Identity Theft


Page 1: Identity Theft

Identity Theft

● Identity Theft
  ● It's a broad category including a wide range of identity-related crimes
  ● In modern usage, it is often related to identity-related crimes involving credit card fraud

Page 2: Identity Theft

Identity Theft

● Identity theft is not a new crime. It forms the basis of several of Shakespeare's comedies

● What distinguishes modern identity theft is the speed at which it happens

● The window of vulnerability for the thief is from when the false identity is used, to when the use is discovered. Today, a thief can exploit a vulnerability window only a few hours wide.

Page 3: Identity Theft

Identity Theft

● Examples of identity theft include
  ● Obtaining credit card information for someone else and then using it to order merchandise
  ● Obtaining identifying information from someone and using it to obtain a credit card or other credit, and using that to purchase product
  ● Stealing an identity to work in the US.
  ● Using stolen information to spoof email or web postings for the purpose of harming someone's reputation.

Page 4: Identity Theft

Obtaining the Information

● First, let's consider how information might be obtained.

● Computers are not the only source of vulnerability. Let's consider some others first

Page 5: Identity Theft

Obtaining the Information

● Dumpster diving
  ● General term for obtaining information from discarded paper.
  ● In the day, carbons from credit card receipts were a popular way to obtain information
  ● Discarded bank statements, ATM receipts, bills for goods or services, even restaurant tabs.
    ● Social Security numbers
    ● Driver's license information
    ● Credit card or bank account information

Page 6: Identity Theft

Obtaining Information

● People
  ● People with access to information can steal the information to use themselves, or for resale
    ● Sales people
    ● Law clerks, insurance people, DMV clerks
      Note: Many DMVs SELL info to companies. Not NY
    ● Bank employees
      One happened here recently
    ● Anyone who has access to your Social Security number, or credit card information

Page 7: Identity Theft

Obtaining Information

● Eavesdropping (non-electronic)
  ● Overhearing telephone conversations
  ● “Keytopping”, as information is entered in a public computer, or an ATM

Page 8: Identity Theft

Obtaining Information

● Note: Non-computer methods of obtaining information are slow, and relatively labor intensive.

● This makes manual identity theft less attractive than say, mugging, to a large percentage of the disaffected.

Page 9: Identity Theft

Obtaining Information (Computer)

● Phishing
  ● Phishing EXISTS to support identity theft. That is its purpose.
    ● It's mistaken to assume that the target is always credit card or account information
    ● Anything that the thief can use to impersonate you is valuable
      ● Social Security number
      ● Driver's license information
      ● Passwords and user ids

Page 10: Identity Theft

Obtaining Information (Computer)

Phishing is BY FAR the most common method used by identity thieves on the net.

It requires little expertise

The returns are high for small labor

Page 11: Identity Theft

Obtaining Information (Computer)

● Other Methods
  ● Intrusion
    ● Gain access to a system that contains user info, then download it.
    ● Plant a Trojan horse that searches for information, or logs keystrokes.
  ● Intrusion has a higher skill cost, but can yield information on thousands or even millions of individuals in a few minutes

Page 12: Identity Theft

Obtaining Information (Computer)

● Eavesdropping (includes keylogging)
  ● We have seen, it is possible to eavesdrop on traffic on a network
  ● We can also plant software to log keystrokes, or other communication on a client machine
  ● These are inefficient methods for theft
    ● It requires considerable skill
    ● We might have to listen to a lot of traffic to get a little useful information
    ● Listening to a client machine is likely to give us info on only the number of persons using that machine
  ● Lots of work, little payback

Page 13: Identity Theft

Obtaining Information (Computer)

● Removable Media
  ● Gives dishonest employees the ability to remove from the workplace large amounts of data for use or resale
  ● This is similar to the case of a sales clerk stealing carbons from credit card transactions
● Laptops
  ● When stolen can contain gigabytes of marketable data.
  ● There are many recent cases in the news.
● Again, laptop needs to belong to someone with access to interesting data.

Page 14: Identity Theft

Obtaining Information (Computer)

● Bottom Line
  ● The computer allows people to accumulate far more interesting data, far faster, and with far less effort
  ● It makes identity theft a very popular crime
    ● Over 700,000 cases last year.

Page 15: Identity Theft

Using the Data

● Once the thief has obtained your data, how may it be put to use?

Page 16: Identity Theft

Using the Data, (Bad Idea)

● Consider this
  ● The thief obtains your credit card data.
  ● An online or telephone purchase is made
  ● The thief has the goods shipped to his/her home

● What's the flaw here?

Page 17: Identity Theft

Using Data, (Bad Idea)

● If the purchase is detected as a fraud, the vendor has the address of the hacker on file

● Also, many small businesses, having been exposed to this kind of fraud, will not ship anywhere except the billing address.

● There are online clearing houses for addresses that will reship goods, for a fee.

Page 18: Identity Theft

Using Data, (Better Idea)

● Use data obtained to obtain a credit card, or line of credit.
  ● Associate your own address with the account.
  ● Bills come to your address, so it takes far longer to identify the fraud
    ● Owner of the identity is unaware that the card exists
  ● Shipping is no longer a problem
    ● The ship-to address is the billing address of the card

Page 19: Identity Theft

Using Data, (Better Idea)

● What's the problem here?

Page 20: Identity Theft

Using Data, (Better Idea)

● Again when the fraud is discovered, (it can take years in this case), the thief's address is available.

● Again, remailing drops are available. They have been part of the underclass landscape in this country since before Capone ruled in Chicago

Page 21: Identity Theft

Using Data, (Good Idea)

● Sell the data to someone else
  ● Lower profit
  ● Insulated from the dangers of using the data

Page 22: Identity Theft

Using Data, (Good Idea)

● There are information brokerage sites where information can be bought, sold and traded.
  ● This includes credit card info, other ID info and information on remailers and reshippers.
  ● Typically these are chat rooms or web forums that exist only for days, or even hours.
  ● Data can be disposed of minutes after it is obtained
  ● Current prices
    ● 40 cents for a CC number, 15 to 100 dollars for an identity.

Page 23: Identity Theft

Dateline Example

● The program Dateline aired a two part program, “To Catch an ID thief”. It is available on the Dateline website for viewing on your PC

● Example
  ● They obtained false credit cards from a firm
    ● The use of these numbers was tracked
  ● They made the numbers available on an information brokerage site.
  ● Within MINUTES, hundreds of purchases had been made

Page 24: Identity Theft

Dateline Example

● Note:
  ● How quickly the data was used
  ● A window of opportunity of an hour would still permit thousands of dollars of purchases
  ● Note: All the firms they bought from permitted them to ship to an address other than the billing address.
    ● There are actually firms that seem to specialize in selling to pirates – as there always have been.

Page 25: Identity Theft

Dateline Example

● Reshipper
  ● Dateline tracked several purchases. All reshippers.
● Dateline looked at two of them
  ● Both reshippers were people that had internet romances going
    ● They reshipped the goods at the request of their fiancés
    ● Both fiancés did not exist and were traced to internet cafes in Western Africa.
  ● Most purchases also shipped to Western Africa, where they were resold

Page 26: Identity Theft

Using Data, (Other)

● If userids and passwords are stolen, it's possible for the id thief to make use of them
  ● Accessing accounts (ex. email), to obtain other valuable information
  ● Intrusions on machines associated with the ids to mine information
  ● Impersonation of the holder of the id for malicious reason.

Page 27: Identity Theft

Using Data, (Other)

● Examples
  ● Sending email to your boss or friends
  ● Embarrassing politicians or celebrities by sending email to journalists
  ● Posting inflammatory or obscene material to blogs, or forums

Page 28: Identity Theft

Using Data, (Social Security Number)

● An undocumented individual can use your SSN to obtain work.
  ● Give your Social Security number as his/her own
  ● Use both your name and SSN for a more secure alter ego
● You cannot detect this until the IRS brings you in on suspicion of tax evasion
  ● You have omitted income on your tax form
  ● You have paid too little tax

Page 29: Identity Theft

Using Data, (SSN)

● Again, the burden of proof may be on you.
● Curious Note:
  ● SSN numbers are NOT unique
    ● They are recycled
    ● They are issued regionally
  ● Occasionally, mistakes are made and two people, both living, get the same number.
● Chaos reigns.

Page 30: Identity Theft

My Favourite Scam

● Two individuals reprogrammed an ATM machine and simply put it in a local mall
  ● The machine would accept the card and the PIN.
  ● Then print an error message and return the card
  ● It stored all the card information and PINs
● They retrieved the machine and extracted the data
  ● Burned credit cards (trivial by the way)
  ● Used cards and PINs to make withdrawals.

Page 31: Identity Theft

ID Theft – The Law

● Laws lag behind new kinds of crime
  ● ID theft laws are less than 10 years old
  ● They do not exist in all states
  ● They are incomplete
● New scams are created every day
● Some ID theft can be prosecuted under fraud laws, but not all

Page 32: Identity Theft

ID Theft – The Law

● In most cases, unlike other kinds of theft, the burden of proof is on the victim to prove that the crime occurred

● In many cases, law enforcement is reluctant to help
  ● They are not set up for cyber crime
  ● There may not be a crime as such

● The law on this changes constantly

Page 33: Identity Theft

Preventing ID Theft

● There is no certain way to prevent ID theft.
  ● Many elements are beyond your control
    ● How well vendors keep your data secured
    ● How honest people with access to your data are
      ● DMV
      ● Insurance or medical people
      ● Bankers
      ● NSA
      ● Etc.
    ● Security of the networks your data travels over

Page 34: Identity Theft

Preventing ID Theft

● Don't fall for phishing
  ● By far the most common attack
  ● Know the common scams
  ● Be wary of any request for information regardless of the source
  ● Keep your spam filters up
  ● This is the number one recommendation on all sites

Page 35: Identity Theft

Preventing ID theft

● Monitor your accounts for unusual activity
  ● Look for purchases
  ● Password or address changes
● Monitor your credit reports
  ● Obtain your credit reports frequently
    ● This will expose accounts and loans in your name
    ● It can help expose unusual activity on existing accounts

Page 36: Identity Theft

Preventing ID Theft

● Make purchases only on trusted sites.
  ● Your safety depends on how well they protect your data. Never forget that
● Read privacy policies
  ● I know they are long, boring and obscure
  ● You need to know where your data are going, or might go.
  ● Most vendors are opt-out, i.e. you have to tell them not to distribute your data

Page 37: Identity Theft

Preventing ID theft

● Secure your network
  ● Very true for wireless. Remember war drivers
  ● Use encryption whenever possible
    ● Don't send info to web sites that do not use encryption for sensitive info.
  ● Be aware of your browser's signal for secure web pages, and check it during transactions
  ● Hide behind NAT whenever possible.

Page 38: Identity Theft

Preventing ID Theft

● Don't put sensitive information on non-secure websites
  ● Myspace and Facebook come to mind
  ● Keep in mind that public sites are public and that your credit card information is not the only thing interesting to an identity thief

● If it appears on a credit card application, or a loan application, it should not be online

Page 39: Identity Theft

Preventing ID theft

● On secure websites (banks, PayPal, etc.)
  ● Use good passwords
  ● Do not use one password for several sites
  ● Use the optional security questions
    ● Can help if the password is changed on you
    ● Helps establish your identity

Page 40: Identity Theft

Prevent ID Theft

● On bank accounts and credit card accounts
  ● Set email alerts if possible
    ● Alert if overdrawn or nearly so
    ● Alert if purchase above a certain amount
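
The alert rules on this slide, combined with the warning signs from earlier slides (address or password changes, shipping to an address other than the billing address, many purchases within minutes), written as a small account-activity checker. This is an added example, not part of the original presentation; the record fields, thresholds and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not values from the slides.
LOW_BALANCE = 50.00                    # "overdrawn or nearly so"
LARGE_PURCHASE = 500.00                # "purchase above a certain amount"
BURST_COUNT = 3                        # this many purchases ...
BURST_WINDOW = timedelta(minutes=10)   # ... inside this window

def check_account(events, billing_address, balance):
    """Return a list of (timestamp, reason) alerts for one account."""
    alerts, recent = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = ev["time"]
        if ev["type"] in ("password_change", "address_change"):
            alerts.append((t, ev["type"]))
            continue
        # Every other event type is treated as a purchase.
        balance -= ev["amount"]
        if ev["amount"] > LARGE_PURCHASE:
            alerts.append((t, "large_purchase"))
        if ev.get("ship_to", billing_address) != billing_address:
            alerts.append((t, "ship_to_differs_from_billing"))
        if balance < 0:
            alerts.append((t, "overdrawn"))
        elif balance < LOW_BALANCE:
            alerts.append((t, "low_balance"))
        # Sliding window: keep only purchases made within BURST_WINDOW.
        recent = [r for r in recent if t - r <= BURST_WINDOW] + [t]
        if len(recent) >= BURST_COUNT:
            alerts.append((t, "purchase_burst"))
    return alerts

# Constructed sample activity for a single account.
T0 = datetime(2024, 1, 5, 9, 0)
SAMPLE_EVENTS = [
    {"type": "purchase", "time": T0, "amount": 42.10},
    {"type": "address_change", "time": T0 + timedelta(days=2)},
    {"type": "purchase", "time": T0 + timedelta(days=2, minutes=5),
     "amount": 620.00, "ship_to": "PO Box 9, Elsewhere"},
    {"type": "purchase", "time": T0 + timedelta(days=2, minutes=8),
     "amount": 310.00, "ship_to": "PO Box 9, Elsewhere"},
    {"type": "purchase", "time": T0 + timedelta(days=2, minutes=11),
     "amount": 95.00, "ship_to": "PO Box 9, Elsewhere"},
]

if __name__ == "__main__":
    for when, reason in check_account(SAMPLE_EVENTS, "12 Main St", 1000.00):
        print(when.isoformat(sep=" "), reason)
```
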

Page 41: Identity Theft

Prevent ID Theft

● In the Material World
  ● Shred everything
    ● Don't discard anything with useful information on it
    ● Don't keep anything with useful information in an unlocked place
  ● Be wary of anything with your Social Security number on it, like a badge.
  ● Guard your SSN like your first born child.
  ● Be wary of people looking over your shoulder
    ● Keytopping