
Computer Fraud and Identity Theft

November 24, 2009

A Presentation by: John R. Robles, CISA, CISM

[email protected]

www.johnrrobles.com

Association of Certified Fraud Examiners, Puerto Rico Chapter

Agenda

- Identity Theft: A New Frontier For Hackers and Cybercrime
- Identity Theft Federal Regulations
- FFIEC - Financial Institution Letters
- Identity Theft and Corporations’ Due Diligence
- What Every IT Auditor Should Know About Identity Theft
- The Business Model for Information Security


Internet Identity Theft

- You are identified by ones and zeroes in a computer (digital data), not by a person or a photo
- Anyone can say they are you without strong authentication techniques

Definition

Identity theft can be defined as the use of information about a person obtained from the Internet, with the purpose of identifying oneself as that person to take illegal actions.

Identity Theft: A New Frontier For Hackers and Cybercrime


Why It Happens

- Commit frauds directly
- Sell the data to others so they can commit frauds
- Obtain economic information and spy on bank accounts
- Open new credit positions
- Generate new forms of illegality

There is no limit to the criminal mind!


How It Happens - Threats and Techniques Used to Collect Personal Information

- Get the data of many people through a corporate database
- Or, individually, by making people hand over the information via phishing (fraudulent emails and bogus web sites)
- Stealing ID documents, credit cards, personal information, passwords and PINs
- Disgruntled employees who know the insides of the system
- Unsecured wireless media (Wi-Fi, Bluetooth, etc.)
- Facebook, MySpace, and other social media
- Social engineering (calling people and trying to get personal info)


- Theft of correspondence
- Intercepting emails
- Intercepting data in transit
- Penetrating computers with special programs (malware, spyware, etc.)
- Obtaining information from the workplace
- Purchasing personal data from illegal data banks
- Personal identifying data and banking information, which are often stored in the computer
- Phishing


How Identity Thieves Use Victims’ Personal Information

- Open bank accounts with the victim’s identifying data
- Withdraw money from the victim’s bank accounts
- Charge purchases on the victim’s credit cards
- The victim faces a hard battle to recover their good name and reconstruct their economic good standing


Reducing the Risk of Becoming a Victim

- Limit personal information in purses, wallets, pockets, etc.
- Do not supply information to an unsolicited request
- Know the people to whom you are giving personal information on the Internet
- Make online purchases from known companies
- Regularly verify credit card and bank statements
- Before getting rid of a computer, destroy all personal data on it
- Encrypt data on the computer


Identity Theft Federal Regulations

FFIEC – Financial Institution Letters

- Institutions must have an Identity Theft Prevention Program
- Reasonable policies, procedures, and practices
- Management must approve, oversee, and update the program
- Enforcement:
  - Cease and desist order
  - Order directing compliance with information security standards
  - Enforcement actions related to employees


FFIEC - Financial Institution Letters

Name | Date | Number
Security Standards for Customer Information (based on the Gramm-Leach-Bliley Act of 1999) | March 14, 2001 | FIL-22-2001
Final Guidance on Response Programs - Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (Notification to Customers of Information Breach) | April 1, 2005 | FIL-27-2005
Identity Theft - FDIC’s Supervisory Policy on Identity Theft | April 11, 2007 | FIL-32-2007
Identity Theft Red Flags - Interagency Final Regulation and Guidelines | November 15, 2007 | FIL-100-2007
Identity Theft Red Flags, Address Discrepancies, and Changes of Address Regulations – Examination Procedures | October 16, 2008 | FIL-105-2008
Identity Theft Red Flags, Address Discrepancies, and Changes of Address: Frequently Asked Questions | June 11, 2009 | FIL-30-2009


Identity Theft Prevention Program

- “Covered Account” – a relationship between a person and a financial institution or creditor, primarily for personal, family, or household purposes
- Identify ID theft red flags (patterns, practices, and activities that indicate possible ID theft):
  - Alerts, notifications, and warnings from a credit reporting company
  - Suspicious documents
  - Suspicious personal identifying information
  - Suspicious account activity
  - Notice from other sources


- Detect ID theft red flags:
  - During the opening of new accounts or changes to existing accounts
  - During verification and authentication
  - By telephone, mail, Internet, or wireless system
- Respond to ID theft red flags (prevent and mitigate):
  - Monitor accounts
  - Contact the customer
  - Change passwords and security codes
  - Close an account
  - Do not open a new account
  - Notify law enforcement
  - Determine that no response is necessary


- Update the program:
  - Technology changes
  - Thieves change tactics
  - Keep the program current with identity theft risks


Identity Theft and Corporations’ Due Diligence

Business Implications

- Consider the outcome of negative and embarrassing information
- Legal and regulatory concerns
- Loss of confidence in the company
- Loss of credibility and business to a competitor
- Loss in share price


Steps Toward Prevention

- Shred, shred, shred
- Storage media no longer needed must be properly disposed of
- Implementation of preventive and detective controls
- Limit access to information
- Classify data (identify personal information)
- Risk assessment
- Take appropriate measures to reduce the risk of fraud through ID theft


What Every IT Auditor Should Know About Identity Theft

Be Aware of Regulations and Public Policy

- Federal laws and regulations: HIPAA, Gramm-Leach-Bliley Act, Red Flags, etc.
- State laws and regulations concerning privacy of information

Concerns and Controls

- Perform a risk assessment
- Research and implement appropriate prevention techniques, tools, and policies
- Ensure there is a recovery plan in case data is destroyed
- Establish an incident response plan


The Business Model for Information Security


Systems Thinking

- Or how systems interact in the company
- How does Information Security relate to the company?
- Creativity and planning, not reactivity
- Plan on security; do not react to threats


The Intentional Information Security Culture

- Awareness campaigns: security awareness activities and educational sessions; training to show security’s importance to the company
- Cross-functional teams: Information Security Steering Committee
- Management commitment: senior management and board of directors


Alignment of Information Security and business objectives

A risk-based approach

Balance among organization, people, process and technology

Allowance for the convergence of security strategies


Elements

Organization Design and Strategy

People

Process

Technology

Dynamic Interconnections


Dynamic Interactions

Governing

Culture

Enabling and Support

Emergence

Human factors

Architecture


Current and Future Issues

Regulatory Requirements

Globalization

Growth and Scalability

Organizational Synergies

Evolving Technology


Economic Markets

Human Resources

Competition

Ever-changing Threats

Innovation


What’s Next

Shifting From Functional to Intentional Security Culture

Move Technology

From:
- Unsure about the level of security the technology provides.
- Seeing security-related technology as disruptive and cumbersome to use.

To:
- Technology used is based on an assessment of the risk.
- Seeing new security technology as a means to enhance the sales process.


Move Process

From:
- Security brought in when there is a suspected breach.
- Security maintains expert knowledge.

To:
- Security involvement in the earliest planning phases of campaigns.
- Security shares its knowledge and expertise, developing broader security awareness across the enterprise.


Move People

From:
- Security as an entity that enforces compliance.
- Security as a functional expert.

To:
- Security as a partner that creates awareness and commitment.
- Security as a partner that transfers security knowledge and expertise to its sales customers.


Move Enterprise

From:
- Limited visibility or awareness of security issues.
- Security structure focused on technical expertise.

To:
- Receiving regular updates about potential risk.
- Security structure supports the processes of its customers.
