Identity Theft Electronic Intrusion Scams

					      Identity Theft
  Electronic Intrusion &
Scams To Get Your Money

       February 2010
• Identity Theft is a crime in which an
  impostor obtains key pieces of personal
  identifying information such as Social
  Security numbers and driver's license
  numbers and uses them for their own
  personal gain. This is called ID Theft.
• It can start with lost or stolen wallets,
  pilfered mail, a data breach, computer
  virus, phishing, a scam, or paper
  documents thrown out by you or a
  business (dumpster diving). This crime
  varies widely, and can include check
  fraud, credit card fraud, financial identity
  theft, criminal identity theft, governmental
  identity theft, and identity fraud.
Recent Headlines
• Hundreds of credit and debit card holders
  appear to have been victims of a
  nationwide data theft carried out against
  Heartland Payment Systems, which
  processes cards for 250,000 restaurants,
  retailers and other businesses.
• The stolen data includes names, credit
  and debit card numbers and expiration
• A new cyber attack designed to steal the
  login details of users on sites such as
  Facebook and Yahoo has been flagged as
  potentially more dangerous than the
  infamous Conficker.
• The Kneber botnet, a new form of malware,
  has so far infected over 74,000
  computers worldwide and has attacked
  over 2,500 corporate accounts.
• The botnet extracts name, address, social
  security number, credit card number and
  other sensitive information stored on
  company computers.
• Merck & Co., Paramount Pictures, Juniper
  Networks and Cardinal Health are among
  some of the companies hit by the botnet.
• A special agent for the FBI announced the
  arrest of an employee for AIG who stole a
  computer server with the personal
  information for over 900,000 policy
• A woman exploited a loophole in D.C. tax
  office online systems to gain access to
  taxpayer accounts, establish herself as the
  owner of dozens of businesses and file
  returns on their behalf.
• Within 48 hours she was able to establish
  herself as the owner of the 76 businesses
  and gain access to their business
•, which handles travel
  reservations for U.S. government agencies
  has been infected with a virus. The
  departments of Agriculture, Energy,
  Health, Interior, Transportation, and
  Treasury use the site to book travel
• also is used to reimburse
  workers via direct deposit, which means
  that many federal employees' checking
  account information is stored there as well.
       Who are these thieves?
•   Organized Crime in the US and Russia
•   Narcotics users - strong link to meth addicts
•   Opportunists who see an opening
•   Desperate people taking desperate actions
•   Family members or someone close to you
• There is no accurate profile for an identity thief.
• They love the challenge, adrenaline rush and
  money…..and this may be their full time job.
• Or, it can be a casual one-time event when they are
  presented with an opportunity.
• Most thieves recognize there is much less risk in
  identity theft than most common crimes, and a
  relatively high return on the time invested.
• Of those who know how they were victimized, more
  than half of the criminals were family members, or
  other close acquaintances.
            You are at risk
• Just like you can’t totally protect your
  home from burglars, you can’t totally
  protect your identity or your finances
• However, there are things you can do
  which reduce the likelihood that you will be
  a victim of identity theft or hackers or
  electronic scams.
      Why can’t I be totally
• Because a lot of the information which
  could be used for electronic theft is not
  under your control.
• Information on your name, social security
  number, address, maiden name,
  birthplace, birthdate, and high school
  mascot, can often be found someplace on
  the internet or in computers beyond your
  Total security isn’t possible
• Your credit card number is stored in the
  computers of dozens of businesses,
• When you hand over your credit card to
  your waiter, everything needed for credit
  card ID theft is out of your sight for several
• Even large corporations with millions of
  dollars invested in security cannot keep
  hackers out of their computer systems.
     Types of vulnerabilities
• Credit card records stored at companies
  you do business with.
• Physical security of financial information
• Electronic access to your computer by
  viruses, worms, trojans, keystroke recorders,
  and other types of malware.
Credit card records stored by
companies you do business
• You have no way of determining how
  effective security is at Joe’s Online Books
  or Aunt Judy’s Fashion Boutique, or
  Pottery Barn, or Nordstroms.
• Larger companies probably have better
  security, but they are also more lucrative
https versus http for financial
• When you are online and giving out
  personal or financial information, check to
  see if the URL (internet address) you
  are communicating with starts with the
  letters “https” and not the ordinary “http”
• The “S” at the end means you are on a
  secure website which encrypts
  (scrambles) your information as it is being
  transferred via the internet, and
  unscrambles it at its destination.
• Using https for financial transactions is
  one of the most basic elements of a
  secure business web design
• If you are asked for financial information,
  credit card numbers, or anything sensitive
  by a site which doesn’t begin with https,
  you can assume they do not have any
  internet security.
