Social Security Numbers and Identity Theft Brett Coryell, Deputy CIO Emory University University...

Post on 24-Dec-2015


Social Security Numbers and Identity Theft

Brett Coryell, Deputy CIO Emory University

University Technology Services

introduction


Source: www.zanderinsurance.com

have you seen him?


Source: www.lifelock.com

Is this really a good idea? As far as I can tell, this is his real SSN. (Notice he recommends you not share yours, though.)

history


773-00-4327

Area
• Georgia 252-260
• also 667-665
• 700-728 for RR
• 772 is highest

Group
• unusual
• SSA has lists
• 252-260 are full

Serial
• given in order

Source: Wikipedia, Social Security Administration

theft

She left her card at the café …

Average take for identity theft is greater than the average bank robbery.

Source: AM New York; videos from various internet sites

financial impact


Source: Federal Trade Commission report; Privacy Rights Clearinghouse

These are estimates by victims of how much the thief got.

Median value = $500, per FTC study.

Other estimates come in closer to $5700 on average.

One published account is as high as $6400 on average.

financial impact


Source: Federal Trade Commission 2006 report on Identity Theft

Many but not all credit card victims incurred no out of pocket expense.

Other costs include:
• Time spent
• Harassment (collectors)
• Credit report fixes
• Loan rejection
• Banking problems
• Insurance problems
• Utilities cut off
• Criminal investigation (12%)

time


Source: Federal Trade Commission 2006 report on Identity Theft

30% reported spending less than 1 hour cleaning up.

Median time was 4 hours.

If you had a new account opened in your name, 60% spent more than 10 hours.

A study by the Privacy Rights Clearinghouse says average time was 25 hours in 2007.

who does this stuff?

The most common thief was someone they know.

Risk factors for victims:
• high income
• well educated
• woman
• single adult
• “more” kids

Source: Purdue University, Federal Trade Commission

who does this stuff?


Source: Federal Trade Commission 2006 report on Identity Theft

Emory


Legitimate and legal uses of social security numbers:
• Payroll / taxes
• Financial aid

Other protected data:
• Health information
• Student records

Some departments have reduced or eliminated their non-essential use of SSN.

get geeky

Firewall? Like that could stop me …

Actually, yes, quite often it does. It’s not always intruders we’re worried about, though.

Source: AM New York; videos from various internet sites

protection


[Diagram labels: SciQuest, Fin, HR, OPUS, Shadow]

This diagram is a somewhat idealized version of our systems.

Emory does have some good practices and policies in place. Access to SSN in the warehouse is limited. Bypassing the warehouse or using SSN as an identifier creates risk.

Areas of concern:
• Printed reports
• Emory Card
• Local vendors
• File transfers
• Shadow databases
• Desktops and laptops

be on the lookout


remember him?


Source: www.lifelock.com; Indiana Code

Is this a felony? No, but consider this section of Indiana law:

You must “… disclose a breach … following discovery … [that] any state resident[’s] … unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.”

the law


1. Right to Privacy Act (1974)
a) Prevents state agencies (usually) from requiring your SSN
b) Does not prevent employers from asking for it.

2. Georgia code (10-1-393.8): a person, firm, or corporation shall not
a) Intentionally communicate any person’s SSN
b) Require a person to transmit SSN over the Internet unless the connection is secure and the SSN is encrypted.
c) Require an SSN to access a website unless a password or PIN is also used

3. Exceptions for state and federal law, setting up and deleting accounts, applications, enrollments, checking accuracy of SSNs, etc.

4. No burden on “interactive computer service providers” and telcos to monitor.

5. Georgia code (10-1-912) requires notification if we discover a breach of security that leads us to reasonably believe that unencrypted data was seen by an unauthorized person. Extra notice if we go over 10,000 people.

enough Larry

Enough Larry for everyone?

What do you actually do if Larry’s got your number?

Source: AM New York; videos from various internet sites

digital citizen

Computer
• Use strong passwords
• Watch for phishing (ask me)
• Run spyware and antivirus
• Look for secure checkouts
• Use a software based firewall

Personal
• Be stingy with your info
• Check your credit reports
• Watch your bank accounts
• Don’t carry your SSN card
• Get, and use, a shredder

Extra credit (or paranoia)
• Use different credit card online
• Use two or more banks


digital citizen

In our community
• Adopt good trends
  • Biometrics
  • 2 factor authentication
• Challenge inappropriate use
  • With vendors
  • In our own systems
• Educate those around you


resources


FTC Website has videos, publications, and more.

resources


Consider Identity Theft insurance. You saw Lifelock. Here is another company. This one offers a counselor to help you with the paperwork.

anti-resource?


One of several catchy commercials, this service is actually NOT free.

Offered by Experian.

resources


39 states plus DC have laws requiring credit freeze.

$10 to place, suspend, or remove freeze in Georgia.

resources


1. IRS, if tax ID theft: phishing@irs.gov

2. Social Security Administration – 800-269-0271
http://www.ssa.gov/ssnumber

3. U.S. Postal Inspectors, if USPS involved – 800-275-8777

4. State Department, if passport involved

5. If checks missing or involved
a) TeleCheck – 800-710-9898
b) Certegy, Inc. – 800-437-5120
c) International Check Services – 800-631-9656

6. If Emory’s private information is involved, discuss with your manager and Emory’s Chief Information Security Officer, Brad Sanford (Brad.Sanford@emory.edu)

Source: Purdue University

resources


1. Clark Howard (consumer advocate), for news and alerts
http://www.clarkhoward.com (see “Identity Theft” at bottom of home page)

2. For consumer activism, check publisher of Consumer Reports
http://www.financialprivacynow.org

3. Security freeze instructions:
Security Freeze Instructions for Equifax
Security Freeze Instructions for Experian
Security Freeze Instructions for TransUnion

4. Florida identity theft victim’s kit:
http://myfloridalegal.com/idkitprintable.pdf

Questions?


Appendix


IRS fraud


Source: www.yahoo.com, www.bankrate.com

Playing Flash HELP


This presentation has an Adobe Flash file (.swf) in it.

Playing Flash inside a presentation requires the Adobe Flash player to be installed and that the specific location of the file is in the Properties section. Be sure to copy the .swf file and modify the animation properties when you move this presentation to a new computer.

Details are in the speaker’s notes for this slide.

anti-resource?


New car

anti-resource?


Pirate commercial

bustier

Leather bustier

Source: AM New York; videos from various internet sites

motorcycles

Citibank motorcycles

Source: AM New York; videos from various internet sites