Magic Quadrant for Web Fraud Detection

This document was revised on 11 June 2012. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.

The Web fraud detection (WFD) market is composed of vendors that provide software products or services that help an organization detect and prevent fraud that occurs over the Web by:

• Running background server-based processes (transparent to users) that verify users based on where they are and what device they are using, and/or examine what types of information retrievals, navigations and transactions users are executing.
• Comparing this information with a profile of what's expected of the user, or comparing it against more-generic rules as to what constitutes "normal" behavior.
• Suspending the transaction if actual behavior is out of range with what's expected, and taking appropriate follow-up action. Some WFD vendors offer additional authentication and transaction verification capabilities, while others do not.

WFD systems can employ technology that is endpoint-centric (Layer 1), navigation-centric (Layer 2), or user- or account-centric (Layer 3). See the Context section for more on the five layers of fraud prevention. Fraud detection systems use rules, predictive models or both to determine which transactions are anomalous and potentially fraudulent. See the Fraud Detection Basics: Scoring Versus Rules section in the 2010 "Magic Quadrant for Web Fraud Detection" for a discussion on the differences between rules and predictive models.

WFD typically applies to detecting fraud in three use cases:

• Account takeover: When a fraudster takes over an existing user account, typically to steal money or information
• New account fraud: When a fraudster sets up a new account using a stolen or fictitious identity
• Use of a stolen financial account (for example, a stolen credit card) when making a purchase

Once the fraud is detected, alerts are generated and follow-up actions are taken automatically or manually.

Note that this Magic Quadrant includes vendors with Layer 1, 2 or 3 technology solutions for fighting online fraud.

Source: Gartner (May 2012)

Vendor Strengths and Cautions

41st Parameter

41st Parameter provides effective and innovative fraud prevention services, and has captured the business of large global financial institutions, airlines and retailers. It provides a rule-based risk-scoring engine along with clientless device (for example, PC and mobile phone) fingerprinting and Time Differential Linking (TDL) software, which are useful in detecting account takeovers, new account fraud and e-commerce fraud. The company began targeting the online advertising market in the past 12 months, where, for privacy reasons, it is becoming more critical not to tag user endpoints by planting files on them. The firm claims 45 direct customers, including large payment and e-commerce processors that, in turn, have thousands of customers.

Target audience: This vendor's Layer 1 (endpoint-centric) and Layer 3 (user- or account-centric) fraud prevention services can be used by financial services companies, retailers, airlines and other companies with an online presence that need to prevent new account fraud, account takeovers and payment fraud.

Strengths

• It has a global presence with partners, resellers and customers on five continents. Customers include major banks, merchants and airlines that consider it to be a "strategic" partner.
• Customers claim that fraud rates are reduced dramatically when using 41st Parameter's software (for example, some say between 50% and 70% after a few months of use), and that they are able to detect fraud far more quickly than they were able to when using risk-scoring engines, which did not evaluate the endpoint "fingerprints."
• It has a friendly and rich user interface for fraud analysts, which has improved dramatically over the past few years, and which, in turn, has improved its ranking among competitors.
• Its software as a service (SaaS) version has proved scalable, with some individual customers processing 20 million or more transactions a day, making 41st Parameter a stronger contender than many competitors.
• More recently, the company has expanded its product functionality to detect most malware-based attacks through Web session header investigation and analysis. Most competitors are unable to do this unless they specialize in malware detection using endpoint software.
• Its service works on mobile devices, although it has not been proved to stop fraud there yet, since the firm's customers are not yet enabling high-risk functionality, and the fraudsters have not yet been focusing their attacks on the mobile channel that the firm's customers use. 41st Parameter's mobile software development kit (SDK) includes its patented TDL capability, which improves mobile device detection.
• It is proven in the cross-channel environment — that is, for the online and the call center channel. In the case of call center transactions, they are fed through 41st Parameter's FraudNet risk-scoring engine.
• Clients report close consultative services from 41st Parameter's staff and management. The firm also offers thought leadership by providing canned fraud prevention rules that are used by its clients.
• It has partnerships with multiple global business process outsourcing suppliers, enabling 24/7 fraud management and investigation services for its customers. In 2011, the firm also entered into a significant reseller relationship with a large global payment processor.

Cautions

• Device fingerprints for the same device can change due to minor alterations initiated by users to their endpoint. Furthermore, sophisticated criminals have developed methods for evading device fingerprints. The firm offers other risk-scoring capabilities that consider factors beyond the fingerprint (such as user mouse positions) to help determine the presence of an unauthorized user or process.
• The company has not enabled data sharing across its client base, which many customers cite as a service they would greatly welcome and from which they would benefit.
• 41st Parameter's system is rule-based only. It does not have a predictive and self-learning model.
• Clients cannot write their own fraud detection rules, and instead must go through 41st Parameter to have them added. This can result in delays of up to a month in getting new rules implemented due to the firm's quality assurance processes, which ensure that a proposed rule improves fraud detection. Customers can easily adjust existing rules on their own.
• 41st Parameter has engaged three CEOs since 2004. The high turnover rate caused concern in the procurement and sourcing departments, but did not adversely impact customer service or product development. The executive team seems to have stabilized in the past year, which is important for the firm's growth.
• The installations do not sit in line to transaction streams, and as such, the software does not natively block suspect transactions in real time. The company's fundamental methodology is to avoid real-time blocking because of potential false positives.

Accertify

Owned by American Express (AmEx) since 2010, Accertify is leveraging its new relationship by moving deeper into the payment chain as it plans to establish a payment gateway and full-featured chargeback management system. The company claims about 100 customers, including major airlines, retailers, e-commerce companies, payment processers and social networks.

Target audience: This vendor's Layer 3 (user- or account-centric) fraud prevention services can be used by financial services companies, retailers, airlines and other companies with an online presence that need to prevent new account fraud, account takeovers and payment fraud.

Strengths

• Accertify's Interceptas platform is known for its open flexible architecture, which makes it easy to plug in "best of breed" complementary solutions. Unlike its competitors, the company has well over 20 best-of-breed solution partners that integrate with the platform, including vendors that provide client device identification, email address and telephone number verification, identity data matching, and more.
• Accertify offers outsourced fraud management services, which enable customers to take full advantage of its expertise, and to get immediate assistance on system issues.
• Accertify has a flexible rule-writing capability with which business users can write, modify and test their own rules. This is on top of the canned vertical and industry-specific rule set that Accertify bundles into its software.
• AmEx ownership has infused needed funds into Accertify, allowing it to build up more data centers and backup capabilities, and giving it a financial advantage over competitors without well-capitalized parent companies. Accertify has also improved fraud detection capabilities for AmEx transactions using integrated AmEx data that was previously unavailable to Interceptas.
• Customers report that Accertify provides thought leadership and expert consultative services. Some customers cite very responsive customer service that continues throughout project life cycles.
• Accertify enables the sharing of "blacklists" across customers, which some find very useful for fraud prevention.

Cautions

• Accertify has a weak reporting system, despite attempts to improve it in a 2011 release. Customers report that they cannot retrieve useful cuts of the information on their own to monitor trends and analyze orders. (They are able to get customized reports from Accertify, usually within a day.) Accertify says that customers can benefit from training to learn how to fully use their reporting tools.
• The lack of robust reporting functionality makes it difficult to monitor the effectiveness and performance of the fraud detection rules.
• Some technically savvy customers would like more advanced out-of-the-box capabilities, such as more machine learning, with Accertify's predictive scoring functionality (which few customers are taking advantage of). Most Accertify customers rely solely on rules that embody knowledge of predictable attacks, or those that have already taken place.
• The AmEx acquisition of Accertify could result in lower levels of innovation as talented staff members leave for smaller, more agile companies. This has not happened yet in the management ranks, and so far, the company has remained competitive and benefited from the AmEx acquisition.
• The service's uptime should be improved (and its beefed up data centers should enable that in the future).
• Some customers want more information on the company's future road map and product vision so that they can better plan their own fraud prevention investments. (Accertify's recently initiated formal account review process should give customers what they want and need.)

