Information Security and Identity Theft
Tim Sheridan
Vice President, Citibank® Commercial Cards
November 28, 2007
Global Transaction Services – Cash Management, Trade Services and Finance, Securities and Fund Services
Goal and Objectives
Provide a broad overview of Citi’s fraud and early warning policies and security operations, including a synopsis of strategies to identify fraud
Provide a synopsis of strategies to identify information security and fraud issues
Gain a perspective on phishing, e-mail, identity theft, password security, fraud and misuse management
Agenda
Safeguarding Passwords
Identity Theft Statistics and Tools
Citi Fraud Early Warning
Fraud Types
Citi’s Fraud Prevention Policy
Skimming and Other Major Threats
Prevention Tips
Fraud Indicators
Safeguarding Your Password
Passwords are the most common form of protection from unauthorized access
Change passwords regularly
Almost half of all online users use the same password for multiple access points
As an added security benefit, all of Citi’s technology tools have added security measures – Multi-Factor Authentication
– First time sign-on requires entering user ID and password
– Answer 3 of 5 security questions
– All subsequent log ons require responding to one of the three random questions
Three Simple Rules to Good Password Management
Never share passwords
Change password every 30 – 60 days
Use passwords that are difficult to guess
– 1Tr&St2!
– TrAcY1
– IiaRd2d (It is a Rainy day 2 day)
Something to Think About…..
Six characters – Example – Combinations – Days
All numbers – 123456 – 1,000,000 – 58
All letters – abcdef – 309,000,000 – 17,882
Numbers & letters – 1a2b3c – 2,180,000,000 – 126,157
Numbers, letters and special characters – 1a#2b$ – 3,520,000,000 – 203,704
Lower and upper case letters – ABcDeF – 19,600,000,000 – 1,134,259
Lower and upper case letters and numbers – AB1dE2 – 56,800,000,000 – 3,287,037
Lower and upper case letters, numbers and special characters – AB1#cD – 690,000,000,000 – 39,930,556
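The combination counts in the table are simply the alphabet size raised to the password length. The Python below is an added example, not part of the original presentation: it computes the keyspace, its entropy in bits, and the days needed to try every combination at the guess rate implied by the slide's own first row (1,000,000 six-digit combinations in 58 days, about 0.2 guesses per second; that rate and the 32-symbol special-character count are assumptions, since the slide states neither). It also goes beyond the table by varying the length, which the slide holds fixed at six.

```python
import math
from dataclasses import dataclass

# Guess rate implied by the slide's own first row: 1,000,000 six-digit
# combinations exhausted in 58 days (an assumption derived from the table).
GUESSES_PER_DAY = 1_000_000 / 58

# Alphabet size of each character class. The slide does not state how many
# special characters it counts; 32 printable ASCII symbols is an assumption.
CHARSETS = {"digits": 10, "lower": 26, "upper": 26, "special": 32}


@dataclass(frozen=True)
class Keyspace:
    label: str
    alphabet: int   # number of distinct characters allowed per position
    length: int     # password length

    @property
    def combinations(self) -> int:
        return self.alphabet ** self.length

    @property
    def entropy_bits(self) -> float:
        # bits needed to index one password in the space
        return self.length * math.log2(self.alphabet)

    def days_to_exhaust(self, guesses_per_day: float = GUESSES_PER_DAY) -> float:
        # worst case: every combination tried once
        return self.combinations / guesses_per_day


def keyspace(classes, length=6, label=None) -> Keyspace:
    """Build the keyspace for the given character classes and length."""
    alphabet = sum(CHARSETS[c] for c in classes)
    return Keyspace(label or "+".join(classes), alphabet, length)


def slide_rows(length=6):
    """The slide's rows, recomputed as alphabet ** length for the given length."""
    rows = [
        ("All numbers", ["digits"]),
        ("All letters", ["lower"]),
        ("Numbers & letters", ["digits", "lower"]),
        ("Lower and upper case letters", ["lower", "upper"]),
        ("Lower and upper case letters and numbers", ["digits", "lower", "upper"]),
        ("Lower and upper case letters, numbers and special characters",
         ["digits", "lower", "upper", "special"]),
    ]
    return [keyspace(c, length, label) for label, c in rows]


if __name__ == "__main__":
    for n in (6, 8, 12):
        print(f"--- length {n} ---")
        for k in slide_rows(n):
            print(f"{k.label:62s} {k.combinations:>26,d} "
                  f"{k.entropy_bits:6.1f} bits {k.days_to_exhaust():>18,.0f} days")
```

Running it shows that adding two characters of length multiplies the keyspace by more than adding a whole character class does, and that the slide's implied rate is far slower than what offline password cracking against leaked hashes achieves today, which is why length and a unique password per site matter more than symbol classes alone.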
Ways in Which Identity Can Be Stolen
Stealing records
Bribing employees
Hacking
Trash/Dumpster Diving
Credit Reports
Skimming
Theft of wallet/purse
Change of Address forms
Phishing
Identity Theft Statistics
Over 9 million Americans have their identity stolen each year
Industry wide – 686,683 consumer complaints on fraud and identity theft
Average loss per victim of identity theft is $4,800 and requires 30+ hours to fix credit report
The Federal Trade Commission’s website is a great resource for tips on how to protect yourself as well as what to do should you be a victim
www.FTC.gov
Causes Of Known Identity Theft
[Bar chart: percentage of known identity theft cases by cause. Categories shown: lost or stolen wallet, checkbook or credit card; friends, acquaintances, relatives; accessed as offline transaction; corrupt employee; stolen paper mail; taken from garbage; computer spyware; accessed as part of online transaction; computer virus/hacker; phishing. Individual percentages were not preserved in the extracted text.]
Offline 68.2%, Online 11.6%
… You are the first line of defense
Identity Theft Tools
Utilize the Federal Trade Commission
– www.FTC.gov
– 1-877-FTC-HELP
– FTC requires businesses to develop and implement appropriate safeguards – including a written information security plan – to protect cardholder information
• This should be utilized as a “best practice” for colleges and universities to protect staff and students
Credit Bureau Agencies
– Review your credit report – one free report available annually
– All three bureaus provide free credit report once an individual has reported fraud
– Credit bureaus will not release your credit history without your approval for 90 days after the report of fraud
Citi Fraud Early Warning
Identify
– Lost/stolen
– Never received reissued or new card
– Altered
Monitor transactions
Reduce fraud losses
Detect unusual behavior in early stages of fraud while minimizing impact to our cardholders
“Misuse” and “Fraud” Defined
Misuse
– Cardholder uses his/her own card for transactions not permitted by NY State policy
Fraud
– A person or entity other than the cardholder makes transactions using the cardholder’s account
Fraud Types
Definitions
NRI – Never received reissued or new card
Lost – Cardholder misplaces / loses card
Stolen – Cardholder is victim of theft
Altered/Counterfeit – Cardholder is in possession of card; a copy has been made and used by the criminal. Manual vs. Skimming
Account Takeover – Fraudster is able to assume / obtain personal information in order to request an additional card
Fraud Prevention
Interfaces
[Diagram: Fraud Policy / Fraud Management (Tactical / Strategic Solutions) at the centre, interfacing with Prioritization / Operations, Fraud Early Warning, Formula Development, Risk Modeling, Chargeback / Recovery, Security Operations, Client Account Managers, Commercial Cards, and the Visa / MasterCard Associations.]
Citi Fraud Prevention
Four strategic approaches to fighting fraud…
Prevention: Stop it before it even occurs – Product features, card activation, verification, application process
Detection: Find the fraudulent activity and reduce potential exposure – Formula development, FEW case review, loss defect analysis
Recovery: Seize recovery opportunity through merchant liability – Chargebacks, compliance
Deterrence: Prevent it from happening again – Aggressive field investigation and prosecution effort
Citi Fraud Detection Cycle
Merchant initiates transaction
Transaction information is checked against credit and fraud criteria/rules
If transaction matches fraud criteria, account may be blocked or monitored further
Accounts with transactions that meet fraud formula criteria (priorities) are sent for further review
Fraud Early Warning (FEW) representatives review current and past account activity to determine risk and attempt to contact cardholder for verification of account activity
Major Threats
Skimming
The entire valid magnetic strip is read or “skimmed” and then reproduced and placed on a counterfeit card
Relatively easy to do, yet very difficult to detect
Citi efforts focus on identifying points of compromise (locations) and flagging accounts that have frequented those merchants
Skimming and Other Major Threats
A credit or debit card is handed over to pay for a bill at a restaurant or retail shop.
The card is swiped through a legitimate credit machine...
The same card is then swiped through a small illegal electronic gadget known as a skimmer. The pager-sized device can "read" and store data from the magnetic strips of up to 200 cards.
Skimming and Other Major Threats
The skimmer is given to a counterfeiter who downloads all the information onto a computer and either sends it abroad or runs up a cloned copy of the card.
Printing and embosser machines then put the card holder's credit card details onto blank plastic cards.
Another machine is used to create and encode the magnetic strip on the reverse of the card. Lastly an appropriate hologram is affixed to the card. A cloned card is then distributed and out on the streets ready for use.
Skimming Device
ATM Skimming Device
This fraudster is rigging the card reader to capture the card of the next person to use the machine
ATM Skimming Device
Here the fraudster pretends to render assistance. What he is in fact trying to do is obtain the customer’s PIN now that he has captured the card.
ATM Skimming Device
He convinces the customer that he would be able to retrieve his card if he entered his PIN while he holds down both the “cancel” and “enter” buttons.
Counterfeiting
Internet, mail/telephone order (MOTO) and true manual/altered counterfeit attacks have increased throughout the industry
Citi has chargeback protection on the majority of cases
The use of CVV2/CVC2 (Card Verification Value) helps unless fraudsters become familiar with its use
Don’t get hooked…by “phishing”
Phishing and Spoof E-mail
“Phishing” and “spoofing” are industry terms for e-mail disguised to look as if it comes from a legitimate source, such as Citi
The information requested from the recipient is typically used for identity theft
How to know if e-mail is legitimate
– You should never be asked to verify account information online
– Most phishing e-mails contain obvious spelling or grammatical errors
– If you are unsure of any e-mail that may have been sent by Citi, forward it to [email protected]
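The three checks above can be turned into a simple screening script. The Python below is an added example, not part of the original presentation or of any Citi tool: it parses a raw e-mail and flags (1) a display name that claims to be from Citi while the sending address is not on an assumed list of trusted sender domains, (2) wording that asks the recipient to verify account information, and (3) links whose host is not a trusted domain. The trusted-domain list, the phrase patterns and both sample messages are constructed for the example.

```python
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains the organisation actually sends from (constructed list).
TRUSTED_SENDER_DOMAINS = {"citi.com", "citibank.com"}

# Wording the slide says a legitimate message never uses (constructed patterns).
VERIFY_PATTERNS = [
    r"verify your account",
    r"confirm your (account|password|card)",
    r"update your (account|billing) information",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def body_text(msg) -> str:
    """Return the plain-text body, handling single- and multipart messages."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts if p)
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", "replace") if payload else ""


def registrable(host: str) -> str:
    """Last two labels of a host name (assumption: no multi-label public suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw_email: str) -> list[str]:
    """Return a list of reasons the message looks like phishing; empty if none."""
    msg = message_from_string(raw_email)
    findings: list[str] = []
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # 1. Display name claims the bank, but the address is not a trusted domain.
    if "citi" in display.lower() and registrable(sender_domain) not in TRUSTED_SENDER_DOMAINS:
        findings.append(f"display name '{display}' but sender domain '{sender_domain}'")

    text = body_text(msg)
    # 2. The message asks the recipient to verify account information.
    for pat in VERIFY_PATTERNS:
        if re.search(pat, text, re.IGNORECASE):
            findings.append(f"asks to verify account information: /{pat}/")
            break

    # 3. Links lead somewhere other than a trusted domain.
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        if registrable(host) not in TRUSTED_SENDER_DOMAINS:
            findings.append(f"link to untrusted host {host}")
    return findings


# Constructed sample messages (not real e-mails).
SAMPLE_PHISH = """\
From: Citi Customer Service <alerts@citi-secure-login.example>
To: cardholder@example.org
Subject: Action required

Dear customer, please verify your account within 24 hours:
http://citi.account-verify.example/login
"""

SAMPLE_LEGIT = """\
From: Citi Commercial Cards <noreply@citibank.com>
To: cardholder@example.org
Subject: Your statement is ready

Your monthly statement is available at https://www.citibank.com/statements
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample) or "no indicators")
```

The checks are deliberately conservative: they do not try to score spelling mistakes, and a message that passes them is not proven genuine, so the slide's advice to forward anything doubtful to the bank still applies.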
Phishing/Spoofing
Never provide account information via an email solicitation
Phishing/Spoofing
Notifications advising of credit balances, especially from foreign countries, are a red flag
Fraud Prevention Tips
Never leave cards in an unlocked desk or cabinet
Do not leave receipts/statements/reports unattended
Be aware of your surroundings when providing card information to another person
Review your statements/account activity regularly
Immediately contact the card provider if you do not recognize activity
Avoid letting merchants take your card out of your line of sight if possible
Keep your account information current
Do not keep PIN with card
Change password(s) frequently
Fraud Prevention Tips
Tips for Program Coordinators
Internal process to receive cards / distribute to cardholders
Use employee’s correct verification when submitting applications
Never leave new / reissued / canceled cards in an unlocked desk or cabinet
Do not leave reports / statements lying around
Report potential compromise immediately to Citigroup
Assist in educating cardholders that the card is for authorized use only
Utilize card restrictions (MCC, Transaction Limits, etc.)
Report cancelled cards for terminated employees immediately
Misuse Prevention Tips
Educate cardholders to understand NY State policy in regards to card usage and misuse
Utilize merchant category code restrictions
Establish transaction limits
Eliminate or restrict cash access
Set realistic credit limits
Use reporting tools to monitor card usage
Issue cards based on need, versus title
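The detection cycle described earlier (each transaction checked against fraud criteria, and accounts meeting the criteria queued for Fraud Early Warning review) and the misuse controls listed above (merchant category code restrictions, transaction limits, restricted cash access) are both rule checks over transaction data. The Python below is an added example, not Citi's own rules or code: it applies a set of assumed programme controls to a constructed batch of transactions and returns, per account, the reasons it would be sent for review. The MCC values used for cash and for blocked categories, the limits, and the velocity threshold are all assumptions for the example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class Transaction:
    account: str
    when: datetime
    amount: float
    mcc: str        # four-digit merchant category code
    merchant: str


@dataclass(frozen=True)
class CardControls:
    """Card restrictions of the kind the slides recommend for a programme."""
    blocked_mccs: frozenset[str]
    single_txn_limit: float
    daily_limit: float
    cash_allowed: bool = False
    velocity_max: int = 5                       # assumption: max transactions per window
    velocity_window: timedelta = timedelta(hours=1)


# Assumption: MCCs treated as cash access here (6010/6011 are the manual and
# automated cash-disbursement codes).
CASH_MCCS = frozenset({"6010", "6011"})

# Assumed programme settings; the blocked codes are gambling (7995) and bars (5813).
DEFAULT_CONTROLS = CardControls(
    blocked_mccs=frozenset({"7995", "5813"}),
    single_txn_limit=1000.0,
    daily_limit=2000.0,
)


def evaluate(transactions, controls: CardControls = DEFAULT_CONTROLS) -> dict[str, list[str]]:
    """Check every transaction against the rules; return {account: [reasons]}.

    Accounts present in the result are the ones that would be queued for
    Fraud Early Warning review; accounts with no hits are absent.
    """
    by_account: dict[str, list[Transaction]] = defaultdict(list)
    for t in sorted(transactions, key=lambda t: t.when):
        by_account[t.account].append(t)

    hits: dict[str, list[str]] = defaultdict(list)
    for account, txns in by_account.items():
        daily_total: dict[date, float] = defaultdict(float)
        days_flagged: set[date] = set()
        for i, t in enumerate(txns):
            stamp = f"{t.when:%Y-%m-%d %H:%M}"
            if t.mcc in controls.blocked_mccs:
                hits[account].append(f"{stamp} blocked MCC {t.mcc} at {t.merchant}")
            if t.mcc in CASH_MCCS and not controls.cash_allowed:
                hits[account].append(f"{stamp} cash access at {t.merchant}")
            if t.amount > controls.single_txn_limit:
                hits[account].append(f"{stamp} amount {t.amount:.2f} over single-transaction limit")
            day = t.when.date()
            daily_total[day] += t.amount
            if daily_total[day] > controls.daily_limit and day not in days_flagged:
                days_flagged.add(day)   # report a daily-limit breach once per day
                hits[account].append(f"{stamp} daily total {daily_total[day]:.2f} over daily limit")
            # velocity: this transaction plus the others inside the trailing window
            window_start = t.when - controls.velocity_window
            recent = sum(1 for u in txns[: i + 1] if u.when >= window_start)
            if recent > controls.velocity_max:
                hits[account].append(f"{stamp} velocity: {recent} transactions within {controls.velocity_window}")
    return dict(hits)


def sample_transactions() -> list[Transaction]:
    """Constructed activity for two cards (not real data)."""
    base = datetime(2007, 11, 28, 9, 0)
    normal = [
        Transaction("CARD-0001", base, 42.10, "5411", "Grocery Co"),
        Transaction("CARD-0001", base + timedelta(hours=3), 118.00, "5812", "Lunch Place"),
    ]
    suspicious = [
        Transaction("CARD-0002", base, 300.00, "6011", "ATM 17"),                    # cash access
        Transaction("CARD-0002", base + timedelta(minutes=5), 1250.00, "7995", "Casino"),  # blocked, over limit
    ]
    # six small purchases within 30 minutes: exceeds the velocity threshold
    suspicious += [
        Transaction("CARD-0002", base + timedelta(hours=2, minutes=5 * k), 20.00, "5999", f"Kiosk {k}")
        for k in range(6)
    ]
    return normal + suspicious


if __name__ == "__main__":
    for account, reasons in evaluate(sample_transactions()).items():
        print(account, "-> review:")
        for r in reasons:
            print("   ", r)
```

Real programmes would feed the review queue from authorization data rather than a batch file, and would tune the limits per cardholder role (the slides' "issue cards based on need, versus title"), but the shape of the check is the same: rules produce reasons, and the reasons are what the reviewer uses when contacting the cardholder.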
Preventing Misuse and Fraud
Watch for anomalies
Missing Documents
Unreturned Confirmations
Unsupported or Unapproved Adjustments
Missing approval signatures
No property records
Photocopied invoices
Unusual Number of Disputes
Unusual refund activity
When the Data is too perfect
Potential Fraud Indicators – Employee
Employee is very reluctant to take vacations or even days off
Employee works long hours of overtime, often without seeking compensation (extra pay or time off in lieu of overtime)
Long-time employee has strong knowledge of NY State’s internal control systems and is able, due to position or relationships, to override or circumvent internal controls
Employee is very friendly with other employees, offering gifts or bonuses or travel to encourage cooperation with or "blind eye" to questionable acts
Employee berates or uses fear or intimidation to force junior employees to do his or her bidding
Potential Fraud Indicators – Employee
Employee becomes excessively angry, defensive or forgetful when questioned about State process, procedures and decisions
Life-style of employee exceeds apparent family resources; living standard more lavish than lifestyles of employee’s parents or siblings
Employee caught in a lie about State matters, raising questions about truthfulness of other assertions
Employee, for certain supplier(s) or client(s), is rumored to be on close personal terms, to be recipient of lavish hospitality, or to be in an intimate relationship
Employee expense account is heavily used and higher than for employees with similar responsibilities
© 2007 Citigroup Inc. All rights reserved.