Identity Theft CPEs for CPAs Program Georgia Perimeter College December 9, 2005


Identity Theft

CPEs for CPAs Program

Georgia Perimeter College

December 9, 2005

Could You Be at Risk?

Identity Theft

What is it?

Who commits it?

How does it happen?

What are the possible consequences?

How can I prevent it?

What must I do if it happens to me?

What Is Identity Theft?

n : the co-option of another person's personal information (e.g., name, social security number, credit card number, passport) without that person's knowledge and the fraudulent use of such knowledge

-- dictionary.com

Federal Identity Theft and Assumption Deterrence Act

18 U.S.C. § 1028(a)(7)

Federal law passed in 1998

Prohibits “knowingly transfer[ring] or us[ing], without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.”

Other Related Federal Statutes

18 U.S.C. § 1028 – identification fraud

18 U.S.C. § 1029 – credit card fraud

18 U.S.C. § 1030 – computer fraud

18 U.S.C. § 1341 – mail fraud

18 U.S.C. § 1343 – wire fraud

18 U.S.C. § 1344 – financial institution fraud

Georgia Statute §16-9-121. Identity Fraud Law

“A person commits the offense of identity fraud when without the authorization or permission of a person with the intent unlawfully to appropriate resources of or cause physical harm to that person, or of any other person, to his or her own use or to the use of a third party he or she: (1) Obtains or records identifying information of a person which would assist in accessing the resources of the other person; or (2) Accesses or attempts to access the resources of the other person through the use of identifying information.”

Identifying Information

Names (current or former)

Social Security numbers

Driver’s license numbers

Bank account/credit card numbers

Birth dates

Tax identification numbers

Medical identifications

Many other data items

Statistics

Source: Federal Trade Commission Identity Theft Data Clearinghouse report

Over 635,000 consumer identity theft & fraud complaints received in 2004

61% classified as fraud, 39% identity theft.

Up 50% since 2002.

Reported losses of over $547 million.

27,300,000 million victims in past 5 years

Statistics (cont.)

Rank ID Fraud Type No. of Victims Percentage

1 Credit Card Fraud 2,068 28%

2 Bank Fraud 1,609 22%

3 Phone or Utilities Fraud 1,317 18%

4 Government Documents or Benefits Fraud 754 10%

5 Employment-Related Fraud 556 7%

6 Loan Fraud 444 6%

Other 1,723 23%

Attempted Identity Fraud 472 6%

Statistics (cont.)

Source: GA Stop ID Theft Network

2,592 victims reported in Georgia in 2001

Seventh-highest in nation

Atlanta was 11th among major cities for reported identity theft in 2004 according to FTC

Statistics (cont.)

Source: ChoicePoint Data Disclosures Report, 2005

As of Nov. 15, 125 data disclosure incidents this year

57 million people potentially affected

Note:

Actual number of identity theft cases is surely higher

Many other identity theft cases may be reported as other forms of crime

Statistics (cont.)

Losses to banks and financial institutions

Estimated $48 billion in 2003

Average loss per business victim

$10,200

Average loss to individual victims

$1,180

175 or more hours resolving problems over two or more years

Who Commits Identity Theft?

Professional thieves

Strangers

Employees of businesses

Family members and relatives

Friends/acquaintances

Who Commits Identity Theft?

An estimated nine percent of ID theft cases involve family

Another ten percent of ID theft cases involve someone with another form of personal relationship (friend/acquaintance, co-worker, etc.)

Who Commits Identity Theft?

Phillip Cummings

Employee of a New York technology company

Illegally downloaded thousands of credit reports and sold information overseas

Over 30,000 people victimized

Federal Bureau of Investigation website

Who Becomes a Victim of Identity Theft?

Michelle Brown

Identity stolen by a receptionist from a rental application

The Michelle Brown Story, Lifetime Channel

Who Becomes a Victim of Identity Theft?

