric comes with a suite of standard rules that fraud managers can easily customize. Users can
easily analyze which fraud detection rules have the highest hit rate and the biggest impact on
false positives.
■ Alaric has a software license model for on-premises software, which is much more appealing to
high-volume merchant acquirers than transaction pricing.
■ Alaric has an open platform that easily integrates with third-party applications, such as device
identification, proxy piercing (to determine the true originating IP address that is trying to
disguise itself behind a proxy server) and SMS out of band (OOB) user authentication.
■ Alaric has very responsive customer service.

Cautions

■ Most of Alaric's WFD experience is with merchant acquirers (which provide account and
payment processing services for their merchant customers).
■ Alaric's alert management and dashboard are card-issuer-centric (and not user-friendly) due to
the firm's legacy, and they need to be more aligned with merchant needs. The firm is working to
rectify this.
■ Alaric's user interface for rule creation and investigation also needs improvement.
■ Alaric's reporting system is lacking and does not enable trend analysis and fraud data mining.
Users are turning elsewhere for their reporting needs.
■ Alaric's lack of market visibility — compared with its competitors — limits its growth potential.

CA Technologies
CA RiskMinder (acquired with Arcot in 2010) offers a fraud detection rule engine that has recently
been augmented with statistical modeling. It also offers good client device identification. The
integration of CA AuthMinder authentication software and services with CA RiskMinder provides
risk-based authentication for Web-based transactions. CA Technologies is a major supplier of cloud
authentication services to credit card issuers as part of its global support for 3-D Secure (Visa and
MasterCard) payer authentication. Although CA has a large presence in the enterprise market, the
former Arcot products are primarily sold to the financial services vertical industry. CA is currently
focused on providing enterprise fraud management (EFM) functionality, of which WFD is just one
module.

Target audience: This vendor's Layer 1 (endpoint-centric), Layer 3 (user- or account-centric) and
Layer 4 (user- or account-centric across channels) fraud detection services target financial services
companies with an online presence that need to prevent new account fraud, account takeovers and
payment fraud.

Page 6 of 31 Gartner, Inc. | G00247632

 Strengths

■ CA has a complete risk-based authentication solution that includes AuthMinder user

authentication, which uses the ArcotID software planted on the device, and RiskMinder, a rule-
based online fraud detection system that can also incorporate predictive models when
developed.
■ CA is especially successful in major Indian banks and in the Asia/Pacific region, where it enjoys
a strong relationship with key reseller Infosys, along with an active direct sales channel.
■ CA has branched off into EFM (Gartner's Layer 4 of fraud detection), and has won many large
contracts because it can support multiple banking channels, such as point of sale, automated
teller machines (ATMs) and interactive voice response, along with Web and mobile.
■ CA's pricing is viewed as more reasonable than many of its competitors', especially in the EFM
space.
■ CA has an open platform and is able to integrate with multiple applications produced by other
vendors.

Cautions

■ CA is not well known for providing continuous innovation or maintaining solutions at the pace of
the current fraud market.
■ Adding rules is difficult when the data needed to support the rule execution is not already in the
Arcot environment.
■ The risk-based authentication method is dependent on the device ID marker being present on
the user's device. As such, if the device ID marker is missing due to a new or revamped user
device, then the default policy results in those customers being challenged with SMS OOB
authentication or challenge questions. Some customers say at least 10% of their end users are
being challenged, and this can result in a poor user experience. CA says that customers can
configure the solution differently to avoid these high challenge rates, assuming they are willing
to accept more risk.
■ Reporting facilities are lacking and users must rely on other facilities, such as information
extracts, so that they can use their own reporting tools to get information and satisfactory
reporting.
■ Device ID (previously based on flash, but now also on HTML5) now supports a wide range of
devices and operating systems, including iOS, Android and Windows 8. However, a few
customers mentioned challenges with identifying devices using iOS and Windows 8 operating
systems.

Digital Resolve
U.S.-based Digital Resolve is one of the smallest companies in this analysis. It is a subsidiary of
Digital Envoy, which, in turn, is owned by Landmark Media Enterprises, a diversified media

Gartner, Inc. | G00247632 Page 7 of 31

 company. Digital Envoy provides IP intelligence for online marketing and digital content delivery
programs. This IP intelligence has proved to be very helpful for Digital Resolve's fraud prevention
product. Digital Resolve has more than 30 direct and 230 indirect customers, of which more than
85% are mainly small financial services firms, while the rest are e-commerce companies. Its clients
are mainly in North America, but a few are in Europe.

Target audience: This vendor's Layer 1 (endpoint-centric), Layer 2 (navigation-centric) and Layer 3
(user- or account-centric) software or services can be used by financial services companies with an
online presence that need to prevent new account fraud, account takeovers and payment fraud.

Strengths

■ Digital Resolve has a full set of out-of-the-box fraud detection rules, especially around
payments and device information, such as IP addresses. The system comes with a set of very
specific rules for bank money transfers that users can customize.
■ Available APIs enable users to invoke other processes, such as transaction verification, if they
detect a high-risk and potentially fraudulent transaction.
■ It is a turnkey solution for customers of Fundtech's CASHplus online banking system, due to
the tight integration of Digital Resolve with Fundtech's online banking and payment platform.
■ Digital Resolve customers are able to easily view user behavioral changes that caused fraud
alerts.
■ The solution provides Layer 2 session navigation information, and the entire clickstream is
stored and available for historical review.
■ The solution is attractively priced and comes bundled in an appliance, as software or as a
cloud-based service.
■ Digital Resolve has very responsive customer service.

Cautions

■ Parent companies Digital Envoy and Landmark Media Enterprises are marketing companies, not
security companies. Business priorities for security vendors and marketing vendors are very
different, and it is unclear whether this relationship will be mutually beneficial for all customers.
Early indications are that the growth of Digital Resolve has slowed slightly, and brand
recognition among Gartner customers is very low.
■ Because of the lack of a "holding tank" in between Digital Resolve and a given payment service
provider — for example, handling wire payments — users may only have a finite amount of time
(typically 10 minutes) to act on a (wire) payment alert.
■ Software needs to pull more reference data, such as customer name, out of the Fundtech
system with which it is integrated.

Page 8 of 31 Gartner, Inc. | G00247632

 Easy Solutions
Easy Solutions is a small, private firm, headquartered in Florida, that was founded in 2002. It is
growing at about the market rate, and now has more than 120 customers in financial services,
telecommunications and retail markets — mainly in Central America and South America. It has a full
range of online fraud prevention and detection products ranging from anti-phishing services, device
identification, "secure" browsing, rule-based fraud scoring and challenge questions used for user
authentication.

