Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Social Engineering and Identity Theft
Simplifying Security.
Module 10
Oakland Police Shut Down Bay Area‐Wide Identity Theft Operation
OAKLAND ‐‐ Calling it the biggest they have seen, Oakland police said Monday that an identity theft operation that manufactured phony checks, IDs and credit cards has been shut down.
Officials said there are potentially thousands of victims all over the Bay Area and in other states and the possibility of an untold amount of monetary loss.
Police Chief Anthony Batts said breaking up the operation is particularly important to law enforcement because identity theft "puts fear in everyone," including himself.
The operation, which Officer Holly Joshi called a "one‐stop shop" for identity theft, was run out of a Hayward apartment in the 21000 block of Foothill Boulevard, where resident Mishel Caviness‐Williams, 40, was arrested last week as she left the apartment. She had $4,000 in cash on her, police said.
http://www.mercurynews.com
05/16/2011, 11:16:54 AM PDT
Woman Sought in Theft
Suffolk police are seeking assistance locating a woman who allegedly took an elderly man’s debit card and used it on several occasions. Police have five felony warrants on file for Lavonda “Goosie” Moore, 37, for credit card theft, credit card fraud, criminally receiving money, third offense petit larceny and identity theft.
Police say Moore took a debit card from the victim on Hill Street on May 15 and used it on multiple occasions at an ATM and at retail stores. There also is a warrant on file for Moore for third offense petit larceny in an unrelated case.
Moore’s last known address is the 600 block of Brook Avenue. Anyone who has information on Moore’s location is asked to call Crime Line at 1‐888‐LOCK‐U‐UP. Callers to Crime Line never have to give their names or appear in court, and may be eligible for a reward of up to $1,000.
http://www.suffolknewsherald.com
May 23, 2011
Identity Theft Statistics 2011
Adults Victims of Identity Theft: 11.1 Million
The Total Fraud Amount: $54 billion
Percent of Population Victimized by Identity Fraud: 4.8%
Victim Who Knew Crimes Were Committed: 13%
Fraud Attacks on Existing Credit Card Accounts: 75%
http://www.spendonlife.com
Consumer Complaint
Scenario
“I lost my purse in 2006. But surprisingly I got notices of bounced checks in 2007. About a year later, I received information that someone using my identity had bought a car. In 2008, I came to know that someone is using my Social Security Number for a number of years. A person got arrested and produced my SSN on his arrest sheet. I can’t get credit because of this situation. I was denied a mortgage, employment, credit cards and medical care for my children.”
http://www.networkworld.com
Module Objectives
What is Identity Theft?
Personal Information that Can be Stolen
How do Attackers Steal Identity?
What do Attackers do with Stolen Identity?
Examples of Identity Theft
How to Find if You are a Victim of Identity Theft?
What to do if Identity is Stolen?
Reporting Identity Theft
Prosecuting Identity Theft
Guidelines for Identity Theft Protection
Guidelines for Protection from Computer Based Identity Theft
IP Address Hiding Tools
Module Flow
Identity Theft
Social Engineering
How to Find if You Are a Victim of Identity Theft
What to Do if Identity Is Stolen
Reporting Identity Theft
Protection from Identity Theft
What is Identity Theft?
Identity theft or ID fraud refers to a crime where an offender wrongfully obtains key pieces of the intended victim's personal identifying information, such as date of birth, Social Security number, driver's license number, etc., and uses that personal data for gain
Identity Theft Effects
Financial losses
Criminal charges
Legal issues
Denial of employment, health care facilities, mortgage, bank accounts and credit cards, etc.
Personal Information that Can be Stolen
Names
Mother’s maiden name
Telephone numbers
Passport numbers
Credit card/Bank account numbers
Social security numbers
Driving license numbers
Birth certificates
Address
Date of birth
How do Attackers Steal Identity?
Phishing: Fraudsters pretend to be a financial institution and send spam/pop‐up messages to trick the user into revealing personal information
Theft of Personal Stuff: Fraudsters may steal wallets and purses, mail including bank and credit card statements, pre‐approved credit offers, and new checks or tax information
Hacking: Attackers may hack the computer systems to steal confidential personal information
Social Engineering: It is an act of manipulating people's trust so that they perform certain actions or divulge private information, without using technical cracking methods
What do Attackers do with Stolen Identity?
