XOR Data Exchange Combats Fraud For Online Retailers

The need for online retailers and brands to be vigilant in the face of fraud becomes more pressing by the day — but additional authentication measures can create friction on the consumer’s end, which has a nasty habit of reducing conversion rates.

The trouble is, the global implementation of EMV authentication has led to a major uptick in instances of card-not-present (CNP) fraud in the eCommerce space. Fueled by account takeovers facilitated by major data breaches, reports suggest that one out of every 86 CNP transactions today is deemed fraudulent, said Greg Bonin, COO of data-as-a-service company XOR Data Exchange.

For its part, XOR recently released a preventative, data-driven resource to enable online retailers to combat CNP fraud and account takeover attempts on the back-end. The platform, called Compromised Identity Exchange Basic (CIEB), allows online retailers to identify account takeover attempts by providing theft risk insight on the level of the individual consumer.

In simple terms, XOR gathers data on the information compromised in major breaches, Bonin said. The company then leverages that data to enable its platform to perform risk assessments on online retailers’ user accounts, namely email addresses associated with login.

Given a login attempt, the platform checks it against XOR’s breach data — assessing if an account was part of any breaches and, if so, how recent the breach was, along with what information was lost in the breach — and sends back a risk score.

“We return back to retailers a risk indicator — high, medium or low,” Bonin said. “If a plain text password was exposed, or the consumer had an easily crackable password, that will bump them to a higher risk category.”

XOR offers CIEB to retailers for free. The platform is based off a pre-existing paid enterprise platform the company offers to financial institutions. The differences are in the details, Bonin said. With the paid version, financial institutions receive more fine-grain risk assessments, for instance — not just the three tiers.

Still, the free version of the solution provides a useful tool for merchants who aren’t keen on introducing friction unless it’s necessary.

The CIEB platform allows merchants to see, for example, when someone new is signing up for an account, whether they should require additional verification. Rather than creating friction for every user by requiring tougher authentication measures, the CIE platform allows online retailers to pick their battles, in a sense.

Another instance where this capability comes in handy for online retailers is if a user is signing in from a new, unfamiliar device. Again, given the risk score, retailers can then allow the login, require additional verification or deny entry altogether.

At the moment, Bonin said XOR holds about 1.8 billion records from various major breaches. In assessments that the company has done, XOR has found that some 25 to 35 percent of all emails have been part of one or more major breaches.

“Now, I don’t know if that number will hold forever,” Bonin noted, “but we’ve tested through a few diverse populations and so far it appears to be pretty consistent.”

In the short term, Bonin said that the company is looking to allow merchants and other users engaging with the free solution to report fraud information back to XOR. This will allow the company to perform more thorough assessments of fraud risk as it relates to eCommerce merchants.

The reason this is important, Bonin said, is that different fraudsters may be targeting different types of organizations.

“Some might be trying to open credit cards in peoples’ names, whereas others might be trying to rip off Amazon,” Bonin said. “We want to be able to have our basic users report their fraud data and, in return, we can include that data in our future responses.”

In the long run, XOR Data Exchange is looking to move into the authentication space more broadly by leveraging their fraud expertise.

Bonin said, “A lot of the time it’s just as important, especially for enterprise customers, to safely qualify people with the minimum amount of friction as it is to find the bad guys.”