ID Theft

And What You Can Do About It

Barry CaplinChief Information Security Officer

Minnesota Department of Human Servicesbarry.caplin@state.mn.us

Slides on InfoLink

What we will cover

• What is ID Theft?• How does it happen?• Facts, more facts• What to do if you are a victim?• How to protect yourself.• Questions.

Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain.

How Is It Done

• Shoulder Surfing - observation• Dumpster Diving• Mis-delivered or “public access” mail• Mailbox theft• Stolen purse, wallet, PDA, laptop• Social Engineering• Internet• By known or unknown thieves!

• ID Theft was not a federal crime until 1998• Not a high-tech crime - but technology helps• Not a new crime• Check Fraud

What Do “They” Want?

• Social Security number• Full Name• Bank Acct numbers• Credit Card numbers• Phone Calling Card numbers• Pre-approved Credit applications• Blank Checks• Other Identifying numbers or info

12/20/03 Associated Press

Cancer Patient Accused Of Stealing IdentitiesMan Apparently Used Identities To Purchase Phones

LANSING, Mich. -- A cancer patient was charged December 18 with stealing the identities of other patients at a Detroit hospital, the Associated Press reports.

The Michigan attorney general's office charged Frank James Horton, 36, with one count of obtaining the personal identity information with the intent to unlawfully use the information, and one count of obtaining phone services with the intent to avoid charges.

Horton, who has been a patient at Karmanos Cancer Institute in Detroit, is accused of taking the identities between August 2002 and July 2003 and using them to obtain cell phones and telephone land lines. There were nine victims; some had their identities stolen, and Horton attempted to steal others, authorities said.

The investigation is ongoing and may result in further charges.

The attorney general's office received a complaint from a family member of one of the victims sometime in late summer or early fall after the person noticed bills that seemed out of the ordinary. The hospital's security staff was then able to determine how the information was being taken once they knew the name of the patient involved.

The facility put new security measures in place to prevent future identity thefts, but a hospital spokesman wouldn't provide details. The attorney general's office spokesman said he didn't know what information Horton obtained from the other patients, but it was enough to establish a phone account.

Facts

• 9.9M victims in 2008 (up after 3 yr down-trend)

• Total fraud costs up ($48B US)• $496 consumer cost per incident (down 31%)

– Faster detection, lower fraud amount, quicker resolution

• $4849 mean fraud loss per victim

More Facts

• But… faster use of stolen info• Still more offline than online

– 43% lost/stolen wallets– 11% online– 13% “friendly theft”

More Facts

How your ID is being used:– New Account Fraud – credit cards, loans– Account Theft – ID misuse

What If...

If you think your Identity has been stolen…

• Contact one of the three major credit bureaus• Close suspect accounts• File a police report• File a complaint with the FTC

by phone and in writing!

(from the FTC website)

MN Law

Identity Theft Law – § 609.527, 2006-07• Defines penalties, restitution, reporting

Credit Freeze Law – SB 2002• No fees if report filed• Others $5 to place or change freeze• www.consumersunion.org/pdf/security/securityMN.pdf

What Can You Do?

What Can You Do?

Get your Credit Report• Look for, and correct, incorrect information• Three Credit Reporting Agencies:

– Equifax– Experian– TransUnion

• Other Credit alert services

Credit Reports

• Fair Credit Reporting Act (FCRA) provides for 1 free report from each of the 3 reporting agencies each 12 months.

• https://www.annualcreditreport.com/

Credit Reports

You are also entitled to a free copy of your credit report if you:

• Are unemployed and intend to apply for employment within 60 days.

• Are receiving public welfare assistance.

Credit Reports

You are also entitled to a free copy of your credit report if you:

• Believe your file contains inaccurate information due to fraud.

• Have had a denial of credit or insurance, within the past 60 days.

What Can You Do?

Look at your bills– Does the statement make sense?– Did you buy that? Did you shop there?– Did you not receive a bill for a card you own?– Did you receive a bill for a card you don’t own?

• Question it if something seems wrong.

What Can You Do?

Care with Credit Cards

• Separate credit cards– one just for use online

• Cut up old cards• ??? Don’t sign your cards - instead write

“please ask for picture ID”

What Can You Do?

Be Stingy with Personal Information

• “need to know”• don’t put SSN or other ID numbers on checks• phone or online request for your info - did

you make the call?

What Can You Do?

Shred it!• Credit card receipts• Utility and other bills• Unneeded medical forms• Pre-approved credit offers• anything else with ID numbers or personal

info

What Can You Do?

Weigh your Wallet (or Purse)• Don’t carry SS card or Birth Certificate

except when needed.• Carry only the cards you need.• Try to minimize the personal info - but use

common sense.• Know what’s in there

Do This!

Make a copy of, or write down the info from all the personal identifiers in your wallet/purse and put it in a safe place at home. If your wallet is stolen you’ll know who to contact.

What Can You Do?

Report Theft

• If something gets stolen, report it!– You need to know who to call!

• Timely reporting will help you later

What Can You Do?

Use care online• Don’t email personal information• Choose passwords without personal info• Use virus protection at home• Don’t “click here to unsubscribe” from spam

- it verifies to the spammer that you exist• Online shopping – reputable vendors• Delete doesn’t really delete

Phishing

Phishing

• Looks real, but rarely is• From a familiar business (not)• May threaten to close account, warn of fraud

or virus• Legitimate businesses will not ask for your

private info via email• Vishing

Phishing

Phishing

<IMG src="http://pics.ebaystatic.com/aw/pics/x.gif">

<P>Please sign in to your eBay account and update your billing information:<IMG src="http://pics.ebaystatic.com/aw/pics/x.gif">

<A href="http://www.account-info.ne1.net/"> http://signin.ebay.com/eBayISAPI.dll?SignIn&amp;ssPageName=h:h:sin:US" &gt;

Note: ne1.net is in Denmark

Phishing

<a href="http://update.llimited-service.com/images/SignOn.htm">

https://hb.affinityplus.org/SignOn.html</a>

Note: the domain llimited-service.com has been removed from the Internet!

What Can You Do?

ID Theft Insurance

• Does not prevent ID Theft!

• Does not cover theft expenses

• Covers out of pocket credit repair expenses

• May help with credit repair activities

• Included in some homeowner/renter policies

• Some consumer advocates say not worth the money

What Can You Do?

Be stingy with personal information• Online personal info can be removed by

request - yahoo.com, white pages, etc.• Facebook/Social Networking• IM (Instant Messaging/chat)• Close old, unused accounts• Opt-out and Do Not Call - see the info sheet

What Can You Do?

Watch your Postal mail

• Pick up new checks at the bank, don’t have them mailed.

• Don’t mail checks from home mailbox.• Pick up your mail promptly.

What Can You Do?

Know who’s listening or watching when...• Providing personal info over the phone.• Entering a PIN/password.• Writing down personal info/filling out

forms.

• You don’t need to be paranoid… just aware.

What Can You Do?

Don’t fall to Social Engineering• Email/phishing scams

• Phone call for money/donations, or join a list – check into it!

• Letter indicating something that is too good to be true…

What Can You Do?

You’ve done all that you can

but...

Hackers breach Heartland Payment credit card system

By Byron Acohido, USA TODAY, Feb. 2009

Heartland Payment Systems (HPY) on Tuesday disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants.

Tech security experts said the breach could set a record. Retail giant TJX lost 94 million customer records to hackers in 2007.

What Can You Do?

• Reduce – your Identity Exposure

• Record – monitor bills and credit reports

• Report – problems or suspected fraud

Discussion?