LifeLock snaps shut Wallet mobile app over credit card leak fears

LifeLock has withdrawn its Wallet App and deleted user data over concerns the technology falls short of user data protection rules under the payment card industry's Data Security Standard (PCI DSS). In a statement Todd Davis, chairman and chief exec of LifeLock, said it was suspending the app as a precaution - not in response …

COMMENTS

This topic is closed for new posts.
  1. Sir Barry

    Good to see a company being proactive over security rather than waiting for a breach.

    1. fred_larson_65

      Really? You like your data being wiped out without any notice or permission?

      1. Captain Scarlet

        Well, if you have any smartphone nowadays it's something you have to live with when using third party apps via an app store (the only one I am not sure about is Nokia, as I am a BB and Google user).

      2. Tom 13

        @ fred_larson_65

        Life Lock is the 800 pound gorilla for prevention of identity theft and bank accounts. If you signed up for their services and you don't know that, you're too stupid for me to care about. Many people consider their measures to be over the top. Sign up for their service and you may not be able to get a loan yourself if you don't tell them first via their verification process. If you're one of those people, you shouldn't be using them. But they should be an option for people who want that level of security.

      3. Sir Barry

        Ref Really?

        Yeah, really.

        I would prefer a data wipe instead of my bank account being cleaned out.

        There's no pleasing some people, you're bleating about a company taking a responsible attitude towards customer security, but if they remained lax and indifferent you would bleat about that too.

  2. fred_larson_65

    This is crazy, how can they do this without asking the customer? Imagine someone coming to your house and taking your car, because it is not safe enough. Absolute customer disrespect. Luckily I use an offline password manager, Sticky Password, which does the same as LifeLock, and no data can be deleted without my notice or permission.

    1. Don Jefe

      No. There's not a court on Earth that wouldn't side with a business for taking drastic action to protect other customers. That goes for Sticky Password too. Your permission is not required.

      1. Jamie Jones

        Wouldn't a less drastic solution be to just switch the thing off, or even just unplug its net connection until a full audit can take place?

        Additionally, shouldn't they have offline backups of the data?

        I'm probably a bit more sympathetic to the situation than Fred is, but he makes a good point, and I don't understand his downvotes.

      2. fred_larson_65

        For me this is no freedom.

  3. JCF2009

    "We have determined that certain aspects of the mobile app may not be fully compliant with payment card industry (PCI) security standards."

    What? The PCI standard is such a minimal level of security (like don't store the user's PIN in plaintext) that if the app weren't compliant it would deserve to be shut down.

  4. Fatman

    "Lifelock"

    You mean this Lifelock:

    http://www.phoenixnewtimes.com/2010-05-13/news/cracking-life-lock-even-after-a-12-million-penalty-for-deceptive-advertising-the-tempe-company-can-t-be-honest-about-its-identity-theft-protection-service/full/

    What else is new!

    IIRC, they can't offer that 'guarantee' in New York state.

  5. Steve Knox

    PCI DSS is a BARE MINIMUM

    Target and other recent targets were in full compliance with PCI DSS, yet they were still pwned because they were lax in areas where the PCI standards wrongly allow them to be lax.

    So for a company whose reputation is based entirely on securing their customers' data, not even meeting the bare minimum, known-to-be flawed PCI standards is an epic fail.

  6. Nate Amsden

    Lemon

    Was just looking at when this service launched and apparently they got the product by acquiring a company named "Lemon" for $42M late last year.

    What an ironic name

  7. John Tserkezis

    When I was looking for an 'electronic wallet', one of the key mandatory features I was looking for was local storage of the encrypted file. The key never leaves the phone, I'm the only one responsible for keeping it backed up, and backing it up is as easy as copying a file.

    The cloud serves many places, this is not one of them.

  8. Anonymous Coward

    PCI rules

    Actually, the PCI rules say that you can't store the PIN number at all.

  9. Anonymous Coward

    Clarity on things PCI

    * PCI has no jurisdiction over you the consumer. It only has a say for companies/banks (and 3rd parties) involved with issuing cards and accepting transactions. If your phone or PC is insecure PCI has no say. If your retailer wants to use a phone to take payments they do.

    * It sounds like Lifelock may have a problem with the cloud part. The challenge is where do they fit in the industry. All those companies/banks are under contract to the likes of Visa and MC or to someone who is. They may not even be allowed to keep that data unless they are under contract. I've no idea how that works but I'm sure the card companies have done everything they can legally and contractually to keep control. Perhaps, it may be as simple as Lifelock taking payments with cards means everything they do with cards must comply. If they didn't expect to have to meet all the security requirements they could have had a big surprise during an audit.

    * On the whole mobile wallet security has been far worse than PCI. So many have been developed without even considering PCI let alone trying to meet the requirements. Once companies realize they aren't subject to it they can make up their own rules. Consumers should realise this. Caveat emptor.

    * PCI doesn't even consider phones or tablets secureable. COTS payment applications running on them can't be certified.

    * PCI does allow for secure devices and applications that encrypt the data for the bank before giving it to the phone/tablet. Most devices that claim to do this aren't certified. In fact, worldwide there are something like 4 or 5 such certified devices.

    * Companies that get breached aren't compliant with PCI. Most of the headlines you read scream at you that more than one critical requirement was not met. Not the dot the i's and cross the t's stuff either.

    * While it's easy to dis PCI, the thing is very big, very complicated, and burdensome (if you don't believe me, go to the site: there are like 4 or 5 standards, a couple of hundred pages each, and hundreds of supporting documents. Light bedtime reading indeed). There's a ton of room for honest mistakes and for screwups, let alone bad actors. It will never be perfect; they do keep toughening it up, and they'll probably always be behind. That isn't excusing anyone - it just is what it is.

  10. renrutnoj

    Clarity on things PCI

    Wow, nice to see somebody who knows what they are talking about around PCI but also tempers it with some reality.

    PCI does however recommend using PA (payment application) DSS document as a guide when developing/deploying mobile payment/issuing applications. I found the P2PE (point-to-point-encryption) docs useful too.
