Identity Theft
Deter, Detect, and Defend
At Home & At Work
Introductions
• Lisa Stensland, OIT – Project Management
• Ray Price, CU Police
• Andrea Beesing, OIT – IT Security
• Sandy Eccleston, DFA
• Jamie Churchill, DFA
• Pat McClary, Counsel’s Office
• Norma Schwab, Counsel’s Office
• Kenna Morehouse, Treasurer’s Office
• Carolann Saggese, Treasurer’s Office
• Chuck Alridge, CU Police
• Debi Benson, DFA
• George Sutfin, CU Police
Agenda
• Why be concerned?
• Deter – how to prevent it
• Detect – how to discover it
• Defend – how to fix it
• Identity theft prevention at work
• But what about…?
What is Identity Theft?
• When someone uses your personal information without your permission to commit fraud or other crime
– Name
– Social Security number
– Date of birth
– Credit card number
– Bank account numbers
Types of Identity Theft
• Credit card: 25%
• Phone/utilities: 16%
• Bank account: 16%
• Employment-related: 14%
• Fraudulent tax return: 6%
• Business/personal/student loan: 3%
Source: Federal Trade Commission, Feb 2007
Types of Identity Theft
• Internet/email: 2%
• Medical: 2%
• Auto loan: 2%
• Driver’s license: 1%
• Real estate loan: 1%
• Gov’t benefits: 1%
• Other: 24%
Source: Federal Trade Commission, Feb 2007
How does Identity Theft occur?
Good, old fashioned stealing
“Dumpster Diving”
“Skimming”
“Phishing”
http://219.166.162.37/icons/www.wachovia.com/…
Australia
“Phishing”
http://boaupdate.pochta.ru
Russia
“Phishing”
http://kooptickets.nl/~claudia/mycfcu.com/…..
Netherlands
“Phishing”
• Emails that appear to be from IRS requesting
you confirm information
• Emails that are thanking you for a recent
purchase (of something you didn’t buy)
• Phone phishing
When in doubt, ask or “call back”
Your bank will NEVER ask you for account numbers or
passwords if they initiated the communication
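The three phishing links shown on the slides above all name a bank somewhere in the URL, but the host the browser actually connects to belongs to someone else. The check below is an added example, not part of the original presentation; the function names are hypothetical, and pairing "boaupdate" with bankofamerica.com is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

def is_ip_literal(host):
    """True when the host is a raw IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_link(url, expected_domain):
    """Compare where a link really goes with the domain the message claims.

    Returns a list of warning strings; an empty list means no warning fired.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # text after any "user@" trick
    expected = expected_domain.lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("no-https")
    if is_ip_literal(host):
        warnings.append("host-is-ip-address")
    # Exact match or a true subdomain only; "notbank.com" and
    # "bank.com.evil.example" must not pass as "bank.com".
    if host != expected and not host.endswith("." + expected):
        warnings.append("host-mismatch")
        if expected in parts.path.lower():
            warnings.append("decoy-domain-in-path")
    return warnings

# The three links shown on the slides (truncated as on the slides), paired with
# the domain each lure imitates. bankofamerica.com is an assumption.
SLIDE_LINKS = [
    ("http://219.166.162.37/icons/www.wachovia.com/…", "wachovia.com"),
    ("http://boaupdate.pochta.ru", "bankofamerica.com"),
    ("http://kooptickets.nl/~claudia/mycfcu.com/…..", "mycfcu.com"),
]

if __name__ == "__main__":
    for link, claimed in SLIDE_LINKS:
        print(claimed, "->", check_link(link, claimed))
```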
Is this a big problem?
• According to the U.S. Department of Justice Statistics, identity theft is now passing up drug trafficking as the number one crime in the nation.
• Most studies show that the victim population is about 10 million per year. That means every minute about 19 people become a new victim of this crime.
• In 2004, victims spent an average of 330 hours recovering from this crime.
• In 2004, 43% believe they knew their imposter. 14% of them said that it was an employee of a business who had their information.
• The U.S. Government Reform Committee reports that all 19 government departments and agencies reported at least one loss of personally identifiable information since Jan. 2003. Only a small number of the data breaches were caused by hackers. The vast majority of losses occurred from physical thefts of portable computers, drives and disks, or unauthorized use of data by employees.
It’s huge.
--Identity Theft Resource Center, Facts & Statistics 2006
True Stories…
• Over 63 fraud cases reported to CU Police
since 2005
• Many cases involve more than one incident
– One case had 16!
Has anyone here been a victim?
DETER
DETECT
DEFEND
How do you prevent Identity Theft?
How many of you...
…have your Social Security card
in your wallet or purse
right now?
Protect your sensitive information
• Do NOT carry your SSN card with you
• Memorize PINs and passwords
• Beware of promotions that request sensitive
information
• Question how SSN or other sensitive data will
be used if it is requested by legitimate
sources
– It may not be needed!
Protect your sensitive information
• Shred pre-approved
credit offers, receipts,
bills, other records that
have SSN
• Do not give out CC#,
SSN, etc. over
email
• Do not click on links in
unsolicited emails
How many of you...
...write checks to pay bills
and then
put them in the mailbox with the
flag up?
Modify your mail habits
• Don’t leave mail containing checks or account
information in your mailbox
• Use the post office mailboxes
• Keep an eye out for bills or statements that
aren’t received in a timely manner
How many of you...
...have noticed fewer and
fewer places actually
require or check your
signature on a credit
card?
Modify your credit card habits
• Carry only cards you use regularly
• Sign the backs of all credit cards (or write
“Check ID”)
• Do not loan out your cards to anyone
• Report lost/stolen cards immediately
• Keep a copy of both sides of your cards in a
safe place
Modify your credit card habits
• Check for the “padlock” and/or “https” when
purchasing online
• Opt out of pre-approved credit card offers
• Opt out of junk mail
• Shred all pre-approved credit card offers
– Do not just tear them up!
How many of you...
...do not have a firewall
or
do not have anti-virus software on your
computer at home that is up-to-date?
Safeguard your computer
• Use a firewall
• Use anti-virus software AND keep it updated
• Use wireless encryption
• Do NOT give out your NetID/password under ANY circumstances
• Lock your computer when you are away from
your desk
Take advantage of other services
available to you
• Credit monitoring services (not free)
– Periodic emails reporting on changes to your credit report
• Identity Theft Insurance (proceed with care)
• Fraud alert
– A flag on your credit report that encourages creditors to take
extra steps to ensure identity has not been stolen
– Can only be done if you have been a victim of identity theft
• Credit freeze
Credit Freeze
• NYS allowed starting in November 2006
• Prevents lenders and others from accessing
your credit report
• Good news – Identity thieves will be unable to
establish credit in your name
• Bad news – so will you
– Will also affect background checks and most
requests for insurance
DETER
DETECT
DEFEND
How do you find out if this has
happened to you?
How many of you...
...have not checked your credit
report in the last 12 months?
Increase monitoring
• Check your credit report regularly
– Free from each credit bureau once per year
– Pull one every 4 months (rather than all 3 at once)
• Monitor your bank and credit card statements
closely for unauthorized transactions
• Keep an eye out for bills that do not arrive as
expected
Increase monitoring
• Watch for unexpected credit cards or account
statements
• Investigate any denial of credit situations
• Watch out for calls or letters about purchases
that you didn’t make
DETER
DETECT
DEFEND
How do you restore your good name?
Steps to Take
• Immediately close the account and request fraud dispute forms
• File a police report
– You will need the report number when corresponding with bank/credit card company
• Contact one of the 3 credit reporting agencies to place a “fraud alert” on your file
– The credit reporting agency is required to notify the other 2 to do the same
Steps to Take
• Report the theft to the Federal Trade Commission
• Keep copies of everything and journal all correspondence (date/time/name)
– Send all written correspondence “certified mail, return receipt requested”
• Know your rights!
Credit Card Liability
• Covered under Fair Credit Billing Act (FCBA)
• Your maximum liability under federal law for
unauthorized use is $50
• If you report lost/stolen cards before they are
used, your liability is $0
• If the loss is only of the card number and not
the card, your liability is $0
Debit Card Liability
• Covered under Electronic Fund Transfer Act
(EFTA)
• Liability depends on how quickly you report
the loss
• It does not matter if you ran it through as
“credit”!
• It does not matter if you “signed” rather than
used PIN number!
Debit Card Liability
Timeframe | Liability
Before card is used | $0
Within 2 business days of lost/stolen card | $50
After 2 business days, up to 60 days after statement including unauthorized charges is mailed | $500
After 60 days after statement including unauthorized charges is mailed | NO LIMIT
Investment Liability
• There are currently NO federal liability
protections against fraudulent use of your
investment or retirement accounts!
• Check with your bank or brokerage to see
what they offer for liability protection
Identity Theft Protection at Work
How does this apply to work?
• Current federal and state law
– Family Educational Rights and Privacy Act (FERPA)
– Health Insurance Portability and Accountability Act (HIPAA)
– Gramm-Leach-Bliley Act (GLBA)
– NY Data Security and Notification Law (12/8/05)
• Growing social expectations due to rise in identity
theft awareness
• Need to protect Cornell’s reputation
How does this apply to work?
• Cornell must notify and report if protected
data is reasonably believed to have been
inappropriately accessed
• Protected data includes
– Name with
  • Social security number
  • Credit card number
  • Bank account number with associated PIN
  • Drivers license number
Examples
• March 2005 - Bank of America
– 1,200,000 social security and account numbers were lost
• May 2006 - Veteran’s Administration
– 26,500,000 social security numbers and DOB were lost
when a laptop was stolen
• January 2007 - TJ Maxx
– 47,500,000 credit card numbers were stolen by hackers
taking advantage of unencrypted wireless network in parking
lot
Why do we care?
Precautions to take
• Identify the sensitive data on your system – do you
really need it?
– Social Security Numbers
– Credit card numbers
– Drivers license numbers
• Make sure your IT staff is aware that you manage
sensitive data
• Work with your local IT staff to ensure your system is
protected
Precautions to take
• Before performing any action on your computer ask if
there’s a chance this action might put the data at risk
– Clicking on e-mail attachments
– Turning off the firewall, anti-virus
– Installing programs from the internet
• If you work from home using personal computers
– YOU are responsible for the security of your computer
– Enable encryption on home wireless networks
– Ensure sensitive data is encrypted
Precautions to take
• NEVER share your NetID/password
• Use a complex password
• Do not use your NetID/password for non-Cornell systems
• Do not email credit card numbers
• Keep P-card/credit card applications and
paper checks locked up
Precautions to take
• Shred documents that are no longer needed
– use shredder bins
• Keep a close eye on data stored on laptops
• Change your screensaver to lock your
computer when you are away
Tools available to you
• Policies for keeping access to your
confidential information as secure as possible
• Tools for avoiding exposure due to system
compromises
Policies for securing data
• Draft Policies
– Authentication of Information Technologies Resources Interim Policy:
http://www.cit.cornell.edu/policy/interim/AuthenticationITR.html
– Information Security of Institutional Data:
http://www.cit.cornell.edu/oit/policy/drafts/InstData.html
Spider
• Open source (free) software developed by IT
Security Office
• Identifies files on your system containing
SSN’s and credit card numbers so you can
remove them
• Use with guidance from your local technical
support staff
• http://www.cit.cornell.edu/computer/security/tools/
Anti-Spyware and Anti-Virus Software
• Guards against software which installs itself on your
computer to gather information about you without
your knowledge
• Automatically updated as malware evolves
• Cornell licenses Symantec Anti-Virus
– Includes anti-spyware with version 10.0
– License covers home systems
• More info:
http://www.cit.cornell.edu/computer/security/spyware/
Departmental security assessment service
• Offered by IT Security Office
• Assessment of current environment
• Assist in development of local solutions and
architectures
• To schedule contact:
– [email protected]
But what about…?
• Online Purchases
– Safe if you look for https and padlock!
• Online Banking/Bill Payment
– Safe if you look for https and padlock
– Minimize human interaction
– Your sensitive data will get to the systems either
way
But what about…?
• Credit Monitoring Services
– $9-12 per month to alert you of changes to your credit report
– Does not protect you - simply notifies you if ID theft has
already happened
• Identity Theft Insurance
– Insurance riders
– Zander Insurance ID Theft Program
– Lifelock
But what about…?
• Insurance riders
– Cover expenses incurred for cleaning up ID theft
(phone calls, mail, copies, etc.)
– May or may not cover lost wages
– Read policy carefully!
But what about…?
• Zander Insurance Identity Theft Program
– $6.50 per month
– Provides an advocate that will work with your
bank/creditors on your behalf to clean up ID theft
– Covers expenses and lost wages/personal/
vacation time
But what about…?
• Lifelock ($10 per month)
– CEO publicizes his SSN demonstrating confidence in their
service
– They don’t do anything for you that you can’t do for yourself FREE
  • Fraud alerts (every 90 days)
  • Pull annual credit reports
  • Opt outs for junk mail and pre-approved credit card
– Only paid out 3 claims according to a recent article
– Scandal surrounded co-founder (no longer on staff)
In closing…
Deter, Detect, Defend
At Home and At Work
• Keep your sensitive data secure
• Monitor regularly for identity theft
• Act quickly if you think your identity
has been compromised
Questions?