Send In The Clones! The Fact and Fiction of Identity Theft About Neal O’Farrell • CEO of My Security Plan and working in information security for more than twenty five years. • Taught security to more than 3 million users in 120 countries, • Awareness programs endorsed by Department of Homeland Security and the United States Secret Service. • Creator of the nation's first Cyber Security Day, on November 4th 2002 • Founder of Think Security First!, the nation's first communitybased cyber security awareness initiative and a unique experiment in raising the security awareness of an entire city. • Creator of the Identity Theft Score About My Security Plan • My Security Plan teaches consumers and small business owners how to "plan their protection" against the threats of cybercrime and identity theft. • We also create solutions to help our partners teach their customers better security habits, so they can reduce the growing costs associated with lack of security awareness, and at the same time enhance their brand reputation and build greater customer trust. • Our content and tools can be found on numerous web sites and ISPs. • Current projects include a nationwide consumer id theft awareness campaign in partnership with NBC. • Based in Walnut Creek CA, and on the web at www.mysecurityplan.com What You’ll Learn • What is identity theft and how did we get here? • Who commits identity theft, how, and why • Hacking, phishing, and identity theft • Are we making progress, or treading water? • What next – attacks and responses • The Cost of Failure • What You Can Do To Protect Yourself • What Your Organization Can Do Send In The Clones • How big is the problem? – – – – • Gartner estimates 7 million victims annually Better Business Bureau estimates 8 million FTC estimates 10 million Harris Interactive estimates 44 million Confusion is understandable: – Different methodologies – Different motives – Different definitions • Identity cloning is a better definition – You don’t actually lose your identity – The difference helps explain the explosion in the crime • Little disagreement over the cost – $56 billion annually and rising The Busboy That Started It All • March 20th 2001, MSNBC reported the first identity theft case to gain widespread public attention • Thief assumed the identities of Oprah Winfrey and Martha Stewart, took out new credit cards in their names, and accessed their bank accounts • Stole more than $7 million from 200 of the world’s super rich - Warren Buffet and George Soros, tech tycoons Paul Allen and Larry Ellison • Used a library computer, public records, a cell phone, a fax machine, a PO Box, and a copy of Forbes Richest People • 32-year-old Abraham Abdallah was described as “a high school dropout, a New York City busboy, a pudgy, disheveled, career petty criminal.” How Identity Theft Has Changed America • Changed the way we work and communicate • Changed the way we use technology • Changed the way we trust • Changed our postal system • Changed our credit and banking system • Changed our criminals • Changed the way the police “police” • Changed our national security and sense of security How Did We Get Here? • A unique financial system with easy access to credit • Lack of awareness by consumers • Poor education and slow response by the financial community • Identity theft has been a cost of doing business • Prosecution is rare, around 5% of reported cases • The meth epidemic has fuelled growth • Organized crime and hackers have brought their own unique skills • Media exposure has created a new appetite • It’s where the money is! Why Identity Theft Is Such A Unique Crime • Anyone can commit it, and you don’t have to be a genius • Everyone does, from organized crime to mom and pop • It’s a delayed action crime, with many months between the crime and its detection • It’s often a multipart crime, starting with the theft of a single piece of information • The crime can be committed from thousands of miles away – the victim and culprit often never meet • You don’t have to own or even use a computer • It costs everybody money Identity Theft Vs. Other Crimes • Typical California city, population 64,000, 60 police officers. • Using FTC statistics, there could be 2,000 ID theft victims a year in this city. • That’s 4 times the number of burglaries, 20 times the number of assaults, and 60 times the number of thefts. • The department recently had to let go its only (part time) cybercrimes investigator. Identity Theft and Methamphetamine • Meth users see mail theft and check washing as a low risk way to pay for their habit • The best chemicals for brewing meth are also the best chemicals for washing checks • Identity thieves and fraudsters see meth users as lucrative “partners in crime” • Meth gangs see the double payoff in identity theft, and have the right connections Meth, Check Washing, and Mail Theft • In Salt Lake City, police report that 95% of all check washing is done by meth users • In Phoenix AZ police report that 99% of all check washing is by meth users • “Arizona is the number one state in the country for mail theft. Our state also is plagued with the crimes that come with it-- meth dealing and identity theft.” KGUN News Tucson, September 2003. • Nearly 90% of domestic disputes reported in Contra Costa County involve meth. Who, Why, and How • More than 50% of all identity thefts are committed by people known to the victim – family, friends, and co-workers (FTC) • 70% of thefts can be traced to workplace thefts by employees (University of Michigan) • Organized teams and gangs are responsible for a growing