Fraud/Identity Theft

1
Fraud/Identity Theft

• Steve Brukbacher
• Information Security Coordinator
• University of Wisconsin, Milwaukee
• http//security.uwm.edu

2
Information Security Awareness

• Fraud/Identity Theft
• My purse was stolen in December. By February, I
  started getting notices of bounced checks. About
  a year later I received information that someone
  using my identity had defaulted on a number of
  lease agreements and bought a car. In 1997, I
  learned that someone had been working under my
  Social Security number for a number of years. A
  man had been arrested and used my SSN on his
  arrest sheet. Theres a hit in the FBI computers
  for my SSN with a different name and gender. I
  cant get credit because of this situation. I
  was denied a mortgage loan, employment, credit
  cards, and medical care for my children. Ive
  even had auto insurance denied, medical insurance
  and tuition assistance denied.
• -From a consumer complaint to the FTC, January
  2, 2001

3
Information Security Awareness

• Fraud/Identity Theft
• Identity Theft is the use of someone elses good
  name and credit to obtain things you will never
  pay for.
• Fraud/Identity Theft
• Identity Fraud vs Identity Theft
• Identity Theft When someone gathers personal
  information about you and assumes your identity
  as your own
• Identity Fraud Consists mainly of someone
  making unauthorized charges to your credit cart

4
Information Security Awareness

• What are some methods of Identity Theft?
• Email Scams
• Dumpster diving
• Credit Card information theft
• Lost/Stolen Wallets
• Bogus change of address requests
• Theft of information at workplace

5
Information Security Awareness
Legal Stuff Section 1028 of the Federal Criminal
Code (18 U.S.C. 1028) makes it a crime to
knowingly use, without lawful authority, a means
of identification (such as an individual's social
security number or date of birth) of another
person with the intent to commit a crime.
Section 523 of the Gramm-Leach-Bliley Act (15
U.S.C. 6828) makes it a crime to obtain customer
information of a financial institution by means
of false or fraudulent statements to an officer,
employee, agent or customer of a financial
institution.  Wisconsin State Statute
943.201 -using (someone else's) personally
identifiable information to obtain credit,
money, goods or services or avoid civil/criminal
process.
6
Information Security Awareness

• Fraud/Identity Theft
• Statistics
• 1. Approximately 7 million people were victims of
  identity theft in 2002. That breaks down to a
  little more than 13 identity thefts every minute.
  
• 2. 85 percent of all identity theft victims find
  out about the crime only when they are denied
  credit or employment, contacted by the police, or
  have to deal with collection agencies, credit
  cards, and bills.
• 3. On average, victims spend 600 hours to fix the
  damage. The time can add up to as much as 16,000
  in lost wages or income.
• http//www.insideid.com/idtheft/article.php/343826
  1

7
Information Security Awareness

• Identity Theft
• How Victims Information is Misused (2003)
• 33 credit card fraud
• 21 phone or utilities fraud
• 17 Bank Fraud
• 6 Loan Fraud
• -Courtesy of FTC

8
Information Security Awareness

• Fraud/Identity Theft

9
Information Security Awareness

• How do thieves get your information?
• Stealing records from employer
• Abusing access to credit reports (landlords,
  employers)
• Email Scams (Phishing)
• http//www.uwm.edu/sab2/Classes/Infosec/sample.ht
  m
• Simply stealing your mail
• Computer Hacking/Theft
• Skimming
• Dumpster diving
• Credit Card information theft
• Lost/Stolen Wallets
• Bogus change of address requests
• Pretext Calling

10
Information Security Awareness

• What do thieves do with this information?
• Open credit card and bank accounts in your
  name/credit, don't pay, then it goes on your
  credit report
• Change the billing address for current accounts
  and run up debts until you notice
• Take out auto loans on your credit rating by
  posing as you
• Open a bank account posing as you then write bad
  checks
• File for bankruptcy in your name
• Identify themselves as you when being arrested
• Obtain IDs/ driver licenses in your name
• Open cell phone or utility bills posing as you,
  then not pay
• Change of address requests with USPS
• Pose as you during an arrest, dont show up for
  court, then a warrant is issued for you!

11
Information Security Awareness

• What does it take to steal someone's identity?
• Name
• Social Security Number
• D.O.B.
• CC Fraud acct , exp. Date, Billing Address
• Mothers maiden name
• Address
• Phone number

12
Information Security Awareness

• Fraud/Identity Theft
• How Can I Tell if I'm a Victim of Identity Theft?
• Monitor the balances of your financial accounts.
  Look for unexplained charges or withdrawals.
  Other indications of identity theft can be
• failing to receive bills or other mail signaling
  an address change by the identity thief
• receiving credit cards for which you did not
  apply
• denial of credit for no apparent reason or
• receiving calls from debt collectors or companies
  about merchandise or services you didn't buy.
• -(UWM Police Department)

13
Information Security Awareness

• Fraud/Identity Theft
• How can I detect it?
• Order a copy of your credit report regularly
• When you do your taxes?
• Credit bureaus
• Equifax, 800-525-6285
• Experion, 888-397-3742
• TransUnion, 800-680-7289.

14
Information Security Awareness

• Free credit reports available March 1
• Online
• Fair and Accurate Credit Transactions Act of
  2004.
• www.annualcreditreport.com gets you all 3
  reporting agencies
• (actually have to type the address in!)
• Stick with that site. There are many reporting
  companies, some with strings or costs attached
• By Phone
• 877-322-8228
• By Mail
• Fill out the form (linked below) and mail it to
• Annual Credit Report Request Service, PO Box
  105281, Atlanta, GA 30348-5281.
  www.ftc.gov/bcp/conline/edcams/credit/docs/fact_ac
  t_request_form.pdf.

