Identity Theft: What Agencies Need to Know about the Threat...
Transcript of Identity Theft: What Agencies Need to Know about the Threat...
Moderated By:
Lafe Low
Custom Editorial Manager
FCW
Identity Theft: What Agencies Need to
Know about the Threat LandscapeSeptember 17, 2015
Sponsored by:
PRESENTERS
Lisa Schifferle
Attorney, Division of Consumer and Business Education
Federal Trade Commission
Eva Velasquez
CEO
Identity Theft Resource Center
Larry Benson
Author of Fraud of the Day, Director of Strategic Alliances
LexisNexis Risk Solutions
What We Will Cover
• Understanding Identity Theft in a New Way
– Scope of the problem
– CSN Databook Insights
– Classic view• Financial
• Utility
– Big picture – other types• Government or Employment
• Medical
• Criminal
• How Do Thieves Get Information?
• How Agencies Can Assist Id Theft & Data Breach Victims
• Resources
What is the FTC?
• The Federal Trade Commission is a small, independent federal government agency
• The agency’s Bureau of Consumer
Protection (BCP) is one of the
nation’s consumer protection
agencies
• FTC operates Consumer
Sentinel complaints database
What is ITRC?
Based in San Diego, ITRC offers victim assistance,
training and enterprise consulting throughout the
United States. Operating as a non-profit, 501(c) (3)
corporation, the ITRC’s mission is to:
– Provide best-in class victim assistance at no charge to
consumers.
– Educate consumers, corporations, government agencies,
and other organizations on best practices for identity theft
and fraud detection, reduction and mitigation.
– Serve as a relevant national resource on consumer issues
related to cybersecurity, data breaches, social media,
fraud, scams, and other issues.
Scope of ID Theft Problem
• #1 consumer complaint to the FTC for 15 consecutive
years (2000 to 2014)
• 13% of the total consumer complaints for 2014 were
related to identity theft
Source: Federal Trade Commission’s 2014 Consumer Sentinel
Network Data Book
Scope of the Problem
• $16 billion stolen from
12.7 million victims
according to Javelin
Strategy & Research
How Victims’ Information is Misused(based on 2014 Consumer Sentinel Data)
0.0%
10.0%
20.0%
30.0%
40.0%
50.0%
60.0%20
03
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
Figure 1: How Victims' Information is Misused2003 to 2014
GovernmentDocuments BenefitsFraud
Total Financial
Phone or Utilities Fraud
Employment-RelatedFraud
Not represented in this chart is the FTC’s category identified as “other identity theft”
which includes, but is not limited to, such sub-categories as uncertain (11.2%),
miscellaneous (3.3%), medical (1.0%), and evading the law (0.9%).
Identity Theft: Classic View
Identity theft is when someone wrongfully obtains and
uses another person's personal data in some way that
involves fraud or deception, typically for economic gain.
For example:
• New lines of credit, loans, and mortgages
• Existing account takeover, checking/debit fraud
• Tenancy and utilities
Financial Identity Theft
Order Credit Reports
Equifax
Experian
TransUnion
Contact Creditors /
Merchants / Collection
Agencies
Submit paperwork:
Police Report
Affidavit
Supporting
Documentation
File police report
for identity theft
Request copy of
incident report
Creditors
report to
CRAs to
remove
accounts
Clearing Fraudulent Utility Accounts
• Includes electric/gas/water, cable TV, cell phones, landlines, internet, and satellite TV
• Use procedure for clearing fraudulent financial accounts:
– Send blocking letter to CRAs if the account appears on victim’s credit report
– Send dispute letter and request for business records to utility provider
Identity Theft: The Big Picture
Identity theft also occurs when an imposter gains access
to personal identifying information and uses it for:
Government Identity Theft• Government Documents or Benefits Fraud
(Tax- or Wage-related Fraud)
• Fraudulent documents (i.e. DMV)
• Usually discovered through IRS notice or denial of public benefits
Job-related/Employment identity theft• Use of personal identifying information to obtain or retain employment
• Conceal true identity from others who perform background checks
• Avoidance of child support
• Immigration issues
Tax- or Wage-Related Fraud
Contact IRS Identity
Protection Unit
Contact SSA; remove fraudulent earnings
SSA Form 7050
SSA Form 7008
File a Police Report for Identity Theft
Obtain copy of
incident report
File IRS Form 14039
Then…
Contact Revenue Department
State where employment services rendered
Not every U.S.