Target audience: This vendor's Layer 1 (endpoint-centric) and Layer 3 (user- or account-centric)
fraud detection services can be used by financial services companies, retailers, airlines and other
companies with an online presence that need to prevent new account fraud, account takeovers and
payment fraud. Easy Solutions is also attractive to companies that want a one-stop shop for most
related fraud. It is a good choice for Latin American organizations due to its solid understanding of
the Latin American banking market and the attacks those banks face.

Strengths

■ Its WFD tool, DetectTA, is complemented by other online fraud-related tools it offers, including
an anti-phishing service, "safe browsing" software (which works across iOS and Android mobile
devices) and device identification.
■ Easy Solutions' fraud detection solutions (DetectID and DetectTA) can be and have been used
across multiple channels (for example, call centers, online and ATMs), thereby enabling
organizations to stop cross-channel fraud.
■ DetectTA offers a good rule engine that is relatively easy for fraud analysts to work with, along
with a statistical predictive fraud model. Customers can integrate and have integrated their own
predictive models.
■ Easy Solutions enables risk-based authentication with challenge questions that are invoked
when users log in from a suspect device, which is detected by the firm's DetectID product.
■ Customers report that Easy Solutions provides very responsive customer service and support.

Cautions

■ DetectTA is licensed according to the number of users and accounts at the enterprise. Inactive
accounts are included in the licensing arrangement if they are online in the main production
systems.
■ An alert management and investigation module is not integrated with the DetectTA module, so
users must buy one separately.
■ Easy Solutions is not well-proven and lacks visibility in markets outside Latin America, where
the competition is stronger and, therefore, customer expectations are much higher. (However,
the firm is working hard to change this, as demonstrated by some new wins in the U.S. in early
2013, and by pulling in $11 million in additional funding for U.S. and global expansion.)

Gartner, Inc. | G00247632 Page 9 of 31

 ■ The safe browsing client software takes up about 30MB of disk space, and customers in most
countries will be averse to imposing this download on their end users. Furthermore, the USB
drive that comes loaded with a separate browser is not a practical solution for enterprises with
tens of thousands or millions of active users.

Guardian Analytics
Guardian Analytics (GA) targets U.S. banks and credit unions with its FraudMAP as a service (a
SaaS) product platform. GA continues to grow well above the market growth rates in 2012.
FraudMAP modules include Mobile, ACH and Wire (the latter two are used to detect fraud in U.S.
bank money transfers). GA can support a range of financial institutions on custom or outsourced
online banking platforms, and partnerships with third-party platforms are a component of the
company's ongoing ability to scale.

Target audience: This vendor's Layer 3 (user- or account-centric) software or service targets
financial services companies that need to prevent new account fraud, account takeovers or
payment fraud. The firm is moving its product into providing Layer 1 (endpoint-centric), Layer 4
(user- or account-centric across channels) and Layer 5 (big data analytics) functionality.

Strengths

■ FraudMAP uses a predictive behavioral scoring model — as opposed to a rule-based system —

to detect fraud. GA provides all the risk scoring intelligence, which customers report has been
very effective at preventing fraud. The SaaS platform provides GA with visibility of fraud actions
across multiple organizations.
■ The firm offers a fully managed fraud prevention service.
■ FraudMAP's user interface is especially user-friendly. The Version 5 FraudMAP platform
provides a new visual user experience that is designed to provide more rapid decisions and
more context, as well as a single view of customer actions across multiple interaction channels
(that is, Web and mobile).
■ GA has key sales relationships with several online banking providers, such as ACI Worldwide
and Fiserv, which should help it grow customer revenue among banks that use these providers.
■ In the case of already-developed integrations with online banking platforms, GA system
implementations can take only days.
■ GA clients report responsive customer service as well as thought leadership when it comes to
addressing fraud issues.
■ Some customers, especially smaller ones, find FraudMAP to be attractively priced.

Cautions

■ FraudMAP is not typically implemented in a real-time or near-real-time environment, nor does it

sit in line to a transaction stream. Instead, in many instances, it reads batch files sent from

Page 10 of 31 Gartner, Inc. | G00247632

 online banking providers every couple of hours. GA provides real-time APIs to its scoring engine
to address this, and says customers are implementing this real-time API.
■ If integrations with online banking platforms are not in place, then integration can take
significantly more time. Without providing GA with historical data, tuning the system can take a
couple of months.
■ Reference customers expressed an interest in adding some of their own rules to the machine-
leaning algorithms, and in being allowed to change the weighting of particular attributes or
events for their environments. The reference customers also expressed interest in more custom
reporting.
■ The online component of GA's revenue base is tied to compensating for the lack of adequate,
effective fraud prevention capabilities provided by third-party online banking providers, which
most smaller U.S. financial institutions use. While GA is partnering with some of these
providers, there is some risk that the providers will partner with or acquire one of GA's
competitors, thus impacting this portion of GA's revenue.
■ At this point, GA's solution set is only in use by U.S. depository financial institutions. This limits
GA's growth opportunities relative to most of its competition. The firm says its road map will
address additional markets.

iovation
Iovation is a provider of device identification technology and device reputation for endpoints that
are part of its network. It is a midsize company in this market and has more than 330 sites, about
half of which are in the U.S., and the firm is expanding globally. Its growth is robust, but below the
market growth rate.

Target audience: This vendor's Layer 1 (endpoint-centric) service can be used by financial services
companies, retailers, airlines and other companies with an online presence that need to prevent
new account fraud, account takeovers and payment fraud.

Strengths

■ Iovation provides clientless and flash cookie-based device identification and reputation
services, which have multiple use cases including new account setup, account takeover and
payment fraud. Iovation returns hundreds of pieces of information on a device, which can be
useful in building fraud detection rules. It is easy for a fraud team to create custom rules without
IT or vendor assistance.
■ Customers report that the technology is easy to install and provides real-time information.
■ Iovation has an extensive device reputation database that is useful especially for and within
same-sector businesses, since criminals tend to cross businesses within a given sector.

Gartner, Inc. | G00247632 Page 11 of 31

 ■ Customers reported very responsive customer service and technical support, and they provided
good feedback on the Fraud Force Online Community, which allows them to discuss issues
with other iovation customers.
■ It is easy to figure out which accounts were touched by a given device, ISP, router, or other
device and network attributes captured by iovation.

