Dr. Robert K. Minniti, DBA, CPA, CFE, Cr.FA, CVA, CFF, MAFF, CGMA, PI
President, Minniti CPA, LLC
Identity Theft
Dr. Robert K Minniti
DBA – Doctor of Business Administration
CPA – Certified Public Accountant
CFE – Certified Fraud Examiner
CrFA – Certified Forensic Accountant
CFF – Certified in Financial Forensics
CVA – Certified Valuation Analyst
MAFF – Master Analyst in Financial Forensics
CGMA – Chartered Global Management Accountant
PI – Licensed Private Investigator
Objectives
Upon completing this class you will be able to:
Recognize the various types of identity theft
Understand how criminals commit acts of tax refund identity fraud
Learn what you can do to help prevent identity theft
Fraud Triangle
Fraud Triangle Theory – Donald Cressey
To Quote William Shakespeare…
Good name, in man and woman, dear my lord / Is the immediate jewel of their souls: / Who steals my purse, steals trash; ’tis something, nothing; / ’Twas mine, ’tis his, and has been slave to thousands: / But he that filches from me my good name / Robs me of that which not enriches him / And makes me poor indeed. (Shakespeare, Othello, Act III, Scene III)
Identity Theft Is…
A crime that has increased in modern times
A crime that has become more profitable in modern times
A crime that is easier to commit because of the Internet
Identity Theft Defined
Identity theft is broadly defined as the use of one person’s identity or personally identifying information by another person without his or her permission. Identity theft is a type of fraud and can be committed against an individual or organization.
The federal criminal definition of identity theft is when someone “knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.” [18 USC §1028(a)(7)]
Identity Theft Timeline
Until 1996, identity theft was not recognized as a crime at the state level.
Arizona was the first state in the United States to pass laws against identity theft.
On May 10, 2006, President Bush issued Executive Order 13402 that established the Identity Theft Task Force.
In 2008, the Federal Trade Commission adopted the “Red Flag Rules.”
DISCUSSION QUESTION
Has the government done enough to help prevent identity theft? What else could be done?
Polling Question #1
True or False
There are 4 parts to the fraud triangle
Identity Theft & Fraud Statistics
CYBER FRAUD
Cyber Fraud is a term used for fraud that is committed using computers or over the internet
CYBER FRAUD IS GROWING
https://pdf.ic3.gov/2019_IC3Report.pdf
CYBER FRAUD VICTIMS
https://pdf.ic3.gov/2019_IC3Report.pdf
[Charts from the Consumer Sentinel Network Data Book, January – December 2019, and one chart from the January – December 2018 edition]
THE NEW GENERATION OF CYBER FRAUD
Cybercrime has its own social networks with escrow services.
Malware can be licensed and receive tech support.
You can rent botnets by the hour for your own crime spree.
Pay-for-play malware infection services have appeared that quickly create botnets.
A lively market for zero-day exploits (unknown software vulnerabilities) has been established.
https://www.knowbe4.com/
EXAMPLES OF EXPLOITS
"Meltdown" (CVE-2017-5754) is a flaw that lets ordinary applications cross the security boundaries enforced at chip level to protect access to the private contents of kernel memory in Intel chips produced over the last decade.
"Spectre" (CVE-2017-5753 and CVE-2017-5715), are more insidious and widespread, having been found in chips from AMD and ARM as well as Intel. Spectre could enable an attacker to bypass isolation among different applications.
https://www.knowbe4.com/
Polling Question #2
True or False
Cyber fraud cases in the US are decreasing
Types of Identity Theft
Criminal Identity Theft
Occurs when the perpetrator, who is using a stolen identity, is arrested for a crime.
Fraudsters use victims’ identities to open businesses and bank accounts and then process stolen checks and credit cards through these accounts.
Most individuals don’t find out about this type of identity theft until they are arrested for crimes they didn’t commit.
Medical Identity Theft
Uses the victim’s medical insurance.
Victim could find that he or she is uninsurable.
Issues in emergency rooms
Insurance Identity Theft
Auto insurance
Homeowners insurance
Life insurance
Business insurance
Malpractice insurance
E&O insurance
Child Identity Theft
Steals the identity of a person under legal age.
Often, children don’t find out about their identity being stolen until they apply for student loans or attempt to get a job.
Polling Question #3
True or False
Minors cannot be victims of identity theft
Professional Identity Theft
Steals the professional identity of another person.
Because professional licenses and license numbers are a matter of public record, it is relatively easy to commit this type of identity theft.
Business Identity Theft
Use the business name to obtain loans or credit.
Usually committed by insiders or current or former employees who had access to the business’ financial information.
Includes the use of spoofed or fraudulent websites to obtain personal information from victims.
Identity Theft
New Account Fraud
Uses the victim’s personal information to open new financial accounts.
Need to acquire the victim’s Social Security number to perpetrate this type of fraud.
Loan Application Fraud
Identity Theft
Account Takeover Fraud
Identity thief takes over a victim’s existing account.
Checking accounts are the easiest to take over. All that is needed is the bank routing number and account number, both of which can be found on the front of a victim’s checks.
Polling Question #4
True or False
It is easy to duplicate credit and debit cards
Duplicate Card Fraud
You can also duplicate the new chip cards
RFID Protection
Stolen Balance Transfer Checks
Criminals steal credit card statements from mailboxes. Many of these statements include balance transfer checks from the card issuer. The thieves then use these checks to obtain cash or merchandise. Because these are checks, the federal $50 limit on credit cards does not apply and the victim can be responsible for the loss.
Identity Theft
Debit Card Cracking
Criminals deposit fraudulent checks in your bank account and, when the bank makes the funds available, withdraw the funds using a debit card, leaving the account holder on the hook for the NSF checks.
Identity Cloning
Includes multiple forms of identity theft.
Individuals who are attempting to evade child support or creditors, running from the law, or otherwise attempting to conceal their true identity, clone the identity of the victim and use it openly in plain sight.
Polling Question #5
True or False
Identity thieves can steal your professional identity
Synthetic Identity Theft
Involves creating a fabricated identity, usually online.
Catfishing
Often involves using a real Social Security number that is then linked to the fabricated identity.
Identity Theft
Government Benefits Fraud
Applies for government benefits, such as Social Security or Medicare, in the name of the victim.
Includes individuals who continue to apply for and receive government benefits for deceased individuals.
Identity Theft
Government Documents Fraud
Obtains government documents, such as a driver’s license, Medicare card, Social Security card, or other document.
Documents have the name of the victim, but usually have the fraudster’s photo.
Identity Theft
Employment Fraud
Uses the victim’s name and Social Security number to obtain employment.
Often done because the perpetrator of the fraud is in the country illegally and needs legitimate documentation to obtain employment.
Identity Theft
Utility Fraud
Uses the victim’s personal information to open accounts with electric, gas, cable, phone, or other utility companies.
Bills are often sent to a fictitious address and left unpaid.
Identity Theft
Bankruptcy Fraud
The perpetrator files for bankruptcy under a stolen identity but includes debts incurred from other stolen identities in the bankruptcy in order to take advantage of the automatic stay.
Also used as a means to forestall a foreclosure.
Identity Theft
Stolen Identity Refund Fraud
Uses a taxpayer’s information to apply for refunds in the name of the victim.
Many times, false returns claim the Earned Income Tax Credit.
The IRS will send a refund based on the first return filed. Victims of this type of fraud usually find out when the IRS rejects their attempt to file their tax return electronically.
Polling Question #6
True or False
Employment fraud is uncommon in the U.S.
The IRS reported receiving as many as 5 million tax returns resulting from stolen identity refund fraud for the 2013 tax year
The IRS reported that fraudulent returns were filed claiming refunds in excess of $30 billion for the 2013 tax year
Tax Return Identity Theft
In 2013 the IRS prevented $24.2 Billion in fraudulent returns from being paid
The IRS acknowledged it paid $5.8 Billion in fraudulent returns in 2013
http://www.gao.gov/assets/670/667965.pdf
As of February 2016 the IRS identified 42,148 fraudulent tax returns claiming $227 million in fraudulent refunds
In February 2016 the IRS identified an additional 35,000 e-filed returns that could be fraudulent
As of February 29, 2016 the IRS confirmed there were 31,578 fraudulent returns with refunds issued that were a result of tax return identity fraud
Tax Return Identity Theft
https://www.treasury.gov/tigta/auditreports/2016reports/201640034fr.pdf
Tax Return Identity Theft
Case Examples:
Tampa FL - $100 million return fraud
Southern California – victimized multiple times
TurboTax – 2015 shutdown
Timetable to resolve 6 to 12 months
Tax Return Identity Theft
Businesses receive notices about:
• Amended Returns
• Fictitious employees
• Revised W-2s or 1099s
• Notices on closed businesses
Tax Return Identity Theft
New 1099-NEC
Must be filed with the IRS by January 31. No automatic extensions
The victim’s identity is used to obtain employment, usually by someone in the country illegally
The victim usually finds out about this type of fraud when they receive an audit notice from the IRS
Case Example – False W-2
Tax Return Identity Theft
Effects of Business Identity Theft
Criminals go after businesses as well as individuals
According to the IRS, tax refund fraud involving businesses has been increasing:
$268 million in 2016
$122 million in 2015
Over 10,000 identity theft returns for businesses had been discovered by June 1, 2017, a significant increase over the 4,000 cases discovered the previous year.
Polling Question #7
True or False
Criminals steal personal information to file false tax returns
How Criminals Steal Personal Information
Identity Theft
Mail Theft
One of the oldest methods
Variation - File a change of address form with the U.S. Post Office and have the victim’s mail rerouted to another address, usually to a mailbox store.
Identity Theft
Stolen Wallet or Purse
Usually contains a driver’s license, medical insurance cards, credit cards, union cards, business cards, and often Social Security and Medicare cards.
Identity Theft
Phishing
Used to gain personal information, such as usernames, passwords, Social Security numbers, and credit card numbers, for purposes of identity theft.
Often accomplished by using fraudulent e-mail messages that appear to come from legitimate businesses or government agencies.
Phishing Examples
Polling Question #8
True or False
Phishing is done using email
Identity Theft
Vishing
Personal information obtained over the phone
Call to inform individuals that they have won a prize but that they need to pay taxes or shipping fees to obtain the prize.
Fake a call from a local business where an individual shops to verify credit card information on a transaction.
VISHING
Vishing is similar to phishing but it occurs over the phone rather than over the internet.
Criminals try to obtain information or try to load malware on the victim’s computer.
IRS Vishing
Computer generated voice:
Hello. This call is officially a final notice from the IRS, Internal Revenue Service. The reason of this call is to inform you that IRS is filing lawsuit against you. To get more information about this case file, please call immediately on our department number 202-492-8816. I repeat 202-492-8816. Thank you.
VISHING
Mega Millions Jackpot
Human voice (heavily accented)
Yes this is _______, calling you from the Mega Millions limited. My reason to call your residence today is to let you know that you are a lucky recipient of 5.5 Million dollars and also a brand new 2015 Mercedes Benz. For further information, you need to contact the claims department at 1-876-354-53 zero-zero. That is 187635453 zero zero. As soon as you receive this message, I need you to give us a call. G-d bless you now and have a nice day.
VISHING
DISGUISING A VOICE
When criminals want to disguise their voices over the phone it is easy to do because there are numerous “Apps for that”
SMISHING
Smishing is similar to phishing and vishing but it is done using text messages rather than phone calls or email. Criminals try to obtain information or try to load malware on the victim’s computer.
SMISHING
Spoofing
Term used to describe fraudulent e-mail activity in which the sender’s address or other parts of the e-mail header are altered to appear as though the e-mail originated from a different source
Commonly used by spammers to hide the origin of an e-mail
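An added example, not part of the original presentation: a defensive check for the header alteration described above. It flags a message whose visible From address disagrees with its Return-Path or Reply-To domain, or whose display name shows a different e-mail address than the real one. The function names, finding labels, sample messages and `.test` domains are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Finds an e-mail address embedded in free text (used on the display name).
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def related(a, b):
    """True when the domains are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def spoofing_indicators(raw_message):
    """Return a list of header inconsistencies that suggest a spoofed sender."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if not from_domain:
        return ["from-unparsable"]

    findings = []
    # Return-Path is where bounces go; Reply-To is where the victim's answer goes.
    for header, label in (("Return-Path", "return-path-mismatch"),
                          ("Reply-To", "reply-to-mismatch")):
        other = domain_of(parseaddr(msg.get(header, ""))[1])
        if other and not related(from_domain, other):
            findings.append(label)

    # A display name that itself looks like an address from another domain
    # is a common way to make the sender appear to be someone else.
    shown = ADDR_IN_TEXT.search(display_name)
    if shown and not related(from_domain, shown.group(1).lower()):
        findings.append("display-name-address-mismatch")
    return findings


# Constructed sample messages (not real mail).
DISPLAY_NAME_SPOOF = (
    "Return-Path: <bounce@mail-notify.test>\n"
    'From: "support@examplebank.test" <alerts@mail-notify.test>\n'
    "Reply-To: <claims@payout-desk.test>\n"
    "Subject: Verify your account\n"
    "\n"
    "Please confirm your details.\n"
)
FORGED_FROM = (
    "Return-Path: <x91@mail-notify.test>\n"
    "From: Example Bank <support@examplebank.test>\n"
    "Subject: Verify your account\n"
    "\n"
    "Please confirm your details.\n"
)
CONSISTENT = (
    "Return-Path: <bounces@mail.examplebank.test>\n"
    "From: Example Bank <support@examplebank.test>\n"
    "Subject: Your statement is ready\n"
    "\n"
    "Log in to view it.\n"
)

if __name__ == "__main__":
    for name, raw in (("display-name spoof", DISPLAY_NAME_SPOOF),
                      ("forged From", FORGED_FROM),
                      ("consistent", CONSISTENT)):
        print(name, "->", spoofing_indicators(raw))
```

A mismatch is an indicator to review, not proof of fraud: legitimate bulk-mail services often send with a Return-Path on their own domain.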
SPOOFING EXAMPLE
https://www.knowbe4.com/
SPOOFING A PHONE NUMBER
https://www.spoofcard.com/apps
Polling Question #9
True or False
It is easy to spoof a phone number
Identity Theft
Piggy Backing
Fraudster calls you claiming there is an issue with your account
Fraudster then transfers you to the fraud department with a three-way call
Fraudster then listens in while you provide your personal information to your financial institution
Identity Theft
Pharming
A virus or malicious software is secretly loaded onto the victim’s computer and hijacks the web browser.
When the victim types in the address of a legitimate website, he or she is rerouted to a fictitious copy of the website without realizing it.
Identity Theft
Shoulder Surfing
Individuals access the Internet in public places.
The perpetrator can obtain credit card or other information typed into a laptop or PDA or provided verbally over the phone by standing nearby.
Information sent over public wireless networks can be intercepted.
Identity Theft
Social Media Data Mining
Uses social media websites to gather information on victims.
Considerable amounts of personal information posted on social media sites.
Friends and relatives inadvertently post the victim’s personal information on their social media sites.
Identity Theft
Obituary Surfing
Search the obituaries online and in local papers.
Less risk of being caught because there is often no one monitoring the credit and banking activities of the deceased individual.
Identity Theft
Free Public Wi-Fi
Set up free public Wi-Fi networks in airports, near hotels, and in other public places.
Information on victim’s computers and other electronic devices is hacked.
Can gain control of e-mail accounts, bank accounts, social media accounts, and so on.
Polling Question #10
True or False
Criminals use social media to gather information about victims
Finding Information on the Internet
Once a criminal gets your number, they can find all kinds of interesting information.
Watching Webcams
It is easy to watch unsecured webcams
Obtaining User Names & Passwords
DISCUSSION QUESTION
What information can be found in a search of public records?
CASE STUDY
This case study has three goals:
To provide you with skills and resources for conducting investigations of public records and information
To make you aware of just how much of your personal information is easily obtainable on the Internet.
To provide an example of how an identity thief can gather enough information to steal your identity.
Identity Theft
Malware in Charging Stations
One of the new methods of stealing information is to load malware into public charging stations. When the victim plugs in to a USB port to charge their mobile devices, malware is loaded onto their device while it is charging.
Identity Theft
Cell Phone Cloning
Devices allow a criminal to clone a smartphone if he or she can get within three feet of a phone that is turned on
Make a copy of all the information contained on the cell phone and use that information to steal the victim’s identity
Identity Theft
Hacking & Data Breaches
Steal personal information from government and business computers.
Employees copy the personal information contained on their employer’s computers and sell the information.
Polling Question #11
True or False
Vishing is done over the phone
http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html
Identity Theft
Pretexting
The perpetrator poses as a legitimate government official, corporate employee, or member of a legitimate business and calls victims asking for personal information.
Convince the victim that the information is needed to complete a transaction.
Convince the victim that someone is trying to access their account and that he or she needs to verify personal information to prevent a loss.
Identity Theft
Dumpster Diving
Search trash cans for documents that contain personal information.
Bank statements, credit card statements, and other financial information are sometimes found in the trash.
Identity Theft
Fraudulent Recruiter Scam
Retrieve the victims’ contact information from their online resumes and send them e-mails posing as recruiters.
Identity Theft
Fraudulent Employment Scam
Get the victim’s name and contact information from the posted resume and e-mail what appears to be a legitimate offer of employment.
Identity Theft
Internet Dating Scams
The perpetrator preys on lonely individuals by posing as “supermodel” potential boyfriends or girlfriends from outside the United States.
Ask for money to help clear passport issues in his or her home country so he or she can come to America and marry the love of his or her life.
Polling Question #12
True or False
Criminals will pose as recruiters to obtain your personal information
Identity Theft
Nigerian Government Letter
Pose as officials of the Nigerian government, or another government, and ask the victim for help in moving funds out of the country
Claim that they need to move the money to keep it from being confiscated
Identity Theft
Long Lost Relative
Pose as a barrister from England or another country and claim that the victim is the sole surviving relative of their deceased client
Tell the victim that he or she is inheriting a large sum of money as the only surviving heir of a rich relative
Identity Theft
Charity Frauds
Set up fake websites for nonexistent charities and then spam for victims.
Stories of victims of the California wildfires, Hurricane Katrina, and other natural disasters are posted on the website.
Identity Theft
Lottery Frauds
Send the victim an e-mail, which is usually spam or spoofed, informing the victim that he or she has won a large sum of money in a lottery.
The victim is told the lottery commission needs personal information to verify the funds are being sent to the correct winner.
Identity Theft
Corporate Prize Scam
Similar to the lottery scam, with the prize coming from a corporation or source other than a lottery
Claim that the victim’s e-mail address was selected to receive a prize and ask for personal information to verify the identity of the winner or complete tax forms on the prize won
Identity Theft
Skimming
Attaches a device to a machine that records the information on the card’s magnetic strip.
Information can be imprinted on other cards.
Miniature cameras used to capture the PINs entered by the victims.
Polling Question #13
True or False
Credit card skimmers copy information from credit cards
Identity Theft
Cell Phone Cameras
The perpetrator uses the camera on his or her cell phone to take photos of credit cards and checks belonging to customers who are standing in line ahead of them in retail establishments.
Can duplicate a check on a laser printer.
American Express cards are the most vulnerable to this type of theft because the 4-digit security code is on the front of the card.
Sockpuppets
COMPUTER GENERATED PHOTOS
https://petapixel.com/2018/12/17/these-portraits-were-made-by-ai-none-of-these-people-exist/
Polling Question #14
True or False
A sockpuppet is used to create a fake identity on the internet
Identity Theft
Fake Census Workers
Posing as U.S. Census personnel and asking for information that is misrepresented as being necessary for the census
Usually continue to ask questions until the victim starts to be hesitant or questions why the information is needed
Polling Question #15
True or False
Charging stations are always safe to use
Ransomware
Ransomware is placed on computers to encrypt your data until a ransom is paid for the decryption key
CryptoLocker is one example of ransomware.
CryptoWall 2.0 is one of the newer versions
The FBI estimates that ransomware is a $1 Billion a year fraud
http://money.cnn.com/2016/04/15/technology/ransomware-cyber-security/index.html?section=money_technology
RANSOMWARE
Scareware (Pop-ups)
PC Cyborg (1998)
TeslaCrypt (Gamers)
Locky (Email)
Wannacry (Windows flaw)
https://www.knowbe4.com/
CryptoLocker
Ransomware
RANSOMWARE ATTACKS EMAIL
https://www.knowbe4.com/
Ransomware
Typical ransomware software uses RSA 2048 encryption to encrypt files. Just to give you an idea of how strong this is, an average desktop computer is estimated to take around 6.4 quadrillion years to crack an RSA 2048 key.
https://www.knowbe4.com/
Polling Question #16
True or False
Ransomware encrypts the data on your computer
Data Breaches
The release or taking of data from a secure source to an unsecured third-party location (Computer).
Data Breaches
Outsiders – 62% of incidents
Insiders – 11% of incidents
Accidental loss – 25% of incidents
State sponsored – 2% of incidents
Data Breaches
The average cost of a data breach in 2019 was $3.92 million
Smaller data breaches with less than 10,000 records stolen cost an average of $2.2 million
Larger data breaches with more than 50,000 records stolen cost an average of $6.4 million
Note: The study only looked at data breaches where <100,000 records were stolen
2019 Cost of Data Breach Study: Global Analysis, Benchmark research sponsored by IBM, Independently conducted by Ponemon Institute LLC
Data Breaches
2018 Cost of Data Breach Study: Global Analysis, Benchmark research sponsored by IBM, Independently conducted by Ponemon Institute LLC
Data Breaches
Target
• Nov to Dec 2013
• Estimated 70,000,000 stolen debit and credit card numbers
• Including customer’s names, PIN Numbers, CVV codes, etc.
• Cost to Target could be in excess of $3.6 billion
Data Breaches
Home Depot
• September 2014
• Malware installed on computers at 2,200 Home Depot stores
• 56,000,000 records stolen
• Credit and debit card numbers stolen
Data Breaches
Anthem Blue Cross/Blue Shield
• Estimated 80,000,000 records stolen
• Customers’ names, dates of birth, member ID numbers, social security numbers, addresses, phone numbers, and other personal information
Data Breaches
AOL
• April 2014
• Estimated 50,000,000 stolen user IDs and Passwords
• Including customer’s names, birthdates and other personal information
• Information from users address books was also stolen
Data Breaches
Chase Bank
• July 2014
• Estimated 76,000,000 records stolen
• Customers’ names, addresses, phone numbers, and other personal information
Data Breaches
Adobe
• October 2013
• Estimated 38,000,000 stolen user IDs and Passwords
• Including customer’s names, credit card information and other personal information
Data Breaches
Veterans of Foreign Wars
• April 2014
• The office of The Veterans Of Foreign Wars Of The United States notified members that an unauthorized party accessed VFW's webserver through the use of a trojan and malicious code.
• The hacker, thought to be in China, was able to download tables containing the names, addresses, Social Security numbers of approximately 55,000 VFW members.
Data Breaches
Equifax
September 2017
Estimated 147 million consumers affected
Personal information contained in credit reports
Offering free credit freezes
Chief Information Officer, Jun Ying charged with insider trading for selling $1 million in stock after the breach was discovered but before the information was publicly disclosed
Data Breaches
Ashley Madison
• August 2015
• Estimated 36,000,000 records stolen
• Stolen data being used for phishing attacks and blackmail
Data Breaches
Green’s Accounting
• The office of Brent Green, CPA was burglarized on April 6, 2014; the burglars took a network server computer and hard drives containing personal information of their clients. Their server was unencrypted and contained Social Security numbers, names, and addresses of both individuals and their dependents.
Other Data Breaches
• StumbleUpon
• American Express
• Kaiser Permanente
• California DMV
• Auburn University
• Dropbox
• IRS
• Health Source of Ohio
• DNC & Clinton Campaign
• Office of Personnel Mgmt
• Yahoo
• Capital One
• City of Detroit
• Apple
• Discover Financial Services
• Experian
• California Child Support Service
Polling Question #17
True or False
Data breaches cost victims money
How Data Breaches Occur
Computer Virus
A computer virus is usually hidden in a computer program and performs functions such as copying or deleting data files. A computer virus creates copies of itself that it inserts in data files or other programs.
How Data Breaches Occur
Trojan Horse
A Trojan horse is a malware program that is disguised as something else. Users assume it is a beneficial program when in fact it is not. Trojan horses are often used to insert spyware onto computers.
How Data Breaches Occur
Computer Worms
A computer worm is a type of malware that transmits itself over networks and the internet to infect more computers with the malware.
How Data Breaches Occur
Rootkits
Rootkits are used to modify the operating system to hide malware from the computer users. Some contain code that prevents the malware from being removed from the computer.
How Data Breaches Occur
Backdoors
A backdoor is a route into a computer that circumvents the user authentication process and allows hackers open access to the system once it is installed.
How Data Breaches Occur
Common ways to access a computer
Hacking
Social Networking
Lost Jump Drives
Charging Stations
Phishing
Data Breach Legal Issues
ARS 44-7501
Applies to all businesses operating in Arizona
Applies to personal information
Notice must be made without unreasonable delay
Written
Telephonic
Electronic
ARS 13-1373
Bars employers and others from using or printing more than five numbers that are reasonably identifiable as being part of a Social Security number.
Data Breach Legal Issues
Fair and Accurate Credit Transactions Act
Disposal Rule
All employers regardless of size, must effectively destroy all documents or other media that contains personal information obtained from a consumer report before disposing of it
This includes names, phone numbers, addresses, account numbers, SSNs,
Other Federal Laws
Gramm-Leach-Bliley
HIPAA
Data Breach Legal Issues
Civil Liability
Courts have ruled that a plaintiff need not prove their personal information was used; the fact that they would need to pay to monitor their credit/accounts and take proactive actions such as obtaining new cards is sufficient grounds for damages.
Additional damages could be awarded if the information is used for identity theft (Average $22,346 per identity stolen)
Data Breach Legal Issues
Businesses Must
Use reasonable procedures to secure data
Procedures must be documented in writing
All processes – collection, use, storage, etc.
Should be audited
Cannot delegate this responsibility
Are 100% liable for actions of employees
Stolen Data
Stolen user IDs and passwords can sell for $5 to $20 on the darknet.
Stolen credit and debit card numbers can sell from $5 to $100 on the darknet.
Card numbers and user IDs are purchased with BitCoins to make it difficult to trace the funds.
Identity thieves also purchase insurance ID information, driver’s license numbers, and other personal information.
Polling Question #18
True or False
Companies must protect personal information
Purchasing Credit Card Numbers
http://validshop.su
Purchase Credit Card Numbers
http://www.freshtools.su
Purchase IDs & Passwords
Credential Stuffing
Obtaining Fake IDs
https://www.zdnet.com/article/cybercrime-market-selling-full-digital-fingerprints-of-over-60000-users/
CRIMINALS SELL FINGERPRINTS ON THE DARKNET
PASSWORD SPRAYING
Most commonly used passwords 2019
https://techviral.net/common-passwords-might-surprise/
Credential Stuffing
Polling Question #19
True or False
Password stuffing is one way to hack a computer
INTERNET STRUCTURE
www.cybertraining365.com
SURFACE NET
Searchable websites
Publicly available sites
News websites
Media websites
Government information sites
THE DEEP NET
Corporate portals
Online banking websites
Health care websites
Utility websites
Basically, any website requiring authorization to enter the site.
THE DARK NET
Hidden websites
https://thehiddenwiki.org/
https://darkwebnews.com/deep-web-links/
Peer-to-peer networks
Illegal websites
Black Market
Drugs
Weapons
User IDs and passwords
Credit card numbers
Fake IDs
THE HIDDEN WIKI
The Feds go after darknet sites
How to hide online activity
Using an anonymous network for sending e-mail and surfing the web
The Onion Router Network (TOR)
The Invisible Internet Project (I2P)
The Amnesic Incognito Live System (TAILS)
Freenet
How TOR works
Polling Question #20
True or False
It is safe to surf the darknet
LEARNING OBJECTIVE
Identify the agencies and organizations where you should report identity theft.
REPORTING IDENTITY THEFT
File a police report.
If the victim has identity theft insurance, notify the insurance company of the claim.
Contact banks and financial institutions and have all credit and debit cards reissued with new numbers.
REPORTING IDENTITY THEFT (CONTINUED)
File an Identity Theft Affidavit with the FTC
www.consumer.ftc.gov/articles/pdf-0094-identity-theft-affidavit.pdf
Or call 1-877-ID-Theft
REPORTING IDENTITY THEFT (CONTINUED)
Contact the credit bureaus and place a fraud alert on the credit report.
TransUnion: www.transunion.com, 1.800.680.7289
Experian: www.experian.com, 1.888.EXPERIAN (397.3742)
Equifax: www.equifax.com, 1.800.525.6285
REPORTING IDENTITY THEFT (CONTINUED)
If the theft involved the Internet, file a complaint with the Internet Crime Complaint Center at www.ic3.gov/default.aspx
Call the Social Security hotline at 800.269.0271 to report a stolen Social Security number.
REPORTING IDENTITY THEFT (CONTINUED)
Order a background check:
Instant Checkmate
Been Verified
Intelius
People Finders
Truth Finder
US Search
REPORTING TAX RETURN IDENTITY THEFT
File Form 14039: Identity Theft Affidavit with the IRS.
By Mail: Internal Revenue Service
P.O. Box 9039
Andover, MA 01810-0939
By Fax: (855) 807-5720
Include copies of any IRS notices or letters and the real return.
REPORTING TAX RETURN IDENTITY THEFT
Report it to the State.
Remember to file a report with the state department of revenue.
Sometimes criminals file fraudulent returns with other states as new residents, part-year residents, or non-residents.
If you live in an area with local income taxes, such as New York City, remember to report to the local taxing authority.
REPORTING TAX RETURN IDENTITY THEFT
States with no income tax:
1. Alaska
2. Florida
3. Nevada
4. South Dakota
5. Texas
6. Washington
7. Wyoming
REPORTING TAX RETURN IDENTITY THEFT
States with tax on dividends and investments:
1. New Hampshire
2. Tennessee
See reference manual for how to report on a state by state basis.
Polling Question #21
True or False
You should report all instances of identity theft
DISCUSSION QUESTION
Are there other resources you know of to report identity theft?
Preventing Identity Theft: Individuals
Encrypt phone calls
Ostel
Open Whisper Systems
Create burner phone #s to hide real #
Burner (www.burnerapp.com)
Ready Sim
Preventing Identity Theft: Individuals
Encrypt emails and text messages
W-3 Anonymous Remailer
BITSMS
Ultimate Privacy
Counter Mail
Proton Mail
Lelantos
Preventing Identity Theft: Individuals
Never give out personal information to someone you do not know.
Beware of deals that are “too good to be true.”
Beware of any sales pitch in which you have to “act now.”
Beware of employment offers from companies to which you have not applied.
Beware of work-at-home job offers promising large incomes.
Preventing Identity Theft: Individuals
Beware of any job opportunity that requires you to pay an upfront fee.
Beware of investments promising unrealistic returns.
Before sending a payment to a company, check them out with the Better Business Bureau.
Do not reply to emails or click on links in emails from unknown sources.
Never click on a link to a bank or financial institution from a website or email. Use your “favorites” link or enter the website address manually.
Preventing Identity Theft: Individuals
Remember that the IRS will never ask for personal information in an email or over the phone.
Beware of “winning” something that requires an upfront fee to receive your prize.
Shred all bank, credit card, brokerage, and loan statements.
Shred all applications for credit cards and loans received in the mail.
Never provide your PIN—legitimate companies will not ask for this.
Preventing Identity Theft: Individuals
Do not carry your Social Security card in your wallet.
Review EOB statements received from insurance companies and call regarding any unrecognized services.
Cover the keypad with your hand when entering your PIN.
Order a credit report quarterly and review all new accounts, balances, and inquiries—this can be done online at www.annualcreditreport.com or by calling 1.877.322.8228.
Preventing Identity Theft: Individuals
Google your name to see what is on the Internet.
Install a firewall on your computer.
Install a good anti-virus program on your computer and keep it up-to-date.
Don’t enter personal information in pop-up windows.
Encrypt your home and office wireless networks using WPA2.
Do not send personal information over public WiFi networks.
Preventing Identity Theft: Individuals
Password protect your smartphone.
Consider using a secure phone such as Blackphone2.
Check URLs before providing credit card information to ensure the site is secure (https://).
Enroll in a back-up or wiping program that backs up your smartphone and will allow you to remotely erase the information on a lost or stolen phone.
DISCUSSION QUESTION
What are some precautions an individual can take to help prevent identity theft?
Polling Question #22
True or False
Keeping your personal information secure is one way to prevent identity theft
Cyber Security Internal Controls
Any Questions?