Identity loss

Share on:

Identity Loss

It’s a real thing and it can be really bad when it happens. The damage it can cause ranges from annoyance, loosing property all the way to ruining a life. Society has taken steps to minimize the damages and make the crimes punishable, but at this point we each need to protect ourselves more than anything else.

Being careful is most of what needs to be done. Protecting your email accounts with 2 factor authentication goes a long way. Shredding your documents with confidential information is another. The list goes on and on and I think most people are aware of the major steps to take and problems that can occur.

Over the last 20 years there have been a growing number of services that you pay to provide protection. Some of them take more active approaches. Others take more passive ones like monitoring different places for potential problems. That monitoring is what I want to talk about today.

Identity Loss Monitoring

I have subscribed to a few services like this over the last several years. They watch for potential problems in my credit score, for mentions in legal documents and most recently if any of my identifying information appears in known bad places on the Internet. That last one could be account names and passwords from a hacking attack or compromise.

All in all I have been happy with these services. Every now and then they would send me a notice that one of my email addresses showed up in a list of compromised accounts. In all but one case they were false alarms, but I would rather know to check a few times a year rather than be left open that one time in half a decade.

FUD

The problem is that these services don’t seem to be content with providing a valuable service that you need once in a while. They really want to be part of your monthly conversation no matter what. How do they do that, by grasping onto anything and sowing fear, uncertainty and doubt (FUD).

I was very happy when I only heard from them once a quarter saying “everything is all good”, and the, “you should look into this” messages when they happened. Happy enough that I had no problem with renewing my annual subscription.

Now I get regular emails with scary warnings that there is something wrong and that I need to look into it. Given the previous track record I look into each problem as soon as I get home to see what I need to do about it. The problem is that they are never really issues. They aren’t even things that the service should issue an alert for.

Let me give you some examples.

  • 8/25/2021: “Your phone number has been found compromised online.”
  • 7/15/2021: “Your email address has been found compromised online.”
  • 6/25/2021: “Your phone number has been found compromised online.”
  • 6/1/2021: “Your phone number has been found compromised online.”
  • 5/27/2021: “Your phone number has been found compromised online.”

The last report I got before this was in 2019 and it was a password had potentially been released with an email address. So I went almost 2 years from the last real warning to 3 months of FUD.

Why are these FUD? It’s basically a who cares condition. My home phone number has been publicly listed for decades, with my name and address. There are probably 60 phone books that have been published with that level of detail. Should I get 60 alerts? NO!

One of the alerts did have my wife’s name and date of birth listed. While that is potentially worrisome, it’s also completely public data. There not only was no secrecy around the date she was born, nor the day any member of the family was, it was celebrated and announced to the world. I’m sure anyone with a little research gumption could find the details in question with just a little bit of work. What we should worry about is any service that uses a birthday as proof of identity, not that it is available for hacking you out of house and home.

Finally, the email address one from 7/15. Is this something I should worry about? No, lots of people have my email address. It’s probably sold for pennies as a spam target and why I run heavy spam filters on my inbound email. It is about as public a piece of information as my name, address and phone number. Yet this service sent me an email that I was supposed to worry about a potential problem until I could see it was a false alarm. The service that cried wolf anyone?

Bad advice

At the bottom of each alert is a series of recommendations. In each one is the suggestion that I should change my password on all my accounts. While this sounds like a good idea, I’m going to argue that it isn’t.

If I start changing all my passwords I run the risk of forgetting what they are. Sure I can use a password manager, but I don’t always have access to a password manager so I have to use my brain. Over the years I know that the risk of forgetting a password after I change it is high because I don’t use all of these accounts more than once a month or year.

When I forget my password there is normally an email based recovery that I have to go through. Not ideal from a security perspective, but it is better than the damn worthless security questions that some sites use. I receive an email that says something like click on the link to set a new password. Even when I don’t need a password reset I get an email telling me that I changed it.

All of these notifications and emails are good, but if they come into my account every few weeks they become meaningless. Once your alerts become noise, you tune it out and stop taking it as a serious issue that needs your attention. Right now if I get a password updated message I know it is something I need to check on. If I changed my password like socks those valuable alerts would be lost in a sea of noise.

Now combine changing passwords with every time I get an alert about someone finding the equivalent of a phone book online and it is going to get noisy and pointless really fast. So much so that I think the user base is more open to real attacks than they were without the alerts. It literally is the online version of the boy who cried wolf.

Why the FUD?

My only guess is that some marketing person came in to the monitoring service and started talking about customer engagement. Always be contacting the customer so they don’t devalue or forget about the relationship. This is the type of BS that makes our lives messy today. It is at the root of spam and robocalls that none of us like.

Bad on the corporate actors for believing these marketers are correct. I want a service like this to fade into the background until I need it. If they only alerted me once every few years when there is a real problem, I would probably pay 10 times as much for the service. Now, I’m really not wanting to ever renew it. If I don’t renew we all know that they will send me countless emails trying to get me back. That will seal the deal and I will never do business with them again.

So we have a perfectly good service that could have improved themselves by improving the service. Instead they are ruining a good thing with marketing. I hope this is a lesson to others. When marketing gets involved be careful. You might be killing the goose tomorrow just to get a few extra golden eggs today.