Trans Union- NEMA- ID- Theft-protection-consumer-and-business by uksnow

Easy Steps to Fraud Prevention
NEMA Illuminations Conference
November 2007

Joseph Gurreri
Joseph.Gurreri@transunion.com
312-985-3109
VP and GM Global Solutions Development, TransUnion
Chairman, IDSP (ANSI/BBB Panel)

© 2006 TransUnion LLC
All Rights Reserved
Today’s Topics

• Introduction: TransUnion and IDSP
• Criminal techniques
• Protect your consumer identity
  ▪ Deter
  ▪ Detect
  ▪ Defend
• Protect your commercial enterprise with 5 key principles:
  1. Take stock
  2. Scale down
  3. Lock it
  4. Pitch it
  5. Plan ahead
TransUnion gives consumers, businesses and our communities the power to achieve their goals.

• Give consumers greater control over their finances so they feel more confident and empowered
• Give businesses the information to drive their companies and the insight to make better decisions
• Give countries around the world the ability to build credit economies and help people achieve dreams they never thought possible
TransUnion analytics and decision services solve problems across your customer lifecycle.

• Sales and Marketing Services
• Risk Management
• Fraud and Identity Management
• Collections Management
What is the IDSP?

Cross-sector coordinating body focused on preventing ID Theft
– Identify common definitions
– Identify existing standards and best practices
– Analyze gaps, leading to improvements
– Make catalogue available to business, government, consumers

Jointly administered by the American National Standards Institute (ANSI) and the Better Business Bureau (BBB)
– ANSI – coordinator of the U.S. standardization system
– BBB – advancing trust in the marketplace
– Launched in September 2006
Criminal Techniques

• Technology based
• ‘Old fashioned’ human based trickery
• Combinations of both
Fraud Trends
How crime pays

• $1,000-$5,000: Trojan program that can transfer funds between online accounts
• $500: Credit card number with PIN
• $80 to $300: Change of billing data, Social Security number, home address, birth date
• $150: Driver's license
• $150: Birth certificate
• $100: Social Security card
• $7-$25: Credit card number with security code and expiration date
• $7: PayPal account log-on and password

* USA Today Research, October 2006
Identity Theft Techniques

– Dumpster dive
– Pick pocket
– Mail theft
– Submit a change of address form with USPS
– Telemarketing scams / social engineering
– Steal personnel records from employers
– Shoulder surfing
– Use “phishing” or fake emails to get you to provide personal information
Identity Crime Examples

Phishing
Phishing is a social-engineering attack, often using phony emails to lure victims to a spoofed (copied) Website, where personal information can be harvested. By creating a replica of an existing Website, the attacker fools users into submitting personal, financial, or password data. According to the FBI, it is “The hottest and most troubling new scam on the Internet.”

Pharming
Pharming is a malicious Web redirect, in which a person trying to reach a legitimate commercial Website is sent to the phony site without his knowledge. Redirecting takes advantage of vulnerabilities in many Web browsers that allow phony URLs in the address bar, and of vulnerabilities in operating systems and Domain Name Service servers that let a third party point Web requests to new addresses.
Identity Crime Examples
Phishing and Pharming

According to the FBI, phishing is “The hottest and most troubling new scam on the Internet.” Recent victims have included:

• Bank of America
• eBay
• Best Buy
• Citibank
• Earthlink

Now this fraud is expanding to include pharming, the fraudulent redirecting of consumers to a fake Web site.
Identity Crime Examples
First Credit Union Phish

[Screenshots of the phishing email and the linked site; the slide callouts follow]

Email:
• Sender is master321@nerdshack.com
• Body of email: poor grammar
• Body of email: Bank vs. credit union

Linked site:
• Links are invalid
• URL domain is .st - Sao Tome and Principe (an island off of West Africa)
• Asks for CVV number and PIN
• Claims a “secure” site yet URL is not
• “Submit” on prior page lands on copy of true privacy page
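The red flags called out on these slides, turned into a checker that scores a message. This is an added example, not code from the deck or from TransUnion; the institution domain, the sample sender and the sample bodies are constructed.

```python
"""Score an e-mail for the red flags the First Credit Union phish slides call
out: sender domain, link domain and TLD, a "secure" claim without HTTPS, and
a request for CVV/PIN. Added example, not code from the deck or TransUnion."""
import re
from urllib.parse import urlparse

# Assumed: the institution's real domain (constructed placeholder) and type.
LEGIT_DOMAIN = "firstcu.example"
INSTITUTION_TYPE = "credit union"

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
SECRETS_RE = re.compile(r"\b(cvv2?|pin)\b", re.IGNORECASE)


def sender_domain(from_header: str) -> str:
    """Domain part of a From: header such as 'Name <user@host>' or 'user@host'."""
    m = re.search(r"([^<>\s]+)@([^<>\s]+)", from_header)
    return m.group(2).lower() if m else ""


def _belongs_to(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def phish_flags(from_header: str, body: str) -> list:
    """Return the red flags found in a message; an empty list means none fired.
    Grammar quality (also a slide callout) is left to the human reader."""
    flags = []
    sd = sender_domain(from_header)
    if sd and not _belongs_to(sd, LEGIT_DOMAIN):
        flags.append(f"sender domain {sd} is not {LEGIT_DOMAIN}")
    if INSTITUTION_TYPE == "credit union" and re.search(r"\bbank\b", body, re.I):
        flags.append('message says "bank" but the institution is a credit union')
    claims_secure = re.search(r"\bsecure\b", body, re.I) is not None
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not _belongs_to(host, LEGIT_DOMAIN):
            flags.append(f"link points to an unrelated domain: {host}")
        if host.endswith(".st"):
            flags.append(f"link domain is .st (Sao Tome and Principe): {host}")
        if claims_secure and url.lower().startswith("http://"):
            flags.append(f'claims a "secure" site but the link is plain HTTP: {url}')
    if SECRETS_RE.search(body):
        flags.append("asks for CVV and/or PIN, which a real issuer never requests by e-mail")
    return flags


# Constructed sample modelled on the slide callouts (not the real message).
SAMPLE_FROM = "master321@nerdshack.com"
SAMPLE_BODY = (
    "Dear valued bank customer, we has detected unusual activity on you account. "
    "Please verify it at our secure site http://firstcu-verify.example.st/login "
    "and confirm your card number, CVV and PIN."
)

# Constructed legitimate notice for comparison.
CLEAN_FROM = "First Credit Union <alerts@firstcu.example>"
CLEAN_BODY = "Your statement is ready at https://www.firstcu.example/statements."


if __name__ == "__main__":
    for label, frm, body in (("sample phish", SAMPLE_FROM, SAMPLE_BODY),
                             ("clean notice", CLEAN_FROM, CLEAN_BODY)):
        found = phish_flags(frm, body)
        print(f"{label}: {len(found)} flag(s)")
        for f in found:
            print("  -", f)
```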
Identity Crime Examples
Skimming

A credit or debit card is handed over to pay for a bill at a restaurant or retail shop. The card is swiped through a legitimate credit machine.

The same card is then swiped through a small illegal electronic gadget known as a skimmer. The pager-sized device can "read" and store data from the magnetic strips of up to 200 cards.

The skimmer is given to a counterfeiter who downloads all the information onto a computer and either sends it abroad or runs up a cloned copy of the card.

Printing and embosser machines then put the card holder's credit card details onto blank plastic cards.

Another machine is used to create and encode the magnetic strip on the reverse of the card. Lastly an appropriate hologram is affixed to the card. A cloned card is then distributed and out on the streets ready for use.

Source: ABCNEWS.com
Identity Protection Techniques

• Consumer identity
• Business identity and reputation
Protecting Consumer Identity




WHAT CAN YOU DO?

DETER
Deter identity thieves by safeguarding your information

DETECT
Detect suspicious activity by routinely monitoring your financial accounts and billing statements

DEFEND
Defend against identity theft as soon as you suspect a problem
DETER identity thieves by safeguarding your information.

• Shred financial documents before discarding them
• Protect your Social Security number
• Only carry what you need
• Be cautious when providing personal information
• Don’t use obvious passwords
• Don’t leave outgoing mail in your home mail box
• Don’t print your driver’s license number or account numbers on checks
• Don’t write your PIN on credit / ATM cards
• Don’t use birth dates for PINs
• Don’t carry your SS card in your wallet
• Use Credit rather than Debit cards for purchases
DETECT suspicious activity by routinely monitoring your financial accounts and billing statements.

• Be alert
  – Mail or bills that don’t arrive
  – Denials of credit for no reason
• Inspect your credit report
  – Law entitles you to one free report a year from each of the nationwide credit reporting agencies if you ask for it
  – Online: www.AnnualCreditReport.com
• Inspect your financial statements
  – Look for charges you didn’t make
DEFEND against identity theft as soon as you suspect a problem.

• Be proactive, and subscribe to a monitoring and alert program
• Place a “Fraud Alert” on your credit reports by calling any one of the three nationwide credit reporting companies:
  – Equifax: 1-800-525-6285
  – Experian: 1-888-397-3742
  – TransUnion: 1-800-680-7289
• Review reports carefully, looking for fraudulent activity
• Close accounts that have been tampered with or opened fraudulently
• File a police report
• Contact the Federal Trade Commission
TransUnion Credit File
Initial Fraud Alert

• #HK#IFCRA - Initial Fraud Alert: Action may be required under FCRA before opening or modifying an account
• Requests are shared with Experian and Equifax
• Added immediately upon receipt
• Added for 90 days with contact phone numbers / opt out for 1 year
• Used for proactive and account takeover frauds
• Represent approximately 95% of total alert requests
TransUnion Credit File
File Freeze

• Requests received by mail, telephone and, by 2008, Internet
• Added within 24 hours to 5 business days of receipt
• Added indefinitely
• California first to pass file freeze law in 2002 (SB168)
• TransUnion will start October 15, 2007 offering to all US residents
• Cost for “non-victims” to add in most states is $10.00 or less
  – DE $20 and NE $15
• Can be free for ID theft victims and, in some states, senior citizens
• Issued PIN to authenticate lifts or deletion
TransUnion Credit File
File Freeze Lift (“Thaw”)

• Requests received by mail, telephone and, in 2008, available 24/7 by Internet and IVR
• Must have PIN to authenticate
• Dedicated lift / delete hotline 888 909-8872
• Processed within 15 minutes to 3 business days of receipt
• Cost for “non-victims” to lift is no more than $10 in all states
• Can be free for identity theft victims and, in some states, senior citizens
• Lift can be global or third party
  – Global permits access by all with permissible purpose during specified time frame
  – Third party generates an access code (TU####) that the consumer provides to the credit issuer to “unlock” the file during the specified transaction
TransUnion Credit File
File Freeze Deletion

• Requests received by mail, telephone and, in 2008, available 24/7 by Internet and IVR
• Must have PIN to authenticate
• Dedicated lift / delete hotline 888 909-8872
• Deleted within 24 hours to 5 business days of receipt
• Cost for “non-victims” to delete is no more than $10 in all states
Protecting Business Identity and Reputation




Business issues

A sound data security plan is built on 5 key principles:

1. Take stock. Know what personal information you have in your files and on your computers.
2. Scale down. Keep only what you need for your business.
3. Lock it. Protect the information that you keep.
4. Pitch it. Properly dispose of what you no longer need.
5. Plan ahead. Create a plan to respond to security incidents.
1. Take Stock

• Assess what information you have and who has access to it.
• Inventory all computers, laptops, flash drives, disks, home computers, and other equipment to find out where your company stores sensitive data.
• Track personal and financial payment information as it moves through your business:
  – sales
  – information technology
  – human resources
  – accounting
  – outside service providers
Security Check

Question: I’m not running a financial institution. Are there laws that require my company to keep sensitive data secure?

Answer: Yes: Statutes like the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act may require you to provide reasonable security for sensitive information.

To find out more, visit www.ftc.gov/privacy
2. Scale Down

• Keep only what you need
• Use Social Security numbers only for required and lawful purposes—like reporting employee taxes.
• Don’t keep customer credit card information unless you have a business need for it.
• Check the default settings on your software that reads customers’ credit card numbers and processes the transactions.
Security Check

Question: We like to have accurate information about our customers, so we usually create a permanent file about all aspects of their transactions, including the information we collected from the magnetic stripe on their credit cards. Could this practice put their information at risk?

Answer: Unfortunately, Yes. Keep sensitive data in your system only as long as you have a business reason to have it. Once that business need is over, properly dispose of it. If it’s not in your system, it can’t be stolen by hackers. This was the basis of the enormous TJX breach; a $10MM+ mistake over 46mm consumers.
3. LOCK IT
Physical security

What’s the best way to protect the sensitive personally identifying information you need to keep?

• Lock the doors and watch the keys
• Require employees to put files away, log off their computers, and lock their file cabinets and office doors at the end of the day.
• Audit your storage vendors and shippers
  – ABN Amro mortgage case: $4mm+ on 2MM consumers
• Laptops
  – never leave a laptop visible in a car, at a hotel luggage stand, or packed in checked luggage
  – Watch it through airport security as it goes on the belt
3. LOCK IT
Electronic security

• Audit entire data stream
• Regularly run up-to-date anti-virus and anti-spyware programs.
• Use Secure Sockets Layer (SSL) or another secure connection that protects financial information in transit
• Review the security of your web applications—the software used to give information to visitors to your website and to retrieve information from them.
  – Web applications may be particularly vulnerable to a variety of hack attacks.
  – In one variation called an “injection attack,” a hacker inserts malicious commands into what looks like a legitimate request for information. Once in your system, hackers transfer sensitive information from your network to their computers.
• Assess whether sensitive information really needs to be stored on a laptop.
• Require employees to store laptops in a secure place
Security Check

Question: We encrypt financial data customers submit on our website. Once we receive it inside of our network, we decrypt it and email it over the Internet to our branch offices in regular text. Is there a safer practice?

Answer: Yes. Regular email is not a secure method for sending sensitive data. The better practice is to encrypt any transmission that contains information that could be used by fraudsters or ID thieves.
3. LOCK IT
Password Management

• Require “strong” passwords.
• Use password-activated screen savers to lock employee computers after a period of inactivity.
• Lock out users who don’t enter the correct password within a designated number of log-on attempts.
• Train, train, train employees
  – Don’t share login or passwords
  – Don’t fall for social engineering tricks
Security Check

Question: Our account staff needs access to our database of customer financial information. To make it easier we have a department-level common password. Is that acceptable security?

Answer: No. Individual user IDs and a strong-password protocol are imperative. Hackers will first try words like “password,” your company name, the software’s default password, and other easy-to-guess choices. They’ll also use programs that run through common English words and dates.
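The two controls from the Password Management slide and this answer, individual user IDs with lockout after a designated number of failed log-ons and rejection of the easy-to-guess choices listed above, as an added example that is not TransUnion's code. The policy numbers, the company name and the default-password list are assumptions.

```python
"""Per-user lockout after a designated number of failed log-ons, plus
rejection of the easy-to-guess passwords the Security Check answer lists.
Added example; policy values are assumptions, not TransUnion's."""
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5            # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60   # assumed policy: 15-minute lockout
MIN_LENGTH = 12             # assumed policy
COMPANY_NAME = "acme"       # constructed company name
VENDOR_DEFAULTS = {"admin", "changeme", "default", "welcome1"}  # constructed list


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Dummy credential so an unknown user ID costs the same hashing time as a
# wrong password; otherwise response time reveals which IDs exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(_DUMMY_SALT, "never-matches")


def password_is_weak(password: str) -> bool:
    """True for the choices the answer says attackers try first."""
    p = password.lower()
    if len(p) < MIN_LENGTH:
        return True
    if "password" in p or COMPANY_NAME in p:
        return True
    if p in VENDOR_DEFAULTS:
        return True
    if p.isdigit():                  # all digits: dates and PIN-style values
        return True
    return False


class LoginGuard:
    """Individual user IDs with salted hashes and per-user lockout."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing
        self._users = {}             # user_id -> (salt, hash)
        self._failures = {}          # user_id -> consecutive failures
        self._locked_until = {}      # user_id -> unix time the lockout ends

    def register(self, user_id: str, password: str) -> None:
        if password_is_weak(password):
            raise ValueError("password rejected by policy")
        salt = os.urandom(16)
        self._users[user_id] = (salt, _hash(salt, password))

    def login(self, user_id: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Unknown IDs and wrong passwords
        are handled identically so the response leaks nothing."""
        now = self._clock()
        if self._locked_until.get(user_id, 0) > now:
            return "locked"
        known = user_id in self._users
        salt, stored = self._users.get(user_id, (_DUMMY_SALT, _DUMMY_HASH))
        if known and hmac.compare_digest(stored, _hash(salt, password)):
            self._failures.pop(user_id, None)
            return "ok"
        n = self._failures.get(user_id, 0) + 1
        if n >= MAX_ATTEMPTS:
            self._locked_until[user_id] = now + LOCKOUT_SECONDS
            self._failures.pop(user_id, None)   # fresh count once the lockout ends
            return "locked"
        self._failures[user_id] = n
        return "denied"
```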
3. LOCK IT
Wireless and Remote Access

• Determine if you use wireless devices like inventory scanners or cell phones to connect to your computer network or to transmit sensitive information.
• Encrypting transmissions from wireless devices to your computer network may prevent an intruder from gaining access through a process called “spoofing”—impersonating one of your computers to get access to your network.
3. LOCK IT
Detecting Breaches

• Monitor incoming traffic for signs that someone is trying to hack in: consider using an intrusion detection system. To be effective, it must be updated frequently to address new types of hacking.
• Monitor outgoing traffic for signs of a data breach. Watch for unexpectedly large amounts of data being transmitted from your system to an unknown user.
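The outgoing-traffic check from the second bullet, run over a few flow records: total bytes per destination, ignore destinations the business already sends bulk data to, and alert on the rest above a threshold. This is an added example, not the deck's or TransUnion's code; the known-destination set, the threshold and the flow lines are constructed.

```python
"""Flag unexpectedly large outbound transfers to destinations the business
does not normally talk to, the egress signal on the Detecting Breaches slide.
Added example; the flow records are constructed, not captured traffic."""
from collections import defaultdict

# Assumed: destinations that legitimately receive bulk data (branch office,
# backup provider). Addresses are constructed documentation-range examples.
KNOWN_DESTINATIONS = {"192.0.2.10", "192.0.2.20"}
# Assumed alert threshold: more than 50 MB to one unknown destination.
THRESHOLD_BYTES = 50 * 1024 * 1024

# Constructed flow log, one record per line: <time> <src_ip> <dst_ip> <bytes_out>
SAMPLE_FLOWS = """\
2007-11-05T02:10:01 10.0.0.15 192.0.2.10 83886080
2007-11-05T02:11:45 10.0.0.22 203.0.113.77 31457280
2007-11-05T02:12:03 10.0.0.22 203.0.113.77 26214400
2007-11-05T02:13:30 10.0.0.31 198.51.100.5 1048576
garbled line that the parser must skip
2007-11-05T02:14:10 10.0.0.22 203.0.113.77 12582912
"""


def parse_flows(text: str) -> list:
    """Parse flow lines into (src, dst, bytes) tuples, skipping malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            flows.append((parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return flows


def bytes_per_destination(flows: list):
    """Total outbound bytes and the set of internal senders, per destination."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    for src, dst, n in flows:
        totals[dst] += n
        sources[dst].add(src)
    return totals, sources


def egress_alerts(flows: list, known=KNOWN_DESTINATIONS, threshold=THRESHOLD_BYTES) -> list:
    """Destinations outside the known set that received more than the threshold,
    largest first, with the internal hosts that sent to them."""
    totals, sources = bytes_per_destination(flows)
    alerts = []
    for dst, total in sorted(totals.items(), key=lambda kv: kv[1], reverse=True):
        if dst in known or total <= threshold:
            continue
        alerts.append({"dst": dst, "bytes": total, "sources": sorted(sources[dst])})
    return alerts


if __name__ == "__main__":
    for a in egress_alerts(parse_flows(SAMPLE_FLOWS)):
        print(f"{a['dst']}: {a['bytes'] / 2**20:.1f} MB from {', '.join(a['sources'])}")
```

In practice the known set and threshold come from a baseline of normal traffic, and the 80 MB to the known branch address above is deliberately not flagged.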
3. LOCK IT
Employee Training

• Annual training and certification.
  – Don’t forget satellite offices, temporary help, and seasonal workers.
  – Tell them how to report suspicious activity and publicly reward employees who alert you to vulnerabilities.
  – Warn about phone phishing. Train them to be suspicious of unknown callers claiming to need data to process an order.
  – For computer security tips, tutorials, and quizzes for everyone on your staff, visit www.OnGuardOnline.gov.
• Check references or do background checks
• Require annual signature on company’s confidentiality and security standards
• Limit access to personal information to employees with a “need to know.”
• Exit and termination – disable passwords, and collect keys and identification cards as part of the check-out routine
Security Check

Question: I’m not really a “tech” type. Are there steps our in-house computer people can take to protect our system from common hack attacks?

Answer: Yes. There are relatively simple fixes to protect your computers from some of the most common vulnerabilities. For example, a threat called an “SQL injection attack” can give fraudsters access to sensitive data on your system, but can be thwarted with a simple change to your computer. Bookmark the websites of groups like the Open Web Application Security Project, www.owasp.org, or SANS (SysAdmin, Audit, Network, Security) Institute’s Twenty Most Critical Internet Security Vulnerabilities, www.sans.org/top20, for up-to-date information on the latest threats—and fixes. And check with your software vendors for patches that address new vulnerabilities.
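The “injection attack” described on the Electronic security slide and the “simple change” this answer refers to, shown as a lookup built by string concatenation beside the same lookup using a parameterized query. This is an added example using Python's sqlite3 with constructed customer rows, not code from the deck or from TransUnion.

```python
"""A query built by pasting request text into SQL beside the parameterized
version, over an in-memory SQLite table of constructed customer records.
Added example; not code from the deck or from TransUnion."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: three customers with the last four card digits."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)")
    con.executemany(
        "INSERT INTO customers (name, card_last4) VALUES (?, ?)",
        [("Alice Adams", "1234"), ("Bob Brown", "5678"), ("Carol Cruz", "9012")],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, name: str) -> list:
    """'Before': the request value becomes part of the statement text, so a
    value containing SQL syntax changes what the query means."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, name: str) -> list:
    """'After': the placeholder keeps the value out of the statement text; the
    database compares it literally against the name column."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


# Constructed request value no legitimate user would type: inside the
# vulnerable query it turns the WHERE clause into a tautology, so the
# "lookup" returns every customer's row instead of one.
TAUTOLOGY_INPUT = "x' OR '1'='1"


def compare(name: str) -> tuple:
    """Row counts returned by the two lookups for the same request value."""
    con = make_db()
    return len(lookup_vulnerable(con, name)), len(lookup_safe(con, name))


if __name__ == "__main__":
    print("normal request:", compare("Bob Brown"))        # (1, 1)
    print("crafted request:", compare(TAUTOLOGY_INPUT))   # (3, 0)
```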
4. PITCH IT

Properly dispose of what you no longer need
• Protect against “dumpster diving”
• Contract with a storage and disposal company
• When disposing of old computers and portable storage devices, use wipe utility programs. Deleting files using the keyboard or mouse commands usually isn’t sufficient because the files may continue to exist on the computer’s hard drive and could be retrieved easily.
• If you use consumer credit reports for a business purpose, you may be subject to the FTC’s Disposal Rule. For more information, see Disposing of Consumer Report Information? New Rule Tells How at www.ftc.gov/privacy
Security Check

Question: My company collects credit applications from customers. The form requires them to give us lots of financial information. Once we’re finished with the applications, we’re careful to throw them away. Is that sufficient?

Answer: No. Have you wiped all traces from the data flow? A full audit of your data trail is required, resulting in a disposal procedure that is comprehensive. Shred, never ‘throw away’.
5. PLAN AHEAD

Create a plan for responding to security incidents.
• Have a plan in place to respond to security incidents. Designate a senior member of your staff to coordinate and implement the response plan.
• Contract with a mitigation company in advance.
• Consider whom to notify in the event of an incident, both inside and outside your organization.
  – consumers, law enforcement, customers, credit bureaus
  – other businesses such as suppliers or customers
Data Breaches
Reputational risk
Security Check

Question: I own a small business. Aren’t these precautions going to cost me a mint to implement?

Answer: No. There’s no one-size-fits-all approach to data security, and what’s right for you depends on the nature of your business and the kind of information you collect from your customers. Some of the most effective security measures—using strong passwords, locking up sensitive paperwork, training your staff, etc.—will cost you next to nothing and you’ll find free or low-cost security tools at non-profit websites dedicated to data security. Furthermore, it’s cheaper in the long run to invest in better data security than to lose the goodwill of your customers, defend yourself in legal actions, and face other possible consequences of a data breach.
Identity Theft Prevention and Identity Management Standards Panel

Joseph V. Gurreri III – Chair, IDSP; VP, Global Solutions Development & Consulting, TransUnion
James McCabe – Director, IDSP, American National Standards Institute
IDSP Charter
Table of key issues

In Scope                           Out of Scope
Inventory of existing standards    Modification of existing standards
Index standards                    Rank ordering standards
Gap Analysis of current standards  Developing new standards
IDSP Founding Partners
A diverse group of organizations
IDSP Steering Committee
Composition

Chairman – Joseph V. Gurreri, III, TransUnion
Founding Partners
At Large Members

• AARP
• Accredited Standards Committee X9
• Affinion Group
• Alliance for Telecommunications Industry Solutions
• AOL
• ARMA International
• Center for Democracy and Technology
• Debix
• Fellowes, Inc.
• General Services Administration
• KPMG
• National Institute of Standards and Technology
• North American Security Products Organization
• Pay By Touch
• Telecommunications Industry Assn.
• Underwriters Laboratories Inc.
Working Groups
Definitions

WG 1 Issuance
– Standards relating to issuance of identity documents by government and commercial entities
WG 2 Exchange
– Standards relating to acceptance and exchange of identity information
WG 3 Maintenance
– Standards relating to ongoing maintenance and management of identity information
RESOURCES

These websites and publications have more information on securing sensitive data:
• Ansi.org/idsp
• FTC.GOV
• National Institute of Standards and Technology (NIST)’s Computer Security Resource Center: www.csrc.nist.gov
• NIST’s Risk Management Guide for Information Technology Systems: www.csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
• Department of Homeland Security’s National Strategy to Secure Cyberspace: www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf
• SANS (SysAdmin, Audit, Network, Security) Institute’s Twenty Most Critical Internet Security Vulnerabilities: www.sans.org/top20
• United States Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
• Carnegie Mellon Software Engineering Institute’s CERT Coordination Center: www.cert.org/other_sources
• Center for Internet Security (CIS): www.cisecurity.org
• The Open Web Application Security Project: www.owasp.org
• Institute for Security Technology Studies: www.ists.dartmouth.edu
• OnGuard Online: www.OnGuardOnline.gov