CSCU Module 10 Social Engineering and Identity Theftfasilkom.mercubuana.ac.id/wp-content/uploads/2017/07/CSCU-Modul… · Social Engineering and Identity Theft SimplifyingSecurity

1 Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.

Social Engineering and Identity Theft

Simplifying Security.

Module 10


OAKLAND ‐‐ Calling it the biggest they have seen, Oakland police said Monday that an identity theft operation that manufactured phony checks, IDs and credit cards has been shut down.Officials said there are potentially thousands of victims all over the Bay Area and in other states and the possibility of an untold amount of monetary loss.Police Chief Anthony Batts said breaking up the operation is particularly important to law enforcement because identity theft "puts fear in everyone," including himself.The operation, which Officer Holly Joshi called a "one‐stop shop" for identity theft, was run out of a Hayward apartment in the 21000 block of Foothill Boulevard, where resident Mishel Caviness‐Williams, 40, was arrested last week as she left the apartment. She had $4,000 in cash on her, police said.

Oakland Police Shut Down Bay Area‐Wide Identity Theft Operation

http://www.mercurynews.com

05/16/2011, 11:16:54 AM PDT


Suffolk police are seeking assistance locating a woman who allegedly took an elderly man’s debit card and used it on several occasions. Police have five felony warrants on file for Lavonda “Goosie” Moore, 37, for credit card theft, credit card fraud, criminally receiving money, third offense petit larceny and identity theft.

Police say Moore took a debit card from the victim on Hill Street on May 15 and used it on multiple occasions at an ATM and at retail stores. There also is a warrant on file for Moore for third offense petit larceny in an unrelated case.

Moore’s last known address is the 600 block of Brook Avenue. Anyone who has information on Moore’s location is asked to call Crime Line at 1‐888‐LOCK‐U‐UP. Callers to Crime Line never have to give their names or appear in court, and may be eligible for a reward of up to $1,000.

Woman Sought in Theft

http://www.suffolknewsherald.com

May 23, 2011


Identity Theft Statistics 2011

75%11.1 Million

4.8%13%

Adults Victims ofIdentity Theft

$54 billion

The Total Fraud Amount

Percent of Population Victimized by Identity Fraud

Victim Who Knew Crimes Were Committed

Fraud Attacks on ExistingCredit card Accounts

http://www.spendonlife.com

Consumer Complaint

Scenario

“I lost my purse in 2006. But surprisingly I got notices of bounced checks in 2007. About a year later, I received information that someone using my identity had bought a car. In 2008, I came to know that someone is using my Social Security Number for a number of years. A person got arrested and produced my SSN on his arrest sheet. I can’t get credit because of this situation. I was denied a mortgage, employment, credit cards and medical care for my children.”

http://www.networkworld.com


Module ObjectivesWhat is Identity Theft?

Personal Information that Can be Stolen

How do Attackers Steal Identity?

What do Attackers do with Stolen Identity?

Examples of Identity Theft

How to Find if You are a Victim of Identity Theft?

What to do if Identity is Stolen?

Reporting Identity Theft

Prosecuting Identity Theft

Guidelines for Identity Theft Protection

Guidelines for Protection from Computer Based Identity Theft

IP Address Hiding Tools


Identity Theft

What to Do if Identity Is Stolen

How to Find if You Are a Victim of Identity Theft

ReportingIdentity Theft

Protection from Identity Theft

Module Flow

Social Engineering


Criminal charges

Legal issues

It leads to denial of employment, health care facilities, mortgage, bank accounts and credit cards, etc.

Financial losses

Identity Theft Effects

Identity theft or ID fraud refers to a crime where an offender wrongfully obtains key pieces of the intended victim's personal identifying information, such as date of birth, Social Security number, driver's license number, etc., and makes gain by using that personal data

What is Identity Theft?


Personal Information that Can be Stolen

Names

Mother’s maiden name

Telephonenumbers

Passport numbers

Credit card/Bank account numbers

Social security numbers

Driving license numbers

Birth certificates Address

Date of birth


How do Attackers Steal Identity?

