Learning Center
Plans & pricing Sign in
Sign Out

aaa Identity Theft 2010


  • pg 1
									      Identity Theft
  Electronic Intrusion &
Scams To Get Your Money

      November 2010
• Identity Theft is a crime in which an
  impostor obtains key pieces of personal
  identifying information such as Social
  Security numbers and driver's license
  numbers and uses them for their own
  personal gain. This is called ID Theft.
       Worst Case Scenario
• Someone has stolen your identity and without
  your knowledge has….
  been married several times without any
  divorces, bought a home and is delinquent on
  payments, maxed out several credit cards in
  your name, subscribed to a kiddie porn site,
  purchased a car and been involved in a serious
  accident, gave your name on the police report,
  filed a false claim with the insurance company,
  applied for several years of bogus refunds from
  the IRS, asked for Social Security disability
  payments, made threats against the
  government and got you on the “no-fly” list.
    How can your identity be
• There are many ways. Half of all identity
  theft victims have no idea how their
  identity was stolen.
• But from the other half who think they
  know how their identity was stolen, we can
  learn some valuable lessons.
• Many of the fears listed in the public press
  are not major causes of identity theft
   If your Identity is stolen…
• The best single reference and guide for
  what you need to do is
• The Identity Theft Recovery Kit
• Free PDF download from
• I suggest you download a copy, print it out
  and store it somewhere you can find it.
    Sources of identity theft in
          2003 to 2006
• Online transactions – 1/3 of 1 %
• Garbage or dumpster diving – 1%
• Phishing – 3%
• Spyware on home computer 5%
• Misuse of data in-store or in a telephone
  transaction - 7%
• Stolen mail – 8%
  Sources of identity theft in
        2003 to 2006
• Theft by an employee – 15%
• Someone in the home – 15%
• Loss of a purse, wallet, checkbook – 30%

• However, the percentages are changing
  with increasing incidents coming from
  phishing, spyware, and hacking into
  commercial computers.
 Financial fraud comes in two
• Existing accounts which are compromised
  – Protect yourself by examining your bank and
    credit card statements carefully each month
    for suspicious activity.
• Newly created financial accounts of which
  you are not aware.
  – Protect yourself with free credit reports and/or
    a credit freeze.
Recent Headlines
• A special agent for the FBI announced the
  arrest of an employee for AIG who stole a
  computer server with the personal
  information for over 900,000 policy
        Facebook Accounts
• Stolen accounts of Facebook users are now on
  sale in high volume on the black market.
• iDefense tracked an effort to sell log-in data for
  1.5 million Facebook accounts on several online
  criminal marketplaces.
• The offers were to sell bundles of 1,000
  accounts with 10 or fewer friends for $25 and
  with more than 10 friends for $45,
• The case points to a significant expansion in the
  illicit market for social networking accounts
• The Kneber botnet, a new form of malware
  which has so far infected over 74,000
  computers worldwide and has attacked
  over 2,500 corporate accounts.
• The botnet extracts name, address, social
  security number, credit card number and
  other sensitive information stored on
  company computers.
• Merck & Co., Paramount Pictures, Juniper
  Networks and Cardinal Health are among
  some of the companies hit by the botnet.
• A woman exploited a loophole in D.C. tax
  office online systems to gain access to
  taxpayer accounts, establish herself as the
  owner of dozens of businesses and filed
  returns on their behalf.
• Within 48 hours she was able to establish
  herself as the owner of the 76 businesses
  and gain access to their business
       Who are these thieves?
•   Organized Crime in the US, Russia & China
•   Narcotics users - strong link to meth addicts
•   Opportunists who see an opening
•   Desperate people taking desperate actions
•   Family members or someone close to you
  Total security isn’t possible
• Your credit card number is stored in the
  computers of dozens of businesses, and
  even large businesses can’t keep out
• When you hand over your credit card to
  your waiter, everything needed for credit
  card ID theft is out of your sight for several
• Expect identity theft and be ready to react
     Types of vulnerabilities