Cautions

■ The company's product set is limited to device identification and reputation. It does not have a
bold future vision and strategy.
■ Iovation cannot identify devices or IP addresses (which are mainly needed for internal access)
coming through a VPN.
■ Iovation's user interface is not flexible with information views; for example, it needs to go
through multiple steps to see a user's name and associated company.
■ Only about 60% of mobile devices are identified at a useful, detailed level because of the lack
of granular information on them. This is generally true for any mobile device identification
system from any vendor.
■ Customers want to be able to sort and choose the evidence, or device reputation and history
information, they work with on their own. For example, they may only want to use evidence from
other companies in their sector. For now, they have to rely on iovation to provide this subset of
evidence.

Intellinx
Intellinx provides EFM mainly for financial institutions, but also across numerous sectors, and
enables fraud scoring using rules developed and maintained in the Intellinx application. The
privately held, profitable firm has about 160 customers, some of which are using its technology for
WFD.

Intellinx sells its product across most continents and multiple sectors, primarily through focused
channel partners (notably Attachmate, IBM and Wolters Kluwer). It is one of the smaller vendors in
this analysis, but it is growing rapidly.

Target audience: This vendor has functionality in Layers 1 through 5, which could be used by any
company with an online presence for multiple use cases.

Strengths

■ Intellinx can read and parse most protocols, including IBM 3270 or HTTP traffic. It can also
replay user actions and screen movements, as well as data entered like a video camera for
sniffed information.
■ Intellinx has flexible technology that enables functionality at all five layers of Gartner's fraud
prevention framework, including Layer 1, where the software parses session header

Page 12 of 31 Gartner, Inc. | G00247632

 information, helping to flag trojan-based or man-in-the-middle attacks. The platform includes
flexible alert and case management systems integrated with WFD.
■ Customers or accounts can be profiled for purposes of behavioral modeling and anomaly
detection.
■ Intellinx has a noninvasive sniffing tool that does not interfere with operations because it
typically sits in front of applications that must be monitored and does the monitoring by
duplicating the network flow. The tool also collects information from Web applications through
direct integration, and can import alerts from other systems for correlation of data across
channels and products.
■ Intellinx has very responsive and skilled customer and technical service and support, especially
if an enterprise works with Intellinx's staff directly. Some of the vendor's resellers are much
more responsive than others.

Cautions

■ Intellinx has not traditionally been focused on WFD, but it has the capability to broaden and
deepen its offering here. As such, the software does not come with a lot of out-of-the-box
intelligence and rules for online fraud detection.
■ Intellinx lacks predictive and statistical modeling capabilities.
■ Some customers find it difficult to add their own business rules. Menus make it look easy, but
some users say they are impractical to use. These customers generally rely on Intellinx's staff to
create the rules they need.

Kount
Founded in 2007, Kount is a privately held and wholly owned division of Keynetics, which started
developing fraud detection technology in 1998. Kount grew its revenue base rapidly in 2011, and at
market rates in 2012. It remains a relatively small vendor in this analysis. Although its SaaS-based
solution is primarily used today for online payment fraud detection, it has also been proved in other
use cases, such as new account enrollment and login analysis for e-commerce and gaming industry
customers.

Target audience: This vendor's Layer 1 (endpoint-centric) and Layer 3 (user- or account-centric)
services can be used by financial services companies, retailers and other companies with an online
presence that need to prevent new account fraud, account takeovers and payment fraud.

Strengths

■ Kount has its own SaaS-delivered device ID and proxy-piercing technology (which is useful for
identifying a true originating IP address that's trying to hide behind a proxy server), as well as
something it calls Persona ID, which is an amalgamated identification of a person known to its
system.

Gartner, Inc. | G00247632 Page 13 of 31

 ■ Kount has strong risk-scoring technology that benefits from analyzing data across its customer
base — for example, to determine a risky card account or device.
■ Kount has a very flexible rule engine that customers can use to integrate as much of their own
data as they want or need to create rules on their own, and they can send the new data to
Kount for integration with their scoring engines. Kount does not have to perform any special
integration work to make this happen.
■ Kount has proved to be scalable and successful in reducing fraud in challenging environments
— for example, digital content microtransactions, where there are no manual reviews and
transactions must be approved or declined on the spot.
■ Kount has very responsive customer service.
■ Kount has a good set of management reports, and also a data mart where users can create
their own reports based on their own transactional data.

Cautions

■ Some customers note that Kount has a limited number of third-party data sources (particularly
outside the U.S.) that they have integrated with, especially related to identity.
■ Proxy-piercing technology is not entirely reliable because, occasionally, incorrect location
results that do not reflect the use of a proxy are returned. (This is true with other vendors that
enable proxy piercing.)
■ Kount lacks the ability to provide a full test environment that is a replica of a customer's
production environment so that new rules can be properly tested. (The firm does provide the
ability to implement test rules in a "no change" mode.)
■ The Web user interface to the system can be slow and cumbersome to use, especially when
users add a lot of their own rules.
■ Kount is not well known among Gartner clients and needs a stronger sales and marketing
presence.

Nice Actimize
Nice Systems, a provider of contact management systems, acquired Actimize in 2007 to provide it
with EFM and compliance capabilities. Nice is one of the largest companies in this analysis;
however, the inferred growth rate of its WFD offering (the firm did not disclose this) is well below the
Web fraud market average. Customers are primarily North American financial services firms.

Target audience: This vendor's Layer 3 (user- or account-centric) software can be used by financial
services companies — especially large ones with substantial in-house IT and fraud expertise — that
need fraud prevention for online payments using methods such as automated clearinghouse (ACH)
and wires.

Page 14 of 31 Gartner, Inc. | G00247632

 Strengths

■ Nice Actimize offers a broad fraud prevention framework that includes multiple integrated
modules and components, including alert management and correlation, common user profiles,
shared models, a policy and rule editor, and a case management system.
■ Nice Actimize has a strong risk engine and predictive fraud models.
■ Nice Actimize has broad and deep, end-to-end fraud prevention support for multiple transaction
types and business functions. The product suite also includes compliance and associated case
management functionality, which satisfies corporatewide fraud and risk management needs.
■ Nice Actimize recently deployed Layer 1 (endpoint-centric) functionality that should help detect
and stop trojans and associated fraud.
■ Nice Actimize can detect about 80% of wire payment fraud, but users say the false-positive
rates are extremely high. However, this is common for wire fraud detection scoring systems.
■ Nice Actimize has a solid and rich reporting, analytical and forensics platform called Dart.

