Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lifelock Worries After Employee Data Leaked To Web

Posted by samzenpus on from the protect-that dept.

itwbennett writes "Last week, Phoenix New Times reporter Ray Stein revealed that LifeLock CEO Todd Davis (who famously published his Social Security number in LifeLock ads) had been the victim of identity theft at least 13 times. This week, LifeLock made it clear that it's not so cavalier with its employees' personal data. The company asked the New Times to remove from its website a police report containing a redacted Social Security number, date of birth, address, and phone number of Lifelock employee Tamika Jones. In an interview, Stein said that the fact that LifeLock had to call and ask for the document to be removed reflected badly on Lifelock's service. 'I think this shows clearly that they know that it's got potential problems.'"

23 of 145 comments (clear)

  1. Really now? by Darkness404 · · Score: 4, Interesting

    Anyone who expects a service to 100% protect them from identity theft is an idiot. Its just like a virus scanner, it might be helpful but its no substitute for common sense.

    --
    Taxation is legalized theft, no more, no less.
    1. Re:Really now? by Shakrai · · Score: 5, Insightful

      it might be helpful but its no substitute for common sense.

      Common sense would be banks requiring more information than an SSN and DOB from an internet connected computer before opening lines of credit. I watched someone apply for a line of credit with Citi online and receive a $15,000 account with no verification of his identity beyond the SSN/DOB match. What's wrong with that picture?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    2. Re:Really now? by biryokumaru · · Score: 5, Funny

      Right on, brother!

      This is exactly what I said when they first invented banks! I mean, anyone can just walk into one of those places with a fake ID and *bam* they've got all my money! That's why I keep all my money in gold Krugerrands in a shoe box under my...

      Hey now, I'm not gonna tell you where I keep my shoe box! Now get off my lawn, you wacko!

      --
      When you're afraid to download music illegally in your own home, then the terrorists have won!
    3. Re:Really now? by NotQuiteReal · · Score: 4, Insightful

      Yup - I've been anonymous on the Internet, since, well, since it was Darpanet, or uucp, or whatever it was. Call me paranoid, but even way back in the day, I always wondered, "why would I want anyone to know X, about me?"

      If you are writing me a check, I'll give you enough info so I can cash it, otherwise, meh. Even my cable bill has a misspelling in my name I have not corrected in 14 years.

      P.S. NotQuiteReal, is not my real name... Proud alias-using "lurker" on the Internet/Usenet since 1982 (or before...)

      --
      This issue is a bit more complicated than you think.
    4. Re:Really now? by jonwil · · Score: 4, Insightful

      When I opened my bank account (here in Australia) I had to go into the branch physically and sign up for it, including showing various forms of ID.

      The only reason the US isn't as strict is that the banks have used their powerful influence to make sure that nothing gets in the way of their ability to offer vast amounts of credit (home loans, car loans, personal loans, credit cards etc) to anyone and everyone.

      They want to make getting a credit card as easy as possible.

    5. Re:Really now? by AK+Marc · · Score: 5, Interesting

      There are any number of ways that a bank could be compromised, and the data distributed. Unlike a password, or a username, or even a SSN, there is no way to change your mother's maiden name, etc.

      I opened a bank in a foreign country. They take and hash your password as you give it to them. The password is never known by anyone there, can't be retrieved and will never be seen. It's up to me to make sure I don't use it on an infected system. If it gets out, I'm pretty much on the hook for whatever is in my account when someone wipes it out. That password is worth thousands of dollars. You make sure it's secure, and you treat it as such.

      The fraud levels in the US are some of the highest in the world, and it's because the banks don't care. They make enough with the fraud and aren't held responsible for the actual harm they cause people when they put inaccurate information on credit reports.

      Let someone sue when there's an inaccuracy on their credit report (with the burden being on the person who put it there to prove it's accurate) and you'll see that crap stopped pretty quick. Make the banks pay an "oops" fee of $100 to their customers when the banks take out money because of a fraudulent transaction the customer couldn't have prevented. Hold the banks responsible for the damage they are causing through "identity theft" (which is nothing more than lax security blamed on their customers when the banks have the ability to stop nearly all identity theft). When that's done, then fraud will drop and identity theft will be gone except for the few cases where couples pretend to be the other to wipe out an account as part of a breakup.

