Protect yourself against the fastest growing crime in America: identity theft!
This year, nearly one million people will become victims of the fastest growing crime in America: identity theft. Now, there's a complete guide to preventing it, detecting it, and recovering from it. Written for technology professionals, security specialists, law enforcement professionals, and technology-aware laypeople, Identity Theft covers every facet of the problemand every countermeasure. It's an indispensable resourcewhether you want to protect yourself, your customers, or your citizens.
From simple personal steps you can take right now, to state-of-the-art biometrics and encryption solutions, John R. Vacca covers everything you need to know to fight identity theftand win.
Click here for a sample chapter for this book: 0130082759.pdf
I. IDENTITY THEFT FUNDAMENTALS.1. Identity Theft Defined.
What Is Identity Theft? How Identity Theft Is Done. Where There's Help. Getting Serious About Identity Theft. An Age of Betrayal.2. Minimizing Your Risk of Identity Theft. Guarding Against Identity Theft to Minimize Your Risk. Basic Security Precautions. Identifying Documents. End Notes.
Detecting Your Misappropriated Identity. Reporting ID Theft. Recovering From Identity Theft. When All Else Fails, Sue! Endnotes.
II. IDENTITY THEFT PROTECTION ON THE INTERNET.4. Identity Theft on the Internet.
Understanding Internet Identity Theft. Types of Associated Internet Identity Theft Crimes. Role of Privacy And Security Policies. Government Action and Public Policy. Endnotes.5. Prevention Methods for Internet Site Operators.
Inadequate Protection. Identity Theft Is Easy. Battening Down The Hatches. Not Just ISPs. Online Identity Theft and Fraud Prevention. ID Theft and Fraud Protection Plan for E-Business. Preparing Your Site for Any Holiday. Insurance and E-Commerce: Cyberliabilities. International Addresses and AVSs. The Future Benefits. Endnotes.6. Protecting the Identity Information of Customers.
The Internet Itself. Consumer and Corporate Identity Theft Protection Implementation and Deployment. Identity-Theft-Related Risks and Threats. Web Site Identity Theft Provisions. Web Identity Theft Protection Verification. Endnotes.7. Internet Site Operator Testing and Performance of Identity Theft Protection Techniques.
Identity Theft Protection Principles. Design and Testing Techniques. Identity Theft and Your Web Site. Endnotes.
III. IDENTITY PROTECTION FOR CORPORATIONS.8. Protecting the Identity Information of Customers and Employees.
Identity Theft Crimes. Identity Theft Offenders. Which Customers Are at Risk? Internal and External Identity Theft Offenders. Identity Theft Information Protection Measures. Planning for Identity Theft Liability. Endnotes.9. Guidelines for Protecting the Identity and Confidentiality of Personal Information When Working Outside the Corporate Office.
Other Sensitive Information. Identity Theft Legislation. Removing Records From the Office. Paper Records. Electronic Records. Laptop and Home Computers. Wireless Technology. Telephones and Voice Mail. Email, Faxes, and Photocopies. Conversations Outside the Office. Reporting Requirements.10. Management of Ongoing Identity Theft Prevention and Protection Techniques.
Management of Electronic Records. Neural Networks. Postfraud. Processing Internet Charges. Rerouting Shipments. Internet Privacy Policies. Endnotes.
IV. IDENTITY THEFT FUTURE SOLUTIONS AND TECHNOLOGIES.11. Biometrics.
How Biometric Systems Work. Types of Biometrics. Privacy-Enhanced Biometrics-Based Authentication. Biometrics and DNA at Work: Are They Cost Prohibitive for Identity Theft Protection? Benefits. Some Final Thoughts. Endnotes.12. Digital Signatures: Smart, Optical, and Other Advanced Cards.
Three Levels of Security. A Few Kinks to Work out. Smart, Optical, and Other Advanced Cards. Using Smart Cards to Secure E-Business Applications. Using Biometrics in Smart Card Information and Operations. Optical Memory Cards. The National ID Card: Is Big Brother Watching? Endnotes.13. Encryption.
What Is Email Encryption and How Does It Work? Symmetric Key Encryption. Asymmetric Encryption. Digital Signatures. Types of Email Encryption Products. Next Steps. Endnotes.14. E-Commerce Security.