Cautions

■ Customer service levels are still very inconsistent across the customer base.
■ Customers still complain of long, difficult implementations, which suggests a strong need for a
technological overhaul.
■ Nice Actimize has been late to deliver Layer 1 (endpoint-centric) functionality, which is
important when it comes to detecting malware-based fraud and account takeover. The firm's
newly released Layer 1 capability has not been proved in the field among Gartner clients.
■ Customers need to constantly tune the Nice Actimize risk-scoring model (at least every 12
months) because it does not automatically adapt to new fraud patterns, unless someone
programmatically informs the model about them.
■ Advanced reporting requires the Dart reporting module, which is licensed separately.
■ The ability to score ACH transactions is limited because only single transactions can be scored,
as opposed to entire batches, with which the bank staff has to work.

NuData Security
NuData Security was started in 2008 and used behavior-based intelligence to provision threat-
appropriate "captchas" to thwart automated activities on websites. (A captcha is a type of
challenge-response test used to ensure that the response is generated by a human being.) The firm
has now expanded to provide a real-time, rule-based behavioral detection engine called NuDetect
to spot automated activity and fraud on e-commerce websites. Its primary customer base is e-
commerce, financial and telecommunications. The company is growing very rapidly, but remains a
small vendor in this analysis.

Gartner, Inc. | G00247632 Page 15 of 31

 Target audience: This vendor's Layer 1 (endpoint-centric) and Layer 3 (user- or account-centric)
services can be used by financial services companies, retailers and other companies with an online
presence that need to detect automated or risky activity.

Strengths

■ Despite its relatively young age and small size, NuData has some demanding, megaonline e-
commerce brands processing billions of transactions per month, using its solutions to detect
fraud and abuse.
■ NuDetect uses behavior profiling around five key sensor groups, segmenting behaviors into
clusters to detect anomalies as part of its real-time fraud scoring engine. The sensors include
velocity and timing, transaction coherency (for example, IP mismatch and proxy piercing),
reputation, script detection (for example, browser capability mismatch), and human detection
(for example, keystroke analysis).
■ NuDetect is very easy to integrate, and reference customers report consistent and strong
results in fraud detection.
■ The software provides customers with the scores as well as the data that goes into the scores.
Large sophisticated customers prefer working with the data directly.
■ Customers can tune their scores to improve accuracy and manage false-positive ratios.

Cautions

■ Despite early success, NuData has limited brand recognition in the WFD market.
■ Much of NuData's analytics remains a black box to its customers, and they cannot always
determine the reasons for a specific score (although they are presented with all the data that
goes into a score).
■ Customers must rely on NuData to implement the tuning on their scores, even if it is done per
customer specifications in addition to NuData's suggestions.
■ NuData has no alert management or dashboard functionality for business users, which
precludes the firm from going down-market until one is developed. Similarly, there is no
management reporting system. The firm's upcoming 3Q13 release intends to address these
shortcomings.
■ NuData is a small firm, which makes it agile, but it needs to scale its sales, marketing and
customer support activities to grow the business.
■ NuData relies on the Amazon Web Services (AWS) cloud hosting service. Although AWS
outages have impacted NuData, the firm is continuing to architect its systems around AWS
dependencies to enable greater redundancy and failover mechanisms.

Page 16 of 31 Gartner, Inc. | G00247632

 RSA, The Security Division of EMC
RSA remains a dominant player in WFD, a position it has held since 2005, when it grew its sales in
conjunction with compliance guidance issued by the Federal Financial Institutions Examination
Council (FFIEC), the U.S. banking regulator group, in "Authentication in an Internet Banking
Environment." RSA's Adaptive Authentication system is used by more than 800 direct customers
worldwide, of which 70% are in the Americas and 75% are in financial services. The firm also has
more than 8,000 indirect customers (representing mainly smaller financial institutions) using the
service, which is provided by their online service providers.

In late 2012, RSA acquired Silver Tail Systems for more than $300 million, according to Gartner
sources, or more than 13 times Silver Tail's 2012 revenue. In early 2013, RSA sold its identity
proofing service, Identity Verification, to LexisNexis, but that should not impact the firm's core fraud
detection and adaptive authentication service.

Target audience: RSA's Layer 1, Layer 2, Layer 3 and Layer 5 functionality is useful in multiple
sectors, including financial services and online commerce, and in multiple use cases, such as new
account fraud, account takeover and payment fraud.

Strengths

■ RSA has a full set of Layer 1 (endpoint-centric), Layer 2 (navigation-centric), Layer 3 (user- or
account-centric) and Layer 5 (big data analytics around its Web session data) fraud detection
and authentication services, which can be used by multiple sectors for many fraud and security
use cases, including new account fraud, account takeovers, payment fraud and distributed
denial of service (DDoS) application layer attack prevention.
■ RSA has a self-learning risk engine (which adjusts based on information it receives about
confirmed fraud from its clients) that is also adapted for mobile applications and mobile
browsing.
■ RSA hosts an eFraudNetwork that enables the sharing of confirmed threat and negative list
information across its customer and partner base.
■ RSA's Silver Tail technology, which analyzes entire Web streams and traffic navigations by peer
groups, user IDs and IP addresses, has been very useful in spotting aberrational activities that
would not otherwise be visible. For example, this has enabled some banks to quickly block
application-level DDoS attacks.
■ Silver Tail's Layer 2 and Layer 5 technology complements RSA's existing Layer 1 and Layer 3
technology. Silver Tail brings RSA competitive, innovative technology, which should enhance
RSA's standing with prospects and clients — especially since its innovative edge started to slip
in 2011 and 2012.
■ RSA is actively implementing and further developing its mobile fraud prevention and
authentication capabilities; thoughtfully embracing various techniques that help identify and
analyze mobile devices, their locations and transactions; and helping to authenticate mobile
users.

