Kroll Web Watcher makes people less secure

By | August 17, 2019

If you participate in the world financial system or you’re an adult who’s active on the internet, then you’ve probably been caught up in more than one data breach, and as a result you’ve probably been offered free identity-theft monitoring services on more than one occasion.

These monitoring services don’t actually do any good for most people, but for the few people whose financial identities really are stolen, they can provide an early warning that something is amiss. Since catching identity theft early is critical to minimizing the damage and time to clean it up, the services are marginally useful.

Since the offer for free monitoring is typically only for a couple of years, and since it’s reasonable to assume that large data breaches are going to occur regularly for the foreseeable future, my wife and I simply sign up for these free services every time they are offered. We assume that by the time the free offers we’re currently on run out, there’ll be another breach and another free offer that will extend our monitoring.

One of the monitoring services we’re on (I believe as a result of the Marriott breach) is “Kroll Web Watcher”. Today, Kroll sent us an alert in email, and when I logged in to check it out, this is what I found:

Kroll provides additional information about this particular alert in their FAQ:

There are so many things wrong with this. SO MANY THINGS.

It’s pretty much a given that if you sign up for accounts on web sites, your email address has been leaked in a breach. Alerting people that their email address has been “found online” is completely useless — it’s a tautology, and there’s nothing they can do about it.

Furthermore, many people intentionally publish their email addresses online. You know, because they want people to be able to contact them. If you Google for my email address, for example, you’ll find at least 300 public pages on the web that contain it. Treating “your email address is available online” as some sort of actionable risk is ridiculous.

It appears that this alert is saying that my email address and a password were found in some breach, but it doesn’t say what breach it was found in. If it did, then I could change my password on that particular web site, but instead, I’m advised to “Change the password to any online service where the email address is your User ID” (emphasis added). Are you kidding me? My password manager currently has 314 accounts for which my email address is my User ID. Surely many other people use their email address as their user ID on many web sites. This advice is ludicrously, absurdly ridiculous.

The alert advises, “Change the password to your email account and check your ‘sent’ folder to make sure there have been no unauthorized emails sent from your account.” Let’s be clear here: just because my email address was found online in a breach doesn’t mean that my email account has been compromised. In fact, the correlation between people’s email addresses being found in a breach and their email accounts being compromised is extremely low. This suggestion is completely useless.

It goes on: “If you use the same password for your email account as other accounts (i.e., password is the same for email and bank accounts), it is recommended that you change the password on those accounts as well.” This is quite literally bad advice. The right advice to give people who use the same password on multiple accounts is not, “Change your password on those accounts as well,” it’s STOP USING THE SAME PASSWORD ON MULTIPLE ACCOUNTS. Tell people to use a password manager; don’t tell them to keep engaging in the same bad habits that put their online security at risk.

The FAQ text is only slightly better: “Do not use your email account password on any other account.” Well sure, that’s good advice as far as it goes, but it doesn’t go far enough. Don’t just tell people to use a unique password for their email account. Tell people to use unique passwords for all their accounts.
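To make the point about reuse concrete, here is a small audit script, added for this post and not code from Kroll or from the author, that runs over a constructed password-manager export. It lists the accounts where the email is the user ID (the set the alert tells you to rotate wholesale), the clusters of accounts that actually share a password, and which accounts really need rotating if one site is breached. The column names and sample rows are assumptions.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export (fake accounts and passwords) in a generic
# name,username,password layout; real vault exports use their own columns.
SAMPLE_EXPORT = """name,username,password
bank,alice@example.com,Tr0ub4dor&3
email,alice@example.com,Tr0ub4dor&3
shop,alice@example.com,correct-horse-battery
forum,alice_h,Tr0ub4dor&3
news,alice@example.com,xkcd-936-unique
"""

def fingerprint(password: str) -> str:
    """Short hash so reports can group passwords without echoing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]

def load(export_text: str) -> list:
    return list(csv.DictReader(io.StringIO(export_text)))

def email_id_accounts(export_text: str, email: str) -> list:
    """Accounts whose user ID is the email: what the alert says to rotate."""
    return [r["name"] for r in load(export_text)
            if r["username"].strip().lower() == email.lower()]

def reused_passwords(export_text: str) -> list:
    """Clusters of accounts sharing one password; these truly share risk."""
    by_fp = defaultdict(list)
    for r in load(export_text):
        by_fp[fingerprint(r["password"])].append(r["name"])
    return sorted(names for names in by_fp.values() if len(names) > 1)

def blast_radius(export_text: str, breached_account: str) -> list:
    """Other accounts to rotate if breached_account's password leaks:
    everything sharing that password, and nothing else."""
    rows = load(export_text)
    leaked = {fingerprint(r["password"]) for r in rows
              if r["name"] == breached_account}
    return [r["name"] for r in rows
            if r["name"] != breached_account
            and fingerprint(r["password"]) in leaked]

if __name__ == "__main__":
    print("email-as-ID:", email_id_accounts(SAMPLE_EXPORT, "alice@example.com"))
    print("reuse clusters:", reused_passwords(SAMPLE_EXPORT))
    print("if forum leaks, rotate:", blast_radius(SAMPLE_EXPORT, "forum"))
```

With unique passwords everywhere, `reused_passwords` returns an empty list and every `blast_radius` is empty, which is the whole argument in one check.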

Pointless alerts offering bad advice, like this one, make people less secure. Bad security advice inculcates and solidifies bad security habits. Furthermore, meaningless alerts that are not truly actionable desensitize people, making them less likely to pay attention to substantive alerts that they really do need to do something about.

As an information-security professional, one of the most important aspects of my job is educating and training the users I’m responsible for to help them develop good security habits. Stuff like this makes my job harder.


3 thoughts on “Kroll Web Watcher makes people less secure”

  1. 56kFlex

    What terrifies me is the terms of service/privacy policy if you enter its invitation to enroll or use the service.

    https://enroll.idmonitoringservice.com/terms-and-conditions

    https://enroll.idmonitoringservice.com/privacy-policy

    Information Collected from You

    a. Personal Information Which You Provide to Us or Our Agents

    During enrollment, or in order to provide a product or service, we or our agents may collect personal information from which you or your minor child (as applicable) can be identified, such as:

    name, address, phone number, and e-mail address;
    date of birth, driver’s license number, social security number, passport number, and other similar information;
    copies of government-issued photo identification, Social Security card and/or utility bill(s), where applicable;
    credit card number and other financial account data, including your consumer credit file(s), as applicable;
    your responses to security questions; the information you provide in customer service correspondence; and general feedback.
    b. Information Which May Be Collected Automatically

    This Platform, online services, applications, email messages, and advertisements, if any, may use “cookies” and other technologies such as pixel tags and web beacons to collect information about you and your activity (pixel tags and web beacons are also known as clear GIFs, action tags or web tags), such as your IP address, mobile device ID, geographic location, operating system, browser type, and service provider, and website session statistics. For more information, see the “Information Collected from Cookies and Other Technologies” section below.

    Purpose of Collection

    We and our agents will use the personal information provided by you to provide our identity monitoring, consultation, and restoration services, and for the investigation, prevention and detection of fraud.

    We and our agents will also use the information you provide us or that we collect automatically for the purpose of providing you with the products and services you have requested and for administering our relationship with you, for internal business purposes, for our product or service development and/or statistical analysis. This includes verification of your identity and address as well as charging of agreed-upon fees for our services, where applicable.

    When you close your account, we will continue to store and may use and share the collected information in accordance with this Privacy Policy and our legal and regulatory requirements. We will retain the information as long as necessary to fulfill the purposes for which it was provided, plus any reasonable length of time that is necessary to fulfill our legal, regulatory, and reasonable business purposes.

    Disclosure of Personal Information to Third Parties

    Kroll will share personal information collected from you with third parties as necessary to provide the products and services you have requested.

    In order for us to provide you with our identity monitoring, consultation, and restoration services, Kroll and/or its agents may share your personal information with its affiliated companies, with third party service providers retained by Kroll to provide services on its behalf (such as data hosting, marketing, analytics, identity monitoring, and customer service) or with others, such as credit bureaus or institutions with which you have a relationship (for instance, in order to provide you with your credit reporting history, or to discuss an issue you have with your account) or as required by law, legal process, and/or regulation.

    Certain of our identity monitoring services are provided through our third-party data and service provider, CSIdentity Corporation (“CSID”). CSID and its agents and employees may monitor your personal information you provide to see if it is detected on the dark web, in order to detect and alert you to potential identity threats. By enrolling in this service you authorize us to provide your personal information to CSID, and CSID and its agents and employees to obtain the information and reports described above, for these purposes. You may review CSID’s privacy policy here.

    We have taken reasonable steps to ensure that these affiliated companies and third-party service providers will use your personal information only to accomplish the purposes for which the information was collected. Some of these affiliates and service providers may be located outside of Canada, including in the United States and as a result your personal information may be processed and stored outside of Canada where it will be subject to applicable foreign laws.

    Your personal information may also be shared under the following circumstances: (i) if Kroll is required to do so pursuant to a subpoena or similar legal process or by law enforcement or national security or government agencies (including foreign law enforcement or national security or government agencies applicable to us, our affiliates and service providers); and (ii) in connection with investigations, or other efforts to prevent illegal activities or pertaining to public safety.

    In addition, in the event of a merger, acquisition, or any form of sale of some or all of our assets to a third party, we may also disclose your personal information to the third parties concerned or their professional advisors. In the event of such a transaction, the personal information held by Kroll will be among the assets transferred to the buyer.

    We may share aggregate, non-personal and/or de-identified information with third parties, to the extent permitted by law.

    1. jik Post author

      I don’t see anything particularly surprising or atypical here. They can’t search for that data on the web to check if it has been compromised if they don’t have the data to search for, right? What specifically is your concern?

  2. Vin Jameson

    Great article! Right on point.

    I got a similar nonsensical alert from Kroll today. I’ve asked them for more details. Let’s see if they provide them.

    Glad I am not the only one who’s seen this sub-standard “protection” from Kroll.
