If you participate in the world financial system or you’re an adult who’s active on the internet, then you’ve probably been caught up in more than one data breach, and as a result you’ve probably been offered free identity-theft monitoring services on more than one occasion.
These monitoring services don’t actually do any good for most people, but for the few people whose financial identities really are stolen, they can provide an early warning that something is amiss. Since catching identity theft early is critical to minimizing the damage and time to clean it up, the services are marginally useful.
Since the offer for free monitoring is typically only for a couple of years, and since it’s reasonable to assume that large data breaches are going to occur regularly for the foreseeable future, my wife and I simply sign up for these free services every time they are offered. We assume that by the time the free offers we’re currently on run out, there’ll be another breach and another free offer that will extend our monitoring.
One of the monitoring services we’re on (I believe as a result of the Marriott breach) is “Kroll Web Watcher”. Today, Kroll sent us an alert in email, and when I logged in to check it out, this is what I found:
Kroll provides additional information about this particular alert in their FAQ:
There are so many things wrong with this. SO MANY THINGS.
It’s pretty much a given that if you sign up for accounts on web sites, your email address has been leaked in a breach. Alerting people that their email address has been “found online” is completely useless — it’s a tautology, and there’s nothing they can do about it.
Furthermore, many people intentionally publish their email addresses online. You know, because they want people to be able to contact them. If you Google for my email address, for example, you’ll find at least 300 public pages on the web that contain it. Treating “your email address is available online” as some sort of actionable risk is ridiculous.
It appears that this alert is saying that my email address and a password were found in some breach, but it doesn’t say what breach it was found in. If it did, then I could change my password on that particular web site, but instead, I’m advised to “Change the password to any online service where the email address is your User ID” (emphasis added). Are you kidding me? My password manager currently has 314 accounts for which my email address is my User ID. Surely many other people use their email address as their user ID on many web sites. This advice is ludicrously, absurdly ridiculous.
The alert advises, “Change the password to your email account and check your ‘sent’ folder to make sure there have been no unauthorized emails sent from your account.” Let’s be clear here: just because my email address was found online in a breach doesn’t mean that my email account has been compromised. In fact, the correlation between people’s email addresses being found in a breach and their email accounts being compromised is extremely low. This suggestion is completely useless.
It goes on: “If you use the same password for your email account as other accounts (i.e., password is the same for email and bank accounts), it is recommended that you change the password on those accounts as well.” This is quite literally bad advice. The right advice to give people who use the same password on multiple accounts is not, “Change your password on those accounts as well,” it’s STOP USING THE SAME PASSWORD ON MULTIPLE ACCOUNTS. Tell people to use a password manager; don’t tell them to keep engaging in the same bad habits that put their online security at risk.
The FAQ text is only slightly better: “Do not use your email account password on any other account.” Well sure, that’s good advice as far as it goes, but it doesn’t go far enough. Don’t just tell people to use a unique password for their email account. Tell people to use unique passwords for all their accounts.
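One way to turn that advice into a check a user can actually run, as an added example that is not part of the original post or of any Kroll product: a small Python script that reads a password-manager export (a generic name/url/username/password CSV is assumed here; real export layouts vary by product) and reports how many accounts use the e-mail address as the User ID, which accounts share a password with each other, and which accounts hold the exact password quoted in a breach alert. The first number shows why "change the password everywhere your e-mail is your User ID" is not actionable; the last two lists are the accounts that actually need rotating. The sample vault is constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export in a generic CSV shape (fields assumed:
# name,url,username,password). All names, URLs and passwords are made up.
SAMPLE_EXPORT = """name,url,username,password
Movie tickets,https://movietickets.example,jsmith123@example.com,p0pc0rn
Forum,https://forum.example,jsmith123@example.com,p0pc0rn
Bank,https://bank.example,jsmith123,Xk9!vR2#mQp7
Webmail,https://mail.example,jsmith123@example.com,Lw4$tN8@hZc1
Shop,https://shop.example,jsmith123@example.com,p0pc0rn
Utility,https://power.example,js_home,Lw4$tN8@hZc1
"""


def load_vault(csv_text):
    """Parse a CSV export into a list of row dicts; an empty export yields []."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def accounts_using_email(vault, email):
    """Names of accounts whose User ID is the given e-mail address (case-insensitive).
    This is the set the alert's advice would have you rotate."""
    wanted = email.strip().lower()
    return sorted(e["name"] for e in vault if e["username"].strip().lower() == wanted)


def reused_passwords(vault):
    """Map each password used on two or more accounts to the sorted account names."""
    groups = defaultdict(list)
    for e in vault:
        groups[e["password"]].append(e["name"])
    return {pw: sorted(names) for pw, names in groups.items() if len(names) > 1}


def accounts_with_password(vault, leaked):
    """Names of accounts holding exactly the password quoted in a breach alert.
    These are the accounts that actually need a new password."""
    return sorted(e["name"] for e in vault if e["password"] == leaked)


def report(vault, email, leaked=None):
    """Build human-readable report lines; plaintext passwords are never echoed."""
    lines = []
    by_email = accounts_using_email(vault, email)
    lines.append(f"{len(by_email)} of {len(vault)} accounts use {email} as the User ID: "
                 + ", ".join(by_email))
    reuse = reused_passwords(vault)
    if not reuse:
        lines.append("No password is shared between accounts.")
    for names in reuse.values():
        lines.append(f"Same password on {len(names)} accounts, rotate all of them: "
                     + ", ".join(names))
    if leaked is not None:
        hit = accounts_with_password(vault, leaked)
        lines.append("Accounts using the password quoted in the alert: "
                     + (", ".join(hit) if hit else "none"))
    return lines


if __name__ == "__main__":
    vault = load_vault(SAMPLE_EXPORT)
    for line in report(vault, "jsmith123@example.com", leaked="p0pc0rn"):
        print(line)
```

Run it against a real export only on the machine that holds the vault, and delete the export file afterwards, since it contains every password in plaintext. The report deliberately prints account names rather than passwords so it can be kept as a to-do list.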
Pointless alerts offering bad advice, like this one, make people less secure. Bad security advice inculcates and solidifies bad security habits. Furthermore, meaningless alerts that are not truly actionable desensitize people, making them less likely to pay attention to substantive alerts that they really do need to do something about.
As an information-security professional, one of the most important aspects of my job is educating and training the users I’m responsible for to help them develop good security habits. Stuff like this makes my job harder.
I would just like to add that to set up this monitoring, Kroll requires SSN, understandably perhaps.
But, what’s there to think that Kroll itself won’t be hacked one day and leak my SSN, therefore becoming the source of the problem?
Which they will then happily monitor for me, I’m sure, for the modest fee.
I just went to fill out the info on Kroll because of a data breach where my info was apparently part of what was stolen, and I am hesitant to put my SS# for precisely the reason you state. I am not sure what to do at this point. I have a free offer for a year, but I super hate giving out my SS#. What did you end up doing?
If you want to be serious about credit monitoring then get the Experian app. It’s $10 a month I believe and it will give you a lot of helpful information. It will tell you exactly what was compromised and will offer solutions (like credit locking, etc.). Also, I highly recommend Dashlane. It also monitors your email and passwords online to see if they’ve been stolen. On top of that you can store all of your passwords and generate a password for each account and just log in using Dashlane’s autofill. This is really helpful because if your account’s password is compromised only one account is at risk and you get an alert and can change it through Dashlane. Finally, you can store secure notes and stuff too (even documents) which has been seriously helpful for me.
It’s a waste of money for most people to be spending $10 per month, or any money at all, for the Experian app or any other credit report monitoring app. Just sign up for the free identity theft protection you’re offered every time you receive yet another breach notification and you’ll be covered.
More importantly, make sure all of your credit reports are frozen. We have freezes set up for Equifax, Experian, TransUnion, NCTUE, SageStream (which, by the way, is terrible), and Innovis.
As for password managers, you’re 100% correct that people should be using them and should be using random, unique passwords for every web site. Which one you use doesn’t really matter; they’re pretty much all fine security-wise, and they pretty much all have the features you enumerated. I personally prefer Bitwarden.
How can you be sure your password manager is hack-proof?
Nothing is “hack-proof”. The relevant question is whether you are, overall, safer using a password manager than not. The data on that are clear: you are much safer if you use a password manager.
I’m a little confused – I understand about the best practices – using unique passwords, don’t respond to phishing emails, etc.
I got this one last month saying (I think) that they found my email in a server breach (Potential Site field).
It does seem that one could be changing email passwords every month if you followed their advice.
A couple questions:
What exactly triggers Kroll’s alerts?
If this doesn’t provide any real value, are there services that DO provide what they’re portending?
Thanks
Eric
Indeed. That’s why this alert is so stupid.
Well, it’s hard to say for certain, since they don’t document their service in that much detail, but this one appears to be triggered by them finding your email address on a web page anywhere on the internet. Which, as you noticed, is pretty useless.
https://haveibeenpwned.com/
Good general article on these abysmal tools. Have to say though – the others are no better than Kroll. I’ve been on free memberships with a couple of these now – they’re all the same nonsense. No protection, minimal information.
Yes. I’ve just got another stupid alert like this from Kroll.
All it means is that some site that you registered with your e-mail address has been compromised.
So, if you have jsmith123@gmail.com and you use that to register on Movietickets.com with the password “p0pc0rn” and that site gets hacked/compromised it means nothing (apart from a compromised account on that site which is most likely already public info).
It means absolutely nothing to your 50 other accounts that you registered with jsmith123@gmail.com UNLESS you used the same password (which as you state you shouldn’t).
It especially doesn’t mean anything for your actual gmail account.
The problem with their text is they are being super focused on the e-mail account itself… as if someone hacked your e-mail and/or sent suspicious mails from your address.
While this certainly could happen (again, if you ignorantly used the same password), this is an unlikely occurrence.
Kroll’s is utterly useless and the fact that these companies get out of any real culpability by providing years of free services to these pieces of trash should be illegal.
Sign up for https://haveibeenpwned.com/ – you’ll get better, quicker, more accurate data.
Actually, this is not correct.
This alert from Kroll is not about some web site you are registered on being compromised. It’s about Kroll’s web crawlers seeing your email address anywhere on the internet in any context.
Which is completely moronic, as I explain in my blog posting.
What terrifies me is the terms of service/privacy policy if you enter its invitation to enroll or use the service.
https://enroll.idmonitoringservice.com/terms-and-conditions
https://enroll.idmonitoringservice.com/privacy-policy
Information Collected from You
a. Personal Information Which You Provide to Us or Our Agents
During enrollment, or in order to provide a product or service, we or our agents may collect personal information from which you or your minor child (as applicable) can be identified, such as:
name, address, phone number, and e-mail address;
date of birth, driver’s license number, social security number, passport number, and other similar information;
copies of government-issued photo identification, Social Security card and/or utility bill(s), where applicable;
credit card number and other financial account data, including your consumer credit file(s), as applicable;
your responses to security questions; the information you provide in customer service correspondence; and general feedback.
b. Information Which May Be Collected Automatically
This Platform, online services, applications, email messages, and advertisements, if any, may use “cookies” and other technologies such as pixel tags and web beacons to collect information about you and your activity (pixel tags and web beacons are also known as clear GIFs, action tags or web tags), such as your IP address, mobile device ID, geographic location, operating system, browser type, and service provider, and website session statistics. For more information, see the “Information Collected from Cookies and Other Technologies” section below.
Purpose of Collection
We and our agents will use the personal information provided by you to provide our identity monitoring, consultation, and restoration services, and for the investigation, prevention and detection of fraud.
We and our agents will also use the information you provide us or that we collect automatically for the purpose of providing you with the products and services you have requested and for administering our relationship with you, for internal business purposes, for our product or service development and/or statistical analysis. This includes verification of your identity and address as well as charging of agreed-upon fees for our services, where applicable.
When you close your account, we will continue to store and may use and share the collected information in accordance with this Privacy Policy and our legal and regulatory requirements. We will retain the information as long as necessary to fulfill the purposes for which it was provided, plus any reasonable length of time that is necessary to fulfill our legal, regulatory, and reasonable business purposes.
Disclosure of Personal Information to Third Parties
Kroll will share personal information collected from you with third parties as necessary to provide the products and services you have requested.
In order for us to provide you with our identity monitoring, consultation, and restoration services, Kroll and/or its agents may share your personal information with its affiliated companies, with third party service providers retained by Kroll to provide services on its behalf (such as data hosting, marketing, analytics, identity monitoring, and customer service) or with others, such as credit bureaus or institutions with which you have a relationship (for instance, in order to provide you with your credit reporting history, or to discuss an issue you have with your account) or as required by law, legal process, and/or regulation.
Certain of our identity monitoring services are provided through our third-party data and service provider, CSIdentity Corporation (“CSID”). CSID and its agents and employees may monitor your personal information you provide to see if it is detected on the dark web, in order to detect and alert you to potential identity threats. By enrolling in this service you authorize us to provide your personal information to CSID, and CSID and its agents and employees to obtain the information and reports described above, for these purposes. You may review CSID’s privacy policy here.
We have taken reasonable steps to ensure that these affiliated companies and third-party service providers will use your personal information only to accomplish the purposes for which the information was collected. Some of these affiliates and service providers may be located outside of Canada, including in the United States and as a result your personal information may be processed and stored outside of Canada where it will be subject to applicable foreign laws.
Your personal information may also be shared under the following circumstances: (i) if Kroll is required to do so pursuant to a subpoena or similar legal process or by law enforcement or national security or government agencies (including foreign law enforcement or national security or government agencies applicable to us, our affiliates and service providers); and (ii) in connection with investigations, or other efforts to prevent illegal activities or pertaining to public safety.
In addition, in the event of a merger, acquisition, or any form of sale of some or all of our assets to a third party, we may also disclose your personal information to the third parties concerned or their professional advisors. In the event of such a transaction, the personal information held by Kroll will be among the assets transferred to the buyer.
We may share aggregate, non-personal and/or de-identified information with third parties, to the extent permitted by law.
I don’t see anything particularly surprising or atypical here. They can’t search for that data on the web to check if it has been compromised if they don’t have the data to search for, right? What specifically is your concern?
My concern is almost all of that text, but one thing is:
“When you close your account, we will continue to store and may use and share the collected information in accordance with this Privacy Policy and our legal and regulatory requirements. We will retain the information as long as necessary to fulfill the purposes for which it was provided, plus any reasonable length of time that is necessary to fulfill our legal, regulatory, and reasonable business purposes.”
What’s this part? “We will retain the information as long as necessary to fulfill the purposes for which it was provided”. Does that mean they will store your information forever? Because “to fulfill the purposes for which it was provided” is an ongoing process until you die, or even after that too. Plus what does “reasonable business purposes” mean?
So it appears when they sell their company years from now all your personal information from your closed account years prior will be transferred to the new owner too. Let’s just hope new owners have the same or better morals than Kroll.
If someone could hack into Kroll, what a pirate’s booty there. Present and past information. They must have a large internet target on their back.
This sounds like a blatant violation of GDPR policy. Unless I’m missing something they should allow you to request deletion of all your personal data. If I remember GDPR correctly the “forget me” request must be honored. There are some exceptions, typically where it is required by law to retain the data, but it is hardly the case here.
1) Depending on how the terms of the privacy policy are implemented in practice it may not be a GDPR violation. What they say in the privacy policy they will do is not necessarily the same as what they will actually do if someone submits a GDPR data-deletion request to them.
2) This product is primarily targeted at people in the U.S. so I doubt they care a great deal about the GDPR.
Great article! Right on point.
I got a similar nonsensical alert from Kroll today. I’ve asked them for more details. Let’s see if they provide them.
Glad I am not the only one who’s seen this sub-standard “protection” from Kroll.