Personal Identity Theft in the Business World

Transcript Personal Identity Theft in the Business World

Personal Identity Theft in the Web-based Business World
Presenter – Rick Weatherspoon
Xtreme Computing, LLC
Agenda
• Definition of ID Theft
• ID Theft Statistics
• Business Losses
• Types of Web-based ID Theft
  – Hacking & Attacking
  – Phishing
  – WarXing/War Driving
• ID Theft Reporting
• Questions
2 June 2006
Identity Theft Definition
• The Deliberate Assumption of Another Person's Identity, Usually to Gain Access to Their Finances or to Frame Them for a Crime
ID Theft Statistics (National)
• Fastest Growing Crime in US
• U.S. Identity Fraud Crimes Now Total $52.6 Billion Annually *
• Per-Victim Total of $5,686
• Affects Roughly 9.3 Million Individuals in the US Yearly
* Source – 2005 Study by Javelin Strategy & Research
ID Theft Statistics (State)
• 2,909 Complaints Filed in Oregon State (2004)
• Oregon State Ranks within the Top 10 (9th)
• Complaints Rose 20% over 2003
ID Theft Statistics (County)
Wallowa County
[Chart: complaints per year, 2002 through 2006, two series (Fraud, Identity Theft); vertical axis 0 to 8]
* Source – Wallowa County Sheriff; May 2006
Business Losses Due to ID Theft
• Between May 2004 and May 2005, 1.5 Million Computer Users Lost $929 Million to Phishing Scams Alone
• US Businesses Lose an Estimated $2 Billion Per Year on Clients Who Are Victims
• Businesses Lose an Average of $4,800 per Victim *
*Source – Washington State AGO Identity Theft Advisory Panel; January 2006
Types of Web-based ID Theft
• Hacking & Attacking
• Phishing
• WarXing/War Driving
Web-based Hacking & Attacking
• Authentication Hacking
  – Browsing
  – Cookie Theft
  – Session Hijacking
  – Network Sniffers
  – Password Cracking
  – Dictionary Attacks
• Google Hacking
• SQL Injection
• Directory Traversal
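The SQL Injection bullet on the slide above names the attack without showing it. The following is an added example, not part of the briefing: a login check that builds its query by string concatenation, next to the same check with bound parameters. The in-memory SQLite table, the user row and the attacker string are constructed for the example.

```python
"""Login lookup built by string concatenation versus a parameterised query.

Added example (not from the briefing). Uses a constructed in-memory SQLite
table and a constructed attacker string to show the authentication bypass
that the 'SQL Injection' bullet refers to.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: one legitimate user (plain text here only for brevity)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the SQL text from user input: the attacker controls the query."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    (count,) = conn.execute(query).fetchone()
    return count > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Passes input as bound parameters: quotes and comment markers stay data."""
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return count > 0


# Constructed attacker input: closes the username string, ORs in a tautology,
# and comments out the password check ('--' starts a line comment in SQLite).
ATTACK_USER = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, attacker input:", login_vulnerable(db, ATTACK_USER, "anything"))
    print("safe, attacker input:     ", login_safe(db, ATTACK_USER, "anything"))
    print("safe, real credentials:   ", login_safe(db, "alice", "correct horse battery staple"))
```

With the attacker string, the concatenated query becomes `... WHERE username = '' OR 1=1 --' AND password = 'anything'`, which matches every row, so the vulnerable version logs the attacker in. The parameterised version compares the literal string `' OR 1=1 --` against the username column and finds nothing.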
Phishing
• Attempts to Fraudulently Acquire Sensitive Consumer Information Via False Web Pages, Emails, IMs, Fax, VoIP
• Term Arises from Using Sophisticated Lures to "Fish" for Consumers' Financial Data & Passwords
• Recently Targeting Banks, Online Payment Services, IRS Letters
• Common Tricks Include Misspelled URLs, Use of Subdomains, Altering Address Bars, Cross-Site Scripting
• Recent Scam Left Voice Messages Asking Victims to Call the "Bank" and Enter Account & PIN Numbers over a VoIP Network
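The "common tricks" bullet above lists misspelled URLs, brand names used as subdomains and altered address bars. As an added example that is not part of the briefing, the following checks a URL for those tricks. The brand list, the "known good" domains and the sample URLs are constructed for illustration; a real deployment would check against the organisation's own domain inventory, and the two-label registrable-domain rule is an assumption that holds for .com-style names only.

```python
"""Heuristic checks for look-alike phishing URLs.

Added example (not from the briefing). KNOWN_BRANDS, the registrable-domain
rule and the sample URLs are constructed assumptions for illustration.
"""
from urllib.parse import urlsplit

# Assumption: brand names a phisher would imitate, with the real registrable domain.
KNOWN_BRANDS = {
    "citibank": "citibank.com",
    "paypal": "paypal.com",
}


def registrable_domain(host: str) -> str:
    """Last two labels of the host name (assumption: good enough for .com style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot misspellings such as 'citibnak'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(url: str) -> list:
    """Return the tricks this URL exhibits; an empty list means none were found."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []

    # 'user@host' pushes the real host out of view in a narrow address bar.
    if parts.username is not None:
        findings.append("userinfo before host")
    # A bare IP address is a host a bank never sends customers to.
    if host and host.replace(".", "").isdigit():
        findings.append("raw IP address host")
    # Script fragments in the query string point at reflected cross-site scripting.
    if "<script" in parts.query.lower() or "javascript:" in parts.query.lower():
        findings.append("script in query string")

    reg = registrable_domain(host)
    first = reg.split(".")[0]
    for brand, real in KNOWN_BRANDS.items():
        if reg == real:
            continue  # genuinely the brand's own domain
        if brand in host and first != brand:
            findings.append(f"'{brand}' used as subdomain of {reg}")
        elif first == brand:
            findings.append(f"'{brand}' registered under a different domain: {reg}")
        elif edit_distance(first, brand) <= 2:
            findings.append(f"misspelled '{brand}' as '{first}'")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs, one per trick named on the slide.
    for sample in (
        "https://www.citibank.com/login",
        "http://citibank.com.login-verify.net/update",
        "http://www.citibank.com@219.148.1.1/verify",
        "http://citibnak.com/",
        "http://citibank.net/",
        "http://example.com/search?q=<script>alert(1)</script>",
    ):
        print(sample, "->", phishing_indicators(sample) or "no indicators")
```

The check deliberately scores the registrable domain rather than the whole host name: `citibank.com.login-verify.net` contains the real domain as a prefix, which is exactly what the subdomain trick relies on.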
Citibank Phishing Email Example
Citibank Phishing Web Link
Citibank Phishing – User Garbled URL
Citibank Phishing – Invalid Credit Card Number
Citibank Phishing Source
• Search with Whois Utility:
  IP:       219.148.0.0 - 219.148.159.255
  netname:  CHINATELECOM-he
  descr:    CHINANET hebei province network
  descr:    China Telecom
  descr:    No.31,jingrong street
  descr:    Beijing 100032
  country:  CN
  mnt-by:   MAINT-CHINANET
  changed:  [email protected] 20030820
  source:   APNIC
WarXing/War Driving
• Searching for Wireless Networks and Access Points from a Moving Vehicle/Bike (WLAN, WiFi HotSpots)
• Captures Information Packets with WiFi-based Equipment (Laptop/PDA)
• Software Freely Available to Monitor, Capture, and Analyze Clear-Text and Encrypted Data (NetStumbler, AirSnort, WEPCracker, etc.)
• Majority of Wireless Networks Use Default Settings (SSIDs, Passwords, Encryption Keys, etc.)
• Legality of War Driving Not Clearly Defined in the US
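The slide above says most wireless networks run on default settings and that stumbler tools list what is in the air. As an added example, not part of the briefing, the following triages a survey in the shape such a tool records (SSID, BSSID, channel, encryption) and flags the access points a war driver would go after first. The survey rows and the list of factory SSIDs are constructed assumptions for illustration.

```python
"""Triage of a wireless survey for the 'default settings' problem.

Added example (not from the briefing). SAMPLE_SURVEY and DEFAULT_SSIDS are
constructed for illustration, not recorded data or a vendor list.
"""
from dataclasses import dataclass

# Assumption: factory SSIDs shipped by common consumer access points of the period.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless", "belkin54g"}


@dataclass
class AccessPoint:
    ssid: str
    bssid: str
    channel: int
    encryption: str  # one of OPEN, WEP, WPA, WPA2


def parse_survey(text: str) -> list:
    """Parse 'ssid,bssid,channel,encryption' lines; blank lines and '#' comments are skipped."""
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, channel, enc = (field.strip() for field in line.split(","))
        aps.append(AccessPoint(ssid, bssid.upper(), int(channel), enc.upper()))
    return aps


def risk_findings(ap: AccessPoint) -> list:
    """Findings in priority order: encryption weakness first, then configuration tells."""
    findings = []
    if ap.encryption == "OPEN":
        findings.append("no encryption: every frame is readable by a passive sniffer")
    elif ap.encryption == "WEP":
        findings.append("WEP: key recoverable offline from captured traffic")
    if ap.ssid.lower() in DEFAULT_SSIDS:
        findings.append("factory default SSID: admin password likely unchanged")
    if ap.ssid == "":
        findings.append("hidden SSID: no protection, name still appears in association frames")
    return findings


# Constructed sample survey in stumbler-style columns.
SAMPLE_SURVEY = """\
# ssid,bssid,channel,encryption
linksys,00:12:17:AA:BB:01,6,WEP
Clinic-Guest,00:0F:66:11:22:02,11,OPEN
NETGEAR,00:09:5B:33:44:03,1,WPA
,00:13:10:55:66:04,6,WEP
FarmCoop-Office,00:14:BF:77:88:05,1,WPA2
"""


def triage(text: str) -> dict:
    """Map each BSSID to its findings; access points with no findings are omitted."""
    report = {}
    for ap in parse_survey(text):
        findings = risk_findings(ap)
        if findings:
            report[ap.bssid] = findings
    return report


if __name__ == "__main__":
    for bssid, findings in triage(SAMPLE_SURVEY).items():
        print(bssid)
        for item in findings:
            print("  -", item)
```

Keying the report on BSSID rather than SSID matters: the two WEP networks in the sample share a channel, and one of them has an empty SSID, so the MAC address is the only stable handle on each radio.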
Wireless Network Diagram
Reporting of ID Theft
• FBI/Internet Fraud Complaint Center
– 1.800.251.3221
– www.ifccfbi.gov
• Federal Trade Commission
– 1.877.438.4338
– www.consumer.gov/idtheft/
• Internet Crime Complaint Center
– www.ic3.gov/complaint
• Oregon State Department of Justice
– http://www.doj.state.or.us/
• Wallowa County Sheriff Department
– 541.426.3131
Questions?
www.xtremecomputing.us/briefings.html