• Do not do business with them over the
Can I phone my order to them?
• The lack of https is a tip off they don’t have
  good security.
• If you order by phone, your name and
  credit card number are entered into the
  business’s sales computer records.
• A business with poor security could be an
  easy target for hackers.
• Your information might not be
  compromised today, but could be at risk in
  the future.
            What can I do?
• When ordering over the internet or the phone, the
  goal is to not leave behind your credit card
  number on the merchant’s computer, even if it is a
  large well known company.
• Many sites will accept PayPal for payment. You
  set up a PayPal account, give them your credit
  card number, and after that you will no longer
  have to give your credit card number to a
  merchant who accepts PayPal.
• Since the merchants never see your credit card
  number, they can’t store it.
 “One Time Use” Credit Card
• Citibank and some other credit card
  issuers have a service that provides a
  valid acceptable credit card number which
  is linked to your real credit card
  number……but can only be used one time
• If this “One Time Use” number is left on the
  merchant’s computer, it is of little concern.
• If the computer is ever hacked and they
  attempt to use the card number, the
  transaction will not be approved.
     One Time Use or Virtual
          Credit Cards
• Open the credit card program on your
  computer, enter your passwords, and get
  an image of a credit card on screen.
• The screen credit card has your name, an
  expire date, and a 3 digit security code,
  just like a physical credit card would have
• This is also very useful for subscriptions
  that want to “auto-renew” your
  subscriptions if you don’t tell them not to.
Some merchants will give you
         a choice
• Some merchants will ask if you want your
  information retained on their computers
• Or, they will ask if you want your credit
  card number retained in their files.
• If you say “NO” you will have to give the
  information again next time you purchase
  from the site, but your credit card number
  is not disclosed if their computer gets
Another alternative – Prepaid
        Debit Cards
• Generally not recommended because of
  the fees incurred, but does provide
  protection against ID theft.
• You can only lose the amount in the card
  and it is of no use in trying to set up
  unauthorized accounts.
              Physical Loss
• Don’t carry every credit card you own. If you lose
  your wallet or purse you will have to cancel all that
  were lost, leaving you with no credit cards for some
  period of time
• Have your spouse carry different credit cards than
  the ones you carry. If one of you loses a wallet you
  will have to cancel those cards, but your spouse’s
  cards will still work.
• Notify your credit card company before traveling
  overseas and have the phone numbers to cancel
  the cards you carry.
 Checking Account Debit Cards
• Theft of a debit card can give the thief access to
  your checking account, so use extra caution. If
  you shop on the Internet, don’t give out your
  debit card number online.
• Since purchases made with a stolen debit card
  are equivalent to someone taking cash directly
  out of your bank account, you may experience
  financial difficulties while you are working with
  your bank to reverse the charges.
               Debit Cards
• If your debit card is lost or stolen, report it
  immediately by phone then follow up with
  notification in writing. Federal law limits
  your liability to $50 if you report your loss
  promptly. Keep receipts and compare
  them with your bank statements, and
  immediately report any discrepancies. You
  will have to contact your bank to get your
  money back.
        Debit versus Credit
• If a perpetrator does get hold of your bank
  card, the damage he can do is limited by
  the amount you have sitting in the
  bank. Moreover, banks usually credit back
  the amount stolen in short order once a
  breach has been established.
        Debit Versus Credit
• If, on the other hand, a thief gets his hands
  on your credit cards, not only can he use
  those to the maximum but he can also use
  the information on each one to create
  multiple new accounts in your name. As
  many identity theft victims already know,
  the damage that can be done once new
  accounts are opened in your name is far
  greater and takes far longer to rectify.
         Physical Security
• Although locally there is not much identity
  theft from people sifting through trash, it
  can’t hurt to shred everything containing
  – Bank account numbers
  – Brokerage account numbers
  – Your social security number
  – Credit Card offers
• When mailing checks, use a secure
  mailbox to mail them.
  Reduce the amount of junk
  mail and credit card offers
         you receive
• If you don’t want the three major credit
  bureaus selling your name to advertisers
  you can call 888-567-8688 and “opt out”
  for 2 years.
• Or, for an even wider net to remove junk
  mail Google for “Stop My Junk Mail Now”
         Physical Security
• When people are going to be in your home
  – Lock up your wallet and credit cards
  – Lock up your financial and bank statements
  – Turn off your computer
• Information theft often occurs from
  documents lying about in the home.
• Unfortunately it is often someone close to
  you who is tempted
Identity Theft By Creating
      New Accounts
    How can someone get a
    credit card in my name?
• All that is needed is your social security
  number, your birth date and other
