Phishing and Pharming

Identity Theft


Valerie Kimball, CPA, MBA
Views contained herein do not purport to reflect the position of DCAA or Dept of Defense
Overview

   Methods
   Growth of Problem
   Source Countries
   Costs
   Laws/Prosecution
   Prevention
   Impact to CPAs and their clients
   Response to a security breach
Do you . . .

   keep your PIN in your wallet or write it on ATM/credit cards?
   only carry the ATM/credit cards you plan to use?
   always carefully review transactions before paying the bill?
   always shred bank statements and credit-card bills?
Do you . . .

   tear up or shred pre-approved credit card forms?
   request and review a copy of your credit report at least once a year?
   check with the post office if the mail volume drops off?
   leave PI in your car?
   know who to call if you think you might be a victim of identity theft?
Does Your Firm

   Require the use of computer passwords?
   Require passwords be changed periodically?
   Use encrypted USB flash drives?
   Have security policies with a set of plans to deal with potential breaches?
Methods of Identity Theft

   Low-tech methods
   Scanners, Cameras, Hackers
   Phishing & Phishing Lures
     Spear-Phishing
     Vishing
     Whaling
   Pharming
   Botnets
Low Tech ID Theft

   Lost or stolen items
   Shoulder Surfing
   Dumpster Diving
   Mail Intercepts
   Change of Address Card
   Cold calls
Scanners, Cameras, Hackers

   Skimming Devices – card readers
     ATMs
     Gas Stations
   Cameras may or may not be used
   Hackers
     Failure to safeguard customer data
     No defense once security breached
PHISHING

   Bulk e-mail
     Seek identity
     Speed: 14 hours
     Specialists divide work
   Opportunistic crime
     Anonymous
     Official-looking
     Lure: easy money
PHISHING LURES

   Bulk bogus e-mails
   Spoofed web sites
   Black market for data
   Strategies
     Hide the real
     Show the false
   Few barriers to entry
   Phishing pays
SPEAR-PHISHING

   Lures specific victims
   Harder to detect
     Imitate known sender
     Linked to sophisticated criminals
   Victims keep silent
   No way to protect PCs
SPEAR-PHISHING

   Cost effective
     Set-up fee: $100
     Server: $300/month
     Spam program: $1,200/month
     Addresses: $1,900/month
   Someone always bites
   Goal: automation
     Small effort, big effect
     Customized databases of company logos for sale
Vishing

   Newest Scam – Voice Phishing
   Two methods:
     On-line with email
     Automated dialing programs – cold calls
   Both urge call to toll-free #
   Automated prompt for PI
Whaling

   Aimed at country’s top executives
   “Official” US District Court Subpoenas
   Link to download subpoena
     Instead downloads keystroke software
     Remote control software
   <40% of anti-virus products recognized the attack
PHARMING

   Form of phishing
   Malicious program
     Secretly installed
     Displays correct web address
     Domain-name server redirects to fraudulent site
     Keylogger program
CASTING NETS

   Pharmers redirect Internet traffic via
     Website spelling errors
     Malware: Browser-in-the-Middle
     Slamming
   DNS Poisoning
     Alters addresses
     Legitimate URL = fraudulent web site
Botnets
Automate & Amplify

   Distributed by
     Email attachments
     Pirated software
     Freeware
   Programs created by small groups
     Harness infected PCs
     Controlled by IRC
Botnets

   Uses:
     Scan PCs for sensitive data
     Drain online bank accounts
     Generate spam, e.g. stock pump & dump
   A payload delivery system
     250k new infections per day
     80% of spam from Botnets
DNSSEC

   DNS security extensions
     Similar to IP security protocol
     Verifies address unaltered
   Underutilized
     Effective only in tight community
     Impractical to secure sub-domains
   Effective for top-level domains .com, .org
   Sweden & Puerto Rico implemented
GROWTH OF PROBLEM

   Tremendous growth in numbers
     More data breaches in 1st half of 2008 than all of 2007
     2007: 127M records
   Perimeter Defenses
     Firewalls/Anti-Virus
     No defense once in
   Result: new tactics target
     Individual PCs
     Web sites
Phishing Hosts

   Host one or more phishing web sites
   Increase of 167% between 1st & 2nd half of 2007
   559% increase in detected sites in 1 year (2006 to 2007)
   How many undetected?
Targets

   Financial Services Sector 66%
   ISP obvious target (change 3% to 18%)
     Frequent use of same passwords
     Multiple Accounts
     Access to all accounts
   End Users
     44% ID, credit cards, financial details
     22% bank accounts
Black Market Economy

   Specialization of Goods & Services
   Outsourcing of Production
   Multivariate Pricing
   Adaptable Business Models
Specialization

   Specialized Programmers
     Economies of scale
     Increased return on investment
     High Volume of new malicious code
   Types of Activities
     Phishing: most common origin Romania
Outsourcing

   Automated Phishing Toolkits
   Sold in black market
   Hard to obtain, expensive
   Set of scripts to automatically set up phishing web sites
   3 most popular = 26% of observed attacks
Multivariate Pricing

   Supply and Demand: $0.40 - $20 per CC
   Price depends on source and rarity
     EU cards cost more than US cards
     US CC = 62% of cards advertised
     EU IDs cost 50% more than US
     EU citizens cross borders w/o passports
Bulk & Bundled Pricing

   Bulk pricing
     Credit Cards 50/$40, 500/$200
     ID 50/$100 (3rd most common item for sale)
   Value Added
     Bank accounts with higher balances
     Business Accounts
     EU accounts
     Bank Accounts w/PIN
Adaptable Business Model

   Ads for Credit Cards down 22%
     High Profile Reports of lost data
     Credit card companies better at monitoring
     Quicker to inform of suspicious activity
     Not always accepted as payment
   Ads for Accounts with PI up 21%
SOURCE COUNTRIES

   Top countries:
     United States 31%
     China/Korea 9.0%
     United Kingdom 2.1%
   Layers of organization
     Low members in U.S.
     Lead to high members
   International crime
     Hard to prosecute
     E-mail systems fail to reveal history
COSTS for Individuals

   Financial Costs
     9.9M victims 2008
     $496 per victim = $4.9B
   Criminal ID Theft
     Victim may be unaware
     Victim’s name never removed from record
     Always linked to thief as alias
Costs for Businesses

   Financial
     Data Breach = $6.3M
     $197 per record
     Security measures cost billions
     Legal Liability
   Non-Financial Costs
     Reputation
     Loss of customers
     Business disruption
Laws

   1998 ID Theft & Assumption Deterrence
     Made ID theft a separate crime against victim
   2000 Internet False ID Prevention Act
     Addresses websites that distribute counterfeit ID and credentials
   2003 Federal Fair & Accurate Credit Transactions Act
TRACKING & PROSECUTION

   Wire fraud or Identity theft statutes (AIT 18 USC)
     Crime already committed
   Anti-Phishing Act of 2005
     5 year jail term
     $250,000 in fines
   Enforcement
     Originate overseas
     No jurisdiction
     Exception: Case in Brazil
TRACKING & PROSECUTION

   ID Theft Task Force 5/10/2006
     15 Federal Depts. & Agencies
     Comprehensive national strategy
   Strategic Plan
     Data Protection
     Avoiding Data Misuse
     Victim Assistance
     Deterrence: increase prosecution/punishment
TRACKING & PROSECUTION

   ID Theft Enforcement & Restitution Act of 2008
     Authority to seek restitution for victims’ time spent addressing harm suffered
     Prosecution for corp. ID theft
     Cybercrime provisions: malicious spyware, keyloggers, cyber-extortion
Personal Prevention

   Vigilance: monitor accounts
   Protect PI
   Move Online – cancel paper
   Who’s Watching – awareness
   Guard Liability
   Use Credit Reports
   Shred all documents with PI & pre-approved applications
INDUSTRY

   Technology: Most impact over short-term
   Security Measures
     Multi-factor authentication
     Mutual authentication
     Digital certificate
Business Prevention

   Domain Names
     Renew Frequently
     Investigate Similar
   Cardholder Use Patterns
   Software
     Symantec
     Bank of America
CONSUMER EDUCATION

   Consumer Awareness Critical
     Most people don’t realize they’re being defrauded
     Teach them how to protect themselves
     Difference between legitimate and “spoofed” sites
     Install updates Frequently
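Three slides in this deck point at the same defensive check: "Casting Nets" (pharmers exploit website spelling errors), "Business Prevention" (investigate similar domain names) and the consumer-education point about telling a legitimate site from a "spoofed" one. The script below is an added example, not part of the presentation and not any vendor's product; it scores a URL for the tell-tale signs of a spoofed site (credentials before an @ sign, a raw IP host, a punycode label, no HTTPS) and compares the registrable domain against a small constructed list of domains the firm owns (PROTECTED_DOMAINS, a placeholder for a real domain inventory) to catch typo and look-alike variants. The hostnames and URLs in it are constructed samples.

```python
"""Flag URLs whose hostname imitates a domain we actually own.

Added example, not from the presentation. PROTECTED_DOMAINS is a constructed
stand-in for the firm's real domain inventory.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed list of domains the organisation legitimately operates.
PROTECTED_DOMAINS = ["examplebank.com", "examplecpa.com"]

# Character swaps that make a hostname read like the real one at a glance.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable_domain(host):
    """Crude eTLD+1: the last two labels (adequate for .com/.org-style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; 1-2 against a brand name is a typo-style lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_homoglyphs(label):
    """Map common digit/letter substitutions back to the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def analyse_url(url):
    """Return a list of indicator strings; an empty list means nothing suspicious."""
    indicators = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname"]
    if parts.username is not None:
        indicators.append("credentials in URL (text before @ is not the host)")
    try:
        ipaddress.ip_address(host)
        indicators.append("host is a raw IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        indicators.append("punycode (IDN) label in host")
    if parts.scheme != "https":
        indicators.append("not HTTPS")
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return indicators  # genuinely one of ours
    reg_label = reg.split(".")[0]
    for legit in PROTECTED_DOMAINS:
        brand = legit.split(".")[0]
        if reg_label != brand and normalise_homoglyphs(reg_label) == brand:
            indicators.append(f"homoglyph lookalike of {legit}: {reg}")
        elif 0 < edit_distance(reg_label, brand) <= 2:
            indicators.append(f"typo lookalike of {legit}: {reg}")
        elif brand in host:
            # Brand name used as a subdomain or prefix of someone else's domain.
            indicators.append(f"brand '{brand}' in host but domain is {reg}")
    return indicators


if __name__ == "__main__":
    # Constructed sample URLs, as they might appear in a phishing e-mail.
    for sample in [
        "https://www.examplebank.com/login",
        "https://www.examp1ebank.com/login",
        "https://exampelbank.com/verify",
        "http://examplebank.com@evil.example/login",
        "https://examplebank.com.login-verify.net/",
    ]:
        print(sample, "->", analyse_url(sample) or ["ok"])
```

Run it against the links harvested from a reported e-mail, or feed it candidate registrations when running the "Investigate Similar" review of a firm's domain names. The two-label registrable-domain rule is a deliberate simplification; for country-code suffixes such as .co.uk a public-suffix list is needed.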
Emerging Measures

   Biometric Features
   I-Card – Industry wide
     Secure digital ID
     Overseen by 3rd party
     User controls info
     Available now
New Internet

   Original designers
     Academia and military use
     Not world’s communication & commerce
     Little attention to security
   Current system
     Anonymous
     Focus on patching current system
A Fresh Start

   Advanced network
     Academia, Federal & Industry
     Test running by 8/09
   Improved Security
     Effective tracking
     No central point of control
     No one organization will run
   Less Privacy/Anonymity
Impact to CPAs

   Cost-Benefit Analysis
   Risk Analysis
   Data Life Cycle
   Determine & Implement Plan
     AICPA Privacy Principles
Risk Analysis

   Security Standards
     Removable Media
     Laptops
     Secure servers
     Backup media
     Passwords
     Encryption
Data Life Cycle

   Collection & Transmission
   Storage & Access to data
   Data sharing & Duplication
   Destruction
AICPA Privacy Principles

   Management
   Notice
   Choice & Consent
   Collection
   Use & Retention
   Access
   Disclosure
   Security
   Quality
   Monitor & Enforce
Risk Reduction

   Risk can’t be eliminated
   Reduce Risk by
     Privacy Practices & Procedures
     Demonstrated Commitment to Privacy Protection
   Have a
     Plan
     Response Team Ready to Act
Response to Breach

   Notify Response Team
   Coordinate with Legal Counsel
   Proactive Response
   Consider
     Nature of compromise
     Type of info taken
     Likelihood of misuse
     Potential damage
     Need for notification
Notification

   Consult w/Law enforcement
   Designate Contact Person
   Notify potential victims
     How, what, where, when
     How to reach contact person
     Response taken
     What victim should do
Conclusion

   ID Theft a Growing Problem
     For Individuals and Companies
   Policies: Prevent, Detect, Respond
     Consumers and Businesses
     Make education and awareness a priority
     Use Advanced Technology
Identity Theft

   Questions?
   Comments?