Digital Security Cyber Security and Fraud Prevention

Transcription

1 Treasury and Trade Solutions Citi Online Academy February 2015 Digital Security Cyber Security and Fraud Prevention Rajesh Shenoy Global Head of TTS Digital Security +1 (416) Justin Deck Strategic Intelligence Analysis +1 (202) Ambrish Bansal North America Market Management +1 (212)

2 Agenda 1. Increasing Cyber Threats 3 2. Leveraging Bank Best Practices 7 3. Partnering on Security Case Study: Social Engineering Attack Payment Fraud and Transaction Security 23 2

3 1. Increasing Cyber Threats 3

4 Increase in Digital Banking Enhances Need for Cyber Security (B) As business interactions move online, cyber threats are becoming more sophisticated and dangerous. Tremendous Growth of Online Interactions with each Click or Tap Leaving a Trail of Data Cyber Threat and Fraud are on the Rise with Significant Impacts on Business and the Economy 4x in 10 Years Global Devices Connected to the Internet B 15B 50B $3 Trillion Estimated Cyber Attack Fallout Cost to Global Economy by x in 10 Years Global Digital Data (In Exabytes) 40,000 20, $200+ Billion Estimated Amount Stolen from Banks, Financial Institutions, Companies and Individuals, Double the Amount in Source: World Economic Forum, SWIFT. 1. McKinsey report: Risk and responsibility in a hyperconnected world: Implications for enterprises ; January The Guardian Report: Online fraud costs global economy many times more than $100 billion ; October

5 Nature and Frequency of Cyber Attacks The amount of knowledge required to launch very sophisticated attacks is decreasing over time making these threats more severe each day Recent attacks show increased knowledge and understanding of the technology, infrastructure and systems of their victims Bad Actors are going after customers, suppliers, and third-parties in addition to direct attacks Intelligence, external and internal as well as shared knowledge across the industry and governments will be the most effective counter strategies Attack Sophistication vs. Intruder Technical Knowledge High Required Intruder Knowledge Attack Sophistication Low Disabling Audits Self-replicating Code Password Guessing Back Doors Sweepers Hijacking Sessions Burglaries Exploiting Known Vulnerabilities Password Cracking Packet Spoofing Sniffers GUI Denial of Service Cross Site Scripting Stealth /Advanced Scanning Techniques www Attacks Automated Probes/Scans Coordinated DDOS Botnets Staged Distributed Attack Tools SQL Injections Tools Mobile Malware 5

6 Key Adversaries Cyber Criminals Motivation: Make Money Methods: Very mature underground economy supporting every facet of cyber criminal activity Cyber Terrorism Motivation: Instill fear so targets comply with demands or ideology Methods: Using cyber to enable their programs (Recruit, Incite, Train, Plan and Finance). Underground forums allow these groups to easily acquire destructive capabilities Hactivists Motivation: Seek publicity for their geopolitical agenda Methods: Disruption and Defacement State-Affiliated (Advanced Persistent Threat) Motivation: Political and technological advantage to improve self interests Methods: Advanced operations to gain a foothold into a target s infrastructure. Once a foothold is established, the adversary performs reconnaissance and methodically plans their attack. APT actors often leave back doors to re-establish access to the target in case their primary means is identified and mitigated 6

7 2. Leveraging Bank Best Practices 7

8 Role and Importance of Intelligence Intelligence must be an integral part of the decision making process. Intelligence is having the right information, at the right time, and in the hands of the right people. Intelligence Cycle Dissemination Requirements Analysis and Production Active Collaboration Planning and Direction Processing and Exploitation Collection Output/Deliverables Inform operational planning and strategic decision-making Inventory of intelligence resources Identification of resource gaps, recommendations for remediation Centralized mechanism for ad hoc intelligence data Regular, frequent updates to senior management and key business stakeholders (e.g. dashboard-type, high-level briefing report) Intelligence-sharing and knowledge-sharing (lessons learned, etc.) Intelligence is embedded in the day-to-day work, from the establishment of a customer relationship to the execution of any service. Capturing and understanding the knowledge of employees is the foundation of a successful Intelligence Program Source: 2008 Federal Bureau of Investigation; 8

