“I’m Todd Davis, CEO of LifeLock. And ..-…-…. is my real social security number.”
This was the full-page advertisement in the New York Times Sunday magazine. Except that in the ad the SSN was not blanked out, and this was no careless redaction error. LifeLock had developed an identity theft solution so reliable that the CEO was willing to disclose his own social security number to prove it. Brave indeed: an exposed SSN is far more dangerous than an exposed credit card number, for several reasons. The card networks have already accepted the risk of payment card fraud and absorb the losses (at least in the US; your mileage may vary by jurisdiction), cards can be revoked, and the damages are bounded by the spending limits on the cards. The SSN, on the other hand, enables so-called “new account fraud” because it is used as an authenticator: knowing the SSN for a person counts as proof of being that person. Lenders are happy to extend credit based on this ludicrous authentication protocol, and there is no Visa/Mastercard to underwrite that risk by refunding consumers for losses. (Full disclosure: more on this distinction appears in a chapter this blogger contributed to an upcoming book by Stanford Press.)
This distinction has implications for a breach. Having a credit card number made public is easily recoverable, often with minimal damage. In the 2006 FTC Survey on identity theft, the median losses from existing card fraud were exactly $0. It would not be quite as impressive if the LifeLock CEO had published his credit card number in the newspaper, although doing so might run afoul of the card-holder agreement if it contains any requirements for “due diligence” in security. But the social security number is an identifier US residents are stuck with for life. It cannot be revoked or easily changed. If any protection service could control the risk to the point that an individual can publish their SSN in a newspaper, that would have been a major breakthrough.
Today a Wired article shows it’s too early for celebration. LifeLock is getting sued on behalf of three customers who claim that the service does not work. The attorney filing the charges points to the fact that there have been 87 attempts to fraudulently use the identity of the CEO, including one where the perpetrator succeeded in taking out a payday loan in Texas. In addition the article concedes:
“Davis said it’s possible driver’s licenses have been issued to other people in his name because of the widespread availability of his personal information – and because of what he described as the flimsy mechanisms in place to report that kind of fraud.”
This is not completely surprising: virtually all of the identity theft protection services depend on the triumvirate of credit bureaus for detection. Any new loan application will be reported to these companies (in fact, even the existence of a credit check prior to granting the loan is recorded), and the records can be queried periodically. But a new driver’s license will not appear on the radar. The underlying reason is that the SSN is used in an open, distributed ecosystem without a centralized clearing point. Payment card networks have complete visibility into all transactions involving the card. Actions involving the SSN can only be reconstructed by putting together fragments of records from data brokers such as the credit reporting bureaus, Acxiom, ChoicePoint and Seisint (now owned by LexisNexis). The case against LifeLock suggests that this patchwork solution is far from being a reliable identity theft defense.