number of large crimes • Petty criminals understand the attraction of the crime • Opportunists can read the headlines • The “nearest and dearest” threat • Perhaps more offline thefts than online Why Identity Theft? • It’s where the money is • Anyone can commit identity theft, with no special tools, training, or skills • A bank robbery raises $3,500, an identity theft $17,000 • Payoffs can be staggering – a theft of customer identities by an employee in New York in 2003 netted him $7 million • There’s a ready market for any ID information, from credit cards to SSNs • It’s a very low-risk crime • Many believe it’s a victimless crime How Is Identity Theft Committed? • Hacking • Phishing and Pharming • Car theft • Hard drive rebuilding • Mail theft • Laptop theft • Insider crimes • Dumpster diving • Check theft • Burglary • Theft of credit card receipts • E-mail and internet scams Hacking And Identity Theft • Organized crime gangs, from Russia (6,000 gangs approx.) to Bolivia • Professional hackers selling any information for a gain • Disgruntled insiders, often after they’ve left the workplace • Opportunists scanning home computers for open doors • Petty criminals keeping up with the times • Traditional hackers/virus authors seeking profit for the risk • New partnerships between organized crime, virus authors, spammers etc. Hacking Incidents On The Rise • More than 50 of the reported data breaches in the last year attributed to hacking • Hacking accounted for the largest number of compromised personal records in the last 12 months – 43 million approximately • Well-known brands include DSW Shoes, Polo Ralph Lauren, BJ’s Wholesale • Educational institutions a major target • Card Systems was one of the biggest to date, at 40 million customers exposed Hacking For Cash • Russian hacker Maxus stole 300,000 credit card records from CD Universe in 1999. • Demanded a ransom of $100,000, then gave away 25,000 credit card records free on the web (The Maxus Credit Card Pipeline) • Stolen data networks have flourished in the open, including Network Terrorism Forum, Shadowcrew, Carderplanet, Dark Profits, and Mazafaka • Shadowcrew had 4,000 members, 1.5 million stolen credit cards, and created $4 million in losses • Ransom trojans offer specific instructions to avoid data deletion or encryption How Data Selling Networks Work • A new generation of organized crime that never meets • Credit card numbers are posted on public web sites for either purchase or “joint venture” • In a joint venture, other network members use stolen numbers to send good to drop sites for pick up, goods are sold and proceeds shared with the original poster • Sellers required to prove their credibility with multiple dummy runs • Criminal community operates a rating/review system for sellers and data • Sites accept request for specific types of stolen information and will also sell complete phishing web sites and emails Phishing And Identity Theft • Jan ’05 – Jan ’06, more than 190,000 different phishing attacks reported (The Anti Phishing Working Group) • January ’06 saw 4 times as many new phishing web sites as Jan ’05 (The Anti Phishing Working Group) • January ’06 – 101 brands hijacked by phishers (The Anti Phishing Working Group) • January ’06 – the highest recorded number of phishing-based keylogger Trojans (184) • The U.S. is the largest host of phishing web sites (36.57%) followed by China (8.98%) and Korea (7.7%) (Websense) • Don’t forget its cousins pharming and phowning Why Phishing Works • "Why Phishing Works" study (Harvard University/UC Berkeley) 90% of subjects were unable to pick out a highly effective phishing email when simply judging whether or not it was genuine • Spoofed Bank Of the West e-mail with phishing Web site www.bankofthevvest.com (with a double "v" instead of "w"), a padlock in the content, spoofed VeriSign logo and certificate validation seal, and a pop-up consumer security alert. 91% of participants guessed it was legitimate. • Presented with a genuine E*Trade e-mail that directed recipients to a legitimate secure site with a simple, graphic-free design optimized for mobile browsers, 77 percent of participants guessed it to be a fake. • Nearly a quarter of participants in the research study didn't look at the address bar, status bar or security indicators on the phishing sites. One Recent Phishing Trip • First half of March 2006 experts tracked a single hacker group stealing between 1.5 and 2 megabytes of text data from victims each day.* – Roughly 1,000 credit card numbers or login credentials for Web mail and online banking sites. • The third week in March, when the latest IE exploit surfaced, the same group's dead drops increased to 80 to 115 megabytes of stolen data each day. • On just one day phishers stole 13,677 accounts, including 3,536 credit card account numbers, 255 Paypal accounts, 1,038 eBay accounts; 93 user names and passwords for Bank of America online accounts; and login credentials for some 2,609 Hotmail e-mail accounts. • But is all this really identity theft, or just credit card fraud? *Washington Post/Secure Science Corp. March 2006 From Phishing To Phowning • Phishers are moving from email to VoIP to trap unwary users • Instead of directing users to phony web site, offers users a phony phone number to call • An easy scam to set up: – Create a VoIP account, such as Vonage – Install a voice recognition system – Manage with a PC-based PBX – Create an elaborate and convincing call-in system • For the phisher, a faster deployment, lower cost, and less risk • Lack of awareness and familiarity makes the crime more