Web Fraud Prevention, Identity Verification & Authentication Guide 2018 2019 Prevention
Page Count: 251
Other remarks For more information contact the company – Thirion de Briel, Olivier Clients Main clients / references For more information contact the company – Thirion de Briel, Olivier Future developments Widening its biometric offering and enhancing threat and fraud detection capabilities.

191 WEB FRAUD PREVENTION & ONLINE AUTHENTICATION MARKET GUIDE 2018-2019 | COMPANY PROFILES

Protect digital identities and accurately assess risk to empower smart decision-making. With the increase of online activities it is essential to be able to assess the level of risk when authenticating digitally. Through data analysis powered by machine learning and artificial intelligence the level of risk can be assessed and a real-time decision engine will enable organizations to manage it and define the authentication steps according to the circumstances. This way, they can effectively protect both employees within the company and their customers. You’ll call it innovation in authentication. We call it, powering trusted identities. Powering Trusted Identities | Visit us at hidglobal.com/hidrms © 2018 HID Global Corporation/ASSA ABLOY AB. All rights reserved. HID, HID Global, the HID Blue Brick logo, and the Chain Design are trademarks or registered trademarks of HID Global or its licensor(s)/supplier(s) in the US and other countries and may not be used without permission.

Company iovation, a TransUnion company iovation, a TransUnion company, was founded in 2004 to make the Internet a safer place to conduct business. iovation protects online brands from cybercriminal activity with online fraud prevention and consumer authentication solutions. Having the world’s largest database of reputation insights, iovation safeguards tens of millions of transactions each day.
Website www.iovation.com Keywords for online profile device identification, device reputation, online fraud prevention, online fraud detection, mobile fraud, account takeover prevention, device-based authentication, customer authentication, online reputation, multifactor authentication, device fingerprinting Business model SaaS Target market Online businesses such as retailers, financial institutions, lenders, prepaid cards, insurers, social networks and dating sites, logistics, gaming/MMO, gambling operators, online auction sites, and travel and ticketing companies. Contact Connie Gougler, Director of Marketing, firstname.lastname@example.org, 503-943-6748 Geographical presence Global: iovation’s business is 51% US and 49% international Active since 2004 Service provider type Device intelligence, fraud detection & prevention, customer authentication, multifactor authentication Member of industry associations and or initiatives Merchant Risk Council, Online Lenders Association Services Unique selling points iovation provides a frictionless, flexible, reliable, real-time SaaS solution for user authentication and fraud prevention that tells our clients if a customer visiting their site is authorized for that account and/or is risky based upon specific criteria for evaluating the transaction or activity. iovation’s global consortium contains the reputations of four billion devices and 55 million fraud events such as chargebacks, identity theft, account takeovers, online scams and many more. Core services iovation offers fraud prevention, customer authentication, multifactor authentication, and transaction reputation scoring Pricing Model Per transaction fee based on system usage depending on volume, type of transaction, and length of contract. 
Fraud prevention partners 4Stop, ACI Worldwide, Avoka, Dealflo, Entrust Datacard, Equifax, Fischer International, Fiserv, Playtech, Regily, Scudetto, Synectic Solutions, TransUnion, TruNarrative Other services Our clients have access to the Fraud Force Community, an exclusive private B2B network of the world’s foremost security experts sharing intelligence about cybercrime prevention, device identification, new threats and other fraud-related topics. Third party connection iovation delivers data in XML format and offers real-time APIs, allowing output to be integrated easily with third-party systems Technology: anti-fraud detection tools available Address verifications services No: While we do not offer AVS services, we capture the IP address of the device in the transaction and its geolocation. We can flag transactions from ‘blocked’ countries, as well as notify clients when mismatches occur between the IP address shown by the user’s browser and the IP address we collect with our Real IP proxy unmasking feature. CNP transactions Yes: iovation’s service is primarily used to detect high risk activity at login, account creation, fund transfer and checkout. In addition, our iovation score helps identify the most trustworthy customers in our clients’ review queues so that they can take good business immediately, and offer higher-value promotions to their preferred customers. Card Verification Value (CVV) No: This service is handled through our client’s payment processor. Bin lookup No: This service is handled through our client’s payment processor. Geo-location Checks Yes: iovation’s clients can flag transactions when activity is coming from an unauthorized country or through a proxy, and they can use our Real IP technology to pinpoint the user’s actual location.
Device Fingerprint Yes: iovation offers a defense-in-depth approach to device recognition, supporting native and web integrations for mobile, tablet and desktop devices. Payer Authentication No: This service is handled through our client’s payment processor. Device-based Authentication Yes: iovation’s authentication service allows clients to use their customer’s known devices to help verify identity. Authentication happens in real-time, behind the scenes, reducing unnecessary friction. Velocity Rules – Purchase Limit Rules Yes: iovation’s velocity rules flag transactions when thresholds are exceeded. These may include situations where too many accounts are accessed per device, or too many new accounts are created within a timeframe. Specific rules include Accounts per Device, Accounts Created per Device, Countries per Account, Countries per Device, Transactions per Account, and Transactions per Device. Our service also flags transaction value thresholds, and other transactional velocities. White list/black list database Yes: iovation clients can flag transactions based on custom-built lists. These can be positive or negative lists. List types include accounts, devices, IP ranges, ISPs, locations and others, and are easily managed across rule sets. Device Anomalies Yes: iovation clients can flag transactions when device settings are anomalous and indicative of risk. While individual device characteristics may not be proof of risk, certain characteristics may be worth monitoring, and several in combination with each other may indicate attempts by the user to evade detection. Fraud and Abuse Records Yes: iovation clients can flag transactions that originate from an account or device already associated with fraud or abuse. Previous fraud or abuse is recorded in our system as evidence.
The customer sets the types of evidence they want to consider, and decides whether to leverage only the evidence they log, or consider the evidence of other iovation subscribers. KYC – Know Your Customer No Credit Rating No Follow up action iovation’s fraud prevention service provides an Allow, Review or Deny result for each transaction. Clients then decide the best course of action to take in response to these results. iovation also returns detailed information about the device associated with the transaction; clients can store this data and correlate it back to identity management and other systems as needed. Authentication Context Online Yes Mobile Yes: iovation’s mobile SDK for iOS and Android identifies jailbroken or rooted devices, and captures device location through IP address, network-based geo-location information, and GPS data. The location services expose mismatches between the reported time zone and location, long distances between transactions made in short periods of time, and other location-based anomalies. It also detects transactions originating from virtual machines or emulators. ATM Yes: iovation’s device-based multifactor authentication solution can be used to facilitate the authentication of a person at an ATM. POS Yes: iovation’s device-based multifactor authentication solution can be used to facilitate the authentication of a person at POS. Call centre Yes: iovation’s device-based multifactor authentication solution can be used to facilitate the authentication of a person contacting a call centre. Reference data connectivity Connectivity to governmental data No Other databases Neustar – IP geolocation Fraud management system type Single-channel fraud prevention system Yes: iovation delivers comprehensive online fraud prevention and customer authentication for mobile, tablet and PC-based transactions. Multi-channel fraud prevention system Our services focus on online transactions and complement a multi-channel prevention system. 
Certification Type iovation is Privacy Shield certified and is SOC 2 compliant as of April 2, 2018. Regulation iovation supports FFIEC compliance by providing device identification and device-based authentication services. Other quality programmes iovation follows strict Quality Assurance processes for new products and services, and offers Service Level Agreements (SLAs) which include 99.9% uptime as a part of all customer agreements. Other remarks For more information, please contact iovation at email@example.com Clients Main clients / references Ikano Bank UK, UMB Bank, NASA Federal Credit Union, 4Finance, Gain Capital, The AA, Gocompare, B&H Photo, Bazaarvoice, No Office Walls, and hundreds more. Future developments For more information, please contact iovation at firstname.lastname@example.org

Company iSignthis iSignthis is a leading e-money, payments, and identity technology company, publicly listed on the Australian Securities Exchange and the Frankfurt Stock Exchange (ASX: ISX | FRA: TA8). Through our patented Paydentity and ISXPay solutions, we enable online businesses to stay on top of the regulatory curve whilst also optimising their payment cycle, in a safe, comprehensive, and cost-effective way. Website www.isignthis.com Keywords for online profile identity verification, authentication, payment gateway, payment processing, card acquiring, e-money issue and redemption, fraud and risk management Business model B2B, transactional Target market Online businesses with specific focus on high-risk/AML regulated sector merchants where (enhanced) Customer Due Diligence KYC is a regulatory requirement. Our solutions are also utilised by merchants seeking to mitigate fraud and chargebacks.
Contact email@example.com Geographical presence Global Active since 2013 Service provider type E-money, identity verification, and payments technology company Member of industry associations and or initiatives ECSG, EPC, EPSM, OIX Services Core services The company’s core services include: Paydentity, which converges real time processing, clearing, and settlement with verification of payment instruments, delivering AML/CFT KYC identification of customers, payments and transaction monitoring simultaneously from a single platform. iSignthis, trading as ISXPay, also offers merchant card acquiring and payment services as an EEA authorised e-money Monetary Financial Institution, as well as transactional banking services including B2B EU based e-money accounts. Unique selling points Paydentity combines the verification of the end-user’s identity with the processing of their payment transaction, to simultaneously satisfy both AML/CFT regulatory requirements whilst clearing payments on behalf of the merchant. Our unique solution protects both online customers/cardholders from fraud whilst also protecting merchants against chargebacks. We deliver compelling evidence to reverse chargebacks and offer CNP liability shift under the incoming EU’s PSD2. 
Pricing Model Transactional Fraud prevention partners N/A Other services Find more information about our products by visiting our website or contacting our team, firstname.lastname@example.org Third party connection Principal of Visa, Mastercard, AMEX, JCB, UnionPay in Europe and Australia, with a number of partner networks spanning the rest of the world Technology: anti-fraud detection tools available Address verifications services Yes CNP transactions Yes Card Verification Value (CVV) Yes Bin lookup Yes Geo-location Checks Yes Device Fingerprint Yes Payer Authentication Yes Velocity Rules – Purchase Limit Rules Yes White list/black list database Yes KYC – Know Your Customer Yes Credit Rating Yes Follow up action Payment instrument verification, two-factor authentication, mobile OTP Other N/A Authentication Context Online Yes Mobile Yes ATM No POS No Call centre No other N/A Reference data connectivity Connectivity to governmental data Yes: globally Other databases Additional information available upon request Fraud management system type Single-channel fraud prevention system Yes Multi-channel fraud prevention system Yes Certification Type PCI DSS 1, ISO 27001 Regulation Licensed/regulated in both Australia and the European Economic Area to process, clear, and settle payments Other quality programmes SWIFT BIC: ISEMCY22, CBC EMI License # 220.127.116.11 (passported to all EEA states) Other remarks N/A Clients Main clients / references Top tier high-risk merchants in the financial services, adult, gaming, gambling sectors as well as a range of money and payment service providers Future developments - strengthen our established iSXPay platform by expanding our Tier 1 connections across geographies and partner networks - utilise our e-money license in conjunction with our other products to offer additional transactional banking capabilities to our merchants - continue our
strategic acquisitions like our recent one of Probanx, which currently supplies core banking software to banks across three continents