Gartner, Inc. | G00247632 Page 17 of 31

 Cautions

■ Customer service for technical issues is suboptimal. Issues must be escalated to get the right
level of responsive engagement. In addition, response times are often not within hours, as they
should be.
■ The firm is sometimes not proactive in telling customers about adjustments to their risk engine
and model that can change the enterprise operations built around them — for example,
escalating false-positive rates.
■ Silver Tail Systems was largely successful in its innovation due to its small size and
accompanying agility. As is typical with acquisitions of this nature, Silver Tail's pace and level of
innovation could be slowed during the integration with RSA/EMC.
■ RSA's alert management console is lacking in features, such as workflow and the ability to
assign certain records to certain fraud analysts. Reporting is also lacking, and customers tend
to do their own reporting using their own tools. The firm says it is adding these features to the
next version of its solution. Silver Tail's management console has also been lacking and is hard
to work with (although the new version, to be released in June 2013, should address many of
the issues).
■ There's no clear statement from RSA on how its Adaptive Authentication product and Silver Tail
Systems will integrate or complement each other, but RSA says it is working on a road map.
■ Users cannot receive enhancements to the RSA risk engine and model in a hurry to adjust to a
rapidly changing threat landscape; rather, they usually must wait 30 days for new
enhancements, unless they subscribe to RSA's Risk Account Manager (RAM) service, which
implements demanded model changes on customer request. Rules that address new threats
can be added quickly, but this is not as effective as changing the model quickly.

ThreatMetrix
ThreatMetrix provides client device identification and malware protection through a cloud-based
service that's used by more than 2,000 customers. The vendor's customer base and revenue are
growing rapidly, well ahead of the market. Forty percent of its customers are in financial services,
40% are e-commerce companies and 20% represent social networks. About 60% of its customers
are in the U.S., while most of the rest are in Europe. In January 2012, it acquired a malware
detection and prevention company called TrustDefender, which is based in Australia, where
ThreatMetrix was founded.

Target audience: This vendor's Layer 1 (endpoint-centric) service can be used by financial services
companies, retailers, airlines and other companies with an online presence that need to prevent
new account fraud, account takeovers and payment fraud.

Strengths

■ ThreatMetrix provides strong client device identification and risk scoring, which have proved to
be scalable. They also work across sectors and use cases.

Page 18 of 31 Gartner, Inc. | G00247632

 ■ Similar to competitive client device identification services, ThreatMetrix's cloud-based service is
relatively easy to implement. This is accomplished by inserting profiling scripts into transaction
pages, or by using APIs that connect to the service.
■ The company has evolved its service to include more device-related and anti-malware-related
features and products, along with a shared network of attributes across customers (for
example, IP addresses, device IDs, email addresses, phone numbers and chargeback
resolution). If used properly, these shared attributes should improve fraud detection results.
■ ThreatMetrix was the first device identification vendor to return customers a risk score along
with raw data gathered from the end-user device, which includes 150 to 250 data variables
about the device. This helped the vendor gain early market traction among larger prospects and
clients, which it has leveraged to maintain good visibility.
■ ThreatMetrix also maintains a cloud-based data warehouse of information on the user's device,
associated account, and whatever other information related to the device that its customers
want to share. This information is useful for fraud detection because criminals tend to attack
multiple organizations and leave a trail wherever they go.
■ Customers can influence the scores through customization of the rules for their particular
businesses — for example, by changing the weights on the rules or by creating new ones.

Cautions

■ Customers report a lack of proactive outreach from ThreatMetrix in teaching them how to
benefit from some of its features, or by developing new analytics, or by seeing if it can assist
with customers' specific implementations.
■ The anti-malware downloadable client needs a lighter footprint and less bandwidth
consumption, and ThreatMetrix is promising to deliver these in its next release.
■ According to some Gartner clients, reliable device fingerprints are not captured about 5% of the
time (ThreatMetrix says this number is less than 2%). They believe this happens mainly with
mobile devices, where the quality of device fingerprints is poorer. More tactically, customers
also say that the firm should improve its device fingerprinting service so they can distinguish
between not receiving a device ID because the user was not on a Web page long enough to get
his or her device print, and not receiving a device ID because the device they were trying to
identify disallowed such data capture.
■ Customers say they would like to see more innovation from ThreatMetrix, and would like to hear
more about its vision for the future and its road map (aside from hearing plans once a year at
the vendor's user group conference). Customers also say that they would like to see more of a
sense of urgency from ThreatMetrix in responding to customer issues that it can help resolve.
■ ThreatMetrix's proxy-piercing technology is ineffective much of the time — some customers
claim as much as 50% of the time. (This is true of most vendor products that claim the ability to
pierce through proxies.) However, using other data that ThreatMetrix reliably provides,
enterprises can still determine if a device is risky — for example, atypical screen resolution

Gartner, Inc. | G00247632 Page 19 of 31

 (common in virtual machines), browser language and more. (The firm can detect that someone
is using a VPN to hide his or her true identity, even if and when it cannot detect the true IP of
that user.)
■ ThreatMetrix's user interface is not as flexible, intuitive and customizable as customers would
like. The vendor's reporting functionality is similarly limited.

Trusteer
Trusteer products in the Web fraud arena are focused on detecting and mitigating client-side
malware attacks. It also sells anti-phishing software, and provides a financial crime intelligence
portal. In late 2012, Trusteer started selling device identification and user authentication. In early
2013, it launched Pinpoint Account Takeover (ATO) Detection, a risk engine that combines account
profiling with client malware and device identification and analytics, as well as relevant external
intelligence (for example, on phishing and malware attacks). Gartner was unable to verify the
efficacy of Pinpoint ATO Detection in the field, but it could be a strong competitive product in
account profiling and Layer 3 fraud prevention. The company primarily sells to more than 300
financial services companies in North America, in EMEA and across the globe.

Target audience: This vendor's Layer 1 (endpoint-centric) and Layer 3 (user- or account-centric)
services can be used by financial services firms or companies in any other sector that want to
prevent new account fraud, account takeovers and payment fraud, as well as malware-based
attacks for any purpose. The vendor also provides related fraud prevention services, such as anti-
phishing techniques, collective threat intelligence, malware removal and device forensics.

Strengths

■ Reference customers report solid success using Trusteer Rapport, the endpoint client (which
detects malware, isolates it from the browser session and deletes it from the endpoint), and
Trusteer Pinpoint Malware Detection, the server-based product (which detects malware, but
cannot remove it from the desktop). Both products have been used to successfully reduce
malware-based fraud losses on customers' endpoints.
■ Both products are very easy to install; enterprises only need to insert a few lines of code into
their Web servers that link to Trusteer's cloud-based service. Trusteer Rapport client software is
downloaded from Trusteer's service directly, and at half a megabyte in size — which is much
smaller than competitive products — it typically takes less than three minutes to download.
■ Consumer issues that infrequently arise from the download and execution of Rapport desktop
software are handled by Trusteer's help desk, offloading support work for Trusteer's bank and
enterprise customers.
■ Trusteer is one of the larger vendors in this analysis, and it is experiencing well above the
market's growth rates.

