Data breaches are now so common that Motherboard features a series called “Another Day, Another Breach.” Though fatigue may have found its way into the data breach discussion, the harmful effects – for individuals and organizations – are real and widespread.
And there is a ripple effect. When personal information is accessed in a breach, it not only goes up for sale on the dark web, it can also be used to amass sophisticated profiles that can then be used to set up fraudulent accounts with cable companies, banks, and other service providers. One company’s breach thus becomes a problem for multiple companies' bottom lines.
That’s why threat-sharing frameworks can be beneficial for companies across industry sectors. Though sharing threat data among public and private organizations is not new, it has not been an easy initiative to implement. Companies have liability concerns and proprietary information they need to protect.
One company, however, is offering a service to help breached organizations and those service providers that face fraudulent use of their services via breached personal information. XOR Data Exchange recently introduced what it calls the Compromised Identity Exchange. Launched in early May, the CIE helps a breached company and its customers as well as other companies that are likely high-fraud targets because of the breached data.
To start, a breached company shares a list of the users whose data was compromised with the exchange, free of charge. Once the records are in the exchange, they are analyzed for fraud patterns and combined with known fraudulent activity. XOR can then alert its customers – the banks, lenders, and other service providers – to the customers and customer applications that likely carry a higher risk of fraud. Those companies can then focus their efforts on stopping these fake accounts and protecting the real identities of their customers.
A week after launching the CIE, XOR received more than 16 million breached records and identities. XOR Founder and CEO Mike Cook told Privacy Tech that the more breached records that make it into the exchange, the more effective it will become. Companies that have suffered a breach are not charged by XOR for sharing the compromised records, even though participating in the CIE is likely to reduce the injury their customers suffer following the breach. Where credit monitoring might flag when an inappropriate transaction occurs, XOR's goal is to prevent that transaction from happening in the first place.
“They’re the victim,” Cook explained. “We don’t want to charge them money. We want to get as many records as possible.” Plus, he hopes, if companies know sharing the data will not cost them money, they will likely share the compromised information more quickly. “For us,” he continued, “the faster we can speed the process up, the faster we can help protect the compromised identities and the service providers that face potential fraudulent activity.”
XOR has also baked a number of privacy and security protections into the exchange.
Cook said the CIE employs encryption throughout the framework and uses two main security features for additional records protection. The first, ID factoring, splits each breached record into its individual elements and stores them separately; the map that ties the elements back together is not kept by XOR, said Cook, only by the provider. That way, if the exchange were breached and the adversary managed to crack the encrypted data, the adversary would only possess isolated elements, like a Social Security number, with no link to the name, address, or other data from the same record.
The second feature is a distributed exchange. This proprietary software runs behind a company’s own firewall and allows the company to “ping records for matching purposes,” so the affected organization does not have to send PII to XOR. Cook pointed out, though, that this option carries an $8,000 licensing fee and is only recommended for large breaches or at-risk organizations.
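To make the two properties above concrete (per-element storage with a provider-held map, and matching that does not require the raw PII), here is an added illustrative example written for this article. It is not XOR's software and is not based on any description of its internals beyond the paragraphs above; the field list, the keyed-digest blinding, the shared pepper, and the sample breached records are all assumptions constructed for the demonstration.

```python
"""Illustrative "ID factoring" plus blinded matching (added example, not XOR's code).

Design being demonstrated:
  * each breached record is split into its individual elements;
  * every element is stored in the exchange under a fresh random token, so the
    exchange-side store contains no record identifiers and no field-to-field links;
  * only the breached provider keeps the token map that can reassemble a record;
  * elements are stored as keyed digests (HMAC-SHA256 under a pepper that the
    exchange and its querying members share but the store does not hold), so a
    member can ask "is this SSN among the compromised ones?" without sending the
    raw value to the store.
"""
import hashlib
import hmac
import secrets

FIELDS = ("name", "email", "ssn")          # assumed element set for the demo

# Hypothetical shared secret held by the exchange service and its members,
# NOT stored alongside the element store (a dump of the store alone is useless).
PEPPER = secrets.token_bytes(32)


def blind(field, value, pepper):
    """Keyed digest of a single element. Field name is bound into the message so
    an SSN digest can never collide with, say, a phone-number digest."""
    msg = f"{field}:{value.strip().lower()}".encode()
    return hmac.new(pepper, msg, hashlib.sha256).hexdigest()


def factor_records(records, pepper):
    """Split records into elements.

    Returns (exchange_store, provider_map):
      exchange_store: {field: {random_token: digest}}  -- what the exchange holds
      provider_map:   {record_id: {field: random_token}} -- kept only by the provider
    """
    exchange_store = {f: {} for f in FIELDS}
    provider_map = {}
    for rec_id, rec in records.items():
        provider_map[rec_id] = {}
        for f in FIELDS:
            token = secrets.token_hex(16)      # independent per element, never derived from rec_id
            exchange_store[f][token] = blind(f, rec[f], pepper)
            provider_map[rec_id][f] = token
    return exchange_store, provider_map


def compromised_fields(applicant, exchange_store, pepper):
    """A member's query: which elements of a new application match a compromised element?
    Only digests are compared; the raw applicant data never leaves the member."""
    hits = []
    for f in FIELDS:
        if f in applicant:
            digest = blind(f, applicant[f], pepper)
            if digest in exchange_store[f].values():
                hits.append(f)
    return hits


def reconstruct(record_id, provider_map, exchange_store):
    """Only the provider, holding the map, can re-join a record's elements."""
    return {f: exchange_store[f][tok] for f, tok in provider_map[record_id].items()}


# Constructed sample breach (fictional people and numbers).
BREACHED = {
    "cust-001": {"name": "Ada Lovelace", "email": "ada@example.com", "ssn": "123-45-6789"},
    "cust-002": {"name": "Alan Turing", "email": "alan@example.com", "ssn": "987-65-4321"},
}
EXCHANGE_STORE, PROVIDER_MAP = factor_records(BREACHED, PEPPER)

if __name__ == "__main__":
    # A fraudulent application reusing a breached SSN under a different name.
    print(compromised_fields({"name": "Bob Fake", "ssn": "123-45-6789"}, EXCHANGE_STORE, PEPPER))
    # The store never sees record ids, and each field's tokens are unrelated.
    print("cust-001" in str(EXCHANGE_STORE))
    print(reconstruct("cust-001", PROVIDER_MAP, EXCHANGE_STORE) == {
        f: blind(f, BREACHED["cust-001"][f], PEPPER) for f in FIELDS})
```

Two caveats a practitioner would want on top of this sketch. First, the unlinkability holds only for the store: whoever holds the provider map (or the pepper plus the store) can re-join or test elements, so those secrets need separate custody from the element store. Second, a keyed digest of a low-entropy element such as a nine-digit SSN is brute-forceable offline if the pepper ever leaks alongside the store, which is exactly the scenario the article's "crack the encrypted data" remark describes; the isolated element would still be recoverable, just not linkable.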
Cook also noted that the exchange is a more protective solution for the individuals whose records have been compromised. In the traditional credit-monitoring paradigm, the individual usually must opt in to the program, and monitoring typically lasts only one to three years. The exchange, on the other hand, covers 100 percent of the affected customers because they do not need to opt in. “Credit monitoring,” he argued, “is just a band-aid; it’s just an alert. Plus, it’s expensive and only protects against new application fraud.”
That said, Cook wants XOR to partner with companies rather than compete with them. “We want to cast a wide net,” he added, by helping breached companies and their customers as well as at-risk service providers.