
Information Security and Identity Theft Tim Sheridan Vice President Citibank ® Commercial Cards November 28, 2007



Presentation Transcript

  1. Global Transaction Services Cash Management Trade Services and Finance Securities and Fund Services Information Security and Identity Theft Tim Sheridan Vice President Citibank® Commercial Cards November 28, 2007

  2. Goal and Objectives • Provide a broad overview of Citi’s fraud and early warning policies and security operations, including a synopsis of strategies to identify fraud • Provide a synopsis of strategies to identify information security and fraud issues • Gain a perspective on phishing, e-mail, identity theft, password security, fraud and misuse management

  3. Agenda • Safeguarding Passwords • Identity Theft Statistics and Tools • Citi Fraud Early Warning • Fraud Types • Citi’s Fraud Prevention Policy • Skimming and Other Major Threats • Prevention Tips • Fraud Indicators

  4. Safeguarding Your Password • Passwords are the most common form of protection from unauthorized access • Change passwords regularly • Almost half of all online users utilize the same password for multiple access points • As an added security benefit, all of Citi’s technology tools have added security measures – Multi-Factor Authentication • First time sign-on requires entering user ID and password • Answer 3 of 5 security questions • All subsequent logons require responding to one of the three random questions

  5. Three Simple Rules to Good Password Management • Never share passwords • Change password every 30 – 60 days • Use passwords that are difficult to guess • 1Tr&St2! • TrAcY1 • IiaRd2d (It is a Rainy day 2day)

  6. Something to Think About…..

  7. Ways in Which Identity Can Be Stolen • Stealing records • Bribing employees • Hacking • Trash/Dumpster Diving • Credit Reports • Skimming • Theft of wallet/purse • Change of Address forms • Phishing

  8. Identity Theft Statistics • Over 9 million Americans have their identity stolen each year • Industry wide – 686,683 consumer complaints on fraud and identity theft • Average loss per victim of identity theft is $4,800 and requires 30+ hours to fix credit report • The Federal Trade Commission’s website is a great resource for tips on how to protect yourself as well as what to do should you be a victim • www.FTC.gov

  9. Causes Of Known Identity Theft … You are the first line of defense • Offline: 68.2% • Online: 11.6%

  10. Identity Theft Tools • Utilize the Federal Trade Commission • www.FTC.gov • 1-877-FTC-HELP • FTC requires businesses to develop and implement appropriate safeguards – including a written information security plan – to protect cardholder information • This should be utilized as a “best practice” for colleges and universities to protect staff and students • Credit Bureau Agencies • Review your credit report – one free report available annually • All three bureaus provide free credit report once an individual has reported fraud • Credit bureaus will not release your credit history without your approval for 90 days after the report of fraud

  11. Citi Fraud Early Warning • Identify • Lost/stolen • Never received reissued or new card • Altered • Monitor transactions • Reduce fraud losses • Detect unusual behavior in early stages of fraud while minimizing impact to our cardholders

  12. “Misuse” and “Fraud” Defined • Misuse • Cardholder uses his/her own card for transactions not permitted by NY State policy • Fraud • A person or entity other than the cardholder makes transactions using the cardholder’s account

  13. Fraud Types and Definitions • NRI: Never received reissued or new card • Lost: Cardholder misplaces / loses card • Stolen: Cardholder is victim of theft • Altered/Counterfeit: Cardholder is in possession of card; a copy has been made and used by the criminal. Manual vs. Skimming • Account Takeover: Fraudster is able to assume / obtain personal information in order to request an additional card

  14. Fraud Prevention Interfaces • Fraud Policy / Fraud Management • Tactical / Strategic Solutions • Prioritization / Operations • Formula Development • Chargeback / Recovery • Client Account Managers • Visa / MasterCard • Fraud Early Warning • Risk Modeling • Security Operations • Commercial Cards • Associations

  15. Citi Fraud Prevention Four strategic approaches to fighting fraud… • Prevention: Stop it before it even occurs (product features, card activation, verification, application process) • Detection: Find the fraudulent activity and reduce potential exposure (formula development, FEW case review, loss defect analysis) • Recovery: Seize recovery opportunity through merchant liability (chargebacks, compliance) • Deterrence: Prevent it from happening again (aggressive field investigation and prosecution effort)

  16. Citi Fraud Detection Cycle • Merchant initiates transaction • Transaction information is checked against credit and fraud criteria/rules • If transaction matches fraud criteria, account may be blocked or monitored further • Accounts with transactions that meet fraud formula criteria (priorities) are sent for further review • Fraud Early Warning (FEW) representatives review current and past account activity to determine risk and attempt to contact cardholder for verification of account activity

  17. Major Threats Skimming • The entire valid magnetic strip is read or “skimmed” and then reproduced and placed on a counterfeit card • Relatively easy to do, yet very difficult to detect • Citi efforts focus on identifying points of compromise (locations) and flagging accounts that have frequented those merchants

  18. Skimming and Other Major Threats A credit or debit card is handed over to pay for a bill at a restaurant or retail shop. The card is swiped through a legitimate credit machine... The same card is then swiped through a small illegal electronic gadget known as a skimmer. The pager-sized device can "read" and store data from the magnetic strips of up to 200 cards.

  19. Skimming and Other Major Threats The skimmer is given to a counterfeiter who downloads all the information onto a computer and either sends it abroad or runs up a cloned copy of the card. Printing and embosser machines then put the card holder's credit card details onto blank plastic cards. Another machine is used to create and encode the magnetic strip on the reverse of the card. Lastly an appropriate hologram is affixed to the card. A cloned card is then distributed and out on the streets ready for use.

  20. Skimming Device

  21. ATM Skimming Device This fraudster is rigging the card reader to capture the card of the next person to use the machine

  22. ATM Skimming Device Here the fraudster pretends to render assistance. What he is in fact trying to do is obtain the customer’s PIN now that he has captured the card.

  23. ATM Skimming Device He convinces the customer that he would be able to retrieve his card if he entered his PIN while he holds down both the “cancel” and “enter” buttons.

  24. Counterfeiting • Internet, mail/telephone order (MOTO) and true manual/altered counterfeit attacks have increased throughout the industry • Citi has chargeback protection on the majority of cases • The use of CVV2/CVC2 (Card Verification Value) helps unless fraudsters become familiar with its use

  25. Phishing and Spoof E-mail Don’t get hooked…by “phishing” • “Phishing” and “spoofing” are industry terms for e-mail disguised to look as if it comes from a legitimate source, such as Citi • The information requested from the recipient is typically used for identity theft • How to know if e-mail is legitimate • You should never be asked to verify account information online • Most phishing e-mails contain obvious spelling or grammatical errors • If you are unsure of any e-mail that may have been sent by Citi, forward it to submitphishing@citigroup.com

  26. Phishing/Spoofing Never provide account information via an email solicitation

  27. Phishing/Spoofing Notifications advising of credit balances, especially from foreign countries are a red flag

  28. Fraud Prevention Tips • Never leave cards in an unlocked desk or cabinet • Do not leave receipts/statements/reports unattended • Be aware of your surroundings when providing card information to another person • Review your statements/account activity regularly • Immediately contact the card provider if you do not recognize activity • Avoid letting merchants take your card out of your line of sight if possible • Keep your account information current • Do not keep PIN with card • Change password(s) frequently

  29. Fraud Prevention Tips Tips for Program Coordinators • Internal process to receive cards / distribute to cardholders • Use employee’s correct verification when submitting applications • Never leave new / reissued / canceled cards in an unlocked desk or cabinet • Do not leave reports / statements lying around • Report potential compromise immediately to Citigroup • Assist in educating cardholders that the card is for authorized use only • Utilize card restrictions (MCC, Transaction Limits, etc) • Report cancelled cards for terminated employees immediately

  30. Misuse Prevention Tips • Educate cardholders to understand NY State policy in regards to card usage and misuse • Utilize merchant category code restrictions • Establish transaction limits • Eliminate or restrict cash access • Set realistic credit limits • Use reporting tools to monitor card usage • Issue cards based on need, versus title

  31. Preventing Misuse and Fraud Watch for anomalies • Missing Documents • Unreturned Confirmations • Unsupported or Unapproved Adjustments • Missing approval signatures • No property records • Photocopied invoices • Unusual Number of Disputes • Unusual refund activity • When the Data is too perfect

  32. Potential Fraud Indicators – Employee • Employee is very reluctant to take vacations or even days off • Employee works long hours of overtime, often without seeking compensation (extra pay or time off in lieu of overtime) • Long-time employee has strong knowledge of NY State’s internal control systems and is able, due to position or relationships, to override or circumvent internal controls • Employee is very friendly with other employees, offering gifts or bonuses or travel to encourage cooperation with or "blind eye" to questionable acts • Employee berates or uses fear or intimidation to force junior employees to do his or her bidding

  33. Potential Fraud Indicators – Employee • Employee becomes excessively angry, defensive or forgetful when questioned about State process, procedures and decisions • Life-style of employee exceeds apparent family resources; living standard more lavish than lifestyles of employee’s parents or siblings • Employee caught in a lie about State matters, raising questions about truthfulness of other assertions • Employee, for certain supplier(s) or client(s) is rumored to be on close personal terms or to be recipient of lavish hospitality or in an intimate relationship • Employee expense account is heavily used and higher than for employees with similar responsibilities

  34. © 2007 Citigroup Inc. All rights reserved.
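
The point-of-compromise approach from slide 17 (find the location where skimmed cards were used, then flag other accounts that frequented it), sketched as an added example that is not code from the presentation or from Citi. The transactions, confirmation days, thresholds and function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: (account, merchant, day) card-present transactions.
TRANSACTIONS = [
    ("A1", "Grocer", 1), ("A1", "Bistro 9", 3), ("A1", "Fuel Stop", 5),
    ("A2", "Bistro 9", 4), ("A2", "Grocer", 6),
    ("A3", "Bistro 9", 2), ("A3", "Bookshop", 7),
    ("B1", "Grocer", 2), ("B1", "Fuel Stop", 4),
    ("B2", "Grocer", 3), ("B2", "Bistro 9", 5),
    ("B3", "Grocer", 1), ("B3", "Bookshop", 6),
    ("B4", "Fuel Stop", 2), ("B4", "Grocer", 8),
]
# Constructed: account -> day on which counterfeit use was confirmed.
FRAUD_CONFIRMED = {"A1": 10, "A2": 11, "A3": 12}


def find_points_of_compromise(transactions, fraud_confirmed,
                              lookback=30, min_cases=3, min_lift=2.0):
    """Return {merchant: lift} for merchants over-represented among victims."""
    visited = defaultdict(set)   # merchant -> every account seen there
    exposed = defaultdict(set)   # merchant -> victims seen there before fraud
    accounts = set()
    for account, merchant, day in transactions:
        accounts.add(account)
        visited[merchant].add(account)
        confirmed = fraud_confirmed.get(account)
        if confirmed is not None and confirmed - lookback <= day < confirmed:
            exposed[merchant].add(account)
    victims_total = set(fraud_confirmed)
    n_clean = len(accounts - victims_total)
    suspects = {}
    for merchant, victims in exposed.items():
        if len(victims) < min_cases:
            continue  # too few cases to separate from coincidence
        victim_rate = len(victims) / len(victims_total)
        clean_rate = len(visited[merchant] - victims_total) / n_clean if n_clean else 0.0
        # Floor the baseline so a merchant with no clean visitors cannot divide by zero.
        lift = victim_rate / max(clean_rate, 1 / (n_clean + 1))
        if lift >= min_lift:
            suspects[merchant] = round(lift, 2)
    return suspects


def accounts_to_flag(transactions, fraud_confirmed, merchants):
    """Accounts not yet reported as fraud that used a suspected merchant."""
    return sorted({a for a, m, _ in transactions
                   if m in merchants and a not in fraud_confirmed})
```

The lift test is what keeps a merchant that nearly every cardholder uses ("Grocer" in the sample) from being reported just because the victims shopped there too.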
