Lifelock Worries After Employee Data Leaked To Web

itwbennett writes "Last week, Phoenix New Times reporter Ray Stein revealed that LifeLock CEO Todd Davis (who famously published his Social Security number in LifeLock ads) had been the victim of identity theft at least 13 times. This week, LifeLock made it clear that it's not so cavalier with its employees' personal data. The company asked the New Times to remove from its website a police report containing a redacted Social Security number, date of birth, address, and phone number of Lifelock employee Tamika Jones. In an interview, Stein said that the fact that LifeLock had to call and ask for the document to be removed reflected badly on Lifelock's service. 'I think this shows clearly that they know that it's got potential problems.'"

No different than the DNC registery

[BitZtream]

All LifeLock does is add you to all the little BS registries and companies that list people who don't want to be 'contacted'.

Unforunately, thats all the data someone needs to effectively steal your identity anyway, so in reality they just become a distributor of the very information they are 'protecting'.

Re:No different than the DNC registery

[Mr.+Freeman]

You're an idiot, it has nothing to do with no-call lists or any such thing.

It puts a "fraud alert" on your accounts and renews it every 90 days or however long they last for. Something you can easily do yourself for free. Basically having a fraud alert makes banks, lenders, etc. actually do SOME amount of work to verify your identity rather than blindly allowing anyone with a social security number to get a loan in the owner of that number's name.

Re:No different than the DNC registery

Back in the early 90's I had a student loan taken out against my social security number by a women who was attending college in a different state. If it were that easy back in the days before the Internet, the permutations of possible financial fraud now are approaching infinity.

Re:No different than the DNC registery

Basically having a fraud alert makes banks, lenders, etc. actually do SOME amount of work to verify your identity rather than blindly allowing anyone with a social security number to get a loan in the owner of that number's name.

Not entirely true. It theoretically requires banks, lenders, etc do some work before opening a new account. In practice, they usually skip this step. Trust me, I know from experience. I opened a new bank account while I had a fraud alert on my files, yet I was never contacted to confirm that I indeed opened that account. When I pressed the credit reporting agencies on it, I was told that the fraud alert system is more of a "best practice" type of thing, and that companies were in no way obligated to actually follow the guidelines.

Re:No different than the DNC registery

[Jason+Levine]

With fraud alerts, banks/lenders/etc are recommended to do some verification work, but they aren't *required* to do so. Some institutions might skip the verification and thus allow more ID theft to go on. Better to freeze your credit entirely. It costs some money to place, thaw and remove (how much depends on your state and whether or not you've been a victim of ID theft), but it is definitely worthwhile. As a bonus, since credit card companies can't see your credit information, they won't "pre-approve" you for credit cards and send those blank forms which then need to be shredded lest some ID thief steal them.

Of course, the credit agencies hate security freezes. They want you to place fraud alerts because they can still sell your credit information and you can still sign up for store credit cards on the fly. That's why their lobbyists will fight any bill that promises to make security freezes less expensive or easier to obtain.

Re:No different than the DNC registery

[Attila+Dimedici]

Very good point, my sister had her identity stolen. She put a fraud alert on with the credit reporting agencies. She, also, regularly obtained her credit report. On one of her reports, she saw that a major Department store chain had requested her credit report. She contacted their credit processing headquarters for our region to tell them that she had not requested credt from them and told them not to issue her any. Several months later she got a bill for around $2,000. It turns out that the person who stole her ID, lived in a different region and the people she talked to just blew my sister off because the application wasn't in their database. The chain ended up out that money and it didn't cause my sister more than the minor inconvenience of informing the chain that she had never asked for nor used the credit card in question.

Re:No different than the DNC registery

[qubezz]

Do I get mega-win for being the first commenter (as 'BootyFooz') in the original article to point out the flawed PDF 'blackouts', revealing SSN, drivers license, and DOB info for both the CEO and the other Lifelock employee?!

The Lifelock thing is clearly a scam founded by a guy who was already lifetime-banned from the credit repair industry. The only thing they did was use robo-dialers to call one credit reporting agency to set fraud alerts on subscribers's credit reports, and when the credit reporting agency stopped them from doing that, they now have no service at all except a false promise with a false $1 million guarantee. They had $12 million in liquid assets once, but a government fine completely cleaned out their bank accounts (yet allowed them to stay in business), so they couldn't even pay this guarantee even though their fine print says they really don't have to pay it anyway.

Really now?

[Darkness404]

Anyone who expects a service to 100% protect them from identity theft is an idiot. Its just like a virus scanner, it might be helpful but its no substitute for common sense.

Re:Really now?

[Shakrai]

it might be helpful but its no substitute for common sense.

Common sense would be banks requiring more information than an SSN and DOB from an internet connected computer before opening lines of credit. I watched someone apply for a line of credit with Citi online and receive a $15,000 account with no verification of his identity beyond the SSN/DOB match. What's wrong with that picture?

Re:Really now?

What's wrong with that picture?

That you're making shit up?

Re:Really now?

However, on the flipside, there are privacy issues with giving personally identifiable data to a prime hacking target (like a major lending institution.)

In order for them to validate a session as a legitimate person, they need personally identifiable data on that person. That means that they are warehousing such data, and in addition to being a target for wirefraud directly, they also become a target for identity theives of the highest order.

Knowing a little bit about data security (and security in general), there is NO SUCH THING as a perfectly secure system. Even an inoperable computer encased in 5 feet of concrete is not "Secure", since a jackhammer can grant access. You just have to be patient, and dilligent.

Thus, it is not a question of *IF* such a breach will occur, but WHEN. I am reminded of the "Malware on "Update" CD sent to a bank" covert security test last year. There are any number of ways that a bank could be compromised, and the data distributed. Unlike a password, or a username, or even a SSN, there is no way to change your mother's maiden name, etc.

Really, online banking is a very terrible idea. That's why I don't engage in it.

Identity theft will continue to be a problem as long as the internet is used to fascilitate banking. The incentive to steal an identity and get rich quick at some poor SOB's expense (especially in a foriegn country where the target's currency is "Hyper valued") will ensure that this is always so.

I might be a bit of a paranoid crank, but from where I sit, there is

1) Incentive
2) Opportunity

and therefor

3) profit

and as long as the first two hold true, the last one will always exist as well. Should it become not worth the time, or should there bey a major financial breakage where nobody has money thats worth a shit-- then 1) will go away. I suggest the far less deleterious 2) be removed-- Remove hacker opportunity to steal that data, by not having that data on public networks to begin with; EG, no online banking.

IMHO, Banks should use a dedicated, private network that does NOT have ANY endpoints connected to the public internet for just this reason.

Really, it's like having the door to your "Super sensitive, mission critical server room" outside in the public lobby, next to the bathroom. The only thing keeping people out is the lock on the door. I don't think it unreasonable to say that this is far from ideal from a security standpoint, and that a better solution is to have that door deeper in your company, well entrenched in the "employees only" section of the building.

The reason why wirefraud, and identity theft are so prevelent, is because the opportunity part of the equasion is running wild, in the name of "Convenience"-- Sure, online banking is very convenient, I am sure. It's also very convenient for the people that want to spend your money for you illicitly. It's also very convenient to dispose of toxic chemicals in a ditch somewhere too.

Sadly, people never seem to learn the intrinsic lesson here-- "Convenience" is not a justifiable reason to trump sensibility. EVER.

A simple mnemonic to think of when contemplating using the internet for something: Would trust handing that data to a total stranger on the street?

If the answer is no, then under no circumstances should you use the internet for that purpose. It's just that simple.

Re:Really now?

[biryokumaru]

Right on, brother!

This is exactly what I said when they first invented banks! I mean, anyone can just walk into one of those places with a fake ID and *bam* they've got all my money! That's why I keep all my money in gold Krugerrands in a shoe box under my...

