Wednesday, May 21, 2008

ID Theft in the news...

Infoworld took a look at Check Point Software's ZoneAlarm Forcefield, and ultimately walked away unimpressed.

Unfortunately, although ForceField does offer some real improvements over the other products I've reviewed, it wasn't enough to stop malware from infecting my test systems. In less than a minute, by clicking only my third malicious Web site link, my test system was silently compromised without so much as a chirp out of ForceField.
The writer admits to being skeptical about 'sandbox' security clients,

I've reviewed similar over-marketed and under-effective virtualized or "sandbox" security clients over the years (most notably GreenBorder, subsequently acquired by Google), all of which promised to provide superior protection against all malicious Internet threats.
Ultimately, our outlook is that previously proposed solutions fall short thanks to limited security features beyond 'site classification' (prompting the user that a site is safe or 'risky' based on white-list/black-list rules and inaccurate logic) and rudimentary key-logger defenses. No solution to date has offered network level protection, or a secure DNS/Directory to ensure that the user is going only to safe sites. No solution to date offered kernel-level security and the ability to defend itself from attack. SafeCentral is a different kind of sandbox. I hope we have a chance to get this reviewer and others to take a look at SafeCentral.

In other news, LifeLock is facing a new class-action lawsuit claiming that it has made false and misleading claims about the level of 'protection' it provides.

"While LifeLock has only publicly acknowledged that Davis' identity was compromised on one occasion, there are more than 20 driver's licenses that have been fraudulently obtained [using his personal information]," the suit states.

"Furthermore, a simple background check performed using Davis' Social Security number reveals that his entire personal profile has been compromised to the extent that the birth date associated with his Social Security number is Nov. 2, 1940, which would [inaccurately] make Davis 67 years old."
To be honest, I'm not sure this lawsuit has merit. I don't view the claims of LifeLock and the myriad of other 'identity insurers' to be PREVENTATIVE at all. They claim to help you discover identity fraud quickly, and mitigate the financial losses associated with a breach (though disguising it as protection). They do nothing to actually STOP identity theft from taking place. Ultimately, they're like an alarm system - it only goes off only after a crime has begun. A layered approach is best: start with good defensive measures to protect your identity from theft, and then layer on monitoring/insurance to buffer against a breach.

I'm not sure whether these articles help us by raising the 'noise-level' for the need for greater identity security, or hurt us by defining the problem as 'unsolvable' and establishing a poor reputation for companies associated with Identity Theft/Fraud solutions. Leave a comment and let me know your take.

No comments: