Identity theft costs Americans millions of dollars every single year, but with the rise of ID theft protection services such as LifeLock and ID Shield, the numbers have gone down. However, a recent leak by LifeLock may have actually aided identity thieves in obtaining LifeLock members’ information. If you’re a LifeLock member, you might want to look into it and possibly change your service.
Nearly 60 million Americans have been affected by identity theft, according to a 2018 online survey by The Harris Poll. That same survey indicates nearly 15 million consumers experienced identity theft in 2017.
Publicly available numbers from Javelin Strategy & Research provide similar information.
Table: Number of Identity Theft Victims and Amount Stolen. Columns: Year; Individuals Impacted (in millions); Amount Stolen (in billions). Source: Javelin Strategy & Research.
According to a report by KrebsOnSecurity:
Identity theft protection firm LifeLock — a company that’s built a name for itself based on the promise of helping consumers protect their identities online — may have actually exposed customers to additional attacks from ID thieves and phishers. The company just fixed a vulnerability on its site that allowed anyone with a Web browser to index email addresses associated with millions of customer accounts, or to unsubscribe users from all communications from the company.
The upshot of this weakness is that cyber criminals could harvest the data and use it in targeted phishing campaigns that spoof LifeLock’s brand. Of course, phishers could spam the entire world looking for LifeLock customers without the aid of this flaw, but nevertheless the design of the company’s site suggests that whoever put it together lacked a basic understanding of Web site authentication and security.
Pictured above is a redacted screen shot of one such record. Notice how the format of the link in the browser address bar ends with the text “subscriberkey=” followed by a number. Each number corresponds to a customer record, and the records appear to be sequential. Translation: It would be trivial to write a simple script that pulls down the email address of every LifeLock subscriber.
LifeLock is owned by Symantec, which acquired the company in 2016 for $2.3 billion. Symantec pulled LifeLock offline after it was contacted by KrebsOnSecurity.
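The weakness described in the report is a record number that acts as the only credential. The following sketch is an added example, not LifeLock's or its vendor's code: it contrasts that pattern with an unsubscribe link whose record number is bound to an HMAC tag. The subscriber data, function names and `SIGNING_KEY` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: these keys and addresses are made up.
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}

# Hypothetical server-side secret; a real service would load it from a secrets store.
SIGNING_KEY = secrets.token_bytes(32)


def lookup_sequential(subscriber_key):
    """Weak pattern from the report: the bare number is the only credential."""
    return SUBSCRIBERS.get(subscriber_key)


def _tag(number, key):
    """HMAC-SHA256 over the record number, hex encoded."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


def make_unsubscribe_token(subscriber_key, key=SIGNING_KEY):
    """Build the link parameter as '<number>.<tag>' for the marketing email."""
    number = str(subscriber_key)
    return f"{number}.{_tag(number, key)}"


def lookup_signed(token, key=SIGNING_KEY):
    """Return the address only when the tag verifies for that exact number."""
    number, sep, tag = token.partition(".")
    if not sep or not (number.isascii() and number.isdigit()):
        return None
    # Constant-time comparison on bytes avoids a timing side channel
    # and tolerates arbitrary characters in attacker-supplied input.
    if not hmac.compare_digest(_tag(number, key).encode(), tag.encode()):
        return None
    return SUBSCRIBERS.get(int(number))
```

With the signed form, knowing one valid link says nothing about the link for the next record number, so stepping through numbers returns nothing.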
Apparently, the leak was discovered by a 42-year-old Atlanta researcher by the name of Nathan Reese. Krebs reported:
Reese said he discovered the data leak after receiving an email to the address he had previously used at LifeLock, and that the message offered him a discount for renewing his membership.
Clicking the “unsubscribe” link at the bottom of the email brought up a page showing his subscriber key. From there, Reese said, he wrote a proof-of-concept script that began sequencing numbers and pulling down email addresses. Reese said he stopped the script after it enumerated approximately 70 emails because he didn’t want to set off alarm bells at LifeLock.
“If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them,” Reese said. “That they’re a LifeLock customer and that I have those customers’ email addresses. That’s a pretty sharp spear for my spear phishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime.”
This means that possibly 4.5 million LifeLock users (as of January 2017) were put at risk.
In a statement, Symantec claimed:
This issue was not a vulnerability in the LifeLock member portal. The issue has been fixed and was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails. Based on our investigation, aside from the 70 email address accesses reported by the researcher, we have no indication at this time of any further suspicious activity on the marketing opt-out page.
This should be troubling for users of LifeLock who paid hard-earned money to secure their identities. However, there is a better solution, at least according to several reports.
In a report at Safe Smart Living in June 2018, Sally Jones examined LifeLock and ID Shield to see which offered the best value for your money.
“Is the bigger company better in this case? Not necessarily,” she wrote as she pointed out the following comparisons and declared that ID Shield was hands down the overall winner in terms of value, protection and services.
IDShield Vs LifeLock Plans: Detailed Comparison
|Plan Name||Individual||Family Plan (2 Adults & up to 10 Minors)||Standard||Advantage||Ultimate Plus|
|Price Per Month||$9.95/month||$19.95/month||$9.99/month||$19.99/month||$29.99/month|
|U.S.-Based Agents 24/7|
|Full Identity Recovery Support|
|Driver’s License Monitoring|
|Credit Card Monitoring & Activity Alerts|
|Bank Account Monitoring & Activity Alerts|
|Address Change Verification|
|Black Market Website Surveillance|
|File Sharing Network Searches|
|Lost Wallet Assistance|
|Alerts for New Account Attempts|
|Investment Account Activity Alerts|
|Medical ID Monitoring|
|Court Records Scanning|
|Sex Offender Registry Reports|
|Fictitious Identity Monitoring|
|Online Annual Credit Reports and Scores||1 Credit Bureau||3 Credit Bureau|
|Credit Score Tracking||One Bureau, Quarterly||One Bureau, Quarterly||One Bureau, Monthly|
|Service Guarantee||Up to $5 million||Up to $5 million|
|Stolen Funds Replacement||Up to $25,000||Up to $100,000||Up to $1 million|
|Personal Expense Reimbursement||Up to $25,000||Up to $100,000||Up to $1 million|
|Coverage for Lawyers & Experts||Up to $1 million||Up to $1 million||Up to $1 million|
Jones was not the only one to report these findings. A Secure Life, which has been featured on Angie’s List, CNBC, Forbes and Zillow, also came to similar conclusions.
ID Shield is affordable, it works, and it is provided by Legal Shield, a company with a reputation for providing great legal advice and services since 1972. The company also offers opportunities for average Americans to start their own businesses for just $99.
Article posted with permission from The Washington Standard