CA Arcot

CA Technologies inherited its fraud detection and prevention capabilities when it acquired Arcot Systems in October 2010. CA RiskMinder offers a basic fraud detection rule engine and good device identification. CA AuthMinder, the authentication software, when used in conjunction with CA RiskMinder, the fraud detection software, provides risk-based authentication for Web logins and e-commerce payments. CA Arcot remains a major supplier of cloud authentication services to credit card issuers, combating e-commerce fraud as part of its global support for 3-D Secure (Visa and MasterCard) payer authentication, but the firm has not made similar traction in other markets, such as online banking.

Target audience: This vendor's Layer 1 (endpoint-centric) and Layer 3 (user- or account-centric) fraud detection services can be used by financial services companies with an online presence that need to prevent new account fraud, account takeovers and payment fraud.

Strengths

• CA RiskMinder is proven in an on-premises and cloud-based environment. The firm's cloud service is used by enterprises and dozens of global card issuers. In the card issuing space, it is used along with CA AuthMinder to authenticate about 85 million cardholders who participate in the card brands' 3-D Secure payer authentication programs.
• The real-time, rule-based risk-scoring system is also available as on-premises software. Customers say that CA Arcot products have substantially reduced their fraud levels.
• Many customers use CA RiskMinder and CA AuthMinder together so that the process can run on its own with minimal human intervention and review, which is helpful for organizations with resource constraints. (This is similar to other vendors that offer fraud detection integrated with authentication, in what is commonly referred to as "risk-based authentication.") CA RiskMinder analyzes specific user transactions and, for those that look suspect, invokes the chosen authentication method, typically out-of-band one-time passwords or challenge questions.
• CA Arcot enables effective clientless device identification with its Device DNA product, which examines endpoint clock speed and other device parameters.
• It has a proven ability to deploy predictive models (as opposed to only rules), although these models are not widely deployed among the firm's customers.
• Its alert console is comprehensive and presents rich data to understand the reason for an alert. Also, users can configure the data that they want to see in the console.

Cautions

• Some customers report that, when it comes to CA RiskMinder, CA Arcot has lost technological innovation and thought leadership since the CA acquisition in 2010.
• CA Arcot's communications with its customers on matters such as system features and road maps need improvement. In the absence of communications, customers perceive a lack of interest in progressing RiskMinder.
• CA Arcot's marketing of fraud prevention capabilities needs much improvement.
• Some customers say that feedback on the timing for bug fixes and needed product enhancements are slow to roll out and sometimes hard to come by.
• Some customers report that management information systems are lacking. For example, they say there are no canned reports that summarize rule performance to help users with fine-tuning and maintaining rules for optimal results. Furthermore, there are performance issues with existing reports where there are hard physical limits on the amount of information that can be extracted. CA Arcot says it has improved its reporting systems and their performance.
• Business users are able to modify parameters on existing rules or add their own new rules, but most turn to CA Arcot's staff to add new parameters to existing rules or to add new rules that are not straightforward. This leads to overnight delays in rule enhancements and new rule implementations, where users often need immediate turnaround times. (The firm is releasing RiskMinder 3.0 in June 2012, which should address this issue.)
• CA Arcot's rule-based system has proved to scale in analyzing the risk associated with online logins and e-commerce payments, but hasn't been proved widely beyond that — for example, in high-value money transfers or other e-commerce scams.

Digital Resolve

Digital Resolve is a subsidiary of Digital Envoy, which provides extensive IP intelligence that is used to aid online marketing and digital content delivery programs. This IP intelligence has proved to be very helpful for Digital Resolve's fraud prevention product. Digital Resolve has more than 30 direct and 230 indirect customers, of which more than 85% are mainly small financial services firms, while the rest are e-commerce companies. Its clients are mainly in North America, but a few are in Europe. The firm is owned by Landmark Media Enterprises, a diversified media company.

Target audience: This vendor's Layer 1 (endpoint-centric), Layer 2 (navigation-centric) and Layer 3 (user- or account-centric) software or services can be used by financial services companies with an online presence that need to prevent new account fraud, account takeovers and payment fraud.

Strengths

• Digital Resolve's rule-based fraud detection system is mainly used by clients for login analysis, but it also enables clickstream analysis and anomaly detection beyond login, and Digital Resolve is rolling this out to some customers. Unlike most competitors, the system passively listens to (sniffs) transactions and sessions in real time, and is therefore easy to implement. It also comes with a set of APIs that can invoke another process, such as user authentication.
• The firm is integrated with Fundtech's CASHplus online banking system, thereby enabling tight integration with the online banking system and making it an attractive fraud prevention solution for Fundtech customers.
• The solution is attractively priced and comes bundled in an appliance or as software.
• Unlike most competitive products, the system comes with a set of very specific rules for bank money transfers that users can delete or modify.
• Unlike some competitive products, the product comes with a set of challenge questions that can serve up user authentication challenges for suspect sessions — for example, triggered by a user logging in from a suspect location. This enables "risk-based authentication."
• Digital Resolve customers are very enthusiastic and give rave reviews about the firm's customer service and responsiveness to their needs. They say the company is diligent, easy to work with and dedicated to eradicating fraud on their behalf.
• Users can easily configure the workflow on alerts — for example, to which email addresses the alerts should be sent.
• The firm has a proven capability to dissect and analyze user submissions of batch payment (automated clearinghouse) files for fraud.

Cautions

• The company needs to allocate more resources to sales and marketing because it does not appear on as many client shortlists as it should.
• Digital Resolve's extensive customer service has sometimes made customers "too reliant" on the firm for functions they can do themselves — for example, rule or custom report writing. Customers should establish more independence from Digital Resolve so they can get the most from the product.
• Just like other rule-based systems, enterprises can only catch attacks that they have thought about, usually because these attacks have appeared before. The solution would benefit from predictive modeling that uses more sophisticated techniques, such as Bayesian or regression analysis.
• The user interface is manageable, but some competitors win out in terms of friendliness, ease of navigation and use.
• Digital Resolve's solution is not always able to stop trojan-based (man in the browser [MITB]) attacks unless the attacker trips a rule, so not all MITB fraud is caught. This is also true of other WFD systems that rely on rules.

Easy Solutions

Easy Solutions is a small, private firm, headquartered in Florida, that was founded in 2002. It has about 70 customers and sells WFD and related services to financial services, telecommunications and retail firms mainly in Central America and South America. It has a full range of fraud prevention and detection products ranging from anti-phishing services, device identification, "secure" browsing, rule-based fraud scoring and multifactor authentication.

Target audience: This vendor's Layer 1 (endpoint-centric) and Layer 3 (user- or account-centric) fraud detection services can be used by financial services companies, retailers, airlines and other companies with an online presence that need to prevent new account fraud, account takeovers and payment fraud. It is also attractive to companies that want a one-stop shop for most related fraud prevention services, such as anti-phishing and secure browsing services in addition to fraud detection and authentication.

Strengths

• Customers especially like their ability to use Easy Solutions for multiple related fraud prevention services, and they typically buy more than one solution.
• South American customers report that Easy Solutions is more effective at combating and thwarting local malware and cybercrime variants than competitive solutions that don't have local crime knowledge.
• The firm has a strong reseller channel, especially throughout Central America and South America, and is now strengthening in the U.S.
• Customers can and have integrated their own predictive models with the DetectTA rule-based fraud detection system. This is not the case with most of the competitive offerings.
• Easy Solutions' fraud detection solutions (DetectID and DetectTA) can be and have been used across multiple channels (for example, call center, online and automated teller machines), thereby enabling organizations to stop cross-channel fraud.
• Customers report that Easy Solutions provides very responsive customer service and support.

