Identity Theft Protection (or how to keep from being pwned) Greg Sternberg, CISSP

Agenda
- Statistics
- Who wants your info?
- What we freely(!) give away
- How they get your info
- How to protect it
- Help! My identity was stolen!
- Questions?

What is Identity Theft?
- Fraud attempted or committed using your information without your authority
- It's more than just stealing your credit card info: thieves use stolen info to become you
  - i.e. SSN, your account info, your medical info, your credit info or any combination
- Woman in Miami, FL was arrested upon returning from vacation for allegedly jumping bail on a bank robbery case
- One of the top complaints to the FTC for 13 years
- “The fastest growing white-collar crime in America” - FBI

Who Wants Your Info?
- Hackers
  - Profile: male, single, 16-19, loner, low self-esteem
  - Key friends are other hackers
  - Challenge is obtaining information
  - Ego, pride, $$$
- Organized crime
  - Big business
  - Evade arrest
- Countries / nation states
  - China, North Korea, India, Russia, Iran, African nations, South America, Mexico,...
  - Disrupt business/economy, destroy infrastructure, make $$$

Identity Theft Statistics
- Since 2000 ID theft complaints have grown by 81%
- Nearly 12 million have been affected
  - 3 million of those were dead
- Children are a better target for identity theft than you
- 2012 saw a 13% increase in fraud
- “The revenue from trafficking financial data has surpassed that of drug trafficking” - Secret Service March 2007
- The most destructive type of ID theft is having your name, birth date, and Social Security number used to open credit accounts, tap your health insurance, or file a tax return in your name to steal your refund, among other crimes. But less than 1 percent of households experienced that form of ID theft in 2010, according to the Department of Justice
- U.S. Census in 2010: 114,800,000 households

The Real Problem
- YOU are guilty until YOU prove your innocence
- 12% of victims have warrants issued in their name
- “If an identity theft changes the address on your account and you didn't receive the bill, your dispute letter must still reach the creditor within 60 days of when the creditor would have mailed the bill.” (pg 19)
- Consumers are generally aware that credit cards come with generous protections -- their liability for theft is limited to $50, and even that sum is now waived by most banks. But no such broad protections are afforded to debit cards and other electronic cash-based transactions, such as funds transfers between a checking account and PayPal.com.

What We Freely(!) Give Away
- Social sites
  - Geotagged pictures
  - Detailed information about ourselves
- Twitter
  - Announcing when we go on vacation
- Blogs
- Email
  - Clicking on things we really shouldn't click on

Dear Customer::
For your security, access to Online Banking has been locked because the number of attempts to sign in exceeded the number allowed. To regain access to your internet banking, Please update and select the Reset Account link. below. We will review the activity on your account with you and upon verification, we will remove any restrictions placed on your account.
To access and activate your account, simply click the link below.
www.bankofamerica.com/onlinebanking/index.php?id=zxdj9b32wx
The entire activation should take only 5 minutes of your time. Please complete the activation by now.
Thank you for using Online Banking.
Bank Of Ameria Alerts
If you no longer wish to receive these e-mails, please click on this link: www.bankofamerica.com/onlinebanking/index.php?id=deactivate

Camera records PIN as it's keyed in
Hidden PIN recording camera
The camera hidden in the pamphlet box includes its own battery and transmission antenna

How They Get Your Info (high tech)
- Credit/Debit card theft
- Skimming – device attached to scanners
- Pretexting – social engineering
- Man-in-the-middle – intercept communications
- Phishing – social engineering
- Pharming – compromised web site which redirects user
- Vishing – voice phishing / robo calls
- Search Engine Phishing – too good to be true offers
- SMiShing – Spam text messages which look legit
- Malware based Phishing – harmful download
- Phishing through Spam – spammer sends offers
- Spear Phishing – email phishing focused at business

How They Get Your Info (low tech)
- Mail theft – stolen from your mail box
  - 1 in 80 families have stolen mail
- Dumpster diving – just what you think
  - 40+% unsolicited mail is thrown away intact
- Social engineering – pretending to be legit; con game
- Shoulder surfing – at ATMs or counters
- Steal personal items – pick pockets, left behind
  - 50% of people carry their SSN around

How They Get Your Info (outside your control)
- AOL employees fired for selling 250,000 customers' information
- Ameriprise Financial laptop stolen with 225,000 customers' data on it
- IRS laptop stolen from office with over 100,000 customers' data on it
- Boston Globe & Worcester Telegram & Gazette delivered newspapers with 240,000 subscribers' data
- Ernst & Young laptop with 243,000 customers' data on it stolen from employee's car
- Laptop missing from Twin Cities blood bank with 268,000 customers' data on it
- 3.3 million student loan data stolen from NM company
- Your car

How They Get Your Info (the con / social engineering)
- Grandparent scam
  - Help! send money (and don't tell mom & dad)
- Income tax return
- Steal from home
- At-home workers
- Have I got a deal for you!
- Rental/Real Estate scam
- Mystery / Secret shopper relief fund
- Popup ads offering FREE AV software
- Forged gift cards
- Threaten / Guilt
  - Jury duty, lawsuit, arrest warrant,...

