540 likes | 671 Views
Session 30. Your Role in Helping FSA Prevent Identity Fraud. Steven Anderson, Christopher Cooper, Kathleen Styles, and Dr. Linda Wilbanks| Nov. 2012 U.S. Department of Education 2012 Fall Conference. OIG Components. Audit Services Investigation Services
E N D
Session 30 Your Role in Helping FSA Prevent Identity Fraud Steven Anderson, Christopher Cooper, Kathleen Styles, and Dr. Linda Wilbanks| Nov. 2012 U.S. Department of Education 2012 Fall Conference
OIG Components • Audit Services • Investigation Services • Evaluation, Inspection, and Management Services • Information Technology Audits and Computer Crime Investigations
Benjamin Franklin “There is no kind of dishonesty into which otherwise good people more easily and frequently fall than that of defrauding the government.”
FRAUD DEFINED • An intentional distortion of the truth in an attempt to obtain something of value. Does not have to result in monetary loss. • Layman’s terms: Lying, cheating, and/or stealing.
ED/OIG Special Agents are Federal Law Enforcement Officers • Special Agents receive training in: • Interviewing/Interrogation • Criminal Law • Civil Law • Program and Contract Fraud • Firearms/Defensive Tactics • Search and Arrest Warrants
IT Audits and Computer Crime Investigations ITACCI centralizes the OIG information technology operational assessment, analysis, and law enforcement capabilities. ITACCI is comprised of three separate divisions, each with a distinct mission. This centralized concept ensures maximum coordination and cooperation both internally and externally.
TCD Mission • Conduct criminal investigations of computer security incidents • On-site technical support and laboratory forensic analysis of digital evidence • Proactive investigative analytics to identify fraudulent, criminal and cyber trends in ED’s programs and systems
TCD Structure TCD centralizes the OIG digital investigations and our support missions for the traditional OIG services. Comprised of three separate units, each with a distinct mission, that support the other units. Staffing: Special Agents (1811) IT Computer Specialists (2210) Investigative Analysts (1805)
The Threat • Actors State Sponsored Organized Cyber Crime Organizations Russian Mafia Traditional Mafia Professional Hackers Spammers Inside Threat Disgruntled Employees • Tools Botnets Keylogger Targeted Viruses Used to create quick one-time-use botnets Also used when specifically targeting a single site or organization The usual Internet attack tools Metasploit, etc.
Examples of What to Report • Compromise of Systems Privileges • Compromise of Information Protected by Law • Unauthorized Access of IT Systems or Data • Exceeding Authorized Access • Denial of Service of Major IT Resources • Malicious Destruction or Modification of data/information
Is Your System a Victim? • Yes? Maybe? Not Sure? • Immediate Reporting is Necessary! • Have the facts • Why you think there is an issue • Date/Time of the Incident • System Information • Location • Type and Purpose of the System • Point of Contact • Actions All Ready Taken
TCD’s Response • Will Work Through the SSO to Preserve the Data and Contain the Incident • May interview end-user • May run several tools to collect live data from the system • Conduct an Analysis of the System, Live Data, Network/Firewall Logs, and other data pertinent to the incident
Social Engineering Social Engineering is the art of prying information out of someone else to obtain access or gain important details about a particular system through the use of deception.
