Identity Theft • Identity Theft • It's a broad category including a wide range of identity-related crimes • In modern usage, it is often related to identity-related crimes involving credit card fraud
Identity Theft • Identity theft is not a new crime. It forms the basis of several of Shakespeare's comedies • What distinguishes modern identity theft is the speed at which it happens • The window of vulnerability for the thief is from when the false identity is used, to when the use is discovered. Today, a thief can exploit a vulnerability window only a few hours wide.
Identity Theft • Examples of identity theft include • Obtaining credit card information for someone else and then using it to order merchandise • Obtaining identifying information from someone and using it to obtain a credit card or other credit and using that to purchase products • Stealing an identity to work in the US. • Using stolen information to spoof email or web postings for the purpose of harming someone's reputation.
Obtaining the Information • First let's consider how information might be obtained. • Computers are not the only source of vulnerability. Let's consider some others first
Obtaining the Information • Dumpster diving • General term for obtaining information from discarded paper. • In the day, carbons from credit card receipts were a popular way to obtain information • Discarded bank statements, ATM receipts, bills for goods or services, even restaurant tabs. • Social Security numbers • Driver's license information • Credit card or bank account information
Obtaining Information • People • People with access to information can steal the information to use themselves, or for resale • Sales People • Law Clerks, Insurance people, DMV clerks • Note: Many DMVs SELL info to companies. Not NY • Bank employees • One happened here recently • Anyone who has access to your social security number, or credit card information
Obtaining Information • Eavesdropping (Non-electronic) • Overhearing telephone conversations • “Keytopping”, as information is entered in a public computer, or an ATM
Obtaining Information • Note: Non-computer methods of obtaining information are slow, and relatively labor intensive. • This makes manual identity theft less attractive than say, mugging, to a large percentage of the disaffected.
Obtaining Information (Computer) • Phishing • Phishing EXISTS to support identity theft. That is its purpose. • It's mistaken to assume that the target is always credit card or account information • Anything that the thief can use to impersonate you is valuable • Social Security number • Driver's license information • Passwords and user ids
Obtaining Information (Computer) • Phishing is BY FAR the most common method used by identity thieves on the net. • It requires little expertise • The returns are high for small labor
Obtaining Information (Computer) • Other Methods • Intrusion • Gain access to a system that contains user info, then download it. • Plant a Trojan horse that searches for information, or logs keystrokes. • Intrusion has a higher skill cost, but can yield information on thousands or even millions of individuals in a few minutes
Obtaining Information (Computer) • Eavesdropping (includes keylogging) • As we have seen, it is possible to eavesdrop on traffic on a network • We can also plant software to log keystrokes, or other communication on a client machine • These are inefficient methods for theft • It requires considerable skill • We might have to listen to a lot of traffic to get a little useful information • Listening to a client machine is likely to give us info only on the persons using that machine • Lots of work, little payback
Obtaining Information (Computer) • Removable Media • Gives dishonest employees the ability to remove from the workplace large amounts of data for use or resale • This is similar to the case of a sales clerk stealing carbons from credit card transactions • Laptops • When stolen can contain gigabytes of marketable data. There are many recent cases in the news. • Again, laptop needs to belong to someone with access to interesting data.
Obtaining Information (Computer) • Bottom Line • The computer allows people to accumulate far more interesting data, far faster, and with far less effort • It makes Identity theft a very popular crime • Over 700,000 cases last year.
Using the Data • Once the thief has obtained your data, how may it be put to use?
Using the Data, (Bad Idea) • Consider this • The thief obtains your credit card data. • An online or telephone purchase is made • The thief has the goods shipped to his/her home • What's the flaw here?
Using Data, (Bad Idea) • If the purchase is detected as a fraud, the vendor has the address of the hacker on file • Also, many small businesses, having been exposed to this kind of fraud, will not ship anywhere except the billing address. • There are online clearing houses for addresses that will reship goods, for a fee.
Using Data, (Better Idea) • Use data obtained to obtain a credit card, or line of credit. • Associate your own address with the account. • Bills come to your address, so it takes far longer to identify the fraud • Owner of the identity is unaware that the card exists • Shipping is no longer a problem • The ship-to address is the billing address of the card
Using Data, (Better Idea) • What's the problem here?
Using Data, (Better Idea) • Again when the fraud is discovered, (it can take years in this case), the thief's address is available. • Again, remailing drops are available. They have been part of the underclass landscape in this country since before Capone ruled in Chicago
Using Data, (Good Idea) • Sell the data to someone else • Lower profit • Insulated from the dangers of using the data
Using Data, (Good Idea) • There are information brokerage sites where information can be bought, sold and traded. This includes credit card info, other ID info and information on remailers and reshippers. • Typically these are chat rooms or web forums that exist only for days, or even hours. • Data can be disposed of minutes after it is obtained • Current prices • 40 cents for a CC number, 15 to 100 dollars for an identity.
