Safety in Cyberspace
Offline and Online Threats and Some Pretty Good Prevention
Phillip Dunkelberger
President & CEO
September 2006
Identity Theft – Fastest Growing Crime
• 90 million Americans have had their personal info compromised since Feb. 2005
• 9.9 million Americans were victims of identity theft, costing them $5 BILLION and
nearly 40 hours to resolve
• Identity theft cost US businesses $48 BILLION in losses
• It takes 12 months, on average, for a victim of identity theft to notice the crime
• 12% of victims know the perpetrator – friends, family, neighbors
WHAT IS ENABLING THIS? People are unaware of the threats they face
© 2006 PGP Corporation
Identity Threats:
All Shapes and Sizes
Two Real-world Examples
Willie Sutton – because that's where the money "was"
Internet Designed for Simplicity, not Security
– Technology is an enabler for good…and bad
• The Internet was created to share information easily, not to be the commerce engine it has become
Types of threats defined
• Offline threats
– Stealing information directly from you
• Online threats
– Phishing, pharming and spyware
Threats to your Identity
So what are they after?
The sensitive information identity thieves go after:
• Bank account numbers
• Credit card numbers
• Personal financial and medical data
• Credit history
• The gold standard: Social Security Number (SSN)
Offline Threats
Offline Threat: Largest Percentage of Losses
• "Dumpster diving" for bank or credit card info
• Taking statements from your mailbox
• Also theft of wallets or laptop computers
– The goal isn't just cash or hardware, but access to credit card numbers and your SSN
– Because the SSN is a widely accepted unique identifier, a crook who gets it can apply for
MORE credit cards and bank accounts in your name
Consequences of offline threats?
Solutions for Offline Threat
• VERY Simple
– Locking mailbox
– Shredder
– List of toll free (and toll) phone numbers for your financial institutions
– Never, EVER carry anything with you that contains your Social Security number
• Simple
– Credit monitoring services
– Be mindful of billing cycles
– PLEASE encrypt your hard drive
• But what’s encryption…
Online Threats
• "Phishing" – sending email that falsely claims to come from a legitimate business;
a scam to get users to provide private information
– The phisher then uses that info to deplete or clean out the account,
disappearing without a trace
• "Pharming" – the criminal redirects web traffic to a bogus site to collect user
information and deplete the victim's account
• Spyware – alters the browser so traffic goes to a look-alike, bogus website
– 1000% increase in adware, which often carries malicious code
– Celebrity sites are the worst offenders
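The pharming and spyware items above both come down to the same trick: the victim types the right name, but the machine resolves it to the wrong address. The cheapest way to do that on a PC is to append lines to the local hosts file, which the browser consults before DNS. The check below is an added example, not code from this presentation or from PGP Corporation; the hosts-file content, the bank domains in the watchlist and the attacker address 203.0.113.45 are constructed.

```python
"""Detect hosts-file pharming: an entry that pins a bank's hostname to an
attacker-chosen address so the browser never asks DNS.  Added example; the
hosts content and the watched domains below are constructed."""
import ipaddress
import platform
from pathlib import Path

# Assumption: the institutions whose sites the user actually visits.
WATCHLIST = {"examplebank.com", "examplebroker.com"}

# Constructed sample: normal entries, then two lines a pharming attack appends.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    fileserver.lan          # home NAS
0.0.0.0         ads.example.net         # ad blocking, harmless
203.0.113.45    www.examplebank.com examplebank.com
203.0.113.45    online.examplebroker.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, not a mapping
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")


def is_watched(hostname, watchlist):
    """True if hostname is a watched domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watchlist)


def find_pharming(text, watchlist=WATCHLIST):
    """Return every hosts entry that overrides DNS for a watched domain."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if not is_watched(name, watchlist):
            continue
        # A legitimate hosts file has no reason to mention your bank at all:
        # 0.0.0.0, :: or loopback blackholes the site, anything else redirects it.
        if ip.is_unspecified or ip.is_loopback:
            effect = "blocked"
        else:
            effect = f"redirected to {ip}"
        findings.append({"line": line_no, "host": name, "effect": effect})
    return findings


def system_hosts_path():
    """Location of the live hosts file (assumed default paths)."""
    if platform.system() == "Windows":
        return Path(r"C:\Windows\System32\drivers\etc\hosts")
    return Path("/etc/hosts")


if __name__ == "__main__":
    for h in find_pharming(SAMPLE_HOSTS):
        print(f"line {h['line']}: {h['host']} {h['effect']}")
    path = system_hosts_path()
    if path.exists():
        print(f"{path}: {len(find_pharming(path.read_text()))} watched entries")
```

Run as-is it reports the two constructed attack lines and then scans the real hosts file of the machine it runs on; any hit there, blocked or redirected, deserves a look, because nothing legitimate puts a bank in that file. A DNS-level pharming attack (a poisoned resolver rather than a local file) will not show up here; for that, compare what the local resolver returns against a resolver you trust.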
Solutions for Online Threats
• Help from large financials to prevent phishing
– They say they will not contact customers via email, and if they do, no link will be
provided
• Remedies for spyware:
– Get a good antispyware utility and use it: Symantec, LavaSoft, Webroot,
PCTools.com
– Be careful downloading software from unknown publishers
• Never, ever give out personal identity information to anyone who calls
you with a solicitation or asks for it online
– Call the company's 800 number on the back of your credit card or
statement
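The Online Threats slide describes what a phishing email does and this slide gives the rule for handling one: a real bank does not send links, so treat every link as the bait and verify through the number on your card instead. The script below makes that rule mechanical for the links in a suspect HTML message. It is an added example, not code from this presentation or from PGP Corporation; the impersonated domain examplebank.com, the sample message and its attacker hosts are constructed, and the two-label "registered domain" rule is a deliberate simplification.

```python
"""Triage the links in a suspect HTML e-mail: where does each one really go?
Added example; the bank domain and the message below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Assumption: the real registered domain(s) of the institution being impersonated.
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed sample with three typical phishing links and one genuine link.
SAMPLE_EMAIL = """\
<html><body>
<p>Dear valued customer, your account has been limited.</p>
<p>Please <a href="http://examplebank.com.secure-verify.net/login">sign in at
https://www.examplebank.com</a> within 24 hours.</p>
<p>Or use our <a href="http://203.0.113.9/examplebank/">secure portal</a>.</p>
<p>Security notice: <a href="https://www.examp1ebank.com/alerts">examp1ebank.com alerts</a></p>
<p><a href="https://www.examplebank.com/help">Help center</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


# Digits phishers substitute for letters in look-alike domains (examp1ebank, 0nline).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})")


def registered_domain(host):
    """Simplification: the last two labels.  Real code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link is suspicious; an empty list means it looks genuine."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return ["not an http(s) link"]
    if parsed.username is not None:              # http://www.bank.com@evil.net/
        reasons.append("user@host trick in the URL")
    if is_ip_literal(host):
        reasons.append("raw IP address instead of a hostname")
        return reasons                           # remaining checks need a domain name
    reg = registered_domain(host)
    if reg in trusted:
        return reasons
    for t in trusted:
        brand = t.split(".")[0]
        if brand in host:                        # bank name left of the real domain
            reasons.append(f"brand '{brand}' embedded in unrelated domain '{reg}'")
        elif reg.translate(HOMOGLYPHS) == t.translate(HOMOGLYPHS):
            reasons.append(f"'{reg}' is a look-alike of '{t}'")
    m = DOMAIN_IN_TEXT.search(text.lower())      # visible text vs. actual target
    if m and registered_domain(m.group(1)) != reg:
        reasons.append(f"visible text says '{m.group(1)}' but link goes to '{reg}'")
    return reasons


def triage_email(html, trusted=TRUSTED_DOMAINS):
    """Analyze every link in an HTML message and attach a verdict to each."""
    parser = LinkExtractor()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        reasons = analyze_link(href, text, trusted)
        results.append({"href": href, "text": text, "reasons": reasons,
                        "verdict": "suspicious" if reasons else "ok"})
    return results


if __name__ == "__main__":
    for r in triage_email(SAMPLE_EMAIL):
        print(r["verdict"].upper(), r["href"])
        for reason in r["reasons"]:
            print("   -", reason)
```

On the sample message the first three links are flagged (brand name inside a stranger's domain plus mismatched visible text, a bare IP address, and a digit-for-letter look-alike) and only the genuine help link passes. A "suspicious" verdict is the cue for the slide's advice: do not click, open the bank's site by typing its address, or call the number on the back of the card.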
"Advice" from the government
Richard Goldberg, Fraud & Identity Theft Chief, U.S. Attorney General's Office
1. Cancel all of your credit cards and bank accounts
2. Pay cash for everything
3. Disconnect all electrical, water, gas, phone, and cable TV services
4. Grow all of your own food and generate your own power
5. Move into a cave
…Interesting advice, not practical
Examine business/professional relationships
• For the large financial institutions, this is reasonably easy.
– All licensed banks, brokerages, etc. have privacy policies in place and
periodically send them to you
• Harder for smaller, community-based institutions, credit unions, etc.
• The offshore call center support
– Transfer of client information
– Increasingly popular across industries
Are your providers protecting your information?
Questions for your providers – are you protecting my financial and medical
history information?
1. Exactly what financial and medical history is retained, and for how
long?
2. How many people have access to it, and are they bonded?
3. How often are the security measures audited?
4. If data is stored offsite, with whom and for how long?
…But you're still vulnerable
• Businesses, governments and institutions need to better protect
your/their data, because people are part of the equation
– Stolen laptops at the University of California, the Veterans Administration
and other institutions
– There is very little you can do personally to prevent a "lost laptop" breach
from victimizing you
– Your SSN and other personal data probably reside on a hundred
laptops as we speak, sitting in car trunks and briefcases around the
world
– The only thing you CAN do is minimize the amount of time such
information is useful to the criminals who trade in it
• This again simply requires that you monitor your credit card bills carefully and your
credit report.
Data Mining
• “Process of finding patterns of information contained in large databases”
• Private-sector information brokers selling consumer data to the federal
government
– Violation of Privacy Act of 1974?
• Individual privacy is directly affected by the collection, maintenance, use, and
dissemination of personal information by Federal agencies
– 2002, Justice Dept. paid ChoicePoint $11M for customer data
• Subsequently suffered a data breach
– LexisNexis owns/sells a database with 324 million individuals (including SSN)
• Subsequently suffered a data breach
• EPIC believes federal agencies are circumventing privacy protection laws by
privatizing this function
Legislative Environment:
Making it illegal doesn’t make it go away
• International Community Policy: Strong in E.U. and Japan
– Protection is better; legislation more uniform
• US Identity Theft Policy: Patchwork
– Identity Theft Penalty Enhancement Act, 2004
– 34 states have passed laws enforcing data security
– Nearly 40 bills pending on spyware, phishing and general identity theft and data protection issues
• California leads the way: SB 1386, the state's breach notification law
– Puts pressure on companies to protect data
• Ponemon Study
– Average cost of breach to companies - $14 million
– 54% of costs associated with increased customer turnover and lower new customer acquisition
– 20% of customers immediately terminated their accounts with vendors that lost their
information
• Call to action: contact your elected officials
– Stronger protection for consumers with good safe harbors for businesses
The Future
Combating identity theft will require:
• Better education for the consumer
– More Citibank commercials
• Better use of technology
– Carnegie Mellon’s new anti-phishing software
• More action from the legislature: more laws/stiffer penalties
– Legislation that requires best practices from the holders of your information
• Better use of consent
– Understand what you disclose vs. what you protect
Helpful Resources
Online Resources:
• www.csialliance.org – CSIA – Cyber Security Industry Alliance
• www.epic.org – EPIC – Electronic Privacy Information Center
• FightIdentityTheft.com – overview of laws, resources, credit report, credit
monitoring services
• www.consumer.gov – Federal Trade Commission’s site
• www.privacy.ca.gov/cover/identitytheft.htm – CA Office of Privacy Protection
• www.congress.org – to locate contact info for elected officials
• www.privacyrights.org/identity.htm – Privacy Rights Clearinghouse
• www.idtheftcenter.org – Identity Theft Resource Center
• www.antiphishing.org/resources.html – Anti-Phishing Working Group
• www.cifas.org.uk - UK Fraud Prevention Service
• www.ponemon.org – Ponemon Institute