If you participate in the world financial system or you’re an adult who’s active on the internet, then you’ve probably been caught up in more than one data breach, and as a result you’ve probably been offered free identity-theft monitoring services on more than one occasion.
These monitoring services don’t actually do any good for most people, but for the few people whose financial identities really are stolen, they can provide an early warning that something is amiss. Since catching identity theft early is critical to minimizing the damage and time to clean it up, the services are marginally useful.
Since the offer for free monitoring is typically only for a couple of years, and since it’s reasonable to assume that large data breaches are going to occur regularly for the foreseeable future, my wife and I simply sign up for these free services every time they are offered. We assume that by the time the free offers we’re currently on run out, there’ll be another breach and another free offer that will extend our monitoring.
One of the monitoring services we’re on (I believe as a result of the Marriott breach) is “Kroll Web Watcher”. Today, Kroll sent us an alert in email, and when I logged in to check it out, this is what I found:
Kroll provides additional information about this particular alert in their FAQ:
There are so many things wrong with this. SO MANY THINGS.
It’s pretty much a given that if you sign up for accounts on web sites, your email address has been leaked in a breach. Alerting people that their email address has been “found online” is completely useless — it’s a tautology, and there’s nothing they can do about it.
Furthermore, many people intentionally publish their email addresses online. You know, because they want people to be able to contact them. If you Google for my email address, for example, you’ll find at least 300 public pages on the web that contain it. Treating “your email address is available online” as some sort of actionable risk is ridiculous.
It appears that this alert is saying that my email address and a password were found in some breach, but it doesn’t say what breach it was found in. If it did, then I could change my password on that particular web site, but instead, I’m advised to “Change the password to any online service where the email address is your User ID” (emphasis added). Are you kidding me? My password manager currently has 314 accounts for which my email address is my User ID. Surely many other people use their email address as their user ID on many web sites. This advice is ludicrously, absurdly ridiculous.
The alert advises, “Change the password to your email account and check your ‘sent’ folder to make sure there have been no unauthorized emails sent from your account.” Let’s be clear here: just because my email address was found online in a breach doesn’t mean that my email account has been compromised. In fact, the correlation between people’s email addresses being found in a breach and their email accounts being compromised is extremely low. This suggestion is completely useless.
It goes on: “If you use the same password for your email account as other accounts (i.e., password is the same for email and bank accounts), it is recommended that you change the password on those accounts as well.” This is quite literally bad advice. The right advice to give people who use the same password on multiple accounts is not, “Change your password on those accounts as well,” it’s STOP USING THE SAME PASSWORD ON MULTIPLE ACCOUNTS. Tell people to use a password manager; don’t tell them to keep engaging in the same bad habits that put their online security at risk.
The FAQ text is only slightly better: “Do not use your email account password on any other account.” Well sure, that’s good advice as far as it goes, but it doesn’t go far enough. Don’t just tell people to use a unique password for their email account. Tell people to use unique passwords for all their accounts.
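The two complaints above come down to one point: an alert that names the breached site gives the user a small, actionable set of passwords to rotate, whereas "change every account where your email is the user ID" does not. The script below is an added example (not code from this post or from Kroll) that shows what that actionable set looks like when you have your own password-manager data. It assumes a CSV export with `name`, `url`, `username` and `password` columns, which is a common but not universal export shape; the accounts and passwords in it are constructed for illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample of a password-manager CSV export (not real credentials).
# The column layout (name, url, username, password) is an assumption about the export format.
SAMPLE_EXPORT = """name,url,username,password
Example Bank,https://bank.example.com,alice@example.com,corr3ct-horse-battery
Example Shop,https://shop.example.com,alice@example.com,Summer2019!
Example Forum,https://forum.example.net,alice_f,Summer2019!
Example Mail,https://mail.example.com,alice@example.com,tr0ub4dor&3
Example Blog,https://blog.example.org,alice@example.com,Summer2019!
Example Game,https://game.example.org,alice99,uniq-p4ss-for-game
"""


def parse_export(text):
    """Parse a CSV export into a list of account dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def accounts_using_email_as_id(accounts, email):
    """Sites where the given email address is the login name.

    This is the set the Kroll alert tells you to rotate when the breach is unnamed.
    """
    return sorted(a["name"] for a in accounts if a["username"].lower() == email.lower())


def _fingerprint(password):
    # Report groups by a truncated hash so the report never contains the password itself.
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def find_reused_passwords(accounts):
    """Map password fingerprint -> sorted site names, for passwords used on more than one site.

    Every group returned here is a set of accounts that fall together if any one of them leaks.
    """
    groups = defaultdict(list)
    for a in accounts:
        groups[_fingerprint(a["password"])].append(a["name"])
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}


def rotation_set_for_breach(accounts, breached_site):
    """Sites whose password should change once a breach at `breached_site` is known:
    the breached site plus every site that shares its password.

    With unique passwords this collapses to the single breached site, which is the
    whole argument for a password manager.
    """
    by_name = {a["name"]: a for a in accounts}
    if breached_site not in by_name:
        raise KeyError(f"no account named {breached_site!r} in export")
    leaked_pw = by_name[breached_site]["password"]
    return sorted(a["name"] for a in accounts if a["password"] == leaked_pw)


if __name__ == "__main__":
    accounts = parse_export(SAMPLE_EXPORT)
    print("Accounts where the email address is the user ID:")
    for name in accounts_using_email_as_id(accounts, "alice@example.com"):
        print("  ", name)
    print("Password groups shared across sites (by fingerprint):")
    for fp, names in find_reused_passwords(accounts).items():
        print("  ", fp, "->", ", ".join(names))
    print("If Example Forum is breached, rotate:", rotation_set_for_breach(accounts, "Example Forum"))
    print("If Example Game is breached, rotate:", rotation_set_for_breach(accounts, "Example Game"))
```

On the constructed data, the unnamed-breach advice means rotating four accounts; a named breach at the forum means rotating exactly the three accounts that share its password, and a named breach at a site with a unique password means rotating one. Run it against a real export only on a machine you trust, and delete the export afterwards.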
Pointless alerts offering bad advice, like this one, make people less secure. Bad security advice inculcates and solidifies bad security habits. Furthermore, meaningless alerts that are not truly actionable desensitize people, making them less likely to pay attention to substantive alerts that they really do need to do something about.
As an information-security professional, one of the most important aspects of my job is educating and training the users I’m responsible for to help them develop good security habits. Stuff like this makes my job harder.