Protecting Others From Identity Theft • Properly handle documents • Shred sensitive information • Use key identifiers instead of the SSN • Password protect sensitive information • Audit access • Review access privileges • Verify who you are talking to
Obtain or take over financial accounts Take out loans for large purchases Open new lines of credit Sign lease agreements Establish services with utility companies Write fraudulent checks Purchase goods and services on the Internet Common Identity Theft Practices
Avoiding Identity Theft Don’t carry your SSN card with you! • Request a drivers license number • Shred sensitive information • Only carry what you use • Photo copy all cards in your wallet • Select hard to guess PINs and passwords • Don’t leave mail sitting in an unprotected box • Don’t give out private information over the phone • Order your credit reports • Use caution when providing ANY sensitive information
Weak controls • Little or no oversight • Lax rules • Debt • Addictions • Status • Greed Opportunity Motivation Fraud Triangle Rationalization • Everyone does it • I was only borrowing the money • I was underpaid and deserve it
Red Flags to Investigators Vices such as substance abuse and gambling Extravagant purchases or lifestyle Lack of documents (the ‘big flood’ destroyed…) Common Addresses (mailing, email, and IP) Pin number and password information the same Personal information that does not fit the norm Bank information that is the same
Fraud Indicators • One person in control • No separation of duties • Lack of internal controls/ignoring controls • No prior audits • High turnover of personnel • Unexplained entries in records • Unusually large amounts of payments for cash • Inadequate or missing documentation • Altered records • Non-serial number transactions • Inventories and financial records not reconciled • Unauthorized transactions • Related Party Transaction • Repeat audit findings
Sources of Allegations • OIG Hotline • ED Program Offices • School Employees and Officials • Guarantee Agencies • Citizens and Students • Competing Vendors/Schools • Other Federal Agencies • U.S. Attorney’s Offices • Other ED OIG Investigations • Federal Bureau of Investigation • State and Local Education Agencies
Examples of Title IV Fraud Schemes • Leasing of eligibility • Loan theft/ forgeries • Fraud/Theft by School Employees • Default rate fraud • 90/10 rule • Financial statement falsification • ATB fraud • Falsified last date of attendance • Obstruction of a federal audit or program review • FAFSA fraud- enrollment • Falsification of entrance exams • Falsification of GEDs/HS Diplomas • Falsification of attendance • Falsification of grades • Failure to make refunds • Ghost students
Link to OIG’s Distance Education Fraud Ring Investigative Program Advisory Report (IPAR) • http://www2.ed.gov/about/offices/list/oig/invtreports/l42l0001.pdf Information for Financial Aid Professionals (IFAP) website: • http://www.ifap.ed.gov/ifap/index.jsp Dear Colleague Letter GEN-11-17: • http://www.ifap.ed.gov/dpcletters/GEN1117.html Presentation on the IPAR provided at last year’s conference in Las Vegas.
IPAR/Dear Colleague Letter On September 26, 2011, the Department’s IG issued a report about fraud rings operating on distance education programs offered by institutions participating in the Federal student aid programs. The IG’s report identified an increasing number of cases involving large, loosely affiliated groups of individuals (fraud rings) who conspire to defraud Title IV programs through distance education programs. These fraud rings generally target institutions with low tuition in the context of distance education programs and involve a ringleader who:
IPAR/Dear Colleague Letter • Obtains identifying information from straw students “individuals who willingly provide the information” • Completes multiple financial aid applications using the information collected • Applies for admission under the institution’s open admissions program, where little or no third-party documentation is required • Participates in the amount of online interaction necessary to establish participation in the academic program and secure disbursements under an institution’s procedures
IPAR/Dear Colleague Letter Detecting fraud before funds have been disbursed is the best way to combat this crime. We therefore seek the help of institutions and advise that you take the following additional actions to identify and prevent the kind of student aid fraud identified in the IG’s report: Implement automated protocols that monitor information in your student information data system to identify instances where a number of students –
IPAR/Dear Colleague Letter • Use the same Internet Protocol (IP) address to complete and submit an admissions application • Use the same IP address to participate in the online academic program • Use the same e-mail address to submit an admissions application • Use the same e-mail address to participate in the online academic program • Appear to reside in a geographic location that is anomalous to the locations of most students in the program
IPAR/Dear Colleague Letter Modify your disbursement rules for students participating exclusively in distance learning programs, which would immediately reduce the amount that fraud ring participants can receive. Institutions have the authority to: • Delay disbursement of Title IV funds until the student has participated in the distance education program for a longer and more substantiated period of time (e.g., until an exam has been given, completed, and graded or a paper has been submitted) • Make more frequent disbursements of Title IV funds so that not all of the payment period’s award is disbursed at the beginning of the period
Who Commits Fraud Involving Education Funds? • School Employees, Officials, Owners, Financial Managers, and Instructors • Lenders and lender servicers • Guarantee Agencies • Award Recipients • Grantees and Contractors • ED Employees • Others
How You Can Help • Ensure that staff receive necessary training • Review documents thoroughly • Question documents/Verify authenticity • Request additional information from the vendors or administration • Compare information on different documents • Contact ED-OIG • A Guide to Grant Oversight and Best Practices for Combating Grant Fraud http://www.usdoj.gov/oig/special/s0902a/ final.pdf
Don’t Try To Investigate Suspicious Activity Yourself! You may have the missing piece of the puzzle we need!
