Many ID-Protection Services Fail Basic Security

Paul Wagenseil, writing for Tom's Guide: For a monthly fee, identity-protection services promise to do whatever they can to make sure your private personal information doesn't fall into the hands of criminals. Yet many of these services -- including LifeLock, IDShield and Credit Sesame -- put personal information at risk, because they don't let customers use two-factor authentication (2FA). This simple security precaution is offered by many online services. Without 2FA, anyone who has your email address and password -- which might be obtained from a data breach or a phishing email -- could log in to the account for your identity-protection service and, depending on how the service protects them, possibly steal your bank-account, credit-card and Social Security numbers.

Security has no ROI...

[ctilsie242]

Ironic that the companies that are in business to watch people's IDs seem to not care about protecting security themselves with basic account security measures. However, I think this is typical of the computer industry as a whole with "security has no ROI" a mantra sung by the PHBs.

Do these services even work? Once someone applies and gets a credit card, the damage is done... the ID theft service may not be able to do much, because the debt is already signed for and it is up to the victim to press the fraud allegations and do the police reports.

Re:

[Zaelath]

Will a brand new card let you max it the day your application is processed? I'd have thought it's a couple days to get the card in your hands and a "while" before the credit company AI will let buy 11 4K TVs.

IFF these places are as hooked in to the system as they claim, they should have plenty of time to kill the application before it's granted. I think that's a big IFF though.

Re:

[JeffTL]

You can charge to a lot of retail cards immediately - the ones you can open at the wrapstand for an extra discount or a rebate. Department stores have a lot of goods like jewelry, cosmetics, and designer clothes that are easy to liquidate after a perp uses someone else's credit to buy them. They will sometimes do extra verification before a big charge can go through, but someone with a fake driver's license and a credit report would probably be able to bluff his way through it.

Re:

[CaptainDork]

... this is typical of the computer industry as a whole with "security has no ROI" a mantra sung by the PHBs.

Precisely this.

Re:

[FFOMelchior]

> Security has no ROI except that time when it has negative ROI

Then the shareholders/c-levels dump the stock, avoid the majority of the loss for themselves, then move on to the next company to continue skimping as much as they can there. The cycle continues...

Re:

[ctilsie242]

It actually has some ROI. The C-levels find out there was a major breach, dump and short their stock, announce the breach, and walk away with a lot more jingle in their wallet. If the company tanks, they get their golden parachute as well.

Re:

[vtcodger]

"Setup Advanced Protection for Google."

You're kidding, right? Every year or three, Google tweaks its security handling and plunges me into the weird world of Google account settings to sort something or other out before it'll let me see my email. I can't make head nor tail out of much of the stuff there without a lot of research, and probably don't actually understand half the stuff I think I understand.. Neither, I'm quite sure, can 99% of Google users.

Re:

[ctilsie242]

What I'd like to see is a 2FA method that uses public/private keys. Right now, most 2FA authentication methods use a shared secret. This works well, and allows for devices to be completely air-gapped from each other, as ways to authenticate. However, it would be nice if there were a way to do this via public/keys, so if a company's repository of 2FA seeds gets compromised, it doesn't mean the attacker can generate fake 2FA codes to log on, or try them against other sites.

Re:

[viperidaenz]

I applied for a credit card once, it got held up in the mail.

The bank refused to give me the card number to use and said it required activation by bringing the physical card in to a branch before it would work.

Re:Security has no ROI...

[nnull]

That's because we have a culture and society that doesn't value privacy or security. Take for example European countries who have a higher value in privacy that security companies actually flourish there, because more people on average care about security and testing for flaws.

Meanwhile, the only security companies that flourish in the US are security camera installers who install completely open to the internet security cameras for everyone (Because it's easier to just leave the firewall open to the internet for the client, who cares? Job is done, got payed! Client is happy to be able to watch their place on their phone and forgets about all that secured network nonsense.). There's definitely zero risk assessment being done at many companies.

Ten cents per login

[tepples]

Another problem is sites that send SMS for every login attempt even for users who have a TOTP app set up as a second factor. This policy, adopted by Twitter [mashable.com] among others, hurts users who choose TOTP because the user A. carries a tablet but not a cell phone, B. lives in North America and carries a cell phone on a pay-as-you-go plan (which costs less per month than an unlimited plan) and therefore pays for each incoming text message, or C. wants to reduce exposure to the vulnerabilities of SMS [techcrunch.com]: exploiting kno

Re:

[stephanruby]

Google used to require SMS for 2FA but now appears to allow authentication using an Android device logged into Google Play Services.

You're completely incorrect.

Google already had it and was even allowing you to port their code to your own TOPT 2-factor authentication client (in addition to HOPT) to use with their service since 2010!

That's right, 2010. That is not a typo. At the time, the official RFC was still being drafted.

