Identity protection in this wired world
Described by the federal Fair
Credit Reporting Act as "the use
or attempted use of an account or
identifying information without the
Federal and state authorities alike have
labeled it the country's fastest-growing
white-collar crime since the late 1990s.
The number of people victimized annually
was last estimated at about 10 million by
the Federal Trade Commission.
It is a problem that has affected millions of
Americans, including Oprah Winfrey, Bill
Gates, and Tiger Woods. Chances are it has
hurt someone in this room.
Cost of ID Theft?
US victims spend an average of
$1,500 and 175 hours to recover
Current annual cost - $56.6
Average loss per victim $6,383.
Businesses spend an average of
$18,000 per incident.
U.S. business spend over $400
billion per year just on the
We shred financial documents and unsolicited,
pre-approved credit card offers; check credit
reports regularly; keep Social Security numbers
as private as possible; delete e-mail from
unknown senders as soon as it arrives; and
frequently update antivirus, firewall and spam-
We're All Vulnerable
We live in an age where everything
from tax records to Social Security
numbers to credit card data resides in
databases that can be hacked,
phished or pharmed by anyone with
sinister motives and enough know-
ID Theft: A Growing Concern
At least 130 reported breaches exposed
more than 55 million Americans to potential
identity theft in 2005.
Identity theft in is the fastest growing crime
in the United States.
Recent Reported Data Exposures
Department of Energy 1,500
Internal Revenue Service 291
Bank of America 1.2 million
CardSystems 40 million
Citi Financial 3.9 million
Time Warner 600,000
Department of Veterans Affairs 26.5 million
United States Air Force 33,000
ID Theft Complaints by Consumer Age
Under 18 18-29 30-39 40-49 50-59 60+
2005 Percentages by age
Deter identity thieves by
safeguarding your information.
Detect suspicious activity by
routinely monitoring your financial
accounts and billing statements.
Defend against ID theft as soon as
you suspect a problem.
Common Ways ID Theft Happens
Change of Address Scheme
This is by far the most common cause
of identity theft cases.
Lost or stolen identification
Lost or stolen schedulers
Lost or stolen PDA or computers
Lost or stolen storage devices
The Red Flag!
You have mail!
Criminals engage in "dumpster diving" -
going through your garbage cans or a
communal dumpster or trash bin -- to
obtain copies of your checks, credit card or
bank statements, or other records that
typically bear your name, address, and
even your telephone number.
These types of records make it easier for
criminals to get control over accounts in
your name and assume your identity.
Thieves target account information
embedded in ATM, debit and credit cards by
breaking into or otherwise compromising
the equipment and systems used for
The California Bankers Association reported
in 2005 that scammers had taken to
attaching wireless video cameras to the
front of ATMs in hopes of capturing your
card number and PIN from a remote
Phishing is the act of tricking someone into
giving out confidential information or tricking
them into doing something that they normally
wouldn’t do or shouldn’t do.
Gartner, a market-research firm, reports that
in the 12 months ending in May 2005, phishers
duped 2.4 million Americans into revealing
personal info, costing victims, banks and credit
card companies $929 million.
The volume of phishing e-mail has reached
astounding levels at over 1.5 billion messages
Change of Address Scheme
Rerouting your mail is easier than you might think.
If you have bank or credit card accounts, you should
be receiving monthly statements that list transactions
for the most recent month or reporting period.
Check the Post Office for change of address cards on
If you're told that your statements are being mailed
to another address that you haven't authorized, tell
the Postmaster, financial institution, or credit card
representatives immediately that you did not
authorize the change of address and that someone
may be improperly using your information.
ID thieves just ask for your personal
In one common approach, they claim
to be conducting a survey on behalf
of your bank and ask questions
designed to get your account number,
date of birth, social security number,
The rise of Internet use brings more
deceptive and misleading promotions,
bogus travel offers, contests, lotteries, and
other illegal practices on the Web.
Always use common sense. If you have a
gut feeling that something is not legitimate,
you’re probably right.
