Protecting Your Identity
Date posted: 20-Dec-2015

What is IA?

• Committee on National Security Systems definition:

– Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.

• CIA model

– Confidentiality: prevent disclosure to unauthorized individuals or systems

– Integrity: Information cannot be modified without authorization

– Availability: Information must be accessible when needed

– Authentication: establishing information as authentic

– Non-repudiation: ensuring that a party cannot refute that information is genuine.

What is Identity Theft?

• Identity theft occurs when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes

• The FTC estimates that as many as 9 million Americans have their identities stolen each

• Typical identity theft crimes

– Rent an apartment

– Obtain a credit card or other types of debt

– Establish a telephone account

– Get various types of identifications in the victim’s name

– Steal financial assets

What is Identity Theft?

• Costs of Identity Theft

– Legal fees

– Exorbitant amount of time

– Lost job opportunities

– Denial of all types of financial resources

– False accusations, and potential arrests for crimes not committed

How Does it Occur?

• In most cases attackers need personally identifiable information (PII) or personal documents in order to impersonate the victim.

• Name, Address, DOB, Birthplace, License Number, Credit Card Number, SSN

• Where could an attacker find this information?

• Could you be an easy target?

Generation Stereotype

• Millennial Generation (Us)

– Users of instant communication technology

• Myspace, Twitter, Facebook, Text, IM, e-mail

– Tech savvy

• Video Games (PC, Xbox, Playstation)

• MMOs (Second Life, WOW, Lineage, Maple Story)

• P2P file sharing

• 90 percent own a computer in US

• Spend more time online than watching TV

• How much information about you is stored on somebody else’s servers?

• What methods of protection are in place?

Contemporary High Risk Areas

• On-line shopping

• Malware

• Credit Card Applications

– Online incentives

– In-person incentives

– Mail applications

• Physical Assets

– Laptops, cellphones, iPods...

– Wallet, purse, checkbook...

• Social Networking

• Online Gaming

• File sharing

Social Engineering

• The process of using social skills to convince people to reveal access credentials or other valuable information

• Common Social Engineering Techniques

– Confidence Trick

– Pretexting

– Baiting

– Quid Pro Quo

– Phishing

• Spear Phishing

• Whaling

• Phone Phishing

Phishing

• An attempt to obtain personal or financial information by using fraudulent means, usually by posing as a legitimate entity.

• Targets

– PII

• Methods

– Bank Account Credentials

– E-mail Login Credentials

– Social Networking Login Credentials

• Why?

Phishing Email Example

Phishing Logon Example

Phishing

• Phishing can take many forms:

– E-mails from websites or services you use frequently

– Bogus job offers

– They might appear to be from a friend or someone you know (Spear Phishing)

– They might ask you to call a number (Phone Phishing)

– They usually contain official-looking logos

– They usually link to phony websites that ask for personal information

– Physical Mail

Red Flags

• “Verify your account”

• “Click the link for account access”

• “If you don’t respond, your account will be suspended”

• “Suspicious activity alert”

• Pop ups

• Deceptive URLs

– www.mircosoft.com

– www.facesbook.com

– www.192.168.XX.XX/citibank.com/code.html

• Masked URLs
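
The deceptive-URL red flags above can be checked mechanically. The sketch below is an added example, not part of the original slides: it flags a host that is a bare IP address, a domain one edit or letter swap away from a known one, and a known brand name appearing outside the real domain (in the path, or as a subdomain of another site). The `KNOWN` list, the function names and the sample URLs are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed list of domains the user really deals with (illustrative only).
KNOWN = ["microsoft.com", "facebook.com", "citibank.com"]

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent-letter swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def site(host):
    # Naive registrable domain: last two labels (a real check needs the Public Suffix List).
    return ".".join(host.split(".")[-2:])

def red_flags(url, known=KNOWN):
    """Return the list of red flags raised by one URL."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").lower()
    bare = host[4:] if host.startswith("www.") else host
    flags = []
    try:
        ipaddress.ip_address(bare)
        flags.append("ip-address-host")
    except ValueError:
        pass
    dom = site(bare)
    for good in known:
        if dom == good:
            continue  # genuinely on this brand's domain
        if "ip-address-host" not in flags and osa_distance(dom, good) <= 1:
            flags.append(f"lookalike-of:{good}")
        if good in parts.path.lower() or good in bare:
            flags.append(f"brand-outside-domain:{good}")
    return flags

# Constructed samples modelled on the slide (192.0.2.10 is a documentation address).
SAMPLES = ["www.mircosoft.com", "www.facesbook.com",
           "http://www.192.0.2.10/citibank.com/code.html", "https://www.facebook.com/login"]

if __name__ == "__main__":
    print({u: red_flags(u) for u in SAMPLES})
```
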

Identity Theft

• What are other methods of stealing someone’s identity?

– Non-Technical

• Dumpster Diving (Storage Media and Documents)

• Skimming

• Pickpocketing/Theft

• Shoulder surfing

• Changing Mailing Address

– Technical

• Hacking

• Malware

• Password Cracking

• Packet sniffing

Prevention

• Shred all your important information

• Don’t access personal info in public places

• Use privacy screens when necessary

• Have your checks delivered to your bank

• Properly destroy storage media (hard drives, flash drives, CDs...)

Prevention

• Drop off payment checks at the post office

• Note when new credit cards are to be received

• Cancel old credit cards

• Use strong passwords

• Don’t post personally identifiable info on the internet.

• Install proper anti-malware software

Prevention

• Carry only necessary information with you

• Do not give out personal information unless necessary

• Monitor your accounts

• Order your credit report at least twice a year

• Know the site you are visiting (pay attention to URLs)

• Ensure PII info is encrypted (SSL, TLS)

Annual Credit Report

• Request your Credit Report Online

– https://www.annualcreditreport.com

• To Request your Credit Report by Phone

– Call 1-877-322-8228

• To Request your Credit Report by Mail

– Annual Credit Report Request Service
P.O. Box 105281
Atlanta, GA 30348-5281

Recovering From Identity Theft

• What are the steps I should take if I'm a victim of identity theft?

– Place a fraud alert on your credit reports, and review your credit reports

– Close the accounts that you know, or believe, have been tampered with or opened fraudulently

– File a complaint with the Federal Trade Commission

– File a report with your local police or the police in the community where the identity theft took place

Anti-Phishing Phil

http://wombatsecurity.com/antiphishing_phil/index.html

Questions