1 / 52

Personal Privacy

Personal Privacy. Identity protection in this wired world. Identity Theft?. Described by the federal Fair Credit Reporting Act as "the use or attempted use of an account or identifying information without the owner's permission“. Simple Facts.

nesler
Download Presentation

Personal Privacy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Personal Privacy Identity protection in this wired world

  2. Identity Theft? Described by the federal Fair Credit Reporting Act as "the use or attempted use of an account or identifying information without the owner's permission“.

  3. Simple Facts • Federal and state authorities alike have labeled it the country's fastest-growing white-collar crime since the late 1990s. • The number of people victimized annually was last estimated at about 10 million by the Federal Trade Commission. • It is a problem that has affected millions of Americans, including Oprah Winfrey, Bill Gates, and Tiger Woods. Chances are it has hurt someone in this room.

  4. Cost of ID Theft? • US victims spend an average of $1,500 and 175 hours to recover www.fightidentitytheft.com • Current annual cost - $56.6 billion www.bbbonline.org. • Average loss per victim $6,383. • Businesses spend an average of $18,000 per incident. • U.S. business spend over $400 billion per year just on the insider threat.

  5. Cyber Streetwise We shred financial documents and unsolicited, pre-approved credit card offers; check credit reports regularly; keep Social Security numbers as private as possible; delete e-mail from unknown senders as soon as it arrives; and frequently update antivirus, firewall and spam-blocking software. But …..

  6. We're All Vulnerable • We live in an age where everything from tax records to Social Security numbers to credit card data resides in databases that can be hacked, phished or pharmed by anyone with sinister motives and enough know-how.

  7. ID Theft: A Growing Concern • At least 130 reported breaches exposed more than 55 million Americans to potential identity theft in 2005. • Identity theft in is the fastest growing crime in the United States.

  8. Recent Reported Data Exposures • Department of Energy 1,500 • Internal Revenue Service 291 • ChoicePoint 145,000 • Bank of America 1.2 million • CardSystems 40 million • Citi Financial 3.9 million • Time Warner 600,000 • Department of Veterans Affairs 26.5 million • United States Air Force 33,000

  9. ID Theft Complaints by Consumer Age

  10. Be Vigilant • Deter identity thieves by safeguarding your information. • Detect suspicious activity by routinely monitoring your financial accounts and billing statements. • Defend against ID theft as soon as you suspect a problem.

  11. Common Ways ID Theft Happens • Common Theft • Dumpster Diving • Skimming • Phishing Schemes • Change of Address Scheme • Pretexting • Work-at-Home Swindle • Pharming • Unwanted Guests

  12. Common Theft • This is by far the most common cause of identity theft cases. • Lost or stolen identification • Lost or stolen schedulers • Lost or stolen PDA or computers • Lost or stolen storage devices • Company insidersand …

  13. The Red Flag! • You have mail! • Checks • Bills • Account information • Pre-approved

  14. Dumpster Diving • Criminals engage in "dumpster diving" ­ going through your garbage cans or a communal dumpster or trash bin -- to obtain copies of your checks, credit card or bank statements, or other records that typically bear your name, address, and even your telephone number. • These types of records make it easier for criminals to get control over accounts in your name and assume your identity.

  15. Skimming • Thieves target account information embedded in ATM, debit and credit cards by breaking into or otherwise compromising the equipment and systems used for processing payments. • The California Bankers Association reported in 2005 that scammers had taken to attaching wireless video cameras to the front of ATMs in hopes of capturing your card number and PIN from a remote location.

  16. Phishing Schemes • Phishing is the act of tricking someone into giving out confidential information or tricking them into doing something that they normally wouldn’t do or shouldn’t do. • Gartner, a market-research firm, reports that in the 12 months ending in May 2005, phishers duped 2.4 million Americans into revealing personal info, costing victims, banks and credit card companies $929 million. • The volume of phishing e-mail has reached astounding levels at over 1.5 billion messages a day.

