Lifelock Worries After Employee Data Leaked To Web

itwbennett writes "Last week, Phoenix New Times reporter Ray Stein revealed that LifeLock CEO Todd Davis (who famously published his Social Security number in LifeLock ads) had been the victim of identity theft at least 13 times. This week, LifeLock made it clear that it's not so cavalier with its employees' personal data. The company asked the New Times to remove from its website a police report containing a redacted Social Security number, date of birth, address, and phone number of Lifelock employee Tamika Jones. In an interview, Stein said that the fact that LifeLock had to call and ask for the document to be removed reflected badly on Lifelock's service. 'I think this shows clearly that they know that it's got potential problems.'"

Really now?

[Darkness404]

Anyone who expects a service to 100% protect them from identity theft is an idiot. Its just like a virus scanner, it might be helpful but its no substitute for common sense.

Re:Really now?

[Shakrai]

it might be helpful but its no substitute for common sense.

Common sense would be banks requiring more information than an SSN and DOB from an internet connected computer before opening lines of credit. I watched someone apply for a line of credit with Citi online and receive a $15,000 account with no verification of his identity beyond the SSN/DOB match. What's wrong with that picture?

Re:Really now?

However, on the flipside, there are privacy issues with giving personally identifiable data to a prime hacking target (like a major lending institution.)

In order for them to validate a session as a legitimate person, they need personally identifiable data on that person. That means that they are warehousing such data, and in addition to being a target for wirefraud directly, they also become a target for identity theives of the highest order.

Knowing a little bit about data security (and security in general), there is NO SUCH THING as a perfectly secure system. Even an inoperable computer encased in 5 feet of concrete is not "Secure", since a jackhammer can grant access. You just have to be patient, and dilligent.

Thus, it is not a question of *IF* such a breach will occur, but WHEN. I am reminded of the "Malware on "Update" CD sent to a bank" covert security test last year. There are any number of ways that a bank could be compromised, and the data distributed. Unlike a password, or a username, or even a SSN, there is no way to change your mother's maiden name, etc.

Really, online banking is a very terrible idea. That's why I don't engage in it.

Identity theft will continue to be a problem as long as the internet is used to fascilitate banking. The incentive to steal an identity and get rich quick at some poor SOB's expense (especially in a foriegn country where the target's currency is "Hyper valued") will ensure that this is always so.

I might be a bit of a paranoid crank, but from where I sit, there is

1) Incentive
2) Opportunity

and therefor

3) profit

and as long as the first two hold true, the last one will always exist as well. Should it become not worth the time, or should there bey a major financial breakage where nobody has money thats worth a shit-- then 1) will go away. I suggest the far less deleterious 2) be removed-- Remove hacker opportunity to steal that data, by not having that data on public networks to begin with; EG, no online banking.

IMHO, Banks should use a dedicated, private network that does NOT have ANY endpoints connected to the public internet for just this reason.

Really, it's like having the door to your "Super sensitive, mission critical server room" outside in the public lobby, next to the bathroom. The only thing keeping people out is the lock on the door. I don't think it unreasonable to say that this is far from ideal from a security standpoint, and that a better solution is to have that door deeper in your company, well entrenched in the "employees only" section of the building.

The reason why wirefraud, and identity theft are so prevelent, is because the opportunity part of the equasion is running wild, in the name of "Convenience"-- Sure, online banking is very convenient, I am sure. It's also very convenient for the people that want to spend your money for you illicitly. It's also very convenient to dispose of toxic chemicals in a ditch somewhere too.

Sadly, people never seem to learn the intrinsic lesson here-- "Convenience" is not a justifiable reason to trump sensibility. EVER.

A simple mnemonic to think of when contemplating using the internet for something: Would trust handing that data to a total stranger on the street?

If the answer is no, then under no circumstances should you use the internet for that purpose. It's just that simple.

Re:Really now?

[biryokumaru]

Right on, brother!

