Online fraud detection is not an easy task. Fraud comes in many flavors - from malware embedded in mobile apps to click-fraud and account takeover. So it is not surprising that there would evolve applications that address portions of the online fraud landscape. This month, we took a look at four of these and, surprisingly, although we had seen these companies before, their products and services have matured considerably.
It also is not surprising that these tools have matured rapidly because the creativity and effectiveness of online fraudsters seems to know no bounds. All one needs to do is watch the news for the next big breach to appreciate the task that online fraud detection represents.
So, it was with a healthy curiosity that we watched these four products and services perform. Our conclusion is that while we are not quite keeping up with the bad guys - that probably never will happen, if for no other reason than not all organizations deploy these advanced tools - we are getting close to breathing down their backs. That's the good news.
The bad news, of course, is that if you don't deploy the tools you won't prevent the fraud. To that end, we were pleased by their comprehensive capabilities, but a bit daunted by the price tags. However, for all of that, remember that one major breach costs a whole lot more than the cost of the tools to prevent it. As we looked at what these products and services do and how they do it, we were reminded of how the various high-profile breaches of the past couple of years happened and how they could have been prevented. Truly, some organizations can be penny-wise and pound-foolish.
These products almost universally act by detecting things that should not be present but are. It could be the presence of abnormal browsing patterns, malware in the data stream or malware in an Android app. But with the availability of sophisticated analysis algorithms, we are becoming more and more able to detect very small anomalies.
The technologies represented in the four tools we looked at are prodigious. They address the problem slightly differently in each case. One method is to deploy sensors in web applications to detect anomalous behavior. Another is to profile all of the apps in the various app stores and then compare the ones being downloaded into your mobile device with what it should look like, or blacklisting apps that come equipped with malware. Some detect man-in-the-browser attacks.
Overall, we found these four emerging products to set the stage for a comprehensive view of fraud operations against an organization, but in reality each organization will have unique requirements and some mix of products is necessary. Selecting fraud protection tools is a serious undertaking and requires the participation of groups within the organization that go beyond IT and cybersecurity. In a financial services company, for example, support for the fraud investigation team may be appropriate since much of today's fraud is, in fact, online.
So, as you look at solutions to the online fraud problem, be sure that you include the correct players. The second issue to consider is: do you want a hosted service - SaaS - or do you want an on-premise tool? While this decision usually is made based on such things as cost and support, with these tools the ability to benefit from widely distributed data from other deployments is, perhaps, attractive.
The other side of that, of course, is confidentiality. Keeping your analysis in-house may make the most sense if you deal with high value or extremely sensitive data.
The bottom line when selecting the appropriate tool is: understand your environment and the types of fraud it invites, understand the nature of your data and how it is used within your organization, consider the controls already in place and generally augment rather than replace them, and understand how you are prepared to support the tool you buy. Around the $150K range for some of these tools, the cost may not be the best use of your money.