Abigail Kelly

Identity stolen by her sister

Lost her job as a result of arrest warrant for unpaid bills

Obtained civil judgement against sister

60 Minutes story, September 12, 2004

Who Becomes a Victim of Identity Theft?

Bryonn Bain

Harvard Law School graduate, poet, adjunct professor at NYU

Arrested in NYC in 1999 for a crime that he and friends witnessed someone else commit

Charges were dismissed five months later after four court appearances

http://www.villagevoice.com/issues/0017/bain.php

Who Becomes a Victim of Identity Theft?

Bryonn Bain (cont.)

Identity stolen at least seven times after initial arrest

Arrested on three outstanding warrants in November, 2002

Released only after court appearance where assistant DA recognized him as a law school classmate

http://www.villagevoice.com/issues/0339/bain.php

How Does Identity Theft Occur?

Many non-technological methods

“Dumpster diving”

Dishonest employees

Mail theft/interception

Masquerading and “Social hacking”

“Shoulder surfers”

Telemarketing scams

How Does Identity Theft Occur? (cont.)

Technological methods

Wireless communication interception

Cell phones

Wireless networks

Camera phones

Software

Viruses/Hijacking

Spyware

How Does Identity Theft Occur? (cont.)

More technological methods

Credit card “skimming”

Spy cameras in ATMs

“Phishing” and “Pharming”

Example of “Phishing”

Email received 12/7/2004

Supposedly from Suntrust Bank

Indicates possible fraudulent use of my account

Example of “Phishing” (cont.)

<IMG height=43 alt="" hspace=0 src="http://www.suntrust.com/images/Common/release3/logo_home.gif" width=127 border=0><BR>

<IMG height=5 alt="" hspace=0 src="http://www.suntrust.com/images/Common/release3/common_header_yellowspan.gif" width=836 border=0>

<table cellSpacing="0" cellPadding="0" <p>Please click the link below to reactivate your account: </p> <p align="left">

<a href="http://64.49.197.9/update/">

https://www.suntrust.com/internetBanking/RequestRouter?requestCmdId=Reactivate </a>

</p>

<p align="left">Sincerely, <br>

SunTrust Security Department

Potential Consequences to Victims

Financial

Civil

Criminal

Financial Consequences

Direct monetary losses

Often least of victim’s problems

Usually limited if fraud reported in timely fashion

Financial Consequences

Credit cards

No liability if reported before misuse

$50 per credit card if reported after misuse

Financial Consequences

ATM/Debit cards

No liability if reported before misuse

$50 per card if reported within two business days

$500 per card if reported within 60 days of statement showing unauthorized transaction

Financial Consequences

Checks

Bank is liable for losses from forged checks, IF you notify them in timely manner

Financial Consequences (cont.)

Indirect monetary losses

Lost time/wages

Costs of photocopying/mailing

Attorney’s fees

Credit

Denial of credit based on erroneous information

Increased rates for loans/mortgages

Civil Consequences

Lawsuits

Loss of current job

Failure to be hired for new job

Criminal Consequences

Approximately 15% of victims obtain a criminal record due to identity theft

Almost impossible to completely remove criminal record once it is in law enforcement databases

How Can I Prevent It?

Total prevention is impossible!

Minimize risks as much as possible

Protect four primary areas

Information

Property

Documents

Technology

Protect Your Information

Do not give out information unnecessarily!

Ask why a piece of information is needed

You can refuse to give information, but you may not receive the service in return

Do not use your Social Security number as an identification number

Needed by IRS, SSA

Protect Your Information (cont.)

Make sure you know who is requesting the information

Are they legitimate?

Do not give out personal information unless you initiate the call/email

Protect Your Information (cont.)

Do not give out personal information over a cell phone

Protect Your Information (cont.)

Be especially cautious with

Social Security number

Passport number

Bank/credit account numbers

These are the most dangerous items in the wrong hands

Protect Your Information (cont.)

