We’re handling breaches all wrong.
Mike Cook, CEO and Founder of XOR Data Exchange, says that every time a company gets hit with a data breach, it’s the same old cycle: compromised companies take too long to report, and when they do and notify consumers that their information might be compromised, part of the consumer apology tour is offering consumers free credit report monitoring. The same agencies who also sell that data to others for marketing purposes.
Something Cook calls the “biggest elephant in the room.”
Credit report monitoring doesn’t solve the problem – and if anything, it might only perpetuate it. Only a small sliver of a fraction of at-risk consumers take advantage of the free option, leaving the vast majority of consumers exposed – or perhaps not. Just because data was stolen doesn’t mean that it will be used against them creating uncertainty for the consumer and those organizations that are at risk. That lack of certainty often means that some companies reissue new credentials to all compromised consumers, a costly and sometimes unnecessary move.
There’s a much better way to tackle this, Cook says, and he and his co-founders have been hard at work creating a new model. This new model, Cook contends, could not only solve the breach problem but also put the consumer squarely in control of his or her identity.
XOR Data Exchange is a permission-based data platform that makes it possible for data owners to contribute their data to a common exchange.
But why in the world would anyone want to do that?
For the same reason anyone does anything – because what they get back is orders of magnitude better than what they put in.
Companies that contribute their data also know that XOR isn’t going to monetize that data in any other way. Data owners who become data contributors know that their data is safe, and used only for the explicit and agreed to purpose that XOR has permission from the data owner to use.
XOR Data Exchange customers – the data owners - ran the gamut from credit card issuers to small business lenders to marketplace lenders to the wireless, cable and satellite industries. They contribute information so what they get back is the ability to make better decisions about a variety of things related to credit and risk – and now the use of compromised consumer identities by fraudsters to commit fraud.
Cook sat down with Karen Webster to take her under the hood of how a permission-based data platform works, generally, and why Cook feels so strongly about its potential use in the compromised identity arena to lower the incidences of fraud.
Which also, Cook believes, outing that great big elephant in the room – and getting the industry to think differently about what should happen when a breach occurs.
Here’s what they discussed.
WEBSTER: XOR is a permission-based data platform that you characterize as one that has helped businesses fight fraud and credit risk. Data is the hottest thing going on right now and so I think that I’ve heard a number of takes on “new ways to organize data” that “helps businesses fight fraud and credit risk.” What makes your approach different – and in your view - better?
COOK: XOR is a transparent, privacy-centric model – a permission-based data exchange platform. We don’t build solutions looking for a marketplace to sell data into. We build platforms within an industry that have a problem to solve and we use the data to do that – and nothing more. The market comes to us.
When we are approached by an industry stakeholder with a problem or a concern, we explore how we can facilitate data sharing among other industries to create that data platform that helps to solve for things as diverse as small business credit and fraud risk, digital money transfer fraud, and, now, the problem of data breaches and compromised identities.
But whatever solution we build, we only use the data specifically for the way the data owner has asked us to use it. We don't monetize it in any other way.
WEBSTER: Give me an example of a data owner — a category of a company, the data they are contributing to the exchange and what they expect to get out of doing it.
COOK: The first exchange that we built was a small business credit and fraud exchange. The use case was the communications marketplace where there are really, really small companies trying to get services — wireless phones, cable, satellite. What a communications customer would get from us, in that specific exchange, is a credit risk score back with 100 variables that we assessed so they could do custom modeling against it. That fraud risk score would predict fraud risk over the next six months – data for sure, but intelligent data that helps them make better decisions.
WEBSTER: How do you decide what exchanges you create and therefore solicit data owners to contribute?
COOK: We focus on industries that we know pretty well. We’re very strong in financial services and communications. But again, we are very industry and customer-centric. We ask data owners what permission-based data exchanges would help them solve some of their big credit/fraud solutions, how would they like us to facilitate data sharing, and they will tell us. We build very industry-driven solutions.
