Page 1: Information Security and Identity Theft Tim Sheridan Vice President Citibank ® Commercial Cards November 28, 2007 Global Transaction Services Cash ManagementTrade

Information Security and Identity Theft

Tim Sheridan

Vice President, Citibank® Commercial Cards

November 28, 2007

Global Transaction Services: Cash Management, Trade Services and Finance, Securities and Fund Services

Page 2

Goal and Objectives

Provide a broad overview of Citi’s fraud and early warning policies and security operations, including a synopsis of strategies to identify fraud

Provide a synopsis of strategies to identify information security and fraud issues

Gain a perspective on phishing, e-mail, identity theft, password security, fraud and misuse management

Page 3

Agenda

Safeguarding Passwords

Identity Theft Statistics and Tools

Citi Fraud Early Warning

Fraud Types

Citi’s Fraud Prevention Policy

Skimming and Other Major Threats

Prevention Tips

Fraud Indicators

Page 4

Safeguarding Your Password

Passwords are the most common form of protection from unauthorized access

Change passwords regularly

Almost half of all online users utilize the same password for multiple access points

As an added security benefit, all of Citi’s technology tools have an added security measure: Multi-Factor Authentication

– First time sign-on requires entering user ID and password

– Answer 3 of 5 security questions

– All subsequent log ons require responding to one of the three random questions

Page 5

Three Simple Rules to Good Password Management

Never share passwords

Change password every 30 – 60 days

Use passwords that are difficult to guess

– 1Tr&St2!

– TrAcY1

– IiaRd2d (It is a Rainy day 2 day)

Page 6

Something to Think About…..

Six characters                                                 Example   Combinations       Days to try all
All numbers                                                    123456    1,000,000          58
All letters                                                    abcdef    309,000,000        17,882
Numbers & letters                                              1a2b3c    2,180,000,000      126,157
Numbers, letters and special characters                        1a#2b$    3,520,000,000      203,704
Lower and upper case letters                                   ABcDeF    19,600,000,000     1,134,259
Lower and upper case letters and numbers                       AB1dE2    56,800,000,000     3,287,037
Lower and upper case letters, numbers and special characters   AB1#cD    690,000,000,000    39,930,556
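The arithmetic behind this table, as an added example that is not part of the slide deck: the alphabet sizes are assumed (the slide does not state them), and the guess rate of 0.2 per second is inferred from the slide's own "1,000,000 combinations in 58 days" row. The code also runs the same rows at an assumed offline rate of one billion guesses per second, which is the case that matters once a password hash has been stolen rather than guessed through a login page.

```python
"""Keyspace arithmetic behind the 'Something to Think About' table.
Added example, not from the slide deck: alphabet sizes are assumed and the
guess rate is inferred from the slide's "1,000,000 combinations in 58 days" row
(about 17,280 guesses per day, i.e. 0.2 guesses per second)."""
import string

# Assumed character classes.
CLASSES = {
    "digits": string.digits,            # 10
    "lower": string.ascii_lowercase,    # 26
    "upper": string.ascii_uppercase,    # 26
    "special": string.punctuation,      # 32 printable ASCII symbols
}
SLIDE_RATE_PER_SEC = 0.2     # implied by the slide's "58 days" row
OFFLINE_RATE_PER_SEC = 1e9   # assumed rate for an offline attack on a stolen hash

def keyspace(classes, length=6):
    """Number of passwords of `length` drawn from the union of the named classes."""
    alphabet = set()
    for name in classes:
        alphabet.update(CLASSES[name])
    return len(alphabet) ** length

def days_to_exhaust(space, rate_per_sec=SLIDE_RATE_PER_SEC):
    """Days needed to try every password in `space` at a constant guess rate."""
    return space / (rate_per_sec * 86400)

ROWS = [
    ("All numbers", ["digits"]),
    ("All letters", ["lower"]),
    ("Numbers & letters", ["digits", "lower"]),
    ("Lower and upper case letters", ["lower", "upper"]),
    ("Lower, upper and numbers", ["lower", "upper", "digits"]),
    ("Lower, upper, numbers and special", ["lower", "upper", "digits", "special"]),
]

def build_table(length=6, rate_per_sec=SLIDE_RATE_PER_SEC):
    """(label, combinations, days) rows like the slide's table, at the given rate."""
    return [(label, keyspace(cl, length), days_to_exhaust(keyspace(cl, length), rate_per_sec))
            for label, cl in ROWS]

if __name__ == "__main__":
    for rate in (SLIDE_RATE_PER_SEC, OFFLINE_RATE_PER_SEC):
        print(f"--- {rate:g} guesses per second ---")
        for label, space, days in build_table(rate_per_sec=rate):
            print(f"{label:36s} {space:>18,d} {days:>16,.2f} days")
```

At the slide's rate the mixed-case alphanumeric row reproduces the 3.29 million days shown; at the offline rate every six-character row finishes in well under a day, which is why length matters more than the character mix.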

Page 7

Ways in Which Identity Can Be Stolen

Stealing records

Bribing employees

Hacking

Trash/Dumpster Diving

Credit Reports

Skimming

Theft of wallet/purse

Change of Address forms

Phishing

Page 8

Identity Theft Statistics

Over 9 million Americans have their identity stolen each year

Industry wide – 686,683 consumer complaints on fraud and identity theft

Average loss per victim of identity theft is $4,800 and requires 30+ hours to fix credit report

The Federal Trade Commission’s website is a great resource for tips on how to protect yourself as well as what to do should you be a victim

www.FTC.gov

Page 9

Causes Of Known Identity Theft

[Bar chart: percentage of known identity theft cases (0 to 30% axis) by cause: lost or stolen wallet, checkbook or credit card; friends, acquaintances, relatives; accessed as offline transaction; corrupt employee; stolen paper mail; taken from garbage; computer spyware; accessed as part of online transaction; computer virus/hacker; phishing]

Offline 68.2%, Online 11.6%

… You are the first line of defense

Page 10

Identity Theft Tools

Utilize the Federal Trade Commission

– www.FTC.gov

– 1-877-FTC-HELP

– FTC requires businesses to develop and implement appropriate safeguards – including a written information security plan – to protect cardholder information

• This should be utilized as a “best practice” for colleges and universities to protect staff and students

Credit Bureau Agencies

– Review your credit report – one free report available annually

– All three bureaus provide free credit report once an individual has reported fraud

– Credit bureaus will not release your credit history without your approval for 90 days after the report of fraud

Page 11

Citi Fraud Early Warning

Identify

– Lost/stolen

– Never received reissued or new card

– Altered

Monitor transactions

Reduce fraud losses

Detect unusual behavior in early stages of fraud while minimizing impact to our cardholders

Page 12

“Misuse” and “Fraud” Defined

Misuse

– Cardholder uses his/her own card for transactions not permitted by NY State policy

Fraud

– A person or entity other than the cardholder makes transactions using the cardholder’s account

Page 13

Fraud Types

Definitions

NRI: Never received reissued or new card

Lost: Cardholder misplaces / loses card

Stolen: Cardholder is victim of theft

Altered/Counterfeit: Cardholder is in possession of card; a copy has been made and used by the criminal. Manual vs. Skimming

Account Takeover: Fraudster is able to assume / obtain personal information in order to request an additional card

Page 14

Fraud Prevention

Interfaces

Fraud Policy / Fraud Management

Tactical / Strategic Solutions

Prioritization / Operations

Fraud Early Warning

Formula Development

Risk Modeling

Chargeback / Recovery

Security Operations

Client Account Managers

Commercial Cards

Visa / MasterCard Associations

Page 15

Citi Fraud Prevention

Four strategic approaches to fighting fraud…

Prevention: Stop it before it even occurs (product features, card activation, verification, application process)

Detection: Find the fraudulent activity and reduce potential exposure (formula development, FEW case review, loss defect analysis)

Recovery: Seize recovery opportunity through merchant liability (chargebacks, compliance)

Deterrence: Prevent it from happening again (aggressive field investigation and prosecution effort)

Page 16

Citi Fraud Detection Cycle

Merchant initiates transaction

Transaction information is checked against credit and fraud criteria/rules

If transaction matches fraud criteria, account may be blocked or monitored further

Accounts with transactions that meet fraud formula criteria (priorities) are sent for further review

Fraud Early Warning (FEW) representatives review current and past account activity to determine risk and attempt to contact cardholder for verification of account activity

Page 17

Major Threats

Skimming

The entire valid magnetic strip is read or “skimmed” and then reproduced and placed on a counterfeit card

Relatively easy to do, yet very difficult to detect

Citi efforts focus on identifying points of compromise (locations) and flagging accounts that have frequented those merchants
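The detection cycle on slide 16 (transactions checked against fraud criteria, matching accounts sent for Fraud Early Warning review) together with the point-of-compromise flagging described here, as an added example that is not Citi's code: the rule names, thresholds, merchant identifiers and transactions are all constructed for illustration.

```python
"""Rule-based fraud triage in the spirit of the Citi Fraud Detection Cycle.
Added example, not Citi's code: rules, thresholds and sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Txn:
    account: str
    merchant: str
    amount: float
    country: str
    when: datetime

def fraud_criteria(txn, history):
    """Names of the (assumed) rules `txn` triggers; `history` holds the
    account's earlier transactions in time order."""
    hits = []
    if txn.country != "US":
        hits.append("foreign-country")
    if txn.amount >= 2000:
        hits.append("high-value")
    recent = [h for h in history if txn.when - h.when <= timedelta(minutes=10)]
    if len(recent) >= 2:  # third transaction inside ten minutes
        hits.append("velocity")
    return hits

def triage(txns, compromised_merchants):
    """Replay transactions in time order; return {account: set(reasons)}
    for the accounts that should go to Fraud Early Warning review."""
    history = defaultdict(list)
    queue = {}
    for t in sorted(txns, key=lambda t: t.when):
        reasons = fraud_criteria(t, history[t.account])
        if reasons:
            queue.setdefault(t.account, set()).update(reasons)
        history[t.account].append(t)
    # Point-of-compromise pass: any account that frequented a compromised merchant.
    for acct, hist in history.items():
        if any(h.merchant in compromised_merchants for h in hist):
            queue.setdefault(acct, set()).add("point-of-compromise")
    return queue

# Constructed sample data; M-PETROL-7 plays a merchant identified as a point of compromise.
T0 = datetime(2007, 11, 28, 9, 0)
COMPROMISED = {"M-PETROL-7"}
SAMPLE = [
    Txn("A1", "M-GROCER-1", 42.10, "US", T0),
    Txn("A1", "M-PETROL-7", 60.00, "US", T0 + timedelta(days=1)),
    Txn("A2", "M-ELEC-3", 2450.00, "US", T0 + timedelta(hours=2)),
    Txn("A3", "M-SHOP-9", 15.00, "GB", T0 + timedelta(hours=3)),
    Txn("A3", "M-SHOP-9", 19.00, "GB", T0 + timedelta(hours=3, minutes=2)),
    Txn("A3", "M-SHOP-9", 22.00, "GB", T0 + timedelta(hours=3, minutes=4)),
]
```

Running `triage(SAMPLE, COMPROMISED)` queues A1 only because of the compromised merchant, A2 for the high-value rule, and A3 for both the foreign-country and velocity rules; an analyst then reviews the account history and contacts the cardholder, as the slide describes.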

Page 18

Skimming and Other Major Threats

A credit or debit card is handed over to pay for a bill at a restaurant or retail shop.

The card is swiped through a legitimate credit machine...

The same card is then swiped through a small illegal electronic gadget known as a skimmer. The pager-sized device can "read" and store data from the magnetic strips of up to 200 cards.

Page 19

Skimming and Other Major Threats

The skimmer is given to a counterfeiter who downloads all the information onto a computer and either sends it abroad or runs up a cloned copy of the card.

Printing and embosser machines then put the card holder's credit card details onto blank plastic cards.

Another machine is used to create and encode the magnetic strip on the reverse of the card. Lastly an appropriate hologram is affixed to the card. A cloned card is then distributed and out on the streets ready for use.

Page 20

Skimming Device

Page 21

This fraudster is rigging the card reader to capture the card of the next person to use the machine

ATM Skimming Device

Page 22

ATM Skimming Device

Here the fraudster pretends to render assistance. What he is in fact trying to do is obtain the customer’s PIN now that he has captured the card.

Page 23

ATM Skimming Device

He convinces the customer that he would be able to retrieve his card if he entered his PIN while he holds down both the “cancel” and “enter” buttons.

Page 24

Counterfeiting

Internet, mail/telephone order (MOTO) and true manual/altered counterfeit attacks have increased throughout the industry

Citi has chargeback protection on the majority of cases

The use of CVV2/CVC2 (Card Verification Value) helps unless fraudsters become familiar with its use

Page 25

Don’t get hooked…by “phishing”

Phishing and Spoof E-mail

“Phishing” and “spoofing” are industry terms for e-mail disguised to look as if it comes from a legitimate source, such as Citi

The information requested from the recipient is typically used for identity theft

How to know if e-mail is legitimate

– You should never be asked to verify account information online

– Most phishing e-mails contain obvious spelling or grammatical errors

– If you are unsure of any e-mail that may have been sent by Citi, forward it to [email protected]

Page 26

Phishing/Spoofing

Never provide account information via an email solicitation

Page 27

Phishing/Spoofing

Notifications advising of credit balances, especially from foreign countries, are a red flag

Page 28

Fraud Prevention Tips

Never leave cards in an unlocked desk or cabinet

Do not leave receipts/statements/reports unattended

Be aware of your surroundings when providing card information to another person

Review your statements/account activity regularly

Immediately contact the card provider if you do not recognize activity

Avoid letting merchants take your card out of your line of sight if possible

Keep your account information current

Do not keep PIN with card

Change password(s) frequently

Page 29

Fraud Prevention Tips

Tips for Program Coordinators

Internal process to receive cards / distribute to cardholders

Use employee’s correct verification when submitting applications

Never leave new / reissued / canceled cards in an unlocked desk or cabinet

Do not leave reports / statements lying around

Report potential compromise immediately to Citigroup

Assist in educating cardholders that the card is for authorized use only

Utilize card restrictions (MCC, Transaction Limits, etc.)

Report cancelled cards for terminated employees immediately

Page 30

Misuse Prevention Tips

Educate cardholders to understand NY State policy in regards to card usage and misuse

Utilize merchant category code restrictions

Establish transaction limits

Eliminate or restrict cash access

Set realistic credit limits

Use reporting tools to monitor card usage

Issue cards based on need, versus title

Page 31

Preventing Misuse and Fraud

Missing Documents

Unreturned Confirmations

Unsupported or Unapproved Adjustments

Missing approval signatures

No property records

Photocopied invoices

Unusual Number of Disputes

Unusual refund activity

When the Data is too perfect

Watch for anomalies

Page 32

Potential Fraud Indicators – Employee

Employee is very reluctant to take vacations or even days off

Employee works long hours of overtime, often without seeking compensation (extra pay or time off in lieu of overtime)

Long-time employee has strong knowledge of NY State’s internal control systems and is able, due to position or relationships, to override or circumvent internal controls

Employee is very friendly with other employees, offering gifts or bonuses or travel to encourage cooperation with or "blind eye" to questionable acts

Employee berates or uses fear or intimidation to force junior employees to do his or her bidding

Page 33

Potential Fraud Indicators – Employee

Employee becomes excessively angry, defensive or forgetful when questioned about State process, procedures and decisions

Life-style of employee exceeds apparent family resources; living standard more lavish than lifestyles of employee’s parents or siblings

Employee caught in a lie about State matters, raising questions about truthfulness of other assertions

Employee, for certain supplier(s) or client(s) is rumored to be on close personal terms or to be recipient of lavish hospitality or in an intimate relationship

Employee expense account is heavily used and higher than for employees with similar responsibilities

Page 34

© 2007 Citigroup Inc. All rights reserved.