Page 20 of 31 Gartner, Inc. | G00247632

 Cautions

■ Although Trusteer provides guidance and marketing material to improve Rapport installation
rates, convincing banking customers to download Rapport is not a trivial task. Without
continuous outbound marketing and login advertising, installation rates can stall at 10% or less.
Even with marketing, penetration rates are typically less than 50%, unless the use of Rapport is
mandated. Thus, using Rapport in combination with the server-based Pinpoint product is
recommended for complete fraud detection coverage. Mandating customer use of Rapport is
also a good alternative, and 30 U.S. banks have done so for their business customers.
■ Detection of malware with the server-based Pinpoint product typically requires manual action to
block events and alert end users. Integration capability with other fraud management systems is
ongoing (although this capability integrates directly with Pinpoint ATO Detection, Trusteer's new
WFD offering).
■ Some customers reported a desire to customize the types of alert communications they receive
from Trusteer's system, along with a need for enhanced reporting customization.
■ Trusteer has developed products for mobile endpoint support, but customers have not yet had
enough experience with them to know whether they are effective.
■ The company does not yet have a significant presence in the Asia/Pacific region.
■ As the company grows its enterprise security business (with its new enterprise product line), it
will be more stretched and more challenged to focus on its WFD products and services.

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets
change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or
MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one
year and not the next does not necessarily indicate that we have changed our opinion of that
vendor. This may be a reflection of a change in the market and, therefore, changed evaluation
criteria, or a change of focus by a vendor.

Added
Two new vendors were added to this year's Magic Quadrant: Alaric and NuData Security.

Dropped
Oracle was dropped from this year's Magic Quadrant because it does not serve this market any
longer.

Gas Tecnologia was dropped because it was acquired by Diebold in 2012 and stopped competing
in the WFD market, at least temporarily.

Gartner, Inc. | G00247632 Page 21 of 31

 Inclusion and Exclusion Criteria
Inclusion Criteria

WFD vendors that meet Gartner's market definition and description are considered for this Magic
Quadrant under the following conditions:

■ The vendor's software or service must be able to detect abnormal logins into an organization's
website, abnormal navigation and/or user transactions using the organization's Web
application.
■ The vendor's products or services must be in general availability as of 1 August 2012.
■ The vendor's products or services must be deployed in at least three customer production
environments, with references available, as of 1 September 2012.
■ The vendor's products must specifically target and market to the WFD — and, optionally, the
user authentication — market with a critical mass of technology specific to the WFD function.
■ The vendor's products or services must support more than one use case — for example, two
out of the three use cases referenced in the Market Definition/Description section.

Exclusion Criteria

Companies with insufficient information for assessment, or those that did not meet Gartner's
inclusion criteria, were excluded from the Magic Quadrant based on the following conditions:

■ The vendor does not have a scoring or rule-based fraud detection system that can assess, at a
minimum, the authenticity and validity of a user's browser-based login, access or transaction.
■ The vendor is not actively shipping products or providing services.
■ The vendor did not provide three production customer references for WFD. Gartner did not
have additional references to help validate the vendor's assertions.
■ The vendor has products or services that can be used for WFD — for example, business
intelligence and security information and event management tools — but they are not packaged
or targeted for off-the-shelf fraud detection use.
■ The vendor only supports fraud detection for online payments, which are generally made with
credit or debit cards.

Specific vendors were assessed for, but not included in, the Magic Quadrant:

■ Fraud detection vendors for electronic payments provide fraud detection for card-not-
present e-commerce payments. These include, but are not limited to, CyberSource and Retail
Decisions (ReD). Gartner did not include these vendors in this Magic Quadrant because they
only satisfied one use case, which is detecting the use of a stolen financial account (for
example, a stolen credit card). As noted above in the Inclusion Criteria subsection, vendors

Page 22 of 31 Gartner, Inc. | G00247632

 evaluated for this Magic Quadrant had to satisfy more than one use case as of 1 September
2012, with production customer references that validated this.
■ Vendors that provide OOB authentication and transaction verification services, such as
Authentify, TeleSign and ValidSoft. While these vendors' services certainly help to prevent
fraud, they do not fit into the WFD market category as defined above (see more on OOB
authentication vendors in the "Magic Quadrant for User Authentication").
■ Vendors that met the Magic Quadrant inclusion criteria, but did not yet have enough
production customer references, such as Entrust, Fox-IT, Imperva, Norse and Verafin.
■ Vendors that provide secure browsing services, often along with other related services, such
as AhnLab. While these services are very helpful in preventing fraud, they do not meet the WFD
market definition as outlined above.

Evaluation Criteria

Ability to Execute
■ Product/service: This criterion includes the core fraud detection technology offered by the
technology provider that competes in/serves the defined market. This criterion also includes
current product/service capabilities, quality, feature sets and skills, whether offered natively or
through OEM agreements/partnerships, as defined in the market definition. Strong execution
means that a vendor has demonstrated to Gartner that its products or services are successfully
and continuously deployed in enterprises. Execution is not primarily about company size or
market share, although these factors can considerably affect a company's Ability to Execute.
Key features, such as the ability to support complex deployments with real-time transaction
demands, are weighted heavily.
■ Overall viability: Viability includes an assessment of the overall organization's financial health,
the financial and practical success of the business unit, and the likelihood that the individual
business unit will continue investing in the product, offering the product and advancing the
state of the art within the organization's portfolio of products — for example, by incorporating
more fraud rule templates or new predictive modeling techniques.
■ Sales execution/pricing: This criterion includes the technology provider's capabilities in all
presales activities and the structure that supports them. It also includes deal management,
pricing and negotiation, presales support and the overall effectiveness of the sales channel. In
addition, it includes deal size and the use of the product or service by managed service
providers (such as online banking service providers). Low pricing will not guarantee high
execution or client interest. Buyers want good results more than they want bargains.
■ Market responsiveness and track record: This criterion is the ability to respond, change
direction, be flexible and achieve competitive success as opportunities develop, competitors
act, customer needs evolve and market dynamics change. This criterion also considers the
provider's history of responsiveness — for example, to customer requirements for responding
to new types of criminal attacks.