Here is the PROOF:

https://web.archive.org/web/20100915000000*/http://code.google.com/p/google-authenticator/ [archive.org]

Re:

[tepples]

Downloading Google Authenticator did not and does not require SMS. But associating Google Authenticator with a particular Google Account requires the account's owner to have set up 2FA through SMS on that Google Account. From the instructions [google.com]:

Set up the app

1. If you haven’t already, turn on 2-Step Verification for your account using your phone number.

Only the other 2FA method that uses Google Play Services instead of the Google Authenticator app [google.com] can be added without first adding a phone number.

Re:

[stephanruby]

Is that an admission that you were wrong? Or are you just moving the goalposts? [logicallyfallacious.com]

Because Google requiring a cell phone number with a working SMS for an initial set up, which can be changed afterward to TOPT, HOPT, or a recovery email address (all of which Google allowed you to do in 2010 from pretty much any platform by providing the source code, even before the RFC for TOPT was officially out of draft) seems to be a very far cry from what you initially wrote:

Another problem is sites that send SMS for every login attempt even for users who have a TOTP app set up as a second factor.
[...]
Google used to require SMS for 2FA but now appears to allow authentication using an Android device logged into Google Play Services.

In fact, I would argue that Google was a pioneer i

Re:

[tepples]

My first paragraph was about Twitter, not Google. I did not intend to lump Google and Twitter into the same category. To the extent that my comment can be read as doing so, I apologize for not having made the distinction more clearly. I have no experience with SMS-based 2FA on Google to see whether or not it continues to send SMS even after TOTP has been set up, having only used the Google Play Services-based 2FA once I was made aware that it was available.

Re:

[stephanruby]

I have no experience with SMS-based 2FA on Google to see whether or not it continues to send SMS even after TOTP has been set up...

Once your phone number has been confirmed (to avoid spambots from creating new accounts), you enter your email address and corresponding password. And once that email address/password combo is deemed correct, it gives you the choice of which 2nd-factor method you want to use. And no, if you don't choose the SMS option, you won't get the code through SMS. I swear to you that's how it works. In fact, the next time you use 2FA, just click on the little black triangle next to your default method of authenticati

Re:

[stephanruby]

But some companies that offer 2FA appear to just not care

I'm not going to defend Twitter. If that's what they're doing, then they're idiots.

But I drive for Lyft (I used to drive for Uber). Lyft forces SMS 2FA for almost everything (but Uber doesn't, honestly, I'm not sure what Uber does from the consumer's perspective). And I believe that frequent SMS 2FA verification is a huge plus for Lyft.

As a driver, I need to have a valid cell phone number to SMS or call when I pick up someone. Data works, but not always. For instance, if someone's phone inadvertently connec

Equifax already ...

[CaptainDork]

... provided that feature. [fortune.com]

The Equifax Hack Exposed More Data Than Previously Reported

Post-Experian: Endless whack-a-mole

[Rick Schumann]

130+ million horses have already left the barn, and they doused it with gasoline and threw in a lit match on the way out (THANKS, EXPERIAN!). Frankly I'm surprised there hasn't been hundreds of thousands of cases of identity theft so far from this. As the subject line alludes to, I have little faith in any 'identity protection' service being able to do much of anything for anyone at this point in time, and how you log into their 'service' is probably the least of your worries. The mere fact that I haven't seen evidence of mass identity theft cases actually makes me more worried than if there had been, I've go no idea what these thieves are up to with all that very-much-personal data.

Re:

[Rick Schumann]

LOL, yeah, I do mean Equifax. They're all bastards, though, easy to confuse one for the other. ;-)

Re:

[Rick Schumann]

Oh, shut it. xD

Re:

[fyngyrz]

You have to admit that "LifeLock" is well-named. They have you locked up, all right.

Re: LifeLock is backed by Equifax

[Brockmire]

Can someone explain this ^H^H^H shit I see on Slashdot? I keep seeing and seems to have no useful purpose. Thanks

Re: LifeLock is backed by Equifax

[Brockmire]

Thanks. That makes me feel younger than I am. To the other user, I'm a nano simpleton.

More on strike forms

[fyngyrz]

From time to time, you'll also see ^W which means "delete previous word."

I meant to say that^W this.

On a site that supports more useful HTML than slashdot does such as SoylentNews [soylentnews.org], you can use the HTML tags <STRIKE> and </STRIKE> or <DEL> and </DEL> to display text with a strike-through line, which is the modern way to express the same idea.

Here is an example [soylentnews.org] (at the bottom of the page.)

parents should be jailed?

[sgrover]

Our parents did not wrap us up in an cement box that could not be opened. Therefore they have exposed us to risks of injury, ridicule, embarrassment, death, and many other detrimental things. And a cement box would have stopped it all. They are guilty of negligence for not protecting us. (at some point everyone has to take responsibility for themselves. 2FA may be arguably more secure, but it is NOT an outright protection either - wasn't it just a few months back we saw posts about 2FA being hacked??)

Re: United third world states of A

[Brockmire]

You're an idiot. You didn't have to talk to or pay Equifax for the luxury of having your data stolen. They are a fucking credit bureau. It sounds like you think only these extra protection services were compromised, and you'd be wrong.