Company Kount Kount’s award-winning fraud management, identity verification and online risk detection technology empowers digital businesses, online merchants and payment service providers around the world. With Kount, businesses approve more orders, uncover new revenue streams, and dramatically improve their bottom line all while minimising fraud management cost and losses. Kount delivers certainty in every digital interaction. Website www.kount.com Keywords for online profile fraud prevention, account takeover, payment security, ecommerce, AI, machine learning, merchant network, authentication Business model SaaS Target market ecommerce, financial institutions, payment services providers, online communities, web merchants, apparel, automotive, quick serve restaurants, loyalty, digital streaming, electronics, food/beverage, health/beauty, home/kitchen, gaming/gambling, telecom, travel/leisure, other online and card not present businesses Contact email@example.com Geographical presence Worldwide Active since 2007 Service provider type SaaS technology vendor, web fraud detection company Member of industry associations and or initiatives Merchant Risk Council, National Retail Federation, CPE Credit Certification by NASBA, Internet Merchants Retail Group, Global Retail Insights Network. Services Unique selling points Through Kount’s global network and proprietary technologies in AI and machine learning, combined with policy and rules management, customers thwart online criminals and bad actors. Kount’s continuously adaptive platform provides certainty for businesses at every digital interaction.
Core services Kount’s proprietary techniques and patented technology, including: superior mobile fraud detection, machine learning, feature engineering, multi-layer device fingerprinting, IP proxy detection and geo-location, transaction and custom scoring, global order linking, business intelligence reporting, comprehensive order management and professional services Pricing Model Tiered SaaS-based pricing model Fraud prevention partners - Channel Partners: BlueSnap, Braintree (a PayPal Service), Cayan, Chase, Conekta, Etisalat, Eway, First Atlantic Commerce, Global Payroll Gateway, J.P. Morgan, LimeLight, MaxiPago, Moneris, Openpay, PayCertify, Pinpoint Intelligence, Recurly, Sage - Ecommerce Partners: 3dcart, demandware, Magento, mozu, Pulse Commerce, Xcart Other services Chargeback managed services, risk-based authentication, fingerprinting, data orchestration, quarterly business review, policy/rules management, sales and marketing support (Kount Central Product), DataMart business intelligence, comprehensive onboarding and ongoing training support, dedicated client success manager, service support knowledge base. Third party connection BehavioSec, Chargebacks 911, Ethoca, LexisNexis, Neustar, TeleSign, WhitepagesPro. Technology: anti-fraud detection tools available Address verifications services Yes CNP transactions Yes Card Verification Value (CVV) No Bin lookup Yes Geo-location Checks Yes Device Fingerprint Yes Payer Authentication No Velocity Rules – Purchase Limit Rules Yes White list/black list database Yes KYC – Know Your Customer Yes Credit Rating No Follow up action Robust APIs and case management to trigger any type of follow up action. Other Complete case management, agent management and reporting, mobile SDK for superior device authentication, mobile app and mcommerce fraud prevention, supervised and unsupervised machine learning.
Authentication Context Online Yes Mobile Yes ATM No POS No Call centre Yes other In-store kiosk, mail order, omnichannel. Reference data connectivity Connectivity to governmental data No Other databases WhitepagesPro, BehavioSec Fraud management system type Single-channel fraud prevention system Yes Multi-channel fraud prevention system Yes Certification Type PCI Compliance Level 1 Service Provider and Participating Organization, SOC 2 Type II, Privacy Shield, GDPR. Regulation More information available upon request Other quality programmes More information available upon request Other remarks Contact firstname.lastname@example.org for more information. Clients Main clients / references CD Baby, Crate & Barrel, Domino’s Pizza, Dunkin’ Brands, Hydrobuilder, Jagex, JOANN Fabric & Crafts, Leatherman, Micro Center, PetSmart, Staples, The Iconic, The Source, The Vitamin Shoppe, TickPick, WebJet, and more. Future developments Kount is continuously delivering net new functionality month after month, contact email@example.com for more information.

Increase Sales with Better Fraud Protection Get back to business and let Kount take fraud off your hands. Digital businesses using Kount have the confidence to grow boldly. How? Kount aggregates billions of transactions through its global network, feeding its AI and machine learning to expose fraud more accurately than other systems, in milliseconds. Weigh the value of each customer against potential fraud risk to maximize conversions with Kount. Learn more about Kount’s powerful tools for online retailers at www.kount.com Boost Sales. Beat Fraud.

Company Melissa Melissa is a leading provider of electronic identity verification, entity resolution and global contact data quality.
Since 1985, we’ve helped more than 10,000 organisations worldwide to achieve and maintain quality data for a single, accurate and reliable customer view. Melissa’s solutions help companies operate more efficiently, deliver outstanding customer service and minimise risk. Website www.melissa.com Keywords for online profile eIDV, KYC, identity verification, contact data, payment, fraud detection Business model Real-time API integration and cloud-based Target market Card issuers, payment processors, financial institutions, payment services providers, government services, online communities/web merchants, gaming and gambling, other online businesses Contact firstname.lastname@example.org Geographical presence Global Active since 1985 Service provider type Web fraud detection company, digital identity service provider and technology vendor Member of industry associations and or initiatives Armed Forces Communications and Electronics Association (AFCEA) Services Unique selling points Real-time integration allows you to verify that your customer is who they say they are in seconds. Melissa’s services speed up customer onboarding and simplify checkout while minimising the risk of fraud and helping you stay compliant with industry regulations. Core services Cloud-based identity resolution (national ID and age verification, watch list/PEP screening, contact data validation), location intelligence and consumer insights Pricing Model Annual subscription based on volume Fraud prevention partners Scanovate Other services Optical character recognition (OCR) and data quality solutions that verify, standardise, update, enrich and dedupe data.
Third party connection Scanovate Technology: anti-fraud detection tools available Address verifications services Yes CNP transactions Yes Card Verification Value (CVV) No Bin lookup No Geo-location Checks Yes Device Fingerprint No Payer Authentication Yes Velocity Rules – Purchase Limit Rules No White list/black list database Yes KYC – Know Your Customer Yes Credit Rating No Follow up action Additional authentication (out of band authentication) and transaction verification capabilities Other Person and company authentication for name, address, phone, email, national ID, location, demographics and IPv4 information Authentication Context Online Yes Mobile Yes ATM No POS No Call centre Yes other For more information, please contact the company. Reference data connectivity Connectivity to governmental data International government data sources Other databases Credit, consumer, commercial, telco, utility, and other proprietary data sets Fraud management system type Single-channel fraud prevention system No Multi-channel fraud prevention system Yes Certification Type SOC 2 type II, HIPAA/HITECH, US/EU privacy shield, USPS® CASS™ and Canada Post® SERP Certified™ Regulation KYC, anti money laundering (AML), Bank Secrecy Act (BSA) Other quality programmes Primary compliance, fraud prevention, watchlist screening/Politically Exposed Persons (PEP) Other remarks Melissa operates numerous redundant, distributed server farms across the globe to ensure 99.99% uptime. Beyond the 99.99%, we offer service level agreements (SLAs) for those who need them. Our RESTful API provides data in both XML and JSON, and features SSL 256‑Bit Encryption. Clients Main clients / references Bank of America, Citi Bank, US Bank, Discover, Volvo Car Financial Services, Sun Trust, Meta Bank, car2go Future developments For more information, please contact the company.
Fight Fraud & Declare Independence from Untrusty Identities Losing money each year to fraud and compliance costs? Join the fight! Break free from bad contact data with Melissa. We offer affordable solutions that quickly provide real-time electronic ID verification – so you know who you’re doing business with, at the time you’re conducting business – every time.
• Real-time global ID verification
• National ID, age & name-to-address check
• Mobile identity management with OCR
• Demographic & location data enrichments
• PEP & international watch list screening
See how Melissa eIDV solves your specific business needs. Request a Free Demo. Melissa.com/revolution 1-800-MELISSA

Company RISK IDENT RISK IDENT is an anti-fraud software development company based in the US and Europe that protects companies within the ecommerce, telecommunication, and financial sectors. RISK IDENT’s machine-learning software uses sophisticated data analytics to block any kind of fraud, all with a human-friendly user interface that simplifies a fraud prevention team’s decision-making process.
Website www.riskident.com Keywords for online profile online fraud prevention, account takeover prevention, device identification, worldwide device pool, automatic fraud detection, fraud case processing, credit risk evaluation, mobile SDK Business model Direct and through partners Target market - online merchants - financial institutions - payment services providers - online communities - gaming and gambling - other online businesses Contact email@example.com Geographical presence Global Active since 2013 Service provider type - technology vendor - fraud detection Member of industry associations and or initiatives Merchant Risk Council Services Core services RISK IDENT battles payment fraud and account takeovers with a collection of highly developed software products that are easy to integrate. The software applies algorithms and machine learning on different data feeds to identify fraud risks on a variety of devices. FRIDA is an intelligent all-in-one solution that analyses transactions using data analytics and machine-learning. It will continuously adapt to changing fraud patterns. DEVICE IDENT, a sophisticated device fingerprinting technology on the market, uses efficient rule sets that calculate a risk score for every device – including an SDK for native mobile applications.
Core services - fraud detection and credit scoring software - device fingerprinting services Pricing Model Monthly licensing fees (FRIDA)/Per transaction (DEVICE IDENT) Fraud prevention partners For more information please contact the company Other services For more information please contact the company Third party connection Yes Technology: anti-fraud detection tools available Address verifications services Yes CNP transactions Yes Card Verification Value (CVV) No Bin lookup Yes Geo-location Checks Yes Device Fingerprint Yes Payer Authentication No Velocity Rules – Purchase Limit Rules Yes White list/black list database Yes KYC – Know Your Customer Yes Credit Rating Yes Follow up action Various Other For more information please contact the company Authentication Context Online Yes Mobile Yes ATM No POS Yes Call centre No other For more information please contact the company Reference data connectivity Connectivity to governmental data No Other databases Identity and address providers, credit scoring providers Fraud management system type Single-channel fraud prevention system Yes Multi-channel fraud prevention system Yes Certification Type For more information please contact the company Regulation For more information please contact the company Other quality programmes For more information please contact the company Other remarks Fully EU data privacy compliant Clients Main clients / references Key investor is Otto Group, Europe’s biggest online retailer Future developments For more information please contact the company

DOES FRAUD AFFECT YOUR BUSINESS? Think like a fraudster and fight the bad guys! Safeguard your enterprise and your customers by halting the sophisticated strategies of fraudsters and minimizing false positives – both of which boost sales.
We believe every business should have the most up-to-date technology in the fight against fraud. Stop fraudsters in their tracks and simultaneously create a better customer experience with RISK IDENT. As global experts with long-term experience in data science and machine learning, we offer highly efficient anti-fraud solutions that protect millions of transactions within e-commerce, telecommunications and financial services – each and every day. www.riskident.com | firstname.lastname@example.org

