Personal Identity Theft in the Web-based Business World

Presenter – Rick Weatherspoon

Xtreme Computing, LLC

2 June 2006

Agenda

• Definition of ID Theft• ID Theft Statistics• Business Losses• Types of Web-based ID Theft

– Hacking & Attacking– Phishing– WarXing/War Driving

• ID Theft Reporting• Questions

2 June 2006

Identity Theft Definition

• The Deliberate Assumption of Another Person's Identity, Usually to Gain Access to their Finances, or Frame Them for a Crime

2 June 2006

ID Theft Statistics (National)

• Fastest Growing Crime in US

• U.S. Identity Fraud Crimes now total $52.6 Billion Annually *

• Per-Victim Total of $5,686

• Affects Roughly 9.3 Million Individuals in US Yearly

* Source – 2005 Study by Javelin Strategy & Research

2 June 2006

ID Theft Statistics (State)

• 2,909 Complaints Filed in Oregon State (2004)

• Oregon State Ranks within the Top 10 (9th)

• Complaints Rose 20% More than in 2003

2 June 2006

ID Theft Statistics (County)

* Source – Wallowa County Sheriff; May 2006

0

1

2

3

4

5

6

7

8

2002 2003 2004 2005 2006

Wallowa County

Fraud

Identity Theft

2 June 2006

Business Losses Due to ID Theft

• Between May 2004 and May 2005, 1.5 Million Computer Users Lost $929 Million on ONLY Phishing Scams

• US Businesses Lose an Estimated $2 Billion Per Year on Clients who are Victims

• Businesses Lose an Average of $4,800 per Victim *

*Source – Washington State AGO Identity Theft Advisory Panel; January 2006

2 June 2006

Types of Web-based ID Theft

• Hacking & Attacking

• Phishing

• WarXing/War Driving

2 June 2006

Web-based Hacking & Attacking• Authentication Hacking

– Browsing– Cookie Theft– Session Hijacking– Network Sniffers– Password Cracking– Dictionary Attacks

• Google Hacking• SQL Injection• Directory Traversal

2 June 2006

Phishing• Attempts to Fraudulently Acquire Sensitive Consumer

Info Via False Web Pages, Emails, IMs, FAX, VOIP• Term Arises from Using Sophisticated Lures to “Fish” for

Consumer’s Financial Data & Passwords• Recently Targeting Banks, Online Payment Services, IRS

Letters• Common Tricks Include Misspelled URLs, use of

SubDomains, Altering Address Bars, Cross Site Scripting• Recent Scam Left Voice Messages to Call Bank with

Account & PIN Numbers over a VOIP Network

2 June 2006

Citibank Phishing Email Example

2 June 2006

Citibank Phishing Web Link

2 June 2006

Citibank Phishing – User Garbled URL

2 June 2006

Citibank Phishing – Invalid Credit Card Number

2 June 2006

Citibank Phishing Source

• Search with Whois Utility:IP : 219.148.0.0 - 219.148.159.255netname: CHINATELECOM-hedescr: CHINANET hebei province networkdescr: China Telecomdescr: No.31,jingrong streetdescr: Beijing 100032country: CNmnt-by: MAINT-CHINANET changed: hostmaster@ns.chinanet.cn.net 20030820 source: APNIC

2 June 2006

WarXing/War Driving• Searching for Wireless Networks and Access Points by

Moving Vehicle/Bike (WLAN, WiFi HotSpots)• Captures Information Packets with WiFi-based

equipment (Laptop/PDA)• Software Freely Available to Monitor, Capture, and

Analyze Clear Text and Encrypted Data (NetStumbler, AirSnort, WEPCracker, etc.)

• Majority of Wireless Networks Use Default Settings (SSIDs, Passwords, Encryption Keys, etc.)

• Legality of War Driving Not Clearly Defined in the US

2 June 2006

Wireless Network Diagram

Internet

Firewall

Laptop

Computer

Server

PDA

802.11WiFI AP

Rogue AP

CSU/DSUModem

2 June 2006

Reporting of ID Theft• FBI/Internet Fraud Complaint Center

– 1.800.251.3221– www.ifccfbi.gov

• Federal Trade Commission– 1.877.438.4338– www.consumer.gov/idtheft/

• Internet Crime Complaint Center– www.ic3.gov/complaint

• Oregon State Department of Justice– http://www.doj.state.or.us/

• Wallowa County Sheriff Department – 541.426.3131

Questions?

www.xtremecomputing.us/briefings.html