Cautions

• Some application functionality, such as end-user policy enforcement, is not clear and easy to use.
• Testing and implementing a change to the production environment can sometimes be difficult.
• There is no capability to create customized reports.
• Business users cannot input their own rules into the system and must ask the IT staff for assistance. In turn, the IT staff must ask Easy Solutions for assistance if the rules are complex.
• Easy Solutions charges per-user annual subscription fees for its fraud detection, but many customers, particularly large ones, prefer a perpetual license fee model. (This is true for other fraud detection services that charge annual subscription per-user fees.)
• Device identification for mobile devices is still in its early stages. The firm expects to release it in July 2012.
• The firm needs to improve its sales and marketing efforts to gain market share and mind share among prospects.

Gas Tecnologia

Gas Tecnologia sells its products mainly to about 10 banks in Brazil, where it is a dominant malware protection and device identification vendor. It has enjoyed fast growth over the past three years. It offers a variety of on-premises software products, including client software for protecting Web sessions from malware intrusion, device identification, login analysis, and endpoint (machine) reputation that is shared across its customer base.

Target audience: This vendor's Layer 1 (endpoint-centric) fraud detection services can be used by financial services companies in South America that want to prevent malware-based attacks that can result in new account fraud, account takeovers or payment fraud.

Strengths

• Gas Tecnologia's malware detection and prevention software (which is based on a client download) has proved to be effective at reducing fraud rates for its bank customers, while other endpoint protection products sold directly to customers have failed.
• Customers report responsive customer service and agility at helping them resolve issues.
• The firm's management console gives users the ability to easily create rules based on previously identified suspect behavior, such as the identification of malware variants or new fraud patterns.
• The firm has extensive knowledge of fraud patterns and tactics in South America, especially when it comes to malware targeting Brazilian users.

Cautions

• The firm has no sales channels outside Latin America.
• System functionality is endpoint-centric, and there is no server-side fraud detection beyond login analysis.
• Browser protection is restricted and not fully operational on some operating systems and browsers — for example, Chrome and Linux and mobile devices from Apple and Android.
• The browser protection software module that is downloaded to end-user machines is 1.5MB, making it a relatively large file download and more than three times the size of competitive offerings. Daily updates to user machines can be cumbersome, and can cause conflicts with other software that a user is running. This aspect generates a noticeable amount of customer service calls.
• Some end users (about 3%) have been unable to install the client software, which necessitates putting their machines on a whitelist so that they can bypass having to run the protection module, which is mandated by Gas Tecnologia's Brazilian bank customers.
• Customers say product enhancements can be slow to roll out, and that they have to wait months for needed features. Customers would like Gas Tecnologia to be more forthcoming about its product enhancement plans, and also about new attacks it is seeing. The firm says that the release of a new engine occurs every 30 to 40 days, and that customers can reconfigure the fraud detection parameters on a daily basis using daily information on new and emerging malware techniques.
• The system generates a wealth of information on customer access patterns, but there is no intelligence in the product that can make use of most of it for fraud detection purposes.

Guardian Analytics

Guardian Analytics (GA) targets U.S. banks and credit unions, most of which outsource their online banking operations to third parties that remain deficient in providing their clients with effective fraud prevention tools. The firm sells FraudMAP as a service (SaaS). GA grew quickly in 2011, and by year-end had more than 115 bank and credit union customers.

Target audience: This vendor's Layer 3 (user- or account-centric) software or service can be used by financial services companies, especially those that outsource their online banking operations, and those that need to prevent new account fraud, account takeovers or payment fraud.

Strengths

• FraudMAP uses a mathematically predictive behavioral scoring model — as opposed to a rule-based system — to detect fraud. GA provides all the risk-scoring intelligence, which customers report has been very effective at preventing fraud, and, in some cases, has detected every single instance of it.
• FraudMAP's user interface is especially user-friendly, enabling bank customers to easily track end-user activities over time, and to quickly differentiate high-risk and suspect activities from those that do not pose a risk. Customers report an extremely short learning curve with using the application.
• GA has key sales relationships with several online banking providers. S1 is a full reseller of its service; some providers refer GA as a solution for U.S. Federal Financial Institutions Examination Council (FFIEC) compliance; and others support GA's sales efforts. GA continues to evolve and develop its relationships with online and mobile banking technology and service providers because its primary prospect base uses these third parties, and GA must easily integrate with them to grow its revenue base.
• In the case of already-developed integrations with online banking platforms, GA system implementations can take only days, since the format and mapping of log files have already been worked out. Otherwise, if the online banking data has not been previously mapped to GA's system, then it can take a month or two to get the right log files prepared for FraudMAP. Tuning the system so that it learns the customer activity at a given financial institution can take a couple of months after implementation, unless the customer provides GA with historical data, which is what usually happens. (This is true of other behavioral modeling or rule-based systems.)
• GA clients report excellent, responsive customer service as well as thought leadership when it comes to addressing fraud issues.
• Some customers, especially smaller ones, find FraudMAP to be attractively priced.
• Similar to some competitors, the firm offers a fully managed fraud prevention service so that banks can outsource the entire fraud prevention process in addition to the technology.

Cautions

• FraudMAP is not typically implemented in a real-time or near-real-time environment, nor does it sit in line to a transaction stream. Instead, in many instances, it reads batch files sent from online banking providers every couple of hours. While this is not an issue for GA's customer base, generally because smaller financial institutions take more time to review money transfers, others find this functionality important, and they have not chosen GA partly for these reasons. GA provides real-time APIs to its scoring engine to address this.
• GA's customers would like it to expand its offering to include fraud detection for other banking channels (for example, phone banking) to catch more fraud. (GA's product road map includes this product development.)
• GA's predictive models should work well in the mobile application space, but customers are unsure because there is not yet adequate experience with this. They are also unsure as to the company's overall product road map.
• No user authentication mechanisms have been built into the product, and the firm's target customer base of smaller financial institutions would especially benefit from this integration since it minimizes resource demands.
• GA's revenue base is closely tied to compensating for the lack of adequate, effective fraud prevention capabilities provided by third-party online banking providers for smaller U.S. financial institutions. In the future, these providers could partner with or buy a competitive company, thereby undermining GA's revenue opportunities. Alternatively, one of these providers could potentially buy GA.
• At this point, GA's solution set is only in use by financial institutions with deposit accounts, and is U.S.-centric. This limits GA's growth opportunities relative to most of the competition.

iovation

Iovation is a provider of client device identification technology and a device reputation database for its more than 200 customers. The customers come from many sectors, including online gaming, gambling, retail, social networks and financial services. About half of iovation's customers are in the U.S., with the rest located in Europe and around the globe.

Target audience: This vendor's Layer 1 (endpoint-centric) service can be used by financial services companies, retailers, airlines and other companies with an online presence that need to prevent new account fraud, account takeovers and payment fraud.

Strengths

• Iovation's SaaS offering provides device identification and reconciles and analyzes information found on the device — for example, by comparing the geolocation of the device to its time zone. Through custom rules, users are able to assign their own weights to different device attributes and conditions, which the iovation system uses to determine whether a transaction should be flagged for review or stopped altogether.
• Iovation has a reputation database (called ReputationManager 360) that shares fraud and abuse data on PCs and other devices seen by its customers. Some customers, especially those that come from the same sectors as other iovation customers that participate in device reputation sharing, find this service useful.
• Customers report very responsive service from the iovation staff, and also say the iovation service is very reliable.
• Similar to the most directly competitive offerings, iovation provides device risk scoring or data on devices back to customers.
• Iovation has a friendly and rich user interface in which, for example, users are able to click on an alert and easily see all the rules, reasons, and associated accounts and devices that contributed to the alert.
• The tool enables easy analysis of relationships between attributes, such as devices and accounts. Users can easily spot rings of suspicious activity — for example, where a few "bad" devices have been accessing multiple accounts.
• Like other device identification services, system integration is relatively quick and easy because it requires placing a few lines of code on the Web pages that gather the device information.