Hey now, I'm not gonna tell you where I keep my shoe box! Now get off my lawn, you wacko!

Re:Really now?

[Gr8Apes]

A simple mnemonic to think of when contemplating using the internet for something: Would trust handing that data to a total stranger on the street?

And that's why I wish I could give 1 time card numbers to stores as well. Keeps them from tracking me too.

Paranoid? Obviously not enough, I'm not AC.

Re:Really now?

[NotQuiteReal]

Yup - I've been anonymous on the Internet, since, well, since it was Darpanet, or uucp, or whatever it was. Call me paranoid, but even way back in the day, I always wondered, "why would I want anyone to know X, about me?"

If you are writing me a check, I'll give you enough info so I can cash it, otherwise, meh. Even my cable bill has a misspelling in my name I have not corrected in 14 years.

P.S. NotQuiteReal, is not my real name... Proud alias-using "lurker" on the Internet/Usenet since 1982 (or before...)

Re:Really now?

To put it another way: Even in homes where the owners are heavily armed, someone still usually closes the front door if a departing guest left it open.

Re:Really now?

Everyone, let's use Cowboy Neal's SSN: 666-42-1701

Re:Really now?

[jonwil]

When I opened my bank account (here in Australia) I had to go into the branch physically and sign up for it, including showing various forms of ID.

The only reason the US isn't as strict is that the banks have used their powerful influence to make sure that nothing gets in the way of their ability to offer vast amounts of credit (home loans, car loans, personal loans, credit cards etc) to anyone and everyone.

They want to make getting a credit card as easy as possible.

Re:Really now?

[AK+Marc]

There are any number of ways that a bank could be compromised, and the data distributed. Unlike a password, or a username, or even a SSN, there is no way to change your mother's maiden name, etc.

I opened a bank in a foreign country. They take and hash your password as you give it to them. The password is never known by anyone there, can't be retrieved and will never be seen. It's up to me to make sure I don't use it on an infected system. If it gets out, I'm pretty much on the hook for whatever is in my account when someone wipes it out. That password is worth thousands of dollars. You make sure it's secure, and you treat it as such.

The fraud levels in the US are some of the highest in the world, and it's because the banks don't care. They make enough with the fraud and aren't held responsible for the actual harm they cause people when they put inaccurate information on credit reports.

Let someone sue when there's an inaccuracy on their credit report (with the burden being on the person who put it there to prove it's accurate) and you'll see that crap stopped pretty quick. Make the banks pay an "oops" fee of $100 to their customers when the banks take out money because of a fraudulent transaction the customer couldn't have prevented. Hold the banks responsible for the damage they are causing through "identity theft" (which is nothing more than lax security blamed on their customers when the banks have the ability to stop nearly all identity theft). When that's done, then fraud will drop and identity theft will be gone except for the few cases where couples pretend to be the other to wipe out an account as part of a breakup.

Re:Really now?

No. Actually it went more like this:

Police fucked up redacting a public record when they made it public. The Lifelock employee was made aware of the screw up via a web site which reported the fuck up (and NOT by Lifelock), otherwise, the employee would still be clueless as to why she was getting her identity anally raped hundreds of times a day, despite the (hopefully free) Lifelock "protection" she has signed up for. The Lifelock employee made her superiors aware of this, and probably asked what they could do to have the document removed. The situation was sent up the chain, probably all the way to the CEO, who then sent their corporate lawyers after the web site in question.

Now, had this been a regular customer of Lifelock and not an employee, does anyone REALLY believe Lifelock would have lifted a finger to help this person? There is nothing in the Lifelock service agreement that states they have to scan the web for PDF files which might have accidentally revealing information about their customers. The services that Livelock offer are clearly spelled out, and do not include actively scanning the internet for all possible customer identity leaks occurring in any possible web site or downloadable document.

Here is my guess as to the thought processes of the higher-up's at Lifelock: "Oh shit, one of our own employees has their personal info being broadcasted world wide! When (not if) they get their identity stolen, it will make all the headlines. Quick, lets call the lawyers and try to get this under control before we suffer yet another public relations black eye."

Lifelock is pure snake oil. It sounds great, till you drink it. Then, you suddenly realize it doesn't work, and you are worse off for having tried it, and not only did you lose the money you spent on the snake oil, but now you also have to pay for a doctor to cure you of the poison you just drank.

Re:Really now?

[logjon]

Really nice straw man. The real story is that the police are releasing this data and that lifelock can't be expected to watch the entire internet 24/7 but they're catching blame from this anyway somehow.

Re:Really now?

[mlts]

Common sense would be banks offering either a hardware keyfob and/or an app for Android/iPhone/Win Mobile that gives secondary authentication, or confirmation of transactions like IBM's ZTIC.

Or even better, a common standard, similar to RSA SecurID, so each bank doesn't have to have their own different, incompatible type of offline auth device.

Having this would shift theft of accounts from just getting malware onto peoples' computers back to either attacking banks directly, or their patrons.

Re: Really now?

[MoeDumb]

And yet 100% is what they claim - or they will cover your losses up to a million dollars. If there weren't enormous escape hatches in their customer contract they'd be out of business by now.

Re:Really now?

[MichaelSmith]

I thought that was your SSN, user 666.

Re:Really now?

[Kiel0]

Case in point, I took this idea to my neighbor around dinner-time this evening. Within 40 minutes I had places of birth, first car models owned, and the easiest was the ever-sacred maiden names. Now....what to buy???

Re:Really now?

[rtfa-troll]

Putting these technical restrictions to regulation is a bad idea (though some limited minimum standards is probably good). I think you have to look at the difference between the credit card system and the bank account system. You'll probably find that there's more technical protection on your bank account access, but credit card fraud worries you less and causes you fewer problems. The reason for this is that the credit card fraud is pushed to the place which is able to verify the transaction and not just the account holder; the shop and the credit card system. The security is very dynamic. If you make a small transaction in a place near where you live, it will almost always go through. If you make a large transaction in Cambodia, soon after making one at home (unless, of course you are Cambodian, in which case the same argument applies, but in New York), the company will call you directly to your mobile phone and ask you to confirm the transaction.

The reason this works like this (which is expensive) and works so well is simple. You are allowed to reverse the transactions if they aren't yours. This pushes the liability to the bank. If the same applied to bank accounts, that you could just reverse any transaction and the bank had to prove you were liable for it, suddenly bank fraud would be massively reduced, disappear completely as a consumer problem and the criminals trying it would be pursued to the ends of the earth.

Re:Really now?

[Moridineas]

I think your heart is in the right place, but I'm not sure your ideas make sense?

I opened a bank in a foreign country. They take and hash your password as you give it to them. The password is never known by anyone there, can't be retrieved and will never be seen. It's up to me to make sure I don't use it on an infected system. If it gets out, I'm pretty much on the hook for whatever is in my account when someone wipes it out. That password is worth thousands of dollars. You make sure it's secure, and you treat it as such.

God, I hope most banks don't rely on such weak security? The bank where I have my business account gave me a security token that I've got to use in addition to a username/password to login. Before I do anything major like account transfers or wires, I've got to use the security token again. Interactive Brokers trading offers security tokens as well though I haven't used theirs--I have a lookup page from them that serves the same function though.

Admittedly my personal banks do not use a security token, otp, etc. Most of them DO require usage of a pin code or csv code off a credit card/bank card before you can make account changes.

If freaking Blizzard can release a battle.net mobile authenticator for iphone/blackberry/etc, banks certainly should be able to. It's annoying.

The fraud levels in the US are some of the highest in the world, and it's because the banks don't care.

Are they really?

Let someone sue when there's an inaccuracy on their credit report (with the burden being on the person who put it there to prove it's accurate) and you'll see that crap stopped pretty quick.