9 Leveraging Intelligence to Assess Information Security Risk Information Security Risk is determined based on strong assessment of the threats, known vulnerabilities and the assets involved. X X External Nation State Cyber Terrorists Cyber Criminals Hacktivists Internal Privileged Users End Users Insecure Code and Applications Toxic Combinations/ Over Entitlements Client Side Software Vulnerabilities Unauthorized Privileged User Access Unencrypted Data Improper Configuration Management Network and Operating System Software Vulnerabilities Intellectual Property Corporate Data Credentials Financial Transactions 9

10 Citi s Multi-Layered and Comprehensive Approach to Security Using talent, processes and technology to approach Information Security can significantly reduce cyber vulnerabilities inside Citi and their impact. Select Pillars of Strong Identity and Access Management Data Protection Vendor Management Practices Human Resources Policies Security Incident Management Intelligence Collection Intelligence and Industry Collection Networks Vulnerability Assessment Global Identity Management Security Training and Awareness Programs Information Security Risk Assessments and Issue Management 10

11 3. Partnering on Security 11

12 Digital Security is our Business Citi invests large amounts annually to help protect client assets. Working with our clients is critical to the integrity of end-to-end security. Focus on Partnering End-to-end, Bringing Together Technology and Best Practices Channel Protection Security goes beyond technology and authentication mechanisms to various processes, including Cyber Threat! Data Privacy Transaction Monitoring Maker/checker compliance for transaction authorization Ensuring business devices are clean and password-protected Leveraging data for alerts Payment monitoring and behavior-based blocking tools Client collaboration is central to maintaining high security Digital Channels have brought better control, but as we leverage new channels, we need to be at the top of our game and keep ahead of the curve. 12

13 Channel Protection We are leveraging innovation and strong best practices for existing solutions to balance risk and add value. Citi Client Technology Process Technology Process Strong user log-in credentials End-to-End encryption securing files and data exchanged between clients and Citi Secure Channels support message integrity, authenticity and nonrepudiation* Abnormal login behavior detection Intelligence on best practices to prevent Social Engineering Regular security health checks on channels (e.g. vulnerability assessment) Global policies and processes aligned with local regulatory requirements Update web browser and Java regularly Use anti-virus and other detection tools Use a pop-up blocker for doubtful sites Use automatic updates for business devices (Windows Update, Apple Update etc.), also for Adobe Flash Do not install or download unknown or unsolicited programs on your device Never share SafeWord Cards and keep PINs secret Password-protect all devices (e.g. computers, tablets, mobile etc.) Log-out at the end of each CitiDirect BESM session Do not share Challenge Response over the phone Be wary of web meeting software, especially log into your bank account over the web session * Capability specific to CitiConnect channel 13

14 Transaction Monitoring Our Transaction Monitoring capabilities help enable Citi and our clients to mitigate transaction level risks. Citi Client Technology Process Technology Process Solutions enabling clients to easily identify payment outliers and help mitigate potential risks (e.g. behavior based blocking capabilities) Ongoing review of communication and transaction information (e.g. content monitoring) Intelligence and industry trends monitoring Fraud and suspicious activities review Leveraging big data to enhance security Robust Security Incident Management Applications for user and entitlement reviews Tools monitoring approved users for file delivery and processing* Leverage solutions enabling the identification of payment outliers and risk mitigation Use pre-format functionality for manual payments Utilize maker/checker compliance for each transaction authorization For payment over a certain amount, use additional security levels Regular review of transaction reports and dashboards Report suspicious activity to Citi Never leave an active session unattended * Capability specific to CitiConnect channel 14

