Jan 19 2008
I’m not the only one who sees the irony
Dan Goodin was at the Fortify documentary earlier this week and draws some of the same conclusions I do about the loss of JC Penney’s customer data. And more importantly, he actually knows the names of the players, something I’m terrible at remembering.
NotEnough commented on my earlier post that GE Money is offering a year’s credit monitoring for those affected, which he says is not long enough. He’s specifically talking about SSNs, which don’t have an expiration date and can be set aside for a year or two, then used to commit identity fraud when no one’s actively looking for that data set anymore. This is part of why statistical correlation between a specific breach and identity theft is so hard to establish. I’d like to see if anyone has done an academic survey of the difference in level of identity theft in populations that have been victims of a breach and the general population, specifically over the long term.
It’s becoming more obvious to me that despite many companies’ best efforts, my data is going to be at risk at some point in my lifetime. That feels cynical, but as a security professional, I know it’s just realistic. There are too many places that my data is being stored, too many connections being made, too many possible points of failure in the systems. I’ve never been a big fan of paying a monthly fee to make sure my credit is safe, but given that my information may already be a commodity somewhere in cyberspace (or Russia), a small inconvenience and a few dollars a month might not be a bad price to pay for peace of mind. Corporate America obviously can’t keep my data and credit safe, so it’s up to me to take steps of my own.
Rich Mogull recently switched to Debix and I’ll get him to talk about why and what they offer on the next podcast. At this point, I’m not even sure what the proper questions are to ask when choosing a credit protection service, but I’m sure Rich’ll help me understand. I already know I’m not going to choose LifeLock, but I am interested in knowing what other solutions are out there. I want something I can live with long term, especially since the problem isn’t going to go away any time soon.
The two main competitors to LifeLock are Trusted ID and the LoudSiren Debix team. If you choose the latter, sign up through LoudSiren and in addition to the $25,000 AIG insurance you will have a $1,000,000 Debix guarantee. The important questions to ask are: what does the insurance cover, and how strong is the guarantee? How do the fraud alert systems differ in terms of approving your credit or declining a thief? What is the price in year one and in subsequent years? LoudSiren is the best value, but Trusted ID does have an extra option to freeze your accounts that may be a selling feature for some. They do charge extra though, $154.5 compared to $99. Prices are cheaper in the first year, 109.95 and $89, if you use an affiliate link such as the one at http://www.identitytheftlabs.com. Identity Theft Labs also has a good comparison chart and reviews. It is important to distinguish between sizzle and steak, cake and icing. All offerings have value added features.
I have to agree with you one hundred percent. Our information is out there and is likely to be compromised. This is why identity insurance is a must. Fraud alerts are definitely the best protection available but not foolproof. Credit monitoring is not proactive and not a solution. It can mitigate the damage though. Freezes are another option but are best reserved for those who have experienced an attack. Hope this gives you some ideas about what to talk about.
So who’s watching (or regulating) the credit/identity monitoring companies? I’ve considered the possible value these services might have for me as well, but I can’t help thinking, “Who’s watching the watchers?” What happens when one of these companies loses a tape with thousands of SSNs, account info, etc…? Thanks for the link to identitytheftlabs.com, although why should I believe the information presented there when there is no way to identify who is operating the site? Who knows, maybe Gideon Yu and Launny Steffens own all three of these service/insurance providers.
“Identity insurance”? Is that anything like “Alien Abduction Insurance”? No disrespect meant, but where does it end?
I am not nay-saying the idea of proactively monitoring (being responsible?) for one’s own identity and information. Reality is that there will always be incidents like “lost tapes” that go unreported because someone thought, “It was just one tape. No big deal.”
I enjoy your blog and look forward to continued discussions.
Peace and Cheers,
Mark T. Palmer