The Vulnerability of Open Networks. Inadequate Privacy Laws, Policies, and Technologies. Privacy Solutions. E-Commerce Fraud Detection Solutions. Endnote.15. Data Mining.
Information Storage. What Is Data Mining? Examples of Data Mining. The Implications of Data Mining in the Context of Fair. Information Practices. Consumers and Businesses: Choices to Consider. Endnote.16. Summary, Conclusions, and Recommendations.
Summary. Recommendations. Final Words. Endnotes.
APPENDICES.Appendix A. Identity Theft Federal Laws Listing.
Identity Theft and Assumption Deterrence Act. Credit Laws.Appendix B. Identity Theft State Laws Listing.
Reports. Testimony. Comments.Appendix D. Identity Theft Cases and Scams Listing.
Cases. Scams.Appendix E. Identity Theft Affidavit.
Identity theft is the fastest growing crime in America. Based on credit bureau statistics, the Privacy Rights Clearinghouse estimates that between 700,000 and 900,000 Americans were victims of identity theft in 2001. According to a study of identity theft crimes performed by the Federal Trade Commission (FTC), the majority of cases relate to credit card fraud.
Usually, the first notice that consumers get that someone has fraudulently assumed their identity is either a call from a collection agency demanding payment on an overdue credit account that they never opened or when their own monthly billing statements do not arrive in the mail because the address on their account had been changed by an identity thief. Most victims never learn how the identity thieves accessed their personal information, although according to the FTC's study of reported cases, 48% resulted from a stolen wallet or purse.
The 1990s spawned this new variety of crooks whose stock in trade is the personal information available in your everyday transactions. Almost every transaction you make requires you to share some kind of personal information: getting money from your bank, charging to your credit card, making a long-distance phone call, or even getting your mail. An identity thief co-opts some piece of your personal information and appropriates it without your knowledge to commit fraud or theft. It can be as simple as a waiter or a clerk stealing your credit card number.
You might think your good name is invaluable, but on the street it sells for about $25-like the fake Michigan driver's license that bore Jane Sprayberry's name, but another woman's photo. With it, the impersonator walked into an American Express office, claimed she'd lost her credit card, and asked for a replacement. The helpful customer representative handed one over, and the thief's shopping spree began. The binge included stops at a jewelry shop, two appliance stores, and Saks Fifth Avenue. The impersonator even bought Versace underwear, according to Sprayberry, who is more of the T.J. Maxx type.
It was deja vu for Sprayberry: Her husband, Mark Sutton, had been the target of the same crime just one week before-but in addition to a retail blowout, the crook also drained his checking account. In all, Sprayberry and Sutton estimate that their impersonators stole $90,000 in merchandise and cash.
Does this sound like something that's happened to a friend or family member-or to you? It's no surprise. Identity fraud is the fastest growing white-collar crime in the country. The Identity Theft Resource Center in San Diego, California, estimates that more than 900,000 Americans had their personal information used illegally in 2001.
Sprayberry and Sutton were not casualties of a solitary street tough who lifted their wallets and ran up their credit card balances. Stolen wallets do still lead to identity theft, but old-fashioned pickpocketing is only a fragment of today's identity fraud scene. Sprayberry and Sutton were among hundreds of victims of what investigators say was a large crime ring centered in Detroit-one that is typical of well-oiled criminal machines that operate in major cities throughout the country. These rings are behind the nationwide explosion of identity fraud. Their leaders have expertly honed the skills needed to steal identities en masse and use them in every conceivable way to steal money from financial institutions and retailers, tainting the financial lives of millions of consumers in the process.
For Sutton and Sprayberry, mopping up the damage took about six months.
In still another case, a young man (let's call him Roger) tells the story about the time one of his coworkers at a drug store (call him Stephen) asked Roger for permission to have a piece of merchandise delivered to Roger's home. Stephen explained to Roger that he was buying a present for his wife and didn't want her to see it before he could wrap it and give it to her. Roger gladly agreed. A week later, Stephen asked again and Roger began to smell a rat. Realizing that he could be implicated by the use of his address if there was something illegal going on, Roger confronted Stephen, who admitted he had stolen some credit card numbers from customers at the drug store. Roger immediately reported the facts to the store's management, thereby saving himself from being accused of the crime (after all, the merchandise was being delivered to his address).
For the protection of the people in this book, real names are not used.