WEBSTER: Let’s dig into the breach scenario. So, there’s a breach, and there's consumer data that's been compromised. We have the breached entity and then those that would like to know what data has been compromised since they could be targets of fraudsters with compromised information. Sounds like a great permission-based platform opportunity to me – but how do you solve for the compromised identity problem that arises as a result of the breach?
COOK: When any company loses information – banks, health insurers, the Office of Personnel Management – there’s no question about what happens next: that data then gets sold on the Internet. Its expressed purpose is to be used by fraudsters to perpetrate all kinds of fraud — new account fraud, account takeover fraud, wire-transfer fraud, etc. That data is used very broadly, and today there is no way to really know when that information will be used by fraudsters.
We, frankly, don't think it’s right that fraudsters have such a free range to operate under this blanket of secrecy.
So, we’ve established the Compromised Identity Exchange that is available to all compromised entities, for free. Those entities put their compromised customers’ data into the data exchange, knowing that the only entities looking at it are those who might be harmed if that data was being used against them to commit fraud.
Then, “at-risk” entities can query that database in real time, when a new account opening of any kind is being attempted. They can see if it matches a compromised identity in the database. Those entities are then better able to protect that consumer by doing additional authentication as needed. The goal, obviously, is to stop fraud before it happens.
In addition, one of the big value-adds is that this query can extend to checking and savings accounts or credit lines vulnerable to account takeover fraud or wire transfer fraud. Since there is no credit check run to initiate those types of transactions, credit monitoring services may not be effective in preventing those types of fraud – which can be devastating. By scoring existing accounts against the Compromised Identity Exchange, at-risk entities can determine which accounts need additional monitoring to catch those transactions and avoid losses.
It’s not just a concept. The Compromised Identity Exchange has launched and it’s working. We are working with large banks – who are the “at-risk” entities that would be fraudster targets – and large compromised entities to enrich the platform that already exists.
WEBSTER: Could having a Compromised Identity Exchange give companies an incentive to come forward earlier and contribute compromised data into the exchange?
COOK: The issue isn't if you're going to report it, it's when you are going to report it. One of the biggest concerns is always: how much is this breach going to cost the organization on a multitude of levels – cost of fraud, cost of reputation, and a variety of other operational costs.
In the case of a bank, they have to regenerate cards. They have to buy credit monitoring because that's the standard now. If there is a data breach of PII information, consumers and regulators expect the entity to buy credit monitoring. That's very expensive. And for a lot of reasons it's not actually a very good solution.
We want access to our platform to be free for compromised entities, so to take the concern of those dollars off their plate. We hope that will encourage them to participate in a compromised data exchange sooner rather than later.
We really believe that when the exchange is in place and really revved up, it will stop a lot of fraud – since the faster it's reported, the faster it can protect banks from being defrauded and consumers from having their identities compromised.
WEBSTER: So it sounds to me that your exchange could eliminate the need for anyone to buy credit monitoring for their customers in the future since, in theory, at least, your platform provides the knowledge about whether the consumer’s identity is being used against them.
COOK: We want consumers to actively own and take part in their identity. That’s why we built the company. We think our solution will let them do that. And since we can offer 100 percent coverage – card, checking, wire and even credit lines, consumers will be protected proactively regardless of whether they opt in – or not – to a credit monitoring service. Naturally, consumers can always opt-out if they wish.
All that said, I think in the short run people will continue to buy credit monitoring - it does serve some kind of a purpose for those who opt-in. The consumer gets an alert when a new account was opened and for that roughly 8 percent of people who take the service, that is good news.
However, because not that many people opt-in, most consumers are still at risk as are a number of other entities – and the fraudsters have free rein to wreak havoc with them and the banks and merchants they are out to hurt whenever and however they please.
Immediately, we think we will be a supplement to the existing credit monitoring solution – but if have our way, not for very long.