Saturday, November 18, 2006

Preventing Identity Theft

19th century cryptographer Auguste Kerckhoffs first observed the weakness of security through obscurity, prompting Bruce Schneier to routinely demand that security systems "recover gracefully" from compromised secrets (e.g. passwords can be changed). Unfortunately, the fundamental authentication system underlying our economy hinges on the confidentiality of immutable credentials like social security number, birth date and mother's maiden name. The danger of such "brittle secrets" is that the entire system breaks under pressure. Indeed, under pressure from mostly online identity thieves, the integrity of personal identity in our economy is badly broken.

According to last month's Harris Interactive study, about 50 million Americans have been informed--mostly by their banks or government--that their personal credentials have been somehow compromised. In addition, nearly 10 million Americans are aware of specific instances in which they were victims of identity theft. As staggering as these numbers are, the actual numbers are necessarily higher than what's reported. It would be quite a stretch for you to imagine that somehow your data remain safely stored among all the vendors, doctors, banks, web sites, and government agenices whom you've engaged in your lifetime. More likely, your personal credentials are all for sale in black market exchanges like this one.

In other words, the horses are out of the barn. There's little point trying to re-tool or regulate the world's IT infrastructure to contain consumer data. Even if your concern is future generations whose identities are still safe from thieves, there are so many ways for data to leak that it's futile to expect brittle secrets like our social security numbers to be both useful and sustainably confidential. So rather than fund "extrusion detection" startups, as so many other VC's have done, I have instead looked for technology that can protect our identities in a way that does not presume the secrecy of our credentials.

Cyota, for example, protects our bank accounts after phishers have stolen our credentials; but Cyota, which secures the banks' assets, doesn't address the most common form of identity theft -- application credit fraud perpetrated against individuals. By applying for credit in our names, thieves get cars, phones, credit cards and even mortgages, leaving us to deal with the nightmare of bills, debts, liens and bad credit. For 6 years running, this is the fastest growing crime in the US (and the financial cost per episode is growing). The problem has reached such epidemic proportions that consumers, prompted in part by the data-breach-disclosure letters they receive, will pay for solutions -- even pathetically ineffective ones like credit report monitoring services.

But I did learn from Cyota that if you can't keep a secret from phishers and laptop thieves, and if you can't trust spyware-infected computers, you can still protect your assets through multi-channel authorization of risky transactions. That is, thieves can't get to your assets if you are consulted prior to withdrawals and account changes over a medium separate from that in which the transaction originated.

That's why Bessemer set out to find a company focused on putting consumers in charge of their own finances, through mechanisms that require their out-of-band authorization for any extension of credit. There are many possible mechanisms, including opt-out lists, credit fraud alerts (courtesy of the 2003 FACTA Act), and credit freezes (courtesy of California's Consumer Credit Reporting Agencies Act). We assessed many startups in the field, but the best among them is Lifelock.

Todd Davis, the CEO of Lifelock, got our attention when he disclosed his social security number on TV, proving his personal confidence in the Lifelock service. By focussing on easy enrollment, Lifelock has built by far the largest subscriber base in the industry, with stellar customer satisfaction rates that yield annual churn rates below 5%. Having subscribed my entire family to Lifelock (the kids are vulnerable, too), our finances and credit are now protected from identity thieves. Lifelock backs up its service with a guarantee that it will handle any resolution of ID theft, with a $1,000,000 warranty.

Obviously I'm excited about this investment (like the Men's Hair Club President, I'm also a customer!). Bessemer's anti-fraud practice has been consistently successful to date with Verisign, Cyota (RSA), SiteAdvisor (McAfee) and Coral Systems (Lightbridge). And this was one of those easy investment decisions where several road maps (Consumer Internet, Multi-Channel Authorization, Get Big Cheap) converged.

Technorati Tags:
Blogged with Flock


  1. Nice Post.
    There is always a Human factor and system factor connected with the Identity Theft.
    The best process would be give the Users the choice of the medium or method they want to disclose their identity.
    Its not only the average online Users who are attacked but also the University Students
    and here is the simple guide to protect your Identity because in the end it the users who are at risk not the system.

  2. David,
    Identity theft has gotten a lot of press, much of that fueld by the credit card companies (a citibank TV commercial with a voice-over comes to mind, no?).

    It seems to me that Lifelock preys on on the consumer fear generated by this press (and real incidents of ID theft).

