back to article LifeLock snaps shut Wallet mobile app over credit card leak fears

LifeLock has withdrawn its Wallet App and deleted user data over concerns the technology falls short of user data protection rules under the payment card industry's Data Security Standard (PCI DSS). In a statement Todd Davis, chairman and chief exec of LifeLock, said it was suspending the app as a precaution - not in response …

COMMENTS

This topic is closed for new posts.
  1. Sir Barry
    Thumb Up

    Good to see a company being proactive over security rather than waiting for a breach.

    1. fred_larson_65

      Really? You like your data being wiped out without any notice or permission?

      1. Captain Scarlet Silver badge

        Well if you have any smartphone nowadays its something you have to live with when using third party apps via an app store (Only one I am not sure about is Nokia as I am a BB and Google user)

      2. Tom 13

        @ fred_larson_65

        Life Lock is the 800 pound gorilla for prevention of identity theft and bank accounts. If you signed up for their services and you don't know that, you're too stupid for me to care about. Many people consider their measures to be over the top. Sign up for their service and you may not be able to get a loan yourself if you don't tell them first via their verification process. If you're one of those people, you shouldn't be using them. But they should be an option for people who want that level of security.

      3. Sir Barry

        Ref Really?

        Yeah, really.

        I would prefer a data wipe instead of my bank account being cleaned out.

        There's no pleasing some people, you're bleating about a company taking a responsible attitude towards customer security, but if they remained lax and indifferent you would bleat about that too.

  2. fred_larson_65

    This is crazy, how can they do this without asking the customer? Imagine someone coming to your house and taking your car, because it is not safe enough. Absolute customer disrespect. Luckily I use an offline password manager Sticky Password which does the same like LifeLock and no data can be deleted without my notice or permission.

    1. Don Jefe

      No. There's not a court on Earth that wouldn't side with a business for taking drastic action to protect other customers. That goes for Sticky Password too. Your permission is not required.

      1. Jamie Jones Silver badge

        Wouldn't a less drastic solution be to just switch the thing off, or even just uplug its net connection until a full audit can take place?

        Additionally, shouldn't they have offline backups of the data?

        I'm probably a bit more sympathetic to the situation than Fred is, but he makes a good point, and I don't understand his downvotes..

      2. fred_larson_65

        For me this no freedom.

  3. JCF2009

    "We have determined that certain aspects of the mobile app may not be fully compliant with payment card industry (PCI) security standards."

    What? The PCI standard is such a minimal level of security (like don't store the user's PIN in plaintext) that if the app weren't compliant it would deserve to be shut down.

  4. Fatman

    "Lifelock"

    You mean this Lifelock:

    http://www.phoenixnewtimes.com/2010-05-13/news/cracking-life-lock-even-after-a-12-million-penalty-for-deceptive-advertising-the-tempe-company-can-t-be-honest-about-its-identity-theft-protection-service/full/

    What else is new!

    IIRC, they can't offer that 'guarantee' in New York state.

  5. Steve Knox
    FAIL

    PCI DSS is a BARE MINIMUM

    Target and other recent targets were in full compliance with PCI DSS, yet they were still pwned because they were lax in areas where the PCI standards wrongly allow them to be lax.

    So for a company whose reputation is based entirely on securing their customers' data, not even meeting the bare minimum, known-to-be flawed PCI standards is an epic fail.

  6. Nate Amsden

    Lemon

    Was just looking at when this service launched and apparently they got the product by acquiring a company named "Lemon" for $42M late last year.

    What an ironic name

  7. John Tserkezis

    When I was looking for an 'electronic wallet', one of the key manditory features I was looking for, was local storage of the encrypted file. The key never leaves the phone, I'm the only one responsable for keeping it backed up, and backing it up is as easy as copying a file.

    The cloud serves many places, this is not one of them.

  8. Anonymous Coward
    Anonymous Coward

    PCI rules

    Actually, the PCI rules say that you can't store the PIN number at all.

  9. Anonymous Coward
    Anonymous Coward

    Clarity on things PCI

    * PCI has no jurisdiction over you the consumer. It only has a say for companies/banks (and 3rd parties) involved with issuing cards and accepting transactions. If your phone or PC is insecure PCI has no say. If your retailer wants to use a phone to take payments they do.

    * It sounds like Lifelock may have a problem with the cloud part. The challenge is where do they fit in the industry. All those companies/banks are under contract to the likes of Visa and MC or to someone who is. They may not even be allowed to keep that data unless they are under contract. I've no idea how that works but I'm sure the card companies have done everything they can legally and contractually to keep control. Perhaps, it may be as simple as Lifelock taking payments with cards means everything they do with cards must comply. If they didn't expect to have to meet all the security requirements they could have had a big surprise during an audit.

    * On the whole mobile wallet security has been far worse than PCI. So many have been developed without even considering PCI let alone trying to meet the requirements. Once companies realize they aren't subject to it they can make up their own rules. Consumers should realise this. Caveat emptor.

    * PCI doesn't even consider phones or tablets secureable. COTS payment applications running on them can't be certified.

    * PCI does allow for secure devices and applications that encrypt the data for the bank before giving it to the phone/tablet. Most devices that claim to do this aren't certified. In fact world wide there are something like 4 or 5 such certified devices.

    * Companies that get breached aren't compliant with PCI. Most of the headlines you read scream at you that more than one critical requirement was not met. Not the dot the i's and cross the t's stuff either.

    * While it's easy to dis PCI, the thing is very big, very complicated, and burdensome (If you don't believe me, go to the site there are like 4 or 5 standards a couple of hundred pages each and hundreds of supporting documents. Light bed time reading indeed). There's a ton of room for honest mistake and for screwups let alone bad actors. It will never be perfect; they do keep toughening it up, and they'll probably always be behind. That isn't excusing anyone - it just is what it is.

  10. renrutnoj

    Clarity on things PCI

    Wow, nice to see somebody who knows what they are talking about around PCI but also tempers it with some reality.

    PCI does however recommend using PA (payment application) DSS document as a guide when developing/deploying mobile payment/issuing applications. I found the P2PE (point-to-point-encryption) docs useful too.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021