1. Facts, Issues, and Considerations 7 May 2008 Steven Barnett Identity Theft

2. Identity Theft Facts Victims: 8.4 million Total Loss: $49.3 billion Average Loss: $5,720 Average Resolution Time: 25 hours 2007 Identity Fraud Survey Report Javelin Strategy and Research

3. Case Study: TJX Largest theft ever of credit card numbers >45 million CC numbers collected over 18-month period, 2005-2007 450k+ driver’s licenses, SSNs also stolen Potential losses: >$300 million Will take years to discover actual damage The Wall Street Journal May 4, 2007

4. Case Study: TJX Cause: insecure wireless network in a Marshalls' store in St. Paul, Minn. WEP (Wired Equivalent Privacy) protocol Unencrypted transmissions to banks Missing software patches and firewalls The Wall Street Journal May 4, 2007

5. ID Theft Laws 1998: Identity Theft and Assumption Deterrence Act 2004: Identity Theft Penalty Enhancement Act 2005: REAL ID Act 1998: H.R.4151 [105th] 2004: H.R.1731 [108th] 2005: H.R.1268 [109th]

6. REAL ID Analysis Drivers license to have full name, DOB, gender, license number, photo, address, signature, machine-readable technology Database which all other states can access Information includes all of above, plus SSN, driver record H.R.1268 [109th]

7. REAL ID Analysis Potential ID theft: shared database Multiple access points = multiple vulnerabilities Case in point: TJX

8. REAL ID Analysis Potential ID theft: extensive info on cards Gives thieves everything they need Machine-readable = easy to steal data RFID

9. Summary ID theft is still a major problem Technology is a major potential attack vector Government is attempting to minimize ID theft At the same time, introducing laws that might increase it