This document discusses the growing issue of identity theft and how personal information has become a commodity that is widely stolen and misused. It provides background on how identity theft has evolved over time, from early hacks and bank robberies to modern crimes like phishing and data breaches. The document also notes that identity theft is difficult to detect, can significantly impact victims financially and personally, and is rarely prosecuted despite its growing costs and prevalence.
July 13th, 2006, Ft. Myer's Officer's Club
Identity Theft
A Primer
Issues for Today’s Society
Thomas J. Petry
Association of IT Professionals
Northern Virginia Chapter
AITP NOVA
Willie Sutton
America’s most prolific bank robber
Made the FBI’s first “Ten Most Wanted” list
Talented at using multiple disguises
AKA “Willie the Actor”
AKA “Slick Willie”
The many faces of Willie
The Milkman
The Postal Worker
Telegraph Messenger
The Policeman
Maintenance Man
Many Others
When not in disguise
Immaculate dresser
Noted for being
extremely polite …
Except that …
He carried a gun!!
Where the Money was …
Robbed over 100 banks from the late 1920’s
until his final arrest in 1952
Stole an estimated $2 million over his career
Tens of millions of dollars in present-day value
Served a number of prison terms
When asked “Willie, why do you rob banks?”
Reportedly said: “Because that’s where the money is!”
Sutton’s Legacy
Sutton’s Law, “Go where the money is”, is taught to medical students: test for the most likely diagnosis first
The “Willie Sutton Rule” in Activity-Based Costing (ABC) in management accounting: apply effort “where the money is”, where the greatest savings are
Co-authored two published books:
“I, Willie Sutton”
“Where the Money Was: The Memoirs of a Bank Robber”
Where the money is today …
Money is Information
Databases and Transactions
Your Personal Information (PI)
Your Protected Healthcare Information (PHI)
Your Financial Data
Information is everywhere
On Servers and data warehouses
On PCs and Laptops all over
In your emails, post box, and trash cans
Circulating on the Web
What the money is today …
Personal name: first name, last name/initial, mother’s maiden name, etc. …
SSN, TIN, EIN, DEA, NCPDP, Driver’s License Numbers,
Passport Information, Birth Certificates …
Bank Account, credit card numbers, Pension/Benefit
Plans, and other Financial Information …
Home Addresses, Date/Place of Birth, Phone Numbers ...
Personal Information (Privacy Act Data) …
Protected [Healthcare] Information (PHI/PI) …
How this commodity is used
Access to victim’s money
Obtain property and/or other assets using victim’s ID
Mask a real thief’s ID when committing other crimes
Blackmail
Coercion
Extortion
Fraud
Swindles
Scams
Racketeering
How this commodity is used
Obtain gainful employment …
Evade tax obligations …
Obtain legal status illegally …
Obtain legal documentation …
Obtain references …
Acts of War/Terrorism …
Illegal transfer of funds …
As many uses as there are victims …
World’s Fastest Growing Crime
Easy to do
All you need is a computer and modem
Difficult to track
No fingerprints
Huge return on investment
Losses to businesses 2003 nearly $48 billion
Consumers reporting additional $5 billion out of pocket
Low risk
Less than 5% of reports prosecuted
Deceptive
Perpetrator: “Hello, Mr. Smith, this is Bob from the district court. Why didn’t you show up for jury duty yesterday?”
Unsuspecting Victim: “I didn’t know I was scheduled for jury duty. Are you sure you have the right Mr. Smith?”
Perpetrator: “I’m sorry. Let me verify that our records are accurate. Can you give me your Social Security Number and Date of Birth?”
Pervasive
Can affect your personal credit …
Can cost you money and time
Average Out of Pocket: $1,500.00
Average Time: 175 hours
Can cost you your job …
Can follow you later in life …
Can impact access to Security Clearances …
Can impact companies and organizations in which you have a financial interest: LLCs, corporations, charities, 501(c) organizations …
Can impact those you know and love …
Symptoms Evade or Delay Discovery
A phone call or letter tells you you’ve been approved or denied credit for accounts you never requested
You no longer receive your credit card statements
You notice that some of your mail seems to be missing
Your credit card statement includes charges for things you know you never bought
A collection agency tells you they are collecting on an account you never opened
May take more than a year to discover
Deep-seated history
1971: John Draper (“Cap’n Crunch”), a US Air Force veteran, learns that a toy whistle given away in cereal boxes produces a 2600 Hz tone
The same in-band supervisory tone AT&T’s long-distance trunks used to signal an idle line
Builds a “blue box” that, together with the whistle, lets phone phreaks place free long-distance calls
The same box the future founders of Apple Computer used to launch a home-based business selling blue boxes
History of the Virus
1981: Elk Cloner, written by a high-school student for the Apple II, becomes the first computer virus found in the wild, spreading on floppy disks
1984: Computer scientist Fred Cohen formally defines the term “computer virus”
The Legion of Doom
1984: the Legion of Doom is formed
A hacker/phreaker group that operated in the United States during the late 1980s
Responsible for diverting telephone networks, copying proprietary information from companies, and distributing hacking tutorials
FTC January 2006 Report
Received more than 685,000 complaints
of consumer fraud in 2005
37% representing cases of ID Theft
True number of cases estimated to be
much higher
Cases often go undetected, unreported,
or are simply NOT prosecuted
www.fightidentifytheft.com
Estimates 10 million Americans already victimized
Average Cost to recover:
$1,500.00
175 Hours
Total cost more than $50 billion
Virtual Geography
Victim lives in Arizona …
Thief lives elsewhere …
Transactions spread all over the world …
Any witnesses in Bangladesh??? …
Economic Trends of ID Theft
2003 FTC Survey - 10 Million (1 in 30)
Americans had their identities stolen in
the previous year
Economic Loss approximately $48 billion
Less than 5% ever gets prosecuted
Javelin Strategy & Research
Study
Number of victims decreased to 9 million last year (2004)
Losses rose to $56.6 billion
Thieves need fewer hits because they’re getting a bigger take from each victim’s money
Arizona
One in six Arizonans had their identities stolen in the last 5 years (as of 2006)
Approximately twice the national average
More than ½ of illegal immigrants
entering the US come through Arizona
A HOT SPOT for Thieves
Maricopa County (which includes
Phoenix, Arizona) is one of the fastest
growing counties in the Nation:
Highly Mobile population
High number of Immigrants and Retirees
Heavy Traffic area for methamphetamine
Arizona (Continued)
Passed the nation’s first identity theft law in 1996
Yet a state website recently still exposed SSNs and other information to anyone with an Internet connection
Not surprisingly, most victims do not know how their identities were stolen
Arizona (Continued)
Mid 1990’s Phoenix Population Boom
USPS Created Cluster mailboxes servicing
whole housing developments
You can jimmy one open and get
everyone’s mail at the same time
$12 million spent on new mailboxes
Many old mailboxes still remain
Wireless Fraud
Some thieves drive around neighborhoods until they find a resident’s unsecured wireless connection
If police investigate the source of a fraudulent purchase, it is traced to the customer who provided the connection, not to the thief who placed the order
Magnetic Stripe Fraud
Copying the magnetic stripe from a victim’s credit card onto the back of another card
Transactions made with the new card are charged to the victim
The thief encodes the stolen stripe onto a card carrying his own name, so the name on his driver’s license matches the name on the fraudulent card
Magnetic Stripe (Continued)
Even more alarming: the encoder needed to copy a magnetic stripe is the same kind of device nearly every hotel in America uses to re-code room key cards!
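The two slides above describe the stripe copy but not why it is so easy. The reason is the data format: a magnetic stripe carries a short, public, unauthenticated record (ISO/IEC 7813 Track 1 and Track 2), and nothing in a swipe proves that the plastic is the original. The following Python example is added here and is not part of the original presentation. It parses both tracks from constructed sample data (a public test PAN and a fictional cardholder), re-encodes Track 2 byte-for-byte the way a card writer does, and shows two checks a terminal or acquirer can still apply: the two tracks must agree with each other, and a stripe-only swipe of a card whose service code says a chip is present deserves scrutiny.

```python
"""Parse ISO/IEC 7813 magnetic-stripe tracks and show why a stripe is trivially
cloneable: every field is cleartext, there is no secret and no signature, so a
reader that can decode the track can re-encode a byte-identical copy.

Sample track data below is constructed (a well-known test PAN, a fictional
name); it is not taken from any real card."""
import re
from dataclasses import dataclass
from typing import Optional

# Track 1: %B<PAN>^<NAME>^<YYMM><SVC><discretionary>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2: ;<PAN>=<YYMM><SVC><discretionary>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)

SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^2512101" + "0" * 12 + "?"  # constructed
SAMPLE_TRACK2 = ";4111111111111111=2512101" + "0" * 13 + "?"           # constructed


@dataclass
class Track:
    pan: str
    expiry: str            # YYMM
    service_code: str      # three digits, see chip_expected()
    discretionary: str
    name: Optional[str] = None   # Track 1 only


def luhn_ok(pan: str) -> bool:
    """Luhn check digit: a typo detector, not a secret. Any forger can satisfy it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track1(raw: str) -> Track:
    m = TRACK1_RE.match(raw)
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("malformed Track 1")
    return Track(m["pan"], m["exp"], m["svc"], m["disc"], m["name"])


def parse_track2(raw: str) -> Track:
    m = TRACK2_RE.match(raw)
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("malformed Track 2")
    return Track(m["pan"], m["exp"], m["svc"], m["disc"])


def encode_track2(t: Track) -> str:
    """Re-serialise a parsed track. The output is identical to the input,
    which is exactly what a card writer produces when it clones a stripe."""
    return f";{t.pan}={t.expiry}{t.service_code}{t.discretionary}?"


def chip_expected(service_code: str) -> bool:
    """ISO 7813 service code, first digit 2 or 6: an EMV chip is present and
    should be used. A stripe-only swipe of such a card is a 'fallback', which
    is where cloned stripes of chip cards turn up."""
    return service_code[0] in "26"


def tracks_consistent(t1: Track, t2: Track) -> bool:
    """Cheap tamper check a terminal can run: both tracks must agree on PAN,
    expiry and service code. A sloppy clone that rewrote only one track fails."""
    return (t1.pan, t1.expiry, t1.service_code) == (t2.pan, t2.expiry, t2.service_code)


if __name__ == "__main__":
    t1, t2 = parse_track1(SAMPLE_TRACK1), parse_track2(SAMPLE_TRACK2)
    print(t1)
    print("cloned Track 2 identical to original:", encode_track2(t2) == SAMPLE_TRACK2)
    print("chip expected for this card:", chip_expected(t2.service_code))
    print("tracks consistent:", tracks_consistent(t1, t2))
```

The `encode_track2` round trip is the whole fraud in one line: there is no key material on the stripe, so possession of the bytes equals possession of the card. The consistency and service-code checks do not stop cloning; they only raise the cost of a careless clone, which is why the industry moved to chip cards whose cryptograms change every transaction.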
Spamming, Spoofing, and Phishing
20% overall increase in May of 2006
64% of servers used to relay spam and phishing
emails located in Taiwan
US responsible for just 23%
China is in third place containing just 3% of all
spam servers
Rapid increase related to use of randomized
image-based stock spam using pictures to avoid
anti-spam detection
SPAM Costs
SPAM currently accounts for close to
80% of all email traffic
Causes close to $5 billion in economic losses annually
SPAM similar to pollution
Spammers profit from their activities at
the expense of the rest of the population
Spam Sophistication Increase
TinyURL: a free web redirection service that has long helped people shrink overly long Internet addresses into tiny ones, and now also lets spammers hide a link’s real destination
Ghost Spam
Viruses at an all time low (less than 1%)
Spam at an all time high (87.74%)
Increase came from BOTNET of more than
150,000 compromised PCs and peaked on May
22nd, 2006
Veterans Administration
May 3rd, 2006: 26.5 million records stolen
Stolen from the private residence of a VA employee who had taken the data home without authorization
Including service-member records, on an unencrypted laptop and external hard drive
Ultimate cost perhaps $500 million
Hardware ultimately recovered; breach assessment ongoing
VA (Continued)
VA contends no protected healthcare
information was compromised
http://www.myhealthevet.va.gov/
permits you to register with exact same
information that was stolen from their
own computers
Cyber Café Grab and Run
San Francisco police logged 18 computer
robberies in 2004
48 logged in 2005
18 logged as of March of 2006
2006 expected to surpass 70
Cyber Café Grab and Run (Continued)
Whenever culture changes – Crime follows
Where else do you have a $1,000.00 item sitting
on a table?
Easy to resell giving access to quick cash!
Even otherwise law-abiding people are tempted
to buy $3,000 laptops for $200 to $300 on the
street!
Connections to Drug Use
In past drug users might go to
convenience store with a gun
They would be on surveillance camera
They might get shot
They might get pulled over with a broken
tail-light
Now they just sit in front of a computer
Connections (Continued)
Increase in mailbox break-ins by
tweakers (methamphetamine users)
Raids on methamphetamine labs
increasingly have discovered stacks of
stolen mail and notebooks filled with
credit card information
Connections (Continued)
Acetone (an ingredient used in methamphetamine production) washes the ink off checks, a simple means of ID fraud
The people who run these labs have
technical knowledge
Access to grunts for stealing mail and
other id theft sources
Why don’t you know?
The Internal Revenue Service (IRS) is not required to notify you if your SSN is being used, even if it knows
Data breaches in the last year have exposed PI
of more than 80 million Americans
In most states, organizations are NOT required to tell consumers their IDs have been compromised
Why don’t you know?
Only 17 states have passed “credit
freeze” laws enabling consumers to
prevent banks or credit agencies from
issuing new accounts in their names
Why don’t you know?
Business has historically been successful in opposing such legislation
Banks energetically extending more
credit to more people with fewer hassles
Providing Retailers and Consumers with
instantaneous, nearly-anonymous access
to credit
The Secret list of SSN Fraud
Hundreds of thousands of Americans’ SSNs are “borrowed” by illegal aliens to obtain employment
Several US Government agencies know and will not notify
victims. In fact according to law, Social Security
Administration (SSA) and IRS cannot tell victims
Average victim’s SSN shared about 30 times
$420 billion in accounting limbo of FICA taxes in SSA’s
Earnings Suspense File (ESF)
9 million Americans affected in 2002 by ESF
50%-80% of suspense due to illegal aliens
The Secret List (Continued)
Over 500,000 tax returns filed in 2005
with wrong SSNs
IRS simply notifies filer in writing
Rightful card holder not told because
there is no way to know why the wrong
number was used
Credit Reports Don’t Help
In cases of SSN-only theft, the SSA and IRS won’t tell you
Credit reports only impacted if thief takes it to the next
step up the economic ladder securing credit …
… and even then you may not know until the thief misses a payment
In fact credit reports expressly leave off this kind of fraud
Lenders, however, may know before you do, as they see
ALL accounts opened under same SSN
Immigration Reform and Control Act of 1986
Workers must produce Social Security Card or similar
identity verification when obtaining employment (I-9)
Employers are supposed to verify that the card is
legitimate, but many don’t
Law created black market for counterfeit Social Security
Cards and inadvertently kicked off an identity theft crisis
90% of the time the number is already in use by a real person
The remaining 10% of the time it may still be issued to someone in the future
PASS OUT SAMPLE I-9 FORMS TO PARTICIPANTS
The crisis continues …
In 2002 the IRS sent out 900,000 letters to
companies who had workers using erroneous
names or numbers
i.e., the number did not match the name and date of birth
Letters confused employers and employees alike
Some workers fled immediately
Other employers fired employees on the spot
The crisis continues …
Immigration rights groups objected, pointing out
that inclusion in a no-match list was not an
automatic indicator of illegal status
The effort did little to reduce the earnings suspense
file or fix SSN accounting so the agency backed off
Meanwhile, the IRS which is charged with enforcing
the requirement that employers collect accurate SSN
data, has never once levied a fine against a
corporation for failing to do so
The dilemma in fixing it
The best way to shrink the ESF would be to provide a path to legal status for undocumented workers
But removing items from the ESF increases Social Security’s future liabilities
In 2002 the ESF held taxes on $56 billion of undocumented wages: free money with no future payout liability
The Government’s Position
Telling the number’s rightful owner might create more panic than necessary
There’s not a lot of good advice agencies could offer
There is little a victim could do at that point
Challenges remain:
Determining who is the rightful owner and who is the impostor
Finding correct contact information for victims
Dealing with restrictions under the Privacy Act
Credit bureaus cite the same concerns
HIPAA Security Issues
Protected Healthcare Information (PHI)
Privacy Act (1974) information
Both involve Personal Information (PI)
Either one potential for ID Theft
HIPAA and FERPA
HIPAA had provision to exclude
educational records covered by FERPA
Supreme Court ruled education records
include only institutional records, grade
point averages, test scores, and
disciplinary actions
Most if not all school health records may therefore be subject to HIPAA
Global Exposure
Neither Linux nor Windows is safe from organized hacking
Networks are exposed to Distributed Denial of Service (DDoS) attacks and other vulnerabilities
B2B commerce exposes the entire supply chain to the consequences of a single partner’s security practices
Internal Processes
Examining and tightening internal processes needs to be an ongoing activity
Information Security involves more than
the computer systems
Cost of breach
Historically assessed at $3.00 per subject
California’s Confidentiality of Medical Information Act sets the penalty for a failure of record confidentiality at $1,000 per subject
Enforcement against a large-scale breach would bankrupt most providers and plans
Cost of enforcement
Obviously large-scale enforcement can’t and won’t happen
Except in the case of the government
Kaiser paid $200,000 for a breach affecting only 150 members
Where does your organization set this
value?
PC Vulnerabilities
Most users don’t use encryption
Most email clients and download tools scatter multiple copies of files throughout the PC
Delete doesn’t really delete
Emptying the trash can doesn’t really delete
Reformatting the hard drive doesn’t really delete
FDISK doesn’t really delete: each of these removes only the directory or partition entry, and the data stays on disk until it is overwritten
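To make the “doesn’t really delete” point concrete, here is a small Python simulation written for this page; it is not part of the presentation and not a real filesystem driver. It models a disk as raw blocks plus a directory and a partition table, applies each of the four “deletions” the slide lists, and then carves the raw blocks the way a recovery tool would. Only the overwrite-before-unlink variant removes the data. The file contents are constructed sample data.

```python
"""Toy block device showing why delete, empty trash, quick format and FDISK
leave data recoverable, and what an overwrite-before-unlink ('shred') changes.
This is a simulation, not a real filesystem; the record below is constructed."""
import os

SECRET = b"SSN 123-45-6789 DOB 1961-04-12"   # constructed sample personal data


class ToyDisk:
    """A flat byte array plus a directory mapping names to (offset, length)
    and a partition table. Real filesystems are more elaborate, but the
    separation of metadata from file contents is exactly what makes
    undelete possible."""

    def __init__(self, size=4096):
        self.blocks = bytearray(size)
        self.directory = {}                      # name -> (offset, length)
        self.partition_table = {"part1": (0, size)}
        self._next_free = 0

    def write(self, name, data):
        off = self._next_free
        if off + len(data) > len(self.blocks):
            raise OSError("disk full")
        self.blocks[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self._next_free = off + len(data)

    def delete(self, name):
        """What rm, Delete and 'Empty Recycle Bin' do: drop the directory entry.
        The bytes at the file's offset are untouched."""
        del self.directory[name]

    def quick_format(self):
        """Quick format: a fresh, empty directory. Data blocks untouched."""
        self.directory.clear()
        self._next_free = 0

    def fdisk_clear(self):
        """Deleting the partition: only the partition table (and with it the
        directory) changes; the blocks still hold every byte."""
        self.partition_table.clear()
        self.directory.clear()

    def carve(self, needle):
        """Forensic carving: search the raw blocks, ignoring directory and
        partition table. Returns the offset where the data still sits, or -1."""
        return self.blocks.find(needle)

    def shred(self, name, passes=3):
        """Overwrite the file's extent with random bytes, then zeros, then unlink."""
        off, length = self.directory[name]
        for _ in range(passes):
            self.blocks[off:off + length] = os.urandom(length)
        self.blocks[off:off + length] = bytes(length)
        self.delete(name)


def recoverable_after(action):
    """Write the sample record, apply one 'deletion' method by name
    ('delete', 'quick_format', 'fdisk_clear' or 'shred'), then carve for it."""
    disk = ToyDisk()
    disk.write("taxes.txt", SECRET)
    if action in ("delete", "shred"):
        getattr(disk, action)("taxes.txt")
    else:
        getattr(disk, action)()
    return disk.carve(SECRET) != -1


if __name__ == "__main__":
    for action in ("delete", "quick_format", "fdisk_clear", "shred"):
        print(f"{action:13s} data still recoverable: {recoverable_after(action)}")
```

On real hardware the overwrite is weaker than the model suggests: journaling and copy-on-write filesystems, SSD wear-levelling, and the stray copies the slide mentions (mail client caches, download staging files) leave data that a per-file shred never touches. The reliable control is full-disk encryption from the first day the disk is used, then destruction of the key or the media when the disk is retired, which matches the presentation’s own advice never to sell or recycle storage media.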
The Laptop Security Problem
The laptop is increasingly the computer
of choice for both businesses and
consumer buyers
As laptops proliferate, laptop theft
increases
Considerable confusion exists regarding
the level of protection that exists and
what is required
Classes of Protective Technology
User Authentication
Physical Locking Devices
Data Encryption Techniques
Monitoring, Tracing and Tracking
Alarms
Most are not used …
National Do Not Call Registry
http://www.donotcall.gov
Registration takes up to 31 days to take effect
Protects you for up to 5 years
CAN-SPAM Act of 2003
Controlling the Assault of Non-Solicited
Pornography and Marketing Act
Establishes requirements/penalties for those
who send commercial email
Exemptions for Transactional or Relationship
messages
Effective January 1, 2004
Currently no equivalent National DO NOT EMAIL
registry
What CAN-SPAM requires
Bans false or misleading header information
Prohibits deceptive subject lines
Requires that commercial email give recipients an opt-out method
Requires that commercial email be identified as an advertisement
Requires that it include the sender’s valid physical postal address
Penalties
Each violation is subject to fines of up to $11,000
Also subject to laws banning false or misleading advertising
Provides for additional fines for commercial e-mailers who also do any of the following (see next slide)
Additional Fines
“Harvest” email addresses from websites
Generate email addresses using a “dictionary
attack”
Use scripts or other automated ways to register
for multiple email or user accounts
Relay emails through a computer or network
without permission
The Consumer Privacy Legislation (CPL) Forum
Formed by a dozen high-powered
companies both inside and outside tech
industry
Includes Google, eBay, Microsoft, Sun
Microsystems, Symantec, Oracle,
Hewlett-Packard, Intel and others
Signed letter to Congress requesting a
new federal consumer privacy law
CPL Forum Members
Eastman Kodak
eBay Inc
Eli Lilly and Co
Google
Hewitt Associates
Hewlett-Packard
Intel
Microsoft
Oracle Corp
Procter & Gamble
Sun Microsystems
Symantec
The CPL Forum Letter’s Text
“… The time has come for a serious process to
consider comprehensive harmonized federal
privacy legislation to create a simplified, uniform
but flexible legal framework to allow for the free
flow of information and commerce, while
providing protection for consumers from
increasing incidents of identity theft, fraud and
intrusions of privacy … “
CPL Forum Timing …
Announcement comes at a time when studies reveal a decline in consumer trust in the Internet
May 2006 national survey by the Cyber Security
Industry Alliance reports 94% of people polled
cite identity theft as a serious problem
Only 24% feel businesses are placing the right
emphasis on protecting information
The Letter’s Goals?
Protect the privacy of consumers, while
insulating them from being “brought to
their knees” by class-action lawsuits
Appears to be motivated as much by a desire for protection from civil actions in the event of a privacy breach as by ensuring Internet users keep using the Web for commerce
The Future for ID Theft Protection
Public Key Infrastructure (PKI) required, backed by biometrics
Current credit card, retail, banking and electronic commerce infrastructures are grossly inadequate for the risks ahead
Current legal system is overly complicated, and cases are difficult to prosecute!
What to do if you’re a victim
Contact the IRS/Review your Tax Files
Place Credit Fraud Alerts
Obtain Consolidated Credit Reports
Contact your Credit Card Companies
Contact Banks and Financial Institutions
Contact each of your creditors
Seven Steps
Check your credit report
Place a Fraud Alert
Contact each company where you think you’ve
been a victim
File a police report
Document Everything
Contact the FTC, Post Office, SSA, IRS
Contact the major check verification companies
Prevention
Closely Guard your PI
Keep “safe copies” of your PI
Shred all hard copies of your PI
Guard your passwords
Don’t keep hard copies of your passwords
Use Strong Passwords
Destroy data storage media; never sell or recycle it …
Prevent ID Theft
Burn or Shred. Never recycle PI
Opt out of telemarketing
Ask credit card issuers to stop sending convenience checks
Review your credit report 1-2 months
before making application for credit
Review free credit report annually
Prevent ID Theft (Continued)
Don’t give PI at checkout line
Delete any emails that ask for PI
Hang up on Telemarketers
Limit the number of credit cards you hold
Most of the time you can’t prevent it, because someone else has leaked your information, so be prepared
Prevent ID Theft
Shop only at secure sites
Protect Pins and Passwords
Use alternative ID for casual web surfing
Learn to recognize phishing messages
Use cash instead of credit
Get off the lists
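The spoofing, TinyURL and “learn to recognize phishing messages” points above boil down to a handful of mechanical checks that a mail filter (or a careful reader) can apply. The Python example below is added here and is not from the presentation. It parses an RFC 5322 message and reports: a Reply-To or Return-Path domain that differs from the From domain, links whose visible text names one host while the href points at another, shortener domains that hide the real destination, and body text that asks for personal information. Both sample messages are constructed and use reserved example domains; the shortener list is a small illustrative set, not an authoritative one.

```python
"""Heuristic phishing-indicator scan for an RFC 5322 message: header-domain
mismatches, links whose visible text disagrees with their target, shortened
URLs that hide the destination, and text that asks for personal information.
The two sample messages are constructed; the domains are reserved example names."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"tinyurl.com", "bit.ly", "is.gd", "t.co"}   # illustrative list
PI_REQUEST = re.compile(
    r"\b(social security(?: number)?|ssn|password|pin|account number|"
    r"date of birth|mother'?s maiden name)\b", re.IGNORECASE)
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)

SAMPLE_PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
From: "First National Bank" <security@firstnational-bank.example.com>
Reply-To: <verify@fnb-secure.example.org>
To: victim@example.com
Subject: Account verification required
Content-Type: text/html

<html><body>
<p>Please confirm your Social Security Number and password within 24 hours.</p>
<p><a href="http://tinyurl.com/abc123">https://www.firstnational-bank.example.com/login</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
Return-Path: <statements@firstnational-bank.example.com>
From: "First National Bank" <statements@firstnational-bank.example.com>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body>
<p>Your statement is available. Log in at
<a href="https://www.firstnational-bank.example.com/">www.firstnational-bank.example.com</a>
using your normal method; we never ask for credentials by email.</p>
</body></html>
"""


class _Links(HTMLParser):
    """Collect (visible text, href) pairs plus all text of the body."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._buf).strip(), self._href))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)


def _domain(addr_header):
    """Domain part of an address header; '' if the header is absent."""
    return parseaddr(str(addr_header or ""))[1].rpartition("@")[2].lower()


def _host(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators; empty means none tripped."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    from_dom = _domain(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        dom = _domain(msg[hdr])
        if dom and dom != from_dom:
            hits.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _Links()
    parser.feed(body.get_content() if body is not None else "")
    for text, href in parser.links:
        host = _host(href)
        if host in SHORTENERS:
            hits.append(f"shortened URL hides destination: {href}")
        if URL_LIKE.match(text) and _host(text) != host:
            hits.append(f"link text shows {_host(text)} but points to {host}")
    asked = sorted({m.group(0).lower() for m in PI_REQUEST.finditer(" ".join(parser.text))})
    if asked:
        hits.append("asks for personal information: " + ", ".join(asked))
    return hits


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

These are indicators, not proof: legitimate bulk mail often carries a Return-Path on a different domain, and a clean result only means the message tripped none of these heuristics. A gateway that also validates SPF and DKIM, and a user who types the bank’s address instead of clicking the link, close the gaps this scan cannot.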
Questions
Thomas (Pete) Petry
AITP NOVA
TJPetry@yahoo.com
(202) 367-5971