Sontiq’s SVP of Innovation Sheds Light on the Growth of Fintech and Cyber Threats
By Roy Urrico
Finopotamus presents InfoSec People Profiles, a series spotlighting individuals working in information security to protect data and transactions at credit unions and other financial institutions.
Jim Van Dyke, the senior vice president of innovation at identity security company Sontiq, has seen the best and the worst the internet has to offer — from working with fintech startups to more recently securing people and companies from identity theft and fraud threats.
Van Dyke earned his education in California’s Silicon Valley and Bay Area, with a bachelor’s from San Jose State University and a master’s from San Francisco’s Golden Gate University. Both degrees were in business and both were with honors.
Upon entering the workforce in the 1980s, he learned early on that going electronic was a remedy for businesses that relied too much on paperwork. This realization led to a job with an early digital commerce company.
When internet banking (then called home banking) began to lift off in the mid-1990s, Van Dyke went to work for a credit union tech company. “I ended up being a product manager for all phases of fintech and security technology products,” he said. As part of the job, he then moved over to research. “That’s where I fell in love with the work I do now. Trying to understand how security problems turn into identity theft and fraud problems. And that is where I primarily stayed focused.”
The Promise and Problems of Digital Commerce
The early days of digital commerce were not so much plug-and-play but more like disks and cables. “When I started in digital commerce, we would literally run the wires in the business, you sold people the computer hardware and software for electronic communication.” That was especially the case because the only widely available network then was the ARPANET, which became the basis for the internet and was in just a few universities or the military, Van Dyke noted.
He recalled selling a 5 megabyte, 14-inch diameter disc pack for $5,000. “We would implement essentially a proprietary version of the web for that business in the supply chain and hand out floppy disks to teach people how to do everything from communicate, to set up bill pay, to the whole works.”
In 2002, Van Dyke founded advisory firm Javelin Strategy & Research, at least officially. Although he actually started Javelin in 1998, he put Javelin aside to move to Jupiter Media Metrix during the dot-com boom. He then returned to restart Javelin for a 13-year run that culminated with its sale to Greenwich Associates in 2015.
After selling Javelin, he became an expert witness in many large data breach cases. “All the type of big cases that are causing the fraud that credit unions and members have to deal with today, like Experian, Yahoo and Equifax,” said Van Dyke.
The knowledge gained from his experience as a witness led Van Dyke to co-found Breach Clarity with Al Pascual (now senior vice president, data breach solutions at Sontiq) in 2016. “I was the inventor of the technology and I was delighted to have Al's expertise as a person who's worked in a fraud mitigation role in fintech or financial institutions helping build out the product and start up the corporation.” Breach Clarity, which utilizes an algorithm that analyzes numerous data points to assess the risks stemming from a breach, won recognition from the credit union and fintech communities for its innovative approach to cyber protection.
That was before COVID-19 hit. “The pandemic made it hard to innovate because a lot of credit unions cut their innovation budgets for anything but obvious short term payoff areas like online account opening,” said Van Dyke. “A lot of innovation budgets really suffered in the pandemic even though we had more members (using) digital.”
Nottingham, Md.-based Sontiq bought Breach Clarity in March 2021 and renamed it BreachIQ. “It turned out to be a great partnership for me,” said Van Dyke, whose current role as SVP is to further BreachIQ’s market growth.
Raising Financial Institutions’ BreachIQ
“One hundred percent of everything that was in the old Breach Clarity product is still in BreachIQ. We kept all those features, but we're really able to expand what the product does for credit unions and members,” Van Dyke explained.
BreachIQ analyzes every member's breach footprint, mainly through a personal email address. It searches the dark web for possible breach exposures, converts that information through artificial intelligence and runs it through the 1,300-element algorithm that Van Dyke invented. The solution translates the output for every member to determine what identity crimes, such as payment card or medical frauds, present the most risks. “Even more importantly, it (detects) for every unique member, what action steps that member needs to prioritize in order to minimize the risk of those crimes,” Van Dyke noted.
Sontiq expands upon that output by matching it with identity protection and helps people navigate the ID threats through 51 possible action steps such as password managers, credit monitoring and restoration help.
“For the many members that are just confused about what to do next,” explained Van Dyke. He added that everyone affected by a breach has a different risk profile, and therefore the prognosis and advice should reflect that distinctiveness.
Top Security Dangers for Credit Unions
The Sontiq SVP explained that on an average day there are seven publicly reported data breaches. Van Dyke said, “What keeps me up at night is worrying about how the unique information from any new data breach creates an equally unique pattern of risk, which in turn can lead to powerful scams.”
Van Dyke also discussed how phishing attacks evolved from the early typo-ridden or awkwardly worded emails to today’s more sophisticated communications. “So convincingly crafted that it's really hard to tell the real message outreaches from the fake ones,” he said.
In addition, Van Dyke explained how certain criminal groups target financial services organizations. At the same time, financial institutions are not usually the source of the breached data, but customers could end up in the middle of an exposure in some way.
“We’ve got the only database that catalogs every single, publicly reported data breach reported to state attorneys general. We analyze the proportion of financial institutions — credit unions, banks, and other financial institutions — in our database compared to other organizations,” Van Dyke indicated. He detailed how Sontiq uncovered three different conclusions in measuring how likely a financial institution is to be the source of the pollution caused by an exposed identity holder’s personally identifiable information (PII), payment card information (PCI), or protected health information (PHI):
1. The number of times financial institutions are exposed in a breach in the first place is low compared to hospitals, government, and merchants. In the last couple of years, a number of the mega breaches have directly affected ecommerce and payment services.
2. The breaches of financial institutions that occur are typically just a subset of larger breaches. Although not targeted specifically, member information such as card data does become part of the exposure fallout.
3. When financial institutions become breach targets, the infiltrated information tends to be less severe. “That is why we rate every breach on a 1-to-10 basis on how likely it is to create identity theft or fraud,” he noted.
Do Not Blame Members
Van Dyke acknowledged consumers, including credit union members, often get a bad rap in the identity theft commotion. The contamination of exposed consumer data that is leading to identity theft or fraud at financial institutions takes place because identity criminals follow the money, he pointed out.
“This whole field of protecting members needs a good shot in the arm of authenticity,” Van Dyke said. “Get rid of this horrible one size fits all advice that people have today, which is telling everybody regardless of their risk profile, ‘monitor your credit’ or maybe ‘freeze your credit’ and ‘change your password.’” He added, “Then stop blaming the member for not being as active as organizations want them to be. It is not the member's fault for (not) being more involved or not changing their password.”
Van Dyke added, “I'm really excited and personally very fulfilled to be working on something that gives the credit union an opportunity to more innovatively and authentically strengthen member financial health.”
In late October 2021, Chicago-based TransUnion announced it had signed a definitive agreement to acquire Sontiq for $638 million. TransUnion said that with its digital identity assets and solutions, the combined company will offer a comprehensive set of omnichannel solutions to make trust possible for consumers and businesses.