• Home Computer -Electronic access to your
  computer by virus, worms, trojans,
  keystroke recorders, and other types of
• Business computers – your information can
  be accessed by employees and hackers.
• Physical access to your financial
  information at home and while traveling.
Credit card records stored by
companies with which you do
• You have no way of determining how
  effective security is at Joe’s Online Books
  or Aunt Judy’s Fashion Boutique, or
  Pottery Barn, or Nordstrom's.
• Larger companies probably have better
  security, but they are also more lucrative
            What can I do?
• When ordering over the internet or the phone, one
  safeguard is to not leave behind your credit card
  number on the merchant’s computer.
• Alternative payment options such as PayPal, Bill
  Me Later, Checkout by Amazon, eBillme or
  Google Checkout do not leave behind your credit
  card data.
• Since the merchants never see your credit card
  number, they can’t store it.
         “One Time Use”
       Credit Card Numbers
 ( also called virtual or disposable numbers)

• Citibank, American Express, MBNA, and
  Discover, have a service that provides a
  valid acceptable credit card number which
  is linked to your real credit card
  number……but can only be used one time
• If this “One Time Use” number is hacked
  from the merchants computer, it can’t be
               Virtual Cards
• Not for ordering theatre tickets for pick up– they
  want to see the plastic card to confirm identity.
• Also not good for airline, hotel, or rental car
  reservations who want to see the plastic card.
• But for all other kinds of online purchases, they
  are an excellent option to prevent identity theft.
• They are also very useful for subscriptions that
  want to “auto-renew” your subscriptions each
  year unless you tell them not to. When they try
  to auto-renew you, the number won’t work.
         How To Use A
 Virtual Credit Card after you
     enroll in the program
• Open the credit card program on your
  computer, enter your passwords, and get
  an image of a credit card on screen.
• The screen credit card has your name, an
  expire date, and a 3 digit security code,
  just like a physical credit card would have
 Keep your credit card numbers
   out of business computers
• Some merchants will ask if you want your
  information retained on their computers
• Or, they will ask if you want your credit
  card number retained in their files.
• If you say “NO” you will have to give the
  information again next time you purchase
  from the site, but your credit card number
  will not be compromised if their computer
  gets hacked.
                  Physical Loss
• Don’t carry every credit card you own. If you lose your wallet
  or purse you will have to cancel all that were lost, leaving you
  with no credit cards for some period of time.
• Have your spouse carry different credit cards than the ones
  you carry. If one of you lose a wallet you will have to cancel
  those cards, but your spouses’ cards will still work.
• Notify your credit card company before traveling overseas
  and have the phone numbers to cancel the cards you do
• Never write down PIN numbers and passwords and carry
  them in your wallet.
• Medicare cards still show Social Security number?
               Debit Cards
• If your debit card is lost or stolen, report it
  immediately by phone then follow up with
  notification in writing. Federal law limits
  your liability to $50 if you report your loss
• Keep receipts and compare them with
  your bank statements, and immediately
  report any discrepancies.
             Credit Cards
• If a thief gets his hands on your credit
  cards, not only can he use those to the
  maximum but he can also use the
  information on each one to create multiple
  new accounts in your name.
• As many identity theft victims already
  know, the damage that can be done once
  new accounts are opened in your name is
  far greater and takes far longer to rectify.
         Physical Security
• Although locally there is not much identity
  theft from people sifting though trash, it
  can’t hurt to shred documents containing
  – Bank account numbers
  – Brokerage account numbers
  – Your social security number
  – Credit Card offers
• When mailing checks, use a secure
  mailbox to mail them.
         Physical Security
• Although it is not widely known, you are at
  some risk of identity theft by using large
  copiers at work or at locations like Kinko’s
• Large commercial copiers have a hard
  drive that retains a copy of every
  document which is copied on the machine
• Often these hard drives are not wiped
  clean before the copier is resold.
• Personal copiers at home are safer for
  making copies of your tax returns, etc.
   Pre-approved credit card
       offers are a risk

