Stealing Your Identity FAST FACTS

1
Stealing Your IdentityFAST FACTS

• What you dont know can cost you your life

2
Interaction is Good

• Please ask questions as we go, others may benefit
  from your query
• No such thing as a stupid question This is a
  very difficult subject
• Lets try to stay on topic, but side discussions
  are welcome

3
Overview

• Introduction
• Current situation How bad is it really ??
• How does ID theft happen
• Why should you protect your information
• How does ID theft affect you
• How to protect your information
• What to do if you are a victim of ID theft

4
Introduction

• Why trust me ??
• More than 25 years experience in security
• Industry Certified
• CISSP
• CISM
• ISSAP
• ISSMP
• CEH
• IAM
• IEM

5
Why Alternate Identity

• Anonymous
• Financial Gain
• Revenge

6
Your Identity

• Social Security Number
• Passport
• Birth Certificate
• Drivers License
• Diploma
• Credit Cards
• Bank Accounts

7
Methods

• Obtaining New Identity
• Inheriting Identity
• Stealing Identity

8
Obtaining Social Security Numbers

• New SSN
• Through Identity Theft
• Juvenile Application Method
• International Citizens
• Witness Protection Program

9
International Citizens

• Genuine Passports
• Dominica and St.Kitts/Nevis
• Venezuela
• Camouflage Passports
• British Honduras
• Zanzibar
• New Granada
• Rhodesia
• Lottery

10
New SSN Through Identity Theft

• Police Reports
• Credit Reports
• FTC Reports
• Name Changes

11
Other Identifications

• Drivers License
• Professional ID

12
Other Identifications

• Birth Certificate

13
Other Identifications

• Credit Cards

14
Other Identifications

• Degrees and Certificates
• Life Experience Degree
• Rocheville University

15
The Address

• PO Boxes public or private
• Rural Routes
• International Addresses
• Property
• Private
• Industrial
• Vacant
• Office buildings
• Broom closets
• Other

16
Stealing an Identity

• Postal System
• Shoulder Surfing
• Garbage
• Hacking
• Social Engineering
• Inheritance

17
Stealing an identity

• Finding the SSN
• Mail System
• Purchasing
• Terminally ill
• Public Records
• DMV
• Tax records
• Internet
• www.bestpeoplesearch.com
• www.docusearch.com
• www.gum-shoes.com
• www.secret-info.sslrx.com
• www.zabasearch.com
• www.familytreesearcher.com

18

• Part II

19
How Bad is it

• ID Theft FBI/FTC 1 Crime Very real threat
• Federal and state agencies are passing the buck
• Scans and mass mailers will find you
• Scanning and hacking systems are freely available
  on the internet

20
How Bad is it..

• General weak information security practices
  everywhere
• The Internet is NOT the most common vector
  Physical theft is a much greater risk
• Hackers, criminals and even terrorists are
  actively looking for you
• Watch out for scams

21
(No Transcript)
22
Hacking on the Internet

• Google search results
• Hacker 12,500,000 hits
• Hacking Windows 2000
  271,000 hits
• Hacker tools 757,000
  hits
• Hacking tools 697,000
  hits
• Hacking Microsoft
  545,000 hits
• Hacking Linux 12,290,000 hits
• Hacking Mac
  266,000 hits
• Hacker Exploits
  103,000 hits
• Computer Vulnerabilities 403,000
  hits

23
SPAM Dominates Internet Traffic

• In April of 2004, SPAM
• topped 82 of all U.S. email.
• Spam is estimated to cost U.S. corporations in
  excess of 10 billion in lost productivity.

24
Reputation Money Diversion of Resources
Legal and Regulatory
25
The VIRUS Threat

• 95 of all businesses are
• affected by viruses each year.
• By number, there are well over 100,000 known
  computer viruses.
• Variations of 180 of the most potent viruses pose
  the greatest threat.
• Viruses are no longer recreational but
• a growing tool of organized criminals
• who use zombie computers.

