ID-Theft-MDP-2006090101 by liuqingzhan


									Personal Privacy
  Identity protection in this wired world
Identity Theft?
Described by the federal Fair
Credit Reporting Act as "the use
or attempted use of an account or
identifying information without the
owner's permission―.
Simple Facts
 Federal and state authorities alike have
  labeled it the country's fastest-growing
  white-collar crime since the late 1990s.
 The number of people victimized annually
  was last estimated at about 10 million by
  the Federal Trade Commission.
 It is a problem that has affected millions of
  Americans, including Oprah Winfrey, Bill
  Gates, and Tiger Woods. Chances are it has
  hurt someone in this room.
Cost of ID Theft?
         US victims spend an average of
          $1,500 and 175 hours to recover

         Current annual cost - $56.6
         Average loss per victim $6,383.
         Businesses spend an average of
          $18,000 per incident.
         U.S. business spend over $400
          billion per year just on the
          insider threat.
Cyber Streetwise
We shred financial documents and unsolicited,
pre-approved credit card offers; check credit
reports regularly; keep Social Security numbers
as private as possible; delete e-mail from
unknown senders as soon as it arrives; and
frequently update antivirus, firewall and spam-
blocking software.

But …..
We're All Vulnerable
 We live in an age where everything
  from tax records to Social Security
  numbers to credit card data resides in
  databases that can be hacked,
  phished or pharmed by anyone with
  sinister motives and enough know-
ID Theft: A Growing Concern
 At least 130 reported breaches exposed
  more than 55 million Americans to potential
  identity theft in 2005.
 Identity theft in is the fastest growing crime
  in the United States.
Recent Reported Data Exposures
   Department of Energy 1,500
   Internal Revenue Service 291
   ChoicePoint 145,000
   Bank of America 1.2 million
   CardSystems 40 million
   Citi Financial 3.9 million
   Time Warner 600,000
   Department of Veterans Affairs 26.5 million
   United States Air Force 33,000
ID Theft Complaints by Consumer Age



  Under 18   18-29      30-39      40-49       50-59   60+
                     2005 Percentages by age
Be Vigilant
 Deter identity thieves by
  safeguarding your information.
 Detect suspicious activity by
  routinely monitoring your financial
  accounts and billing statements.
 Defend against ID theft as soon as
  you suspect a problem.
Common Ways ID Theft Happens
   Common Theft
   Dumpster Diving
   Skimming
   Phishing Schemes
   Change of Address Scheme
   Pretexting
   Work-at-Home Swindle
   Pharming
   Unwanted Guests
Common Theft
 This is by far the most common cause
  of identity theft cases.
 Lost or stolen identification
 Lost or stolen schedulers
 Lost or stolen PDA or computers
 Lost or stolen storage devices
 Company insiders