      --
      Learn to love Alaska
    6. Re:Really now? by rtfa-troll · · Score: 3, Insightful

      Putting these technical restrictions to regulation is a bad idea (though some limited minimum standards is probably good). I think you have to look at the difference between the credit card system and the bank account system. You'll probably find that there's more technical protection on your bank account access, but credit card fraud worries you less and causes you fewer problems. The reason for this is that the credit card fraud is pushed to the place which is able to verify the transaction and not just the account holder; the shop and the credit card system. The security is very dynamic. If you make a small transaction in a place near where you live, it will almost always go through. If you make a large transaction in Cambodia, soon after making one at home (unless, of course you are Cambodian, in which case the same argument applies, but in New York), the company will call you directly to your mobile phone and ask you to confirm the transaction.

      The reason this works like this (which is expensive) and works so well is simple. You are allowed to reverse the transactions if they aren't yours. This pushes the liability to the bank. If the same applied to bank accounts, that you could just reverse any transaction and the bank had to prove you were liable for it, suddenly bank fraud would be massively reduced, disappear completely as a consumer problem and the criminals trying it would be pursued to the ends of the earth.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    7. Re:Really now? by iamweasel · · Score: 3, Informative

      That's what we have in Finland at least. First you have to physically go to the bank to identify yourself and then you get a login/password and a physical list of key-value pairs for online banking. When you start to run out of said keys you go get another list from the bank or order one through mail. Then you change the list using a value from the previous list and input the number of the new key list.

      In order to compromise in this system someone would have to have access both to my specific key list and my login/password combination.

      Of course that doesn't help at all if someone compromises the bank's systems, but in that case it wouldn't make a difference whether I used online banking or not.

      It baffles me that something as simple as (or similar to) this is not being used as I do believe it makes online banking a whole lot more secure.

  2. Fraud Alert != Fraud Immunity by mysidia · · Score: 5, Informative

    Not everyone reviews a credit report before issuing any type of credit.

    ID thieves can potentially abuse personal information, no matter how many types of fraud alerts you put, there is no guarantee that it will be seen by every third party.

    Or the ID thief may employee social engineering and even defeat the 'fraud alert'

    Todd Davis' publishing his social security number is a gimmick, and he should understand the risks, and chose to do so anyway, clearly as a publicity stunt.

    As CEO and well-known media figure he can probably more easily deal with any ills that result than the average joe, and rely on his company to pay all the money and take all the hassle haggling with creditors of ID thief.

    Minor cost well worth the publicity.

    His SSN is also more likely to be recognized by banks, and (I suspect) he has little need to himself apply for credit, personally, otherwise he would not do it.

    As for other employees of the company.... they have not agreed to this, not agreed to the hassle, and are in a much poorer position to defend themselves against ID theft. They have every right to their privacy, and to not have media organizations publish redacted/legally sealed or legally witheld info.

    1. Re:Fraud Alert != Fraud Immunity by Shakrai · · Score: 5, Informative

      no matter how many types of fraud alerts you put

      Better than a fraud alert is the security freeze. They won't open a new account if they can't see your credit report. The security freeze shouldn't even be a major inconvenience, unless you are one of the champs that applies for every new credit and store card under the sun.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
  3. Cringely... by Anonymous Coward · · Score: 4, Informative

    http://www.cringely.com/2010/05/lifeblocked/

  4. Re:Ya, You Betcha by DrugCheese · · Score: 3, Funny

    What it shows clearly is that Lifelock is worthless, except at taking money from morons.

    Exactly. I've been waiting for this story ever since I laughed at their first commercial.

    --
    *DrugCheese rants*
  5. If you really want protection by ksemlerK · · Score: 5, Interesting

    ...Freeze your credit reports.

    EQUIFAX Online Help: How to place a security freeze

    Experian Online Help: Security Freeze

    TransUnion Personal: Security Freeze

    Problem solved, and you're not paying $9.95 a month for a service you can easily perform yourself that is far more effective then what any of these supposed "Identity protection" companies offer.

    --
    Get your free Dropbox account with 2 GB Free storage!
    1. Re:If you really want protection by Ron+Bennett · · Score: 4, Informative

      Freezing often costs money. And each of those credit bureau charges separately. Could cost one upwards of $30 to place a freeze at all three.

      The hassles of "freezing" along with the fees to do so, is another illustration of the financial system being crooked; not designed to protect people, but rather to make credit as easy to obtain as possible with little regard to security.

      Ron

    2. Re:If you really want protection by AK+Marc · · Score: 4, Insightful

      That's $30 for a protection for life,

      Protection from what? Banks that blame a 3rd party every time they get robbed? This is no different than if a robber walks into a bank with a deposit slip from your account, writes "give me $10,000" on it, and robs the bank at gun point. Then, when the bank notices that it has your name on the deposit slip, they take it out of your account without your knowledge or permission, even when they know for sure you weren't the robber.