Uh, really? You CAN sue, and it happens (google). First of all, you have a clear set of rights as laid out under the Fair Credit Reporting Act (it's been amended and updated, but is NOT new). If you're not familiar with your legally protected rights and options, take a look at it, I think you might not be quite as disgruntled. Your rights include the credit report companies being REQUIRED to give you a written explanation (or fixing the error) when you notify them of a mistake. And so on. If they ignore you, they get in trouble.

There are plenty of types of identity theft that are not the customers fault, nor should the bank be able to catch.

Make the banks pay an "oops" fee of $100 to their customers when the banks take out money because of a fraudulent transaction the customer couldn't have prevented.

That would be awesome. I'd set up an arrangement where my friends would steal my identity. They'd give whatever they got back to me, and we'd split the $100. Nobody would possibly take advantage of that system!

Hold the banks responsible for the damage they are causing through "identity theft" (which is nothing more than lax security blamed on their customers when the banks have the ability to stop nearly all identity theft). When that's done, then fraud will drop and identity theft will be gone except for the few cases where couples pretend to be the other to wipe out an account as part of a breakup

It's your statement here that makes me think maybe you're missing what exactly identity theft is? It doesn't HAVE to be because of "lax security" at a bank. That's certainly a problem, yes, but not by any means the sole cause! Instead of thinking about it as "identity theft" think of it as impersonating somebody else. My wife's family was hit by identity theft when a piano teacher's trash was gone through by a criminal. Inside the trash was a ripped up and voided check. Who's liable in this situation? Between going through trash, malware, malware, professional hacking rings, weak security from VENDORS, public records, giving too much data to vendors/organizations/etc, there is a LOT of information out there. Not even getting into social engineering...

Identity theft is going to be a problem as long as the

Re:Really now?

[iamweasel]

That's what we have in Finland at least. First you have to physically go to the bank to identify yourself and then you get a login/password and a physical list of key-value pairs for online banking. When you start to run out of said keys you go get another list from the bank or order one through mail. Then you change the list using a value from the previous list and input the number of the new key list.

In order to compromise in this system someone would have to have access both to my specific key list and my login/password combination.

Of course that doesn't help at all if someone compromises the bank's systems, but in that case it wouldn't make a difference whether I used online banking or not.

It baffles me that something as simple as (or similar to) this is not being used as I do believe it makes online banking a whole lot more secure.

Re:Really now?

[Aeternitas827]

IMHO, Banks should use a dedicated, private network that does NOT have ANY endpoints connected to the public internet for just this reason.

Would there not be some point in transit between, say, a point-of-sale cardreader or an ATM, that could be similarly compromised? It wouldn't necessarily be easy, but where there's a will, there is a way. Even if every unit had it's own dedicated line from itself to the bank, those cables have to run somewhere, and you can't necessarily keep them under constant supervision. It might reduce the number of points of failure (as far as security mechanisms are concerned), but by no means would it eliminate them.

Re:Really now?

[Ihmhi]

Where's the best place to start, then? Any advice for someone who is going to get their first CC this year? Should I get it from my bank, or somewhere else?

Re:Really now?

[Ford+Prefect]

What I have for my British Nationwide account (a building society rather than a bank, but that's mainly semantics) is a small, calculator-lookalike card-reader that takes my ATM card and PIN and is used to sign any transactions or other significant operations involving money.

Say I want to transfer money to a non-Nationwide account, I have to:

Login by entering my customer number, passphrase and three randomly selected digits of a secret six-digit code,
Set up the transfer, put my ATM card (with chip) into the card-reader and enter my PIN.
Press 'Sign', enter the reference (typically the account number), press OK, enter the amount of money being transferred, press OK and then type the eight-digit code it gives me into the online banking service to authorise the transfer.

It's still vulnerable to man-in-the-middle attacks, but someone would have to be a bit thick to wonder why what appears to be their online banking service suddenly wants them to transfer lots of money somewhere.

Also, yes, it takes forever to do anything.

Re:Really now?

[lymond01]

I assumed it wasn't about protecting yourself but the ability to pay someone to do it and get paid by them if they don't. Paying someone to be responsible for you, with the expectation of getting reimbursed and then some if they don't. Liability.

Re:Really now?

I'll up you one further - even my driver's license has a misspelling - and I did try to correct it, but after they did nothing the first time, I stopped trying.
Even my auto insurance agent hasn't noticed, despite me paying with checks with the correct spelling but all their files have the wrong spelling.

Here's something else you can do to screw with the system. Make yourself a fake-id with all your real information except your age.
I did that for a girl who looks young and didn't want people to find out her real age if they saw her id.
Since she used it everywhere, she's 'in the system' twice now - all those websites where you can find out people's addresses and relatives and such have two entries for her, 15 years apart with differing addresses (since she moved around).

Re:Really now?

Yup - I've been anonymous on the Internet, since, well, since it was Darpanet, or uucp, or whatever it was.

Actually, I am anonymous, you insensitive clod!

Re:Really now?

[mlts]

I like the idea of a dedicated, private network. This is what a lot of companies used to have before they were called intranets.

Maybe expand on this some, have it be a B2B backbone (BIPRnet, similar to NIPRnet and SIPRnet) where unless authorization is prearranged beforehand for one business's machines to communicate with another's, the switching fabric wouldn't allow the connection? This could be done even at a port level, so B2B E-mail via an Exchange connector at a custom port would go through, but someone on a non-email host trying to spam would not be able to. This network doesn't even need to run TCP/IP.

This backbone can run connections atop the Internet if needed, using dedicated bridges which use preshared keys (no public keys to crack or PKI because the bridges only connect with 1, maybe 2-3 other failovers). However, the best security is dedicated lines. Add to this endpoint to endpoint encryption similar to IPSec on the packet level for starters, and application to encryption on higher layers.

This way, a large business that processes credit orders never have to send their batch transactions over the Internet, and unless someone hacks the central switch, the packets are not touchable by normal Internet hacking, and if they are, the unencrypted data is protected by multiple layers so one compromised host (unless it is an endpoint) doesn't reveal much.

It could even go as far as to have a hardware card that has functionality of a mini HSM, keeping public keys in that. That way, a compromised or hacked machine could be booted off the backbone by a CRL.

Re:Really now?

[KDR_11k]

I don't know about where you live but in my country creating a fake ID is a serious crime.

Re:Really now?

[mlts]

Most of Europe has something like this, either a keyfob, or a TAN list.

However, it a rare sight for an American bank to offer much if anything more than username/password protection. You might find a bank that asks a question from your challenge/response list, or asks you to select the answer on a random list, where the text is a bitmap (to help foil malware that doesn't have an OCR engine.) Anything more than that, good luck.

What is ironic is that Blizzard offers a keyfob and/or an app for the iPhone and Android. Why can't banks here in the US protect their customers more than a game company protects theirs?

Re:Really now?

[sodul]

American Express is your friend.

It took me over a year once I moved to the US to get a credit card. It took even longer for my wife since she had no SSN until a few years ago (yes you can live legally in the US for years and declare taxes without being allowed a SSN).

There is a vicious circle: no credit history, you can't get a credit card ... but you need one to get a credit history. You also have the option of the prepaid credit card, where you have to loan the bank say $500 for a $500 line of credit.

But my best advice: live within your means and always pay off you cards.

Re:Really now?

[Kozz]

We know who you are, Jack.

Right. As if you care.

Re:Really now?

[ArsenneLupin]

Good analysis, except that police didn't even fuck up the redaction of the PDF document. Well, it's a plausible error to do, indeed lots of institutions, even 3 letter agencies should should have known better have goofed in such a way.

But in this case, police actually did just fine, by putting the rectangles right into the image, rather than adding them as an (easily removed) additional layer into the PDF.

So why is Livelock fighting this then, if it didn't actually expose the employees data?

