Personal Identity Theft in the Web-based Business World

Personal Identity Theft in the Web-based Business World Presenter – Rick Weatherspoon Xtreme Computing, LLC


Transcript of Personal Identity Theft in the Web-based Business World

Page 1: Personal Identity Theft in the Web-based Business World

Personal Identity Theft in the Web-based Business World

Presenter – Rick Weatherspoon

Xtreme Computing, LLC

Page 2: Personal Identity Theft in the Web-based Business World

23 May 2006

Agenda

• Definition of ID Theft
• ID Theft Statistics
• Business Losses
• Types of Web-based ID Theft
  – Hacking & Attacking
  – Phishing
  – WarXing/War Driving
• ID Theft Reporting
• Questions

Page 3: Personal Identity Theft in the Web-based Business World

Identity Theft Definition

• The Deliberate Assumption of Another Person's Identity, Usually to Gain Access to their Finances, or Frame Them for a Crime

Page 4: Personal Identity Theft in the Web-based Business World

ID Theft Statistics (National)

• Fastest Growing Crime in US

• U.S. Identity Fraud Crimes now total $52.6 Billion Annually *

• Per-Victim Total of $5,686

• Affects Roughly 9.3 Million Individuals in US Yearly

* Source – 2005 Study by Javelin Strategy & Research

Page 5: Personal Identity Theft in the Web-based Business World

ID Theft Statistics (State)

• 5,464 Complaints Filed in Washington State (2004)

• Washington State Ranks within the Top 10 (8th)

• Complaints Rose 20% More than in 2003

Page 6: Personal Identity Theft in the Web-based Business World

ID Theft Statistics (County)

[Chart: Fraud and Identity Theft, College Place & Walla Walla County, 2003–2006]

* Source – Walla Walla Police Department; May 2006

Page 7: Personal Identity Theft in the Web-based Business World

ID Theft Statistics (City)

[Chart: Fraud and Identity Theft, City of Walla Walla, 2002–2006]

* Source – Walla Walla Police Department; May 2006

Page 8: Personal Identity Theft in the Web-based Business World

Business Losses Due to ID Theft

• Between May 2004 and May 2005, 1.5 Million Computer Users Lost $929 Million on ONLY Phishing Scams

• US Businesses Lose an Estimated $2 Billion Per Year on Clients who are Victims

• Businesses Lose an Average of $4,800 per Victim *

*Source – Washington State AGO Identity Theft Advisory Panel; January 2006

Page 9: Personal Identity Theft in the Web-based Business World

Types of Web-based ID Theft

• Hacking & Attacking

• Phishing

• WarXing/War Driving

Page 10: Personal Identity Theft in the Web-based Business World

Web-based Hacking & Attacking

• Authentication Hacking
  – Browsing
  – Cookie Theft
  – Session Hijacking
  – Network Sniffers
  – Password Cracking
  – Dictionary Attacks
• Google Hacking
• SQL Injection
• Directory Traversal

Page 11: Personal Identity Theft in the Web-based Business World

Phishing

• Attempts to Fraudulently Acquire Sensitive Consumer Info Via False Web Pages, Emails, IMs, FAX, VOIP
• Term Arises from Using Sophisticated Lures to “Fish” for Consumer’s Financial Data & Passwords
• Recently Targeting Banks, Online Payment Services, IRS Letters
• Common Tricks Include Misspelled URLs, use of SubDomains, Altering Address Bars, Cross Site Scripting
• Recent Scam Left Voice Messages to Call Bank with Account & PIN Numbers over a VOIP Network
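
A defender-side check for three of the tricks listed above: misspelled URLs, a trusted name placed in a subdomain, and address-bar tricks that put a trusted name before the real host. This is an added example, not part of the original presentation; the allow-list, function names and sample URLs (reserved .example/.test names and a documentation IP) are constructed, and treating the last two labels as the registrable domain is a simplifying assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allow-list of registrable domains the organisation really uses.
TRUSTED = {"bank.example"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url, trusted=TRUSTED):
    """Return the phishing indicators found in the URL's authority part."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.username is not None:
        # http://trusted-name@real-host/ : the text before '@' is not the host
        findings.append("userinfo-before-host")
    try:
        ipaddress.ip_address(host)
        return findings + ["ip-literal-host"]
    except ValueError:
        pass
    labels = host.split(".")
    # Simplification: registrable domain = last two labels (no Public Suffix List).
    registrable, sub = ".".join(labels[-2:]), labels[:-2]
    if registrable in trusted:
        return findings
    for good in trusted:
        brand = good.split(".")[0]
        if any(brand in label for label in sub):
            findings.append("brand-in-subdomain")
        if 0 < edit_distance(registrable, good) <= 2:
            findings.append("lookalike-domain")
    return findings

if __name__ == "__main__":
    # Constructed sample links, one per trick.
    for u in ("https://www.bank.example/login", "http://www.bamk.example/login",
              "http://bank.example.verify-account.test/", "http://bank.example@198.51.100.7/"):
        print(u, check_link(u))
```
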

Page 12: Personal Identity Theft in the Web-based Business World

Citibank Phishing Email Example

Page 13: Personal Identity Theft in the Web-based Business World

Citibank Phishing Web Link

Page 14: Personal Identity Theft in the Web-based Business World

Citibank Phishing – User Garbled URL

Page 15: Personal Identity Theft in the Web-based Business World

Citibank Phishing – Invalid Credit Card Number

Page 16: Personal Identity Theft in the Web-based Business World

Citibank Phishing Source

• Search with Whois Utility:

IP : 219.148.0.0 - 219.148.159.255
netname: CHINATELECOM-he
descr: CHINANET hebei province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
mnt-by: MAINT-CHINANET
changed: [email protected] 20030820
source: APNIC

Page 17: Personal Identity Theft in the Web-based Business World

WarXing/War Driving

• Searching for Wireless Networks and Access Points by Moving Vehicle/Bike (WLAN, WiFi HotSpots)
• Captures Information Packets with WiFi-based equipment (Laptop/PDA)
• Software Freely Available to Monitor, Capture, and Analyze Clear Text and Encrypted Data (NetStumbler, AirSnort, WEPCracker, etc.)
• Majority of Wireless Networks Use Default Settings (SSIDs, Passwords, Encryption Keys, etc.)
• Legality of War Driving Not Clearly Defined in the US

Page 18: Personal Identity Theft in the Web-based Business World

Wireless Network Diagram

[Diagram labels: Internet, CSU/DSU Modem, Firewall, Server, Computer, Laptop, PDA, 802.11 WiFi AP, Rogue AP]

Page 19: Personal Identity Theft in the Web-based Business World

Reporting of ID Theft

• FBI/Internet Fraud Complaint Center
  – 1.800.251.3221
  – www.ifccfbi.gov
• Federal Trade Commission
  – 1.877.438.4338
  – www.consumer.gov/idtheft/
• Internet Crime Complaint Center
  – www.ic3.gov/complaint
• Washington State Attorney General
  – atg.wa.gov/consumer/idprivacy/index.shtml
• Walla Walla Police Department – Investigations
  – 509.527.4434

Page 20: Personal Identity Theft in the Web-based Business World

Questions?

www.xtremecomputing.us/briefings.html