  and …
The Red Flag!
   You have mail!
   Checks
   Bills
   Account information
   Pre-approved
Dumpster Diving
 Criminals engage in "dumpster diving" -
  going through your garbage cans or a
  communal dumpster or trash bin -- to
  obtain copies of your checks, credit card or
  bank statements, or other records that
  typically bear your name, address, and
  even your telephone number.
 These types of records make it easier for
  criminals to get control over accounts in
  your name and assume your identity.
 Thieves target account information
  embedded in ATM, debit and credit cards by
  breaking into or otherwise compromising
  the equipment and systems used for
  processing payments.
 The California Bankers Association reported
  in 2005 that scammers had taken to
  attaching wireless video cameras to the
  front of ATMs in hopes of capturing your
  card number and PIN from a remote
Phishing Schemes
 Phishing is the act of tricking someone into
  giving out confidential information or tricking
  them into doing something that they normally
  wouldn’t do or shouldn’t do.
 Gartner, a market-research firm, reports that
  in the 12 months ending in May 2005, phishers
  duped 2.4 million Americans into revealing
  personal info, costing victims, banks and credit
  card companies $929 million.
 The volume of phishing e-mail has reached
  astounding levels at over 1.5 billion messages
  a day.
Change of Address Scheme
 Rerouting your mail is easier than you might think.
 If you have bank or credit card accounts, you should
  be receiving monthly statements that list transactions
  for the most recent month or reporting period.
 Check the Post Office for change of address cards on
 If you're told that your statements are being mailed
  to another address that you haven't authorized, tell
  the Postmaster, financial institution, or credit card
  representatives immediately that you did not
  authorize the change of address and that someone
  may be improperly using your information.
 ID thieves just ask for your personal
 In one common approach, they claim
  to be conducting a survey on behalf
  of your bank and ask questions
  designed to get your account number,
  date of birth, social security number,
Work-at-Home Swindle
 The rise of Internet use brings more
  deceptive and misleading promotions,
  bogus travel offers, contests, lotteries, and
  other illegal practices on the Web.
 Always use common sense. If you have a
  gut feeling that something is not legitimate,
  you’re probably right.
 Make sure the company has a phone
  number and a physical address – not just a
  post office box or e-mail address.
 Maybe you've heard of "pharming," in
  which legitimate websites are hit with
  malicious computer code that steers
  those visiting them to look-alike sites.
  Data can then be harvested without a
  key being struck. In a twist, there's
  crimeware that instead attacks
  browsers (Internet Explorer, for one)
  and does its pharming from there.
Unwanted Guests
 Another ripe target for identity thieves: the
  wireless networks that more and more
  companies and individuals are setting up.
 Failure to block access to these networks
  can allow prying eyes into your hard drive,
  where you may store financial information
  in programs like Quicken.
 An unsecured wireless access point can
  open the door to more than just data theft.
 Access into your company through mobile
  devices or gadgets.
But Wait! There Is More
   Fake Jury Duty Con
   Medicare Fraud
   "IRS" Phishing Scam
   Internet Telephony Trickery
   Grant Flimflams
   Child Identity Theft
   The Next Targets?
Child Identity Theft
 An estimated 400,000 children had their identities
  stolen in 2005.
 Two-thirds of child ID thefts are perpetrated by family
 Instruct your children NEVER to give out any personal
  information over the Internet, such as whole names,
  addresses, phone numbers, school names or
 Instruct your children to tell you about -- and not
  respond to -- any messages they read that make
  them feel uncomfortable.
 Order credit reports on your child from the three
  nationwide credit bureaus. The credit search should
  come up empty.
Eavesdroppers and Snoopers
 Eavesdroppers listen to your
  conversations without your
 Snoopers observe your computer
  screen or items on your desk without
  your knowledge.
 Bluetooth technology may provide a
  speakerphone behind closed doors.
The Next Targets
 Homeland Security has warned that cell
  phones and other handhelds (like
  BlackBerrys) are becoming increasingly
  vulnerable to hackers and viruses.
 Instant messaging (IM) is becoming a
  popular target.
 More attacks on browsers with the intent of
  embedding crimeware on PCs.
 Popular blogs and social networking sites
Safeguard Your Information
   Shred paperwork with personal information and financial documents
    before you discard them.
   Don’t carry your Social Security card in your wallet or write your Social
    Security number on a check. Give it out only if absolutely necessary;
    you can always ask to use another identifier.
   Don’t give out personal information on the phone, through the mail, or
    over the Internet unless you are sure who you are dealing with.
   Never click on links sent in unsolicited emails; instead, type in a web
    address you know.
   Don’t use obvious passwords. Your mother’s maiden name, or the last
    four digits of your Social Security number – all are obvious passwords.
   Keep your personal information in a secure place at home, especially if
    you have roommates, employ outside help, or are having work done in
    your house.
 If someone has stolen information
  about your financial accounts, it’s best
  to wait for several weeks to see what
  they do with it before taking action?

The answer is?

  Your best first step is to contact your
  credit card companies and close your
  accounts. Also, talk with your bank
  about whether to close other accounts
  or take other steps.
 One of the best ways to protect your identity is
  by using online passwords only you would know
  – like your mother’s maiden name or the last
  four digits of your Social Security Number?

The answer is?

   This is an incorrect statement. Crooks can often
   find this type of information about you … and
   then, it’s “so long, identity!” It’s better to use
   random numbers and letters, and commit them
   to memory.
 If the stolen information includes your
  Social Security Number, you can place
  an “initial fraud alert” by calling one of
  the three nationwide consumer
  reporting companies?

The answer is?

  Correct! Placing such an alert can help
  stop someone from opening new credit
  accounts in your name.
 If someone has stolen your identity,
  and then you notice you’re no longer
  receiving bills from creditors, this is a
  sign that your identity has been

The answer is?

  No! If bills stop coming, it may be a
  sign that someone is still “hijacking”
  your identity, and changing the
  address your bills are being sent to.
 The names of the three nationwide
  consumer reporting companies are
  Equinox, ExperiCorps, and

The answer is?

