Embed Size (px)
DESCRIPTION
Identity Theft Deter, Detect, and Defend At Home & At Work. Introductions. Lisa Stensland, OIT – Project Management Ray Price, CU Police Andrea Beesing, OIT – IT Security Sandy Eccleston, DFA Jamie Churchill, DFA Pat McClary, Counsel’s Office Norma Schwab, Counsel’s Office - PowerPoint PPT Presentation
Citation preview
Identity Theft
Deter, Detect, and Defend
At Home & At Work
Introductions
• Lisa Stensland, OIT – Project Management• Ray Price, CU Police
• Andrea Beesing, OIT – IT Security• Sandy Eccleston, DFA• Jamie Churchill, DFA• Pat McClary, Counsel’s Office• Norma Schwab, Counsel’s Office• Kenna Morehouse, Treasurer’s Office• Carolann Saggese, Treasurer’s Office• Chuck Alridge, CU Police• Debi Benson, DFA• George Sutfin, CU Police
Agenda
• Why be concerned?• Deter – how to prevent it• Detect – how to discover it• Defend – how to fix it• Identity theft prevention at work• But what about…?
What is Identity Theft?
• When someone uses your personal information without your permission to commit fraud or other crime– Name– Social Security number– Date of birth– Credit card number– Bank account numbers
Identity
Types of Identity Theft
Credit card 25%
Phone/utilities 16%
Bank account 16%
Employment-related 14%
Fraudulent tax return 6%
Business/personal/student loan 3%
Source: Federal Trade Commission, Feb 2007
Types of Identity Theft
Internet/email 2%
Medical 2%
Auto loan 2%
Driver’s license 1%
Real estate loan 1%
Gov’t benefits 1%
Other 24%
Source: Federal Trade Commission, Feb 2007
How does Identity Theft occur?
Good, old fashioned stealing
“Dumpster Diving”
“Skimming”
“Phishing”
http://219.166.162.37/icons/www.wachovia.com/…
Australia
“Phishing”
http://boaupdate.pochta.ru
Russia
“Phishing”
http://kooptickets.nl/~claudia/mycfcu.com/…..
Netherlands
“Phishing”
• Emails that appear to be from IRS requesting you confirm information
• Emails that are thanking you for a recent purchase (of something you didn’t buy)
• Phone phishing
When in doubt, ask or “call back”
Your bank will NEVER ask you for account numbers or passwords if they initiated the communication
Most studies show that the victim population is about
10 million per year.
That means every minute about 19 people become a new
victim of this crime.
In 2004, victims spent an average of 330 hours
recovering from this crime.
In 2004, 43% believe they knew their imposter.
14% of them said that it was an employee of a business who had their information.
The U.S. Government Reform Committee reports that all 19 government
departments and agencies reported at least one loss of personally identifiable
information since Jan. 2003.
Only a small number of the data breaches were caused by hackers. The vast majority of losses occurred from physical thefts of portable computers, drives and disks, or unauthorized use of data by employees.
According to the U.S. Department of Justice
Statistics, identity theft is now passing up
drug trafficking as the number one crime in the
nation.
Is this a big problem?
It’s huge.
--Identity Theft Resource Center, Facts & Statistics 2006
True Stories…
• Over 63 fraud cases reported to CU Police since 2005
• Many cases involve more than one incident– One case had 16!
Has anyone here been a victim?
How do you prevent Identity Theft?
DETER
DETECT
DEFEND
How many of you...
…have your Social Security card in your wallet or purse
right now?
Protect your sensitive information
• Do NOT carry your SSN card with you• Memorize PINs and passwords• Beware of promotions that request sensitive
information• Question how SSN or other sensitive data will
be used if it is requested by legitimate sources– It may not be needed!
Protect your sensitive information
• Shred pre-approved credit offers, receipts, bills, other records that have SSN
• Do not provide CC#, SSN, etc. out over email
• Do not click on links in unsolicited emails
How many of you...
...write checks to pay bills and then
put them in the mailbox with the flag up?
