Please don’t buy this: identity theft protection services

With an ever-increasing tempo of third-party breaches spilling consumer data all across the dark web, a natural impulse for a security-savvy user is to do something proactive to protect their sensitive information. After Equifax, there was an explosion of interest in credit monitoring and identity theft protection services. But most of these services offer limited value for the money, and in many cases, are subsidiaries of entities prone to leaking information in the first place. Sometimes doing something isn’t always the best option.

What do they do?

Before we get into the problems with identity theft protection services, let’s break down which services are actually offered, and in exchange for what. Identity protection services usually start by collecting your personal information, including the following:

  • your birthdate
  • your social security number
  • your address
  • your email address(es)
  • your phone number(s)

A company like Lifelock would then use “proprietary technology that searches for a wide range of threats to your identity.” (Sidenote: Subsuming an entire discussion of one’s product under “technology that searches” is usually a red flag, albeit a small one.) If any threats are found, they will notify you and provide some handholding to rectify the situation. In addition, they offer an insurance policy that provides reimbursement of any monetary losses. Starting price for these services runs around $109 per year.

IdentityWorks is another service run by one of the major credit bureaus, Experian. IdentityWorks has an introductory product for $9.99 per month that offers credit monitoring, a credit lock (something different from a freeze), identity theft insurance, and a customer service line for fraud resolution.

IdentityForce tends to be ranked higher in comparison to other services. They provide credit monitoring, bank account monitoring (not found in most other products), change of address monitoring, court record monitoring, as well as general personal information protection. Their recovery services are mostly the same though, including a customer service line for fraud resolution, identity theft protection insurance, and stolen funds replacement up to $1 million, depending on where you live. Standard cost is $17.95 per month.

Why shouldn’t I buy it?

Brian Krebs, a security researcher who’s arguably one of the biggest public targets for identity theft and financial crime, wrote a blog on credit monitoring services, stating that while some of these and other ID protection services are helpful for those who’ve already been snaked by ID thieves, they don’t do much to prevent the crime from happening in the first place.

Searching the darknet for your personal information is something advertised by almost all of these companies. What they don’t disclose is that a darknet site is almost always hosted on a “bulletproof” hosting service that will not respond to takedown requests or legal threats. So while essentially anybody can fire up the TOR browser and find your social security number on a dark website, almost nobody (including those in ID protection services) can actually do anything about it. All they can do is alert you.

Our big issue with paying for an identity theft protection service—besides the fact that the service doesn’t actually protect against identity theft—is that the insurance you would be forking out for is coverage most users already have under Visa and Mastercard zero liability rules. Another is the narrow focus on credit, typically to the exclusion of bank accounts, mortgage loans, and tax fraud. Lastly, account application notifications can’t actually prevent creditors from doing a “hard pull” on your credit, which dings your credit score.

Who else is looking at your data?

Somewhat more concerning is the lack of transparency concerning where these companies draw their data for analysis and alerting. Lifelock, in particular, outsources its credit monitoring services to… Equifax. In September of this year, the LA Times reported the relationship with Lifelock and Equifax, noting that in some instances, purchasing services would require the end user to give Equifax more information than it would otherwise have.

Does anyone, anywhere, want to give more personal data to Equifax?

How many competing companies also rely on the credit bureaus for monitoring services? While Equifax was the loudest and most recent breach in memory, odds are good that the other credit bureaus operating on an identical business model have identical security practices. As a reminder, Experian offers its own service, IdentityWorks, backed by data services it does not disclose and personal information you did not consent to give.

As well as the red flags above, there’s some slightly more ambiguous questions regarding these services that users should evaluate before purchase. For example: Is it a responsible threat model to protect against third-party data breaches by handing over, even more, data to a third party? Doesn’t that create ostensibly the biggest online target in the world?

And looking at the problem from another angle: If the biggest players in the industry rely on agreements with credit bureaus to do at least a portion of their monitoring, why aren’t the bureaus doing this for all of us? Given that Transunion, Equifax, and Experian took it upon themselves to collect our financial data without consent, don’t they have a responsibility to protect it with industry standard best practices? As a reminder, Equifax was not breached by an arcane APT attack. They were breached by negligence.


