CSCU Module 10 Social Engineering and Identity Theft.pdf
March 28, 2017 | Author: Sandeep Roy | Category: N/A
Module 10: Social Engineering and Identity Theft
Simplifying Security.
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Oakland Police Shut Down Bay Area-Wide Identity Theft Operation
05/16/2011, 11:16:54 AM PDT
OAKLAND -- Calling it the biggest they have seen, Oakland police said Monday that an identity theft operation that manufactured phony checks, IDs and credit cards has been shut down. Officials said there are potentially thousands of victims all over the Bay Area and in other states and the possibility of an untold amount of monetary loss. Police Chief Anthony Batts said breaking up the operation is particularly important to law enforcement because identity theft "puts fear in everyone," including himself. The operation, which Officer Holly Joshi called a "one-stop shop" for identity theft, was run out of a Hayward apartment in the 21000 block of Foothill Boulevard, where resident Mishel Caviness-Williams, 40, was arrested last week as she left the apartment. She had $4,000 in cash on her, police said.
http://www.mercurynews.com
Woman Sought in Theft
May 23, 2011
Suffolk police are seeking assistance locating a woman who allegedly took an elderly man's debit card and used it on several occasions. Police have five felony warrants on file for Lavonda "Goosie" Moore, 37, for credit card theft, credit card fraud, criminally receiving money, third offense petit larceny and identity theft. Police say Moore took a debit card from the victim on Hill Street on May 15 and used it on multiple occasions at an ATM and at retail stores. There also is a warrant on file for Moore for third offense petit larceny in an unrelated case. Moore's last known address is the 600 block of Brook Avenue. Anyone who has information on Moore's location is asked to call Crime Line at 1-888-LOCK-U-UP. Callers to Crime Line never have to give their names or appear in court, and may be eligible for a reward of up to $1,000.
http://www.suffolknewsherald.com
Identity Theft Statistics 2011 (figure)
- Adults who were victims of identity theft: 11.1 million
- Percent of population victimized by identity fraud: 4.8%
- Total fraud amount: $54 billion
- Fraud attacks on existing credit card accounts: 75%
- Victims who knew crimes were committed: 13%
http://www.spendonlife.com
Scenario: Consumer Complaint
"I lost my purse in 2006. But surprisingly I got notices of bounced checks in 2007. About a year later, I received information that someone using my identity had bought a car. In 2008, I came to know that someone had been using my Social Security Number for a number of years. A person got arrested and produced my SSN on his arrest sheet. I can't get credit because of this situation. I was denied a mortgage, employment, credit cards and medical care for my children."
http://www.networkworld.com
Module Objectives
- What is Identity Theft?
- Personal Information that Can be Stolen
- How do Attackers Steal Identity?
- What do Attackers do with Stolen Identity?
- Examples of Identity Theft
- How to Find if You are a Victim of Identity Theft?
- What to do if Identity is Stolen?
- Reporting Identity Theft
- Prosecuting Identity Theft
- Guidelines for Identity Theft Protection
- Guidelines for Protection from Computer Based Identity Theft
- IP Address Hiding Tools
Module Flow
- Identity Theft
- Social Engineering
- How to Find if You Are a Victim of Identity Theft
- What to Do if Identity Is Stolen
- Reporting Identity Theft
- Protection from Identity Theft
What is Identity Theft?
Identity theft, or ID fraud, is a crime in which an offender wrongfully obtains key pieces of the intended victim's personal identifying information, such as date of birth, Social Security number, or driver's license number, and profits by using that personal data.
Identity Theft Effects:
- Financial losses
- Criminal charges
- Legal issues
- Denial of employment, health care, mortgages, bank accounts, credit cards, etc.
Personal Information that Can be Stolen
- Names
- Address
- Date of birth
- Birth certificates
- Passport numbers
- Driving license numbers
- Credit card/bank account numbers
- Mother's maiden name
- Social Security numbers
- Telephone numbers
How do Attackers Steal Identity?
- Social Engineering: manipulating people's trust so that they perform certain actions or divulge private information, without using technical cracking methods
- Phishing: fraudsters pretend to be a financial institution and send spam or pop-up messages to trick the user into revealing personal information
- Hacking: attackers break into computer systems to steal confidential personal information
- Theft of Personal Stuff: fraudsters steal wallets and purses, and mail including bank and credit card statements, pre-approved credit offers, new checks, or tax information
What do Attackers do with Stolen Identity?
Credit Card Fraud
- They may open new credit card accounts in the user's name and not pay the bills
Phone or Utilities Fraud
- They may open a new phone or wireless account in the user's name, or run up charges on his/her existing account
- They may use the user's name to get utility services such as electricity, heating, or cable TV
Other Fraud
- They may get a job using the legitimate user's Social Security number
- They may give the legitimate user's information to police during an arrest; if they do not turn up for their court date, an arrest warrant is issued in the legitimate user's name
What do Attackers do with Stolen Identity? (continued)
Bank/Finance Fraud
- They may create counterfeit checks using the victim's name or account number
- They may open a bank account in the victim's name and issue checks on it
- They may clone an ATM or debit card and make electronic withdrawals in the victim's name
- They may take out a loan in the victim's name
Government Documents Fraud
- They may get a driving license or official ID card issued in the legitimate user's name but with their own photo
- They may use the victim's name and Social Security number to get government benefits
- They may file a fraudulent tax return using the legitimate user's information
Identity Theft Example (figure): an original ID shown beside the identity-theft copy bearing the same name, TRENT CHARLES ARSENAUL
Social Engineering
- Social engineering is the art of convincing people to reveal confidential information
- It is a trick used to gain sensitive information by exploiting basic human nature
Social Engineers Attempt to Gather:
- Sensitive information such as credit card details, Social Security numbers, etc.
- Passwords
- Other personal information
Types of Social Engineering:
- Human-based social engineering
- Computer-based social engineering
Social Engineering Example
"Hi, we are from CONSESCO Software. We are hiring new people for our software development team. We got your contact number from popular job portals. Please provide details of your job profile, current project information, social security number, and your residential address."
Criminal as Phone Banker
Caller: "Hi, I am Mike calling from CITI Bank. Due to the increasing threat perception, we are updating our systems with new security features. Can you provide me with your personal details to verify that you are the real Stella?"
Stella: "Thanks Mike, here are my details. Do you need anything else?"
Authority Support Example
"Hi, I am John Brown. I'm with the external auditors Arthur Sanderson. We've been told by corporate to do a surprise inspection of your disaster recovery procedures. Your department has 10 minutes to show me how you would recover from a website crash."
Technical Support Example
A man calls a company's help desk and says he has forgotten his password. He adds that if he misses the deadline on a big advertising project, his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the attacker clear entrance into the corporate network.
Human-Based Social Engineering
Eavesdropping
- Eavesdropping is the unauthorized listening to conversations or reading of messages
- It is the interception of any form of communication: audio, video, or written
Shoulder surfing
- Shoulder surfing is the procedure in which attackers look over the user's shoulder to gain critical information such as passwords, personal identification numbers, account numbers, credit card information, etc.
- The attacker may also watch the user from a distance using binoculars to pick up pieces of information
Dumpster diving
- Dumpster diving involves searching for sensitive information in the target company's trash bins, printer trash bins, users' desks (sticky notes), etc.
- It yields phone bills, contact information, financial information, operations-related information, etc.
Computer-Based Social Engineering
Hoax Letters
- Hoax letters are emails that issue warnings to the user about new viruses, Trojans, or worms that may harm the user's system
Chain Letters
- Chain letters are emails that offer free gifts such as money and software on the condition that the user forwards the mail to a stated number of people
Instant Chat Messenger
- Gathering personal information by chatting with a selected online user to obtain details such as birth dates and maiden names
Pop-up Windows
- Windows that suddenly pop up while surfing the Internet and ask for the user's information to log in or sign in
Spam Email
- Irrelevant, unwanted, and unsolicited email used to collect financial information, Social Security numbers, and network information
Computer-Based Social Engineering: Phishing
- An illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user's personal or account information
- Phishing emails or pop-ups redirect users to fake webpages mimicking trustworthy sites, which ask them to submit their personal information
(Figure: Fake Bank Webpage)
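The phishing indicators this slide describes (a message that mimics a trusted site and leads to a fake page), checked mechanically in an added Python example that is not part of the CSCU module; the trusted-domain allowlist and the sample HTML email are constructed for illustration.

```python
# Added example (not from the CSCU module): flag the phishing indicators the
# slide describes (a message mimicking a trusted site) in an HTML email body.
# TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed for illustration.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com"}  # constructed allowlist of real brands

SAMPLE_EMAIL = """<p>Dear customer, your account is locked. Verify now:</p>
<a href="http://example-bank.com.verify-login.net/update">www.example-bank.com</a>
<a href="https://example-bank.com/help">Help centre</a>"""  # constructed


def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (fine for .com-style names)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(html: str) -> list:
    """Return human-readable warnings for each suspicious link in the email."""
    parser = LinkCollector()
    parser.feed(html)
    warnings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        # 1. Plain HTTP on a verification link: no TLS, so no proof of site identity.
        if url.scheme == "http":
            warnings.append(f"link not secured (http): {href}")
        # 2. A bare IP address in place of a brand's domain name.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            warnings.append(f"link points at a bare IP address: {href}")
        # 3. The visible text shows one domain while the href leads to another.
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and registered_domain(shown.group(0)) != registered_domain(host):
            warnings.append(f"displayed '{text}' but links to {host}")
        # 4. Lookalike host: trusted brand name embedded in an unrelated domain.
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in host and registered_domain(host) != trusted:
                warnings.append(f"lookalike of {trusted}: {host}")
    return warnings
```

Running `phishing_indicators(SAMPLE_EMAIL)` reports three warnings for the first link (plain HTTP, displayed domain differs from the real host, brand name embedded in an unrelated domain) and none for the genuine help link.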
Phony Security Alerts
- Phony security alerts are emails or pop-up windows that seem to come from reputed hardware or software manufacturers such as Microsoft or Dell
- They warn the user that the system is infected and provide an attachment or a link that supposedly patches the system
- Scammers suggest that the user download and install those patches
- The trap is that the file contains malicious programs that may infect the user's system
Computer-Based Social Engineering through Social Networking Websites
- Computer-based social engineering is carried out through social networking websites such as Orkut, Facebook, MySpace, LinkedIn, Twitter, etc.
- Attackers use these social networking websites to exploit users' personal information
How to Find if You are a Victim of Identity Theft?
- Bill collection agencies contact you for overdue debts you never incurred
- You receive bills, invoices, or receipts addressed to you for goods or services you haven't asked for
- You no longer receive your credit card or bank statements
- You notice that some of your mail seems to be missing
- Your request for a mortgage or any other loan is rejected citing a bad credit history despite your having a good credit record
How to Find if You are a Victim of Identity Theft? (continued)
- You get something in the mail about an apartment you never rented, a house you never bought, or a job you never held
- You lose important documents such as your passport or driving license
- You receive a credit card statement for a new account you did not open
- You identify irregularities in your credit card and bank statements
- You are denied social benefits on the grounds that you are already claiming them
What to do if Identity is Stolen?
- Contact the credit reporting agencies: http://www.experian.com, http://wwwc.equifax.com, http://www.transunion.com
- Immediately inform the credit bureaus and establish fraud alerts
- Request a credit report
- Review the credit reports and alert the credit agencies
- Freeze the credit reports with the credit reporting agencies
- Contact all of your creditors and notify them of the fraudulent activity
- Change all the passwords of your online accounts
- Close the accounts that you know or believe have been tampered with or opened fraudulently
What to Do if Identity Is Stolen? (continued)
- File a report with the local police or the police in the community where the identity theft took place
- Take advice from the police and reporting agencies about how to protect yourself from further identity compromise
- File a complaint with identity theft and cybercrime reporting agencies such as the FTC
- Tell the debt collectors that you are a victim of fraud and are not responsible for the unpaid bill
- Ask the credit card company about new account numbers
- Ask the bank to report the fraud to a consumer reporting agency such as ChexSystems, which compiles reports on checking accounts
Federal Trade Commission
The Federal Trade Commission, the nation's consumer protection agency, collects complaints about companies, business practices, and identity theft.
http://www.ftc.gov
econsumer.gov
econsumer.gov is a portal for you as a consumer to report complaints about online and related transactions with foreign companies.
http://www.econsumer.gov
Internet Crime Complaint Center
The Internet Crime Complaint Center's (IC3) mission is to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime. The IC3 is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA).
http://www.ic3.gov
Prosecuting Identity Theft
- Begin the process by contacting the bureaus, banks, or any other organizations that may be involved
- File a formal complaint with the organization and with the police department
- File a complaint with the Federal Trade Commission and complete affidavits to prove your innocence of the claims of identity theft and fraudulent activity
- Obtain a copy of the police complaint to prove to the organizations that you have filed an identity theft complaint
- Contact the District Attorney's office about prosecuting the individuals who may be involved in the identity theft
- Regularly update yourself on the investigation to ensure that the case is being dealt with properly
Hiding IP Address Using Quick Hide IP Tool
- Quick Hide IP hides your Internet identity so you can surf the web while hiding your real IP address and location
- It redirects Internet traffic through anonymous proxies
- Websites you visit see the IP address of the proxy server instead of your own IP address
http://www.quick-hide-ip.com
IP Address Hiding Tools
- UltraSurf: http://www.ultrareach.com
- Hide IP NG: http://www.hide-ip-soft.com
- Hide My IP: http://www.hide-my-ip.com
- TOR: http://www.torproject.org
- IP Hider: http://www.iphider.org
- Anonymizer Universal: http://www.anonymizer.com
- Anti Tracks: http://www.giantmatrix.com
- Hide The IP: http://www.hide-the-ip.com
Module Summary
- Identity theft is the process of using someone else's personal information for the personal gain of the offender
- Criminals look through trash for bills or other papers with personal information on them
- Criminals call the victim impersonating a government official or other legitimate business people and request personal information
- Keep the computer operating system and other applications up to date
- Do not reply to unsolicited email that asks for personal information
- Use strong passwords for all financial accounts
- Review bank/credit card statements and credit reports regularly
Identity Theft Protection Checklist
- Never give away Social Security information or private contact information on the phone unless YOU initiated the phone call
- Keep your Social Security card, passport, license, and other valuable personal information hidden and locked up
- Ensure that your name is not present in the marketers' hit lists
- Shred papers with personal information instead of throwing them away
- Confirm who you are dealing with over the phone, i.e., a legitimate representative of a legitimate organization
- Carry only necessary credit cards
- Cancel cards seldom used
- Review credit reports regularly
Identity Theft Protection Checklist (continued)
- Do not carry your Social Security card in your wallet
- Do not reply to unsolicited email requests for personal information
- Do not give personal information over the phone
- Review bank/credit card statements regularly
- Shred credit card offers and "convenience checks" that are not useful
- Do not store any financial information on the system, and use strong passwords for all financial accounts
- Check the telephone and cell phone bills for calls you did not make
- Read before you click, stop pre-approved credit offers, and read website privacy policies
Computer Based Identity Theft Protection Checklist
- Keep the computer operating system and other applications up to date
- Install antivirus software and scan the system regularly
- Enable firewall protection
- Check website policies before you enter information
- Be careful while opening email attachments
- Clear the browser history, logs, and recently opened files every time
- Check for secured websites while transmitting sensitive information