Introduction to Identity Theft
In the
course of a busy day, you may write a check at the grocery store, charge
tickets to a ball game, rent a car, mail your tax returns, change service
providers for your cell phone, or apply for a credit card. Chances are you
don’t give these everyday transactions a second thought. But an identity thief
does. Identity theft is a serious crime. People whose identities have been
stolen can spend months or years – and thousands of dollars – cleaning up the
mess the thieves have made of a good name and credit record. In the meantime,
victims of identity theft may lose job opportunities, be refused loans for education,
housing, or cars, and even get arrested for crimes they didn’t commit.
Humiliation, anger, and frustration are among the feelings victims experience
as they navigate the process of rescuing their identity.
Identity theft is a crime that involves using another person’s
personal information to take malicious actions, such as conducting fraud or
stealing funds. The information provided in this document is designed to help
individuals protect themselves against identity theft and mitigate the risk.
“Identity theft and identity fraud are terms used to
refer to all types of crime in which someone wrongfully obtains and uses
another person’s data in some way that involves fraud or deception”
The
frequency of identity theft has increased dramatically. Criminals use
electronic means to obtain the Personally Identifiable Information
(PII) needed to carry out this crime. As set forth throughout this
paper, there are numerous steps that one can and should take to defend against
identity (ID) theft in general and the prevalence of targeting by
sophisticated and not-so-sophisticated
hackers. However, none of the steps, either alone or in the aggregate, can
absolutely preclude becoming a victim of identity theft or prevent PII from
being stolen. The information provided throughout this document is designed to
help protect against this possibility and to mitigate the risks that could
happen. If, despite best efforts to defend against ID theft, a determined
attacker is successful in conducting ID theft, basic guidance is provided to
assist in addressing the situation.
The Threat
The threat
is real as evidenced in some of the key findings from the U.S. Department of
Justice, Victims of Identity Theft, 2012 report:
- ID theft cost Americans $10 billion more than household burglary, motor vehicle theft, and property theft in 2012
- 85% of fraudulent use involves existing accounts
- 7% of persons age 16 or older were victims of ID theft in 2012
- 29% of ID theft that involved personal information took one month or more to resolve
- 66% of ID theft victims report a direct financial loss
The threat actor’s goals may include attempts to ruin reputation, cripple financial status
or create legal problems. The classes or types of threat actors could include
hacktivists, disgruntled former/current employees, cyber criminals and
nation-states. Today’s online connectivity fosters a proliferation of locations
where PII may be retained and available. Additionally, personalized email
phishing attacks (spear-phishing and whaling) are increasing in sophistication,
and a thief may even look over your shoulder or in your garbage. All of these factors
result in a heightened cyber risk environment and therefore require greater
vigilance on the part of individuals to protect private information. PII that can
facilitate successful ID theft includes Social Security Number
(SSN), age, salary, and home/office phone numbers. This information is
critical for ID theft to succeed in stealing an identity. Any personal data is
useful to perform ID theft and aid in crafting believable spear-phishing emails
that can appear to be sent from trusted sources. Through this activity, an
attacker can gain control of the target device, enabling access to additional
PII, which can facilitate ID theft.
Where Personal Information Can be Found
Personal information can be found online or even in your trash dumpsters. Data
that individuals actively publish about themselves could include information
from signature blocks, social networking sites, organizational sites (e.g.
professional, alumni, and clubs), resumes, biographies, or interviews. Personal
information that exists on the internet could also be posted by third parties
that aggregate, post, and potentially sell personal information.
Exposing Information
Personal information can be thought of as
identity DNA. It can be used to uniquely “mark” a person for tracking and be
leveraged to gain footholds in the personal lives of friends, family members,
and co-workers. Most people understand the need to protect their SSN and
Personal Identification Numbers (PIN); however, there are other identifiers
that could help a thief access PII. The table above lists a few of those less
thought about identifiers. Having this additional information enables threat
actors to build a better personal profile that may be used to more effectively
assume another person’s identity.
Personal information trust relationships
ID theft may
exploit networks or accounts of trusted associates from which to send malicious
email, as these networks and systems are often not secure. Emails sent at
specific times of the year may serve to increase the believability of the
phishing attempt, such as a tax service provider email sent in the spring or a
medical benefits email sent in the fall.
Examples of trusted service providers include:
- Personal: Spouse/child’s employer or school, friends, associates, lawyers, social groups, educational groups (university associations–as student, instructor, or alumni)
- Professional: Workplace contacts, conferences, organizations, job posting sites, LinkedIn, certification groups (CISSP®, Security+®)
- Medical: General practitioner, dentist, specialists, labs, hospitals, therapists
- Financial: Credit union, banks, investments, mortgage company, pension plans, income tax services, accountants, money transfer, credit card companies, online purchasing sites
- Criminal: A person cited or arrested for a crime uses another person's name and identifying information, resulting in a criminal record being created in that person's name
- Media/Entertainment: Reporters/organizations (interviews, quotes), subscriptions, technical publications, special interest sites, streaming video sites, gaming sites
- Insurance: Medical, life, homeowners, auto
- Service Providers: Utilities (ISPs, gas, electric, water), home security
- Synthetic Identity: Information from several different victims is combined to create a new identity. Although the primary victim here is the lender, it can still negatively affect the person whose name or Social Security ID is used
- Romance scams: Poses as the target’s ideal love match
- Other: DMV, court (jury duty, subpoena), law enforcement, CWF, transportation
Identity Thief Schemes
The following examples of identity theft schemes are from public record documents.
• Phillip Cummings
Phillip Cummings, a help desk worker at a software firm, took a spreadsheet of logins and
passwords when he quit, granting him access to a number of credit reports. The
criminals he sold the reports to stole $50 to $100 million.
• Abraham Abdallah
Abraham Abdallah duped several credit score companies into providing him with information, and then
used the identities of some of America’s richest, including Warren Buffett and
Steven Spielberg, to steal millions of dollars.
• Malcolm Byrd Gets
Malcolm Byrd was sitting at home when police officers came to his home and arrested him on a
warrant for cocaine possession. Though eventually his name was cleared, Byrd learned that a criminal had used his name when he was arrested. He spent some time in jail before finally being released.
• Dr. Gerald Barnes
Gerald Barnbaum lost his pharmacist license after committing Medicaid fraud. He stole the identity of Dr. Gerald Barnes and practiced medicine under his name. A type 1 diabetic died under his care. “Dr. Barnes” even worked as a staff physician for a center that gave exams to FBI agents. He’s currently serving hard time.
• Marcelo Nascimento da Rocha
This drug smuggler impersonated Henrique Constantino, the brother of the CEO of the airline Gol Airlines, enjoying the high life but then getting busted after sleeping with a woman who actually knew the real Constantino.
• Andrea Harris-Frazier
Margot Somerville lost her wallet on a trolley. Two years later she was arrested. Andrea Harris-Frazier had defrauded several banks—using Somerville’s identity—out of tens of thousands of dollars. The real crook was caught.
• Frederic Bourdin
Bourdin liked to impersonate missing children, including Nicholas Barclay, a missing teen. The teen’s family was fooled, even though Bourdin looked nothing like Barclay (including different hair and eye color--amazing, isn’t it?). More stunning is that the family was fooled for nearly a year until fingerprints proved his real identity. He’s been in and out of jail since.
Typical Techniques
Whaling, a
common ID theft technique, is the targeting of high ranking corporate
executives (the big fish) via malicious code embedded within emails. The goal
is to compromise networks, devices, or to collect personal and organizational
information. Unbeknownst to the victim, the threat actor performs targeted
research on exposed personal information in order to craft deceptive emails. The
emails often contain attachments/links and information designed to deceive.
These appear to originate from a known person, have a professional look and
feel, and are difficult to identify as malicious. The ID thieves’ target will
often open the bogus emails and then “click-on” the socially engineered
malicious attachments/links. While the skill level required for successful ID theft is minimal, modification, such as data/PII manipulation or assumption of the target's ID, requires increased sophistication. ID theft includes, but is not limited to, fabricating criminal liability, ruining an individual’s reputation or credit, and/or blackmailing the target, which could result in legal action, job loss, or arrest.
ID theft may achieve these goals through the following means:
- Take Advantage of System Access: Place material on a hard drive that is indicative of serious illegal activity (e.g. maliciously edited photographs, espionage, insider trading, incriminating emails)
- Alter or Access Financial Information: Collect sensitive financial information, access, modify, or create accounts (e.g. credit accounts, investment sites), steal funds
- Recover Credentials (e.g. user names, passwords, challenge question answers)
- Establish Persistent Presence on Network or Device: Gather long-term information on network and device related data. This may be aggregated with data from other information technology systems used.
The remainder of this document will cover Systems Mitigations,
Behavioral Mitigations, Monitoring Practices and Systems (Hardware, Software,
Services).
Key Message
Several
steps that can help safeguard hardware, software, and services against ID theft
include securing systems, limiting exposure (electronic and physical), applying
software restriction policies, and service partitioning (e.g. using different
devices/OSs/browsers for activities of differing sensitivities). Specific areas
that require attention include home networks, mobile devices, email services,
authentication, storage, games, and applications.
Home Network
The best
offense is a great defense. Keep home networks patched and updated to help deal
with the latest attacks and to protect against website drive-by infection. Use
anti-virus and anti-malware software to help eliminate threats. Implement firewall protection (many anti-virus suites offer this capability). Keep browsers and browser plug-ins (e.g., Flash®) up-to-date, enable automatic updates if possible, and consider disabling Java™ in the browser. Limit privileges (e.g. “guest” or “user” privileges) for accounts used by guests and children. Periodically change passwords. Make sure wireless access points and domain name servers are secure using methods described in the following links.
Mobile Devices
Maintain
physical control of the device. Where applicable, perform an integrity scan and
install a virus scanner to help detect tampering activity. Only install trusted
applications. Turn off wireless, Bluetooth®, and GPS when not in use.
Exercise extreme caution when considering connection to public WiFi networks,
using cellular networks if available. Create a robust device password. Enable
automatic screen locking (after inactivity) and device disk encryption, if
available.
Device Isolation
Consider
having different devices dedicated to different purposes, i.e. one computer for
financial/PII use, another for games/children, another for use while
travelling, etc. When travelling, do not take an unnecessary device (laptop or
smartphone) on the trip. In general, avoid accessing sensitive services (such
as financial and medical) while travelling. Be careful of services that are
accessible from mobile devices, and know which services store credentials since
these services may not store these securely. Use a secondary browser for
sensitive services. This can often provide virtual isolation from any malware
that may be present on the primary (sacrificial) browser.
Email and Cloud
Do not open
emails or email attachments from untrusted sources. Opening email attachments
from unknown senders can load malware and access sensitive information via
deceptive procedures such as whaling. Filter emails; run anti-malware and virus
scans.
Authentication/Passwords
Most online
services use password-based authentication. Make passwords complex, and do not
use the same password for multiple accounts. If passwords are written down, they should not be associated with the
account, and the written list should be stored in a safe place (e.g., in a
locked box at home). Most services also provide password reset questions based
upon various life information. Often these questions have answers that can be
discovered and used to facilitate ID theft. Some online services are beginning
to allow the use of physical tokens as a form of authentication. Many others
allow for the use of a second authentication channel, such as a text message
with a passcode. When these measures are available, use them.
Storage (media, SD card, USB, portable, backups, file sharing, disposal)
Disable
autorun capability. Sanitize media before first use through virus scanning or
reformatting it. Remove or disable hardware from machines that do not need
removable media. Secure and maintain physical control over media, computers and mobile devices. Virus scan all removable media. When accessing this media, use non-privileged accounts; if possible, access such media from a virtual machine or sandbox. Make use of document viewers instead of full applications. Prior to discarding removable media, or a computer or smartphone with fixed media, delete all data or physically destroy the media. Consider using secured USB storage, particularly bootable USB drives that offer secure operating systems with identity and password protections.
Games and Applications
Do not
download or install games from untrusted or unknown sites. Avoid entering
personal information into the game during installation, surveys, etc. Turn off
location services. Do not allow tracking options and delete cache after using
the application. Opt out of any request for multi-sharing between different applications,
email, and social networking sites. Lower the level of access privilege allowed
by the application, if possible.
Mitigations – Behavioral
Successfully protecting against ID Theft requires planning and effort; awareness of the normal mode of operation (behavior) that can be used to compromise identities and the safeguards that can be used to reduce the threat is key.
Be Aware of the Context of the Machine You Use
Exercise
extreme caution when accessing public WiFi hotspots; usually, using a mobile
device’s cellular data connection is safer than WiFi. Do not exchange any
personal information or transact any sensitive business on untrusted networks.
Do not exchange home and work content. Use different usernames for home and
work email addresses. To prevent reuse of compromised passwords, use different
passwords for each of your email accounts. Use password recovery or challenge
questions that no one else (including children) would know or could find from
Internet searches or public records. Use two-factor authentication when
available for accessing webmail, social networking, financial, and other
accounts. Avoid posting photos with embedded GPS coordinates, since this
provides information about the location of the persons in the photo at the time
embedded in the photo metadata.
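The photo metadata mentioned above can be inspected before a picture is posted. The following is an added example, not part of the original document: a standard-library Python check that reads the EXIF GPS block of a JPEG and returns the stored coordinates. The function names are illustrative and the sample image bytes are constructed for the demonstration.

```python
import struct
from typing import Optional, Tuple

GPS_IFD_POINTER = 0x8825  # IFD0 tag holding the offset of the GPS IFD


def read_ifd(tiff: bytes, offset: int, bo: str) -> dict:
    """Return {tag: (type, count, raw 4-byte value field)} for one IFD."""
    (n,) = struct.unpack_from(bo + "H", tiff, offset)
    entries = {}
    for i in range(n):
        start = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(bo + "HHI", tiff, start)
        entries[tag] = (typ, count, tiff[start + 8:start + 12])
    return entries


def dms_to_degrees(tiff: bytes, entry: tuple, bo: str) -> float:
    """Decode three RATIONALs (deg, min, sec) into decimal degrees."""
    (ptr,) = struct.unpack(bo + "I", entry[2])
    d = struct.unpack_from(bo + "6I", tiff, ptr)
    deg, minutes, sec = (d[i] / d[i + 1] for i in (0, 2, 4))
    return deg + minutes / 60 + sec / 3600


def gps_from_jpeg(data: bytes) -> Optional[Tuple[float, float]]:
    """Return (lat, lon) stored in a JPEG's EXIF data, or None if absent."""
    # Malformed or truncated EXIF raises instead of reporting "no location".
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        (seglen,) = struct.unpack_from(">H", data, pos + 2)
        body = data[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            tiff = body[6:]
            bo = "<" if tiff[:2] == b"II" else ">"
            (ifd0,) = struct.unpack_from(bo + "I", tiff, 4)
            pointer = read_ifd(tiff, ifd0, bo).get(GPS_IFD_POINTER)
            if pointer is None:
                return None
            (gps_off,) = struct.unpack(bo + "I", pointer[2])
            gps = read_ifd(tiff, gps_off, bo)
            if 2 not in gps or 4 not in gps:  # latitude / longitude tags
                return None
            lat = dms_to_degrees(tiff, gps[2], bo)
            lon = dms_to_degrees(tiff, gps[4], bo)
            if 1 in gps and gps[1][2][:1] == b"S":
                lat = -lat
            if 3 in gps and gps[3][2][:1] == b"W":
                lon = -lon
            return lat, lon
        if marker == 0xDA:  # start of image data: metadata segments are over
            break
        pos += 2 + seglen
    return None


def constructed_jpeg(with_gps: bool) -> bytes:
    """Build a constructed JPEG header (not a real photo) for the demo."""
    tiff = b"II" + struct.pack("<HI", 42, 8)  # little-endian TIFF header
    if with_gps:
        tiff += struct.pack("<HHHIII", 1, GPS_IFD_POINTER, 4, 1, 26, 0)
        tiff += struct.pack("<H", 4)                    # four GPS entries
        tiff += struct.pack("<HHI4s", 1, 2, 2, b"N")    # GPSLatitudeRef
        tiff += struct.pack("<HHII", 2, 5, 3, 80)       # GPSLatitude
        tiff += struct.pack("<HHI4s", 3, 2, 2, b"W")    # GPSLongitudeRef
        tiff += struct.pack("<HHII", 4, 5, 3, 104)      # GPSLongitude
        tiff += struct.pack("<I", 0)                    # no further IFD
        tiff += struct.pack("<6I", 40, 1, 30, 1, 0, 1)  # 40 deg 30' 0"
        tiff += struct.pack("<6I", 74, 1, 15, 1, 0, 1)  # 74 deg 15' 0"
    else:
        tiff += struct.pack("<HI", 0, 0)  # empty IFD0, no GPS pointer
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


if __name__ == "__main__":
    for label, img in (("tagged", constructed_jpeg(True)),
                       ("clean", constructed_jpeg(False))):
        print(label, gps_from_jpeg(img))
```

A result other than None means the file still carries a location and should be re-exported without metadata before it is shared.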
Social Media
Great care
must be taken in reducing Internet profiles by limiting observable network
activity, habits, and interests, to include shopping and entertainment choices.
Information such as personal address or phone number, place of employment, and
other personal information related to family members should not be posted, due
to the potential for targeting or harassment. Where available, limit access of
information to “friends only.” Verify any new sharing requests either by phone
or in person, and do NOT accept invites from total strangers. Only establish
and maintain connections with known and trusted people, and encourage friends and family to take similar precautions with their accounts. Use secure browser settings when possible, and monitor browsing history to ensure that all access points are recognized; turn off application features that track location patterns, such as GPS. Consider creating account(s) on the most popular social networking sites to help counter someone else creating a fraudulent account, thus mitigating ID theft from this avenue.
Offline Interactions
Lock
financial documents and records, including Social Security Card(s), in a safe
place at home, and lock up wallets or purses in a safe place at work. Before
sharing information at the workplace, businesses, children’s schools, or a
doctor’s office, inquire as to why PII is required. Further, ask how the
PII will be safeguarded, and discuss the consequences of not sharing. Always shred
(with a quality shredder) receipts, credit offers, credit applications,
insurance forms, physician statements, checks, bank statements, expired charge
cards, and similar PII related documents when no longer needed. Before
disposing of a computer or mobile device, always dispose of all the personal
information it stores. Use a “wipe” utility program to overwrite the entire
hard drive, and delete association of the device with any cloud account.
Online Interactions
Be alert to
impersonators. Make sure to know who is receiving personal or financial
information. Unless initiating the contact or the person communicated with is
known, PII should not be given out on the phone, through the mail or over the
Internet. If a company that claims to have an account sends an email asking for
PII, do not click on links in the email. Instead, type the company name
directly into the web browser to access their site, and/or contact them through
their customer service center to confirm whether or not the company truly sent
the request.
Travel
Never do
online banking in public places. Maintain a low profile. If possible, use cash
for purchasing personal items like souvenirs. Advise family members not to
discuss your travel details and not to post these on social networking sites.
Monitoring for Identity Theft
Everyone is a potential victim of ID theft; therefore, all must be keenly aware of indications that they have been victimized or are actively being targeted. Monitoring these potential indicators is essential in identifying, mitigating and protecting against the threat. There are two classes of monitoring that are key: personal and commercial.
Personal Monitoring
Personal
monitoring involves individual steps that a person can take to detect ID theft
activity. The steps involve routinely searching for evidence of compromise.
Examples include reviewing credit card and bank statements, call logs, browser
history, email (including the “Sent Items” folder), change in social networking
privacy settings, and detecting an increase in unsolicited contacts. For example,
a deluge of unsolicited emails, calls, and/or letters about making a purchase is an indicator that ID theft may be in progress.
Credit Report
The most
important personal monitoring is reviewing credit reports which contain a
history of residences, credit accounts - minimum and maximum balance,
open/close status and payment history. Any erroneous information in a credit
report can be an indicator of ID Theft. Equifax, Experian, and TransUnion
generate credit reports and are required by the Fair Credit Reporting Act to
provide a free copy of a person’s credit report every 12 months.
Commercial Monitoring
Credit
Monitoring is a commercially available service, providing a subscriber with
information that indicates changes in their personal profile. Areas of
monitoring can be divided into two categories – Financial (credit and banking)
and Personal. Financial monitoring identifies changes that are specific to a
person’s credit, not necessarily their assets. For example, a new bank loan
would be detected by a credit monitoring report but a large deposit or
withdrawal would not. Personal monitoring identifies non-fiduciary references
to a subscriber’s identity. This includes civil, criminal or other personal
information available in public records. Commercial Monitoring services, such
as LifeLock®, TrustedID®, and others, have proven effective in using
Financial and Personal monitoring to identify and mitigate ID Theft activity.
Response Steps
Recommended
steps by the Federal Trade Commission (FTC), the US Government entity
responsible for receiving and processing complaints concerning ID theft, are:
- Place an Initial Fraud Alert
- Order your credit reports
- Create an Identity Theft Report. The initial report is called a Theft Affidavit. The Affidavit in conjunction with a police report makes the formal Identity Theft Report
- Contact the fraud department of the three major credit bureaus (Experian/TRW; TransUnion and Equifax).
- Contact the company that holds any account that you suspect may have been compromised. Ask for the fraud/security department; consider documenting all interactions with the company and closing all compromised accounts.
- Contact your local police department and obtain copies of all police reports made in relation to the company.
- Keep a detailed log of all contacts, notifications and interactions as you report the ID theft. Being as organized and detailed as possible will help you limit exposure to and recover from this crime.
Additional References
This document, named Identity Theft Threat and Mitigations, is published by the NSA and the U.S. Department of Justice.
More information is available at the following:
- Counterintelligence: https://www.dss.mil/isp/count_intell/index.html
- The Threat: http://www.justice.gov/criminal/fraud/websites/idtheft.html
- How To Keep Your Personal Information Secure: http://www.consumer.ftc.gov/articles/0272-how-keepyour-personal-information-secure
- NSA mitigation info: https://www.nsa.gov/ia/mitigation_guidance/index.shtml
Conclusions
It is our duty to understand the threat and take all the actions needed to protect our
identity as briefed in these documents.
We can also look for organizations and service providers that understand
the threat and take action to protect your identity.
In response to concerns over identity theft, numerous companies, financial institutions, and
service providers have stepped in with products that monitor your credit, ID,
accounts, and information, reimburse you for lost
wages or funds, and guard your identity. Some employers also now offer ID theft
insurance to help you reduce the amount of time and money spent resolving the
crime, so check with your service providers and company which protections and
means they use to protect your identity.