Computer Vulnerabilities & Criminal Activity: Identity Theft & Credit Card Fraud 6.1, March 1, 2010


Post on 06-Jan-2018


DESCRIPTION

Identity Theft and Assumption Deterrence Act, 18 U.S.C § 1028. Makes it a federal crime to: “knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law”

TRANSCRIPT

  • Computer Vulnerabilities & Criminal Activity: Identity Theft & Credit Card Fraud, 6.1, March 1, 2010

    *One major problem - US reliance on SSN for identity verification

    Victims paying less because of insurance from financial institutions means we all pay more

  • Definition of Identity Theft
    A person commits the crime of identity theft if, without the authorization, consent, or permission of the victim, and with the intent to defraud for his or her own benefit or the benefit of a third person, he or she does any of the following:
    1. Obtains, records, or accesses identifying information that would assist in accessing financial resources, obtaining identification documents, or obtaining benefits of the victim.
    2. Obtains goods or services through the use of identifying information of the victim.
    3. Obtains identification documents in the victim's name.
    Source: US Legal Definitions

  • Identity Theft and Assumption Deterrence Act, 18 U.S.C § 1028
    Makes it a federal crime to: “knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law”

  • Connecticut Criminal Law - Identity Theft: http://law.justia.com/connecticut/codes/title53a/sec53a-129a.html

  • Protected Information
    - Name
    - Date of birth
    - Social Security number
    - Driver's license number
    - Financial services account numbers, including checking and savings accounts
    - Credit or debit card numbers
    - Personal identification numbers (PIN)
    - Electronic identification codes
    - Automated or electronic signatures
    - Biometric data
    - Fingerprints
    - Passwords
    - Parent's legal surname prior to marriage

    *Protected Information may vary from state to state

  • States with Mandatory ID Theft Investigation
    - California
    - Louisiana
    - Minnesota

    *Most states have both criminal & civil laws regarding ID theft

  • Motivation for Identity Theft
    - Financial Desires
    - Greed
    - Strain Theory

  • Individuals Committing Identity Theft
    - Individuals
      - May have some relationship to the victim
      - Often have no prior criminal record
    - Illegal Immigrants
    - Methamphetamine Users
    - Career Criminals
    - Gangs
      - Hells Angels
      - MS-13
    - Foreign Organized Crime Groups
      - Asia
      - Eastern Europe

    *Meth users: main funding; high correlation between meth users & # of ID thefts

  • Victims of Identity Theft
    - Higher education / higher income
    - Age 22 - 59
    - Married
    - Basically, individuals most likely to have a good credit rating / credit history

  • Methods of Obtaining Identity Information
    - Dumpster Diving
    - Skimming
    - Phishing
    - Change of Address
    - Theft of Personal Property
    - Pretexting / Social Engineering

    *Low tech still most popular

    1. Dumpster Diving. They rummage through trash looking for bills or other paper with your personal information on it.
    2. Skimming. They steal credit/debit card numbers by using a special storage device when processing your card.
    3. Phishing. They pretend to be financial institutions or companies and send spam or pop-up messages to get you to reveal your personal information.
    4. Changing Your Address. They divert your billing statements to another location by completing a change of address form.
    5. Old-Fashioned Stealing. They steal wallets and purses; mail, including bank and credit card statements; pre-approved credit offers; and new checks or tax information. They steal personnel records, or bribe employees who have access.
    6. Pretexting. They use false pretenses to obtain your personal information from financial institutions, telephone companies, and other sources.

  • How the Internet is used for ID Theft
    - Hackers
      - Interception of transmissions - retailer to credit card processor
      - Firewall penetration - data search
      - Access to underlying applications
    - Social Engineering / Phishing / Pretexting
    - Malware / Spyware / Keystroke Loggers

    *Underlying applications - communications look like normal user communications - 75% of hackers
    Many coming from Russian Federation & Ukraine (RBN)
    Pretexting - pretend to be the customer & call business & get info

  • Crimes Following Identity Theft
    - Credit Card Fraud
    - Phone/Utility Fraud
    - Bank/Finance Fraud
    - Government Document Fraud
    - Employment Fraud
    - Medical Fraud
    - Misrepresentation during arrest

    *71% of fraud happens in 1st week

    Credit card fraud:
    - They may open new credit card accounts in your name. When they use the cards and don't pay the bills, the delinquent accounts appear on your credit report.
    - They may change the billing address on your credit card so that you no longer receive bills, and then run up charges on your account. Because your bills are now sent to a different address, it may be some time before you realize there's a problem.

