Transcript Document

Identity Theft
Deter, Detect, and Defend
At Home & At Work
Introductions
• Lisa Stensland
– Manager, CIT Project Management Office
– Former member of the Association for Financial
Counseling and Planning Education
• Ray Price
– Cornell Police for 34 years
– Last 8 years in Crime Prevention, which includes
loss prevention and identity theft
Agenda
• Why be concerned?
• Deter – how to prevent it
• Detect – how to discover it
• Defend – how to fix it
• Identity theft prevention at work
• But what about…?
What is Identity Theft?
• When someone uses your personal information without your permission to
commit fraud or other crime
– Name
– Social Security number
– Date of birth
– Credit card number
– Bank account numbers
Types of Identity Theft
Credit card – 25%
Phone/utilities – 16%
Bank account – 16%
Employment-related – 14%
Fraudulent tax return – 6%
Business/personal/student loan – 3%
Source: Federal Trade Commission, Feb 2007
Types of Identity Theft
Internet/email – 2%
Medical – 2%
Auto loan – 2%
Driver’s license – 1%
Real estate loan – 1%
Gov’t benefits – 1%
Other – 24%
Source: Federal Trade Commission, Feb 2007
How does Identity Theft occur?
Good, old fashioned stealing
“Dumpster Diving”
“Skimming”
Lost or Stolen Laptop
Credit Card Shaving
• Thieves try out 16 digit number combinations
until one works!
• Start with a stolen or deactivated credit, debit,
or bank gift card
• Generally, the thieves only have to worry about figuring out the last
four digits of a credit card
– The first 12 numbers typically identify the bank
and are common across many cardholders
Credit Card Shaving
• Using razor blades, thieves shave off the
numbers they need from another card
• Apply them to the stolen card with superglue
• Scratch the mag-strip so that numbers must
be entered manually from the front
“Phishing”
http://kooptickets.nl/~claudia/mycfcu.com/…..
Netherlands
“Spearphishing”
https://cuweblogin.cit.cornell.edu/cuwl-cgi/login2.cgi
http://turist.hr/galerija/bjelovar/index/cornel/index.html
Croatia/Hrvatska
“Phishing”
• Emails that appear to be from IRS requesting you
confirm information
• Emails that are thanking you for a recent purchase
(of something you didn’t buy)
• Phone phishing
When in doubt, ask or “call back”
Your bank will NEVER ask you for account numbers or passwords
if they initiated the communication
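The two “Spearphishing” links above make the point that a familiar name inside a URL means nothing; only the hostname the browser actually connects to matters. The following link triage routine is an added example, not part of the original presentation or of any Cornell tool; the trusted-domain table, the brand strings it watches for, and the `login.html` filename standing in for the slide’s truncated path are all constructed for the example.

```python
from urllib.parse import urlparse

# Constructed for this example: the domains a reader actually trusts for
# banking and campus logins, and the brand strings a lookalike link tends to
# carry in its hostname or path (including the "cornel" spelling seen in the
# Croatian link on the slide).
TRUSTED_DOMAINS = {
    "mycfcu.com": ("mycfcu", "cfcu"),
    "cornell.edu": ("cornell", "cornel", "cuweblogin"),
}


def host_is_under(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return one of: trusted, trusted-but-insecure, lookalike, untrusted, unparseable.

    The decisive question is what the browser will connect to: the hostname.
    A brand name that only appears in the path is ignored, exactly as the
    browser ignores it, and instead counts as evidence of a lookalike.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "unparseable"
    for domain in trusted:
        if host_is_under(host, domain):
            # The "https" check from the slides: a real site reached without TLS
            # still deserves a second look.
            return "trusted" if parts.scheme == "https" else "trusted-but-insecure"
    haystack = (host + parts.path).lower()
    for brands in trusted.values():
        if any(brand in haystack for brand in brands):
            return "lookalike"
    return "untrusted"


def triage(urls):
    """Classify a batch of links, e.g. every link extracted from a suspicious email."""
    return {u: classify_link(u) for u in urls}


if __name__ == "__main__":
    # The first two are the real and the spoofed campus login from the slides;
    # the mycfcu link carries a constructed filename in place of the slide's "…..".
    sample = [
        "https://cuweblogin.cit.cornell.edu/cuwl-cgi/login2.cgi",
        "http://turist.hr/galerija/bjelovar/index/cornel/index.html",
        "http://kooptickets.nl/~claudia/mycfcu.com/login.html",
        "https://example.org/",
    ]
    for url, verdict in triage(sample).items():
        print(f"{verdict:22s} {url}")
```

The lookalike rule deliberately fires on both the path and the hostname, so a host such as `cornell.edu.evil.example` (constructed) is flagged even though its first two labels read correctly; the suffix match in `host_is_under` is what keeps that host out of the trusted branch.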
Is this a big problem?
• The U.S. Government Reform Committee reports that all 19 government
departments and agencies reported at least one loss of personally
identifiable information since Jan. 2003.
• In 2007, identity theft generated the most complaints to the FTC by far.
It was about 500% more than the complaint in second place.
• According to the U.S. Department of Justice Statistics, identity theft
has now passed up drug trafficking as the number one crime in the nation.
• The victim population is about 10 million per year.
• Victims will spend an average of 175 hours and $1200 recovering from
this crime.
• 1 in 6 Americans will be a victim.
• Only a small number of the data breaches were caused by hackers. The
vast majority of losses occurred from physical thefts of portable
computers, drives and disks, or unauthorized use of data by employees.
It’s huge.
--Identity Theft Resource Center, Facts & Statistics 2006 & FTC
True Stories…
• March 2005 - Bank of America
– 1,200,000 social security and account numbers were lost
• May 2006 - Veteran’s Administration
– 26,500,000 social security numbers and DOB were lost
when a laptop was stolen
• January 2007 - TJ Maxx
– 47,500,000 credit card numbers were stolen by hackers
taking advantage of unencrypted wireless network in parking
lot
Medical ID Theft
• April 2007, Salt Lake City
• Woman delivers a baby at a local hospital
• …then abandons it!
• Baby tests positive for methamphetamine
• Hospital identifies mother as Anndorie Sachs and tracks her down
• Anndorie says she did not have a baby recently
• DCFS threatens to take away her other 4 children,
aged 2-7
Medical ID Theft (cont)
• Good news
– Accusations were dropped
– Anndorie was absolved of paying the bill
• Bad news
– Anndorie’s medical records were altered to show the blood
type and medical record of a complete stranger
– Anndorie has a blood clotting disorder
– The hospitals insist that they have fixed the issue, but
Anndorie can’t be sure because they need to PROTECT the
PRIVACY of the IDENTITY THIEF!
Scrap Paper
• March 10, 2008
• School teacher purchases box of scrap paper
for her fourth grade students - $20
• What she really gets?
• Medical records of 28 hospital patients!
Has anyone here been a victim?
DETER
DETECT
DEFEND
How do you prevent Identity Theft?
How many of you...
…have your Social Security card
in your wallet or purse
right now?
Protect your sensitive information
• Do NOT carry your SSN card with you
• Memorize PINs and passwords
• Beware of promotions that request sensitive
information
• Question how SSN or other sensitive data will
be used if it is requested by legitimate
sources
– It may not be needed!
Protect your sensitive information
• Shred pre-approved credit
offers, receipts, bills, other
records that have SSN
• Do not provide CC#, SSN,
etc. out over email
• Do not click on links in
unsolicited emails
How many of you...
...write checks to pay bills
and then
put them in the mailbox with the
flag up?
Modify your mail habits
• Don’t leave mail containing checks or account
information in your mailbox
• Use the post office mailboxes
• Keep an eye out for bills or statements that
aren’t received in a timely manner
Consider Online Banking & Bill
Payment
• Computers don’t steal identities, human
beings do
• Minimize the number of people that have the
opportunity to access your information
• Online banking & bill payment is secure as
long as you see:
– “https” in the address – ‘s’ = secure… OR …
– Padlock in lower right corner of browser
How many of you...
...have noticed fewer and
fewer places actually
require or check your
signature on a credit
card?
Modify your credit card habits
• Carry only cards you use regularly
• Sign the backs of all credit cards
– AND write “Check ID”
• Do not loan out your cards to anyone
• Report lost/stolen cards immediately
• Keep a copy of both sides of your cards in a
safe place
Modify your credit card habits
• Check for the “padlock” and/or “https” when
purchasing online
• Opt out of pre-approved credit card offers
• Opt out of junk mail
• Shred all pre-approved credit card offers
– Do not just tear them up!
How many of you...
...do not have a firewall
or
do not have anti-virus software on your computer at
home that is up-to-date?
Safeguard your computer
• Use a firewall
• Use anti-virus software AND keep it updated
• Use wireless encryption
• Configure your computer to NOT remember logins/passwords
• Lock your computer when you are away from
your desk
• Use different (and complex) passwords for
different accounts
Password Protection
• The Imperva Application Defense Center (ADC)
Study
• December 2009, 32 million passwords were
breached at rockyou.com and posted online
• Analysis was performed on these passwords
resulting in some startling findings
http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf
Study Findings
• 30% of users chose passwords whose length is <= 6
characters
• 60% of users use limited set of alpha-numeric
characters
• 50% of users use names, slang words, dictionary
words, or simple key sequences
• In just 110 attempts, a hacker would typically be able
to gain access to one new account every second, or
17 minutes to break 1000 accounts
http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf
Password Protection
http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf
Password Recommendations
• Passwords should contain at least 8
characters
• Passwords should contain a mix of 4 different
types of characters
– Upper case, lower case, numeric, special
characters like !@#$%^&
• Do not use names, dictionary words, key
sequences, or any part of your name or email
address
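The four rules on this slide (length, character classes, no dictionary words or key sequences, no fragment of your name or email) are easy to turn into a checker that a help desk or a self-service password page can run. The routine below is an added example, not part of the presentation or of any Cornell system; its word list, key-sequence list, and the sample user and passwords are constructed for the example, and a real deployment would substitute a full dictionary and a breached-password list.

```python
import re

# Constructed for this example: a tiny stand-in for a real cracking wordlist.
COMMON_WORDS = {
    "password", "welcome", "summer", "winter", "monkey", "dragon",
    "letmein", "football", "princess", "cody",
}

# Keyboard walks and counting runs of the kind the rockyou analysis found.
KEY_SEQUENCES = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcde", "11111")

# The four character classes named on the slide.
CLASSES = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "special": lambda c: not c.isalnum(),
}


def personal_tokens(name, email):
    """Pieces of the owner's name and email address (3+ chars) that must not appear."""
    raw = re.split(r"[^a-z0-9]+", (name + " " + email).lower())
    return {t for t in raw if len(t) >= 3}


def check_password(password, name="", email=""):
    """Return the set of slide recommendations the password violates.

    An empty set means every rule passes: length >= 8, all four character
    classes present, no dictionary word or key sequence, and no fragment of
    the owner's name or email address.
    """
    failures = set()
    lowered = password.lower()

    if len(password) < 8:
        failures.add("length")
    if sum(any(test(c) for c in password) for test in CLASSES.values()) < 4:
        failures.add("classes")
    if any(word in lowered for word in COMMON_WORDS):
        failures.add("dictionary")
    if any(seq in lowered for seq in KEY_SEQUENCES):
        failures.add("sequence")
    if any(tok in lowered for tok in personal_tokens(name, email)):
        failures.add("personal")
    return failures


if __name__ == "__main__":
    # Constructed sample owner and candidate passwords.
    owner = ("Lisa Stensland", "lisa.stensland@example.edu")
    for pw in ("summer", "Qwerty123!", "Lisa!2024xyz", "Mx7#qv2Lp9"):
        verdict = sorted(check_password(pw, *owner)) or "ok"
        print(f"{pw:14s} -> {verdict}")
```

Note that the dictionary and key-sequence tests are substring matches on the lowercased password, so `Qwerty123!` fails even though it has all four character classes and ten characters; substitution tricks such as `0` for `o` are not handled here and belong in the wordlist of a real checker.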
Password Recommendations
• For keeping track of multiple passwords,
develop an “algorithm” using a favorite word
or phrase
– Pet’s name: “C0dy”
– Citibank account: C0dy@citibank
– Fidelity account: C0dy@fidelity
• You can have a different complex (using
capital letters and symbols) password for
each account AND it’s easy to remember
Take advantage of other preventative
services available to you
• Fraud alerts
– A flag on your credit report that encourages
creditors to take extra steps to ensure identity has
not been stolen
– A 90-day fraud alert can be placed anytime you
think you may become a victim of ID theft
– An ‘extended alert’ can be placed for 7 years; it requires a police report
Credit Freeze
• NYS allowed starting in November 2006
• It is a lock on your credit report that prevents
lenders and others from accessing it
• Good news – Identity thieves will be unable to
establish credit in your name
• Bad news – Neither will you (unless you
“thaw” your report for a nominal charge)
– May additionally affect background checks and
most requests for insurance
DETER
DETECT
DEFEND
How do you find out if this has
happened to you?
How many of you...
...have not checked your credit
report in the last 12 months?
Increase monitoring
• Check your credit report regularly
– Free from each credit bureau once per year
(Equifax, TransUnion, Experian)
– Pull one every 4 months (rather than all 3 at once)
• Monitor your bank and credit card statements
closely for unauthorized transactions
• Keep an eye out for bills that do not arrive as
expected
Increase monitoring
• Watch for unexpected credit cards or account
statements
• Investigate any denial of credit situations
• Watch out for calls or letters about purchases
that you didn’t make
• Consider credit monitoring services offered
by banks, credit card companies, and
credit reporting agencies
Lifelock … Think Twice
• CEO publicizes his SSN demonstrating
confidence in their service
• $1M Total Service Guarantee
• Most of what they do you can do for yourself
for free
• Scandal surrounded co-founder (no longer on
staff) for allegedly stealing the identity of his
father
• April 2008 - Class Action Lawsuit - Deceptive
Advertising
Lifelock $1 Million Total Service
Guarantee
• COVERS - Cost for lawyers, investigators, case
managers
• NOT cover - Lost wages or business profits
• NOT cover - Loss of business or lost opportunities
• NOT cover - Direct out-of-pocket expenses like
postage stamps, gas or mileage to go to local
authorities, or any notary public fees, etc.
• NOT cover - Any direct losses as a result of the theft
DETER
DETECT
DEFEND
How do you restore your good name?
Steps to Take
• Immediately close the account and request fraud dispute forms
• File a police report
– You will need the report number when corresponding with
bank/credit card company
• Contact one of the 3 credit reporting agencies to place a
“fraud alert” on your file
– The credit reporting agency is required to notify the other 2
to do the same
Steps to Take
• Report the theft to the Federal Trade
Commission
• Keep copies of everything and journal
all correspondence (date/time/name)
– Send all written correspondence “certified
mail, return receipt requested”
• Know your rights!
Credit Card Liability
• Covered under Fair Credit Billing Act
(FCBA)
• Your maximum liability under federal
law for unauthorized use is $50
• If you report lost/stolen cards before
they are used, your liability is $0
• If the loss is only of the card number
and not the card, your liability is $0
Debit Card Liability
• Covered under Electronic Fund Transfer Act
(EFTA)
• Liability depends on how quickly you report
the loss
• It does not matter if you ran it through as
“credit”!
• It does not matter if you “signed” rather than
used PIN number!
Debit Card Liability
Timeframe – Liability
Before card is used – $0
Within 2 business days of lost/stolen card – $50
After 2 business days, up to 60 days after statement including
unauthorized charges is mailed – $500
After 60 days after statement including unauthorized charges is
mailed – NO LIMIT
Investment Liability
• There are currently NO federal liability
protections against fraudulent use of your
investment or retirement accounts!
• Check with your bank or brokerage to see
what they offer for liability protection
• You would need to work through the legal/justice
system to recover your funds
Identity Theft Protection at Cornell
How does this apply to working at
Cornell?
• Current federal and state law
– Family Educational Rights and Privacy Act (FERPA)
– Health Insurance Portability and Accountability Act (HIPAA)
– Gramm-Leach-Bliley Act (GLBA)
– NY Data Security and Notification Law (12/8/05)
• Growing social expectations due to rise in identity
theft awareness
• Need to protect Cornell’s reputation
New York Data Security and
Notification Law
• Cornell must notify and report in writing to affected
individuals if personal information is acquired, or
reasonably believed to have been acquired, by a
person without valid authorization
• Protected data includes
– Name with
• Social security number
• Credit card number
• Bank account number with associated PIN
• Driver’s license number
Why do we care?
Precautions to take
• Identify the sensitive data on your system –
do you really need it
• Clean up OLD data - archive to DVD if it is
needed
• Make sure your IT staff is aware if you
manage sensitive data
• Work with your local IT staff to ensure your
system is protected
Precautions to take
• If you think performing an action may put your system
at risk, check with your local IT support provider
– Clicking on e-mail attachments
– Turning off the firewall, anti-virus
– Installing programs from the internet
• If you work from home using personal computers
– YOU are responsible for the security of your computer
– Enable encryption on home wireless networks
– Ensure sensitive data is encrypted
Precautions to take
• Perform the password recommendations
already discussed
• NEVER share your NetID/password with
ANYONE
• Do not use your Cornell NetID/password for
non-Cornell systems
• Configure your computer to NOT remember
logins/passwords
• Do not email sensitive data
Precautions to take
• Be extra cautious with laptops
• Change your screensaver to lock your
computer when you are away
• Use a firewall
• Use anti-virus software AND keep it updated
• Use wireless encryption
• Shred documents that are no longer needed
Tools available to you
• Policies
• Spider & Identity Finder
• Anti-Spyware and Anti-Virus Software
• Departmental Security Assessments
Policies relating to Data Security
• 4.12 – Data Stewardship and Custodianship
• 5.3 – Use of Escrowed Encryption Keys
• 5.4.1 – Security of IT Resources
• 5.4.2 – Reporting Electronic Security Incidents
• 5.8 – Authentication of Information Technologies Resources Interim Policy
• 5.10 – Security of Electronic University Administrative Information (Interim)
http://www.dfa.cornell.edu/dfa/treasurer/policyoffice/policies/volumes/informationtech/admininfo.cfm
Spider & Identity Finder
• Spider - Open source (free) software
developed by IT Security Office http://www.cit.cornell.edu/services/spider/
• Identity Finder – Licensed by the University http://www.cit.cornell.edu/services/idfinder/
• Identifies files on your system containing
SSN’s and credit card numbers so you can
remove them
• Use with guidance from your local technical
support staff
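What Spider and Identity Finder do at their core is walk a file tree and look for SSN-shaped and card-shaped numbers, discarding digit runs that merely look like cards. The scanner below is an added illustration of that idea and is not the code of Spider, Identity Finder, or any other Cornell tool; the sample files it builds in a temporary directory (an old HR roster, an orders CSV, a help-desk note with a phone number) are constructed for the example. Like the real tools, it reports where sensitive data lives rather than printing the data itself.

```python
import os
import re
import tempfile

# A hyphenated US Social Security number, and a 13-19 digit run that may be
# separated by spaces or dashes (the usual card formatting).
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Mod-10 check that every real card number satisfies; it screens out
    phone numbers, order ids and other digit runs that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value, keep=4):
    """Keep only the last few characters so the scan report is not itself a leak."""
    return "*" * (len(value) - keep) + value[-keep:]


def scan_text(text):
    """Return (kind, line_number, masked_value) for each hit in a text blob."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(("ssn", lineno, mask(m.group())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(("card", lineno, mask(digits)))
    return findings


def scan_dir(root, max_bytes=5_000_000):
    """Walk a directory tree and map each file (relative path) to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:
                continue  # a production tool would also parse large/binary formats
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


def demo():
    """Build a throwaway tree of constructed sample files and scan it."""
    samples = {
        "hr/old_roster.txt": "Doe, Jane  SSN 123-45-6789\nDoe, John  SSN 987-65-4320\n",
        "sales/orders.csv": "order,card\n1001,4111 1111 1111 1111\n1002,4111-1111-1111-1112\n",
        "notes/readme.txt": "Call the help desk at 607-555-0100.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_dir(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for kind, lineno, masked in hits:
            print(f"{path}:{lineno}: {kind} {masked}")
```

In the demo the second card-shaped value fails the Luhn check and the phone number never matches either pattern, so only the roster and the orders file appear in the report; that filtering is what keeps a cleanup effort focused on files that really need attention.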
Anti-Spyware and Anti-Virus Software
• Guards against software which installs itself on your
computer to gather information about you without
your knowledge
• Automatically updated as malware evolves
• Cornell licenses Symantec Endpoint Protection for
PCs and Norton AntiVirus for Macs
– License covers employee home systems!!
• http://www.cit.cornell.edu/security/computer/antivirus.cfm
Departmental security assessment service
• Offered by IT Security Office
• Assessment of current environment
• Assist in development of local solutions and
architectures
• To schedule contact:
– [email protected]
Current University Initiatives
• PCI Compliance
– Improving security credit card processing
practices and systems
• University Data Cleanup and Inventory
– Development of a regular process for proactively
monitoring and cleaning up/securing sensitive
data
• Campus Data Encryption & Key Escrow
In closing…
Deter, Detect, Defend
• Take preventive steps to keep your
data secure
• Monitor regularly for identity theft
• Act quickly if you think your identity has
been compromised
• While at work, treat the sensitive data of
those you serve with the highest level of
protection
Questions?
http://www.cit.cornell.edu/security/identitytheft/