ID Theft: Personal and Organizational Prevention and Detection
Michelle Cummings, CIA, CFE, CDFM
According to the National Crime Victimization Survey (NCVS), the definition of ID Theft includes 3 general types of incidents:
• Unauthorized use or attempted use of an existing account
• Unauthorized use or attempted use of personal information to open an account
• Misuse of personal information for a fraudulent purpose
ID Fraud Facts
• Approximately 7% of all adults have their identities misused annually, resulting in billions of dollars in losses.
• GAO states that a little over $5B is lost each year to tax fraud. From 2013-2014 the number of tax fraud victims jumped 36%. (Recent jump due to Intuit, Inc.)
• Criminals are becoming more organized and improving methods such as phishing and vishing fraud, hacking corporate and government networks, and hijacking personal computers (ransomware).
• Credit, debit, checking and savings accounts are not the only targets – cell and landline phone service, cable and satellite TV service, internet services, utilities, medical insurance, home mortgages, other loans, and government benefits.
How do Fraudsters obtain information?
• Stolen physical documentation
• Personal Computer or Work Computer
• Tech Devices
• Online - retail, medical, memberships
• Social Media
• Phishing, Vishing, Spoofing Schemes
• Corporate or Government Hacking
Stolen Physical Documentation
• In order to steal money directly:
• Checks
• Credit/ATM cards
• PIN numbers
• Bank Account Numbers (needed to print checks)
• In order to steal identity and open new accounts:
• ID, Driver’s License
• Social Security Card
• Birth Certificate (Mother’s Maiden Name)
• Tax Statements
• Military Separation Documents or VA Documentation (VA Loans)
How do fraudsters get physical documentation?
• Your Purse or Wallet
• File Cabinet at Home/Office
• Items in the Trash (this includes company trash)
• Warren County Virtual Community School – SSNs (140 students affected)
• Dr. David Cavallaro – medical files (Hundreds affected)
• Madison Park Apartments – rental applications (Unknown number affected)
• Atlas Collections – collection files (Hundreds affected)
• Hancock Fabrics – payroll records (Unknown number affected)
• Human Resources Department/Payroll
Computer Use
• Security
• Are users separated by passwords?
• Is your password easy to find or guess?
• Who has physical access?
• Firewalls, Anti-virus
• Other ways to gain access
• Links containing viruses
• Repair tech scams
• Ransomware
What is on your personal computer?
• Bank Statements
• Monthly Personal Financials
• Tax Statements
• List of online sites and passwords
• Work information ??
• Personally identifiable information and photos
What is on your Work Computer?
• Information YOU are required to protect on behalf of others:
• Trade Secrets
• Classified Information
• Proprietary Information
• Other Sensitive Information
Tech Devices
• Skimmers
• Gas Pumps
• ATMs
• Radio Frequency Identification (RFID) Technology
• Credit card printers and associated equipment (video)
https://www.youtube.com/watch?v=V3pElQD8UZg
Skimmers and RFID Devices
Online Activities
• Credit Card Purchases
• Saving credit card information in the system for future purchases
• Home Depot
• Target
• Health/Medical Records
• Personal medical data
• Aetna
• Professional/Social Memberships
• Certificate Information
• Credit Card Info
Social Media
What personal information are you posting?
What do Fraudsters want to know?
Facebook
• Full Name
• Spouse’s and Kids’ Names
• Birthdate
• Family Pictures
• Personal/Work Updates
• 20 Question Game (Security Questions)
• Religious Affiliation
LinkedIn
• Work History (Companies, States, Dates)
• Connections
• Work Successes
• Special Skill Set
Phishing, Vishing, Spoofing Schemes
• Phishing – the attempt to acquire sensitive information such as credit card information, passwords, and/or usernames by masquerading as a legitimate entity in an electronic communication.
• Vishing – A technique, similar to Phishing, that allows criminals to maliciously gain access to your personal information for the purposes of ID theft. Generally, criminals will send the victim a notice or leave them a message to verify information.
