Scanning the Internet for External Cloud Exposures via SSL Certs
Ira Wilsker's January 2014 Identity Theft Presentation
1. GREATER CLEVELAND PC
USERS’ GROUP
IDENTITY THEFT
January 11, 2014
By Ira Wilsker
Some slides are from an ORIGINAL Presentation by
Sgt. Eric Gilbert and Sgt. Hiland Priddy, Texas Department
of Public Safety (DPS) for mandatory Texas Law
Enforcement Officer In Service Training
2. JANUARY 10, 2014: Personal info stolen
from 70M customers, company says
3. The nation's second largest discounter said
Friday that hackers stole personal
information — including names, phone
numbers as well as email and mailing
addresses — from as many as 70 million
customers as part of a data breach it
discovered in December.
Target said in December that customers'
names, credit and debit card numbers,
card expiration dates, debit-card PINs
and the embedded code on the magnetic
strip on the back of cards had been
5. THE ADDRESS IN THE “COUNTRY” COLUMN IS THE LOCATION
OF THE TARGET STORE WHERE THAT CARD WAS USED
6. FOREIGN CREDIT AND DEBIT CARDS STOLEN FROM
TARGET FETCH PREMIUM PRICES – ALSO NOTICE
“MATURITY” OF CARDS vs. PRICE
THESE ARE DEBIT CARDS
7. FOREIGN CREDIT AND DEBIT CARDS STOLEN
FROM TARGET FETCH PREMIUM PRICES – ALSO
NOTICE THAT “QUALITY” CARDS WITH HIGHER
CREDIT LIMITS FETCH HIGHER PRICES
8. MANY OF THESE CREDIT CARD SELLING SITES ARE LOCATED IN
RUSSIA OR EASTERN EUROPE – ONES ABOVE ARE RUN BY A
RUSSIAN WITH THE HANDLE “HELKERN”
9. THERE HAS BEEN
NO PUBLIC DISCLOSURE
ABOUT THE METHOD USED TO
OBTAIN THE TARGET CREDIT
CARD INFORMATION, BUT
MANY SECURITY EXPERTS ARE
FAIRLY CERTAIN THAT IT WAS
LIKELY “SPEAR PHISHING”
DIRECTED TO A TARGET
EMPLOYEE WHO HAD ACCESS
12. APRIL 4, 2011 – Millions Exposed to
Potential IDENTITY THEFT!
Dallas – The customer lists of about 2500 corporate clients of
Dallas based EPSILON, a marketing company, were stolen by a
hacker over the weekend. These mailing lists are used to send
about 40 billion emails annually to the millions of clients and
customers of these 2500 companies. EPSILON has reported that
the data stolen consisted of customer names and email
addresses, but not personal financial data.
A comprehensive list of companies
known to have had their client email list
stolen includes (as of April 6, 2011):
13. 1-800-FLOWERS
AbeBook
AIR MILES Rewards
Ameriprise
Ann Taylor
Barclays Bank of Delaware
Barclay's L.L. Bean Visa
Beachbody
bebe
Benefit Cosmetics
Best Buy
Best Buy Reward Zone
BJ's Visa
Borders
Brookstone
Capital One
Catherine's
Charter Communications
Citi
City Market
College Board
Dell
Dillons
Disney Destinations
Eddie Bauer
Friends
Eileen Fisher
Ethan Allen
Eurosport Soccer Express
Food 4 Less
Fred Meyer
Fry's Electronics
Hilton Honors
Home Shoppers Network
Jay C
JPMorgan Chase
King Soopers
Kroger
Lacoste
Marks & Spence
Marriott Rewards
McKinsey Quarterly
MoneyGram
New York & Company
QFC
Ralphs
Red Roof Inn
Ritz-Carlton Rewards
Robert Half International
Scottrade
Smith Brands
Target
TD Ameritrade
TIAA-CREF
TiVo
TripAdvisor.com
US Bank
Verizon
Victoria's Secret
Viking River Cruises
Visa
Walgreens
World Financial Network
NOTE: Companies in
RED have a presence in
this area
14. The millions of customers of these
companies may become the targets of
PHISHING or SPEAR PHISHING.
PHISHING uses spoofed or counterfeit
duplicates of authentic websites for the
explicit purpose of IDENTITY THEFT. The
victim is tricked into entering valuable
personal information on the website.
Information solicited is typically credit or
debit card numbers, PIN numbers,
security codes, expiration dates, user
names, account numbers, and
passwords.
15. SPEAR PHISHING is a similar form of
IDENTITY THEFT but the emails are
targeted to specific users. Since the
cyber crook has the customer information
from these companies, they will likely be
selling that information or using it to send
out millions of SPAM emails that look
authentic, appearing to be from real
companies where the target victim really
has an account. This tends to improve
the success rate, with more victims
disclosing their personal information.
