This document discusses protecting personal identity in the age of increased information tracking. It outlines the risks of identity theft, how thieves steal identities, and statistics on identity theft victims. Key points include that identity theft costs the US economy an estimated $100 billion annually, 47% of victims in 2015 experienced tax or wage-related identity theft, and children and the elderly are particularly vulnerable targets. The document provides tips on reducing identity theft risks and resolving identity theft issues.
ASIS Phoenix February Presentation
1. Protecting Your Identity in the Information Tracking Age
What to Know | What to Do
INFORMATION SECURITY & PRIVACY OFFICE
Randell C. Smith, Jr. CISM, CISSP, PMP
Chief Information Security Officer | Chief Privacy Officer
City of Phoenix
2. City of Phoenix
1. Things You Need To Know (Likelihood, Impact, Consequences)
2. Things You Need to Do (Before ID Theft)
3. Things You Need to Do (After ID Theft)
4. Questions & Answers
3. City of Phoenix
“The sky is not falling…it’s just a little closer!” Charles Thompson, former CIO, City of Phoenix.
4. City of Phoenix
Background
■ 9 years with City of Phoenix
■ Serving as CISO and CPO
■ 30 years with U.S. Navy (Retired Captain)
■ Naval Cryptologist
■ Worked directly for Naval Security Group Command and National Security Agency
■ Hold multiple industry certifications
5. What is Identity Theft?
■ Identity theft happens when someone
accesses essential elements of a
person’s identifying information in
order to commit theft.
■ This information may include name,
social security number, date of birth
and mother’s maiden name.
Source: Citi Identity Theft Solutions
8. City of Phoenix
Why be Concerned? Your Data is Everywhere
Partial map of the Internet based on the January 15, 2015 data found on opte.org. Each line is drawn between two nodes, representing two IP addresses.
9. City of Phoenix
Cyber Security Facts
• 230,000 malware variants created every day (84 million created in 2015).
• Signature-based technology used in AV software, IPS devices, and Web gateways is ineffective because polymorphic malware changes constantly.
• Drive-by downloads have become the top web threat (Water Hole Attacks).
• Phishing is the number one attack vector.
13. Identity Theft Victim Statistics (cont.)
■ Identity fraud has grown to include theft of cell and
landline phone service; cable and satellite television
service; power, water, gas and electric service;
Internet payment service; medical insurance; home
mortgages and rental housing; automobile, boat and
other forms of financing and loans; and, government
benefits.
■ Identity thieves will also use stolen identities to obtain
employment and to deceive police when arrested.
14. Who's at risk of identity theft?
■ ANSWER – Everyone
■ 12% of Americans age 18 or older have been subject
to identity theft in just the past 12 months.
■ Over half (52%) of Americans do not check their free
credit report annually.
■ Just 14% of Americans say they subscribe to identity
theft protection services such as Lifelock, Identity
Guard, or LegalShield.
■ Just 17% of Americans check their credit regularly with
one of the credit bureaus.
15. Who's at risk of identity theft?
■ The overall cost of identity theft to the American economy
is estimated to reach $100 billion annually.
■ In 2012, more than 15 million reports were made
of fraudulent use of a credit card or bank account,
compared with only about a million reports of
fraudulent use of personal information to open a new
account, and a million reports of fraudulent use of
personal information for some other purpose.
■ Most victims find out about identity theft when their
bank or credit card issuer contacts them to inquire
about suspicious activity on the account. At this point,
extensive damage may already be done.
16. Legal Liability – Credit Card vs. Debit Card
■ If someone steals your actual credit card, your liability
is generally limited to $50 ($0 if you report the loss
before any fraudulent activity occurs). And the
likelihood that you’ll even pay the $50 is minimal
because most credit card issuers offer zero liability
protections on fraudulent charges. Electronic Fund
Transfer Act (EFTA)
■ However, if your debit card number is stolen, your
losses could be much greater. Unless you notice and
report the theft within the first two days, you could
permanently lose the first $500 stolen from your
account. After 60 days, you may be liable for the entire
amount. Fair Credit Billing Act (FCBA)
18. 2015 Identity Theft
Federal Trade Commission (FTC)
■ 47% increase in identity theft
during 2015.
■ Tax or wage related identity
theft was responsible for a
significant portion of the
increase, and according to the
FTC, was “the largest and
fastest growing identity theft
category.”
■ IRS Data Breach – May 2015.
Thieves accessed 334,000 tax
accounts through the IRS "Get
Transcript" application, a
program to acquire information
about your tax returns.
20. Federal Law
Identity Theft and Assumption Deterrence Act 1998
■ Provides penalties up to 15 years imprisonment.
■ Maximum fine of $250,000
21. Consumer Protection Laws
Fair Credit Reporting Act (FCRA)
■ Designed to protect consumers from the willful
and/or negligent inclusion of inaccurate
information in their credit reports.
■ FCRA regulates the collection, dissemination,
and use of consumer information, including
consumer credit information.
Fair and Accurate Credit Transactions Act (FACT)
■ Act allows consumers to request and obtain a
free credit report once every twelve months
from each of the three nationwide consumer
credit reporting companies (Equifax, Experian
and TransUnion)
23. Child ID Theft
• The rate of identity theft for children was 35 times higher than
the rate for adults in the same population.
• 10.2% of children have had their Social Security numbers
stolen
• Child IDs were used to purchase homes and automobiles,
open credit card accounts, secure employment and obtain
driver’s licenses.
• Children are easy targets. Their identities are often a blank
slate.
• The probability of discovery is low. Parents typically don’t
monitor a child’s identity and the crime can go undiscovered for
many years.
• The potential impact on a child’s future is profound. A stolen
identity can destroy or damage a child’s ability to get a student
loan, acquire a mobile phone, obtain a job, secure a place to
live, and more.
26. Medical ID Theft - Definition
■ The fraudulent use of an individual’s
personally identifiable information
(PII), such as name, Social Security
number, and medical insurance
identity number to obtain medical
goods or services, or to fraudulently
bill for medical goods or services
using an unlawfully obtained medical
identity.
27. Medical ID Theft Statistics
■ Rapidly growing; impacts almost 6% of Americans.
■ About 2 million Americans fall victim to medical ID
theft every year
■ 31% say they allow family members to use their IDs to
get medical services (aka familial fraud)
• 45% of medical ID theft victims end up paying their
health-care provider or insurer for charges incurred by
the thieves
■ 50% of victims say they know the person who
victimized them
28. Signs of Medical ID Theft
■ Explanation of Benefits (EOB) statement, Medicare
Summary Notice, or bill for medical services you didn’t
receive
• Check the name of the provider, the date of service,
and the service provided
■ Call from a debt collector about a medical debt you don’t
owe
■ Medical collection notices on your credit report that you
don’t recognize
■ Notice from your health plan saying you reached your
benefit limit
■ Denial of insurance because your medical records show a
condition you don’t have
■ Numerous errors in your medical records
29. How to Resolve Medical ID Theft
■ Get copies of your medical records and check them for errors
• Contact each doctor, clinic, hospital, pharmacy, laboratory, health plan, and location where a thief may have used your information
• If a thief got a prescription in your name, ask for records from the health care provider who wrote the prescription and the pharmacy that filled it
■ Ask each of your health plans and medical providers for a copy of the “accounting of disclosures” for your medical records – a record of who got copies of your records from the provider
• The accounting shows who has copies of your mistaken records and whom you need to contact
30. Elderly ID Theft Statistics
■ Older people make appealing financial
targets because they typically have higher
credit lines, greater home equity and more
financial resources than younger
populations.
■ The mature market (50 years and older)
represents 36 percent of all ID Theft victims
making it the single largest demographic of
ID Theft victims.
31. Who’s Tracking You?
Tracking Cookies
■ Data that is distributed and shared across two or
more unrelated Web sites for the purpose of
gathering information to present customized data to
you.
■ Not harmful like malware, worms, or viruses, but
can be a privacy concern. For example, if you go to a
Web site that hosts online advertising from a third-party
vendor, the third-party vendor can place a
cookie on your computer.
■ An advertising company can determine indirectly all
the sites you have been to if they have cookies
present on those sites.
32. Who’s Tracking You?
Flash cookies: a cause for concern?
■ Because browser-based cookies are easy to detect and delete, some advertisers are now using “flash-based” cookies, which are not stored on your computer in the same way as browser-based cookies.
■ As a result, they are harder to find and delete. Banks and online finance sites store flash cookies on their users' computers to authenticate account owners and prevent fraud, since fraudsters would merely have a user's login and password but no access to the user's computer.
■ The flash cookie acts as a second level of authentication in addition to the user's login and password.
33. Who’s Tracking You?
Social networking tracking
■ Most social networking tracking occurs through JavaScript social buttons like “Like” and “Tweet” buttons.
■ Connections are made to entirely different companies than the website you’re actually visiting.
■ More than a quarter (26.3%) of what your browser does when you load a website is respond to requests for your personal information, leaving the remaining 73.7% for things you want your browser doing, like loading videos, articles, and photos.
34. Who’s Tracking You?
Web beacon -- a 1-pixel image
■ Web beacons are tiny image files invisible to
users and are used to transmit information to
advertisers. Commonly used in emails.
■ Tracking can get information as detailed as
where your mouse has been on a page to your
sexual orientation.
■ WSJ examined 1,000 top websites and found
that approximately 75 percent of them featured
social networking code that can match users’
online identities with their web-browsing
activities, and nearly 25% of the web’s 70 most
popular sites shared personal data, like name
and email address, with third-party companies.
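An added example, not part of the original presentation: a small Python check that scans the HTML body of an e-mail for web beacons as described above, flagging remote images that are 1 pixel in size or hidden by style and listing the host and query parameter names each one would report to. The sample message, host names and parameter names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl
import re

# Constructed sample e-mail body; hosts and parameter names are made up.
SAMPLE_EMAIL = """\
<html><body>
<p>Your statement is ready.</p>
<img src="https://cdn.shop.example/logo.png" width="200" height="60">
<img src="https://track.ads.example/o.gif?uid=8841&amp;msg=spring" width="1" height="1">
<img src="https://metrics.example/p?e=user%40mail.example" style="display:none">
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1

class BeaconFinder(HTMLParser):
    """Collects <img> tags that load remotely but are invisible to the reader."""
    def __init__(self):
        super().__init__()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # embedded (cid:/data:) images make no network request
        tiny = _tiny(a.get("width")) and _tiny(a.get("height"))
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tiny or hidden:
            # Parameter names show what kind of identifier is being sent back.
            params = [k for k, _ in parse_qsl(url.query)]
            self.beacons.append({"host": url.hostname, "params": params,
                                 "why": "1x1" if tiny else "hidden"})

def find_beacons(html):
    finder = BeaconFinder()
    finder.feed(html)
    finder.close()
    return finder.beacons

if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_EMAIL):
        print(beacon)
```

Mail clients that block remote images by default stop these requests from being made, which is why the visible logo and the beacons above are treated the same way until the reader chooses to load images.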
35. Steps to Prevent Identity Theft
■ Memorize PINs and passwords
■ Beware of promotions that request sensitive
information
■ Question how SSN or other sensitive data will be
used if it is requested by legitimate sources
■ Shred pre-approved credit offers, receipts, bills, other
records that have SSN
■ Do not give out CC#, SSN, etc. over email
■ Do not click on links in unsolicited emails
36. Steps to Prevent Identity Theft
■ Don’t carry your SSN card with you
■ Request a driver’s license number
■ Only carry what you use
■ Photocopy all cards in your wallet
■ Select hard to guess PINs and passwords
■ Don’t leave mail sitting in an unprotected box
■ Don’t give out private information over the phone
■ Order your credit reports
■ Use caution when providing ANY sensitive
information
37. Steps to Prevent Identity Theft
■ Use the post office mailboxes
■ Keep an eye out for bills or statements that
aren’t received in a timely manner
■ Sign the backs of all credit cards (or write
“Check ID”)
■ Do not loan out your cards to anyone
■ Report lost/stolen cards immediately
■ Keep a copy of both sides of your cards in a
safe place
38. Steps to Prevent Identity Theft
■ Check for the “padlock” and/or “https” when
purchasing online
■ Opt out of pre-approved credit card offers
■ Opt out of junk mail
■ Shred all pre-approved credit card offers
■ Watch out for calls or letters about purchases
that you didn’t make
39. Safeguard your computer
■ Use a firewall
■ Use anti-virus software AND keep it updated
■ Use wireless encryption
■ Do NOT give out your NetID/password under ANY
circumstances
■ Lock your computer when you are away from your
desk
■ Don’t open files from unknown sources
■ Use complex passwords
■ Erase computer hard drive before disposing of
computers and destroy peripheral storage devices
before disposal
40. Credit Freeze
■ Prevents lenders and others from accessing your
credit report
■ Good news – Identity thieves will be unable to
establish credit in your name
■ Bad news – so will you
■ Will also affect background checks and most
requests for insurance
42. What to Do After Identity Theft
Place an Initial Fraud Alert
• Contact 1 of the credit reporting companies.
• Report that you are an identity theft victim.
• Ask the company to put a fraud alert on your credit file.
• Confirm that the company you call will contact the other 2 companies.
Placing a fraud alert is free. The initial fraud alert stays on your credit
report for 90 days. Be sure the credit reporting companies have your
current contact information so they can get in touch with you.
Order Your Free Credit Reports
• Contact each of the 3 nationwide credit reporting companies.
• Explain that you placed an initial fraud alert.
• Order your free copy of your credit report. Ask each company to show
only the last 4 digits of your Social Security number on your report.
Credit Reporting Companies
Equifax 1-800-525-6285
Experian 1-888-397-3742
TransUnion 1-800-680-7289
(http://www.consumer.ftc.gov/articles/0274-immediate-steps-repair-identity-theft)
43. IdentityTheft.Gov
■ Simplified step-by-step checklist tailored to the specific
type of identity theft consumers are facing.
■ Advice is customized for individual needs.
■ The site will automatically generate affidavits and pre-fill
letters and forms to be sent to credit bureaus,
businesses, police, debt collectors and the IRS. Should
a consumer’s recovery run into issues, the site will
suggest alternative approaches.
■ Once a consumer completes their initial report on the
site, they will receive follow up e-mails and can return
to their personalized plan online to continue the
recovery process.
45. ID Theft Recovery Practices
■ Review statements
■ Promptly contact financial institution(s) to note
errors/discrepancies
■ Close or cancel accounts
■ Stop payments on outstanding checks
■ Establish new account numbers and passwords
■ Get a copy of the police report
■ Notify postal service if mail was involved
■ Notify Social Security Administration if SSN was used
■ Notify DMV if driver’s license number was used
46. ID Theft Recovery-Recordkeeping
■ Keep records/notes/copies of all contact information
- names
- dates
- follow up notes
■ Maintain copies of all documentation
47. Identity Theft Recovery Services
Third party services offered to help victims of ID fraud
reclaim their identity.
• Fraud Alert Reminders - The company will remind you when the fraud alert
on your account is about to expire so you can renew it.
• Fraud Specialist - The company provides access to fraud specialists to help
you manage your fraud case.
• Identity Theft Insurance - The company offers insurance to reimburse you
for costs related to restoring your identity.
• Lost Wallet Protection - The company offers assistance with canceling and
replacing lost or stolen debit/credit cards.
http://www.reviews.com/identity-theft-protection-services/
LifeLock | AllClear ID | Identity Force | ID Patrol | Trusted ID | ID WatchDog