Identity Theft Deter, Detect, and Defend At Home & At Work

1. Identity TheftDeter, Detect, and Defend At Home & At Work

2. Introductions • Lisa Stensland, OIT – Project Management • Ray Price, CU Police • Andrea Beesing, OIT – IT Security • Sandy Eccleston, DFA • Jamie Churchill, DFA • Pat McClary, Counsel’s Office • Norma Schwab, Counsel’s Office • Kenna Morehouse, Treasurer’s Office • Carolann Saggese, Treasurer’s Office • Chuck Alridge, CU Police • Debi Benson, DFA • George Sutfin, CU Police

3. Agenda • Why be concerned? • Deter – how to prevent it • Detect – how to discover it • Defend – how to fix it • Identity theft prevention at work • But what about…?

4. What is Identity Theft? • When someone uses your personal information without your permission to commit fraud or other crime • Name • Social Security number • Date of birth • Credit card number • Bank account numbers Identity

5. Types of Identity Theft Source: Federal Trade Commission, Feb 2007

6. Types of Identity Theft Source: Federal Trade Commission, Feb 2007

7. How does Identity Theft occur?

8. Good, old fashioned stealing

9. “Dumpster Diving”

10. “Skimming”

11. “Phishing” http://219.166.162.37/icons/www.wachovia.com/… Australia

12. “Phishing” http://boaupdate.pochta.ru Russia

13. “Phishing” http://kooptickets.nl/~claudia/mycfcu.com/….. Netherlands

14. “Phishing” • Emails that appear to be from IRS requesting you confirm information • Emails that are thanking you for a recent purchase (of something you didn’t buy) • Phone phishing When in doubt, ask or “call back” Your bank will NEVER ask you for account numbers or passwords if they initiated the communication

15. Is this a big problem? The U.S. Government Reform Committee reports that all 19 government departments and agencies reported at least one loss of personally identifiable information since Jan. 2003. Only a small number of the data breaches were caused by hackers. The vast majority of losses occurred from physical thefts of portable computers, drives and disks, or unauthorized use of data by employees. In 2004, 43% believe they knew their imposter. 14% of them said that it was an employee of a business who had their information. Most studies show that the victim population is about 10 million per year. That means every minute about 19 people become a new victim of this crime. According to the U.S. Department of Justice Statistics, identity theft is now passing up drug trafficking as the number one crime in the nation. In 2004, victims spent an average of 330 hours recovering from this crime. It’s huge. --Identity Theft Resource Center, Facts & Statistics 2006

16. True Stories… • Over 63 fraud cases reported to CU Police since 2005 • Many cases involve more than one incident • One case had 16!

17. Has anyone here been a victim?

18. DETER DETECT DEFEND How do you prevent Identity Theft?

19. How many of you... …have your Social Security card in your wallet or purse right now?

20. Protect your sensitive information • Do NOT carry your SSN card with you • Memorize PINs and passwords • Beware of promotions that request sensitive information • Question how SSN or other sensitive data will be used if it is requested by legitimate sources • It may not be needed!

21. Protect your sensitive information • Shred pre-approved credit offers, receipts, bills, other records that have SSN • Do not provide CC#, SSN, etc. out over email • Do not click on links in unsolicited emails

22. How many of you... ...write checks to pay bills and then put them in the mailbox with the flag up?

23. Modify your mail habits • Don’t leave mail containing checks or account information in your mailbox • Use the post office mailboxes • Keep an eye out for bills or statements that aren’t received in a timely manner

24. How many of you... ...have noticed fewer and fewer places actually require or check your signature on a credit card?

25. Modify your credit card habits • Carry only cards you use regularly • Sign the backs of all credit cards (or write “Check ID”) • Do not loan out your cards to anyone • Report lost/stolen cards immediately • Keep a copy of both sides of your cards in a safe place

26. Modify your credit card habits • Check for the “padlock” and/or “https” when purchasing online • Opt out of pre-approved credit card offers • Opt out of junk mail • Shred all pre-approved credit card offers • Do not just tear them up!

27. How many of you... ...do not have a firewall or do not have anti-virus software on your computer at home that is up-to-date?