Cautions

• Customers report that device fingerprinting from iovation (and other vendors) is becoming less effective over time as fraudsters use various techniques that circumvent it. These techniques go beyond MITB attacks.
• Legitimate users sometimes share devices that are marked as "bad" in iovation's reputation database, and these devices must therefore be manually unblocked or automatically unblocked through a rule by the enterprise relying on iovation. To avoid this scenario, iovation encourages clients to place their fraud or abuse evidence on accounts rather than devices.
• Iovation does not enable complex business rules, but is reportedly working on them.
• Iovation reports should be improved. For example, users would like to sort or search evidence by the organization that provided it, instead of having to go through each device record one by one to see the originator of the evidence.
• Iovation's iPhone and Android SDKs are not yet widely deployed, and Gartner was unable to verify their effectiveness.

Kount

Founded in 2007, Kount is a privately held and wholly owned division of Keynetics, which started developing fraud detection technology in another of its subsidiaries in 1998. Kount grew its revenue base very quickly in 2011. Although it is primarily used today for online payment fraud detection, it has also been proved in other use cases, such as new account enrollment and login analysis. In addition, it is being used to detect fraud in the insurance industry — primarily auto insurance.

Target audience: This vendor's Layer 1 (endpoint-centric) and Layer 3 (user- or account-centric) services can be used by financial services companies, retailers and other companies with an online presence that need to prevent new account fraud, account takeovers and payment fraud.

Strengths

• Kount has more than 150 customers, mostly e-commerce companies, and has benefited greatly from a relationship with major payment processor Chase Paymentech, which has been reselling Kount to its customers since 2010. Kount's service is also embedded into LexisNexis' Retail Decision Manager product.
• According to its customers, Kount provides its own device identification, which capably pierces through proxy servers and uniquely identifies user endpoints.
• Similar to at least one major competitor, Kount has integrated data feeds from specialized data providers; these feeds help with fraud detection, including phone-related information from Targus Group International and 192.com. The firm also has an in-house copy of the U.S. Postal Service's database, which is used for real-time fraud prevention.
• Kount provides very responsive customer service and thought leadership to its customers. The small 40-employee firm provides on-site implementation and periodic follow-up and tuning support services for low fees.
• Business users find it easy to write simple rules and adjust existing ones using Kount's rule editor. They can also assign their own weights to different attributes of rules that generate a fraud score.
• Kount provides good canned reporting on system activities, rule performance and effectiveness. The service also enables users to customize their own reports off a data mart hosted by Kount.
• Customers are pleased with the system's dashboard and user interface. They say it is easy to drill into alerts and data, and to investigate related incidents.
• Kount offers a flexible pricing model, including per-transaction fees, flat monthly rates and prepaid transaction blocks.

Cautions

• The bulk release of multiple transactions in a fraud queue (for example, to approve them) must be done using a different module than the one the fraud analysts normally use. Otherwise, the fraud analysts must release one at a time, which is time-consuming.
• Kount has not shared its road map with customers and needs to do a better job of communicating its plans for the future.
• Kount is strongly associated in the market with the payment fraud detection use case only.
• To grow its sales, Kount needs to step up marketing efforts so that it is included more frequently on shortlists for fraud detection vendors, and so that prospects understand that its product provides functionality that can be used well-beyond payment card authorization fraud detection.

Nice Actimize

Nice Actimize is a division of Nice Systems, and contributed about one-seventh of Nice Systems' 2010 revenue. Nice Actimize's WFD capabilities are sold exclusively to the financial services industry.

Nice Actimize's Web fraud products have been sold directly and indirectly through processors to more than 130 banks around the globe as of year-end 2011. Its WFD product sits in Layer 3 or Layer 4 of Gartner's fraud prevention framework and, as such, provides important backstop layers to fighting fraud that may be missed by Layer 1 (endpoint-centric) and Layer 2 (navigation-centric).

Target audience: This vendor's Layer 3 (user- or account-centric) software or service can be used by financial services companies — especially large ones with substantial in-house IT and fraud expertise — that need to prevent new account fraud, account takeovers and payment fraud.

Strengths

• Nice Actimize has a real-time and non-real-time behavioral risk-scoring engine with very strong analytics behind it. This engine has proved very effective at detecting and preventing online and real-time payment fraud.
• Nice Actimize offers a sound and broad fraud prevention architecture and framework that includes multiple integrated modules, alert management and correlation, common user profiles, shared models, a rich policy and rule editor, and a case management system. Nice Actimize's WFD modules benefit from all of the firm's related fraud management systems and processes.
• Nice Actimize is typically used by large bank customers as a master broker of fraud prevention systems, whereby alerts from other systems (for example, device identification or malware prevention) are sent to its alert management system for correlation and follow-up.
• Customers give high marks to the firm's alert management capability, and to its ability to filter, sort and correlate various alerts, and then use them to drive follow-up actions, such as locking a customer's account that has been the target of account takeover.
• In 2011, Nice Actimize invested considerably in improving its customer service and implementation support, which have long been drawbacks in working with the firm.
• Business users can easily write their own rules and scenarios. (Complex rules require Nice Actimize's assistance.) The Actimize Policy Manager enables users to manage and deploy rules for non-Actimize systems that may play a large role in online banking and online payments. This helps users consolidate their fraud operations.

Cautions

• While Nice Actimize provides an effective risk-scoring module, customers have had to invest considerably in developing surrounding processes that feed the risk-scoring engine, or use the data coming out of it.
• False-positive rates incurred by the Nice Actimize scoring engine can be very high without periodic tuning (for example, every six months) of the model used by the customer enterprise. However, to tune the system, customers require on-site assistance from the vendor, and there are always additional fees associated with this that some customers report are fairly steep. Customers also complain that it often takes too long to get the support resources they require.
• Banks that use Nice Actimize Layer 3 applications for online fraud detection typically add Layer 1 (endpoint-centric) fraud prevention software, especially device identification and malware detection, and find that these additions can often eliminate many of the suspect transactions before they even get to Nice Actimize for risk scoring. Nice Actimize would be a more comprehensive and effective solution for WFD if it offered more Layer 1 (endpoint-centric) functionality that specifically targets malware and other online threats.
• Customers continue to complain of onerous and outdated extraction, transformation and loading processes, which make data and system integration with the Nice Actimize platform long and painful.
• Nearly every (if not each) major development effort requires hands-on technical support from the Nice Actimize staff. Implementations require on-site assistance for several months to properly fine-tune the models and scoring engine, and to customize system interfaces.
• The reporting system provided by the WFD products for consumer or corporate banking are inadequate, so customers must also separately purchase the Nice Actimize detection and research tool (DART) reporting system.

Oracle

Oracle's Adaptive Access Manager (OAAM) provides online fraud detection and user authentication, and is part of Oracle's identity and access management (IAM) products. Since Oracle acquired the fraud detection technology from Bharosa in 2007, it has mainly focused on selling OAAM to customers of other Oracle IAM products. Gartner does not see OAAM on the shortlists of vendors being considered for online fraud detection unless an Oracle IAM customer is looking for enhanced misuse monitoring or risk-based authentication.

Target audience: This vendor's Layer 1 (endpoint-centric) and Layer 3 (user- or account-centric) software can be best used by existing customers of Oracle's IAM product suite that need to prevent account takeovers and payment fraud, or to prevent other types of misuse of applications and information access rights.

