Identity Theft Deter, Detect, and Defend At Home & At Work

1. Identity TheftDeter, Detect, and DefendAt Home & At Work

2. Introductions • Lisa Stensland • Manager, CIT Project Management Office • Former member of the Association for Financial Counseling and Planning Education • Ray Price • Cornell Police for 34 years • Last 8 years in Crime Prevention, which includes loss prevention and identity theft

3. Agenda • Why be concerned? • Deter – how to prevent it • Detect – how to discover it • Defend – how to fix it • Identity theft prevention at work • But what about…?

4. What is Identity Theft? • When someone uses your personal information without your permission to commit fraud or other crime • Name • Social Security number • Date of birth • Credit card number • Bank account numbers Identity

5. Types of Identity Theft Source: Federal Trade Commission, Feb 2007

6. Types of Identity Theft Source: Federal Trade Commission, Feb 2007

7. How does Identity Theft occur?

8. Good, old fashioned stealing

9. “Dumpster Diving”

10. “Skimming”

11. “Skimming”

12. “Skimming”

13. Lost or Stolen Laptop

14. Credit Card Shaving • Thieves try out 16 digit number combinations until one works! • Start with a stolen or deactivated credit, debit, or bank gift card • Generally, the thieves only have to worry about the figuring out the last four digits of a credit card • The first 12 numbers typically identify the bank and are common across many cardholders

15. Credit Card Shaving • Using razor blades, thieves shave off the numbers they need from another card • Apply them to the stolen card with superglue • Scratch the mag-strip so that numbers must be entered manually from the front

16. “Phishing” http://kooptickets.nl/~claudia/mycfcu.com/….. Netherlands

17. “Spearphishing”

18. “Spearphishing”

19. “Spearphishing” https://cuweblogin.cit.cornell.edu/cuwl-cgi/login2.cgi http://turist.hr/galerija/bjelovar/index/cornel/index.html Croatia/Hrvatska

20. “Phishing” • Emails that appear to be from IRS requesting you confirm information • Emails that are thanking you for a recent purchase (of something you didn’t buy) • Phone phishing When in doubt, ask or “call back” Your bank will NEVER ask you for account numbers or passwords if they initiated the communication

21. Is this a big problem? The U.S. Government Reform Committee reports that all 19 government departments and agencies reported at least one loss of personally identifiable information since Jan. 2003. Only a small number of the data breaches were caused by hackers. The vast majority of losses occurred from physical thefts of portable computers, drives and disks, or unauthorized use of data by employees. In 2007, identity theft generated the most complaints to the FTC by far. It was complained about 500% more than the complaint in second place. According to the U.S. Department of Justice Statistics, identity theft has now passed up drug trafficking as the number one crime in the nation. The victim population is about 10 million per year. 1 in 6 Americans will be a victim. Victims will spend on average of 175 hours and $1200 recovering from this crime. It’s huge. --Identity Theft Resource Center, Facts & Statistics 2006 & FTC

22. True Stories… • March 2005 - Bank of America • 1,200,000 lost social security and account numbers were lost • May 2006 - Veteran’s Administration • 26,500,000 social security numbers and DOB were lost when a laptop was stolen • January 2007 - TJ Maxx • 47,500,000 credit card numbers were stolen by hackers taking advantage of unencrypted wireless network in parking lot

23. Medical ID Theft • April 2007, Salt Lake City • Woman delivers a baby at a local hospital • …then abandons it! • Baby tests positive for methamphetamine • Hospital identifies mother as Anndorie Sachs and tracks her down • Anndorie says she did not have a baby recently • DCFS threatens to take away her other 4 children, aged 2-7

24. Medical ID Theft (cont) • Good news • Accusations were dropped • Anndorie was absolved of paying the bill • Bad news • Anndorie’s medical records were altered to show the blood type and medical record of a complete stranger • Anndorie has a blood clotting disorder • The hospitals insist that they have fixed the issue, but Anndorie can’t be sure because they need to PROTECT the PRIVACY of the IDENTITY THIEF!

25. Scrap Paper • March 10, 2008 • School teacher purchases box of scrap paper for her fourth grade students - $20 • What she really gets? • Medical records of 28 hospital patients!