20. NOTE THAT THE CROOK IS ASKING
FOR THE DEBIT CARD NUMBER,
SECURITY CODE AND PIN NUMBER!
THIS WOULD NO LONGER BE YOUR
DEBIT CARD, AND YOUR ACCOUNT
WILL BE QUICKLY EMPTIED
24. Identity theft is not just an
unauthorized charge on a credit
card anymore.
Identity theft, according to the
Federal Trade Commission, “occurs
when someone uses your
personally identifying information,
like your name, Social Security
number or credit card number,
without your permission, to commit
fraud or other crimes.”
25. Types of Identifiers
• Personal:
–
–
–
–
–
Name and Date of Birth
Social Security Number
Address and phone numbers
Driver’s license and passport numbers
Mother’s maiden name; pet name; etc.
• Financial:
– Credit card numbers (including
security codes)
– Bank account numbers
– ATM Card and PIN numbers
– Insurance policy numbers
26. Official US Gov’t ID THEFT WEBSITE
http://www.ftc.gov/idtheft (redirects)
ftc.gov/idtheft (redirects)
29. 2013 IDENTITY THEFT REPORT
from JAVELIN RESEARCH (2/13)
Identity fraud incidents and amount
stolen increased—The number of identity
fraud incidents increased by one million more
consumers over the past year, and the dollar
amount stolen increased to $21 billion, a
three-year high but still significantly lower
than the all-time high of $47 billion in 2004.
This equates to 1 incident of identity fraud
every 3 seconds.
30. 1 in 4 data breach notification recipients
became a victim of identity fraud—This
year, almost 1 in 4 consumers that received
a data breach letter became a victim of
identity fraud, which is the highest rate since
2010. This underscores the need for
consumers to take all notifications seriously.
Not all breaches are created equal. The
study found consumers who had their Social
Security number compromised in a data
breach were 5 times more likely to be a fraud
victim than an average consumer.
SOURCE: Javelin Research 2/13
31. DECEMBER 12, 2013
http://www.bjs.gov
16.6 MILLION PEOPLE EXPERIENCED IDENTITY THEFT IN 2012
Financial losses totaled $24.7 billion
WASHINGTON – An estimated 16.6 million people,
representing 7 percent of all persons age 16 or older in the
United States, experienced at least one incident of identity
theft in 2012, the Justice Department’s Bureau of Justice
Statistics (BJS) announced today.
Financial losses due to personal identity theft totaled $24.7
billion, over $10 billion more than the losses attributed to all
other property crimes measured in the National Crime
Victimization Survey. About 14 percent of victims suffered
an out-of-pocket financial loss due to the most recent
incident of identity theft. Of the victims who experienced an
out-of-pocket loss, about half lost $99 or less.
32. In 2012, the misuse or attempted misuse of an
existing account was the most common type of
identity theft — experienced by 15.3 million
people. An estimated 7.7 million people reported
the fraudulent use of a credit card and 7.5
million reported the fraudulent use of a bank
account such as a debit, checking or savings
account. Another 1.1 million persons had their
information misused to open a new account,
and about 833,600 persons had their information
misused for other fraudulent purposes.
SOURCE: Victims of Identity Theft, 2012
(NCJ 243779)
37. Arizona, California, Florida, Texas, and Nevada are the top 5 states for Identity Theft
OHIO IS RANKED 29th IN
IDENTITY THEFT
Why are THESE
states in RED? The
answer is “Politically
Incorrect”
SOURCE: FTC
48. Now who can access the victims’ information?
This site was registered in Missouri, but hosted in TAIWAN!
Others were hosted in Germany, Mexico, India,
Czechoslovakia, and the Netherlands
49. LINK ABOVE LOOKS AUTHENTIC
There are only 5 questions that you must answer before you receive your $250 reward.
Once you click to submit your answers you are taken to a page that requests your
personal information along with your credit card number so that they can “credit your
account” the $250 reward.
50. NOW THE
CYBER CROOK
HAS ALL OF
YOUR
INFORMATION
INCLUDING
CREDIT CARD,
DL, AND
MOTHER’S
MAIDEN NAME.
WHAT CAN HE
DO WITH THIS
INFORMATION?
51. INCOME TAX PHISHING IS
MOST COMMON AROUND
TAX TIME.
NOTE THAT THIS RUSSIAN
CROOK WOULD HAVE
CREDIT CARD AND PIN
NUMBER
http://www.kotlovka.ru/picnews/help/www.irs.gov
53. Prevention – Personal Awareness
• Do not give out personal identifier information
over the phone or Internet.
• Stay informed about your personal financial
records with frequent checks of credit history,
bank records, i.e., extra or unknown transactions.
• Limit personal information on necessary public
distribution items (checks, business cards).
• Purchase a home shredder.
• Consider Identity Theft Insurance (controversial).
• PRACTICE “SAFE HEX”