Easy: because it's egg on their (the corporation's) face. But they can't admit that of course. so they send out their astroturfers with some silly "o God, police redacted the document poorly", and slashbots are falling for this without actually doublechecking that document.

Re:Really now?

[ArsenneLupin]

Really nice straw man. The real story is that the police are releasing this data

No, they aren't. They released a properly redacted document, with all info that could be used by an identity thief properly covered up.

and that lifelock can't be expected to watch the entire internet 24/7

... and yet, they expect their customers to pay $10 / month for exactly this "service".

but they're catching blame from this anyway somehow.

... because they're selling snake oil, then are caught red-handed trying to censor the news, and finally spin their censorship as just protecting their employee's id data (which was never actually exposed in the police report).

Re:Really now?

[oreaq]

Anyone who expects a service to 100% protect them from identity theft is an idiot.

Identity Theft does not exist. No one can steal an identity. At least not with today's technology. Some bank gets scammed by somebody. The bank then recovers its loss by defrauding one of their customers. The solution to this "problem" is obvious.

Re:Really now?

[jittles]

Are you sure people can't sue? I had Cingular (Now AT&T Wireless) put a fraudulent entry on my credit report. They even sent me to collections on a $0.00 balance. I wrote both the collections agency and AT&T and told them they had 2 business weeks to correct my credit report and cease collections attempts or I was going to sue them both for libel. Sure enough, two weeks later everything had been cleaned up.

I'm certainly no expert but my guess is that's a record time for having a credit report fixed.

Re:Really now?

[SkyDude]

Anyone who expects a service to 100% protect them from identity theft is an idiot. Its just like a virus scanner, it might be helpful but its no substitute for common sense.

Sometimes they're not idiots. Some are just too trusting or are just plain unaware.

My company often receives mail orders containing personal checks. Every year we see several who continue to allow their SSN to be printed on the check, along with the name, address and phone number. These folks are seniors (+70) and don't understand that the SSN is the key to the castle.

In a few cases, I've sent a short letter explaining why they shouldn't do that, and a few have called and thanked me for the information. Often, the reason they give for using the checks is they have a ton of printed checks and don't want to throw them out. Of course, if they did, that could be even worse than continuing to use them because you know they don't own a shredder.

Re:Really now?

[Z8]

The only reason the US isn't as strict is that the banks have used their powerful influence to make sure that nothing gets in the way of their ability to offer vast amounts of credit (home loans, car loans, personal loans, credit cards etc) to anyone and everyone.

Do you have any evidence of this? Because it also happens the other way around—the banks put up fake barriers to credit, and the government orders them to take them down due to fairness, anti-discrimination, etc.

Re:Really now?

[TJamieson]

Interestingly, the maiden name has lost its value in recent times. It used to be that the moment a woman got married, her maiden name all but vanished; these days, it seems the younger married woman prefers to use her maiden name as a new middle name.

The maiden name was always a goofy "security" thing anyway; long before the internet, a little social engineering is all it took to glean a maiden name.

Re:Really now?

and this is an example of the lack of QA processes (or lack of legislation for processes) that caused the recession.

Re:Really now?

[Myopic]

Yes indeed, without a credit history you can't get a credit card, and without a credit card, you can't get a credit history. That is why nobody in the world has a credit card, right?

Re:Really now?

[m4cph1sto]

The only reason the US isn't as strict is that the banks have used their powerful influence to make sure that nothing gets in the way of their ability to offer vast amounts of credit (home loans, car loans, personal loans, credit cards etc) to anyone and everyone.

Right - it is in a bank's best interest to lend their money to as many people as possible, with no verification of whether or not those people will ever be able to pay it back. Because you know, when you steal the bank's money, the bank wins!

Re:Really now?

[apoc.famine]

Find a local credit union. Bank and do your credit card with them.

Mine lets me transfer money directly from my checking/savings to pay off my credit card. They've got automated bill paying (rent check gets mailed out mid-month for me, automatically.) and a bunch of other good stuff. All free.

Seriously - credit card companies and banks are the spawn of satan. Find a good credit union.

Re:Really now?

[operagost]

They released a properly redacted document

No, they didn't. A child could press CTRL-A, CTRL-C to copy all the "hidden" information.

Re:Really now?

[ArsenneLupin]

But then the Chief of Police himself could press CTRL-X CTRL-Z to instantly make the perp's head explode.

Re:Really now?

[Effexor]

No, they aren't. They released a properly redacted document, with all info that could be used by an identity thief properly covered up.

From the article you didn't read:

After considering LifeLock's request, we've decided to republish the PDF document in "Cracking LifeLock" as Chandler police had intended -- with the personal data blacked out.

Note the use of the prefix re on there. It means 'again'.

Re:Really now?

[ArsenneLupin]

Maybe, but LifeLock is still an overpriced and useless service run by crooks.

Re:Really now?

[qubezz]

You sir, are incorrect. The original PDF from the police department (which was copied by and is still being hosted on Wired.com's website with their follow-up article) has a layer of black 'redaction' blocks, but all the personal data is still there and can be cut-and-pasted.

The reporter sanitized the PDF for the cops by printing it, scanning it, and making another PDF (I would have just raster printed it direct to another PDF file), and replaced the original on the web site with the new one.

Re:Really now?

Except the rules are in their favor, to the point that if someone takes out a mortgage on your house, the law presumes it was you, and the burden is on YOU to PROVE you DIDN'T take out that second mortgage.

Why should the banks care, when they are protected either way?

Re:Really now?

[Shakrai]

Actually no, in a court of law the burden is on the plaintiff to prove his case. If I deny that the mortgage is mine then the bank has to prove that it is, not the other way around.

The real problem with ID theft isn't innocent people paying for loans they didn't take out. It's the time and hassle required to clean up your credit reports. A bank can list that 2nd mortgage on your credit report a lot easier than they can convince a court that the mortgage is yours.

Re:Really now?

[Ungrounded+Lightning]

Right - it is in a bank's best interest to lend their money to as many people as possible, with no verification of whether or not those people will ever be able to pay it back. Because you know, when you steal the bank's money, the bank wins!

The banks borrow the money from the Federal Reserve (which creates it "out of thin air") at very low interest (currently nearly zero - but call it 2% to make some numbers come out nice later). Why do they accept and solicit deposits (on which they pay similarly low interest) at all? Because the Fed will only lend to them in proportion to the money they got elsewhere.

Then they use it to pay off the credit card users' bills - at a discount, due to their contracts with the company. The bank and the credit card company split about 2% of the trasaction - for maybe a month's float on the money. Call it 26%/year. (This money comes out of higher prices at stores that accept credit cards - prices that also apply to customers who use cash or checks, too.)

If the customer doesn't pay the full amount every month they also charge the customer interest on the float. After the teaser rate has expired this might be another 18%. And many will charge it for another month even if he DOES pay in full that month. If the customer was ever late with a payment (for some banks - if he's late on ANY of his OTHER accounts even if the credit card account is paid) they sock him with a penalty and bump his interest rate, perhaps to 26%. That brings the interest rate up to 52% or so. Also there may be annual fees.

So for every thousand bux they borrow at nearly zero interest to fund this operation they make somewhere between $240 and over %500 per year.

With their money doubling every couple years they can afford a pretty hefty amount of losses from fraud and still come out 'way ahead. A surprisingly high percentage of the transactions have to be both fraudulent AND ending up paid for by the bank before it even makes a dent in their bottom line, let alone make the operation a net money-loser.

It's like the early ATMs - where (I hear) a major city bank was willing to accept $10,000/weekend in fraudulent withdrawals due to running in standalone mode (i.e. trusting what the mag stripe said about the account). When it went up to $100,000/weekend it became worth their while to pay for the extra manhours necessary to keep the computers online all weekend.