27. Has anyone here been a victim?

28. DETER DETECT DEFEND How do you prevent Identity Theft?

29. How many of you... …have your Social Security card in your wallet or purse right now?

30. Protect your sensitive information • Do NOT carry your SSN card with you • Memorize PINs and passwords • Beware of promotions that request sensitive information • Question how SSN or other sensitive data will be used if it is requested by legitimate sources • It may not be needed!

31. Protect your sensitive information • Shred pre-approved credit offers, receipts, bills, other records that have SSN • Do not provide CC#, SSN, etc. out over email • Do not click on links in unsolicited emails

32. How many of you... ...write checks to pay bills and then put them in the mailbox with the flag up?

33. Modify your mail habits • Don’t leave mail containing checks or account information in your mailbox • Use the post office mailboxes • Keep an eye out for bills or statements that aren’t received in a timely manner

34. Consider Online Banking & Bill Payment • Computers don’t steal identities, human beings do • Minimize the number of people that have the opportunity to access your information • Online banking & bill payment is secure as long as you see: • “https” in the address – ‘s’ = secure… OR … • Padlock in lower right corner of browser

35. How many of you... ...have noticed fewer and fewer places actually require or check your signature on a credit card?

36. Modify your credit card habits • Carry only cards you use regularly • Sign the backs of all credit cards • AND write “Check ID” • Do not loan out your cards to anyone • Report lost/stolen cards immediately • Keep a copy of both sides of your cards in a safe place

37. Modify your credit card habits • Check for the “padlock” and/or “https” when purchasing online • Opt out of pre-approved credit card offers • Opt out of junk mail • Shred all pre-approved credit card offers • Do not just tear them up!

38. How many of you... ...do not have a firewall or do not have anti-virus software on your computer at home that is up-to-date?

39. Safeguard your computer • Use a firewall • Use anti-virus software AND keep it updated • Use wireless encryption • Configure your computer to NOT remember logins/passwords • Lock your computer when you are away from your desk • Use different (and complex) passwords for different accounts

40. Password Protection • The Imperva Application Defense Center (ADC) Study • December 2009, 32 million passwords were breached at rockyou.com and posted online • Analysis was performed on these passwords resulting in some startling findings http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf

41. Study Findings • 30% of users chose passwords whose length is <= 6 characters • 60% of users use limited set of alpha-numeric characters • 50% of users use names, slang words, dictionary words, or simple key sequences • In just 110 attempts, a hacker would typically be able to gain access to one new account every second, or 17 minutes to break 1000 accounts http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf

42. Password Protection http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf

43. Password Recommendations • Passwords should contain at least 8 characters • Passwords should contain a mix of 4 different types of characters • Upper case, lower case, numeric, special characters like !@#$%^& • Do not use names, dictionary words, key sequences, or any part of your name or email address

44. Password Recommendations • For keeping track of multiple passwords, develop an “algorithm” using a favorite word or phrase • Pet’s name: “C0dy” • Citibank account: C0dy@citibank • Fidelity account: C0dy@fidelity • You can have a different complex (using capital letters and symbols) password for each account AND it’s easy to remember

45. Take advantage of other preventative services available to you • Fraud alerts • A flag on your credit report that encourages creditors to take extra steps to ensure identity has not been stolen • A 90-day fraud alert can be placed anytime you think you may become a victim of ID theft • An ‘extended alert’ can be placed on for 7 years - requires a police report

46. Credit Freeze • NYS allowed starting in November 2006 • It is a lock on your credit report that prevents lenders and others from accessing it • Good news – Identity thieves will be unable to establish credit in your name • Bad news – Neither will you (unless you “thaw” your report for a nominal charge) • May additionally affect background checks and most requests for insurance

47. DETER DETECT DEFEND How do you find out if this has happened to you?

48. How many of you... ...have not checked your credit report in the last 12 months?

49. Increase monitoring • Check your credit report regularly • Free from each credit bureau once per year (Equifax, TransUnion, Experian) • Pull one every 4 months (rather than all 3 at once) • Monitor your bank and credit card statements closely for unauthorized transactions • Keep an eye out for bills that do not arrive as expected

50. Increase monitoring • Watch for unexpected credit cards or account statements • Investigate any denial of credit situations • Watch out for calls or letters about purchases that you didn’t make • Consider credit monitoring services offered by banks, credit card companies, reporting credit reporting agencies