Identity Theft Protection (or how to keep from being pwned) Greg Sternberg, CISSP


Identity Theft Protection (or how to keep from being pwned)

Greg Sternberg, CISSP

Agenda

- Statistics
- Who wants your info?
- What we freely(!) give away
- How they get your info
- How to protect it
- Help! My identity was stolen!
- Questions?

What is Identity Theft?

- Fraud attempted or committed using your information without your authority
- It's more than just stealing your credit card info: thieves use stolen info to become you
  - i.e. SSN, your account info, your medical info, your credit info or any combination
- Woman in Miami, FL was arrested upon returning from vacation for allegedly jumping bail on a bank robbery case
- One of the top complaints to the FTC for 13 years
- “The fastest growing white-collar crime in America” - FBI

Who Wants Your Info?

- Hackers
  - Profile: male, single, 16-19, loner, low self-esteem
  - Key friends are other hackers
  - Challenge is obtaining information
  - Ego, pride, $$$
- Organized crime
  - Big business
  - Evade arrest
- Countries / nation states
  - China, North Korea, India, Russia, Iran, African nations, South America, Mexico, ...
  - Disrupt business/economy, destroy infrastructure, make $$$

Identity Theft Statistics

- Since 2000 ID theft complaints have grown by 81%
- Nearly 12 million have been affected
  - 3 million of those were dead
- Children are a better target for identity theft than you
- 2012 saw a 13% increase in fraud
- “The revenue from trafficking financial data has surpassed that of drug trafficking” - Secret Service, March 2007

The most destructive type of ID theft is having your name, birth date, and Social Security number used to open credit accounts, tap your health insurance, or file a tax return in your name to steal your refund, among other crimes. But less than 1 percent of households experienced that form of ID theft in 2010, according to the Department of Justice. (U.S. Census in 2010: 114,800,000 households.)

The Real Problem

- YOU are guilty until YOU prove your innocence
- 12% of victims have warrants issued in their name
- “If an identity thief changes the address on your account and you didn't receive the bill, your dispute letter must still reach the creditor within 60 days of when the creditor would have mailed the bill.” (pg 19)

Consumers are generally aware that credit cards come with generous protections -- their liability for theft is limited to $50, and even that sum is now waived by most banks. But no such broad protections are afforded to debit cards and other electronic cash-based transactions, such as funds transfers between a checking account and PayPal.com.

What We Freely(!) Give Away

- Social sites
  - Geotagged pictures
  - Detailed information about ourselves
- Twitter
  - Announcing when we go on vacation
- Blogs
- Email
  - Clicking on things we really shouldn't click on

Phishing example: IRS refund notice

From: Internal Revenue Service [mailto:[email protected]]
Sent: Wednesday, March 01, 2006 12:45 PM
To: [email protected]
Subject: IRS Notification - Please Read This

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $63.80. Please submit the tax refund request and allow us 6-9 days in order to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here

Regards,
Internal Revenue Service

© Copyright 2006, Internal Revenue Service U.S.A. All rights reserved.. 3/13/2006

Phishing example: online banking lockout

Dear Customer::

For your security, access to Online Banking has been locked because the number of attempts to sign in exceeded the number allowed. To regain access to your internet banking, Please update and select the Reset Account link. below.

We will review the activity on your account with you and upon verification, we will remove any restrictions placed on your account.

To access and activate your account, simply click the link below.

www.bankofamerica.com/onlinebanking/index.php?id=zxdj9b32wx

The entire activation should take only 5 minutes of your time. Please complete the activation by now.

Thank you for using Online Banking.Bank Of Ameria Alerts

If you no longer wish to receive these e-mails, please click on this link:www.bankofamerica.com/onlinebanking/index.php?id=deactivate
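The two messages above share the tell-tale signs the deck keeps returning to: a sender domain that is not the organisation's own, links that are not https, pressure language, and a greeting that names no one. The Python checker below is an added illustration, not part of the original deck, that turns those signs into a small scoring routine and runs it over three constructed messages modelled on the samples above (a refund notice, a lockout notice and a harmless statement reminder). The sender addresses and domains ending in `.example`, the `EXPECTED_DOMAINS` allow-list and the phrase lists are assumptions chosen for the example; only `irs.gov` and `bankofamerica.com` are the organisations' real public domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: the domain(s) an organisation actually mails from.
# A real deployment would load this from a maintained list, not hard-code it.
EXPECTED_DOMAINS = {
    "internal revenue service": {"irs.gov"},
    "bank of america": {"bankofamerica.com"},
}

# Pressure / call-to-action phrases common to both samples (assumed list).
URGENCY_PHRASES = ("locked", "click here", "click the link", "suspended",
                   "within", "immediately", "verify", "update")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member")

# Matches http(s) links and bare "www." links as a mail client would render them.
URL_RE = re.compile(r"\b(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def sender_domain(from_header):
    """Lower-cased domain of the From: address ('' if it cannot be parsed)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def display_name(from_header):
    """Lower-cased display name of the From: header (the part the reader sees)."""
    name, _ = parseaddr(from_header)
    return name.lower()


def find_urls(text):
    """All link-like strings in the body, with trailing punctuation removed."""
    return [u.rstrip(".,)") for u in URL_RE.findall(text)]


def url_scheme(url):
    """Scheme of a link; a bare 'www.' link counts as http, which is what a client opens."""
    return urlparse(url if "://" in url else "http://" + url).scheme.lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    lower = (msg.get("Subject", "") + "\n" + body).lower()
    found = []

    # 1. The name the mail claims vs. the domain it was really sent from.
    claimed = display_name(from_header)
    for org, domains in EXPECTED_DOMAINS.items():
        if org in claimed:
            dom = sender_domain(from_header)
            if not any(dom == d or dom.endswith("." + d) for d in domains):
                found.append(f"sender domain '{dom}' does not belong to '{org}'")
            break

    # 2. The deck's rule: URLs must start with https, NEVER http.
    for url in find_urls(body):
        if url_scheme(url) != "https":
            found.append(f"non-https link: {url}")

    # 3. Pressure language pushing the reader to act now.
    hits = [p for p in URGENCY_PHRASES if p in lower]
    if hits:
        found.append("urgency language: " + ", ".join(hits))

    # 4. A bank or agency that holds your account knows your name.
    if any(g in lower for g in GENERIC_GREETINGS):
        found.append("generic greeting")
    return found


def is_suspicious(raw_message, threshold=2):
    """True when at least `threshold` independent indicators are present."""
    return len(phishing_indicators(raw_message)) >= threshold


# Constructed samples modelled on the deck's two phishing messages (not real mail).
IRS_SAMPLE = """\
From: Internal Revenue Service <refund@irs-refund-notice.example>
To: customer@example.com
Subject: IRS Notification - Please Read This

After the last annual calculations of your fiscal activity we have determined
that you are eligible to receive a tax refund of $63.80. Please submit the tax
refund request and allow us 6-9 days in order to process it.
To access the form for your tax refund, please click here:
http://irs-refund-notice.example/refund.php?id=zxdj9b32wx
"""

BANK_SAMPLE = """\
From: Bank of America Alerts <alerts@bankofamerica-secure.example>
To: customer@example.com
Subject: Online Banking access locked

Dear Customer::
For your security, access to Online Banking has been locked because the number
of attempts to sign in exceeded the number allowed. To regain access, please
update and select the Reset Account link below.
www.bankofamerica.com/onlinebanking/index.php?id=zxdj9b32wx
"""

LEGIT_SAMPLE = """\
From: Example Credit Union <statements@examplecu.example>
To: customer@example.com
Subject: Your October statement is available

Hello Jane,
Your monthly statement is ready. Sign in at https://www.examplecu.example/ as usual
to view it. No action is required.
"""

if __name__ == "__main__":
    for label, sample in (("IRS", IRS_SAMPLE), ("bank", BANK_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, is_suspicious(sample), phishing_indicators(sample))
```

The display-name check is the one that matters most: a mail client shows the friendly name, not the address behind it, so the comparison has to be made against the parsed address. The threshold of two keeps a single stray "update" in a genuine notice from tripping the check.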

ATM examples

Camera records PIN as it's keyed in

Hidden PIN recording camera

The camera hidden in the pamphlet box includes its own battery and transmission antenna

How They Get Your Info (high tech)

- Credit/Debit card theft
- Skimming – device attached to scanners
- Pretexting – social engineering
- Man-in-the-middle – intercept communications
- Phishing – social engineering
- Pharming – compromised web site which redirects the user
- Vishing – voice phishing / robo calls
- Search Engine Phishing – too good to be true offers
- SMiShing – spam text messages which look legit
- Malware based Phishing – harmful download
- Phishing through Spam – spammer sends offers
- Spear Phishing – email phishing focused at a business

How They Get Your Info (low tech)

- Mail theft – stolen from your mail box
  - 1 in 80 families have stolen mail
- Dumpster diving – just what you think
  - 40+% of unsolicited mail is thrown away intact
- Social engineering – pretending to be legit; con game
- Shoulder surfing – at ATMs or counters
- Steal personal items – pick pockets, left behind
  - 50% of people carry their SSN around

All I Need Is A Picture

How They Get Your Info (outside your control)

- AOL employees fired for selling 250,000 customers' information
- Ameriprise Financial laptop stolen with 225,000 customers' data on it
- IRS laptop stolen from office with over 100,000 customers' data on it
- Boston Globe & Worcester Telegram & Gazette delivered newspapers with 240,000 subscribers' data
- Ernst & Young laptop with 243,000 customers' data on it stolen from employee's car
- Laptop missing from Twin Cities blood bank with 268,000 customers' data on it
- 3.3 million student loan records stolen from NM company
- Your car

How They Get Your Info (the con / social engineering)

- Grandparent scam
  - Help! Send money (and don't tell mom & dad)
- Income tax return
- Steal from home
- At-home workers
- Have I got a deal for you!
- Rental/Real Estate scam
- Mystery / Secret shopper
- <insert here> relief fund
- Popup ads offering FREE AV software
- Forged gift cards
- Threaten / Guilt
  - Jury duty, lawsuit, arrest warrant, ...

And Now For The Scary Part

Your info has probably been stolen at least once

Your info is probably already out there

Some Ways To Protect Your Info

- Install operating system updates / anti virus software (Good and Different)
- Password protect your stuff
- Use metal lined wallets for credit cards
- Expect to be a victim – take steps to reduce the impact
- Be alert, monitor, inspect and question
- Keep important documents secure
  - i.e. SSN card, birth/marriage certificates, wills, etc.
  - Fire resistant container / bank safety deposit box
- URLs must start with https NEVER http
- The internet NEVER forgets
- Review monthly statements
  - Immediately challenge them
- Buy a cross cut shredder and shred documents
- Protect medical information just like financial information

Other Ways To Protect Your Info

- Opt out of pre-approved credit offers
  - 888.567.8688 / (888)5OPTOUT
- Obtain all three credit reports once a year
  - 1.877.322.8228 / www.annualcreditreport.com
- If it's too good to be true – you're right
- Don't believe phone solicitors
- Add yourself to the National Do Not Call List:
  - www.donotcall.gov / 1.888.382.1222
- Close unnecessary accounts
- Don't pre-print phone number on checks
- Have checks mailed to a P.O. box or pick them up at the bank
- Before traveling long distances or out of the country, tell your credit card company

Yet More Ways To Protect Your Info

- Guard your SSN
  - No, they really don't need it
- Don't carry credit cards you don't need
- Limit number of credit card accounts
- Don't use mail boxes for sending mail
- Carry wallet in front pocket
- Purses go over both shoulders and zipped shut
- Be aware of people around you
  - It's not rude to ask them to step back
- NEVER give your personal information over the phone or email
  - Companies or governments will never ask for that
  - Instead you contact them

Should I Trust Someone Else?

- LifeLock, Identity Guard, TrustedId, PrivacyGuard, and lots more
- All cost money for services that you can do free
- “Do-it-yourself safeguards are just as effective as paid services” - Consumer Reports magazine: January 2013

Help! My Identity Was Stolen!

- File a police report
  - Get the file number
- Place a Fraud Alert with all three credit reports
  - Equifax – 1.800.525.6285 / www.equifax.com
  - Experian – 1.888.397.3742 / www.experian.com
  - TransUnion – 1.800.680.7289 / www.tuc.com
- Request a freeze on all three credit reports
  - Small charge (i.e. $5.00)
  - May be time limited
- Close all accounts that have been tampered with

Help! My Identity Was Stolen!

- File complaint with FTC (and follow up)
  - www.ftc.gov/idtheft
  - 1.877.438.4338 (877.IDTHEFT)
  - Identity Theft Clearinghouse, Federal Trade Commission, Washington, DC 20580
- Log everything
  - Keep notes of phone conversations
  - Send mail certified
  - Keep records of expenses and your time
- Consider talking to a lawyer

Resources

- Internet Crime Complaint Center – http://www.ic3.gov/default.aspx
- FBI – http://www.fbi.gov
- Federal Trade Commission – http://www.consumer.ftc.gov/features/feature-0014-identity-theft
- Privacy Rights Clearinghouse – www.privacyrights.org
- MSN Money ID Theft Prevention & Survival – http://www.identitytheft.org/

Questions? (And maybe even answers!)

Supporting Slides

More Numbers

- Average # of hours spent repairing identity: 330
- Number of victims who have trouble removing negative info: 70%
- Average out of pocket loss: $631
  - Most credit cards cap that at $50
- Internet crime increase since 2011: 50%
- Percentage of online users affected by cybercrime in the U.S.: 75%
- ID fraud arrests: 300+ per year
- Victims who had warrants issued for their arrest: 62%
- Number of SSNs bought and sold every 6 weeks in the U.S.: 10 million
- Cost of stolen info (2006):
  - Health insurance card or credit card w/ PIN: $500-$600
  - Driver's license or SSN card: $100
  - Credit card with expiration date and security code: $25
  - PayPal account and password: $7

Drivers License Identity Theft

Your driving privileges could be suspended or revoked

You could be arrested for crimes you didn't commit

People can open bank accounts, apply for credit cards and cash checks using your license

David Joe Hernandez

In November 2004, after serving four years in the Air Force, David Joe Hernandez came home and found...

- Arrest warrant in Arizona for driving on a revoked license
- Responsible for 20 delinquent accounts for cell phones, credit cards, utility bills and hospital bills
- Linked to a string of felonies, including auto theft and drug charges
- State regulators began garnishing 60% of his wages to pay child support to a woman in Chicago he'd never heard of
- A week after Hernandez started working at Best Buy, his manager informed him he was being let go because a criminal record check came back showing a felony drug conviction

SSN Identity Theft

Your SSN can be used to gain employment or report income

They get the income; you get the tax bill

They can file for social security benefits

Can apply for credit cards

Can obtain a drivers license

Medical Identity Theft

You could owe thousands of dollars for a procedure you've never had

You could become uninsurable

You could be denied employment for conditions you don't have

Korinke Story

- In 2003 the Korinke family was sued by Homecomings Financial Network Inc., a division of GMAC, for $75,000 plus attorney fees
- In 2001 an impostor got hold of a line of credit, switched the address, and the Korinkes never received the outstanding bills
- Homecomings claimed the Korinkes had been negligent: “The Korinkes were slow to discover and report the identity theft ... as such, Korinke is liable for any and all sums attributed to his negligence”