
Identity Theft

According to a Consumer Report, millions of Americans are becoming victims of identity theft.

Javelin Strategy & Research, in 2017 & Federal Trade Commission

Identity theft Video: 7 Ways to protect yourself from cybercriminals

Types of Identity Theft and Fraud

  1. Driver’s license theft: the most common type
  2. Mail theft: one of the oldest ways for criminals to steal your information
  3. Debit card fraud or credit card fraud: called “card-not-present fraud”
  4. Online shopping fraud: criminals purchase items using a stolen card and have them shipped to their own address, mostly overseas; called “eCommerce fraud”
  5. Social Security Number theft: usually occurs from a data breach or tax ID theft
  6. Account takeover fraud: criminals gain access to your bank or credit card account through a data breach, phishing scams, or malware attacks, then start using the credit card for their own gain
  7. Senior citizen identity theft: very common, since checking financial accounts or credit reports is not important for most of them; scams happen when they trust the wrong person (Scam Video)
  8. Child identity theft: not as common, but their Social Security Numbers (SSN) can be used to apply for government benefits, take out a loan, etc.; often the child does not realize this theft until they are of age and applying for a student loan or car loan
  9. Tax identity theft: bad guys file your income tax return before you do and use a fake address to receive the funds
  10. Biometric ID theft: fingerprint and voice recognition are the best examples, such as when the voice you use with “Alexa” (Amazon’s hands-free speaker controlled with your voice) is copied and recorded, but it doesn’t end there (parks such as Six Flags and Disney are using fingerprints to identify who you are for easy access to the park!)
  11. Criminal identity theft: happens when criminals provide your data (from a stolen or lost ID) when arrested; you would not know until you need a background check for a new job or a warrant is issued for your arrest
  12. Synthetic identity theft: fastest growing type of ID fraud – real and fake information is merged to create a new identity using SSNs, names, addresses, and birthdays bought from the “dark web”
  13. New account takeover: a criminal opens a new account with your information and has the ability to impersonate you to access a higher credit limit
  14. Medical identity theft: more difficult to discover, but usually used to obtain medical services in your name; check your statement of benefits often
  15. Loan stacking fraud: multiple loans are taken out by borrowers who slide through today’s automated approval process using loopholes in online lending marketplaces
  16. Mortgage fraud: a borrower, broker, or appraiser lies about information on the application for a mortgage loan; it’s done to get approved for a bigger loan or to get the mortgage approved!
  17. Auto lending fraud: similar to mortgage fraud; occurs when consumers, dealers, or auto lenders submit or accept a fraudulent (falsified information) application for credit
  18. Employment identity theft: a criminal applies for a job using your SSN or ID, the employer reports the income to the IRS under your name, and you are expected to pay taxes on all income earned in your name; review your credit report regularly
  19. Bust-out fraud: a first-party fraud scheme and a deliberate form of fraud or ID theft (“sleeper fraud”); happens when a consumer applies for credit and uses their own name with the intent of maxing out all available credit for the purpose of disappearing
  20. Internet of Things (IoT) identity theft: occurs when your smartphones/tablets are paired with consumer products such as cars, heart monitors, and household appliances that are connected to the internet, which creates an opportunity for hackers to steal your data, usually through a security flaw

Identity Theft and Fraud Complaints from 2014-2017


Prevention is the best route

Use Strong Passwords that are unique to you

  • Make it easy for you to remember but hard to guess
  • Use KeePass to store all your passwords securely in an encrypted file (database)
  • Change them as often as you can (routinely)
  • Don’t ever reuse passwords
  • Do not write them down and leave them on your desk (put them away inside your wallet or purse)

Review Bank statements and Credit Card statements thoroughly each month

  • Check for suspicious transactions

  • Notify bank or card issuer immediately

Check your three credit reports (Experian, TransUnion and Equifax) often for any signs of identity theft

  • If you discover unauthorized access to your credit reports, notify the credit reporting agency right away
  • Place a fraud alert, a credit lock, or a security freeze on all three if you suspect your personal information has been compromised

Phishing

  • This is where you might be tricked into revealing sensitive information via email or text
  • Messages are created to look like they come from a company you already have an account with, or from someone (a person or organization) you know well
  • When you click the link in the message and attempt to log into your account, you have handed over your login and password to the “bad guys”
  • Now you are vulnerable to many types of identity theft

Recovery Steps to help limit the damage if you become a victim of Identity Theft

  • File a Report immediately (get copies of the report for your insurance, medical provider, credit bureau, etc.)

  • File with the Federal Trade Commission (FTC) for their Recovery Steps

  • Call the Companies Where the Fraud Occurred (let them know it was not you and ask to work with you)

  • Communicate With Each Credit Bureau and place a freeze or fraud alert on your credit report

  • If it’s medical fraud, call your insurance company and medical providers (get a copy of your medical files and ask to have them corrected; file with the Office for Civil Rights (OCR) as well)

  • If you become a victim of Tax ID Theft, contact the Internal Revenue Service (IRS)

Safeguard Against Future Problems

  • Stay up to date by reading and learning continuously (read ways to protect your information)

  • Learn about the warning signs

  • Learn how to reduce your risks

  • How to avoid Identity Theft/How to avoid Frauds & Scams (read)

  • Be persistent by monitoring your accounts and reviewing your personal information to stay on top of looming threats

For more information read: Security Awareness For Taxpayers


Did You Know?

