Identity Theft: CPEs for CPAs Program, Georgia Perimeter College, December 9, 2005
TRANSCRIPT
Identity Theft
What is it?
Who commits it?
How does it happen?
What are the possible consequences?
How can I prevent it?
What must I do if it happens to me?
What Is Identity Theft?
n : the co-option of another person's personal information (e.g., name, social security number, credit card number, passport) without that person's knowledge and the fraudulent use of such knowledge
-- dictionary.com
Federal Identity Theft and Assumption Deterrence Act
18 U.S.C. § 1028(a)(7)
Federal law passed in 1998
Prohibits “knowingly transfer[ring] or us[ing], without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.”
Other Related Federal Statutes
18 U.S.C. § 1028 – identification fraud
18 U.S.C. § 1029 – credit card fraud
18 U.S.C. § 1030 – computer fraud
18 U.S.C. § 1341 – mail fraud
18 U.S.C. § 1343 – wire fraud
18 U.S.C. § 1344 – financial institution fraud
Georgia Statute §16-9-121. Identity Fraud Law
“A person commits the offense of identity fraud when without the authorization or permission of a person with the intent unlawfully to appropriate resources of or cause physical harm to that person, or of any other person, to his or her own use or to the use of a third party he or she: (1) Obtains or records identifying information of a person which would assist in accessing the resources of the other person; or (2) Accesses or attempts to access the resources of the other person through the use of identifying information.”
Identifying Information
Names (current or former)
Social Security numbers
Driver’s license numbers
Bank account/credit card numbers
Birth dates
Tax identification numbers
Medical identifications
Many other data items
Statistics
Source: Federal Trade Commission Identity Theft Data Clearinghouse report
Over 635,000 consumer identity theft & fraud complaints received in 2004
61% classified as fraud, 39% identity theft.
Up 50% since 2002.
Reported losses of over $547 million.
27,300,000 million victims in past 5 years
Statistics (cont.)
Rank ID Fraud Type No. of Victims Percentage
1 Credit Card Fraud 2,068 28%
2 Bank Fraud 1,609 22%
3 Phone or Utilities Fraud 1,317 18%
4 Government Documents or Benefits Fraud 754 10%
5 Employment-Related Fraud 556 7%
6 Loan Fraud 444 6%
Other 1,723 23%
Attempted Identity Fraud 472 6%
Statistics (cont.)
Source: GA Stop ID Theft Network
2,592 victims reported in Georgia in 2001
Seventh-highest in nation
Atlanta was 11th among major cities for reported identity theft in 2004 according to FTC
Statistics (cont.)
Source: ChoicePoint Data Disclosures Report, 2005
As of Nov. 15, 125 data disclosure incidents this year
57 million people potentially affected
Note:
Actual number of identity theft cases is surely higher
Many other identity theft cases may be reported as other forms of crime
Statistics (cont.)
Losses to banks and financial institutions
Estimated $48 billion in 2003
Average loss per business victim
$10,200
Average loss to individual victims
$1,180
175 or more hours resolving problems over two or more years
Who Commits Identity Theft?
Professional thieves
Strangers
Employees of businesses
Family members and relatives
Friends/acquaintances
Who Commits Identity Theft?
An estimated nine percent of ID theft cases involve family
Another ten percent of ID theft cases involve someone with another form of personal relationship (friend/acquaintance, co-worker, etc.)
Who Commits Identity Theft?
Phillip Cummings
Employee of a New York technology company
Illegally downloaded thousands of credit reports and sold information overseas
Over 30,000 people victimized
Federal Bureau of Investigation website
Who Becomes a Victim of Identity Theft?
Michelle Brown
Identity stolen by a receptionist from a rental application
The Michelle Brown Story, Lifetime Channel
Who Becomes a Victim of Identity Theft?
Abigail Kelly
Identity stolen by her sister
Lost her job as a result of arrest warrant for unpaid bills
Obtained civil judgement against sister
60 Minutes story, September 12, 2004
Who Becomes a Victim of Identity Theft?
Bryonn Bain
Harvard Law School graduate, poet, adjunct professor at NYU
Arrested in NYC in 1999 for a crime that he and friends witnessed someone else commit
Charges were dismissed five months later after four court appearances
http://www.villagevoice.com/issues/0017/bain.php
Who Becomes a Victim of Identity Theft?
Bryonn Bain (cont.)
Identity stolen at least seven times after initial arrest
Arrested on three outstanding warrants in November, 2002
Released only after court appearance where assistant DA recognized him as a law school classmate
http://www.villagevoice.com/issues/0339/bain.php
How Does Identity Theft Occur?
