Original URL: https://www.theregister.com/2014/05/19/lifelock_yanks_mobile_app/

LifeLock snaps shut Wallet mobile app over credit card leak fears

Wipes servers clean of user data after PCI DSS issues

By John Leyden

Posted in Security, 19th May 2014 11:02 GMT

LifeLock has withdrawn its Wallet App and deleted user data over concerns the technology falls short of user data protection rules under the payment card industry's Data Security Standard (PCI DSS).

In a statement, Todd Davis, chairman and chief exec of LifeLock, said it was suspending the app as a precaution – not in response to a security breach.

Yanking the mobile app will not affect the LifeLock ID theft protection service, which is designed to detect fraudulent abuse of credit card and non-credit related services, the firm assured customers.

Nonetheless, taking the drastic step of pulling its mobile technology is bound to raise concerns – especially since LifeLock has yet to explain why its mobile apps were not up to snuff.

I want to make you aware of an issue that we identified related to our recently acquired LifeLock Wallet application. We have determined that certain aspects of the mobile app may not be fully compliant with payment card industry (PCI) security standards.

For that reason, we are removing the LifeLock Wallet application from the App Store, Amazon Apps, and Google Play, and when users open the LifeLock Wallet, their information will be deleted in the app.

We also want you to know that this does not in any way affect LifeLock subscription identity theft protection services.

We have taken steps to delete all stored information for the mobile app from our servers. Even though we have no reason to believe the data has been compromised, we believe this is the right thing to do. As a company dedicated to online security and safety, we are committed to doing everything we can to ensure those who trust us with their personal information can do so without question.

We believe the LifeLock Wallet provides services and functionality that users value, and we’ll be working to return a Wallet with the highest level of PCI compliance to users soon.

"This is going to be a headache for some LifeLock users, who may have put passwords and PIN codes into their LifeLock app hoping that the service would remember them on their behalf, only to now find that all the records have been wiped after a security scare," noted security industry veteran Graham Cluley, in a blog post.

"No doubt LifeLock has calculated that although it’s going to have some upset customers as a result of this action, it’s better than the potential fallout from being seen to have taken half-hearted steps to protect its users, or having sensitive information on those customers exposed."

Cluley added: "In my view, the withdrawal of the apps was the right thing to do. And, if it’s possible that sensitive information was being stored insecurely on its servers, then it’s good to hear that they’ve taken steps to ensure that it cannot be exposed." ®