15 Data Privacy Data Privacy is a key focus area with controls that meet applicable data privacy guidelines around the world and the flexibility to share information across a global organization. Citi Client Technology Process Technology Process Stringent protection of information with a variety of systems helping to ensure client data is accurate and reliable Data integrity tools to protect privacy of messages and files* Accessible data and fully backed-up at different sites Regular client training and awareness sessions Strict information security approach in compliance with applicable local data protection regulations Information sharing via Industry networks for successful protection Robust controls around modifications of payee information and beneficiary bank account details Controls for sharing and modification of files, messages and other sensitive information Corporate IT team should utilize tools for data loss prevention to monitor, alert, identify, and block the flow of unauthorized data into and out of your network Set appropriate levels of approvals Limit access to sensitive and confidential data within your organization Avoid storing sensitive data on device Implement a removable media policy (e.g. restrict the use of USB drives, external hard disks etc.) * Capability specific to CitiConnect channel 15

16 Acting on Suspicious Activity Contact Citi s helpdesk to report any suspicious activities and findings. Client Red Flags Transaction Approval Requested to approve a transaction you don t know anything about, or for an unfamiliar supplier etc. Phone Call-in before the call-back; Change in the tone of a wellknown contact; Fake text messages etc. Receive with alarmist language, poor grammar and spelling errors, or visibly fake links etc. System Message Asking for password in place you don t recognize, Additional step/page during the login or transaction etc. 16

17 4. Case Study: Social Engineering Attack 17

18 Beneficiary Change Scenario This scenario demonstrates the tactic of a social engineer to fabricate a change of beneficiary to steal money Youcef from Company X notices an from his supplier Bernie from ABC Technology, and is surprised that the tone is more formal than usual 4 contains dually authorized bank letter requesting change of bank account details Youcef replies that it is subject to additional security and requires signature verification call-back Red flags 18 Bernie replies that he is currently traveling and not available via usual contact number and to work with his trusted colleague Yohan who is also authorized to complete security

19 Beneficiary Change Scenario (Cont.) 1 2 Soon after Yohan calls Youcef (in-bound call) to complete the transaction (while out-of-band call verification is protocol) 3 4 Youcef says first I need to take you through security procedure Yohan becomes anxious, aggressive, and responds that Bernie had provided dual authorization by and him to contact Youcef Youcef quickly takes Yohan through security process given the urgency, and upon his answering few questions, confirmed the change of bank details within days Red flags 19

20 Beneficiary Change Scenario (Cont.) 1 2 A few weeks later, Sam from ABC Technology calls Youcef noticing a large overdue payment 3 4 Youcef remembers invoice due to its unusual size as he needed management approval and it was received on the same day as the bank details change Sam says that they did not change their bank account Youcef escalates for investigation and finds that payment was effective 4 weeks earlier, soon after the holidays Red flags 20

21 Beneficiary Change Scenario (Cont.) 1 2 Youcef explains to Sam that after Bernie s and Yahon s call, an invoice from ABC Technology was received right away and paid to the new bank account with Lucky bank 3 Sam confirms that they have never banked with Lucky Bank, and did not request a bank account change 4 Youcef realizes that he acted on a fraudulent bank account change Youcef made a mistake of not initiating communication with an approved contact from ABC Technology to confirm the validity before making the change Red flags 21

22 5. Payment Fraud and Transaction Security 22

23 Payment Fraud by the Numbers : The US Perspective Types of Payment Fraud Experienced Payments fraud comes in various forms and occurs across all payment instruments. Traditional Fraud: Check Payments Studies estimate losses between $5 and $50 Billion annually To reduce check fraud, many companies have increased the use of electronic payments Percent of Organizations Affected by Payment Fraud Percent of Organizations Affected by Payment Fraud Check 82% Check volumes are declining on average 8% annually, however check fraud is increasing ACH Debits 22% Credit / Debit Cards 43% Electronic Fraud: ACH and Wire ACH volumes growing about 3% annually and ACH Fraud growing, as well FBI Studies estimate a conservative loss number is in excess of $100 Million for both ACH and Wire Fraud Wires 14% ACH Credits 9% 0% 20% 40% 60% 80% 100% Source: 2014 AFP Payments Fraud and Control Survey. 23