Many non-technological methods
“Dumpster diving”
Dishonest employees
Mail theft/interception
Masquerading and “Social hacking”
“Shoulder surfers”
Telemarketing scams
How Does Identity Theft Occur? (cont.)
Technological methods
Wireless communication interception
Cell phones
Wireless networks
Camera phones
Software
Viruses/Hijacking
Spyware
How Does Identity Theft Occur? (cont.)
More technological methods
Credit card “skimming”
Spy cameras in ATMs
“Phishing” and “Pharming”
Example of “Phishing”
Email received 12/7/2004
Supposedly from Suntrust Bank
Indicates possible fraudulent use of my account
Example of “Phishing” (cont.)
<IMG height=43 alt="" hspace=0 src="http://www.suntrust.com/images/Common/release3/logo_home.gif" width=127 border=0><BR>
<IMG height=5 alt="" hspace=0 src="http://www.suntrust.com/images/Common/release3/common_header_yellowspan.gif" width=836 border=0>
<table cellSpacing="0" cellPadding="0" <p>Please click the link below to reactivate your account: </p> <p align="left">
<a href="http://64.49.197.9/update/">
https://www.suntrust.com/internetBanking/RequestRouter?requestCmdId=Reactivate </a>
</p>
<p align="left">Sincerely, <br>
SunTrust Security Department
Financial Consequences
Direct monetary losses
Often least of victim’s problems
Usually limited if fraud reported in timely fashion
Financial Consequences
Credit cards
No liability if reported before misuse
$50 per credit card if reported after misuse
Financial Consequences
ATM/Debit cards
No liability if reported before misuse
$50 per card if reported within two business days
$500 per card if reported within 60 days of statement showing unauthorized transaction
Financial Consequences
Checks
Bank is liable for losses from forged checks, IF you notify them in timely manner
Financial Consequences (cont.)
Indirect monetary losses
Lost time/wages
Costs of photocopying/mailing
Attorney’s fees
Credit
Denial of credit based on erroneous information
Increased rates for loans/mortgages
Criminal Consequences
Approximately 15% of victims obtain a criminal record due to identity theft
Almost impossible to completely remove criminal record once it is in law enforcement databases
How Can I Prevent It?
Total prevention is impossible!
Minimize risks as much as possible
Protect four primary areas
Information
Property
Documents
Technology
Protect Your Information
Do not give out information unnecessarily!
Ask why a piece of information is needed
You can refuse to give information, but you may not receive the service in return
Do not use your Social Security number as an identification number
Needed by IRS, SSA
Protect Your Information (cont.)
Make sure you know who is requesting the information
Are they legitimate?
Do not give out personal information unless you initiate the call/email
Protect Your Information (cont.)
Be especially cautious with
Social Security number
Passport number
Bank/credit account numbers
These are the most dangerous items in the wrong hands
Protect Your Information (cont.)
Check your credit reports regularly
Federal law allows you one free copy of each bureau’s credit report annually
See http://www.annualcreditreport.com/ for information
Georgia law allows you TWO free copies of each credit report annually
Must contact each credit bureau separately
Protecting Your Information (cont.)
Optimal method for checking credit reports
Per Clark Howard’s suggestion
Every four months, request one credit report
Protect Your Information (cont.)
Why check all three credit reports?
Not all creditors report to all credit reporting agencies
Information on one report may be inaccurate even if it is correct on the other reports
Incorrect information must be cleared up on each report separately
Protect Your Information (cont.)
Should you use a credit monitoring service?
In most cases, no
Exception is if you are already a victim of identity fraud
Note: credit bureaus will try to sell you credit monitoring when you request free reports. Be aware!
Protect Your Information (cont.)
Run a public records search annually
Available free from ChoicePoint
Allows you to check publicly available data about yourself for accuracy
Can provide clues that identity fraud has occurred
Protect Your Information (cont.)
Guard PINs and other identifiers from spying
Consider using electronic bill delivery/bill paying services
Removes possibility of mail theft
Allows earlier detection of unauthorized activity
Encourages more careful monitoring of financial activity
Protect Your Information (cont.)
Keep a record of all bank/credit account numbers along with phone numbers
Keep a photocopy of your wallet contents and passport in a safe place
Protect Your Information (cont.)
Opt out of sharing personal information
Pre-screened credit offers
Call 1-888-5-OPTOUT
Credit Bureau marketing lists
Write each credit bureau
Telemarketing offers
http://www.donotcall.gov/
Registration good for five years
Protect Your Information (cont.)
More opt-out options
Direct mail marketing
http://www.the-dma.org/consumers/offmailinglist.htm
Registration good for five years
Email marketing
http://www.dmaconsumers.org/offemaillist.html
Registration good for one year
Protect Your Information (cont.)
