
The Cyberside of Identity Theft GAAE Conference Georgia Perimeter College February 1, 2008.

Date post: 16-Dec-2015
Upload: della-mathews

The Cyberside of Identity Theft

GAAE Conference

Georgia Perimeter College

February 1, 2008

Who Is at Risk?

You Are!!!

Identity Theft

What is it?

Growing incidence of high-tech

How does it happen?

How can I prevent it?

What Is Identity Theft?

n : the co-option of another person's personal information (e.g., name, social security number, credit card number, passport) without that person's knowledge and the fraudulent use of such knowledge

-- dictionary.com

Federal Identity Theft and Assumption Deterrence Act

18 U.S.C. § 1028(a)(7)

Federal law passed in 1998

Prohibits “knowingly transfer[ring] or us[ing], without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.”

Georgia Statute §16-9-121. Identity Fraud Law

“A person commits the offense of identity fraud when without the authorization or permission of a person with the intent unlawfully to appropriate resources of or cause physical harm to that person, or of any other person, to his or her own use or to the use of a third party he or she: (1) Obtains or records identifying information of a person which would assist in accessing the resources of the other person; or (2) Accesses or attempts to access the resources of the other person through the use of identifying information.”

Identifying Information (Partial List)

Names (current or former)

Social Security numbers

Driver’s license numbers

Bank account/credit card numbers

Birth dates

Tax identification numbers

Medical identifications

Statistics

Source: Federal Trade Commission Identity Theft Data Clearinghouse report

Over 674,300 consumer identity theft & fraud complaints received in 2006

36% classified as identity theft, 64% as other fraud.

Reported losses of over $1.1 billion (up from $547 million two years earlier).

Statistics (cont.)

Georgia's statistics

8,084 cases reported to FTC in 2006

Sixth-highest in nation

ID Theft in Atlanta -- 2006

Atlanta-Sandy Springs-Marietta, GA Metropolitan Statistical Area

Theft Type                                 Complaints   Percentage
Credit Card Fraud                          1,398        24.5 %
Bank Fraud                                 1,142        20.0 %
Phone or Utilities Fraud                   913          16.0 %
Government Documents or Benefits Fraud     767          13.4 %
Employment-Related Fraud                   467          8.2 %
Loan Fraud                                 292          5.1 %
Other Identity Theft                       1,404        24.6 %
Attempted Identity Theft                   339          5.9 %
Total:                                     5,710

Statistics (cont.)

Losses to banks and financial institutions

Estimated $48 billion in 2003

Average loss per business victim

$10,200

Average loss to individual victims

$1,180

175 or more hours resolving problems over two or more years

Who Commits Identity Theft?

Professional thieves

Strangers

Employees of businesses

Family members and relatives

Friends/acquaintances

How Does Identity Theft Occur?

Non-technological methods still used

“Dumpster diving”

Dishonest employees

Mail theft/interception

Masquerading and “Social hacking”

“Shoulder surfers”

Telemarketing scams

How Does Identity Theft Occur? (cont.)

Technologically-based theft is growing exponentially

Wireless invasion/interception

Malicious software

“Phishing” and “Pharming” schemes

Wireless Invasion/ Interception

Unsecured wi-fi networks

Public, “open private” or poorly secured

Unsecured computers

Missing password protection

“Clear data” transmissions

Failure to use encryption techniques

Failure to use secure sites

Malicious Software

Keyloggers and screenloggers: monitor data as user inputs it, send data to remote servers for exploitation

Email/IM redirectors: intercept legitimate communications, relay copies to unintended destinations

Session hijackers and web trojans: mimic legitimate websites but aren't

Malicious Software (cont.)

System reconfiguration attacks: modify network settings on user's computer

“Pharming” -- redirection to a fake website

Data Characteristics

Used in conjunction with malicious software

Certain programs store data in known locations

Many types of data follow specific patterns

“Phishing”

Attn My Dear Mr Mike Aurelius,

I apologize if the contents hereunder are contrary to your moral ethics, but please treat it with absolute secrecy and personal courtesy. I am Johnson Kumalo an Auditor in a commercial Bank, in the process of auditing our bank accounts this quarter, I and one of my colleagues recently discovered that there is a dormant account valued at the sum £10,000,000.00 (Ten Million British Pound Sterling) and after due verification of this account we discovered that the account owner is late and that is why the account has been dormant and as such a £10,000,000.00 has been lying in the bank unclaimed.

