Presentation is loading. Please wait.

Presentation is loading. Please wait.

Global Transaction Services

Similar presentations

Presentation on theme: "Global Transaction Services"— Presentation transcript:

1 Global Transaction Services
Cash Management Trade Services and Finance Securities and Fund Services Information Security and Identity Theft Tim Sheridan Vice President Citibank® Commercial Cards November 28, 2007

2 Goal and Objectives Provide a broad overview of Citi’s fraud and early warning policies and security operations, including a synopsis of strategies to identify fraud Provide a synopsis of strategies to identify information security and fraud issues Gain a perspective on phishing, , identity theft, password security, fraud and misuse management We will discuss Citi’s Fraud Early Warning. We will define our fraud types to help you understand our strategies. We will discuss our strategies for identifying fraud. We will discuss the difference between fraud and misuse. And we will help you to determine potential misuse by your cardholders.

3 Agenda Safeguarding Passwords Identity Theft Statistics and Tools
Citi Fraud Early Warning Fraud Types Citi’s Fraud Prevention Policy Skimming and Other Major Threats Prevention Tips Fraud Indicators

4 Safeguarding Your Password
Passwords are the most common form of protection from unauthorized access Change passwords regularly Almost half of all online users utilize the same password for multiple access point As an added security benefit, all of Citi’s technology tools have added security measures – Multi-Factor Authentication First time sign-on requires entering user ID and password Answer 3 of 5 security questions All subsequent log ons require responding to one of the three random questions As employees, we are accountable for all activity associated with our user IDs and passwords

5 Three Simple Rules to Good Password Management
Never share passwords Change password every 30 – 60 days Use passwords that are difficult to guess 1Tr&St2! TrAcY1 IiaRd2d (It is a Rainy day 2 day)

6 Something to Think About…..
Depending on the complexity of your password, this is the typical time it takes for a hacker to get your password

7 Ways in Which Identity Can Be Stolen
Stealing records Bribing employees Hacking Trash/Dumpster Diving Credit Reports Skimming Theft of wallet/purse Change of Address forms Phishing

8 Identity Theft Statistics
Over 9 million Americans have their identity stolen each year Industry wide – 686,683 consumer complaints on fraud and identity theft Average loss per victim of identity theft is $4,800 and requires 30+ hours to fix credit report The Federal Trade Commission’s website is a great resource for tips on how to protect yourself as well as what to do should you be a victim

9 Causes Of Known Identity Theft
… You are the first line of defense Offline 68.2% Online 11.6% 2006 Study shows that Consumers’ preventative measures can affect the majority of fraud cases To perpetrate a fraud, the criminal first has to access the consumer’s private information. This is referred to as an “information breach.” Of the cases where the source of information breach was known, 63% were initiated by breaches of information that were within the consumer’s control. These fell into four major categories: 30% lost or stolen wallets, credit/debit cards and checkbooks, 15% trusted associates, i.e., friends, family, in-home employees and neighbors, 9% stolen mail or garbage and 9% home computers (hacking, viruses and phishing). Fraud amounts from these cases encompass 73% of the total fraud amount or $41.5 billion Businesses as a source of information breach account for 30% of cases: data breaches (6%), fraudulent transaction processing (7%) and employee malfeasance (15%).

10 Identity Theft Tools Utilize the Federal Trade Commission
1-877-FTC-HELP FTC requires businesses to develop and implement appropriate safeguards – including a written information security plan – to protect cardholder information This should be utilized as a “best practice” for colleges and universities to protect staff and students Credit Bureau Agencies Review your credit report – one free report available annually All three bureaus provide free credit report once an individual has reported fraud Credit bureaus will not release your credit history without your approval for 90 days after the report of fraud

11 Citi Fraud Early Warning
Identify Lost/stolen Never received reissued or new card Altered Monitor transactions Reduce fraud losses Detect unusual behavior in early stages of fraud while minimizing impact to our cardholders FEW reviews indicators to determine specific fraud losses. This done through formula development by our Risk Modeling group. Reviewing existing fraud trends and patterns found in other portfolios.

12 “Misuse” and “Fraud” Defined
Cardholder uses his/her own card for transactions not permitted by NY State policy Fraud A person or entity other than the cardholder makes transactions using the cardholder’s account If the card member authorized the transactions and later denies them, we consider this misuse. Later we will discuss how to help you identify misuse within your university. If the card member did not authorize charges, we consider these transactions fraud.