    But I don't really get how a patchwork of free services (opt-outs, credit reports, refusing spam mail), some blatantly gimmicky marketing (the CEO's ploy, the language on the website, the $1 million dollar guarantee) provide a value-add to the consumer. In fact, financial institutions are required by regulation to protect the consumer in the event of unauthorized transactions.

    A lot of marketing to consumer fear, and little substance in the service. What is it that excites you about this company?

  3. Crimson,

    1. All security companies--online and offline--address fears we have about threats. The question is whether the threat is real, and several sources, including federal agencies, report that identity theft impacts about 5 million Americans every year.

    2. You are right that Lifelock's product is a "patchwork of free services." However, these service are more effective than you imply. For example, if you have a good faith concern that you may be a victim of ID theft, Lifelock can help you maintain fraud alerts on your credit profiles so that creditors must effect an out-of-band authorization before extending credit in your name. The strength of this defense emboldens Lifelock to back up their service with a $1m warranty. Certainly, consumers can procure all these services without Lifelock, including the renewal of the fraud alerts every 90 days as required by law. Personally, I'd rather pay the $110 per year so that I don't have to figure out all the details, spend my time managing the process, and risk making a mistake.

    3. You say that there is no risk because financial institutions protect consumers from fraud. First, that is simply not true. There are some fraudulent transactions that financial institutions decline to cover. But regardless, the damages go way beyond the specific debts accrued by the thief--victims of ID theft end up paying all kinds of fees and legal bills, not to mention the disruption of a low credit score while they fight the credit agencies to restore their good name.

    The founder of Lifelock was actually arrested and imprisoned as a result of ID theft perpetrated in his name. What good was his credit card issuer's "fraud limit"?

    That's why I'm excited by this investment!

  4. Anonymous11:32 AM

    From this story it appears that the founder of Lifelock has filed for personal bankruptcy and does not have a very clean reputation.

    Did you do a background check on him before the investment?

  5. Anon,
    When we invested, the founder was no longer on the board or a controlling shareholder. However, we certainly did check him out. I posted a more complete response here.

  6. To the Anonymous commenter above, outside of the founder of Lifelock there are many other people in the credit reporting/credit protection industry who have way more sketchy backgrounds than what you'd like to think.

    It's sad, but that's the way it is. If you talk about the background of one person running a company which holds onto/protects people's personal information, you really should look into the background of the people running the companies who you have given your social security number to in the past:

    Credit card companies, health insurance companies, doctor's office(s), etc.

    That tends to be stuff you don't think about because those companies aren't challenging an industry which is really entrenched in protecting their position in the market.

  7. Anonymous6:26 PM

    What most people fail to realize is that credit related ID Theft gets all the news attention but is responsible for only 50% of the ID Theft occurrences. Medical ID Theft, Employment, Utility, Wireless, IRS and Social Security Fraud are all on the rise and are completely unprotected by LifeLock's product and guarantee. Even if you become a victim of creedit related ID Theft their guarantee and services only apply if they are a direct result from the faiilure or defect of their service...which is placing fraud alert on your credit report. So if you become a victim because the lender does not check your credit report,(like many credit card companies) or they do and ignore the fraud alert,(as occurs frequently) then there is no protection. Just ask the President of the company that has had his identity stolen and in essence would not have been protected due to this exact situation. They are all hype and really are a pariah of the industry. My company does sell a competing plan but my advise to all is to find a plan that covers all ID theft regardless of the type and takes over all the work if you do become a victim. This is known as a fully managed restoration plan and several companies offer this type of service. Sice there is no way to eliminate the risk of ID Theft having a plan that is broad in what it does protect if the event occurs is the way to go. Otherwise you are better of keeping your money and going without. Check out a recent article in Kiplinger's ("Do I really need ID Theft?")which reaffirms this opinion.

  8. Jeff,

    Your facts are simply wrong. Lifelock does extend its guarantee to the incidents of fraud you mentioned. The specific instance you mention--when a creditor fails to check a credit report that has been flagged with a fraud alert--has indeed happened on rare occasion and Lifelock has in fact paid out every claim. (In fact it was this very specific possibility that inspired Lifelock to issue a guarantee in the first place.)

    As for your characterization of Lifelock as "a pariah of the industry," I will respond to your infantile name calling by simply pointing out that Lifelock is now in fact the market leader.

    Here's some free VC advice: find a more sustainable strategy for your business than lying about the competition.