effective • This could represent an entirely new class of cyber attack *Washington Post/Secure Science Corp. March 2006 Mail Theft • Opportunists and meth users looking for anything of value • Organized local gangs planning attacks, monitoring routes • Impersonation of mail staff • Theft or hijacking of mail vans • Theft by neighbors • Thefts from businesses Insider Crimes • 50-70% of identity thefts traced to trusted insiders. • That means family, friends, co-workers, and employees • This type of attack is much easier to hide, harder to trace • Knowing a friend or colleague is the culprit adds to the victim impact • Small businesses are especially vulnerable • Even employers have resorted to identity theft • First major insider theft cost an estimated $100 million in losses Burglary • Expect identity theft to drive a new wave of burglary, especially by meth users • ID theft by burglary is a much easier crime to conceal • It’s a more profitable crime, because information can be sold many times over • It’s a crime that leaves little evidence, and can go undetected for months or even years • The merchandise has no protection and can’t be engraved with an SSN Hard Drive Rebuilding • Few computer users properly erase their hard drives before dumping or selling their computer • Most old hard drives contain some useful information • A study by MIT found nearly 50% of used drives purchased had usable data including medical correspondence, pornography and 5,000 credit card numbers • A Nevada woman bought a used computer with prescription records on 2,000 customers • Many identity thieves focus solely on purchasing old computers Are We Making Progress? • The number of adult victims of identity fraud has declined marginally between 2003 and 2006, from 10.1 million people to 8.9 million people, in the United States. Better Business Bureau • Consumers don’t bear the brunt of financial losses from identity fraud, Internet use does not increase the risk; and seniors are not the most frequent targets of fraud operators. Javelin Research • Greater commitment to technology, including two-factor authentication, anti-phishing toolbars, and increased credit monitoring. • Greater understanding by consumers - nearly 40 percent of citizens are willing to pay fees for more protection, according to Unisys study Are We Really Making Progress? • Nearly 55 million Americans had their personal information compromised between February 2005 and April 2006 (Privacy Rights Clearinghouse) – Only covers “reported” breaches • January – March 2006, at least 75 incidents of “data disclosure” have been reported, potentially affecting more than 4.9 million individuals (ChoicePoint) – ChoicePoint was one of the most infamous insecurity cases of 2005 • "Only one percent of bank employees report that their bank provides special identity theft training for employees". International Communications Research (ICR) • 2005 described as “the year of the breach” with 130+ reported breaches Are We Really Making Progress? • More than 180,000 PCs are turned into zombies every day, and that figure is continually rising (Ciphertrust) – Pumping out spam, launching Denial of Service attacks, and stealing personal information • 40 of the Top 50 threats identified in 2005, including viruses, worms and trojans, were designed to steal confidential information from the user's computer. Symantec • "In the last six months of 2005 there were an average 7.92 million phishing attempts per day." Symantec's Internet Security Threat report • 1 in 10 consumers reported receiving notification of their personal data being compromised (August 2005) What Next? Attacks • Dawn of the Bots – Botnets and bot herders. Dutch trio infected more than 1.5 million PCs with Toxbot trojan to steal credit card numbers and other personal data, and to blackmail online businesses. – “Meta Fisher” bot Trojan known to have infected 1 million+ computers to attack personal bank accounts (March 200). Dubbed “the most sophisticated bot Trojan ever” – Encrypted bots • Debit card attacks – “Could mark the dawning of a new age in computer crime.” Gartner – Exploits weak policies and practices • Denial of Service/Blackmail – Million Dollar Home page – 23,000+ hosts attacking the site – $50,000 ransom demanded • Personal attacks – Spear phishing – Individual blackmail and ransom What Next? Responses • Consolidation of data protection laws – H.R.3997 - The Financial Data Protection Act of 2005, to amend the Fair Credit Reporting Act – H.R.4127 - reasonable security policies, better procedures to protect computerized data containing personal information, nationwide notice in the event of a security breach. – 23 states already have enacted disclosure laws requiring various forms of notification of data breaches. • Authentication, identification and other technologies – Tokens and biometrics – Bank of America and Wells Fargo initiatives • Personal anti-phishing tools – McAfee Site Advisor – Google, Firefox, Microsoft • More laws, fines, personal accountability, firings The Cost of Failure • Providence Health Systems, Portland – loss of $7- 9 million in “financial and legal aftereffects “ from theft of computer tapes • BJ’s Wholesale – losses estimated at $10 million +, before litigation, for data theft incident. – 163 Credit Unions filed suit as a result of breach. • ChoicePoint - paid $15 million in fines after unwittingly selling consumer credit reports to thieves posing as legitimate customers. • Cardsystems – took 15 years to get to processing more than $15 billion annually in credit card payments. – Took less than 8 months after losing customer data to national humiliation, Congressional hearings, loss of major clients, payment of fines to the FTC, and fire sale of assets. The Cost of Failure • “In a climate of heightened consumer awareness and concern about online security and fraud, 37% of online banking consumers believe some banks are more secure than others, while 43% place online banking security among the top-three factors in selecting where to bank.” Jupiter Research • “12 million consumers have switched banks to reduce the risk of becoming victims of identity theft.