Identity TheftElectronic Intrusion &

Scams To Get Your Money

November 2010

• Identity Theft is a crime in which an impostor obtains key pieces of personal identifying information such as Social Security numbers and driver's license numbers and uses them for their own personal gain. This is called ID Theft.

Worst Case Scenario• Someone has stolen your identity and without your

knowledge has…. been married several times without any divorces, bought a home and is delinquent on payments, maxed out several credit cards in your name, subscribed to a kiddie porn site, purchased a car and been involved in a serious accident, gave your name on the police report, filed a false claim with the insurance company, applied for several years of bogus refunds from the IRS, asked for Social Security disability payments, made threats against the government and got you on the “no-fly” list.

How can your identity be stolen?

• There are many ways. Half of all identity theft victims have no idea how their identity was stolen.

• But from the other half who think they know how their identity was stolen, we can learn some valuable lessons.

• Many of the fears listed in the public press are not major causes of identity theft

If your Identity is stolen…

• The best single reference and guide for what you need to do is

• The Identity Theft Recovery Kit

• Free PDF download from www.spendonlife.com/idtheftkit

• I suggest you download a copy, print it out and store it somewhere you can find it.

Sources of identity theft in 2003 to 2006

• Online transactions – 1/3 of 1 %

• Garbage or dumpster diving – 1%

• Phishing – 3%

• Spyware on home computer 5%

• Misuse of data in-store or in a telephone transaction - 7%

• Stolen mail – 8%

Sources of identity theft in 2003 to 2006

• Theft by an employee – 15%

• Someone in the home – 15%

• Loss of a purse, wallet, checkbook – 30%

• However, the percentages are changing with increasing incidents coming from phishing, spyware, and hacking into commercial computers.

Financial fraud comes in two categories

• Existing accounts which are compromised– Protect yourself by examining your bank and

credit card statements carefully each month for suspicious activity.

• Newly created financial accounts of which you are not aware. – Protect yourself with free credit reports and/or

a credit freeze.

Recent Headlines

• A special agent for the FBI announced the arrest of an employee for AIG who stole a computer server with the personal information for over 900,000 policy holders.

Facebook Accounts

• Stolen accounts of Facebook users are now on sale in high volume on the black market.

• iDefense tracked an effort to sell log-in data for 1.5 million Facebook accounts on several online criminal marketplaces.

• The offers were to sell bundles of 1,000 accounts with 10 or fewer friends for $25 and with more than 10 friends for $45,

•  The case points to a significant expansion in the illicit market for social networking accounts

• The Kneber botnet, a new form of malware which has so far infected over 74,000 computers worldwide and has attacked over 2,500 corporate accounts.

• The botnet extracts name, address, social security number, credit card number and other sensitive information stored on company computers.

• Merck & Co., Paramount Pictures, Juniper Networks and Cardinal Health are among some of the companies hit by the botnet.

• A woman exploited a loophole in D.C. tax office online systems to gain access to taxpayer accounts, establish herself as the owner of dozens of businesses and filed returns on their behalf.

• Within 48 hours she was able to establish herself as the owner of the 76 businesses and gain access to their business accounts.

Who are these thieves?

• Organized Crime in the US, Russia & China

• Narcotics users - strong link to meth addicts

• Opportunists who see an opening

• Desperate people taking desperate actions

• Family members or someone close to you

Total security isn’t possible

• Your credit card number is stored in the computers of dozens of businesses, and even large businesses can’t keep out hackers.

• When you hand over your credit card to your waiter, everything needed for credit card ID theft is out of your sight for several minutes.

• Expect identity theft and be ready to react

Types of vulnerabilities

• Home Computer -Electronic access to your computer by virus, worms, trojans, keystroke recorders, and other types of malware.

• Business computers – your information can be accessed by employees and hackers.

• Physical access to your financial information at home and while traveling.

Credit card records stored by companies with which you do

business

• You have no way of determining how effective security is at Joe’s Online Books or Aunt Judy’s Fashion Boutique, or Pottery Barn, or Nordstrom's.

• Larger companies probably have better security, but they are also more lucrative targets.

What can I do?• When ordering over the internet or the phone, one

safeguard is to not leave behind your credit card number on the merchant’s computer.

