Tracking Someone Using LifeLock

Someone opened a LifeLock account in his ex-wife's name, and used the service to track her bank accounts, credit cards, and other financial activities.

The article is mostly about how appalling LifeLock was about this, but I'm more interested in the surveillance possibilities. Certainly the FBI can use LifeLock to surveil people with a warrant. The FBI/NSA can also collect the financial data of every LifeLock customer with a National Security Letter. But it's interesting how easy it was for an individual to open an account for another individual.

Posted on December 1, 2015 at 5:41 AM • 22 Comments

Comments

L. W. Smiley • December 1, 2015 6:46 AM

Given the ease with which an unauthorized party opened the account, negligence should be argued and a tort is in order. Unfortunately this is the only language corporations understand and individuals' only recourse. But they're all slippery when it comes to product liability. Software licenses are an end run around this especially in the area of personal data loss with its emotional, and financial toll and the time, cost and difficulty to repair the damage. The ex husband's actions are another strong argument for the legitimate purpose of privacy. Of course privacy policies seem to exist more to protect corporations from discovery than to protect individuals.

Peter Galbavy • December 1, 2015 7:17 AM

... and people wonder why the protection of personal information in the EU, as opposed to the US, is actually important.

Lisa Kachold • December 1, 2015 7:34 AM

Seriously?

You actually believe that the pitiful amount of data available from Lifelock is going to ASSIST any government institution to investigate or track an individual?

The Department of Homeland Security and NSA have instant access to all of American financial data, as well as Akamai cached online banking transactions!

Granted these "identity protection" companies don't provide even the basic safeguards provided by algorithmics gathered by the banks' own processes (Early Warning Services), they, like many security companies on the "Information Super Dirtway", only prey on the stupid, who clearly might be impressed by this blog?

Signed "Arrogant Security Professional"

Terry • December 1, 2015 7:50 AM

I usually agree with Rush Limbaugh's conservative opinions. However, I cringe every time he gives his personal glowing advertisement for this rogue company. Unfortunately, Limbaugh is sullying his reputation in promoting it. I believe that he has most certainly heard about the fraud and mismanagement in LifeLock. Limbaugh has apparently been corrupted by LifeLock's advertisement revenue.

Peter A. • December 1, 2015 7:51 AM

Anybody care to explain how this LifeLock works? How the company could have access to "bank accounts, credit cards, and other financial activities" just having someone's name, address and some ID numbers?

Andrew Conway • December 1, 2015 8:47 AM

Cloudmark blocked a big burst of spam today promoting Lifelock. The spam probably came from an affiliate advertiser rather than Lifelock directly but they should be more careful about where they spend their advertising dollars.

blake • December 1, 2015 9:05 AM

Favourite part of the article:

> [Lifelock's] CEO having the hubris to publicly share his Social Security number, claiming LifeLock would prevent him from identity theft… only to have his identity stolen at least 13 times.

So, yeah, @Lisa, even that small amount of data can be useful to someone. DHS and NSA might have their fingers all over the online pie but inter-agency channels aren't perfect, and some other agency might find this easier than the NSA request paperwork. And then there's the possibility of investigation from a non-US-agency...

tim • December 1, 2015 9:51 AM

Dealing with identity fraud earlier in the year - I briefly tried lifelock. It operates very much like any financial tracking site. Every so often it will check your accounts and report on activity. In my case about 90% of the activity was reported as "potentially fraudulent." This raises two issues.

The first is the delay. Activity alerts on lifelock take days. So the damage has largely been done by the time lifelock gets around to it. Activity alerts I set on my accounts from my banks and credit card companies are near real time and I can quickly respond to the issue.

The other is the false positives. Every month it would flag my mortgage as "potentially fraudulent". And there is no way to whitelist the transaction.

Lifelock "offers" other services as part of its deal. Like a monthly credit score check (which was wrong every month), checks to see if your name is part of any breaches, and information on where you live (e.g. are sex offenders living nearby? PANIC!).

Cancelling Lifelock requires you to call their 800 number and wait on hold. I tried twice only to be left on hold for 10+ minutes and then I just gave up. Ironically the credit card that lifelock was being billed to was cancelled due to new fraudulent activity and the situation took care of itself. Lifelock reported the fraudulent activity the same way it reported all activity. Potentially fraudulent. So PANIC!