The idea of presenting a foreigner to act as his next of kin came into our mind, as you know the said deceased is a foreigner as well. Hence, that is how and why we have contacted you to present you as his next of kin, so that the £10,000,000.00 will be paid to you and we can both disburse the fund according to the percentage we will agree upon. In view of this, I am seeking for your co-operation and understanding to stand as the next of kin to our deceased customer, to enable us claim the fund from my bank. Hence, if this proposal is OK by you and you do not wish to take undue advantage of my trust, then I hope to bestow on you. Please kindly get back to me immediately only through my personal contact email; [email protected]

On getting your response, we shall agree on the percentage ratio on which we shall disburse the £10,000,000.00 between us, as we intend to invest part of our own share in a real estate or any lucrative business in your country, and we would appreciate if you can put us in the right part where we can invest our own share in your country. I will not contact any person or company until I hear from you, so as to enable me decides on what to do next. Be rest assured that this business is 100% risk free. We wait for your prompt response.

Best Regards,

Johnson Kumalo.

Private Email: [email protected]

NB: PLEASE NOTE THAT IT DOES NOT MATTER IF YOU ARE NOT RELATED TO MY LATE CLIENT. THE FUNDS WILL STILL BE PAID TO YOU, SINCE I AM PRESENTING YOU AS HIS NEXT OF KIN.

________________________________

Do you use Yahoo!? Tired of annoying messages (spam)? Yahoo! Mail has the best possible protection against annoying messages http://login.yahoo.com/config/mail?.intl=gr

How Can I Prevent It?

Total prevention is impossible!

Minimize risks as much as possible

Use common sense!!!

Protect Your Information

Do not give out information unless you must!

Ask why a piece of information is needed

You can refuse to give information, but you may not receive the service in return

Do not use your Social Security number as an identification number

Needed by IRS, SSA

Protect Your Information (cont.)

Make sure you know who is requesting the information

Are they legitimate?

Do not give out personal information unless you initiate the call/email/web site visit

Protect Your Information (cont.)

Be especially cautious with the “big three”:

Social Security number

Passport number

Bank/credit account numbers

Protect Your Technology

Control access to computers and networks

Passwords

Minimize visibility

Minimize storage of sensitive data on insecure systems

If you must, encrypt it!

Protect Your Data

Never send important data to unsecure sites

Look for https: as the start of the web address

When using public computers

Always close programs you've used

Always log out properly

Always clear cache and other private data

Further Reading

GetNetWise http://getnetwise.org/

Protecting Your Identity in the Virtual World http://www.bbbonline.org/idtheft/virtual.asp

The Crimeware Landscape http://antiphishing.org/reports/APWG_CrimewareReport.pdf

Resources -- Federal Agencies

Federal Trade Commission http://www.consumer.gov/idtheft/

Department of Justice http://www.usdoj.gov/criminal/fraud/idtheft.html

Social Security Administration http://www.ssa.gov/pubs/idtheft.htm

U.S. Postal Inspection Service http://www.usps.com/postalinspectors/welcome2.htm

Resources – State Agencies

Georgia Stop Identity Theft Network http://www.stopidentitytheft.org/

Resources -- Nonprofit Organizations

Better Business Bureau http://www.bbbonline.org/IDTheft/

Identity Theft Resource Center http://www.idtheftcenter.org/index.shtml

Privacy Rights Clearinghouse http://www.privacyrights.org/identity.htm

Opt-Out Resources

Email marketing: http://www.dmaconsumers.org/offemaillist.html

Direct mail marketing: http://www.the-dma.org/consumers/offmailinglist.htm

Telemarketing offers: http://www.donotcall.gov/

Credit Bureau marketing lists: Write each credit bureau individually

Pre-screened credit offers: 1-888-5-OPTOUT

In Closing

This presentation is available online at http://www.gpc.edu/~jbenson/presentations/idtheftgaae.ppt