Re:Really now?

[Ungrounded+Lightning]

So for every thousand bux they borrow at nearly zero interest to fund this operation they make somewhere between $240 and over %500 per year.

Typo: Make that $500.

Re:Really now?

[sjames]

The real WTF is that if the account is opened fraudulently, the bank and credit agencies will spread nasty gossip (slander) about the actual person and try to collect the money from him. If (and only if) he challenges them on it, they will claim that the original fraudster committed a crime against him and that it is his problem. They will also claim that they are an innocent and uninvolved 3rd party to the crime.

Re:Really now?

[sjames]

Just get your name into the advertiser's databases. Soon enough, you will have credit card offers streaming in. So will your dog, cat, goldfish, and the deceased hamster you had when you were 5 years old.

Re:Really now?

[sjames]

That would be awesome. I'd set up an arrangement where my friends would steal my identity. They'd give whatever they got back to me, and we'd split the $100. Nobody would possibly take advantage of that system!

Excellent! If the banks are that lax, they deserve to lose. Watch carefully though since they'll soon tighten up security and then your friends will get busted for fraud (and you for conspiracy). If the banks are actually doing what they should be, there can be no abuse of the oops fee. You'll know it's working when the detectives show up.

Re:Really now?

[Ihmhi]

So wait, the best way to get a credit card is to ignore actually sign up for all of those Limited Time Offers I've been ignoring all these years? DAMMIT!

Well, it's a good thing that I never told them my e-mail address is i_have_mental_health_issues@yahoo.com and that I am HIGHLY interested in opening a new line of credit. Yes, very good thing, that.

Re:Really now?

I second this idea. Had a CS class where 50 kids brainstormed fraud prevention, and the conclusion was almost the same as yours. It is pretty much the only solution that isn't intrusive or annoying.

Re:Really now?

[AK+Marc]

People can sue any time for any reason. I could sue you because you used my oxygen breathing. I'd lose, but I "can sue."

In your case, you'd have lost such a suit (or, at bet won with no award of damages). For one, "fraud" requires they gain something. It also requires purpose. Accidentally doing it isn't fraud. Doing something that doesn't cause harm isn't fraud. And to sue, you'd need to prove actual damages. What damage did you receive? Libel also requires that it be published. If no one else read your credit report, then it wasn't libel. Unless you were denied credit, your reputation wasn't harmed, so there was no libel. If you were denied credit, you have cause, but no damages. The inability to get credit doesn't carry an actual loss with it.

But then, they'd lose in court and be ordered to fix it, so fixing it before being sued was cheaper. But you'd have won nothing other than getting one bad report removed, so there was no actual cost to them in acting with gross negligence.

Re:Really now?

Woha. You just responded to (and trolled) yourself 3 times in a row. Someone must have hacked your account or you're in need of some serious help.

By the way, it's your not you're.

Re:Really now?

[Moridineas]

Absolutely that would be the proper outcome. My point is merely that ranting isn't enough, when you just randomly toss out ideas like this you have to consider the full consequences. It's Bastiat's seen and unseen.

Some people like to think criminals are dumb. It's true that there are a lot of dumb criminals (and a lot of dumb people in general), but when it comes to financial fraud and millions of dollars, there are some smart people out there as well, and they're playing for keeps.

Kind of funny how on slashdot when it comes to computers any encryption system is beatable, any security system has holes, and it's just a matter of time (hours) before any new game / program gets cracked. Yet change the industry and the slashdotters are singing a wildly different tune about security.

Re:Really now?

[mattack2]

But people are also legally liable for $50 in unauthorized charges at most (though AFAIK, most card companies waive that too, as long as it's reported promptly). Also (this may be a state by state thing), merchants are unable to charge a fee for credit card use. (They can give a "cash discount", thus effectively the same thing -- but at least you pay the posted price with credit cards. I realize this also can be considered a bad thing from a merchant's point of view.)

So at least for credit cards, it seems to me that the consumer is largely protected.

(and no, I don't work for credit card companies.. but I do use them very often for cash/rewards.. thus ending up cheaper to me AND more convenient than cash.)

Re:Really now?

[NotQuiteReal]

I agree - pollute all the databases you can. Heck, some people don't even need any ID

I'd say if anyone calls you on it, claim "equal protection".

Re:Really now?

[AK+Marc]

Are they really?

Yes, the US is a location of a great amount of fraud.

You CAN sue,

I use the phrase "can sue" that holds meaning. Anyone can sue for any reason. You can sue your neighbor for not being home when you burned your house down. There doesn't need to be cause or standing to file paperwork. It will likely not make it past the first viewing by a judge, but anyone can sue for any reason. So "can" sue means to me that you'd get to a judgment with at least, say, a 25% chance of winning. With that definition, you can't sue.

Your rights include the credit report companies being REQUIRED to give you a written explanation (or fixing the error) when you notify them of a mistake. And so on. If they ignore you, they get in trouble.

So? They send a form letter back with "on XXX date Joe Schiester stated that you were in default." And done. That's it. You have no recourse after that with the credit report agency if they contact Joe and he says it's true. At best, you can have an explanation attached to that item, but you can't get it off through the agency if the bad data was put on by someone who continues to claim it's correct. Please correct me if I'm wrong, but that's my understanding. At that point, you can sue the person that put it on, but not the agency itself.

That would be awesome. I'd set up an arrangement where my friends would steal my identity. They'd give whatever they got back to me, and we'd split the $100. Nobody would possibly take advantage of that system!

Why wait, do it now. Go charge up a bunch of crap on a friend's credit card. Have him report it stolen a couple hours later. Sell the crap on ebay. If you aren't doing that now, then you are a liar when you say you'd game the system. And the implication that it can be gamed is irrelevant to the assertion it would stop the practice.

Identity theft is going to be a problem as long as there are people.

There is no such thing as identity theft. There is fraud. Blaming fraud on a real person vs a fictitious person is irrelevant to the act, and shouldn't change how it's treated. Identity theft was created by financial institutions to screw their customers out of some of the institution's fraud losses.

Re:Really now?

[Moridineas]

Yes, the US is a location of a great amount of fraud.

Yes, but that wasn't the question. Further data?

I use the phrase "can sue" that holds meaning. Anyone can sue for any reason. You can sue your neighbor for not being home when you burned your house down. There doesn't need to be cause or standing to file paperwork. It will likely not make it past the first viewing by a judge, but anyone can sue for any reason. So "can" sue means to me that you'd get to a judgment with at least, say, a 25% chance of winning. With that definition, you can't sue.

As I said, google it. If you don't find instances of succesful law suits in these situations, you're seeing different search results than I am!

So? They send a form letter back with "on XXX date Joe Schiester stated that you were in default." And done. That's it. You have no recourse after that with the credit report agency if they contact Joe and he says it's true. At best, you can have an explanation attached to that item, but you can't get it off through the agency if the bad data was put on by someone who continues to claim it's correct. Please correct me if I'm wrong, but that's my understanding. At that point, you can sue the person that put it on, but not the agency itself.

That's not true. If you send them proof that their source data is wrong, they HAVE to respond. Again, check out the Fair Credit Reporting Act.

Why wait, do it now. Go charge up a bunch of crap on a friend's credit card. Have him report it stolen a couple hours later. Sell the crap on ebay. If you aren't doing that now, then you are a liar when you say you'd game the system. And the implication that it can be gamed is irrelevant to the assertion it would stop the practice.

I'm a liar? Ok, you got me! Sheesh, I never understand how people can get so worked up in personal fashion on online conversations. People game the system right now, if you don't think such a change wouldn't bring out even more "gaming" while having a minimal change on banks, think again. Guess who pays the ultimate price? The consumer.

There is no such thing as identity theft. There is fraud. Blaming fraud on a real person vs a fictitious person is irrelevant to the act, and shouldn't change how it's treated. Identity theft was created by financial institutions to screw their customers out of some of the institution's fraud losses.

