I'm not sure what to make of the service, and I'm not sure I understand what regulatory regime it operates under.
They claim to aggregate multiple freely available services for protecting yourself from identity theft, etc. It's an interesting idea, though it's unfortunate that the state of affairs in the US for data and personal privacy is that I have to pay money to protect myself from identity theft, rather than all of the onus being on the people already holding my data not to mess things up.
Since a friend sent this to me, I'll quote his mail and then give what I think are reasonable answers...
This is interesting … do you think their model is credible?
The obvious vulnerabilities to me seemed like:
(1) Lifelock going out of business
(2) Lifelock employees or affiliates compromising you
(3) a criminal learns you are a member and either (a) also gets your phone physically or (b) gets your number transferred to a new phone account somewhere else, which can be done remotely with the phone acct number and SSN. Then opens an account and, acting as you via your phone, allows the action.
(4) a criminal compromises whatever token you use to identify yourself to Lifelock, then calls up (or logs in), pretends to be you, changes the contact phone number to a new number, and he's off to the races.
1. Entirely possible. It isn't clear from past internet company bankruptcies exactly how the disposition of customers' private data was handled. Since they aren't necessarily regulated as a bank, money transfer agent, phone company, etc., it isn't clear to me exactly what regulations would apply to them, to whoever buys them, etc.
2. Entirely possible, and hard to evaluate without knowing a lot about how they run their internal operations. I met some folks who ran security at MBNA and they were pretty over the top: dual control for everything, no one with root on Unix machines, etc. Whether Lifelock does the same thing or not would certainly be an interesting question.
3. Stealing phones, etc. is a risk for most people who rely on this sort of thing. As I've written before in this blog about 2FA for certain financial service providers, it's a hard problem to solve. Banks are required to eat the losses if they get defrauded this way; I'm not sure what would apply in the Lifelock case. It is already a problem for most folks that if someone has access to your physical mail, for example, they can intercept lots of out-of-band communications destined for you, leading to impersonation.
4. Impersonation via cracking of authentication tokens isn't unique to Lifelock. What isn't clear is what your remedies will be when your information gets stolen. Assuming their service actually works, even if your information is stolen you'll get alerted to misuse of your identity, at least for certain cases.
What most disturbs me about the service though is that I need to purchase it at all. In other countries (notably places in Europe) there are already services provided by banks and credit firms that notify you every time your report is pulled, every time someone wants to get credit in your name, etc.
In the US we don't have equivalent protections, though they have been discussed at least briefly as part of the whole identity theft and breach notification regulations going round in most states and at the federal level.
Lifelock reminds me of the service the phone companies provide you to block telephone solicitation. They will put a block on your line so someone has to listen to a special recording, put in a code, etc. before they get connected to you. What is amazing is that the telephone company is the one selling your information in the first place, and now you're paying them to stop their customers from calling you. Pretty nice protection racket if you can get it.
At least Lifelock isn't a division of Experian.