• If you don’t want the three major credit
  bureaus selling your name to advertisers
  and credit card companies you can call
  888-567-8688 and “opt out” for 2 years.
• Or, for an even wider net to remove junk
  mail - Google for “Stop My Junk Mail Now”
  from the Privacy Council
         Physical Security
• When people are going to be in your home
  – Lock up your wallet, credit cards, check book
    and financial documents in a file or drawer.
  – Turn off, or password protect your computer
• Information theft often occurs from
  documents laying about in the home.
• It can be your housekeeper, your
  electrician, your neighbor, your nephews
  girlfriend, or someone close to you.
Identity Theft By Creating
      New Accounts
Hello Mr. Smith, I’d like to talk
to you about your unpaid bill
      with Mellon Bank
• Often this is the first indication you have a
  problem….particularly if you don’t have an
  account with Mellon Bank
• Someone may have taken out a credit
  card in your name and had the statements
  sent to a different address so you won’t
  find out about the existence of the card.
     Unknown Credit Cards
• Because the statements demanding
  payment are mailed to another address
  you never receive them.
• When the bank finally turns over the
  delinquent account to a credit collection
  agency, they use your name and “former
  address” to track you down and call you.
• This type of identity theft is very hard to
  protect yourself against.
          What you can do
• 3 times a year, get a free credit report from
  the 3 major credit rating agencies and look
  over the statement closely for any activity
  that seems suspicious.
• Enroll in a service that monitors these
  three agencies and sends you information
  about anything unusual occurring in your
     Free Credit
          IS NOT FREE
• Heavily advertised on TV, is very misleading
  in it’s name and advertising.
• The free credit reports which are provided
  under federal law are found only at
• Free Credit will send you one
  “free credit report” but also signs you up
  for a $15 a month reporting service.
         Identity Protection
• There are many companies now offering
  Identity Protection Services or Insurance
  for a monthly fee.
• These services may be of value but you
  need to research the offerings carefully
• One summary of these services can be
  found at
Suits over ID Theft Protection
       Claims Settled
• Mar 10, 2010 Lifelock Identity Theft
  Protection agreed to pay $12 million in
  fines by FTC. Will no longer be able to
  make claims of absolute protection against
  identity theft.
• In a separate article it was revealed the
  identity of the founder (who posted his
  social security number on a billboard in
  Times Square) has been stolen 13 times.
    For Strong Protection
  Consider a “Credit Freeze”
• In California you have the right to instruct the
  three major credit agencies to not reveal any
  information about your credit status to anyone
  who inquires.
• If someone tries to open a credit card in your
  name, the card company will attempt to run a
  credit check, but they will be told they cannot
  have your information.
• Usually the card company will not issue a card if
  they cannot access your credit history.
                 Credit Freeze
• While you have the credit freeze in place you will
  have to temporarily lift the freeze if you want to
  –   Get a new credit card yourself
  –   Take out a mortgage
  –   Get a new car loan
  –   Be hired for a new job
  –   Open a new brokerage account
• All of these activities require a background credit
  check which is blocked by the credit freeze
• You can temporarily remove the freeze using a PIN
• Fees are $10 ($5 for seniors) to freeze or unfreeze
  each bureau for each person.
     Identity Theft Insurance
• In many instances of identity theft the
  personal time and effort required to refute the
  bogus claims are substantial (40 + hours)
• Most identity theft insurance policies do not
  reimburse you financial losses beyond the
  $50 federal credit card limit, or for losses
  from your savings or checking accounts.
• Read some reviews of Identity Theft
  Insurance before you decide to sign up.
    Identity Theft Insurance

• They may insure you against loss of time
  from work (not personal time) while solving
  the identity theft problem, postage, legal
  fees (if any), notary fees and other minor
  expenses, but not other financial losses.
• Some offer actual assistance in dealing
  with the problems caused by ID theft,
  others offer only advice.
What is a very common way
   for your confidential
     information to be
They ask….

and you give them
the information
   This is known as “Phishing”
       (fishing for private information)

