Phishing and Pharming by liwenting


Identity Theft

Valerie Kimball, CPA, MBA
Views contained herein do not purport to reflect the position of DCAA or Dept of Defense
Overview

- Methods
- Growth of Problem
- Source Countries
- Costs
- Laws/Prosecution
- Prevention
- Impact to CPAs and their clients
- Response to a security breach

Do you . . .

- keep your PIN in your wallet or write it on ATM/credit cards?
- only carry the ATM/credit cards you plan to use?
- always carefully review transactions before paying the bill?
- always shred bank statements and credit-card bills?

Do you . . .

- tear up or shred pre-approved credit card forms?
- request and review a copy of your credit report at least once a year?
- check with the post office if the mail volume drops off?
- leave PI in your car?
- know who to call if you think you might be a victim of identity theft?

Does Your Firm

- Require the use of computer passwords?
- Require passwords be changed periodically?
- Use encrypted USB flash drives?
- Have security policies with a set of plans to deal with potential breaches?
Methods of Identity Theft

- Low-tech methods
- Scanners, Cameras, Hackers
- Phishing & Phishing Lures
  - Spear-Phishing
  - Vishing
  - Whaling
- Pharming
- Botnets

Low Tech ID Theft

- Lost or stolen items
- Shoulder Surfing
- Dumpster Diving
- Mail Intercepts
- Change of Address Card
- Cold calls

Scanners, Cameras, Hackers

- Skimming Devices – card readers
  - ATMs
  - Gas Stations
- Cameras may or may not be used
- Hackers
  - Failure to safeguard customer data
  - No defense once security breached
PHISHING

- Bulk e-mail
  - Seek identity
  - Speed: 14 hours
  - Specialists divide work
- Opportunistic crime
  - Anonymous
  - Official-looking
  - Lure: easy money
PHISHING LURES

- Bulk bogus e-mails
- Spoofed web sites
- Black market for data
- Strategies
  - Hide the real
  - Show the false
- Few barriers to entry
- Phishing pays
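The "hide the real, show the false" strategy leaves a mechanical trace in the message itself: the visible text of a link and its actual destination disagree. The following added example (not part of the presentation) parses the links in an HTML e-mail and reports the ones a reader should not trust; the sample message, the hostnames and the trusted-host list are constructed for illustration.

```python
# Added example, not from the presentation: flag e-mail links whose real
# destination is hidden behind a legitimate-looking display text (constructed data).
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Links(HTMLParser):
    # Collect (href, visible text) for every <a> element in the message.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._buf = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None

def _host(text):
    """Hostname of a URL; display text often omits the scheme, so supply one."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def suspicious_links(html, trusted_hosts):
    """(href, reason) for each untrustworthy link; trusted_hosts = hostnames the brand really uses."""
    parser = _Links()
    parser.feed(html)
    brands = {t.split(".")[-2] for t in trusted_hosts}   # e.g. "bank" from www.bank.example
    findings = []
    for href, shown in parser.links:
        real = _host(href)
        shown_host = _host(shown) if re.fullmatch(r"\S+\.\S+", shown) else ""
        trusted = any(real == t or real.endswith("." + t) for t in trusted_hosts)
        if shown_host and shown_host != real:
            findings.append((href, "text shows %s but link goes to %s" % (shown_host, real)))
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real):
            findings.append((href, "raw IP address instead of a domain name"))
        elif not trusted and any(b in real for b in brands):
            findings.append((href, "brand name inside an untrusted domain %s" % real))
    return findings

# Constructed sample: one honest link, one spoofed display text, one raw-IP lure.
SAMPLE_MAIL = """<p>Dear customer,</p>
<a href="https://www.bank.example/help">https://www.bank.example/help</a>
<a href="http://www.bank.example.secure-login.test/verify">https://www.bank.example/verify</a>
<a href="http://192.0.2.10/login">Log in now</a>"""
```

Calling `suspicious_links(SAMPLE_MAIL, {"www.bank.example"})` reports the second and third links and leaves the honest first one alone.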
SPEAR-PHISHING

- Lures specific victims
- Harder to detect
  - Imitate known sender
  - Linked to sophisticated criminals
- Victims keep silent
- No way to protect PCs

SPEAR-PHISHING

- Cost effective
  - Set-up fee: $100
  - Server: $300/month
  - Spam program: $1,200/month
  - Addresses: $1,900/month
- Someone always bites
- Goal: automation
  - Small effort, big effect
  - Customized databases of company logos for sale

Vishing

- Newest Scam – Voice Phishing
- Two methods:
  - On-line with email
  - Automated dialing programs – cold calls
- Both urge call to toll-free #
- Automated prompt for PI

Whaling

- Aimed at country's top executives
- "Official" US District Court Subpoenas
- Link to download subpoena
  - Instead downloads keystroke-logging software
  - Remote control software
- Fewer than 40% of anti-virus products recognized the attack
PHARMING

- Form of phishing
- Malicious program
  - Secretly installed
  - Displays correct web address
  - Domain-name server redirects to fraudulent site
  - Keylogger program
CASTING NETS

- Pharmers redirect Internet traffic via
  - Website spelling errors
  - Malware: Browser-in-the-Middle
  - Slamming
- DNS Poisoning
  - Alters addresses
  - Legitimate URL = fraudulent web site
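Both pharming routes above can be checked from the defender's side: a planted hosts-file entry or a poisoned resolver makes the legitimate name resolve somewhere it should not, and a spelling-error domain sits a few edits away from the brand it imitates. The following added example (not part of the presentation) performs those checks on constructed data only; the hosts-file text, resolver answers and domain names are all made up and nothing touches the network.

```python
# Added example, not from the presentation: defender-side checks for the pharming
# techniques above (hosts-file/DNS redirection, lookalike names). Constructed data only.

def parse_hosts(text):
    """Map hostname -> address for every entry in hosts-file text; comments ignored."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            entries[name.lower()] = fields[0]
    return entries

def pharming_findings(hostname, hosts_map, local_answers, reference_answers):
    """Reasons to distrust how hostname resolved on this machine.
    local_answers: addresses from the machine's configured resolver;
    reference_answers: addresses from an independent resolver you trust."""
    hostname = hostname.lower()
    findings = []
    if hostname in hosts_map:
        # A hosts entry wins over DNS: a planted line sends the real URL to the
        # attacker's server while the address bar still shows the legitimate name.
        findings.append("hosts file overrides %s -> %s" % (hostname, hosts_map[hostname]))
    if set(local_answers) != set(reference_answers):
        findings.append("resolvers disagree: local %s vs reference %s"
                        % (sorted(local_answers), sorted(reference_answers)))
    return findings

def edit_distance(a, b):
    """Levenshtein distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalikes(hostname, brand_hosts, max_distance=2):
    """Brand hostnames that hostname imitates through a spelling error."""
    hostname = hostname.lower()
    return [b for b in brand_hosts if b != hostname and edit_distance(hostname, b) <= max_distance]

# Constructed sample: a hosts entry planted to redirect the bank's real name.
SAMPLE_HOSTS = "127.0.0.1 localhost\n198.51.100.7 www.bank.example  # planted\n"

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for f in pharming_findings("www.bank.example", hosts, ["198.51.100.7"], ["203.0.113.5"]):
        print(f)
    print(lookalikes("www.bnak.example", ["www.bank.example"]))
```

In real use the two answer lists would come from the local resolver and from an independent one (for example a DNSsec-validating resolver), which is exactly the comparison the DNSsec slide later relies on.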
Botnets
Automate & Amplify

- Distributed by
  - Email attachments
  - Pirated software
  - Freeware
- Programs created by small groups
  - Harness infected PCs
  - Controlled by IRC

Botnets

- Uses:
  - Scan PCs for sensitive data
  - Drain online bank accounts
  - Generate spam, e.g. stock pump & dump
- A payload delivery system
  - 250k new infections per day
  - 80% of spam from Botnets

DNSsec

- DNS security extensions
  - Similar to IP security protocol
  - Verifies address unaltered
- Under-utilized
  - Effective only in tight community
  - Impractical to secure sub-domains
- Effective for top-level domains .com, .org
- Sweden & Puerto Rico implemented
GROWTH OF PROBLEM

- Tremendous growth in numbers
  - More data breaches in 1st half of 2008 than in all of 2007
  - 2007: 127M records
- Perimeter Defenses
  - Firewalls/Anti-Virus
  - No defense once in
- Result: new tactics target
  - Individual PCs
  - Web sites

Phishing Hosts

- Host one or more phishing web sites
- Increase of 167% between 1st & 2nd half of 2007
- 559% increase in detected sites in 1 year (2006 to 2007)
- How many undetected?

Targets

- Financial Services Sector 66%
- ISP obvious target (change 3% to 18%)
  - Frequent use of same passwords
  - Multiple Accounts
  - Access to all accounts
- End Users
  - 44% ID, credit cards, financial details
  - 22% bank accounts
Black Market Economy

- Specialization of Goods & Services
- Outsourcing of Production
- Multivariate Pricing
- Adaptable Business Models

Specialization

- Specialized Programmers
  - Economies of scale
  - Increased return on investment
  - High Volume of new malicious code
- Types of Activities
  - Phishing: most common origin Romania

Outsourcing

- Automated Phishing Toolkits
- Sold in black market
- Hard to obtain, expensive
- Set of scripts to automatically set up phishing web sites
- 3 most popular = 26% of observed attacks

Multivariate Pricing

- Supply and Demand: $0.40 - $20 per CC
- Price depends on source and rarity
  - EU cost more than US
  - US CC = 62% of cards advertised
  - EU IDs cost 50% more than US
  - EU citizens cross borders w/o passports

Bulk & Bundled Pricing

- Bulk pricing
  - Credit Cards 50/$40, 500/$200
  - ID 50/$100 (3rd most common item for sale)
- Value Added
  - Bank accounts with higher balances
  - Business Accounts
  - EU accounts
  - Bank Accounts w/PIN

Adaptable Business Model

- Ads for Credit Cards down 22%
  - High Profile Reports of lost data
  - Credit Card Cos better monitoring
  - Quicker to inform of suspicious activity
  - Not always accepted as payment
- Ads for Accounts with PI up 21%
SOURCE COUNTRIES

- Top countries:
  - United States 31%
  - China/Korea 9.0%
  - United Kingdom 2.1%
- Layers of organization
  - Low members in U.S.
  - Lead to high members
- International crime
  - Hard to prosecute
  - E-mail systems fail to reveal history

COSTS for Individuals

- Financial Costs
  - 9.9M victims 2008
  - $496 per victim = $4.9B
- Criminal ID Theft
  - Victim may be unaware
  - Victim's name never removed from record
  - Always linked to thief as alias

Costs for Businesses

- Financial
  - Data Breach = $6.3M
  - $197 per record
  - Security measures cost billions
  - Legal Liability
- Non-Financial Costs
  - Reputation
  - Loss of customers
  - Business disruption
Laws

- 1998 ID Theft & Assumption Deterrence Act
  - Made ID theft a separate crime against victim
- 2000 Internet False ID Prevention Act
  - Addresses websites that distribute counterfeit ID and credentials
- 2003 Federal Fair & Accurate Credit Transactions Act

TRACKING & PROSECUTION

- Wire fraud or Identity theft statutes (AIT 18 USC)
  - Crime already committed
- Anti-Phishing Act of 2005
  - 5 year jail term
  - $250,000 in fines
- Enforcement
  - Originate overseas
  - No jurisdiction
  - Exception: Case in Brazil

TRACKING & PROSECUTION

- ID Theft Task Force 5/10/2006
  - 15 Federal Depts. & Agencies
  - Comprehensive national strategy
- Strategic Plan
  - Data Protection
  - Avoiding Data Misuse
  - Victim Assistance
  - Deterrence: increase prosecution/punishment

TRACKING & PROSECUTION

- ID Theft Enforcement & Restitution Act of 2008
  - Authority to seek restitution for victims' time spent addressing harm suffered
  - Prosecution for corp. ID theft
  - Cybercrime provisions: malicious spyware, keyloggers, cyber-extortion
Personal Prevention

- Vigilance: monitor accounts
- Protect PI
- Move Online – cancel paper
- Who's Watching – awareness
- Guard Liability
- Use Credit Reports
- Shred all documents with PI & pre-approved applications

INDUSTRY

- Technology: Most impact over short-term
- Security Measures
  - Multi-factor authentication
  - Mutual authentication
  - Digital certificate

Business Prevention

- Domain Names
  - Renew Frequently
  - Investigate Similar
- Cardholder Use Patterns
- Software
  - Symantec
  - Bank of America

CONSUMER EDUCATION

- Consumer Awareness Critical
  - Most people don't realize they're being defrauded
  - Teach them how to protect themselves
  - Difference between legitimate and "spoofed" sites
  - Install updates frequently

Emerging Measures

- Biometric Features
- I-Card – Industry wide
  - Secure digital ID
  - Overseen by 3rd party
  - User controls info
  - Available now
New Internet

- Original designers
  - Academia and military use
  - Not world's communication & commerce
  - Little attention to security
- Current system
  - Anonymous
  - Focus on patching current system

A Fresh Start

- Advanced network
  - Academia, Federal & Industry
  - Test running by 8/09
- Improved Security
  - Effective tracking
  - No central point of control
  - No one organization will run
- Less Privacy/Anonymity
Impact to CPAs

- Cost-Benefit Analysis
- Risk Analysis
- Data Life Cycle
- Determine & Implement Plan
  - AICPA Privacy Principles

Risk Analysis

- Security Standards
  - Removable Media
  - Laptops
  - Secure servers
  - Backup media
  - Passwords
  - Encryption

Data Life Cycle

- Collection & Transmission
- Storage & Access to data
- Data sharing & Duplication
- Destruction

AICPA Privacy Principles

- Management
- Notice
- Choice & Consent
- Collection
- Use & Retention

AICPA Privacy Principles

- Access
- Disclosure
- Security
- Quality
- Monitor & Enforce
Risk Reduction

- Risk can't be eliminated
- Reduce Risk by
  - Privacy Practices & Procedures
  - Demonstrated Commitment to Privacy Protection
- Have a
  - Plan
  - Response Team Ready to Act

Response to Breach

- Notify Response Team
- Coordinate with Legal Counsel
- Proactive Response
- Consider
  - Nature of compromise
  - Type of info taken
  - Likelihood of misuse
  - Potential damage
  - Need for notification

Notification

- Consult w/Law enforcement
- Designate Contact Person
- Notify potential victims
  - How, what, where, when
  - How to reach contact person
  - Response taken
  - What victim should do

Conclusion

- ID Theft a Growing Problem
  - For Individuals and Companies
- Policies: Prevent, Detect, Respond
  - Consumers and Businesses
  - Make education and awareness a priority
  - Use Advanced Technology
Identity Theft

- Questions?
- Comments?