It’s difficult not to be concerned about identity theft in the modern era. Individuals, businesses and even governments are being hacked with regularity, which is why it’s no surprise that identity theft protection services like Credit Sesame and LifeLock have been popping up in recent years, offering to keep our identities safe for a monthly fee.
Unfortunately, as Tom’s Guide reports, many of these services put personal information at risk by failing to offer two-factor authentication (2FA) for customers. With two-factor authentication, you have to verify any login attempt with an app on your phone, but without it, anyone who has your email address and password can access your account. Once inside, they could steal your bank account information, credit cards numbers and more.
“An identity-theft-protection service has two things of value to an attacker: The personal information that can be used to steal your identity is all in one place, and it’s also where you log in to set up notifications for the service,” principal security strategist at Duo Security, Wendy Nather, told Tom’s Guide. “So, if someone can log in to that account, they can get the information they need to steal your identity, and at the same time, they can turn off or redirect the alerts that the service might have sent you. It’s like giving a burglar the key to your home alarm system.”
Having reviewed six such services, Tom’s Guide found that only two currently offer 2FA security: IdentityForce and ID Watchdog. Identity Guard offers 2FA on its mobile app, but not on its website. The other three are all considering it.
LifeLock says that implementing 2FA “is a priority,” but couldn’t provide a launch window. Credit Sesame says that it is “actually exploring various implementations of 2FA right now,” and plans to launch it in “the near future.” IDShield says that 2FA is “on its backlog of items,” but has no timetable for launch.
Even if you find 2FA to be cumbersome or superfluous, an online identity theft protection service seems like it would be one area where virtually anyone would be willing to deal with an extra step to keep private information out of the hands of bad actors. The fact that three of the most popular services don’t offer it at all is incredibly scary.