If you were talking to someone whose organization is considering ThreatMetrix, what would you say?
How would you rate it and why? Any other tips or advice?
I'm not sure which version of the solution we are using. It may be some variation of version five. The solution in terms of implementation is pretty good and it can be a fairly simple deployment. It seems complex at first, however, it's very, very simple and the documentation is fairly good. That said, we thought we would be getting more benefit and only later realized some areas are not as robust as we had thought. In terms of our requirements for device detection, I'd rate the solution a nine out of ten.
ThreatMetrix seems like a fairly complete solution. Because of the rise of mobile, we were moving to a mobile based lending product. Given that fact there was a concern that there was a new vector for attack and that's what we wanted to protect ourselves against. It's important to understand your use case very clearly. I think the challenge we had was the understanding that this was a capability that we needed, but we were not particularly clear as to how extensively we would use it. That's worth figuring out in advance. You can access the admin console and view performance once it's been implemented. That's worth doing as well as making use of the ThreatMetrix dashboard. One of the things that I learned was just the sheer number of vectors that a potential attacker could use when they access your service, or your platform. That was a whole journey, discovering the many ways attackers can access the system, try to create multiple accounts, and do lots of accessing on servers in hidden locations. The fact that it's actually possible to track that information based on the browser, and based on the user ID, and being able to link that through different devices was interesting. I think device intelligence is still relatively new, and not everyone in the risk team fully understood it. We had a few people who didn't think that it provided much value from the outset, and getting them on board was more challenging. It slowly improved over time, as we became more embedded in part of the credit check, primarily by the credit risk team. It was used more to identify, to ensure that people are who they say they are, and they're contacting from devices that we know to be safe and secure. I would rate this solution a seven out of 10.
We're using the web version. I'm not aware of if they have multiple versions. I would recommend the solution to others. I would tell potential users that it's important to provide ongoing feedback to ThreatMetrix as to the outcomes. That will help them further refine the tool. If you don't have a commitment to providing the feedback loop, my guess is it would be less successful. One of the reasons we've had success is that we've been providing information back on the outcomes, which helps them fine-tune the model and improve on it from that perspective. Overall, I would rate the solution ten out of ten. We've had a very good experience using it.
I would suggest that a potential new customer that's in the market for such a product get quotes from the top three or four players. These would be ThreatMetrix, Kount Retail Decisions, eCertify, and CyberSource. Those are the main fraud assessment platforms that I'm aware of. Fraud assessment is a good thing for merchants to implement. Fraud, in general, in the transaction processing space, is a big issue and becoming larger as the years go by. I would advise merchants to do engage with such fraud assessment tools as ThreatMetrix. Overall, I would rate the solution seven out of ten. It's not a higher ranking due to the fact that the integration has limitations with other vendors like Credit Card Gateway. Some of these things may change over time, however, the other products that I mentioned have more integration options with other vendors, and therefore that would be a limitation ThreatMetrix.
I would say to definitely consider it at a design stage, or at least to have an extensive sandbox where you can set it out. The major thing is integration into your current system and also false positives from poorly configured systems. If you actually do have a system that is already running, then definitely look at the integration and look at the knowledge base to understand exactly what it takes and how do they integrate. It is not just integrating the SDK or the API in the product; it is understanding the massive parameters that you can tune. ThreatMetrix helps you with that aspect, but it is really up to you to tune them for your application on your platform. If they are not tuned properly, you would definitely get into trouble because you have started flagging up false positives, which you don't want to do. I would rate ThreatMetrix an eight out of ten. It needs a few improvements, but it is definitely good.
What do you like most about ThreatMetrix?
Thanks for sharing your thoughts with the community!
In your experience, what fraud detection tool is the most effective?