• The thieves trick you into believing they
  are someone else.
• They could claim to be
  – Your bank
  – The Internal Revenue Service
  – Your credit card company’s fraud department
  – The Census Bureau
  – EBay, Amazon, the Police, anyone
           Phishing Scams
• The imposter could contact you by phone,
  email, mail, or in person at your front door.
• They generally have an urgent reason you
  need to give them the information
  – Your account will be closed otherwise
  – You will be audited if you don’t respond
  – Your name will be referred to a credit
    collection agency if you don’t verify our
             On the phone
• If you receive a phone call from someone
  who wants to “confirm” information about
  you or your accounts.
• Ask for their name, phone number and
  extension and say you will return their call.
  Often, if it is a scam they will hang up.
• If you do get a name and number, don’t
  call that number back. You still have no
  idea who you are talking to.
            On the phone
• Instead, get a phone number from the
  back of your credit card, your monthly
  statement, the phone book, or from some
  other known reliable source.
• Call the known good number and ask for
  the fraud department. Tell them about the
  phone call and ask if they were trying to
  contact you.
              Amazon Scam
Dear Amazon Customer,
        You have received this email because we have
reason to believe that your Amazon account has been
recently compromised. In order to prevent an fraudulent
activity from occurring we are required to open an
investigation in this matter.
        Your account is not suspended, but if in 36 hours
after you receive this message your account is not
confirmed we reserve the right to terminate your Amazon
        To confirm your identity with us click the link below –
                 IRS Scams
• One new scheme is an e-mail, purporting to be
  from the IRS, accusing the recipient of having
  underreported their income. The victim is asked
  to download an attachment that the sender
  claims is the relevant part of the victim's most
  recent tax return. Of course, the attachment is
  actually a virus.
• A similar scam relies on people's fear of an audit
  to get them to download a bogus information
  form. If the victim doesn't complete and return
  the form, the e-mailer, posing as an IRS
  representative, threatens to levy penalties and
            Other Scams
• Bogus Job Offers – Thieves will place fake
  employment ads and get you to fill out an
  application including your Social Security
  number, home address, work history,
  education history, mothers maiden name.
• File Sharing or Peer to Peer Software –
  the people accessing your music files may
  also have access to other files on your
          On the internet
• Emails are often used to lure you to a site
  that looks like a legitimate site but is not.
• When you click on a link in an email you
  have no idea who you are really in contact
  with. It may look like your Bank of America
  On-line Banking website…but it is an
  organized crime site in Russia.
• When you sign in with your name and
  password at the fake website, they have all
  they need and they can now loot your bank
    On line Banking Security
• Two-step verification is offered as an option by
  many online banks. An online banking customer
  can have a verification code sent to his or her
  mobile phone when a login attempt is initiated.
  In order to complete the login process
  successfully, the customer must supply the code
  sent to the mobile device in addition to a user
  name and password.
• The two-step is significantly more secure than
  just using a one-step log on (name and
  password) which can be compromised by
  keystroke recording malware.
  Leaving your computer
 unprotected is like leaving
your doors unlocked in a bad

    The internet is a bad
 neighborhood and the bad
   guys are on the prowl.
   Symantec Internet Security
   Threat Report of April 2010
• Attacks on Adobe PDF viewers represented 49% of all
  attacks, followed closely by attacks on Internet Explorer
• New Browser Vulnerabilities Identified – Mozilla Firefox
  169, Apple Safari 94, MS Internet Explorer 45, Google
  Chrome 41, and Opera 25
• Even though it had lower vulnerabilities than other web
  browsers Internet Explorer was still the most frequently
  attacked. Attacks are related to market share and
  availability of exploit code.
• Of the 374 vulnerabilites identified in web browsers in
  2009, 14% remain unpatched as of April 2010.
The bare minimum to protect
      your computer
• A security program configured for
  automatic updates and scans.
• Windows configured for automatic updates
  and installation.
• Don’t open (or even preview) emails from
  people you don’t know
• Don’t click on links in emails, facebook, or
  strange websites.
          Additional Steps
• Don’t let your grandchildren have access
  to your computer. Their music
  downloading and file sharing activities are
  frequent sources of malware infections.
• Many infections are now being transmitted
  by clicking links in Facebook and other
  social interaction websites.
  Why are Microsoft Updates
• Your malware security programs check to
  see that the front door to your computer is
• However almost every week Microsoft
  finds out that a side door into your
  computer is unlocked and suggests you go
  lock it (download and install the security

• Your antivirus cannot protect you
  if you do not install the Microsoft
  Windows updates.
           Other things to do
• Keep your Adobe Reader updated, or….
• Use alternatives such as the free Foxit PDF Reader.
  Foxit seems to be more nimble in responding to PDF
  security threats than Adobe.
• Foxit PDF Reader 4.2 presents a warning message
  whenever an executable command embedded in a PDF
  document is run. Safe Mode (default setting) will disable
  the execution of all external commands.
        Other things to do
• Instead of Internet Explorer, use less
  popular browsers like Firefox or Chrome.
  Although they also have vulnerabilities,
  fewer attacks are directed at them.
• You can have multiple browsers on your
  computer. They don’t interfere with each
  Browser Block Rate for
Socially Engineered Malware