• Alternative payment options such as PayPal, Bill Me Later, Checkout by Amazon, eBillme or Google Checkout do not leave behind your credit card data.

• Since the merchants never see your credit card number, they can’t store it.

“One Time Use”Credit Card Numbers

( also called virtual or disposable numbers)

• Citibank, American Express, MBNA, and Discover, have a service that provides a valid acceptable credit card number which is linked to your real credit card number……but can only be used one time

• If this “One Time Use” number is hacked from the merchants computer, it can’t be used.

Virtual Cards • Not for ordering theatre tickets for pick up– they

want to see the plastic card to confirm identity.• Also not good for airline, hotel, or rental car

reservations who want to see the plastic card.• But for all other kinds of online purchases, they

are an excellent option to prevent identity theft.• They are also very useful for subscriptions that

want to “auto-renew” your subscriptions each year unless you tell them not to. When they try to auto-renew you, the number won’t work.

How To Use A Virtual Credit Card after you

enroll in the program• Open the credit card program on your

computer, enter your passwords, and get an image of a credit card on screen.

• The screen credit card has your name, an expire date, and a 3 digit security code, just like a physical credit card would have

Keep your credit card numbers out of business computers

• Some merchants will ask if you want your information retained on their computers

• Or, they will ask if you want your credit card number retained in their files.

• If you say “NO” you will have to give the information again next time you purchase from the site, but your credit card number will not be compromised if their computer gets hacked.

Physical Loss• Don’t carry every credit card you own. If you lose your wallet

or purse you will have to cancel all that were lost, leaving you with no credit cards for some period of time.

• Have your spouse carry different credit cards than the ones you carry. If one of you lose a wallet you will have to cancel those cards, but your spouses’ cards will still work.

• Notify your credit card company before traveling overseas and have the phone numbers to cancel the cards you do carry.

• Never write down PIN numbers and passwords and carry them in your wallet.

• Medicare cards still show Social Security number?

Debit Cards

• If your debit card is lost or stolen, report it immediately by phone then follow up with notification in writing. Federal law limits your liability to $50 if you report your loss promptly.

• Keep receipts and compare them with your bank statements, and immediately report any discrepancies.

Credit Cards

• If a thief gets his hands on your credit cards, not only can he use those to the maximum but he can also use the information on each one to create multiple new accounts in your name. 

• As many identity theft victims already know, the damage that can be done once new accounts are opened in your name is far greater and takes far longer to rectify.

Physical Security

• Although locally there is not much identity theft from people sifting though trash, it can’t hurt to shred documents containing– Bank account numbers– Brokerage account numbers– Your social security number– Credit Card offers

• When mailing checks, use a secure mailbox to mail them.

Physical Security• Although it is not widely known, you are at

some risk of identity theft by using large copiers at work or at locations like Kinko’s

• Large commercial copiers have a hard drive that retains a copy of every document which is copied on the machine

• Often these hard drives are not wiped clean before the copier is resold.

• Personal copiers at home are safer for making copies of your tax returns, etc.

Pre-approved credit card offers are a risk

• If you don’t want the three major credit bureaus selling your name to advertisers and credit card companies you can call 888-567-8688 and “opt out” for 2 years.

• Or, for an even wider net to remove junk mail - Google for “Stop My Junk Mail Now” from the Privacy Council

Physical Security

• When people are going to be in your home– Lock up your wallet, credit cards, check book

and financial documents in a file or drawer.– Turn off, or password protect your computer

• Information theft often occurs from documents laying about in the home.

• It can be your housekeeper, your electrician, your neighbor, your nephews girlfriend, or someone close to you.

Identity Theft By Creating New Accounts

Hello Mr. Smith, I’d like to talk to you about your unpaid bill

with Mellon Bank

• Often this is the first indication you have a problem….particularly if you don’t have an account with Mellon Bank

• Someone may have taken out a credit card in your name and had the statements sent to a different address so you won’t find out about the existence of the card.

Unknown Credit Cards

• Because the statements demanding payment are mailed to another address you never receive them.

• When the bank finally turns over the delinquent account to a credit collection agency, they use your name and “former address” to track you down and call you.

• This type of identity theft is very hard to protect yourself against.