An all-too-common example is when an identity thief steals a wallet or purse and uses the victim's personal information to open a credit card account in that name. A clever thief might be able to rapidly obtain thousands of dollars of credit in the victim's name. Many luxury or exclusive chain stores are willing to quickly open credit accounts with the proper identification. Identity thieves can then have a buy now, pay never shopping spree, racking up thousands of dollars in bills at their victim's expense. Even before the victim knows what's going on, a quick-acting thief can make hundreds of dollars in charges.
Now, consider the case of Babygear.com (based on a real case), which was targeted as a source of credit card numbers by an unknown identity thief in Eastern Europe. In December 2000, Ellen of Gilbert, Arizona, got a telephone call from an employee of The Boeing Co. in Seattle telling her the credit card she had used to buy a Boeing leather jacket had been declined. The employee asked if she wanted to use another card to make the purchase. Ellen told them she didn't try to buy a jacket, and she asked them what the shipping address was. They told her Yugoslavia.
Ellen wasn't surprised by the call because she had already canceled the card after being alerted by an employee of online auction site eBay that someone had tried to use her card to make almost $700 in purchases and have them shipped to Yugoslavia. Ellen was one of 240 customers of online baby products retailer Babygear.com whose credit card data was apparently stolen from the site in September 2000 and traced to a hacker in Yugoslavia. Babygear.com has since filed for bankruptcy protection.
The former Babygear.com CEO indicated he was unaware of any widespread security breaches at the site, which was shut down in early December 2000. Meanwhile, other Babygear customers recounted what happened after their credit card data was snatched.
In still another case, Diane of River Falls, Wisconsin, was lucky, because she found out her credit card information had been stolen before any charges were made to her card. Around Thanksgiving 2000, she got a call from someone at a computer company in Florida asking if she was charging computer equipment to send to Yugoslavia. Thus warned, she was able to cancel her card before any charges were made to it. However, unlike Ellen, who indicated she still uses her new card to make online purchases, Diane said she's had it with buying on the Internet. She hasn't used her new card online since then.
In the case of Irene of Coeburn, Virginia, it was debit card data that was stolen from the Babygear.com site. She didn't notice any charges until January 2001, but then she noticed that someone had taken out $700 cash on January 2, 2001, and put it back in again on the same day. On January 3, 2001, there were two charges for $300 and $400 from an online payment service. Irene indicated that although she was lucky that her bank reimbursed her for the money taken out of her account, the entire episode was a nightmare. As a result of someone draining her account unbeknownst to her, the checks she had been writing bounced.
Silvia of San Ramon, California, found out that she was a victim of credit card fraud while making a small purchase at a drugstore. She found out during January 2001 that something was wrong when she was at the drugstore with her two young children and was told her credit card was declined for a $14 purchase. Silvia didn't realize what had happened until she got a call from an employee of Gap.com who said the jeans she ordered were returned because the shipping address was incorrect.
Teresa of Redwood City, California, indicated someone charged a total of $700 to her card before she discovered there was a problem. The only time she used her card online was at Babygear.com, and there is no way she'll use it online again.
As you can see from the preceding examples, identity theft is epidemic, with an estimated more than 1,700 people losing their identity everyday in the United States alone. Obviously everyone is at risk.
With the preceding in mind, you already know the standard advice for minimizing the odds that your identity will be stolen: Don't keep your Social Security card in your wallet and give out your number as seldom as possible. Shred financial documents. Use a mail slot or locked mailbox. However, investigators and prosecutors who see firsthand how identity thieves ply their trade have some less conventional ideas for protecting yourself. In many cases, these are precautions they themselves have taken.
You should tell your credit card issuers to stop sending you unsolicited convenience checks, which are a favorite of credit fraudsters, because the account holder isn't likely to spot the charge for at least 30 days. Often these checks are stolen from residential mailboxes. In one New York case involving stolen mail, a fraud ring wrote $850,000 worth of convenience checks.
You should also switch to using gas-company credit cards, rather than an all-purpose Visa or MasterCard, at the pump. The reason? Gas-station attendants and other employees have access to customers' names and account numbers, even if the card is only swiped at the pump. A gas-only card has far less appeal to an identity thief. A gas station attendant can get paid $25 for each good credit card number he or she gets. It's the same with restaurant workers, but there's no restaurant-only alternative to Visa and MasterCard.
