asis phoenix february presentation

Protecting Your Identity in the Information Tracking Age What to Know | What to Do INFORMATION SECURITY & PRIVACY OFFICE Randell C. Smith, Jr. CISM, CISSP, PMP Chief Information Security Officer | Chief Privacy Officer

Upload: john-hamiltonahcehc-ccpr-cpp

Post on 22-Jan-2017

TRANSCRIPT

Page 1: ASIS Phoenix February Presentation

Protecting Your Identity in the Information Tracking Age

What to Know | What to Do INFORMATION SECURITY & PRIVACY OFFICE

Randell C. Smith, Jr. CISM, CISSP, PMP
Chief Information Security Officer | Chief Privacy Officer
City of Phoenix

Page 2: ASIS Phoenix February Presentation


Agenda

1. Things You Need To Know (Likelihood, Impact, Consequences)

2. Things You Need to Do (Before ID Theft)

3. Things You Need to Do (After ID Theft)

4. Questions & Answers

Page 3: ASIS Phoenix February Presentation


The sky is not falling…it’s just a little closer! Charles Thompson, former CIO, City of Phoenix.

Page 4: ASIS Phoenix February Presentation

Background

9 years with City of Phoenix, serving as CISO and CPO

30 years with U.S. Navy (Retired Captain)

Naval Cryptologist; worked directly for Naval Security Group Command and National Security Agency

Hold multiple industry certifications

Page 5: ASIS Phoenix February Presentation

What is Identity Theft?

■ Identity theft happens when someone accesses essential elements of a person’s identifying information in order to commit theft.

■ This information may include name, social security number, date of birth and mother’s maiden name.

Source: Citi Identity Theft Solutions

Page 6: ASIS Phoenix February Presentation

Has anyone here been a victim?

Page 7: ASIS Phoenix February Presentation


Consequences of Identity Theft

Page 8: ASIS Phoenix February Presentation

Why be Concerned? Your Data is Everywhere

Partial map of the Internet based on the January 15, 2015 data found on opte.org. Each line is drawn between two nodes, representing two IP addresses.

Page 9: ASIS Phoenix February Presentation

Cyber Security Facts

• 230,000 malware variants created every day (84 million created in 2015).

• Signature-based technology used in AV software, IPS devices, and Web gateways is ineffective because polymorphic malware changes constantly.

• Drive-by downloads have become the top web threat (Water Hole Attacks).

• Phishing is the number one attack vector.

Page 10: ASIS Phoenix February Presentation

Recent Large Data Breaches

Page 11: ASIS Phoenix February Presentation

Data Breaches > 30,000 Records

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 12: ASIS Phoenix February Presentation

Identity Theft Victim Statistics

Page 13: ASIS Phoenix February Presentation

Identity Theft Victim Statistics (cont.)

■ Identity fraud has grown to include theft of cell and landline phone service; cable and satellite television service; power, water, gas and electric service; Internet payment service; medical insurance; home mortgages and rental housing; automobile, boat and other forms of financing and loans; and government benefits.

■ Identity thieves will also use stolen identities to obtain employment and to deceive police when arrested.

Page 14: ASIS Phoenix February Presentation

Who's at risk of identity theft?

■ ANSWER – Everyone

■ 12% of Americans age 18 or older have been subject to identity theft in just the past 12 months.

■ Over half (52%) of Americans do not check their free credit report annually.

■ Just 14% of Americans say they subscribe to identity theft protection services such as Lifelock, Identity Guard, or LegalShield.

■ Just 17% of Americans check their credit regularly with one of the credit bureaus.

Page 15: ASIS Phoenix February Presentation

Who's at risk of identity theft?

■ Overall costs of identity theft to the American economy is estimated to reach $100 billion annually.

■ In 2012, more than 15 million reports were made of fraudulent use of a credit card or bank account, compared with only about a million reports of fraudulent use of personal information to open a new account, and a million reports of fraudulent use of personal information for some other purpose.

■ Most victims find out about identity theft when their bank or credit card issuer contacts them to inquire about suspicious activity on the account. At this point, extensive damage may already be done.

Page 16: ASIS Phoenix February Presentation

Legal Liability – Credit Card vs. Debit Card

■ If someone steals your actual credit card, your liability is generally limited to $50 ($0 if you report the loss before any fraudulent activity occurs). And the likelihood that you’ll even pay the $50 is minimal because most credit card issuers offer zero liability protections on fraudulent charges. Electronic Fund Transfer Act (EFTA)

■ However, if your debit card number is stolen, your losses could be much greater. Unless you notice and report the theft within the first two days, you could permanently lose the first $500 stolen from your account. After 60 days, you may be liable for the entire amount. Fair Credit Billing Act (FCBA)

Page 17: ASIS Phoenix February Presentation

You’re At Risk!

Page 18: ASIS Phoenix February Presentation

2015 Identity Theft
Federal Trade Commission (FTC)

■ 47% increase in identity theft during 2015.

■ Tax or wage related identity theft was responsible for a significant portion of the increase and, according to the FTC, was “the largest and fastest growing identity theft category.”

■ IRS Data Breach – May 2015. Thieves accessed 334,000 tax accounts through the IRS "Get Transcript" application, a program to acquire information about your tax returns.

Page 19: ASIS Phoenix February Presentation

What thieves do once they steal your info

Page 20: ASIS Phoenix February Presentation

Federal Law
Identity Theft and Assumption Deterrence Act 1998

■ Provides penalties up to 15 years imprisonment.

■ Maximum fine of $250,000

Page 21: ASIS Phoenix February Presentation

Consumer Protection Laws

Fair Credit Reporting Act (FCRA)

■ Designed to protect consumers from the willful and/or negligent inclusion of inaccurate information in their credit reports.

■ FCRA regulates the collection, dissemination, and use of consumer information, including consumer credit information.

Fair and Accurate Credit Transactions Act (FACT)

■ Act allows consumers to request and obtain a free credit report once every twelve months from each of the three nationwide consumer credit reporting companies (Equifax, Experian and TransUnion)

Page 22: ASIS Phoenix February Presentation

Child ID Theft

Page 23: ASIS Phoenix February Presentation

Child ID Theft

• The rate of identity theft for children was 35 times higher than the rate for adults in the same population.

• 10.2% of children have had their Social Security numbers stolen

• Child IDs were used to purchase homes and automobiles, open credit card accounts, secure employment and obtain driver’s licenses.

• Children are easy targets. Their identities are often a blank slate.

• The probability of discovery is low. Parents typically don’t monitor a child’s identity and the crime can go undiscovered for many years.

• The potential impact on a child’s future is profound. A stolen identity can destroy or damage a child’s ability to get a student loan, acquire a mobile phone, obtain a job, secure a place to live, and more.

Page 24: ASIS Phoenix February Presentation

Child ID Theft

Page 25: ASIS Phoenix February Presentation

Child ID Theft

Page 26: ASIS Phoenix February Presentation

Medical ID Theft - Definition

■ The fraudulent use of an individual’s personally identifiable information (PII), such as name, Social Security number, and medical insurance identity number to obtain medical goods or services, or to fraudulently bill for medical goods or services using an unlawfully obtained medical identity.

Page 27: ASIS Phoenix February Presentation

Medical ID Theft Statistics

■ Rapidly growing; impacts almost 6% of Americans.

■ About 2 million Americans fall victim to medical ID theft every year

■ 31% say they allow family members to use their IDs to get medical services (aka familial fraud)

• 45% of medical ID theft victims end up paying their health-care provider or insurer for charges incurred by the thieves

■ 50% of victims say they know the person who victimized them

Page 28: ASIS Phoenix February Presentation

Signs of Medical ID Theft

■ Explanation of Benefits (EOB) statement, Medicare Summary Notice, or bill for medical services you didn’t receive

• Check the name of the provider, the date of service, and the service provided

■ Call from a debt collector about a medical debt you don’t owe

■ Medical collection notices on your credit report that you don’t recognize

■ Notice from your health plan saying you reached your benefit limit

■ Denial of insurance because your medical records show a condition you don’t have

■ Numerous errors in your medical records

Page 29: ASIS Phoenix February Presentation

How to Resolve Medical ID Theft

■ Get copies of your medical records and check them for errors

• Contact each doctor, clinic, hospital, pharmacy, laboratory, health plan, and location where a thief may have used your information

• If a thief got a prescription in your name, ask for records from the health care provider who wrote the prescription and the pharmacy that filled it

■ Ask each of your health plans and medical providers for a copy of the “accounting of disclosures” for your medical records – a record of who got copies of your records from the provider

• The accounting shows who has copies of your mistaken records and whom you need to contact

Page 30: ASIS Phoenix February Presentation

Elderly ID Theft Statistics

■ Older people make appealing financial targets because they typically have higher credit lines, greater home equity and more financial resources than younger populations.

■ The mature market (50 years and older) represents 36 percent of all ID Theft victims, making it the single largest demographic of ID Theft victims.

Page 31: ASIS Phoenix February Presentation

Who’s Tracking You? Tracking Cookies

■ Data that is distributed and shared across two or more unrelated Web sites for the purpose of gathering information to present customized data to you.

■ Not harmful like malware, worms, or viruses, but can be a privacy concern. For example, if you go to a Web site that hosts online advertising from a third-party vendor, the third-party vendor can place a cookie on your computer.

■ An advertising company can determine indirectly all the sites you have been to if they have cookies present on those sites.

Page 32: ASIS Phoenix February Presentation

Who’s Tracking You? Flash cookies: a cause for concern?

■ Because browser-based cookies are easy to detect and delete, some advertisers are now using “flash-based” cookies, which are not stored on your computer in the same way as browser-based cookies.

■ As a result, they are harder to find and delete. Banks and online finance sites store flash cookies on their users' computers to authenticate account owners and prevent fraud, since fraudsters would merely have a user's login and password but no access to the user's computer.

■ Acts as a second level of authentication in addition to the user's login and password.

Page 33: ASIS Phoenix February Presentation

Who’s Tracking You? Social networking tracking

■ Most social networking tracking occurs through JavaScript social buttons like “Like” and “Tweet” buttons.

■ Connections are made to entirely different companies than the website you’re actually visiting.

■ More than a quarter (26.3%) of what your browser does when you load a website is respond to requests for your personal information, leaving the remaining 73.7% for things you want your browser doing, like loading videos, articles, and photos.

Page 34: ASIS Phoenix February Presentation

Who’s Tracking You? Web beacon -- a 1-pixel image

■ Web beacons are tiny image files that are invisible to users and are used to transmit information to advertisers. They are commonly used in emails.

■ Tracking can capture information ranging from where your mouse has been on a page to your sexual orientation.

■ WSJ examined 1,000 top websites and found that approximately 75 percent of them featured social networking code that can match users’ online identities with their web-browsing activities, and nearly 25% of the web’s 70 most popular sites shared personal data, like name and email address, with third-party companies.
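
The web beacon described on this slide can be found mechanically in a message's HTML: it is an image the reader cannot see but the mail client still fetches. The following Python is an added example, not part of the original presentation; the sample message, its hosts and the names `BeaconFinder` and `find_beacons` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body (not from the presentation); hosts are placeholders.
SAMPLE_HTML = """
<p>Your statement is ready.</p>
<img src="https://mail.example.com/logo.png" width="200" height="60">
<img src="https://track.example.net/o.gif?uid=12345" width="1" height="1">
<img src="https://pixel.example.org/b?c=77" style="display: none">
<img src="https://mail.example.com/open.gif" width="1px" height="1px">
"""

def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    v = (value or "").strip().lower()
    return (v[:-2] if v.endswith("px") else v) in ("0", "1")

class BeaconFinder(HTMLParser):
    """Collects <img> tags that are invisible to the reader but still fetched."""

    def __init__(self, first_party_domain):
        super().__init__()
        self.first_party = first_party_domain.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        url = urlparse(a.get("src") or "")
        host = (url.hostname or "").lower()
        if not host:
            return  # no remote host to report
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 size")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if not reasons:
            return
        same_site = host == self.first_party or host.endswith("." + self.first_party)
        self.findings.append({
            "host": host,
            "third_party": not same_site,   # fetched from a company other than the sender
            "carries_id": bool(url.query),  # query string can tie the fetch to one recipient
            "reasons": reasons,
        })

def find_beacons(html, first_party_domain):
    """Return one finding per suspected web beacon in an HTML body."""
    finder = BeaconFinder(first_party_domain)
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_HTML, "example.com"):
        print(finding)
```

Mail clients that block remote images by default stop all of these fetches, which is why that setting is the usual mitigation.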

Page 35: ASIS Phoenix February Presentation

Steps to Prevent Identity Theft

■ Memorize PINs and passwords

■ Beware of promotions that request sensitive information

■ Question how SSN or other sensitive data will be used if it is requested by legitimate sources

■ Shred pre-approved credit offers, receipts, bills, other records that have SSN

■ Do not provide CC#, SSN, etc. out over email

■ Do not click on links in unsolicited emails

Page 36: ASIS Phoenix February Presentation

Steps to Prevent Identity Theft

■ Don’t carry your SSN card with you

■ Request a driver's license number

■ Only carry what you use

■ Photocopy all cards in your wallet

■ Select hard to guess PINs and passwords

■ Don’t leave mail sitting in an unprotected box

■ Don’t give out private information over the phone

■ Order your credit reports

■ Use caution when providing ANY sensitive information

Page 37: ASIS Phoenix February Presentation

Steps to Prevent Identity Theft

■ Use the post office mailboxes

■ Keep an eye out for bills or statements that aren’t received in a timely manner

■ Sign the backs of all credit cards (or write “Check ID”)

■ Do not loan out your cards to anyone

■ Report lost/stolen cards immediately

■ Keep a copy of both sides of your cards in a safe place

Page 38: ASIS Phoenix February Presentation

Steps to Prevent Identity Theft

■ Check for the “padlock” and/or “https” when purchasing online

■ Opt out of pre-approved credit card offers

■ Opt out of junk mail

■ Shred all pre-approved credit card offers

■ Watch out for calls or letters about purchases that you didn’t make

Page 39: ASIS Phoenix February Presentation

Safeguard your computer

■ Use a firewall

■ Use anti-virus software AND keep it updated

■ Use wireless encryption

■ Do NOT give out your NetID/password under ANY circumstances

■ Lock your computer when you are away from your desk

■ Don’t open files from unknown sources

■ Use complex passwords

■ Erase computer hard drive before disposing of computers and destroy peripheral storage devices before disposal

Page 40: ASIS Phoenix February Presentation

Credit Freeze

■ Prevents lenders and others from accessing your credit report

■ Good news – Identity thieves will be unable to establish credit in your name

■ Bad news – so will you

■ Will also affect background checks and most requests for insurance

Page 41: ASIS Phoenix February Presentation

Preventing Identity Theft

ID Theft prevention tips when traveling

Page 42: ASIS Phoenix February Presentation

What to Do After Identity Theft

Place an Initial Fraud Alert

• Contact 1 of the credit reporting companies.

• Report that you are an identity theft victim.

• Ask the company to put a fraud alert on your credit file.

• Confirm that the company you call will contact the other 2 companies.

Placing a fraud alert is free. The initial fraud alert stays on your credit report for 90 days. Be sure the credit reporting companies have your current contact information so they can get in touch with you.

Order Your Free Credit Reports

• Contact each of the 3 nationwide credit reporting companies.

• Explain that you placed an initial fraud alert.

• Order your free copy of your credit report. Ask each company to show only the last 4 digits of your Social Security number on your report.

Credit Reporting Companies

Equifax 1-800-525-6285

Experian 1-888-397-3742

TransUnion 1-800-680-7289

(http://www.consumer.ftc.gov/articles/0274-immediate-steps-repair-identity-theft)

Page 43: ASIS Phoenix February Presentation

IdentityTheft.Gov

■ Simplified step-by-step checklist tailored to the specific type of identity theft consumers are facing.

■ Advice is customized for individual needs.

■ The site will automatically generate affidavits and pre-fill letters and forms to be sent to credit bureaus, businesses, police, debt collectors and the IRS. Should a consumer’s recovery run into issues, the site will suggest alternative approaches.

■ Once a consumer completes their initial report on the site, they will receive follow up e-mails and can return to their personalized plan online to continue the recovery process.

Page 44: ASIS Phoenix February Presentation

IdentityTheft.Gov

Page 45: ASIS Phoenix February Presentation


ID Theft Recovery Practices

■ Review statements

■ Promptly contact financial institution(s) to note errors/discrepancies

■ Close or cancel accounts

■ Stop payments on outstanding checks

■ Establish new account numbers and passwords

■ Get a copy of the police report

■ Notify postal service if mail was involved

■ Notify Social Security Administration if SSN was used

■ Notify DMV if driver’s license number was used

Page 46: ASIS Phoenix February Presentation


ID Theft Recovery-Recordkeeping

■ Keep records/notes/copies of all contact information

- names

- dates

- follow up notes

■ Maintain copies of all documentation

Page 47: ASIS Phoenix February Presentation

Identity Theft Recovery Services

Third party services offered to help victims of ID fraud reclaim their identity.

• Fraud Alert Reminders - The company will remind you when the fraud alert on your account is about to expire so you can renew it.

• Fraud Specialist - The company provides access to fraud specialists to help you manage your fraud case.

• Identity Theft Insurance - The company offers insurance to reimburse you for costs related to restoring your identity.

• Lost Wallet Protection - The company offers assistance with canceling and replacing lost or stolen debit/credit cards.

http://www.reviews.com/identity-theft-protection-services/

LifeLock | AllClear ID | Identity Force | ID Patrol | Trusted ID | ID WatchDog

Page 48: ASIS Phoenix February Presentation

Password Insecurity

The 25 most popular passwords 2013

1. 123456
2. password
3. 12345678
4. qwerty
5. abc123
6. 123456789
7. 111111
8. 1234567
9. iloveyou
10. adobe123
11. 123123
12. admin
13. 1234567890
14. letmein
15. photoshop
16. 1234
17. monkey
18. shadow
19. sunshine
20. 12345
21. password1
22. princess
23. azerty
24. trustno1
25. 00000

Page 49: ASIS Phoenix February Presentation

The Future and Identity Theft

Page 50: ASIS Phoenix February Presentation

Mobile Payments ID Theft Concerns

Page 51: ASIS Phoenix February Presentation

Questions & Answers

Reproduced by permission. Please see www.SecurityCartoon.com for more material

Page 52: ASIS Phoenix February Presentation

Questions & Answers