Social Security Numbersand Identity Theft

Brett Coryell, Deputy CIO Emory University

University Technology Services

introduction

2

Source: www.zanderinsurance.com

have you seen him?

3

Source: www.lifelock.com

Is this really a good idea?As far as I can tell, this is his real SSN.(Notice he recommends you not share yours, though.)

history

4

7 7 3 - 0 0 - 4 3 2 7

Area• Georgia 252-260• also 667-665• 700-728 for RR• 772 is highest

Group• unusual • SSA has lists• 252-260 are full

Serial• given in order

Source: Wikipedia, Social Security Administration

theft

She left her card at the café …

Average take for identity theft is greater than the average bank robbery.

Source: AM New York; videos from various internet sites

financial impact

6

Source: Federal Trade Commission report; Privacy Rights Clearinghouse

These are estimates by victims of how much the thief got.

Median value = $500, per FTC study.

Other estimates come in closer to $5700 on average.

One published account is as high as $6400 on average.

financial impact

7

Source: Federal Trade Commission 2006 report on Identity Theft

Many but not all credit card victims incurred no out of pocket expense.

Other costs include:• Time spent • Harassment (collectors)• Credit report fixes• Loan rejection• Banking problems• Insurance problems• Utilities cut off• Criminal investigation (12%)

time

8

Source: Federal Trade Commission 2006 report on Identity Theft

30% reported spending less than 1 hour cleaning up.

Median time was 4 hours.

If you had a new account opened in your name, 60% spent more than 10 hours.

A study by the Privacy Rights Clearinghouse says average time was 25 hours in 2007.

who does this stuff?

The most common thief was someone they know.

Risk factors for victims:• high income• well educated• woman• single adult• “more” kids

Source: Purdue University, Federal Trade Commission

who does this stuff?

10

Source: Federal Trade Commission 2006 report on Identity Theft

Emory

11

Legitimate and legal uses of social security numbers:• Payroll / taxes• Financial aid

Other protected data:• Health information• Student records

Some departments have reduced or eliminated their non-essential use of SSN.

get geeky

Firewall? Like that could stop me …

Actually, yes, quite often it does. It’s not always intruders we’re worried about, though.

Source: AM New York; videos from various internet sites

protection

13

SciQuest

Fin

HR

OPUS

Shadow

This diagram is a somewhat idealized version of our systems.

Emory does have some good practices and policies in place.Access to SSN in the warehouse is limited.Bypassing the warehouse or using SSN as an identifier creates risk

Areas of concern:• Printed reports• Emory Card• Local vendors• File transfers• Shadow databases• Desktops and laptops

be on the lookout

14

remember him?

15

Source: www.lifelock.com; Indiana Code

Is this a felony? No, but consider this section of Indiana law:

You must “… disclose a breach … following discovery … [that] any state resident[‘s] … unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.”

the law

16

1. Right to Privacy Act (1974)a) Prevents state agencies (usually) from requiring your SSNb) Does not prevent employers from asking for it.

2. Georgia code (10-1-393.8) -- a person, firm, or corporation shall nota) May not intentionally communicate any person’s SSNb) Require a person to transmit SSN over the Internet unless the connection is

secure and the SSN is encrypted.c) Require an SSN to access a website unless a password or PIN is also used

3. Exceptions for state and federal law, setting up and deleting accounts, applications, enrollments, checking accuracy of SSN’s, etc.

4. No burden on “interactive computer service providers” and telcos to monitor.

5. Georgia code (10-1-912) requires notification if we discover a breach of security that leads us to reasonably believe that unencrypted data was seen by an unauthorized person. Extra notice if we go over 10,000 people.

enough Larry

Enough Larry for everyone?

What do you actually do if Larry’s got your number?

Source: AM New York; videos from various internet sites

digital citizenComputer• Use strong passwords• Watch for phishing (ask me)• Run spyware and antivirus• Look for secure checkouts• Use a software based firewall

Personal• Be stingy with your info• Check your credit reports• Watch your bank accounts• Don’t carry your SSN card• Get, and use, a shredder

Extra credit (or paranoia)• Use different credit card online• Use two or more banks

18

digital citizenIn our community• Adopt good trends

• Biometrics

• 2 factor authentication

• Challenge inappropriate use

• With vendors

• In our own systems

• Educate those around you

19

resources

20

FTC Website has videos, publications, and more.

resources

21

Consider Identity Theft insurance. You saw Lifelock. Here is another company. This one offers a counselor to help you with the paperwork.

anti-resource?

22

One of several catchy commercials, this service is actually NOT free.

Offered by Experian.

resources

23

39 states plus DC have laws requiring credit freeze.

$10 to place, suspend, or remove freeze in Georgia.

resources

24

1. IRS, if tax ID theft: phishing@irs.gov

2. Social Security Administration – 800-269-0271http://www.ssa.gov/ssnumber

3. U.S. Postal Inspectors, if USPS involved – 800-275-8777

4. State Department, if passport involved

5. If checks missing or involveda) TeleCheck – 800-710-9898b) Certegy, Inc. – 800-437-5120c) International Check Services – 800-631-9656

6. If Emory’s private information is involved, discuss with your manager and Emory’s Chief Information Security Officer, Brad Sanford (Brad.Sanford@emory.edu)

Source: Purdue University

resources

25

1. Clark Howard (consumer advocate), for news and alertshttp://www.clarkhoward.com (see “Identity Theft” at bottom of home page)

2. For consumer activism, check publisher of Consumer Reportshttp://www.financialprivacynow.org

3. Security freeze instructions:Security Freeze Instructions for EquifaxSecurity Freeze Instructions for ExperianSecurity Freeze Instructions for TransUnion

4. Florida identity theft victim’s kit:http://myfloridalegal.com/idkitprintable.pdf

?Questions

26

?Appendix

27

resources

28

resources

29

IRS fraud

30

Source: www.yahoo.com, www.bankrate.com

Playing FlashHELP

31

This presentation has an Adobe Flash file (.swf) in it.

Playing Flash inside a presentation requires the Adobe Flash player to be installed and that the specific location of the file is in the Properties section. Be sure to copy the .swf file and modify the animation properties when you move this presentation to a new computer.

Details are in the speaker’s notes for this slide.

anti-resource?

32

New car

anti-resource?

33

Pirate commercial

bustierre

Leather bustierre

Source: AM New York; videos from various internet sites

motorcycles

Cibibank motorcycles

Source: AM New York; videos from various internet sites