Identity Theft
Valerie Kimball, CPA, MBA
Views contained herein do not purport to reflect the position of DCAA or Dept of Defense

Overview
- Methods
- Growth of Problem
- Source Countries
- Costs
- Laws/Prosecution
- Prevention
- Impact to CPAs and their clients
- Response to a security breach

Do you . . .
- keep your PIN in your wallet or write it on ATM/credit cards?
- only carry the ATM/credit cards you plan to use?
- always carefully review transactions before paying the bill?
- always shred bank statements and credit-card bills?

Do you . . .
- tear up or shred pre-approved credit card forms?
- request and review a copy of your credit report at least once a year?
- check with the post office if the mail volume drops off?
- leave PI in your car?
- know who to call if you think you might be a victim of identity theft?

Does Your Firm
- Require the use of computer passwords?
- Require passwords be changed periodically?
- Use encrypted USB flash drives?
- Have security policies with a set of plans to deal with potential breaches?

Methods of Identity Theft
- Low-tech methods
- Scanners, Cameras, Hackers
- Phishing & Phishing Lures
- Spear-Phishing
- Vishing
- Whaling
- Pharming
- Botnets

Low Tech ID Theft
- Lost or stolen items
- Shoulder Surfing
- Dumpster Diving
- Mail Intercepts
- Change of Address Card
- Cold calls

Scanners, Cameras, Hackers
- Skimming Devices – card readers
  - ATMs
  - Gas Stations
- Cameras may or may not be used
- Hackers
  - Failure to safeguard customer data
  - No defense once security breached

PHISHING
- Bulk e-mail
- Seek identity
- Speed: 14 hours
- Specialists divide work
- Opportunistic crime
- Anonymous
- Official-looking
- Lure: easy money

PHISHING LURES
- Bulk bogus e-mails
- Spoofed web sites
- Black market for data
- Strategies
  - Hide the real
  - Show the false
- Few barriers to entry
- Phishing pays

SPEAR-PHISHING
- Lures specific victims
- Harder to detect
- Imitate known sender
- Linked to sophisticated criminals
- Victims keep silent
- No way to protect PCs

SPEAR-PHISHING
- Cost effective
  - Set-up fee $100
  - Server $300/month
  - Spam program $1,200/month
  - Addresses $1,900/month
- Someone always bites
- Goal: automation
  - Small effort, big effect
- Customized databases of company logos for sale

Vishing
- Newest Scam – Voice Phishing
- Two methods:
  - On-line with email
  - Automated dialing programs – cold calls
- Both urge call to toll-free #
- Automated prompt for PI

Whaling
- Aimed at country's top executives
- "Official" US District Court Subpoenas
  - Link to download subpoena
  - Instead downloads keystroke software
  - Remote control software
- <40% of anti-viruses recognized attack

PHARMING
- Form of phishing
- Malicious program
  - Secretly installed
  - Displays correct web address
- Domain-name server redirects to fraudulent site
- Keylogger program

CASTING NETS
- Pharmers redirect Internet traffic via
  - Website spelling errors
  - Malware: Browser-in-the-Middle
  - Slamming
  - DNS Poisoning
    - Alters addresses
    - Legitimate URL = fraudulent web site

Botnets
- Automate & Amplify
- Distributed by
  - Email attachments
  - Pirated software
  - Freeware
- Programs created by small groups
- Harness infected PCs
- Controlled by IRC

Botnets
- Uses:
  - Scan PCs for sensitive data
  - Drain online bank accounts
  - Generate spam, i.e. stock pump & dump
- A payload delivery system
- 250k new infections per day
- 80% of spam from Botnets

DNSsec
- DNS security extensions
- Similar to IP security protocol
- Verifies address unaltered
- Under-utilized
  - Effective only in tight community
  - Impractical to secure sub-domains
  - Effective for top-level domains .com, .org
- Sweden & Puerto Rico implemented

GROWTH OF PROBLEM
- Tremendous growth in #s
- More data breaches in 1st half 2008 than all of 2007
- 2007: 127M records
- Perimeter Defenses
  - Firewalls/Anti-Virus
  - No defense once in
- Result: new tactics target
  - Individual PCs
  - Web sites

Phishing Hosts
- Host one or more phishing web sites
- Increase of 167% between 1st & 2nd half 2007
- 559% increase in detected sites in 1 year (2006 to 2007)
- How many undetected?
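The "website spelling errors" and "Legitimate URL = fraudulent web site" lures above, and the "Investigate Similar" domain-name step under Business Prevention later in the deck, reduce to a check a firm can automate over hostnames seen in mail links or DNS logs. Added example, not from the presentation or its author; the protected brand domains and observed hostnames are constructed, and the confusable-character table is a small illustrative subset.

```python
"""Lookalike-domain triage for the pharming lures described above. Added
example, not from the original presentation; it assumes a firm keeps a list of
its own protected domains and sees hostnames from mail links or DNS logs."""

PROTECTED = ("examplebank.com", "examplecpa.com")  # constructed brands

# Visually confusable substitutions; multi-character pairs must run first.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def split_host(host):
    """Return (registrable domain, leading subdomain labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]

def normalize(label):
    """Fold confusable characters so 'exarnp1e' compares as 'example'."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance using the two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, protected=PROTECTED):
    """Label a hostname: legitimate, lookalike, embedded or unrelated."""
    reg, subs = split_host(host)
    if reg in protected:
        return "legitimate"
    sld = reg.split(".")[0]
    for brand in protected:
        brand_sld = brand.split(".")[0]
        # Same name on another TLD, a one-character typo, or a confusable spelling.
        if normalize(sld) == brand_sld or edit_distance(sld, brand_sld) <= 1:
            return "lookalike"
        # Brand name pushed into the subdomain of an unrelated domain.
        if brand_sld in subs or brand in ".".join(subs):
            return "embedded"
    return "unrelated"

if __name__ == "__main__":  # constructed sample feed
    for h in ["www.examplebank.com", "examplebank.org", "examp1ebank.com",
              "exarnplebank.com", "examplebank.com.secure-login.net"]:
        print(f"{classify(h):10s} {h}")
```

The check is a heuristic for triage: a "lookalike" or "embedded" verdict is a lead for the domain-name investigation the deck recommends, not proof of fraud.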
Targets
- Financial Services Sector 66%
- ISP obvious target (change 3% to 18%)
  - Frequent use of same passwords
  - Multiple Accounts
  - Access to all accounts
- End Users
  - 44% ID, credit cards, financial details
  - 22% bank accounts

Black Market Economy
- Specialization of Goods & Services
- Outsourcing of Production
- Multivariate Pricing
- Adaptable Business Models

Specialization
- Specialized Programmers
- Economies of scale
- Increased return on investment
- High Volume of new malicious code
- Types of Activities
- Phishing: most common origin Romania

Outsourcing
- Automated Phishing Toolkits
  - Sold in black market
  - Hard to obtain, expensive
  - Set of scripts to automatically set up phishing web sites
- 3 most popular = 26% of observed attacks

Multivariate Pricing
- Supply and Demand: $0.40 - $20 per CC
- Price depends on source and rarity
  - EU cost more than US
  - US CC = 62% of cards advertised
  - EU IDs cost 50% more than US
  - EU citizens cross borders w/o passports

Bulk & Bundled Pricing
- Bulk pricing
  - Credit Cards 50/$40, 500/$200
  - ID 50/$100 (3rd most common item for sale)
- Value Added
  - Bank accounts with higher balances
  - Business Accounts
  - EU accounts
  - Bank Accounts w/PIN

Adaptable Business Model
- Ads for Credit Cards down 22%
  - High Profile Reports of lost data
  - Credit Card Co's better monitoring
  - Quicker to inform of suspicious activity
  - Not always accepted as payment
- Ads for Accounts with PI up 21%

SOURCE COUNTRIES
- Top countries:
  - United States 31%
  - China/Korea 9.0%
  - United Kingdom 2.1%
- Layers of organization
  - Low members in U.S.
  - Lead to high members
- International crime
  - Hard to prosecute
  - E-mail systems fail to reveal history

COSTS for Individuals
- Financial Costs
  - 9.9M victims 2008
  - $496 per = $4.9B
- Criminal ID Theft
  - Victim may be unaware
  - Victim's name never removed from record
  - Always linked to thief as alias

Costs for Businesses
- Financial
  - Data Breach = $6.3M
  - $197 per record
  - Security measures cost billions
  - Legal Liability
- Non-Financial Costs
  - Reputation
  - Loss of customers
  - Business disruption

Laws
- 1998 ID Theft & Assumption Deterrence
  - Made ID theft a separate crime against victim
- 2000 Internet False ID Prevention Act
  - Addresses websites that distribute counterfeit ID and credentials
- 2003 Federal Fair & Accurate Credit Transactions Act

TRACKING & PROSECUTION
- Wire fraud or Identity theft statutes (AIT 18 USC)
  - Crime already committed
- Anti-Phishing Act of 2005
  - 5 year jail term
  - $250,000 in fines
- Enforcement
  - Originate overseas
  - No jurisdiction
  - Exception: Case in Brazil

TRACKING & PROSECUTION
- ID Theft Task Force 5/10/2006
  - 15 Federal Depts. & Agencies
  - Comprehensive national strategy
- Strategic Plan
  - Data Protection
  - Avoiding Data Misuse
  - Victim Assistance
  - Deterrence: increase prosecution/punishment

TRACKING & PROSECUTION
- ID Theft Enforcement & Restitution Act of 2008
  - Authority to seek restitution for victims' time spent addressing harm suffered
  - Prosecution for corp. ID theft
  - Cybercrime provisions: malicious spyware, keyloggers, cyber-extortion

Personal Prevention
- Vigilance: monitor accounts
- Protect PI
- Move Online – cancel paper
- Who's Watching – awareness
- Guard Liability
- Use Credit Reports
- Shred all documents with PI & pre-approved applications

INDUSTRY
- Technology: Most impact over short-term
- Security Measures
  - Multi-factor authentication
  - Mutual authentication
  - Digital certificate

Business Prevention
- Domain Names
  - Renew Frequently
  - Investigate Similar
- Cardholder Use Patterns
- Software
  - Symantec
  - Bank of America

CONSUMER EDUCATION
- Consumer Awareness Critical
- Most people don't realize they're being defrauded
- Teach them how to protect themselves
  - Difference between legitimate and "spoofed" sites
  - Install updates frequently

Emerging Measures
- Biometric Features
- I-Card – Industry wide
  - Secure digital ID
  - Overseen by 3rd party
  - User controls info
  - Available now

New Internet
- Original designers
  - Academia and military use
  - Not world's communication & commerce
  - Little attention to security
- Current system
  - Anonymous
  - Focus on patching current system

A Fresh Start
- Advanced network
  - Academia, Federal & Industry
  - Test running by 8/09
- Improved Security
  - Effective tracking
  - No central point of control
  - No one organization will run
  - Less Privacy/Anonymity

Impact to CPAs
- Cost-Benefit Analysis
- Risk Analysis
- Data Life Cycle
- Determine & Implement Plan
- AICPA Privacy Principles

Risk Analysis
- Security Standards
  - Removable Media
  - Laptops
  - Secure servers
  - Backup media
  - Passwords
  - Encryption

Data Life Cycle
- Collection & Transmission
- Storage & Access to data
- Data sharing & Duplication
- Destruction

AICPA Privacy Principles
- Management
- Notice
- Choice & Consent
- Collection
- Use & Retention

AICPA Privacy Principles
- Access
- Disclosure
- Security
- Quality
- Monitor & Enforce

Risk Reduction
- Risk can't be eliminated
- Reduce Risk by
  - Privacy Practices & Procedures
  - Demonstrated Commitment to Privacy Protection
- Have a Plan
  - Response Team Ready to Act

Response to Breach
- Notify Response Team
- Coordinate with Legal Counsel
- Proactive Response
- Consider
  - Nature of compromise
  - Type of info taken
  - Likelihood of misuse
  - Potential damage
  - Need for notification

Notification
- Consult w/Law enforcement
- Designate Contact Person
- Notify potential victims
  - How, what, where, when
  - How to reach contact person
  - Response taken
  - What victim should do

Conclusion
- ID Theft a Growing Problem
  - For Individuals and Companies
- Policies: Prevent, Detect, Respond
  - Consumers and Businesses
- Make education and awareness a priority
- Use Advanced Technology

Identity Theft
Questions? Comments?