Recent reporting from AP and The Charleston Gazette demonstrates that selling snake oil will eventually catch up with you. LifeLock, an identity theft protection company based in Arizona, is facing a class-action lawsuit alleging that their services are 'inept' at preventing identity theft from taking place.

To be fair to LifeLock, it is possible to manage identity data so as to mitigate against loss, but it will only take a single breach of even a perfect security system to lose all data. The services as described on its site seem to be about simplifying already available processes -- allowing users of the service to pay others to go through the hassle of contacting credit agencies, banks and other appropriate bodies when necessary.

Is it something to build a business around, or is it sufficient to mitigate against identity theft? LifeLock seems to think so, but InfoSec experts might have a different opinion. It is certainly a good place to start, but it isn't going to stop everything, as the court case claims is happening. When the company is alleged to be turning over in excess of $100 million per year just from doing what consumers can do for free, it is bound to attract attention.

While it is admirable that the CEO of LifeLock was so confident in his service's capability that he openly advertised his Social Security Number (SSN) - 457-55-5462 - as a key part of the advertising campaign, it has since come back to haunt him with the lawsuit alleging that there has been one documented case where the CEO's identity was successfully compromised, at least 80 attempts with varying levels of success, and the basic details of his personal records associated with the SSN changed.

Mass advertising and blogging sock puppets aplenty make it difficult to identify legitimate third party observations and reporting and generally leave the impression that it is more snake oil than substance.

Unfortunately, it is becoming more and more difficult to tell the snake oil from the real when it comes to Information Security marketing. Clarke's Third and Fourth laws certainly hold true ("Any sufficiently advanced technology is indistinguishable from magic" and "For every expert there is an equal and opposite expert") with InfoSec marketing, but a good rule of thumb is that all marketing can not be trusted until you can verify with your own testing that the product does what it is being marketed as doing.

LifeLock's claims had many believing them, but they also had many who were {xref:http://fraudwar.blogspot.com/2008/05/another-law-suit-filed-against-lifelock.html|dubiouslLaw suit filed against Lifelock]] of the claims, including allegations that credit bureaus were behind a series of allegations in mid-2007 about impropriety carried out by the company founders and complaints earlier this year from one bureau that LifeLock's actions are illegal.

Perhaps the sorry state of affairs is best summed up by the experiences of one poor consumer who had their identity stolen via debit card theft. The victim was not initially a customer of LifeLock, it was the thief who opened an account with LifeLock using the card and who received the subscription.

Nothing Identity theft protection companies offer is any different from what the average user can do on their own, generally for free. Where they seem to try and differentiate themselves is in removing the hassle of doing it yourself, even if that hassle only exists in their marketing literature. Generally the only identity theft protection they offer is for financial services, but there is a whole world of identity theft opportunities that they do not protect against, including compromise of medical data and other forms of non-credit related identity theft.