Theft Protection Service Puts Users

Theft Protection Service Puts Users' Identities in Jeopardy

A service known to protect the identities of users is now realizing it might have made its users vulnerable to attack.

LifeLock's identity theft protection service suffered from a security flaw that made users' identities vulnerable to potential attackers. The even forced its parent company, Symantec, to pull part of its website down to fix the issue after it was notified by KrebsOnSecurity.

“It is a bit ironic that LifeLock is a security company focused on helping 4.5 million consumers protect their online identities," Pravin Kothari, CEO of CipherCloud said. "They need to be on top of cyber defense best practices. This poor set-up seems to have allowed anyone to harvest all of the LifeLock subscriber emails, potentially for a phishing campaign or worse."

According to Krebs, Atlanta-based security researcher Nathan Reese discovered the vulnerability when he received a newsletter from the service. Upon clicking "unsubscribe," a page that clearly showed his subscriber key popped up. That allowed Reese to write a script that sequences numbers, which was able to pull keys and their corresponding email addresses from the service.

“This is a poor programming practice, not a misconfiguration," Mounir Hahad, head of threat research at Juniper Networks said. "On a positive note, it’s good that only email addresses were leaked. These are still valuable, but not as valuable as if names were associated with them. Single email addresses with names, or even a few hundred, might not have much street value on the dark web, but a list of several million could fetch a few thousand dollars."

Hahad explains that the trouble begins when email address and subscriber IDs are cross referenced with the billions of previously leaked online accounts from other incidents, such as the Yahoo leak in 2013.

"From there, phishing campaigns can be very persuasive and may lead to people unknowingly handing out their passwords to scammers," Hahad said.

How could this have been avioided? Kothari says LifeLock should do what the financial industry does.

"They regularly hire white hat hackers to penetration test their network and external defenses," Kothari said. "This is exactly the sort of incorrect set-up and misconfiguration a reputable penetration tester would have likely discovered. It would have been quietly fixed by now - no harm, no foul. All of this hoopla over the huge potential exposure of LifeLock customer data was totally avoidable.”

About the Author

Sydny Shepard is the Executive Editor of Campus Security & Life Safety.

  • ONVIF is Reaching New Heights ONVIF is Reaching New Heights

    In this episode of SecurPod, Ralph C. Jensen and Leo Levit talk about the organization’s addition of GitHub and the milestone of more than 20,000 conformant products, as well as two Release Candidates. We also talk about the challenges ONVIF faced during this COVID-19 year and the biggest challenges they have faced.

Digital Edition

  • Security Today Magazine - May June 2021

    May June 2021


    • Tapping into Touch-free Digital
    • Deep Learning
    • Working from Home
    • Body-worn Technology
    • A Tragic Turn of Events

    View This Issue

  • Environmental Protection
  • Occupational Health & Safety
  • Infrastructure Solutions Group
  • Spaces4Learning
  • Campus Security & Life Safety