Transcript web.ewu.edu

• Presented by
Skye Hagen
Asst Director
Office of Information
Technology
Identity Theft and Con Games
• Presentation will include phishing,
pharming and other identity theft attacks.
• It will also include related confidence
games that happen on the Internet.
• If you have any questions during the
presentation, don’t hesitate to ask!
What is Phishing?
• Phishing attacks use social engineering
and technical subterfuge to steal identities.
• The goal is to obtain access to financial
systems.
– Credit card numbers
– Accounts and passwords for financial
institutions
– Social Security Numbers
Def: Social Engineering
• Social engineering is a collection of
techniques used to manipulate people into
performing actions or divulging confidential
information.
• Usually applies to using trickery for
information gathering or computer system
access.
Social Engineering Techniques
• E-mail
– We see this all the time.
– Sometimes the spam filter catches them,
sometimes it does not.
– Generally sent to a large number of
recipients.
• Phone calls
– Usually used for directed attacks.
– Person attempts to gain specific access.
What is Pharming?
• A computer attack that misdirects a user to
a bogus web site.
• Often implemented as software
downloaded from the Internet.
So what’s with the Ph?
• Original ‘ph’ word was phreaking.
• Not exactly sure of the original meaning.
• Maybe a combination of ‘phone’ and ‘freaking’.
• It may also refer to the use of various audio
frequencies to manipulate the phone system.
• Term made famous by hackers who manipulated
the phone system to make free calls.
• Most famous, John Draper, aka Captain Crunch.
How does phishing work?
• Attack usually starts with an e-mail.
– User must respond to an event, such as an
account suspension.
– Must follow link in e-mail.
• Does not usually have a phone contact.
– Describes serious consequences to not
responding.
– Tries to get you to make a quick decision.
– Example of a phishing e-mail.
Phishing attack
• Once at the fake web site, try to get you to
enter your account and password
information.
• Sites are very realistic.
– Refer back to example phishing attack.
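As an added example (not from the presentation), the indicators listed above can be turned into a simple heuristic scorer: an event you must respond to, a link you must follow, threatened consequences, pressure to decide quickly, and no phone contact. The two e-mail bodies are constructed samples; the word lists and the threshold are assumptions, not an established rule.

```python
import re

# Each regex covers one indicator named in the presentation's description
# of a phishing e-mail (constructed word lists; tune them for real mail).
EVENT = re.compile(r"\b(suspend(ed)?|locked|unusual activity|verify your account|expire[sd]?)\b", re.I)
LINK = re.compile(r"https?://[^\s<>\"']+", re.I)
CONSEQUENCE = re.compile(r"\b(permanently closed|terminat\w+|lose access|will be (closed|disabled))\b", re.I)
URGENCY = re.compile(r"\b(immediately|within \d+ hours?|24 hours|urgent|right away)\b", re.I)
PHONE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")


def phishing_indicators(body: str) -> dict:
    """Return which of the presentation's indicators are present in the body."""
    return {
        "event_to_respond_to": bool(EVENT.search(body)),
        "must_follow_link": bool(LINK.search(body)),
        "serious_consequences": bool(CONSEQUENCE.search(body)),
        "quick_decision": bool(URGENCY.search(body)),
        "no_phone_contact": PHONE.search(body) is None,
    }


def phishing_score(body: str) -> int:
    """Number of indicators present (0 to 5)."""
    return sum(phishing_indicators(body).values())


def is_suspicious(body: str, threshold: int = 3) -> bool:
    """Assumed threshold: three or more indicators is worth a closer look."""
    return phishing_score(body) >= threshold


# Constructed sample resembling the attack described in the presentation.
SAMPLE_PHISH = (
    "Dear customer, we detected unusual activity and your account has been "
    "suspended. You must verify your account within 24 hours by visiting "
    "http://example-bank-login.example/verify or your account will be "
    "permanently closed."
)

# Constructed sample of an ordinary notice: no link, no deadline, phone given.
SAMPLE_LEGIT = (
    "Your monthly statement is now available. Sign in through the address "
    "you normally use, or call us at 555-123-4567 with any questions. "
    "No action is required."
)

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_score(body), phishing_indicators(body))
```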
How does pharming work?
• Similar to phishing, it begins with an email.
• Not necessarily an account update style
notice.
• May direct you to scandalous pictures, or
inexpensive products.
• Gets you to a web site where malicious
code is downloaded to your system.
Why?
• Lots of money!
• Do the math
– Send 100,000 e-mails.
– Get a response rate of 1%.
– That’s 1,000 people that respond!
– That’s 1,000 bank accounts or credit cards
that could be drained or used illegally.
– If each account is drained by $500, that’s 1/2 a
million dollars!
Phishing Response Rate
• There is no way to measure response rate
to phishing scams.
• Symantec estimates 1% to 10%
depending upon the sophistication of the
attack.
• They also estimate a much higher
response rate for phishing than the
response rate for other spam messages.
Identity Theft
• Phishing and pharming are just two ways
that your identity can be stolen.
• Other ways include people impersonating
you to obtain credit.
– Maybe to obtain work, using a stolen SSN.
– Generally to get credit cards for one time use.
– In one case, a person used a stolen identity to
purchase a house!
Other Confidence Games
• Not truly a case of identity theft
• Nigerian e-mail scam
• Trying to establish an American business
presence, and looking for an agent to
forward items to foreign countries.
• Winning a foreign lottery.
• All are advance fee arrangements.
– You pay upfront fees or shipping.
Examples of Confidence Games
• Unique ‘Christian’ confidence game that
was sent to me.
What can you do about this?
• Be careful in all transactions on the
Internet.
– Know the policies and procedures for the
financial organizations that you deal with.
• How will your bank contact you if they detect
suspicious activity?
• Know how to report suspected identity theft.
What can you do about this?
• Consider using prepaid credit cards for
online purchases.
– Exposure is limited.
– Card not tied in any way to your banking
accounts.
– Card does not impact your credit rating.
– Visa offers cards directly.
– A number of companies offer branded Visa or
MasterCard prepaid cards.
What can you do about this?
• Consider credit report monitoring.
– Not a be all, end all solution.
– Only identifies when your credit is impacted.
• Will indirectly show credit card activity.
– Does not protect against your accounts being
drained.
What can you do about this?
• Use a different password for each financial
account you have.
– Yes, this can be a pain to remember.
– Use a password manager to help manage
your accounts and passwords.
What can you do about this?
• Check out the security arrangements
before signing up for online banking.
– What access controls do they use?
– Look for multiple factor authentication
• Something you know (password)
• Something you possess (token)
• Something you are (fingerprint)
What can you do about this?
• Use anti-virus software, and keep it up to
date.
• Use anti-malware software, and likewise,
keep it up to date.
• Consider using an anti-phishing tool bar
on your web browser.
– Built-in in newer browsers.
What to do if you are a victim?
• Contact your financial institutions.
– Most have help services for identity theft.
• Check your state’s web site.
– Usually the Attorney General or the Secretary
of State.
• Check the web site for the Federal Trade
Commission.
– www.ftc.gov
Test Your Knowledge
• http://www.sonicwall.com/phishing/
• http://survey.mailfrontier.com/survey/quiztest.cgi?themailfrontierphishingiqtest
• Google with a search of ‘phishing quiz’.
• Try to beat my score, I’ve done two tests,
and I got 9 out of 10 right.
References
• Kevin Mitnick, The Art of Deception
– Book about using social engineering
techniques to gain access to facilities and
systems.
• Wikipedia
– Search for ‘phishing’, ‘pharming’ and
‘phreaking’.
• The Anti-Phishing Working Group
– www.antiphishing.org
References (cont’d)
• Federal Trade Commission
– www.ftc.gov
• State Attorneys General or state trade
commissions.
• Your bank’s web site
– Usually contains privacy and security pages
that explain your rights and how the institution
safeguards access.
Thanks for attending!
• Copy of presentation will be available at…
• www.ewu.edu/securityawareness
• I have also sent a copy to the QSI people, in
case they are assembling a web site.