Slashdot Mirror

← Back to Stories (view on slashdot.org)

Many ID-Protection Services Fail Basic Security (tomsguide.com)

Posted by msmash on from the security-woes dept.

Paul Wagenseil, writing for Tom's Guide: For a monthly fee, identity-protection services promise to do whatever they can to make sure your private personal information doesn't fall into the hands of criminals. Yet many of these services -- including LifeLock, IDShield and Credit Sesame -- put personal information at risk, because they don't let customers use two-factor authentication (2FA). This simple security precaution is offered by many online services. Without 2FA, anyone who has your email address and password -- which might be obtained from a data breach or a phishing email -- could log in to the account for your identity-protection service and, depending on how the service protects them, possibly steal your bank-account, credit-card and Social Security numbers.

24 of 47 comments (clear)

  1. Security has no ROI... by ctilsie242 · · Score: 4, Interesting

    Ironic that the companies that are in business to watch people's IDs seem to not care about protecting security themselves with basic account security measures. However, I think this is typical of the computer industry as a whole with "security has no ROI" a mantra sung by the PHBs.

    Do these services even work? Once someone applies and gets a credit card, the damage is done... the ID theft service may not be able to do much, because the debt is already signed for and it is up to the victim to press the fraud allegations and do the police reports.

    1. Re:Security has no ROI... by Zaelath · · Score: 1

      Will a brand new card let you max it the day your application is processed? I'd have thought it's a couple days to get the card in your hands and a "while" before the credit company AI will let buy 11 4K TVs.

      IFF these places are as hooked in to the system as they claim, they should have plenty of time to kill the application before it's granted. I think that's a big IFF though.

    2. Re:Security has no ROI... by CaptainDork · · Score: 1

      ... this is typical of the computer industry as a whole with "security has no ROI" a mantra sung by the PHBs.

      Precisely this.

      --
      It little behooves the best of us to comment on the rest of us.
    3. Re:Security has no ROI... by viperidaenz · · Score: 1

      I applied for a credit card once, it got held up in the mail.

      The bank refused to give me the card number to use and said it required activation by bringing the physical card in to a branch before it would work.

    4. Re:Security has no ROI... by JeffTL · · Score: 1

      You can charge to a lot of retail cards immediately - the ones you can open at the wrapstand for an extra discount or a rebate. Department stores have a lot of goods like jewelry, cosmetics, and designer clothes that are easy to liquidate after a perp uses someone else's credit to buy them. They will sometimes do extra verification before a big charge can go through, but someone with a fake driver's license and a credit report would probably be able to bluff his way through it.

    5. Re:Security has no ROI... by nnull · · Score: 3, Interesting

      That's because we have a culture and society that doesn't value privacy or security. Take for example European countries who have a higher value in privacy that security companies actually flourish there, because more people on average care about security and testing for flaws.

      Meanwhile, the only security companies that flourish in the US are security camera installers who install completely open to the internet security cameras for everyone (Because it's easier to just leave the firewall open to the internet for the client, who cares? Job is done, got payed! Client is happy to be able to watch their place on their phone and forgets about all that secured network nonsense.). There's definitely zero risk assessment being done at many companies.

    6. Re:Security has no ROI... by vtcodger · · Score: 1

      "Setup Advanced Protection for Google."

      You're kidding, right? Every year or three, Google tweaks its security handling and plunges me into the weird world of Google account settings to sort something or other out before it'll let me see my email. I can't make head nor tail out of much of the stuff there without a lot of research, and probably don't actually understand half the stuff I think I understand.. Neither, I'm quite sure, can 99% of Google users.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    7. Re:Security has no ROI... by ctilsie242 · · Score: 1

      It actually has some ROI. The C-levels find out there was a major breach, dump and short their stock, announce the breach, and walk away with a lot more jingle in their wallet. If the company tanks, they get their golden parachute as well.