Lifelock offers nothing one can't get by themselves from their own bank or online or just being diligent.

Dirk Praet • December 1, 2015 10:58 AM

@ Lisa Kachold

> You actually believe that the pitiful amount of data available from Lifelock is going to ASSIST any government institution to investigate or track an individual?

For starters, and from the referenced article: "their son found a five-page Excel spreadsheet on his computer — of her bank accounts, credit cards and other financial activities...It also included his ex-wife’s passwords and answers to her security questions." That's hardly peanuts, I'd say, and over here enough to warrant a full investigation if any private company would be holding such data without your knowledge or consent.

Second: why would your government bother collecting this information - or rather use selectors on some secret program(s) - if they can already get it from private companies, and without any legal hassle, especially when CISA becomes law?

Anyway, I guess it must be a mild relief to the OPM breach victims that the White House awarded the credit monitoring and identity theft protection contract to another company than this bunch of lamers.

> The Department of Homeland Security and NSA have instant access to all of American financial data, as well as Akamai cached online banking transactions!

A word of warning: whenever making claims on this blog involving the words "direct" or "instant" access, please explicitly reference programs and authority. Failing to do so generally summons one @Rolf Weber to the forum, which you may wish to avoid.

Karl Lembke • December 1, 2015 11:46 AM

This would make an interesting left-handed ad for LifeLock:

"Hurry and sign up, to prevent someone else from signing up in your name!"

Darth • December 1, 2015 12:18 PM

>>"Hurry and sign up, to prevent someone else from signing up in your name!"

Sounds like an ad for Turbo Tax and the IRS to me.

Slime Mold with Mustard • December 1, 2015 12:28 PM

I recall the commercials with the founder spouting off his SSN and wondering why I would trust a foreigner who settled in Texas?

RE: OPM Hack

The media reports said that the records didn't include military, but I got a letter (I have been out more than twenty years). I haven't replied yet. I'm already covered from the three different times my medical PII has been hacked : (

LessThanObvious • December 1, 2015 1:51 PM

Do the FBI or NSA actually need anyone's permission to look at data held by the credit reporting agencies? Considering how much data credit reporting agencies share, I'd find it hard to believe government agencies wouldn't be tapped into this currently. This is pretty much the same data you would get from Lifelock.

That said it would also be very easy to run a credit check and get info on someone like an ex-wife. They base all the security checks on what you know which could be trivial to answer correctly for someone who knows your life and finances that intimately.

HJohn • December 1, 2015 3:43 PM

@Less ThanObvious: "That said it would also be very easy to run a credit check and get info on someone like an ex-wife. They base all the security checks on what you know which could be trivial to answer correctly for someone who knows your life and finances that intimately."
_________________

Definitely very easy for a spouse (and by extension, an ex spouse to have).

It's also very easy for key individuals in business to have. Personally identifying information, by definition, must be used to identify a person. There are simply times when it must be disclosed in order to personally identify oneself, and there will always be people who have access to it. Consequently, there will always be untrustworthy people who obtain positions of trust because one doesn't know they can't be trusted.

Treating identifiers like SSN, name, address, etc., as if they are authenticators like passwords is inherently problematic.

JB • December 1, 2015 4:03 PM

Terry,
Opinions are easy to have. I can name 10 people in 10 seconds with opinions similar to Limbaugh's but at least 10 times his intelligence level. His advocacy of Lifelock is on par with his level of analysis of everything else.

If you want conservative opinions from actually intelligent people, you have a lot of better choices.

Not wanting to start a conservative-liberal political argument, just pointing out that Limbaugh is not someone you want to take advice from on any topic, even if you agree with him on politics.

Dirk Praet • December 1, 2015 6:11 PM

@ Karl Lembke

> "Hurry and sign up, to prevent someone else from signing up in your name!"

+1

The OPM victims are even more foobared if the Chinese (or whoever was behind the heist) at some point had the same brilliant idea as that victim's husband.

Anura • December 1, 2015 6:26 PM

This is why we need a system for verifying identity that relies on actual secrets, not just information that is moderately difficult for a complete stranger to obtain.

Coyne Tibbets • December 2, 2015 12:20 AM

@Schneier: "...but I'm more interested in the surveillance possibilities. Certainly the FBI can use [whatever company] to surveil people with a warrant. The FBI/NSA can also collect the [personal] data of every [whatever company] customer with a National Security Letter."

