Identify Theft

Identity Theft Jorge Sebastião Founder and CEO

May 2006 – Veterans Administration laptop with personal information on 26.5M veterans is stolen. “Total losses could top $500M.” – VA Secretary Nicholson Jan 2007- Hackers stole data from at least 45.7 million credit and debit cards at retailer T.J.Maxx – total costs could exceed $1.0B May 2006 – CIO, CSO fired Ohio University 137,000 student accounts compromised

More Stats

2007 Breaches ID Theft Resource Center as of: Oct 2007

Total Breaches: 305

Records Exposed: 76,734,967

News

More sophisticated Attacks

What happens when Hackers grow UP? Criminals

ATM Attack-1

ATM Attack-2?

Skimmer • Capacity > 2500 credit cards • 40 hours Operations • Panic button can deleted information to avoid prosecution. • Cost = $500

Credit Cards for Sale

Identity Theft brokers

What Is Identity Theft?

Acquisition of key pieces of someone’s identifying information to impersonate them.

Includes:

Name

Address

Date of Birth

Social Security Number

Driver Licenses

Student Memberships

Mother’s Maiden Name

Credit Card Number

ATM PIN’s

Bank Account Numbers

ID Theft– The old way

Stolen wallets + purses

Pickpocket

Stolen mail (snail mail)

“ Dumpster Diving” and “Trash Rips”

Telephone scams

ID Theft– New Way Phishing / Pharming Hijack/Skimming

Online Applications Role **2007 top 5-WOASP attacks

Online skimming

Mal-ware

Key loggers

Social Engineering

Wireless phishing

Botnets

Spyware

Victim's browser sends a pre-authenticated request to a vulnerable web application, which then executes hostile actions in the browser. Cross Site Request Forgery (CSRF) 5 Attackers can manipulate information exposed as a URL or form parameter without authorization. Insecure Direct Object Reference 4 Include hostile code and data in file accepted by web application, resulting in devastating attacks, such as total server compromise. Malicious File Execution 3 Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. Injection Flaws 2 XSS flaws occur whenever an application takes user supplied data & sends it to a web browser without first validating that content. Cross Site Scripting (XSS) 1

Social Engineering

… 70 percent of those asked said they would reveal their computer passwords for a …

Schrage, Michael. 2005. Retrieved from http://www.technologyreview.com/articles/05/03/issue/review_password.asp?p=1 Bar of chocolate

People is the biggest problem?

WHAT CAN YOU DO?

DETER - Deter identity thieves by safeguarding your information

DETECT – Detect suspicious activity by routinely monitoring your financial accounts and billing statements

DEFEND - Defend against identity theft as soon as you suspect a problem

DETER = Protect

Shred all documents. Cross shred is preferred.

Do not carry extra credit cards.

Don’t give personal information over the telephone, or internet.

Remove mail promptly from mailbox.

Deposit outgoing mail at Post Office.

Don’t leave receipts at the point of sale.

Memorize pins, social security numbers, and passwords.

Sign all new credit cards.

Match receipts to monthly billing statements.

Notify Financial Institutions in advance of address changes.

Keep your information secure

DETECT

Be alert

Mail or bills that don’t arrive

Denials of credit for no reason

Inspect your credit report

Law entitles you to one free report a year from each nationwide

credit reporting agencies if you ask for it

Online: www.AnnualCreditReport.com by phone: …

or by mail: …

Inspect your financial statements

Look for charges you didn’t make

DEFEND = Respond

Place a “Fraud Alert” on your credit reports by calling any one of the

three nationwide credit reporting companies:

Equifax

Experian

TransUnion

Review reports carefully, looking for fraudulent activity

Close accounts that have been tampered with or opened fraudulently

File a police report

Contact the Federal Trade Commission

Online Resources

Old ID Systems ID CARD CPR CARD Driving License

Replaced by Modern ID Systems

Driving License

CPR CARD

ID CARD

Storage CHIP All external information is duplicated In the Chip in addition to other data of the combined cards.

ELECTRONIC SECURITY

encryption

Biometrics

Biometrics also victim

Banks Credit Card Technological Safeguards Truncation of Account Numbers CISP Verified By Visa Issuers’ Clearinghouse Advanced Authorization CVV Address Verification CVV2 Technology Innovations

Free Services to customers

End User Awareness

Questions? [email_address]