Strengths

• OAAM is a potentially good choice for companies that already have Oracle IAM products and want risk-based authentication where they can identify a device and, based on the risk of the access, require various forms of user authentication (such as challenge questions or one-time passwords transmitted via SMS).
• OAAM has a full set of fraud detection and authentication features, such as rule templates and customization, device fingerprinting and user profiling. (However, most customers Gartner has spoken with are only using OAAM to analyze logins and challenge users to authenticate themselves when their devices are not recognized. OAAM customers have plans to begin monitoring activities after login, but have not implemented them yet.)
• Oracle's global reach includes a strong global sales force, global support, localization of the product suite and support for numerous languages.
• The system has the ingredients for a successful fraud detection system — that is, well-defined APIs, data acquisition capabilities, a rule writing capability and an administrative console.

Cautions

• Customer support is handled mainly by third-party system integrators. Sometimes, however, Oracle's direct support is required, and is reportedly not easy to get in a timely fashion.
• OAAM system documentation is poor; so, for example, when a customer introduces a new rule, and the rule leads to anomalous alerts, it is difficult for the user to discern what the problem is without talking to Oracle directly.
• Customers report that the device fingerprinting feature needs improvement and more precision, because they say that the challenge and misidentification rates are too high, relative to what they think the rates should be.
• OAAM does not yet provide native support for mobile application access, although Oracle says it can be customized. Mobile browser support is functional, but not yet certified in the current software version (but it will be in the upcoming 11g Release 2, which is due out in summer 2012).
• OAAM is marketed as an "out of the box" solution with a good supply of effective canned rules, but customers report this is not the case, and that the application requires a lot of tuning, modification and testing before yielding useful results.
• Customers using some versions of OAAM are unable to use the native tools for trend analysis, or to easily analyze linkages across transactions and accounts. Instead, they must use another Oracle tool, BI Publisher, to dig into the data and run detailed reports. Oracle plans to upgrade the investigatory functionality in the upcoming 11g Release 2.

RSA

This firm became the dominant player in WFD and adaptive authentication in 2005 and 2006 as its sales grew in conjunction with compliance with guidance issued by the FFIEC for "Authentication in an Internet Banking Environment." RSA's Adaptive Authentication system is used by hundreds of direct customers around the world, of which 70% are in the Americas and 75% are in financial services. The firm also has thousands of indirect customers (representing mainly smaller financial institutions) using the service, provided by their online banking providers.

Within the product suite of Identity Protection and Verification (IPV), RSA also provides hosted services to card issuers that need to support fraud prevention for 3-D Secure, card-not-present transactions. RSA also provides identity-proofing and verification, anti-phishing, anti-trojan, threat detection and cyberintelligence services, and a few other related solutions.

RSA enjoys double-digit revenue and bookings growth on a year-over-year basis. It has been successfully selling Adaptive Authentication into the enterprise and other sectors beyond financial services.

Target audience: This vendor's Layer 1 (endpoint-centric) and Layer 3 (user- or account-centric) fraud detection services can be used by financial services companies, healthcare firms and other companies with an online presence that need to prevent new account fraud, account takeovers and payment fraud. The services are also attractive to companies that want a one-stop shop for most related fraud prevention services — for example, anti-phishing and identity-proofing services — in addition to fraud detection and authentication.

Strengths

• RSA has a dominant presence in the WFD market. It supports about 500 million end users performing online banking, and 500 million payment cards used to make e-commerce payments with payment cards issued by thousands of financial services companies.
• Some customers report good results with RSA's predictive risk-scoring engine, with relatively low false-positive rates.
• RSA supports fraud detection for mobile devices, although it is too early to rate its performance here (also because there have not been any notable attacks on its mobile customers). It has partnered with mobile banking providers, such as Clairmail and mFoundry, and with enterprise providers, such as Citrix, Juniper Networks and Good Technology.
• Customers are attracted to RSA partly because of its full range of fraud detection and authentication products. This includes its latest addition of NetWitness, a network intelligence vendor, which EMC acquired in 2011.
• Unlike most of its competitors, and because of its large installed base of enterprise authentication customers, RSA has been able to sell risk-based authentication to enterprises for internal use, although the implementations are relatively simple.

Cautions

• Some customers report that RSA's risk model does not appear to be "self-learning" in their own environments as fraud detection rates do not decrease over time without model tuning and rule writing. (RSA says that issues may be because these customers are not running the latest version of the application, or are not using the case management system to inform the model about confirmed fraud.)
• RSA customers need to be prepared to evaluate and mark fraud cases as "genuine" or "false" to obtain the full benefit of the Risk Engine. Otherwise, they may need to engage professional services to fine-tune the models and reduce false-positive rates.
• Several RSA customers report that the firm has lost its ability to lead in the online fraud detection market. These customers now look elsewhere, and at other vendors, for innovative fraud prevention features and products.
• Customers report that RSA takes too long to make changes and implement new features, and that it is not demonstrating the same agility it used to. Customers attribute this to RSA's corporate ownership by EMC.
• RSA customers have had to layer on other products to help them combat MITB attacks.

Silver Tail Systems

Founded in 2008 by former eBay and PayPal fraud managers, this private company focuses on financial services, government and e-commerce organizations, and its solution helps to address fraud, misuse or security issues. Its customer base is still small, although most of the customers it does support are often very large, complex organizations.

Target audience: This vendor's Layer 2 (navigation-centric) service can be used by financial services companies, retailers, airlines and other companies with an online presence that need to prevent new account fraud, account takeovers and payment fraud. The service can also be used to detect and prevent damage from security violations (such as denial-of-service attacks), detect problems in website programming and structures, and detect other abusive navigations at a company website, such as competitive snooping.

Strengths

• Silver Tail raised $20 million in venture capital funds in 2011, enabling it to scale its operation and build out its staff and infrastructure. It also quickly grew its revenue in 2011. Silver Tail continues to expand its direct sales forces and reseller partners, including its recent addition, MasterCard, which is selling the Silver Tail solution to its merchant customers.
• The software has been proved scalable and supports high-performance computing environments that are more demanding than the environments supported by most of Silver Tail's competitors. Deployments currently process Web traffic for more than 1 billion Web users and more than 300 million Web page requests daily. At peak traffic times on some customer sites, the system can handle 300,000 Secure Sockets Layer (SSL) handshakes per second.
• Unlike competitors with clickstream analysis technology, Silver Tail uses self-adjusting proprietary models and algorithms to flag anomalous session navigations (by user ID and IP address), behaviors and clusters of threat groups by comparing individual sessions with normal baselines, which it establishes and continually updates (typically hourly) by profiling the monitored sites after installation.
• Unlike competitors, Silver Tail offers multiple implementation options, such as on-premises software, SaaS or hardware as a service, and this has helped the firm win some deals over competitors that only offer SaaS solutions.
• Installation is generally easy and requires no changes to the enterprise host systems. Customers can be up and running within hours or days. Unlike the competitive solutions, the system does its own learning, which is expedited by the amount of data it can crunch in a given period. It is easy to install by plugging a "listener" or Web session sniffer into a Switched Port Analyzer (SPAN) port.
• Silver Tail began releasing a major update of its software in 2012, wherein its system profiles user behavior based on the user's specific history at the site, and then compares incoming user transactions to that profile. This puts Silver Tail in direct competition with fraud detection vendors that provide user and account profiling and anomaly detection (or Layer 3 fraud prevention in Gartner terminology). In February 2012, it started shipping the user behavior profiling capability, called Profile Analyzer, which provides behavioral profiling of Web sessions on a per-user basis.
• Silver Tail customers are very enthusiastic about the results the system produces, especially because they have to do very little work to get them. They also say they can see things with the system in minutes that would take weeks to see, or would be extremely difficult to figure out, using other existing tools.
• Customers say they receive excellent service and support from the firm.