Company RSA RSA, a Dell Technologies business, offers business-driven security to help organisations manage digital risk and protect what matters most. Award winning cybersecurity solutions from RSA can detect and respond to advanced attacks, manage user identities and access, and reduce business risk, fraud, and cybercrime. RSA protects millions of users around the world and helps more than 90% of Fortune 500 companies thrive in an uncertain, high-risk world. For more information, go to rsa.com. Website www.rsa.com Keywords for online profile fraud detection, fraud prevention, consumer authentication, adaptive authentication, 3-D Secure, CNP transactions, account takeover, PSD2 Business model Direct and partners Target market - financial institutions - payment services providers - card issuers - insurance and brokerages - ecommerce Contact https://www.rsa.com/en-us/contact-us 800-995-5095 Geographical presence North America, Europe, Middle East, Africa, AsiaPac, India, LATAM, Japan Active since 1982 Service provider type - technology vendor - web fraud detection company Member of industry associations and or initiatives FS-ISAC, NACHA, U.S. Payments Forum, NEACH, EMVCo, National Cybersecurity Alliance Services Unique selling points Omnichannel support: organisations can send RSA Adaptive Authentication details of transactions outside of the traditional web and mobile channels for risk assessment.
Fraud detection rates: achieve 95% fraud detection rate with less than 5% requiring step-up authentication. The RSA eFraudNetwork: a global cross-organisational database of confirmed fraud data gathered from an extensive network of RSA customers, ISPs, and third-party contributors worldwide. The eFraudNetwork is one of the many factors that contribute to the RSA Risk Engine in determining fraud risk. Transaction Signing: RSA Adaptive Authentication offers transaction signing, which can optionally integrate with biometrics as a stronger means of authentication layered on top of the payment transaction signature. Core services RSA Adaptive Authentication is an advanced, omni-channel fraud detection hub that provides risk-based, multi-factor authentication for organisations seeking to protect their consumers from fraud across digital channels. Powered by the RSA Risk Engine, RSA Adaptive Authentication is designed to measure a user’s login and post-login activities by evaluating a variety of risk indicators. Using powerful machine learning, in company with options for fine-grained policy controls, the RSA Adaptive Authentication anti-fraud hub only requires additional assurance, such as out-of-band authentication, for scenarios that are high risk and/or violate rules established by an organisation. This methodology provides transparent authentication for the majority of the users, ensuring a positive user experience. Pricing Model RSA Adaptive Authentication can be purchased in an On-Premise or Cloud deployment. - On-Premise: user-based; supports both Perpetual and Subscription licenses - Cloud: transaction-based; supports Subscription licenses - Perpetual user licenses: once the customer pays for them, they are theirs for perpetuity, no additional payment required ever - Subscription user licenses: these are paid for a pre-determined time; at the end of that time, the user must renew their subscription. Maintenance is included.
- Software maintenance: this is tied to the perpetual user licenses. This is a yearly renewable cost based on the number of user licenses that customer owns. The software maintenance allows for customer support, upgrades, and access to RSA’s extensive knowledge base.
Fraud prevention partners: Partners include, but are not limited to: Jack Henry, FiServ, TODO1, ACI, & FIS
Other services: Out of Band SMS/Phone integration partners include Telesign & Authentify
Third party connection: If a customer is interested in integrating data elements from an existing third-party relationship, they may do so by utilising the ecosystem approach. Through the RSA Adaptive Authentication ecosystem approach, organisations can use the RSA Risk Engine to consume external data elements, in addition to RSA’s predefined facts, to calculate a risk score. By utilising 3rd party facts to influence the risk assessment and impact the risk score, customers can contribute additional insights from both internal business intelligence and additional anti-fraud tools.
Technology: anti-fraud detection tools available
Address verifications services: Yes: can facilitate a billing address (AVS) check via RSA Adaptive Authentication for eCommerce with issuer/processor.
CNP transactions: Yes: only with the issuer/issuing processor side
Card Verification Value (CVV): Yes: can consume and verify as part of RSA Adaptive Authentication for eCommerce.
Bin lookup: Yes: can verify fraud tied to a BIN or specific card number as part of RSA Adaptive Authentication for eCommerce.
Geo-location Checks: Yes: part of the RSA Risk Engine in both RSA Adaptive Authentication and RSA Adaptive Authentication for eCommerce.
Device Fingerprint: Yes: part of the RSA Risk Engine in both RSA Adaptive Authentication and RSA Adaptive Authentication for eCommerce.
Payer Authentication: Yes: part of RSA Adaptive Authentication for eCommerce (3-D Secure ACS service)
Velocity Rules – Purchase Limit Rules: Yes: can deploy in rules in both RSA Adaptive Authentication and RSA Adaptive Authentication for eCommerce.
White list/black list database: Yes: can facilitate these in both RSA Adaptive Authentication and RSA Adaptive Authentication for eCommerce.
KYC – Know Your Customer: No
Credit Rating: No
Follow up action: Breadth of Step-up authentication modalities, paired with the flexibility of the Multi-Credential Framework:
- biometrics: fingerprint and face ID
- transaction signing
- SMS/Phone call
- push notification
- challenge questions
- knowledge-based authentication (KBA)
- OTP
- email
- multi-credential framework: third-party authentication methods can be integrated via the RSA Multi-Credential Framework, such as tokens (like RSA SecurID) or card readers
Other: IP address, Known Bad IP, Geo-Velocity, Device Type, cookie, device health assessment (i.e. RSA Adaptive Authentication RDP Trojan Protection), Device history, User Attributes, User History, new device check, jailbroken/rooted device
Authentication Context
Online: Yes
Mobile: Yes
ATM: Yes
POS: No
Call centre: Yes
Other: IVR, custom IOT channel
Reference Data connectivity
Connectivity to governmental data: Not out of the box. However, a customer can integrate a data store via the RSA Adaptive Authentication “ecosystem approach”, to contribute new data elements in the form of risk score custom facts.
Other databases: RSA eFraudNetwork. The RSA eFraudNetwork is a global cross-organisational database of confirmed fraud entities gathered from an extensive network of RSA customers, ISPs, and third-party contributors worldwide. When fraudulent activity is identified, the data elements associated with this activity, such as device or payee, are shared via the RSA eFraudNetwork.
When RSA Adaptive Authentication identifies a mule account, an account used to transfer funds that have been obtained fraudulently, it is flagged as high-risk and the mule account details are shared through the RSA eFraudNetwork service. The RSA eFraudNetwork service provides direct feedback to the RSA Risk Engine, so that future transactions or activities attempted from a device or IP address that appears in the RSA eFraudNetwork service data repository are classified as high risk. In addition, through the RSA Adaptive Authentication ecosystem approach, an organisation can consider the database of their choice, to influence the risk assessment: Through the RSA Adaptive Authentication ecosystem approach, organisations can use the Risk Engine to consume data elements, in addition to RSA’s predefined facts, to calculate a risk score. By utilising third party facts to influence the risk assessment and impact the risk score, customers can contribute additional insights from both internal business intelligence and additional anti-fraud tools.
Fraud management system type
Single-channel fraud prevention system: Yes
Multi-channel fraud prevention system: Yes
Certification
Type
Regulation
- RSA Adaptive Authentication: GDPR
- RSA Adaptive Authentication for eCommerce: PCI DSS, EMVCo
Other quality programmes: For more information, contact RSA
Other remarks: For more information, contact RSA
Clients
Main clients / references: Financial services, insurance, brokerages, ecommerce, healthcare
Future developments: RSA Forward Looking Statements Notice: concepts presented for consideration only. RSA makes no representation and undertakes no obligations with regard to product planning information, anticipated product characteristics, performance specifications, or anticipated release dates (collectively, “Roadmap Information”). Roadmap Information is provided by RSA as an accommodation to the recipient solely for purposes of discussion and without intending to be bound thereby.
Copyright 2017 Dell Technologies Corp. All rights reserved.
- Enhanced omnichannel strategy – support for the ingestion of raw data across channels in addition to enriched data.
- Improved Risk Scoring with deep entity profiling – to create a more accurate profile of consumers by leveraging insight into consumers’ online banking and ecommerce activities, web-session intelligence and recovered compromised data from deep-web sources. The combined information will ultimately lead to stronger fraud detection rates and lower false positives.
- eFraudNetwork Global Community Intelligence Sharing Enrichment – community data sharing platform will be enriched by extending consumers’ behavioural patterns outside of one single customer and expand the types of data/knowledge that is shared, including recommendations on policy settings derived from like-sized entities.
- Easing the integration process will lower customers’ TCO (resources needed to integrate) and allow easier implementations allowing smaller organisations to perform more self service.
- Automated case/alert handling – to help customers deal with growing caseloads and as a result, reduce TCO.

Company: SecureKey Technologies
SecureKey is a leading identity and authentication provider that simplifies consumer access to online services and applications.
Website: www.securekey.com
Keywords for online profile: digital Identity, authentication, blockchain
Business model: Info upon request
Target market: Info upon request
Contact: email@example.com
Geographical presence: Global
Active since: 2009
Service provider type: Digital identity service providers
Member of industry associations and initiatives: DIACC, OIX, FIDO, Hyperledger, GPS, IDPro, Kantara
Services
Core services: SecureKey Concierge and Verified.Me
Other services: E.g.
transaction services: offering connectivity to other credential issuers
Unique selling points: Verified.Me, by SecureKey Technologies, is a new service to help you verify your identity, so you can get things done fast online, in person and on the phone. Verified.Me helps you verify your identity quickly and securely from any iOS or Android smartphone, using personal information that you consent to share from your connections. You always stay in control by choosing when to share your information and with whom, reducing unnecessary oversharing of personal information in order to access the services you want. The Verified.Me service is protected with strong security protocols to prevent personal information from being identified, accessed or misused. Verified.Me uses blockchain technology to securely and privately transfer your personal information to trusted network participants, giving you easy access to the services you want, when you want them. Contact us today to learn more about joining our growing network.
Pricing model: N/A
Partners: See full list here: https://securekey.com/partner-directory/
Offering: authentication technology used
Technology used: Info upon request
Authentication context
Online: Yes
Mobile: Yes
ATM: Info upon request
Branch/Point of Sale: Info upon request
Call Centre: Info upon request
Other: Info upon request

An ecosystem approach to verifying digital identity
Verified.Me is the new and secure way to help you verify your identity, so you can quickly get access to the services and products you want online, in person and on the phone.1 Visit www.securekey.com/join us to learn more. Some features are not yet available.
©SecureKey Technologies Inc. All Rights Reserved.

Company: Sedicii
In the world of regulated digital services Sedicii delivers robust, efficient, and fast customer onboarding services in full compliance with the most stringent CDD, KYC, AML, and Data Privacy obligations. Sedicii’s Zero knowledge proof technology provides state-of-the-art capability for real-time identity verification against trusted identity providers that is completely privacy preserving.
Website: https://sedicii.com/
Keywords for online profile: digital identity, remote onboarding, e-Identity, real-time authentication, AML, KYC, AMLD5, PSD2, fraud detection
Business model: Subscription-based, transaction-based
Target market: Financially regulated industries: financial institutions, governments, legal and accounting, retailing/merchants, telco, and more
Contact: firstname.lastname@example.org
Geographical presence: Global
Active since: 2013
Service provider type: Privacy preserving identity authentication and verification services
Member of industry associations and initiatives: World Economic Forum, FIDO Alliance
Services
Unique selling points: Sedicii’s streamlined identity authentication and verification network uses advanced ZKP technology. It enables verification of identity attributes without data being exposed or exchanged, thereby ensuring that both the privacy of the individual, and the confidentiality and integrity of the Identity Providers’ data remains intact.
Core services: Secure account creation, robust, secure, real-time KYC/AML/GDPR compliant onboarding document/information capture, identity proofing, background checks, risk profiling, live video interview
Pricing Model: Subscription-based, transaction-based
Fraud prevention partners: For more information contact the company
Other services: Identity Verification against Identity Providers connected to the network eliminates data exposure during the checking process
Offering: authentication technology used
PIN: Yes
Password/phrase: Yes
Token: Yes
Card: N/A
Digital certificates (hosted yes/no): N/A
Multifactor authentication: Yes
Biometrics: Yes
Authentication context
Online: Yes
Mobile: Yes
ATM: No
Branch/Point of Sale: No
Call Centre: Yes
Other: For more information contact the company
Issuing process (if applicable)
Assurance levels conformity: OAuth 2
Online issuing process (incl lead time in working days): Real-time digital onboarding and proofing of digital identities supporting several identity credentials - liveness checks and image recognition of global ID documents
Face-to-face issuing (incl lead time in working days): N/A
Issuing network: For more information contact the company
Attributes offered
Persons: Address, age, passport
Companies: For more information contact the company
Reference data connectivity
Connectivity to governmental data: For more information contact the company
Other databases: Background checking against more than 1,000 global watchlists
Certification
Type: For more information contact the company
Regulation: KYC, AML, PSD2, GDPR
Other quality programs: FIDO Alliance
Other remarks: World Economic Forum Panelist
Clients
Main clients / references: Global banks, utilities, telcos
Future developments: Zero Knowledge Proof high-assurance verification against authoritative sources