Did you know FISMA

There are two acts that share the acronym FISMA. Make sure you know the major differences!

  1. Federal Information Security Management Act (FISMA) of 2002

  2. Federal Information Security and Modernization Act (FISMA) of 2014

Federal Information Security Management Act of 2002

The Federal Information Security Management Act (FISMA) of 2002 is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. This act requires all federal agencies, departments, and their contractors to adequately safeguard their information systems and assets. FISMA was signed as part of the Electronic Government Act of 2002 (E-Government Act of 2002).

E-Government Act of 2002 or Public Law 107-347

This law was created “to enhance the management and promotion of electronic Government services and processes by establishing a Federal Chief Information Officer within the Office of Management and Budget, and by establishing a broad framework of measures that require using Internet-based information technology to enhance citizen access to Government information and services, and for other purposes.”

FISMA Objectives:

  • To support the operations and assets of a federal agency, and contractor or another source
  • To provide for the development and maintenance of minimum controls necessary to protect federal information and information systems commensurate with the risk and magnitude of harm resulting from unauthorized access, use, or disclosure including annual reviews on the effectiveness of the information security and privacy programs
  • Produce an accurate inventory of all information systems

Note: Applies to all federal information and information systems including data in all forms (paper, electronic, audio)

This Act is important in healthcare because of the expense of meeting FISMA rules for enabling the secure exchange of health information with the private sector. FISMA mandates regular security risk assessments, annual reviews, and security certification/accreditation programs for contractors, as well as an annual report on information security programs. A good example is the Center for Medicare and Medicaid, where about 200 contractors would be subject to FISMA mandates. There would be millions of healthcare providers who would then request health records electronically. This would require an increased staff budget as well as incur costs for updating computer technology.

Where does HIPAA stand with regards to FISMA of 2002?

FISMA has 171 information security controls that are mandated for federal agencies. In contrast, the U.S. healthcare industry must meet the Health Insurance Portability and Accountability Act (HIPAA), which has only 101 of the FISMA controls. There will be a definite gap from a more controlled system (FISMA) to a less secure HIPAA environment.

FISMA: created specifically for federal government computer systems

HIPAA and State Privacy Laws: created for the private sector

The Federal government gave the National Institute of Standards and Technology (NIST) the role of developing standards to be used by Federal agencies for categorizing information based on risk levels, guidelines for the types of categories to be used, and the minimum information security requirements for the information and information systems in each category.

Federal Information Security and Modernization Act (FISMA) of 2014

The Federal Information Security and Modernization Act (FISMA) of 2014 is a federal law that provides security protections to information collected or maintained by or for a federal agency. FISMA codifies the Department of Homeland Security’s role in administering the implementation of information security policies for Federal Executive Branch civilian agencies, overseeing agencies’ compliance with those policies, and assisting OMB in developing the policies.

This act updates the Federal Government’s cybersecurity practices by:

  • Codifying Department of Homeland Security (DHS) authority to administer the implementation of information security policies for non-national security Federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems;
  • Amending and clarifying the Office of Management and Budget’s (OMB) oversight authority over federal agency information security practices; and by
  • Requiring OMB to amend or revise OMB A-130 to “eliminate inefficient and wasteful reporting.”

An overview of the Department of Homeland Security’s role in administering the implementation of information security policies for Federal Executive Branch civilian agencies, overseeing agencies’ compliance with those policies, and assisting OMB in developing the policies follows. The act:

  • Authorizes DHS to provide operational and technical assistance to other Federal Executive Branch civilian agencies at the agency’s request;
  • Places the federal information security incident center (a function fulfilled by US-CERT) within DHS by law;
  • Authorizes DHS technology deployments to other agencies’ networks (upon those agencies’ request);
  • Directs OMB to revise policies regarding notification of individuals affected by federal agency data breaches;
  • Requires agencies to report major information security incidents as well as data breaches to Congress, as they occur and annually; and
  • Simplifies existing FISMA reporting to eliminate inefficient or wasteful reporting, while adding new reporting requirements for major information security incidents.

Homeland Security Act of 2002

The Homeland Security Act of 2002 became Public Law 107-296 on November 25, 2002. It was established to secure the United States from the many threats it has received or may encounter in the future. To date, there are over 240,000 employees, in jobs ranging from aviation, border security, and emergency response to cybersecurity analyst and chemical facility inspector. The Department of Homeland Security has an expansive role and goals for protecting the nation.

The FISMA metrics leverage the Cybersecurity Framework as a standard for managing and reducing cybersecurity risks, and they are organized around the framework’s five functions: Identify, Protect, Detect, Respond, and Recover. The Cybersecurity Framework, when used in conjunction with NIST’s 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems; 800-39, Managing Information Security Risk: Organization, Mission, and Information System View; and associated standards and guidelines, provides agencies with a comprehensive structure for making more informed, risk-based decisions and managing cybersecurity risks across their enterprise.

The United States Computer Emergency Readiness Team (US-CERT) provides publications/documents to help you with everything from setting up your first computer to understanding the nuances of emerging threats, such as:

  • Banking securely online
  • Introduction to information security
  • Protecting aggregated data
  • Risks of using portable devices
  • Cyber threats to mobile phones