Cautions

• The upcoming user monitoring capability (and comparing users' transactions with their profiles) may not work as effectively as the current functionality does because user-specific data will not be as plentiful as the cross-user session data with which the system currently works. Also, as with any product that is user-centric, the user information view will have limited use at e-commerce sites, where many customers do not always sign in through user accounts and instead remain anonymous throughout a session.
• Today, Silver Tail works by essentially building a "signature" of normal activity and comparing each session to this signature pattern. Criminals are likely to figure this out, and will start navigating and behaving like normal users, making it more difficult — but certainly not impossible — for Silver Tail to spot the hackers' sessions.
• Silver Tail does not have a good customizable reporting system; so, for example, customers are unable to easily track activity over time, analyze trends or monitor the performance of their rules.
• Similarly, users complain that the user interface for the dashboards for investigation and system administration are unfriendly. Furthermore, the amount of data returned to the dashboard from a query is limited to 10,000 records. Reportedly, Silver Tail is working on rectifying these problems, and is more easily able to do so, given the infusion of capital funds in 2011.
• Adding customized rules to the system so that certain activities generate alerts requires technical expertise from Silver Tail or a technically skilled user. Furthermore, users are unable to create rules with "or" functionality when combining nonscored clauses with score-based clauses; instead, they are limited to "and" functionality in these cases — for now.
• Several customers and prospects complained about the high annual subscription fees for using the software or service, and would prefer a fixed perpetual license fee.
• Customers would like the company to include device identification technology in its product, and would like to add that data to Silver Tail analytics.
• Silver Tail should be able to interpret mobile application traffic through analysis of JSON files, but it is not proven in this area yet.
• Some customers need Silver Tail's assistance in knowing which traffic they need to listen to and analyze, because the amount of information gathered and filtered can be overwhelming and not useful otherwise.

ThreatMetrix

ThreatMetrix provides client device identification and malware protection through a cloud-based service used by more than 600 customers. Forty percent of its customers are in financial services, 40% are e-commerce companies and 20% represent social networks. About 60% of its customers are in the U.S., while most of the rest are in Europe. In January 2012, it acquired a malware detection and prevention company called TrustDefender, based in Australia, where ThreatMetrix was founded.

Target audience: This vendor's Layer 1 (endpoint-centric) service can be used by financial services companies, retailers, airlines and other companies with an online presence that need to prevent new account fraud, account takeovers and payment fraud.

Strengths

• ThreatMetrix provides strong client device identification (also known as device fingerprinting) that its customers say is especially effective, relative to its competitors, at piercing through proxy servers.
• More than half of ThreatMetrix's 2011 revenue came through its strong reseller channel, which includes e-commerce and financial services vendors such as CyberSource, Accertify and ActivIdentity.
• Similar to competitive client device identification services, ThreatMetrix's cloud-based service is relatively easy to implement, and is accomplished by inserting profiling scripts into transaction pages, or by using APIs that connect to the service.
• ThreatMetrix was the first client device identification vendor to return customers a score along with raw data gathered from the end-user device. Other competitors are now following suit. Many of ThreatMetrix's largest customers use the returned raw data attributes, which are fed into their own analytics and other third-party fraud decisioning systems.
• The granularity of data collected and analyzed by ThreatMetrix is helpful to companies, because sophisticated fraudsters are learning to circumvent device identification by simulating a user's device. By working with some of the gathered parameters, ThreatMetrix and its customers are usually able to stay ahead of the fraudsters' device ID circumvention techniques.
• ThreatMetrix also maintains a cloud-based data warehouse of information on the user's device, associated account, and whatever other information related to the device that its customers want to share. This information is useful for fraud detection because criminals tend to attack multiple organizations and leave a trail throughout.
• By adding TrustDefender's technology to its portfolio, the firm can now plug a security hole that exists with device identification, which cannot detect an MITB attack launched from a legitimate user's endpoint.
• Customers can influence the scores through customization of the rules for their particular business — for example, by changing the weights on the rules or by creating new ones.
• The venture-capital-backed firm has quickly grown its revenue in the past year.

Cautions

• Total device profiling time (for example, using JavaScript or flash objects) takes about two to three seconds and, therefore, requires the device (for example, PC) to stay on a page for at least that long. Unidentified device rates can be about 2% to 5%; however, other methods are simultaneously employed that take less time and are typically able to return enough data (for example, an IP address or the detection of a hidden proxy) to yield some meaningful information.
• Customers take care of where they place ThreatMetrix "tags" on their Web pages so that the system has enough time to gather sufficient device data. Users must remain on a page for enough time for the process to work effectively.
• Fraudsters are learning how to circumvent device identification, so enterprises must work with ThreatMetrix to determine new types of analysis that can be done on various collected data elements to compensate for this.
• Customers report that ThreatMetrix is not as proactive with them as they would like it to be when it comes to helping them fine-tune the analysis of parameters to catch fraudsters who are evading device identification.
• Customers say they don't have a good ability to monitor the efficacy of the rules they have in place. Users can only look at individual transactions and see how the rules lead to particular scores, but they cannot, for example, retroactively backtest new rules.
• The firm ported its device identification technology to mobile platforms (iOS and Android), but there is not yet enough customer experience to know whether it's effective.

Trusteer

Founded in 2006, Trusteer sells client-based and server-based products that are focused on detecting and preventing client-side malware attacks. It also sells anti-phishing software and provides a financial crime intelligence portal for its customers, where they can view discovered malware targeting Trusteer's customers' institutions along with trends in attacks across Trusteer's global customer base.

Trusteer sells mainly to the financial services industry. It claims more than 200 customers around the world, of which almost 90% represent financial institutions, with the rest in other e-commerce sectors. The company quickly grew its revenue in 2011, as banks continued to face increasing malware-based attacks against their customers' accounts. Many banks report that about 4% of their corporate users' desktops are infected with dangerous financial malware, although this percentage is much lower at some banks, at least for the time being.

Target audience: This vendor's Layer 1 (endpoint-centric) services can be used by financial services firms or companies in any other sector that want to prevent malware-based attacks that can result in new account fraud, account takeovers or payment fraud. The vendor also provides related fraud prevention services such as anti-phishing techniques, collective threat intelligence, malware removal and device forensics.

Strengths

• Trusteer's customers report that they have not experienced fraud losses on user accounts protected by Trusteer Rapport, the desktop client, or Trusteer Pinpoint, the server-based product. They also cite that, before they introduced Trusteer's products, they determined that the attack vector for most of the payment fraud losses they previously incurred was malware on their customers' desktops.
• Because Trusteer Rapport and Trusteer Pinpoint are widely proven in the marketplace, banks and other prospects are attracted to Trusteer because they have the choice of ubiquitous customer session monitoring for malware with Trusteer Pinpoint, and customer desktop malware protection and removal with the client software Trusteer Rapport.
• Intelligence gathered from Trusteer Rapport on customer desktops (now totaling more than 30 million) is used to feed and strengthen Trusteer Pinpoint's malware detection capabilities, which customers report have improved significantly over the past year so that they are nearly on par with Trusteer Rapport's.
• The products are very easy for Trusteer's customers to install; they only need to insert a few lines of code into their Web servers that link to Trusteer's cloud-based service. Trusteer Rapport client software is downloaded from Trusteer's service directly, and at half a megabyte in size — which is much smaller than competitive products — it typically takes less than three minutes to download.
• Trusteer's customers report negligible customer service calls stemming from the download and execution of Rapport desktop software. These calls are handled by Trusteer's staff.
• Trusteer's customers claim that the company provides excellent and very responsive service.
• The management console provides enterprises with useful information on Trusteer Rapport installations, including the fact that it's installed, and what malware (if any) the customer has on its machine.
• Customers benefit directly from information sharing across Trusteer's customer base. For example, when Trusteer discovers malware targeting one of its bank customers, all of its customers benefit from the gathered intelligence through the continued strengthening of the products' defenses.
• Trusteer sells directly to large banks and smaller institutions on different continents directly and through partnerships with online banking providers, such as Intuit, Fidelity Information Services (FIS) and FundsXpress. It is starting to target the enterprise market and, as such, has partnered with application firewall provider Imperva.