Omit personal identifying information from resumes and job applications
You will eventually have to provide this if hired
Should not be needed until late in hiring process
If demanded early, do you really want to work there?
Special Considerations for Mail
Use a locked mailbox, or pick up mail promptly
Place all outgoing mail in secured mailbox
Keep track of billing cycles
Make sure all expected mail is actually received
Protect Your Property (cont.)
Carry only necessary items in purse/wallet
Minimize number of credit cards
Do not routinely carry Social Security card, passport or birth certificate
Only carry if you need it that day
Protect Your Property (cont.)
Do not carry checkbook unless absolutely necessary
Includes deposit slips and carbons as well
Documents contain bank routing information
With this, thieves can easily completely loot your bank account
Protect Your Documents
Store identifying documents in a safe, locked place
Home: locked cabinet
Especially important if you do not trust other occupants or have outsiders in the home
Protect Your Documents
Business: locked filing cabinet with limited key access
Critical because of business liability
Georgia law – up to $10,000 fine PLUS unlimited civil liability
Protect Your Documents (cont.)
Shred personal documents before throwing away
Credit card statements/receipts
“Courtesy” checks
Credit offers
Old cancelled checks
Expired credit cards
Any document with identifying information
Protect Your Documents (cont.)
Shred business documents before throwing away
Client/customer information
Outdated files
Any document with identifying information
Protect Your Technology
Technology protection is a complex issue!
Mixture of safeguards required to handle different types of problems
Protect Your Technology (cont.)
Physical security
Control access to computers
Minimize storage of sensitive data on laptop computers
Protect Your Technology (cont.)
Keep safeguards up to date
Operating system updates
Security program updates
New types of attacks arise weekly
Schedule automatic updates and use them
Personal Electronics
Password protection is a minimum level
Inconvenience of entering password outweighed by security
Set up a password on PDAs
Entry required when powered on
Personal Electronics (cont.)
Set up login password on ALL computers
Do not allow “guest” accounts on computers
With Windows, accounts can be bypassed
Never allow automatic login
Personal Electronics (cont.)
If possible, set up BIOS password on laptops
Cannot start up laptop without entering password
Caution: if you forget this password, NO ONE can get into your computer
Password Choices
Choose passwords that
Are combinations of letters, numbers, and symbols
Do not contain any identifying data
Birth dates
Family members’ names/variations
Are at least eight to ten characters long
Password Security
Do not write down passwords or PINs
Especially don’t keep written passwords or PINs with the item using them!
Do NOT give ANYONE your password or PIN
Changing Passwords
Do not use the same password for everything
Change your passwords regularly
However, it’s better to use a “good” password badly than to use “bad” passwords well
Data Files
Do not make sensitive files accessible through network
Disable file sharing
If files must be shared, password-protect them
Data Files (cont.)
Simply deleting a file is not enough!
Files remain in the Recycle/Trash bin after deletion
Recovery from here is simple
Must either specifically delete files from Recycle Bin or empty Recycle Bin
Additional Protection for Companies
Authenticate all access to sensitive electronic data
Require ID and password for access
Disable network access of terminated employees IMMEDIATELY
Additional Protection for Companies (cont.)
Limit physical and logical access to company databases
Create, implement, and enforce a specific data access policy
“Need to know” basis for data access
Discarding Computer Equipment
Computer hard drives
Data can be recovered even after formatting
Only safe way to ensure removal is to use a data wiping utility
Darik’s Boot and Nuke claims to wipe drives to DOD standards
http://dban.sourceforge.net/
Discarding Data Disks
Removable data disks can be recovered and read
Physically destroy disks before discarding
Shred if possible
CDs can be microwaved for no more than three seconds to destroy data
World Wide Web Security
Make sure the web site you are using is the one you think you are using
Don’t click on links in emails unless you can be sure you are going to that site
Manually type in URL into your browser
If the URL indicates a numeric address instead of a domain name, BEWARE
World Wide Web Security (cont.)
Make sure you are using Secure Socket technology if sending personal information to a trusted web site
Indicated by
Lock icon at bottom of browser window
https:// prefix on site URL (not http://)
I’m a Victim – What Do I Do Now?
Some measures apply to all cases
Others only for certain situations
Record-keeping
Send all correspondence
Certified mail
Return receipt requested
Keep EXCELLENT documentation
Log all phone contacts
Company name, contact name, date, time
Keep copies of all correspondence you send
File ANYTHING you receive that MAY relate to the situation
File a Police Report
Contact local law enforcement
Georgia law requires that
Law enforcement must take report
Report must be forwarded to Governor’s Office of Consumer Affairs
Consumer Affairs will forward to Georgia Crime Information Center
File a Police Report (cont.)
