The Post-Equifax Marketing Push: Identity Protection Services

Security News ThreatsCybercrime Uncategorized

In the aftermath of the breach, many Americans — half of whom may have had sensitive details exposed in the attack — are trying to make sense of the offers flowing in from identity theft services.

But these services vary greatly, both in reputation and in offerings, according to fraud and privacy experts. Signing up also requires consumers to entrust yet another corporate entity with their most sensitive data — many of the same details stolen in the Equifax breach — while entering into legal agreements filled with fine print that leads consumers to give up many rights.

Some of the more prominent services also have questionable histories. The Government Accountability Office counts at least 16 federal enforcement actions taken against providers of identity theft protection — financial institutions among them — for various infractions, according to a March report.

For weeks, we have been asking Equifax dozens of questions about credit freezes, credit locks and the trouble readers have been having with its various systems. The company has responded — to some of them.

LifeLock, for instance, paid $100 million in 2015 to settle charges by the Federal Trade Commission that it failed to secure its users’ most sensitive data and used deceptive advertising (for the second time). This year, Equifax and TransUnion agreed to pay a combined $23 million to settle a regulator’s allegations that they tricked consumers into paying for credit scores of questionable value.

“I personally think it’s a waste of money,” said Avivah Litan, a security analyst at the technology research firm Gartner. She was referring to services that say they scan the dark web, the hard-to-find regions of the internet where, among other things, criminals trade stolen information.

“I just assume my data is being sold on the dark web,” Ms. Litan said. “You should just assume it is stolen,” she added, and act accordingly.

An estimated 17.6 million people, or about 7 percent of United States residents 16 or older, were victims of identity theft in 2014, according to a Bureau of Justice Statistics report, the latest available. In the vast majority of cases, an unauthorized person tried to gain access to an existing account, such as a bank or credit card account.

There are several ways for consumers to protect themselves without buying anything at all, though some experts believe that some independent services can be helpful in certain circumstances.

So what exactly do they do?

Most identity protection services include some sort of credit monitoring, generally hiring one or more of the big bureaus to track your files for any recent changes. So if there is suspicious activity — new credit accounts, a big increase in what you owe, a delinquency — you’ll learn about it after the fact.

But identity protection companies promise to go well beyond credit monitoring, with scans of the dark web, public databases, court records, social media and other obscure places. They’re looking for a variety of items, which might include Social Security numbers, addresses, emails, phone numbers (former ones, too), dates of birth, medical identification numbers and other personal identifying information. They might find it for sale by criminals — or already in use.

Despite all the scanning and monitoring that these services claim to do, they aren’t necessarily going to prevent a crime. In some ways, learning that your stolen data is on the dark web is like finding your empty wallet after thieves made off with your cash. You can’t get your Social Security number back. But a red flag may be raised after something suspicious happens.

“The answer is not a silver bullet,” said Johan Roets, chief executive of Intersections, the parent company of Identity Guard, an identity protection service. “My product is trying to coach people along the way.” It has three alerts — low, medium and critical — that tell consumers why something matters and what to do about it.

10 Steps to Help Protect Your Identity

Here are some things you can do to safeguard your identity.

Some providers monitor the United States Postal Service’s change-of-address database, according to the Government Accountability Office report, so consumers can correct changes made by someone trying to improperly redirect their mail.

But consumers need to be able to trust that the companies will protect the information they are scanning for. Identity Guard asks consumers to provide 26 pieces of personal data, though Mr. Roets says that data remains on its operational servers and never touches the internet.

Identity protection services can be particularly helpful after a theft, experts said. “They will take serious ongoing cases of ID theft, especially cross-state, and will help clear it up and shut it down,” said Pam Dixon, executive director of the World Privacy Forum, a nonprofit research group.

IDShield works in this area, in addition to providing identity monitoring. “If something bad happens, we do all the work to restore the identity,” said Jeff Bell, the chief executive officer of LegalShield, IDShield’s parent company. “We don’t catch them in the act, but now we are immediately talking to whoever is making the loan or selling the product and telling them there is a problem here.”

IDShield works with Kroll, which has licensed private investigators covering every state. The investigators get a limited power of attorney so they can work on the customer’s behalf with banks, government agencies and other institutions, Mr. Bell explained. The investigators’ tasks will vary depending on the complexity of the case, but they might also search for additional instances of identity theft and dispute the errors with companies and agencies, including the credit bureaus.

If a person with an existing problem wants to hire IDShield, he or she pays a one-time fee of $899, and then a monthly rate of either $9.95 or $19.95. Existing customers are covered by the monthly fee if a problem arises. But again, the risk never goes away entirely, so those monthly fees can add up.

A credit freeze, a topic that my colleague Ron Lieber has covered in depth, will prevent some fraud without the monthly fees: It allows consumers to turn off access to their credit files at each of the three bureaus, which blocks thieves from taking out a loan or opening other accounts in their name.

Even putting your files on ice, however, won’t protect against several other types of fraud that experts like Ms. Litan, from Gartner, worry about even more. That includes the takeover of financial accounts and cellphones (which are used to gain access to bank and other accounts), and fraud related to tax refunds, Social Security payments and other government benefits.

When I took Experian’s pitch and entered my work email address into its dark web scanner, lo and behold, it said my email had shown up in this mysterious netherworld three times last year.

Its recommendation? Strengthen my passwords and sign up for its dark web surveillance and identity theft protection services.

Continue reading the main story