  identifying information such as your
  address and phone number. With this
  information, (and perhaps a false driver’s
  license with their own picture), they can
  apply in person for instant credit, or
  through the mail by posing as you.
Hello Mr. Smith, I’d like to talk
to you about your unpaid bill
      with Mellon Bank
• Often this is the first indication you have a
  problem….particularly if you don’t have a
  credit card or account with Mellon Bank
• Someone may have taken out a credit
  card in your name and had the statements
  sent to a different address so you won’t
  find out about the existence of the card.
     Unknown Credit Cards
• Because the statements demanding
  payment are mailed to another address
  you never receive them.
• When the bank turns over the delinquent
  account to a credit collection agency, they
  use your name and “former address” to
  track you down and call you.
• This type of identity theft is very hard to
  protect yourself against.
          What you can do
• 3 times a year, get a free credit report from
  the 3 major credit rating agencies and look
  over the statement closely for any activity
  that seems suspicious.
• Enroll in a service that monitors these
  three agencies and sends you information
  about anything unusual occurring in your
     Free Credit
          IS NOT FREE
• Heavily advertised on TV, is very misleading
  in its name and advertising.
• The free credit reports required by law are
  found only at
• Free Credit will send you one
  “free credit report” but also signs you up
  for a $15 a month reporting service.
Small print disclosure on Free
“When you order your free report here,
you will begin your free trial membership
in Triple Advantage SM Credit
Monitoring. If you don’t cancel your
membership within the 30-day trial
period, you will be billed $14.95 for each
month that you continue your
         Identity Protection
• There are many companies now offering
  Identity Protection Services for a monthly
• These services may be of value but you
  need to research the offerings carefully
• One summary of these services can be
  found at
  protection_services/compare.php (this is a
  paid referral site and may be biased)
    For Strong Protection
  Consider a “Credit Freeze”
• In California you have the right to instruct the
  three major credit agencies to not reveal any
  information about your credit status to anyone
  who inquires.
• If someone tries to open a credit card in your
  name, the card company will attempt to run a
  credit check, but they will be told they cannot
  have your information.
• Usually the card company will not issue a card if
  they cannot access your credit history.
                Credit Freeze
• While you have the credit freeze in place you will not
  be able to
  –   Get a new credit card
  –   Take out a mortgage
  –   Get a new car loan
  –   Be hired for a new job
  –   Open a new brokerage account
• All of these activities require a background credit
  check which is blocked.
• To remove the credit freeze usually requires 3 days
• Fees are $10 ($5 for seniors) to freeze or unfreeze
  each account for each person.
     Identity Theft Insurance
• There are insurance products being offered
  which will insure you against monetary loss due
  to identity fraud.
• Read the policies carefully. Debit/Credit card
  losses due to identity theft are limited to $50
  under federal law if reported promptly.
• Check to see whether the policy will cover
  diversion of your bank account funds, brokerage
  account, and other types of losses which may
  not be protected under Federal law.
     Identity Theft Insurance
• In many instances of identity theft the
  personal time and effort required to refute the
  bogus claims are substantial (40 + hours)
• Most of the identity theft policies do not
  reimburse you for your personal time in
  resolving the problems.
• Read some reviews of Identity Theft
  Insurance before you decide to sign up.
What is a very common way
   for your confidential
     information to be
They ask, and you give
 them the information
  These are known as “Social
    Engineering” scams
• The thieves trick you into believing they
  are someone else.
• They could claim to be
  – Your bank
  – The Internal Revenue Service
  – Your credit card company’s fraud dept.
  – The Census Bureau
  – Any other organization or person
             On the phone
• If you receive a phone call from someone
  who wants to “confirm” information about
  you or your accounts.
• Ask for their name, phone number and
  extension and say you will return their call.
  Often, if it is a scam they will hang up.
• If you do get a name and number, don’t
  call that number back. You still have no
  idea who you are talking to.
            On the phone
• Instead, get a phone number from your
  paper statement, out of the phone book, or
  from some other known reliable source.
• Call the known good number and ask for
  the fraud department. Tell them about the
  phone call and ask if this person and
  phone number is a representative for the
• Ask them to transfer you to the number
  you were given.
   On the phone or by email
• Because of all the fraud and identity theft,
  no reputable company will ask you to
  confirm personal information over the
  phone or by email. If you get such a call or
  email…you should not respond.
• Usually the information request will include
  some kind of threat or deadline…..if you
  won’t confirm your EBay account
  information your account will be closed.
             Typical Scam Email
Dear Bank of America customer:

