What is Identity Theft? When someone uses your personal information without your permission to commit fraud or other crime –Name –Social Security number –Date of birth –Credit card number –Bank account numbers Identity
Types of Identity Theft Credit card25% Phone/utilities16% Bank account16% Employment-related14% Fraudulent tax return6% Business/personal/student loan3% Source: Federal Trade Commission, Feb 2007
Types of Identity Theft Internet/email2% Medical2% Auto loan2% Driver’s license1% Real estate loan1% Gov’t benefits1% Other24% Source: Federal Trade Commission, Feb 2007
“Phishing” Emails that appear to be from IRS requesting you confirm information Emails that are thanking you for a recent purchase (of something you didn’t buy) Phone phishing When in doubt, ask or “call back” Your bank will NEVER ask you for account numbers or passwords if they initiated the communication
Most studies show that the victim population is about 10 million per year. That means every minute about 19 people become a new victim of this crime. In 2004, victims spent an average of 330 hours recovering from this crime. In 2004, 43% believe they knew their imposter. 14% of them said that it was an employee of a business who had their information. The U.S. Government Reform Committee reports that all 19 government departments and agencies reported at least one loss of personally identifiable information since Jan. 2003. Only a small number of the data breaches were caused by hackers. The vast majority of losses occurred from physical thefts of portable computers, drives and disks, or unauthorized use of data by employees. According to the U.S. Department of Justice Statistics, identity theft is now passing up drug trafficking as the number one crime in the nation. Is this a big problem? It’s huge. --Identity Theft Resource Center, Facts & Statistics 2006
True Stories… Over 63 fraud cases reported to CU Police since 2005 Many cases involve more than one incident –One case had 16!
How do you prevent Identity Theft? DETER DETECT DEFEND
How many of you... …have your Social Security card in your wallet or purse right now?
Protect your sensitive information Do NOT carry your SSN card with you Memorize PINs and passwords Beware of promotions that request sensitive information Question how SSN or other sensitive data will be used if it is requested by legitimate sources –It may not be needed!
Protect your sensitive information Shred pre-approved credit offers, receipts, bills, other records that have SSN Do not provide CC#, SSN, etc. out over email Do not click on links in unsolicited emails
How many of you......write checks to pay bills and then put them in the mailbox with the flag up?
Modify your mail habits Don’t leave mail containing checks or account information in your mailbox Use the post office mailboxes Keep an eye out for bills or statements that aren’t received in a timely manner
How many of you......have noticed fewer and fewer places actually require or check your signature on a credit card?
Modify your credit card habits Carry only cards you use regularly Sign the backs of all credit cards (or write “Check ID”) Do not loan out your cards to anyone Report lost/stolen cards immediately Keep a copy of both sides of your cards in a safe place
Modify your credit card habits Check for the “padlock” and/or “https” when purchasing online Opt out of pre-approved credit card offers Opt out of junk mail Shred all pre-approved credit card offers –Do not just tear them up!
How many of you......do not have a firewall or do not have anti-virus software on your computer at home that is up-to-date?
Safeguard your computer Use a firewall Use anti-virus software AND keep it updated Use wireless encryption Do NOT give out your NetID/password under ANY circumstances Lock your computer when you are away from your desk
Take advantage of other services available to you Credit monitoring services (not free) –Periodic emails reporting on changes to your credit report Identity Theft Insurance (proceed with care) Fraud alert –A flag on your credit report that encourages creditors to take extra steps to ensure identity has not been stolen –Can only be done if you have been a victim of identity theft Credit freeze
Credit Freeze NYS allowed starting in November 2006 Prevents lenders and others from accessing your credit report Good news – Identity thieves will be unable to establish credit in your name Bad news – so will you –Will also affect background checks and most requests for insurance
How do you find out if this has happened to you? DETER DETECT DEFEND
How many of you......have not checked your credit report in the last 12 months?
Increase monitoring Check your credit report regularly –Free from each credit bureau once per year –Pull one every 4 months (rather than all 3 at once) Monitor your bank and credit card statements closely for unauthorized transactions Keep an eye out for bills that do not arrive as expected
Increase monitoring Watch for unexpected credit cards or account statements Investigate any denial of credit situations Watch out for calls or letters about purchases that you didn’t make
How do you restore your good name? DETER DETECT DEFEND
Steps to Take Immediately close the account and request fraud dispute forms File a police report –You will need the report number when corresponding with bank/credit card company Contact one of the 3 credit reporting agencies to place a “fraud alert” on your file –The credit reporting agency is required to notify the other 2 to do the same
Steps to Take Report the theft to the Federal Trade Commission Keep copies of everything and journal all correspondence (date/time/name) –Send all written correspondence “certified mail, return receipt requested” Know your rights!