    8. Re:Security has no ROI... by ctilsie242 · · Score: 1

      What I'd like to see is a 2FA method that uses public/private keys. Right now, most 2FA authentication methods use a shared secret. This works well, and allows for devices to be completely air-gapped from each other, as ways to authenticate. However, it would be nice if there were a way to do this via public/keys, so if a company's repository of 2FA seeds gets compromised, it doesn't mean the attacker can generate fake 2FA codes to log on, or try them against other sites.

  2. Ten cents per login by tepples · · Score: 1

    Another problem is sites that send SMS for every login attempt even for users who have a TOTP app set up as a second factor. This policy, adopted by Twitter among others, hurts users who choose TOTP because the user A. carries a tablet but not a cell phone, B. lives in North America and carries a cell phone on a pay-as-you-go plan (which costs less per month than an unlimited plan) and therefore pays for each incoming text message, or C. wants to reduce exposure to the vulnerabilities of SMS: exploiting known SS7 protocol security problems or social engineering the user's cellular carrier into issuing a replacement. But some companies that offer 2FA appear to just not care.

    The following approach approach fixes cases A and B:

    1. Enter username
    2. Enter password
    3. A form with a field for a number from a TOTP app and a button "Send a text message instead"

    Google used to require SMS for 2FA but now appears to allow authentication using an Android device logged into Google Play Services.

    1. Re:Ten cents per login by stephanruby · · Score: 1

      Google used to require SMS for 2FA but now appears to allow authentication using an Android device logged into Google Play Services.

      You're completely incorrect.

      Google already had it and was even allowing you to port their code to your own TOPT 2-factor authentication client (in addition to HOPT) to use with their service since 2010!

      That's right, 2010. That is not a typo. At the time, the official RFC was still being drafted.

      Here is the PROOF:

      https://web.archive.org/web/20100915000000*/http://code.google.com/p/google-authenticator/

    2. Re:Ten cents per login by tepples · · Score: 1

      Downloading Google Authenticator did not and does not require SMS. But associating Google Authenticator with a particular Google Account requires the account's owner to have set up 2FA through SMS on that Google Account. From the instructions:

      Set up the app

      1. If you haven’t already, turn on 2-Step Verification for your account using your phone number.

      Only the other 2FA method that uses Google Play Services instead of the Google Authenticator app can be added without first adding a phone number.

    3. Re:Ten cents per login by stephanruby · · Score: 1

      But some companies that offer 2FA appear to just not care

      I'm not going to defend Twitter. If that's what they're doing, then they're idiots.

      But I drive for Lyft (I used to drive for Uber). Lyft forces SMS 2FA for almost everything (but Uber doesn't, honestly, I'm not sure what Uber does from the consumer's perspective). And I believe that frequent SMS 2FA verification is a huge plus for Lyft.

      As a driver, I need to have a valid cell phone number to SMS or call when I pick up someone. Data works, but not always. For instance, if someone's phone inadvertently connects to a Starbucks free hotspot but the user doesn't sign in, the data wouldn't be working. Or let's say, the user's cell provider gets too congested for some reason and they throttle his data connection, then that could mean a serious delay in that person getting the update that I'm parked in front and that I'm waiting for him/her.

      So the solution is to use both data and sms when notifying a passenger that the car is there. And that's what Lyft does. And for that to work, that's why Lyft requires SMS 2FA frequently. It makes things so much easier and so much less stressful for the driver that way.

      Of course, if you're traveling and only using a wifi tablet to call a car, then you're not going to like Lyft (you'll use Uber instead). And as a Lyft driver, I actually don't have a problem with that. And for other non-taxi/non-delivery apps using SMS-only 2FA, then they're just being stupid (probably for the sake of gaining as much accurate advertising data as possible). Consumers need to call them out on it.

    4. Re:Ten cents per login by stephanruby · · Score: 1

      Is that an admission that you were wrong? Or are you just moving the goalposts?

      Because Google requiring a cell phone number with a working SMS for an initial set up, which can be changed afterward to TOPT, HOPT, or a recovery email address (all of which Google allowed you to do in 2010 from pretty much any platform by providing the source code, even before the RFC for TOPT was officially out of draft) seems to be a very far cry from what you initially wrote:

      Another problem is sites that send SMS for every login attempt even for users who have a TOTP app set up as a second factor.
      [...]
      Google used to require SMS for 2FA but now appears to allow authentication using an Android device logged into Google Play Services.

