
LifeLock CEO’s Identity Stolen 13 Times - edw519
http://www.wired.com/threatlevel/2010/05/lifelock-identity-theft?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29&utm_content=My+Yahoo
======
bullseye
I wrote an application for a banking client a few years ago that required a
valid SSN. In addition to using the information available on ssa.gov to check
the validity of a number, I built a simple filter to exclude valid, but
otherwise fraudulent numbers. While none of the steps I took are a bulletproof
measure against identity theft, they do lighten the load a bit.

I cross-referenced the SSN death index to ensure dead people had not risen
from the grave to apply for credit. I also excluded the popular "fake" SSNs
used in advertising
(<http://en.wikipedia.org/wiki/Social_Security_number#SSNs_invalidated_by_use_in_advertising>),
and _I most definitely added Todd Davis's number to the list_. This last step
seemed like a no-brainer given all of the publicity at the time.

While I can understand a small boutique store not going to those lengths to
prevent a fraudulent account, I am a little surprised that AT&T and Verizon
were among the casualties.

~~~
mey
According to the SSNVS service information, you are supposed to only use this
information for correctly completing IRS W-2.

Verifying the SSN using that service for banking (as I'm reading it) is a
clear violation of the system.

Reference (<http://www.ssa.gov/employer/ssnvshandbk/ssnvs_bso.htm>)

If you were using a different service I'd be interested, as we are always
looking for new ways to do validation of accounts.

~~~
bullseye
We weren't able to use the online verification service, which is the reason I
wrote the program I described. It didn't validate a "good" SSN, but rather
filtered out bad ones.

<http://www.ssa.gov/> and <http://www.socialsecurity.gov> both have a lot of
useful information about structure and allocation of SSNs if you are looking
to do something similar.
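
A negative filter of the kind described in this sub-thread, as an added example that is not part of the original posts and is not bullseye's program. The function names, the constructed sample applications and the stand-in "deceased" set are assumptions; the structural rules and the two advertised numbers are publicly documented.

```python
import re

# Numbers publicly documented as invalidated by use in advertising.
ADVERTISED = frozenset({"078051120", "219099999"})

def ssn_reject_reason(raw, denylist=ADVERTISED, deceased=frozenset()):
    """Return why an SSN should be rejected, or None if no filter matched.
    None only means no negative check fired, not that the number is genuine.
    """
    digits = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"[0-9]{9}", digits):
        return "malformed"
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    # Structural rules published by the SSA: these values are never issued.
    # Area 9xx also covers 987-65-4320..4329, reserved for advertising.
    if area in ("000", "666") or area >= "900":
        return "unissued area"
    if group == "00":
        return "unissued group"
    if serial == "0000":
        return "unissued serial"
    if digits in denylist:
        return "publicly known number"
    if digits in deceased:
        return "holder reported deceased"
    return None

def screen(applications, **lists):
    """Map applicant id -> rejection reason for every application that fails."""
    reasons = {}
    for app_id, ssn in applications:
        reason = ssn_reject_reason(ssn, **lists)
        if reason is not None:
            reasons[app_id] = reason
    return reasons

# Constructed sample data: the applicant ids, the "deceased" entry and the
# passing number are made up for illustration.
SAMPLE_DECEASED = frozenset({"212550199"})
SAMPLE_APPS = [
    ("a1", "078-05-1120"),  # advertised number, structurally well-formed
    ("a2", "666-12-3456"),  # area 666 is never issued
    ("a3", "212 55 0199"),  # matches the stand-in death-record set
    ("a4", "212-55-0142"),  # no filter fires
    ("a5", "123-45-0000"),  # serial 0000 is never issued
    ("a6", "12-345-678"),   # only eight digits
]
```

`screen(SAMPLE_APPS, deceased=SAMPLE_DECEASED)` flags every sample application except `a4`.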

------
chime
The entire identity-theft problem can be solved by a very simple mechanism. If
I apply for a loan for a car, the dealer takes my info and tries to run my
credit online. Immediately I get an automated phone call that says "Dealer ABC
is trying to sign you up for service: AUTOLOAN. To allow this service, enter
your 4 digit pin." If I do not have my cellphone, I can directly call a 1-800
number, enter my SSN + PIN and confirm the sign up. I do NOT have to provide
any vendor with my PIN.

Who manages/offers this service? Experian/TransUnion etc. could do this for a
very small fee. Sure, there would be the issue of lost PINs, unavailability of
Internet access, not having your cell on you etc. but I think it could work
very well. Right now, it is possible for someone to find out my SSN# from a
piece of paper from a trashcan and immediately buy a phone in my name. At
least I can change my pin if someone finds out.

~~~
recampbell
Heh.

There was such a product provided by Debix (<http://debix.com>). It relied
upon a law called the Fair Credit Reporting Act which allowed consumers to
place a fraud alert on their credit file, which the creditor was supposed to
call. Debix placed the fraud alert on behalf of consumers, but directed the
creditor to call Debix which delivered the credit request using exactly such
an authentication mechanism that you describe. This was 2003.

Lifelock used the same mechanism (though without the phone authentication,
IIRC). Experian sued Lifelock saying that the FCRA did not allow for
_companies_ to set fraud alerts on behalf of consumers, only consumers were
allowed to set them. In May of last year, a judge agreed with Experian, and
Lifelock later settled and stopped using fraud alerts.
<http://www.finextra.com/news/fullstory.aspx?newsitemid=20078>

Unfortunately, this ruling also meant that Debix could no longer set fraud
alerts, so they had to cancel this product.

The truth is such a product creates friction in the instant credit market,
which is a huge source of income for credit bureaus. So they have very little
incentive to slow that process down and would rather just catch any exceptions
using monitoring.

The credit bureaus are an industry crying out for disruption. These guys are
dinosaurs and are living it large because there is no real alternative.
Unfortunately, they also seem to have plenty of political capital to prevent
any real legislative reform in this area.

Disclosure: I used to work for Debix and have ownership in the company.

~~~
Oxryly
Would you recommend Debix's OnCall service? How does it work?

------
sriramk
The real issue here is everyone assuming social security numbers are meant to
be 'secret'. It is a terrible way to authenticate someone. There have been
recent studies to show how non-random someone's number actually is.

Someone recently suggested the 'nuclear' option of making everyone's social
security number public and forcing all institutions to figure out a better
model. This may be too extreme but something like that may be necessary.

~~~
orblivion
Hell, they might as well. Our college used them as ID numbers for the first
year I was there. We wrote it on all our tests. Forget about it, that stuff
isn't secure.

~~~
RK
My brother had his identity stolen while he was in school. The perpetrator
turned out to be a person who worked in the registrar's office!

When I started grad school they used SSN as the ID number too. I went to the
registrar and asked them to change mine. They said they couldn't do it
because, as a TA, I was considered an employee and they "had to" use my SSN.
You can imagine I wasn't happy.

------
keltex
Unfortunately these "credit monitoring services" are basically useless. The
only real solution is to "freeze your credit" which makes credit inaccessible
to anyone unless you provide an unlock code (which temporarily "thaws" your
credit). The cost ranges from $3-$10 per person per bureau to freeze a credit
report which is considerably cheaper than the $10/month lifelock service. More
information on how to do this here:

<http://clarkhoward.com/topics/credit_freeze_states.html>

~~~
natrius
Isn't that kind of extortion? "We've collected all of this data about you, and
we'll give it to anyone unless you pay us some protection money."

~~~
kareemm
absolutely. i've had "build a better credit bureau" on my ideas list for a
couple years now. it's a multi-billion dollar industry that could be waaaay
more consumer-friendly.

~~~
run4yourlives
It is consumer friendly.

Credit bureaus are designed to protect lenders, not lendees.

~~~
kareemm
lenders are customers, not consumers. but lendees are customers in the same
way facebook's users are customers.

experian and transunion build a business off the backs of consumer data.
consumers are reliant on their records, but generally have to pay to get
access to them, even to correct a report.

like i said - it's a big, staid, slow-changing opaque industry. looking at it
through the right lens makes for a big opportunity.

~~~
run4yourlives
>lenders are customers, not consumers.

I think you need to re-read that, then explain the difference.

A "consumer" is not a class of person, it is the act of being a customer.

------
prodigal_erik
> It’s not fair to [AT&T] because they’re losing a pretty substantial amount
> of money.

AT&T isn't even bothering to check photo ID. Being defrauded is a risk they
have _eagerly_ assumed. Presumably they make more money this way, despite
fraud.

~~~
matwood
Exactly. I put a majority of the blame on these companies that for some reason
can't be bothered to check an ID.

On the back of my debit and credit card I sign it with "Check ID" since the
cashier is supposed to at minimum verify the signature. I've had cards stolen
multiple times and have had them used before I could cancel them. So much for
verifying the signature.

~~~
prodigal_erik
The way I've heard it, your signature on the card is actually your acceptance
of the contract with the issuing bank, so they are Not Okay with "check id"
there instead. The merchant is just expected to verify that the card has been
signed, not try to match signatures (doing that correctly requires very rare
expertise).

~~~
matwood
Obviously I don't expect them to do a point by point comparison of the
signature, but they are supposed to at least make sure it's there. Writing
'Check ID' should get them to check my ID every time, but so few even look at
the card.

This is a funny prank where a guy went out trying to get people to actually
look at the back of the card :)

<http://www.zug.com/pranks/credit_card/index2.html>

------
ajg1977
Shocking! Next we'll probably find out that the guy from Video Professor
doesn't actually have a doctorate..

~~~
orblivion
Well you gotta admit, you can't accuse this guy of lying, or not putting his
money where his mouth is.

~~~
mahmud
Your American "identity" is a very cheap business expense if you know you have
an "offshore" ID, accounts, and private Island. Cash out, burn house and move
out.

------
ciupicri
There's something that I don't understand about these identity theft cases. If
I didn't really sign any document, why should I be held responsible just
because someone else used something public (non-private) about me?

P.S. To be more clear: the company giving the loan should prove that I signed
the documents, not I that I didn't sign them. The presumption of innocence if
you will.

~~~
smallblacksun
Legally, you aren't. The issue is the time and expense in proving that you
didn't sign anything.

~~~
matwood
This is why I think companies that incorrectly send you to collections or give
credit to someone using your identity should not only be on the hook for the
money they lost but also liable to the person they are forcing to clear their
name.

Years ago I rented at a crappy apartment complex. When I left their check out
basically meant you always owed them ~$200. I paid and moved out of state. 6
months later I get a collections call saying I didn't pay the bill. I told
them I paid it, she said it wasn't and said it was going on my report unless I
paid that day. Luckily I paid by check and my bank (like all banks I guess
now) keeps canceled checks online for pretty much ever. So now I had to go
back 6 months and find this check then call the apartment then the collections
agency, etc... A HUGE hassle and time waster for me all because the apartment
complex employed incompetent people.

The kicker was that the girl trying to collect from me said "people make
mistakes and you can't blame them." Um, when I make a mistake and forget to
pay a bill you guys jump all over me. You make a mistake and it's still my
problem to solve.

------
jsdalton
I knew I'd seen this ad somewhere before:
<http://37signals.com/svn/posts/353-fly-on-the-wall-lifelock-motionbox-print-stylesheets-shoe-repair-posts-dordoni-table-and-daring-fireball-ad>

~~~
ajg1977
I think you're probably just being snarky, but it is a pretty great marketing
concept.

After all, it's not always the case that product->quality ==
marketing->quality.

~~~
jsdalton
Actually, I remember reading it and having the exact same reaction the 37
signals guys did in their thread -- so I certainly wasn't immune to the
marketing ploy myself.

------
pwhelan
If it has only been 13 times, he's lucky. Don't go challenging criminals to
screw you over and giving them a crucial piece of information.

Got what he deserved, especially considering he was fined for deceptive
advertising because of crappy security.

~~~
jotto
i guess this could serve as a kind of honeypot so the company can observe the
attacks on this guy and then improve the service. but according to the FTC in
this article their service doesn't work so apparently it was nothing more than
a marketing stunt.

------
smiler
Good job he's got a $1 million compensation fund to cover him.

~~~
recampbell
Read the fine print. This covers Lifelock's costs in trying to restore your
credit, not any losses you sustain due to having your identity stolen.

<http://www.lifelock.com/our-guarantee>

Money quote: "Under the Terms and Conditions, NO money passes directly to our
LifeLock members."

<http://www.lifelock.com/about-us/about-lifelock/terms-and-conditions>

"LifeLock will retain and pay for those third party professional services that
are reasonably necessary in LifeLock's judgment to assist you in restoring
losses or recovering your lost out-of-pocket expenses caused by such fraud."

Disclosure: I worked for and have ownership in a competitor to Lifelock.

~~~
alexyim
"Policy change!"

------
DanielBMarkham
Davis -- the human identity-theft honeypot.

We need more of him.

~~~
Tichy
Maybe he could have used a fake SSN that says "fraud going on" loud and clear.
Are honeypot SSNs possible?

------
kwyjibo
It's really funny that a SSN is enough in the USA to get somebody else in so
much trouble.

Doesn't work in the other countries, as long as you don't send in copies of
your passport or identity card to claim a fake lottery win ;).

------
pedalpete
What I find so surprising is the low dollar amounts that were racked up.

Sub 10k in fraudulent charges on an SSN that is published? Like this?

According to Wikipedia, Identity theft doesn't result in the high dollar
figures I was expecting
<http://en.wikipedia.org/wiki/Identity_theft#Spread_and_impact>

------
lukeqsee
This goes to show how crafty identity thieves really are -- and how stupid it
is to let them get any bit of private data. If they can steal his identity,
why not yours? He has staked his reputation on LifeLock's services, and lost.
Maybe this will knock some sense into the share-all generation.

~~~
pxlpshr
Exactly why people have a right to be up in arms about Facebook changing
privacy policies without allowing users to opt-in voluntarily.

Identity theft is a serious issue, most young techies haven't been a victim
simply because time and risk haven't converged. It can impact your life for
years, making it extremely difficult to get a mortgage, car loan, or even land
a job in some cases.

~~~
lukeqsee
Yup. I myself am a "young techy"; I started out not caring about the little
bits of data I let out. But now I'm really clamping down, identity theft is
too real to take a risk.

------
robinduckett
Similar thing happened to Jeremy Clarkson when he put his full bank account
details in his newspaper column, thinking that no one could actually withdraw
money from his account - he was wrong, someone used his details to sign up for
charity direct debits.

------
rmorrison
While there are obviously some issues with LifeLock, I really appreciate the
confidence he has in his product.

I wish there was a way for all CEOs to do something similar. Too bad it's kind
of difficult for, say, a social web service.

------
maxklein
Why don't you just implement ID cards like in Europe and skip this social
security nonsense? An ID card has your face and height on it, making it more
difficult for someone to pass as you.

------
melling
Seems like <http://www.lifelock.com> is getting a little slow.

Everyone is seeing if his ss# is still there?

------
RabidChihuahua
Oh...so much for that security.

