Lifelock Worries After Employee Data Leaked To Web
itwbennett writes "Last week, Phoenix New Times reporter Ray Stein revealed that LifeLock CEO Todd Davis (who famously published his Social Security number in LifeLock ads) had been the victim of identity theft at least 13 times. This week, LifeLock made it clear that it's not so cavalier with its employees' personal data. The company asked the New Times to remove from its website a police report containing a redacted Social Security number, date of birth, address, and phone number of Lifelock employee Tamika Jones. In an interview, Stein said that the fact that LifeLock had to call and ask for the document to be removed reflected badly on Lifelock's service. 'I think this shows clearly that they know that it's got potential problems.'"
Really now? (Score:5, Interesting)
Ya, You Betcha (Score:3, Interesting)
What it shows clearly is that Lifelock is worthless, except at taking money from morons.
If you really want protection (Score:5, Interesting)
EQUIFAX Online Help: How to place a security freeze [equifax.com]
Experian Online Help: Security Freeze [experian.com]
TransUnion Personal: Security Freeze [transunion.com]
Problem solved, and you're not paying $9.95 a month for a service you can easily perform yourself that is far more effective than what any of these supposed "Identity protection" companies offer.
Re:Really now? (Score:2, Interesting)
However, on the flipside, there are privacy issues with giving personally identifiable data to a prime hacking target (like a major lending institution.)
In order for them to validate a session as a legitimate person, they need personally identifiable data on that person. That means that they are warehousing such data, and in addition to being a target for wire fraud directly, they also become a target for identity thieves of the highest order.
Knowing a little bit about data security (and security in general), there is NO SUCH THING as a perfectly secure system. Even an inoperable computer encased in 5 feet of concrete is not "Secure", since a jackhammer can grant access. You just have to be patient, and diligent.
Thus, it is not a question of *IF* such a breach will occur, but WHEN. I am reminded of the "Malware on "Update" CD sent to a bank" covert security test last year. There are any number of ways that a bank could be compromised, and the data distributed. Unlike a password, or a username, or even a SSN, there is no way to change your mother's maiden name, etc.
Really, online banking is a very terrible idea. That's why I don't engage in it.
Identity theft will continue to be a problem as long as the internet is used to facilitate banking. The incentive to steal an identity and get rich quick at some poor SOB's expense (especially in a foreign country where the target's currency is "Hyper valued") will ensure that this is always so.
I might be a bit of a paranoid crank, but from where I sit, there is
1) Incentive
2) Opportunity
and therefore
3) profit
and as long as the first two hold true, the last one will always exist as well. Should it become not worth the time, or should there be a major financial breakage where nobody has money that's worth a shit-- then 1) will go away. I suggest the far less deleterious 2) be removed-- Remove hacker opportunity to steal that data, by not having that data on public networks to begin with; EG, no online banking.
IMHO, Banks should use a dedicated, private network that does NOT have ANY endpoints connected to the public internet for just this reason.
Really, it's like having the door to your "Super sensitive, mission critical server room" outside in the public lobby, next to the bathroom. The only thing keeping people out is the lock on the door. I don't think it unreasonable to say that this is far from ideal from a security standpoint, and that a better solution is to have that door deeper in your company, well entrenched in the "employees only" section of the building.
The reason why wire fraud, and identity theft are so prevalent, is because the opportunity part of the equation is running wild, in the name of "Convenience"-- Sure, online banking is very convenient, I am sure. It's also very convenient for the people that want to spend your money for you illicitly. It's also very convenient to dispose of toxic chemicals in a ditch somewhere too.
Sadly, people never seem to learn the intrinsic lesson here-- "Convenience" is not a justifiable reason to trump sensibility. EVER.
A simple mnemonic to think of when contemplating using the internet for something: Would you trust handing that data to a total stranger on the street?
If the answer is no, then under no circumstances should you use the internet for that purpose. It's just that simple.
Re:Really now? (Score:5, Interesting)
I opened a bank in a foreign country. They take and hash your password as you give it to them. The password is never known by anyone there, can't be retrieved and will never be seen. It's up to me to make sure I don't use it on an infected system. If it gets out, I'm pretty much on the hook for whatever is in my account when someone wipes it out. That password is worth thousands of dollars. You make sure it's secure, and you treat it as such.
The fraud levels in the US are some of the highest in the world, and it's because the banks don't care. They make enough with the fraud and aren't held responsible for the actual harm they cause people when they put inaccurate information on credit reports.
Let someone sue when there's an inaccuracy on their credit report (with the burden being on the person who put it there to prove it's accurate) and you'll see that crap stopped pretty quick. Make the banks pay an "oops" fee of $100 to their customers when the banks take out money because of a fraudulent transaction the customer couldn't have prevented. Hold the banks responsible for the damage they are causing through "identity theft" (which is nothing more than lax security blamed on their customers when the banks have the ability to stop nearly all identity theft). When that's done, then fraud will drop and identity theft will be gone except for the few cases where couples pretend to be the other to wipe out an account as part of a breakup.
Re:Really now? (Score:3, Interesting)
I think your heart is in the right place, but I'm not sure your ideas make sense?
I opened a bank in a foreign country. They take and hash your password as you give it to them. The password is never known by anyone there, can't be retrieved and will never be seen. It's up to me to make sure I don't use it on an infected system. If it gets out, I'm pretty much on the hook for whatever is in my account when someone wipes it out. That password is worth thousands of dollars. You make sure it's secure, and you treat it as such.
God, I hope most banks don't rely on such weak security? The bank where I have my business account gave me a security token that I've got to use in addition to a username/password to login. Before I do anything major like account transfers or wires, I've got to use the security token again. Interactive Brokers trading offers security tokens as well though I haven't used theirs--I have a lookup page from them that serves the same function though.
Admittedly my personal banks do not use a security token, otp, etc. Most of them DO require usage of a pin code or csv code off a credit card/bank card before you can make account changes.
If freaking Blizzard can release a battle.net mobile authenticator for iphone/blackberry/etc, banks certainly should be able to. It's annoying.
The fraud levels in the US are some of the highest in the world, and it's because the banks don't care.
Are they really?
Let someone sue when there's an inaccuracy on their credit report (with the burden being on the person who put it there to prove it's accurate) and you'll see that crap stopped pretty quick.
Uh, really? You CAN sue, and it happens (google). First of all, you have a clear set of rights as laid out under the Fair Credit Reporting Act (it's been amended and updated, but is NOT new). If you're not familiar with your legally protected rights and options, take a look at it, I think you might not be quite as disgruntled. Your rights include the credit report companies being REQUIRED to give you a written explanation (or fixing the error) when you notify them of a mistake. And so on. If they ignore you, they get in trouble.
There are plenty of types of identity theft that are not the customer's fault, nor should the bank be able to catch.
Make the banks pay an "oops" fee of $100 to their customers when the banks take out money because of a fraudulent transaction the customer couldn't have prevented.
That would be awesome. I'd set up an arrangement where my friends would steal my identity. They'd give whatever they got back to me, and we'd split the $100. Nobody would possibly take advantage of that system!
Hold the banks responsible for the damage they are causing through "identity theft" (which is nothing more than lax security blamed on their customers when the banks have the ability to stop nearly all identity theft). When that's done, then fraud will drop and identity theft will be gone except for the few cases where couples pretend to be the other to wipe out an account as part of a breakup
It's your statement here that makes me think maybe you're missing what exactly identity theft is? It doesn't HAVE to be because of "lax security" at a bank. That's certainly a problem, yes, but not by any means the sole cause! Instead of thinking about it as "identity theft" think of it as impersonating somebody else. My wife's family was hit by identity theft when a piano teacher's trash was gone through by a criminal. Inside the trash was a ripped up and voided check. Who's liable in this situation? Between going through trash, malware, malware, professional hacking rings, weak security from VENDORS, public records, giving too much data to vendors/organizations/etc, there is a LOT of information out there. Not even getting into social engineering...
Identity theft is going to be a problem as long as the
Re:Really now? (Score:3, Interesting)
What I have for my British Nationwide [nationwide.co.uk] account (a building society rather than a bank, but that's mainly semantics) is a small, calculator-lookalike card-reader that takes my ATM card and PIN and is used to sign any transactions or other significant operations involving money.
Say I want to transfer money to a non-Nationwide account, I have to:
Login by entering my customer number, passphrase and three randomly selected digits of a secret six-digit code,
Set up the transfer, put my ATM card (with chip) into the card-reader and enter my PIN.
Press 'Sign', enter the reference (typically the account number), press OK, enter the amount of money being transferred, press OK and then type the eight-digit code it gives me into the online banking service to authorise the transfer.
It's still vulnerable to man-in-the-middle attacks, but someone would have to be a bit thick to wonder why what appears to be their online banking service suddenly wants them to transfer lots of money somewhere.
Also, yes, it takes forever to do anything.
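Added example, not part of the comment above and not Nationwide's actual algorithm: a minimal Python model of the transaction signing just described, showing why keying the reference and amount into the reader matters. HMAC-SHA256, the shared key, the counter with its acceptance window, and the account numbers are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed per-card secret (assumption): shared by the card's chip and the bank.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def transfer_code(key: bytes, counter: int, reference: str, amount_pence: int) -> str:
    """Eight-digit code bound to the counter, the reference and the amount."""
    msg = f"{counter}|{reference}|{amount_pence}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Truncated to eight decimal digits because the user types it by hand.
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"

class CardReader:
    """Stand-in for card plus reader: signs what the user keys in."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def sign(self, reference: str, amount_pence: int) -> str:
        code = transfer_code(self.key, self.counter, reference, amount_pence)
        self.counter += 1  # every code is single-use
        return code

class Bank:
    """Recomputes the code from the transfer it was actually asked to execute."""
    WINDOW = 3  # tolerate a few codes generated but never submitted

    def __init__(self, key: bytes):
        self.key, self.next_counter = key, 0

    def authorise(self, reference: str, amount_pence: int, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.WINDOW):
            expected = transfer_code(self.key, c, reference, amount_pence)
            if hmac.compare_digest(expected, code):
                self.next_counter = c + 1  # older codes can no longer be replayed
                return True
        return False

def demo():
    reader, bank = CardReader(CARD_KEY), Bank(CARD_KEY)
    code = reader.sign("12345678", 25_000)  # constructed account number and amount
    altered = bank.authorise("87654321", 900_000, code)  # details changed in transit
    genuine = bank.authorise("12345678", 25_000, code)
    replayed = bank.authorise("12345678", 25_000, code)
    return altered, genuine, replayed

if __name__ == "__main__":
    print(demo())
```

The code only authorises the exact reference and amount that were typed into the reader, so the remaining exposure is the one the comment names: a user persuaded to key in someone else's details.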
Re:Really now? (Score:3, Interesting)
Most of Europe has something like this, either a keyfob, or a TAN list.
However, it is a rare sight for an American bank to offer much if anything more than username/password protection. You might find a bank that asks a question from your challenge/response list, or asks you to select the answer on a random list, where the text is a bitmap (to help foil malware that doesn't have an OCR engine.) Anything more than that, good luck.
What is ironic is that Blizzard offers a keyfob and/or an app for the iPhone and Android. Why can't banks here in the US protect their customers more than a game company protects theirs?
Re:No different than the DNC registry (Score:5, Interesting)
With fraud alerts, banks/lenders/etc are recommended to do some verification work, but they aren't *required* to do so. Some institutions might skip the verification and thus allow more ID theft to go on. Better to freeze your credit entirely. It costs some money to place, thaw and remove (how much depends on your state and whether or not you've been a victim of ID theft), but it is definitely worthwhile. As a bonus, since credit card companies can't see your credit information, they won't "pre-approve" you for credit cards and send those blank forms which then need to be shredded lest some ID thief steal them.
Of course, the credit agencies hate security freezes. They want you to place fraud alerts because they can still sell your credit information and you can still sign up for store credit cards on the fly. That's why their lobbyists will fight any bill that promises to make security freezes less expensive or easier to obtain.
Re:No different than the DNC registry (Score:3, Interesting)
Re:No different than the DNC registry (Score:3, Interesting)
Do I get mega-win for being the first commenter (as 'BootyFooz') in the original article [phoenixnewtimes.com] to point out the flawed PDF 'blackouts', revealing SSN, driver's license, and DOB info for both the CEO and the other Lifelock employee?!
The Lifelock thing is clearly a scam founded by a guy who was already lifetime-banned from the credit repair industry. The only thing they did was use robo-dialers to call one credit reporting agency to set fraud alerts on subscribers' credit reports, and when the credit reporting agency stopped them from doing that, they now have no service at all except a false promise with a false $1 million guarantee. They had $12 million in liquid assets once, but a government fine completely cleaned out their bank accounts (yet allowed them to stay in business), so they couldn't even pay this guarantee even though their fine print says they really don't have to pay it anyway.