Identity Theft - Professor Benson

Identity Theft
CPEs for CPAs Program
Georgia Perimeter College
December 9, 2005
Could You Be at Risk?
Identity Theft
What is it?
Who commits it?
How does it happen?
What are the possible consequences?
How can I prevent it?
What must I do if it happens to me?
What Is Identity Theft?
n : the co-option of another person's
personal information (e.g., name, social
security number, credit card number,
passport) without that person's
knowledge and the fraudulent use of
such knowledge
-- dictionary.com
Federal Identity Theft and
Assumption Deterrence Act
18 U.S.C. § 1028(a)(7)
Federal law passed in 1998
Prohibits “knowingly transfer[ring] or us[ing],
without lawful authority, a means of
identification of another person with the intent
to commit, or to aid or abet, any unlawful
activity that constitutes a violation of Federal
law, or that constitutes a felony under any
applicable State or local law.”
Other Related Federal
Statutes
18 U.S.C. § 1028 – identification fraud
18 U.S.C. § 1029 – credit card fraud
18 U.S.C. § 1030 – computer fraud
18 U.S.C. § 1341 – mail fraud
18 U.S.C. § 1343 – wire fraud
18 U.S.C. § 1344 – financial institution
fraud
Georgia Statute §16-9-121.
Identity Fraud Law
“A person commits the offense of identity fraud when
without the authorization or permission of a person
with the intent unlawfully to appropriate resources of
or cause physical harm to that person, or of any other
person, to his or her own use or to the use of a third
party he or she:
(1) Obtains or records identifying information of a
person which would assist in accessing the resources
of the other person; or
(2) Accesses or attempts to access the resources of
the other person through the use of identifying
information.”
Identifying Information
Names (current or former)
Social Security numbers
Driver’s license numbers
Bank account/credit card numbers
Birth dates
Tax identification numbers
Medical identifications
Many other data items
Statistics
Source: Federal Trade Commission
Identity Theft Data Clearinghouse report
 Over 635,000 consumer identity theft &
fraud complaints received in 2004

61% classified as fraud, 39% identity theft.
 Up 50% since 2002.
 Reported losses of over $547 million.


27,300,000 million victims in past 5 years
Statistics (cont.)
Rank  ID Fraud Type                                 No. of Victims  Percentage
1     Credit Card Fraud                             2,068           28%
2     Bank Fraud                                    1,609           22%
3     Phone or Utilities Fraud                      1,317           18%
4     Government Documents or Benefits Fraud        754             10%
5     Employment-Related Fraud                      556             7%
6     Loan Fraud                                    444             6%
      Other                                         1,723           23%
      Attempted Identity Fraud                      472             6%
Statistics (cont.)
Source: GA Stop ID Theft Network

2,592 victims reported in Georgia in 2001

Seventh-highest in nation
Atlanta was 11th among major cities for
reported identity theft in 2004 according
to FTC
Statistics (cont.)
Source: ChoicePoint Data Disclosures
Report, 2005
As of Nov. 15,
125 data disclosure incidents this year
 57 million people potentially affected

Note:
Actual number of identity theft cases is
surely higher
Many other identity theft cases may be
reported as other forms of crime
Statistics (cont.)
Losses to banks and financial institutions

Estimated $48 billion in 2003
Average loss per business victim

$10,200
Average loss to individual victims
$1,180
 175 or more hours resolving problems over
two or more years

Who Commits Identity Theft?
Professional thieves
Strangers
Employees of businesses
Family members and relatives
Friends/acquaintances
Who Commits Identity Theft?
An estimated nine percent of ID theft
cases involve family
Another ten percent of ID theft cases
involve someone with another form of
personal relationship (friend/
acquaintance, co-worker, etc.)
Who Commits Identity Theft?
Phillip Cummings
Employee of a New York technology
company
 Illegally downloaded thousands of credit
reports and sold information overseas
 Over 30,000 people victimized


Federal Bureau of Investigation website
Who Becomes a Victim of
Identity Theft?
Michelle Brown
Identity stolen by a receptionist from a
rental application
 The Michelle Brown Story, Lifetime
Channel

Who Becomes a Victim of Identity
Theft?
Abigail Kelly
Identity stolen by her sister
 Lost her job as a result of arrest warrant for
unpaid bills
 Obtained civil judgement against sister
 60 Minutes story, September 12, 2004

Who Becomes a Victim of Identity
Theft?
Bryonn Bain
Harvard Law School graduate, poet,
adjunct professor at NYU
 Arrested in NYC in 1999 for a crime that he
and friends witnessed someone else
commit


Charges were dismissed five months later after
four court appearances

http://www.villagevoice.com/issues/0017/bain.php
Who Becomes a Victim of Identity
Theft?
Bryonn Bain (cont.)




Identity stolen at least seven times after initial
arrest
Arrested on three outstanding warrants in
November, 2002
Released only after court appearance where
assistant DA recognized him as a law school
classmate
http://www.villagevoice.com/issues/0339/bain.php
How Does Identity Theft
Occur?
Many non-technological methods
“Dumpster diving”
 Dishonest employees
 Mail theft/interception
 Masquerading and “Social hacking”
 “Shoulder surfers”
 Telemarketing scams

How Does Identity Theft
Occur? (cont.)
Technological methods

Wireless communication interception
Cell phones
 Wireless networks

Camera phones
 Software

Viruses/Hijacking
 Spyware

How Does Identity Theft
Occur? (cont.)
More technological methods
Credit card “skimming”
 Spy cameras in ATMs
 “Phishing” and “Pharming”

Example of “Phishing”
Email received 12/7/2004
Supposedly from Suntrust Bank
Indicates possible fraudulent use of my
account
Example of “Phishing” (cont.)
<IMG height=43 alt="" hspace=0
src="http://www.suntrust.com/images/Common/release3/logo_home.gif" width=127
border=0><BR>
<IMG height=5 alt="" hspace=0
src="http://www.suntrust.com/images/Common/release3/common_header_yellowspan.gif"
width=836 border=0>
<table cellSpacing="0" cellPadding="0">
<p>Please click the link below to reactivate your account: </p>
<p align="left">
<a href="http://64.49.197.9/update/">
https://www.suntrust.com/internetBanking/RequestRouter?requestCmdId=Reactivate </a>
</p>
<p align="left">Sincerely, <br>
SunTrust Security Department
Potential Consequences to
Victims
Financial
Civil
Criminal
Financial Consequences
Direct monetary losses
Often least of victim’s problems
 Usually limited if fraud reported in timely
fashion

Financial Consequences
Credit cards
No liability if reported before misuse
 $50 per credit card if reported after misuse

Financial Consequences
ATM/Debit cards
No liability if reported before misuse
 $50 per card if reported within two
business days
 $500 per card if reported within 60 days of
statement showing unauthorized
transaction

Financial Consequences
Checks

Bank is liable for losses from forged
checks, IF you notify them in timely
manner
Financial Consequences (cont.)
Indirect monetary losses
Lost time/wages
 Costs of photocopying/mailing
 Attorney’s fees

Credit
Denial of credit based on erroneous
information
 Increased rates for loans/mortgages

Civil Consequences
Lawsuits
Loss of current job
Failure to be hired for new job
Criminal Consequences
Approximately 15% of victims obtain a
criminal record due to identity theft
Almost impossible to completely remove
criminal record once it is in law
enforcement databases
How Can I Prevent It?
Total prevention is impossible!
Minimize risks as much as possible
Protect four primary areas
Information
 Property
 Documents
 Technology

Protect Your Information
Do not give out information
unnecessarily!

Ask why a piece of information is needed


You can refuse to give information, but you may
not receive the service in return
Do not use your Social Security number as
an identification number

Needed by IRS, SSA
Protect Your Information
(cont.)
Make sure you know who is requesting
the information

Are they legitimate?
Do not give out personal information
unless you initiate the call/email
Protect Your Information
(cont.)
Do not give out personal information
over a cell phone
Protect Your Information
(cont.)
Be especially cautious with
Social Security number
 Passport number
 Bank/credit account numbers

These are the most dangerous items in
the wrong hands
Protect Your Information
(cont.)
Check your credit reports regularly
Federal law allows you one free copy of
each bureau’s credit report annually

See http://www.annualcreditreport.com/ for
information
Georgia law allows you TWO free
copies of each credit report annually

Must contact each credit bureau separately
Protecting Your Information
(cont.)
Optimal method for checking credit
reports
Per Clark Howard’s suggestion
 Every four months, request one credit
report

Protect Your Information
(cont.)
Why check all three credit reports?
Not all creditors report to all credit reporting
agencies
 Information on one report may be
inaccurate even if it is correct on the other
reports
 Incorrect information must be cleared up
on each report separately

Protect Your Information
(cont.)
Should you use a credit monitoring
service?
In most cases, no
 Exception is if you are already a victim of
identity fraud

Note: credit bureaus will try to sell you
credit monitoring when you request free
reports. Be aware!
Protect Your Information
(cont.)
Run a public records search annually
Available free from ChoicePoint
 Allows you to check publicly available data
about yourself for accuracy
 Can provide clues that identity fraud has
occurred

Protect Your Information
(cont.)
Guard PINs and other identifiers from spying
Consider using electronic bill delivery/ bill
paying services



Removes possibility of mail theft
Allows earlier detection of unauthorized activity
Encourages more careful monitoring of financial
activity
Protect Your Information
(cont.)
Keep a record of all bank/credit account
numbers along with phone numbers
Keep a photocopy of your wallet
contents and passport in a safe place
Protect Your Information
(cont.)
Opt out of sharing personal information
Pre-screened credit offers
 Call 1-888-5-OPTOUT
Credit Bureau marketing lists
 Write each credit bureau
Telemarketing offers
 http://www.donotcall.gov/
 Registration good for five years

Protect Your Information
(cont.)
More opt-out options


Direct mail marketing

http://www.the-dma.org/consumers/offmailinglist.htm

Registration good for five years
Email marketing
http://www.dmaconsumers.org/offemaillist.html
 Registration good for one year

Protect Your Information
(cont.)
Omit personal identifying information
from resumes and job applications
You will eventually have to provide this if
hired
 Should not be needed until late in hiring
process
 If demanded early, do you really want to
work there?

Protect Your Property
Keep property secured at all times
Purses/briefcases/wallets
 Electronics

Special Considerations for
Mail
Use a locked mailbox, or pick up mail
promptly
Place all outgoing mail in secured
mailbox
Keep track of billing cycles
Make sure all expected mail is actually
received
Protect Your Property (cont.)
Carry only necessary items in
purse/wallet
Minimize number of credit cards
 Do not routinely carry Social Security card,
passport or birth certificate


Only carry if you need it that day
Protect Your Property (cont.)
Do not carry checkbook unless
absolutely necessary
Includes deposit slips and carbons as well
 Documents contain bank routing
information
 With this, thieves can easily completely
loot your bank account

Protect Your Documents
Store identifying documents in a safe,
locked place
Home: locked cabinet

Especially important if you do not trust other
occupants or have outsiders in the home
Protect Your Documents
Business: locked filing cabinet with
limited key access
Critical because of business liability
 Georgia law – up to $10,000 fine PLUS
unlimited civil liability

Protect Your Documents
(cont.)
Shred personal documents before
throwing away
Credit card statements/receipts
 “Courtesy” checks
 Credit offers
 Old cancelled checks
 Expired credit cards
 Any document with identifying information

Protect Your Documents
(cont.)
Shred business documents before
throwing away
Client/customer information
 Outdated files
 Any document with identifying information

Protect Your Technology
Technology protection is a complex
issue!
Mixture of safeguards required to
handle different types of problems
Protect Your Technology
(cont.)
Physical security
Control access to computers
 Minimize storage of sensitive data on
laptop computers

Protect Your Technology
(cont.)
Keep safeguards up to date
Operating system updates
 Security program updates

New types of attacks arise weekly
Schedule automatic updates and use
them
Personal Electronics
Password protection is a minimum level
Inconvenience of entering password
outweighed by security
Set up a password on PDAs

Entry required when powered on
Personal Electronics (cont.)
Set up login password on ALL
computers
Do not allow “guest” accounts on
computers
 With Windows, accounts can be bypassed
 Never allow automatic login

Personal Electronics (cont.)
If possible, set up BIOS password on
laptops
Cannot start up laptop without entering
password
 Caution: if you forget this password, NO
ONE can get into your computer

Password Choices
Choose passwords that are
Combinations of letters, numbers, and
symbols
 Do not contain any identifying data

Birth dates
 Family members’ names/variations


Are at least eight to ten characters long
Password Security
Do not write down passwords or PINs

Especially don’t keep written passwords or
PINs with the item using them!
Do NOT give ANYONE your password
or PIN
Changing Passwords
Do not use the same password for
everything
Change your passwords regularly
However, it’s better to use a “good”
password badly than to use “bad”
passwords well
Data Files
Do not make sensitive files accessible
through network
Disable file sharing
 If files must be shared, password-protect
them

Data Files (cont.)
Simply deleting a file is not enough!
Files remain in the Recycle/Trash bin after
deletion
 Recovery from here is simple
 Must either specifically delete files from
Recycle Bin or empty Recycle Bin

Additional Protection for
Companies
Authenticate all access to sensitive
electronic data

Require ID and password for access
Disable network access of terminated
employees IMMEDIATELY
Additional Protection for
Companies (cont.)
Limit physical and logical access to
company databases
Create, implement, and enforce a
specific data access policy

“need to know” basis for data access
Discarding Computer
Equipment
Computer hard drives
Data can be recovered even after
formatting
 Only safe way to ensure removal is to use
a data wiping utility


Darik’s Boot and Nuke claims to wipe drives to
DOD standards

http://dban.sourceforge.net/
Discarding Data Disks
Removable data disks can be
recovered and read
Physically destroy disks before
discarding
Shred if possible
 CDs can be microwaved for no more than
three seconds to destroy data

World Wide Web Security
Make sure the web site you are using is
the one you think you are using
Don’t click on links in emails unless you
can be sure you are going to that site
 Manually type the URL into your browser
 If the URL indicates a numeric address
instead of a domain name, BEWARE
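Added example (not part of the original slides): a Python check for the two warning signs above, a numeric address in a link and link text that names a different site than the real target, run against the anchor from the SunTrust phishing e-mail shown earlier. The class and function names and the example.com link are assumptions made for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_numeric_host(host):
    """True when the host is an IP literal rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_links(html):
    """Return (href, shown_text, [warnings]) for every suspicious link."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlsplit(href)
        host = (target.hostname or "").lower()
        warnings = []
        if host and is_numeric_host(host):
            warnings.append("numeric-host")
        # Visible text that looks like a URL is a claim about the destination.
        if text.lower().startswith(("http://", "https://")):
            shown = urlsplit(text)
            if (shown.hostname or "").lower() != host:
                warnings.append("text-host-mismatch")
            if shown.scheme == "https" and target.scheme != "https":
                warnings.append("scheme-downgrade")
        if warnings:
            findings.append((href, text, warnings))
    return findings

# Anchor taken from the phishing e-mail source shown in the slides.
PHISH = ('<p align="left"><a href="http://64.49.197.9/update/">\n'
         'https://www.suntrust.com/internetBanking/RequestRouter'
         '?requestCmdId=Reactivate </a></p>')
# Constructed benign link for comparison (hypothetical site).
BENIGN = '<a href="https://www.example.com/login">https://www.example.com/login</a>'
```

Calling `check_links(PHISH)` reports all three warnings for the e-mail's link, while `check_links(BENIGN)` returns an empty list.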

World Wide Web Security
(cont.)
Make sure you are using Secure Socket
technology if sending personal
information to a trusted web site

Indicated by
Lock icon at bottom of browser window
 https:// prefix on site URL (not http://)

I’m a Victim –
What Do I Do Now?
Some measures apply to all cases
Others only for certain situations
Record-keeping
Send all correspondence


Certified mail
Return receipt requested
Keep EXCELLENT documentation

Log all phone contacts



Company name, contact name, date, time
Keep copies of all correspondence you send
File ANYTHING you receive that MAY relate to the
situation
For All Cases
Immediate steps

Within 30 days
Long-term steps

Over next several months/years
File a Police Report
Contact local law enforcement
Georgia law requires that
Law enforcement must take report
 Report must be forwarded to Governor’s
Office of Consumer Affairs
 Consumer Affairs will forward to Georgia
Crime Information Center

File a Police Report (cont.)
Get copies of the law enforcement
report
Keep for your records
 Send copies to creditors when reporting
fraudulent activity

Notify Credit Bureaus
All three credit bureaus should be
alerted
Equifax – http://www.equifax.com/
 Experian – http://www.experian.com
 TransUnion – http://www.transunion.com

Notify Credit Bureaus
Call first, follow up in writing

Certified mail, return receipt
Request fraud alerts on your files
Normal duration of fraud alert is 90 –
180 days

Request, in writing, extension for seven
years
Notify Creditors
Call first, follow up in writing
Notify ALL creditors
Banks
 Credit card companies
 Other lenders
 Phone companies
 Utilities
 ISPs and other service providers

Notify Creditors
Existing creditors
Report fraudulent activity immediately
 Cancel existing account
 Request replacement cards with new
account numbers

Notify Creditors
Fraudulently obtained accounts
Take action as soon as you discover
existence of account
 State that you never requested account
 Provide with copy of police report and
fraud affidavit
 Request that account be closed
 Get confirmation in writing

Get Credit Reports
Should be automatically sent at no
charge when fraud alert is filed
Review carefully for inaccurate
information

Remember that some inaccurate
information may predate the crime
Dispute all inaccurate information in
writing
Report the Crime
Federal Trade Commission
http://www.consumer.gov/
 Fill out FTC’s ID Theft Affidavit

Many companies will accept as documentation
 Others insist on their own paperwork

Report the Crime
U.S. State Department (passport
agency)
Notify whether or not you have a passport
 http://www.state.gov/

Social Security Administration
If Social Security number is compromised
 http://www.ssa.gov/

Report the Crime (cont.)
U.S. Postal Inspection Service/
local Post Office

If mail fraud or change of address is
involved

http://www.usps.com/postalinspectors/welcome2.htm

Also consider renting a locked post office
box
Report the Crime (cont.)
Department of Motor Vehicles
If a motor vehicle is involved
 http://www.dmvs.ga.gov/

Internal Revenue Service/
Georgia Department of Revenue
If fraudulent tax returns are involved
 http://www.irs.gov/
 http://www2.state.ga.us/departments/DOR/

Special Steps
Bank accounts

If checks are stolen or misused, contact ALL check
approval agencies







CheckRite: (800) 766-2748
Chexsystems: (800) 428-9623
CheckCenter/CrossCheck: (800) 843-0760
Certigy/Equifax: (800) 437-5120
International Check Services: (800) 526-5380
SCAN: (800) 262-7771
TeleCheck: (800) 710-9898
When Criminal Activity is
Involved
In addition to the above, you MUST take
additional steps
Failure to do this could result in
Arrest
 Jail time
 Significant expense to repeatedly clear
your record

When Criminal Activity is
Involved (cont.)
Have local law enforcement confirm
your identity
Fingerprints
 Photograph
 Copies of identifying information

Have them send information to other
jurisdictions involved as well
When Criminal Activity is
Involved (cont.)
Request a “key name switch” in
databases

Entry should be under impostor’s actual
name

If not known, as “John/Jane Doe”
Make sure your name is listed as an alias,
not as real name
 Include local, state, federal databases

When Criminal Activity is
Involved (cont.)
Obtain a clearance document

Called by different names:
Clearance letter – Mis ID
 Certificate of release


Make multiple copies of this document
Carry a copy with you at ALL times
 Make sure a trusted friend/family member has
a copy

When Criminal Activity is
Involved (cont.)
If all else fails, hire a criminal defense
attorney with experience in this area

If the perpetrator is caught, you can ask for
this (and other) expenses as restitution
Long-Term Damage Control
Do NOT pay any fraudulent charges/bills/
checks

Use Fair Credit Reporting Act provisions to your
advantage
Continue to get credit reports regularly
(at least every six months)
Carefully monitor all financial activity
Long-Term Damage Control
(cont.)
Carefully monitor mail
Do NOT change your Social Security
number

Causes many more problems than it solves
Resources -- Federal
Agencies
Federal Trade Commission

http://www.consumer.gov/idtheft/
Department of Justice

http://www.usdoj.gov/criminal/fraud/idtheft.html
Social Security Administration

http://www.ssa.gov/pubs/idtheft.htm
U.S. Postal Inspection Service

http://www.usps.com/postalinspectors/welcome2.htm
Resources – State Agencies
Georgia Stop Identity Theft Network

http://www.stopidentitytheft.org/
Resources -- Nonprofit
Organizations
Better Business Bureau

http://www.bbbonline.org/IDTheft/
Identity Theft Resource Center

http://www.idtheftcenter.org/index.shtml
Privacy Rights Clearinghouse

http://www.privacyrights.org/identity.htm
Acknowledgements
Andrew Sledge, Desktop Technician,
OIT, Georgia Perimeter College

Spyware and computer security
information
Hunter Eidson, System Administrator,
Georgia Perimeter College

Computer security information
In Closing
This presentation is available online at
http://www.gpc.edu/~jbenson/presentations/idtheft.ppt