Check your credit reports regularly

Federal law allows you one free copy of each bureau’s credit report annually

See http://www.annualcreditreport.com/ for information

Georgia law allows you TWO free copies of each credit report annually

Must contact each credit bureau separately

Protecting Your Information (cont.)

Optimal method for checking credit reports

Per Clark Howard’s suggestion

Every four months, request one credit report

Protect Your Information (cont.)

Why check all three credit reports?

Not all creditors report to all credit reporting agencies

Information on one report may be inaccurate even if it is correct on the other reports

Incorrect information must be cleared up on each report separately

Protect Your Information (cont.)

Should you use a credit monitoring service?

In most cases, no

Exception is if you are already a victim of identity fraud

Note: credit bureaus will try to sell you credit monitoring when you request free reports. Be aware!

Protect Your Information (cont.)

Run a public records search annually

Available free from ChoicePoint

Allows you to check publicly available data about yourself for accuracy

Can provide clues that identity fraud has occurred

Protect Your Information (cont.)

Guard PINs and other identifiers from spying

Consider using electronic bill delivery/bill paying services

Removes possibility of mail theft

Allows earlier detection of unauthorized activity

Encourages more careful monitoring of financial activity

Protect Your Information (cont.)

Keep a record of all bank/credit account numbers along with phone numbers

Keep a photocopy of your wallet contents and passport in a safe place

Protect Your Information (cont.)

Opt out of sharing personal information

Pre-screened credit offers

Call 1-888-5-OPTOUT

Credit Bureau marketing lists

Write each credit bureau

Telemarketing offers

http://www.donotcall.gov/

Registration good for five years

Protect Your Information (cont.)

More opt-out options

Direct mail marketing

http://www.the-dma.org/consumers/offmailinglist.htm

Registration good for five years

Email marketing

http://www.dmaconsumers.org/offemaillist.html

Registration good for one year

Protect Your Information (cont.)

Omit personal identifying information from resumes and job applications

You will eventually have to provide this if hired

Should not be needed until late in hiring process

If demanded early, do you really want to work there?

Protect Your Property

Keep property secured at all times

Purses/briefcases/wallets

Electronics

Special Considerations for Mail

Use a locked mailbox, or pick up mail promptly

Place all outgoing mail in secured mailbox

Keep track of billing cycles

Make sure all expected mail is actually received

Protect Your Property (cont.)

Carry only necessary items in purse/wallet

Minimize number of credit cards

Do not routinely carry Social Security card, passport or birth certificate

Only carry if you need it that day

Protect Your Property (cont.)

Do not carry checkbook unless absolutely necessary

Includes deposit slips and carbons as well

Documents contain bank routing information

With this, thieves can easily completely loot your bank account

Protect Your Documents

Store identifying documents in a safe, locked place

Home: locked cabinet

Especially important if you do not trust other occupants or have outsiders in the home

Protect Your Documents

Business: locked filing cabinet with limited key access

Critical because of business liability

Georgia law – up to $10,000 fine PLUS unlimited civil liability

Protect Your Documents (cont.)

Shred personal documents before throwing away

Credit card statements/receipts

“Courtesy” checks

Credit offers

Old cancelled checks

Expired credit cards

Any document with identifying information

Protect Your Documents (cont.)

Shred business documents before throwing away

Client/customer information

Outdated files

Any document with identifying information

Protect Your Technology

Technology protection is a complex issue!

Mixture of safeguards required to handle different types of problems

Protect Your Technology (cont.)

Physical security

Control access to computers

Minimize storage of sensitive data on laptop computers

Protect Your Technology (cont.)

Keep safeguards up to date

Operating system updates

Security program updates

New types of attacks arise weekly

Schedule automatic updates and use them

Personal Electronics

Password protection is a minimum level

Inconvenience of entering password outweighed by security

Set up a password on PDAs

Entry required when powered on

Personal Electronics (cont.)