This is exactly what I said when they first invented banks! I mean, anyone can just walk into one of those places with a fake ID and *bam* they've got all my money! That's why I keep all my money in gold Krugerrands in a shoe box under my...

Hey now, I'm not gonna tell you where I keep my shoe box! Now get off my lawn, you wacko!

Re:Really now?

[NotQuiteReal]

Yup - I've been anonymous on the Internet, since, well, since it was Darpanet, or uucp, or whatever it was. Call me paranoid, but even way back in the day, I always wondered, "why would I want anyone to know X, about me?"

If you are writing me a check, I'll give you enough info so I can cash it, otherwise, meh. Even my cable bill has a misspelling in my name I have not corrected in 14 years.

P.S. NotQuiteReal, is not my real name... Proud alias-using "lurker" on the Internet/Usenet since 1982 (or before...)

Re:Really now?

[jonwil]

When I opened my bank account (here in Australia) I had to go into the branch physically and sign up for it, including showing various forms of ID.

The only reason the US isn't as strict is that the banks have used their powerful influence to make sure that nothing gets in the way of their ability to offer vast amounts of credit (home loans, car loans, personal loans, credit cards etc) to anyone and everyone.

They want to make getting a credit card as easy as possible.

Re:Really now?

[AK+Marc]

There are any number of ways that a bank could be compromised, and the data distributed. Unlike a password, or a username, or even a SSN, there is no way to change your mother's maiden name, etc.

I opened a bank in a foreign country. They take and hash your password as you give it to them. The password is never known by anyone there, can't be retrieved and will never be seen. It's up to me to make sure I don't use it on an infected system. If it gets out, I'm pretty much on the hook for whatever is in my account when someone wipes it out. That password is worth thousands of dollars. You make sure it's secure, and you treat it as such.

The fraud levels in the US are some of the highest in the world, and it's because the banks don't care. They make enough with the fraud and aren't held responsible for the actual harm they cause people when they put inaccurate information on credit reports.

Let someone sue when there's an inaccuracy on their credit report (with the burden being on the person who put it there to prove it's accurate) and you'll see that crap stopped pretty quick. Make the banks pay an "oops" fee of $100 to their customers when the banks take out money because of a fraudulent transaction the customer couldn't have prevented. Hold the banks responsible for the damage they are causing through "identity theft" (which is nothing more than lax security blamed on their customers when the banks have the ability to stop nearly all identity theft). When that's done, then fraud will drop and identity theft will be gone except for the few cases where couples pretend to be the other to wipe out an account as part of a breakup.

Re:Really now?

[rtfa-troll]

Putting these technical restrictions to regulation is a bad idea (though some limited minimum standards is probably good). I think you have to look at the difference between the credit card system and the bank account system. You'll probably find that there's more technical protection on your bank account access, but credit card fraud worries you less and causes you fewer problems. The reason for this is that the credit card fraud is pushed to the place which is able to verify the transaction and not just the account holder; the shop and the credit card system. The security is very dynamic. If you make a small transaction in a place near where you live, it will almost always go through. If you make a large transaction in Cambodia, soon after making one at home (unless, of course you are Cambodian, in which case the same argument applies, but in New York), the company will call you directly to your mobile phone and ask you to confirm the transaction.

The reason this works like this (which is expensive) and works so well is simple. You are allowed to reverse the transactions if they aren't yours. This pushes the liability to the bank. If the same applied to bank accounts, that you could just reverse any transaction and the bank had to prove you were liable for it, suddenly bank fraud would be massively reduced, disappear completely as a consumer problem and the criminals trying it would be pursued to the ends of the earth.

Re:Really now?

[Moridineas]

I think your heart is in the right place, but I'm not sure your ideas make sense?

I opened a bank in a foreign country. They take and hash your password as you give it to them. The password is never known by anyone there, can't be retrieved and will never be seen. It's up to me to make sure I don't use it on an infected system. If it gets out, I'm pretty much on the hook for whatever is in my account when someone wipes it out. That password is worth thousands of dollars. You make sure it's secure, and you treat it as such.

