Life Unlocked
The Tempe, Ariz., company, famous for using its chief executive's Social Security number in its advertising as a demonstration of the effectiveness of its service, has agreed to spend $12 million to settle claims of deceptive advertising and unfair business practices, msnbc.com's Bob Sullivan reported in his "The Red Tape Chronicles" column March 9. The claims were brought by the Federal Trade Commission and 35 state attorneys general.
Jon Leibowitz, the FTC's chairman, said at a news conference that any of the one million clients who signed up with LifeLock since 2005 are eligible for a refund of their fees. "We're taking all the money they had," he said.
The FTC took issue with LifeLock's advertising, which it said implies more sweeping protection than the company actually offers. For example, though LifeLock's service could deter identity thieves from opening new loans, it did not address fraud on existing accounts. It also did not address medical and employment identity theft.
Another issue was LifeLock's own security practices, according to the FTC's complaint. While it did not plaster client's Social Security numbers on billboards, it did not keep that data perfectly secure either, the FTC said. LifeLock transmitted the data in clear text over the Internet, did not have a strong password policy or access controls, did not regularly install security patches and did not use antivirus or antispyware software, the FTC said in its complaint. LifeLock also did not properly secure paper records, it said.
LifeLock's CEO, Todd Davis, told Sullivan that his company no longer engages in any of the practices that the FTC described as risky or deceptive. The settlement "has no impact on current practices or products," he said.
Floor64's tech news blog Techdirt said that one further issue is that many of LifeLock's customers may not have specifically sought out its service.
"LifeLock would prey on firms who had recently had data breaches, and suggest they sign up customers for a 'free' year of LifeLock — thereby putting their data at risk yet again" by making that data vulnerable to LifeLock's own flawed security practices, Floor64's president and chief executive, Mike Masnick, wrote. "Basically, it sounds like rather than protect your identity, LifeLock put you at greater risk."
Keylogging for Kids
Montgomery County, Md., school officials are facing a tricky security situation: keyloggers are being planted on their computers, but since the keyloggers are hardware — not software — antivirus software can't spot them.
The keyloggers in question are small USB devices that are placed between the end of the keyboard cable and the USB port to which it connects, The Washington Post reported March 10. The devices, available online for $69, record every character typed, including passwords.
The issue came to light when the grades of 54 students were found to have been changed in 35 teachers' records at Winston Churchill High School, the Post reported, leading school officials to suspect that students were responsible.
The school system considered using tokens that generate one-time passwords; many companies, including banks, use the same technology to protect sensitive data. Since the passwords expire as they are used, they would be useless to someone who had to retrieve a keylogger later.