During our regularly scheduled account maintenance and
Online verification procedures, we detected a slight error in
your account information. This might be due to either of the
following reasons:
1. A recent change in your personal information ( i.e change
of address).
 2. Submitting invalid information during the initial online
banking enrollment process.

Please update and verify your information by clicking the link
Thank you,
              Amazon Scam
Dear Amazon Customer,
        You have received this email because we have
reason to believe that your Amazon account has been
recently compromised. In order to prevent an fraudulent
activity from occurring we are required to open an
investigation in this matter.
        Your account is not suspended, but if in 36 hours
after you receive this message your account is not
confirmed we reserve the right to terminate your Amazon
        To confirm your identity with us click the link below –
   Census Scams in person,
       phone or email
• The Census does not utilize emails. Any
  email from them is a fake.
• Census workers may contact you in
  person, by phone, or by mail
• Census workers may ask for basic
  financial information such as a salary
  range, but they will never ask for Social
  Security numbers, bank account numbers,
  or credit card numbers
                 IRS Scams
• One new scheme is an e-mail, purporting to be
  from the IRS, accusing the recipient of having
  underreported their income. The victim is asked
  to download an attachment that the sender
  claims is the relevant part of the victim's most
  recent tax return. Of course, the attachment is
  actually a virus.
• A similar scam relies on people's fear of an audit
  to get them to download a bogus information
  form. If the victim doesn't complete and return
  the form, the e-mailer, posing as an IRS
  representative, threatens to levy penalties and
          On the internet
• Emails are often used to lure you to a site
  that looks like a legitimate site but is not.
• When you click on a link in an email you
  have no idea who you are really in contact
  with. It may look like your Bank of America
  On-line Banking website…but it is an
  organized crime site in Russia.
• When you sign in with your name and
  password at the fake website, they have all
  they need and can now get into your bank
           On the internet
• In the past you could sometimes tell that
  the site looked crude or had misspelled
  words giving you a clue it was false
• Today the fake web sites are perfect
  replicas and not even the experts can tell
  them from the real web sites.
• Your only safety lies in how you initiate
  your contact with the web site. Don’t use
  links in emails.
          Of Doubtful Value
• Identity Theft is a large enough problem to
  attract many programs and services of
  questionable value.
• Such things as “Check Fraud Prevention Pens”
  are now available.
• Some crooks do steal checks and then use
  chemicals to erase the payee and the amount
  written. The pens prevent this erasure.
• But the incident rate of chemically erased
  checks is so low it makes the pens questionable.
• Buyer beware. Some of the protections from
  scams are scams themselves.
  Leaving your computer
 unprotected is like leaving
your door unlocked in a bad
      The Basic Minimums
• An anti-virus program with automatic
  updates and scans
• An anti-spyware program with automatic
  updates and scans
• Windows set for automatic updates and
• Don’t open (or even preview) emails from
  people you don’t know
• Don’t click on links in emails
          Additional Steps
• Don’t let your grandchildren have access
  to your computer. Their music
  downloading and file sharing activities are
  frequent sources of malware infections.
• As part of its updates - Microsoft provides
  the Malicious Software Removal Tool.
  However, when it downloads it only runs a
  quick scan. Monthly you should launch
  the tool and run a full scan and removal.
  This may take several hours.
Launch with – “Run MRT”
  Why are Microsoft Updates
• To continue with the locked door analogy,
  your anti-spyware and anti-virus programs
  constantly check to see that the front door
  is locked and look around the rooms to
  see no one is hiding.
• However almost every week Microsoft
  finds out that some other door or window
  of your house is unlocked and suggests
  you go lock it (install the update)
  Why are Microsoft Updates
• But MS doesn’t come to your house and
  lock the door or window for you. You have
  to do it (install the update)
• Microsoft’s announcement of your
  unlocked door or window has also been
  broadcast to all the crooks in town.
• The crooks now know where to try to enter
  your house if you don’t take action and
  lock the door or window… installing the
Which Internet Browser are
       you using?