    Phone or utilities fraud:
    - They may open a new phone or wireless account in your name, or run up charges on your existing account.
    - They may use your name to get utility services like electricity, heating, or cable TV.

    Bank/finance fraud:
    - They may create counterfeit checks using your name or account number.
    - They may open a bank account in your name and write bad checks.
    - They may clone your ATM or debit card and make electronic withdrawals in your name, draining your accounts.
    - They may take out a loan in your name.

    Government documents fraud:
    - They may get a driver's license or official ID card issued in your name but with their picture.
    - They may use your name and Social Security number to get government benefits.
    - They may file a fraudulent tax return using your information.

    Other fraud:
    - They may get a job using your Social Security number.
    - They may rent a house or get medical services using your name.
    - They may give your personal information to police during an arrest. If they don't show up for their court date, a warrant for arrest is issued in your name.

  • Problem with Identity Theft Investigation
    - Lapse of time between crime and the time the crime is reported
    - Monetary amount
    - Jurisdiction
    - Anonymity

    *Also, monetary amount may be too low $5,000
    Jurisdiction

  • Identity Theft Investigation
    - http://www.ftc.gov/bcp/edu/microsites/idtheft/law-enforcement/investigations.html
    - Identity Theft Data Clearing House
    - Identity Theft Transaction Records
      - Subpoena or victim's permission
    - Request for documents
      - Must be in writing
      - Authorized by the victim
      - Be sent to the address specified by the business
      - Allow the business 30 days to respond

  • Credit Card Fraud
    Wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction.
    Source: Wikipedia

    *$3.8 Billion in 2003

  • Carding
    The unauthorized use of credit and debit card account information to fraudulently purchase goods and services.
    Source: DATA BREACHES: WHAT THE UNDERGROUND WORLD OF CARDING REVEALS - US DOJ

  • Carding Terminology
    - Dumps - information electronically copied from the magnetic stripe on the back of credit and debit cards.
      - Track 1 is alpha-numeric and contains the customer's name and account number
      - Track 2 is numeric and contains the account number, expiration date, the secure code (known as the CVV), and discretionary institution data.
    - PIN - Personal Information Number
    - BIN - Bank Information Number

  • Carding Terminology cont.
    - Full Info or Fulls - a package of data about a victim, including for example address, phone number, social security number, credit or debit account numbers and PINs, credit history report, mother's maiden name, and other personal identifying information

  • How Credit Card Information Is Obtained Online
    - In bulk from hackers who have compromised large databases: http://www.privacyrights.org/ar/ChronDataBreaches.htm
    - Phishing
    - Malware

  • Types of Carding
    - Carding Online
      - Using stolen credit cards to purchase goods & services online
      - Carding to a drop - having goods sent to another physical address
      - Cobs - changing billing address with credit card company

  • Types of Carding cont.
    - In-Store Carding
      - Presenting a counterfeit credit card that had been encoded with stolen account information to a cashier at a physical retail store location
      - More risky
      - Higher level of sophistication

  • Types of Carding cont.
    - Cashing
      - The act of obtaining money, rather than retail goods and services, with the unauthorized use of stolen financial information
      - Pin Cashing - Using dump information to encode a stripe on a card to use at ATMs

  • Types of Carding cont.
    - Gift Card Vending
      - Purchasing gift cards from retail merchants at their physical stores using counterfeit credit cards and reselling such cards for a percentage of their actual value
      - Sales may be online or face-to-face

  • Carding Forums Online
    - Tutorials on different types of carding-related activities
    - Private and public message posting enabling members to buy and sell blocks of stolen account information and other goods and services
    - Hyperlinks for hacking tools and downloadable computer code to assist in network intrusions
    - Other exploits such as source code for phishing webpages
    - Lists of proxies
    - Areas designated for naming and banning individuals who steal from other members

  • Carding Websites (all disabled)
    - www.shadowcrew.com
    - www.carderplanet.com
    - www.CCpowerForums.com
    - www.theftservices.com
    - www.cardersmarket.com

  • Sample Carding Web Sites