26
The ZOMBIE Threat

• Hackers dont use their own computer systems.
• HACKERS USE YOUR COMPUTERS.
• More and more hackers are gaining access to large
  entities by entering through a small business or
  home computer system.

27
Shortened Response Time

• Writers of malicious code are developing viruses
  as soon as weaknesses become apparent.
• January 2003 -- The Slammer virus appears
• several months after Microsoft releases a patch
• for a vulnerability.
• August 2005 - "IRCBOT.WORM" and "RBOT.CBQ
  surface, exploiting flaws announced
• by Microsoft less than five days prior.

28
Why Hack any Business ?

• Because we have made it easy and
• it is the most inconspicuous way to hack.
• Inadequate or no firewalls to overcome
• Easy or no passwords
• No Intrusion Detection systems
• The vast majority of businesses and home users
• are completely unprotected and
  ignorant.

29
Phishing
30
Phishing
31
Phishing
32
Phishing
33
Phishing
34
The 7 Top Errors in Addressing Risks
35
100 Security vs. Reality

• No Silver Bullet
• Requires constant vigilance
• Nothing is truly secure
• Tradeoff of functionality/convenience
• More security Higher cost

36
How Does ID Theft Happen

• Criminals get information through businesses
• Stealing employee records
• Bribing to access these records
• Hacking into organizations computers

37
How Does ID Theft Happen

• Types of information that can be stolen
• Names
• Addresses
• Date of birth
• Social security numbers
• Phone numbers
• ID cards (passport, driver license, bank card,
  more)
• Passwords (mothers maiden name, pin codes, more)
• Credit Cards

38
How Does ID Theft Happen
Theft

• Steal wallets and purses
• containing id, credit cards, bank cards, checks
• Steal personal information from your home
• Steal mail from your mailbox
• Pre approved credit offers, new checks, bank
  statements, tax info, social security
  infomore..

39
How Does ID Theft Happen
Dumpster Diving

• Criminals rummage through trash to obtain
• Credit card applications
• Bills
• Bank statements
• Sticky Notes
• Other valuable documents

40
How Does ID Theft Happen
Social Engineering

• Criminals pose as
• Government Officials
• Legitimate business people
• Cable Company
• Online Provider
• Phone Company

41
How Does ID Theft Happen
Who and Why

• Who
• Prior criminals branching out
• First time criminals
• Neighbors
• Co-Workers
• Friends and Family
• Why
• Financial gain
• Revenge
• Challenge

42
How does ID theft affect you

• Impacts associated with ID theft.
• Loss of funds
• Negative impact to credit rating
• Loss of time
• Denied jobs
• Denied loans
• Tickets and warrants
• Check writing privileges

43
How to protect your information

• Protection software
• Protection hardware
• Passwords
• E-mail security
• Web browser security
• Internet purchasing security
• Encryption
• Secure deletion (guard your trash)
• Snail mail security
• Credit card and check security
• Telephone security

44
Electronic Information Security

• Protection hardware
• Protection Software
• Patch, Patch, Patch
• Use strong passwords
• Encrypt where feasible
• Beware of free credit reports
• Dont give out valid information via e-mail, web
  or otherwise fake it when you can.

45
The ring (fortress Model)

• Think of walls around a fortress or castle
• Never put an unprotected system on the internet
  you are an accident waiting to happen.
• Not protecting systems may become a crime Due
  Care Act 1977

46
Protection Software

• Personal firewalls
• Anti virus
• Spyware/Adware blockers
• Others
• Content filters
• Pop up blockers
• Cookie crushers
• History scrubbers

47
Protection Hardware

• Hardware Firewalls
• Routers/modems
• VPN
• Wireless
• USB Tokens
• 2 Way Authentication
• Biometrics

48
Internet Purchasing Security

• Get a webmail (or otherwise separate) account
  for all personal transactions
• keeps primary e-mail cleaner and less noisy
• More than one may be needed
• Only use credit cards with fraud protection
• Consider using one-time credit card numbers
• Use strong passwords

49
E-mail Security

• Use special/restricted account for financial
  activity
• Dont unsubscribe to spam
• Watch for phishing and other online scams
• Microsoft
• Paypal, Ebay
• Various banks
• Trust no one even friends/family
• Learn attachment types
• (.exe, .zip, .com, bat, .scr.)
• Concerned Just dont open it !!!