Hacking Theft of Personal Stuff

PhishingSocial Engineering

Fraudster pretend to be a financial institution and

send spam/ pop‐up messages to trick the user

to reveal personal information

Fraudsters may steal wallets and purses, mails including bank and credit card statements, pre‐approved credit offers, and new checks or tax information

Attackers may hack the computer systems to steal confidential personal information

It is an act of manipulating people trust to perform

certain actions or divulging private information, without

using technical cracking methods



Credit Card Fraud

Phone or Utilities Fraud Other Fraud

They may open a new phone or wireless account in the user’s name, or run up charges on his/her existing account

They may use user’s name to get utility services such as electricity, heating, or cable TV

They may get a job using legitimate user’s Social Security number

They may give legitimate user’s information to police during an arrest and if they do not turn up for their court date, a warrant for arrest is issued on legitimate user’s name

They may open new credit card accounts in the name of the user and do not pay the bills



Bank/Finance Fraud

Government Documents Fraud

They may create counterfeit checks using victim’s name or account number

They may open a bank account in victim’s name and issue the checks

They may clone an ATM or debit card and make electronic withdrawals on victim’s name

They may take a loan on victims’ name

They may get a driving license or official ID card issued on legitimate user’s name but with their photo

They may use victim’s name and Social Security number to get government benefits

They may file a fraudulent tax return using legitimate user information


Same Name: TRENT CHARLES ARSENAUL

Original Identity Theft

Identity Theft Example


Identity Theft



Social Engineering



Module Flow


Social Engineering

Types of Social Engineering

Social Engineers Attempt to Gather

Social Engineering

Sensitive information such as credit card details, social security number, etc.

Passwords

Other personalinformation

Human based social engineering

Computer based social engineering

Social engineering is the art of convincing peopleto reveal confidential information

It is the trick used to gain sensitive information by exploiting the basic human nature


Social Engineering Example

Hi, we are from CONSESCO Software. We are hiring new

people for our software development team. We got your contact number

from popular job portals. Please provide details of your job profile,

current project information,social security number, and your

residential address.


Criminal as Phone Banker

Hi, I am Mike calling from CITI Bank. Due to increasing threat perception, we are updating our systems with new

security features. Can you provide me your personal details to verify that you

are real Stella.Thanks Mike, Here are my details. Do you

need anything else?


Authority Support Example

Hi, I am John Brown. I'm with the external auditors Arthur Sanderson. We've been told by corporate to do a surprise inspection of your disaster recovery

procedures.

Your department has 10 minutes to show me how you would recover from a

website crash.


Technical Support Example

A man calls a company’s help desk and says he has forgotten his password. He adds that if he misses the deadline on a big

advertising project, his boss might fire him.

The help desk worker feels sorry for him and quickly resets the password,

unwittingly giving the attacker clear entrance into the corporate

network


Human-Based Social Engineering

Eavesdropping Shoulder surfing Dumpster diving

Eavesdropping is unauthorized listening of conversations or reading of messages

It is interception of any form of communication such as audio, video, or written

Shoulder surfing is the procedure where the attackers look over the user’s shoulder to gain critical information such as passwords, personal identification number, account numbers, credit card information, etc.

Attacker may also watch the user from a distance using binoculars in order to get the pieces of information

Dumpster diving includes searching for sensitive information at the target company’s trash bins, printer trash bins, user desk for sticky notes, etc.

It involves collection of phone bills, contact information, financial information, operations related information, etc.


Spam Email

Instant Chat

Messenger

Chain Letters

Hoax Letters

Pop‐up Windows

Windows that suddenly pop up while surfing the Internet and ask for users’ information to login or sign‐in

Hoax letters are emails that issue warnings to the user on new viruses, Trojans, or worms that may harm the user’s system

Chain letters are emails that offer free gifts such as money and software on the condition that the user has to forward the mail to the said number of persons

Gathering personal informationby chatting with a selected online user to get information such as birth dates and maiden names

Irrelevant, unwanted, and unsolicited email to collect the financial information, social security numbers, and network information

Computer-Based Social Engineering


Computer-Based Social Engineering: Phishing

An illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user’s personal or account information

Phishing emails or pop‐ups redirect users to fake webpages of mimicking trustworthy sites that ask them to submit their personal information

Fake Bank Webpage


Phony Security AlertsPhony Security Alerts are the emails or pop‐up windows that seem to be from a reputed hardware or software manufacturers like Microsoft, Dell, etc.,

It warns/alerts the user that the system is infected and thus will provide with an attachment or a link in order to patch the system

Scammers suggest the user to download and install those patches

The trap is that the file contains malicious programs that may infect the user system


Computer-Based Social Engineering through Social Networking Websites

Computer‐based social engineering is carried out through social networking websites such as Orkut, Facebook, MySpace, LinkedIn, Twitter, etc.

Attackers use these social networking websites to exploit users’ personal information


Identity Theft





Module Flow

Social Engineering



Bill collection agencies contact you for overdue debts you never incurred

You receive bills, invoices, or receipts addressed to you for goods or services you haven’t asked for

You no longer receive your credit card or bank statements

You notice that some of your mail seems to be missing

Your request for mortgage or any other loan is rejected citing your bad credit history despite you having a good credit record



You get something in the mail about an

apartment you never rented, a house you never bought, or a job

you never held

You lose important documents such as your passport or driving license

You identify irregularities in your credit card

and bank statements

You are denied for social benefits

citing that you are already claiming

You receive credit card

statement with new account


Identity Theft





Module Flow

Social Engineering


What to do if Identity is Stolen?

