Identity Theft

Identity Theft Presentation at Infosec Cyprus 2007.

    1. Identity Theft – Jorge Sebastião, Founder and CEO
    2. Recent breaches
       • May 2006 – Veterans Administration laptop with personal information on 26.5M veterans is stolen. “Total losses could top $500M.” – VA Secretary Nicholson
       • Jan 2007 – Hackers stole data from at least 45.7 million credit and debit cards at retailer T.J.Maxx; total costs could exceed $1.0B
       • May 2006 – CIO, CSO fired: Ohio University, 137,000 student accounts compromised
    3. More Stats
       • 2007 Breaches, ID Theft Resource Center, as of Oct 2007
       • Total Breaches: 305
       • Records Exposed: 76,734,967
    4. News
    5. More sophisticated Attacks
    6. What happens when Hackers grow UP? Criminals
    7. ATM Attack-1
    8. ATM Attack-2?
    9. Skimmer
       • Capacity > 2500 credit cards
       • 40 hours of operation
       • Panic button can delete stored information to avoid prosecution
       • Cost = $500
    10. Credit Cards for Sale
    11. Identity Theft brokers
    12. What Is Identity Theft?
       • Acquisition of key pieces of someone’s identifying information to impersonate them.
       • Includes:
         • Name
         • Address
         • Date of Birth
         • Social Security Number
         • Driver Licenses
         • Student Memberships
         • Mother’s Maiden Name
         • Credit Card Number
         • ATM PINs
         • Bank Account Numbers
    13. ID Theft – The old way
       • Stolen wallets and purses
       • Pickpocket
       • Stolen mail (snail mail)
       • “Dumpster Diving” and “Trash Rips”
       • Telephone scams
    14. ID Theft – The new way: Phishing / Pharming, Hijack / Skimming
    15. The role of online applications – 2007 top 5 OWASP attacks
       • Online skimming
       • Mal-ware
       • Key loggers
       • Social Engineering
       • Wireless phishing
       • Botnets
       • Spyware
       OWASP 2007 top 5:
       • #1 Cross Site Scripting (XSS) – XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating that content.
       • #2 Injection Flaws – Injection occurs when user-supplied data is sent to an interpreter as part of a command or query.
       • #3 Malicious File Execution – Hostile code and data are included in a file accepted by the web application, resulting in devastating attacks, such as total server compromise.
       • #4 Insecure Direct Object Reference – Attackers can manipulate information exposed as a URL or form parameter without authorization.
       • #5 Cross Site Request Forgery (CSRF) – The victim's browser sends a pre-authenticated request to a vulnerable web application, which then executes hostile actions in the browser.
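The two flaw definitions at the top of the OWASP list (XSS: user data sent to a browser without validation; injection: user data sent to an interpreter as part of a query) are easiest to see as a flawed routine next to its fixed form. The following is an added example, not code from the presentation or its author: the function names, the in-memory customer table and the sample inputs are all constructed for illustration. The injection pair deliberately uses an ordinary name containing an apostrophe, which is enough to show that the input reached the SQL parser as query text rather than as a value.

```python
"""Added example: OWASP 2007 #1 (XSS) and #2 (injection), flawed vs. fixed.

Everything here is constructed for illustration: the greeting page,
the customer table and the inputs are not from the presentation.
"""
import html
import sqlite3


# ---- #1 Cross Site Scripting: user data sent to the browser unvalidated ----

def render_greeting_vulnerable(display_name: str) -> str:
    # User-supplied text is interpolated straight into HTML, so any markup
    # the user typed becomes part of the page the browser interprets.
    return f"<p>Welcome back, {display_name}!</p>"


def render_greeting_hardened(display_name: str) -> str:
    # html.escape turns & < > " ' into entities; the browser then displays
    # the text instead of treating it as markup or script.
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


# ---- #2 Injection: user data sent to an interpreter as part of a query ----

def _sample_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for a customer database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "1234"), ("bob", "5678"), ("O'Brien", "3456")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The user's input is spliced into the SQL text, so it can change the
    # structure of the statement instead of acting only as a value.
    sql = f"SELECT name, card_last4 FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    # A bound parameter is handed to the engine separately from the query
    # text and is always treated as a value, whatever characters it holds.
    sql = "SELECT name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both pairs on the same constructed inputs and return the results."""
    markup_in_name = "<b>alice</b>"      # constructed: a name carrying markup
    name_with_quote = "O'Brien"          # constructed: ordinary, legitimate input

    conn = _sample_db()
    try:
        vulnerable_lookup = lookup_vulnerable(conn, name_with_quote)
    except sqlite3.OperationalError as exc:
        # The apostrophe closed the string literal early and broke the
        # statement: proof the input reached the interpreter as query text.
        vulnerable_lookup = f"query broken: {exc}"

    return {
        "xss_vulnerable": render_greeting_vulnerable(markup_in_name),
        "xss_hardened": render_greeting_hardened(markup_in_name),
        "sqli_vulnerable": vulnerable_lookup,
        "sqli_hardened": lookup_hardened(conn, name_with_quote),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value!r}")
```

The hardened XSS form encodes at the point where data meets the browser, which is the validation step the slide's definition names; the hardened lookup keeps the user's value out of the statement the interpreter parses, so the same apostrophe that breaks the flawed query simply matches the stored name.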
    16. Social Engineering
    17. Social Engineering
       • “… 70 percent of those asked said they would reveal their computer passwords for a …” bar of chocolate (Schrage, Michael. 2005)
    18. People are the biggest problem?
    19. WHAT CAN YOU DO?
       • DETER – Deter identity thieves by safeguarding your information
       • DETECT – Detect suspicious activity by routinely monitoring your financial accounts and billing statements
       • DEFEND – Defend against identity theft as soon as you suspect a problem
    20. DETER = Protect
       • Shred all documents. Cross shredding is preferred.
       • Do not carry extra credit cards.
       • Don’t give personal information over the telephone or the internet.
       • Remove mail promptly from your mailbox.
       • Deposit outgoing mail at the Post Office.
       • Don’t leave receipts at the point of sale.
       • Memorize PINs, social security numbers, and passwords.
       • Sign all new credit cards.
       • Match receipts to monthly billing statements.
       • Notify financial institutions in advance of address changes.
       • Keep your information secure.
    21. DETECT
       • Be alert
         • Mail or bills that don’t arrive
         • Denials of credit for no reason
       • Inspect your credit report
         • Law entitles you to one free report a year from each of the nationwide credit reporting agencies if you ask for it
         • Online: … by phone: … or by mail: …
       • Inspect your financial statements
         • Look for charges you didn’t make
    22. DEFEND = Respond
       • Place a “Fraud Alert” on your credit reports by calling any one of the three nationwide credit reporting companies:
         • Equifax
         • Experian
         • TransUnion
         • Review reports carefully, looking for fraudulent activity
       • Close accounts that have been tampered with or opened fraudulently
       • File a police report
       • Contact the Federal Trade Commission
    23. Online Resources
    24. Old ID Systems: ID Card, CPR Card, Driving License
    25. Replaced by Modern ID Systems
       • Driving License
       • CPR Card
       • ID Card
       Storage chip: all external information is duplicated in the chip, in addition to other data of the combined cards.
       • ELECTRONIC SECURITY
         • Encryption
         • Biometrics
    26. Biometrics also victim
    27. Banks’ Credit Card Technological Safeguards
       • Truncation of Account Numbers
       • CISP
       • Verified By Visa
       • Issuers’ Clearinghouse
       • Advanced Authorization
       • CVV
       • Address Verification
       • CVV2
       • Technology Innovations
    28. Free Services to customers
    29. End User Awareness
    30. Questions?