50
Web Browser Security

• You can easily be hacked through your web browser
  Quickly becoming most common threat factor
• Dont click OK/Yes on any prompt without
  reading it very carefully
• Dont click on pop-ups, use AltF4 or Alttab to
  pop unders
• Clean out cookies regularly
• Do not allow browser to store passwords
• Ensure padlock is visible before entering any
  sensitive information
• Consider an alternate browser such as Firefox

51
Encryption

• Password safes
• Store all passwords in a safe location accessed
  by a single password
• Hold multiple safes in one location
• File encryption
• Encrypt specific files
• Encrypt entire drives or partitions
• E-mail encryption (PGP, Gnupg)
• Encrypt content attached to e-mail
• Encrypt entire e-mail

52
Secure Deletion

• Donating to charity ?
• Giving your old system to friends ?
• Throwing away an old hard drive ?
• Dont forget to scrub your data
• What is in your garbage ?
• Purchase a shredder

53
Snail Mail Security

• Dont leave mail in mailbox for long periods of
  time
• Lock your mailbox if you can
• Pay online or direct debit/deposit if you can
• Shred all sensitive information with a cross-cut
  shredder even free offers
• Request non-SSN unique identifiers for all bills
• Periodic change of address form, just to be safe

54
Check Security

• Use initials on checks instead of first name
• Only use the last 4 digits of your credit card
  number in the For/Memo space to pay checks to
  credit card company
• Use work phone number and address on checks
  instead of home number (or use PO Box even
  better!)
• Never put your SSN on your checks
• Shred any voided check

Tip photocopy all items in your wallet and keep
on file
55
Credit Card Security

• Write down all toll free numbers
• Dont sign credit cards, use PHOTO ID REQUIRED
  instead
• Handle credit card receipts carefully like cash
• Shred all pre-approved offers
• Shred all unused credit card checks
• Shred anything with account info/number

56
Telephone Security

• Cord vs. Cordless phones
• Encrypted handset-to-base is the only secure
  cordless (not cell/mobile) phone
• Wireless/cordless traffic is easy to scan
• Digit grabbers capture touchpad entries
• Mobile/Cell phones
• Mobile/cell traffic is easy to intercept
• Bluetooth issues for mobile/cell phones
• Viruses, DoS, Cross-talk
• War-nibbling, Snarfing
• Phone scams
• a.k.a. Social Engineering
• Yes/No recording
• Fake charities
• Phone phishing

57
Wireless Security

• Use Encryption
• Log events
• Use Mac addressing
• Upgrade to WPA

58
Home Network Security Checklist

• Use a hardware firewall
• Use a software firewall (w/IDS)
• Patch, patch, patch - automatically
• Use anti-virus and keep it updated (or
  auto-update)
• Use a spyware/adware blocker
• Harden operating system
• Dont use Admin account by default assign
  specific users
• Strong passwords upper and lower case, numbers,
  special characters
• Disable unnecessary services
• Test your system periodically
• Microsoft Baseline Security Analyzer
• GRC Shields Up!
• Configure wireless to be secure
• Strong WEP key
• MAC address restrictions
• Wardriving happens

59
What To Do If Youre A Victim

• Contact all creditors immediately!
• Change account information/number
• Remove SSN as identifier
• Establish a password, if possible
• Contact Credit Bureaus and get a Fraud Alert put
  on your account
• Experian, Equifax, Trans Union
• Contact Federal agencies
• Social Security Administration, Federal Bureau of
  Investigation, Federal Trade Commission, Secret
  Service, etc
• Contact Police , FBI
• Contact your Legislators
• Monitor all accounts very closely (daily)

