CSCU Module 10: Social Engineering and Identity Theft
- 2. 2 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
OAKLAND ‐‐ Calling it the biggest they have seen, Oakland police said Monday that an identity theft operation that
manufactured phony checks, IDs and credit cards has been shut down.
Officials said there are potentially thousands of victims all over the Bay Area and in other states and the possibility of an
untold amount of monetary loss.
Police Chief Anthony Batts said breaking up the operation is particularly important to law enforcement because identity theft
"puts fear in everyone," including himself.
The operation, which Officer Holly Joshi called a "one‐stop shop" for identity theft, was run out of a Hayward apartment in
the 21000 block of Foothill Boulevard, where resident Mishel Caviness‐Williams, 40, was arrested last week as she left the
apartment. She had $4,000 in cash on her, police said.
Oakland Police Shut Down Bay Area‐Wide Identity Theft Operation
http://www.mercurynews.com
05/16/2011, 11:16:54 AM PDT
- 10.
How do Attackers Steal Identity?
Hacking: Attackers may hack computer systems to steal confidential personal information.
Theft of Personal Stuff: Fraudsters may steal wallets and purses, and mail including bank and credit card statements, pre-approved credit offers, and new checks or tax information.
Phishing: Fraudsters pretend to be a financial institution and send spam or pop-up messages to trick the user into revealing personal information.
Social Engineering: The act of manipulating people’s trust so that they perform certain actions or divulge private information, without using technical cracking methods.
- 11.
What do Attackers do with Stolen Identity?
Credit Card Fraud:
They may open new credit card accounts in the user’s name and not pay the bills.
Phone or Utilities Fraud:
They may open a new phone or wireless account in the user’s name, or run up charges on his/her existing account.
They may use the user’s name to get utility services such as electricity, heating, or cable TV.
Other Fraud:
They may get a job using the legitimate user’s Social Security number.
They may give the legitimate user’s information to police during an arrest; if they do not turn up for their court date, a warrant for arrest is issued in the legitimate user’s name.
- 12.
What do Attackers do with Stolen Identity?
Bank/Finance Fraud:
They may create counterfeit checks using the victim’s name or account number.
They may open a bank account in the victim’s name and issue checks.
They may clone an ATM or debit card and make electronic withdrawals in the victim’s name.
They may take out a loan in the victim’s name.
Government Documents Fraud:
They may get a driving license or official ID card issued in the legitimate user’s name but with their own photo.
They may use the victim’s name and Social Security number to get government benefits.
They may file a fraudulent tax return using the legitimate user’s information.
- 20.
Human-Based Social Engineering
Eavesdropping: Eavesdropping is unauthorized listening to conversations or reading of messages. It is the interception of any form of communication, such as audio, video, or written.
Shoulder surfing: Shoulder surfing is the procedure where attackers look over the user’s shoulder to gain critical information such as passwords, personal identification numbers, account numbers, credit card information, etc. An attacker may also watch the user from a distance using binoculars in order to get the pieces of information.
Dumpster diving: Dumpster diving includes searching for sensitive information in the target company’s trash bins, printer trash bins, user desks for sticky notes, etc. It involves collection of phone bills, contact information, financial information, operations-related information, etc.
- 23.
Phony Security Alerts
Phony security alerts are emails or pop-up windows that seem to be from reputable hardware or software manufacturers such as Microsoft, Dell, etc.
They warn the user that the system is infected and provide an attachment or a link in order to patch the system.
Scammers suggest that the user download and install those patches.
The trap is that the file contains malicious programs that may infect the user’s system.
- 26.
How to Find if You are a Victim of Identity Theft?
Bill collection agencies contact you about overdue debts you never incurred
You receive bills, invoices, or receipts addressed to you for goods or services you haven’t asked for
You no longer receive your credit card or bank statements
You notice that some of your mail seems to be missing
Your request for a mortgage or any other loan is rejected citing a bad credit history, despite your having a good credit record
- 27.
How to Find if You are a Victim of Identity Theft?
You get something in the mail about an apartment you never rented, a house you never bought, or a job you never held
You lose important documents such as your passport or driving license
You identify irregularities in your credit card and bank statements
You are denied social benefits on the grounds that you are already claiming them
You receive a credit card statement with a new account
- 29.
What to do if Identity is Stolen?
Contact the credit reporting agencies:
http://www.experian.com
http://wwwc.equifax.com
http://www.transunion.com
Immediately inform credit bureaus and establish fraud alerts
Request a credit report
Review the credit reports and alert the credit agencies
Freeze the credit reports with credit reporting agencies
Contact all of your creditors and notify them of the fraudulent activity
Change all the passwords of online accounts
Close the accounts that you know or believe have been tampered with or opened fraudulently
- 30.
What to Do if Identity Is Stolen?
File a report with the local police or the police in the community where the identity theft took place
File a complaint with identity theft and cybercrime reporting agencies such as the FTC
Take advice from police and reporting agencies about how to protect yourself from further identity compromise
Ask the credit card company about new account numbers
Tell the debt collectors that you are a victim of fraud and are not responsible for the unpaid bill
Ask the bank to report the fraud to a consumer reporting agency such as ChexSystems, which compiles reports on checking accounts
- 34.
Internet Crime Complaint Center
http://www.ic3.gov
The mission of the Internet Crime Complaint Center (IC3) is to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime.
The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA).
- 35.
Prosecuting Identity Theft
Begin the process by contacting the bureaus, banks, or any other organizations that may be involved
File a formal complaint with the organization and with the police department
Regularly update yourself regarding the investigation process to ensure that the case is being dealt with properly
Obtain a copy of the police complaint to prove to the organizations that you have filed an identity theft complaint
File a complaint with the Federal Trade Commission and complete affidavits to prove your innocence on the claims of identity theft and fraudulent activity
Contact the District Attorney's office about further prosecuting the individuals who may be involved in the identity theft
- 39.
Module Summary
Identity theft is the process of using someone else’s personal information for the personal gain of the offender
Criminals look through trash for bills or other paper with personal information on it
Criminals call the victim, impersonating a government official or other legitimate business person, and request personal information
Keep the computer operating system and other applications up to date
Do not reply to unsolicited email that asks for personal information
Use strong passwords for all financial accounts
Review bank and credit card statements and credit reports regularly