Bad Intel And Zero Verification Leads To LifeLock Naming Wrong Company In Suspected Security Breach

from the more-'security-mediocre-practices'-from-the-biggest-name-in-ID-protectio dept

LifeLock has never been the brightest star in the identity fraud protection constellation. Its own CEO -- with his mouth writing checks others would soon be cashing with his credentials -- expressed his trust in LifeLock's service by publishing his Social Security number, leading directly to 13 separate cases of (successful) identity theft.

Beyond that, LifeLock was barely a lock. It didn't encrypt stored credentials and had a bad habit of ambulance-chasing reported security breaches in hopes of pressuring corporate victims into picking up a year's worth of coverage for affected customers. This culminated in the FTC ordering it to pay a $12 million fine for its deceptive advertising, scare tactics, and inability to keep its customers' ID info safe.

It's LifeLock's ambulance chasing that's getting it into trouble again. Rather than verify the details of a recent breach, it began sending notices to customers informing them about possibly exposed info at entirely the wrong service.

Last week, LifeLock and several other identity theft protection firms erroneously alerted their customers to a breach at cloud storage giant Dropbox.com — an incident that reportedly exposed some 73 million usernames and passwords. The only problem with that notification was that Dropbox didn’t have a breach; the data appears instead to have come from another breach revealed this week at social network Tumblr.

This isn't completely LifeLock's fault. It did send out a false alarm and finger the wrong platform, but its information came from a third party: CSID. Brian Krebs approached the identity monitoring firm to determine how it had arrived at the wrong conclusion. It appears it's turtles misinformation all the way down. CSID president of product and marketing Bryan Hjelm confirmed his company was suffering some "reputational concerns" after wrongly naming Dropbox, rather than Tumblr, as the source of the breach. But he still felt his company was doing a bang-up job in the ID protection department, despite utilizing questionable sources.

He told me that CSID relies on a number of sources online who have been accurate, early indicators of breaches past. One such actor — a sort of cyber gadfly best known by his hacker alias “w0rm” — had proven correct in previous posts on Twitter about new data breaches, Hjelm said.

In this case, w0rm posted to Twitter a link to download a file containing what he claimed were 100M records stolen from Dropbox. Perhaps one early sign that something didn’t quite add up is that the download he linked to as the Dropbox user file actually only included 73 million usernames and passwords.

In any case, CSID analysts couldn’t determine one way or the other whether it actually was Dropbox’s data. Nonetheless, they sent it out as such anyway, based on little more than w0rm’s say-so.

The problem with this bogus alert is that every step of it was automated. CSID admits it never checked out w0rm's claim by manually verifying the data dump contained what w0rm said it contained. It simply generated its alert, which was then picked up by others, like LifeLock, that rely on it for breach identification/notification. The automation continued as LifeLock sent auto-generated messages to its customers. The only manual part of this process occurred at the end user level when Dropbox customers began altering their login credentials to protect themselves from a nonexistent breach. Meanwhile, the real breach went ignored.

It's often said that humans are the weakest link in the security chain, but this incident shows that a little human intervention would have gone a long way towards heading off bogus breach notifications that made an unaffected company look like it was hiding something from its users.

Filed Under: security breach
Companies: dropbox, lifelock, tumblr

Turns Out Lifelock's CEO Has Been A Victim Of Identity Fraud 13 Times

from the is-that-in-their-ads? dept

Ah, Lifelock. The company, which was recently fined $12 million for bogus advertising and absolutely dreadful security practices (the private data that Lifelock claimed it was helping you protect was not encrypted and was available to more than just authorized employees). Of course, the most amusing thing of all was how the CEO of the company, Todd Davis, plastered his Social Security Number everywhere to show how "safe" he felt with the company's service. In the past, we had noted that this didn't actually stop him from from being a victim of identity fraud -- when someone used his well publicized SSN to get a $500 loan in his name. Oh, and then there was the story about how the CEO then personally went to the home of the guy who did this, and "coerced" a confession out of him. In doing so, it ruined the police investigation and tainted the case.