Gartner, Inc. | G00247632 Page 23 of 31

 ■ Marketing execution: This criterion includes the clarity, quality, creativity and efficacy of
programs designed to deliver the organization's message to influence the WFD market,
promote the brand and business, increase awareness of the products, and establish a positive
identification with the product/brand and organization in the minds of buyers that are seeking to
defeat fraud. This mind share can be driven by a combination of publicity, promotional, thought
leadership, word-of-mouth and sales activities.
■ Customer experience: This criterion looks at the relationships, products and services/
programs that enable clients to be successful with the products evaluated. Specifically, this
criterion includes the ways customers receive technical support or account support. This
criterion can also include ancillary tools, customer support programs (and the quality thereof),
availability of user groups and service-level agreements.
■ Operations: This criterion addresses the organization's ability to meet its goals and
commitments. Factors include the quality of the organizational structure, such as skills,
experiences, programs, systems and other vehicles that enable the organization to operate
effectively and efficiently on an ongoing basis.
Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria Weighting

Product/Service High

Overall Viability (Business Unit, Financial, Strategy, Organization) High

Sales Execution/Pricing Standard

Market Responsiveness and Track Record Standard

Marketing Execution Standard

Customer Experience High

Operations High

Source: Gartner (May 2013)

Completeness of Vision
■ Market understanding: This criterion examines the technology provider's ability to understand
buyers' wants and needs, and to translate them into fraud detection products and services.
Vendors that show the highest degree of vision listen to and understand buyers' wants and
needs, and can shape or enhance them with their added vision.
■ Marketing strategy: This criterion determines whether the vendor has a clear, differentiated set
of messages that is consistently communicated throughout the organization and externalized
through its website, advertising, customer programs and positioning statements.

Page 24 of 31 Gartner, Inc. | G00247632

 ■ Sales strategy: This criterion looks at the vendor's strategy for selling WFD products, and
whether it uses the appropriate network of direct and indirect sales, marketing, service, and
communication affiliates that extend the scope and depth of market reach, skills, expertise,
technologies, services and the customer base.
■ Offering (product) strategy: This criterion analyzes whether the provider's approach to product
development and delivery emphasizes differentiation, functionality, methodology and feature
sets as they map to current and future requirements. As attacks change and become more
targeted and complex, we highly weight vendors with road maps that move their products
beyond rule-based WFD, which generally limits the fraud detection capability to the evaluation
of a minimal range of factors.
■ Business model: This criterion reviews the soundness and logic of the vendor's underlying
business proposition.
■ Vertical/industry strategy: This criterion examines the technology provider's strategy to direct
resources, skills and offerings to meet the specific needs of individual market segments,
including vertical industry markets. Vendors with successful strategies in multiple vertical
industry markets get higher scores in this category.
■ Innovation: This criterion reviews the vendor's direct, related, complementary and synergistic
layouts of resources, expertise or capital for investment, consolidation, defensive or pre-
emptive purposes. It includes product innovation and quality differentiators, such as new
methods for detecting fraud risk.
■ Geographic strategy: This criterion looks at the provider's strategy to direct resources, skills
and offerings to meet the specific needs of geographies outside its "home" or native geography
— directly or through partners, channels and subsidiaries — as appropriate for those
geographies and markets. Vendors with successful strategies in multiple geographies get higher
scores in this category.

Gartner, Inc. | G00247632 Page 25 of 31

 Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria Weighting

Market Understanding High

Marketing Strategy Standard

Sales Strategy Standard

Offering (Product) Strategy High

Business Model Standard

Vertical/Industry Strategy Standard

Innovation High

Geographic Strategy High

Source: Gartner (May 2013)

Quadrant Descriptions

Leaders
The Leaders quadrant contains four fraud prevention vendors — 41st Parameter, Accertify, RSA
and Trusteer — that have well-established records in online fraud detection. They earn high scores
from their customers for their ability to effectively stop fraud while minimizing inconvenience to end
users. They also earn high marks for responsive customer service and relatively easy
implementations. Their product, sales and marketing strategies and executions are strong, and they
continue to innovate and improve their services. They are firmly committed to staying and winning in
this market, and to developing their products and services to meet evolving customer needs. All
four offer their services through SaaS-based models. They have also demonstrated that they can
support markets in different parts of the world, other than their home countries.

Challengers
The Challengers quadrant contains two vendors, CA Technologies and Nice Actimize, which are
mainly Layer 4 EFM vendors, but they offer WFD functionality to satisfy a big piece of their clients'
and prospects' requirements. Although their products lack the "Web savviness" of the Leaders',
they have the resources to improve in this area.

Visionaries
The Visionaries quadrant has five vendors: Easy Solutions, Guardian Analytics, iovation, Kount and
ThreatMetrix. The Visionaries' products are easy to implement and use, and have achieved very

Page 26 of 31 Gartner, Inc. | G00247632

 good results in reducing online fraud for their clients using SaaS-based models. Aside from
Guardian Analytics, which only targets financial services firms, the vendors in this quadrant target
multiple sectors. All have in common innovative research and development, a good understanding
of their markets and solid strategies that poise them for healthy growth, assuming they can grow
their sales and revenue while maintaining market responsiveness and good customer service.

Niche Players
There are four Niche Players vendors in this year's Magic Quadrant: Alaric, Digital Resolve, Intellinx
and NuData Security. In the case of Digital Resolve, customers are very pleased with the service,
but the firm's sales and marketing strategies and execution need strengthening so that its
capabilities are more widely known and understood. Newcomers Alaric and NuData Security are
just getting started; they still need to build out their products and markets, and expand on their
already solid results. Intellinx is a recognized EFM player and still needs to build out its product line
for more out-of-the-box, Web-centric functionality for the WFD market. Niche Players can often be
the best choice for enterprises with narrow and specific requirements, which these vendors can
meet.

Context
■ The WFD market continues to grow at a healthy pace across the globe, even as cybercriminals
continue launching successful targeted attacks for financial gain. Since year-end 2011, the WFD
revenue of the Magic Quadrant participants increased more than 48% to about $450 million in
2012 annual revenue.
■ Financial services, online commerce and online retail firms continue to be the main adopters of
WFD services and products, but adoption has readily expanded to the social, travel and gaming
industries.
■ Product trends in WFD include increasing the type of information used to profile users and
fraudulent activity, improving the mapping of good behavior to enhance accuracy, including
analytics capabilities and extending WFD functionality to mobile devices.