15
Information Security Awareness

• Fraud/Identity Theft
• How can I prevent it?-other tips
• Shred everything with you information on it that
  you dont need
• Place passwords on bank and credit cards
• Store card information separately
• Dont write pin s anywhere
• Dont provide personal info unless you initiated
  the contact
• Secure personal information in your home

16
Information Security Awareness

• What can I do if I think its already happened to
  me?
• Contact the fraud departments of any one of the
  three credit bureaus or the clearinghouse
  mentioned earlier to place a fraud alert on your
  credit file.
• Close the accounts that you know or believe have
  been tampered with or opened fraudulently.
• File a police report. Get a copy of the report to
  submit to your creditors and others that may
  require proof of the crime.
• File a complaint with the FTC using the ID Theft
  Affadvit. The FTC maintains a database of
  identity theft cases used by law enforcement
  agencies for investigations.

17
Information Security Awareness

• What can I do if I think its already happened to
  me?
• Keep a running record of everything
• Get it in writing!

18
Information Security Awareness

• Resources
• UWM Police Department
• http//www.uwm.edu/Dept/police/identity.html
• Federal Trade Commission
• http//www.ftc.gov

19
Information Security Awareness

• What are online businesses doing about this?
• Credit Card Chargebacks (uncollectible charges)
• U.S. federal law limits a consumers liability
  for unauthorized charges to 50, whether the
  purchase was made face-to-face or on the
  Internet. No such protective legislation exists
  for merchants, however, and they (businesses)
  bear the full cost of fraudulent charges as
  chargebacks from their banks.
• Merchants may also be asked to pay penalty fees
  in addition to the cost of the original charge.
  To reduce revenue losses due to credit card
  fraud, online businesses need to take steps to
  reduce the risk they take with every order
  received through their Web sites.
• http//www.score.org/eb_3.html

20
Information Security Awareness

• There are three ways to help reduce the risk of
  fraud
• Use an address verification system. It compares
  the address provided online with the cardholder's
  billing address.
• Use a negative database. Negative databases are
  filled with credit card numbers that are possible
  risks. (These databases can be updated online.)
• Use a credit card verification service. A service
  such as CyberSource can perform a host of checks
  for each transaction, such as verifying the
  Internet protocol (IP) address, real address,
  time of day, and other factors to create a
  profile and build a numeric confidence rating for
  the credit card.
• Store the information in an encrypted database on
  a secure server
• http//www.score.org/cgi/third_party.cgi?urlhttp
  3A//www.workz.com/
• Others
• Question orders from free email accounts
• Be wary of international orders
• Be wary of rush orders
• Be wary of peculiar shipping addresses
• verify shipping addresses by phone
  (reversedirectory.com)

21
Information Security Awareness

• What can I do to physically secure my
  information?
• Lock your workstation
• Dont leave stuff laying around
• Lock up when possible
• Surplus equipment properly
• Shred documents
• Rethink downloading Peoplesoft reports

22
Information Security Awareness

• What can I do to physically secure my
  information?
• Paper Shredders
• Enderis, Mel, EMS, Library, Engelman, Garland
• Steve Butzaff, Supt. of Buildings and Grounds
  (butzlaff_at_uwm.edu) (x5102)

23
Information Security Awareness

• Surplus Equipment
• Disposal
• EHS/RM Disposal Program
• http//www.uwm.edu/Dept/EHSRM/HAZEXCEPTIONS/escrap
  .html
• Cascading Equipment (giving to other staff)
• Use Autoclave or similar cleaner
• http//staff.washington.edu/jdlarios/autoclave/

24
Information Security Awareness

• Evaluating an online vendor
• Using ssl on website (lock icon)
• Customer service phone number
• Review the privacy policy
• Check Better Business Bureau
• Brick and Mortar address
• Do area codes ad zip codes match?
• Ask them where they are
• Privacy Policy?
• Pif vs npif
• What they do with it
• Google search!

25
Online Auction Fraud

• FBI receiving a lot of complaints on this
• Read rights/responsibilities carefully
• Research the seller
• Review the privacy policy
• Brick and Mortar address
• Do area codes ad zip codes match?
• Ask them where they are
• Privacy Policy?
• Pif vs npif
• What they do with it
• Google search!

26
Information Security Awareness

• Basic Computer Security Steps
• Virus Scan
• Be cautious with email attachments
• Use strong passwords
• Keep your PC and other software up to date
• Limit physical access to your computer
• Install a firewall
• Research new programs you are thinking of
  installing
• Know where to go for help
• Backup your files on a regular basis
• Dont immediately discount computer warning
  messages
• Available at http//security.uwm.edu

27
Information Security Awareness

• Resource List
• Virus Protection
• http//vil.mcafee.com
• http//www3.uwm.edu/security/virus/mcafee.cfm
• http//vil.mcafee.com/hoax.asp
• Hacker Thwarting
• http//www.cert.org/tech_tips/before_you_plug_in.h
  tmlIII
• http//www.microsoft.com/security/default.mspx
• Spyware
• http//spywarewarrior.com/
• http//www.safer-networking.org/en/index.html
• http//www.mozilla.org/
• Email Safety
• http//www3.uwm.edu/security/steps/step_2.cfm
• Identity Theft
• http//www.ftc.gov
• http//www.fraudwatchinternational.com/idtheft/idt
  heft.htm
• http//www.score.org/cgi/third_party.cgi?urlhttp
  3A//www.workz.com/