Tuesday, April 03, 2007

Identity Theft Protection?

A friend sent me a link today about an Identity Theft Protection service called Lifelock. http://www.lifelock.com.

I'm not sure what to make of the service, and I'm not sure I understand what regulatory regime it operates under.

They claim to aggregate multiple freely available services for protecting yourself from identity theft, etc. It's an interesting idea, though it's unfortunate that the state of affairs in the US for data and personal privacy is that I have to pay money to protect myself from identity theft, rather than all of the onus being on the people already holding my data not to mess things up.

Since a friend sent this to me, I'll quote his mail and then give what I think are reasonable answers...

This is interesting … do you think their model is credible?

The obvious vulnerabilities to me seemed like

(1) lifelock going out of business

(2) lifelock employees or affiliates compromising you

(3) a criminal learns you are a member and either

(a) also gets your phone physically or (b) gets your number transferred to a new phone account somewhere else, which can be done remotely with the phone acct number and ssn.

Then opens an account and, acting as you via your phone, allows the action.

(4) criminal compromises whatever token you use to identify yourself to lifelock, then calls up (or logs in), pretends to be you, changes the contact phone number to a new number, and he's off to the races

1. Entirely possible. It isn't clear based on past internet company bankruptcies exactly how the disposition of their private data was handled. Since they aren't necessarily regulated as a bank, money transfer agent, phone company, etc. it isn't clear to me exactly what regulations would apply to them, who buys them, etc.

2. Entirely possible, and hard to evaluate without knowing a lot about how they run their internal operations. I met some folks who ran security at MBNA and they were pretty over the top: dual control for everything, no one with root on Unix machines, etc. Whether Lifelock does the same thing or not would certainly be an interesting question.

3. Stealing phones, etc. is a risk for most people who rely on this sort of thing. As I've written about before in this blog regarding 2FA for certain financial service providers, it's a hard problem to solve. Banks are required to eat the losses if they get defrauded this way; I'm not sure what would apply in the Lifelock case. It is a current problem for most folks, though, that if someone has access to your physical mail, for example, they can intercept lots of out-of-band communications destined for you, thus leading to impersonation.

4. Impersonation via cracking of authentication tokens isn't unique to Lifelock. What isn't clear is what your remedies will be when your information gets stolen. Assuming their service actually works, even if your information is stolen you'll get alerted to misuse of your identity, at least for certain cases.

What most disturbs me about the service, though, is that I need to purchase it at all. In other countries (notably places in Europe) there are already services provided by banks and credit firms that notify you every time your report is pulled, every time someone wants to get credit in your name, etc.

In the US we don't have equivalent protections, though they have been discussed at least briefly as part of the whole identity theft and breach notification regulations going round in most states and at the federal level.

Lifelock reminds me of the service the phone companies provide you to block telephone solicitation. They will put a block on your line so someone has to listen to a special recording, put in a code, etc. before they get connected to you. What is amazing is that the telephone company is the one selling your information in the first place, and now you're paying them to stop their customers from calling you. Pretty nice protection racket if you can get it.

At least Lifelock isn't a division of Experian.



1 comment:

Igor Drokov said...

Andy,

Whilst I agree with the idea that services like this should be a part of customer protection offered (free of extra charge) by the service provider, it is interesting how the grass is always greener on the other side ;)

Here in the UK, US regulations are often quoted as an example of better customer protection. E.g. Ross Anderson recently commented:

"US cardholders are treated much better than customers here - over there, the store will have to write to them and apologise. Here, cardholders might not have been told at all were it not that some US cardholders also had their data stolen from the computer centre in Watford. We need a breach reporting law in the UK"

and that

"the UK government agreed to support the EU Payment Services Directive, which (unless the European Parliament amends it) looks set to level down consumer protection against card fraud in Europe to the lowest common denominator."

It is worth reading the post in full: TK Maxx and banking regulation.

At least in the US, following recent customer data breach disclosures, as far as I know, affected customers were offered a free subscription to Experian or similar services.

Whereas I am not aware of any similar free service in the UK. In fact, the opposite is true: my bank has recently started persistently offering to sell me an "Identity Fraud" insurance that will include credit profile alerts...