1. Identity Theft: What it is, How it Occurs, And How to Protect Your Business
A Presentation by Matt Smith, President of Litchfield County Computer, L.L.C.
2. What is Identity Theft
Identity theft is when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes.
27.3 million Americans have been victims of identity theft within the last 5 years.
Between 2008 and 2009 identity theft increased 11%, affecting 11 million Americans (1 in 20).
If you have received a notice in the mail indicating that your data has been breached, your chances of ID theft go up to 1 in 4.
3. The Two Types of Identity Theft
There are two types of identity theft that can impact your business:
Personal identity theft of your customers
The theft of your business identity
Both types of identity theft can hurt your business. I will talk mostly about personal identity theft.
4. How Criminals get your Customer’s Information
Business records get stolen
Shoulder Surfing
Dumpster Diving
Pretending to be someone of authority from your company
Internet based attacks (known as online identity theft)
Skimming
Phishing
WLAN Security
Photocopiers
5. How Criminals get your Customer’s Information: Internet based attacks
Credit card and other personal information is stored in a database by an online merchant.
These databases require Internet access in order to operate.
The database is broken into, allowing for large amounts of personal information to be stolen.
6. The TJX Security Breach
TJX is the parent company of Marshalls, TJMAXX, and several other retail stores.
Sometime in the summer of 2005, two attackers broke into the wireless network of the Marshalls in St. Paul, MN and Miami, FL.
Once they were inside the store’s network, they were able to break into TJX headquarters.
A confirmed 45.7 million credit and debit card numbers were stolen. This is the second largest data breach in U.S. history.
7. How Criminals get your Customer’s Information: Skimming
Skimming is the act of running a credit card through a device that is designed to capture and store the information on many credit cards for easy access later by a computer.
You can also skim a card by writing down the card information on a piece of paper when the card is out of sight.
Corrupt employees will sometimes hide a skimmer under a counter.
8. How Criminals get your Customer’s Information: Skimming
Picture of a skimmer
9. How Criminals get your Customer’s Information: Phishing
Phishing is when someone tries to get your information by putting a fake banking (or other) site on the Internet. Once the site is online, the phisher will send out spam emails looking for victims.
These spam emails will look and sound official. However, they are merely traps to get your customers to reveal their personal information.
10. How Criminals get your Customer’s Information: Phishing
The would-be phisher will steal your website’s code and then use it to set up a clone website that will capture your customer’s data and send it to the phisher.
11. How Criminals get your Customer’s Information: WLAN Security
Another major problem for businesses is wireless network security.
All too often a business will just install a wireless network because it’s convenient, without realizing the security risks.
Wireless networking technology does support encryption. However, this encryption can be broken with the use of the proper tools.
12. How Criminals get your Customer’s Information: WLAN Security
If your business is on a main road or other high-traffic location, or has a large parking lot, wireless networking should be avoided altogether because it can allow an attacker enough time to probe your network and break into it without being seen.
Once an attacker actually gets into your network, he can sit outside undetected and steal data with impunity.
13. How Criminals get your Information: Photocopiers
Photocopiers made in the last 6 years have the same hard drives that computers do.
These hard drives are used to store every document the copier has ever copied. This data has very little chance of being overwritten.
14. How Criminals get your Information: Photocopiers
These hard drives can be stolen from the copier, revealing personal information.
They also become a problem after the copier is disposed of.
Sharp and Xerox make security kits. However, the security kit must be applied to the copier.
15. Business Responsibilities
Businesses are required under the Fair Credit Reporting Act to turn over any records that may assist an ID theft investigation.
Victims can ask a law enforcement officer (LEO) for assistance.
All requests are made in writing.
Once a request is received, the business has 30 days to turn over the requested materials.
16. Business Responsibilities
The business has the right to refuse to provide the records if:
You can’t verify the identity of the victim.
The request is based on a misrepresentation.
The request involves a customer’s web surfing habits.
Another State or Federal law prohibits the request.
17. The Red Flags Rule
This is an FTC rule that businesses that grant large loans or allow people to defer payment must comply with.
The rule states that businesses must identify red flags that could signal customer ID theft. These red flags are specific to the type of business.
A written program for addressing red flags is required.
18. The Red Flags Rule
The best way to know if your business has to comply with the red flags rule is to read the document that is provided by the FTC. This document can be found by typing “ftc red flag rules” without the quotes.
20. Business Identity Theft
Consumers are no longer the only ones that are subject to identity theft.
Businesses are separate entities with their own set of identifying information that is subject to theft.
The huge credit lines of businesses can be an attractive target.
21. Business Identity Theft - Methods
Dumpster Diving
Phishing
Mail Theft
The “bust out”
22. Business Identity Theft – Bust Out
The “bust out” is a simple tactic where a criminal will rent space in the same building that your business is in, then apply for credit cards using your business name.
Because the physical addresses match up, the credit requests are not flagged.
Once the criminal has the cards, they are sold on the street.
23. Business Identity Theft – Bust Out
Another technique is to use the cards to purchase expensive goods that may not be discovered for 6 months or more.
24. Difficulties Getting Your Identity Back
Because it’s so new, small and medium businesses do not have the same legal protections that consumers do.
There are legal gaps in the current law.
California has taken the lead in laws to protect and recover business identities.
Credit card companies are also putting procedures into place.
25. Difficulties Getting Your Identity Back
One other issue that holds progress back is that companies do not want to publicly admit that their identity has been stolen.
26. If Your Identity is Stolen
1. Contact your local Police Department and have them file a police report. Although they will not be able to do much else other than file a report, you will NEED a police report for later steps to help prove that there has been a crime. Make sure that you get a copy of the police report.
2. Cancel all accounts where the suspicious activity was seen. This includes credit and debit cards.
27. If Your Identity is Stolen
3. Contact the 3 credit bureaus. They are http://www.equifax.com, http://www.experian.com, and http://www.transunion.com. They will place a fraud alert on your account(s). If you skip this step, you run the risk of the identity thief being able to reopen the accounts you had closed in step 2.
4. Contact the FTC at http://www.consumer.gov/idtheft and file a report.
28. If Your Identity is Stolen
5. Contact your creditors and inform them of the situation. Provide copies of your police report if requested.