Make sure the company has a phone
number and a physical address – not just a
post office box or e-mail address.
Maybe you've heard of "pharming," in
which legitimate websites are hit with
malicious computer code that steers
those visiting them to look-alike sites.
Data can then be harvested without a
key being struck. In a twist, there's
crimeware that instead attacks
browsers (Internet Explorer, for one)
and does its pharming from there.
Another ripe target for identity thieves: the
wireless networks that more and more
companies and individuals are setting up.
Failure to block access to these networks
can allow prying eyes into your hard drive,
where you may store financial information
in programs like Quicken.
An unsecured wireless access point can
open the door to more than just data theft.
Access into your company through mobile
devices or gadgets.
But Wait! There Is More
Fake Jury Duty Con
"IRS" Phishing Scam
Internet Telephony Trickery
Child Identity Theft
The Next Targets?
Child Identity Theft
An estimated 400,000 children had their identities
stolen in 2005.
Two-thirds of child ID thefts are perpetrated by family
Instruct your children NEVER to give out any personal
information over the Internet, such as whole names,
addresses, phone numbers, school names or
Instruct your children to tell you about -- and not
respond to -- any messages they read that make
them feel uncomfortable.
Order credit reports on your child from the three
nationwide credit bureaus. The credit search should
come up empty.
Eavesdroppers and Snoopers
Eavesdroppers listen to your
conversations without your
Snoopers observe your computer
screen or items on your desk without
Bluetooth technology may provide a
speakerphone behind closed doors.
The Next Targets
Homeland Security has warned that cell
phones and other handhelds (like
BlackBerrys) are becoming increasingly
vulnerable to hackers and viruses.
Instant messaging (IM) is becoming a
More attacks on browsers with the intent of
embedding crimeware on PCs.
Popular blogs and social networking sites
Safeguard Your Information
Shred paperwork with personal information and financial documents
before you discard them.
Don’t carry your Social Security card in your wallet or write your Social
Security number on a check. Give it out only if absolutely necessary;
you can always ask to use another identifier.
Don’t give out personal information on the phone, through the mail, or
over the Internet unless you are sure who you are dealing with.
Never click on links sent in unsolicited emails; instead, type in a web
address you know.
Don’t use obvious passwords. Your mother’s maiden name, or the last
four digits of your Social Security number – all are obvious passwords.
Keep your personal information in a secure place at home, especially if
you have roommates, employ outside help, or are having work done in
If someone has stolen information
about your financial accounts, it’s best
to wait for several weeks to see what
they do with it before taking action?
The answer is?
Your best first step is to contact your
credit card companies and close your
accounts. Also, talk with your bank
about whether to close other accounts
or take other steps.
One of the best ways to protect your identity is
by using online passwords only you would know
– like your mother’s maiden name or the last
four digits of your Social Security Number?
The answer is?
This is an incorrect statement. Crooks can often
find this type of information about you … and
then, it’s “so long, identity!” It’s better to use
random numbers and letters, and commit them
If the stolen information includes your
Social Security Number, you can place
an “initial fraud alert” by calling one of
the three nationwide consumer
The answer is?
Correct! Placing such an alert can help
stop someone from opening new credit
accounts in your name.
If someone has stolen your identity,
and then you notice you’re no longer
receiving bills from creditors, this is a
sign that your identity has been
The answer is?
No! If bills stop coming, it may be a
sign that someone is still “hijacking”
your identity, and changing the
address your bills are being sent to.
The names of the three nationwide
consumer reporting companies are
Equinox, ExperiCorps, and
The answer is?
Good eye! The actual names are
Equifax, Experian, and TransUnion. If
you would like a free annual credit
report, visit annualcreditreport.com.
Identity theft refers only to the theft of
drivers’ licenses or name badges?
The answer is?
While those are types of identity theft,
the term refers to a broad variety of
criminal misuses of your name, Social
Security Number, and financial
My employer protects personally
identifying information from hackers
and other external threats. My identity
is perfectly safe right?
