LifeLock’s Digital Wallet Not (Completely) Secure: Deleting Software From App Stores

LifeLock recently alerted its customers that its digital wallet — a piece of smartphone software that holds folks’ personal credentials — is not PCI compliant.

That means, according to a consensus in the payments industry, the technology is just not safe for people to use.

As a result, the Arizona company is deleting the software from all of the app stores, Google Play and Amazon included. Separately, LifeLock is also deleting customers' personal information from its internal servers. Just to be sure.

The payments card industry standard dictates how payment card information should be stored.

From a disclosure:

We have determined the app is not fully compliant with payment card industry (PCI) security standards, and we are taking immediate steps to correct this and ensure the ongoing safety of your personal information. 

It’s important for you to know that we have no reason to believe your personal information, including credit card numbers and other data, has been compromised as a result of the PCI compliance issue. 

This does not affect [a customer’s] ability to use your credit cards or other information you have uploaded to LifeLock Wallet.

Late last year, LifeLock acquired Lemon Wallet for $42.6 million. (Read the TechCrunch story, here.)

More on the payment card standard (from Wikipedia):

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

It’s worth keeping in mind that PCI standards are the bare minimum that every business has to comply with — from the deli on the corner to, yes, even Target before and after its infamous data breach debacle.

The LifeLock snafu also raises questions about Lemon Wallet’s founder, Wences Casares, the same dude behind Bitcoin vault Xapo.

Just another reason for top banking regulators, both state and federal, to be concerned.


FTC, LabMD Medical Record Security Fight Illustrates Agency’s Role in Consumer Protection


Two years in the making, a fight between the FTC and a shuttered Atlanta medical testing company is set to take place next week.

In 2012, the Federal Trade Commission, in its mission to protect consumers’ most sacred financial and medical details, originally accused LabMD of improperly handling the digital records of roughly 10,000 customers.

LabMD fought back, asking a federal district court to stop the investigation.

But, in a ruling this week, a judge ordered the administrative hearing to go forward.

From GovInfoSecurity:


BillGuard Unveils Data Breach Alert; Android Software


BillGuard — a consumer analytics start-up that offers fraud alerts to consumers — recently launched a data breach alert feature for its users.

Already the company has flagged more than $1 million in fraudulent charges that banks missed in the wake of the Target breach, according to the company’s chief executive, Yaron Samid. The company also unveiled new Android smartphone software.

From an email:

BillGuard found over $1M in fraudulent charges (not grey) that the banks missed since the Target breach. I can name the banks by % fraud found and provide examples of the fraud. Crowdsourced post-transaction monitoring works where bank anti-fraud tech fails. Banks catch about 1/3 of fraud preemptively; cardholders have to catch the rest on their own after it posts to their cards.

Some background from an April 2013 story:


Bankers: How You Beat the Target Breach

I’ve heard several methods that could potentially beat the criminals who cracked Target’s security and stole as many as 40 million bank customers’ information.

This is the best idea I’ve seen:

The system would give issuers the chance to separate out card present and card not present (online) transactions and give a heads up to any bank whose at-the-counter PAN was used to make a digital purchase — or vice versa.

No need for EMV. No added layer of security. Just different information on the mag stripe than at the front of the card.
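As an added illustration of the split-PAN idea above (this is example code, not from the post or any issuer), here is what the issuer-side check would look like: each account carries two PANs, one encoded on the stripe and one embossed on the face, and an authorization whose PAN arrives through the wrong channel is flagged. The account records, channel labels and transactions are constructed for the example, using public test card numbers rather than real ones.

```python
from dataclasses import dataclass

def luhn_ok(pan: str) -> bool:
    """Mod-10 check so malformed or mistyped PANs are rejected before lookup."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, d in enumerate(int(c) for c in reversed(pan)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass(frozen=True)
class Account:
    account_id: str
    stripe_pan: str    # encoded on the mag stripe: valid only at a terminal
    embossed_pan: str  # printed on the card face: valid only keyed-in / online

def build_index(accounts):
    # Map each PAN variant to its account and the one channel it may be used in.
    index = {}
    for a in accounts:
        index[a.stripe_pan] = (a.account_id, "card_present")
        index[a.embossed_pan] = (a.account_id, "card_not_present")
    return index

def screen(txn, index):
    """Return an alert string for a suspicious authorization request, else None."""
    if not luhn_ok(txn["pan"]):
        return f"{txn['id']}: malformed PAN"
    hit = index.get(txn["pan"])
    if hit is None:
        return f"{txn['id']}: unknown PAN"
    account_id, expected = hit
    if txn["channel"] != expected:
        return f"{txn['id']}: {account_id} {expected} PAN used in a {txn['channel']} transaction"
    return None

# Constructed sample data: public test PANs (Luhn-valid), not real cards.
ACCOUNTS = [Account("A1", "4111111111111111", "4012888888881881"),
            Account("A2", "5555555555554444", "5105105105105100")]
TXNS = [{"id": "t1", "pan": "4111111111111111", "channel": "card_present"},
        {"id": "t2", "pan": "4012888888881881", "channel": "card_not_present"},
        {"id": "t3", "pan": "4111111111111111", "channel": "card_not_present"},
        {"id": "t4", "pan": "5105105105105100", "channel": "card_present"},
        {"id": "t5", "pan": "4111111111111112", "channel": "card_present"}]

def run_sample():
    # t3 is a skimmed stripe PAN used online, t4 an embossed PAN cloned to a stripe.
    index = build_index(ACCOUNTS)
    return [a for a in (screen(t, index) for t in TXNS) if a]
```

Because the stripe PAN never appears on the card face (and vice versa), a dump of one channel's data is useless in the other, which is the whole point of the scheme.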

When Zero-Liability isn’t Really the Case: Target Breach

In the wake of the Target breach, I was reminded that zero-liability on credit and debit cards isn’t necessarily, well, zero-liability.

James Wester, a research director at IDC Financial Insights, sent me a note. “There are costs,” he wrote. “Both direct and indirect.”

He’s right.

There is a difference between consumer liabilities for credit and debit cards, as well as how card issuers treat fraudulent transactions.

(From Wester’s email:)

Credit card liability is zero dollars, and any dispute will likely mean your credit balance is reinstated while the dispute is settled. Not so with debit cards. Liability on debit cards is only zero if reported before any charges are made. Before two days, liability goes up to $50. Before 60 days, the maximum liability is $500. After that, any monies lost are gone for good.


Hacked Network Security Company Bit9 Wooed Bank Business

An internet network security company that once wooed banks’ business has been hacked, and was being used by criminals to help spread malicious software, according to the tech blog KrebsOnSecurity.

Bit9 confirmed the news in a blog post — explaining that “due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network.

“As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware.”

From @BrianKrebs:

Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered an electronic compromise that cuts to the core of its business: helping clients distinguish known “safe” files from computer viruses and other malicious software.

At one time, Bit9 boasted financial services clients, such as Omgeo, Putnam Investments and Thomson Financial. The company was also one of Bank Technology News magazine’s top 10 companies to watch in 2008.


Dominican Street Gangs Responsible For Visa, MasterCard Breach, Reports Say

From Krebs on Security: 

Update, 12:15 p.m. ET: The Wall Street Journal is reporting that the breached processor was Global Payments Inc., which processes credit and debit cards for banks and merchants. Prior to the publication of this blog post, I had heard this name from one source, but did not include it in my story because I could not get confirmation from a second source. Global Payments has not returned calls seeking comment. CNN is reporting that the company’s stock (GPN) fell 9 percent today before trading was halted on its shares.

Also am hearing that law enforcement investigators believe that this breach may be somehow connected to Dominican street gangs in and around New York City. This comes from two reliable sources.

Additionally, sources are reporting that the bulk of the fraudulent activity appears to be centering around commercial credit and debit cards (those issued to businesses). More updates as this story develops.

OK…

Since when did former drug dealers start stealing credit card numbers, and hacking into processors?

I get that you need ‘feet on the street’ to use these fraudulent white plastic cards, but is this the new face of high-tech bank robberies?

Photo caption (Watts/News, from NyDailyNews.com): Several alleged members of Trinitarios drug gang, target of 41 indictments by the U.S. attorney's office, are in police custody outside 26th Precinct stationhouse in Harlem.

P.S. I’m continually in awe of Brian Krebs, a former Washington Post reporter turned blogger. He broke this story and he continues to do incredible work on his website, KrebsOnSecurity.com.