60
What To Do If Youre A Victim

• Create a checklist and log --
• Document all agencies and companies contacted
• Document exactly what they are going to do to
  remedy your issue and when they expect to have it
  done (verify)
• Get name of contact person you speak with every
  time you call it may change
• Record every phone number you call and if you get
  transferred, write down the new number
• Record time, number and duration of calls
• Take extensive notes or record conversation
• Be persistent! Ask to speak with a supervisor.
  Dont take no for an answer unless you
  absolutely have to

61
Fraud Reporting Resources

• Experian (formerly TRW)
• http//www.experian.com 888.397.3742
• Equifax
• http//www.equifax.com 800.525.6285
• Trans Union
• http//www.transunion.com 800.680.7289
• Social Security Administration
• http//www.consumer.gov/idtheft/ 800.269.0271
• Federal Trade Commission
• https//rn.ftc.gov/pls/dod/widtpubl.startup?Z_ORG
  _CODEPU03 1.877.IDTHEFT (438.4338)
• Federal Bureau of Investigation
• http//www.fbi.gov
• Secret Service
• http//www.ustreas.gov/usss

62
Microsoft Security Resources

• Microsoft Update Center
• http//v4.windowsupdate.microsoft.com/en/default.a
  sp
• Microsoft Security Center
• http//www.microsoft.com/security/
• Microsoft Office Updates
• http//office.microsoft.com/productupdates
• Microsoft Security Bulletin Service
• http//www.microsoft.com/technet/security/bulletin
  /notify.asp
• Microsoft Security Tools and Checklists
• http//www.microsoft.com/technet/security/tools/to
  ols.asp
• Microsoft Baseline Security Analyzer
• www.microsoft.com/technet/security/
  tools/tools/MBSAHome.ASP
• Microsoft HFNetCheck
• http//www.microsoft.com/technet/security/tools/to
  ols/hfnetchk.asp

63
Other Security Resources

• US CERT US Computer Emergency Response Team
• http//www.us-cert.gov/
• The I3P Security in the News
• http//www.thei3p.org/news/today.html
• DHS Daily Report - Department of Homeland
  Security daily report
• http//www.nipc.gov/dailyreports/dailyindex.htm
• SANS Internet Storm Center - Internet weather
  report
• http//www.incidents.org
• Packet Storm Security Information site
• http//www.packetstormsecurity.net
• Security Tracker - Comprehensive list of all
  known vulnerabilities
• http//www.securitytracker.com
• World Virus Map - Interactive map of all current
  viruses
• http//www.trendmicro.com/map
• Security Focus
• http//www.securityfocus.com

64
Hackers password cracking tools decode

• Over the network tools 3-4000 words per min
• On the local computer
• 1.4 MM passwords per 4 min

65
Security Alert Overload

• The average Security Professional spends 2.5
  hours a day tracking information.
• 1997 Internet Security Systems X-Force reported
  an average of 20 vulnerabilities a month.
• 2004 Symantec documented more than 1,237 new
  vulnerabilities between Jan. 1 and June 30, an
  average of 48 new vulnerabilities per week. 70
  were considered easy to exploit, and
• 96 were considered moderately
• or highly severe.

66
CEBIC Technologies, Inc.

• Protecting your networks and your data
• Managed Virus Services
• Symantec, McAfee, TrendMicro system-wide updating
• Configuration
• Live updates
• Subscriptions
• Managed Intrusion Detection
• Intrusion detection and protection services
  (Patching)
• File sharing Permissions, Encryption, Passwords
• Content Management Anti-Spyware Management
• Hardware firewalls
• Computer Network Systems Health
• Monitoring

67
CEBIC Technologies Inc.