Market Overview
The 2012 demand for WFD products and services was driven by increasing cyberattacks across
multiple sectors, including financial services, online retail, travel, ticketing, entertainment, social
networking and gaming. The WFD market grew more than 48% in 2012 to $450 million.

In "The Five Layers of Fraud Prevention and Using Them to Beat Malware," Gartner presents a
framework from which to analyze various fraud prevention products. Products and services that are
focused on Web fraud prevention can be found in Layer 1 (endpoint-centric), Layer 2 (navigation-
centric) and Layer 3 (user- and account-centric for the online channel). Therefore, this Magic
Quadrant analyzes relevant vendors with products in these layers of the framework.

Gartner, Inc. | G00247632 Page 27 of 31

 Layer 1 (endpoint-centric) and Layer 2 (navigation-centric) vendors easily serve all sectors because
they don't have user- or account-centric rules or models that are specific to an industry. Layer 3
(user- or account-centric) WFD vendors generally serve financial services or the online commerce
sectors, since their account-centric or user-centric rule sets or models are very specific for industry
use cases. A few vendors (that is, CA Technologies, Intellinx and Nice Actimize) in this Magic
Quadrant primarily focus on Layer 4 (cross-channel and cross-product user- and account-centric)
EFM functionality, and have embedded Layer 3 WFD functionality into their suites to satisfy financial
services client requirements. Some of the WFD vendors also offer solutions for nononline channels
— primarily the phone channel — but generally they are not as deep into EFM as the EFM vendors
noted above.

Significant market consolidation occurred in October 2012 when RSA, The Security Division of
EMC, bought the main Layer 2 vendor Silver Tail Systems, thereby demonstrating its determination
to expand its WFD market share in 2013. Meanwhile, a couple of relative newcomers to the WFD
market (see the Vendors Added section) are targeting large e-commerce companies in sectors
whose requirements have been underserved by existing WFD tools.

Trends in WFD include:

■ Increasing the range of attributes, relationships and activities profiled beyond users and
accounts to satisfy industry requirements beyond financial services. This is particularly useful in
industries where companies don't necessarily deal with frequently recurring customers.
■ Positive scoring, in addition to negative or risk scoring, so that good transactions are
recognized as such. This helps to lower false-positive rates and the number of transactions that
must be reviewed to find the fraud.
■ Less reliance on device identification as criminals learn to thwart it, and also because it is not
fully effective (only about 70%) on mobile devices, where less information is available to the
identification process. Similarly, less reliance on proxy-piercing technology, which is becoming
much less reliable (about 50% to 60%) as criminals learn to circumvent it.
■ Including Layer 5 big data analytics functionality in WFD offerings so that enterprises can get
their "arms" around their data and discover unobvious collusive relationships, attack patterns or
broken business processes.
■ The ability to fully extend the WFD platform to mobile commerce with specific Layer 1
functionality.

Recommended Reading
Some documents may not be available as part of your current Gartner subscription.

"Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors Within a Market"

"Best Practices in Mobile User Authentication and Layered Fraud Prevention"

"Arming Financial and E-Commerce Services Against Top 2013 Cyberthreats"

Page 28 of 31 Gartner, Inc. | G00247632

 "Where Strong Authentication Fails and What You Can Do About It"

"The Four Layers of Identity Proofing Lead to Stronger Identity Verification"

Evidence
Gartner takes hundreds of client inquiries a month on security and fraud topics. We obtain feedback
on vendors' performance in the field through these inquiry calls.

As part of the Magic Quadrant research process, we proactively and directly reached out to
customer references that we knew of, and to references that the vendors gave us. In addition, we
read documents and briefing materials submitted by the covered vendors. Finally, we spoke with
the vendors directly about their services and future plans.

Evaluation Criteria Definitions

Ability to Execute
Product/Service: Core goods and services offered by the vendor that compete in/
serve the defined market. This includes current product/service capabilities, quality,
feature sets, skills and so on, whether offered natively or through OEM agreements/
partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes

an assessment of the overall organization's financial health, the financial and practical
success of the business unit, and the likelihood that the individual business unit will
continue investing in the product, will continue offering the product and will advance
the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all presales activities and the
structure that supports them. This includes deal management, pricing and negotiation,
presales support, and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be

flexible and achieve competitive success as opportunities develop, competitors act,
customer needs evolve and market dynamics change. This criterion also considers the
vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed
to deliver the organization's message to influence the market, promote the brand and
business, increase awareness of the products, and establish a positive identification
with the product/brand and organization in the minds of buyers. This "mind share" can
be driven by a combination of publicity, promotional initiatives, thought leadership,
word-of-mouth and sales activities.

Gartner, Inc. | G00247632 Page 29 of 31

 Customer Experience: Relationships, products and services/programs that enable
clients to be successful with the products evaluated. Specifically, this includes the ways
customers receive technical support or account support. This can also include ancillary
tools, customer support programs (and the quality thereof), availability of user groups,
service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors
include the quality of the organizational structure, including skills, experiences,
programs, systems and other vehicles that enable the organization to operate
effectively and efficiently on an ongoing basis.

Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers' wants and needs
and to translate those into products and services. Vendors that show the highest
degree of vision listen and understand buyers' wants and needs, and can shape or
enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently

communicated throughout the organization and externalized through the website,
advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of
direct and indirect sales, marketing, service, and communication affiliates that extend
the scope and depth of market reach, skills, expertise, technologies, services and the
customer base.

Offering (Product) Strategy: The vendor's approach to product development and

delivery that emphasizes differentiation, functionality, methodology and feature sets as
they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business
proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and

offerings to meet the specific needs of individual market segments, including vertical
markets.

Innovation: Direct, related, complementary and synergistic layouts of resources,

expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to
meet the specific needs of geographies outside the "home" or native geography, either
directly or through partners, channels and subsidiaries as appropriate for that
geography and market.

Page 30 of 31 Gartner, Inc. | G00247632

 GARTNER HEADQUARTERS

Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
USA
+1 203 964 0096

Regional Headquarters
AUSTRALIA
BRAZIL
JAPAN
UNITED KINGDOM

For a complete list of worldwide locations,

visit http://www.gartner.com/technology/about.jsp

© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This
publication may not be reproduced or distributed in any form without Gartner’s prior written permission. If you are authorized to access
this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained
in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy,
completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This
publication consists of the opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions
expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues,
Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company,
and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of
Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization
without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner
research, see “Guiding Principles on Independence and Objectivity.”

Gartner, Inc. | G00247632 Page 31 of 31