Who is Responsible for Reporting Fraud? • Everyone who deals with DoED funding has a responsibility to help control fraud.
34 CFR § 668.16 Standards of Administrative Capability The Secretary considers an institution to have administrative capability if the institution: g)…Refers to the Office of Inspector General…any credible information indicating that an applicant for Title IV, HEA program assistance may have engaged in fraud or other criminal misconduct in connection with his or her application Reporting obligation further applies to fraud on the part of employees, third party servicers or other agents of the institution.
Why Report Fraud? • Ethical responsibility • To deter others from committing fraud and abuse • To protect the integrity of the Federal, State, and Local programs • To avoid being part of the fraudulent/criminal activities
Criminal Liability • 18 U.S.C. § 2, Aiding and Abetting Whoever commits an offense against the United States or aids, abets, counsels, commands, induces or procures its commission, is punishable as a principal. • 18 U.S.C. § 4, Misprision of a Felony Whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years, or both.
1-800-MIS-USED Inspector General’s Hotline http://www2.ed.gov/about/offices/list/oig/hotline.html
Privacy at ED – Who Does What • Establishment of CPO position, 2011 • FSA has a privacy advocate too • Privacy and security – what’s the difference? • The Inspector General’s Office focuses on fraud and criminal activity
College and Universities -- Targets • Current student and alumni information • Data widely distributed across campus • Hackers seek diverse information • The dawn of “Big Data” just makes this easier Remember: breaches can be the result of negligence and poor data management, as well as criminal activity.
Breach Reporting Do you need to report your breaches? To whom? • Your Participation Agreement “strongly encourages” breach reporting to FSA • FPCO (Family Policy Compliance Office) encourages reporting to FPCO • The majority of states have laws on SSN and breach reporting
What Is ED Doing to Help? The Privacy Technical Assistance Center (PTAC) offers: • Resources • Technical Assistance • Site Visits
Available PTAC Resources You can find a variety of resources on the PTAC website, including: • Checklist: Data Breach Response • Checklist: Data Governance • Issue Brief: Data Security and Management Training: Best Practice Considerations • Technical Brief # 2: Data Stewardship: Managing Personally Identifiable Information in Student Education Records www.ed.ptac.gov
FSA Information Security Group Dr. Linda Wilbanks • Ensure the security of FSA data at rest and in transport • Ensure the security of the FSA networks • If a breach or intrusion occurs • Determine point of entry and ensure it is closed • Determine if/what data lost • Report FSA data compromises to the DoED • Work to estimate the risk to data owners Monitor and identify trends
Threats Student Co-worker Insider threat Foreign actor
Threat - Intrusions • Worms • Trojans • Viruses • Penetrations CORE
Threat – Preventive Measures • Firewalls • Control entry • Monitor traffic • Scan and fix (Patch) new vulnerabilities • Two-factor authentication CORE
Incidents by Type and # Records BreachedFederal Government 2009-2010
User Vulnerabilities • Personal devices • Not patched • Internet connections – social media • Not scanned for virus, etc. • Thumb drives – FREE!! • Not really, always have file attached for promotion • Never know what else is on thumb drive • Easily lost