Identity Theft

Mike Carr, Esq., CISSP
CSN Information Security Officer
mcarr@nebraska.edu
September 2004

© 2003 Citibank, N.A. Used with permission.

We’ve all seen the commercials

…and read the headlines

• What exactly is it?
• How does it happen?
• What can we do to prevent it?
• What should I do if I am a victim?

• What exactly is it?
  – ID Theft is a form of fraud that occurs when…
    • Someone pretends to be you and…
    • You are billed for their purchases
    • You are arrested for their crimes
    • You are denied credit for not paying your (their) bills
    • You are accused of under-reporting your wages (someone gets a job & gives H/R your SSN)

• ID Theft is a federal crime
  – 18 U.S.C. §1708 – Mail theft or filing a false change-of-address

  – Identity Theft Act - 18 U.S.C. §1028
    • “to knowingly … use … identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law”

• ID Theft is also a state crime
  – Nebraska Revised Statutes
    • § 28-608: Criminal Impersonation
    • § 28-620: Unauthorized Use of a Financial Transaction Device
  – Iowa Code: § 715A.8: Identity Theft
  – Kansas Statute 21-4018: Identity Theft

• And it’s getting bad…
  – $47.5 Billion stolen in 2002
  – 9.9 million individuals affected
  – Avg 175 hrs spent straightening out
    • Taking between 2-4 years

• As recently as Aug 26…
  – US DOJ’s Operation Web Snare
  – June 1 through August 26
  – 150,000 victims
  – $215M estimated losses

• Operation Web Snare Indictments
  – Internet “sales” of phantom items
  – Credit card trafficking via Internet chat
  – Hacked into online ordering system and placed fraudulent orders

© 2003 Citibank, N.A. Used with permission.

• How does it happen?
  – Thieves get a SSN & apply for credit (“application fraud”)
  – Thieves steal mail and hijack an account (“account takeover”)
  – Thieves get bank routing & account numbers and transfer $$

• How does it happen?
  – Wallets & Purses get stolen
  – “Dumpster Diving” (taken from trash)
  – Mail Theft
    • from unsecured mailboxes
    • from mail processing areas
    • change of address card: new credit cards get re-directed to thieves

• How does it happen?
  – Papers left out on desks
  – Passwords written on Post-It Notes
  – PDAs & Laptops get lost or stolen

• How does it happen?
  – “Inside” jobs
    • access to computer applications
    • access to storage rooms
    • “friends”, ex-spouses
  – Obtained from Credit Bureaus
    • thief poses as landlord, etc.
    • credit headers containing SSN sold

• How does it happen?
  – SSNs, etc. get read from unencrypted eMail
  – “phishing” (bogus online forms)
  – PCs accessed via unsecured home wireless networks (war driving)
  – “trojan” computer viruses from eMail attachments or Peer-to-Peer file sharing

• What can we do?
  1. Try to prevent it from happening
  2. Discover it quickly if it does happen
  3. Report it if it happens

• Try to prevent it
  – Don’t give personal info unless you initiate the call
  – Buy and use a shredder (if realistic)
  – Don’t carry SSN card with you
  – Use a password vs. mother’s maiden name
  – Put outgoing mail in secured mailbox

• Try to prevent it
  – Keep wallet/purse in “safe” place at work
  – Opt out of pre-screened credit card offers (1-888-5-OPTOUT)
  – Password protect your PC and files
  – Keep your passwords secret
  – Only shop on secure websites
  – Don’t eMail personal or confidential information

• Try to prevent it
  – Use a personal firewall on your PC
  – Secure your wireless network at home
  – Watch out for “shoulder surfing”
  – Don’t put passwords on Post-It Notes
  – Watch out for future versions of camera phones (snapping pics of your checkbook, etc.)

• Try to prevent it
  – Follow the “Golden Rules of eMail”
    1. Never open attachments from strangers
    2. Never open from friends if unexpected
    3. If you are going to open it
       -- Never open directly – save 1st

• Detect it early
  – Call if bills don’t come on time
  – Review monthly statements
  – Write to get credit report
  – Review credit report annually
    • Look for new accts and
    • Denied accts where you didn’t apply

• And then report it (if it happens)
  – Contact credit bureau fraud depts
    • Close fraudulent or tampered accts
  – Contact credit card companies & banks
  – File a police and Postal Inspector report
    • get a copy to send to creditors
  – File an impersonation report
  – Contact Dept of Motor Vehicles

© 2003 Citibank, N.A. Used with permission.

• It’s “funny” until
  – It happens to you or
  – A mistake on your part allows it to happen to someone else
    • And the University gets sued
    • And/or . . . people lose their jobs because of it

More info available at

www.consumer.gov/idtheft and

www.idtheftcenter.org

csn.nebraska.edu/security