So now you want to argue semantics? Fraud / identity theft / whatever you want to call it, doesn't change the nature of the beast at all.

If you care to respond right now, let me ask you this--what specifically are banks doing wrong right now to encourage identity theft, and what specifically should they be doing differently?

Re:Really now?

[AK+Marc]

That's not true. If you send them proof that their source data is wrong, they HAVE to respond. Again, check out the Fair Credit Reporting Act.

It is true. You said nothing that contradicted me. And how do you prove that you don't owe money to someone you never met?

what specifically are banks doing wrong right now to encourage identity theft, and what specifically should they be doing differently?

I never said they encouraged it. Again, you are making up things. They are not taking steps to reduce it. They are not addressing new vectors of fraud, and instead punishing their customers. But actively encouraging it? I don't think anyone has ever made that claim, so how can I respond to some fictitious red herring?

As for what to do differently, there was a dramatic drop in fraud when Europe moved to the chip-based ATM card. They could work on that. Additionally, there are massive gaps in the security and ease of transferring money among accounts. In other countries, electronic transfers are used more widely than checks. But in the US, checks, though on the decline, are still vastly preferred in private transactions to electronic transfers. Changes to the fee structures and enhanced security would see electronic transfers be safer, easier, faster, cheaper, and preferred over paper checks, as they are in many other countries. But in the US, you are expected to give SSN, DOB, phone number, bank account number and such on a check, when those are all security checks on the account when you call in. So giving someone a check is giving them most of the information they need to steal from the bank. But in other countries, bank account numbers are handed out freely because they aren't used for verification of identity, but used to send money into an account. They assume everyone has your bank account, and it isn't considered a verification at all, but my US banks hide my account number from me when I log in the secure web site. Either they are asserting that their web portal is grossly insecure, or that having the account number (which is prominently displayed on the front of each and every check) is a security risk, or both. Either of those two is unacceptable, and they presume either or both. Foreign countries freely display the account number on the secure web site, and are "safer" than the US. The US should pick places with lower fraud and analyze why it's lower and do what they can to adopt the better practices from those places.

So now you want to argue semantics? Fraud / identity theft / whatever you want to call it, doesn't change the nature of the beast at all.

Yes, it does. In one case, someone steals from the bank and the bank says "he stole from us." In the other case, someone steals from the bank and the bank says, "your account, your problem." In both cases, a theft was committed, but the actions of the bank are completely different, and so is the effect on the customers. That's a very real difference, not just semantics. I agree that both are simple theft. But that's not what identity theft is. Identity theft is where the bank assigns their losses to a customer and charges the customer for the loss.

worthless

need I say more?

how is this a sign of potential problems?

[Michael+Kristopeit]

In an interview, Stein said that the fact that LifeLock had to call and ask for the document to be removed reflected badly on Lifelock's service. 'I think this shows clearly that they know that it's got potential problems.'"

so a service designed to protect your privacy is broken if it actively attempts to protect your privacy? I think this shows clearly that they got a proactive strategy to protect personal information.

just because the CEO is willing to stick his chin out doesn't mean i trust him to stick MY chin out.

Re:how is this a sign of potential problems?

[thedohman]

You are absolutely correct! They are doing exactly as I would expect the service to do. She got her info on a police report. The police department gave a media outlet the report in such a way that her personal information was exposed. LifeLock called the media outlet and asked to remove her data. There is no way anybody could have prevented the info from getting there in the first place... except maybe not giving the police department your SSN when reporting a crime happening to someone else.

If I was a customer of theirs, and a police department did the same to me, then LifeLock is doing exactly as I would expect them to do, if they wanted to continue getting my monthly fee.

However, Tamika is one of their own, and the police report was published in an article about them. I don't think they would even notice if it had happened to a regular customer and/or if it had not been an article concerning LifeLock.

Re:how is this a sign of potential problems?

why don't you think they would have noticed if it had happened to a regular customer?

Re:how is this a sign of potential problems?

[Z8]

Because it's cool to be cynical and against the "system".

Fraud Alert != Fraud Immunity

[mysidia]

Not everyone reviews a credit report before issuing any type of credit.

ID thieves can potentially abuse personal information, no matter how many types of fraud alerts you put, there is no guarantee that it will be seen by every third party.

Or the ID thief may employee social engineering and even defeat the 'fraud alert'

Todd Davis' publishing his social security number is a gimmick, and he should understand the risks, and chose to do so anyway, clearly as a publicity stunt.

As CEO and well-known media figure he can probably more easily deal with any ills that result than the average joe, and rely on his company to pay all the money and take all the hassle haggling with creditors of ID thief.

Minor cost well worth the publicity.

His SSN is also more likely to be recognized by banks, and (I suspect) he has little need to himself apply for credit, personally, otherwise he would not do it.

As for other employees of the company.... they have not agreed to this, not agreed to the hassle, and are in a much poorer position to defend themselves against ID theft. They have every right to their privacy, and to not have media organizations publish redacted/legally sealed or legally witheld info.

Re:Fraud Alert != Fraud Immunity

[Shakrai]

no matter how many types of fraud alerts you put

Better than a fraud alert is the security freeze. They won't open a new account if they can't see your credit report. The security freeze shouldn't even be a major inconvenience, unless you are one of the champs that applies for every new credit and store card under the sun.

Re:Fraud Alert != Fraud Immunity

[mysidia]

I'll agree a security freeze is better.

But a Credit card or Loan isn't the only type of account an ID thief can try to open fraudulently in a victim's name.

They might try to open a checking account instead, which does not involve a CRA inquiry. Instead, the inquiry would go to CheXsystems or similar, which do not provide a 'security freeze' option

The ID thief may also create a bogus instrument, such as a 'checkbook' of fake checks in victim's name.

If the ID thief is up to title fraud, they also may be able to take out certain type of mortgages on the victim's property, without a credit check.

Or "rent" out certain items in their name and not return them. In any case the bad checks /non-returned items will result in probably nastygrams for the victim, telephone calls, threats, possibly attempts at legal action.

Re:Fraud Alert != Fraud Immunity

[Jason+Levine]

That's what my wife and I did to our credit after my identity was stolen. It was a slight hassle when I needed to buy a new car. I had to thaw our credit for a small time frame. Still, that slight hassle is nothing compared with the hassle of repairing a stolen identity. Of course, the credit agencies don't like security freezes. They make their money off of selling your data to other companies and they can't sell frozen accounts. They'd much rather you put a next-to-useless fraud alert on your account so they could continue to profit off of your information (and so you could still open up accounts spur of the moment).

Re:Fraud Alert != Fraud Immunity

[hedwards]

Why it is that we allow them to think that they own that information is beyond me. The information belongs to the person to which it applies. I should have complete control over how it's used and who gets to see it. There certainly shouldn't be anybody looking at it without my requesting a product or service which requires a credit check. But I'm sure the ZOMG corporations being held accountable people will tell me that it's completely my fault if they lose my personal information like TD Ameritrade did. Because obviously I should've known that they'd buy out my brokerage firm and fail to properly secure my contact information.

Re:Fraud Alert != Fraud Immunity

[Shakrai]

Instead, the inquiry would go to CheXsystems or similar, which do not provide a 'security freeze' option

CheXsystems is a consumer reporting agency like any other, even though they might claim otherwise. My state requires all consumer reporting agencies to provide consumers with a method to freeze their information. If CheXsystems isn't already doing this then they should be sued and forced to comply with the law.

Re:Fraud Alert != Fraud Immunity

[Lehk228]

The security freeze shouldn't even be a major inconvenience, unless you are one of the champs that applies for every new credit and store card under the sun.


in which case identity theives can't very well trash your credit when you have already done the job for them

Re:Fraud Alert != Fraud Immunity

[mysidia]

CheXsystems is not a Credit Reporting Agency. They do not report on creditworthiness.