  Good eye! The actual names are
  Equifax, Experian, and TransUnion. If
  you would like a free annual credit
  report, visit
 Identity theft refers only to the theft of
  drivers’ licenses or name badges?

The answer is?

  While those are types of identity theft,
  the term refers to a broad variety of
  criminal misuses of your name, Social
  Security Number, and financial
 My employer protects personally
  identifying information from hackers
  and other external threats. My identity
  is perfectly safe right?

The answer is?

  While reasonable controls may be in
  place protecting the corporate
  perimeter, the REAL threat comes from
  the “Trusted” employee with access
  and control of this information.
Individual Quick Facts
It’s important to protect your personal information, and to take certain steps
quickly to minimize the potential damage from identity theft if your
information is accidentally disclosed or deliberately stolen:
      Close compromised credit card accounts immediately.

      If someone steals your social security number (SSN), contact one of the three nationwide
       consumer reporting agencies — Equifax, Experian, or TransUnion — and place an initial
       fraud alert on your credit reports.

      Monitor your credit report. Keep in mind that fraudulent activity may not show up right away.

      Consult with your financial institution about handling the effects on bank or brokerage

      Contact relevant government agencies to cancel and replace any stolen drivers licenses or
       other identification documents, and to ―flag‖ your file.

      Watch for signs of identity theft: late or missing bills, receiving credit cards that you didn’t
       apply for, being denied credit or offered less favorable terms for no apparent reason, or
       getting contacted by debt collectors or others about purchases you didn’t make.
Tell Tale Signs
 You are receiving credit cards that you
  didn't apply for.
 You are being denied credit, or being
  offered less favorable credit terms, like a
  high interest rate, for no apparent reason.
 You are getting calls or letters from debt
  collectors or businesses about
  merchandise or services you didn't buy.
Here's What To Do
   File a report with your local police or the police in the
    community where the identity theft took place. Get a copy
    of the report or at the very least, the number of the report,
    to submit to your creditors and others that may require
    proof of the crime.

   Contact the fraud departments of any one of the three
    consumer reporting companies to place a fraud alert on
    your credit report.

   Close the accounts that you know or believe have been
    tampered with or opened fraudulently.

   File your complaint with the FTC. The FTC maintains a
    database of identity theft cases used by law enforcement
    agencies for investigations.
Corporate concerns
   Loss of productivity
   Loss of intellectual property
   Damage to reputation
   Loss revenue
   Executive responsibility
   Legal implications
   Damage to business
Trusted agents
 Attacks are perpetrated by people with
  trusted insider status.
     Employees
     Ex-employees
     Contractors
     Business partners
 Insiders pose a far greater threat to
  organizations in terms of potential cost per
  occurrence and total potential cost than
  attacks mounted from outside.
Insider threat motivators
   Trust and physical access
   Challenge
   Curiosity
   Revenge
   Financial gain
Inside Attackers Profile
 Male
 17-60 years old
 Holds a technical position (86%
 May or may not be married (50/50
 Racially and ethnically diverse
Additional statistics
 In 92 percent of the incidents investigated, revenge was
  the primary motivator.
 Sixty-two percent of the attacks were planned in
 Eighty percent exhibited suspicious or disruptive
  behavior to their colleagues or supervisors before the
 Only 43 percent had authorized access (by policy, not
  necessarily via system control).
 Sixty-four percent used remote access to carry out the
 Most incidents required little technical sophistication.
Data handled
   Employee social security numbers
   Employee salary data
   Employee banking data
   Employee health data
   Customer credit card data
   Customer banking data
   Customer credit history data
   Financial transactions
   Corporate financial information
Compliance implications
 SOX - Sarbanes-Oxley
 PCI – Payment Card Industry
 HIPAA - Health Insurance Portability
  and Accountability Act
 GLBA - Gramm-Leach Bliley Act
 DOI – Department of Insurance
 State specific regulations
Current numbers
 Internal attacks cost U.S. business
  $400 billion per year, according to a
  national fraud survey conducted by
  The Association of Certified Fraud
 $348 billion can be tied directly to
  privileged users.
Organizational Quick Facts
It’s important to protect your customer’s and employee’s information, and to
take certain steps quickly to minimize the potential damage from critical
information if it is accidentally disclosed or deliberately stolen:
      Although white collar criminal charges are usually
       brought against individuals, corporations may also be
       subject to sanctions for these types of offenses.
      Encourage open communication regarding issues of
       misconduct, and provide a confidential and anonymous
       mechanism for stakeholders to report fraud without
       fear of retaliation.
      Be prepared to promptly review, assess, investigate
       and resolve reported issues.
      Set policies and train stakeholders on important
       policies related to organizational risk.
      Decide who will be notified about tips or
2005 Law Enforcement Contact
                    Notified But
                    Report Was
                     Not Made
                               Notified And
                               Report Was
      Victims Did                 Made
       Not Notify                  30%
Beating the Thieves
   Install security software and stay current with the latest patches.
   Always be suspicious of unsolicited e-mail.
   Monitor the volume and origin of pop-up ads. A change may signal something
   Visit the FBI's new Web site,, for tips.
   Use debit cards like credit cards, i.e., with a signature, not a PIN code.
   If you live in one of the 20 states where it's possible, place a freeze on credit
    reports. This stops any credit activity in your name unless you specifically initiate
   Keep an eye out for "skimmers" lurking in places where you use cards or keep
    customer credit information.
   Enable encryption on wireless routers immediately upon setting up a home or
    corporate network.
   Shop only on secure Web sites (look for the padlock or "https" in the address
    bar); use credit, not debit, cards; don't store your financial info in an "account" on
    the Web site.
   Be mindful of the insider threat!
                    Identity Triad – Recommended personal credit review cycle.