Such precautions may reduce the odds of you becoming an identity-theft victim, but there's no magic bullet. Just by having a job and health insurance, applying for credit, or making routine transactions, you inherently put your personal information at risk. There's no way to protect yourself, other than having bad credit.
This book can be used by domestic and international system administrators, government computer security officials, network administrators, senior managers, engineers, sales engineers, marketing staff, Web developers, military top brass, network designers, and technicians. With regard to identity theft, the book is primarily targeted at those in government and law enforcement who require the fundamental skills to develop and implement security schemes designed to protect their organizations' information from attacks, including managers, network and systems administrators, technical staff, and support personnel. This also includes those involved in securing Web sites, including Web developers; Webmasters; and systems, network, and security administrators.
This book is also valuable for systems analysts, design engineers, programmers, technical managers, and all data processing, telecommunications, and office automation professionals involved in designing, configuring, or implementing ID theft prevention and protection techniques. In short, the book is targeted toward all types of people and organizations around the globe who have responsibility for managing and maintaining the Web site service continuity of organizational systems including line and project managers, team members, consultants, software and security engineers, and other information technology (IT) professionals who manage Web site cost justification, investments, and standards. Others who might find it useful are scientists, engineers, educators, top-level executives, IT and department managers, technical staff, and the more than 1 billion Internet, intranet, and extranet users around the world.
Identity Theft shows experienced (intermediate to advanced) security and law enforcement professionals how to protect corporations, Web sites, and individuals and detect ID theft, and report the findings that will lead to the incarceration of the perpetrators. This book also provides the fundamental knowledge you need to analyze risks to your system and implement a workable security and antifraud policy that protects your information assets from potential intrusion, damage, or theft. Through extensive hands-on examples (field and trial experiments) and case studies, you will gain the knowledge and skills required to master the deployment of ID theft countermeasures to thwart potential attacks.
Throughout the book, extensive hands-on examples provide individuals with practical experience in ID theft detection, analysis, and reporting, as well as countermeasures and future directions. In addition to future ID theft detection, prevention, and protection solutions in personal, commercial organizations and governments, the book addresses, but is not limited to, the following key features:
This book leaves little doubt that the new and emerging field of ID theft detection, prevention, and protection techniques is about to evolve. This new area of knowledge is now being researched, organized, and taught. This book will certainly benefit organizations and governments, as well as their antifraud and security professionals.
The book is organized into five parts and includes appendices as well as an extensive glossary of fraud and ID theft terms and acronyms. It provides a step-by-step approach to everything you need to know about preventing and protecting ID theft, as well as information about many topics relevant to the planning, design, and implementation of them. The book gives an in-depth overview of the latest ID fraud and theft countermeasures. It discusses what background work needs to be done, such as developing an anti-ID-fraud plan, and shows how to develop anti-ID-theft plans for individuals, organizations, and educational institutions. More important, this book shows how to install an anti-ID-fraud system, along with the detection techniques used to test the system. The book concludes with a discussion about future anti-ID-theft planning and development solutions and technologies.
This part of the book covers the process of guarding against and recovering from identity theft and sets the stage for the rest of the book. Next, it discusses in specific detail how to minimize your risk of identity theft. Remember, you ultimately cannot prevent identity theft from happening, but you can reduce the odds. Finally, this part helps you begin the process of detecting, reporting, and recovering from identity theft.
Part II begins by giving you an overview of how the issues related to identity theft require a multifaceted response that involves e-businesses, consumer education, and public policy. Only through this level of cooperation and action will the issues and victims of identity theft be addressed. Businesses (or any entity on the Net) must prevent the illicit use of an identity and protect private information. Other types of e-business, like service bureaus and marketing companies, need to take steps to ensure that private information is correctly stored and unavailable for abuse. Additionally, e-businesses involved with the issuance of online credit or online revolving credit need to take steps that verify information and use technology to reduce the ability for a stolen identity to be used to create a new account. Consumers can't expect that some big brother will watch out for their privacy or verify that information is not used without their authorization. Furthermore, consumers need to know where to report identity theft issues, what action e-businesses can take, and to what extent business will protect their privacy. Governments need to provide mechanisms for consumers to report crimes to the appropriate law enforcement agencies, provide training and education to law enforcement, and capture statistical information about the use and abuse of stolen identities and make this information available to both public and private-sector groups.