God, I hope most banks don't rely on such weak security? The bank where I have my business account gave me a security token that I've got to use in addition to a username/password to login. Before I do anything major like account transfers or wires, I've got to use the security token again. Interactive Brokers trading offers security tokens as well though I haven't used theirs--I have a lookup page from them that serves the same function though.

Admittedly my personal banks do not use a security token, otp, etc. Most of them DO require usage of a pin code or csv code off a credit card/bank card before you can make account changes.

If freaking Blizzard can release a battle.net mobile authenticator for iphone/blackberry/etc, banks certainly should be able to. It's annoying.

The fraud levels in the US are some of the highest in the world, and it's because the banks don't care.

Are they really?

Let someone sue when there's an inaccuracy on their credit report (with the burden being on the person who put it there to prove it's accurate) and you'll see that crap stopped pretty quick.

Uh, really? You CAN sue, and it happens (google). First of all, you have a clear set of rights as laid out under the Fair Credit Reporting Act (it's been amended and updated, but is NOT new). If you're not familiar with your legally protected rights and options, take a look at it, I think you might not be quite as disgruntled. Your rights include the credit report companies being REQUIRED to give you a written explanation (or fixing the error) when you notify them of a mistake. And so on. If they ignore you, they get in trouble.

There are plenty of types of identity theft that are not the customers fault, nor should the bank be able to catch.

Make the banks pay an "oops" fee of $100 to their customers when the banks take out money because of a fraudulent transaction the customer couldn't have prevented.

That would be awesome. I'd set up an arrangement where my friends would steal my identity. They'd give whatever they got back to me, and we'd split the $100. Nobody would possibly take advantage of that system!

Hold the banks responsible for the damage they are causing through "identity theft" (which is nothing more than lax security blamed on their customers when the banks have the ability to stop nearly all identity theft). When that's done, then fraud will drop and identity theft will be gone except for the few cases where couples pretend to be the other to wipe out an account as part of a breakup

It's your statement here that makes me think maybe you're missing what exactly identity theft is? It doesn't HAVE to be because of "lax security" at a bank. That's certainly a problem, yes, but not by any means the sole cause! Instead of thinking about it as "identity theft" think of it as impersonating somebody else. My wife's family was hit by identity theft when a piano teacher's trash was gone through by a criminal. Inside the trash was a ripped up and voided check. Who's liable in this situation? Between going through trash, malware, malware, professional hacking rings, weak security from VENDORS, public records, giving too much data to vendors/organizations/etc, there is a LOT of information out there. Not even getting into social engineering...

Identity theft is going to be a problem as long as the

Re:Really now?

[iamweasel]

That's what we have in Finland at least. First you have to physically go to the bank to identify yourself and then you get a login/password and a physical list of key-value pairs for online banking. When you start to run out of said keys you go get another list from the bank or order one through mail. Then you change the list using a value from the previous list and input the number of the new key list.

In order to compromise in this system someone would have to have access both to my specific key list and my login/password combination.

Of course that doesn't help at all if someone compromises the bank's systems, but in that case it wouldn't make a difference whether I used online banking or not.

It baffles me that something as simple as (or similar to) this is not being used as I do believe it makes online banking a whole lot more secure.

Re:Really now?

[Ford+Prefect]

What I have for my British Nationwide account (a building society rather than a bank, but that's mainly semantics) is a small, calculator-lookalike card-reader that takes my ATM card and PIN and is used to sign any transactions or other significant operations involving money.

Say I want to transfer money to a non-Nationwide account, I have to:

Login by entering my customer number, passphrase and three randomly selected digits of a secret six-digit code,
Set up the transfer, put my ATM card (with chip) into the card-reader and enter my PIN.
Press 'Sign', enter the reference (typically the account number), press OK, enter the amount of money being transferred, press OK and then type the eight-digit code it gives me into the online banking service to authorise the transfer.