           T-1                          T-2                       T-3

T-1 = January, February, March, April
T-2 = May, June, July, August
T-3 = September, October, November, December
Monitor Your Credit Report
 Review and monitor your credit report!
 Visit to obtain your free
  credit report
 Citi Credit Monitoring Service:
 Credit Expert:
 Credit Manager:
 If you suspect you are a victim place a fraud alert on
  your credit report.
Michael D. Peters
Director of Security Services
Lazarus Alliance Inc.

About Michael

     Michael is a founding member of Lazarus Alliance Incorporated. He has more than 20 years of networking and
      system development experience. He is an MBA, CISSP and is certified in several products which include Sun
      Microsystems UNIX.

     More than 14 years of his experience has been devoted to information and network security for organizations
      from United States Defense, Healthcare, Software Development, Manufacturing, Transportation, Insurance,
      Communications, and Financial markets.

     Michael received his MBA in Information Technology Management from Western Governors University.

     He is the creator of "SafetyNET" which is a UNIX based intrusion prevention appliance suite available only from
      Lazarus Alliance.

     The innovator behind the Holistic Operational Readiness Security Evaluation (HORSE) project and Wiki.

     A contributing author to the Sun Microsystems BigAdmin community, Wikipedia,,, and The
      White Hat Encyclical.

     Michael D. Peters is currently the President of the Kentuckiana chapter of the Information Systems Security
      Association (ISSA) and WGU Alumni InfoSec Forum Moderator.

     Guest speaker on matters of security especially concerning compliance, auditing, investigation, and best
      practices for secure computing to various organizations, Public Radio, technical institutions, and in University
Lazarus Alliance Inc.
   Lazarus Alliance Incorporated offers professional services and products dealing exclusively in the areas of
    Security Architecture and Engineering, Compliance Auditing, Risk Assessments, Penetration Testing,
    Incident Response, Forensic Analysis, and Disaster Recovery. Delivering security with integrated products
    and expert services to ASSESS, PROTECT, EMPOWER and MANAGE business processes and information
   The Lazarus Alliance professional security assessment auditor.s provide expert assistance to your
    organization in all areas of information protection and assurance. We are focused on helping companies in all
    industries improve their current security posture. Providing the compliance resources our clients require for
    ISO 17799, HIPAA, Sarbanes Oxley, Gramm-Leach-Bliley, and other legislation is the heart of the Lazarus
    Alliance security audit practice.
   The Lazarus Alliance research and development engineers have created world-class security solutions.
    Lazarus Alliance protects your digital assets and business processes. We offer the SafetyNET suite of
    Intrusion Prevention and Intrusion Detection appliances that are available only from Lazarus Alliance. Our
    customers benefit from personal attention, zero-day solutions, and ingenious security solutions.
   The Lazarus Alliance consulting service team empowers our clients with the expert knowledge our
    consultant's provide. The Lazarus Alliance consulting team provides more than security products and
    services, they provide value added expert level advice and information during the life cycle with our client's
    engagements and customer relationships.
   The Lazarus Alliance security service organization teams provides managed security services to our
    customers leveraging the expertise and knowledge of the Lazarus Alliance research and development
    engineers, the Lazarus Alliance security consultants, and security service team.

To top