Set up login password on ALL computers

Do not allow “guest” accounts on computers

With Windows, accounts can be bypassed

Never allow automatic login

Personal Electronics (cont.)

If possible, set up BIOS password on laptops

Cannot start up laptop without entering password

Caution: if you forget this password, NO ONE can get into your computer

Password Choices

Choose passwords that are

Combinations of letters, numbers, and symbols

Do not contain any identifying data

Birth dates

Family members’ names/variations

Are at least eight to ten characters long

Password Security

Do not write down passwords or PINs

Especially don’t keep written passwords or PINs with the item using them!

Do NOT give ANYONE your password or PIN

Changing Passwords

Do not use the same password for everything

Change your passwords regularly

However, it’s better to use a “good” password badly than to use “bad” passwords well

Data Files

Do not make sensitive files accessible through network

Disable file sharing

If files must be shared, password-protect them

Data Files (cont.)

Simply deleting a file is not enough!

Files remain in the Recycle/Trash bin after deletion

Recovery from here is simple

Must either specifically delete files from Recycle Bin or empty Recycle Bin

Additional Protection for Companies

Authenticate all access to sensitive electronic data

Require ID and password for access

Disable network access of terminated employees IMMEDIATELY

Additional Protection for Companies (cont.)

Limit physical and logical access to company databases

Create, implement, and enforce a specific data access policy

“need to know” basis for data access

Discarding Computer Equipment

Computer hard drives

Data can be recovered even after formatting

Only safe way to ensure removal is to use a data wiping utility

Darik’s Boot and Nuke claims to wipe drives to DOD standards

http://dban.sourceforge.net/

Discarding Data Disks

Removable data disks can be recovered and read

Physically destroy disks before discarding

Shred if possible

CDs can be microwaved for no more than three seconds to destroy data

World Wide Web Security

Make sure the web site you are using is the one you think you are using

Don’t click on links in emails unless you can be sure you are going to that site

Manually type in URL into your browser

If the URL indicates a numeric address instead of a domain name, BEWARE

World Wide Web Security (cont.)

Make sure you are using Secure Socket technology if sending personal information to a trusted web site

Indicated by

Lock icon at bottom of browser window

https:// prefix on site URL (not http://)

I’m a Victim – What Do I Do Now?

Some measures apply to all cases

Others only for certain situations

Record-keeping

Send all correspondence

Certified mail

Return receipt requested

Keep EXCELLENT documentation

Log all phone contacts

Company name, contact name, date, time

Keep copies of all correspondence you send

File ANYTHING you receive that MAY relate to the situation

For All Cases

Immediate steps

Within 30 days

Long-term steps

Over next several months/years

File a Police Report

Contact local law enforcement

Georgia law requires that

Law enforcement must take report

Report must be forwarded to Governor’s Office of Consumer Affairs

Consumer Affairs will forward to Georgia Crime Information Center

File a Police Report (cont.)

Get copies of the law enforcement report

Keep for your records

Send copies to creditors when reporting fraudulent activity

Notify Credit Bureaus

All three credit bureaus should be alerted

Equifax – http://www.equifax.com/

Experian – http://www.experian.com

TransUnion – http://www.transunion.com

Notify Credit Bureaus

Call first, follow up in writing

Certified mail, return receipt

Request fraud alerts on your files

Normal duration of fraud alert is 90 – 180 days

Request, in writing, extension for seven years

Notify Creditors

Call first, follow up in writing

Notify ALL creditors

Banks

Credit card companies

Other lenders

Phone companies

Utilities

ISPs and other service providers

Notify Creditors

Existing creditors

Report fraudulent activity immediately

Cancel existing account

Request replacement cards with new account numbers

Notify Creditors

Fraudulently obtained accounts

Take action as soon as you discover existence of account

State that you never requested account

Provide with copy of police report and fraud affidavit

Request that account be closed

Get confirmation in writing

Get Credit Reports

Should be automatically sent at no charge when fraud alert is filed

Review carefully for inaccurate information

Remember that some inaccurate information may predate the crime

Dispute all inaccurate information in writing

Report the Crime

Federal Trade Commission

http://www.consumer.gov/

Fill out FTC’s ID Theft Affidavit

Many companies will accept as documentation

Others insist on their own paperwork

Report the Crime

U.S. State Department (passport agency)

