Life Unlocked

Signing up for identity theft prevention services from LifeLock Inc. may have increased risk for some clients.

The Tempe, Ariz., company, famous for using its chief executive's Social Security number in its advertising as a demonstration of the effectiveness of its service, has agreed to spend $12 million to settle claims of deceptive advertising and unfair business practices, msnbc.com's Bob Sullivan reported in his "The Red Tape Chronicles" column March 9. The claims were brought by the Federal Trade Commission and 35 state attorneys general.

Jon Leibowitz, the FTC's chairman, said at a news conference that any of the one million clients who signed up with LifeLock since 2005 are eligible for a refund of their fees. "We're taking all the money they had," he said.

The FTC took issue with LifeLock's advertising, which it said implies more sweeping protection than the company actually offers. For example, though LifeLock's service could deter identity thieves from opening new loans, it did not address fraud on existing accounts. It also did not address medical and employment identity theft.

Another issue was LifeLock's own security practices, according to the FTC's complaint. While it did not plaster clients' Social Security numbers on billboards, it did not keep that data perfectly secure either, the FTC said. LifeLock transmitted the data in clear text over the Internet, did not have a strong password policy or access controls, did not regularly install security patches and did not use antivirus or antispyware software, the FTC said in its complaint. LifeLock also did not properly secure paper records, it said.

LifeLock's CEO, Todd Davis, told Sullivan that his company no longer engages in any of the practices that the FTC described as risky or deceptive. The settlement "has no impact on current practices or products," he said.

Floor64's tech news blog Techdirt said that one further issue is that many of LifeLock's customers may not have specifically sought out its service.

"LifeLock would prey on firms who had recently had data breaches, and suggest they sign up customers for a 'free' year of LifeLock — thereby putting their data at risk yet again" by making that data vulnerable to LifeLock's own flawed security practices, Floor64's president and chief executive, Mike Masnick, wrote. "Basically, it sounds like rather than protect your identity, LifeLock put you at greater risk."

Keylogging for Kids

Montgomery County, Md., school officials are facing a tricky security situation: keyloggers are being planted on their computers, but since the keyloggers are hardware — not software — antivirus software can't spot them.

The keyloggers in question are small USB devices that are placed between the end of the keyboard cable and the USB port to which it connects, The Washington Post reported March 10. The devices, available online for $69, record every character typed, including passwords.

The issue came to light when the grades of 54 students were found to have been changed in 35 teachers' records at Winston Churchill High School, the Post reported, leading school officials to suspect that students were responsible.

The school system considered using tokens that generate one-time passwords; many companies, including banks, use the same technology to protect sensitive data. Since the passwords expire as they are used, they would be useless to someone who had to retrieve a keylogger later.

However, school officials determined this approach would be too expensive to implement.

Another method they considered — switching off the computers' USB ports — would not work because it would also render the schools' keyboards useless.
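The one-time-password tokens the school system considered defeat a hardware keylogger because each code is accepted once and then retired server-side. The following is an added illustration, not code from any party in the story: a counter-based OTP generator per RFC 4226 (HOTP) and a constructed server that tracks the last accepted counter, so a code captured by a keylogger and typed in again later is rejected. The secret and the look-ahead window size are assumed values for the demo.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpServer:
    """Server-side state for one token: remembers the highest counter it has accepted."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead  # tolerates a few unused token presses (assumed window)
        self.last_counter = -1        # nothing accepted yet

    def verify(self, code: str) -> bool:
        # Only counters strictly after the last accepted one are candidates, so a code that
        # was already consumed (for example one recorded by a keylogger) can never match again.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def replay_demo() -> dict:
    """Constructed scenario: a genuine login followed by a replay of the captured keystrokes."""
    secret = b"constructed-demo-secret-not-real"  # assumed shared secret for this demo
    server = OtpServer(secret)
    typed = hotp(secret, 0)          # the user presses the token and types this code
    captured = typed                 # an inline keylogger records exactly the same keystrokes
    first_login = server.verify(typed)      # accepted: counter 0 is fresh
    replayed = server.verify(captured)      # rejected: counter 0 is already behind the server
    return {"first_login": first_login, "replayed_capture": replayed}
```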

Behind Bars

One of the people behind the massive TJX Cos. Inc. breach, a former programmer for Barclays PLC's Barclays Bank, has been sentenced to a four-year prison term.

Humza Zaman, 33, helped the cybercrime mastermind Albert Gonzalez steal data from TJX, Computerworld reported Friday. Zaman is one of 11 people arrested last year in connection with the theft, and is believed to have received 10% of the $600,000 to $800,000 generated by the scheme.

Zaman's role was to cash out the money obtained from the stolen card data by making automated teller machine withdrawals from fraudulent bank accounts set up by Gonzalez, the article said. Zaman then shipped the cash to Gonzalez after taking his 10% fee.

Zaman pleaded guilty last April to charges of money laundering, unlawful access to computers, identity theft and wire fraud, the article said. In addition to the four-year prison term, Zaman will have three years of court supervision after his release and must pay a $75,000 fine.

In March 2008, while working at Barclays, Zaman offered transaction records to Gonzalez, but that data may never have been used, according to court records. Prosecutors characterized Zaman as being motivated by a drug problem that demanded more money than his six-figure salary could supply.

Secret's Out

A data breach at HSBC PLC's Swiss subsidiary might have put some customers at risk not just for identity theft but also for charges of tax evasion, the Associated Press reported last week.

Information on 24,000 customers of HSBC Private Bank (Suisse) SA was stolen by one of the bank's former tech employees, who French authorities identified as Herve Falciani. The French government said last year that it received account data on 3,000 French clients of HSBC from Falciani and other sources. Though the data has since been returned to HSBC, a company spokesman told the AP that the French government may still have copies.

The affected accounts were opened before October 2006; the stolen information includes data on 9,000 accounts that have since been closed.

The article said foreign account holders could face prosecution by their own governments once the information is exposed, as Switzerland's strict bank secrecy laws are sometimes exploited by tax evaders to hide funds. And while French authorities said the stolen account data they obtained would "not be used inappropriately," the article said that officials have not explicitly said they would not use the data to pursue tax-evasion charges.