
Social Engineering and Identity Theft
Module 10

Simplifying Security.

Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

05/16/2011, 11:16:54 AM PDT

Oakland Police Shut Down Bay Area-Wide Identity Theft Operation

OAKLAND - Calling it the biggest they have seen, Oakland police said Monday that an identity theft operation that manufactured phony checks, IDs and credit cards has been shut down.
Officials said there are potentially thousands of victims all over the Bay Area and in other states and the possibility of an untold amount of monetary loss.
Police Chief Anthony Batts said breaking up the operation is particularly important to law enforcement because identity theft "puts fear in everyone," including himself.
The operation, which Officer Holly Joshi called a "one stop shop" for identity theft, was run out of a Hayward apartment in the 21000 block of Foothill Boulevard, where resident Mishel Caviness Williams, 40, was arrested last week as she left the apartment. She had $4,000 in cash on her, police said.
http://www.mercurynews.com


Woman Sought in Theft

May 23, 2011

Suffolk police are seeking assistance locating a woman who allegedly took an elderly man's debit card and used it on several occasions. Police have five felony warrants on file for Lavonda "Goosie" Moore, 37, for credit card theft, credit card fraud, criminally receiving money, third offense petit larceny and identity theft.
Police say Moore took a debit card from the victim on Hill Street on May 15 and used it on multiple occasions at an ATM and at retail stores. There also is a warrant on file for Moore for third offense petit larceny in an unrelated case.
Moore's last known address is the 600 block of Brook Avenue. Anyone who has information on Moore's location is asked to call Crime Line at 1-888-LOCK-U-UP. Callers to Crime Line never have to give their names or appear in court, and may be eligible for a reward of up to $1,000.
http://www.suffolknewsherald.com


Identity Theft Statistics 2011

(Figure: infographic with the following values)
Adult victims of identity theft: 11.1 million
Fraud attacks on existing credit card accounts: 75%
The total fraud amount: $54 billion
Victims who knew crimes were committed: 13%
Percent of population victimized by identity fraud: 4.8%
http://www.spendonlife.com


Scenario

Consumer Complaint
I lost my purse in 2006. But surprisingly I got notices of bounced checks in 2007. About a year later, I received information that someone using my identity had bought a car. In 2008, I came to know that someone is using my Social Security Number for a number of years. A person got arrested and produced my SSN on his arrest sheet. I can't get credit because of this situation. I was denied a mortgage, employment, credit cards and medical care for my children.

http://www.networkworld.com

Module Objectives

- What is Identity Theft?
- Personal Information that Can be Stolen
- How do Attackers Steal Identity?
- What do Attackers do with Stolen Identity?
- Examples of Identity Theft
- How to Find if You are a Victim of Identity Theft?
- What to do if Identity is Stolen?
- Reporting Identity Theft
- Prosecuting Identity Theft
- Guidelines for Identity Theft Protection
- Guidelines for Protection from Computer Based Identity Theft
- IP Address Hiding Tools


Module Flow

- Identity Theft
- Social Engineering
- How to Find if You Are a Victim of Identity Theft
- What to Do if Identity Is Stolen
- Reporting Identity Theft
- Protection from Identity Theft


What is Identity Theft?

Identity theft or ID fraud refers to a crime where an offender wrongfully obtains key pieces of the intended victim's personal identifying information, such as date of birth, Social Security number, driver's license number, etc., and makes gain by using that personal data.

Identity theft effects:
- Financial losses
- Criminal charges
- Legal issues
- Denial of employment, health care facilities, mortgage, bank accounts and credit cards, etc.


Personal Information that Can be Stolen

- Names
- Address
- Date of birth
- Birth certificates
- Passport numbers
- Driving license numbers
- Social security numbers
- Credit card / bank account numbers
- Mother's maiden name
- Telephone numbers


How do Attackers Steal Identity?

Social Engineering: the act of manipulating people's trust to make them perform certain actions or divulge private information, without using technical cracking methods.

Phishing: fraudsters pretend to be a financial institution and send spam/popup messages to trick the user into revealing personal information.

Theft of Personal Stuff: fraudsters may steal wallets and purses, and mail including bank and credit card statements, pre-approved credit offers, and new checks or tax information.

Hacking: attackers may hack computer systems to steal confidential personal information.


What do Attackers do with Stolen Identity?

Credit Card Fraud
- They may open new credit card accounts in the name of the user and not pay the bills

Phone or Utilities Fraud
- They may open a new phone or wireless account in the user's name, or run up charges on his/her existing account
- They may use the user's name to get utility services such as electricity, heating, or cable TV

Other Fraud
- They may get a job using the legitimate user's Social Security number
- They may give the legitimate user's information to police during an arrest, and if they do not turn up for their court date, a warrant for arrest is issued in the legitimate user's name


What do Attackers do with Stolen Identity?

Bank/Finance Fraud
- They may create counterfeit checks using the victim's name or account number
- They may open a bank account in the victim's name and issue checks
- They may clone an ATM or debit card and make electronic withdrawals in the victim's name
- They may take a loan in the victim's name

Government Documents Fraud
- They may get a driving license or official ID card issued in the legitimate user's name but with their photo
- They may use the victim's name and Social Security number to get government benefits
- They may file a fraudulent tax return using the legitimate user's information


Identity Theft Example

(Figure: two identity documents, labeled "Original" and "Identity Theft", bearing the same name: TRENT CHARLES ARSENAUL)



Social Engineering

Social Engineering
- Social engineering is the art of convincing people to reveal confidential information
- It is the trick used to gain sensitive information by exploiting basic human nature

Social Engineers Attempt to Gather
- Sensitive information such as credit card details, social security number, etc.
- Passwords
- Other personal information

Types of Social Engineering
- Human-based social engineering
- Computer-based social engineering


Social Engineering Example

"Hi, we are from CONSESCO Software. We are hiring new people for our software development team. We got your contact number from popular job portals. Please provide details of your job profile, current project information, social security number, and your residential address."


Criminal as Phone Banker

"Hi, I am Mike calling from CITI Bank. Due to increasing threat perception, we are updating our systems with new security features. Can you provide me your personal details to verify that you are the real Stella?"

"Thanks Mike, here are my details. Do you need anything else?"


Authority Support Example

"Hi, I am John Brown. I'm with the external auditors Arthur Sanderson. We've been told by corporate to do a surprise inspection of your disaster recovery procedures. Your department has 10 minutes to show me how you would recover from a website crash."


Technical Support Example

A man calls a company's help desk and says he has forgotten his password. He adds that if he misses the deadline on a big advertising project, his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the attacker clear entrance into the corporate network.


Human-Based Social Engineering

Eavesdropping
- Eavesdropping is unauthorized listening to conversations or reading of messages
- It is the interception of any form of communication, such as audio, video, or written

Shoulder surfing
- Shoulder surfing is the procedure where attackers look over the user's shoulder to gain critical information such as passwords, personal identification numbers, account numbers, credit card information, etc.
- The attacker may also watch the user from a distance using binoculars in order to get the pieces of information

Dumpster diving
- Dumpster diving includes searching for sensitive information in the target company's trash bins, printer trash bins, user desks (for sticky notes), etc.
- It involves collection of phone bills, contact information, financial information, operations-related information, etc.


Computer-Based Social Engineering

Hoax Letters
- Hoax letters are emails that issue warnings to the user on new viruses, Trojans, or worms that may harm the user's system

Chain Letters
- Chain letters are emails that offer free gifts such as money and software on the condition that the user has to forward the mail to the said number of persons

Popup Windows
- Windows that suddenly pop up while surfing the Internet and ask for the user's information to log in or sign in

Instant Chat Messenger
- Gathering personal information by chatting with a selected online user to get information such as birth dates and maiden names

Spam Email
- Irrelevant, unwanted, and unsolicited email sent to collect financial information, social security numbers, and network information


Computer-Based Social Engineering: Phishing

An illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user's personal or account information.
Phishing emails or popups redirect users to fake web pages mimicking trustworthy sites that ask them to submit their personal information.

(Figure: Fake Bank Webpage)
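Added example (not part of the module's material): a small Python check that flags the lure traits described above in an HTML email body. It reports links whose visible text shows a URL on a different domain than the real href, hosts that contain a trusted brand name but are not the brand's real domain, and credential pages served over plain http. The sample email, the trusted-domain allow-list and the naive registrable-domain rule are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email body imitating a bank "account locked" notice.
SAMPLE_EMAIL_HTML = """<p>Dear customer, your account has been locked.</p>
<p>Please <a href="http://citibank-secure-login.example.net/verify">log in at
https://www.citibank.com</a> to confirm your details.</p>
<p>Support: <a href="https://www.citibank.com/help">Help centre</a></p>"""

# Assumed allow-list: registrable domains the trusted brands really use.
TRUSTED_DOMAINS = {"citibank.com"}
URL_RE = re.compile(r"https?://[^\s<>\"]+")

class _LinkExtractor(HTMLParser):
    # Collects (href, visible text) for every <a> element in the email body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def registrable_domain(url):
    # Naive "last two labels" rule; adequate for the .com/.net hosts used here (assumption).
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def analyse_links(html):
    """Return [(href, [reasons])] for links that show the lure traits above."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        target = registrable_domain(href)
        host = (urlparse(href).hostname or "").lower()
        shown = URL_RE.search(text)  # a URL spelled out in the link's visible text
        if shown and registrable_domain(shown.group(0)) != target:
            reasons.append("visible URL domain differs from href domain")
        for brand in TRUSTED_DOMAINS:  # brand name inside a host that is not the brand's
            if brand.split(".")[0] in host and target != brand:
                reasons.append(f"lookalike of trusted brand {brand}")
        if urlparse(href).scheme == "http" and re.search(r"login|verify|signin", href, re.I):
            reasons.append("credential page over plain http")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running analyse_links(SAMPLE_EMAIL_HTML) flags only the first link, with all three reasons, while the genuine help-centre link passes.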


Phony Security Alerts

- Phony security alerts are emails or popup windows that seem to be from a reputed hardware or software manufacturer like Microsoft, Dell, etc.
- They warn/alert the user that the system is infected and provide an attachment or a link in order to patch the system
- Scammers suggest the user download and install those patches
- The trap is that the file contains malicious programs that may infect the user's system


Computer-Based Social Engineering through Social Networking Websites

Computer-based social engineering is carried out through social networking websites such as Orkut, Facebook, MySpace, LinkedIn, Twitter, etc.
Attackers use these social networking websites to exploit users' personal information.



How to Find if You are a Victim of Identity Theft?

- Bill collection agencies contact you for overdue debts you never incurred
- You receive bills, invoices, or receipts addressed to you for goods or services you haven't asked for
- You no longer receive your credit card or bank statements
- You notice that some of your mail seems to be missing
- Your request for a mortgage or any other loan is rejected citing your bad credit history despite you having a good credit record


How to Find if You are a Victim of Identity Theft?

- You get something in the mail about an apartment you never rented, a house you never bought, or a job you never held
- You lose important documents such as your passport or driving license
- You receive a credit card statement with a new account
- You identify irregularities in your credit card and bank statements
- You are denied social benefits citing that you are already claiming



What to do if Identity is Stolen?

Contact the credit reporting agencies:
http://www.experian.com
http://www.equifax.com
http://www.transunion.com

- Immediately inform credit bureaus and establish fraud alerts
- Request a credit report
- Review the credit reports and alert the credit agencies
- Freeze the credit reports with credit reporting agencies
- Contact all of your creditors and notify them of the fraudulent activity
- Change all the passwords of online accounts
- Close the accounts that you know or believe have been tampered with or opened fraudulently


What to Do if Identity Is Stolen?

- File a report with the local police or the police in the community where the identity theft took place
- Take advice from police and reporting agencies about how to protect yourself from further identity compromise
- File a complaint with identity theft and cyber crime reporting agencies such as the FTC
- Tell the debt collectors that you are a victim of fraud and are not responsible for the unpaid bill
- Ask the credit card company about new account numbers
- Ask the bank to report the fraud to a consumer reporting agency such as ChexSystems that compiles reports on checking accounts


Federal Trade Commission

The Federal Trade Commission, the nation's consumer protection agency, collects complaints about companies, business practices, and identity theft.

http://www.ftc.gov


econsumer.gov

econsumer.gov is a portal for you as a consumer to report complaints about online and related transactions with foreign companies.

http://www.econsumer.gov


Internet Crime Complaint Center

The Internet Crime Complaint Center's (IC3) mission is to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime.
The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA).

http://www.ic3.gov


Prosecuting Identity Theft

- Begin the process by contacting the bureaus, banks, or any other organizations who may be involved
- File a formal complaint with the organization and with the police department
- File a complaint with the Federal Trade Commission and complete affidavits to prove your innocence on the claims of identity theft and fraudulent activity
- Obtain a copy of the police complaint to prove to the organizations that you have filed an identity theft complaint
- Contact the District Attorney's office for further prosecuting the individuals who may be involved in the identity theft
- Regularly update yourself regarding the investigation process to ensure that the case is being dealt with properly



Hiding IP Address Using Quick Hide IP Tool

Quick Hide IP hides your internet identity so you can surf the web while hiding your real IP and location.
It redirects the Internet traffic through anonymous proxies. Websites you are visiting see the IP address of the proxy server instead of your own IP address.

http://www.quickhideip.com


IP Address Hiding Tools

- UltraSurf: http://www.ultrareach.com
- Hide IP NG: http://www.hideipsoft.com
- Hide My IP: http://www.hidemyip.com
- TOR: http://www.torproject.org
- IP Hider: http://www.iphider.org
- Anonymizer Universal: http://www.anonymizer.com
- AntiTracks: http://www.giantmatrix.com
- Hide The IP: http://www.hidetheip.com


Module Summary

- Identity theft is the process of using someone else's personal information for the personal gain of the offender
- Criminals look through trash for bills or other paper with personal information on it
- Criminals call the victim impersonating a government official or other legitimate business people and request personal information
- Keep the computer operating system and other applications up to date
- Do not reply to unsolicited email that asks for personal information
- Use strong passwords for all financial accounts
- Review bank/credit card statements and credit reports regularly


Identity Theft Protection Checklist

- Never give away social security information or private contact information on the phone unless YOU initiated the phone call
- Keep your Social Security card, passport, license, and other valuable personal information hidden and locked up
- Ensure that your name is not present in the marketers' hit lists
- Shred papers with personal information instead of throwing them away
- Confirm who you are dealing with, i.e., a legitimate representative or a legitimate organization, over the phone
- Carry only necessary credit cards
- Cancel cards seldom used
- Review credit reports regularly


Identity Theft Protection Checklist

- Do not carry your Social Security card in your wallet
- Do not reply to unsolicited email requests for personal information
- Do not give personal information over the phone
- Review bank/credit card statements regularly
- Shred credit card offers and convenience checks that are not useful
- Do not store any financial information on the system and use strong passwords for all financial accounts
- Check the telephone and cell phone bills for calls you did not make
- Read before you click, stop pre-approved credit offers, and read website privacy policies


Computer Based Identity Theft Protection Checklist

- Keep the computer operating system and other applications up to date
- Install antivirus software and scan the system regularly
- Enable firewall protection
- Check for website policies before you enter
- Be careful while opening email attachments
- Clear the browser history, logs, and recently opened files every time
- Check for secured websites while transmitting sensitive information