13 Cardholder is victim of theft
Fraud Types Definitions NRI Never received reissued or new card Lost Cardholder misplaces / loses card Stolen Cardholder is victim of theft Cardholder is in possession of card; a copy has been made and used by the criminal. Manual vs. Skimming Altered/ Counterfeit Account Takeover Fraudster is able to assume / obtain personal information in order to request an additional card

14 Fraud Prevention Interfaces
Fraud Policy / Fraud Management Tactical / Strategic Solutions Prioritization/ Operations Fraud Early Warning Formula Development Risk Modeling Chargeback / Recovery Security Operations Client Account Managers Commercial Cards Visa / MasterCard Associations Discuss the interface between Fraud Policy and other areas. Policy dictates fraud strategies across the bank. They interact with association by receiving potential compromises. Assist with developing formulas through Risk Modeling. Directly involved with the recovery process in Security Operations. FEW executes policy’s strategies. Policy is responsible for methods and procedures pertaining to fraud across the bank. Responsibilities: Fraud Early Warning Account closure Verify transactions w/cardholders Identify and escalate trends for investigations Risk Modeling Identify fraud usages patterns, MCC trends, suspicious merchants Install “priorities” to flag accounts meeting criteria Determine risk to prioritize accounts for FEW analysts Constant review of effectiveness Security Operations Account closure – Electronic negative file/Affidavit or dispute letter from cardholder 2. Fraud investigations – restitution accounts/Field investigators 3. Recovery – chargeback rights Commercial Cards Client Account Mangers Work with clients – identify needs and specific spend patterns Escalate client concerns Associations Identify industry trends Provide tools to track/prevent/identify

15 Citi Fraud Prevention Four strategic approaches to fighting fraud…
Product features, card activation, verification, application process Prevention: Stop it before it even occurs Detection: Find the fraudulent activity and reduce potential exposure Recovery: Seize recovery opportunity through merchant liability Deterrence: Prevent it from happening again Formula development, FEW case review, loss defect analysis Chargebacks, compliance All of the groups we just discussed work to prevent fraud and each has a responsibility in each of the four steps above. Prevention -- -through marketing strategies, activation process which includes bulk activation, security verification process within all departments, application processing Detection- work on formula development with Risk Modeling, operations methods and procedures, review of trending through defect analysis to improve formulas, monitor hit rates Recovery—- within appropriate timeframes chargeback the merchant for any transactions where the card holder was not present, chargeback who did not follow proper authorization procedures. Deterrence—All of the areas- FEW, RM, FP, Sops activate field investigation process, also involving Secret Service, Postal Inspectors leading to prosecution Aggressive field investigation and prosecution effort

16 Citi Fraud Detection Cycle
Merchant initiates transaction Transaction information is checked against credit and fraud criteria/rules If transaction matches fraud criteria, account may be blocked or monitored further Accounts with transactions that meet fraud formula criteria (priorities) are sent for further review Fraud Early Warning (FEW) representatives review current and past account activity to determine risk and attempt to contact cardholder for verification of account activity Initiate transaction by swiping card. Credit and Fraud rules include Merchant Category Code restrictions. We will discuss your options to limit these restrictions in our prevention tips. Blocks may be placed on accounts based on the risk factor of the particular charge or series of charges without initial representative review. Representatives are assigned to review these cases real time.

17 Major Threats Skimming
The entire valid magnetic strip is read or “skimmed” and then reproduced and placed on a counterfeit card Relatively easy to do, yet very difficult to detect Citi efforts focus on identifying points of compromise (locations) and flagging accounts that have frequented those merchants Capture the magnetic strip information through a hand held device that can be purchased from Radio Shack Foreign skimming is a major threat. Cardholder may visit Mexico or Brazil and legitimately use their card for expenses. They come home; however their card information has been compromised and embedded on a plastic—this could be a hotel key. One of the strongest indicators of skimmed counterfeit is domestic and foreign charges simultaneously.

18 Skimming and Other Major Threats
A credit or debit card is handed over to pay for a bill at a restaurant or retail shop. The card is swiped through a legitimate credit machine... The same card is then swiped through a small illegal electronic gadget known as a skimmer. The pager-sized device can "read" and store data from the magnetic strips of up to 200 cards. “So, let’s recap – a credit or debit card is handed over to pay for a bill – either in a restaurant, hotel or shop – it could really happen anywhere. It is swiped through a legitimate till machine…”

19 Skimming and Other Major Threats
The skimmer is given to a counterfeiter who downloads all the information onto a computer and either sends it abroad or runs up a cloned copy of the card. Printing and embosser machines then put the card holder's credit card details onto blank plastic cards. “The device is then given to a counterfeiter (remember – at the factory set-up) where the information is loaded onto a computer, and they begin to run up cloned copies of the cards. They will also send the electronic information abroad to other operatives with similar set-ups.” Another machine is used to create and encode the magnetic strip on the reverse of the card. Lastly an appropriate hologram is affixed to the card. A cloned card is then distributed and out on the streets ready for use.

20 Skimming Device This is an example of an actual card skimming device, look at how small it is.

21 ATM Skimming Device An actual example of “skimming” : Citi security was informed that a skimming device had been found in the door entry system in a 24-hour ATM vestibule It had been attached just above Citi entry device using double-sided sticky tape This fraudster is rigging the card reader to capture the card of the next person to use the machine

22 ATM Skimming Device Here the fraudster pretends to render assistance. What he is in fact trying to do is obtain the customer’s PIN now that he has captured the card.