Company:
Sift Science
Sift Science is a machine learning company that fuels business growth by empowering world-leading online businesses to drive risk-free user experiences. Sift dynamically prevents fraud and abuse by combining industry leading technology and expertise, a global data network and long-term customer partnership. Global brands such as Twitter, Airbnb, Yelp!, Shutterstock, Jet.com, Indeed and Wayfair rely on the Sift Science Digital Trust Platform for access to a global network of fraud data, more than 16,000 fraud signals, and its unique ability to detect and prevent fraud in real time.
Website: www.siftscience.com
Keywords for online profile: fraud prevention, account takeover, content abuse, fraud detection, machine learning, ecommerce fraud, fraud prevention software, chargebacks
Business model: SaaS
Target market: Ecommerce, financial institutions, payment services providers, online communities, web merchants, gaming and gambling, travel, on-demand services, online ticketing, marketplaces
Contact: email@example.com
Geographical presence: Global
Active since: 2011
Service provider type: SaaS technology vendor, web fraud detection company
Member of industry associations and or initiatives: Merchant Risk Council
Services
Unique selling points: Real-time machine learning, global network, advanced automation
Core services: A suite of products that prevent payment fraud, account takeover, content abuse, fake accounts, and promo abuse
Pricing Model: Pay as you go with volume discounts based on transaction volume
Fraud prevention partners: Soon
Other services: Account management, integration support
Third party connection: Contact us for more information
Technology: anti-fraud detection tools available
Address verifications services: Yes
CNP transactions: Yes
Card Verification Value (CVV): Yes
Bin lookup: Yes
Geo-location Checks: Yes
Device Fingerprint: Yes
Payer Authentication: No
Velocity Rules – Purchase Limit Rules: Yes
White list/black list
database: Yes
KYC – Know Your Customer: No
Credit Rating: No
Follow up action: Yes
Other: Yes
Authentication Context
Online: Yes
Mobile: Yes
ATM: No
POS: No
Call centre: No
Other: No
Reference data connectivity
Connectivity to governmental data: No
Other databases: Multiple
Fraud management system type
Single-channel fraud prevention system: No
Multi-channel fraud prevention system: Yes
Certification
Type: Information Security (SOC 2 Type 2)
Regulation: N/A
Other quality programmes: Contact us for more information
Other remarks: Contact us for more information
Clients
Main clients / references: Airbnb, Twitter, Wayfair, Yelp!, Jet.com, Remitly, OpenTable, Indeed, Zoosk, Instacart, Everlane, Patreon
Future developments: Expanding products and markets

Company: Simility, a PayPal Service
Simility offers real-time risk and fraud decisioning solutions to protect global businesses. Simility’s offerings are underpinned by the Adaptive Decisioning Platform, built with a data-first approach to deliver continuous risk assurance. By combining artificial intelligence (AI) and big data analytics, Simility helps businesses orchestrate complex decisions to reduce friction, improve trust, and solve complex fraud problems. Built by industry veterans, Simility is trusted by some of the world’s leading consumer brands across financial services, payment processors and commerce merchants. Simility was recently acquired by PayPal, and will leverage their partnership to continue developing innovative fraud and risk management solutions for the digital-first economy.
Website: https://simility.com/
Keywords for online profile: fraud detection, identity assurance, risk management, decision orchestration, fraud prevention, trust and safety, authentication
Business model: SaaS and on-premise models
Target market:
- ecommerce, marketplaces, digital commerce, on-demand/sharing economy, classifieds, financial institutions, fintech (banks, mobile wallets, and more)
- payment services providers (acquirers, payment gateways, payment processors)
Contact: firstname.lastname@example.org
Geographical presence: Global coverage with offices in Palo Alto (US), Dallas (US), Hyderabad (India), London (UK), Amsterdam (NL), and Sao Paulo (Brazil)
Active since: 2014
Service provider type:
- technology vendor
- web fraud detection company
Member of industry associations and/or initiatives: Merchant Risk Council, SOC2 Type II compliant, PCI compliant
Services
Unique selling points: Complete enterprise fraud management platform, with ingress processing, Device Recon, third party validation, analytics, machine learning, and case management
Core services: Fraud and risk management
Pricing model: Per-transaction and on-premise license pricing models
Fraud prevention partners: Assertiva
Other services: Data-Science-as-a-Service, historical data analysis
Third party connection: Simility can connect to various 3rd party feeds, including internal customer data feeds.
Technology: anti-fraud detection tools available
Address verifications services: Yes, through third-party services
CNP transactions: Yes
Card Verification Value (CVV): More information available upon request
Bin lookup: Yes
Geo-location checks: Yes
Device fingerprint: Yes
Payer authentication: Yes
Velocity rules – Purchase limit rules: Yes
White list/black list database: Yes
KYC – Know Your Customer: Yes
Credit rating: No
Follow up action: Yes
Other: IP blacklists, device fingerprint
Authentication context
Online: Yes
Mobile: Yes
ATM: More information available upon request
POS: Yes
Call centre: More information available upon request
Other: Branch banking data
Reference data connectivity
Connectivity to governmental data: More information available upon request
Other databases: Yes, we work with a variety of third party services
Fraud management system type
Single-channel fraud prevention system: More information available upon request
Multi-channel fraud prevention system: Yes
Certification
Type: SOC2 Type I and II, PCI compliance
Regulation: More information available upon request
Other quality programmes: More information available upon request
Other remarks: More information available upon request
Clients
Main clients / references: Customers include Global 500 in financial services, ecommerce, payments, classifieds. Public references include US Bank, Chime, Jumia, OfferUp, Luisaviaroma, Zions Bank.
Future developments: Further interactive data visualisation and out-of-the box integrations with new data sources.
Transforming the way analysts detect fraud
Tailored, end-to-end solutions that provide real-time fraud intelligence
- Purpose-built Data Lake
- Big-data Enabled
- State-of-the-art, White-box Machine Learning
- Continuous Rules Optimization
- Powerful Decision Engine
GET STARTED TODAY
An AI-based fraud prevention and risk management platform that continuously adapts as fraud evolves. See for yourself: WWW.SIMILITY.COM/DEMO

Company: ThreatMetrix, a LexisNexis Risk Solutions Company
ThreatMetrix, A LexisNexis Risk Solutions Company, empowers the global economy to grow profitably and securely without compromise. With deep insight into hundreds of millions of anonymised digital identities, ThreatMetrix ID delivers the intelligence behind 110 million daily authentication and trust decisions, to differentiate legitimate customers from fraudsters in real time.
Website: www.threatmetrix.com
Keywords for online profile: digital identity, authentication, identity verification, fraud detection, mobile fraud, web fraud, forensics, threat detection
Business model: Software-as-a-Service (SaaS)
Target market:
- banking and brokerage
- ecommerce
- gaming
- government
- healthcare
- insurance
- lending
- media
- payment processing
- telecommunications
- travel
Contact: Courtney Austin, Senior Director EMEA Marketing, ThreatMetrix
Geographical presence: Worldwide: more than 185 countries
Active since: 2005
Service provider type:
- digital identity service provider
- technology vendor
- web fraud detection company
Member of industry associations and or initiatives: FIDO, One World Identity, MRC
Services
Unique selling points: Comprehensive platform to manage fraud, authentication, and identity decisions.
By seamlessly combining digital identity intelligence from ThreatMetrix with vast offline data sources from LexisNexis Risk Solutions, organisations get unparalleled visibility into the true identity of their users in order to instantly differentiate between trusted consumers and fraudsters.
Core services: Digital identity, risk-based authentication, fraud prevention, mobile security, knowledge-based authentication
Pricing Model: Tiered pricing based on transaction volume
Fraud prevention partners: ACI, Cardinal Commerce, CyberSource, First Data, FIS, Fujisoft, Gemalto, LexisNexis, nets, Paysafe and Worldpay.
Other services: Prevention against account takeover, new account registration and payment fraud; strong authentication; behavioural analytics and machine learning; bot and remote access trojan detection; professional services
Third party connection: Yes
Technology: anti-fraud detection tools available
Address verifications services: Yes
CNP transactions: Yes
Card Verification Value (CVV): No
Bin lookup: No
Geo-location Checks: Yes
Device Fingerprint: Yes
Payer Authentication: Yes
Velocity Rules – Purchase Limit Rules: Yes
White list/black list database: Yes
KYC – Know Your Customer: Yes
Credit Rating: No
Follow up action: Additional authentication (out of band authentication) and transaction verification capabilities
Other: Carrier ID for strong mobile authentication
Authentication Context
Online: Yes
Mobile: Yes
ATM: No
POS: No
Call center: Yes
Other: No
Reference Data connectivity
Connectivity to governmental data: Yes
Other databases: ThreatMetrix Digital Identity Network is one of the largest databases for monitoring customers providing global shared intelligence. Every day millions of consumer events are logged as well as thousands of high risk flags.
Fraud management system type
Single-channel fraud prevention system: Yes
Multi-channel fraud prevention system: Yes
Certification
Type: SOC-2 expected in 2019
Regulation: No
Other quality programs: No
Other remarks: No
Clients
Main clients / references: Netflix, Lloyds Banking Group, Visa, Yandex.Money, Gumtree
Future developments: Continued platform integrations between ThreatMetrix and LexisNexis Risk Solutions

www.threatmetrix.com
The Decision Engine for Seamless Digital Business
Fighting fraud with digital identity intelligence from billions of transactions and a powerful decision platform.
ThreatMetrix® Digital Identity Network®
Harness the power of global shared intelligence from the largest network of its kind.
- 40b annual network transactions
- 165k websites & apps supported
- 4.5b unique devices identified
- .8b unique email addresses
- 1.5b mobile devices
- 185 countries served globally

Company: Trulioo
Trulioo is a global identity and business verification company that provides secure access to reliable, independent, trusted data sources to instantly verify customers and merchants online. Trulioo’s instant online verification platform, GlobalGateway, helps organisations comply with AML and KYC requirements by automating due diligence workflows across borders through a single solution.
Website: www.trulioo.com
Keywords for online profile: regtech, KYC, Know Your Customer, AML compliance, identity verification, ultimate beneficial owners, identity checks, customer due diligence
Business model: Transaction-based
Target market: Financial services providers, banks, payments, remittance, ecommerce, gaming, and online marketplaces
Contact: email@example.com
Geographical presence: Global
Active since: 2011
Service provider type: Digital Identity Service Providers
Member of industry associations and initiatives: More information available upon request
Services
Unique selling points: Trulioo’s GlobalGateway offers clients secure access to 5 billion people, more than 100 countries, 250 million companies, and 400 data sources through a single API integration for instant verification.
Core services: Digital electronic identity verification
Pricing Model: Pricing is per transaction and based on volume and complexity.
Fraud prevention partners:
Other services: Offers Mobile ID, business verification and ID document verification.
Offering: authentication technology used
PIN: No
Password/phrase: Yes (for API)
Token: No
Card: No
Digital certificates (hosted yes/no): No
Multifactor authentication: Yes (in the portal)
Biometrics: Yes
Authentication context
Online: Yes
Mobile: Yes
ATM: No
Branch/Point of Sale: Yes
Call Centre: Yes
Other: N/A
Attributes offered
Persons: First, middle and last name, DOB; minimum age, gender, address, mobile/telephone number, email address, driver licence number and expiry, National IDs
Companies: Date of incorporation, jurisdiction of incorporation, shareholder list document, financial information document, address, mobile/telephone number, email address
Reference data connectivity
Connectivity to governmental data: Citizens register, company register, IDs
Other databases: Utility bills, mobile network operators, social data, credit databases
Certification
Type: ISO27001
Regulation: KYC, AML, 4AMLD, PSD2, FCA, Fintrac, MiFID II, GDPR and FinCEN, AUSTRAC
Other quality programs: N/A
Other remarks: N/A
Clients
Main clients / references: Trulioo is a trusted verification provider for more than 500 companies, including some of the world’s top payments, ecommerce and financial services providers.
Future developments: N/A