24 Payments Best Practices Overview Best practices to help mitigate fraud risk, improve visibility and control over your payment flows, optimize your overall payment activities, and increase process efficiencies. Internal Controls and Automation Counter-Party Data Management Enhanced Real-time Data Visibility Enable maker-checker on transactions (both internal systems and bank infrastructure) Periodic review of vendor base and vendor information Increased security and control Set-up debit blocks and filters* Review unauthorized ACH debits to make a Pay / No Pay decision Payee Name Authentication Auto-schedule payments with appropriate authorization Reduce Manually Initiated Funds Transfers (MIFTs) Centralize payment processes and counterparty management Minimize manual collection of counterparty data via forms and faxes. Automate supplier and other counterparties payment data collection and maintenance Leverage bank enabled systems to collect, store, and manage payment information Leverage tools to enhance data visibility Equip shared service centers to Identify payment outliers quickly for timely corrective action Obtain real-time transaction data and view historical transaction activity Access to performance measurement and transaction information Reliable Intelligence Analytics Tools Transparency and Visibility Process Efficiencies and Improved Security * Most commonly used in the US 24

25 Payment Risk Management Best Practices Monitor Your Internal Controls Consider implementing electronic payments for recurring check disbursements Review exception items daily Review account activity daily Minimize spare check stock and maintain tight control over inventory Conduct surprise audits Separate deposit and disbursement accounts allowing depository accounts to block all check presentment Use Risk Mitigating Human Resource Best Practices Periodically rotate personnel in financially sensitive assignments if possible Separate financial responsibilities amongst staff Require individuals with financial responsibilities to take mandatory time off Ensure hiring procedures include reference checks, background screening 25

26 Payment Risk Management Best Practices (Cont.) Partner with Your Bank to Deploy Transaction Security Tools Use electronic supplier onboarding processes with multi-level data validation Utilize Positive Pay* solution for Check and ACH Use ACH Debit Blocks and Filters* Leverage hands free payment execution capabilities via scheduling features Deploy capabilities to monitor and action payment outliers Use multi-factor authentication for access to all transaction initiation capabilities * Most commonly used in the US 26