They only report on negative items, and do not 'score' consumers.

Their service is basically a blacklist. And used by retailers.

So if you could place a 'security freeze' on your ChexSystems data, you would likely soon find all your bank accounts closed, and most businesses would refuse your paper checks (after running through the CheXsystems scanner and getting a reject code due to the security freeze).

That's definitely not zero-impact to the consumer.

Unlike credit reporting agencies.... stores don't expect to pull a credit report every time you make a purchase with CC. They do expect to check you are not in the ChexSystems database, before stores will accept a cheque.

Cringely...

http://www.cringely.com/2010/05/lifeblocked/

So that's how it works

[T+Murphy]

Their service must not actually be trying to prevent identity theft, but trying to keep you from knowing when it happens.

Re:So that's how it works

[fluffy99]

Their service must not actually be trying to prevent identity theft, but trying to keep you from knowing when it happens.

Close. When they see something they clean it up and then tell the customer they blocked the attempt, so the customer thinks they got their money's worth.

Ya, You Betcha

[MightyMartian]

... 'I think this shows clearly that they know that it's got potential problems.'

What it shows clearly is that Lifelock is worthless, except at taking money from morons.

Re:Ya, You Betcha

[DrugCheese]

What it shows clearly is that Lifelock is worthless, except at taking money from morons.

Exactly. I've been waiting for this story ever since I laughed at their first commercial.

what a gross thing to do

Journalism seems to attract more than its share of cloddish type people who enjoy spouting self justifying remarks redirecting criticism of their stories ("I wasn't the one who made those claims. Livelock Corporation was the one...."). Usually fortified by frequent trips to the bar.

If you really want protection

[ksemlerK]

...Freeze your credit reports.

EQUIFAX Online Help: How to place a security freeze

Experian Online Help: Security Freeze

TransUnion Personal: Security Freeze

Problem solved, and you're not paying $9.95 a month for a service you can easily perform yourself that is far more effective then what any of these supposed "Identity protection" companies offer.

Re:If you really want protection

[Ron+Bennett]

Freezing often costs money. And each of those credit bureau charges separately. Could cost one upwards of $30 to place a freeze at all three.

The hassles of "freezing" along with the fees to do so, is another illustration of the financial system being crooked; not designed to protect people, but rather to make credit as easy to obtain as possible with little regard to security.

Ron

Re:If you really want protection

[ksemlerK]

That's $30 for a protection for life, (until you lift the freeze), versus $120/yr for nothing then a company placing fraud alerts on your credit report for you. I know which one I choose.

Re:If you really want protection

[AK+Marc]

That's $30 for a protection for life,

Protection from what? Banks that blame a 3rd party every time they get robbed? This is no different than if a robber walks into a bank with a deposit slip from your account, writes "give me $10,000" on it, and robs the bank at gun point. Then, when the bank notices that it has your name on the deposit slip, they take it out of your account without your knowledge or permission, even when they know for sure you weren't the robber.

Banks are stealing from their customers when they are robbed. When "identity theft" is treated as it really is, simple fraud, then the world will be a better place. If Congress had balls (and they don't have balls, just pockets with checks in them from the banks), they'd pass a law where every contact with a customer because of a fraudulent account opened by a 3rd party earned them a $100 fine to be paid to the customer, they'd figure out security pretty damn quick. Instead, it's cheaper to screw the lives of their customers (or often, even non customers) because they are too cheap and lazy to have actual security.

"Identity theft" is where the bank performs legalized fraud to harm people because the bank got robbed due to their own negligence.

Re:If you really want protection

[Ron+Bennett]

$30 for life? Not exactly, because "until you lift the freeze" often involves a fee too (and possibly an additional fee to put the freeze back on), which too can be upwards of $10 for each credit bureau.

Still, even with the added "lift freeze" fees, for most people, you're right that it's cheaper to skip LifeLock and do-it-yourself.

Ron

Re:If you really want protection

[ksemlerK]

Unless it is a mortgage, or another purchase in excess of $50000, the credit granter will typically only check with one bureau. Inquire about which bureau they are checking with, so you don't end up spending unnecessary money. It usually only takes 15 minutes to unfreeze a credit line, so place the call, and go have a cigarette. By the time that you come back in, it will be open, and they can run the credit score. After you are approved for the loan, place another call, and freeze your credit score again.

Re:If you really want protection

[jittles]

If Congress had balls (and they don't have balls, just pockets with checks in them from the banks)...

The beauty of it all is that the bank wrote that check on your account!

Re:If you really want protection

I am not impressed:

equifax-us.custhelp.com uses an invalid security certificate.

The certificate is only valid for help.equifax.com

(Error code: ssl_error_bad_cert_domain)

Re:If you really want protection

[Arthur+Grumbine]

"Identity theft" is where the bank performs legalized fraud to harm people because the bank got robbed due to their own negligence.

Here's the obligatory Mitchell and Webb clip:

Smoking something?

[LuckyJ]

If it sounds to good to be true...

Who honestly thought that with this service they were "untouchable"? Seriously....

Re:Smoking something?

[hedwards]

Sigh, I'm not sure where that rumor got started. They don't claim to be untouchable otherwise why would they be advertising an insurance policy included with service? They pay the first I think it's 2 million of fraudulent activities if they're unable to get it fixed so that you aren't charged for them. I doubt very much that they'd include that if they were really untouchable. Not saying that I trust them or use them, but we should at least be telling the truth about it.

POTENTIAL problems?

[Chas]

No. At this point, potential has surpassed threshold and achieved REAL problem status.

Anyhoo, Lifelock is a scam. Plain and simple.
They'll take your money right enough, but they really can't deliver on their promises to protect you and your information.
They're like insurance salesmen. They're simply trying for quantity and trying to live on margins, hoping that they don't get hit big by some massive info theft that they can't cover up or make disappear.
Once they get a breach of a truly significant portion of their customer's data, expect to see them fold up shop like all the old fly-by-night insurance salesmen in the Depression.

Re:POTENTIAL problems?

[SlappyBastard]

In fairness, whole industries are built around telling customers the exact lie they want to hear.

Re:POTENTIAL problems?

[GNUALMAFUERTE]

http://computer.howstuffworks.com/windows-vista.htm

Oh Really?

Re:POTENTIAL problems?

[SlappyBastard]

I'm running Windows 7, dammit! I never bought any lies! Oh, shit . . . is this the same lie, ya know, just told again?

Re:POTENTIAL problems?

[logjon]

Police fucked up redacting a public record when they made it public. Lifelock moved to correct. If anything, this speaks well of lifelock, they did what they were supposed to. Nothing to see here, move along.

Re:POTENTIAL problems?

[logjon]

Police fucked up redacting a public record when they made it public. Lifelock moved to correct. If anything, this speaks well of lifelock, they did what they were supposed to. Nothing to see here, move along. Posted again.

Re:POTENTIAL problems?

[biryokumaru]

I hate it when people double post and the same comment shows up twice in a row. It's so annoying!

Re:POTENTIAL problems?

[biryokumaru]

It's so annoying when people double post and the same comment shows up twice in a row. I hate it!

Re:POTENTIAL problems?

[logjon]

I hate it when /. scapegoats because editors are retarded.

Re:POTENTIAL problems?

[logjon]

you're mom's fat ass is flamebait

Re:POTENTIAL problems?

No.... actually it went more like this:

Police fucked up redacting a public record when they made it public. The Lifelock employee was made aware of the screw up via a web site which reported the fuck up (and NOT by Lifelock), otherwise, the employee would still be clueless as to why she was getting her identity anally raped hundreds of times a day, despite the (hopefully free) Lifelock "protection" she has signed up for. The Lifelock employee made her superiors aware of this, and probably asked what they could do to have the document removed. The situation was sent up the chain, probably all the way to the CEO, who then sent their corporate lawyers after the web site in question.