Fraud Prevention Begins with Knowing Your Customer
Trulioo's AML/KYC solution automates the CDD process for over 5 billion people & 250 million corporate entities in 100+ countries
Accelerate your KYC process from weeks to minutes with award-winning identity verification.
Chat with us at trulioo.com

Company: Trust Stamp
Trust Stamp provides a proprietary AI-powered hashed biometric identity solution.
A one-way process converts biometric data into a hash that cannot be reconstructed into the original biometric, avoiding the security risks and legal complications of storing and transmitting PII data. These hashes solve problems like synthetic identity fraud and KYC.
Website: https://truststamp.ai/
Keywords for online profile: fraud, risk, protect, loss, biometrics, detection
Business model: Per use licenses or custom product development
Target market (limited list of markets): Financial institutions, payment services providers, government services, P2P platforms, gaming and gambling, other online businesses, and real estate
Contact: firstname.lastname@example.org
Geographical presence: Europe, North America, Latin America, Middle East & Africa
Active since: 2015
Service provider type: Digital identity service provider, technology vendor, web fraud detection company
Member of industry associations and initiatives: Conference of Western Attorney Generals, Biometrics Institute
Services
Unique selling points: Trust Stamp is a multi-factor biometric platform with inbuilt de-duplication that can be augmented with social media and other data mining or even self-warrantied identities. A unique factor is a shareable non-PII hash that tokenizes the identity and can embed both encrypted data and pivot points to external data.
Core services: Trust Stamp uses proprietary facial biometric AI with proof of life to create tokenized identity hashes.
Pricing: Pricing is per transaction and based on volume and complexity
Partners: Plug and Play, The National Association of Realtors, Mastercard Startpath, QC Fintech, SixThirty Cyber, and Georgia Institute of Technology Advanced Technology Development Center
Other services: For more information contact the company
Offering: authentication technology used
PIN: Yes
Password/phrase: Yes
Token: Yes
Card: For more information contact the company
Digital certificates (hosted yes/no): For more information contact the company
Multifactor authentication: Yes
Biometrics: Yes
Authentication context
Online: Yes
Mobile: Yes
ATM: For more information contact the company
Branch/Point of Sale: Yes
Call Centre: Yes
Other: For more information contact the company
Reference data connectivity
Connectivity to governmental data: For our safety apps we search public data sources, such as criminal databases and sexual offender lists.
Other databases: For our real estate solution we are using proprietary non-FCRA data to qualify leads for real estate.
Certification
Type: For more information contact the company
Regulation: KYC, PII, GDPR
Other quality programs: For more information contact the company
Other remarks: For more information contact the company
Clients
Main clients / references: Synchrony Financial, Conference of Western Attorney Generals, Mastercard Startpath Program, Plug and Play ADGM
Future developments: For more information contact the company

Artificial Intelligence Powered Federated Trust and Identity
Evergreen Hash™
Biometric data is transformed into a 512 byte-hash using a deep neural network. The hash is pseudo-anonymized data and can never be reverse engineered.
• Hashes can be generated from any biometric data
• The Hash also offers 1.28 Bn.
unique hash or encrypted data points
• Fields can contain substantive data or serve as a pivot point to external data
Hashed Identity Lake™
Once created, the hash is added to an Identity Lake
• The lake can be hosted on a server or a blockchain
• Proprietary AI predicts the probability that two hashes came from the same face, flagging fraudsters with multiple identities
• The lake can act as a non-PII data sharing consortium with adjustable access based on agreement
Learn More at www.truststamp.ai

Company: Web Shield Limited
Founded by highly-motivated, technology-affine professionals from the credit card and IT industries, we at Web Shield use our expertise in large-scale project management, system architecture design, software development and several investigation areas to perform risk assessments and persistent monitoring of legal entities.
Website: www.webshield.com
Keywords for online profile: on-boarding, underwriting, monitoring
Business model: On-demand and subscription service
Target market:
- acquiring banks
- payment service providers
- financial institutions
- online communities/web merchants
- credit bureaus (qualitative data approach)
- gaming and gambling
- law enforcement
- detective agencies
- other online businesses
Contact: email@example.com
Geographical presence: Leipzig, Warsaw, London
Active since: 2011
Service provider type:
- SaaS vendor
- training
- consulting services
Member of industry associations and or initiatives: Merchant Acquirers’ Committee, European Financial Coalition, Internet Watch Foundation, Electronic Transactions Association, International RegTech Association
Services
Unique selling points: Web Shield helps acquiring banks, payment processors and other actors in the payments space to protect themselves from bad actors involved in illegal or non-compliant activities.
Our highly precise on-boarding and monitoring tools enable underwriters to make informed decisions about prospective clients, and alert them when existing ones behave dubiously.
Core services: On-boarding and monitoring solutions
Pricing Model: For more information please contact firstname.lastname@example.org
Fraud prevention partners: Wołoszański & Partners Law Firm
Other services:
- training seminars for risk management, underwriting best practices and online investigation
- regulatory monitoring, a dynamic international database with legal opinions concerning cryptocurrency regulation
- organising the RiskConnect Networking Conference for Risk Professionals in Frankfurt a.M. (https://www.riskconnect.eu/)
- content violation detection for Cyberlockers
Third party connection: CreditSafe, LexisNexis, iSignthis, Vendorcom, Minera, RiskSkill, 4Stop

Technology: anti-fraud detection tools available
Address verifications services: Yes
CNP transactions: No
Card Verification Value (CVV): No
Bin lookup: No
Geo-location Checks: Yes
Device Fingerprint: No
Payer Authentication: No
Velocity Rules – Purchase Limit Rules: No
White list/black list database: Yes
KYC – Know Your Customer: Yes
Credit Rating: Yes
Follow up action: For more information please contact email@example.com
Other: For more information please contact firstname.lastname@example.org

Authentication Context
Online: Yes
Mobile: Yes
ATM: No
POS: No
Call centre: No
Other: For more information please contact email@example.com

Reference data connectivity
Connectivity to governmental data: Yes
Other databases: Commercial attribute providers, e.g.
credit databases

Fraud management system type
Single-channel fraud prevention system: Yes
Multi-channel fraud prevention system: Yes

Certification
Type: For more information please contact firstname.lastname@example.org
Regulation: For more information please contact email@example.com
Other quality programmes: Mastercard Merchant Monitoring Service Provider
Other remarks: For more information please contact firstname.lastname@example.org

Clients
Main clients / references: Wirecard Bank AG, Worldline SA, Concardis
Future developments: For more information please contact email@example.com

Company: Wibmo Inc.
Wibmo Inc., a Cupertino, California company, is a leading provider of payment security and mobile payments in emerging markets with a leading market presence in India, one of the world’s largest digital payment markets.
Website: www.wibmo.co
Keywords for online profile: Online fraud prevention, mobile app security, mobile banking, online banking, CNP fraud prevention, out-of-band authentication, multi-factor authentication, push-based authentication, EMV® 3-D Secure, behavioural biometrics, artificial intelligence
Business model: Software-as-a-Service (SaaS)
Target market: Banks, issuers, ecommerce/merchants, acquirers/PSPs, fintech, mobile commerce and mobile payment consumers
Contact: firstname.lastname@example.org
Geographical presence: India, Middle East, Africa, Asia, Southeast Asia
Active since: 1999
Service provider type: Web fraud detection company / payment service provider (PSP)
Member of industry associations and or initiatives: Visa, Mastercard authorised processor; EMVCo Business and Technical Associate; PCI-DSS 3.2 certified; EMVCo 3DS certified

Services
Unique selling points: Trident, the next generation intelligent enterprise fraud mitigation system, performs realtime fraud detection with a combination of rules-based approach and advanced
analytics powered by artificial intelligence.
1. Enterprise screening
2. Multi-factor fraud detection techniques
3. Advanced Analytics
4. Realtime Transaction Monitoring and Case Management
5. Dynamic addition of new data types and data streams
6. Realtime rules activation resulting in ability to react to fraud trends in real time
Core services: Multi-channel support - POS, ATM, ecommerce, Prepaid, and more. Case management, static and dynamic rules based engine, real-time analytics, machine learning models
Pricing Model: Varies by service model, data dimensions, volume and complexity of fraud management framework deployed
Fraud prevention partners: For more information contact the company
Other services: Fraud data network, device intelligence, account take over, identity validations, bot detections, prevention of promotional abuse, seamless authentication
Third party connection: For more information contact the company

Technology: anti-fraud detection tools available
Address verifications services: No
CNP transactions: Yes
Card Verification Value (CVV): N/A
Bin lookup: Yes
Geo-location Checks: Yes
Device Fingerprint: Yes
Payer Authentication: Yes
Velocity Rules – Purchase Limit Rules: Yes
White list/black list database: Yes
KYC – Know Your Customer: No
Credit Rating: Yes
Follow up action: Yes
Other: Behavioural analytics, trident score, spend and fraud patterns, multi-factor fraud detection techniques

Authentication Context
Online: Yes
Mobile: Yes
ATM: Yes
POS: Yes
Call centre: Yes
Other: NetBanking, Prepaid, Non-Financial Systems

Reference Data connectivity
Connectivity to governmental data: No
Other databases: Yes

Fraud management system type
Single-channel fraud prevention system: N/A
Multi-channel fraud prevention system: Yes

Certification
Type: For more information contact the company
Regulation: AML
Other quality programmes: For more information contact the company
Other remarks: For more
information contact the company

Clients
Main clients / references: Leading banks across Asia. More information available upon request.
Future developments: More information available upon request

Is your authentication intelligent enough?
Copyright © 2018 Wibmo Inc. All rights reserved. www.wibmo.com

Glossary

A

Abuse list
Intelligence-sharing mechanisms used to widely disseminate tactical fraud intelligence like mule accounts, phishing sites, malware distribution sites, compromised websites, botnet IP addresses, compromised point-of-sale terminals, etc. Abuse lists may be private (available on subscription or as part of a larger fraud detection solution) or public.

Account takeover (ATO)
A form of identity theft where a criminal gains complete control of a consumer’s account, such as obtaining the PIN or changing the statement mailing address and/or making unauthorised transactions.

Adaptive decisioning
A system which draws insights from multiple data sources and is armed with the agility to make real-time adjustments for maximum impact on fraud levels whilst minimising customer friction.

Address Verification System (AVS)
A service used to check the billing address of the credit card provided by the user with the address on file at the credit card company. AVS is widely supported by Visa, Mastercard, and American Express in the US, Canada and the UK.

Anti-Money Laundering (AML)
A set of procedures, laws or regulations designed to stop the practice of generating income through illegal actions. In most cases, money launderers hide their actions through a series of steps that make it look like money coming from illegal or unethical sources was earned legitimately.

Artificial Intelligence
The simulation of the processes of human intelligence by machines, especially computer systems. These processes include learning (the acquisition of information and rules for using the information), reasoning (using the rules to reach approximate or definite conclusions), and self-correction.