Next, Part II shows Internet service providers (ISPs) how to prevent identity theft by looking at types of identity theft prevention techniques and technologies. In spite of the ease of committing this crime, there are steps ISPs can take to reduce customers' exposure to the consequences. This part also shows you how to protect the identity information of customers. Finally, Part II discusses ISP testing and performance of identity theft protection techniques.
Part III begins by showing you how companies can protect their customers and employees from identity theft. The nature of identity theft fraud is changing, not so much in the types of offenses being committed, but rather in the means by which those offenses are being perpetrated. Traditional fraud offenses are increasingly being facilitated by and perpetrated using the new electronic technology. Electronic systems have increased the opportunity for fraud by providing increased access to opportunities and also increasing the ease, speed, and anonymity of criminal activity. This provides challenges to law enforcement and business in terms of prevention, detection, and investigation. Solutions to the problems of identity theft protection lie in increased awareness of the changing risks, especially the increased risk of external attacks through connection to external electronic systems; in prevention, including the widespread use of effective electronic security and identity verification systems; and in international cooperation in regulation, information sharing, and enforcement. These measures should be supported by accountability, transparency, and effective risk management strategies in both the public and private sectors. Many of the most effective solutions need to be built into business systems and organizational practice.
This part also discusses guidelines for protecting the identity and confidentiality of personal information when working outside the corporate office. Finally, it examines the management of ongoing identity theft prevention and protection techniques.
Part IV opens with a discussion of the use of enhancing security and privacy in biometrics-based authentication systems, biometrics at work, voice identity and electronic addressing, fingerprint scanning, facial scanning, and DNA scanning. Biometrics-based authentication to prevent ID theft has many usability advantages over traditional systems such as passwords. Specifically, users can never lose their biometrics, and the biometric signal is difficult to steal or forge. This part also shows that the intrinsic bit strength of a biometric signal can be quite good, especially for fingerprints, when compared to conventional passwords. Yet, any system, including a biometric system, is vulnerable when attacked by determined hackers. This part highlights eight points of vulnerability in a generic biometric system and discusses possible attacks. Several recommendations are made to alleviate some of these security threats. Replay attacks are addressed using data-hiding techniques to secretly embed a telltale mark directly in the compressed fingerprint image. A challenge/response method is proposed to check the liveliness of the signal acquired from an intelligent sensor. This part also touches on the often-neglected problems of privacy and revocation of biometrics. It is somewhat ironic that the greatest strength of biometrics-that they do not change over time-is at the same time its greatest liability. Once a set of biometric data has been compromised, it is compromised forever. To address this issue, I propose applying repeatable noninvertible distortions to the biometric signal. Cancellation simply requires the specification of a new distortion transform. Privacy is enhanced because different distortions can be used for different services and the true biometrics are never stored or revealed to the authentication server. In addition, such intentionally distorted biometrics cannot be used for searching legacy databases and thus alleviate some privacy violation concerns.
In this part, I hope that throughout this process you, the reader, have thought about your own personal information and how important it is that no company misuse it. After all, we are all individuals with some level of concern about our own information. At the same time that you might be the developer of one application, you are the customer of other applications. Just as you want to provide good customer service, you also want to receive good customer service. In the information economy, customer service is taking on a new look-privacy. As an example of what can go wrong, when caller identification applications were first introduced, many companies assumed that responding to customers by name when they called would be seen as good customer service. They soon found that people often did not take kindly to that approach. "How do you know my name?" expressed in angry tones, was frequently heard. We all value our privacy in a general sense and we are becoming more sensitive about the protection of our personal information. This part also presents examples of applications that require user authentication and transaction authorization with a very high level of security. More and more, Web applications with similar security requirements will emerge as the volume of financial transactions conducted via the Internet increases steadily. The pure Java architecture presented in this part allows such applications to be secured in an elegant and flexible way, using smart cards to provide a higher level of security. A prototype for performing biometric authentications inside a smart card is also presented. Three biometric techniques are studied to analyze their viability: speaker recognition, hand geometry, and iris identification. The results show the possibility of integrating biometrics as a card holder verification method, therefore improving user authentication in smart-card-based applications. Better results can be obtained building a new smart card mask, instead of using an open operating system card, such as the Java-Cards used in the prototypes developed. If this last option is not possible, results with the RISC-based JavaCard are good enough for a commercial product. Further efforts will be applied to integrate other biometric techniques in the prototypes developed, such as fingerprint or facial recognition.
