Upload
adrian-cole
View
213
Download
0
Tags:
Embed Size (px)
Citation preview
Personal Identity Theft in the Web-based Business World
Presenter – Rick Weatherspoon
Xtreme Computing, LLC
2 June 2006
Agenda
• Definition of ID Theft• ID Theft Statistics• Business Losses• Types of Web-based ID Theft
– Hacking & Attacking– Phishing– WarXing/War Driving
• ID Theft Reporting• Questions
2 June 2006
Identity Theft Definition
• The Deliberate Assumption of Another Person's Identity, Usually to Gain Access to their Finances, or Frame Them for a Crime
2 June 2006
ID Theft Statistics (National)
• Fastest Growing Crime in US
• U.S. Identity Fraud Crimes now total $52.6 Billion Annually *
• Per-Victim Total of $5,686
• Affects Roughly 9.3 Million Individuals in US Yearly
* Source – 2005 Study by Javelin Strategy & Research
2 June 2006
ID Theft Statistics (State)
• 2,909 Complaints Filed in Oregon State (2004)
• Oregon State Ranks within the Top 10 (9th)
• Complaints Rose 20% More than in 2003
2 June 2006
ID Theft Statistics (County)
* Source – Wallowa County Sheriff; May 2006
0
1
2
3
4
5
6
7
8
2002 2003 2004 2005 2006
Wallowa County
Fraud
Identity Theft
2 June 2006
Business Losses Due to ID Theft
• Between May 2004 and May 2005, 1.5 Million Computer Users Lost $929 Million on ONLY Phishing Scams
• US Businesses Lose an Estimated $2 Billion Per Year on Clients who are Victims
• Businesses Lose an Average of $4,800 per Victim *
*Source – Washington State AGO Identity Theft Advisory Panel; January 2006
2 June 2006
Web-based Hacking & Attacking• Authentication Hacking
– Browsing– Cookie Theft– Session Hijacking– Network Sniffers– Password Cracking– Dictionary Attacks
• Google Hacking• SQL Injection• Directory Traversal
2 June 2006
Phishing• Attempts to Fraudulently Acquire Sensitive Consumer
Info Via False Web Pages, Emails, IMs, FAX, VOIP• Term Arises from Using Sophisticated Lures to “Fish” for
Consumer’s Financial Data & Passwords• Recently Targeting Banks, Online Payment Services, IRS
Letters• Common Tricks Include Misspelled URLs, use of
SubDomains, Altering Address Bars, Cross Site Scripting• Recent Scam Left Voice Messages to Call Bank with
Account & PIN Numbers over a VOIP Network
2 June 2006
Citibank Phishing Source
• Search with Whois Utility:IP : 219.148.0.0 - 219.148.159.255netname: CHINATELECOM-hedescr: CHINANET hebei province networkdescr: China Telecomdescr: No.31,jingrong streetdescr: Beijing 100032country: CNmnt-by: MAINT-CHINANET changed: [email protected] 20030820 source: APNIC
2 June 2006
WarXing/War Driving• Searching for Wireless Networks and Access Points by
Moving Vehicle/Bike (WLAN, WiFi HotSpots)• Captures Information Packets with WiFi-based
equipment (Laptop/PDA)• Software Freely Available to Monitor, Capture, and
Analyze Clear Text and Encrypted Data (NetStumbler, AirSnort, WEPCracker, etc.)
• Majority of Wireless Networks Use Default Settings (SSIDs, Passwords, Encryption Keys, etc.)
• Legality of War Driving Not Clearly Defined in the US
2 June 2006
Wireless Network Diagram
Internet
Firewall
Laptop
Computer
Server
PDA
802.11WiFI AP
Rogue AP
CSU/DSUModem
2 June 2006
Reporting of ID Theft• FBI/Internet Fraud Complaint Center
– 1.800.251.3221– www.ifccfbi.gov
• Federal Trade Commission– 1.877.438.4338– www.consumer.gov/idtheft/
• Internet Crime Complaint Center– www.ic3.gov/complaint
• Oregon State Department of Justice– http://www.doj.state.or.us/
• Wallowa County Sheriff Department – 541.426.3131