      In fact, I would argue that Google was a pioneer in providing this kind of convenience with 2FA. And it should be applauded for doing that, and not be put in the same category as Twitter for not even supporting that feature in the first place.

    5. Re:Ten cents per login by tepples · · Score: 1

      My first paragraph was about Twitter, not Google. I did not intend to lump Google and Twitter into the same category. To the extent that my comment can be read as doing so, I apologize for not having made the distinction more clearly. I have no experience with SMS-based 2FA on Google to see whether or not it continues to send SMS even after TOTP has been set up, having only used the Google Play Services-based 2FA once I was made aware that it was available.

    6. Re:Ten cents per login by stephanruby · · Score: 1

      I have no experience with SMS-based 2FA on Google to see whether or not it continues to send SMS even after TOTP has been set up...

      Once your phone number has been confirmed (to avoid spambots from creating new accounts), you enter your email address and corresponding password. And once that email address/password combo is deemed correct, it gives you the choice of which 2nd-factor method you want to use. And no, if you don't choose the SMS option, you won't get the code through SMS. I swear to you that's how it works. In fact, the next time you use 2FA, just click on the little black triangle next to your default method of authentication, and you'll be given a bunch of choices (this is in case you ever put your phone's sim card into a non-Android phone, or in case you don't have your phone/tablet on you).

      That kind of outdated information about SMS came mostly from pissed off Apple fanboys that were upset that Android users told them that it didn't matter how secure their iphone/iPad/Macbook were if their iCloud/Apple account didn't even have 2-factor authentication in the first place.

  3. Equifax already ... by CaptainDork · · Score: 1

    ... provided that feature.

    The Equifax Hack Exposed More Data Than Previously Reported

    --
    It little behooves the best of us to comment on the rest of us.
  4. Post-Experian: Endless whack-a-mole by Rick+Schumann · · Score: 4, Insightful

    130+ million horses have already left the barn, and they doused it with gasoline and threw in a lit match on the way out (THANKS, EXPERIAN!). Frankly I'm surprised there hasn't been hundreds of thousands of cases of identity theft so far from this. As the subject line alludes to, I have little faith in any 'identity protection' service being able to do much of anything for anyone at this point in time, and how you log into their 'service' is probably the least of your worries. The mere fact that I haven't seen evidence of mass identity theft cases actually makes me more worried than if there had been, I've go no idea what these thieves are up to with all that very-much-personal data.

    1. Re:Post-Experian: Endless whack-a-mole by Rick+Schumann · · Score: 2

      LOL, yeah, I do mean Equifax. They're all bastards, though, easy to confuse one for the other. ;-)

    2. Re:Post-Experian: Endless whack-a-mole by Rick+Schumann · · Score: 1

      Oh, shut it. xD

  5. Re: LifeLock is backed by Equifax by Brockmire · · Score: 1

    Can someone explain this ^H^H^H shit I see on Slashdot? I keep seeing and seems to have no useful purpose. Thanks

  6. Re: United third world states of A by Brockmire · · Score: 1

    You're an idiot. You didn't have to talk to or pay Equifax for the luxury of having your data stolen. They are a fucking credit bureau. It sounds like you think only these extra protection services were compromised, and you'd be wrong.

  7. Re: LifeLock is backed by Equifax by Brockmire · · Score: 1

    Thanks. That makes me feel younger than I am. To the other user, I'm a nano simpleton.

  8. More on strike forms by fyngyrz · · Score: 1

    From time to time, you'll also see ^W which means "delete previous word."

    I meant to say that^W this.

    On a site that supports more useful HTML than slashdot does such as SoylentNews, you can use the HTML tags <STRIKE> and </STRIKE> or <DEL> and </DEL> to display text with a strike-through line, which is the modern way to express the same idea.

    Here is an example (at the bottom of the page.)

    --
    I've fallen off your lawn, and I can't get up.