After years of legal trouble over its business practices, LifeLock has allegedly exposed its users to a new threat through an unsecured website, putting its users’ personal information at risk.
The latest in a series of embarrassing flaws and exaggerations by LifeLock may be the most serious, as it appears to have put its entire user base at risk of serious harm. According to the website Krebs on Security, “the design of the company’s site suggests that whoever put it together lacked a basic understanding of Web site authentication and security.”
Nathan Reese, an independent security researcher, uncovered the problem after trying to unsubscribe from a typical marketing email sent to him as a former LifeLock customer. Reese determined that the email’s unsubscribe link, with its unique subscriber key, allowed him to reverse engineer the system and get LifeLock to provide him with other email addresses in its database. Reese then wrote and successfully tested a simple automated computer script that began submitting subscriber keys to LifeLock and retrieving the associated email addresses of real people.
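The weakness Reese describes, a guessable subscriber key that maps straight to an email address, beside the usual defensive fix, as an added Python example that is not from the article, from Krebs on Security or from LifeLock; the subscriber table, the server key and the link format are constructed placeholders:

```python
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs

# Constructed sample data; nothing here comes from LifeLock or the article.
SUBSCRIBERS = {1001: "alice@example.com", 1002: "bob@example.com"}
SERVER_KEY = b"hypothetical-secret-kept-out-of-source-control"
UNSUBSCRIBED = set()


def weak_unsubscribe(key: int):
    """The pattern the article describes: any guessed key returns an address."""
    return SUBSCRIBERS.get(key)


def make_token(sub_id: int) -> str:
    """Bind the link to one subscriber with an HMAC over the id. Without
    SERVER_KEY nobody can produce a valid token for another id, so walking
    the id space no longer yields anything."""
    return hmac.new(SERVER_KEY, str(sub_id).encode(), hashlib.sha256).hexdigest()


def make_link(sub_id: int) -> str:
    # Hypothetical link format for the example.
    return f"https://mail.example.com/unsubscribe?id={sub_id}&t={make_token(sub_id)}"


def parse_link(link: str):
    q = parse_qs(urlparse(link).query)
    return int(q["id"][0]), q["t"][0]


def hardened_unsubscribe(sub_id: int, token: str) -> bool:
    """Accept only a matching token, compared in constant time, and never
    echo the address: the caller learns a flag, not who the subscriber is."""
    if sub_id not in SUBSCRIBERS:
        return False
    if not hmac.compare_digest(make_token(sub_id), token):
        return False
    UNSUBSCRIBED.add(sub_id)
    return True
```

The same idea applies to any link that carries an identifier: the endpoint should prove the caller holds a secret tied to that record, and its response should not disclose the record itself.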
According to Krebs, “If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them,” Reese said. “That they’re a LifeLock customer and that I have those customers’ email addresses. That’s a pretty sharp spear for my spear phishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime.”
Reese is referring to two separate threats arising from LifeLock’s failure. First, hackers could use the email addresses of LifeLock customers to masquerade as LifeLock itself and send those members believable imitations of LifeLock emails asking them to provide access to their accounts, download virus software, keyloggers or other malware onto their computers, or click on dangerous web links that cause further damage. Second, suspecting that these users are especially sensitive to security concerns, hackers might employ fear tactics and misinformation to strike at the deepest fears of these users.
These are exactly the types of tricks used by hackers to gain control over your computer and cause real harm. Using ransomware attacks, they can install software that erases or encrypts your entire hard drive unless you pay them in untraceable bitcoin to restore your computer. They can install keyloggers that capture all your activity including the names and passwords to all your accounts. They can install software that secretly activates the camera and microphone on your computer or smartphone to spy on you. The damage is limited only by the hacker’s ingenuity.
In response to the Krebs inquiry, LifeLock representatives have stated that the vulnerability has been addressed, that the affected site was not its member portal but one run by one of its vendors, and that there is no indication of any suspicious activity beyond Mr. Reese’s test.
At MyProfyle, we believe this carelessness is further proof that everyone’s information is at risk from many different sources and that we are all exposed multiple times per year. The solution to identity fraud is not to try to lock your identity or seek unobtainable privacy, but to control your identity – not just your credit – by putting yourself in the position to know of, approve or decline activity conducted in your name. That’s MyProfyle Free For Life ™ Identity Protection.