What you can do

• 3 times a year, get a free credit report from the 3 major credit rating agencies and look over the statement closely for any activity that seems suspicious.

• Enroll in a service that monitors these three agencies and sends you information about anything unusual occurring in your name.

Free Credit Report.com IS NOT FREE

• Heavily advertised on TV, FreeCreditReport.com is very misleading in it’s name and advertising.

• The free credit reports which are provided under federal law are found only at AnnualCreditReport.com

• Free Credit Reports.com will send you one “free credit report” but also signs you up for a $15 a month reporting service.

Identity Protection• There are many companies now offering

Identity Protection Services or Insurance for a monthly fee.

• These services may be of value but you need to research the offerings carefully

• One summary of these services can be found at http://www.nextadvisor.com/identity_theft_protection_services/compare.php

Suits over ID Theft Protection Claims Settled

• Mar 10, 2010 Lifelock Identity Theft Protection agreed to pay $12 million in fines by FTC. Will no longer be able to make claims of absolute protection against identity theft.

• In a separate article it was revealed the identity of the founder (who posted his social security number on a billboard in Times Square) has been stolen 13 times.

For Strong Protection Consider a “Credit Freeze”

• In California you have the right to instruct the three major credit agencies to not reveal any information about your credit status to anyone who inquires.

• If someone tries to open a credit card in your name, the card company will attempt to run a credit check, but they will be told they cannot have your information.

• Usually the card company will not issue a card if they cannot access your credit history.

Credit Freeze• While you have the credit freeze in place you will have to

temporarily lift the freeze if you want to – Get a new credit card yourself– Take out a mortgage– Get a new car loan– Be hired for a new job– Open a new brokerage account

• All of these activities require a background credit check which is blocked by the credit freeze

• You can temporarily remove the freeze using a PIN• Fees are $10 ($5 for seniors) to freeze or unfreeze each bureau

for each person.

Identity Theft Insurance

• In many instances of identity theft the personal time and effort required to refute the bogus claims are substantial (40 + hours)

• Most identity theft insurance policies do not reimburse you financial losses beyond the $50 federal credit card limit, or for losses from your savings or checking accounts.

• Read some reviews of Identity Theft Insurance before you decide to sign up.

Identity Theft Insurance

• They may insure you against loss of time from work (not personal time) while solving the identity theft problem, postage, legal fees (if any), notary fees and other minor expenses, but not other financial losses.

• Some offer actual assistance in dealing with the problems caused by ID theft, others offer only advice.

What is a very common way for your confidential

information to be compromised?

They ask….

and you give them the information

This is known as “Phishing”(fishing for private information)

• The thieves trick you into believing they are someone else.

• They could claim to be– Your bank– The Internal Revenue Service– Your credit card company’s fraud department– The Census Bureau– EBay, Amazon, the Police, anyone

Phishing Scams

• The imposter could contact you by phone, email, mail, or in person at your front door.

• They generally have an urgent reason you need to give them the information– Your account will be closed otherwise– You will be audited if you don’t respond– Your name will be referred to a credit

collection agency if you don’t verify our information.

On the phone

• If you receive a phone call from someone who wants to “confirm” information about you or your accounts.

• Ask for their name, phone number and extension and say you will return their call. Often, if it is a scam they will hang up.

• If you do get a name and number, don’t call that number back. You still have no idea who you are talking to.

On the phone• Instead, get a phone number from the

back of your credit card, your monthly statement, the phone book, or from some other known reliable source.

• Call the known good number and ask for the fraud department. Tell them about the phone call and ask if they were trying to contact you.

Amazon Scam

Dear Amazon Customer,You have received this email because we have

reason to believe that your Amazon account has been recently compromised. In order to prevent an fraudulent activity from occurring we are required to open an investigation in this matter.

Your account is not suspended, but if in 36 hours after you receive this message your account is not confirmed we reserve the right to terminate your Amazon subscription.

To confirm your identity with us click the link below –

www.goingtomakemoneyonyou.com

IRS Scams• One new scheme is an e-mail, purporting to be from

the IRS, accusing the recipient of having underreported their income. The victim is asked to download an attachment that the sender claims is the relevant part of the victim's most recent tax return. Of course, the attachment is actually a virus.