Dateline Example • The program Dateline aired a two part program, “To Catch an ID thief”. It is available on the Dateline website for viewing on your PC • Example • They obtained false credit cards from a firm • The use of these numbers was tracked • They made the numbers available on an information brokerage site. • Within MINUTES, hundreds of purchases had been made
Dateline Example • Note: How quickly the data was used • A window of opportunity of an hour, would still permit thousands of dollars of purchases • Note: All the firms they bought from permitted them to ship to an address other than the billing address. • There are actually firms that seem to specialize in selling to pirates – as there always have been.
Dateline Example • Reshipper • Dateline tracked several purchases. All reshippers. • Dateline looked at two of them • Both reshippers were people that had internet romances going • They reshipped the goods at the request of their fiancés • Neither fiancé existed, and both were traced to internet cafes in Western Africa. • Most purchases also shipped to Western Africa, where they were resold
Using Data, (Other) • If userids and passwords are stolen, it's possible for the id thief to make use of them • Accessing accounts, (ex. Email), to obtain other valuable information • Intrusions on machines associated with the ids to mine information • Impersonation of the holder of the id for malicious reasons.
Using Data, (Other) • Examples • Sending email to your boss or friends • Embarrassing politicians or celebrities by sending email to journalists • Posting inflammatory or obscene material to blogs, or forums
Using Data, (Social Security Number) • An undocumented individual can use your SSN to obtain work. • Give your social security number as his/her own • Use both your name and SSN for a more secure alter ego • You cannot detect this until the IRS brings you in on suspicion of tax evasion • You have omitted income on your tax form • You have paid too little tax
Using Data, (SSN) • Again, the burden of proof may be on you. • Curious Note: • SSN numbers are NOT unique • They are recycled • They are issued regionally • Occasionally, mistakes are made and two people, both living, get the same number. • Chaos reigns.
My Favourite Scam • Two individuals reprogrammed an ATM machine and simply put it in a local mall • The machine would accept the card and the PIN. Then print an error message and return the card • It stored all the card information and PINs • They retrieved the machine and extracted the data • Burned credit cards (trivial by the way) • Used cards and PINs to make withdrawals.
ID Theft – The Law • Laws lag behind new kinds of crime • ID theft laws are less than 10 years old • They do not exist in all states • They are incomplete • New scams are created every day • Some ID theft can be prosecuted under fraud laws, but not all
ID Theft – The Law • In most cases, unlike other kinds of theft, the burden of proof is on the victim to prove that the crime occurred • In many cases, law enforcement is reluctant to help • They are not set up for cyber crime • There may not be a crime as such • The law on this changes constantly
Preventing ID Theft • There is no certain way to prevent ID theft. • Many elements are beyond your control • How well vendors keep your data secured • How honest people with access to your data are • DMV • Insurance or medical people • Bankers • NSA • Etc. • Security of the networks your data travels over
Preventing ID Theft • Don't fall for Phishing • By far the most common attack • Know the common scams • Be wary of any request for information regardless of the source • Keep your spam filters up • This is the number one recommendation on all sites
Preventing ID theft • Monitor your accounts for unusual activity • Look for purchases • Password or address changes • Monitor your credit reports • Obtain your credit reports frequently • This will expose accounts and loans in your name • It can help expose unusual activity on existing accounts
Preventing ID Theft • Make purchases only on trusted sites. • Your safety depends on how well they protect your data. Never forget that • Read privacy policies • I know they are long, boring and obscure • You need to know where your data are going, or might go. • Most vendors are opt-out, i.e. you have to tell them not to distribute your data
Preventing ID theft • Secure your network • Very true for wireless. Remember war drivers • Use encryption whenever possible • Don't send info to web sites that do not use encryption for sensitive info. • Be aware of your browser's signal for secure web pages, and check it during transactions • Hide behind NAT whenever possible.
Preventing ID Theft • Don't put sensitive information on non-secure websites • Myspace and FaceBook come to mind • Keep in mind that public sites are public and that your credit card information is not the only thing interesting to an identity thief • If it appears on a credit card application, or a loan application, it should not be online
Preventing ID theft • On secure websites, (Banks, Paypal, etc.) • Use good passwords • Do not use one password for several sites • Use the optional security questions • Can help if the password is changed on you • Helps establish your identity
Prevent ID Theft • On Bank Accounts and Credit card accounts • Set email Alerts if possible • Alert if overdrawn or nearly so • Alert if purchase above a certain amount
Prevent ID Theft • In the Material World • Shred everything • Don't discard anything with useful information on it • Don't keep anything with useful information in an unlocked place • Be wary of anything with your Social Security number on it, like a badge. Guard your SSN like your first born child. • Be wary of people looking over your shoulder • Keytopping