It's still vulnerable to man-in-the-middle attacks, but someone would have to be a bit thick to wonder why what appears to be their online banking service suddenly wants them to transfer lots of money somewhere.

Also, yes, it takes forever to do anything.

Re:Really now?

[mlts]

Most of Europe has something like this, either a keyfob, or a TAN list.

However, it a rare sight for an American bank to offer much if anything more than username/password protection. You might find a bank that asks a question from your challenge/response list, or asks you to select the answer on a random list, where the text is a bitmap (to help foil malware that doesn't have an OCR engine.) Anything more than that, good luck.

What is ironic is that Blizzard offers a keyfob and/or an app for the iPhone and Android. Why can't banks here in the US protect their customers more than a game company protects theirs?

Re:Really now?

[sodul]

American Express is your friend.

It took me over a year once I moved to the US to get a credit card. It took even longer for my wife since she had no SSN until a few years ago (yes you can live legally in the US for years and declare taxes without being allowed a SSN).

There is a vicious circle: no credit history, you can't get a credit card ... but you need one to get a credit history. You also have the option of the prepaid credit card, where you have to loan the bank say $500 for a $500 line of credit.

But my best advice: live within your means and always pay off you cards.

Re:Really now?

[qubezz]

You sir, are incorrect. The original PDF from the police department (which was copied by and is still being hosted on Wired.com's website with their follow-up article) has a layer of black 'redaction' blocks, but all the personal data is still there and can be cut-and-pasted.

The reporter sanitized the PDF for the cops by printing it, scanning it, and making another PDF (I would have just raster printed it direct to another PDF file), and replaced the original on the web site with the new one.

how is this a sign of potential problems?

[Michael+Kristopeit]

In an interview, Stein said that the fact that LifeLock had to call and ask for the document to be removed reflected badly on Lifelock's service. 'I think this shows clearly that they know that it's got potential problems.'"

so a service designed to protect your privacy is broken if it actively attempts to protect your privacy? I think this shows clearly that they got a proactive strategy to protect personal information.

just because the CEO is willing to stick his chin out doesn't mean i trust him to stick MY chin out.

Re:how is this a sign of potential problems?

[thedohman]

You are absolutely correct! They are doing exactly as I would expect the service to do. She got her info on a police report. The police department gave a media outlet the report in such a way that her personal information was exposed. LifeLock called the media outlet and asked to remove her data. There is no way anybody could have prevented the info from getting there in the first place... except maybe not giving the police department your SSN when reporting a crime happening to someone else.

If I was a customer of theirs, and a police department did the same to me, then LifeLock is doing exactly as I would expect them to do, if they wanted to continue getting my monthly fee.

However, Tamika is one of their own, and the police report was published in an article about them. I don't think they would even notice if it had happened to a regular customer and/or if it had not been an article concerning LifeLock.

Fraud Alert != Fraud Immunity

[mysidia]

Not everyone reviews a credit report before issuing any type of credit.

ID thieves can potentially abuse personal information, no matter how many types of fraud alerts you put, there is no guarantee that it will be seen by every third party.

Or the ID thief may employee social engineering and even defeat the 'fraud alert'

Todd Davis' publishing his social security number is a gimmick, and he should understand the risks, and chose to do so anyway, clearly as a publicity stunt.

As CEO and well-known media figure he can probably more easily deal with any ills that result than the average joe, and rely on his company to pay all the money and take all the hassle haggling with creditors of ID thief.

Minor cost well worth the publicity.

His SSN is also more likely to be recognized by banks, and (I suspect) he has little need to himself apply for credit, personally, otherwise he would not do it.

As for other employees of the company.... they have not agreed to this, not agreed to the hassle, and are in a much poorer position to defend themselves against ID theft. They have every right to their privacy, and to not have media organizations publish redacted/legally sealed or legally witheld info.