state requires
state tax filings
Employment Identity Theft
Obtain copy of incident report
File a Police Report for Identity Theft
Contact
Social Security Administration (SSA)
Contact Department of Revenue where
employment services were rendered
Remove Fraudulent Earnings
File SSA Form 7008
Notify IRS Identity Protection
Specialized Unit
May need to file IRS Form 14039
Request Earnings Statement Report
SSA Form 7050
Work with ID
theft
coordinator, if
affected
What to Do if You are a Victim
• Get a copy of your earnings record from SSA
• Mark impostor activity, provide supporting documentation, request corrected statement
• Provide corrected earnings statement and supporting documents to IRS
• Request that your SSN be flagged
• IRS Identity Protection Specialized Unit: 800-908-4490
Identity Theft: The Big Picture
Identity theft also occurs when an imposter gains access to personal
identifying information and uses it for:
Medical identity theft
– Occurs when a thief uses another’s identity or health
insurance to receive care
– Dangerous because thief’s medical records become merged
with victim’s records
– May be difficult to remedy because of HIPAA concerns
Medical Identity Theft
Contact Medicare/
MedicalReport Fraud to
Medicare Fraud
800-447-8477
Submit paperwork:
Police report
Affidavit
Supporting Documents
File police report
for Identity Theft
Request copy of
incident report
Work with Medicare to
resolve issue
& contact any other
involved agencies
Obtain
Clearance
Letter
What to Do if You are a Victim
• Report theft to local law enforcement and get a copy of report.
• Request medical records from your regular provider as a baseline for comparison.
• Request your medical records and privacy policy from each provider that gave care to the thief. Important: Do not mention identity theft at this point.
• Review records and write providers who gave care to their requesting correction or segregation and flagging of records.
• Confirm that records have been corrected.
Identity Theft: The Big Picture
Identity theft also occurs when an imposter gains access
to personal identifying information and uses it for:
Criminal identity theft
o False information on background checks
o Fraudulent arrest records
o Fraudulent arrest warrants
Criminal Identity Theft
Obtain arrest record
Submit paperwork to
arresting agency
Request clearance letter from arresting
agency Request victim
name moved to
Alias (AKA), not
offender
Contact
Arresting Agency
Request copy of incident report
File police report for identity theft/ criminal
impersonation
Fingerprints,
biometric
information
may be
collected
Old-fashioned Techniques
• Lost or stolen wallets
• Theft by family or friends
• Dumpster diving – obtaining personal
information from the trash
• Stolen mail
• Buying it from a corrupt insider at a bank,
hotel, car rental agency, or other business
28
Data breaches
Outsider Theft
• A database where your personal information is on file
• A company that does not handle your financial data securely
Insider Theft
• An employee processes your purchase then steals the information
• Disgruntled or corrupt insider
• Once inside, often free to search and steal data
Hacking, or breaking into computer systems, occurs when intruders
find the weakest link:
• Vulnerable system
• Unsecured network
• Phishing
Data breach examples affecting government
• OPM breach
• Anthem breach
• Lost or stolen laptops
• Check out FTC’s “Start with Security” guide
Phishing and Malware
• Phishing: Sending authentic-looking but fraudulent e-mail designed to trick the respondent into giving out sensitive personal information.
• 9.2 million Americans were victims of phishing schemes in 2012
• Malware: refers to harmful or unwanted software that's installed on your computer without your knowledge. Once a computer has been compromised by malware, cyber criminals can attempt to access your personal information by logging your keystrokes or monitoring your computer’s activity.
Imposter scams = #3 complaint in Consumer Sentinel
• IRS Imposter Scams
• Other Government Imposter Scams
– Government employee receives phone call saying that someone from the FTC is calling to give them money as a result of the OPM data breach
• Phishing Scams sent to Government Emails
– Government employee receives email that appears to be from Human Resources asking him to send name, address, phone number, and bank account for direct deposit
Phishing - examples
35
• The act of copying electronically transmitted data on the
magnetic strip of a credit card, to enable valid electronic
payment authorization to occur between a merchant and the
issuing financial institution.
• Skimming devices are often difficult to detect
• Point of Sale (POS) locations which are vulnerable include
gas stations or other unattended locations such as ATM
machines
Skimming
What is IdentityTheft.gov?
• Federal government’s one-stop resource to help you report and recover from identity theft.
• Provides – detailed advice, such as
• Getting a credit report
• Getting an Identity Theft Affidavit
• Getting a police report
– easy-to-print checklists, and
– sample letters
First Steps
• Visit IdentityTheft.gov/databreach
• Take advantage of credit monitoring offer
• Check your credit report
– annualcreditreport.com
• Place a fraud alert
Next Steps –
depend on info exposed
• Next year, try to file your taxes early – before a scammer
can.
• Consider placing a credit freeze.
(1) Contact companies where fraud
occurred
• Contact fraud department, not customer service
• Instruct company to immediately close or freeze the
accounts that have been fraudulently opened or used
• Send written dispute including an Identity Theft
Affidavit
• Request closure letter from company describing
results of its actions
Fraud Alert vs. Credit Freeze
• One call
• Creditors must take
“reasonable steps” to
verify identity
• Less effective
• 90 days (renewable) or
7 years
• Write each bureau
• No one can apply for new
credit – must thaw the
report
• More effective
• Effective until thawed
• Possible fees
(3) Report to the FTC
• FTC provides Hotline Phone Counselors and Web-
based Consumer Guidance to help victims recover
• To file an ID Theft Complaint with the FTC:– www.ftc.gov/idtheft or 877-ID-THEFT
• ID Theft Complaint will generate and populate an “ID
Theft Affidavit” for victim’s use
• FTC does not take enforcement actions on behalf of
individuals
(4) File a Police Report
• Call the local police as soon as possible
• Request copy of official police report to create
Identity Theft Report
FTC Disclaimer
• Views expressed in by the FTC staff presenter are not
necessarily those of the Commission or any
Commissioners.