Email encryption is a powerful tool in helping to protect an individual's privacy. In this part, I map out the basic concepts. You should put this new knowledge into practice and actively investigate use of email encryption software. Because I provide only a brief overview of the topic, you should follow the links previously cited to gain an even better understanding of email encryption. It is always useful to start with a list of your requirements that can be used to assess any potential products. If possible, test some products yourself. Soon, using encryption software will become second nature. If you don't protect your privacy with tools like email encryption, you may well lose it. That could result in anything from a minor annoyance, to a gut-wrenching feeling of violation, to the loss of significant amounts of money. Guard your privacy and identity well; the tools are out there for you to do so.
Next, Part IV discusses how, in an era of networked information technologies, personal information has acquired intrinsic commercial value, whether collected directly or indirectly, to serve a variety of commercial purposes. However, an open networked system such as the Internet remains at present an uncertain environment, particularly for the conduct of commercial transactions. Such transactions in the "real" world are enveloped in a framework of laws, customs, and practices that create the necessary trust and confidence to ensure wide public participation. In the unstructured framework of the virtual world, however, the traditional ways of conducting business are not always appropriate or adequate. To a much greater extent, the virtual world, a creation of technology, will be dependent on technology for many of its solutions. The challenge is to transport the basic principles that exist in the physical world through laws, customs, and practices into the virtual world-in effect, to create a parallel process. This is the case to be made for privacy and the principles that protect our personal information in the world of e-commerce. Specifically, fair information practices provide a framework by which to assess technology-based solutions and to serve as a benchmark in creating those solutions. The combined efforts of technology experts, cryptographers, lawyers, policymakers, privacy advocates, and ultimately the public will be needed to create acceptable solutions to the privacy dilemmas arising out of a networked world. Given the broad public apprehension about using the Internet to conduct commercial transactions and consumers' concerns over the prospect of losing their privacy, it is incumbent on all of us who wish to make electronic commerce a viable form of transacting business to inform the public about these issues. It is particularly important that the public understand the different options being considered and the choices available to them. Throughout the 21st century, all indications suggest that privacy will continue to resonate as a significant public issue. The challenge will be to develop and advance information technologies, supported by appropriate legal and policy frameworks, that can minimize the public's apprehensions about technology, and, in the process, enhance personal privacy.
The need to protect and manage personal information has been likened to the management of natural resources. Personal information is a resource, exploited commercially, but valued as an element of human dignity and enjoyment of one's private life. It is therefore to be protected and managed, not unlike the protection and management of other resources. As with early efforts to protect the environment in the absence of legislation, privacy protection currently relies on ancient common law principles that continue to adapt to new technological challenges to personal integrity, happiness, and freedom. These principles have now found legislative expression in various statutes relating to environmental protection. Information, however, has some unique qualities in need of special regulatory and judicial attention. Looking ahead, consumers will not only want goods and services, but assurances that the information they provide to a business is, from a privacy perspective, protected. To deal with this need, a shared responsibility for the management of personal information will be essential, involving government, the business community, and consumers. Only through shared responsibility, sustained by the business community through a culture of privacy, and strengthened by the voice of consumers, can personal information become a protected, managed, and valued resource. This part gives all three parties (consumers, businesses, and government) incentives for action toward protecting personal information in the marketplace. The tension between technology and privacy can be minimized if privacy safeguards are made a key consideration up front, rather than an afterthought. Although current data-mining practices are somewhat beyond the up-front stage, there is still time to ease this tension before applications become commonplace. One short-term approach might be for businesses to provide consumers with choices in the form of multiple selection opt-outs. The final chapter of this book provides a summary of identity theft, conclusions, and recommendations.
Five appendices provide direction to additional resources available about IDtheft. Appendix A is a listing of Federal ID theft laws. Appendix B is a listing of state ID theft laws. Appendix C contains a listing of reports, testimony, and comments relating to ID theft. Appendix D consists of a listing of ID theft cases and scams. Appendix E contains an ID theft affidavit and corresponding information. Appendix F is a glossary of ID fraud and theft terms and acronyms.