
Many ID-Protection Services Fail Basic Security (tomsguide.com)

Paul Wagenseil, writing for Tom's Guide: For a monthly fee, identity-protection services promise to do whatever they can to make sure your private personal information doesn't fall into the hands of criminals. Yet many of these services -- including LifeLock, IDShield and Credit Sesame -- put personal information at risk, because they don't let customers use two-factor authentication (2FA). This simple security precaution is offered by many online services. Without 2FA, anyone who has your email address and password -- which might be obtained from a data breach or a phishing email -- could log in to the account for your identity-protection service and, depending on how the service protects them, possibly steal your bank-account, credit-card and Social Security numbers.

47 comments

  1. Security has no ROI... by ctilsie242 · · Score: 4, Interesting

    Ironic that the companies that are in business to watch people's IDs seem to not care about protecting security themselves with basic account security measures. However, I think this is typical of the computer industry as a whole with "security has no ROI" a mantra sung by the PHBs.

    Do these services even work? Once someone applies and gets a credit card, the damage is done... the ID theft service may not be able to do much, because the debt is already signed for and it is up to the victim to press the fraud allegations and do the police reports.

    1. Re:Security has no ROI... by Zaelath · · Score: 1

      Will a brand new card let you max it the day your application is processed? I'd have thought it's a couple days to get the card in your hands and a "while" before the credit company AI will let you buy 11 4K TVs.

      IFF these places are as hooked in to the system as they claim, they should have plenty of time to kill the application before it's granted. I think that's a big IFF though.

    2. Re:Security has no ROI... by CaptainDork · · Score: 1

      ... this is typical of the computer industry as a whole with "security has no ROI" a mantra sung by the PHBs.

      Precisely this.

      --
      It little behooves the best of us to comment on the rest of us.
    3. Re:Security has no ROI... by Anonymous Coward · · Score: 0

      Security has no ROI except that time when it has negative ROI and the lawyers bury you into the ground. Better milk it while the milking is good.

    4. Re:Security has no ROI... by FFOMelchior · · Score: 0

      > Security has no ROI except that time when it has negative ROI

      Then the shareholders/c-levels dump the stock, avoid the majority of the loss for themselves, then move on to the next company to continue skimping as much as they can there. The cycle continues...

    5. Re:Security has no ROI... by Anonymous Coward · · Score: 0

      The services not only do nothing you can't do for yourself, they charge you for the privilege. Then, they hound you relentlessly when you try to cancel, to the point of refusing to cancel the service. Lookup complaints against Lifelock. It's almost as hard as cancelling Comcast.

      For the love of God, Internet... please demand useful, serious 2FA. Authenticator type apps at the very least, but preferably U2F. Yubikeys are great, the Feitian U2F is cheap. Setup Advanced Protection for Google. Lock down your facebook. Get two keys, use them.

    6. Re:Security has no ROI... by viperidaenz · · Score: 1

      I applied for a credit card once, it got held up in the mail.

      The bank refused to give me the card number to use and said it required activation by bringing the physical card in to a branch before it would work.

    7. Re:Security has no ROI... by JeffTL · · Score: 1

      You can charge to a lot of retail cards immediately - the ones you can open at the wrapstand for an extra discount or a rebate. Department stores have a lot of goods like jewelry, cosmetics, and designer clothes that are easy to liquidate after a perp uses someone else's credit to buy them. They will sometimes do extra verification before a big charge can go through, but someone with a fake driver's license and a credit report would probably be able to bluff his way through it.

    8. Re:Security has no ROI... by nnull · · Score: 3, Interesting

      That's because we have a culture and society that doesn't value privacy or security. Take for example European countries, which place a higher value on privacy, where security companies actually flourish, because more people on average care about security and testing for flaws.

      Meanwhile, the only security companies that flourish in the US are security camera installers who install completely open to the internet security cameras for everyone (Because it's easier to just leave the firewall open to the internet for the client, who cares? Job is done, got paid! Client is happy to be able to watch their place on their phone and forgets about all that secured network nonsense.). There's definitely zero risk assessment being done at many companies.

    9. Re:Security has no ROI... by Anonymous Coward · · Score: 0

      However, I think this is typical of the computer industry as a whole with "security has no ROI" a mantra sung by the PHBs.

      That's why tools of this nature are better left to security geeks in the open source community. I use and recommend KeePass.

    10. Re:Security has no ROI... by vtcodger · · Score: 1

      "Setup Advanced Protection for Google."

      You're kidding, right? Every year or three, Google tweaks its security handling and plunges me into the weird world of Google account settings to sort something or other out before it'll let me see my email. I can't make head nor tail out of much of the stuff there without a lot of research, and probably don't actually understand half the stuff I think I understand. Neither, I'm quite sure, can 99% of Google users.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    11. Re:Security has no ROI... by Anonymous Coward · · Score: 0

      Do these services even work?

      No, they don't. Once the identity is known, the only recourse is to change the authentication methods used. (Change passwords, credit card numbers, etc. Freeze credit until it's used, etc.) You can't reverse them getting the information. (Well you could, but that involves making sure every copy of it is destroyed along with any copies made from the copies, and the whole "I'd tell ya, but then I'd have to kill ya." thing. Which is mostly illegal.)

      The best that these services do is warn you if an attempt is made to use your identity, but they in and of themselves need all of the information to use your identity to do so. So the end result is you're paying someone to hold on to your identity, and trust that they will only use it to warn you when someone else does. While having the means to protect it. Which apparently even you, the person most affected by its misuse, lack the ability to do. So why do you expect some for profit business to do it? They will only protect your (and all of their customers') identity to the point that they keep making money. If you become too much of a risk to them, I'd expect they will do their best to drop you, just like any other insurance agency trying to stay profitable. The end result is you have given your identity to a group that will only do the bare minimum to protect it, against people who only have to succeed once to cause you irreparable harm for the rest of your life, and you're paying for the privilege to boot.

      Personally, I would never use such services. Even if I was hacked. It's just one more potential source of leaks and compromise, and I would never pay for it to exist.

    12. Re:Security has no ROI... by Anonymous Coward · · Score: 0

      There are not many companies where the lawyers have done that. In fact, even Equifax's stock was just set back to where it was in 2016. The populace forgets about the breach (well, all but those who got affected), the company can hide behind its EULAs, arbitration agreements, or the battalions of lawyers who will keep a case stuck in court for decades.

      In reality, security doesn't have any ROI. There are pretty much zero consequences for a breach. You can check out Sony and Home Depot stock prices as an assurance of that.

      A developer I know who works at a Fortune 500 company told me: "Trust me... I know this. All my backend code runs as root, the IAM account I use for all my AWS code pretty much is a full admin, but if I stop to secure things down, I don't meet the deliverable deadline, and if I don't meet that, I get excoriated in front of everyone at tomorrow's stand-up meeting. If by some reason the company got sued due to my code causing a breach, there are so many layers, I will not see any consequences. However, if I don't make what the SCRUM master demands, I get fired, assuredly."

    13. Re:Security has no ROI... by ctilsie242 · · Score: 1

      It actually has some ROI. The C-levels find out there was a major breach, dump and short their stock, announce the breach, and walk away with a lot more jingle in their wallet. If the company tanks, they get their golden parachute as well.

    14. Re:Security has no ROI... by ctilsie242 · · Score: 1

      What I'd like to see is a 2FA method that uses public/private keys. Right now, most 2FA authentication methods use a shared secret. This works well, and allows for devices to be completely air-gapped from each other, as ways to authenticate. However, it would be nice if there were a way to do this via public/keys, so if a company's repository of 2FA seeds gets compromised, it doesn't mean the attacker can generate fake 2FA codes to log on, or try them against other sites.

    15. Re:Security has no ROI... by Anonymous Coward · · Score: 0

      I hate those services. $30 a month, and they do absolutely nothing, and if you try to cancel them, they ignore you. Stop paying, 90 days later, you now have some shitass collection agency after you for $1000 in fees and your credit record gets hosed.

  2. Ten cents per login by tepples · · Score: 1

    Another problem is sites that send SMS for every login attempt even for users who have a TOTP app set up as a second factor. This policy, adopted by Twitter among others, hurts users who choose TOTP because the user A. carries a tablet but not a cell phone, B. lives in North America and carries a cell phone on a pay-as-you-go plan (which costs less per month than an unlimited plan) and therefore pays for each incoming text message, or C. wants to reduce exposure to the vulnerabilities of SMS: exploiting known SS7 protocol security problems or social engineering the user's cellular carrier into issuing a replacement. But some companies that offer 2FA appear to just not care.

    The following approach fixes cases A and B:

    1. Enter username
    2. Enter password
    3. A form with a field for a number from a TOTP app and a button "Send a text message instead"

    Google used to require SMS for 2FA but now appears to allow authentication using an Android device logged into Google Play Services.
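
The three-step flow above, written out as an added Go example (not code from the post or from any of the sites it mentions): the server checks the password, then presents a TOTP field, and only sends a text message if the user explicitly asks for one. HOTP and TOTP follow RFC 4226 and RFC 6238 and can be checked against those RFCs' published test vectors; the in-memory `Server` and `account` types, the `SentSMS` list standing in for an SMS gateway, and plain SHA-256 in place of a real password hash are assumptions made to keep the example self-contained.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// hotp is RFC 4226 (6 digits, HMAC-SHA1, dynamic truncation); totp is RFC 6238, HOTP over 30-second steps.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

func totp(secret []byte, at time.Time) string { return hotp(secret, uint64(at.Unix()/30)) }

// verifyTOTP tolerates one step of clock drift either way and compares in constant time.
func verifyTOTP(secret []byte, code string, at time.Time) bool {
	for _, skew := range []time.Duration{-30 * time.Second, 0, 30 * time.Second} {
		if subtle.ConstantTimeCompare([]byte(totp(secret, at.Add(skew))), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

type account struct {
	passHash   []byte // SHA-256 stands in for a real password hash (argon2/bcrypt) to keep this short
	totpSecret []byte // seed shared with the user's authenticator app
	phone      string
}

// Server is constructed in-memory state; SentSMS records what an SMS gateway would have sent.
type Server struct {
	accounts map[string]*account
	passed   map[string]bool   // username -> password step done, second factor pending
	smsCode  map[string]string // username -> outstanding code sent by SMS
	SentSMS  []string
}

func NewServer() *Server {
	return &Server{accounts: map[string]*account{}, passed: map[string]bool{}, smsCode: map[string]string{}}
}
func (s *Server) Register(user, pw, phone string, totpSecret []byte) {
	h := sha256.Sum256([]byte(pw))
	s.accounts[user] = &account{h[:], totpSecret, phone}
}

// Steps 1-2: username and password. Success only unlocks the second-factor form; nothing is sent.
func (s *Server) CheckPassword(user, pw string) error {
	a, ok := s.accounts[user]
	h := sha256.Sum256([]byte(pw))
	if !ok || subtle.ConstantTimeCompare(h[:], a.passHash) != 1 {
		return errors.New("bad username or password")
	}
	s.passed[user] = true
	return nil
}

// "Send a text message instead": an SMS goes out only on explicit request after the password step.
func (s *Server) RequestSMS(user string) error {
	a, ok := s.accounts[user]
	if !ok || !s.passed[user] {
		return errors.New("password step not completed")
	}
	var buf [4]byte
	rand.Read(buf[:])
	code := fmt.Sprintf("%06d", binary.BigEndian.Uint32(buf[:])%1000000)
	s.smsCode[user] = code
	s.SentSMS = append(s.SentSMS, a.phone+": your login code is "+code)
	return nil
}

// Step 3: the TOTP code, or the texted code if one was requested; pending state is cleared either way.
func (s *Server) SubmitCode(user, code string, now time.Time) bool {
	a, ok := s.accounts[user]
	if !ok || !s.passed[user] {
		return false
	}
	sms, sent := s.smsCode[user]
	smsOK := sent && subtle.ConstantTimeCompare([]byte(sms), []byte(code)) == 1
	if !verifyTOTP(a.totpSecret, code, now) && !smsOK {
		return false
	}
	delete(s.smsCode, user)
	delete(s.passed, user)
	return true
}
```

Two properties a reviewer would look for are built in: a text message is generated only after the password step and only on request, so the login page cannot be used to run up a pay-per-text bill for a TOTP user, and the TOTP check allows one 30-second step of drift while still comparing in constant time. With the RFC test secret `12345678901234567890`, counter 1 (Unix time 59) yields 287082.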

    1. Re:Ten cents per login by Anonymous Coward · · Score: 0

      I would add to this having the username NOT be the email address. It should be different and separate.

    2. Re:Ten cents per login by stephanruby · · Score: 1

      Google used to require SMS for 2FA but now appears to allow authentication using an Android device logged into Google Play Services.

      You're completely incorrect.

      Google already had it and was even allowing you to port their code to your own TOTP 2-factor authentication client (in addition to HOTP) to use with their service since 2010!

      That's right, 2010. That is not a typo. At the time, the official RFC was still being drafted.

      Here is the PROOF:

      https://web.archive.org/web/20100915000000*/http://code.google.com/p/google-authenticator/

    3. Re:Ten cents per login by tepples · · Score: 1

      Downloading Google Authenticator did not and does not require SMS. But associating Google Authenticator with a particular Google Account requires the account's owner to have set up 2FA through SMS on that Google Account. From the instructions:

      Set up the app

      1. If you haven’t already, turn on 2-Step Verification for your account using your phone number.

      Only the other 2FA method that uses Google Play Services instead of the Google Authenticator app can be added without first adding a phone number.

    4. Re:Ten cents per login by stephanruby · · Score: 1

      But some companies that offer 2FA appear to just not care

      I'm not going to defend Twitter. If that's what they're doing, then they're idiots.

      But I drive for Lyft (I used to drive for Uber). Lyft forces SMS 2FA for almost everything (but Uber doesn't, honestly, I'm not sure what Uber does from the consumer's perspective). And I believe that frequent SMS 2FA verification is a huge plus for Lyft.

      As a driver, I need to have a valid cell phone number to SMS or call when I pick up someone. Data works, but not always. For instance, if someone's phone inadvertently connects to a Starbucks free hotspot but the user doesn't sign in, the data wouldn't be working. Or let's say, the user's cell provider gets too congested for some reason and they throttle his data connection, then that could mean a serious delay in that person getting the update that I'm parked in front and that I'm waiting for him/her.

      So the solution is to use both data and sms when notifying a passenger that the car is there. And that's what Lyft does. And for that to work, that's why Lyft requires SMS 2FA frequently. It makes things so much easier and so much less stressful for the driver that way.

      Of course, if you're traveling and only using a wifi tablet to call a car, then you're not going to like Lyft (you'll use Uber instead). And as a Lyft driver, I actually don't have a problem with that. And for other non-taxi/non-delivery apps using SMS-only 2FA, then they're just being stupid (probably for the sake of gaining as much accurate advertising data as possible). Consumers need to call them out on it.

    5. Re:Ten cents per login by stephanruby · · Score: 1

      Is that an admission that you were wrong? Or are you just moving the goalposts?

      Because Google requiring a cell phone number with a working SMS for an initial set up, which can be changed afterward to TOTP, HOTP, or a recovery email address (all of which Google allowed you to do in 2010 from pretty much any platform by providing the source code, even before the RFC for TOTP was officially out of draft) seems to be a very far cry from what you initially wrote:

      Another problem is sites that send SMS for every login attempt even for users who have a TOTP app set up as a second factor.
      [...]
      Google used to require SMS for 2FA but now appears to allow authentication using an Android device logged into Google Play Services.

      In fact, I would argue that Google was a pioneer in providing this kind of convenience with 2FA. And it should be applauded for doing that, and not be put in the same category as Twitter for not even supporting that feature in the first place.

    6. Re:Ten cents per login by tepples · · Score: 1

      My first paragraph was about Twitter, not Google. I did not intend to lump Google and Twitter into the same category. To the extent that my comment can be read as doing so, I apologize for not having made the distinction more clearly. I have no experience with SMS-based 2FA on Google to see whether or not it continues to send SMS even after TOTP has been set up, having only used the Google Play Services-based 2FA once I was made aware that it was available.

    7. Re:Ten cents per login by stephanruby · · Score: 1

      I have no experience with SMS-based 2FA on Google to see whether or not it continues to send SMS even after TOTP has been set up...

      Once your phone number has been confirmed (to avoid spambots from creating new accounts), you enter your email address and corresponding password. And once that email address/password combo is deemed correct, it gives you the choice of which 2nd-factor method you want to use. And no, if you don't choose the SMS option, you won't get the code through SMS. I swear to you that's how it works. In fact, the next time you use 2FA, just click on the little black triangle next to your default method of authentication, and you'll be given a bunch of choices (this is in case you ever put your phone's sim card into a non-Android phone, or in case you don't have your phone/tablet on you).

      That kind of outdated information about SMS came mostly from pissed off Apple fanboys that were upset that Android users told them that it didn't matter how secure their iphone/iPad/Macbook were if their iCloud/Apple account didn't even have 2-factor authentication in the first place.

  3. Equifax already ... by CaptainDork · · Score: 1

    ... provided that feature.

    The Equifax Hack Exposed More Data Than Previously Reported

    --
    It little behooves the best of us to comment on the rest of us.
  4. Post-Experian: Endless whack-a-mole by Rick+Schumann · · Score: 4, Insightful

    130+ million horses have already left the barn, and they doused it with gasoline and threw in a lit match on the way out (THANKS, EXPERIAN!). Frankly I'm surprised there haven't been hundreds of thousands of cases of identity theft so far from this. As the subject line alludes to, I have little faith in any 'identity protection' service being able to do much of anything for anyone at this point in time, and how you log into their 'service' is probably the least of your worries. The mere fact that I haven't seen evidence of mass identity theft cases actually makes me more worried than if there had been; I've got no idea what these thieves are up to with all that very-much-personal data.

    1. Re:Post-Experian: Endless whack-a-mole by Anonymous Coward · · Score: 0

      I think you mean Thanks Equifax.. Experian "only" lost 15 million T-Mobile users' data.

    2. Re:Post-Experian: Endless whack-a-mole by Rick+Schumann · · Score: 2

      LOL, yeah, I do mean Equifax. They're all bastards, though, easy to confuse one for the other. ;-)

    3. Re:Post-Experian: Endless whack-a-mole by Anonymous Coward · · Score: 0

      It's "confuse one WITH the other"...

      But then, you are American, aren't you...

    4. Re:Post-Experian: Endless whack-a-mole by Rick+Schumann · · Score: 1

      Oh, shut it. xD

  5. LifeLock is backed by Equifax by Anonymous Coward · · Score: 0

    ... and both are designed to collect, not protect, and then monetize identities.

    1. Re:LifeLock is backed by Equifax by fyngyrz · · Score: 0

      You have to admit that "LifeLock" is well-named. They have you locked up, all right.

      --
      I've fallen off your lawn, and I can't get up.
    2. Re: LifeLock is backed by Equifax by Anonymous Coward · · Score: 0

      We are all being loc^H^H^Hfucked by Lifelock et al. Up, down, forwards, backwards, and sideways.

    3. Re: LifeLock is backed by Equifax by Brockmire · · Score: 1

      Can someone explain this ^H^H^H shit I see on Slashdot? I keep seeing and seems to have no useful purpose. Thanks

    4. Re: LifeLock is backed by Equifax by Anonymous Coward · · Score: 0

      ^H is the old visual representation of Backspace (Delete for Apple, because Apple), the on-screen glyph for ASCII character 0x8. On connections which did not support even backspace editing (yes, they existed) these characters would appear as part of the text stream, showing that the user tried to erase some typed characters. The joke, long in the tooth as it is, is to start typing one word (usually something impolite or not-PC), follow it with the correct number of "^H"s to "erase" it, and then type a more acceptable word.

    5. Re: LifeLock is backed by Equifax by Anonymous Coward · · Score: 0

      emacs user I presume?

    6. Re: LifeLock is backed by Equifax by Brockmire · · Score: 1

      Thanks. That makes me feel younger than I am. To the other user, I'm a nano simpleton.

  6. parents should be jailed? by sgrover · · Score: 0

    Our parents did not wrap us up in a cement box that could not be opened. Therefore they have exposed us to risks of injury, ridicule, embarrassment, death, and many other detrimental things. And a cement box would have stopped it all. They are guilty of negligence for not protecting us. (at some point everyone has to take responsibility for themselves. 2FA may be arguably more secure, but it is NOT an outright protection either - wasn't it just a few months back we saw posts about 2FA being hacked??)

    1. Re: parents should be jailed? by Anonymous Coward · · Score: 0

      Yours should have done that, literally. The human gene pool quality would have been a bit better.

    2. Re:parents should be jailed? by Anonymous Coward · · Score: 0

      "Our parents did not wrap us up in a cement box that could not be opened."
      Instead they put their children into cotton-lined boxes, so that their children are now complaining of cotton-induced allergy...

  7. United third world states of A by Anonymous Coward · · Score: 0

    I understand ./ has become a fucking tabloid for more than a decade, so everything here is a ridiculous exaggeration to generate rage so idiots can become addicted to this crap. After digging a bit on the equifax disaster, I found several blogs that told it in a more reasonable way: equifax is a scam used only by poor & uneducated miserables with no financial culture, or culture of any kind for that matter. It sadly makes sense then that they are so egregious in fucking up their own "customers" and ripping them off again and again. Savvy people do not contract or need anything at equifax, was the impression I got. Is this about the same misery level? ID-protection? How stupid, desperate or ignorant must you be to believe this crap works? The USA are backwards in so many ways that I stopped counting the day the sick buffoon became elected, a year ago. But this level of scam is today illegal in the EU. Data-protection laws are something no scammy bunch of bastards wants to tangle with. Why doesn't the fucking USA have data protection laws like the ones in Europe, instead of ID-protection private companies that are scams? Fuck you america, become a first world country already.

    1. Re: United third world states of A by Brockmire · · Score: 1

      You're an idiot. You didn't have to talk to or pay Equifax for the luxury of having your data stolen. They are a fucking credit bureau. It sounds like you think only these extra protection services were compromised, and you'd be wrong.

  8. Identity Thieves Need Harsher Punishments by Anonymous Coward · · Score: 0

    The current punishments top out at 30 years in prison and that's only for the worst of the worst. Sentences of 5 to 10 years are more typical and that's just not enough. Instead 30 years ought to be the minimum and depending upon the severity it should go up from there to either life without parole or hundreds of years. This crime costs our economy billions of dollars in lost productivity and efforts spent defending against and recovering from these thefts. The punishments meted out to convicted identity thieves should be commensurate with those losses.

  9. PGP Login by Anonymous Coward · · Score: 0

    I'm still waiting to be able to simply upload my public key upon account creation and then have the server on subsequent logins send a challenge, that I decrypt with my private key and send back as authentication. One key to rule them all, only one password needed for all websites, it's 2FA too since key (have) and passphrase (know) and it'd be a general killer feature. So why don't we have it for like the last 20 years??
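
The login this comment asks for, and the public-key 2FA that ctilsie242 wished for earlier in the thread (a stolen server-side credential table should not let anyone generate valid responses), as an added Go example that is not from either commenter: the user enrolls an Ed25519 public key at account creation, the server issues a random single-use nonce, and the client answers with a signature over that nonce bound to the site origin. Signing a server nonce is used in place of the "decrypt a challenge" wording above, because a login key that decrypts whatever the server sends doubles as a decryption oracle for anything else encrypted to it. The origin binding, the `Server` type and the placeholder origin `https://example.test` are assumptions of this example, not a real protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Server keeps one public key per user plus the nonce each user still owes an answer for.
// This is the entire server-side store: leaking it gives an attacker nothing to sign with.
type Server struct {
	origin  string // site identity bound into every challenge
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, keys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll is the "upload my public key at account creation" step.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) {
	s.keys[user] = pub
}

// Challenge issues a fresh 32-byte random nonce; any older unanswered one is discarded.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// challengeMessage binds the origin to the nonce so a response signed for one site is
// worthless at another (the same idea U2F/WebAuthn use against phishing relays).
func challengeMessage(origin string, nonce []byte) []byte {
	return append([]byte("login:"+origin+":"), nonce...)
}

// Respond is the client side: the private key (something you have; a passphrase on the key
// file is the something you know) signs the origin-bound challenge. No secret leaves the client.
func Respond(priv ed25519.PrivateKey, origin string, nonce []byte) []byte {
	return ed25519.Sign(priv, challengeMessage(origin, nonce))
}

// Verify checks the signature against the enrolled public key and consumes the nonce, so a
// captured response cannot be replayed and a nonce the server did not issue is rejected.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	pub, ok := s.keys[user]
	want, issued := s.pending[user]
	if !ok || !issued || subtle.ConstantTimeCompare(want, nonce) != 1 {
		return false
	}
	delete(s.pending, user) // single use, whether or not the signature checks out
	return ed25519.Verify(pub, challengeMessage(s.origin, nonce), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // generated client-side, once
	if err != nil {
		panic(err)
	}
	origin := "https://example.test" // placeholder origin
	s := NewServer(origin)
	s.Enroll("alice", pub)
	nonce, _ := s.Challenge("alice")
	fmt.Println("first response accepted:", s.Verify("alice", nonce, Respond(priv, origin, nonce)))
	fmt.Println("replay accepted:", s.Verify("alice", nonce, Respond(priv, origin, nonce)))
}
```

The contrast with a TOTP seed table is in what `Server` holds: only public keys, so a database dump lets an attacker verify responses but not produce them, whereas a dump of shared TOTP seeds is enough to compute every user's codes. The behaviours worth checking are that a second `Verify` with the same nonce fails, a signature made for another origin fails, and a signature from a key that was never enrolled fails.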

  10. Sounds like they are employing APK security by Anonymous Coward · · Score: 0

    Sounds like these companies learned how to do security from APK and have fully implemented the APK school of computer security.

  11. More on strike forms by fyngyrz · · Score: 1

    From time to time, you'll also see ^W which means "delete previous word."

    I meant to say that^W this.

    On a site that supports more useful HTML than slashdot does such as SoylentNews, you can use the HTML tags <STRIKE> and </STRIKE> or <DEL> and </DEL> to display text with a strike-through line, which is the modern way to express the same idea.

    Here is an example (at the bottom of the page.)

    --
    I've fallen off your lawn, and I can't get up.