ID Theft P E R S O N A L A N D O R G A N I Z AT I O N A L P R E V E N T I O N A N D D E T E C T I O N M i c h e l l e C u m m i n g s , C I A , C F E , C D F M

According to the National Crime Victimization Survey (NCVS) , the definition of ID Theft includes 3 general types of incidents:

• Unauthorized use or attempted use of an existing account

• Unauthorized use or attempted use of personal information to open an account

• Misuse of personal information for a fraudulent purpose

ID Fraud Facts • Approximately 7% of all adults have their identities misused annually

resulting in billions of dollars in losses.

• GAO states that a little over $5B is lost each year to tax fraud. From 2013-2014 the number of tax fraud victims jumped 36%. (Recent jump due to Intuit, Inc.)

• Criminals are becoming more organized and improving methods such as phishing and vishing fraud, hacking corporate and government networks, and hijacking personal computers (ransomware).

• Credit, debit, checking and savings accounts are not the only targets – cell and landline phone service, cable and satellite TV service, internet services, utilities, medical insurance, home mortgages, other loans, and government benefits.

How do Fraudsters obtain information?

• Stolen physical documentation

• Personal Computer or Work Computer

• Tech Devices

• Online - retail, medical, memberships

• Social Media

• Phishing, Vishing, Spoofing Schemes

• Corporate or Government Hacking

Stolen Physical Documentation • In order to steal money directly:

• Checks

• Credit/ATM cards

• PIN numbers

• Bank Account Numbers (needed to print checks)

• In order to steal identity and open new accounts:

• ID, Driver’s License

• Social Security Card

• Birth Certificate (Mother’s Maiden Name)

• Tax Statements

• Military Separation Documents or VA Documentation (VA Loans)

How do fraudsters get physical documentation?

• Your Purse or Wallet

• File Cabinet at Home/Office

• Items in the Trash (this includes company trash)

• Warren County Virtual Community School – SSNs (140 students affected)

• Dr. David Cavallaro – medical files (Hundreds affected)

• Madison Park Apartments – rental applications (Unknown number affected)

• Atlas Collections – collection files (Hundreds affected)

• Hancock Fabrics – payroll records (Unknown number affected)

• Human Resources Department/Payroll

Computer Use

• Security

• Are users separated by passwords?

• Is your password easy to find or guess?

• Who has physical access?

• Firewalls, Anti-virus

• Other ways to gain access

• Links containing viruses

• Repair tech scams

• Ransomware

What is on your personal computer?

• Bank Statements

• Monthly Personal Financials

• Tax Statements

• List of online sites and passwords

• Work information ??

• Personal identifiable information and photos

What is on your Work Computer?

• Information YOU are required to protect on behalf of others:

• Trade Secrets

• Classified Information

• Proprietary Information

• Other Sensitive Information

Tech Devices

• Skimmers

• Gas Pumps

• ATMs

• Radio Frequency Identification (RFID) Technology

• Credit card printers and associated equipment (video)

https://www.youtube.com/watch?v=V3pElQD8UZg

Skimmers and RFID Devices

Online Activities • Credit Card Purchases

• Saving credit card information in the system for future purchases

• Home Depot

• Target

• Health/Medical Records

• Personal medical data

• Aetna

• Professional/Social Memberships

• Certificate Information

• Credit Card Info

Social Media WHAT PER SONAL INFOR MATION AR E YOU POST ING?

What do Fraudsters want to know?

FACE B O O K

• Full Name

• Spouse’s and Kids’ Names

• Birthdate

• Family Pictures

• Personal/Work Updates

• 20 Question Game (Security Questions)

• Religious Affiliation

L INK E DIN

• Work History (Companies, States, Dates)

• Connections

• Work Successes

• Special Skill Set

Phishing, Vishing, Spoofing Schemes

• Phishing – the attempt to acquire sensitive information such as credit card information, passwords, and/or usernames by masquerading as a legitimate entity in an electronic communication.

• Vishing – A technique, similar to Phishing, that allows criminals to maliciously gain access to your personal information for the purposes of ID theft. Generally, criminals will send the victim a notice or leave them a message to verify information.