Re:Fraud Alert != Fraud Immunity

[Shakrai]

no matter how many types of fraud alerts you put

Better than a fraud alert is the security freeze. They won't open a new account if they can't see your credit report. The security freeze shouldn't even be a major inconvenience, unless you are one of the champs that applies for every new credit and store card under the sun.

Re:Fraud Alert != Fraud Immunity

[mysidia]

I'll agree a security freeze is better.

But a Credit card or Loan isn't the only type of account an ID thief can try to open fraudulently in a victim's name.

They might try to open a checking account instead, which does not involve a CRA inquiry. Instead, the inquiry would go to CheXsystems or similar, which do not provide a 'security freeze' option

The ID thief may also create a bogus instrument, such as a 'checkbook' of fake checks in victim's name.

If the ID thief is up to title fraud, they also may be able to take out certain type of mortgages on the victim's property, without a credit check.

Or "rent" out certain items in their name and not return them. In any case the bad checks /non-returned items will result in probably nastygrams for the victim, telephone calls, threats, possibly attempts at legal action.

Cringely...

http://www.cringely.com/2010/05/lifeblocked/

Ya, You Betcha

[MightyMartian]

... 'I think this shows clearly that they know that it's got potential problems.'

What it shows clearly is that Lifelock is worthless, except at taking money from morons.

Re:Ya, You Betcha

[DrugCheese]

What it shows clearly is that Lifelock is worthless, except at taking money from morons.

Exactly. I've been waiting for this story ever since I laughed at their first commercial.

If you really want protection

[ksemlerK]

...Freeze your credit reports.

EQUIFAX Online Help: How to place a security freeze

Experian Online Help: Security Freeze

TransUnion Personal: Security Freeze

Problem solved, and you're not paying $9.95 a month for a service you can easily perform yourself that is far more effective then what any of these supposed "Identity protection" companies offer.

Re:If you really want protection

[Ron+Bennett]

Freezing often costs money. And each of those credit bureau charges separately. Could cost one upwards of $30 to place a freeze at all three.

The hassles of "freezing" along with the fees to do so, is another illustration of the financial system being crooked; not designed to protect people, but rather to make credit as easy to obtain as possible with little regard to security.

Ron

Re:If you really want protection

[AK+Marc]

That's $30 for a protection for life,

Protection from what? Banks that blame a 3rd party every time they get robbed? This is no different than if a robber walks into a bank with a deposit slip from your account, writes "give me $10,000" on it, and robs the bank at gun point. Then, when the bank notices that it has your name on the deposit slip, they take it out of your account without your knowledge or permission, even when they know for sure you weren't the robber.

Banks are stealing from their customers when they are robbed. When "identity theft" is treated as it really is, simple fraud, then the world will be a better place. If Congress had balls (and they don't have balls, just pockets with checks in them from the banks), they'd pass a law where every contact with a customer because of a fraudulent account opened by a 3rd party earned them a $100 fine to be paid to the customer, they'd figure out security pretty damn quick. Instead, it's cheaper to screw the lives of their customers (or often, even non customers) because they are too cheap and lazy to have actual security.

"Identity theft" is where the bank performs legalized fraud to harm people because the bank got robbed due to their own negligence.

Re:If you really want protection

[ksemlerK]

Unless it is a mortgage, or another purchase in excess of $50000, the credit granter will typically only check with one bureau. Inquire about which bureau they are checking with, so you don't end up spending unnecessary money. It usually only takes 15 minutes to unfreeze a credit line, so place the call, and go have a cigarette. By the time that you come back in, it will be open, and they can run the credit score. After you are approved for the loan, place another call, and freeze your credit score again.

POTENTIAL problems?

[Chas]

No. At this point, potential has surpassed threshold and achieved REAL problem status.