         NSS Labs Testing
Use Protected Search Providers
• Internet search providers who take you to
  sites which will install malware on your
  computer are not very helpful
• Google and Bing have features to help
  protect you from visiting malware
  downloading web sites
• Just seeing a web page is enough to
  become infected. You don’t have to click
• These are known as “drive-by downloads”
Searches using the new Bing
Search Engine from Microsoft
• "Bing's malware detection consists of two
  things," a Microsoft spokesperson said.
  "The first is Drive-by-Download detection
  where Bing warns the end-user that the
  site is hacked and won't take them directly
  to the site when they click, instead
  providing a warning. Secondly, for social
  engineering malware sites, Bing manually
  blocks such sites from showing up in the
  search results."
   Which Security Software?
• Microsoft now offers the free “Microsoft
  Security Essentials” for basic protection. It
  has won recent awards for the best FREE
  software security protection
• PAID providers such as McAfee, Norton,
  Kaspersky and others receive high marks
  in comparison tests.
• Some business security analysts are now
  suggesting that the only way to keep your
  small business on-line banking totally safe is
  – Have an isolated computer which is used for
    nothing but banking transactions
  – Which is physically disconnected from the
    internet except when in use for banking.
  – Your risks at home for internet banking and
    buying are lower, but they still exist.
• I find the convenience worth the risk, but I
  still check my statements very carefully as
  soon as they arrive each month. Checking
  them frequently online is even better.
Fake Security Alerts –
   Antivirus 2009
Antivirus 2009 Can Hijack
Your Google Home Page
            Antivirus 2009
• Looks Official
• Supposedly performs a scan of your
  computer and finds numerous infections
• It is entirely fake – just an attempt to get
  you to send them money
• If this shows up on your screen, don’t click
  on anything or attempt to close the
  window, just shut off your computer
        Malware Symptoms
• Some malware reveals itself. If you are seeing
  suspicious pop-ups, unwanted toolbars,
  redirects, strange search results, inability to
  access your security provider, computer
  suddenly running very slow, or other unexpected
  behavior – you may have been tricked into
  installing malicious software on your computer
• Some malware doesn’t reveal itself. It quietly
  steals information without letting you know
• Be sure your computer is automatically scanning
  whether you have symptoms or not.
 What to do if you get infected
• If you have been doing backups of your
  personal information you have several
• The surest method to eliminate infections is
  to wipe your hard drive clean and reinstall
  Windows, your application software, and
  your data. This fixes 100% of infections
• If you don’t have backups for your important
  data, you have fewer options.
    Best Automated Backup
• Carbonite – on line
  automatic backup

• Seagate Replica
  external hard drive
  with built in
  automated backup
  of your entire
  computer all the
 Without personal data backups you
    must try to fix your computer

• Turn off System Restore (prevents reinfection)
• Run the scan and repair activities in your
  security software.
• Run the malicious software removal tool
  supplied by Microsoft
• Look online for repair fixes under the name of
  the bug you are infected with
           Fixing Malware
• Run other analysis programs such as
  Spyware Doctor with Anti-Virus which is
  available as a part of Google Pack
           Fixing Malware
• If malware is preventing your computer
  from starting properly, use a bootable anti-
  virus CD to scan and clean your files. This
  sometimes works when other solutions fail

• If these steps will not fix your computer,
  get professional help.
          Another alternative
• If your computer is several years old, and
• If you have backups of your important data
• Consider whether you want to invest $100 to
  $200+ to get your computer virus fixed.
• You can buy some excellent computers now for
  under $500 which have all the latest operating
  systems and probably run faster than your
  current computer.
• A new computer may be a smarter alternative
  than investing money in fixing an old computer.
• At the least, put a limit on how much you will pay
  to have your old computer repaired.
               In summary
• Be careful revealing information
• Freeze your credit reporting
• Keep your credit card numbers out of as many
  computers as you can
• Minimize your wallet contents and don’t lose it
• Keep your computer protected and updated
• Back up your computer data so you have
  alternatives if you become infected with malware.
• Check your statements carefully when they arrive
Best Sources For Information
      on Identity Theft

• The Identity Theft Resource Center

• Federal Trade Commission -
  Fighting Back Against Identity Theft