Identity Theft Electronic Intrusion & Scams To Get Your Money November 2010.
Uploaded by stuart-spencer
Identity Theft Electronic Intrusion & Scams To Get Your Money
November 2010
• Identity Theft is a crime in which an impostor obtains key pieces of personal identifying information such as Social Security numbers and driver's license numbers and uses them for their own personal gain. This is called ID Theft.
Worst Case Scenario
• Someone has stolen your identity and without your knowledge has… been married several times without any divorces, bought a home and is delinquent on payments, maxed out several credit cards in your name, subscribed to a kiddie porn site, purchased a car and been involved in a serious accident, gave your name on the police report, filed a false claim with the insurance company, applied for several years of bogus refunds from the IRS, asked for Social Security disability payments, made threats against the government and got you on the “no-fly” list.
How can your identity be stolen?
• There are many ways. Half of all identity theft victims have no idea how their identity was stolen.
• But from the other half who think they know how their identity was stolen, we can learn some valuable lessons.
• Many of the fears listed in the public press are not major causes of identity theft
If your Identity is stolen…
• The best single reference and guide for what you need to do is
• The Identity Theft Recovery Kit
• Free PDF download from www.spendonlife.com/idtheftkit
• I suggest you download a copy, print it out and store it somewhere you can find it.
Sources of identity theft in 2003 to 2006
• Online transactions – 1/3 of 1 %
• Garbage or dumpster diving – 1%
• Phishing – 3%
• Spyware on home computer – 5%
• Misuse of data in-store or in a telephone transaction – 7%
• Stolen mail – 8%
Sources of identity theft in 2003 to 2006
• Theft by an employee – 15%
• Someone in the home – 15%
• Loss of a purse, wallet, checkbook – 30%
• However, the percentages are changing with increasing incidents coming from phishing, spyware, and hacking into commercial computers.
Financial fraud comes in two categories
• Existing accounts which are compromised
– Protect yourself by examining your bank and credit card statements carefully each month for suspicious activity.
• Newly created financial accounts of which you are not aware.
– Protect yourself with free credit reports and/or a credit freeze.
Recent Headlines
• A special agent for the FBI announced the arrest of an employee for AIG who stole a computer server with the personal information for over 900,000 policy holders.
Facebook Accounts
• Stolen accounts of Facebook users are now on sale in high volume on the black market.
• iDefense tracked an effort to sell log-in data for 1.5 million Facebook accounts on several online criminal marketplaces.
• The offers were to sell bundles of 1,000 accounts with 10 or fewer friends for $25 and with more than 10 friends for $45.
• The case points to a significant expansion in the illicit market for social networking accounts.
• The Kneber botnet is a new form of malware which has so far infected over 74,000 computers worldwide and has attacked over 2,500 corporate accounts.
• The botnet extracts name, address, social security number, credit card number and other sensitive information stored on company computers.
• Merck & Co., Paramount Pictures, Juniper Networks and Cardinal Health are among some of the companies hit by the botnet.
• A woman exploited a loophole in D.C. tax office online systems to gain access to taxpayer accounts, establish herself as the owner of dozens of businesses and file returns on their behalf.
• Within 48 hours she was able to establish herself as the owner of the 76 businesses and gain access to their business accounts.
Who are these thieves?
• Organized Crime in the US, Russia & China
• Narcotics users - strong link to meth addicts
• Opportunists who see an opening
• Desperate people taking desperate actions
• Family members or someone close to you
Total security isn’t possible
• Your credit card number is stored in the computers of dozens of businesses, and even large businesses can’t keep out hackers.
• When you hand over your credit card to your waiter, everything needed for credit card ID theft is out of your sight for several minutes.
• Expect identity theft and be ready to react
Types of vulnerabilities
• Home computer – electronic access to your computer by viruses, worms, trojans, keystroke recorders, and other types of malware.
• Business computers – your information can be accessed by employees and hackers.
• Physical access to your financial information at home and while traveling.
Credit card records stored by companies with which you do business
• You have no way of determining how effective security is at Joe’s Online Books or Aunt Judy’s Fashion Boutique, or Pottery Barn, or Nordstrom's.
• Larger companies probably have better security, but they are also more lucrative targets.
What can I do?
• When ordering over the internet or the phone, one safeguard is to not leave behind your credit card number on the merchant’s computer.
• Alternative payment options such as PayPal, Bill Me Later, Checkout by Amazon, eBillme or Google Checkout do not leave behind your credit card data.
• Since the merchants never see your credit card number, they can’t store it.
“One Time Use” Credit Card Numbers (also called virtual or disposable numbers)
• Citibank, American Express, MBNA, and Discover have a service that provides a valid, acceptable credit card number which is linked to your real credit card number… but can only be used one time.
• If this “One Time Use” number is hacked from the merchant’s computer, it can’t be used.
Virtual Cards
• Not for ordering theatre tickets for pick up – they want to see the plastic card to confirm identity.
• Also not good for airline, hotel, or rental car reservations, where they want to see the plastic card.
• But for all other kinds of online purchases, they are an excellent option to prevent identity theft.
• They are also very useful for subscriptions that want to “auto-renew” each year unless you tell them not to. When they try to auto-renew you, the number won’t work.
How To Use A Virtual Credit Card after you enroll in the program
• Open the credit card program on your computer, enter your passwords, and get an image of a credit card on screen.
• The on-screen credit card has your name, an expiration date, and a 3-digit security code, just like a physical credit card would have.
Keep your credit card numbers out of business computers
• Some merchants will ask if you want your information retained on their computers
• Or, they will ask if you want your credit card number retained in their files.
• If you say “NO” you will have to give the information again next time you purchase from the site, but your credit card number will not be compromised if their computer gets hacked.
Physical Loss
• Don’t carry every credit card you own. If you lose your wallet or purse you will have to cancel all that were lost, leaving you with no credit cards for some period of time.
• Have your spouse carry different credit cards than the ones you carry. If one of you loses a wallet you will have to cancel those cards, but your spouse’s cards will still work.
• Notify your credit card company before traveling overseas and have the phone numbers to cancel the cards you do carry.
• Never write down PIN numbers and passwords and carry them in your wallet.
• Medicare cards still show Social Security number?
Debit Cards
• If your debit card is lost or stolen, report it immediately by phone then follow up with notification in writing. Federal law limits your liability to $50 if you report your loss promptly.
• Keep receipts and compare them with your bank statements, and immediately report any discrepancies.
Credit Cards
• If a thief gets his hands on your credit cards, not only can he use those to the maximum but he can also use the information on each one to create multiple new accounts in your name.
• As many identity theft victims already know, the damage that can be done once new accounts are opened in your name is far greater and takes far longer to rectify.
Physical Security
• Although locally there is not much identity theft from people sifting through trash, it can’t hurt to shred documents containing
– Bank account numbers
– Brokerage account numbers
– Your social security number
– Credit card offers
• When mailing checks, use a secure mailbox to mail them.
Physical Security
• Although it is not widely known, you are at some risk of identity theft by using large copiers at work or at locations like Kinko’s.
• Large commercial copiers have a hard drive that retains a copy of every document which is copied on the machine.
• Often these hard drives are not wiped clean before the copier is resold.
• Personal copiers at home are safer for making copies of your tax returns, etc.
Pre-approved credit card offers are a risk
• If you don’t want the three major credit bureaus selling your name to advertisers and credit card companies you can call 888-567-8688 and “opt out” for 2 years.
• Or, for an even wider net to remove junk mail - Google for “Stop My Junk Mail Now” from the Privacy Council
Physical Security
• When people are going to be in your home
– Lock up your wallet, credit cards, check book and financial documents in a file or drawer.
– Turn off, or password protect, your computer.
• Information theft often occurs from documents lying about in the home.
• It can be your housekeeper, your electrician, your neighbor, your nephew’s girlfriend, or someone close to you.
Identity Theft By Creating New Accounts
“Hello Mr. Smith, I’d like to talk to you about your unpaid bill with Mellon Bank”
• Often this is the first indication you have a problem… particularly if you don’t have an account with Mellon Bank.
• Someone may have taken out a credit card in your name and had the statements sent to a different address so you won’t find out about the existence of the card.
Unknown Credit Cards
• Because the statements demanding payment are mailed to another address you never receive them.
• When the bank finally turns over the delinquent account to a credit collection agency, they use your name and “former address” to track you down and call you.
• This type of identity theft is very hard to protect yourself against.
What you can do
• 3 times a year, get a free credit report from the 3 major credit rating agencies and look over the statement closely for any activity that seems suspicious.
• Enroll in a service that monitors these three agencies and sends you information about anything unusual occurring in your name.
FreeCreditReport.com IS NOT FREE
• Heavily advertised on TV, FreeCreditReport.com is very misleading in its name and advertising.
• The free credit reports which are provided under federal law are found only at AnnualCreditReport.com.
• FreeCreditReport.com will send you one “free credit report” but also signs you up for a $15 a month reporting service.
Identity Protection
• There are many companies now offering Identity Protection Services or Insurance for a monthly fee.
• These services may be of value but you need to research the offerings carefully
• One summary of these services can be found at http://www.nextadvisor.com/identity_theft_protection_services/compare.php
Suits over ID Theft Protection Claims Settled
• Mar 10, 2010: Lifelock Identity Theft Protection agreed to pay $12 million in fines by the FTC. It will no longer be able to make claims of absolute protection against identity theft.
• In a separate article it was revealed that the identity of the founder (who posted his social security number on a billboard in Times Square) has been stolen 13 times.
For Strong Protection Consider a “Credit Freeze”
• In California you have the right to instruct the three major credit agencies to not reveal any information about your credit status to anyone who inquires.
• If someone tries to open a credit card in your name, the card company will attempt to run a credit check, but they will be told they cannot have your information.
• Usually the card company will not issue a card if they cannot access your credit history.
Credit Freeze
• While you have the credit freeze in place you will have to temporarily lift the freeze if you want to
– Get a new credit card yourself
– Take out a mortgage
– Get a new car loan
– Be hired for a new job
– Open a new brokerage account
• All of these activities require a background credit check, which is blocked by the credit freeze.
• You can temporarily remove the freeze using a PIN.
• Fees are $10 ($5 for seniors) to freeze or unfreeze each bureau for each person.
Identity Theft Insurance
• In many instances of identity theft the personal time and effort required to refute the bogus claims are substantial (40+ hours).
• Most identity theft insurance policies do not reimburse you for financial losses beyond the $50 federal credit card limit, or for losses from your savings or checking accounts.
• Read some reviews of Identity Theft Insurance before you decide to sign up.
Identity Theft Insurance
• They may insure you against loss of time from work (not personal time) while solving the identity theft problem, postage, legal fees (if any), notary fees and other minor expenses, but not other financial losses.
• Some offer actual assistance in dealing with the problems caused by ID theft, others offer only advice.
What is a very common way for your confidential information to be compromised?
They ask… and you give them the information
This is known as “Phishing” (fishing for private information)
• The thieves trick you into believing they are someone else.
• They could claim to be
– Your bank
– The Internal Revenue Service
– Your credit card company’s fraud department
– The Census Bureau
– eBay, Amazon, the Police, anyone
Phishing Scams
• The imposter could contact you by phone, email, mail, or in person at your front door.
• They generally have an urgent reason you need to give them the information
– Your account will be closed otherwise
– You will be audited if you don’t respond
– Your name will be referred to a credit collection agency if you don’t verify our information.
On the phone
• If you receive a phone call from someone who wants to “confirm” information about you or your accounts, ask for their name, phone number and extension and say you will return their call. Often, if it is a scam they will hang up.
• If you do get a name and number, don’t call that number back. You still have no idea who you are talking to.
On the phone
• Instead, get a phone number from the back of your credit card, your monthly statement, the phone book, or from some other known reliable source.
• Call the known good number and ask for the fraud department. Tell them about the phone call and ask if they were trying to contact you.
Amazon Scam
Dear Amazon Customer,
You have received this email because we have reason to believe that your Amazon account has been recently compromised. In order to prevent an fraudulent activity from occurring we are required to open an investigation in this matter.
Your account is not suspended, but if in 36 hours after you receive this message your account is not confirmed we reserve the right to terminate your Amazon subscription.
To confirm your identity with us click the link below –
www.goingtomakemoneyonyou.com
IRS Scams
• One new scheme is an e-mail, purporting to be from the IRS, accusing the recipient of having underreported their income. The victim is asked to download an attachment that the sender claims is the relevant part of the victim's most recent tax return. Of course, the attachment is actually a virus.
• A similar scam relies on people's fear of an audit to get them to download a bogus information form. If the victim doesn't complete and return the form, the e-mailer, posing as an IRS representative, threatens to levy penalties and interest.
Other Scams
• Bogus Job Offers – Thieves will place fake employment ads and get you to fill out an application including your Social Security number, home address, work history, education history, and mother’s maiden name.
• File Sharing or Peer to Peer Software – the people accessing your music files may also have access to other files on your computer.
On the internet
• Emails are often used to lure you to a site that looks like a legitimate site but is not.
• When you click on a link in an email you have no idea who you are really in contact with. It may look like your Bank of America On-line Banking website…but it is an organized crime site in Russia.
• When you sign in with your name and password at the fake website, they have all they need and they can now loot your bank account.
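An added example (not part of the original presentation): a small Python check that flags links whose real host does not belong to the company an email claims to be from. It is run on the Amazon scam text shown earlier and on two constructed lookalike addresses; the `TRUSTED` table and the `.example` hosts are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: domains each brand genuinely uses for links.
TRUSTED = {
    "amazon": {"amazon.com"},
    "bank of america": {"bankofamerica.com"},
}

# Matches http(s) URLs and bare "www." links like the one in the scam email.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)


def link_host(url):
    """Return the host a browser would actually connect to for this link."""
    if "://" not in url:
        url = "http://" + url
    try:
        # .hostname drops any "user@" prefix, so "amazon.com@evil.example"
        # resolves to "evil.example", which is where the browser goes.
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def belongs_to(host, domain):
    """True only for the domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(text):
    """List (brand, link, real_host) for links that leave the claimed brand."""
    lowered = text.lower()
    brands = [b for b in TRUSTED if b in lowered]
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;)")
        host = link_host(url)
        for brand in brands:
            if not any(belongs_to(host, d) for d in TRUSTED[brand]):
                findings.append((brand, url, host))
    return findings


# Abridged from the Amazon scam email shown on this page.
PAGE_SAMPLE = (
    "Dear Amazon Customer, ... To confirm your identity with us click "
    "the link below - www.goingtomakemoneyonyou.com"
)

# Constructed sample: one genuine link and two lookalike hosts.
CONSTRUCTED = (
    "Amazon notice: sign in at https://www.amazon.com/your-account or "
    "http://amazon.com.account-verify.example/signin or "
    "http://amazon.com@login.example/ today"
)

if __name__ == "__main__":
    for brand, url, host in suspicious_links(PAGE_SAMPLE + "\n" + CONSTRUCTED):
        print(f"claims to be {brand!r} but {url} really goes to {host}")
```

The genuine `www.amazon.com` link passes; the other three are flagged because the host the browser connects to is not under the company's own domain, whatever the visible text suggests.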
Online Banking Security
• Two-step verification is offered as an option by many online banks. An online banking customer can have a verification code sent to his or her mobile phone when a login attempt is initiated. In order to complete the login process successfully, the customer must supply the code sent to the mobile device in addition to a user name and password.
• Two-step verification is significantly more secure than a one-step log on (name and password), which can be compromised by keystroke recording malware.
Leaving your computer unprotected is like leaving your doors unlocked in a bad neighborhood.
The internet is a bad neighborhood and the bad guys are on the prowl.
Symantec Internet Security Threat Report of April 2010
• Attacks on Adobe PDF viewers represented 49% of all attacks, followed closely by attacks on Internet Explorer
• New Browser Vulnerabilities Identified – Mozilla Firefox 169, Apple Safari 94, MS Internet Explorer 45, Google Chrome 41, and Opera 25
• Even though it had fewer vulnerabilities than other web browsers, Internet Explorer was still the most frequently attacked. Attacks are related to market share and availability of exploit code.
• Of the 374 vulnerabilities identified in web browsers in 2009, 14% remain unpatched as of April 2010.
The bare minimum to protect your computer
• A security program configured for automatic updates and scans.
• Windows configured for automatic updates and installation.
• Don’t open (or even preview) emails from people you don’t know.
• Don’t click on links in emails, Facebook, or strange websites.
Additional Steps
• Don’t let your grandchildren have access to your computer. Their music downloading and file sharing activities are frequent sources of malware infections.
• Many infections are now being transmitted by clicking links in Facebook and other social interaction websites.
Why are Microsoft Updates Important?
• Your malware security programs check to see that the front door to your computer is locked.
• However, almost every week Microsoft finds out that a side door into your computer is unlocked and suggests you go lock it (download and install the security update).
YOU MUST DO BOTH
• Your antivirus cannot protect you if you do not install the Microsoft Windows updates.
Other things to do
• Keep your Adobe Reader updated, or…
• Use alternatives such as the free Foxit PDF Reader. Foxit seems to be more nimble in responding to PDF security threats than Adobe.
• Foxit PDF Reader 4.2 presents a warning message whenever an executable command embedded in a PDF document is run. Safe Mode (default setting) will disable the execution of all external commands.
Other things to do
• Instead of Internet Explorer, use less popular browsers like Firefox or Chrome. Although they also have vulnerabilities, fewer attacks are directed at them.
• You can have multiple browsers on your computer. They don’t interfere with each other.
Browser Block Rate for Socially Engineered Malware
• 2010 Test Results
– Internet Explorer blocked 85%
– Mozilla Firefox blocked 29%
– Apple Safari blocked 29%
– Google Chrome blocked 17%
– Opera blocked less than 1%
• Testing by NSS Labs Inc.
Use Protected Search Providers
• Google and Bing have features to help protect you from visiting malware downloading web sites
• Just seeing a bad web page is enough to become infected. You don’t have to click anything.
• These are known as “drive-by downloads”.
Malware Symptoms
• Some malware reveals itself: suspicious pop-ups, unwanted toolbars, redirects, strange search results, inability to access your security provider, computer suddenly running very slow, other unexpected behaviors.
• Some malware doesn’t reveal itself. It quietly steals information without letting you know.
• Be sure your computer is automatically scanning whether you have symptoms or not.
NSS Security Lab Testing 2010
• Malware protection products vary widely in their abilities. Nationally advertised products vary between 54% and 90% in effectiveness in detection and protection.
– Top rated was Trend Micro’s Titanium Maximum Security at 90.1%.
– However, last year it was 96.4% effective. The software isn’t getting worse; the threats are evolving at a rapid pace and are becoming more sophisticated.
NSS Security Testing
• Based on all factors, traditional web malware has between a 10% and a 45% chance of getting past your typical AV with a typical user.
• Software vulnerability exploits have a 25% to 97% chance of compromising the typical machine.
• Most exploits use openings that were previously patched, but the user hasn’t downloaded and installed the patch.
• Expect the use of exploits to increase because of their effectiveness.
What to do if you get infected
• If you get infected and you have a backup of your personal data you have two choices
– Try to remove the infection
– Reinstall Windows and reload your data
• If you do not have a backup you only have one choice
– Try to remove the infection
Backup Your Data
• I back up my data to an external hard drive with an automated program that records all changes to my files
• I also have “cloud backup” (Mozy and Carbonite are good choices) in case of fire or some type of problem with my local backup.
• This “belt and suspender” approach makes me more comfortable
The bad guys are winning!
• Unfortunately, most computers are going to become infected at some point.
• The most trustworthy fix is to reload your operating system, and then reload your application software, and then reload your data.
• This is a long, slow process.
• You can speed up the process if you have a spare external hard drive.
A clone drive to speed up recovering from an infection
• Set up your computer the way you like it, update all the security patches, install the software you like to use, and organize your data files the way you want. This is your base recovery point.
• Then use a program like Acronis True Image Home to make a clone of your drive. Continue creating backups of your changing data.
• When malware strikes, wipe the drive clean, install the cloned drive contents, run updates and reinstall your data from your backup.
• This is a much faster way to recover from infection
The Next Frontier For Identity Theft – Your Smart Phone
• Smart phones are just small handheld computers and they can be hacked just like other computers
• Mobile malware is still rare today, but…
• Hackers at Def Con Conference Exploit Android Bug
• JailbreakMe “the most advanced iPhone exploit ever published.”
Smartphone Security
• Many consumers are wary about how secure mobile banking is and yet some bypass data charges and access online banking via WiFi on their smartphones, which makes them susceptible to man-in-the-middle attacks and malware. Some consumers also delete cookies from their mobile phones, making this method of authentication unreliable. Because of these factors and others – and because criminals can often spoof authentication or seize control of banking sessions – layered security is needed for authentication on mobile devices.
In summary
• Check your statements carefully when they arrive
• Be careful revealing information
• Freeze your credit reporting
• Keep your credit card numbers out of as many computers as you can
• Minimize your wallet contents and don’t lose it
• Keep your computer protected and updated
• Back up your computer data so you have alternatives if you become infected with malware.
Action Steps If Your Identity Is Stolen
• Immediately contact by phone, and then follow up with a letter to
– Your financial institutions
– Your creditors
– All three major credit bureaus – put a fraud alert on your account.
– The police – ask them to file an identity theft report and get a copy of the report and report number
• Document and save all your actions
References & Help
• The Identity Theft Resource Center www.idtheftcenter.org
• Federal Trade Commission - Fighting Back Against Identity Theft www.ftc.gov/bcp/edu/microsites/idtheft/
• Google for “Stop My Junk Mail Now” from PrivacyCouncil.org
• Consumer Federation of America – Are ID Theft Services Worth The Cost? http://www.consumerfed.org/elements/www.consumerfed.org/file/id_theft_study_pr_3-18-09.pdf
• Use www.annualcreditreport.com. Don’t use www.freecreditreport.com
• Credit Freeze www.privacy.ca.gov/res/docs/pdf/cis10securityfreeze.pdf
• Symantec Global Internet Security Threat Report April 2010 http://www.symantec.com/business/theme.jsp?themeid=threatreport
• The Safest Browser http://www.pcmag.com/article2/0,2817,2351669,00.asp
• NSS Labs 2010 Testing http://nsslabs.com/browser-security
• Security Recommendations for IE 9 http://www.eweek.com/c/a/Security/Seven-IE-9-Security-Recommendations-for-Microsoft-496281/
• Business Copier Image Recording http://www.youtube.com/watch?v=iC38D5am7go
• Smartphone Security - https://www.javelinstrategy.com/news/pressroom