Anyhoo, Lifelock is a scam. Plain and simple.
They'll take your money right enough, but they really can't deliver on their promises to protect you and your information.
They're like insurance salesmen. They're simply trying for quantity and trying to live on margins, hoping that they don't get hit big by some massive info theft that they can't cover up or make disappear.
Once they get a breach of a truly significant portion of their customer's data, expect to see them fold up shop like all the old fly-by-night insurance salesmen in the Depression.

Re:POTENTIAL problems?

[SlappyBastard]

In fairness, whole industries are built around telling customers the exact lie they want to hear.

Re:POTENTIAL problems?

[GNUALMAFUERTE]

http://computer.howstuffworks.com/windows-vista.htm

Oh Really?

Police fail to properly redact data

[logjon]

Where is that story? Oh, lifelock is an easier target. I understand.

Re:No different than the DNC registery

[Mr.+Freeman]

You're an idiot, it has nothing to do with no-call lists or any such thing.

It puts a "fraud alert" on your accounts and renews it every 90 days or however long they last for. Something you can easily do yourself for free. Basically having a fraud alert makes banks, lenders, etc. actually do SOME amount of work to verify your identity rather than blindly allowing anyone with a social security number to get a loan in the owner of that number's name.

Re:No different than the DNC registery

Basically having a fraud alert makes banks, lenders, etc. actually do SOME amount of work to verify your identity rather than blindly allowing anyone with a social security number to get a loan in the owner of that number's name.

Not entirely true. It theoretically requires banks, lenders, etc do some work before opening a new account. In practice, they usually skip this step. Trust me, I know from experience. I opened a new bank account while I had a fraud alert on my files, yet I was never contacted to confirm that I indeed opened that account. When I pressed the credit reporting agencies on it, I was told that the fraud alert system is more of a "best practice" type of thing, and that companies were in no way obligated to actually follow the guidelines.

Re:No different than the DNC registery

[Jason+Levine]

With fraud alerts, banks/lenders/etc are recommended to do some verification work, but they aren't *required* to do so. Some institutions might skip the verification and thus allow more ID theft to go on. Better to freeze your credit entirely. It costs some money to place, thaw and remove (how much depends on your state and whether or not you've been a victim of ID theft), but it is definitely worthwhile. As a bonus, since credit card companies can't see your credit information, they won't "pre-approve" you for credit cards and send those blank forms which then need to be shredded lest some ID thief steal them.

Of course, the credit agencies hate security freezes. They want you to place fraud alerts because they can still sell your credit information and you can still sign up for store credit cards on the fly. That's why their lobbyists will fight any bill that promises to make security freezes less expensive or easier to obtain.

Re:No different than the DNC registery

[Attila+Dimedici]

Very good point, my sister had her identity stolen. She put a fraud alert on with the credit reporting agencies. She, also, regularly obtained her credit report. On one of her reports, she saw that a major Department store chain had requested her credit report. She contacted their credit processing headquarters for our region to tell them that she had not requested credt from them and told them not to issue her any. Several months later she got a bill for around $2,000. It turns out that the person who stole her ID, lived in a different region and the people she talked to just blew my sister off because the application wasn't in their database. The chain ended up out that money and it didn't cause my sister more than the minor inconvenience of informing the chain that she had never asked for nor used the credit card in question.

Re:No different than the DNC registery

[qubezz]

Do I get mega-win for being the first commenter (as 'BootyFooz') in the original article to point out the flawed PDF 'blackouts', revealing SSN, drivers license, and DOB info for both the CEO and the other Lifelock employee?!

The Lifelock thing is clearly a scam founded by a guy who was already lifetime-banned from the credit repair industry. The only thing they did was use robo-dialers to call one credit reporting agency to set fraud alerts on subscribers's credit reports, and when the credit reporting agency stopped them from doing that, they now have no service at all except a false promise with a false $1 million guarantee. They had $12 million in liquid assets once, but a government fine completely cleaned out their bank accounts (yet allowed them to stay in business), so they couldn't even pay this guarantee even though their fine print says they really don't have to pay it anyway.