Cautions

• Customers want to be able to customize the types of alert communications they receive from Trusteer's system. For example, they want to specify exactly which data is extracted into an email or report that can be sent to any particular user or group.
• The Trusteer system is mainly a stand-alone application, although data can be exported to a few other Layer 3 or Layer 4 fraud prevention and detection systems — for example, RSA's and Actimize's. More interfaces and standard APIs for such interactions are desired.
• The company should strengthen and improve communications on its road map and future product enhancements with its customers.
• The reporting system is too limited. Customers would like to be able to customize reports so that, for example, they can correlate alerts, or analyze trends across end-users' desktops or malware occurrences among their client communities.
• Trusteer's products are highly effective at fighting malware, but in two or three years, the attack vectors used by fraudsters may differ substantially. The company must therefore broaden its arsenal of fraud-fighting tools to ensure that it remains competitive. For example, some customers would like to see the firm branch off into user and device profiling and behavioral analytics. (These features are on the company's road map, and some large customers are already piloting their device profiling.)
• In the past year, the company has spent considerable resources gradually transforming itself from a solid technology company to one that can scale its sales, marketing and support. It's too early to know whether these efforts will succeed, but early indications are positive.
• Trusteer has developed products for mobile endpoint support, but there is not enough customer experience with them yet to know whether they are effective.
• While Trusteer Pinpoint is effective at detecting malware, it does not include an automatic process to close the loop — for example, to remove the malware on the desktop and deactivate the account being attacked. Banks and other Trusteer customers must develop and implement these processes on their own by integrating the results of Trusteer Pinpoint alerts with their legacy systems or processes.

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Added

Two new vendors were added to the 2012 Magic Quadrant: Gas Tecnologia and Kount.

Dropped

Entrust was dropped from the 2012 Magic Quadrant because it was unable to provide three customer references. Additionally, Gartner did not see it competing in the WFD market in 2011. Symantec was dropped from the 2012 Magic Quadrant because it exited this market in late 2011.

Inclusion Criteria

WFD vendors that meet Gartner's market definition/description are considered for this Magic Quadrant under the following conditions:

• The software or service must be able to detect abnormal logins into an organization's website, abnormal navigation and/or user transactions using the organization's Web application.
• Products or services must be in general availability as of 1 August 2011.
• Products or services must be deployed in at least three customer production environments, with references available, as of 1 September 2011.
• Products must specifically target and market to the WFD market, and optionally the user authentication market, with a critical mass of technology specific to the WFD function.
• Products or services must support more than one use case — for example, two out of the three use cases referenced in the market definition above.

Exclusion Criteria

Companies with insufficient information for assessment, or those that did not meet Gartner's inclusion criteria, were excluded from the Magic Quadrant based on the following conditions:

• The vendor does not have a scoring or rule-based fraud detection system that can assess, at a minimum, the authenticity and validity of a user browser-based login, access or transaction.
• The vendor is not actively shipping products or providing services.
• The vendor did not provide three production customer references for WFD.
• The vendor has products or services that can be used for WFD — for example, business intelligence and security information and event management tools — but are not being packaged or targeted for off-the-shelf fraud detection use.
• The vendor only supports fraud detection for online payments, which are generally made with credit or debit cards.

Specific vendors assessed for, but not included in, the Magic Quadrant were:

• Fraud detection vendors for online payments provide fraud detection for card-not-present e-commerce payments. These include, but are not limited, to Alaric, CyberSource and Retail Decisions. Gartner did not include these vendors in the 2012 Magic Quadrant because they only satisfy one use case, which is detecting the use of a stolen financial account (for example, a stolen credit card). As noted above in the Inclusion Criteria section, vendors evaluated for this Magic Quadrant had to satisfy more than one use case as of 1 September 2011, with production customer references that validated this.
• Vendors that provide out-of-band authentication and transaction verification services, such as Authentify, PhoneFactor, TeleSign and ValidSoft. While these vendors' services certainly help to prevent fraud, they do not fit into the WFD market category as defined above.
• Vendors that met the Magic Quadrant inclusion criteria, but did not yet have enough production customer references, such as Fox-IT and NorseCorp.
• Vendors that provide secure browsing services, often along with other related services, such as AhnLab, Crealogix Group and IronKey. While these services are very helpful in preventing fraud, they do not meet the WFD market definition as outlined above.

Evaluation Criteria

Ability to Execute

• Product/service: This includes the core fraud detection technology offered by the technology provider that competes in/serves the defined market. It also includes current product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/partnerships, as defined in the market definition. Strong execution means that a vendor has demonstrated to Gartner that its products or services are successfully and continuously deployed in enterprises. Execution is not primarily about company size or market share, although these factors can considerably affect a company's ability to execute. Key features, such as the ability to support complex deployments with real-time transaction demands, are weighted heavily.
• Overall viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue to invest in the product, offer the product and advance the state of the art within the organization's portfolio of products — for example, by incorporating more fraud rule templates or new predictive modeling techniques.
• Sales execution/pricing: This includes the technology provider's capabilities in all presales activities and the structure that supports them. It also includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. In addition, it includes deal size and the use of the product or service by managed service providers (such as online banking service providers). Low pricing will not guarantee high execution or client interest. Buyers want good results more than they want bargains.
• Market responsiveness and track record: This is the ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the provider's history of responsiveness — for example, to customer requirements for responding to new types of criminal attacks.
• Marketing execution: This includes the clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the WFD market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers seeking to defeat fraud. This mind share can be driven by a combination of publicity, promotional activities, thought leadership, word-of-mouth and sales activities.
• Customer experience: This criterion looks at the relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups and service-level agreements.
• Operations: This addresses the ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, such as skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Source: Gartner (May 2012)

Completeness of Vision

• Market understanding: This examines the ability of the technology provider to understand buyers' wants and needs, and to translate them into fraud detection products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance them with their added vision.
• Marketing strategy: This determines whether the vendor has a clear, differentiated set of messages that are consistently communicated throughout the organization and externalized through its website, advertising, customer programs and positioning statements.
• Sales strategy: This looks at the vendor's strategy for selling WFD products, and whether it uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates to extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
• Offering (product) strategy: This analyzes whether the provider's approach to product development and delivery emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements. As attacks change and become more targeted and complex, we highly weight vendors with road maps that move their products beyond rule-based WFD, which only evaluates a minimal number of factors or data points.
• Business model: This reviews the soundness and logic of the vendor's underlying business proposition (not rated in this Magic Quadrant).
• Vertical/industry strategy: This examines the technology provider's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets. Vendors with successful strategies in multiple vertical markets get higher scores in this category.
• Innovation: This reviews the vendor's direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. It includes product innovation and quality differentiators, such as new methods for detecting fraud risk.
• Geographic strategy: This looks at the provider's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside its "home" or native geography, either directly or through partners, channels and subsidiaries, as appropriate for that geography and market. Vendors with successful strategies in multiple geographies get higher scores in this category.

Source: Gartner (May 2012)

Quadrant Descriptions

Leaders

The Leaders quadrant contains four fraud prevention vendors — Accertify, 41st Parameter, Silver Tail Systems and Trusteer — that have well-established records in online fraud detection. The companies serve different use cases and don't all compete directly with each other. They all earn high scores from their customers for their ability to effectively stop fraud, while minimizing inconvenience to end users and the organizations that use them. They also earn high marks for responsive customer service and relatively easy implementations. Their product, sales and marketing strategies and executions are strong, and they continue to innovate and improve their services. They are firmly committed to staying and winning in this market, and to developing their products and services to meet evolving customer needs. They have also demonstrated that they can sell into markets in different parts of the world, other than their home countries. They have demonstrated agility and the ability to move quickly in helping their customers address difficult and fast-changing fraud issues.

