SAN FRANCISCO (Reuters) - As the continuing parade of mass data breaches increases the opportunities for miscreants to use grabbed credentials for all manner of fraud, it is also driving defenders to seek new ways to connect the dots and stop secondary crimes sooner.
Companies like Baltimore’s Terbium Labs have professionalized crawling the Dark Web, where criminals trade or sell large quantities of stolen credit card data and most other imaginable categories of personal information.
Austin-based AllClear ID, formerly known as Debix, is among the companies that go beyond credit monitoring and report additional information to consumers. One of its services looks for breached data turned over to the FBI-affiliated National Cyber-Forensics & Training Alliance, then alerts subscribers if material about them shows up.
Starting on Monday, an Austin startup will try a third way: collecting breached data directly from the companies that were hit, then allowing banks and other potential fraud magnets to see if their customers are involved and have accounts more likely to be targeted.
The idea behind what is being dubbed the Compromised Identity Exchange is to charge those most likely to be hit with follow-on fraud for access to information that reduces their risk.
Companies that have been breached will not pay anything to hand over the data that was stolen, and they can feel that they have done more than most to protect their customers or employees by heading off future fraud that might hurt them.
The service is being run by a company called XOR Data Exchange, which says it can produce useful data faster by hearing from the victims instead of trolling the Dark Web, where it may already be too late by the time it appears.
Due to heavy security on the data, XOR says, the system may also allow breached companies to share the sensitive information without changing their privacy policies or waiting for the people exposed to opt in, as they must for credit monitoring.
Reporting by Joseph Menn; Editing by Christian Schmollinger