Exclusive: Many ID-Protection Services Fail Basic Security
For a monthly fee, identity-protection services promise to do whatever they can to make sure your private personal information doesn't fall into the hands of criminals.
Yet many of these services — including LifeLock, IDShield and Credit Sesame — put personal information at risk, because they don't let customers use two-factor authentication (2FA). This simple security precaution is offered by many online services.
Two-factor authentication often involves a smartphone and a computer. Credit: Golubovystock/Shutterstock
Without 2FA, anyone who has your email address and password — which might be obtained from a data breach or a phishing email — could log in to the account for your identity-protection service and, depending on how the service protects them, possibly steal your bank-account, credit-card and Social Security numbers.
"An identity-theft-protection service has two things of value to an attacker: The personal information that can be used to steal your identity is all in one place, and it's also where you log in to set up notifications for the service," said Wendy Nather, principal security strategist at Duo Security.
"So, if someone can log in to that account, they can get the information they need to steal your identity, and at the same time, they can turn off or redirect the alerts that the service might have sent you," she added. "It's like giving a burglar the key to your home alarm system."
ID-protection companies respond
Two-factor authentication is often necessary, because people are sloppy with passwords, and criminals have already grabbed hundreds of millions of username-password combinations.
Of the six identity-protection services we recently reviewed, only two, IdentityForce and ID Watchdog, offer two-factor authentication to their customers. A third, Identity Guard, offers 2FA on its mobile apps but not its website. The other three could tell us only that they were considering the feature.
IdentityForce does this the right way. Screenshot: Brian Nadel/Tom's Guide
LifeLock, the largest identity-protection service, responded to Tom's Guide with the following statement:
"Implementing two-factor authentication for LifeLock is a priority, and we are working to make that security option available to our subscribers. In the interim, LifeLock subscribers may take advantage of additional security options such as thumbprint recognition."
"We are actually exploring various implementations of 2FA right now," said Credit Sesame. "I cannot say at this point that we will have 100 percent of our accounts covered by 2FA by a specific period of time, because we have many accounts that are not covered today. We would, at a minimum, like to make 2FA an option for 100 percent of users in the near future."
"IDShield does have two-factor authentication on its backlog of items to build/provide for their members," said an IDShield spokesperson. "They do not yet have a launch date for when this will be available."
Why 2FA is so important
Two-factor authentication adds a new step to the website login process, especially when you're using a new computer or logging in from a new location. In addition to your regular password, you'll need to enter a code texted to your mobile phone or generated by a smartphone app, or plug in a physical USB security key made specifically for 2FA.
LifeLock has a great interface, but there's something missing. Screenshot: Brian Nadel/Tom's Guide
Once you've used two-factor authentication successfully, the website will offer to "recognize" the new computer so you won't have to use the second factor again on that device. The whole method makes it much harder for random thieves to hijack your account, even if they have your password.
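As an added illustration that is not part of the original article, the Python sketch below shows the two mechanisms just described: checking a six-digit code generated by an authenticator app (the standard RFC 6238 TOTP algorithm, exercised with that RFC's published test secret) and remembering a device after a successful second factor so it is not asked again. The `LoginService` class, user names and token handling are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=30, digits=6):
    """Time-based code (RFC 6238): the counter is the current 30-second slot."""
    return hotp(secret, now // step, digits)


def verify_totp(secret, submitted, now, step=30, window=1):
    """Accept the current slot plus `window` slots either side to absorb clock skew."""
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, now // step + delta), submitted):
            return True
    return False


class LoginService:
    """Hypothetical service that remembers a device after the second factor succeeds."""

    def __init__(self):
        self.remembered = {}                     # sha256(device token) -> user

    def remember_device(self, user):
        token = secrets.token_urlsafe(32)        # kept server-side only as a hash
        self.remembered[hashlib.sha256(token.encode()).hexdigest()] = user
        return token

    def device_is_known(self, user, token):
        if token is None:
            return False
        return self.remembered.get(hashlib.sha256(token.encode()).hexdigest()) == user


def login(svc, user, password_ok, secret, now, code=None, device_token=None):
    """Password first; the second factor is skipped only for a device this user verified."""
    if not password_ok:
        return "denied", None
    if svc.device_is_known(user, device_token):
        return "ok", device_token
    if code is not None and verify_totp(secret, code, now):
        return "ok", svc.remember_device(user)   # the device stores this token for next time
    return "second_factor_required", None
```

A stolen password alone now yields only "second_factor_required"; the attacker also needs the app-generated code or the remembered-device token.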
Amazon, Apple, Facebook, Google, Microsoft and Twitter all offer 2FA. So why not these services?
"A criminal can steal or guess a password, but they are far less likely to be able to capture your text messages or unique tokens generated by an app on your smartphone," said Chester Wisniewski, principal research scientist at antivirus firm Sophos.
In the past few years, numerous high-profile online services — including Amazon, Apple, Dropbox, Facebook, Google, Microsoft, Twitter and Yahoo — have begun to offer 2FA to their users. Many banks use the security feature as well. Like identity-protection services, most of these services hold and protect valuable personal information about their users.
"Multifactor authentication should be available on nearly every service and platform, especially those that deal with sensitive personal or financial information," Wisniewski said. "Phishing is incredibly hard to defend against, and 2FA or multifactor authentication is our most effective defense."
Putting your identity at risk
When you sign up for an identity-protection service, you give the service many valuable pieces of information so that it can monitor online criminal marketplaces for any sign that the information has been stolen.
These pieces of information may include your full name, your place and date of birth, your current address, several previous addresses, your Social Security number, your telephone number, your passport and driver's-license numbers, and the numbers of your bank and credit-card accounts. If you're signing up for a family plan, the service will need the same information for your spouse or partner and, in applicable categories, for your children.
Granted, most of the services will at least partly obscure your Social Security number when they display it on the website after you log in. But while IDShield and LifeLock replace all nine digits of a Social Security number with asterisks or dots, Identity Guard displays the last four digits, the only somewhat random part of most Social Security numbers.
That may not seem like such a big deal, but until 2011, the first five digits of a Social Security number were determined by which state issued the number and roughly when it was issued. Unfortunately, Identity Guard displays the issuing state and time period on the same screen as the last four digits of the Social Security number. With that additional information, you could guess the entire Social Security number pretty quickly, especially if it was issued in a small state.
Identity Guard tells you too much about your Social Security number. (We added the black rectangles.) Screenshot: Brian Nadel/Tom's Guide
All of the services also have access to your credit files with one or more of the credit-reporting agencies, and these files contain much of the personal information mentioned above. Some identity-protection services ask for access to your Facebook, Twitter and other social media accounts, so that they can monitor those as well.
"These companies are a treasure trove for crooks and need to be super vigilant," Wisniewski said, adding that someone who broke into your identity-protection account "could disable or redirect your notifications of fraud and pretty much gain access to everything necessary to steal your identity."
An overdue change
None of the identity-protection services that lacked 2FA would tell us why they hadn't adopted it yet. But the security experts we spoke to agreed that it's overdue.
"I checked out LifeLock this morning," said Sean Sullivan, a research analyst at antivirus maker F-Secure. "It's surprising not to see 2FA/MFA offered. At the very least, their own apps could be used as the additional factor — there's no need for an additional 3rd-party auth-app."
"Now that it is 2018, it is time for multifactor to be available everywhere, especially where financial or personal information is involved," Wisniewski said. "People deserve the opportunity to opt in to being safer. I don't like the trend that I can secure my Facebook and Twitter identity, but not my actual identity."