19th century cryptographer Auguste Kerckhoffs first observed the weakness of security through obscurity, prompting Bruce Schneier to routinely demand that security systems "recover gracefully" from compromised secrets (e.g. passwords can be changed). Unfortunately, the fundamental authentication system underlying our economy hinges on the confidentiality of immutable credentials like social security number, birth date and mother's maiden name. The danger of such "brittle secrets" is that the entire system breaks under pressure. Indeed, under pressure from mostly online identity thieves, the integrity of personal identity in our economy is badly broken.
According to last month's Harris Interactive study, about 50 million Americans have been informed--mostly by their banks or government--that their personal credentials have been somehow compromised. In addition, nearly 10 million Americans are aware of specific instances in which they were victims of identity theft. As staggering as these numbers are, the actual numbers are necessarily higher than what's reported. It would be quite a stretch for you to imagine that somehow your data remain safely stored among all the vendors, doctors, banks, web sites, and government agenices whom you've engaged in your lifetime. More likely, your personal credentials are all for sale in black market exchanges like this one.
In other words, the horses are out of the barn. There's little point trying to re-tool or regulate the world's IT infrastructure to contain consumer data. Even if your concern is future generations whose identities are still safe from thieves, there are so many ways for data to leak that it's futile to expect brittle secrets like our social security numbers to be both useful and sustainably confidential. So rather than fund "extrusion detection" startups, as so many other VC's have done, I have instead looked for technology that can protect our identities in a way that does not presume the secrecy of our credentials.
Cyota, for example, protects our bank accounts after phishers have stolen our credentials; but Cyota, which secures the banks' assets, doesn't address the most common form of identity theft -- application credit fraud perpetrated against individuals. By applying for credit in our names, thieves get cars, phones, credit cards and even mortgages, leaving us to deal with the nightmare of bills, debts, liens and bad credit. For 6 years running, this is the fastest growing crime in the US (and the financial cost per episode is growing). The problem has reached such epidemic proportions that consumers, prompted in part by the data-breach-disclosure letters they receive, will pay for solutions -- even pathetically ineffective ones like credit report monitoring services.
But I did learn from Cyota that if you can't keep a secret from phishers and laptop thieves, and if you can't trust spyware-infected computers, you can still protect your assets through multi-channel authorization of risky transactions. That is, thieves can't get to your assets if you are consulted prior to withdrawals and account changes over a medium separate from that in which the transaction originated.
That's why Bessemer set out to find a company focused on putting consumers in charge of their own finances, through mechanisms that require their out-of-band authorization for any extension of credit. There are many possible mechanisms, including opt-out lists, credit fraud alerts (courtesy of the 2003 FACTA Act), and credit freezes (courtesy of California's Consumer Credit Reporting Agencies Act). We assessed many startups in the field, but the best among them is Lifelock.
Todd Davis, the CEO of Lifelock, got our attention when he disclosed his social security number on TV, proving his personal confidence in the Lifelock service. By focussing on easy enrollment, Lifelock has built by far the largest subscriber base in the industry, with stellar customer satisfaction rates that yield annual churn rates below 5%. Having subscribed my entire family to Lifelock (the kids are vulnerable, too), our finances and credit are now protected from identity thieves. Lifelock backs up its service with a guarantee that it will handle any resolution of ID theft, with a $1,000,000 warranty.
Obviously I'm excited about this investment (like the Men's Hair Club President, I'm also a customer!). Bessemer's anti-fraud practice has been consistently successful to date with Verisign, Cyota (RSA), SiteAdvisor (McAfee) and Coral Systems (Lightbridge). And this was one of those easy investment decisions where several road maps (Consumer Internet, Multi-Channel Authorization, Get Big Cheap) converged.