December 21, 2015

The U.S. Federal Trade Commission this past week announced it reached settlements with software giant Oracle and identity protection firm LifeLock over separate charges of allegedly deceiving users and customers about security. LifeLock agreed to pay $100 million for violating a 2010 promise to cease deceptive advertising practices. Oracle’s legal troubles with the FTC stem from its failure to fully remove older, less secure versions of Java when consumers installed the latest Java software.

The FTC sued Oracle over years of failing to remove older, more vulnerable versions of Java SE when consumers updated their systems to the newest Java software. Java is installed on more than 850 million computers, but only recently (in Aug. 2014) did the company change its updater software to reliably remove older versions of Java during the installation process.

According to the FTC’s complaint, since acquiring Java in 2010, Oracle was aware of significant security issues affecting older versions of Java SE. The FTC charges that Oracle was aware of the insufficiency of its update process.

“Internal documents stated that the ‘Java update mechanism is not aggressive enough or simply not working,’ and that a large number of hacking incidents were targeting prior versions of Java SE’s software still installed on consumers’ computers,” the FTC said. “The security issues allowed hackers to craft malware that could allow access to consumers’ usernames and passwords for financial accounts, and allow hackers to acquire other sensitive personal information through phishing attacks.”

Few sites require Java to display content anymore, and most regular users can likely do without the program given the incessant security holes introduced by the program and its record of being abused by malicious software to infect millions of systems. See this post for a more detailed breakdown of why I’ve so often encouraged readers to junk Java, and advice for users who absolutely still need to have Java installed. If you’re not sure whether you have Java installed, check out this page that Oracle has put up to help users detect and remove installations of Java.
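As an added example (not code from the article or from Oracle), the script below performs the inventory check the complaint implies: given the version string each Java runtime found on a host reports, it parses the version and flags every runtime other than the newest as a leftover to remove. The sample inventory and its paths are constructed, and the parser also accepts the Java 9+ version scheme, which postdates the article.

```python
"""Flag side-by-side Java SE runtimes left behind by an updater.

Added example, not code from the article or from Oracle.  The FTC complaint
describes an updater that installed the newest Java SE next to older ones
instead of replacing them; this check lists every runtime found on a host,
parses its version and flags all but the newest.  SAMPLE_INVENTORY is
constructed and its paths are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Legacy scheme (Java 5 through 8): 1.<family>.0_<update>, e.g. "1.7.0_26".
_LEGACY = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?$")
# Java 9+ scheme: <family>.<interim>.<update>, e.g. "11.0.2".
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-+][\w.]+)?$")
# First line `java -version` prints (to stderr): java version "1.8.0_65"
_BANNER = re.compile(r'version "([^"]+)"')


@dataclass(frozen=True)
class JavaInstall:
    path: str     # where the runtime was found
    version: str  # version string that runtime reports


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Map a version string to a comparable (family, update) pair:
    "1.7.0_26" -> (7, 26), "1.4.2_19" -> (4, 19), "11.0.2" -> (11, 2); None otherwise."""
    text = text.strip()
    m = _LEGACY.match(text)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = _MODERN.match(text)
    if m:
        return int(m.group(1)), int(m.group(3) or 0)
    return None


def version_from_banner(banner: str) -> Optional[str]:
    """Pull the quoted version out of `java -version` output, or None."""
    m = _BANNER.search(banner)
    return m.group(1) if m else None


def find_stale_installs(installs: List[JavaInstall]):
    """Return (newest, stale, unknown): the one runtime to keep, every other
    parseable runtime (older or a duplicate copy), and runtimes whose version
    string did not parse and therefore need a manual look."""
    parsed, unknown = [], []
    for inst in installs:
        ver = parse_java_version(inst.version)
        if ver is None:
            unknown.append(inst)
        else:
            parsed.append((ver, inst))
    if not parsed:
        return None, [], unknown
    parsed.sort(key=lambda item: item[0], reverse=True)  # stable: first of a tie is kept
    return parsed[0][1], [inst for _, inst in parsed[1:]], unknown


# Constructed inventory with hypothetical paths: a current JRE next to the
# versions it should have replaced, plus a vendor-bundled runtime whose
# version string follows neither scheme.
SAMPLE_INVENTORY = [
    JavaInstall(r"C:\Program Files\Java\jre1.8.0_65", "1.8.0_65"),
    JavaInstall(r"C:\Program Files (x86)\Java\jre7", "1.7.0_26"),
    JavaInstall(r"C:\Program Files (x86)\Java\jre6", "1.6.0_45"),
    JavaInstall(r"C:\vendor\switch\jre", "1.4.2_19"),
    JavaInstall(r"C:\vendor\legacy\jre", "custom-build"),
]

if __name__ == "__main__":
    newest, stale, unknown = find_stale_installs(SAMPLE_INVENTORY)
    print("keep:", newest.version, "| remove:", [i.version for i in stale])
    print("inspect by hand:", [i.version for i in unknown])
```

On a real host the inventory would come from feeding each discovered java executable's `-version` banner through version_from_banner; the stale list is what the updater described in the complaint should have removed.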

LIFELOCK

The FTC’s $100 million settlement with LifeLock represents a record for monetary awards obtained by the agency. It stems from alleged violations of a previous deceptive advertising settlement the company reached with the FTC back in 2010.

An ad for LifeLock services.

According to the FTC, LifeLock failed to establish and maintain a comprehensive information security program to protect users’ sensitive personal information — including their social security, credit card and bank account numbers. The FTC also alleged LifeLock falsely advertised that it protected consumers’ sensitive data with the same high-level safeguards used by financial institutions, and that it would send alerts “as soon as” it received any indication that a consumer may be a victim of identity theft.

The court documents related to the latest LifeLock settlement are still sealed, so it’s unclear how exactly LifeLock allegedly failed to protect customers’ sensitive personal data. Interestingly, the lone dissenter in the LifeLock case was FTC Commissioner Maureen K. Ohlhausen, who said she disagreed with the ruling because the commission hadn’t produced evidence that LifeLock somehow failed to secure its customer data, and noted that the company has complied with payment card industry security standards for accepting and handling credit card data.

For its part, LifeLock says in a statement that “there is no evidence that LifeLock has ever had any of its customers data stolen, and the FTC did not allege otherwise.”

This October 2015 story from About.com includes interesting perspective from Virginia Attorney Ken Cuccinelli, whose investigation into LifeLock’s business practices culminated in a class-action lawsuit pitting the FTC and 34 other state attorneys general against the company. According to that interview, Cuccinelli’s beef with LifeLock seems to have centered around allegations of false advertising about the level and quality of LifeLock’s identity protection service, as opposed to any specific data security issues at LifeLock.

“The problem, according to Cuccinelli, was not so much that LifeLock offered a flawed service, but that they were misrepresenting the level of security that they in fact provided,” wrote William Deutsch. “For years, LifeLock had been claiming to be an airtight guarantee against all forms of identity theft. LifeLock’s service is most effective against new account fraud, which is why members can expect an alert when someone tries to open up a new account in their name. But according to the Federal Trade Commission, the service wasn’t as effective in securing customers against the abuse of existing accounts, nor did it offer much protection against medical and employment related fraud.”

I have consistently urged readers to understand the limitations of credit monitoring services, which countless companies offer consumers each year in response to data breaches that expose customer personal and payment data. As I’ve noted time and again, credit monitoring services are unlikely to block thieves from opening new lines of credit in your name; the most you can hope for is that these services will alert you when the thieves succeed in getting new credit using your good name.

Credit monitoring services are useful for ID theft victims who are seeking help in removing fraudulent inquiries from their credit report. But if you want true protection against new account fraud committed in your name, place a security freeze on your credit file with the major credit bureaus. This article explains more about what’s involved in a security freeze and how to protect you and your family.


38 thoughts on “Oracle, LifeLock Settle FTC Deception Charges”

  1. Sam

    In Canada at this time you cannot get a security freeze on your credit file. You can only get alerts and ONLY after proving to them that you have been a victim of fraud.

    I’m supposing that’s because Canadians don’t get victimized the way Americans do. Anyone know anything about that or have an opinion on this morbid state of affairs?

    1. JCitizen

      I’m normally not interested in government intervention in general, but as far as personal ID I’m rabid about heavy regulation of the consumer credit reporting agencies – they have been ducking regulations for decades with one promise after another, and I think it is high time to lower the boom on them!

      I’m a member of the Consumers Union political action committee, and I hope to get them on board to advocate for this! Anyone can join this group, and you don’t have to purchase the magazine or other services of Consumers Union to make a big difference! If anyone is having trouble with Life-Lock or any other credit reporting service or company – contact the CFPB here: http://www.consumerfinance.gov/complaint/

    2. timeless

      Afaict, the answer is that the Canadian banking industry and its regulators are incompetent.

      The most depressing account I’ve found is this one:
      http://www.cbc.ca/news/canada/british-columbia/rbc-customer-s-bank-accounts-looted-3-times-by-identity-thieves-1.2901012

      wrt credit card cloning, Home Depot impacted Canada too:
      http://globalnews.ca/news/1582758/fraud-turns-up-on-canadian-credit-cards-following-home-depot-breach/

      The general guide on fraud looks pretty much like the US guide, minus any useful way to freeze w/o already being a victim:
      http://www.rcmp-grc.gc.ca/scams-fraudes/victims-guide-victimes-eng.htm

  2. JCitizen

    The founder of Life-Lock has a shady past already, so what did they expect?

    As far as Oracle goes – I can’t blame them, because I don’t know how many businesses complain when they cannot get some application or another to work with the new Java, so keeping the older more vulnerable version is almost a prerequisite. Of course it is all Apache’s bag now! A lot of IT types simply include the old version in EMET and pray!

    Speaking of EMET – has anyone else had to replace it with Malwarebytes Anti-exploit yet?

  3. Krav

    Brian, you are once again ignoring the true value of an identity protection service and focusing on nothing but credit monitoring. While you are correct that a freeze is more effective than monitoring, even a freeze can only prevent 15-20% of identity theft. For those issues that don’t involve checking your credit, a freeze does nothing.

    What you blatantly ignore when reviewing services like Lifelock is that they have experts who can help you with medical, criminal, and all the other types of id theft out there, the kind that a freeze does nothing for. So what do you want victims of those types of fraud to do, call you?

    Top end id theft protection will cover all types, not just financial. They will not only advise you how to clear it up, they will actually do the work for you. I recommend researching how these companies actually work before advising your readers to stay away, as you may actually be doing more harm than good.

    1. BrianKrebs Post author

      Pretty unfair criticism, IMHO. I’ve always outlined what these services are good for. What I have been trying to do is not discourage people from identity protection services, but to let them know the limitations of those services, and that people can’t expect to just be passive (sign up for a service) and stop ID theft.

    2. MikeS

      Krav: Please take your own advice and read and research what Brian has said about identity protection services. Both in this essay and in prior ones. You sound like a spin-doctor for one of these companies and it is really disgusting to see this stuff appear here. It insults the readers’ intelligence.

    3. IA Eng

      HA ! If these “services” have to stand up in front of a Federal entity and hand back 100 million dollars and pretty much admit they are using deceptive measures to lure people in to their “services” – I’ll take my business elsewhere.

      Sure – this is just one of those services out there. NONE of which appeal to me.

      With a Freeze available, and proper planning prior to having a Freeze in place one can go for MANY years without having to make a major change.

      We all have our opinions about these services. Nothing here is written in stone as gospel, it’s opinions and perceptions of the data that is presented. There are many other services and blogs for that matter – that might better entertain your tastes.

    4. Jeff

      Krav –

      Just one follow up for you since you probably work for one of those companies. Can any of those companies call a credit card company on behalf of one of its clients?

      When the answer is an emphatic no, come back and tell us how either doing a freeze or keeping track of your own accounts, use of cards, and getting your free reports is any less effective than paying for any of those.

      1. Krav

        Actually Jeff, yes they can. A recovery agent is given limited power of attorney and can contact not just a credit card company, but most other entities related to identity theft (credit bureaus, collectors, hospitals, etc….)

        Brian, sorry if my initial comment came off as attacking, I really am a big fan of the work you do. My issue is that I’ve never heard you mention the benefits of id theft recovery services, you just seem to focus on the credit monitoring aspect, which I agree is not of much value.

        I know they seem like a useless expense, but doesn’t all insurance? Since there is no way to prevent identity theft (again, a freeze only works on about 15%) doesn’t it make sense to have an expert available in case of worst case scenario?

        I have worked for a recovery service yes, but not LL (not a fan of their business practices myself). My point is simply that this type of coverage offers a lot more than credit monitoring, and when cleaning up id theft can take dozens of hours, it sure would be nice to have someone available to make those calls for you.

  4. Rick

    The FTC deemed Oracle liable for not removing older versions of Java because of the security implications? Does that mean that they’re going to go after companies that don’t provide any sort of updates at all? Or shouldn’t they have sued Microsoft into the stone age for historically providing insecure software?

    Bad precedent here….

  5. Uncle Al

    Oracle refrained contemptibly for more than a year to remove out-of-date AND DANGEROUS versions of Java SE, motivating companies such as SingularLabs to create programs that removed those versions left behind after Java versions were updated. Java 7 update 26 was a prime example, causing an excessive number of my customers to spend lots to remove the malware injected afterwards by drive-by infections. Oracle should burn for that.

    Brian, I think you are being kind to LifeLock. Whether one has LifeLock or does not have LifeLock or any other solution, they cannot be passive about protecting their own identity. I am convinced that the particular individual will do a better job than any of the services offering. Therefore, LifeLock’s value is nil.

  6. Likes2LOL

    Rush Limbaugh’s been shilling for LifeLock for years… I wonder if “El Rushbo” will disclose anything about this, or just continue to be a shamelessly complicit recipient of their advertising bucks? 😉 Mark Levin shills for them, too.

    P.S. LifeLock “Ultimate” wasn’t deemed absolute enough, so they upped the ante to “Ultimate Plus” — only $29.99 /month…

    LifeLock Ultimate Plus™ — https://www.lifelock.com/products/lifelock-ultimate-plus/

  7. IA Eng

    Yes I remember the days when you’d install a newer version of Java and assume that the software would update or remove older versions of the Java software. Then when removing the old software, it would rip out some useful active code from the newest java installed, and it would force you to remove all and start all over. Not a big deal, the engineering team was informed and future updates were all stripped out and applied accordingly.

    I see a handful of larger corporations getting away from Java and going to HTML5. It’s a better, quicker platform for most of the applications we use.

    I don’t understand the patch misery status of Oracle. They might like patching things on a constant basis. They hand out a boatload of patches for Oracle on a quarterly basis. Java fits right in there as a software that requires constant tweaking in order to work correctly, for a short period of time.

  8. Jane Carpenter

    Can’t count the many times we’ve received a call from local police about an identity theft victim and they can’t resist adding that the person had id theft “protection” services at the time the info was used!
    Folks need to read the websites: every one has a disclaimer that no one can prevent identity theft. What does that tell you? The problem is that the state regulators can’t tell if the “restoration” services are in violation of any existing laws because every company claims that it has some “special” proprietary something they do and therefore can’t reveal what exactly it is.

  9. Peterb

    Java is still a huge problem for most corporate environments.

    Climate control, payroll systems, admin panels, PLC programmers are just a handful of things I have to deal with on a daily basis that all require some specific out of date version of java to run properly. Some of these systems cost tens of thousands of dollars and have no upgrade paths available. Just getting them to run properly in the first place is a chore, add in the weekly java updates which seemingly break everything in their wake just makes me despise everything that Oracle has any involvement in.

    1. Paul O

      +1000, I deal with this non-sense every day. In some applications we have to use, Java 7 update 42 is as high as I can go, or…
      Error Java Virtual Machine must be Installed.

      1. Bob

        I can beat that. Until recently, we had software that required Java6 on 64bit machines. Unfortunately, we haven’t been able to update that software. So the clients are still stuck on 6. We are slated to upgrade in the summer.

        1. Jim

          I can top even that. We have a video switch that requires java 4 (yes, that is correct) to run in a large, highly customized operational training environment using real-time systems.

          When we updated the computers with the custom software installed with Java 7, the custom app broke. Alas, the requirements document says it requires “at least” java 6, which wasn’t installed. Installing java 6 didn’t work because the custom software installer doesn’t properly check to see what version of java 4 is installed.

          I literally had to trace the installation on a clean system (no java, no custom software) to find out the software was dropping java 4 in and running with it.

          When I explained what I’d found to the vendor, they basically said “sorry.” No support. Wouldn’t even convert the java 4 installation to an embedded java so I could load the current java version for all other uses.

          So the end result is we’ve blocked internet access for the systems with custom software and have to either block java upgrades or reinstall the custom software each time.

          Yeah, I love java. About as much as a root canal.

  10. meh

    I’ve complained about the Java updater for years.. What kind of moron thinks that someone in a smaller environment is going to log on as administrator individually on each machine 3 times a month to update Java? Other solutions exist, but they are generally going to be cost prohibitive for organizations with less than 1000 employees.

  11. M. Ramirez

    Okay guys.
    Simple Question:
    IS LifeLock Ultimate Plus worth it?
    I pay for my spouse and I and Jr. protection $63.00 per month.
    In addition I gather my own annual credit reports, update my freezes on our credit, and reconcile my accounts almost daily.

    $63.00 a month may not sound like a lot of money–but in my situation it is! AM I WASTING it giving it to LifeLock???

    1. Pccapso

      In my opinion, it is a waste. If you are already keeping an eye and are aware of what is going on there is no reason to waste the extra money. Also, LifeLock does not protect you from anything, they are there to take your money and help you clean up after something happens.

    2. E.G.

      M. Ramirez,

      In my opinion, yes, your money could easily be used for other things. All of these ID protection services are cases of “closing the door after the horse has gotten out” scenarios.

      There are other things that you could be doing, all of them cheap or free. My bank’s ID protection is $3/month–although I just use that as a back-up. It’s still a case of notifying you days later about an attack. they will shut down–the good ones anyway–transactions that look suspicious. Freeze your credit with the credit agencies–free. Use a preloaded debit card for online purchases. Notify your card issuers when traveling abroad. Respond to NO ONE online asking for ANY identifying information. Use cash when you can. Use the pump closest to the window, or go inside to pay for gas. Your new doctor does not need your SS number, as much as they would like to tell you differently. Use two-step authentication for every site you use a card on.

      Still, they get through. Pay attention to card dumps, which Brian here always reports–do not trust the company to notify you. If you find that your store was included in the breach, replace your card. Lastly, check your online balance at least every week, and investigate unknown charges.

      Lifelock charges a lot of money for something that is easy to do–it’s just a question of getting into the habit of doing it.

      1. M. Ramirez

        Thank you E. G. for your TIME and ADVICE!

        I just pulled up common types of ID Theft and how to prevent before the theft and how to rectify in case of ID Theft.
        But I will utilize all your suggestions as well. I could use my money more than LifeLock!
        Thanks Again!

    3. D. S.

      It sounds like you are doing a lot on your own already. There are lots of cheaper alternatives to LifeLock. LifeLock’s services are the most expensive because it has to pay for its massive marketing and legal expenses. There are 100+ companies that offer ID protection and almost all of them are cheaper than LifeLock. LifeLock is primarily just a branded reseller of other companies’ services. Some services are free. If you have a MasterCard, you can get free ID theft alerts from CSID. LifeLock also uses CSID to generate alerts. Blue Cross Blue Shield has announced that it will begin to offer free ID theft protection to all members on 1/1/16.

  12. George S

    Does anyone know what the government does with these fines, such as the $100M to be paid by LifeLock?
    Have a suspicion that people harmed by LifeLock see very little, if any, of it.

  13. Greg D.

    Lifelock begins all their advertisements with the statement “nobody can prevent all identity theft.” Then why people assume Lifelock can prevent all identity theft, I have no idea. It’s your fault if you sign up for something which you have no idea how it works. Another case of caveat emptor.

  14. Kyle

    #1: Oracle never claimed the installers removed previous versions
    #2: The choice to not remove it was one to accommodate the userbase which, much of it liked multiple versions installed for compatibility reasons.

    As much as I hate to defend Oracle after they attacked the RE security community, this is like suing Mark Zuckerberg a facebook account because it CAN lead to swatting – if people CHOOSE to take those risks, it’s NOT a matter of irresponsibility on the part of the company state but a personal choice and not one the nanny-state should be able to so-called “remedy” by taking their money.

    1. Fred Mora

      Entirely agree with Kyle. For us poor people dealing with archaic, critical systems requiring old JREs with no upgrade path, the behavior of the Oracle installer is a feature, not a bug.

      It just looks like the FTC went after an easy, juicy target to pad its achievement list.

      I’d be more impressed if they went after actual fraud, but that would require work.

    2. Tex

      Please, of course an updater should replace previous versions. If that is a problem, not replacing previous version should be an option.
      I have no J2SE, Java 2, Java SE or Java Runtime Environment programs listed in my Control Panel Uninstall. But I have half a dozen Java folders with program files.
      Oracle’s uninstall tool (https://java.com/en/download/help/uninstall_java.xml) says that I do not have any Java installed. Am I to believe that after this settlement?

      1. SeymourB

        I find it infinitely amusing that any company in this day and age is posting a removal tool that requires their software to be installed to use the removal tool.

        Sadly many uninstallers leave files & registry keys behind, it’s hardly an Oracle specific phenomenon. But that’s why removal tools exist, to clear up those remnants. Only Oracle is schizophrenic enough to require you to install their software in order to use their tool.

  15. Mike

    I LOVE to hear that LifeLock is being held accountable. with very little research, you will see that the founder of Lifelock is a criminal; https://en.wikipedia.org/wiki/LifeLock; I know that Wikipedia is not a perfect source, but there are plenty more sources available.

  16. Not Really My Name

    The hyperbole in the comments makes me laugh. LOVE, criminal, shilling, harmed, etc.

    Lifelock started out issuing and renewing credit freezes for their customers. This was a pretty effective way to mitigate issues. As a customer, I personally experienced this when the bank I was using for a mortgage refinance needed my assistance in obtaining my credit report after I gave them permission to pull one.

    The process Lifelock was using was cutting into the credit bureaus’ ability to monetize the credit data they managed. Experian successfully sued Lifelock on the grounds that the law did not allow Lifelock to issue credit freezes on behalf of their customers. Subsequently Lifelock was reduced to passive credit monitoring, the same service provided by all monitoring services.

    The FTC exists to shakedown businesses pure and simple. They are not the Justice Dept. and have no law enforcement capabilities whatsoever. You either come to a payment agreement with them or they sue you in civil court. If you choose to go the latter route, your business will get investigated/shaken down by other Federal agencies like the IRS. $100 million is a huge fine, but still costs less than fighting an entity which finances itself with your money and can drag its investigation on indefinitely.

    An FTC shakedown is not like a class action lawsuit, where compensation is awarded to those who can demonstrate injury. The money “will be provided to the FTC for use in further consumer redress”.

    1. Ella Vader

      As further proof that the FTC is nothing more than a payola enforcement unit, it should be noted that LL must pay a hefty fine, but is NOT required to change any of their practices. This fact was included in earlier stories, but is now absent. So what does that say about the profit margins of LL that they can afford to pay $100M in shakedown fees to continue business as usual?

  17. Mike Korzen

    The NYT just made a big thing about 191 million names from voter records. Most people do not know that this information is public record, and in the past, used to contain social security numbers! These databases were on “microfiche” 50 years ago for most counties in the USA, and were used for many lawful purposes.

  18. kevin

    Not a shill but a customer of Capital One Quicksilver. I received 2 emails that surprised and delighted me: my cable bill jumped $20 and so I logged in (auto-pay here) and they let me know. Second was a generous tip I gave to a bartender (he comped me), about 30%. First time I saw that. And I got my cable bill back in line to boot!!!