The answer is?
While reasonable controls may be in
place protecting the corporate
perimeter, the REAL threat comes from
the “Trusted” employee with access
and control of this information.
Individual Quick Facts
It’s important to protect your personal information, and to take certain steps
quickly to minimize the potential damage from identity theft if your
information is accidentally disclosed or deliberately stolen:
Close compromised credit card accounts immediately.
If someone steals your social security number (SSN), contact one of the three nationwide
consumer reporting agencies — Equifax, Experian, or TransUnion — and place an initial
fraud alert on your credit reports.
Monitor your credit report. Keep in mind that fraudulent activity may not show up right away.
Consult with your financial institution about handling the effects on bank or brokerage
Contact relevant government agencies to cancel and replace any stolen drivers licenses or
other identification documents, and to ―flag‖ your file.
Watch for signs of identity theft: late or missing bills, receiving credit cards that you didn’t
apply for, being denied credit or offered less favorable terms for no apparent reason, or
getting contacted by debt collectors or others about purchases you didn’t make.
Tell Tale Signs
You are receiving credit cards that you
didn't apply for.
You are being denied credit, or being
offered less favorable credit terms, like a
high interest rate, for no apparent reason.
You are getting calls or letters from debt
collectors or businesses about
merchandise or services you didn't buy.
Here's What To Do
File a report with your local police or the police in the
community where the identity theft took place. Get a copy
of the report or at the very least, the number of the report,
to submit to your creditors and others that may require
proof of the crime.
Contact the fraud departments of any one of the three
consumer reporting companies to place a fraud alert on
your credit report.
Close the accounts that you know or believe have been
tampered with or opened fraudulently.
File your complaint with the FTC. The FTC maintains a
database of identity theft cases used by law enforcement
agencies for investigations.
Loss of productivity
Loss of intellectual property
Damage to reputation
Damage to business
Attacks are perpetrated by people with
trusted insider status.
Insiders pose a far greater threat to
organizations in terms of potential cost per
occurrence and total potential cost than
attacks mounted from outside.
Insider threat motivators
Trust and physical access
Inside Attackers Profile
17-60 years old
Holds a technical position (86%
May or may not be married (50/50
Racially and ethnically diverse
In 92 percent of the incidents investigated, revenge was
the primary motivator.
Sixty-two percent of the attacks were planned in
Eighty percent exhibited suspicious or disruptive
behavior to their colleagues or supervisors before the
Only 43 percent had authorized access (by policy, not
necessarily via system control).
Sixty-four percent used remote access to carry out the
Most incidents required little technical sophistication.
Employee social security numbers
Employee salary data
Employee banking data
Employee health data
Customer credit card data
Customer banking data
Customer credit history data
Corporate financial information
SOX - Sarbanes-Oxley
PCI – Payment Card Industry
HIPAA - Health Insurance Portability
and Accountability Act
GLBA - Gramm-Leach Bliley Act
DOI – Department of Insurance
State specific regulations
Internal attacks cost U.S. business
$400 billion per year, according to a
national fraud survey conducted by
The Association of Certified Fraud
$348 billion can be tied directly to
Organizational Quick Facts
It’s important to protect your customer’s and employee’s information, and to
take certain steps quickly to minimize the potential damage from critical
information if it is accidentally disclosed or deliberately stolen:
Although white collar criminal charges are usually
brought against individuals, corporations may also be
subject to sanctions for these types of offenses.
Encourage open communication regarding issues of
misconduct, and provide a confidential and anonymous
mechanism for stakeholders to report fraud without
fear of retaliation.
Be prepared to promptly review, assess, investigate
and resolve reported issues.
Set policies and train stakeholders on important
policies related to organizational risk.
Decide who will be notified about tips or
2005 Law Enforcement Contact
Victims Did Made
Not Notify 30%
Beating the Thieves
Install security software and stay current with the latest patches.