Authentication
A security measure that determines whether someone or something is, in fact, who or what it declares to be. An authentication process implies the verification of a cardholder with the issuing bank. Authentication often precedes authorisation (although they may often seem to be combined). The two terms are often used synonymously but they imply two different processes.

Authentication factor
A piece of information and process used to authenticate or verify the identity of an entity based on one or more of the following:
• Possession, e.g. device signature, passport, hardware device containing a credential, private key;
• Knowledge, e.g. password, PIN;
• Inherence, e.g. biometric characteristic;
• Context, e.g. behaviour pattern, geo-location.

Authorisation
Verifying that the entity initiating a transaction is entitled to perform that action.

B

Behaviour patterns
Behavioural pattern detection technologies identify fraud by monitoring the user session to detect suspicious activities or patterns. These anomalies manifest in a couple of ways:
• Transactional: The user is performing transactions that are out-of-pattern compared with normal behaviour.
• Navigational: The manner in which the user is navigating the website is inconsistent with his or her usual pattern, is inconsistent with the pattern of his or her peer group, or is indicative of the navigational pattern of a bot.
Many (though not all) transactional anomaly detection solutions require extensive data integration. Navigational anomaly detection tends to be a more lightweight deployment.
Big Data
Large data sets that may be analysed computationally to reveal patterns, trends, and associations relating to human behaviour and interactions. By developing predictive models based on both historical and real-time data, companies can identify suspected fraudulent claims in the early stages.

Botnet
A network of computers that fraudsters have corrupted with hidden software to secretly send spam.

Bring your own authentication (BYOA)
A computing concept in which an employee-owned device, such as a key fob or smartphone, can be used to provide authentication credentials within a business environment.

C

Card capture device
A device inserted into an ATM card slot which captures the data contained on the card.

Card testing
Occurs when a fraudster uses a merchant’s website to ‘test’ stolen credit card information to determine if the card is valid. Fraudsters can purchase lists of credit card numbers online on the ‘Dark Web’ at a low cost but often do not know if the cards they are purchasing are active. To test these cards, fraudsters often use automated bots and scripts to run many of these numbers through a merchant’s checkout page. If a transaction is approved, the fraudster knows that the card is valid and can make fraudulent high-value purchases elsewhere.

Card-on-file (CoF)
Authorised storage of a consumer’s payment credentials by a merchant, PSP, or WSP, that allows the consumer to conveniently make repeat or automatic purchases without the need to re-enter payment credentials each time.

Cardholder-not-present (CNP) fraud
Using stolen cards or card details and personal information, a fraudster purchases goods or services remotely – online, by telephone or by mail order.

Case management
In the context of fraud management, it refers to the actions required to contain and remediate the impact of a detected fraud incident. Case management system refers to the ICT tooling used to automate routine follow-up activities and facilitate case management workflows.

CCV
A unique check value encoded on the magnetic stripe and replicated in the chip of a card or the magnetic stripe of a Visa card to validate card information during the authorisation process.

CCV2 (CID)
Also known as Card Validation Code or Value, or Card Security Code. This is a unique 3-digit check value generated using a secure cryptographic process that is indent-printed on the back of a Visa card or provided to a virtual account holder.

Change of address fraud
Occurs when the fraudster obtains details of a genuine customer’s account and then contacts the business to announce that he has changed address. This is usually accompanied or followed by a request for items of value such as a chequebook, debit card or statement of account to be sent to the fake new address. A false change of address is used to facilitate previous address fraud and account/facility takeover fraud.

Chargeback management
An additional service for management of claims initiated on the issuing side.

Consumer authentication
The term used to describe tools intended to verify that the person making the transaction is actually the person authorised to do so, both in-person and card-not-present transactions.

Credit card fraud
Fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying or to obtain unauthorised funds from an account. Credit card fraud is also an adjunct to identity theft.

Credit check
From researching the customer’s financial history, the vendor can make a decision regarding onboarding the user.

Compliance check
One can also check an organisation that provides PII or other data to see if that organisation is compliant with current regulations regarding data security and potential breaches.

Customer due diligence
Identification and verification of customers and beneficial owners.

Cryptography
Protecting information or hiding its meaning by converting it into a secret code before sending it out over a public network.

D

Data ingestion
The process of accessing and importing data for immediate use or storage in a database. Connected to Data ingestion is the concept of Stateless data ingestion and augmentation, which is the system’s ability to ingest all types of data, structured, unstructured, from third parties and users, as well as to include device/behavioural biometrics.

Fraudsters use the dark web, the portion of the Internet that can be browsed anonymously, to search for stolen identities and credit/debit card numbers to buy hacking tutorials or other malicious services.

Deep learning
Deep learning is an aspect of artificial intelligence (AI) that is concerned with emulating the learning approach that human beings use to gain certain types of knowledge. At its simplest, deep learning can be thought of as a way to automate predictive analytics.

Delivery and returns fraud
Return fraud is the act of defrauding a retail store via the return process. There are various ways in which this crime is committed. For example, the offender may return stolen goods to secure cash or steal receipts or receipt tape to enable a falsified return, or to use somebody else’s receipt to try to return an item picked up from a store shelf. Return abuse is a form of ‘friendly fraud’ where someone purchases products without intending to keep them.

Derived identification
Relying on the identification that took place at another instance, for example, a bank or governmental institution. Making use of derived identification also has its constraints. Next to that, it becomes less valuable if everyone makes use of derived identification. It also implies the prospect already needed to have an account at another bank.

Device fingerprinting
Device fingerprinting is a process by which a fingerprint of a connected device – desktop, tablet, smartphone, game console, etc – is captured when visiting a website.

Device identity
Device identity technology examines a combination of identifiable hardware and software attributes associated with a computer or mobile device. The unique fingerprint associated with each device can be used to recognise devices associated with fraudulent activity as well as for ongoing recognition of devices with trusted reputations. The technology is completely transparent to end users, so it does not insert any friction into the customer experience.
The mobile browser environment can be challenging to fingerprint, since there are fewer parameters to track than in the desktop browser environment. Mobile apps are just the opposite: Digital identity vendors provide software development kits to dive deep into the device and create a footprint around parameter changes (e.g. the number of contacts, the number of songs in playlists, the apps on the device) as well as create behavioural analytics around the ways in which those parameters change.

Device location
Device location uses the sensors native to a device to identify its location. The technology is transparent to the end user and is a reliable risk indicator, particularly when used in conjunction with other layers of protection. Mobile geolocation can be very useful for payment authorisation: If a device with the issuer’s mobile app is in close proximity to a payment card transaction, this can be a valuable indicator to help prevent false declines.

Device malware
With the steep trajectory of malware creation and deployment by organised crime rings, many banks have deployed technology to detect malware as well as whether a device is jailbroken or has a rootkit installed. One important consideration as businesses implement this technology is the fact that not all malware is created equal; some malware doesn’t truly risk compromising the online or mobile banking session. For one type of malware, a company may choose to take no action; for another, it may call the customer; and for a third strain, it may want to shut down transactional capability immediately.

Device-user interaction
Observations of how the user interacts with the input device, e.g. the smartphone, mouse, or keyboard. Fraudsters have been known to make use of either remote-access tools within malware or misuse of legitimate remote-access software to gain control of a victim’s device.

Denial of service attack (DoS)
An attack on a computer system or network that causes a loss of service to users. A network of computers is used to bombard and overwhelm another network of computers with the intention of causing the server to ‘crash’. A Distributed Denial of Service (DDoS) attack relies on brute force by using attacks from multiple computers. These attacks can be used to extort money from the businesses targeted.

Digital identity
It is a collection of identity attributes, an identity in an electronic form (e.g. electronic identity).

Digital signature
A digital code (generated and authenticated by public key encryption) which is attached to an electronically transmitted document to verify its contents and the sender’s identity.

Document capture
These solutions use the camera on the device to capture a picture of an identity document (e.g. a driver’s license or utility bill), verify the credential, and parse the data into an onboarding system or ecommerce shopping cart form, minimizing the need for consumers to go through the data-entry process.

E

E-ID services
Services for entity authentication and signing data.

Electronic Data Interchange (EDI)
It is an electronic communication method that provides standards for exchanging data. By adhering to the same standard, companies that use EDI can transfer data from one branch to another and even across the world.

Encryption
A method of coding data, using an algorithm, to protect it from unauthorised access. There are many types of data encryption, and they are the basis of network security.

End-to-end encryption
Uninterrupted protection of the integrity and confidentiality of transmitted data by encoding it at the start and decoding it at the end of the transaction.

Endpoint authentication
A security system that verifies the identity of a remotely connected device (and its user), such as a personal digital assistant (PDA) or laptop, before allowing access to enterprise network resources or data.

Endpoint protection
Endpoint protection refers to a wide range of solutions for protecting and/or detecting compromise of the end-user’s computing device (desktop, laptop, mobile device etc). Endpoint protection solutions, in general, use one or more of the following techniques:
• Hardening: the solution blocks or otherwise eliminates commonly exploited vulnerabilities.
• Monitoring/Detection: the solution monitors the system and/or user behaviour and detects anomalies.
• Sandbox: the solution redirects any untrusted content to a sandbox environment that enables safe identification of malicious content.
• Anti-Virus solutions are an example of endpoint solutions that generally use a signature/rule-based approach.
• Sensitive Information Protection solutions rely more on information classification and heuristics or machine learning-based algorithms for detection of abnormal information flows.
• Malware Protection solutions rely on a combination of one or more of the three techniques.

EMV
EMV (Europay-Mastercard-Visa) is a global standard for credit and debit cards based on chip card technology. The EMV cards make in-person transactions more secure, but increase the threat of fraud in card-not-present transactions because the chip is not involved in the transaction and provides no benefit when the card is not present.

F

False front merchants
Entities who hide the true nature of their businesses and sales of card-brand prohibited goods and services. These companies do not actually engage in selling what they claim during the merchant underwriting process, and usually are involved in illicit, illegal endeavours.

False positive
It occurs when a good transaction or order is rejected by either the issuer or the merchant, due to suspected fraud.

FIDO (Fast ID Online)
A set of technology-agnostic security specifications for strong authentication. FIDO is developed by the FIDO Alliance, a non-profit organisation formed in 2012.

Fraud apps
These are fraudulent apps that work in two ways:
• simulated ad interactions;
• intentionally misleading buttons or layouts.
In the simulated ad interactions, bots trigger ad activity. With the misleading buttons or layouts, developers create layouts that overlap ads with content so users will unintentionally click the ads. Users usually have no intention of clicking some of these ads but do so because the ads are so small that they tap them by mistake. Furthermore, these types of apps can contain more ads than they are usually allowed by their operating system to serve, or display ads outside of the screen view of an application.

Fraud detection
Tools and techniques used to detect ‘acts of fraud’. It includes tools and techniques for: data analysis, data mining, rule-based detection systems, supervised machine learning systems, and unsupervised machine learning systems.

Fraud management
Organisational processes to prevent, detect, contain and remedy fraud.

Fraud prevention
Processes, tools, and techniques used to prevent ‘acts of fraud’. It includes communication and awareness, authentication, and other business processes controls.

Fraud screening
A checking system that identifies potentially fraudulent transactions. Fraud screening helps reduce fraudulent credit card transactions, eliminating the need for manual reviews, minimizing bad sales and improving a company’s bottom line.

Federated identity
A federated identity is the means of linking a person’s electronic identity and attributes stored across multiple distinct identity management systems. Without federated identity, users are forced to manage different credentials for every site they use.
Related to federated identity is single sign-on (SSO), in which a user’s single authentication ticket, or token, is trusted across multiple IT systems or even organisations. SSO is a subset of federated identity management, as it relates only to authentication and is understood on the level of technical interoperability and it would not be possible without some sort of federation.