• A similar scam relies on people's fear of an audit to get them to download a bogus information form. If the victim doesn't complete and return the form, the e-mailer, posing as an IRS representative, threatens to levy penalties and interest.

Other Scams• Bogus Job Offers – Thieves will place fake

employment ads and get you to fill out an application including your Social Security number, home address, work history, education history, mothers maiden name.

• File Sharing or Peer to Peer Software – the people accessing your music files may also have access to other files on your computer.

On the internet• Emails are often used to lure you to a site that

looks like a legitimate site but is not.

• When you click on a link in an email you have no idea who you are really in contact with. It may look like your Bank of America On-line Banking website…but it is an organized crime site in Russia.

• When you sign in with your name and password at the fake website, they have all they need and they can now loot your bank account.

On line Banking Security• Two-step verification is offered as an option by

many online banks. An online banking customer can have a verification code sent to his or her mobile phone when a login attempt is initiated. In order to complete the login process successfully, the customer must supply the code sent to the mobile device in addition to a user name and password.

• The two-step is significantly more secure than just using a one-step log on (name and password) which can be compromised by keystroke recording malware.

Leaving your computer unprotected is like leaving

your doors unlocked in a bad neighborhood.

The internet is a bad neighborhood and the bad

guys are on the prowl.

Symantec Internet Security Threat Report of April 2010

• Attacks on Adobe PDF viewers represented 49% of all attacks, followed closely by attacks on Internet Explorer

• New Browser Vulnerabilities Identified – Mozilla Firefox 169, Apple Safari 94, MS Internet Explorer 45, Google Chrome 41, and Opera 25

• Even though it had lower vulnerabilities than other web browsers Internet Explorer was still the most frequently attacked. Attacks are related to market share and availability of exploit code.

• Of the 374 vulnerabilites identified in web browsers in 2009, 14% remain unpatched as of April 2010.

The bare minimum to protect your computer

• A security program configured for automatic updates and scans.

• Windows configured for automatic updates and installation.

• Don’t open (or even preview) emails from people you don’t know

• Don’t click on links in emails, facebook, or strange websites.

Additional Steps

• Don’t let your grandchildren have access to your computer. Their music downloading and file sharing activities are frequent sources of malware infections.

• Many infections are now being transmitted by clicking links in Facebook and other social interaction websites.

Why are Microsoft Updates Important

• Your malware security programs check to see that the front door to your computer is locked.

• However almost every week Microsoft finds out that a side door into your computer is unlocked and suggests you go lock it (download and install the security update)

YOU MUST DO BOTH

• Your antivirus cannot protect you if you do not install the Microsoft Windows updates.

Other things to do• Keep your Adobe Reader updated, or…. • Use alternatives such as the free Foxit PDF Reader.

Foxit seems to be more nimble in responding to PDF security threats than Adobe.

• Foxit PDF Reader 4.2 presents a warning message whenever an executable command embedded in a PDF document is run. Safe Mode (default setting) will disable the execution of all external commands.

Other things to do• Instead of Internet Explorer, use less

popular browsers like Firefox or Chrome. Although they also have vulnerabilities, fewer attacks are directed at them.

• You can have multiple browsers on your computer. They don’t interfere with each other.

Browser Block Rate for Socially Engineered Malware

• 2010 Test Results– Internet Explorer blocked 85%– Mozilla Firefox blocked 29%– Apple Safari blocked 29%– Google Chrome blocked 17%– Opera blocked less than 1%

• Testing by NSS Labs Inc

Use Protected Search Providers

• Google and Bing have features to help protect you from visiting malware downloading web sites

• Just seeing a bad web page is enough to become infected. You don’t have to click anything.

• There are know as “drive-by downloads”

Malware Symptoms

• Some malware reveals itself - Suspicious pop-ups, unwanted toolbars, redirects, strange search results, inability to access your security provider, computer suddenly running very slow, other unexpected behaviors

• Some malware doesn’t reveal itself. It quietly steals information without letting you know

• Be sure your computer is automatically scanning whether you have symptoms or not.

