Nick Selby

Fintech Chief Security Officer. Former NYPD apparatchik. Co-author Cyber Attack Survival Manual; In Context: Understanding Police Killings o

Aug 11, 2018
Published on: Medium

It’s no secret that data breaches have become so common that people tend to think, “Oh, another one,” and get on with their lives. What is surprising is how few executives of Internet companies we trust with our data have responded with better authentication to protect users.

Ironically, some of the least-protected sites are those that sell services to protect your identity: credit monitoring sites.

All Americans should assume that their Social Security Number, date of birth, home address, phone number, the vehicles they’ve owned, the schools they’ve attended, their children’s names … all of these “secret identifiers” have long since been compromised and are trivially available to criminals.

Pet names, friends’ names, hobbies, and similar information are just as easy to obtain, sometimes from breaches of other websites to which you’ve given those very answers.

Which is why it is so surprising that leading credit monitoring sites like Lifelock and Experian do not provide what we in the security field have concluded is the only currently effective way to stop account takeover: two-factor authentication, or 2FA.

Lifelock says this is an important issue, but continues not to introduce it. Must be very important.

Remember, Lifelock has every type of data about its members that Equifax had on its members, and then some. And it would appear that Lifelock is as careful with its security as was Equifax.

That consumers can accomplish at no cost much of what Lifelock accomplishes is a separate matter.

When you ask its salespeople why, they’ll tell you that they have layers of security, and they ask lots of secret questions to prevent account takeover. This would be great were the answers to all those secret questions not readily available to criminals at low to no cost.

The answers to all your secret questions are readily available to criminals at low to no cost.

All those moronic “secret questions” are “first-factor identifiers”: they are something you know. As the most junior information security intern understands, a second factor, or “something you have,” means that in addition to your username and password, the criminals need to get hold of either a piece of hardware (like a USB key) or your mobile phone.

The best practice is to use a hardware device (like a Universal Two Factor USB key from a vendor like Yubico, for as little as $10), or at least an application (free) from makers like Google, Microsoft, or Duo Security.

For the user (and the real reason sites like Lifelock won’t implement 2FA is that they’re scared it will cost them too much money on user helpdesk calls, or slow their rate of growth) the experience is simple: When you log in, you enter your username, your password, and then click the Approve message on your authenticator app (or enter the one-time code it generates), or press the lighted disk on your Yubikey.

This offers rock solid protection against account takeover.

In an effort to save money, some credit monitoring sites (like Identity Force) choose, instead of those methods, simply to send you an SMS message. In fact, this may be worse than nothing at all, because stealing your mobile phone number is actually easier than stealing your secret data. Identity Force are also hypocritical bastards for denying this, and for also allowing a reset by leaving you a voicemail.

So why hasn’t it been done? Why haven’t these vendors who claim to be concerned about your data done what security professionals call fundamental first-step table-stakes security?

The only way we will ever know the answer is through public pressure — call your identity protection provider and ask them why. When enough people do that, they will recognize this is a genuine consumer concern, and be forced to act.

Legislators can help, by demanding that sites that hold sensitive information like account data provide strong, and true two-factor authentication.