• Spoofing – a person or program can masquerade as another by falsifying data

• CallerID, Email, Websites, GPS

Corporate and Government Hacking

• Corporate Hacks

• Adobe Systems, Ebay, Target, Home Depot

• Government Hacks

• Office of Personnel Management

• US Postal Service

• OR State Employment Office and OR Secretary of State

• US Dept of State and White House

• Weather Service

• IRS

Other Illegal Use of Your Name

• Criminal Acts in Your Name

• Terrorist Watch List

• Traffic Tickets

• Case Study – Living a Lie: ID Theft that Lasted Decades

Recent Trends

• Tax Fraud

• Committed by tax preparers

• Child ID theft

• File false tax returns

• Turbo Tax

• Credit Card Fraud

• Utility and Services Fraud

Personal ID Theft Prevention • Sleeves to protect against RFID devices

• Do not carry Social Security Card in your wallet or purse (or any other document that contains your number)

• Do not share personal information with others

• If called for confirmations – let them read info that they have first

• Protect your personal info online – secure sites only

• Check your credit report annually

• Check your Social Security Statement annually

• Use firewalls and anti-virus software on computers

• ID protection service

Consider your ID Theft Protection Options

Most complete identity theft protection service we reviewed; 3-bureau credit report monitoring; credit report/score updates every quarter; 25% discount & free 30-day trial

Best value, especially for families; full credit report monitoring; monthly Equifax credit reports and scores; 10% discount & free 14-day trial

Comprehensive identity theft protection and credit report monitoring for AARP members and family; monthly Equifax credit reports and scores; special AARP price & free 14-day trial

Thorough identity theft protection and 3-bureau credit report monitoring; annual 3-bureau credit reports and scores; monthly TransUnion credit scores; somewhat costly even with 10% discount; free* 30-day trial

Ask yourself – how much do you spend on your Grande Caramel Macchiato or your trips to the nail salon each month – then ask if you can afford this…..Can you afford not to??

Solid credit protection with monthly credit report/score updates; includes our top-rated Internet security software; 30-day trial for $1

Strong identity monitoring paired with comprehensive, 3-bureau FICO score monitoring; on the pricey side

Reasonably priced identity theft protection for individuals and families; doesn't provide credit report monitoring; 10% discount & free 14-day trial

Valuable identity theft protection and customer support for an affordable price, yet lacks in terms of credit report monitoring; 10% discount & free* 30-day trial

Somewhat pricey when compared to other services; complete restoration assistance; no insurance/guarantee or security software

An expensive option for ID theft protection and lacks in protection; only includes Experian credit report monitoring; 7-day trial for $1 with enrollment in ProtectMyID

Covers individuals and families, but poor customer service, confusing website and lack of comprehensive protection makes it less than appealing

What do I do if I am an ID fraud victim?

• If someone has used your SSN for a tax refund or job, or the IRS has sent you a notice – Contact the IRS right away.

• Report the fraud to the IRS. Send a copy of your police report or an IRS ID Theft Affidavit Form 14039 and proof of your identity.

• Other Steps:

• Put a fraud alert on your credit reports.

• Order your credit reports.

• Create an ID theft Report by filing an ID theft complaint with the FTC and filing a police report.

Considerations for Organizations

• Acceptable Use Policy

• Backup and Recovery

• Business Continuity/Disaster Recovery

• Hardware/Software Inventory

• Encryption

• Segregation of Duties

• Virus Protection

Considerations Continued…..

• Data Breach Detection and Response Plan

• Change Management/Patch

• Network Monitoring

• Risk Assessment

• Password Management (Including vendors)

• Access Restrictions

• Data Retention

• Use of Personal Devices

Best Organizational Practices • Up-to-date anti-virus software

• Properly configured firewall

• Intrusion detection and prevention software

• Educated employees about risks regarding unknown emails, web sites, and storage devices

• Utilize dual control for ACH and wire transactions

• Restrict functions for PC used for ACH and wire initiation (physical security)

• No removable media, no email, no other internet use

• Perform daily reconciliation of bank account(s)

• Provide prompt notification to bank about suspicious activity

Potential IT Audits

• Risk Assessment

• Disaster Recovery Plan

• Policies and Procedures (IT)

• Penetration/Vulnerability Test

• Password Management

• Backups

• Encryption

• Access (Physical, Logical, and Review)

Questions?