Credit Card Fraud
They may open new credit card accounts in the name of the user and not pay the bills
Phone or Utilities Fraud
They may open a new phone or wireless account in the user’s name, or run up charges on his/her existing account
They may use the user’s name to get utility services such as electricity, heating, or cable TV
Other Fraud
They may get a job using the legitimate user’s Social Security number
They may give the legitimate user’s information to police during an arrest, and if they do not turn up for their court date, a warrant for arrest is issued in the legitimate user’s name
Bank/Finance Fraud
They may create counterfeit checks using the victim’s name or account number
They may open a bank account in the victim’s name and issue checks
They may clone an ATM or debit card and make electronic withdrawals in the victim’s name
They may take a loan in the victim’s name
Government Documents Fraud
They may get a driving license or official ID card issued in the legitimate user’s name but with their photo
They may use the victim’s name and Social Security number to get government benefits
They may file a fraudulent tax return using the legitimate user’s information
Identity Theft Example
[Figure labels: Original; Identity Theft; Same Name: TRENT CHARLES ARSENAUL]
Social Engineering
Social engineering is the art of convincing people to reveal confidential information
It is the trick used to gain sensitive information by exploiting the basic human nature
Social Engineers Attempt to Gather
Sensitive information such as credit card details, social security number, etc.
Passwords
Other personal information
Types of Social Engineering
Human based social engineering
Computer based social engineering
Social Engineering Example
Hi, we are from CONSESCO Software. We are hiring new people for our software development team. We got your contact number from popular job portals. Please provide details of your job profile, current project information, social security number, and your residential address.
Criminal as Phone Banker
Mike: Hi, I am Mike calling from CITI Bank. Due to increasing threat perception, we are updating our systems with new security features. Can you provide me your personal details to verify that you are real Stella?
Stella: Thanks Mike, here are my details. Do you need anything else?
Authority Support Example
Hi, I am John Brown. I'm with the external auditors Arthur Sanderson. We've been told by corporate to do a surprise inspection of your disaster recovery procedures.
Your department has 10 minutes to show me how you would recover from a website crash.
Technical Support Example
A man calls a company’s help desk and says he has forgotten his password. He adds that if he misses the deadline on a big advertising project, his boss might fire him.
The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the attacker clear entrance into the corporate network
Human-Based Social Engineering
Eavesdropping
Eavesdropping is unauthorized listening to conversations or reading of messages
It is interception of any form of communication such as audio, video, or written
Shoulder surfing
Shoulder surfing is the procedure where the attackers look over the user’s shoulder to gain critical information such as passwords, personal identification number, account numbers, credit card information, etc.
The attacker may also watch the user from a distance using binoculars in order to get the pieces of information
Dumpster diving
Dumpster diving includes searching for sensitive information in the target company’s trash bins, printer trash bins, sticky notes on user desks, etc.
It involves collection of phone bills, contact information, financial information, operations related information, etc.
Computer-Based Social Engineering
Pop‐up Windows: Windows that suddenly pop up while surfing the Internet and ask for users’ information to login or sign‐in
Hoax Letters: Hoax letters are emails that issue warnings to the user on new viruses, Trojans, or worms that may harm the user’s system
Chain Letters: Chain letters are emails that offer free gifts such as money and software on the condition that the user has to forward the mail to the said number of persons
Instant Chat Messenger: Gathering personal information by chatting with a selected online user to get information such as birth dates and maiden names
Spam Email: Irrelevant, unwanted, and unsolicited email to collect the financial information, social security numbers, and network information
Computer-Based Social Engineering: Phishing
An illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user’s personal or account information
Phishing emails or pop‐ups redirect users to fake webpages mimicking trustworthy sites that ask them to submit their personal information
[Figure: Fake Bank Webpage]
Phony Security Alerts
Phony Security Alerts are emails or pop‐up windows that seem to be from reputed hardware or software manufacturers like Microsoft, Dell, etc.
They warn the user that the system is infected and provide an attachment or a link in order to patch the system
Scammers suggest that the user download and install those patches
The trap is that the file contains malicious programs that may infect the user’s system
Computer-Based Social Engineering through Social Networking Websites
Computer‐based social engineering is carried out through social networking websites such as Orkut, Facebook, MySpace, LinkedIn, Twitter, etc.
Attackers use these social networking websites to exploit users’ personal information
How to Find if You are a Victim of Identity Theft?