Now, had this been a regular customer of Lifelock and not an employee, does anyone REALLY believe Lifelock would have lifted a finger to help this person? There is nothing in the Lifelock service agreement that states they have to scan the web for PDF files which might have accidentally revealing information about their customers. The services that Livelock offer are clearly spelled out, and do not include actively scanning the internet for all possible customer identity leak occurring in any possible web site or downloadable document.

Here is my guess as to the though processes of the higher-up's at Lifelock: "Oh shit, one of our own employees has their personal info being broadcasted world wide! When (not if) they get their identity stolen it will make all the headlines. Quick, lets call the lawyers and try to get this under control before we have suffer yet another PR black eye."

Lifelock is pure snake oil. It sounds great, till you drink it, then you suddenly realize it doesn't work, and you are worse off for having tried it, and not only did you lose the money you spent on the snake oil, but now you also have to pay for a doctor to cure you of the poison you just drank.

Re:POTENTIAL problems?

[logjon]

Nice straw man. The real story is that the police are releasing this data and that lifelock can't be expected to watch the entire internet 24/7 but they're catching blame from this anyway somehow.

Re:POTENTIAL problems?

[logjon]

you're mom is offtopic

Re:POTENTIAL problems?

There was no straw man in that reply. Actually, your reply has the straw man. No one is blaming Life Lock for the leak of the personal data. That was clearly not their fault, not in this instance, anyway. It clearly was the fault of a clueless police department. But to assume that Life Lock is just routinely "doing their job protecting their customers" is grossly overstating what they will actually do for their customers. They are only protecting this woman because she is an employee, and they probably won't be able to prevent her from identity theft, no more than they could for their CEO Todd Davis. Whats his tally up to now? Thirteen times so far, and counting?

Nice "protection" there.

Re:POTENTIAL problems?

[antdude]

So which companies are not scammers? Or are they all the same?

Re:POTENTIAL problems?

[Z8]

They're like insurance salesmen. They're simply trying for quantity and trying to live on margins, hoping that they don't get hit big by some massive info theft that they can't cover up or make disappear.

Uhh yeah, insurance is all a big scam that only morons buy into. No insurance company has ever paid out a claim and all that paperwork is just lies. Fortunately here at Slashdot we are too smart to be tricked into buying insurance. House fires and auto accidents are more lies by the megacorps/policitians.

Re:POTENTIAL problems?

http://computer.howstuffworks.com/windows-vista.htm

Oh Really?

It does????

Bullshit sensationalism

[logjon]

Police fucked up. Let's get with the /. flaming the private sector.

Re:Bullshit sensationalism

[logjon]

This story gets IT and identitytheft tags? really?

Re:Bullshit sensationalism

Let's get with the /. flaming the private sector.

Oh noes, one company gets flamed and now the whole private sector is under rhetorical attack! Is nothing sacred in this godless commie nation anymore?

Re:Bullshit sensationalism

Police fucked up. Let's get with the /. flaming the private sector.

Everybody knows cops are incompetent. Plus they are untouchable, no matter how big they screw up. That's not really news-worthy or else you'd drown in stories about police fuck-ups.

The only real interesting thing is that this CEO published his SSN in a publicity stunt and apparently it got abused. At least that's mildly funny.

Re:Bullshit sensationalism

[ArsenneLupin]

Why is parent Interesting? Even for those without access to the IP log, Redundant would be more appropriate, given the number of time this same comment has been splattered all over Slashdot.

Police fail to properly redact data

[logjon]

Where is that story? Oh, lifelock is an easier target. I understand.

Re:Police fail to properly redact data

[ArsenneLupin]

When astroturfing, at least do it from home, so that people don't see your account attached to a Livelock IP address. Moron.

The report was redacted just fine (image editing, rather than just "covering up" the redacted info using a different layer)

doesn't it make you feel better?

[logjon]

the pigs have won tonight. they can all sleep soundly. and everything is alright.

lol

[spaceducky]

lol

Identity Theft Victim How To

I have no faith in these so-called lifelock solutions for ID theft. I have twice been the victim of ID theft. The only way to protect yourself is to notify the three credit bureaus and CHEX systems that you are a victim of ID theft. Every month I notified the financial institutions that falsely issued credit in my name by US mail that the information they had in my credit report and the account they opened in my name for another person was not opened or used by me and disputed the records they maintained on me. What that does is it requires the financial institutions to remove the account from your credit reports and investigate. The only costs for you is the stamp, envelope and changing the date on your letter every month. I had to keep this up for 7 years, 5 yrs. for CHEX Systems, since one time I received a letter from the President of financial institute that they would no longer report my account to credit agencies and 60 days later they did report the falsified account to Equifax again. It may seem like a pain, but if you send out the letters every time you pay your monthly bills it just becomes a habit. BT,DT

Re:No different than the DNC registery - NOT

LifeLock never claimed to prevent your identity being stolen - they have always said they'll take the normal precautions (putting you on the credit lock lists, for example) and will pay up to $1M to have other people work to correct problems should your identity be stolen.

After all, for most of us the real expense isn't the theft...it's the ridiculous, time-consuming process of correcting everything with credit bureaus which are shielded by law from we consumers.

Comment removed

[account_deleted]

Comment removed based on user account deletion

re: security freeze and downsides

[King_TJ]

The problem with doing a security freeze on your account is that many places will charge you a fee every time they have to un-freeze it to run your credit when you DO authorize it.

Like you say, it's probably fine if you have no intentions of applying for any credit or loans for quite a while. But it gets annoying when, say, a person decides to buy a new car and finds out they're hit with a $25 charge just so the dealership can verify they're a good credit risk.

Re: security freeze and downsides

[Shakrai]

The fee is not $25 in any jurisdiction that I'm aware of. It's $8 here in NYS. Even if it was $25, that's a small price to pay for not having to deal with the fallout from ID theft.

tmi

[josepha48]

I've noticed everyone says lifelock is a scam. Well they caught the fact that the information was exposed! It is a start. The question is will they catch anyone who tries to use the ssn and birth date and other information to steal her identity?

One thing people here should think about, is that the owner is ok with putting out his info, but maybe an employee does not want to always have to have that lingering thought of what if. I know I wouldn't if it were me.

Having never used lifelock and I doubt anyone here has and I have yet to hear about anyone who has used them having their identity stolen this story is just kind of a "let's make fun of" / "let's trash" story than a real story. If the story went something like after this information was posted 30 people assumed the identity of the woman and she is now unable to get her identity back, then I could see a real story here. So far they are doing what one would expect them to do, which is trying to keep peoples information private.

Dear Crooks,

[clo1_2000]

Please stop stealing the identities of our customers. Signed, CEO of Lifelock

Orwell?

[Sir+Holo]

Did they remove it, or did they simply redact it from the web version of the article?

If newspapers are to retain their place as the writers of the first-draft of history, then they should firmly refuse any revision of an article, once published, even electronically.

Police reports

[nurb432]

Are public information. They shouldn't be able to have it taken down, even with a personal visit from their CEO in his billboard truck.

Hello privacy!

[Leslie43]

Had it been someone other than a person working there all of you would be up in arms over the privacy implication.

Seems to me the paper was in the wrong here and should be facing a lawsuit over privacy. This isn't simply publishing someone's name. Has everyone just totally missed this? Employees may not be partaking in the program, they are employees, and employees don't stay employees forever and are normally mindless drones. She didn't ask for her information to be published and she is not a public spokesperson.

The police failed, as did the publisher, one of them should have caught this.

ha ha ha

When having a fake ID is a crime, only criminals will have a fake ID!