Identity Theft: Are You Really You?
We are pleased to inform you of the final announcement that you are one of our New Year Winners of the UNITED KINGDOM ONLINE PROMO AWARDS, held on 26th January, 2009. You have won for yourself a total sum of £516,778.00 POUNDS STERLING and its equivalent is $730,362.00 USD. Please contact the fiduciary agent for your claims by sending to him your details below.
PROVIDE DETAILS BELOW AND SEND TO OUR CLAIMS AGENT FOR VERIFICATION
1. Full Names:
2. Address:
3. Age:
4. Sex:
5. Marital Status:
6. Occupation:
7. Phone numbers:
8. Country:
Fiduciary Agent: Mr. Henry Smith
Email: email@example.com
Yours Truly,
Harry Wilhelm (Mr.)
Co-ordinator Online Promo Programme.
It’s quite likely that you’ve seen or received an e-mail like this before. Such e-mails are typical ploys used by identity thieves to dupe unsuspecting users on the Internet into divulging their personal information. Identity theft has consistently grown over the past decade to become, literally, one of the biggest threats to our existence today. A recent report [1] from the Federal Trade Commission (FTC) confirmed that 2008 was the ninth year in a row in which identity theft was the number one consumer complaint, accounting for 26% of all consumer complaints received.
A total of 9.9 million victims of identity theft [2] were reported in the U.S. This means a total of around 27,049 cases a day and very close to a staggering 19 victims every minute. Basically, every time you lifted your mug to take a sip of coffee last year, somebody’s identity was stolen.
The problem is not that of individuals alone. A 2009 identity theft report [3] states that U.S. organizations have already suffered 83 security breaches so far this year, potentially exposing personal information records of 1,140,146 people. It is important, and unnerving, to note that this figure does not include the victims of the Heartland Payment Systems breach [4], which is believed to be one of the largest security breaches ever.
I Didn’t Buy That!
One of the most common motivations for identity theft is financial fraud: you receive your credit card bill and discover that in the last month you (or someone pretending to be you) bought expensive women’s jewelry, the latest model of the Porsche, and a holiday getaway to Venice. This kind of identity theft could end up hurting you through your bank account, credit card account, social programs, tax refunds, and just about any other avenue where financial gain could be the identity thief’s target.
Such identity theft begins by gathering the victim’s personal information, such as his or her full name, address, social security number, and date of birth. While you might think that this is quite difficult to gather, it’s actually not. One technique, of course, is the scam e-mail you saw at the beginning of this article. But there are a number of other methods.
Take a moment to think about all the things that you throw away in the trash can – your bank statements, tax return communications, credit card statements, utility bills, and insurance communications, to name a few. All of these will have a lot of this personal information. An identity thief can go “dumpster diving,” which is quite literally rummaging through your garbage for personal information to find these items and information that you may routinely throw away.
There are also less obvious ways of finding your personal information. For instance, an identity thief could “research” you at government registers and public record search services. Even Internet searches give up a lot of information. Have you ever tried doing an Internet search on your full name? You might be surprised at what you’ll find.
Sometimes, identity thieves post bogus job offers online which ask for your personal information. An unsuspecting user wouldn’t even mind keying in his/her social security number if it’s a question of employment. In times of recession, when jobs are scarce, such techniques, sadly, even play on the emotions of potential identity theft victims. Often video rental stores, schools, apartments, and many other such places ask for your social security number as well. An identity thief could, for instance, just call in to a video rental to “verify” your membership information.
The information gathered on a potential victim can then be used to apply for a new credit card in the victim’s name. Once the card is obtained, shopping season begins for the identity thief. All this effort might not even be necessary at times. An identity thief who can get his/her hands on that pre-approved credit card offer which you threw away, can just respond to that offer with an address change request and avoid all the pain of hunting down your personal information.
The next time you pay for your bill at a restaurant, grocery store, car mechanic, or other retailer, look at the receipt you’re signing after your credit card is swiped. Too many times, that little paper shows your complete credit card number and its expiration date.
Waiters and clerks with malicious intentions sometimes use “skimmers” which can record credit card information once a card is swiped across it. Better still, identity thieves are known to install skimmers onto ATM machines in conjunction with a tiny camera, to read the user’s PIN.
Finally, there is the evergreen phishing technique. Users on the Internet are directed to a website that looks exactly like an original one. For instance, a user could be directed to a look-alike of a well-known online shopping website. Once the user makes purchases on the phony website and enters his/her credit card information, the identity thief’s job is done. A variant of this technique in recent times has been vishing, which involves the use of a spurious interactive voice response (IVR) system. An identity thief may trick a user into believing that this IVR system belongs to the user’s bank and make the user key in his/her card details and PIN over the phone.
And What Is Worse
While financial fraud as the purpose of identity theft is surely unforgivable, it’s definitely not the most despicable. Another form of identity theft involves stealing identity to commit crime, be able to move around freely in other countries, obtain special privileges and permits, and perpetrate or support terrorist activities. It is quite unfortunate that a number of these identity theft incidents translate into headlines associated with drug trafficking, money laundering, organized crime, illegal immigration, terrorist attacks, and so on.
Life After Death
It’s true! And now, proven as well. A very common form of identity theft today involves identity thieves assuming the identities of dead people. The Social Security Death Index (SSDI) contains records of dead people in the U.S. Extracted from the United States Social Security Administration’s Death Master File, the database holds records of over 83 million dead people and can be freely accessed over the Internet thanks to genealogy websites.
These websites come replete with intimate information on dead people such as their date of birth, date of death, social security number, last address of residence and state/territory where the social security number was issued. If a faint, matter-of-fact voice inside you is asking why this information is made available online, the documents held by the Social Security Administration are government records and under the Freedom of Information Act [5] (FOIA) it is mandatory to make the information public. It’s no wonder that this form of identity theft is on the rise [7] in the U.S.
Better Dead Than Alive?
If you fall prey to identity theft, you will certainly face an uphill climb. Many victims of identity theft never even find out about their stolen identity until a lot of damage has already been done. In fact, a number of these victims find out when they answer the doorbell or a telephone call to discover that they owe vulgar sums of money to some huge company that is ready to sue them.
The worst part probably is that, in both financial and criminal identity theft, the entire onus of clearing one’s name of blame lies with the victim. In both cases, the task is a highly arduous one. Victims of identity theft need to prove their own identity to start with and may have to undergo court proceedings to be cleared of charges, until which time the court holds the victim as guilty of all the offenses committed by the identity thieves.
Prevention Is Better Than Cure
There is no doubt that striving to prevent identity theft can save you a lot more pain than waiting for it to happen and then looking for the cure. There are a number of things you can do, both as an individual and as a business, to prevent identity theft.
As an individual:
• Protect your SSN. Always remember that the only people that have the legal right to demand your social security number are government bodies like the motor vehicle department, welfare department, tax department, etc., and organizations like banks, brokerages and your employer. The Social Security Administration provides specific guidelines [8] that direct who you should and should not provide your social security number to.
• Protect your personal information like your life. This doesn’t stop only at your social security number. While it is important to safeguard your social security number, don’t think that other information like your full name, address, date of birth, etc. are all worthless. Putting together pieces of information can sometimes be easier than you think.
• Shred whatever you don’t need. Tear up, and preferably shred, all documents that have your personal information on them once you decide to throw them into the trash.
• Opt-out. If those pre-approved offers are unwanted, you should “opt out” of them. Just call 888 – 5OPTOUT (567-8688) and follow the instructions. Once you’re done, your name is removed from mailing and telemarketing lists for two years.
• Keep it personal. Whenever you’re writing down personal information or typing it on a computer, check to ensure that there are no “shoulder surfers” around who are trying to take a peek.
• Require a Photo ID Check. Instead of putting your signature behind your credit cards, you can write “Ask For Photo ID” behind it. While this might not work amazingly well considering that not a lot of people look for the signature behind the credit card, it could add an extra line of defense if you require that your identification be verified each time you present your credit card.
• Carefully dispose of digital information. Before you throw away any digital equipment that can store data on it, ensure that you sanitize it completely of all the data. Deleting the data alone will do no good. A number of good digital data sanitizers are available online, many of them free.
• Review all statements religiously and diligently each month. Ensure that you recognize all purchases and transactions on
• Check your credit report at least once a year. The Fair Credit Reporting Act (FCRA) requires that each of the nationwide consumer reporting companies (i.e. Equifax, Experian, and TransUnion) provide you with a free copy of your credit report, at your request, once every 12 months. The FTC has detailed guidelines [9] on how you can go about the process.
• Personally mail all bills or documents that contain your personal information at the post office or a service mailbox.
• Check your credit card receipts before signing. When you make purchases with your credit card and see that the printed receipt you’re signing has your full card number and/or expiration date on it, scratch out the details with your pen fully and then sign it. If the vendor complains, let him/her know that he/she violated the Fair and Accurate Credit Transaction Act (FACTA) which requires businesses to shorten credit/debit card numbers on electronically printed receipts so that they don’t expose any more than the last five numbers of your account. The law also forbids businesses from printing the expiration date altogether. And while you’re leaving, you can also drop in the good news to him/her that you’re filing a complaint with the FTC on this. You can do this online [10] or by calling 1-877-382-4357.
• Look carefully at your ATM. Ask your bank if you see that your ATM machine has a suspicious bulge or attachment on it to make sure there are no skimmers attached.
• Buy online only on secure websites. When making purchases online, always look for an “https” website address and a padlock symbol that will show you the details of the website’s digital certificate when you click on it. This indicates that your information is encrypted before transmission. Keep track of your online purchases and know what you’ve bought.
• Enter social networking sites cautiously. Social networking sites like Facebook, Orkut, MySpace, and others are favorites among identity thieves. Be careful with personal information online.
• Don’t respond to e-mails asking you for personal information, even if the e-mail looks like it’s coming from your bank or even the government. If the e-mail is about a lottery you just won, just remember that there are no free lunches in life.
• Respond quickly. If you think you’ve become a victim of identity theft, you should follow the FTC guidelines [11] to recover from it.
As a business:
• Ensure that you comply with the FACTA. FACTA compliance will help ensure that your customers don’t become victims of identity theft. While it is a social responsibility towards customers to protect their personal information, it will benefit your business to stay clear of negative newspaper headlines.
• Don’t wait for a law to force you into protecting customer information. Good information security will mean faster and better growth for your business in the long-run. Being short-sighted about information security could leave you without a business.
• Provide support to employees impacted by identity theft. Apart from the fact that your employees deserve such support,
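For businesses that print receipts, the FACTA rule described above (no more than the last five digits of the card number, no expiration date) can be enforced in software before anything reaches the printer. The following Python sketch is an added example, not part of the original newsletter; the function names, the receipt layout, the use of a Luhn check to tell card numbers from other long numbers, and the test card number are all assumptions made for illustration.

```python
import re

MAX_VISIBLE = 5  # the article's FACTA figure: at most the last five digits
# Card-like token: 13-19 digits or '*' mask characters, single space/hyphen separators.
CARD_RE = re.compile(r"(?<![\d*])[\d*](?:[ -]?[\d*]){12,18}(?![\d*])")
# Labelled expiry, e.g. "EXP 09/11", "Exp. Date: 09/2011", "VALID THRU 09-11".
EXPIRY_RE = re.compile(
    r"\b(?:exp(?:iry|ires|iration)?\.?(?:\s*date)?|valid\s+thru)\s*:?\s*"
    r"(?:0[1-9]|1[0-2])\s*[/-]\s*(?:\d{4}|\d{2})\b",
    re.IGNORECASE,
)
# Constructed sample receipt; 4111 1111 1111 1111 is a well-known test number.
SAMPLE_RECEIPT = (
    "CORNER BISTRO\n"
    "Order 2009012600017\n"
    "CARD 4111 1111 1111 1111\n"
    "EXP 09/11\n"
    "TOTAL 42.17\n"
)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from order or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def is_card(token: str) -> bool:
    """Partly masked tokens count as cards; all-digit tokens must pass Luhn."""
    return "*" in token or luhn_ok(re.sub(r"\D", "", token))

def mask_token(token: str, visible: int) -> str:
    """Replace all but the last `visible` digit positions with '*', keeping separators."""
    slots = [i for i, c in enumerate(token) if c.isdigit() or c == "*"]
    hide = set(slots[: max(len(slots) - visible, 0)])
    return "".join("*" if i in hide else c for i, c in enumerate(token))

def scrub_receipt(text: str, visible: int = 4) -> str:
    """Return receipt text that is safe to print: no expiry, truncated card number."""
    keep = min(visible, MAX_VISIBLE)
    text = EXPIRY_RE.sub("", text)
    fix = lambda m: mask_token(m.group(0), keep) if is_card(m.group(0)) else m.group(0)
    return CARD_RE.sub(fix, text)

def audit_receipt(text: str) -> list:
    """List the violations present in receipt text as printed."""
    findings = []
    if EXPIRY_RE.search(text):
        findings.append("expiration date printed")
    for m in CARD_RE.finditer(text):
        shown = sum(c.isdigit() for c in m.group(0))
        if is_card(m.group(0)) and shown > MAX_VISIBLE:
            findings.append(f"{shown} card digits printed")
    return findings

if __name__ == "__main__":
    print(scrub_receipt(SAMPLE_RECEIPT))
    print(audit_receipt(SAMPLE_RECEIPT))
```

The order number in the sample is left untouched because it fails the Luhn check, while `audit_receipt` also flags receipts that are only partly masked but still show more than five digits.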
Knowledge Is Power
Your identity is probably the one thing that you expected would be left alone, and yet times today show us otherwise. Past performance has shown that identity theft will only increase from here on. Awareness and common sense can be your best friends in your pursuit to protect your identity.
“What I did in my youth is hundreds of times easier today. Technology breeds crime.”
- Frank William Abagnale, Jr., security consultant and renowned former identity theft mastermind
References
1. http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2008.pdf
2. http://money.cnn.com/2009/02/09/news/newsmakers/identity_theft.reut/
3. http://www.idtheftcenter.org/ITRC%20Breach%20Report%202009.pdf
4. http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm
5. http://www.usdoj.gov/oip/index.html
6. https://dmf.ntis.gov/
7. http://www.msnbc.msn.com/id/18495531/
8. http://ssa-custhelp.ssa.gov/cgi-bin/ssa.cfg/php/enduser/std_adp.php?p_faqid=78
9. http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre34.shtm
10. https://www.ftccomplaintassistant.gov/
11. http://www.ftc.gov/bcp/edu/microsites/idtheft/
Enterprise Risk Management:
At a Glance
ERM brings clients the highest level of expertise to assess and address risks, comply with standards and regulations and mitigate risks, using integrated and reasonably priced security services and solutions. Our practice provides organizations with the tools they need to address the compliance and risk management issues of today, as well as the broader and ever-increasing security challenges of the future.
ERM wants to hear from YOU….
With this edition of our newsletter, we’re rolling out a new format and new features. Tell us what you think! What features or topics would you like to see covered in future issues? Who else should receive this newsletter?
Your feedback is welcome and encouraged. Please send your comments to firstname.lastname@example.org.
For more information, visit www.emrisk.com
800 Douglas Road North Tower, Suite 835 Coral Gables, FL 33134
Services: IT Security, Regulatory Compliance, IT Audit, Computer Forensics, Risk Management, Attestation
Certified Public Accountant (CPA)
Certified Information Systems Security
Certified Information Systems Auditor (CISA)
Certified Information Systems Manager (CISM)
Certified Information Technology
GIAC Security Essentials Certification GIAC Systems and Network Auditor
Qualified Security Assessor (QSA)
Approved Scanning Vendor (ASV)
Some of our Clients
ABN-AMRO Private Banking Bacardi-Martini, Inc.
Banco Industrial de Venezuela Banco ITAU
Bank United Caja Madrid Bank
Carnival Cruise Lines, LLC CitiBank
Coconut Grove Bank Commerce Bank E-data Financial
Florida International University Florida Power & Light Company Heico Aerospace
Helm Bank Knight Ridder
Nova Southeastern University Rinker Materials
Rudy, Exelrod & Zieff, LLP Seabourn Cruise Line TecniCard, Inc.
The International Bank of Miami TransAtlantic Bank