How do you think the companies are making money in this financial environment? With all the restrictions on subsidizing international competition, the government needs some way to justify distribution of tax money to keep all these companies afloat. What better way than buying information in order to regulate the subjects?

Clive Robinson • December 2, 2015 3:09 AM

@ Coyne Tibbets,

> What better way than buying information in order to regulate the subjects?

Yes I've been thinking about this probable symbiotic relationship for a while.

Specifically what happens when either the company does not want to sell at the price the Government offers, or the Government wants to avoid "Tipping off".

My thinking on this started some years ago when a story came out in the UK about how Tony Blair and Gordon Brown were going to squeeze more money out of the middle classes to buy votes from the poor and rich (ie promise new faux services for the poor but pay the rich to run the services very profitably).

The bare bones of the story was, raising land taxes is bad news in the UK it topples Governments. So how do you squeeze those who are rich enough to be squeezed but not rich enough to have off shore trusts etc to protect their wealth.

The answer, they were going to get hold of "store loyalty card data" (you are either very middle class or aspirational to have one) and analyse how people spent their money, then use this to calculate land tax in micro and nano regions. A further wheeze was to inspect homes, if you did them up nicely or had a nice view then you would pay surcharges (but it would not go the other way if say the council contractors built a refuse plant at the bottom of your garden). Thankfully the leaking of the "discussion paper" poleaxed the idea.

But once some policy wonk has an idea like that they don't let go, it's just so bad they can only see it as their defining moment to "Dare to go where others have not". It's another PFI moment... So you just know it's going to come back to haunt the citizens yet again.

So I have had quite a time to mull it over, and I concluded, that for it to work as intended then it would have to be done so as not to "Tip Off" the citizenship again.

Thus why not set it up as a "data analytics" business to not just covertly generate the data the Government wants, but to act also as a profit center, to sell on the analytics results to others.

However there is a catch, people en masse behave in odd ways when it comes to debt. There is enough evidence to show that people spend more with a loyalty card than they would otherwise, and worse will buy at a much marked up price because of the expectation of what they are going to spend their loyalty points on... Thus the ownership of a loyalty card is in effect a hole in the pocket for most people out of which they lose a lot.

Now such perverse logic is likely to cause an odd effect. If you assume that the Government did put micro/nano land taxing in based on loyalty card spending, loyalty card spending would go up as people tried to save more money...

And before you think I've a screw loose, have a look at CHP systems, and other utilities where the bill is not individually metered. In almost all cases people over use, to in effect "get their fair share" even if it means opening the windows to let heat out rather than turn the heating down...

So yes I think Governments will buy the data in a covert way, but will also try to make a profit off of it. This however is where the UK and US Governments will differ. In the UK the government will own it and the profit for a while before selling it off at a knock down price. Whilst in the US they will covertly slip the plans to "the favoured few" contributors to campaign funds so they get an overly fat government contract...

So maybe symbiotic is not the right word, perhaps mutually parasitic. A bit like those wasps that lay the eggs in other species...

blake • December 2, 2015 6:19 AM

@Anura

> we need a system for verifying identity that relies on actual secrets

How would you know that the person giving you a verification secret is actually who they claim to be? It might just end up locking victims out of their own data even harder.

Anura • December 2, 2015 1:28 PM

@blake

How do you know that when you walk into a bank, they are actually a bank and not just someone pretending to be a bank to steal all your money?

Pjo • December 3, 2015 6:29 PM

Marilynne Robinson: ‘This is a culture that is saturated with the ability to know, that at the same time turns its back on the whole privilege of knowing.’ 

http://www.theguardian.com/books/2015/nov/15/marilynne-robinson-interview-givenness-of-everything

Seems to me that something similar could be said of privacy -- in America. Not so much in Europe.

Why?

Because in America if it can be monetised it will be. In Europe we are keen to avoid repeating historical mistakes (facilitating any future Stasi, say, though it would be unlikely to be German).

As a European one can only watch slack-jawed at the rhetoric from the fear-mongers running for the Republican nomination for president. The prospect of what one of these could do given access to private data on a large scale would worry me if I was American.

The "story" about government surveillance of store data in the UK sounds to me like the ravings of a paranoid lunatic like Rush Limbaugh or Alex Jones.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.