Identity theft protection firm 'exposes customers to phishing attacks'

LifeLock web authentication blunder leaves subscriber email addresses exposed

What happens when a company you trust to safeguard your identity actually ends up being the very organisation that leaves you vulnerable to attack?

That's what customers of identity theft protection company LifeLock appear to be discovering, after researchers learned that a flaw in the company's website could be leaving customers vulnerable to spearphishing attacks.

The flaw was first reported by security expert Brian Krebs, who was alerted to it by US researcher Nathan Reese. Reese discovered the flaw after clicking on an unsubscribe link in one of LifeLock's emails, which took him to a page where he could update his email marketing preferences.

The URL for this preference centre featured a unique subscriber key, a numerical identifier used by LifeLock to internally catalogue customers. By changing this value in the URL, Reese was able to access the preference centre for other LifeLock subscribers - which meant that he could also see their email addresses.

"It would be trivial to write a simple script that pulls down the email address of every LifeLock subscriber," Krebs said. "The design of the company's site suggests that whoever put it together lacked a basic understanding of website authentication and security."

"If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them," said Reese. "That they're a LifeLock customer and that I have those customers' email addresses. That's a pretty sharp spear for my spearphishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime."

Readers may remember LifeLock as the company whose former CEO Todd Davis was so confident in its services that he ran numerous ads featuring his genuine social security number. He had his identity stolen at least 13 times.

LifeLock is now owned by security firm Symantec following a $2.3 billion acquisition in 2016, and as of January 2017, the company had more than 4.5 million subscribers. IT Pro has approached Symantec for comment.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

X-rated phishing attacks just keep growing
phishing

X-rated phishing attacks just keep growing

4 Jun 2021
Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
eBay, Apple, Microsoft, Facebook, and Google were phishers’ top targets in 2020
phishing

eBay, Apple, Microsoft, Facebook, and Google were phishers’ top targets in 2020

20 Apr 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021