Sunday, October 21, 2007

Lifelock offers consumer identify protection

Although I usually don’t promote specific companies on these blogs, I do mention them when they seem newsworthy.

Recently, a company named Lifelock has been advertising on some cable stations that it protects consumer identify. Of one goes to the website, one sees a picture of the CEO Todd Davis with his social security number in large typeface. The implication is that one can safely post one’s SSN if one uses the service, which as of today is $10 a month (or $110 a year) for individuals (less for minors).

The website does have an internal link explaining how it works. It appears that it does for the customer what the customer really can do for himself or herself. Essentially, it sets and manages consumer fraud alerts with the major credit reporting companies. It also arranges to have the consumer’s name removed from pre-approved junk mail and credit card lists.

Now, consumers can order one free report a year from each of the three major companies (Equifax, Experian, Trans-Union). Sometimes there are complications in getting all three to work. Companies charge a little to provide FICO or Vantage credit scores. Consumers can do these other things manually but they are probably clumsy to do. One thing that I recall from my days at Chilton in Dallas in the 1980s (now Experian) is the multitude of separate bureaus, some owned by the major companies and some affiliated. I worked on the member billing systems for six years in the 1980s and the interbureau stuff was quite intricate. I don’t know if this could have a practical effect on consumer security today.

I still think that the main trick to protecting consumers is to set up mandatory preferred contact addresses (for consumers who want them) , like the USPS NCOA, and have a highly secured agency or contractor manage them, and require credit grantors to notify consumers of contracts at these addresses.

Monday, October 08, 2007

Identity Protection Safeguard questions; RSA

I’ve always wonder how effective those security questions that many websites require to reissue or let users reset their own passwords. The Sunday, Oct. 7, 2007 “Style & Arts” Section M of The Washington Post has a front page story by Monica Hesse, “This Is Your Life: As Determined By Confounding Identity-Protecting Safeguards.” The article mentions Chillicothe as a home town – well, if that’s Ohio (well within “Days of our Lives” territory) it’s a station on the old Erie Canal – but it doesn’t have to be Ohio.

The article discusses a company called Verid, with is RSA Identity Verification (“Remote Security Authentication”). The company can search public records databases (although many localities have been removing these from the Internet) for other questions to really challenge the visitor for sensitive clients. The philosophy behind the design of the questions is a subject of some interest. Programmers and geeks may not be sensitive to the kind of questions that people can answer and that are the most effective screeners. This sounds like a real field for research.

Tuesday, October 02, 2007

Concern over social announcements in newspapers: that's overdoing it

Monday, The Washington Times, in an insert about cybersecurity for teens, provided considerable discussion of consumer protection for adults, as well. (The blogger entry is here.) The issue was critical even of people announcing weddings, debutante parties, and similar results in local newspapers, as making the subjects targets. This does seem like carrying things a bit far. Newspapers have made social announcements like these for decades without problems. It seems, again, that the underlying problem is carelessness of financial institutions and lenders in identifying customers and following up with proper notification.

In fact, the practice of banks of charging penalties for missing credit card payments by even one day (more acute now as banks have shortened the payment date by five days) may have an upside: it encourages online banking (actually supported by the article) and encourages visitors to check their balances online almost daily, making a heist by hackers less likely. The main hitch is that people who do online banking realize that banks will not ask them to update information with emails, and that all such emails are really phishing attacks, which are really very common and are often sent as spam even to people who do not have accounts at the subject banks. (Often the spam has each bank’s separate embedded trademark image – itself a violation of federal law and an obvious civil trademark infringement and prospective dilution according to recent law -- but the same text.) Since these emails usually result offshore, they have been difficult to shut down.

On Saturday, Sept. 29, NBC4 in Washington had a “community shred” at RFK stadium in Washington (ironically after the Nats ‘s last game there, as they get a new stadium next year). The only problem was that on the same day Washington sponsored a triathlon and driving to the stadium around closed streets got me trapped in a maze.