Fingerprint recognition
The biometric modality that uses the physical structure of the user’s fingerprint for recognition. In most fingerprint recognition processes, the biometric samples are compressed in minutiae points that reduce the size of data and accelerate the process.

Fraud score
A fraud score may be available during transaction authorisation. This is a number, usually between 0 and 1,000, that represents the overall fraud risk of a particular transaction. The higher the number, the riskier the transaction.

Friendly fraud
When a consumer (or someone with access to a credit card) makes a purchase and then initiates a chargeback, saying they did not make the purchase and/or did not receive the goods or services.

G

Geo Location Detection
Set of diverse and ideally automated tests that help fraud protection solutions assess the risk of fraud involved in a specific order passing through a merchant’s website. These tests might include IP to Zip Code, IP to Billing Address, High IP Cross Referencing, IP Geo Location & Proxy Detection, and NPA NXX Area Code Web Service.

Global Address Verification Directories
This feature enables fraud protection solutions to compare the address introduced by the visitor with the existing address, detecting any fake data. It also helps e-merchants keep their customers easily reachable.

Guaranteed Fraud Prevention
A kind of insurance that transfers the impact of fraud losses from the insured entity (bank or processor or merchant) to a third party. This may be linked to the implementation of specific fraud prevention solutions.

H

Hash function
A function that can be used to map digital data of arbitrary size to digital data of fixed size. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes. With Bitcoin, a cryptographic hash function takes input data of any size and transforms it into a compact string.

Host Card Emulation (HCE)
On-device technology that permits a phone to perform card emulation on an NFC-enabled device. With HCE, critical payment credentials are stored in a secure shared repository (the issuer data centre or private cloud) rather than on the phone. Limited use credentials are delivered to the phone in advance to enable contactless transactions to take place.

Hybrid detection system
Fraud detection system that uses both rule-based and machine learning techniques.

I

Identity of Things (IDoT)
An area of endeavour that involves assigning unique identifiers (UID) with associated metadata to devices and objects (things), enabling them to connect and communicate effectively with other entities over the internet.

Identity Service Provider
An identity provider (IdP) is a system entity that creates, maintains, and manages identity information for principals while providing authentication services to relying party applications within a federation or distributed network.
It usually offers user authentication as a service. Relying party applications, such as web applications, outsource the user authentication step to a trusted identity provider. Such a relying party application is said to be federated, that is, it consumes federated identity.
An identity provider is considered a trusted provider that enables consumers to use single sign-on (SSO) to access other websites. SSO enhances usability by reducing password fatigue. It also provides better security by decreasing the potential attack surface.

Identity spoofing
Using a stolen identity, credit card or compromised username / password combination to attempt fraud or account takeover. Typically, identity spoofing is detected based on high velocity of identity usage for a given device, detecting the same device accessing multiple unrelated user accounts or unusual identity linkages and usage.

Identity theft
Identity theft happens when fraudsters access enough information about someone’s identity (such as their name, date of birth, current or previous addresses) to commit identity fraud. Identity theft can take place whether the fraud victim is alive or deceased.

Identity verification
Checking the provided information about the identity with previously corroborated information and its binding to the entity.

Identity and Access Management (IAM)
The security and business discipline that enables the right individuals to access the right resources at the right time and for the right reasons. It addresses the need to ensure appropriate access to resources across increasingly heterogeneous technology environments and to meet increasingly rigorous compliance requirements.

Information sharing network
In the context of fraud management, refers to a public or private service provider of one or more Abuse Lists.

InfoSec (information security)
The practice of defending information from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Integrator (Systems Integrator)
An entity that specialises in bringing together component subsystems into a whole and ensuring that those subsystems function together.

Intelligence
The gathering, assessment and dissemination of information that is valuable for fraud prevention and/or detection. Fraud intelligence can be strategic (activities of threat actors, etc) and/or tactical (mule accounts, phishing sites, botnet IPs, etc).

Internal fraud
Internal fraud occurs when a staff member dishonestly makes a false representation, or wrongfully fails to disclose information, or abuses a position of trust for personal gain, or causes loss to others. Internal fraud can range from compromising customer or payroll data to inflating expenses to straightforward theft. Sometimes it’s an unplanned, opportunistic attack purely for personal financial gain, but sometimes it’s linked to a serious and organised criminal network or even terrorist financing.

Internet of Things (IoT)
The network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other internet-enabled devices and systems.

Interoperability
A situation in which payment instruments belonging to a given scheme may be used in other countries and in systems installed by other schemes. Interoperability requires technical compatibility between systems, but can only take effect where commercial agreements have been concluded between the schemes concerned.

Investment fraud
Investment fraud is any scheme or deception relating to investments that affect a person or company. Investment fraud includes:
• illegal insider trading
• fraudulent manipulation of the Stock Market
• prime bank investment schemes.

K

Knowledge-Based Authentication
KBA is a method of authentication which seeks to prove the identity of someone accessing a service, such as a financial institution or website. As the name suggests, KBA requires the knowledge of private information of the individual to prove that the person providing the identity information is the owner of the identity. There are two types of KBA: ‘static KBA’, which is based on a pre-agreed set of ‘shared secrets’; and ‘dynamic KBA’, which is based on questions generated from a wider base of personal information.

Know Your Customer (KYC)
The term refers to due diligence activities that financial institutions and other regulated companies must perform to ascertain relevant information from their clients for the purpose of doing business with them. Know your customer policies are becoming increasingly important globally to prevent identity theft, financial fraud, money laundering and terrorist financing.

L

Level of Assurance (LoA)
Degree of confidence reached in the authentication process that the entity is what it claims to be or is expected to be.

Liability shift
The liability for chargebacks resulting from fraudulent transactions moves from the merchant to the issuing bank when the merchant has authenticated the transaction using any of the 3-D Secure protocols. Without Consumer Authentication, merchants are liable for chargebacks.

M

Machine Learning System
Machine learning fraud detection systems use artificial intelligence solutions to detect ‘acts of fraud’. These techniques fall under two main categories:
• Supervised learning systems – these systems require training data sets to learn and use techniques like neural networks, bayesian models, regression models, statistical models, or a combination.
• Unsupervised learning systems – these systems are able to identify potential fraud based on techniques like clustering, peer group analysis, breakpoint analysis, profiling or a combination.

Mail Order – Telephone Order (MOTO)
MOTO accounts are required when more than 30% of credit cards cannot be physically swiped. Merchants that have a MOTO merchant account usually process credit card payments by entering the credit card information directly into a terminal that contains a keypad, by using terminal software installed on a personal computer, or by using a ‘virtual’ terminal that allows the merchant to use a normal web browser to process transactions on a payment service provider’s website.

Malware
Software specifically designed to disrupt or damage a computer system.

Man-in-the-browser
A form of internet threat related to man-in-the-middle (MITM); it is a proxy Trojan that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages or transaction content or to insert additional transactions, all in a completely covert fashion invisible to both the user and host web application. A proxy Trojan is a virus which hijacks and turns the host computer into a proxy server, part of a botnet, from which an attacker can stage anonymous activities and attacks.

Man-in-the-middle
In cryptography and computer security, it is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

Manual review
A technique in which merchants use staff members to perform manual checks on orders to determine which orders are fraudulent.

Merchant account
A type of bank account that allows businesses to accept payments in multiple ways, typically debit or credit cards. A merchant account is established under an agreement between an acceptor and a merchant acquiring bank for the settlement of payment card transactions.

Money laundering
The process of concealing the source of money obtained by illicit means. The methods by which money may be laundered are varied and can range in sophistication. Many regulatory and governmental authorities quote estimates each year for the amount of money laundered, either worldwide or within their national economy.

Multi-factor authentication
An approach to security authentication, which requires that the user of a system provide more than one form of verification in order to prove their identity and gain access to the system. Multi-factor authentication takes advantage of a combination of several factors of authentication; three major factors include verification by something a user knows (such as a password), something the user has (such as a smart card or a security token), and something the user is (such as the use of biometrics).

O

One-time Password (OTP)
A password that can be used only once, usually randomly generated by special software.

Open Authorisation (OAuth)
An open standard for token-based authentication and authorisation on the Internet. It allows an end user’s account information to be used by third-party services, such as Facebook, without exposing the user’s password. OAuth acts as an intermediary on behalf of the end user, providing the service with an access token that authorises specific account information to be shared. The process for obtaining the token is called a flow.

OpenID
An open standard that describes how users can be authenticated in a decentralised manner, eliminating the need for services to provide their own ad hoc systems and allowing users to consolidate their digital identities. Users may create accounts with their preferred OpenID identity providers, and then use those accounts as the basis for signing on to any website which accepts OpenID authentication.

Orchestration hub
Orchestration hub is part of a fraud prevention platform that allows companies to request and receive data from third-party providers, with static, data-based identification, endpoint profiling, entity relationship, and behaviour analytics.

On-premise Solutions
Software that is installed and runs on computers on the organisation’s premises (in the building), rather than remotely, such as a server farm or cloud.

Out-of-band Authentication
Out-of-band Authentication (OOBA) uses a communication mechanism that is not directly associated with the device being used to access the banking application or ecommerce site in order to facilitate a second mode of communication.

P

Passive authentication
A method where the user signs in through a Web form displayed by the identity provider and the user is requested to log in.
Payment Application Data Security Standard (PA DSS)
PA DSS is a system designed by the Payment Card Industry Security Standards Council and adopted worldwide. It was implemented in an effort to provide the definitive data standard for software vendors that develop payment applications. The standard aims to prevent developed payment applications for third parties from storing prohibited secure data including magnetic stripe, CVV2, or PIN. In that process, the standard also dictates that software vendors develop payment applications that are compliant with the Payment Card Industry Data Security Standards (PCI DSS).

Payment Card Industry Data Security Standard (PCI-DSS)
A proprietary information security standard for organisations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor (ISA) that creates a Report on Compliance (ROC) for organisations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

Personally identifiable information (PII) validation
Personally identifiable information (PII) is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context (e.g. address, email, passport number, date of birth, etc).

Pharming
A type of online fraud where people are redirected from a real website to a website impersonating a real one, with malicious intent.

Phishing
A method which allows criminals to gain access to sensitive information (like usernames or passwords). It is a method of social engineering. Very often, phishing is done by electronic mail. This mail appears to come from a bank or other service provider. It usually says that because of some change in the system, the users need to re-enter their usernames/passwords to confirm them. The emails usually have a link to a page similar to the one of the real bank.

Public Key Infrastructure (PKI)
The infrastructure needed to support the use of Digital Certificates. It includes Registration Authorities, Certificate Authorities, relying parties, servers, PKCS and OCSP protocols, validation services, revocation lists. Uses include secure e-mail, file transfer, document management services, remote access, web-based transactions, services, non-repudiation, wireless networks and virtual private networks, corporate networks, encryption, and ecommerce.

Point-to-point encryption (P2PE)
A point-to-point encryption (P2PE) solution is provided by a third-party solution provider and is a combination of secure devices, applications and processes that encrypt data from the point of interaction (for example, at the point of swipe or dip) until the data reaches the solution provider’s secure decryption environment.
A PCI P2PE solution must include all of the following:
- Secure encryption of payment card data at the point-of-interaction (POI)
- P2PE-validated application(s) at the point-of-interaction
- Secure management of encryption and decryption devices
- Management of the decryption environment and all decrypted account data
- Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage.
Privacy
Privacy is the ability of a person to control the availability of personal information and exposure of himself or herself. It is related to being able to function in society anonymously (including pseudonymous or blind credential identification).

Proofing
Identity proofing is a common term used to describe the act of verifying a person’s identity, as in verifying the ‘proof of an ID’. Other terms that describe this process include identity verification and identity vetting.

