Why IDNotify Identity Theft Monitoring is Garbage

Last year, I subscribed with IDNotify because it was included in a package I bought from TurboTax.

I now periodically receive e-mails that tell me I have alerts and that I should log into the site to view my alerts.

When I view my alerts, they’re almost all of the form:

Compromised Email Address

/!\ Email Addresses: Ja**co@jaraco.com Date Found: 07/17/2017

Your email address has been found compromised online. We monitor online properties to identify the illegal trading and selling of your personal information, and unfortunately we have found a match that may indicate possible identity theft. Below you will find additional information on next steps to take to ensure your personal information is secure.

Additional Info

The following data was found compromised with your email address.

Email JA**CO@JARACO.COM Password ********

Can you guess what e-mail address is masked there? ;) I have near-zero confidence that those 8 asterix characters represent an 8 character password, and zero confidence they would tell me if I asked.

And their advice:

Immediately change the password for the email address that was found compromised. If you use that email for online accounts, you will also want to change the passwords on those accounts.

That’s completely unheplful for a variety of reasons:

  1. As you might guess, that’s my e-mail address. I use that address on every account. Therefore, they’re suggesting that I need to change my password on every service I use.
  2. I get these alerts sporadically, sometimes two weeks apart. I can’t possibly be resetting my password on every service at this frequency.
  3. Clearly all they have is my e-mail address and some password. But without providing me that password (or even a hint as to what password it is), it could represent my most important accounts or could be something irrelevant like a grocery store loyalty program.
  4. The hackers and IDNotify apparently have access to the information that would help me take action on this issue, but I do not.

Without a bit more context, the result is these alerts amount to “Be afraid and waste your time”. There’s no actionable information here.

Months ago, I called their customer service to complain about this failure in their design, but the agent was only to re-iterate what the site already recommends or to suggest that I change my e-mail address (f that). This failure is systemic.

If I used a unique e-mail address on every site I visit, this information might be useful. But I don’t have the time or energy for that.

Don’t bother with IDNotify. It’s garbage.

Written on July 26, 2017