Thankfully, it now turns out that there were twelve other opportunities to taint evidence. Yes, it's now come out that the CEO who proudly gave away his SSN because his own company would protect him has been a victim of identity fraud at least 13 times. And they say 13 is an unlucky number...

The stories go on and on, with lots of people using his Social Security Number to open up various accounts -- many of which it appears he didn't find out about until collections agencies came calling. Could there be any worse advertising for Lifelock than this? It's even pissing off the police

"It's unfortunate he chose to conduct business in that way," [Albany police] spokeswoman Phyllis Banks said. "It's not fair to [AT&T] because they're losing a pretty substantial amount of money."

Update: Lifelock, as per usual, is trying to spin this in a positive way, sending over a PR statement about how we should really pay attention to all the times his identity wasn't used fraudulently. Very convincing.

Filed Under: identity fraud, todd davis
Companies: lifelock

LifeLock Has To Pay $12 Million For Bogus Advertising, Little Actual Protection And Awful Security

from the feel-safer? dept

AdamR was the first of a few of you to point out that the FTC (along with 35 state attorneys general) has fined Lifelock $12 million for a variety of misdeeds, starting with bogus advertising. This should be no surprise to Techdirt readers, as the discussions around LifeLock have always raised a lot more questions than were answered. It kicked off with the fact that LifeLock's CEO, who proudly places his Social Security Number on ads to "prove" how convinced he is that LifeLock will protect him... was a victim of identity fraud himself. Oh, and there was also the stuff about how one of the founder's of the company had a past that involved doing bad things with the private information of his own customers. And then there was the story about how the CEO of LifeLock, after having his own identity fraudulently used, went to the home of the guy who did it to "coerce a confession."

But the bigger questions were about the service itself. All it really did was put a fraud block on your credit, which you could do for free. It didn't stop people from using your existing credit cards if they had access to the information, or from taking out loans in your name (which is what happened to the CEO) -- even though its advertisements implied you'd be safe from such situations (which are more common than someone taking out a credit card in your name). Oh, and then there was the fact that the fraud reports that Lifelock would put on accounts were found to be illegal.

All that looks pretty bad -- and it gets worse as you read the details of the FTC slapdown. There was the questionable advertising, which went beyond just false implied promises -- to sending out letters that tried to claim that the recipient's info "wasn't safe" as a scare tactic. On top of that, apparently, LifeLock itself wasn't particularly secure with how it handled its customers private information. This fact looks even worse when you realize that LifeLock would prey on firms who had recently had data breaches, and suggest they sign up customers for a "free" year of LifeLock -- thereby putting their data at risk yet again. Not only was the data not properly handled, but LifeLock falsely claimed that the data was encrypted and only authorized employees would have access. Neither turned out to be true. Basically, it sounds like rather than protect your identity, LifeLock put you at greater risk.

Filed Under: identity theft
Companies: lifelock

Lifelock Found To Be Illegally Placing Fraud Alerts On Credit Profiles

from the oops dept

There are all sorts of questions about Lifelock, the company that claims to help protect you from identify theft. There were the stories that the founders of the company had previously been involved in identity fraud operations. And, of course, there's the whole issue with the company's CEO becoming a victim of identity fraud, while out promoting the service, by happily displaying his social security number in ads. In response to this, rather than letting the police handle the situation, the CEO hunted down the guy who impersonated him with a camera crew and coerced a "confession" out of the guy. This basically ruined the police investigation and they gave up prosecuting the case, saying that the evidence was tainted. Oh yeah, and there's the matter of the class action lawsuit against the company from customers who realized that Lifelock doesn't do much to actually prevent identity theft.

However, it's still surprising to find out that a court has ruled that Lifelock's fraud alert services are illegal. The lawsuit was brought by Experian, one of the big credit rating agencies, complaining that Lifelock abuses the fraud alert process. By law, the credit ratings agencies need to agree to put a free fraud alert on an account at the request of the account holder if they feel they're at risk of identity fraud. The alert requires anyone trying to open a new line of credit to first confirm with the customer before being able to extend the line of credit (basically, if someone tries to open a new credit card, the cardholder gets a call to make sure they really wanted it).