R

Ransomware
Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion in which it encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.
Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment.

Real-time risk management
A process which allows risk associated with payments between payment system participants to be managed immediately and continuously.

Relying Party (RP)
A website or application that wants to verify the end-user’s identifier. Other terms for this entity include ‘service provider’ or the now obsolete ‘consumer’.

Retail loss prevention
A set of practices employed by retail companies to reduce and deter losses from theft and fraud, colloquially known as ‘shrink reduction’.

Risk assessment
The process of studying the vulnerabilities, threats, and likelihood of attacks on a computer system or network.

Risk-Based Authentication (RBA)
Risk-Based Authentication is where issuing banks apply varying levels of stringency to authentication processes, based on the likelihood that access to a given system could result in it being compromised. As the level of risk increases, the authentication process becomes more intense.

Rule-based fraud detection
Rule-based fraud detection systems use correlation, statistics, and logical comparison of data to identify potential ‘acts of fraud’ based on insights gained from previous (known) fraud incidents. They generally use traditional methods of data analysis and require complex and time-consuming investigations that deal with different domains of knowledge like financial, economics, business practices and behaviour. Fraud often consists of many instances or incidents involving repeated transgressions using the same method. Fraud instances can be similar in content and appearance, but usually are not identical. Rule-based systems rely on identifying a known fraud pattern.

S

Smart card
An access card that contains encoded information used to identify the user.

Secure element
A tamper-proof Smart Card chip capable of embedding smart card-grade applications with the required level of security and features. In the NFC architecture, the secure element will embed contactless and NFC-related applications, and is connected to the NFC chip acting as the contactless front end. The secure element could be integrated into various form factors: SIM cards, embedded in the handset or SD Card.

Security protocol
A sequence of operations that ensure the protection of data. Used with a communications protocol, it provides secure delivery of data between two parties.

Signing (confirmation by customer)
Confirming a financial or non-financial transaction by verifying an entity’s identity in a manner that is non-repudiable (i.e. using one or more authenticators).
Security threat and risk assessment
A method that identifies general business and security risks aiming to determine the adequacy of security controls with the service and mitigating those risks.

Security token (authentication token)
It is a small hardware device that the owner carries to authorise access to a network service. The device may be in the form of a smart card or may be embedded in a commonly used object such as a key fob.

Sensitive data
Information that relates to contact information, identification cards and numbers, birth date, social insurance number and other data that can be used for malicious purposes by cybercriminals.

SIM Cloning
A victim’s SIM card data, containing all of their phone’s data, is copied to a fraudster’s SIM so that the fraudster can impersonate them and access all incoming communication, as well as mobile banking. To keep personal information secure, users are advised to make sure they download the latest banking apps directly from the official websites, and be wary of using financial institution contact details from SMSes or emails, as well as confirming account details via email, SMS, or telephone. Also, if a user realises (s)he is not receiving calls or text notifications, (s)he may have fallen victim to a SIM card cloning scam.

Single point of purchase
The ability to detect whether a consumer’s card may have been compromised when an institution is experiencing a high volume of fraudulent transactions.

Smishing (SMS phishing)
A variant of phishing email scams that utilises SMS systems instead of sending fake text messages.

Skimming
Card skimming is the illegal copying of information from the magnetic strip of a credit or ATM card. It is a more direct version of a phishing scam. In biometrics and ID, it could be the act of obtaining data from an unknowing end user who is not willing to submit the sample at that time.

Social media analytics
Social media analytics combine public and private data sources with an analysis of the consumer’s social media presence. For example, an applicant who is in her mid-thirties but has no public record data nor any trace of social media presence is one who bears further scrutiny.
This type of analysis is also helpful for thin-file consumers who can’t be readily verified by traditional data sources.

Spoofs
Various scams in which fraudsters attempt to gather personal information directly from unaware individuals. The methods could include letters, telephone calls, canvassing, websites, e-mails or street surveys.

Strong Customer Authentication (SCA)
In accordance with EBA Consultation Paper, the authentication procedure shall result in the generation of an authentication code that is accepted only once by the payment services provider each time that the payer, making use of the authentication code, accesses its payment account online, initiates an electronic transaction or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

Suspicious transaction reports (STR)
A report compiled by the regulated private sector (most commonly banks and financial institutions) about financial flows they have detected that could be related to money laundering or terrorist financing.

Synthetic ID fraud
This type of fraud occurs when a fictitious identity is created, usually with a combination of real and fake information, and is used to obtain credit, make purchases and open accounts.

T

Threat
A threat consists of an adverse action performed by a threat agent on an asset. Examples of threats are:
• a hacker (with substantial expertise, standard equipment, and being paid to do so) remotely copying confidential files from a company network or from card;
• a computer malware seriously degrading the performance of a wide-area network;
• a system administrator violating user privacy;
• someone on the internet listening to confidential electronic communication.

Third-party fraud
Fraud committed against an individual by an unrelated or unknown third-party.

Token
Any hardware or software that contains credentials related to a user’s attributes. Tokens may take any form, ranging from a digital data set to smart cards or mobile phones. Tokens can be used for both data/entity authentication (authentication tokens) and authorisation purposes (authorisation tokens).

Tokenization
The process of substituting sensitive data with an easily reversible benign substitute. In the payment card industry, tokenization is one means of protecting sensitive cardholder PII in order to comply with industry standards and government regulations. The technology is meant to prevent the theft of the credit card information in storage.

Transaction Authentication Number (TAN)
A type of single-use password used for an online banking transaction in conjunction with a standard ID and password.

Triangulation fraud
Considered as one of the most complex ecommerce attack methods, triangulation fraud involves three points.
• An unsuspecting customer who places an order on an auction or marketplace using some form of credit, debit, or PayPal tender.
• A fraudulent seller who receives the order and then places the order for the actual product with a legitimate ecommerce website using a stolen credit card.
• A legitimate ecommerce website that processes the criminal’s order.

Trust
The firm belief in the competence of an entity to act dependably, securely, and reliably within a specified context.

Trusted framework
A certification program that enables a party who accepts a digital identity credential (called the relying party) to trust the identity, security and privacy policies of the party who issues the credential (called the identity service provider) and vice versa.

Trusted third-party
An entity trusted by multiple other entities within a specific context and which is alien to their internal relationship.

Two-Factor Authentication (2FA)
Two-Factor Authentication is a security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other of which is typically something memorised, such as a security code.

U

Unique identity
A set of identifiers/attributes forms a unique identity. Furthermore, an identifier, such as a unique number or any set of attributes, is capable of determining precisely who or what the entity is.

URL spoofing
This is an attempt to closely mimic the URL of another website. This makes the fraudulent website appear legitimate.

User data verification
One of the first actions FIs take when onboarding a prospective new customer is verifying the individual’s identifying information by comparing the data provided by the prospective customer to third-party sources. While many countries’ anti-money laundering requirements mandate the verification of specific PII elements, such as name, address, and taxpayer identification number, many issuers verify more than just the bare minimum dictated by compliance. While ecommerce merchants verify PII less frequently due to cost constraints, many incorporate elements of digital identity verification into their risk protocols.

V

Verified by Visa
Verified by Visa provides merchants, acquirers and issuers with cardholder authentication on ecommerce transactions, by leveraging the 3-D Secure protocols. It helps to reduce ecommerce fraud by ensuring that the transaction is being initiated by the rightful owner of the Visa account. This gives merchants, acquirers, issuers and consumers greater protection on ecommerce transactions.

Vishing
The act of using the telephone in an attempt to scam the user into providing private information that will be used for identity theft. The scammer usually pretends to be a legitimate business, and fools the victim into thinking (s)he will profit.

Voice authorisation
An approval response that is obtained through interactive communication between an issuer and an acquirer, their authorising processors or stand-in processing or through telephone, facsimile or telex communications.

Voice over IP (VoIP, or voice over Internet Protocol)
Refers to the communication protocols, technologies, methodologies and transmission techniques involved in the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the internet. Other terms commonly associated with VoIP are IP telephony, internet telephony, voice over broadband (VoBB), broadband telephony, IP communications and broadband phone.

W

Wire fraud
A financial fraud involving the use of telecommunications or information technology.

3-D Secure 2.0
3-D Secure (3DS) is the program jointly developed by Visa and Mastercard to combat online credit card fraud. To reflect current and future market requirements, the payments industry recognised the need to create a new 3-D Secure (3DS) specification that would support app-based authentication and integration with digital wallets, as well as traditional browser-based ecommerce transactions. This led to the development of EMV 3-D Secure – Protocol and Core Functions Specification v2.0.0 (EMV 3DS 2.0 Specification). The specification takes into account these new payment channels and supports the delivery of industry leading security, performance and user experience.
Don’t Miss the Opportunity of Being Part of Large-Scale Payments Industry Overviews

Once a year, The Paypers releases four large-scale industry overviews covering the latest trends, developments, disruptive innovations and challenges that define the global online/mobile payments, e-invoicing, B2B payments, ecommerce and web fraud prevention & digital identity space. Industry consultants, policy makers, service providers, merchants from all over the world share their views and expertise on different key topics within the industry. Listings and advertorial options are also part of the Guides for the purpose of ensuring effective company exposure at a global level.

B2B Fintech: Payments, Supply Chain Finance & E-invoicing
Payment Methods Report
Open Banking Report
Payments and Commerce Market Guide

For the latest edition, please check the Reports section
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.6 Linearized : Yes Author : The Paypers Create Date : 2018:12:11 23:54:57+01:00 Keywords : data breaches, digital identity, customer experience, digital onboarding, identity verification, online authentication, KYC, SCA, biometrics, machine learning, artificial intelligence, banks, merchants, payments, telecoms fraud, travelling fraud, sim swap fraud, mapping, infographic, technology vendors Modify Date : 2018:12:13 09:03:13-07:00 Has XFA : No Language : en-GB Tagged PDF : Yes XMP Toolkit : Adobe XMP Core 5.6-c015 84.159810, 2016/09/10-02:41:30 Metadata Date : 2018:12:13 09:03:13-07:00 Creator Tool : Adobe InDesign CC 13.1 (Macintosh) Instance ID : uuid:8eb1bf63-9d2b-df41-b291-1aa44d291f7f Original Document ID : adobe:docid:indd:b8995a87-e663-11de-a544-d8fb66847181 Document ID : xmp.id:54da2600-ec40-4c44-97a3-6b630ea46927 Rendition Class : proof:pdf Derived From Instance ID : xmp.iid:bb5f96bf-6d2c-43bf-8400-fdbbab81337b Derived From Document ID : xmp.did:c484cf2d-3879-498b-8200-8c545644b6a8 Derived From Original Document ID: adobe:docid:indd:b8995a87-e663-11de-a544-d8fb66847181 Derived From Rendition Class : default History Action : converted History Parameters : from application/x-indesign to application/pdf History Software Agent : Adobe InDesign CC 13.1 (Macintosh) History Changed : / History When : 2018:12:11 23:54:57+01:00 Format : application/pdf Title : Web Fraud Prevention, Identity Verification & Authentication Guide 2018 -2019 Creator : The Paypers Description : Web Fraud Prevention, Identity Verification & Authentication Guide 2018 -2019 Rights : The Paypers Subject : data breaches, digital identity, customer experience, digital onboarding, identity verification, online authentication, KYC, SCA, biometrics, machine learning, artificial intelligence, banks, merchants, payments, telecoms fraud, travelling fraud, sim swap fraud, mapping, infographic, technology vendors 
Marked : True Producer : Adobe PDF Library 15.0 Trapped : False Page Layout : SinglePage Page Mode : UseOutlines Page Count : 251