Identity theft monitoring services sound great on the surface. They’re not that expensive and seem to provide peace of mind against an avalanche of ever-more damaging breaches. But they don’t, at present, protect against the worst impacts of identity theft—the theft itself. Instead, they duplicate free services and, worst of all, let the credit bureaus off the hook for improving their security.

Please don’t buy this. Instead, you can stay relatively safe by learning about credit freezes and other steps to take in order to protect your identity when data is stolen or tax fraud is committed.

This is a Security Bloggers Network syndicated blog post authored by William Tsing. Read the original post at: Malwarebytes Labs

5 thoughts on “Please don’t buy this: identity theft protection services

  • November 28, 2017 at 3:32 pm

    As someone who has been in the security industry for almost 30 years, this has to be one of the worst articles I’ve read regarding security in a very long time. Truly one of the dumbest conclusions I’ve ever read.

    You simply cannot get the same level of protection and more specifically the services to help you resolve an issue when it does happen from the “free” offerings and credit freezes. I’m guessing the author (William Tsing) has never had to try and recover his identity after having it stolen. It’s not easy and can take months to try and do it on your own. With a service like LifeLock (my personal preference) it can be addressed in a couple of hours to at most a couple of days. I should know…I’m in their commercials telling my story.

    I will agree that services like LifeLock won’t prevent your identity from being stolen 100% of the time, but it will greatly reduce the potential for compromise. More importantly, as stated earlier, they have teams of agents to assist you for when something does happen.

    IMHO – Based on the above, Mr Tsing should be removed from submitting articles to security publications until he gets a clue.

  • November 28, 2017 at 3:50 pm

    Dennis, you have your opinion and Mr Tsing has his. The fact that you advertise for Lifelock makes you less than impartial yourself. I have heard good and bad about Lifelock and similar services

    • November 29, 2017 at 12:35 pm

      The fact I give an unpaid testimonial and am not a paid actor or advertiser shouldn’t mean a thing. If you’ve ever had to recover from an identity theft you would understand why this article is crap.

      I’ve also heard good and bad about Lifelock and other similar services. That shouldn’t matter. There’s always going to be pros an cons for any and all services including antimalware/antivirus, firewall, web filtering, operating systems, etc. The point of identity theft protection services is to provide consumers with protection and remediation. Are they 100% effective at keeping your identity from being stolen? No. And if anyone made that claim they’d be a moron. Just like no antivirus software will keep your system 100% safe from malware. Even with machine learning (AI) being included or featured in many solutions…they still aren’t 100% effective.

      My comment about this being one of the worst articles regarding security still stands even with your “impartial” comment. What you’re missing is the fact that Mr Tsing is making a purchasing statement which many people will consider him to be an expert because he is shown to be in an informed and expert in the industry – regardless of his actual skills, abilities, or knowledge….which I am publicly challenging and questioning. I’m not afraid to go head to head with anyone via phone, webinar or on a stage. I’ve been doing this for a long time and will gladly admit when I’m wrong but will also defend my stance when I know I’m right. If anyone wants to discuss this they only have to contact me and we can have an intelligent conversation.

      • November 29, 2017 at 12:41 pm

        Dennis don’t assume you are the only one who has suffered identity theft. I have and so have millions of others. Whether paid or not, you are spokesperson for this company and therefore subject to scrutiny as such. I don’t know the author of this article, but you disparaging him personally is not very professional, sorry.

        • November 29, 2017 at 4:16 pm

          Alan, never said I was the only one and never made a claim stating anything of the sort. Not sure why you think I’m making an assumption like that.

          I understand my stance as a person in their commercials and how I am perceived as a spokesperson which makes me subject to scrutiny…just as an author who writes an article is also subject to the same kind of scrutiny. It comes with the territory of publishing, be it an article, writing a book, posting a blog, or any other means of public exposure. When you go public with anything you put yourself and your reputation on the line with every post, blog, article, etc.

          I’m sure I’m not the only person who feels this way but apparently I’m the only person who decided to say something and as you are a perfect example for proving my point…made myself open to public scrutiny. Which I’m guessing is the reason why nobody else posted anything.

Comments are closed.