The controversial identity theft protection company LifeLock says it has pulled down LifeLock Wallet from app stores over concerns that the app is not compliant with payment card industry standards.
A blog post from LifeLock CEO Todd Davis said all customer data would be deleted from the company’s servers and from the app itself when a user opens the app.
Davis said there was no loss of data, but that removing the app until it is fully compliant with payment card industry data security standards (PCI-DSS) is “the right thing to do.”
“We have taken steps to delete all stored information for the mobile app from our servers. Even though we have no reason to believe the data has been compromised, we believe this is the right thing to do.”
LifeLock Wallet was billed as a way to securely store personal data on mobile devices – such as your Social Security number, driver’s license, credit cards, and passwords.
LifeLock released its wallet app after purchasing the mobile wallet platform Lemon in December 2013 for $42.6 million.
News of the app’s removal from the Google, Apple and Amazon app stores caused LifeLock’s stock to drop by 17% in the two days after the announcement on Friday, 16 May, according to Business Insider.
A LifeLock filing with the US Securities and Exchange Commission (SEC) says the company believed the app’s non-compliance with PCI-DSS would result in a violation of its 2010 settlement with the Federal Trade Commission (FTC) over false claims about its products.
“Our consent order with the Federal Trade Commission (FTC) sets forth certain requirements for the security practices of LifeLock and all of its subsidiaries and for our representations to consumers about those practices.
“On May 15, 2014, on our own initiative, we informed the FTC Staff of these issues, and we expect to receive further requests for information from the FTC about these issues.
“It is possible that this PCI non-compliance of the Wallet mobile application could result in a determination by the FTC that we are not in full compliance with our FTC consent order.”
LifeLock’s spotty history
LifeLock’s CEO, Todd Davis, gained notoriety for his company after publicly displaying his Social Security number in ads and daring anyone to steal his identity – which he said was protected against theft by his product.
In fact, someone did steal his identity in 2007, using Davis’s name to secure a $500 loan.
LifeLock’s 2010 settlement with the FTC, which cost the company $12 million in fines, was a result of misleading ads that pledged the company could “guarantee” its customers would be protected against identity theft (the guarantee came with a $1 million backing).
In fact, the FTC said, the protection “left enough holes that you could drive a truck through it.”

The company’s legal worries extend beyond its FTC settlement.
LifeLock has been sued more than 80 times in recent years, including a class action brought by shareholders claiming the company has violated its 2010 settlement with the FTC, according to Courthouse News Service.
In March 2014, LifeLock’s former chief information security officer sued the company, claiming he was fired after he objected to the company allegedly turning off ID theft alerts for its elderly customers in order to reduce the number of calls to its customer support center.
The lawsuit also claims that LifeLock’s security practices were so inadequate as to constitute “fraud” against its shareholders.
Despite the company’s mounting problems, Davis promised that LifeLock Wallet will be back.
Quick tips to prevent identity theft
Here are some simple tips to protect your identity, provided by the Identity Theft Resource Center.
- Create unique, strong passwords for all your online accounts: use at least eight characters, including a mix of letters, numbers, special characters, and upper/lowercase.
- Handle your personally identifiable information (PII) with care, and be careful who you give it to.
- Check your credit reports annually.
- Don’t carry more cards than necessary.
- Use a firewall and anti-virus software to protect your computers and mobile devices.
If you think you’ve been a victim of identity theft, contact the major credit reporting agencies and the issuer of your compromised account (bank, credit card company, etc.), and notify your local police department.
I am sure you intended to advise us to use a firewall AND antivirus software, instead of a firewall OR antivirus software.
I guess it was an _inclusive_ or (not an XOR :-), but I changed it anyway…thanks for spotting it 🙂
As an aside, the free UTM Home Edition linked to above does let you have both firewall AND anti-virus: when you download the UTM Home Edition you get a licence code that covers you for everything the UTM can do _plus_ Sophos Anti-Virus coverage (managed from the UTM) for up to 12 Windows PCs.
Just the deal if you live in a shared house and are the unofficial IT support guy, or if you are looking for a way to keep your children well-protected online.
“payment card industry data security standards”? That would be the ones so comprehensively demolished by this week’s published breaking of their Chip & Pin flagship security product? I feel so reassured, now. Just checking …..
I’m not sure that PCI DSS was “comprehensively demolished” by the recent flaws highlighted in Chip and PIN implementations, nor that Chip and PIN is exactly the “flagship” of PCI DSS (since just implementing Chip and PIN does not make you anywhere near compliant).
And for all that you might consider PCI DSS weak, wouldn’t that make a product that wasn’t compliant even more worrying?
For a readable and informative view of PCI DSS, for and against, see:
http://nakedsecurity.sophos.com/pci-dss-why-it-works/
http://nakedsecurity.sophos.com/pci-dss-why-it-fails/
It always seemed to me that advertising one’s social security number was just plain stupid at best, and an invitation to disaster at worst. Mr. Davis’s own history seems to confirm that.
Case in point: Some jackball got hold of my date of birth in 1993 and managed to get a bunch of credit cards in my name. They finally caught him, but it took me eight years to clean up the mess. The damage could have been far worse with my social security number.
In that context, the antics of people who openly publish vastly more personally identifiable information about themselves on Facebook and elsewhere peg the idiot meter.
LifeLock might well provide a service that is useful in some ways, but it can’t protect people from their own stupidity. These stories about LifeLock’s own poor judgment and misdeeds encourage me to be my own best protector.
It would have been nice for you to notify your users that the app would be useless before taking it down. I thought something was wrong with my phone. I only use the app to store information so that I don’t have to always look in my actual wallet. I should have known there would be a problem once the app changed to the name ‘lifelock’ which imo has never been as good as they claim.
What’s the guarantee that info on Lifelock Wallet has indeed been deleted?