      Banks are stealing from their customers when they are robbed. When "identity theft" is treated as it really is, simple fraud, then the world will be a better place. If Congress had balls (and they don't have balls, just pockets with checks in them from the banks), they'd pass a law where every contact with a customer because of a fraudulent account opened by a 3rd party earned them a $100 fine to be paid to the customer, they'd figure out security pretty damn quick. Instead, it's cheaper to screw the lives of their customers (or often, even non customers) because they are too cheap and lazy to have actual security.

      "Identity theft" is where the bank performs legalized fraud to harm people because the bank got robbed due to their own negligence.

      --
      Learn to love Alaska
  6. POTENTIAL problems? by Chas · · Score: 3, Insightful

    No. At this point, potential has surpassed threshold and achieved REAL problem status.

    Anyhoo, Lifelock is a scam. Plain and simple.
    They'll take your money right enough, but they really can't deliver on their promises to protect you and your information.
    They're like insurance salesmen. They're simply trying for quantity and trying to live on margins, hoping that they don't get hit big by some massive info theft that they can't cover up or make disappear.
    Once they get a breach of a truly significant portion of their customer's data, expect to see them fold up shop like all the old fly-by-night insurance salesmen in the Depression.

    --


    Chas - The one, the only.
    THANK GOD!!!
    1. Re:POTENTIAL problems? by SlappyBastard · · Score: 3, Insightful

      In fairness, whole industries are built around telling customers the exact lie they want to hear.

      --
      I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
    2. Re:POTENTIAL problems? by GNUALMAFUERTE · · Score: 3, Funny

      http://computer.howstuffworks.com/windows-vista.htm

      Oh Really?

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
  7. Re:how is this a sign of potential problems? by thedohman · · Score: 5, Insightful

    You are absolutely correct! They are doing exactly as I would expect the service to do. She got her info on a police report. The police department gave a media outlet the report in such a way that her personal information was exposed. LifeLock called the media outlet and asked to remove her data. There is no way anybody could have prevented the info from getting there in the first place... except maybe not giving the police department your SSN when reporting a crime happening to someone else.

    If I was a customer of theirs, and a police department did the same to me, then LifeLock is doing exactly as I would expect them to do, if they wanted to continue getting my monthly fee.

    However, Tamika is one of their own, and the police report was published in an article about them. I don't think they would even notice if it had happened to a regular customer and/or if it had not been an article concerning LifeLock.

  8. Police fail to properly redact data by logjon · · Score: 5, Informative

    Where is that story? Oh, lifelock is an easier target. I understand.

    --
    The stories and info posted here are artistic works of fiction and falsehood.
    Only fools would take it as fact.
  9. Re:No different than the DNC registery by Mr.+Freeman · · Score: 4, Informative

    You're an idiot, it has nothing to do with no-call lists or any such thing.

    It puts a "fraud alert" on your accounts and renews it every 90 days or however long they last for. Something you can easily do yourself for free. Basically having a fraud alert makes banks, lenders, etc. actually do SOME amount of work to verify your identity rather than blindly allowing anyone with a social security number to get a loan in the owner of that number's name.

    --
    -1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
  10. Re:No different than the DNC registery by Anonymous Coward · · Score: 4, Informative

    Basically having a fraud alert makes banks, lenders, etc. actually do SOME amount of work to verify your identity rather than blindly allowing anyone with a social security number to get a loan in the owner of that number's name.

    Not entirely true. It theoretically requires banks, lenders, etc do some work before opening a new account. In practice, they usually skip this step. Trust me, I know from experience. I opened a new bank account while I had a fraud alert on my files, yet I was never contacted to confirm that I indeed opened that account. When I pressed the credit reporting agencies on it, I was told that the fraud alert system is more of a "best practice" type of thing, and that companies were in no way obligated to actually follow the guidelines.

  11. Re:No different than the DNC registery by Jason+Levine · · Score: 4, Interesting

    With fraud alerts, banks/lenders/etc are recommended to do some verification work, but they aren't *required* to do so. Some institutions might skip the verification and thus allow more ID theft to go on. Better to freeze your credit entirely. It costs some money to place, thaw and remove (how much depends on your state and whether or not you've been a victim of ID theft), but it is definitely worthwhile. As a bonus, since credit card companies can't see your credit information, they won't "pre-approve" you for credit cards and send those blank forms which then need to be shredded lest some ID thief steal them.

    Of course, the credit agencies hate security freezes. They want you to place fraud alerts because they can still sell your credit information and you can still sign up for store credit cards on the fly. That's why their lobbyists will fight any bill that promises to make security freezes less expensive or easier to obtain.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.