Global Transaction Services – Cash Management, Trade Services and Finance, Securities and Fund Services
Information Security and Identity Theft
Tim Sheridan, Vice President, Citibank® Commercial Cards
November 28, 2007
Goal and Objectives
• Provide a broad overview of Citi’s fraud and early warning policies and security operations, including a synopsis of strategies to identify fraud
• Provide a synopsis of strategies to identify information security and fraud issues
• Gain a perspective on phishing, e-mail, identity theft, password security, fraud and misuse management
Agenda
• Safeguarding Passwords
• Identity Theft Statistics and Tools
• Citi Fraud Early Warning
• Fraud Types
• Citi’s Fraud Prevention Policy
• Skimming and Other Major Threats
• Prevention Tips
• Fraud Indicators
Safeguarding Your Password
• Passwords are the most common form of protection from unauthorized access
• Change passwords regularly
• Almost half of all online users use the same password for multiple access points
• As an added security benefit, all of Citi’s technology tools have added security measures – Multi-Factor Authentication
  • First-time sign-on requires entering user ID and password
  • Answer 3 of 5 security questions
  • All subsequent log-ons require responding to one of the three questions, chosen at random
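A minimal model of the sign-on flow this slide describes (answer 3 of 5 questions at first sign-on, then one of those three chosen at random on each later log-on), added here as an illustration and not Citi's code; the question bank, the function names and the PBKDF2 parameters are assumptions:

```python
import hashlib
import hmac
import secrets

# Added example, not Citi's code: a minimal model of the slide's "3 of 5 security
# questions" step. The question bank and all names are constructed for illustration.
QUESTION_BANK = [
    "Mother's maiden name?",
    "Name of first pet?",
    "City of birth?",
    "Favorite teacher?",
    "Make of first car?",
]

def _normalize(answer: str) -> str:
    # Case and stray whitespace should not count against the cardholder.
    return " ".join(answer.lower().split())

def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are stored only as salted PBKDF2 hashes, like passwords.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 100_000)

def enroll(chosen: dict) -> dict:
    """First-time sign-on: the cardholder answers exactly three of the five questions.
    Returns the record to store: question index -> (salt, hash)."""
    if len(chosen) != 3 or not set(chosen) <= set(range(len(QUESTION_BANK))):
        raise ValueError("exactly three distinct questions from the bank are required")
    record = {}
    for idx, answer in chosen.items():
        salt = secrets.token_bytes(16)            # fresh salt per answer
        record[idx] = (salt, _hash_answer(answer, salt))
    return record

def challenge(record: dict) -> int:
    """Subsequent log-on: pick one of the three enrolled questions at random."""
    return secrets.choice(sorted(record))

def verify(record: dict, idx: int, answer: str) -> bool:
    """Constant-time comparison of the supplied answer against the stored hash."""
    salt, expected = record[idx]
    return hmac.compare_digest(_hash_answer(answer, salt), expected)
```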
Three Simple Rules to Good Password Management
• Never share passwords
• Change password every 30 – 60 days
• Use passwords that are difficult to guess
  • 1Tr&St2!
  • TrAcY1
  • IiaRd2d (It is a Rainy day 2day)
Ways in Which Identity Can Be Stolen
• Stealing records
• Bribing employees
• Hacking
• Trash/Dumpster diving
• Credit reports
• Skimming
• Theft of wallet/purse
• Change of address forms
• Phishing
Identity Theft Statistics
• Over 9 million Americans have their identity stolen each year
• Industry wide – 686,683 consumer complaints on fraud and identity theft
• Average loss per victim of identity theft is $4,800 and requires 30+ hours to fix credit report
• The Federal Trade Commission’s website is a great resource for tips on how to protect yourself as well as what to do should you be a victim
  • www.FTC.gov
Causes of Known Identity Theft … You are the first line of defense
(chart) Offline: 68.2%; Online: 11.6%
Identity Theft Tools
• Utilize the Federal Trade Commission
  • www.FTC.gov
  • 1-877-FTC-HELP
  • FTC requires businesses to develop and implement appropriate safeguards – including a written information security plan – to protect cardholder information
  • This should be utilized as a “best practice” for colleges and universities to protect staff and students
• Credit Bureau Agencies
  • Review your credit report – one free report available annually
  • All three bureaus provide a free credit report once an individual has reported fraud
  • Credit bureaus will not release your credit history without your approval for 90 days after the report of fraud
Citi Fraud Early Warning
• Identify
  • Lost/stolen
  • Never received reissued or new card
  • Altered
• Monitor transactions
• Reduce fraud losses
• Detect unusual behavior in early stages of fraud while minimizing impact to our cardholders
“Misuse” and “Fraud” Defined
• Misuse
  • Cardholder uses his/her own card for transactions not permitted by NY State policy
• Fraud
  • A person or entity other than the cardholder makes transactions using the cardholder’s account
Fraud Types Definitions
• NRI – Never received reissued or new card
• Lost – Cardholder misplaces / loses card
• Stolen – Cardholder is victim of theft
• Altered/Counterfeit – Cardholder is in possession of card; a copy has been made and used by the criminal (manual vs. skimming)
• Account Takeover – Fraudster is able to assume / obtain personal information in order to request an additional card
Fraud Prevention Interfaces (diagram of the teams involved)
• Fraud Policy / Fraud Management
• Tactical / Strategic Solutions
• Prioritization / Operations
• Formula Development
• Chargeback / Recovery
• Client Account Managers
• Visa / MasterCard
• Fraud Early Warning
• Risk Modeling
• Security Operations
• Commercial Cards
• Associations
Citi Fraud Prevention
Four strategic approaches to fighting fraud…
• Prevention: Stop it before it even occurs – product features, card activation, verification, application process
• Detection: Find the fraudulent activity and reduce potential exposure – formula development, FEW case review, loss defect analysis
• Recovery: Seize recovery opportunity through merchant liability – chargebacks, compliance
• Deterrence: Prevent it from happening again – aggressive field investigation and prosecution effort
Citi Fraud Detection Cycle
• Merchant initiates transaction
• Transaction information is checked against credit and fraud criteria/rules
• If transaction matches fraud criteria, account may be blocked or monitored further
• Accounts with transactions that meet fraud formula criteria (priorities) are sent for further review
• Fraud Early Warning (FEW) representatives review current and past account activity to determine risk and attempt to contact cardholder for verification of account activity
Major Threats – Skimming
• The entire valid magnetic stripe is read or “skimmed” and then reproduced and placed on a counterfeit card
• Relatively easy to do, yet very difficult to detect
• Citi efforts focus on identifying points of compromise (locations) and flagging accounts that have frequented those merchants
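The point-of-compromise approach on this slide, and the "accounts sent for further review" step of the detection cycle above, worked through as an added example (not Citi's fraud system): confirmed-fraud accounts are matched against the merchant locations they share, and other accounts that used a suspect location are flagged for review. The transactions, the fraud list, the thresholds and the look-back window are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Added example, not Citi's fraud system: common-point-of-purchase analysis as the
# slide describes it. Transactions and the fraud list are constructed; the
# thresholds and look-back window are assumptions for illustration.
# Each record: (account, merchant location, transaction date)
TRANSACTIONS = [
    ("A1", "DINER-42", date(2007, 10, 1)),
    ("A1", "GAS-7",    date(2007, 10, 3)),
    ("A2", "DINER-42", date(2007, 10, 2)),
    ("A2", "BOOKS-1",  date(2007, 10, 5)),
    ("A3", "DINER-42", date(2007, 10, 4)),
    ("A3", "GAS-7",    date(2007, 10, 9)),
    ("A4", "DINER-42", date(2007, 10, 6)),   # no fraud reported on A4 yet
    ("A5", "BOOKS-1",  date(2007, 10, 7)),
    ("A6", "GAS-7",    date(2007, 10, 8)),
    ("A7", "DINER-42", date(2007, 6, 1)),    # outside the default look-back window
]
CONFIRMED_FRAUD = {"A1", "A2", "A3"}   # accounts with confirmed counterfeit activity
REVIEW_DATE = date(2007, 10, 15)

def points_of_compromise(txns, fraud_accounts, as_of, lookback_days=60,
                         min_fraud_accounts=3, min_ratio=0.5):
    """Merchants where an unusual share of visiting accounts later reported fraud."""
    start = as_of - timedelta(days=lookback_days)
    visitors = defaultdict(set)
    for acct, merchant, when in txns:
        if start <= when <= as_of:
            visitors[merchant].add(acct)
    suspects = {}
    for merchant, accts in visitors.items():
        hits = len(accts & fraud_accounts)
        ratio = hits / len(accts)
        if hits >= min_fraud_accounts and ratio >= min_ratio:
            suspects[merchant] = (hits, round(ratio, 2))
    return suspects

def accounts_to_flag(txns, compromised, fraud_accounts, as_of, lookback_days=60):
    """Accounts that used a compromised location in the window but have no fraud
    reported yet: candidates for monitoring or a cardholder verification call."""
    start = as_of - timedelta(days=lookback_days)
    exposed = {a for a, m, when in txns if m in compromised and start <= when <= as_of}
    return sorted(exposed - fraud_accounts)
```

With the constructed data, DINER-42 is the only location where three of four visiting accounts are confirmed fraud, and A4 is the account to contact.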
Skimming and Other Major Threats
A credit or debit card is handed over to pay a bill at a restaurant or retail shop. The card is swiped through a legitimate credit machine... The same card is then swiped through a small illegal electronic gadget known as a skimmer. The pager-sized device can "read" and store data from the magnetic stripes of up to 200 cards.
Skimming and Other Major Threats
The skimmer is given to a counterfeiter, who downloads all the information onto a computer and either sends it abroad or runs up a cloned copy of the card. Printing and embossing machines then put the cardholder's credit card details onto blank plastic cards. Another machine is used to create and encode the magnetic stripe on the reverse of the card. Lastly, an appropriate hologram is affixed to the card. The cloned card is then distributed and is out on the streets, ready for use.
ATM Skimming Device
This fraudster is rigging the card reader to capture the card of the next person to use the machine.
ATM Skimming Device
Here the fraudster pretends to render assistance. What he is in fact trying to do is obtain the customer’s PIN now that he has captured the card.
ATM Skimming Device
He convinces the customer that he would be able to retrieve his card if he entered his PIN while he holds down both the “cancel” and “enter” buttons.
Counterfeiting
• Internet, mail/telephone order (MOTO) and true manual/altered counterfeit attacks have increased throughout the industry
• Citi has chargeback protection on the majority of cases
• The use of CVV2/CVC2 (Card Verification Value) helps unless fraudsters become familiar with its use
Phishing and Spoof E-mail
Don’t get hooked… by “phishing”
• “Phishing” and “spoofing” are industry terms for e-mail disguised to look as if it comes from a legitimate source, such as Citi
• The information requested from the recipient is typically used for identity theft
• How to know if e-mail is legitimate
  • You should never be asked to verify account information online
  • Most phishing e-mails contain obvious spelling or grammatical errors
  • If you are unsure of any e-mail that may have been sent by Citi, forward it to email@example.com
Phishing/Spoofing
Never provide account information via an e-mail solicitation
Phishing/Spoofing
Notifications advising of credit balances, especially from foreign countries, are a red flag
Fraud Prevention Tips
• Never leave cards in an unlocked desk or cabinet
• Do not leave receipts/statements/reports unattended
• Be aware of your surroundings when providing card information to another person
• Review your statements/account activity regularly
• Immediately contact the card provider if you do not recognize activity
• Avoid letting merchants take your card out of your line of sight if possible
• Keep your account information current
• Do not keep PIN with card
• Change password(s) frequently
Fraud Prevention Tips – Tips for Program Coordinators
• Internal process to receive cards / distribute to cardholders
• Use the employee’s correct verification when submitting applications
• Never leave new / reissued / canceled cards in an unlocked desk or cabinet
• Do not leave reports / statements lying around
• Report potential compromise immediately to Citigroup
• Assist in educating cardholders that the card is for authorized use only
• Utilize card restrictions (MCC, transaction limits, etc.)
• Report cancelled cards for terminated employees immediately
Misuse Prevention Tips
• Educate cardholders to understand NY State policy in regard to card usage and misuse
• Utilize merchant category code (MCC) restrictions
• Establish transaction limits
• Eliminate or restrict cash access
• Set realistic credit limits
• Use reporting tools to monitor card usage
• Issue cards based on need, versus title
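The controls on this slide (MCC restrictions, transaction limits, cash access, credit limits, usage reporting) expressed as a per-card policy and replayed over a batch of constructed transactions; this is an added illustration, not Citi's authorization code, and the class names, rule names and the sample MCC values are assumptions:

```python
from dataclasses import dataclass, field
# Added example, not Citi's authorization code: the slide's misuse controls (MCC
# restrictions, transaction limits, cash access, credit limit) as a per-card policy.
@dataclass
class CardPolicy:
    credit_limit: float
    per_transaction_limit: float
    blocked_mccs: set = field(default_factory=set)   # merchant category codes denied
    cash_access: bool = False
@dataclass
class Transaction:
    card: str
    amount: float
    mcc: str
    is_cash: bool = False
def authorize(policy, txn, balance):
    """Names of the controls the transaction violates; empty list means approve."""
    reasons = []
    if txn.mcc in policy.blocked_mccs:
        reasons.append("mcc_restricted")
    if txn.amount > policy.per_transaction_limit:
        reasons.append("over_transaction_limit")
    if balance + txn.amount > policy.credit_limit:
        reasons.append("over_credit_limit")
    if txn.is_cash and not policy.cash_access:
        reasons.append("cash_access_disabled")
    return reasons
def usage_report(policies, txns, decline_threshold=2):
    """Replay a batch; cards with repeated declines land on a review list."""
    balance = {card: 0.0 for card in policies}
    declines = {card: [] for card in policies}
    for txn in txns:
        reasons = authorize(policies[txn.card], txn, balance[txn.card])
        if reasons:
            declines[txn.card].append((txn.amount, txn.mcc, reasons))
        else:
            balance[txn.card] += txn.amount     # approved spend accrues
    review = sorted(c for c, d in declines.items() if len(d) >= decline_threshold)
    return {"balance": balance, "declines": declines, "review": review}
# Constructed sample: MCC 7995 (betting) blocked on both cards; C1 has no cash access.
POLICIES = {"C1": CardPolicy(2500.0, 1000.0, {"7995"}, False),
            "C2": CardPolicy(3000.0, 1000.0, {"7995"}, True)}
SAMPLE = [Transaction("C1", 120.0, "5411"),                # grocery: approved
          Transaction("C1", 75.0, "7995"),                 # betting MCC: declined
          Transaction("C1", 200.0, "6011", is_cash=True),  # ATM cash: declined
          Transaction("C1", 2400.0, "5411"),               # over both limits: declined
          Transaction("C2", 1500.0, "5812"),               # over per-transaction limit
          Transaction("C2", 900.0, "5812"), Transaction("C2", 900.0, "5812"),
          Transaction("C2", 900.0, "5812")]                # approved; C2 balance 2700
```

Calling usage_report(POLICIES, SAMPLE) puts only C1 on the review list, with three declines and the reasons recorded for each.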
Preventing Misuse and Fraud – Watch for anomalies
• Missing documents
• Unreturned confirmations
• Unsupported or unapproved adjustments
• Missing approval signatures
• No property records
• Photocopied invoices
• Unusual number of disputes
• Unusual refund activity
• When the data is too perfect
Potential Fraud Indicators – Employee
• Employee is very reluctant to take vacations or even days off
• Employee works long hours of overtime, often without seeking compensation (extra pay or time off in lieu of overtime)
• Long-time employee has strong knowledge of NY State’s internal control systems and is able, due to position or relationships, to override or circumvent internal controls
• Employee is very friendly with other employees, offering gifts, bonuses or travel to encourage cooperation with, or a "blind eye" to, questionable acts
• Employee berates or uses fear or intimidation to force junior employees to do his or her bidding
Potential Fraud Indicators – Employee (continued)
• Employee becomes excessively angry, defensive or forgetful when questioned about State processes, procedures and decisions
• Lifestyle of employee exceeds apparent family resources; living standard more lavish than the lifestyles of employee’s parents or siblings
• Employee caught in a lie about State matters, raising questions about the truthfulness of other assertions
• Employee is rumored to be on close personal terms with certain supplier(s) or client(s), to be the recipient of lavish hospitality from them, or to be in an intimate relationship with them
• Employee expense account is heavily used and higher than for employees with similar responsibilities