27

28 IRS Circular 230 Disclosure: Citigroup Inc. and its affiliates do not provide tax or legal advice. Any discussion of tax matters in these materials (i) is not intended or written to be used, and cannot be used or relied upon, by you for the purpose of avoiding any tax penalties and (ii) may have been written in connection with the "promotion or marketing" of any transaction contemplated hereby ("Transaction"). Accordingly, you should seek advice based on your particular circumstances from an independent tax advisor. In any instance where distribution of this communication is subject to the rules of the US Commodity Futures Trading Commission ("CFTC"), this communication constitutes an invitation to consider entering into a derivatives transaction under U.S. CFTC Regulations 1.71 and , where applicable, but is not a binding offer to buy/sell any financial instrument. Any terms set forth herein are intended for discussion purposes only and are subject to the final terms as set forth in separate definitive written agreements. This presentation is not a commitment to lend, syndicate a financing, underwrite or purchase securities, or commit capital nor does it obligate us to enter into such a commitment, nor are we acting as a fiduciary to you. By accepting this presentation, subject to applicable law or regulation, you agree to keep confidential the information contained herein and the existence of and proposed terms for any Transaction. Prior to entering into any Transaction, you should determine, without reliance upon us or our affiliates, the economic risks and merits (and independently determine that you are able to assume these risks) as well as the legal, tax and accounting characterizations and consequences of any such Transaction. In this regard, by accepting this presentation, you acknowledge that (a) we are not in the business of providing (and you are not relying on us for) legal, tax or accounting advice, (b) there may be legal, tax or accounting risks associated with any Transaction, (c) you should receive (and rely on) separate and qualified legal, tax and accounting advice and (d) you should apprise senior management in your organization as to such legal, tax and accounting advice (and any risks associated with any Transaction) and our disclaimer as to these matters. By acceptance of these materials, you and we hereby agree that from the commencement of discussions with respect to any Transaction, and notwithstanding any other provision in this presentation, we hereby confirm that no participant in any Transaction shall be limited from disclosing the U.S. tax treatment or U.S. tax structure of such Transaction. We are required to obtain, verify and record certain information that identifies each entity that enters into a formal business relationship with us. We will ask for your complete name, street address, and taxpayer ID number. We may also request corporate formation documents, or other forms of identification, to verify information provided. Any prices or levels contained herein are preliminary and indicative only and do not represent bids or offers. These indications are provided solely for your information and consideration, are subject to change at any time without notice and are not intended as a solicitation with respect to the purchase or sale of any instrument. The information contained in this presentation may include results of analyses from a quantitative model which represent potential future events that may or may not be realized, and is not a complete analysis of every material fact representing any product. Any estimates included herein constitute our judgment as of the date hereof and are subject to change without any notice. We and/or our affiliates may make a market in these instruments for our customers and for our own account. Accordingly, we may have a position in any such instrument at any time. Although this material may contain publicly available information about Citi corporate bond research, fixed income strategy or economic and market analysis, Citi policy (i) prohibits employees from offering, directly or indirectly, a favorable or negative research opinion or offering to change an opinion as consideration or inducement for the receipt of business or for compensation; and (ii) prohibits analysts from being compensated for specific recommendations or views contained in research reports. So as to reduce the potential for conflicts of interest, as well as to reduce any appearance of conflicts of interest, Citi has enacted policies and procedures designed to limit communications between its investment banking and research personnel to specifically prescribed circumstances. [TRADEMARK SIGNOFF: add the appropriate signoff for the relevant legal vehicle] 2015 Citigroup Global Markets Inc. Member SIPC. All rights reserved. Citi and Citi and Arc Design are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world Citibank, N.A. All rights reserved. Citi and Citi and Arc Design are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world Citigroup Inc. All rights reserved. Citi and Citi and Arc Design are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world Citigroup Global Markets Limited. Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. All rights reserved. Citi and Citi and Arc Design are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world Citibank, N.A. London. Authorised and regulated by the Office of the Comptroller of the Currency (USA) and authorised by the Prudential Regulation Authority. Subject to regulation by the Financial Conduct Authority and limited regulation by the Prudential Regulation Authority. Details about the extent of our regulation by the Prudential Regulation Authority are available from us on request. All rights reserved. Citi and Citi and Arc Design are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world [Name of Legal Vehicle] [Name of regulatory body.] All rights reserved. Citi and Citi and Arc Design are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world. Citi believes that sustainability is good business practice. We work closely with our clients, peer financial institutions, NGOs and other partners to finance solutions to climate change, develop industry standards, reduce our own environmental footprint, and engage with stakeholders to advance shared learning and solutions. Highlights of Citi's unique role in promoting sustainability include: (a) releasing in 2007 a Climate Change Position Statement, the first US financial institution to do so; (b) targeting $50 billion over 10 years to address global climate change: includes significant increases in investment and financing of renewable energy, clean technology, and other carbon-emission reduction activities; (c) committing to an absolute reduction in GHG emissions of all Citi owned and leased properties around the world by 10% by 2011; (d) purchasing more than 234,000 MWh of carbon neutral power for our operations over the last three years; (e) establishing in 2008 the Carbon Principles; a framework for banks and their U.S. power clients to evaluate and address carbon risks in the financing of electric power projects; (f) producing equity research related to climate issues that helps to inform investors on risks and opportunities associated with the issue; and (g) engaging with a broad range of stakeholders on the issue of climate change to help advance understanding and solutions. Citi works with its clients in greenhouse gas intensive industries to evaluate emerging risks from climate change and, where appropriate, to mitigate those risks. efficiency, renewable energy and mitigation