“ Financial Insights • More than two thirds of the American public have lost confidence in the handling of their personal information.” Privacy and American Business and Harris Interactive study The Cost of Failure • “One in four Web users say they have stopped shopping online because of perceived security risks, and more than half no longer give personal information, such as addresses or birthdates, over the Internet.” Consumer Reports • “The combined effect of all these attacks is exacting a steep toll on consumer confidence in online commerce. More than 42 percent of surveyed consumers say their concerns about online attacks such as phishing18 affect their online shopping behavior. More than 28 percent say that online attacks have influenced their online banking activity.” Gartner, June 2005 • “Nearly 20 percent of respondents say they have terminated a relationship with a company after being notified of a security breach and 40 percent say they are thinking about terminating their relationship” The Ponemon Institute, 2005 The Cost of Failure • “Any company that fails to do what is necessary to help protect consumers is putting its corporate reputation at risk.” Harriet Pearson, chief privacy officer, IBM. • “There is a hidden threat to this digital future: It's not some cyberattack, but the loss of consumer confidence in the online experience. If consumers don't believe that their critical information is protected from irreparable damage or unauthorized access, they won't continue to embrace the digital lifestyle. And that won't just hurt the digital economy, but the economy as a whole. “ John Thomson, CEO. Symantec, Feb 06 • "The main thing we've lost is not the money; it is not the credit ratings. The main thing we've lost is trust.” David Perry, global director of education, Trend Micro at RSA 2006 How You Can Protect Yourself • Create a simple security plan – a checklist of what security gaps they need to fill – – – – – – – Security rules for the home Use of credit cards Use of web and e-mail Regular credit checking Physical and document security Use of security technologies Care in the office How You Can Protect Yourself • Create an ID theft response plan: – – – – – – – – What credit agencies to contact and how All bank and credit card account details Bank and credit card company contacts Copy of an ID theft affidavit Local police contact List of all SSNs in the home List of all missing or misused checks, with numbers Outstanding ATM and check cards How You Can Protect Yourself • Check credit reports at least every three months – The more often you check, the less damage will be done – Understand what you’re reading – Consumers need to be careful of the service they choose – Use strong passwords for credit accounts – Consider using a credit monitoring service How You Can Protect Yourself • Don’t leave mail unattended in public places – Mail theft is often the first, last and easiest step in identity theft – Don’t leave mail to be collected in a public place – Avoid making payments by mail. Pay online instead – Collect check books and ATM cards from the bank – don’t have the bank mail them – Have your mail collected when on vacation How You Can Protect Yourself • Shred all unnecessary financial documents – Shredding minimizes the threat of dumpster diving – Immediately shred preapproved credit card offers – Shred old hard copies of financial records and receipts – Use a cross-cut shredder – Fellowes is a popular brand, starting at around $50 How You Can Protect Yourself • Protect social security numbers or other personal financial information – Most ID thefts are based on combining pieces of information. The SSN is the holy grail – Never reveal your SSN over the phone, or send by e-mail – Don’t give it to businesses that request it as an identifier – Make sure that third parties that have it, such as CPAs, protect it - Beware of phishing and email scams – Protect it from family and friends How You Can Protect Yourself • Protect every computer you use in the home – – – – – – Firewall Virus protection Spyware protection Data encryption Patching and updating Privacy measures What Your Organization Can Do • View identity theft as a brand enhancer and a brand enabler – It’s time to capitalize on the crime – Have a plan in place for prevention, response, and notification • Customers don’t recognize data theft as the real crime – The real crime is (a) what’s done with the data and (b) what you failed to do • Educate your customers – They’re a captive audience – They want to trust you – They’ll appreciate the help – Talking about security is not a bad thing – Focus on phishing What Your Organization Can Do • Educate your employees – Saturation awareness training – Policies and rules – Data classification and protection – Encryption • Communicate and Counsel – Notify quickly, clearly, and honestly – Provide a hotline – Provide victim assistance and resolution • View a breach of trust as an opportunity – to create better trust and a stronger relationship