Always be suspicious of unsolicited e-mail.
Monitor the volume and origin of pop-up ads. A change may signal something
Visit the FBI's new Web site, lookstoogoodtobetrue.gov, for tips.
Use debit cards like credit cards, i.e., with a signature, not a PIN code.
If you live in one of the 20 states where it's possible, place a freeze on credit
reports. This stops any credit activity in your name unless you specifically initiate
Keep an eye out for "skimmers" lurking in places where you use cards or keep
customer credit information.
Enable encryption on wireless routers immediately upon setting up a home or
Shop only on secure Web sites (look for the padlock or "https" in the address
bar); use credit, not debit, cards; don't store your financial info in an "account" on
the Web site.
Be mindful of the insider threat!
Identity Triad – Recommended personal credit review cycle.
T-1 T-2 T-3
http://www.experian.com http://www.equifax.com http://www.transunion.com
T-1 = January, February, March, April
T-2 = May, June, July, August
T-3 = September, October, November, December
Monitor Your Credit Report
Review and monitor your credit report!
Visit www.annualcreditreport.com to obtain your free
Citi Credit Monitoring Service:
Credit Expert: http://www.creditexpert.com
Credit Manager: www.experian.com
If you suspect you are a victim place a fraud alert on
your credit report.
Michael D. Peters
Director of Security Services
Lazarus Alliance Inc.
Michael is a founding member of Lazarus Alliance Incorporated. He has more than 20 years of networking and
system development experience. He is an MBA, CISSP and is certified in several products which include Sun
More than 14 years of his experience has been devoted to information and network security for organizations
from United States Defense, Healthcare, Software Development, Manufacturing, Transportation, Insurance,
Communications, and Financial markets.
Michael received his MBA in Information Technology Management from Western Governors University.
He is the creator of "SafetyNET" which is a UNIX based intrusion prevention appliance suite available only from
The innovator behind the Holistic Operational Readiness Security Evaluation (HORSE) project and Wiki.
A contributing author to the Sun Microsystems BigAdmin community, Wikipedia, Snort.org, SANS.org, and The
White Hat Encyclical.
Michael D. Peters is currently the President of the Kentuckiana chapter of the Information Systems Security
Association (ISSA) and WGU Alumni InfoSec Forum Moderator.
Guest speaker on matters of security especially concerning compliance, auditing, investigation, and best
practices for secure computing to various organizations, Public Radio, technical institutions, and in University
Lazarus Alliance Inc.
Lazarus Alliance Incorporated offers professional services and products dealing exclusively in the areas of
Security Architecture and Engineering, Compliance Auditing, Risk Assessments, Penetration Testing,
Incident Response, Forensic Analysis, and Disaster Recovery. Delivering security with integrated products
and expert services to ASSESS, PROTECT, EMPOWER and MANAGE business processes and information
The Lazarus Alliance professional security assessment auditor.s provide expert assistance to your
organization in all areas of information protection and assurance. We are focused on helping companies in all
industries improve their current security posture. Providing the compliance resources our clients require for
ISO 17799, HIPAA, Sarbanes Oxley, Gramm-Leach-Bliley, and other legislation is the heart of the Lazarus
Alliance security audit practice.
The Lazarus Alliance research and development engineers have created world-class security solutions.
Lazarus Alliance protects your digital assets and business processes. We offer the SafetyNET suite of
Intrusion Prevention and Intrusion Detection appliances that are available only from Lazarus Alliance. Our
customers benefit from personal attention, zero-day solutions, and ingenious security solutions.
The Lazarus Alliance consulting service team empowers our clients with the expert knowledge our
consultant's provide. The Lazarus Alliance consulting team provides more than security products and
services, they provide value added expert level advice and information during the life cycle with our client's
engagements and customer relationships.
The Lazarus Alliance security service organization teams provides managed security services to our
customers leveraging the expertise and knowledge of the Lazarus Alliance research and development
engineers, the Lazarus Alliance security consultants, and security service team.