Slide 1: Global Transaction Services
Cash Management, Trade Services and Finance, Securities and Fund Services
Information Security and Identity Theft
Tim Sheridan, Vice President, Citibank® Commercial Cards
November 28, 2007
Slide 2: Goal and Objectives
- Provide a broad overview of Citi's fraud and early-warning policies and security operations, including a synopsis of strategies to identify fraud
- Provide a synopsis of strategies to identify information security and fraud issues
- Gain a perspective on phishing, e-mail, identity theft, password security, fraud and misuse management
Speaker notes: We will discuss Citi's Fraud Early Warning. We will define our fraud types to help you understand our strategies. We will discuss our strategies for identifying fraud. We will discuss the difference between fraud and misuse, and we will help you to determine potential misuse by your cardholders.
Slide 3: Agenda
- Safeguarding Passwords
- Identity Theft Statistics and Tools
- Citi Fraud Early Warning
- Fraud Types
- Citi's Fraud Prevention Policy
- Skimming and Other Major Threats
- Prevention Tips
- Fraud Indicators
Slide 4: Safeguarding Your Password
- Passwords are the most common form of protection from unauthorized access
- Change passwords regularly
- Almost half of all online users use the same password for multiple access points
- As an added security benefit, all of Citi's technology tools have an added security measure, multi-factor authentication:
  - First-time sign-on requires entering user ID and password
  - Answer 3 of 5 security questions
  - All subsequent log-ons require answering one of those three questions, chosen at random
- As employees, we are accountable for all activity associated with our user IDs and passwords
(A security question is a second thing you know rather than something you have; it raises the bar against a stolen password but is weaker than a token or one-time code.)
Slide 5: Three Simple Rules to Good Password Management
- Never share passwords
- Change your password every 30 to 60 days
- Use passwords that are difficult to guess, for example: 1Tr&St2!  TrAcY1  IiaRd2d ("It is a Rainy day 2 day")
Slide 6: Something to Think About...
Depending on the complexity of your password, this is the typical time it takes for a hacker to get your password.
[Table of cracking times by password length and complexity]
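The table behind this slide is not in the transcript, so here is a way to produce the same numbers yourself. This is an added example, not material from the presentation: it sizes the keyspace an attacker must brute-force for a given password, converts it to time at an assumed guess rate (one billion guesses per second, a constructed figure; real rates depend on the hash algorithm and hardware), and applies concrete checks behind the rule "use passwords that are difficult to guess". The word list is a constructed stand-in for a real cracking dictionary. Note that two of the slide's own examples are shorter than eight characters, and TrAcY1 is a name plus a digit, which a dictionary attack finds far faster than the brute-force estimate suggests.

```python
import string

# Assumed attacker rate (constructed): one billion guesses per second against a stolen hash.
GUESSES_PER_SECOND = 1_000_000_000

# Constructed short word list standing in for a real cracking dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "tracy", "citi", "rainy"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Characters an attacker must try per position, assuming they know which
    character classes the password draws from."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def brute_force_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Seconds to exhaust the keyspace at `rate`; the expected time to hit a
    specific password is roughly half of this."""
    return charset_size(password) ** len(password) / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def is_difficult_to_guess(password: str, min_length: int = 8, min_classes: int = 3):
    """Concrete checks behind the slide's rule: length, character-class mix,
    and no embedded dictionary word. Returns (ok, list_of_problems)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(1 for cls in CLASSES if any(c in cls for c in password))
    if classes < min_classes:
        problems.append(f"uses only {classes} character class(es)")
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains dictionary word {word!r}")
    return (not problems, problems)


if __name__ == "__main__":
    for pw in ("password", "TrAcY1", "IiaRd2d", "1Tr&St2!", "IiaRd2d-1Tr&St2!"):
        ok, why = is_difficult_to_guess(pw)
        print(f"{pw:18} brute force {humanize(brute_force_seconds(pw)):>14}  "
              f"{'ok' if ok else '; '.join(why)}")
```

Running it shows why the slide pairs "complexity" with time: 1Tr&St2! (94 symbols per position, 8 long) takes about 70 days to exhaust at the assumed rate, while adding one more character multiplies that by 94 again.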
Slide 7: Ways in Which Identity Can Be Stolen
- Stealing records
- Bribing employees
- Hacking
- Trash/dumpster diving
- Credit reports
- Skimming
- Theft of wallet/purse
- Change-of-address forms
- Phishing
Slide 8: Identity Theft Statistics
- Over 9 million Americans have their identity stolen each year
- Industry-wide: 686,683 consumer complaints of fraud and identity theft
- Average loss per victim of identity theft is $4,800, and it takes 30+ hours to fix the credit report
- The Federal Trade Commission's website is a great resource for tips on how to protect yourself as well as what to do should you be a victim
Slide 9: Causes of Known Identity Theft... You are the first line of defense
Offline: 68.2%   Online: 11.6%
A 2006 study shows that consumers' preventative measures can affect the majority of fraud cases.
Speaker notes: To perpetrate a fraud, the criminal first has to access the consumer's private information. This is referred to as an "information breach." Of the cases where the source of the information breach was known, 63% were initiated by breaches of information that were within the consumer's control. These fell into four major categories: 30% lost or stolen wallets, credit/debit cards and checkbooks; 15% trusted associates, i.e., friends, family, in-home employees and neighbors; 9% stolen mail or garbage; and 9% home computers (hacking, viruses and phishing). Fraud amounts from these cases encompass 73% of the total fraud amount, or $41.5 billion. Businesses as a source of information breach account for 30% of cases: data breaches (6%), fraudulent transaction processing (7%) and employee malfeasance (15%).
Slide 10: Identity Theft Tools
- Utilize the Federal Trade Commission: 1-877-FTC-HELP
- The FTC requires businesses to develop and implement appropriate safeguards, including a written information security plan, to protect cardholder information
- This should be utilized as a "best practice" for colleges and universities to protect staff and students
Credit Bureau Agencies
- Review your credit report; one free report is available annually
- All three bureaus provide a free credit report once an individual has reported fraud
- Credit bureaus will not release your credit history without your approval for 90 days after the report of fraud
Slide 11: Citi Fraud Early Warning
Identify:
- Lost/stolen
- Never received reissued or new card
- Altered
Monitor transactions
Reduce fraud losses
Detect unusual behavior in the early stages of fraud while minimizing impact to our cardholders
Speaker notes: FEW reviews indicators to determine specific fraud losses. This is done through formula development by our Risk Modeling group, reviewing existing fraud trends and patterns found in other portfolios.
Slide 12: "Misuse" and "Fraud" Defined
Misuse: The cardholder uses his/her own card for transactions not permitted by NY State policy
Fraud: A person or entity other than the cardholder makes transactions using the cardholder's account
Speaker notes: If the card member authorized the transactions and later denies them, we consider this misuse. Later we will discuss how to help you identify misuse within your university. If the card member did not authorize the charges, we consider these transactions fraud.
Slide 13: Fraud Types and Definitions
NRI: Never received reissued or new card
Lost: Cardholder misplaces / loses card
Stolen: Cardholder is victim of theft
Altered / Counterfeit: Cardholder is in possession of the card; a copy has been made and used by the criminal (manual alteration vs. skimming)
Account Takeover: Fraudster is able to assume / obtain personal information in order to request an additional card
Slide 14: Fraud Prevention Interfaces
Diagram: Fraud Policy / Fraud Management (tactical and strategic solutions; prioritization and operations) interfaces with Fraud Early Warning, Formula Development / Risk Modeling, Chargeback / Recovery (Security Operations), Commercial Cards Client Account Managers, and the Visa / MasterCard Associations.
Speaker notes: Discuss the interface between Fraud Policy and the other areas. Policy dictates fraud strategies across the bank. It interacts with the associations by receiving notice of potential compromises, assists with developing formulas through Risk Modeling, and is directly involved with the recovery process in Security Operations. FEW executes Policy's strategies. Policy is responsible for methods and procedures pertaining to fraud across the bank.
Responsibilities:
- Fraud Early Warning: account closure; verify transactions with cardholders; identify and escalate trends for investigation
- Risk Modeling: identify fraud usage patterns, MCC trends and suspicious merchants; install "priorities" to flag accounts meeting criteria; determine risk to prioritize accounts for FEW analysts; constant review of effectiveness
- Security Operations: 1. account closure (electronic negative file; affidavit or dispute letter from cardholder); 2. fraud investigations (restitution accounts; field investigators); 3. recovery (chargeback rights)
- Commercial Cards Client Account Managers: work with clients to identify needs and specific spend patterns; escalate client concerns
- Associations: identify industry trends; provide tools to track, prevent and identify fraud
Slide 15: Citi Fraud Prevention
Four strategic approaches to fighting fraud:
- Prevention: Stop it before it even occurs (product features, card activation, verification, application process)
- Detection: Find the fraudulent activity and reduce potential exposure (formula development, FEW case review, loss defect analysis)
- Recovery: Seize the recovery opportunity through merchant liability (chargebacks, compliance)
- Deterrence: Prevent it from happening again (aggressive field investigation and prosecution effort)
Speaker notes: All of the groups we just discussed work to prevent fraud, and each has a responsibility in each of the four steps above. Prevention: marketing strategies, the activation process (including bulk activation), the security verification process within all departments, and application processing. Detection: formula development with Risk Modeling, operations methods and procedures, review of trends through defect analysis to improve formulas, and monitoring of hit rates. Recovery: within the appropriate timeframes, charge back the merchant for any transaction where the cardholder was not present, and charge back merchants who did not follow proper authorization procedures. Deterrence: all of the areas (FEW, Risk Modeling, Fraud Policy, Security Operations) activate the field investigation process, also involving the Secret Service and Postal Inspectors, leading to prosecution.
Slide 16: Citi Fraud Detection Cycle
1. The merchant initiates the transaction
2. The transaction information is checked against credit and fraud criteria/rules
3. If the transaction matches fraud criteria, the account may be blocked or monitored further
4. Accounts with transactions that meet fraud formula criteria ("priorities") are sent for further review
5. Fraud Early Warning (FEW) representatives review current and past account activity to determine risk and attempt to contact the cardholder to verify the account activity
Speaker notes: The transaction is initiated by swiping the card. Credit and fraud rules include Merchant Category Code restrictions; we will discuss your options for setting these restrictions in our prevention tips. Blocks may be placed on accounts based on the risk factor of a particular charge or series of charges without initial representative review; representatives are assigned to review these cases in real time.
Slide 17: Major Threats: Skimming
- The entire valid magnetic stripe is read, or "skimmed", then reproduced and placed on a counterfeit card
- Relatively easy to do, yet very difficult to detect
- Citi's efforts focus on identifying points of compromise (locations) and flagging accounts that have frequented those merchants
Speaker notes: The magnetic stripe information is captured with a hand-held device that can be purchased from Radio Shack. Foreign skimming is a major threat: a cardholder may visit Mexico or Brazil and legitimately use the card for expenses; they come home, but the card information has been compromised and encoded onto another piece of plastic, which could even be a hotel key card. One of the strongest indicators of skimmed counterfeit is domestic and foreign charges occurring at the same time.
Slide 18: Skimming and Other Major Threats
- A credit or debit card is handed over to pay a bill at a restaurant or retail shop.
- The card is swiped through a legitimate credit machine...
- The same card is then swiped through a small illegal electronic gadget known as a skimmer. The pager-sized device can "read" and store data from the magnetic stripes of up to 200 cards.
Speaker notes: "So, let's recap: a credit or debit card is handed over to pay for a bill, whether in a restaurant, hotel or shop; it could really happen anywhere. It is swiped through a legitimate till machine..."
Slide 19: Skimming and Other Major Threats
- The skimmer is given to a counterfeiter, who downloads all the information onto a computer and either sends it abroad or runs up cloned copies of the card.
- Printing and embossing machines then put the cardholder's credit card details onto blank plastic cards.
Speaker notes: "The device is then given to a counterfeiter (remember the factory set-up), where the information is loaded onto a computer, and they begin to run up cloned copies of the cards. They will also send the electronic information abroad to other operatives with similar set-ups." Another machine is used to create and encode the magnetic stripe on the reverse of the card. Lastly an appropriate hologram is affixed to the card. A cloned card is then distributed and out on the streets ready for use.
Slide 20: Skimming Device
[Photo of a card skimming device] This is an example of an actual card skimming device; look at how small it is.
Slide 21: ATM Skimming Device
An actual example of skimming:
- Citi security was informed that a skimming device had been found in the door entry system of a 24-hour ATM vestibule
- It had been attached just above the Citi entry device using double-sided sticky tape
[Photo] This fraudster is rigging the card reader to capture the card of the next person to use the machine.
Slide 22: ATM Skimming Device
[Photo] Here the fraudster pretends to render assistance. What he is in fact trying to do is obtain the customer's PIN now that he has captured the card.
Slide 23: ATM Skimming Device
[Photo] He convinces the customer that he would be able to retrieve his card if he entered his PIN while the fraudster holds down both the "cancel" and "enter" buttons.
Slide 24: Counterfeiting
- Internet, mail/telephone order (MOTO) and true manual/altered counterfeit attacks have increased throughout the industry
- Citi has chargeback protection on the majority of cases
- The use of CVV2/CVC2 (Card Verification Value) helps, unless fraudsters become familiar with its use
Speaker notes: Perpetrators may have compromised a merchant's identification and use it to verify valid card numbers and expiration dates; authorizations for $1 or less are suspected to be points of compromise. Sometimes we identify an altered plastic through a name variance: the name transmitted through the authorization process does not match our records. We recover the majority of MOTO fraud. To aid in merchant protection, the association has established the use of a card verification value printed on the signature strip. With this information the transaction can be changed from card-not-present to card-present, protecting the merchant's chargeback rights.
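The detection cycle (slide 16), the skimming indicator (slide 17) and the counterfeiting indicators above describe rules that turn an authorization stream into "priorities" for FEW review. The following is an added example, not Citi's formula or code, showing three of those rules run over a constructed authorization stream: a $1-or-less authorization followed by a real purchase at a different merchant (card testing through a compromised merchant ID), domestic and foreign charges close together in time, and a transmitted cardholder name that differs from the name on file. The account identifiers, names, merchants, time windows and indicator weights are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Auth:
    account: str    # masked account identifier (constructed)
    ts: datetime    # authorization time
    amount: float   # authorized amount in USD
    merchant: str
    country: str    # merchant country code
    name: str       # cardholder name as transmitted with the authorization


# Constructed name-on-file table and authorization stream for one morning.
CARDHOLDERS = {"4111-01": "JANE Q DOE", "4111-02": "JOHN SMITH", "4111-03": "ANA RUIZ"}
T0 = datetime(2007, 11, 28, 8, 0)
AUTHS = [
    Auth("4111-01", T0,                            0.50, "WEBSTORE-VERIFY",  "US", "JANE Q DOE"),
    Auth("4111-01", T0 + timedelta(minutes=40),  180.00, "ELECTRONICS MART", "US", "JANE Q DOE"),
    Auth("4111-01", T0 + timedelta(minutes=70),  420.00, "HOTEL COPACABANA", "BR", "JANE Q DOE"),
    Auth("4111-02", T0 + timedelta(hours=2),      32.00, "CAMPUS CAFE",      "US", "JOHN SMITH"),
    Auth("4111-02", T0 + timedelta(hours=4),      55.00, "BOOKSTORE",        "US", "JONATHAN SMITH"),
    Auth("4111-03", T0 + timedelta(hours=3),      12.00, "OFFICE SUPPLY",    "US", "ANA RUIZ"),
]

# Assumed indicator weights; a real priority formula is tuned by risk modelling.
WEIGHTS = {"domestic_foreign_overlap": 50, "card_testing": 40, "name_variance": 30}


def by_account(auths):
    """Group authorizations per account, oldest first."""
    groups = defaultdict(list)
    for a in auths:
        groups[a.account].append(a)
    for rows in groups.values():
        rows.sort(key=lambda r: r.ts)
    return groups


def _first_pair(rows, window, match):
    """First (earlier, later) pair within `window` for which match() holds, else None."""
    for i, a in enumerate(rows):
        for b in rows[i + 1:]:
            if b.ts - a.ts > window:
                break
            if match(a, b):
                return a, b
    return None


def find_card_testing(auths, probe_max=1.00, window=timedelta(hours=24)):
    """A $1-or-less authorization followed by a real purchase elsewhere."""
    hits = []
    for acct, rows in by_account(auths).items():
        pair = _first_pair(rows, window,
                           lambda a, b: a.amount <= probe_max < b.amount and a.merchant != b.merchant)
        if pair:
            a, b = pair
            hits.append((acct, "card_testing",
                         f"${a.amount:.2f} at {a.merchant}, then ${b.amount:.2f} at {b.merchant}"))
    return hits


def find_domestic_foreign_overlap(auths, home="US", window=timedelta(hours=6)):
    """Domestic and foreign charges close together: the skimmed-counterfeit indicator."""
    hits = []
    for acct, rows in by_account(auths).items():
        pair = _first_pair(rows, window, lambda a, b: (a.country == home) != (b.country == home))
        if pair:
            a, b = pair
            hits.append((acct, "domestic_foreign_overlap",
                         f"{a.country} {a.merchant} and {b.country} {b.merchant} {b.ts - a.ts} apart"))
    return hits


def normalize_name(name):
    return " ".join(name.upper().replace(".", "").split())


def find_name_variance(auths, cardholders):
    """Name transmitted in the authorization does not match the name on file."""
    hits = []
    for acct, rows in by_account(auths).items():
        on_file = cardholders.get(acct)
        for a in rows:
            if on_file and normalize_name(a.name) != normalize_name(on_file):
                hits.append((acct, "name_variance", f"{a.name!r} transmitted, {on_file!r} on file"))
                break
    return hits


def prioritize(auths, cardholders):
    """Score each account by the indicators it matches; these are the 'priorities'."""
    scores = {}
    for acct, kind, detail in (find_card_testing(auths)
                               + find_domestic_foreign_overlap(auths)
                               + find_name_variance(auths, cardholders)):
        entry = scores.setdefault(acct, {"score": 0, "indicators": []})
        entry["score"] += WEIGHTS[kind]
        entry["indicators"].append(f"{kind}: {detail}")
    return scores


def few_queue(scores, threshold=50):
    """Accounts at or above the threshold, highest score first, for analyst review."""
    return sorted((a for a, s in scores.items() if s["score"] >= threshold),
                  key=lambda a: -scores[a]["score"])


if __name__ == "__main__":
    scores = prioritize(AUTHS, CARDHOLDERS)
    for acct in few_queue(scores):
        print(acct, scores[acct]["score"], *scores[acct]["indicators"], sep="\n  ")
```

On the constructed data, account 4111-01 matches both the card-testing and the domestic/foreign rules and is queued; 4111-02 shows only a name variance (JONATHAN vs. JOHN), which on its own stays below the threshold, matching the slide's point that a name variance is a hint rather than proof. Each rule reports at most once per account so that a single burst of activity does not inflate the score.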
Slide 25: Phishing and Spoof E-mail
Don't get hooked... by "phishing"
- "Phishing" and "spoofing" are industry terms for e-mail disguised to look as if it comes from a legitimate source, such as Citi
- The information requested from the recipient is typically used for identity theft
How to know if an e-mail is legitimate:
- You should never be asked to verify account information online
- Most phishing e-mails contain obvious spelling or grammatical errors (the absence of errors is not proof that a message is genuine)
- If you are unsure of any e-mail that may have been sent by Citi, forward it to
Slide 26: Phishing/Spoofing
Never provide account information in response to an e-mail solicitation.
Slide 27: Phishing/Spoofing
Notifications advising of credit balances, especially from foreign countries, are a red flag.
Slide 28: Fraud Prevention Tips
- Never leave cards in an unlocked desk or cabinet
- Do not leave receipts, statements or reports unattended
- Be aware of your surroundings when providing card information to another person
- Review your statements and account activity regularly
- Immediately contact the card provider if you do not recognize activity
- Avoid letting merchants take your card out of your line of sight if possible
- Keep your account information current
- Do not keep your PIN with the card
- Change password(s) frequently
Slide 29: Fraud Prevention Tips for Program Coordinators
- Have an internal process to receive cards and distribute them to cardholders
- Use the employee's correct verification information when submitting applications
- Never leave new, reissued or cancelled cards in an unlocked desk or cabinet
- Do not leave reports or statements lying around
- Report potential compromise immediately to Citigroup
- Help educate cardholders that the card is for authorized use only
- Utilize card restrictions (MCC, transaction limits, etc.)
- Report terminated employees immediately so that their cards are cancelled
Speaker notes: Review slide.
Slide 30: Misuse Prevention Tips
- Educate cardholders to understand NY State policy in regard to card usage and misuse
- Utilize merchant category code restrictions
- Establish transaction limits
- Eliminate or restrict cash access
- Set realistic credit limits
- Use reporting tools to monitor card usage
- Issue cards based on need, not title
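The four controls named above (MCC restrictions, transaction limits, cash access, realistic credit limits) are authorization-time rules, the same credit and fraud rules the detection cycle on slide 16 says are checked before a transaction is approved. Here is an added example, not Citi's code, of how those controls are applied to one card and then summarized for the coordinator's reporting tools. The card profile, amounts and limits are constructed; the MCC values are standard Visa/MasterCard category codes, with the descriptions abbreviated.

```python
from dataclasses import dataclass, field

# Standard merchant category codes used below (descriptions abbreviated).
MCC = {
    5411: "grocery stores",
    5812: "eating places and restaurants",
    5943: "stationery and office supply stores",
    6011: "automated cash disbursements (ATM)",
    7995: "betting and casino gambling",
}
CASH_MCCS = {6010, 6011}  # manual and automated cash disbursement


@dataclass
class CardControls:
    """Restrictions a program coordinator sets on one card (constructed example)."""
    cardholder: str
    credit_limit: float            # realistic cycle limit, sized to need rather than title
    single_txn_limit: float        # per-transaction ceiling
    blocked_mccs: set = field(default_factory=set)
    cash_access: bool = False      # cash eliminated unless explicitly enabled
    cycle_spend: float = 0.0
    log: list = field(default_factory=list)


def authorize(card, mcc, amount):
    """Apply the card's controls in order and log the outcome. Returns (decision, reason)."""
    if mcc in card.blocked_mccs:
        result = ("decline", f"MCC {mcc} ({MCC.get(mcc, 'unknown')}) restricted")
    elif mcc in CASH_MCCS and not card.cash_access:
        result = ("decline", "cash access not enabled")
    elif amount > card.single_txn_limit:
        result = ("decline", f"exceeds single transaction limit {card.single_txn_limit:.2f}")
    elif card.cycle_spend + amount > card.credit_limit:
        result = ("decline", f"would exceed credit limit {card.credit_limit:.2f}")
    else:
        card.cycle_spend += amount
        result = ("approve", "")
    card.log.append((mcc, amount) + result)
    return result


def usage_report(cards):
    """Per-cardholder view for the coordinator: spend against limit and declines by
    reason. Repeated declines against one restriction are the early misuse signal
    worth raising with the cardholder."""
    report = {}
    for c in cards:
        declines = {}
        for _mcc, _amount, outcome, reason in c.log:
            if outcome == "decline":
                declines[reason] = declines.get(reason, 0) + 1
        report[c.cardholder] = {
            "spend": round(c.cycle_spend, 2),
            "limit_used_pct": round(100 * c.cycle_spend / c.credit_limit, 1),
            "declines": declines,
        }
    return report


if __name__ == "__main__":
    card = CardControls("J. DOE", credit_limit=2000.0, single_txn_limit=500.0, blocked_mccs={7995})
    for mcc, amount in [(5812, 45.0), (7995, 20.0), (6011, 100.0),
                        (5943, 800.0), (5943, 450.0), (5411, 1600.0)]:
        print(mcc, f"{amount:8.2f}", *authorize(card, mcc, amount))
    print(usage_report([card]))
```

The order of the checks matters for the report: a blocked category is reported as a category decline even when the amount would also have exceeded a limit, so the coordinator sees which restriction the cardholder actually ran into.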
Slide 31: Preventing Misuse and Fraud
Watch for anomalies:
- No property records
- Photocopied invoices
- Unusual number of disputes
- Unusual refund activity
- When the data is too perfect
- Missing documents
- Unreturned confirmations
- Unsupported or unapproved adjustments
- Missing approval signatures
Speaker notes: Fraud starts small and may not stop after only one action. No matter how small the misuse, it should be addressed immediately to prevent any future occurrences. Case example: transactions overlooked in May 2002 ($2,500); fraud caught in April 2003 (still tallying, at $125K). The card MUST only be used by the cardholder whose name appears on the card. If the cardholder is not directly involved in the transaction, there is greater risk that fraud will be committed. Cardholders should be able to provide documentation of purchases (invoices, receipts, etc.) when requested by the Program Administrator or auditors. Random reviews of cardholder records by the Program Administrator will discourage fraud, since cardholders know someone is watching. In many instances the Program Administrator can detect fraud earlier with proper review. Identify the cardholder's duties and his/her normal purchase pattern.
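The anomaly list above is what a Program Administrator looks for in cardholder records after the fact, as distinct from the authorization-time controls. The following is an added example, not part of the presentation, that runs those checks over a constructed statement extract: photocopied or missing invoices, missing approval signatures, unreturned confirmations, dispute and refund counts that are unusual relative to peers (defined here as more than twice the peer median), and "too perfect" data, taken here to mean a cardholder whose amounts are almost all whole dollars. It also draws the random review sample the speaker notes recommend. The cardholders, approvers and amounts are constructed.

```python
import random
from dataclasses import dataclass
from statistics import median


@dataclass
class Record:
    cardholder: str
    amount: float
    invoice: str               # "original", "photocopy", or "" when missing
    approved_by: str           # approver, or "" when the approval signature is missing
    confirmation_returned: bool
    refund: bool = False
    disputed: bool = False


# Constructed statement extract for three cardholders.
RECORDS = [
    Record("A. LEE",     42.17, "original",  "mgr1", True),
    Record("A. LEE",    133.90, "original",  "mgr1", True),
    Record("A. LEE",     18.25, "original",  "mgr1", True, refund=True),
    Record("B. OKAFOR", 200.00, "photocopy", "",     False),
    Record("B. OKAFOR", 500.00, "photocopy", "",     False),
    Record("B. OKAFOR", 300.00, "",          "",     False, disputed=True),
    Record("B. OKAFOR", 400.00, "",          "mgr2", False, disputed=True),
    Record("B. OKAFOR", 100.00, "",          "",     False, refund=True),
    Record("C. PATEL",   76.40, "original",  "mgr2", True),
    Record("C. PATEL",  210.05, "original",  "mgr2", True),
]


def review(records, whole_dollar_share=0.8, peer_multiplier=2.0):
    """Flag each cardholder against the slide's anomaly list. Returns {cardholder: [flags]}."""
    by_holder = {}
    for r in records:
        by_holder.setdefault(r.cardholder, []).append(r)
    disputes = {h: sum(r.disputed for r in rs) for h, rs in by_holder.items()}
    refunds = {h: sum(r.refund for r in rs) for h, rs in by_holder.items()}
    # "Unusual" relative to peers: more than peer_multiplier times the median, and at least 2.
    dispute_bar = max(1, peer_multiplier * median(disputes.values()))
    refund_bar = max(1, peer_multiplier * median(refunds.values()))
    findings = {}
    for h, rs in by_holder.items():
        flags = []
        if any(r.invoice == "photocopy" for r in rs):
            flags.append("photocopied invoices")
        if any(r.invoice == "" for r in rs):
            flags.append("missing documents")
        if any(r.approved_by == "" for r in rs):
            flags.append("missing approval signatures")
        if any(not r.confirmation_returned for r in rs):
            flags.append("unreturned confirmations")
        if disputes[h] > dispute_bar:
            flags.append(f"unusual number of disputes ({disputes[h]})")
        if refunds[h] > refund_bar:
            flags.append(f"unusual refund activity ({refunds[h]})")
        whole = sum(r.amount == int(r.amount) for r in rs)
        if len(rs) >= 3 and whole / len(rs) >= whole_dollar_share:
            flags.append("amounts too perfect (whole dollars)")
        findings[h] = flags
    return findings


def pick_for_random_review(findings, k, seed=None):
    """Random selection of cardholders for a documentation review, independent of
    any flags, so every cardholder knows a review may come at any time."""
    return sorted(random.Random(seed).sample(sorted(findings), k))


if __name__ == "__main__":
    results = review(RECORDS)
    for holder, flags in results.items():
        print(holder, flags or "no anomalies")
    print("random review:", pick_for_random_review(results, 2, seed=1))
```

The peer comparison is what makes "unusual" concrete: one refund is normal in this extract, so A. LEE is not flagged for it, while two disputes against a peer median of zero is. The random sample is deliberately drawn without regard to the flags.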
Slide 32: Potential Fraud Indicators: Employee
Common characteristics of the potential "fraudster":
- Employee is very reluctant to take vacations or even days off
- Employee works long hours of overtime, often without seeking compensation (extra pay or time off in lieu of overtime)
- Long-time employee has strong knowledge of NY State's internal control systems and is able, due to position or relationships, to override or circumvent internal controls
- Employee is very friendly with other employees, offering gifts, bonuses or travel to encourage cooperation with, or a "blind eye" to, questionable acts
- Employee berates or uses fear or intimidation to force junior employees to do his or her bidding
Slide 33: Potential Fraud Indicators: Employee
Common characteristics of the potential "fraudster":
- Employee becomes excessively angry, defensive or forgetful when questioned about State processes, procedures and decisions
- Employee's lifestyle exceeds apparent family resources; living standard more lavish than the lifestyles of the employee's parents or siblings
- Employee is caught in a lie about State matters, raising questions about the truthfulness of other assertions
- Employee is rumored to be on close personal terms with certain supplier(s) or client(s), to be the recipient of lavish hospitality, or to be in an intimate relationship with them
- Employee's expense account is heavily used and higher than for employees with similar responsibilities