Modify your mail habits
• Don’t leave mail containing checks or account information in your mailbox
• Use the post office mailboxes• Keep an eye out for bills or statements that
aren’t received in a timely manner
How many of you...
...have noticed fewer and fewer places actually require or check your signature on a credit
card?
Modify your credit card habits
• Carry only cards you use regularly• Sign the backs of all credit cards (or write
“Check ID”)• Do not loan out your cards to anyone• Report lost/stolen cards immediately• Keep a copy of both sides of your cards in a
safe place
Modify your credit card habits
• Check for the “padlock” and/or “https” when purchasing online
• Opt out of pre-approved credit card offers• Opt out of junk mail• Shred all pre-approved credit card offers
– Do not just tear them up!
How many of you...
...do not have a firewall or
do not have anti-virus software on your computer at home that is up-to-date?
Safeguard your computer
• Use a firewall• Use anti-virus software AND keep it updated• Use wireless encryption• Do NOT give out your NetID/password under
ANY circumstances• Lock your computer when you are away from
your desk
Take advantage of other services available to you
• Credit monitoring services (not free)– Periodic emails reporting on changes to your credit report
• Identity Theft Insurance (proceed with care)• Fraud alert
– A flag on your credit report that encourages creditors to take extra steps to ensure identity has not been stolen
– Can only be done if you have been a victim of identity theft
• Credit freeze
Credit Freeze
• NYS allowed starting in November 2006• Prevents lenders and others from accessing
your credit report • Good news – Identity thieves will be unable to
establish credit in your name• Bad news – so will you
– Will also affect background checks and most requests for insurance
How do you find out if this has happened to you?
DETER
DETECT
DEFEND
How many of you...
...have not checked your credit report in the last 12 months?
Increase monitoring
• Check your credit report regularly– Free from each credit bureau once per year– Pull one every 4 months (rather than all 3 at once)
• Monitor your bank and credit card statements closely for unauthorized transactions
• Keep an eye out for bills that do not arrive as expected
Increase monitoring
• Watch for unexpected credit cards or account statements
• Investigate any denial of credit situations• Watch out for calls or letters about purchases
that you didn’t make
How do you restore your good name?
DETER
DETECT
DEFEND
Steps to Take
• Immediately close the account and request fraud dispute forms
• File a police report– You will need the report number when corresponding with
bank/credit card company
• Contact one of the 3 credit reporting agencies to place a “fraud alert” on your file
– The credit reporting agency is required to notify the other 2 to do the same
Steps to Take
• Report the theft to the Federal Trade Commission
• Keep copies of everything and journal all correspondence (date/time/name)– Send all written correspondence “certified mail,
return receipt requested”
• Know your rights!
Credit Card Liability
• Covered under Fair Credit Billing Act (FCBA)• Your maximum liability under federal law for
unauthorized use is $50• If you report lost/stolen cards before they are
used, your liability is $0• If the loss is only of the card number and not
the card, your liability is $0
Debit Card Liability
• Covered under Electronic Fund Transfer Act (EFTA)
• Liability depends on how quickly you report the loss
• It does not matter if you ran it through as “credit”!
• It does not matter if you “signed” rather than used PIN number!
Debit Card Liability
Timeframe Liability
Before card is used $0
Within 2 business days of lost/stolen card $50
After 2 business days, up to 60 days after statement including unauthorized charges is mailed
$500
After 60 days after statement including unauthorized charges is mailed
NO LIMIT
Investment Liability
• There are currently NO federal liability protections against fraudulent use of your investment or retirement accounts!
• Check with your bank or brokerage to see what they offer for liability protection
Identity Theft Protection at Work
How does this apply to work?
• Current federal and state law– Family Educational Rights and Privacy Act (FERPA)– Health Insurance Portability and Accountability Act (HIPAA)– Gramm-Leach-Bliley Act (GLBA)– NY Data Security and Notification Law (12/8/05)
• Growing social expectations due to rise in identity theft awareness
• Need to protect Cornell’s reputation
How does this apply to work?