Notify whether or not you have a passport

http://www.state.gov/

Social Security Administration

If Social Security number is compromised

http://www.ssa.gov/

Report the Crime (cont.)

U.S. Postal Inspection Service/local Post Office

If mail fraud or change of address is involved

http://www.usps.com/postalinspectors/welcome2.htm

Also consider renting a locked post office box

Report the Crime (cont.)

Department of Motor Vehicles

If a motor vehicle is involved

http://www.dmvs.ga.gov/

Internal Revenue Service/Georgia Department of Revenue

If fraudulent tax returns are involved

http://www.irs.gov/

http://www2.state.ga.us/departments/DOR/

Special Steps

Bank accounts

If checks are stolen or misused, contact ALL check approval agencies

CheckRite: (800) 766-2748

Chexsystems: (800) 428-9623

CheckCenter/CrossCheck: (800) 843-0760

Certigy/Equifax: (800) 437-5120

International Check Services: (800) 526-5380

SCAN: (800) 262-7771

TeleCheck: (800) 710-9898

When Criminal Activity is Involved

In addition to the above, you MUST take additional steps

Failure to do this could result in

Arrest

Jail time

Significant expense to repeatedly clear your record

When Criminal Activity is Involved (cont.)

Have local law enforcement confirm your identity

Fingerprints

Photograph

Copies of identifying information

Have them send information to other jurisdictions involved as well

When Criminal Activity is Involved (cont.)

Request a “key name switch” in databases

Entry should be under impostor’s actual name

If not known, as “John/Jane Doe”

Make sure your name is listed as an alias, not as real name

Include local, state, federal databases

When Criminal Activity is Involved (cont.)

Obtain a clearance document

Called by different names:

Clearance letter – Mis ID

Certificate of release

Make multiple copies of this document

Carry a copy with you at ALL times

Make sure a trusted friend/family member has a copy

When Criminal Activity is Involved (cont.)

If all else fails, hire a criminal defense attorney with experience in this area

If the perpetrator is caught, you can ask for this (and other) expenses as restitution

Long-Term Damage Control

Do NOT pay any fraudulent charges/bills/checks

Use Fair Credit Reporting Act provisions to your advantage

Continue to get credit reports regularly (at least every six months)

Carefully monitor all financial activity

Long-Term Damage Control (cont.)

Carefully monitor mail

Do NOT change your Social Security number

Causes many more problems than it solves

Resources -- Federal Agencies

Federal Trade Commission http://www.consumer.gov/idtheft/

Department of Justice http://www.usdoj.gov/criminal/fraud/idtheft.html

Social Security Administration http://www.ssa.gov/pubs/idtheft.htm

U.S. Postal Inspection Service http://www.usps.com/postalinspectors/welcome2.htm

Resources – State Agencies

Georgia Stop Identity Theft Network http://www.stopidentitytheft.org/

Resources -- Nonprofit Organizations

Better Business Bureau http://www.bbbonline.org/IDTheft/

Identity Theft Resource Center http://www.idtheftcenter.org/index.shtml

Privacy Rights Clearinghouse http://www.privacyrights.org/identity.htm

Acknowledgements

Andrew Sledge, Desktop Technician, OIT, Georgia Perimeter College

Spyware and computer security information

Hunter Eidson, System Administrator, Georgia Perimeter College

Computer security information

In Closing

This presentation is available online at http://www.gpc.edu/~jbenson/presentations/idtheft.ppt