Contact the credit reporting agencies http://www.experian.com http://wwwc.equifax.com http://www.transunion.com

Immediately inform credit bureaus and establish fraud alerts

Request for a credit report Review the credit reports and alert the credit agencies

Freeze the credit reports with credit reporting agencies

Contact all of your creditors and notify them of the fraudulent activity

Change all the passwords of online accounts

Close the accounts that you know or believe have been tampered with or opened fraudulently


What to Do if Identity Is Stolen?

File a report with the local police or the police in the community where the identity theft took place

File a complaint with identity theft and cybercrime reporting agencies such as the FTC

Take advice from police and reporting agencies about how to protect yourself from further identity compromise

Ask the credit card company about new account numbers

Tell the debt collectors that you are a victim of fraud and are not responsible for the unpaid bill

Ask the bank to report the fraud to a consumer reporting agency such as ChexSystems that compiles reports on checking accounts


Identity Theft





Module Flow

Social Engineering


Federal Trade CommissionThe Federal Trade Commission, the nation's consumer protection agency, collects complaints about companies, business practices, and identity theft

http://www.ftc.gov


econsumer.gov

http://www.econsumer.gov

econsumer.gov is a portal for youas a consumer to report complaints about onlineand related transactionswith foreign companies


Internet Crime Complaint Center

http://www.ic3.gov

The Internet Crime Complaint Center’s (IC3) mission is to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime

The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA)


Prosecuting Identity Theft

Begin the process by contacting the bureaus, banks, or any other organizations who may be involved

File a formal complaint with the organization and with the police department

Regularly update yourself regarding the investigation process to ensure that the case is being dealt with properly

Obtain a copy of the police complaint to prove to the organizations that you have filed an identity theft complaint

File a complaint with the Federal Trade Commission and complete affidavits to prove your innocence on the claims of identity theft and fraudulent activity

Contact the District Attorney's office for further prosecuting the individuals who may be involved in the identity theft


Identity Theft




IP Hiding Tools

Module Flow

Social Engineering


Hiding IP Address Using Quick Hide IP Tool

http://www.quick‐hide‐ip.com

Quick Hide IP hides your internet identity so you can surf the web while hiding you real IP and location

It redirects the Internet traffic through anonymous proxies

Quick Hide IP. Websites you are visiting see the IP address of the proxy server instead of your own IP address


UltraSurfhttp://www.ultrareach.com

Hide The IPhttp://www.hide‐the‐ip.com

Hide My IPhttp://www.hide‐my‐ip.com

Hide IP NG http://www.hide‐ip‐soft.com

IP Hiderhttp://www.iphider.org

TORhttp://www.torproject.org

Anti Trackshttp://www.giantmatrix.com

Anonymizer Universal http://www.anonymizer.com

IP Address Hiding Tools


Module Summary

Identity theft is the process of using someone else’s personal information for the personal gain of the offender

Criminals look through trash for bills or other paper with personal information on it

Criminals call the victim impersonating a government official or other legitimate business people and request personal information

Keep the computer operating system and other applications up to date

Do not reply to unsolicited email that asks for personal information

Use strong passwords for all financial accounts

Review bank/credit card statements/credit reports regularly


Keep your Social Security card, passport, license, and other valuable personal information hidden and locked up

Ensure that your name is not present in the marketers’ hit lists

Shred papers with personal information instead of throwing them away

Never give away social security information or private contact informationon the phone – unless YOU initiated the phone call

Confirm who you are dealing with, i.e., a legitimate representative or a legitimate organization over the phone

Carry only necessary credit cards

Cancel cards seldom used

Review credit reports regularly

Identity Theft Protection Checklist


Do not reply to unsolicited email requests for personal information

Do not give personal information over the phone

Review bank/credit card statements regularly

Do not carry your Social Security card in your wallet

Shred credit card offers and “convenience checks” that are not useful

Do not store any financial information on the system and use strong passwords for all financial accounts

Check the telephone and cell phone bills for calls you did not make

Read before you click, stop pre‐approved credit offers, and read website privacy policies

Identity Theft Protection Checklist


Install antivirus software and scan the system regularly

Enable firewall protection

Check for website policies before you enter

Keep the computer operating system and other applications up to date

Be careful while opening email attachments

Clear the browser history, logs, and recently opened files every time

Check for secured websites while transmitting sensitive information

Computer Based Identity Theft ProtectionChecklist