• Cornell must notify and report if protected data is reasonably believed to have been inappropriately accessed
• Protected data includes– Name with
• Social security number• Credit card number• Bank account number with associated PIN• Drivers license number
Examples
• March 2005 - Bank of America– 1,200,000 lost social security and account numbers were
lost
• May 2006 - Veteran’s Administration– 26,500,000 social security numbers and DOB were lost
when a laptop was stolen
• January 2007 - TJ Maxx– 47,500,000 credit card numbers were stolen by hackers
taking advantage of unencrypted wireless network in parking lot
Why do we care?
Why do we care?
Precautions to take
• Identify the sensitive data on your system – do you really need it?– Social Security Numbers– Credit card numbers– Drivers license numbers
• Make sure your IT staff is aware that you manage sensitive data
• Work with your local IT staff to ensure your system is protected
Precautions to take
• Before performing any action on your computer ask if there’s a chance this action might put the data at risk– Clicking on e-mail attachments– Turning off the firewall, anti-virus– Installing programs from the internet
• If you work from home using personal computers – YOU are responsible for the security of your computer– Enable encryption on home wireless networks– Ensure sensitive data is encrypted
Precautions to take
• NEVER share your NetID/password• Use a complex password• Do not use your NetID/password for non-
Cornell systems• Do not email credit card numbers• Keep P-card/credit card applications and
paper checks locked up
Precautions to take
• Shred documents that are no longer needed – use shredder bins
• Keep a close eye for data stored on laptops• Change your screensaver to lock your
computer when you are away
Tools available to you
• Policies for keeping access to your confidential information as secure as possible
• Tools for avoiding exposure due to system compromises
Policies for securing data
• Draft Policies– Authentication of Information Technologies
Resources Interim Policy: http://www.cit.cornell.edu/policy/interim/AuthenticationITR.html
– Information Security of Institutional Data: http://www.cit.cornell.edu/oit/policy/drafts/InstData.html
Spider
• Open source (free) software developed by IT Security Office
• Identifies files on your system containing SSN’s and credit card numbers so you can remove them
• Use with guidance from your local technical support staff
• http://www.cit.cornell.edu/computer/security/tools/
Anti-Spyware and Anti-Virus Software
• Guards against software which installs itself on your computer to gather information about you without your knowledge
• Automatically updated as malware evolves• Cornell licenses Symantec Anti-Virus
– Includes anti-spyware with version 10.0– License covers home systems
• More info: http://www.cit.cornell.edu/computer/security/spyware/
Departmental security assessment service
• Offered by IT Security Office• Assessment of current environment• Assist in development of local solutions and
architectures• To schedule contact:
But what about…?
But what about…?
• Online Purchases– Safe if you look for https and padlock!
• Online Banking/Bill Payment– Safe if you look for https and padlock– Minimize human interaction– Your sensitive data will get to the systems either
way
But what about…?
• Credit Monitoring Services– $9-12 per month to alert you of changes to your credit report– Does not protect you - simply notifies you if ID theft has
already happened
• Identity Theft Insurance– Insurance riders – Zander Insurance ID Theft Program– Lifelock
But what about…?
• Insurance riders– Cover expenses incurred for cleaning up ID theft
(phone calls, mail, copies, etc.)– May or may not cover lost wages– Read policy carefully!
But what about…?
• Zander Insurance Identity Theft Program– $6.50 per month– Provides an advocate that will work with your
bank/creditors on your behalf to clean up ID theft– Covers expenses and lost wages/personal/
vacation time
But what about…?
• Lifelock ($10 per month)– CEO publicizes his SSN demonstrating confidence in their
service– They don’t do anything for you that you can’t do for yourself
FREE• Fraud alerts (every 90 days)• Pull annual credit reports• Opt outs for junk mail and pre-approved credit card
– Only paid out 3 claims according to a recent article– Scandal surrounded co-founder (no longer on staff)
In closing…
Deter, Detect, DefendAt Home and At Work
• Keep your sensitive data secure
• Monitor regularly for identity theft
• Act quickly if you think your identity has been compromised
Questions?
