Information Security and Identity Theft
Tim Sheridan, Vice President, Citibank® Commercial Cards
November 28, 2007
Global Transaction Services
Cash Management | Trade Services and Finance | Securities and Fund Services

2 Goal and Objectives
– Provide a broad overview of Citi's fraud and early warning policies and security operations, including a synopsis of strategies to identify fraud
– Provide a synopsis of strategies to identify information security and fraud issues
– Gain a perspective on phishing, e-mail, identity theft, password security, fraud and misuse management

3 Agenda
– Safeguarding Passwords
– Identity Theft Statistics and Tools
– Citi Fraud Early Warning
– Fraud Types
– Citi's Fraud Prevention Policy
– Skimming and Other Major Threats
– Prevention Tips
– Fraud Indicators

4 Safeguarding Your Password
– Passwords are the most common form of protection from unauthorized access
– Change passwords regularly
– Almost half of all online users utilize the same password for multiple access points
– As an added security benefit, all of Citi's technology tools have added security measures: Multi-Factor Authentication
   – First-time sign-on requires entering user ID and password
   – Answer 3 of 5 security questions
   – All subsequent logons require responding to one of the three random questions

5 Three Simple Rules to Good Password Management
– Never share passwords
– Change password every 30–60 days
– Use passwords that are difficult to guess
   – 1Tr&St2!
   – TrAcY1
   – IiaRd2d (It is a Rainy day 2 day)

6 Something to Think About…

7 Ways in Which Identity Can Be Stolen
– Stealing records
– Bribing employees
– Hacking
– Trash/Dumpster Diving
– Credit Reports
– Skimming
– Theft of wallet/purse
– Change of Address forms
– Phishing

8 Identity Theft Statistics
– Over 9 million Americans have their identity stolen each year
– Industry-wide: 686,683 consumer complaints on fraud and identity theft
– Average loss per victim of identity theft is $4,800 and requires 30+ hours to fix credit report
– The Federal Trade Commission's website is a great resource for tips on how to protect yourself as well as what to do should you be a victim

9 Causes of Known Identity Theft
– Offline 68.2%
– Online 11.6%
– …
You are the first line of defense

10 Identity Theft Tools
– Utilize the Federal Trade Commission
   – www.FTC.gov
   – 1-877-FTC-HELP
   – FTC requires businesses to develop and implement appropriate safeguards, including a written information security plan, to protect cardholder information
– This should be utilized as a best practice for colleges and universities to protect staff and students
– Credit Bureau Agencies
   – Review your credit report: one free report available annually
   – All three bureaus provide free credit report once an individual has reported fraud
   – Credit bureaus will not release your credit history without your approval for 90 days after the report of fraud

11 Citi Fraud Early Warning
– Identify
   – Lost/stolen
   – Never received reissued or new card
   – Altered
– Monitor transactions
– Reduce fraud losses
– Detect unusual behavior in early stages of fraud while minimizing impact to our cardholders

12 Misuse and Fraud Defined
– Misuse
   – Cardholder uses his/her own card for transactions not permitted by NY State policy
– Fraud
   – A person or entity other than the cardholder makes transactions using the cardholder's account

13 Fraud Types: Definitions
– NRI: Never received reissued or new card
– Lost: Cardholder misplaces / loses card
– Stolen: Cardholder is victim of theft
– Altered / Counterfeit: Cardholder is in possession of card; a copy has been made and used by the criminal. Manual vs. skimming
– Account Takeover: Fraudster is able to assume / obtain personal information in order to request an additional card

14 Fraud Prevention Interfaces
Fraud Policy / Fraud Management Tactical / Strategic Solutions Prioritization / Operations Fraud Early Warning Formula Development Risk Modeling Chargeback / Recovery Security Operations Client Account Managers Commercial Cards Visa / MasterCard Associations

15 Citi Fraud Prevention
Four strategic approaches to fighting fraud…
– Prevention: Stop it before it even occurs
   – Product features, card activation, verification, application process
– Detection: Find the fraudulent activity and reduce potential exposure
   – Formula development, FEW case review, loss defect analysis
– Recovery: Seize recovery opportunity through merchant liability
   – Chargebacks, compliance
– Deterrence: Prevent it from happening again
   – Aggressive field investigation and prosecution effort

16 Citi Fraud Detection Cycle
– Merchant initiates transaction
– Transaction information is checked against credit and fraud criteria/rules
– If transaction matches fraud criteria, account may be blocked or monitored further
– Accounts with transactions that meet fraud formula criteria (priorities) are sent for further review
– Fraud Early Warning (FEW) representatives review current and past account activity to determine risk and attempt to contact cardholder for verification of account activity

17 Major Threats: Skimming
– The entire valid magnetic strip is read or skimmed and then reproduced and placed on a counterfeit card
– Relatively easy to do, yet very difficult to detect
– Citi efforts focus on identifying points of compromise (locations) and flagging accounts that have frequented those merchants
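
The point-of-compromise approach on slide 17 can be sketched as follows. This is an added example, not Citi's fraud formulas or code from the presentation: the account and merchant names, the data and both thresholds are constructed, and the "lift" score (share of confirmed-fraud accounts among a merchant's visitors, relative to the share in the whole population) is one common heuristic chosen here for illustration.

```python
from collections import defaultdict

# Constructed sample: (account_id, merchant) card-present purchases in a lookback window.
TRANSACTIONS = [
    ("A1", "Bistro 12"), ("A2", "Bistro 12"), ("A3", "Bistro 12"),
    ("A4", "Bistro 12"), ("A5", "Bistro 12"),
    ("A1", "Grocer"), ("A2", "Grocer"), ("A3", "Grocer"), ("A4", "Grocer"),
    ("A5", "Grocer"), ("A6", "Grocer"), ("A7", "Grocer"), ("A8", "Grocer"),
    ("A1", "Fuel Stop"), ("A6", "Fuel Stop"),
    ("A7", "Bookshop"), ("A8", "Bookshop"),
]
# Constructed: accounts where counterfeit use has already been confirmed.
CONFIRMED_COUNTERFEIT = {"A1", "A2", "A3"}


def points_of_compromise(transactions, fraud_accounts, min_fraud=2, min_lift=1.5):
    """Return {merchant: lift} for merchants over-represented among fraud accounts."""
    visitors = defaultdict(set)
    for account, merchant in transactions:
        visitors[merchant].add(account)
    all_accounts = set().union(*visitors.values()) if visitors else set()
    known_fraud = fraud_accounts & all_accounts
    if not all_accounts or not known_fraud:
        return {}  # nothing to compare against
    baseline = len(known_fraud) / len(all_accounts)
    suspects = {}
    for merchant, accounts in visitors.items():
        hit = accounts & fraud_accounts
        if len(hit) < min_fraud:
            continue  # a single shared merchant is coincidence, not a pattern
        # A merchant everyone visits has lift near 1.0 and is filtered out here.
        lift = (len(hit) / len(accounts)) / baseline
        if lift >= min_lift:
            suspects[merchant] = round(lift, 2)
    return suspects


def accounts_to_flag(transactions, fraud_accounts, suspects):
    """Accounts with no confirmed fraud yet that used a suspected merchant."""
    return sorted({a for a, m in transactions
                   if m in suspects and a not in fraud_accounts})


if __name__ == "__main__":
    suspects = points_of_compromise(TRANSACTIONS, CONFIRMED_COUNTERFEIT)
    print("Suspected points of compromise:", suspects)
    print("Accounts to monitor or reissue:",
          accounts_to_flag(TRANSACTIONS, CONFIRMED_COUNTERFEIT, suspects))
```

The popular "Grocer" is visited by every fraud account but also by everyone else, so it is not flagged; only the merchant where fraud accounts are concentrated is.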

18 Skimming and Other Major Threats
– A credit or debit card is handed over to pay for a bill at a restaurant or retail shop.
– The card is swiped through a legitimate credit machine...
– The same card is then swiped through a small illegal electronic gadget known as a skimmer.
– The pager-sized device can "read" and store data from the magnetic strips of up to 200 cards.

19 Skimming and Other Major Threats
– The skimmer is given to a counterfeiter who downloads all the information onto a computer and either sends it abroad or runs up a cloned copy of the card.
– Printing and embosser machines then put the card holder's credit card details onto blank plastic cards.
– Another machine is used to create and encode the magnetic strip on the reverse of the card.
– Lastly, an appropriate hologram is affixed to the card.
– A cloned card is then distributed and out on the streets ready for use.

20 Skimming Device

21 ATM Skimming Device
This fraudster is rigging the card reader to capture the card of the next person to use the machine.

22 ATM Skimming Device
Here the fraudster pretends to render assistance. What he is in fact trying to do is obtain the customer's PIN now that he has captured the card.

23 ATM Skimming Device
He convinces the customer that he would be able to retrieve his card if he entered his PIN while he holds down both the cancel and enter buttons.

24 Counterfeiting
– Internet, mail/telephone order (MOTO) and true manual/altered counterfeit attacks have increased throughout the industry
– Citi has chargeback protection on the majority of cases
– The use of CVV2/CVC2 (Card Verification Value) helps unless fraudsters become familiar with its use

25 Don't get hooked…by phishing
Phishing and Spoof
– Phishing and spoofing are industry terms for e-mail disguised to look as if it comes from a legitimate source, such as Citi
– The information requested from the recipient is typically used for identity theft
– How to know if e-mail is legitimate
   – You should never be asked to verify account information online
   – Most phishing e-mails contain obvious spelling or grammatical errors
   – If you are unsure of any e-mail that may have been sent by Citi, forward it to

26 Phishing/Spoofing
Never provide account information via an e-mail solicitation

27 Phishing/Spoofing
Notifications advising of credit balances, especially from foreign countries, are a red flag

28 Fraud Prevention Tips
– Never leave cards in an unlocked desk or cabinet
– Do not leave receipts/statements/reports unattended
– Be aware of your surroundings when providing card information to another person
– Review your statements/account activity regularly
– Immediately contact the card provider if you do not recognize activity
– Avoid letting merchants take your card out of your line of sight if possible
– Keep your account information current
– Do not keep PIN with card
– Change password(s) frequently

29 Fraud Prevention Tips: Tips for Program Coordinators
– Internal process to receive cards / distribute to cardholders
– Use employee's correct verification when submitting applications
– Never leave new / reissued / canceled cards in an unlocked desk or cabinet
– Do not leave reports / statements lying around
– Report potential compromise immediately to Citigroup
– Assist in educating cardholders that the card is for authorized use only
– Utilize card restrictions (MCC, Transaction Limits, etc.)
– Report cancelled cards for terminated employees immediately

30 Misuse Prevention Tips
– Educate cardholders to understand NY State policy in regards to card usage and misuse
– Utilize merchant category code restrictions
– Establish transaction limits
– Eliminate or restrict cash access
– Set realistic credit limits
– Use reporting tools to monitor card usage
– Issue cards based on need, versus title

31 Preventing Misuse and Fraud
– Missing Documents
– Unreturned Confirmations
– Unsupported or Unapproved Adjustments
– Missing approval signatures
– No property records
– Photocopied invoices
– Unusual Number of Disputes
– Unusual refund activity
– When the Data is too perfect
– Watch for anomalies

32 Potential Fraud Indicators – Employee
– Employee is very reluctant to take vacations or even days off
– Employee works long hours of overtime, often without seeking compensation (extra pay or time off in lieu of overtime)
– Long-time employee has strong knowledge of NY State's internal control systems and is able, due to position or relationships, to override or circumvent internal controls
– Employee is very friendly with other employees, offering gifts or bonuses or travel to encourage cooperation with or "blind eye" to questionable acts
– Employee berates or uses fear or intimidation to force junior employees to do his or her bidding

33 Potential Fraud Indicators – Employee
– Employee becomes excessively angry, defensive or forgetful when questioned about State process, procedures and decisions
– Life-style of employee exceeds apparent family resources; living standard more lavish than lifestyles of employee's parents or siblings
– Employee caught in a lie about State matters, raising questions about truthfulness of other assertions
– Employee, for certain supplier(s) or client(s), is rumored to be on close personal terms or to be recipient of lavish hospitality or in an intimate relationship
– Employee expense account is heavily used and higher than for employees with similar responsibilities