• Any answers to questions are the opinion of the staff
presenter and not the Commission’s or any
Commissioner’s.
The War Against Identity Theft and Identity FraudTrue Government Challenges and Ways to Combat It
Larry Benson, Author of Fraud of the Day &Director of Strategic Alliances, LexisNexis Risk Solutions
CA
M2
01
3
Government Issued Benefits and Payments
54
Recent data indicates more than half are currently receiving some kind of government assistance
Almost 40 million tax refunds worth nearly $125 billion were issued as of Feb. 20, 2015, according to the IRS
52%of Americans
have received government
benefits this year
Pew Research Center
166 Americans are receiving government assistance
million
Currently, more than half of all Americans are receiving benefits
(from at least one of the six best-known federal entitlement programs)
The War Against Identity Fraud
CA
M2
01
3
Why Government is Different than the Private Sector
55
•Government cannot choose its customers
•Government identity fraud does not show up on credit reports
•Bias is towards payment – speed of transaction – with as little friction to the citizen as possible
•Benefits and payments driven by legislative mandates
The War Against Identity Fraud
CA
M2
01
3
In Line: Building the Physical Foundation
56
Access to government services were in a physical location only, processes were manual
• Face-to-face interactions
• In-person verification and authentication
• All paper-based
• Benefits paid by check
• Identity fraud could still be perpetrated
Result:Moderate
security
High
cost
Low
convenience
The War Against Identity Fraud
CA
M2
01
3
Online: Reducing the Need for the Physical Location/In-Person Process
57
Transitioned from in line to online – limited the need for the physical location or in-person process
• Application to government benefits and payments online
• Increased efficiency for agencies, citizens
• Decreased processing time
• Security was assumed
• Offered good intentions, but increased identity fraud negatively impacts citizens
Goal:Security? Low
cost
High
convenience
The War Against Identity Fraud
CA
M2
01
3
Moving from Inline to Online: Costs Shift from Initial Intake to Back Office
58
Inline
Online
Intake Registration
• Cumbersome process with manual labor and paperwork
Eligibility Assessment
• Government worker individual case assessment
Payments & Recertification
• Administer payments after validation
Back Office
Back Office
Intake Registration
• Cost savings by automating enrollment process
Eligibility Assessment
• Government worker individual case assessment
Payments & Recertification
• Increased costs due to high level of fraud and administrative complaints
The War Against Identity Fraud
CA
M2
01
3
Reality: Delivered High Convenience…for Fraudsters
59
Low
security
High costHigh
convenience
While delivery costs decreased, the costs associated with identity fraud for both the government and citizen increased dramatically.
The War Against Identity Fraud
Welfare fraud cost the state millions of dollarsBy Tamara Sacharczyk
CA
M2
01
3
The Battle to Protect Identities Has Been Lost
60
We can still win the war on identity fraud
IDENTITIES TAKEN
145,000,000 eBay breach
80,000,000 Anthem breach
21,000,000+ Government breach
1,000,000 fingerprintsGovernment breach
827,000,000+ Record breaches since 2005
Doctor’s office
Job applications
Rental agreements
Home utilities
Insurance policies
IDENTITIES GIVEN
The War Against Identity Fraud
CA
M2
01
3
Protecting Against Identity Fraud
61
New Approach
• Go back to the “brick and mortar” mentality through ID-based technology
• Create a multi-layered authentication approach (i.e. Knowledge-Based/ID Quiz, ID Possession Based, ID Biometrics, ID Contextual/Geolocation Based, ID Analytics Based; Contributory Based)
• Integrate the traditional (public records) with government provided data sources; incorporating sophisticated algorithms
• Facilitate cross-jurisdictional information sharing
• Tie all of this together into a comprehensive solution
Traditional Approach
• Identity fraud is dynamic; traditional approach is static and fraud is only addressed after it occurs
• Increased impact on call centers/backend operations
• Issue goes well beyond credit monitoring – government program fraud does not show up on credit reports
• Need to intercept fraud before it occurs
The War Against Identity Fraud
CA
M2
01
3
Establishing a New Reality
62
Goal:
High security Low costHigh convenience
The War Against Identity Fraud
CA
M2
01
3
Thank You
63
Resources:
• IdentityGov – www.identitygov.com
•Fraud of the Day – www.fraudoftheday.com
• Identity Cross Checks• Known Association with Fraud
• Active in Programs Across States
Larry BensonAuthor of Fraud of the Day & Director of Strategic Alliances, LexisNexis Risk Solutions Phone: [email protected]
The War Against Identity Fraud