Protecting Your Identity

What is IA?
• Committee on National Security Systems definition:
  – Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.
• CIA model
  – Confidentiality: prevent disclosure from unauthorized individuals or systems
  – Integrity: Information cannot be modified without authorization
  – Availability: Information must be accessible when needed
  – Authentication: establishing information as authentic
  – Non-repudiation: ensuring that a party cannot refute that information is genuine.

What is Identity Theft?
• Identity theft occurs when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes
• The FTC estimates that as many as 9 million Americans have their identities stolen each
• Typical Identity theft crimes
  – Rent an apartment
  – Obtain a credit card or other types of debt
  – Establish a telephone account
  – Get various types of identifications in the victim’s name
  – Steal financial assets

What is Identity Theft?
• Costs of Identity Theft
  – Legal fees
  – Exorbitant amount of time
  – Lost job opportunities
  – Denial of all types of financial resources
  – False accusations, and potential arrests for crimes not committed

How Does it Occur?
• In most cases attackers need personally identifiable information (PII) or personal documents in order to impersonate the victim.
• Name, Address, DOB, Birthplace, License Number, Credit Card Number, SSN
• Where could an attacker find this information?
• Could you be an easy target?

Generation Stereotype
• Millennial Generation (Us)
  – Users of instant communication technology
    • Myspace, Twitter, Facebook, Text, IM, e-mail
  – Tech savvy
    • Video Games (PC, Xbox, Playstation)
    • MMOs (Second Life, WOW, Lineage, Maple Story)
    • P2P file sharing
• 90 percent own a computer in US
• Spend more time online than watching TV
• How much information about you is stored on somebody else’s servers?
• What methods of protection are in place?

Contemporary High Risk Areas
• On-line shopping
• Malware
• Credit Card Applications
  – Online incentives
  – in person incentives
  – mail applications
• Physical Assets
  – Laptops, cellphones, ipods...
  – Wallet, purse, checkbook...
• Social Networking
• Online Gaming
• File sharing

Social Engineering
• The process of using social skills to convince people to reveal access credentials or other valuable information
• Common Social Engineering Techniques
  – Confidence Trick
  – Pretexting
  – Baiting
  – Quid Pro Quo
  – Phishing
    • Spear Phishing
    • Whaling
    • Phone Phishing

Phishing
• An attempt to obtain personal or financial information by using fraudulent means, usually by posing as a legitimate entity.
• Targets
  – PII
• Methods
  – Bank Account Credentials
  – E-mail Login Credentials
  – Social Networking Login Credentials
• Why?

Phishing Email Example

Phishing Logon Example

Phishing
• Phishing can take many forms:
  – E-mails from websites or services you use frequently
  – Bogus job offers
  – They might appear to be from a friend or someone you know (Spear Phishing)
  – They might ask you to call a number (Phone Phishing)
  – They usually contain official looking logos
  – They usually link to phony websites that ask for personal information
  – Physical Mail

Red Flags
• “Verify your account”
• “Click the link for account access”
• “If you don’t respond, your account will be suspended”
• “Suspicious activity alert”
• Pop ups
• Deceptive URLs
  – www.mircosoft.com
  – www.facesbook.com
  – www.192.168.XX.XX/citibank.com/code.html
• Masked URLs

Identity Theft
• What are other methods of stealing someone’s identity?
  – Non Technical
    • Dumpster Diving (Storage Media and Documents)
    • Skimming
    • Pickpocketing/Theft
    • Shoulder surfing
    • Changing Mailing Address
  – Technical
    • Hacking
    • Malware
    • Password Cracking
    • Packet sniffing

Prevention
• Shred all your important information
• Don’t access personal info in public places
• Use privacy screens when necessary
• Have your checks delivered to your bank
• Properly destroy storage media (hard drives, flash drives, CDs...)

Prevention
• Drop off payment checks at the post office
• Note when new credit cards are to be received
• Cancel old credit cards
• Use strong passwords
• Don’t post personally identifiable info on the internet.
• Install proper anti-malware software

Prevention
• Carry only necessary information with you
• Do not give out personal information unless necessary
• Monitor your accounts
• Order your credit report at least twice a year
• Know the site you are visiting (pay attention to URLs)
• Ensure PII info is encrypted (SSL, TLS)

Annual Credit Report
• Request your Credit Report Online
  – https://www.annualcreditreport.com
• To Request your Credit Report by Phone
  – Call 1-877-322-8228
• To Request your Credit Report by Mail
  – Annual Credit Report Request Service
    P.O. Box 105281
    Atlanta, GA 30348-5281

Recovering From Identity Theft
• What are the steps I should take if I'm a victim of identity theft?
  – Place a fraud alert on your credit reports, and review your credit reports
  – Close the accounts that you know, or believe, have been tampered with or opened fraudulently
  – File a complaint with the Federal Trade Commission
  – File a report with your local police or the police in the community where the identity theft took place

Anti-Phishing Phil
http://wombatsecurity.com/antiphishing_phil/index.html

Questions