23 ATM Skimming Device He convinces the customer that he would be able to retrieve his card if he entered his PIN while he holds down both the “cancel” and “enter” buttons.

24 Counterfeiting Internet, mail/telephone order (MOTO) and true manual/altered counterfeit attacks have increased throughout the industry Citi has chargeback protection on the majority of cases The use of CVV2/CVC2 (Card Verification Value) helps unless fraudsters become familiar with its use Perpetrators may have compromised a merchants identification and use this identification to verify valid card numbers and expiration dates. Authorizations for $1 or less are suspected to be points of compromise. Sometimes we identify an altered plastic through a name variance. In other words, the name transmitted through the authorization process does not match our records. We recover the majority of MOTO fraud. To aid in merchant protection, the association has established the use of a card verification value found in the signature strip. With this information the transaction can be changed from a no card present to a card present protecting the merchant’s chargeback rights.

25 Phishing and Spoof E-mail
Don’t get hooked…by “phishing” “Phishing” and “spoofing” are industry terms for disguised to look as if it comes from a legitimate source, such as Citi The information requested from the recipient is typically used for identity theft How to know if is legitimate You should never be asked to verify account information online Most phishing s contain obvious spelling or grammatical errors If you are unsure of any that may have been sent by Citi, forward it to

26 Phishing/Spoofing Never provide account information via an solicitation

27 Phishing/Spoofing Notifications advising of credit balances, especially from foreign countries are a red flag

28 Fraud Prevention Tips Never leave cards in an unlocked desk or cabinet
Do not leave receipts/statements/reports unattended Be aware of your surroundings when providing card information to another person Review your statements/account activity regularly Immediately contact the card provider if you do not recognize activity Avoid letting merchants take your card out of your line of sight if possible Keep your account information current Do not keep PIN with card Change password(s) frequently

29 Fraud Prevention Tips Tips for Program Coordinators
Internal process to receive cards / distribute to cardholders Use employee’s correct verification when submitting applications Never leave new / reissued / canceled cards in an unlocked desk or cabinet Do not leave reports / statements lying around Report potential compromise immediately to Citigroup Assist in educating cardholders that the card is for authorized use only Utilize card restrictions (MCC, Transaction Limits, etc) Report cancelled cards for terminated employees immediately Review slide.

30 Misuse Prevention Tips
Educate cardholders to understand NY State policy in regards to card usage and misuse Utilize merchant category code restrictions Establish transaction limits Eliminate or restrict cash access Set realistic credit limits Use reporting tools to monitor card usage Issue cards based on need, versus title

31 Preventing Misuse and Fraud
Watch for anomalies No property records Photocopied invoices Unusual Number of Disputes Unusual refund activity When the Data is too perfect Missing Documents Unreturned Confirmations Unsupported or Unapproved Adjustments Missing approval signatures Fraud starts small and may not stop after only one action. No matter how small the misuse, it should be addressed immediately to prevent any future occurrences. Case example: transactions over looked in May 2002 ($2,500), fraud caught in April 2003 (still tallying at $125K) The card MUST only be used by the cardholder whose name appears on the card. If the cardholder is not directly involved in the transaction, there is greater risk that fraud will be committed. Cardholders should be able to provide documentation of purchases i.e. invoices, receipts, etc. when requested by the Program Administrator or auditors. Random reviews of cardholder records by the Program Administrator will discourage fraud since cardholders know someone is watching. In many instances the Program Administrator can detect fraud earlier with proper review. Identify the cardholder's duties, what is his/her normal purchase pattern.

32 Potential Fraud Indicators –Employee
Employee is very reluctant to take vacations or even days off Employee works long hours of overtime, often without seeking compensation (extra pay or time off in lieu of overtime) Long-time employee has strong knowledge of NY State’s internal control systems and is able, due to position or relationships, to override or circumvent internal controls Employee is very friendly with other employees, offering gifts or bonuses or travel to encourage cooperation with or "blind eye" to questionable acts Employee berates or uses fear or intimidation to force junior employees to do his or her bidding Common characteristics of the potential “fraudster

33 Potential Fraud Indicators –Employee
Employee becomes excessively angry, defensive or forgetful when questioned about State process, procedures and decisions Life-style of employee exceeds apparent family resources; living standard more lavish than lifestyles of employee’s parents or siblings Employee caught in a lie about State matters, raising questions about truthfulness of other assertions Employee, for certain supplier(s) or client(s) is rumored to be on close personal terms or to be recipient of lavish hospitality or in an intimate relationship Employee expense account is heavily used and higher than for employees with similar responsibilities Common characteristics of the potential “fraudster

34 © 2007 Citigroup Inc. All rights reserved.

Download ppt "Global Transaction Services"

Similar presentations

Ads by Google