Thursday, May 22

Know what you're protecting against

You know that advertisement where the CEO (Todd Davis) gives out his social security number and tells you how secure it is because he uses his company's product to protect his identity information? Well, there have been 20 people who used his social security number to get a driver's license. And there was one "guy in Texas who duped an online payday loan operation last year into giving him $500 using Davis' Social Security number".

Today, I read a few articles (including this one and this one) that suggest that LifeLock should be chastised because it doesn't protect you against everything that one might think it should. My first reaction was to agree with the writers. I always knew there was no way for a product to protect your SSN against any or all unwanted uses. And they shouldn't claim it does. And ha ha for Mr. Davis' identity being compromised.

But then I read Davis' rebuttal, "There's nothing on my actual credit report about uncollected funds, no outstanding tickets or warrants or anything", and I realized that this isn't really a case of a product not doing what it claims to do. It's a case of misaligned expectations about what a product can (or should) do.

It reminded me of all the times I've heard that some strong authentication technique isn't effective because it's susceptible to man-in-the-middle techniques. Sure it is, but that's the wrong problem. SSL was developed to solve that problem. There are certainly issues with SSL (mostly around user experience and education about how it works), but strong authentication is not the answer.

In the same way, there are problems with relying on SSN as authentication. And LifeLock won't protect against that. But, if it keeps your credit report clean, then maybe it's doing what it's supposed to. I haven't really followed the ads and I have no idea what the company promises its customers, but I thought I'd use this opportunity to remind you of the old cliche – there is no silver bullet. Analyze your risks and know which types of threats a security solution will be effective at protecting you against.

Correctly aligned expectations yield happy customers.

3 comments:

Anonymous said...

Very true - and not just a problem in the security or even the applications world. Every time you promise something you have to realize that you have just created an expectation, and you need to manage it.

It just 'hurts' people that much more when their expectations aren't met in the security realm...

Anonymous said...

Matt,
I appreciate your blog post in the sense that I too agree this is a case of mis-aligned assumptions. Nowhere does LifeLock state it will protect you from all identity abuses, and I like to think most people are smart enough to understand the valuable point that there is no silver bullet. If LifeLock did protect against all evils, the company wouldn’t need to offer a million dollar guarantee.

However, LifeLock does offer a second layer of protection for one’s identity. I don’t feel as though I can leave things up to the credit bureaus to protect my identity - I just had to dispute a lien on a property I don’t own in a state I’ve never lived because the credit bureau made a mistake.

In addition to the cases you mentioned, LifeLock is also being sued by Experian which I blogged about here: http://www.gocsiblog.com/?p=261. Experian and other cynics’ number one complaint against LifeLock is that the company charges customers for services they can do on their own for free. Anyone that can read will see this is clearly stated on LifeLock’s Web site: “Some of what we do, you can do yourself for free. The difference is that the only thing we think about is how to protect your Identity. Think of it this way: all of us can change our own oil, but most of us have it done by specialists. We'd like to think that what we do is more complicated than changing oil, but you get the idea.” To see an overview of the services you can do yourself for free or let LifeLock do for you, take a look at my first blog piece on the topic: http://www.gocsiblog.com/?p=242.

Anonymous said...

matt,
well said
the total security solution may or may not ultimately include identity(/credit?) protection services like LifeLock. Identity protection will only be achieved once the cost of fraud is borne by the institutions whose weak identity protections now inflict billions of dollars of fraud loss on US consumers. Asking the consumer to invest in sophisticated and complex identity protection will only mitigate the problem, i.e. 'clean credit report', vs solving the problem, i.e. '20 people running around the country with your identity on their driver's licenses'. Only a minuscule fraction of consumers will have the wherewithal to completely avoid the risk of identity theft as long as the institutions that cause the risk bear little of the financial consequences.