• 2010 Test Results
  – Internet Explorer blocked 85%
  – Mozilla Firefox blocked 29%
  – Apple Safari blocked 29%
  – Google Chrome blocked 17%
  – Opera blocked less than 1%
• Testing by NSS Labs Inc
Use Protected Search Providers
• Google and Bing have features to help
  protect you from visiting malware
  downloading web sites
• Just seeing a bad web page is enough to
  become infected. You don’t have to click
• There are know as “drive-by downloads”
         Malware Symptoms
• Some malware reveals itself - Suspicious pop-
  ups, unwanted toolbars, redirects, strange
  search results, inability to access your security
  provider, computer suddenly running very slow,
  other unexpected behaviors
• Some malware doesn’t reveal itself. It quietly
  steals information without letting you know
• Be sure your computer is automatically scanning
  whether you have symptoms or not.
 NSS Security Lab Testing 2010
• Malware protection products vary widely in
  their abilities. Nationally advertised
  products vary between 54% and 90% in
  effectiveness in detection and protection
  – Top rated was Trend Micro’s Titanium
    Maximum Security at 90.1%
  – However last year it was 96.4% effective. The
    software isn’t getting worse, the threats are
    evolving at a rapid pace and are becoming
    more sophisticated.
       NSS Security Testing
• Based on all factors, traditional web malware
  has between a 10% and a 45% chance of
  getting past your typical AV with a typical user.
• Software vulnerability exploits have a 25% to
  97% chance of compromising the typical
• Most exploits use openings that were previously
  patched, but the user hasn’t downloaded and
  installed the patch.
• Expect the use of exploits to increase because
  of their effectiveness.
 What to do if you get infected
• If you get infected and you have backup of
  your personal data you have two choices
  – Try to remove the infection
  – Reinstall Windows and reload your data
• If you do not have backup you only have
  one choice
  – Try and remove the infection
         Backup Your Data
• I back up my data to an external hard drive
  with an automated program that records
  all changes to my files
• I also have “cloud backup” (Mozy and
  Carbonite are good choices) in case of fire
  or some type of problem with my local
• This “belt and suspender” approach
  makes me more comfortable
  The bad guys are winning!
• Unfortunately, most computers are going
  to become infected at some point.
• The most trustworthy fix is to reload you
  operating system, and then reload your
  application software, and then reload your
• This is a long slow process.
• You can speed up the process if you have
  a spare external hard drive.
    A clone drive to speed up
   recovering from an infection
• Set up your computer the way you like it, update all
  the security patches, install the software you like to
  use, and organize you data files the way you want.
  This is your base recovery point.
• Then use a program like Acronis True Image Home
  to make a clone of your drive. Continue creating
  backups of your changing data.
• When malware strikes, wipe the drive clean, install
  the cloned drive contents, run updates and reinstall
  your data from your backup.
• This is a much faster way to recover from infection
The Next Frontier For Identity
 Theft – Your Smart Phone
• Smart phones are just small handheld
  computers and they can be hacked just
  like other computers
• Mobile malware is still rare today, but…..
• Hackers at Def Con Conference Exploit
  Android Bug
• JailbreakMe “the most advanced iPhone
  exploit ever published.”
       Smartphone Security
• Many consumers are wary about how secure
  mobile banking is and yet some bypass data
  charges and access online banking via WiFi on
  their smartphones, which makes them
  susceptible to man-in-the-middle attacks and
  malware. Some consumers also delete cookies
  from their mobile phones, making this method of
  authentication unreliable. Because of these
  factors and others – and because criminals can
  often spoof authentication or seize control of
  banking sessions – layered security is needed
  for authentication on mobile devices.
               In summary
• Check your statements carefully when they arrive
• Be careful revealing information
• Freeze your credit reporting
• Keep your credit card numbers out of as many
  computers as you can
• Minimize your wallet contents and don’t lose it
• Keep your computer protected and updated
• Back up your computer data so you have
  alternatives if you become infected with malware.
 Action Steps If Your Identity
          Is Stolen
• Immediately contact by phone, and then
  follow up with a letter to -
  – Your financial institutions
  – Your creditors
  – All three major credit bureaus – put a fraud
    alert on your account.
  – The police – ask them to file a identity theft
    report and get a copy of the report and report
• Document and save all your actions
                References & Help
•   The Identity Theft Resource Center
•   Federal Trade Commission -         Fighting Back Against Identity Theft
•   Google for “Stop My Junk Mail Now” from
•   Consumer Federation of America – Are ID Theft Services Worth The Cost?
•   Use Don’t use
•   Credit Freeze
•   Symantec Global Internet Security Threat Report April 2010
•   The Safest Browser,2817,2351669,00.asp
•   NSS Labs 2010 Testing
•   Security Recommendations for IE 9
•   Business Copier Image Recording
•   Smartphone Security -

To top