Computer Security: Data and Identity Management
Data Security - Identity Theft: Protection and Prevention
www.RobertSiciliano.com © 2017

9/18/2017 www.IDTheftSecurity.com


Awareness

• A lack of security appreciation contributes directly to poor security awareness, most notably at the personnel level.
• This is one of the leading contributors to the human-error factor in most security breaches.
• Security needs to be everyone's business.
• Corporations and government agencies are directly responsible for protecting the personal information entrusted to them by their consumers, so measures must be taken to increase awareness in the everyday IT environment.
• The most critical step to changing user behavior is to build a security-minded culture from the ground up.
• To create this culture, all employees need to be educated and tested on security threats and on how their day-to-day computer use can affect their organization's security posture.

Source: CIO Magazine

Social Engineering

Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access, and in most cases the attacker never comes face-to-face with the victim.

THERE IS NO PATCH FOR HUMAN GULLIBILITY.

• Levers the attacker pulls: lose something; gain something; fear/greed; the "Principles of Influence and Persuasion"
• Thieves pose as: you; your spouse; a bill collector; your bank; a utility; a merchant or organization; a fellow employee; a government agency
• Channels: email; telephone; in person; Trojan horse / watering holes


Hack a Company with…

• Scour all of the social networking sites (LinkedIn, Twitter, Facebook) for employees of the target company.
• Find numerous people who openly discuss what they do for a living.
• Create a Facebook group identified as "Employees of" the company.
• Using a fictitious identity, "friend" or invite employees to the "company" Facebook group. Membership grows quickly each day.
• Creating the group gives you access to employees' profiles. The group is a place where the people you know, like, and trust are your "friends," and in this case they are fellow employees whom you have no reason to distrust.
• Choose the identity of one of the Facebook-friended employees to gain access to the building.
• Depending on the company's size, you may be able to recreate the identity of an employee who is not known at the branch office you intend to breach, but the name needs to be in the system.
• A little creativity, a fake business card, and enough information gleaned from Facebook, and you're in.


Malicious Insider Attacks

A malicious insider is a current or former employee, contractor, or business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information. (CERT)

Methods/tactics:
• Recruiting targets: system admins; new hires; friends/relations; people who unknowingly contribute
• Motives: disgruntled (sabotage); opportunists (fraud); theft of intellectual property
• Recruitment levers: money/incentives; social engineering; threats/violence

"Our whole system is based on personal trust," James Clapper, director of national intelligence, said, adding that there were no "mousetraps" in place to guarantee there wouldn't be another Edward Snowden.

Data Breaches

• Irresponsible/malicious insiders
• 3rd-party fault
• Laptop theft
• Physical security vulnerabilities
• Loss
• Hacking: 21st-century burglary


Criminal Hackers

• Albert Gonzalez: 170 million records
• Buried $1 million
• Serving 20 years


Password Manager

• Dictionary attacks: these rely on software that automatically plugs common words into password fields. Password cracking becomes almost effortless with a tool like John the Ripper or similar programs.
• Cracking security questions: when you click the "forgot password" link within a webmail service or other site, you're asked to answer a question or series of questions. The answers can often be found on your social media profile. This is how Sarah Palin's Yahoo account was hacked.
• Simple passwords: when 32 million passwords were exposed in a single breach, almost 1% of victims were using "123456." The next most popular password was "12345." Other common choices were "111111," "1234567," "12345678," "123456789," "princess," "qwerty," and "abc123." Many people use first names as passwords, usually the names of spouses, kids, other relatives, or pets, all of which can be deduced with a little research.
• Reuse of passwords across multiple sites: reusing passwords for email, banking, and social media accounts can lead to identity theft. Two breaches analyzed together revealed a password reuse rate of 31% among victims.
• Social engineering: social engineering is an elaborate type of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information.
• Creating stronger passwords: a commonly taught formula is a familiar name or word, plus a familiar number, plus the first four letters of the website where the password will be used, in mixed case; for Bank of America that yields something like "Dog7Bank." Treat that as a floor, not a goal. An eight-character password made of a dictionary word, one digit and a guessable site prefix is exactly the pattern rule-based cracking tools try first, and once one such password leaks in a breach the pattern gives away your password for every other site. Adding a capital letter or an asterisk does not add "centuries" to the cracking time; length and randomness do. The reliable option, and the reason this slide is titled Password Manager, is to let a password manager generate a long random password that is unique to each site, so you only have to remember one strong master password.
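The formula in the last bullet is worth watching fail. The Python below is an added example, not material from the original slides: it generates every password the "familiar word + digit + four-letter site prefix" formula can produce from a constructed wordlist and site list, runs them against a SHA-256 hash of the slide's own "Dog7Bank" the way a cracking tool would, and compares the size of that search space with a manager-generated random password. The wordlist, the site list, the choice of hash and the 16-character length are assumptions for the demonstration.

```python
"""Added example, not from the original slides: a rule-based dictionary
attack against the 'word + digit + site prefix' password formula, next
to what a password manager does instead. Wordlist, site list and target
password are constructed for the demonstration."""
import hashlib
import itertools
import math
import secrets
import string

# Constructed "familiar words": pets, kids' names and the usual suspects.
WORDS = ["dog", "cat", "max", "bella", "princess", "qwerty", "abc"]
# Constructed list of sites one user might hold accounts at.
SITES = ["bankofamerica.com", "amazon.com", "facebook.com", "gmail.com"]
CASE_VARIANTS = 9  # 3 word casings x 3 prefix casings, as generated below


def site_prefix(site: str, n: int = 4) -> str:
    """First n letters of the site name, as the formula on the slide uses."""
    return site.split(".")[0][:n]


def formula_candidates(words=WORDS, sites=SITES):
    """Every password the formula can produce from the given words and
    sites: word + one digit + 4-letter site prefix, in common casings.
    Sites vary fastest, so once one password is known the same word and
    digit are reused for every other site."""
    for word, digit, site in itertools.product(words, range(10), sites):
        prefix = site_prefix(site)
        for w in (word, word.capitalize(), word.upper()):
            for p in (prefix, prefix.capitalize(), prefix.upper()):
                yield f"{w}{digit}{p}"


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, standing in for whatever fast hash a breached
    site stored (a real site should use a slow, salted KDF)."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash: str, words=WORDS, sites=SITES):
    """Try every formula candidate against the hash.
    Returns (plaintext or None, number of guesses made)."""
    guesses = 0
    for guesses, candidate in enumerate(formula_candidates(words, sites), start=1):
        if sha256_hex(candidate) == target_hash:
            return candidate, guesses
    return None, guesses


def formula_bits(n_words: int, n_sites: int) -> float:
    """Search space of the formula, in bits, for an attacker who knows
    the pattern (which one breached password reveals)."""
    return math.log2(n_words * 10 * n_sites * CASE_VARIANTS)


def random_bits(length: int, alphabet_size: int = 94) -> float:
    """Search space of a uniformly random password over printable ASCII."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16) -> str:
    """What a password manager does: a unique, uniformly random password
    per site, drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    target = sha256_hex("Dog7Bank")  # the slide's own example password
    plaintext, guesses = crack(target)
    print(f"recovered {plaintext!r} after {guesses} guesses")
    print(f"formula keyspace, 10,000 words x 100 sites: {formula_bits(10_000, 100):.1f} bits")
    print(f"random 16-char password:                   {random_bits(16):.1f} bits")
    print(f"manager-generated example: {generate_password()}")
```

Run directly, the slide's password falls in a few hundred guesses. John the Ripper's rule files automate exactly this word-digit-suffix mangling at millions of guesses per second, and even a generous 10,000-word dictionary crossed with 100 sites leaves the formula under 30 bits of search space, against more than 100 bits for a 16-character random password that no pattern connects to your other accounts.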


Hacking for Money

• Social engineering
• Phishing
• Weak credentials
• Insecure passwords
• Unpatched OS
• Vera
• No passwords


Identity Theft

Definition: Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain.

Perpetrators


Victim's Story

"I have been a victim of identity theft. Without making this e-mail 10 pages long: this all started in 1983 with a warrant for my arrest; it escalated to my driver's license being suspended in the state of Minnesota in 1986, and an arrest warrant in the State of Kansas. I had a criminal history report run by the Minnesota Bureau of Criminal Apprehension, which came back with a 10-page report linked to my name, with various felonies including Criminal Sexual Conduct and Grand Theft. The person who has been using my name and date of birth is someone that I was "friends" with as a child. Over the course of the past 20-odd years, I have had my driver's license flagged with the DMV, so that picture ID must be provided if someone gives my name, as well as carrying a file folder with me, in the off chance that I get stopped by the police. I also have my driving record checked once a year to make sure that everything on it is accurate." Paul G., January 20

Flawed System

SSN + Credit + Fake ID

Identity Theft Types

• New account fraud: using another person's identifying information (SSN) to obtain products and services on the strength of that person's good credit standing.
• Account takeover fraud: using another person's account numbers, such as a credit card number, to obtain products and services through that person's existing accounts, or extracting funds from that person's bank account.
• Tax identity theft: tax-related scams have increased by over 700% since 2008. Two million fraudulent tax returns were filed in 2011 alone, at a cost of two billion dollars.
• Child identity theft: studies show child identity theft affects over 500,000 kids every year.
• Medical identity theft: the deadliest form of identity theft, with 1.5 million victims every year. The thief's motivation is medical procedures or any other form of healthcare attention.
• Criminal identity theft: someone commits a crime under another person's name. The thief, in the act of the crime or upon arrest, poses as the identity theft victim.
• Business or commercial identity theft: using a business's name to obtain credit, or even billing that business's clients for products and services.
• Identity cloning: encompasses all forms of identity theft. The thief is actually living and functioning as the victim, on purpose.

Legal Forms of ID Circulating

• 49 versions of the Social Security card
• 14,000 types of birth certificates
• 200-plus forms of driver's licenses; 14 states issue licenses with no photo
• Signature? Forgery: what is a signature?

Fake IDs

Public Records

• The Government Accountability Office estimated that 28% of public records are available online.
• SSNs found in public records: Jeb Bush; Colin Powell; Porter Goss (CIA)

Fraud Schemes

Scams (how they get your data):
• Social engineering
• Social media identity theft
• P2P file sharing
• Spyware
• Phishing
• Card fraud/skimming
• Second-hand devices

How a Thief Obtains the Parts

• Mail: stealing incoming mail; stealing outgoing mail; mail delivered to the wrong address; changing your mailing address
• Dumpster diving: going through your rubbish; going through someone else's rubbish
• Theft: stealing from your home (by someone known or unknown to you); stealing a wallet or pocketbook; theft from inside an organization
• Readily available info: phone book, 411; online birthday sites and ancestry sites; public records, courts, tax assessors
• Covertly: from your license plate; intercepting cordless or cellular transmissions; caller ID (CID) spoofing; internet hacking; phishing

Social Media Identity Theft

• 400 social media sites
• Account takeover
• Infected links
• Exposing data
• Financial gain, harassment

Phishing

RSA Phishing Scam

• APT (advanced persistent threat)
• Spear-phishing emails, some of which landed in recipients' junk mail folders
• Social search
• An Excel attachment carrying an embedded Adobe Flash exploit
• Installed a RAT (remote access trojan)

What's in your spam folder?

Spyware

• Scareware: fake anti-virus
• Ransomware: holds data for extortion
• Remote assistance scams
• Keyloggers: spyware software
• KeyCatchers: hardware keyloggers

30% of fraud losses are from card counterfeiting against ATMs. (Uri Rivner, RSA Consumer Solutions)

(Skimmer photos: KrebsOnSecurity.com)

ATM Skimming

Raw data: http://www.youtube.com/watch?v=5zJRzSqad-A

Second Hand Devices

• Printers bought on Craigslist within a 30-mile radius
• 30 devices
• Basic forensics
• Half of them yielded data
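The "basic forensics" step above is easy to reproduce. The Python below is an added example, not the tooling used in the printer study: it scans a raw byte image for Luhn-valid payment card numbers and SSN-shaped strings, checking both 8-bit text and the UTF-16LE encoding Windows uses for spool files and documents. SAMPLE_IMAGE is a constructed blob standing in for a dump of a second-hand printer's storage; the regexes and the set of encodings searched are assumptions for the demonstration.

```python
"""Added example, not from the original slides: the kind of 'basic
forensics' pass that recovers card numbers and SSNs from a discarded
device. SAMPLE_IMAGE is a constructed byte blob standing in for a raw
dump of a second-hand printer or drive."""
import re

# Digit runs of 13-19 digits, allowing the spaces/dashes people type,
# not attached to a longer digit string on either side.
CARD_RE = re.compile(rb"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# US SSN shape, with structurally invalid area/group/serial values
# (000, 666, 9xx; 00; 0000) excluded.
SSN_RE = re.compile(
    rb"(?<![\d-])(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?![\d-])"
)

# Constructed sample: a spool-file fragment, binary noise, a Luhn-invalid
# order number, a UTF-16LE (Windows-style) SSN, and an 8-bit SSN.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"%PDF-1.4 leftover spool job: Cardholder JANE DOE 4111 1111 1111 1111 exp 12/29\n"
    + bytes(range(256))
    + b"Order #1234567890123456 (not a card: fails Luhn)\n"
    + "Employee SSN: 078-05-1120".encode("utf-16-le")
    + b"\xff" * 32
    + b"Customer ID 123-45-6789 ... deleted invoice fragment"
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every real payment card number passes;
    it filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def utf16le_as_ascii(data: bytes) -> bytes:
    """Recover ASCII text stored as UTF-16LE (common in Windows spool
    files, documents and registry data); non-ASCII code points are dropped."""
    return data.decode("utf-16-le", errors="ignore").encode("ascii", errors="ignore")


def carve(image: bytes) -> dict:
    """Scan a raw image for Luhn-valid card numbers and SSN-shaped strings
    in 8-bit text and in UTF-16LE text at either byte alignment."""
    views = [image, utf16le_as_ascii(image), utf16le_as_ascii(image[1:])]
    cards, ssns = set(), set()
    for view in views:
        for m in CARD_RE.finditer(view):
            digits = re.sub(rb"[ -]", b"", m.group()).decode()
            if luhn_ok(digits):
                cards.add(digits)
        for m in SSN_RE.finditer(view):
            ssns.add(m.group().decode())
    return {"cards": sorted(cards), "ssns": sorted(ssns)}


if __name__ == "__main__":
    found = carve(SAMPLE_IMAGE)
    print(f"card numbers: {found['cards']}")
    print(f"SSNs:         {found['ssns']}")
```

Point the same function at a real device dump (read with `open(path, "rb").read()` or, on Linux, from the block device) and it will do what the study's "basic forensics" did. The UTF-16LE pass matters in practice: data from Windows hosts is often invisible to a plain ASCII string search, which is how a casual "I looked and found nothing" check misses what a buyer with a few lines of code will find.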

Protection

• Credit protection
• Know your assets
• Paper management
• Patch management
• eBanking
• Mobile device management
• Laptops
• Strong authentication
• Zombies
• Password management
• Firewalls
• Wireless
• Physical security
• Backup data
• Viruses
• Vulnerability assessments
• Spyware
• Employee monitoring
• Windows Update

Credit

• Check credit reports 3 times annually (AnnualCreditReport.com)
• Dispute inaccuracies
• Check your spouse's and children's credit reports
• Credit monitoring
• Credit freeze
• Fraud alerts

Credit Freezes

• Locks credit
• Slows the loan process
• State security freeze
• https://www.experian.com/freeze/center.html
• https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
• http://www.transunion.com/personal-credit/credit-disputes/credit-freezes.page

Credit Cards

• Check statements; dispute unauthorized charges within 60 days
• Use credit cards instead of debit cards
• Pay attention to the expiration date of credit cards and look for the arrival of new cards
• Sign all new cards immediately
• Destroy black carbon credit receipts
• Thin out your wallet

Mail

• Lock your mailbox
• Place mail in secure outgoing mailboxes or at the post office
• Call the post office if you go more than 4 days without mail
• Pay attention to the delivery dates of all bills
• Get removed from the Direct Marketing Association's lists

Shredding Data

• All throwaway documents: contract an authorized disposal company for secure disposal
• Ask all public and private entities about their policies for disposal
• Opt out of, and destroy, pre-approved credit card offers
• Photocopy all documents in your wallet/purse
• Reconcile bills and statements diligently and on time
• Secure all receipts, legal documents and account numbers, including tax documents and cancelled checks
• Unlist your name and number from the phone book
• Eliminate paper statements
• Thoroughly erase data from discarded hard drives: www.killdisk.com or a sledgehammer
• McAfee Shredder and Norton WipeInfo

Banking

• Bank online
• Use automatic bill payment and automatic payroll deposit
• Use QuickBooks/Mint
• Have bank-ordered checks delivered to the bank, not to your home
• Be aware of people shoulder surfing at an ATM

Wireless Security

• Wi-Fi is insecure
• 300-500 ft range
• Free Wi-Fi
• Evil twins
• Secure mobiles
• Virtual Private Network (VPN)

Anti-Virus

• Install virus protection and keep it automatically updated
• Default configurations
• Beware of scareware

Windows Update

Internet Browser

• Be careful about which websites you visit. Sites devoted to illegal or questionable subjects, such as hacker sites, sites for downloading pirated music or software, and pornographic sites, are the most likely to carry malicious code.
• Do not conduct financial transactions or send private information over the web unless the connection is secure, shown by https:// in the address bar and the browser's padlock icon. Know the limit of that check: the padlock only means traffic is encrypted to whoever holds the certificate for that domain, and a phishing site can show a valid padlock too, so confirm that the domain itself is the one you meant to visit.
• Configure your browser's security settings for safe browsing.
• Configure your browser's privacy settings to avoid unwanted cookies and pop-up ads.
• Enable checking of digital signatures on drivers and other programs you download.

Mobile Security

Resources

To be removed from direct mail lists: Direct Marketing Association, Mail Removal List, POB 9008, Farmingdale NY 11735, www.the-dma.org
To be removed from telemarketing lists: DMA Telephone NO CALL LIST, POB 9014, Farmingdale, NY 11735
To opt out of pre-approved credit card offers: 1 888 5 OPTOUT

Check fraud / check verification services: National Check Fraud Service 1 843 571 2143; SCAN 1 800 262 7771; TELECHECK 1 800 710 9898; CROSSCHECK 1 707 586 0551; EQUIFAX 1 800 437 5120; INTERNATIONAL CHECK 1 800 526 5380

Federal Trade Commission (FTC) Identity Theft Clearing House, Washington DC 20580: 1 877 ID THEFT, 1 877 FTC HELP, www.consumer.gov/idtheft, www.ftc.gov
FCC: 1 888 CALL FCC, www.fcc.gov
Social Security Administration (SSA), POB 17768, Baltimore, MD 21235: 1 800 269 0271 or 1 800 772 1213
Postal Service Mail Hold: 1 800 275 8777; Postal Inspector: www.usps.gov/websites/depart/inspect
US Bankruptcy Administration: www.usdoj.gov/ust

Resources

3 free credit reports a year (one from each bureau): www.AnnualCreditReport.com, POB 105281, Atlanta GA 30348, 877 322 8228

Credit Bureaus

EXPERIAN (formerly TRW), POB 1017, Allen, TX 75013. To report fraud or request a report: 888 397 3742 or 800 682 7654. www.EXPERIAN.com

EQUIFAX, POB 740241, Atlanta, GA 30374. To report fraud or request a report: 800 685 1111 or 800 525 6285. www.EQUIFAX.com

TRANS UNION, POB 97328, Jackson, MS 39238. To report fraud or request a report: 800 680 7289 or 800 888 4213. www.TRANSUNION.com

Robert Siciliano

ROBERT SICILIANO, CEO of IDTheftSecurity.com, is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds. His "tell it like it is" style is sought after by major media outlets, executives in the C-suite of leading corporations, meeting planners, and community leaders to get the straight talk they need to stay safe in a world in which physical and virtual crime is commonplace. Siciliano is accessible, real, professional, and ready to weigh in and comment at a moment's notice on breaking news.

Siciliano's media credentials include hard-hitting and provocative contributions to The Today Show, CBS Early Show, CNN, MSNBC, CNBC, Inside Edition, EXTRA, Tyra Banks, Sally Jessy, Montel, Maury, Howard Stern, The Wall Street Journal, USA Today, Forbes, BusinessWeek, Cosmopolitan, Good Housekeeping, Reader's Digest, Consumer Digest, Smart Money, the Washington Post, and many more.