Challengers

The Challengers quadrant contains two vendors, Nice Actimize and RSA, both of which were in the Leaders quadrant in 2011. These companies still have a very strong presence in the global market, but they did not stay as innovative and focused on building out and delivering their WFD capabilities to the market as the Leaders did. The Challengers need to improve thought leadership for WFD among their customers, and also see that clear strategies that are acted on. In addition, they need to provide more responsive and proactive customer service.

Visionaries

The Visionaries quadrant has four vendors (Guardian Analytics, iovation, Kount and ThreatMetrix), one of which (Kount) is new to the Magic Quadrant. The Visionaries' products are very easy to implement and use, and have achieved very good results in reducing online fraud using SaaS-based models. Most of the vendors in this category serve multiple use cases across sectors. They each have a very good understanding of their markets and the problems they are trying to solve, along with solid strategies that have them set for healthy growth.

Niche Players

The five Niche Players — CA Arcot, Digital Resolve, Easy Solutions, Gas Tecnologia and Oracle — are in this quadrant for one of two main reasons. In the case of CA Arcot and Oracle, their WFD products (gained through acquisitions of smaller companies that had WFD and authentication products) have taken a back seat to other product sets sold by these large technology companies. Their existing WFD customers note a lack of vision from the firms, along with poor execution when it comes to staying responsive to customer needs and requirements. In the case of the other three relatively small Niche Players — Digital Resolve, Easy Solutions and Gas Tecnologia — customers are very pleased with the services, and the products or services perform as advertised. However, the firms need to expand their sales and marketing strategies and execution so that their products are more widely known, understood and adopted. Still, Niche Players can often be the best choice for enterprises with specific requirements.

Demand for WFD software and services remains healthy, as cybercriminals continue launching targeted as well as widespread attacks against their prey. Financial services, online commerce and online retail firms continue to be the main adopters of WFD, but WFD is also trickling into other sectors, such as healthcare, insurance, government and other enterprises.

In "The Five Layers of Fraud Prevention and Using Them to Beat Malware," Gartner presents a framework from which to analyze and choose various fraud prevention products. Products and services focused on Web fraud prevention can be found in Layer 1 (endpoint-centric), Layer 2 (navigation-centric) and Layer 3 (user- and account-centric for the online channel). This Magic Quadrant analyzes relevant vendors and products in the first three layers of this framework. (Layer 4 is user- and account-centric across channels and products, while Layer 5 provides entity link analysis that is best able to spot fraud rings and other collusive behavior.)

Many Layer 3 vendors have incorporated Layer 1 technology to strengthen their products. An enterprise best practice is to adopt multiple layers and to feed alerts and scores from Layer 1, Layer 2, and Layer 3 into Layer 4 enterprise fraud management systems to derive a combined score. Layer 5 is then used to analyze relationships across entities, and can also be used to score incoming transactions to determine whether they are part of an already-identified fraud network. Here, we present the vendors' capabilities in each of the WFD and prevention layers (see "The Five Layers of Fraud Prevention and Using Them to Beat Malware" for a description of these layers):

• 41st Parameter — Layer 1: Endpoint-Centric; Layer 3: User- or Account-Centric
• Accertify — Layer 1: Endpoint-Centric; Layer 3: User- or Account-Centric
• CA Arcot — Layer 1: Endpoint-Centric; Layer 3: User- or Account-Centric
• Digital Resolve — Layer 1: Endpoint-Centric; Layer 2: Navigation-Centric; Layer 3: User- or Account-Centric
• Easy Solutions — Layer 1: Endpoint-Centric; Layer 3: User- or Account-Centric
• Gas Tecnologia — Layer 1: Endpoint-Centric
• Guardian Analytics — Layer 3: User- or Account-Centric
• iovation — Layer 1: Endpoint-Centric
• Kount — Layer 1: Endpoint-Centric; Layer 3: User- or Account-Centric
• Nice Actimize — Layer 3: User- or Account-Centric
• Oracle — Layer 1: Endpoint-Centric; Layer 3: User- or Account-Centric
• RSA — Layer 1: Endpoint-Centric; Layer 3: User- or Account-Centric
• Silver Tail Systems — Layer 2: Navigation-Centric; Layer 3: User- or Account-Centric
• ThreatMetrix — Layer 1: Endpoint-Centric
• Trusteer — Layer 1: Endpoint-Centric

Accertify achieves Layer 1 functionality through integration with Layer 1 vendors (such as iovation and ThreatMetrix). Silver Tail Systems achieved Layer 3 functionality as of February 2012.

Since year-end 2010, the market has grown 25% to about $304 million in annual revenue. This growth was largely driven by three key trends:

• The rapid movement and changing nature of hacker attacks rendered useless the fraud prevention solutions that many companies had in place. These companies therefore sought solutions that could be plugged in as needed, without excessive disruption to their IT infrastructures. In a dynamic environment where fraud patterns change quickly, enterprises should deploy a common fraud service layer around their core legacy systems. This helps to future-proof their system environment, since fraud prevention software that is no longer effective can be retired while new software that works can be more easily plugged in.
• A second key WFD requirement that emerged in 2011 was the need to implement real-time WFD solutions. What changed in 2011 is the time between a customer being infected and the account takeover attempt. In the past, fraudsters used to sit on stolen information for days or even months. However, as banks and others got better at thwarting fraud, the time frame of the fraudsters sped up considerably. The objective now should be to compress the time between detection and response, because it can be just seconds or minutes between user infection and account takeover and damage. The time it takes to react can literally make or break a customer's bank account.
• Thousands of financial malware variants, undetected by pervasive signature-based anti-malware endpoint protection, have spread across desktops around the world. Many U.S. and European financial institutions report that anywhere from an average of 2% to 6% of their customer desktops are infected with financial malware (although this percentage can be much lower at other institutions).

Many of the WFD customers that Gartner spoke with reported fraud reduction rates of 80% or more with the various WFD products and services they chose to implement. Their investments were easily paid back — sometimes in as few as six months. Of course, ROI is more difficult to demonstrate in companies that have low fraud rates to begin with. In this case, implementing WFD can be seen as a preventive measure, and as a means of demonstrating that the enterprise is practicing due care and commercially reasonable security.

WFD — 2011 Market Highlights

Since year-end 2010, the market has grown 25% to about $304 million in annual revenue as the need for online fraud prevention escalates. In 2011, smaller vendors with effective solutions offered the products of choice, while the larger vendors, typically representing large technology companies that gained WFD software through company acquisitions, took a back seat in terms of innovation, agility and responsive customer service — all important qualities for a company trying to help in the war against cybercrime. Gartner believes that most of the larger companies lost their focus largely because WFD represents a small portion of their revenue and, thus, does not get the attention it needs to stay competitive. Talented employees from smaller acquired companies tend to leave the large ones, which makes it even harder for the large firms to keep up.

We expect the smaller WFD vendors to continue to drive market growth and innovation in the next 18 months. We also expect more WFD market consolidation in 2013 and beyond as more WFD vendors are acquired by cash-rich companies that sell broader solutions, such as security monitoring, payment processing or IAM.

In the next five years, two macroforces will drive enterprise interest in using WFD technologies for their internal systems, which should further expand the WFD market. These forces include:

• The bring your own device (BYOD) to work phenomenon, where internal users and employees start looking like external customers using unmanaged endpoints
• Cloud computing, where systems are hosted externally, thereby reducing enterprise control over and visibility into application activity

WFD technologies will be instrumental in helping to address the security issues posed by these two macroforces.