Lecture72011

Computer Vulnerabilities
& Criminal Activity
Identity Theft & Credit Card Fraud
7.2
October 24, 2011
Definition of Identity Theft
A person commits the crime of identity theft if, without
the authorization, consent, or permission of the victim,
and with the intent to defraud for his or her own benefit
or the benefit of a third person, he or she does any of the
following:
1. Obtains, records, or accesses identifying information that
would assist in accessing financial resources, obtaining
identification documents, or obtaining benefits of the victim.
2. Obtains goods or services through the use of identifying
information of the victim.
3. Obtains identification documents in the victim's name.
US Legal Definitions
Identity Theft and Assumption
Deterrence Act
18 U.S.C. § 1028
Makes it a federal crime to:
“knowingly transfers or uses, without lawful authority, a
means of identification of another person with the intent to
commit, or to aid or abet, any unlawful activity that
constitutes a violation of Federal law, or that constitutes a
felony under any applicable State or local law”
Connecticut Criminal Law
- Identity Theft
http://law.justia.com/connecticut/codes/title53a/sec53a-129a.html
Protected Information
Name
Date of birth
Personal identification numbers (PIN)
Social Security number
Electronic identification codes
Driver's license number
Automated or electronic signatures
Financial services account numbers, including checking and savings accounts
Biometric data
Credit or debit card numbers
Passwords
Fingerprints
Parent's legal surname prior to marriage
States with Mandatory ID
Theft Investigation
California
Louisiana
Minnesota
Motivation for Identity Theft
Financial Desires
Greed
Strain Theory
Individuals Committing Identity Theft
Individuals
May have some relationship to the victim
Often have no prior criminal record
Illegal Immigrants
Methamphetamine Users
Career Criminals
Gangs
Hells Angels
MS-13
Foreign Organized Crime Groups
Asia
Eastern Europe
Victims of Identity Theft
Higher education / higher income
Age 22 - 59
Married
Basically, individuals most likely to have a good credit
rating / credit history
Methods of Obtaining Identity
Information
Dumpster Diving
Skimming
Phishing
Change of Address
Theft of Personal Property
Pretexting / Social Engineering
How the Internet is used for
ID Theft
Hackers
Interception of transmissions - retailer to credit card
processor
Firewall penetration - data search
Access to underlying applications
Social Engineering / Phishing / Pretexting
Malware / Spyware / Keystroke Loggers
Crimes Following Identity Theft
Credit Card Fraud
Phone/Utility Fraud
Bank/Finance Fraud
Government Document Fraud
Employment Fraud
Medical Fraud
Misrepresentation during arrest
Problem with Identity Theft Investigation
Lapse of time between crime and the time the crime is
reported
Monetary amount
Jurisdiction
Anonymity
Identity Theft Investigation
http://www.ftc.gov/bcp/edu/microsites/idtheft/law-enforcement/investigations.html
Identity Theft Data Clearing House
Identity Theft Transaction Records
Subpoena or victim’s permission
Request for documents
Must be in writing
Authorized by the victim
Be sent to the address specified by the business
Allow the business 30 days to respond
Credit Card Fraud
“Wide-ranging term for theft and fraud committed using a credit
card or any similar payment mechanism as a fraudulent source
of funds in a transaction.”
Wikipedia
“Carding”
“The unauthorized use of credit
and debit card account information to fraudulently purchase goods and
services.”
DATA BREACHES: WHAT THE UNDERGROUND
WORLD OF “CARDING” REVEALS - US DOJ
Carding Terminology
Dumps - information electronically copied from
the magnetic stripe on the back of credit and
debit cards.
Track 1 is alpha-numeric and contains the
customer’s name and account number
Track 2 is numeric and contains the account
number, expiration date, the secure code (known as
the CVV), and discretionary institution data.
PIN - Personal Information Number
BIN - Bank Information Number
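Added example (not part of the original lecture): the Track 2 layout described above, used defensively to find and redact magnetic-stripe data that has leaked into application or point-of-sale logs. The field order follows ISO/IEC 7813 as an assumption, and the log lines, host name and `raw=`/`ref=` fields are constructed for illustration.

```python
import re

# Track 2 per ISO/IEC 7813 (assumption; the lecture gives no byte layout):
# ';' PAN '=' YYMM expiry, 3-digit service code, discretionary data, '?'
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

# Constructed sample lines; host name and field names are hypothetical.
# 4111111111111111 is a widely published test number, not a real account.
SAMPLE_LOG = [
    "2011-10-24 12:00:01 pos-03 swipe raw=;4111111111111111=25121010000000000000? ok",
    "2011-10-24 12:00:05 pos-03 ref=;1234567890123456=25121010000000000000? ok",
    "2011-10-24 12:00:09 pos-03 heartbeat",
]

def luhn_ok(pan):
    """Luhn checksum: rejects digit runs that only look like an account number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Keep only the first six (BIN) and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line):
    """Return (masked PANs found, line with track data redacted)."""
    found = []
    def redact(m):
        pan = m.group(1)
        if not luhn_ok(pan):
            return m.group(0)               # not a plausible card number; leave as is
        found.append(mask_pan(pan))
        return ";" + mask_pan(pan) + "=[REDACTED]?"
    return found, TRACK2.sub(redact, line)

def scan(lines):
    """Scan many lines; return (report, redacted_lines), line numbers 1-based."""
    report, clean = [], []
    for n, line in enumerate(lines, 1):
        found, redacted = scan_line(line)
        report += [(n, f) for f in found]
        clean.append(redacted)
    return report, clean

if __name__ == "__main__":
    report, clean = scan(SAMPLE_LOG)
    print(report)
    print("\n".join(clean))
```

The Luhn check keeps the false-positive rate down: the second sample line has the Track 2 shape but fails the checksum, so it is reported as clean and left unmodified.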
Carding Terminology cont.
“Full Info” or “Fulls” - a package of data about a victim,
including for example address, phone number, social
security number, credit or debit account numbers and
PINs, credit history report, mother’s maiden name,
and other personal identifying information
How Credit Card Information
Is Obtained Online
In bulk from hackers who have compromised
large databases
http://www.privacyrights.org/ar/ChronDataBreaches.htm
Phishing
Malware
Types of Carding
Carding Online
Using stolen credit cards to purchase goods & services
online
Carding to a drop - having goods sent to another physical
address
Cobs - changing billing address with credit card company
Types of Carding cont.
In-Store Carding
Presenting a counterfeit credit card that had been
encoded with stolen account information to a cashier at
a physical retail store location
More risky
Higher level of sophistication
Types of Carding cont.
Cashing
The act of obtaining money, rather than retail goods
and services, with the unauthorized use of stolen
financial information
PIN Cashing - Using dump information to encode a
stripe on a card to use at ATMs
Types of Carding cont.
Gift Card Vending
Purchasing gift cards from retail merchants at their
physical stores using counterfeit credit cards and
reselling such cards for a percentage of their actual value
Sales may be online or face-to-face
Carding Forums Online
Tutorials on different types of carding-related activities
Private and public message posting enabling members
to buy and sell blocks of stolen account information
and other goods and services
Hyperlinks for hacking tools and downloadable
computer code to assist in network intrusions;
Other exploits such as source code for phishing
webpages
Lists of proxies
Areas designated for naming and banning individuals
who steal from other members
Carding Websites (all disabled)
www.shadowcrew.com
www.carderplanet.com
www.CCpowerForums.com
www.theftservices.com
www.cardersmarket.com
Sample Carding Web Sites