  17. Change of Address Scheme • Rerouting your mail is easier than you might think. • If you have bank or credit card accounts, you should be receiving monthly statements that list transactions for the most recent month or reporting period. • Check the Post Office for change of address cards on file. • If you're told that your statements are being mailed to another address that you haven't authorized, tell the Postmaster, financial institution, or credit card representatives immediately that you did not authorize the change of address and that someone may be improperly using your information.

  18. Pretexting • ID thieves just ask for your personal information. • In one common approach, they claim to be conducting a survey on behalf of your bank and ask questions designed to get your account number, date of birth, social security number, etc.

  19. Work-at-Home Swindle • The rise of Internet use brings more deceptive and misleading promotions, bogus travel offers, contests, lotteries, and other illegal practices on the Web. • Always use common sense. If you have a gut feeling that something is not legitimate, you’re probably right. • Make sure the company has a phone number and a physical address – not just a post office box or e-mail address.

  20. Pharming? • Maybe you've heard of "pharming," in which legitimate websites are hit with malicious computer code that steers those visiting them to look-alike sites. Data can then be harvested without a key being struck. In a twist, there's crimeware that instead attacks browsers (Internet Explorer, for one) and does its pharming from there.

  21. Unwanted Guests • Another ripe target for identity thieves: the wireless networks that more and more companies and individuals are setting up. • Failure to block access to these networks can allow prying eyes into your hard drive, where you may store financial information in programs like Quicken. • An unsecured wireless access point can open the door to more than just data theft. • Access into your company through mobile devices or gadgets.

  22. But Wait! There Is More • Fake Jury Duty Con • Medicare Fraud • "IRS" Phishing Scam • Internet Telephony Trickery • Grant Flimflams • Child Identity Theft • The Next Targets?

  23. Child Identity Theft • An estimated 400,000 children had their identities stolen in 2005. • Two-thirds of child ID thefts are perpetrated by family members. • Instruct your children NEVER to give out any personal information over the Internet, such as whole names, addresses, phone numbers, school names or photographs. • Instruct your children to tell you about -- and not respond to -- any messages they read that make them feel uncomfortable. • Order credit reports on your child from the three nationwide credit bureaus. The credit search should come up empty.

  24. Eavesdroppers and Snoopers • Eavesdroppers listen to your conversations without your knowledge. • Snoopers observe your computer screen or items on your desk without your knowledge. • Bluetooth technology may provide a speakerphone behind closed doors.

  25. The Next Targets • Homeland Security has warned that cell phones and other handhelds (like BlackBerrys) are becoming increasingly vulnerable to hackers and viruses. • Instant messaging (IM) is becoming a popular target. • More attacks on browsers with the intent of embedding crimeware on PCs. • Popular blogs and social networking sites like MySpace.com.

  26. Safeguard Your Information • Shred paperwork with personal information and financial documents before you discard them. • Don’t carry your Social Security card in your wallet or write your Social Security number on a check. Give it out only if absolutely necessary; you can always ask to use another identifier. • Don’t give out personal information on the phone, through the mail, or over the Internet unless you are sure who you are dealing with. • Never click on links sent in unsolicited emails; instead, type in a web address you know.  • Don’t use obvious passwords. Your mother’s maiden name, or the last four digits of your Social Security number – all are obvious passwords. • Keep your personal information in a secure place at home, especially if you have roommates, employ outside help, or are having work done in your house.

  27. Question • If someone has stolen information about your financial accounts, it’s best to wait for several weeks to see what they do with it before taking action? The answer is? • Your best first step is to contact your credit card companies and close your accounts. Also, talk with your bank about whether to close other accounts or take other steps.

  28. Question • One of the best ways to protect your identity is by using online passwords only you would know – like your mother’s maiden name or the last four digits of your Social Security Number? The answer is? • This is an incorrect statement. Crooks can often find this type of information about you … and then, it’s “so long, identity!” It’s better to use random numbers and letters, and commit them to memory.