• Spoofing – a person or program can masquerade as another by falsifying data
• CallerID, Email, Websites, GPS
Corporate and Government Hacking
• Corporate Hacks
• Adobe Systems, eBay, Target, Home Depot
• Government Hacks
• Office of Personnel Management
• US Postal Service
• OR State Employment Office and OR Secretary of State
• US Dept of State and White House
• Weather Service
• IRS
Other Illegal Use of Your Name
• Criminal Acts in Your Name
• Terrorist Watch List
• Traffic Tickets
• Case Study – Living a Lie: ID Theft that Lasted Decades
Recent Trends
• Tax Fraud
• Committed by tax preparers
• Child ID theft
• File false tax returns
• Turbo Tax
• Credit Card Fraud
• Utility and Services Fraud
Personal ID Theft Prevention
• Sleeves to protect against RFID devices
• Do not carry Social Security Card in your wallet or purse (or any other document that contains your number)
• Do not share personal information with others
• If called for confirmations – let them read info that they have first
• Protect your personal info online – secure sites only
• Check your credit report annually
• Check your Social Security Statement annually
• Use firewalls and anti-virus software on computers
• ID protection service
Consider your ID Theft Protection Options
Most complete identity theft protection service we reviewed; 3-bureau credit report monitoring; credit report/score updates every quarter; 25% discount & free 30-day trial
Best value, especially for families; full credit report monitoring; monthly Equifax credit reports and scores; 10% discount & free 14-day trial
Comprehensive identity theft protection and credit report monitoring for AARP members and family; monthly Equifax credit reports and scores; special AARP price & free 14-day trial
Thorough identity theft protection and 3-bureau credit report monitoring; annual 3-bureau credit reports and scores; monthly TransUnion credit scores; somewhat costly even with 10% discount; free* 30-day trial
Ask yourself – how much do you spend on your Grande Caramel Macchiato or your trips to the nail salon each month – then ask if you can afford this… Can you afford not to?
Solid credit protection with monthly credit report/score updates; includes our top-rated Internet security software; 30-day trial for $1
Strong identity monitoring paired with comprehensive, 3-bureau FICO score monitoring; on the pricey side
Reasonably priced identity theft protection for individuals and families; doesn't provide credit report monitoring; 10% discount & free 14-day trial
Valuable identity theft protection and customer support for an affordable price, yet lacks in terms of credit report monitoring; 10% discount & free* 30-day trial
Somewhat pricey when compared to other services; complete restoration assistance; no insurance/guarantee or security software
An expensive option for ID theft protection and lacks in protection; only includes Experian credit report monitoring; 7-day trial for $1 with enrollment in ProtectMyID
Covers individuals and families, but poor customer service, confusing website and lack of comprehensive protection makes it less than appealing
What do I do if I am an ID fraud victim?
• If someone has used your SSN for a tax refund or job, or the IRS has sent you a notice – Contact the IRS right away.
• Report the fraud to the IRS. Send a copy of your police report or an IRS ID Theft Affidavit Form 14039 and proof of your identity.
• Other Steps:
• Put a fraud alert on your credit reports.
• Order your credit reports.
• Create an ID theft Report by filing an ID theft complaint with the FTC and filing a police report.
Considerations for Organizations
• Acceptable Use Policy
• Backup and Recovery
• Business Continuity/Disaster Recovery
• Hardware/Software Inventory
• Encryption
• Segregation of Duties
• Virus Protection
Considerations Continued…..
• Data Breach Detection and Response Plan
• Change Management/Patch
• Network Monitoring
• Risk Assessment
• Password Management (Including vendors)
• Access Restrictions
• Data Retention
• Use of Personal Devices
Best Organizational Practices
• Up-to-date anti-virus software
• Properly configured firewall
• Intrusion detection and prevention software
• Educate employees about risks regarding unknown emails, web sites, and storage devices
• Utilize dual control for ACH and wire transactions
• Restrict functions for PC used for ACH and wire initiation (physical security)
• No removable media, no email, no other internet use
• Perform daily reconciliation of bank account(s)
• Provide prompt notification to bank about suspicious activity
Potential IT Audits
• Risk Assessment
• Disaster Recovery Plan
• Policies and Procedures (IT)
• Penetration/Vulnerability Test
• Password Management
• Backups
• Encryption
• Access (Physical, Logical, and Review)
Questions?