Identity theft costs Americans millions of dollars every single year, but with the rise of ID theft protection services such as LifeLock and IDShield, the numbers have gone down. However, a recent leak by LifeLock may have actually aided identity thieves in obtaining LifeLock members’ information. If you’re a LifeLock member, you might want to check into it and possibly change your service.

Nearly 60 million Americans have been affected by identity theft, according to a 2018 online survey by The Harris Poll. That same survey indicates nearly 15 million consumers experienced identity theft in 2017.

Publicly available numbers from Javelin Strategy & Research provide similar information.

Number of Identity Theft Victims and Amount Stolen

Year   Individuals Impacted (in millions)   Amount Stolen (in billions)
2017   16.7                                 $16.8
2016   15.4                                 $16.2
2015   13.1                                 $15.5
2014   12.7                                 $16.4
2013   13.1                                 $19.3
2012   12.6                                 $22.1

Source: Javelin Strategy & Research

Identity theft now costs more than all other property crimes combined!

According to a report by KrebsOnSecurity:

Identity theft protection firm LifeLock — a company that’s built a name for itself based on the promise of helping consumers protect their identities online — may have actually exposed customers to additional attacks from ID thieves and phishers. The company just fixed a vulnerability on its site that allowed anyone with a Web browser to index email addresses associated with millions of customer accounts, or to unsubscribe users from all communications from the company.

The upshot of this weakness is that cyber criminals could harvest the data and use it in targeted phishing campaigns that spoof LifeLock’s brand. Of course, phishers could spam the entire world looking for LifeLock customers without the aid of this flaw, but nevertheless the design of the company’s site suggests that whoever put it together lacked a basic understanding of Web site authentication and security.

LifeLock’s Web site exposed customer email addresses by tying each customer account to a numeric “subscriberkey” that could be easily enumerated. Pictured above is customer number 55,739,477.

Pictured above is a redacted screen shot of one such record. Notice how the format of the link in the browser address bar ends with the text “subscriberkey=” followed by a number. Each number corresponds to a customer record, and the records appear to be sequential. Translation: It would be trivial to write a simple script that pulls down the email address of every LifeLock subscriber.

LifeLock is owned by Symantec, which acquired the company in 2016 for $2.3 billion. Symantec pulled LifeLock offline after it was contacted by KrebsOnSecurity.

Apparently, the leak was discovered by a 42-year-old Atlanta researcher by the name of Nathan Reese.  Krebs reported:

Reese said he discovered the data leak after receiving an email to the address he had previously used at LifeLock, and that the message offered him a discount for renewing his membership.

Clicking the “unsubscribe” link at the bottom of the email brought up a page showing his subscriber key. From there, Reese said, he wrote a proof-of-concept script that began sequencing numbers and pulling down email addresses. Reese said he stopped the script after it enumerated approximately 70 emails because he didn’t want to set off alarm bells at LifeLock.

“If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them,” Reese said. “That they’re a LifeLock customer and that I have those customers’ email addresses. That’s a pretty sharp spear for my spear phishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime.”

This means that possibly 4.5 million LifeLock users (as of January 2017) were put at risk.
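An added example (not from the article, KrebsOnSecurity or LifeLock) contrasting the enumerable “subscriberkey” lookup described above with an unsubscribe link bound to one subscriber by an HMAC tag. The `sig` parameter, the function names, the key and the sample addresses are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: sequential keys mapped to made-up addresses.
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}
UNSUBSCRIBED = set()
# Constructed demo key; a real service would load it from a secret store.
LINK_KEY = b"constructed-demo-key"


def weak_unsubscribe_page(params):
    """Pattern the article describes: the bare number selects the record."""
    email = SUBSCRIBERS.get(int(params["subscriberkey"]))
    return (200, f"Unsubscribe {email}?") if email else (404, "Not found")


def sign(subscriber_key):
    """HMAC-SHA256 tag binding a link to exactly one subscriber key."""
    msg = str(subscriber_key).encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()


def make_link_params(subscriber_key):
    """Parameters placed in the unsubscribe link of one subscriber's email."""
    return {"subscriberkey": str(subscriber_key), "sig": sign(subscriber_key)}


def hardened_unsubscribe_page(params):
    """Act only on a key with a valid tag, and never echo the address."""
    key = params.get("subscriberkey", "")
    tag = params.get("sig", "")
    well_formed = key.isascii() and key.isdigit()
    # Constant-time comparison on bytes; a guessed or reused tag fails here.
    valid = well_formed and hmac.compare_digest(tag.encode(), sign(key).encode())
    if valid and int(key) in SUBSCRIBERS:
        UNSUBSCRIBED.add(int(key))
    # Same response whether or not the key exists or the tag verifies,
    # so the page gives no signal for walking the number space.
    return (200, "If this link is valid, you have been unsubscribed.")
```

Because the tag is derived from a server-side secret, incrementing the number without the matching tag neither reveals an address nor unsubscribes anyone.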

In a statement, Symantec claimed:

This issue was not a vulnerability in the LifeLock member portal. The issue has been fixed and was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails. Based on our investigation, aside from the 70 email address accesses reported by the researcher, we have no indication at this time of any further suspicious activity on the marketing opt-out page.

This should be troubling for users of LifeLock who paid hard-earned money to secure their identities.  However, there is a better solution, at least according to several reports.

In a report at Safe Smart Living in June 2018, Sally Jones examined LifeLock and IDShield to see which offered the best value for your money.

“Is the bigger company better in this case? Not necessarily,” she wrote, pointing out the following comparisons and declaring that IDShield was hands down the overall winner in terms of value, protection and services.

IDShield Vs LifeLock Plans: Detailed Comparison

IDShield IDShield LifeLock LifeLock LifeLock
Plan Name Individual Family Plan (2 Adults & up to 10 Minors) Standard Advantage Ultimate Plus
Price Per Month $9.95/month $19.95/month $9.99/month $19.99/month $29.99/month
U.S.-Based Agents 24/7 Checkmark Checkmark Checkmark Checkmark Checkmark
Full Identity Recovery Support Checkmark Checkmark Checkmark Checkmark Checkmark
SSN Monitoring Checkmark Checkmark Checkmark Checkmark Checkmark
Driver’s License Monitoring Checkmark Checkmark Checkmark Checkmark Checkmark
Credit Card Monitoring & Activity Alerts Checkmark Checkmark Checkmark Checkmark
Bank Account Monitoring & Activity Alerts Checkmark Checkmark Checkmark Checkmark
Address Change Verification Checkmark Checkmark Checkmark Checkmark Checkmark
Black Market Website Surveillance Checkmark Checkmark Checkmark Checkmark Checkmark
File Sharing Network Searches Checkmark Checkmark Checkmark
Email Monitoring Checkmark Checkmark
Lost Wallet Assistance Checkmark Checkmark Checkmark Checkmark Checkmark
Alerts for New Account Attempts Checkmark Checkmark Checkmark
Investment Account Activity Alerts Checkmark
Medical ID Monitoring Checkmark Checkmark
Court Records Scanning Checkmark Checkmark Checkmark Checkmark
Sex Offender Registry Reports Checkmark Checkmark Checkmark
Fictitious Identity Monitoring Checkmark Checkmark
Online Annual Credit Reports and Scores 1 Credit Bureau 3 Credit Bureau
Credit Score Tracking One Bureau, Quarterly One Bureau, Quarterly One Bureau, Monthly
Service Guarantee Up to $5 million Up to $5 million
Stolen Funds Replacement Up to $25,000 Up to $100,000 Up to $1 million
Personal Expense Reimbursement Up to $25,000 Up to $100,000 Up to $1 million
Coverage for Lawyers & Experts Up to $1 million Up to $1 million Up to $1 million

Jones was not the only one to report these findings. A Secure Life, which has been featured on Angie’s List, CNBC, Forbes and Zillow, came to similar conclusions.

IDShield is affordable, it works, and it is a service provided by LegalShield, a company with a reputation for providing great legal advice and services since 1972. The company also offers opportunities for average Americans to start their own businesses for just $99.

Article posted with permission from The Washington Standard