  29. Question • If the stolen information includes your Social Security Number, you can place an “initial fraud alert” by calling one of the three nationwide consumer reporting companies? The answer is? • Correct! Placing such an alert can help stop someone from opening new credit accounts in your name.

  30. Question • If someone has stolen your identity, and then you notice you’re no longer receiving bills from creditors, this is a sign that your identity has been restored? The answer is? • No! If bills stop coming, it may be a sign that someone is still “hijacking” your identity, and changing the address your bills are being sent to.

  31. Question • The names of the three nationwide consumer reporting companies are Equinox, ExperiCorps, and TransAmerica? The answer is? • Good eye! The actual names are Equifax, Experian, and TransUnion. If you would like a free annual credit report, visit annualcreditreport.com.

  32. Question • Identity theft refers only to the theft of drivers’ licenses or name badges? The answer is? • While those are types of identity theft, the term refers to a broad variety of criminal misuses of your name, Social Security Number, and financial information.

  33. Question • My employer protects personally identifying information from hackers and other external threats. My identity is perfectly safe right? The answer is? • While reasonable controls may be in place protecting the corporate perimeter, the REAL threat comes from the “Trusted” employee with access and control of this information.

  34. Individual Quick Facts • Close compromised credit card accounts immediately. • If someone steals your social security number (SSN), contact one of the three nationwide consumer reporting agencies — Equifax, Experian, or TransUnion — and place an initial fraud alert on your credit reports. • Monitor your credit report. Keep in mind that fraudulent activity may not show up right away. • Consult with your financial institution about handling the effects on bank or brokerage accounts. • Contact relevant government agencies to cancel and replace any stolen drivers licenses or other identification documents, and to “flag” your file. • Watch for signs of identity theft: late or missing bills, receiving credit cards that you didn’t apply for, being denied credit or offered less favorable terms for no apparent reason, or getting contacted by debt collectors or others about purchases you didn’t make. It’s important to protect your personal information, and to take certain steps quickly to minimize the potential damage from identity theft if your information is accidentally disclosed or deliberately stolen:

  35. Tell Tale Signs • You are receiving credit cards that you didn't apply for. • You are being denied credit, or being offered less favorable credit terms, like a high interest rate, for no apparent reason. • You are getting calls or letters from debt collectors or businesses about merchandise or services you didn't buy.

  36. Here's What To Do • File a report with your local police or the police in the community where the identity theft took place. Get a copy of the report or at the very least, the number of the report, to submit to your creditors and others that may require proof of the crime. • Contact the fraud departments of any one of the three consumer reporting companies to place a fraud alert on your credit report. • Close the accounts that you know or believe have been tampered with or opened fraudulently. • File your complaint with the FTC. The FTC maintains a database of identity theft cases used by law enforcement agencies for investigations.

  37. Corporate concerns • Loss of productivity • Loss of intellectual property • Damage to reputation • Loss revenue • Executive responsibility • Legal implications • Damage to business

  38. Trusted agents • Attacks are perpetrated by people with trusted insider status. • Employees • Ex-employees • Contractors • Business partners • Insiders pose a far greater threat to organizations in terms of potential cost per occurrence and total potential cost than attacks mounted from outside.

  39. Insider threat motivators • Trust and physical access • Challenge • Curiosity • Revenge • Financial gain

  40. Inside Attackers Profile • Male • 17-60 years old • Holds a technical position (86% chance) • May or may not be married (50/50 chance) • Racially and ethnically diverse

  41. Additional statistics • In 92 percent of the incidents investigated, revenge was the primary motivator. • Sixty-two percent of the attacks were planned in advance. • Eighty percent exhibited suspicious or disruptive behavior to their colleagues or supervisors before the attack. • Only 43 percent had authorized access (by policy, not necessarily via system control). • Sixty-four percent used remote access to carry out the attack. • Most incidents required little technical sophistication.

