Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Security Privacy

Many ID-Protection Services Fail Basic Security (tomsguide.com) 47

Paul Wagenseil, writing for Tom's Guide: For a monthly fee, identity-protection services promise to do whatever they can to make sure your private personal information doesn't fall into the hands of criminals. Yet many of these services -- including LifeLock, IDShield and Credit Sesame -- put personal information at risk, because they don't let customers use two-factor authentication (2FA). This simple security precaution is offered by many online services. Without 2FA, anyone who has your email address and password -- which might be obtained from a data breach or a phishing email -- could log in to the account for your identity-protection service and, depending on how the service protects them, possibly steal your bank-account, credit-card and Social Security numbers.
This discussion has been archived. No new comments can be posted.

Many ID-Protection Services Fail Basic Security

Comments Filter:
  • by ctilsie242 ( 4841247 ) on Tuesday February 13, 2018 @06:24PM (#56118659)

    Ironic that the companies that are in business to watch people's IDs seem to not care about protecting security themselves with basic account security measures. However, I think this is typical of the computer industry as a whole with "security has no ROI" a mantra sung by the PHBs.

    Do these services even work? Once someone applies and gets a credit card, the damage is done... the ID theft service may not be able to do much, because the debt is already signed for and it is up to the victim to press the fraud allegations and do the police reports.

    • Will a brand new card let you max it the day your application is processed? I'd have thought it's a couple days to get the card in your hands and a "while" before the credit company AI will let buy 11 4K TVs.

      IFF these places are as hooked in to the system as they claim, they should have plenty of time to kill the application before it's granted. I think that's a big IFF though.

      • by JeffTL ( 667728 )
        You can charge to a lot of retail cards immediately - the ones you can open at the wrapstand for an extra discount or a rebate. Department stores have a lot of goods like jewelry, cosmetics, and designer clothes that are easy to liquidate after a perp uses someone else's credit to buy them. They will sometimes do extra verification before a big charge can go through, but someone with a fake driver's license and a credit report would probably be able to bluff his way through it.
    • ... this is typical of the computer industry as a whole with "security has no ROI" a mantra sung by the PHBs.

      Precisely this.

    • I applied for a credit card once, it got held up in the mail.

      The bank refused to give me the card number to use and said it required activation by bringing the physical card in to a branch before it would work.

    • by nnull ( 1148259 ) on Wednesday February 14, 2018 @03:30AM (#56120655)

      That's because we have a culture and society that doesn't value privacy or security. Take for example European countries who have a higher value in privacy that security companies actually flourish there, because more people on average care about security and testing for flaws.

      Meanwhile, the only security companies that flourish in the US are security camera installers who install completely open to the internet security cameras for everyone (Because it's easier to just leave the firewall open to the internet for the client, who cares? Job is done, got payed! Client is happy to be able to watch their place on their phone and forgets about all that secured network nonsense.). There's definitely zero risk assessment being done at many companies.

  • Another problem is sites that send SMS for every login attempt even for users who have a TOTP app set up as a second factor. This policy, adopted by Twitter [mashable.com] among others, hurts users who choose TOTP because the user A. carries a tablet but not a cell phone, B. lives in North America and carries a cell phone on a pay-as-you-go plan (which costs less per month than an unlimited plan) and therefore pays for each incoming text message, or C. wants to reduce exposure to the vulnerabilities of SMS [techcrunch.com]: exploiting kno

    • Google used to require SMS for 2FA but now appears to allow authentication using an Android device logged into Google Play Services.

      You're completely incorrect.

      Google already had it and was even allowing you to port their code to your own TOPT 2-factor authentication client (in addition to HOPT) to use with their service since 2010!

      That's right, 2010. That is not a typo. At the time, the official RFC was still being drafted.

      Here is the PROOF:

      https://web.archive.org/web/20100915000000*/http://code.google.com/p/google-authenticator/ [archive.org]

      • by tepples ( 727027 )

        Downloading Google Authenticator did not and does not require SMS. But associating Google Authenticator with a particular Google Account requires the account's owner to have set up 2FA through SMS on that Google Account. From the instructions [google.com]:

        Set up the app

        1. If you haven’t already, turn on 2-Step Verification for your account using your phone number.

        Only the other 2FA method that uses Google Play Services instead of the Google Authenticator app [google.com] can be added without first adding a phone number.

        • Is that an admission that you were wrong? Or are you just moving the goalposts? [logicallyfallacious.com]

          Because Google requiring a cell phone number with a working SMS for an initial set up, which can be changed afterward to TOPT, HOPT, or a recovery email address (all of which Google allowed you to do in 2010 from pretty much any platform by providing the source code, even before the RFC for TOPT was officially out of draft) seems to be a very far cry from what you initially wrote:

          Another problem is sites that send SMS for every login attempt even for users who have a TOTP app set up as a second factor.
          [...]
          Google used to require SMS for 2FA but now appears to allow authentication using an Android device logged into Google Play Services.

          In fact, I would argue that Google was a pioneer i

          • by tepples ( 727027 )

            My first paragraph was about Twitter, not Google. I did not intend to lump Google and Twitter into the same category. To the extent that my comment can be read as doing so, I apologize for not having made the distinction more clearly. I have no experience with SMS-based 2FA on Google to see whether or not it continues to send SMS even after TOTP has been set up, having only used the Google Play Services-based 2FA once I was made aware that it was available.

            • I have no experience with SMS-based 2FA on Google to see whether or not it continues to send SMS even after TOTP has been set up...

              Once your phone number has been confirmed (to avoid spambots from creating new accounts), you enter your email address and corresponding password. And once that email address/password combo is deemed correct, it gives you the choice of which 2nd-factor method you want to use. And no, if you don't choose the SMS option, you won't get the code through SMS. I swear to you that's how it works. In fact, the next time you use 2FA, just click on the little black triangle next to your default method of authenticati

    • But some companies that offer 2FA appear to just not care

      I'm not going to defend Twitter. If that's what they're doing, then they're idiots.

      But I drive for Lyft (I used to drive for Uber). Lyft forces SMS 2FA for almost everything (but Uber doesn't, honestly, I'm not sure what Uber does from the consumer's perspective). And I believe that frequent SMS 2FA verification is a huge plus for Lyft.

      As a driver, I need to have a valid cell phone number to SMS or call when I pick up someone. Data works, but not always. For instance, if someone's phone inadvertently connec

  • ... provided that feature. [fortune.com]

    The Equifax Hack Exposed More Data Than Previously Reported

  • by Rick Schumann ( 4662797 ) on Tuesday February 13, 2018 @06:38PM (#56118743) Journal
    130+ million horses have already left the barn, and they doused it with gasoline and threw in a lit match on the way out (THANKS, EXPERIAN!). Frankly I'm surprised there hasn't been hundreds of thousands of cases of identity theft so far from this. As the subject line alludes to, I have little faith in any 'identity protection' service being able to do much of anything for anyone at this point in time, and how you log into their 'service' is probably the least of your worries. The mere fact that I haven't seen evidence of mass identity theft cases actually makes me more worried than if there had been, I've go no idea what these thieves are up to with all that very-much-personal data.
  • Our parents did not wrap us up in an cement box that could not be opened. Therefore they have exposed us to risks of injury, ridicule, embarrassment, death, and many other detrimental things. And a cement box would have stopped it all. They are guilty of negligence for not protecting us. (at some point everyone has to take responsibility for themselves. 2FA may be arguably more secure, but it is NOT an outright protection either - wasn't it just a few months back we saw posts about 2FA being hacked??)

Forty two.

Working...