Get copies of the law enforcement report
Keep for your records
Send copies to creditors when reporting fraudulent activity
Notify Credit Bureaus
All three credit bureaus should be alerted
Equifax – http://www.equifax.com/
Experian – http://www.experian.com
TransUnion – http://www.transunion.com
Notify Credit Bureaus
Call first, follow up in writing
Certified mail, return receipt
Request fraud alerts on your files
Normal duration of fraud alert is 90 – 180 days
Request, in writing, extension for seven years
Notify Creditors
Call first, follow up in writing
Notify ALL creditors
Banks
Credit card companies
Other lenders
Phone companies
Utilities
ISPs and other service providers
Notify Creditors
Existing creditors
Report fraudulent activity immediately
Cancel existing account
Request replacement cards with new account numbers
Notify Creditors
Fraudulently obtained accounts
Take action as soon as you discover existence of account
State that you never requested account
Provide with copy of police report and fraud affidavit
Request that account be closed
Get confirmation in writing
Get Credit Reports
Should be automatically sent at no charge when fraud alert is filed
Review carefully for inaccurate information
Remember that some inaccurate information may predate the crime
Dispute all inaccurate information in writing
Report the Crime
Federal Trade Commission
http://www.consumer.gov/
Fill out FTC’s ID Theft Affidavit
Many companies will accept as documentation
Others insist on their own paperwork
Report the Crime
U.S. State Department (passport agency)
Notify whether or not you have a passport
http://www.state.gov/
Social Security Administration
If Social Security number is compromised
http://www.ssa.gov/
Report the Crime (cont.)
U.S. Postal Inspection Service/local Post Office
If mail fraud or change of address is involved
http://www.usps.com/postalinspectors/welcome2.htm
Also consider renting a locked post office box
Report the Crime (cont.)
Department of Motor Vehicles
If a motor vehicle is involved
http://www.dmvs.ga.gov/
Internal Revenue Service/Georgia Department of Revenue
If fraudulent tax returns are involved
http://www.irs.gov/
http://www2.state.ga.us/departments/DOR/
Special Steps
Bank accounts
If checks are stolen or misused, contact ALL check approval agencies
CheckRite: (800) 766-2748
Chexsystems: (800) 428-9623
CheckCenter/CrossCheck: (800) 843-0760
Certigy/Equifax: (800) 437-5120
International Check Services: (800) 526-5380
SCAN: (800) 262-7771
TeleCheck: (800) 710-9898
When Criminal Activity is Involved
In addition to the above, you MUST take additional steps
Failure to do this could result in
Arrest
Jail time
Significant expense to repeatedly clear your record
When Criminal Activity is Involved (cont.)
Have local law enforcement confirm your identity
Fingerprints
Photograph
Copies of identifying information
Have them send information to other jurisdictions involved as well
When Criminal Activity is Involved (cont.)
Request a “key name switch” in databases
Entry should be under impostor’s actual name
If not known, as “John/Jane Doe”
Make sure your name is listed as an alias, not as real name
Include local, state, federal databases
When Criminal Activity is Involved (cont.)
Obtain a clearance document
Called by different names:
Clearance letter – Mis ID
Certificate of release
Make multiple copies of this document
Carry a copy with you at ALL times
Make sure a trusted friend/family member has a copy
When Criminal Activity is Involved (cont.)
If all else fails, hire a criminal defense attorney with experience in this area
If the perpetrator is caught, you can ask for this (and other) expenses as restitution
Long-Term Damage Control
Do NOT pay any fraudulent charges/bills/checks
Use Fair Credit Reporting Act provisions to your advantage
Continue to get credit reports regularly (at least every six months)
Carefully monitor all financial activity
Long-Term Damage Control (cont.)
Carefully monitor mail
Do NOT change your Social Security number
Causes many more problems than it solves
Resources -- Federal Agencies
Federal Trade Commission http://www.consumer.gov/idtheft/
Department of Justice http://www.usdoj.gov/criminal/fraud/idtheft.html
Social Security Administration http://www.ssa.gov/pubs/idtheft.htm
U.S. Postal Inspection Service http://www.usps.com/postalinspectors/welcome2.htm
Resources -- Nonprofit Organizations
Better Business Bureau http://www.bbbonline.org/IDTheft/
Identity Theft Resource Center http://www.idtheftcenter.org/index.shtml
Privacy Rights Clearinghouse http://www.privacyrights.org/identity.htm
Acknowledgements
Andrew Sledge, Desktop Technician, OIT, Georgia Perimeter College
Spyware and computer security information
Hunter Eidson, System Administrator, Georgia Perimeter College
Computer security information