NSS Security Lab Testing 2010

• Malware protection products vary widely in their abilities. Nationally advertised products vary between 54% and 90% in effectiveness in detection and protection – Top rated was Trend Micro’s Titanium

Maximum Security at 90.1%– However last year it was 96.4% effective. The

software isn’t getting worse, the threats are evolving at a rapid pace and are becoming more sophisticated.

NSS Security Testing• Based on all factors, traditional web malware

has between a 10% and a 45% chance of getting past your typical AV with a typical user.

• Software vulnerability exploits have a 25% to 97% chance of compromising the typical machine.

• Most exploits use openings that were previously patched, but the user hasn’t downloaded and installed the patch.

• Expect the use of exploits to increase because of their effectiveness.

What to do if you get infected

• If you get infected and you have backup of your personal data you have two choices– Try to remove the infection– Reinstall Windows and reload your data

• If you do not have backup you only have one choice– Try and remove the infection

Backup Your Data

• I back up my data to an external hard drive with an automated program that records all changes to my files

• I also have “cloud backup” (Mozy and Carbonite are good choices) in case of fire or some type of problem with my local backup.

• This “belt and suspender” approach makes me more comfortable

The bad guys are winning!

• Unfortunately, most computers are going to become infected at some point.

• The most trustworthy fix is to reload you operating system, and then reload your application software, and then reload your data.

• This is a long slow process.• You can speed up the process if you have a

spare external hard drive.

A clone drive to speed up recovering from an infection

• Set up your computer the way you like it, update all the security patches, install the software you like to use, and organize you data files the way you want. This is your base recovery point.

• Then use a program like Acronis True Image Home to make a clone of your drive. Continue creating backups of your changing data.

• When malware strikes, wipe the drive clean, install the cloned drive contents, run updates and reinstall your data from your backup.

• This is a much faster way to recover from infection

The Next Frontier For Identity Theft – Your Smart Phone

• Smart phones are just small handheld computers and they can be hacked just like other computers

• Mobile malware is still rare today, but…..

• Hackers at Def Con Conference Exploit Android Bug

• JailbreakMe “the most advanced iPhone exploit ever published.”

Smartphone Security

• Many consumers are wary about how secure mobile banking is and yet some bypass data charges and access online banking via WiFi on their smartphones, which makes them susceptible to man-in-the-middle attacks and malware. Some consumers also delete cookies from their mobile phones, making this method of authentication unreliable. Because of these factors and others – and because criminals can often spoof authentication or seize control of banking sessions – layered security is needed for authentication on mobile devices.

In summary• Check your statements carefully when they arrive• Be careful revealing information • Freeze your credit reporting• Keep your credit card numbers out of as many

computers as you can• Minimize your wallet contents and don’t lose it• Keep your computer protected and updated• Back up your computer data so you have

alternatives if you become infected with malware.

Action Steps If Your Identity Is Stolen

• Immediately contact by phone, and then follow up with a letter to -– Your financial institutions– Your creditors– All three major credit bureaus – put a fraud alert

on your account.– The police – ask them to file a identity theft report

and get a copy of the report and report number

• Document and save all your actions

References & Help• The Identity Theft Resource Center www.idtheftcenter.org

• Federal Trade Commission - Fighting Back Against Identity Theft www.ftc.gov/bcp/edu/microsites/idtheft/

• Google for “Stop My Junk Mail Now” from PrivacyCouncil.org

• Consumer Federation of America – Are ID Theft Services Worth The Cost? http://www.consumerfed.org/elements/www.consumerfed.org/file/id_theft_study_pr_3-18-09.pdf

• Use www.annualcreditreport.com. Don’t use www.freecreditreport.com

• Credit Freeze www.privacy.ca.gov/res/docs/pdf/cis10securityfreeze.pdf

• Symantec Global Internet Security Threat Report April 2010 http://www.symantec.com/business/theme.jsp?themeid=threatreport

• The Safest Browser http://www.pcmag.com/article2/0,2817,2351669,00.asp

• NSS Labs 2010 Testing http://nsslabs.com/browser-security

• Security Recommendations for IE 9 http://www.eweek.com/c/a/Security/Seven-IE-9-Security-Recommendations-for-Microsoft-496281/

• Business Copier Image Recording http://www.youtube.com/watch?v=iC38D5am7go

• Smartphone Security - https://www.javelinstrategy.com/news/pressroom