This is a free service, which lasts for 3 months -- at which point you need to proactively renew it. One of Lifelock's services is putting that alert on your accounts and promptly renewing it when the 3 months are up. Even though anyone can set their own up for free, for some people it's worth paying Lifelock to manage that process. Experian claimed it was an abuse, well beyond what the law was intended for, and that it was costing the company a ton of money to manage all of these requests. The judge agreed, noting that the lawmakers did not appear to intend for individuals to have middlemen place and manage fraud alerts.

While I'm somewhat skeptical of Lifelock, the idea that a company can't manage such alerts for an individual seems somewhat silly and counterproductive. The issue, though, probably isn't so much with the ruling, but with the law. Perhaps Congress should simply fix it and make it clear that if you want to pay some company to manage such alerts for you, that's perfectly fine.

Filed Under: credit reports, fraud alert
Companies: experian, lifelock

Are Companies Responsible For Actions Of Affiliates?

from the lawsuits-galore dept

Back in May we wrote about how shoe store DSW was suing Zappos over potential trademark infringement done by an affiliate -- and now we've got another similar story. The company NameSafe is suing competitor LifeLock over Google ads that make use of NameSafe's name. While we've seen plenty of lawsuits where Google was incorrectly sued over ads based on competitor search terms, this case actually does seem a little more reasonable on those points: rather than suing Google, NameSafe is suing LifeLock, and NameSafe can probably make a half-decent case that the ads could be seen as confusing or deceptive.

However, where this case gets more interesting is on the question of whether LifeLock is to blame -- or if it's the fault of an affiliate marketer, as LifeLock claims. LifeLock says that it terminated the affiliate's account and also reminded all of its affiliates that this type of activity goes against their reseller agreements. That seems like a reasonable response, but for now the lawsuit against LifeLock continues, which will inevitably raise questions about whether or not a company is responsible for the actions of its affiliates and resellers. It seems like common sense to say no -- that the liability should remain with those who actually did the action -- but we've seen stranger decisions from courts before, so it may not be clear cut here.

Filed Under: advertising, affiliates, google ads, liability
Companies: lifelock, namesafe

Will Lifelock's CEO Get To Be A Part Of The Class Action Lawsuit Against Lifelock?

from the he-could-qualify dept

You may recall the story of Lifelock, the company that heavily advertises its service which charges you $10/month to get services that you can get on your own for free from credit agencies. This is the one where the CEO gives out his Social Security number in every advertisement to show how confident he is in the service. Of course, what he leaves out is that Lifelock failed to stop identity fraud carried out against him (oops). Oh yeah, also the stuff about how the company's founder was being investigated for fraud (and potential identity fraud) at a previous company.

So, it should come as little surprise that some customers of Lifelock aren't particularly pleased with the company and have filed a class action lawsuit against the company, claiming deceptive advertising, and noting that it doesn't really provide much security. One additional nugget of information: the identity fraud against the CEO that we mentioned earlier is just the tip of the iceberg. The CEO's social security number is apparently now widely in use among identity scammers. Well, maybe he'll get some money out of the class action lawsuit, since it appears that he was misled by his own advertising...

Filed Under: class action, identity fraud
Companies: lifelock

Does LifeLock Charge Extra To Coerce Suspected Identity Thieves?

from the smooth-move dept

LifeLock, a company that sells some identity theft protection services that consumers could get for free, got some bad press last month. Not only did it come out that one of the company's founders had allegedly stolen personal information from customers of another business he owned, it was also disclosed that LifeLock's services failed to protect the company's CEO from identity theft. A man in the Dallas area used the CEO's social security number -- which is prominently displayed in LifeLock's marketing materials -- to obtain a $500 loan, and police were waiting to get some subpoenaed information when the CEO took things into his own hands. He showed up at the fraudster's house with a film crew, and apparently coerced a confession out of the guy, who police say is mentally disabled. The confession is legally worthless, and police and prosecutors say it's tainted the case, so they're not going to proceed with their investigation, and have no plans to arrest the suspect. So, it would appear, that not only do LifeLock's anti-identity theft measures not work, the company also manages to bungle the prosecution of identity thieves.

Filed Under: identity theft
Companies: lifelock