Credit Card Liability Covered under Fair Credit Billing Act (FCBA) Your maximum liability under federal law for unauthorized use is $50 If you report lost/stolen cards before they are used, your liability is $0 If the loss is only of the card number and not the card, your liability is $0
Debit Card Liability Covered under Electronic Fund Transfer Act (EFTA) Liability depends on how quickly you report the loss It does not matter if you ran it through as “credit”! It does not matter if you “signed” rather than used PIN number!
Debit Card Liability TimeframeLiability Before card is used$0 Within 2 business days of lost/stolen card$50 After 2 business days, up to 60 days after statement including unauthorized charges is mailed $500 After 60 days after statement including unauthorized charges is mailed NO LIMIT
Investment Liability There are currently NO federal liability protections against fraudulent use of your investment or retirement accounts! Check with your bank or brokerage to see what they offer for liability protection
How does this apply to work? Current federal and state law –Family Educational Rights and Privacy Act (FERPA) –Health Insurance Portability and Accountability Act (HIPAA) –Gramm-Leach-Bliley Act (GLBA) –NY Data Security and Notification Law (12/8/05) Growing social expectations due to rise in identity theft awareness Need to protect Cornell’s reputation
How does this apply to work? Cornell must notify and report if protected data is reasonably believed to have been inappropriately accessed Protected data includes –Name with Social security number Credit card number Bank account number with associated PIN Drivers license number
Examples March 2005 - Bank of America –1,200,000 lost social security and account numbers were lost May 2006 - Veteran’s Administration –26,500,000 social security numbers and DOB were lost when a laptop was stolen January 2007 - TJ Maxx –47,500,000 credit card numbers were stolen by hackers taking advantage of unencrypted wireless network in parking lot
Precautions to take Identify the sensitive data on your system – do you really need it? –Social Security Numbers –Credit card numbers –Drivers license numbers Make sure your IT staff is aware that you manage sensitive data Work with your local IT staff to ensure your system is protected
Precautions to take Before performing any action on your computer ask if there’s a chance this action might put the data at risk –Clicking on e-mail attachments –Turning off the firewall, anti-virus –Installing programs from the internet If you work from home using personal computers –YOU are responsible for the security of your computer –Enable encryption on home wireless networks –Ensure sensitive data is encrypted
Precautions to take NEVER share your NetID/password Use a complex password Do not use your NetID/password for non- Cornell systems Do not email credit card numbers Keep P-card/credit card applications and paper checks locked up
Precautions to take Shred documents that are no longer needed – use shredder bins Keep a close eye for data stored on laptops Change your screensaver to lock your computer when you are away
Tools available to you Policies for keeping access to your confidential information as secure as possible Tools for avoiding exposure due to system compromises
Policies for securing data Draft Policies –Authentication of Information Technologies Resources Interim Policy: http://www.cit.cornell.edu/policy/interim/Authentica tionITR.html http://www.cit.cornell.edu/policy/interim/Authentica tionITR.html –Information Security of Institutional Data: http://www.cit.cornell.edu/oit/policy/drafts/InstData. html http://www.cit.cornell.edu/oit/policy/drafts/InstData. html
Spider Open source (free) software developed by IT Security Office Identifies files on your system containing SSN’s and credit card numbers so you can remove them Use with guidance from your local technical support staff http://www.cit.cornell.edu/computer/security/t ools/http://www.cit.cornell.edu/computer/security/t ools/
Anti-Spyware and Anti-Virus Software Guards against software which installs itself on your computer to gather information about you without your knowledge Automatically updated as malware evolves Cornell licenses Symantec Anti-Virus –Includes anti-spyware with version 10.0 –License covers home systems More info: http://www.cit.cornell.edu/computer/security/spyware/ http://www.cit.cornell.edu/computer/security/spyware/
Departmental security assessment service Offered by IT Security Office Assessment of current environment Assist in development of local solutions and architectures To schedule contact: –email@example.com@cornell.edu
Online Purchases –Safe if you look for https and padlock! Online Banking/Bill Payment –Safe if you look for https and padlock –Minimize human interaction –Your sensitive data will get to the systems either way
But what about…? Credit Monitoring Services –$9-12 per month to alert you of changes to your credit report –Does not protect you - simply notifies you if ID theft has already happened Identity Theft Insurance –Insurance riders –Zander Insurance ID Theft Program –Lifelock
But what about…? Insurance riders –Cover expenses incurred for cleaning up ID theft (phone calls, mail, copies, etc.) –May or may not cover lost wages –Read policy carefully!
But what about…? Zander Insurance Identity Theft Program –$6.50 per month –Provides an advocate that will work with your bank/creditors on your behalf to clean up ID theft –Covers expenses and lost wages/personal/ vacation time
But what about…? Lifelock ($10 per month) –CEO publicizes his SSN demonstrating confidence in their service –They don’t do anything for you that you can’t do for yourself FREE Fraud alerts (every 90 days) Pull annual credit reports Opt outs for junk mail and pre-approved credit card –Only paid out 3 claims according to a recent article –Scandal surrounded co-founder (no longer on staff)