Northwest Liberty News

Picking the Lock on the Shackles of Tyranny ®

LifeLock Unlocked? Leak Could Have Helped Identity Thieves Gain Access To Consumers’ Information

If you're a LifeLock member, you might want to check into it and possibly change your service.

Identity theft costs Americans millions of dollars every single year, but with the rise of ID theft protection services such as LifeLock and ID Shield, the numbers have gone down. However, a recent leak by LifeLock may have actually aided identity thieves in obtaining LifeLock members’ information. If you’re a LifeLock member, you might want to check into it and possibly change your service.

Nearly 60 million Americans have been affected by identity theft, according to a 2018 online survey by The Harris Poll. That same survey indicates nearly 15 million consumers experienced identity theft in 2017.

Publicly available numbers from Javelin Strategy & Research provide similar information.

[Table: Number of Identity Theft Victims and Amount Stolen. Columns: Year; Individuals Impacted (in millions); Amount Stolen (in billions). Source: Javelin Strategy & Research]

Identity theft now costs more than all other property crimes combined!

According to a report by KrebsOnSecurity:

Identity theft protection firm LifeLock — a company that’s built a name for itself based on the promise of helping consumers protect their identities online — may have actually exposed customers to additional attacks from ID thieves and phishers. The company just fixed a vulnerability on its site that allowed anyone with a Web browser to index email addresses associated with millions of customer accounts, or to unsubscribe users from all communications from the company.

The upshot of this weakness is that cyber criminals could harvest the data and use it in targeted phishing campaigns that spoof LifeLock’s brand. Of course, phishers could spam the entire world looking for LifeLock customers without the aid of this flaw, but nevertheless the design of the company’s site suggests that whoever put it together lacked a basic understanding of Web site authentication and security.

LifeLock’s Web site exposed customer email addresses by tying each customer account to a numeric “subscriberkey” that could be easily enumerated. Pictured above is customer number 55,739,477.

Pictured above is a redacted screen shot of one such record (click the image to enlarge). Notice how the format of the link in the browser address bar ends with the text “subscriberkey=” followed by a number. Each number corresponds to a customer record, and the records appear to be sequential. Translation: It would be trivial to write a simple script that pulls down the email address of every LifeLock subscriber.

LifeLock is owned by Symantec, which acquired the company in 2016 for $2.3 billion. Symantec pulled LifeLock offline after it was contacted by KrebsOnSecurity.
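An added example, not code from the original article, LifeLock or KrebsOnSecurity: the weakness described above (a sequential key as the only credential, with the address echoed back) beside one common mitigation, an HMAC-signed unsubscribe token that returns no account data. The records, secret and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Assumption: a server-side secret that never appears in links or pages.
SECRET = b"constructed-demo-secret"
# Constructed records keyed by a sequential number, like the "subscriberkey" above.
SUBSCRIBERS = {1001: "alice@example.com", 1002: "bob@example.com"}
UNSUBSCRIBED = set()


def weak_unsubscribe_page(subscriberkey):
    """Weak design: the guessable key is the only credential and the
    response echoes the stored email address back to whoever asked."""
    return SUBSCRIBERS.get(subscriberkey)


def _tag(key_str):
    """URL-safe HMAC-SHA256 over the exact key string."""
    mac = hmac.new(SECRET, key_str.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=")


def make_token(subscriberkey):
    """Token placed in the emailed link: '<key>.<tag>'."""
    return f"{subscriberkey}.{_tag(str(subscriberkey)).decode()}"


def unsubscribe(token):
    """Hardened design: act only on a valid tag, return no account data."""
    key_str, _, tag = token.partition(".")
    if not (key_str.isascii() and key_str.isdigit()):
        return False
    # Constant-time comparison; a tag minted for another key will not match.
    if not hmac.compare_digest(_tag(key_str), tag.encode()):
        return False
    if int(key_str) not in SUBSCRIBERS:
        return False
    UNSUBSCRIBED.add(int(key_str))
    return True
```

With the signed token, changing the number in a link invalidates the tag, and the response is only a success flag, so the page no longer serves as an email lookup.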

Apparently, the leak was discovered by a 42-year-old Atlanta researcher by the name of Nathan Reese.  Krebs reported:

Reese said he discovered the data leak after receiving an email to the address he had previously used at LifeLock, and that the message offered him a discount for renewing his membership.

Clicking the “unsubscribe” link at the bottom of the email brought up a page showing his subscriber key. From there, Reese said, he wrote a proof-of-concept script that began sequencing numbers and pulling down email addresses. Reese said he stopped the script after it enumerated approximately 70 emails because he didn’t want to set off alarm bells at LifeLock.

“If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them,” Reese said. “That they’re a LifeLock customer and that I have those customers’ email addresses. That’s a pretty sharp spear for my spear phishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime.”

This means that possibly 4.5 million LifeLock users (as of January 2017) were put at risk.

In a statement, Symantec claims:

This issue was not a vulnerability in the LifeLock member portal. The issue has been fixed and was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails. Based on our investigation, aside from the 70 email address accesses reported by the researcher, we have no indication at this time of any further suspicious activity on the marketing opt-out page.

This should be troubling for users of LifeLock who paid hard-earned money to secure their identities. However, there is a better solution, at least according to several reports.

In a report at Safe Smart Living in June 2018, Sally Jones examined LifeLock and ID Shield to see which offered the best value for your money.

“Is the bigger company better in this case? Not necessarily,” she asked as she pointed out the following comparisons and declared that ID Shield was hands down the overall winner in terms of value, protection and services.

IDShield Vs LifeLock Plans: Detailed Comparison

Plan Name: Individual; Family Plan (2 Adults & up to 10 Minors); Standard; Advantage; Ultimate Plus
Price Per Month: $9.95/month; $19.95/month; $9.99/month; $19.99/month; $29.99/month
U.S.-Based Agents 24/7: ✓ ✓ ✓ ✓ ✓
Full Identity Recovery Support: ✓ ✓ ✓ ✓ ✓
SSN Monitoring: ✓ ✓ ✓ ✓ ✓
Driver’s License Monitoring: ✓ ✓ ✓ ✓ ✓
Credit Card Monitoring & Activity Alerts: ✓ ✓ ✓ ✓
Bank Account Monitoring & Activity Alerts: ✓ ✓ ✓ ✓
Address Change Verification: ✓ ✓ ✓ ✓ ✓
Black Market Website Surveillance: ✓ ✓ ✓ ✓ ✓
File Sharing Network Searches: ✓ ✓ ✓
Email Monitoring: ✓ ✓
Lost Wallet Assistance: ✓ ✓ ✓ ✓ ✓
Alerts for New Account Attempts: ✓ ✓ ✓
Investment Account Activity Alerts: ✓
Medical ID Monitoring: ✓ ✓
Court Records Scanning: ✓ ✓ ✓ ✓
Sex Offender Registry Reports: ✓ ✓ ✓
Fictitious Identity Monitoring: ✓ ✓
Online Annual Credit Reports and Scores: 1 Credit Bureau; 3 Credit Bureau
Credit Score Tracking: One Bureau, Quarterly; One Bureau, Quarterly; One Bureau, Monthly
Service Guarantee: Up to $5 million; Up to $5 million
Stolen Funds Replacement: Up to $25,000; Up to $100,000; Up to $1 million
Personal Expense Reimbursement: Up to $25,000; Up to $100,000; Up to $1 million
Coverage for Lawyers & Experts: Up to $1 million; Up to $1 million; Up to $1 million

Jones was not the only one to report these findings. A Secure Life, which has been featured on Angie’s List, CNBC, Forbes and Zillow, also came to similar conclusions.

ID Shield is affordable, it works, and it is a service provided by Legal Shield, a company with a reputation for providing great legal advice and services since 1972. The company also offers opportunities for average Americans to start their own businesses for just $99.

Article posted with permission from The Washington Standard