And Now For The Scary Part
- Your info has probably been stolen at least once
- Your info is probably already out there

Some Ways To Protect Your Info
- Install operating system updates / anti virus software (Good and Different)
- Password protect your stuff
- Use metal lined wallets for credit cards
- Expect to be a victim – take steps to reduce the impact
- Be alert, monitor, inspect and question
- Keep important documents secure
  - i.e. SSN card, birth/marriage certificates, wills, etc...
  - Fire resistant container / bank safety deposit box
- URLs must start with https NEVER http
- The internet NEVER forgets
- Review monthly statements
  - Immediately challenge them
- Buy a cross cut shredder and shred documents
- Protect medical information just like financial information

Other Ways To Protect Your Info
- Opt out of pre-approved credit offers
  - 888.567.8688 / (888)5OPTOUT
- Obtain all three credit reports once a year
  - 1.877.322.8228 / www.annualcreditreport.com
- If it's too good to be true – you're right
- Don't believe phone solicitors
  - Add yourself to the National Do Not Call List: www.donotcall.gov / 1.888.382.1222
- Close unnecessary accounts
- Don't pre-print phone number on checks
- Have checks mailed to a P.O. box or pick them up at the bank
- Before traveling long distances or out of the country tell your credit card company

Yet More Ways To Protect Your Info
- Guard your SSN
  - No, they really don't need it
- Don't carry credit cards you don't need
- Limit number of credit card accounts
- Don't use mail boxes for sending mail
- Carry wallet in front pocket
- Purses go over both shoulders and zipped shut
- Be aware of people around you
  - It's not rude to ask them to step back
- NEVER give your personal information over the phone or email
  - Companies or governments will never ask for that
  - Instead you contact them

Should I Trust Someone Else?
- LifeLock, Identity Guard, TrustedId, PrivacyGuard, and lots more
- All cost money for services that you can do free
- “Do-it-yourself safeguards are just as effective as paid services” - Consumer Reports magazine: January 2013

Help! My Identity Was Stolen!
- File a police report
  - Get the file number
- Place a Fraud Alert with all three credit reports
  - Equifax – 1.800.525.6285 / www.equifax.com
  - Experian – 1.888.397.3742 / www.experian.com
  - TransUnion – 1.800.680.7289 / www.tuc.com
- Request a freeze on all three credit reports
  - Small charge (i.e. $5.00)
  - May be time limited
- Close all accounts that have been tampered with

Help! My Identity Was Stolen!
- File complaint with FTC (and follow up)
  - www.ftc.gov/idtheft
  - 1.877.438.4338 (877.IDTHEFT)
  - Identity Theft Clearinghouse, Federal Trade Commission, Washington, DC 20580
- Log everything
- Keep notes of phone conversations
- Send mail certified
- Keep records of expenses and your time
- Consider talking to a lawyer

Resources
- Internet Crime Complaint Center – http://www.ic3.gov/default.aspx
- FBI – http://www.fbi.gov
- Federal Trade Commission - http://www.consumer.ftc.gov/features/feature-0014-identity-theft
- Privacy Rights Clearinghouse: www.privacyrights.org
- MSN Money ID Theft Prevention & Survival: http://www.identitytheft.org/

More Numbers
- Average # of hours spent repairing identity: 330
- Number of victims who have trouble removing negative info: 70%
- Average out of pocket loss: $631
  - Most credit cards cap that at $50
- Internet crime increase since 2011: 50%
- Percentage of online users affected by cybercrime in the U.S.: 75%
- ID fraud arrests: 300+ per year
- Victims who had warrants issued for their arrest: 62%
- Number of SSNs bought and sold every 6 weeks in the U.S.: 10 million
- Cost of stolen info (2006):
  - Health insurance card or credit card w/ pin: $500-$600
  - Drivers license or SSN card: $100
  - Credit card with expiration date and security code: $25
  - PayPal account and password: $7

Drivers License Identity Theft
- Your driving privileges could be suspended or revoked
- You could be arrested for crimes you didn't commit
- People can open bank accounts, apply for credit cards and cash checks using your license

David Joe Hernandez
- In November 2004 David Joe Hernandez served four years in the Air Force. He came home and found...
  - Arrest warrant in Arizona for driving on a revoked license
  - Responsible for 20 delinquent accounts for cell phones, credit cards, utility bills and hospital bills
  - Linked to a string of felonies, including auto theft and drug charges
  - State regulators began garnishing 60% of his wages to pay child support to a woman in Chicago he'd never heard of
- A week after Hernandez started working at Best Buy, his manager informed him he was being let go because a criminal record check came back showing a felony drug conviction.

SSN Identity Theft
- Your SSN can be used to gain employment or report income
  - They get the income; you get the tax bill
- They can file for social security benefits
- Can apply for credit cards
- Can obtain a drivers license

Medical Identity Theft
- You could owe thousands of dollars for a procedure you've never had
- You could become uninsurable
- You could be denied employment for conditions you don't have

Korinke Story
- In 2003 the Korinke family was sued by Homecoming Financial Network INC., a division of GMAC for $75,000 plus attorney fees
- In 2001 an impostor got hold of a line of credit, switched the address, and the Korinkes never received the outstanding bills
- Homecomings claimed the Korinkes had been negligent.
- “The Korinkes were slow to discover and report the identity theft... as such, Korinke is liable for any and all sums attributed to his negligence”