  42. Data handled • Employee social security numbers • Employee salary data • Employee banking data • Employee health data • Customer credit card data • Customer banking data • Customer credit history data • Financial transactions • Corporate financial information

  43. Compliance implications • SOX - Sarbanes-Oxley • PCI – Payment Card Industry • HIPAA - Health Insurance Portability and Accountability Act • GLBA - Gramm-Leach Bliley Act • DOI – Department of Insurance • State specific regulations

  44. Current numbers • Internal attacks cost U.S. business $400 billion per year, according to a national fraud survey conducted by The Association of Certified Fraud Examiners. • $348 billion can be tied directly to privileged users.

  45. Organizational Quick Facts • Although white collar criminal charges are usually brought against individuals, corporations may also be subject to sanctions for these types of offenses. • Encourage open communication regarding issues of misconduct, and provide a confidential and anonymous mechanism for stakeholders to report fraud without fear of retaliation. • Be prepared to promptly review, assess, investigate and resolve reported issues. • Set policies and train stakeholders on important policies related to organizational risk. • Decide who will be notified about tips or incidents. It’s important to protect your customer’s and employee’s information, and to take certain steps quickly to minimize the potential damage from critical information if it is accidentally disclosed or deliberately stolen:

  46. 2005 Law Enforcement Contact

  47. Beating the Thieves • Install security software and stay current with the latest patches. • Always be suspicious of unsolicited e-mail. • Monitor the volume and origin of pop-up ads. A change may signal something sinister. • Visit the FBI's new Web site, lookstoogoodtobetrue.gov, for tips. • Use debit cards like credit cards, i.e., with a signature, not a PIN code. • If you live in one of the 20 states where it's possible, place a freeze on credit reports. This stops any credit activity in your name unless you specifically initiate it. • Keep an eye out for "skimmers" lurking in places where you use cards or keep customer credit information. • Enable encryption on wireless routers immediately upon setting up a home or corporate network. • Shop only on secure Web sites (look for the padlock or "https" in the address bar); use credit, not debit, cards; don't store your financial info in an "account" on the Web site. • Be mindful of the insider threat!

  48. Identity Triad – Recommended personal credit review cycle. http://www.experian.com http://www.equifax.com http://www.transunion.com T-1 = January, February, March, April T-2 = May, June, July, August T-3 = September, October, November, December

  49. Monitor Your Credit Report • Review and monitor your credit report! • Visit www.annualcreditreport.com to obtain your free credit report • Citi Credit Monitoring Service: http://www.creditmonitoring.citi.com • Credit Expert: http://www.creditexpert.com • Credit Manager: www.experian.com • www.transunion.com • www.equifax.com • If you suspect you are a victim place a fraud alert on your credit report.

  50. Michael D. Peters MBA, CISSP Director of Security Services Lazarus Alliance Inc. About Michael • Michael is a founding member of Lazarus Alliance Incorporated. He has more than 20 years of networking and system development experience. He is an MBA, CISSP and is certified in several products which include Sun Microsystems UNIX. • More than 14 years of his experience has been devoted to information and network security for organizations from United States Defense, Healthcare, Software Development, Manufacturing, Transportation, Insurance, Communications, and Financial markets. • Michael received his MBA in Information Technology Management from Western Governors University. • He is the creator of "SafetyNET" which is a UNIX based intrusion prevention appliance suite available only from Lazarus Alliance. • The innovator behind the Holistic Operational Readiness Security Evaluation (HORSE) project and Wiki. • A contributing author to the Sun Microsystems BigAdmin community, Wikipedia, Snort.org, SANS.org, and The White Hat Encyclical. • Michael D. Peters is currently the President of the Kentuckiana chapter of the Information Systems Security Association (ISSA) and WGU Alumni InfoSec Forum Moderator. • Guest speaker on matters of security especially concerning compliance, auditing, investigation, and best practices for secure computing to various organizations, Public Radio, technical institutions, and in University classrooms.

More Related