Bill collection agencies contact you for overdue debts you never incurred
You receive bills, invoices, or receipts addressed to you for goods or services you haven’t asked for
You no longer receive your credit card or bank statements
You notice that some of your mail seems to be missing
Your request for mortgage or any other loan is rejected citing your bad credit history despite you having a good credit record
You get something in the mail about an apartment you never rented, a house you never bought, or a job you never held
You lose important documents such as your passport or driving license
You identify irregularities in your credit card and bank statements
You are denied social benefits, citing that you are already claiming
You receive a credit card statement with a new account
What to do if Identity is Stolen?
Contact the credit reporting agencies: http://www.experian.com, http://wwwc.equifax.com, http://www.transunion.com
Immediately inform credit bureaus and establish fraud alerts
Request a credit report
Review the credit reports and alert the credit agencies
Freeze the credit reports with credit reporting agencies
Contact all of your creditors and notify them of the fraudulent activity
Change all the passwords of online accounts
Close the accounts that you know or believe have been tampered with or opened fraudulently
File a report with the local police or the police in the community where the identity theft took place
File a complaint with identity theft and cybercrime reporting agencies such as the FTC
Take advice from police and reporting agencies about how to protect yourself from further identity compromise
Ask the credit card company about new account numbers
Tell the debt collectors that you are a victim of fraud and are not responsible for the unpaid bill
Ask the bank to report the fraud to a consumer reporting agency such as ChexSystems that compiles reports on checking accounts
Federal Trade Commission
The Federal Trade Commission, the nation's consumer protection agency, collects complaints about companies, business practices, and identity theft
http://www.ftc.gov
econsumer.gov
http://www.econsumer.gov
econsumer.gov is a portal for you as a consumer to report complaints about online and related transactions with foreign companies
Internet Crime Complaint Center
http://www.ic3.gov
The Internet Crime Complaint Center’s (IC3) mission is to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime
The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA)
Prosecuting Identity Theft
Begin the process by contacting the bureaus, banks, or any other organizations who may be involved
File a formal complaint with the organization and with the police department
Regularly update yourself regarding the investigation process to ensure that the case is being dealt with properly
Obtain a copy of the police complaint to prove to the organizations that you have filed an identity theft complaint
File a complaint with the Federal Trade Commission and complete affidavits to prove your innocence on the claims of identity theft and fraudulent activity
Contact the District Attorney's office for further prosecuting the individuals who may be involved in the identity theft
Hiding IP Address Using Quick Hide IP Tool
http://www.quick‐hide‐ip.com
Quick Hide IP hides your internet identity so you can surf the web while hiding your real IP and location
It redirects the Internet traffic through anonymous proxies
Websites you are visiting see the IP address of the proxy server instead of your own IP address
IP Address Hiding Tools
UltraSurf http://www.ultrareach.com
Hide The IP http://www.hide‐the‐ip.com
Hide My IP http://www.hide‐my‐ip.com
Hide IP NG http://www.hide‐ip‐soft.com
IP Hider http://www.iphider.org
TOR http://www.torproject.org
Anti Tracks http://www.giantmatrix.com
Anonymizer Universal http://www.anonymizer.com
Module Summary
Identity theft is the process of using someone else’s personal information for the personal gain of the offender
Criminals look through trash for bills or other paper with personal information on it
Criminals call the victim impersonating a government official or other legitimate business people and request personal information
Keep the computer operating system and other applications up to date
Do not reply to unsolicited email that asks for personal information
Use strong passwords for all financial accounts
Review bank/credit card statements/credit reports regularly
Identity Theft Protection Checklist
Keep your Social Security card, passport, license, and other valuable personal information hidden and locked up
Ensure that your name is not present in the marketers’ hit lists
Shred papers with personal information instead of throwing them away
Never give away social security information or private contact information on the phone – unless YOU initiated the phone call
Confirm who you are dealing with, i.e., a legitimate representative or a legitimate organization over the phone
Carry only necessary credit cards
Cancel cards seldom used
Review credit reports regularly
Do not reply to unsolicited email requests for personal information
Do not give personal information over the phone
Review bank/credit card statements regularly
Do not carry your Social Security card in your wallet
Shred credit card offers and “convenience checks” that are not useful
Do not store any financial information on the system and use strong passwords for all financial accounts
Check the telephone and cell phone bills for calls you did not make
Read before you click, stop pre‐approved credit offers, and read website privacy policies
Computer Based Identity Theft Protection Checklist
Install antivirus software and scan the system regularly
Enable firewall protection
Check for website policies before you enter
Keep the computer operating system and other applications up to date
Be careful while opening email attachments
Clear the browser history, logs, and recently opened files every time
Check for secured websites while transmitting sensitive information