28. Safeguard your computer • Use a firewall • Use anti-virus software AND keep it updated • Use wireless encryption • Do NOT give out your NetID/password under ANY circumstances • Lock your computer when you are away from your desk

29. Take advantage of other services available to you • Credit monitoring services (not free) • Periodic emails reporting on changes to your credit report • Identity Theft Insurance (proceed with care) • Fraud alert • A flag on your credit report that encourages creditors to take extra steps to ensure identity has not been stolen • Can only be done if you have been a victim of identity theft • Credit freeze

30. Credit Freeze • NYS allowed starting in November 2006 • Prevents lenders and others from accessing your credit report • Good news – Identity thieves will be unable to establish credit in your name • Bad news – so will you • Will also affect background checks and most requests for insurance

31. DETER DETECT DEFEND How do you find out if this has happened to you?

32. How many of you... ...have not checked your credit report in the last 12 months?

33. Increase monitoring • Check your credit report regularly • Free from each credit bureau once per year • Pull one every 4 months (rather than all 3 at once) • Monitor your bank and credit card statements closely for unauthorized transactions • Keep an eye out for bills that do not arrive as expected

34. Increase monitoring • Watch for unexpected credit cards or account statements • Investigate any denial of credit situations • Watch out for calls or letters about purchases that you didn’t make

35. DETER DETECT DEFEND How do you restore your good name?

36. Steps to Take • Immediately close the account and request fraud dispute forms • File a police report • You will need the report number when corresponding with bank/credit card company • Contact one of the 3 credit reporting agencies to place a “fraud alert” on your file • The credit reporting agency is required to notify the other 2 to do the same

37. Steps to Take • Report the theft to the Federal Trade Commission • Keep copies of everything and journal all correspondence (date/time/name) • Send all written correspondence “certified mail, return receipt requested” • Know your rights!

38. Credit Card Liability • Covered under Fair Credit Billing Act (FCBA) • Your maximum liability under federal law for unauthorized use is $50 • If you report lost/stolen cards before they are used, your liability is $0 • If the loss is only of the card number and not the card, your liability is $0

39. Debit Card Liability • Covered under Electronic Fund Transfer Act (EFTA) • Liability depends on how quickly you report the loss • It does not matter if you ran it through as “credit”! • It does not matter if you “signed” rather than used PIN number!

40. Debit Card Liability

41. Investment Liability • There are currently NO federal liability protections against fraudulent use of your investment or retirement accounts! • Check with your bank or brokerage to see what they offer for liability protection

42. Identity Theft Protection at Work

43. How does this apply to work? • Current federal and state law • Family Educational Rights and Privacy Act (FERPA) • Health Insurance Portability and Accountability Act (HIPAA) • Gramm-Leach-Bliley Act (GLBA) • NY Data Security and Notification Law (12/8/05) • Growing social expectations due to rise in identity theft awareness • Need to protect Cornell’s reputation

44. How does this apply to work? • Cornell must notify and report if protected data is reasonably believed to have been inappropriately accessed • Protected data includes • Name with • Social security number • Credit card number • Bank account number with associated PIN • Drivers license number

45. Examples • March 2005 - Bank of America • 1,200,000 lost social security and account numbers were lost • May 2006 - Veteran’s Administration • 26,500,000 social security numbers and DOB were lost when a laptop was stolen • January 2007 - TJ Maxx • 47,500,000 credit card numbers were stolen by hackers taking advantage of unencrypted wireless network in parking lot

46. Why do we care?

47. Why do we care?

48. Precautions to take • Identify the sensitive data on your system – do you really need it? • Social Security Numbers • Credit card numbers • Drivers license numbers • Make sure your IT staff is aware that you manage sensitive data • Work with your local IT staff to ensure your system is protected

49. Precautions to take • Before performing any action on your computer ask if there’s a chance this action might put the data at risk • Clicking on e-mail attachments • Turning off the firewall, anti-virus • Installing programs from the internet • If you work from home using personal computers • YOU are responsible for the security of your computer • Enable encryption on home wireless networks • Ensure sensitive data is encrypted

50. Precautions to take • NEVER share your NetID/password • Use a complex password • Do not use your NetID/password for non-Cornell systems • Do not email credit card numbers • Keep P-card/credit card applications and paper checks locked up