Personal Identity Theft in the Webbased Business World

1
Personal Identity Theft in the Web-based Business
World

• Presenter Rick Weatherspoon
• Xtreme Computing, LLC

2
Agenda

• Definition of ID Theft
• ID Theft Statistics
• Business Losses
• Types of Web-based ID Theft
• Hacking Attacking
• Phishing
• WarXing/War Driving
• ID Theft Reporting
• Questions

3
Identity Theft Definition

• The Deliberate Assumption of Another Person's
  Identity, Usually to Gain Access to their
  Finances, or Frame Them for a Crime

4
ID Theft Statistics (National)

• Fastest Growing Crime in US
• U.S. Identity Fraud Crimes now total 52.6
  Billion Annually
• Per-Victim Total of 5,686
• Affects Roughly 9.3 Million Individuals in US
  Yearly

Source 2005 Study by Javelin Strategy
Research
5
ID Theft Statistics (State)

• 2,909 Complaints Filed in Oregon State (2004)
• Oregon State Ranks within the Top 10 (9th)
• Complaints Rose 20 More than in 2003

6
ID Theft Statistics (County)
Source Wallowa County Sheriff May 2006
7
Business Losses Due to ID Theft

• Between May 2004 and May 2005, 1.5 Million
  Computer Users Lost 929 Million on ONLY Phishing
  Scams
• US Businesses Lose an Estimated 2 Billion Per
  Year on Clients who are Victims
• Businesses Lose an Average of 4,800 per Victim

Source Washington State AGO Identity Theft
Advisory Panel January 2006
8
Types of Web-based ID Theft

• Hacking Attacking
• Phishing
• WarXing/War Driving

9
Web-based Hacking Attacking

• Authentication Hacking
• Browsing
• Cookie Theft
• Session Hijacking
• Network Sniffers
• Password Cracking
• Dictionary Attacks
• Google Hacking
• SQL Injection
• Directory Traversal

10
Phishing

• Attempts to Fraudulently Acquire Sensitive
  Consumer Info Via False Web Pages, Emails, IMs,
  FAX, VOIP
• Term Arises from Using Sophisticated Lures to
  Fish for Consumers Financial Data Passwords
• Recently Targeting Banks, Online Payment
  Services, IRS Letters
• Common Tricks Include Misspelled URLs, use of
  SubDomains, Altering Address Bars, Cross Site
  Scripting
• Recent Scam Left Voice Messages to Call Bank with
  Account PIN Numbers over a VOIP Network

11
Citibank Phishing Email Example
12
Citibank Phishing Web Link
13
Citibank Phishing User Garbled URL
14
Citibank Phishing Invalid Credit Card Number
15
Citibank Phishing Source

• Search with Whois Utility
• IP 219.148.0.0 - 219.148.159.255netname
  CHINATELECOM-hedescr CHINANET hebei province
  networkdescr China Telecomdescr
  No.31,jingrong streetdescr Beijing
  100032country CNmnt-by MAINT-CHINANET
  changed hostmaster_at_ns.chinanet.cn.net 20030820
  source APNIC

16
WarXing/War Driving

• Searching for Wireless Networks and Access Points
  by Moving Vehicle/Bike (WLAN, WiFi HotSpots)
• Captures Information Packets with WiFi-based
  equipment (Laptop/PDA)
• Software Freely Available to Monitor, Capture,
  and Analyze Clear Text and Encrypted Data
  (NetStumbler, AirSnort, WEPCracker, etc.)
• Majority of Wireless Networks Use Default
  Settings (SSIDs, Passwords, Encryption Keys,
  etc.)
• Legality of War Driving Not Clearly Defined in
  the US

17
Wireless Network Diagram
18
Reporting of ID Theft

• FBI/Internet Fraud Complaint Center
• 1.800.251.3221
• www.ifccfbi.gov
• Federal Trade Commission
• 1.877.438.4338
• www.consumer.gov/idtheft/
• Internet Crime Complaint Center
• www.ic3.gov/complaint
• Oregon State Department of Justice
• http//www.doj.state.or.us/
• Wallowa County Sheriff Department
• 541.426.3131

19
Questions?
www.xtremecomputing.us/briefings.html