Cybersecurity: Is Your Company Prepared?



Similar documents
Risk Management in Global Operating Industry

Digital Security Cyber Security and Fraud Prevention

Innovative Approaches to Enhance Digital Security

NATIONAL CYBER SECURITY AWARENESS MONTH

Fraud Trends. HSBCnet Online Security Controls PUBLIC

Sound Business Practices for Businesses to Mitigate Corporate Account Takeover

Don t Fall Victim to Cybercrime:

CYBERCRIME: What your Bank should be doing to Protect your Business. David Pollino Senior Vice President Fraud Prevention Officer

Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation. By Marc Ostryniec, vice president, CSID

Protecting your business from fraud

RLI PROFESSIONAL SERVICES GROUP PROFESSIONAL LEARNING EVENT PSGLE 123. Cybersecurity: A Growing Concern for Small Businesses

Online security. Defeating cybercriminals. Protecting online banking clients in a rapidly evolving online environment. The threat.

Cybercrime Prevention and Awareness

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

SPEAR PHISHING UNDERSTANDING THE THREAT

Corporate Account Take Over (CATO) Guide

Internet threats: steps to security for your small business

Remote Deposit Quick Start Guide

Deception scams drive increase in financial fraud

Whitepaper on AuthShield Two Factor Authentication with ERP Applications

2010 AICPA Top Technology Initiatives. About the Presenter. Agenda. Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP

Cybersecurity: A Growing Concern for All Businesses. RLI Design Professionals Design Professionals Learning Event DPLE 160 October 7, 2015

Payment Fraud and Risk Management

Cyber Attacks and Liabilities Why do so many Organizations keep Getting Hacked, Sued and Fined?

How To Protect Your Online Banking From Fraud

Retail/Consumer Client. Internet Banking Awareness and Education Program

CAPITAL PERSPECTIVES DECEMBER 2012

Fraud Detection and Prevention. Timothy P. Minahan Vice President Government Banking TD Bank

Best Practices in Account Takeover

location of optional horizontal pic Corporate and Investment Banking Business Online Information Security

OCIE Technology Controls Program

Cyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014

Your security is our priority

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, D.C

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Presented By: Corporate Security Information Security Treasury Management

Transforming the Customer Experience When Fraud Attacks

CYBERSECURITY: Is Your Business Ready?

White paper. Phishing, Vishing and Smishing: Old Threats Present New Risks

Information Security Awareness

Visa CREDIT Card General Guidelines

Mobile Identity: Improved Cybersecurity, Easier to Use and Manage than Passwords. Mika Devonshire Associate Product Manager

Corporate Account Takeover & Information Security Awareness. Customer Training

FFIEC CONSUMER GUIDANCE

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

The information contained in this session may contain privileged and confidential information. This presentation is for information purposes only.

Corporate Account Takeover & Information Security Awareness

CYBERSECURITY HOT TOPICS

Cybersecurity and internal audit. August 15, 2014

Common Data Breach Threats Facing Financial Institutions

LIGC-ACC Presentation November 9, 2015

Here are two informational brochures that disclose ways that we protect your accounts and tips you can use to be safer online.

Keep Your Business Banking

Help Protect Your Firm and Clients from Cyber Fraud

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

How we see malware introduced Phishing Targeted Phishing Water hole Download (software (+ free ), music, films, serialz)

Executive Summary 3. Snowden and Retail Breaches Influencing Security Strategies 3. Attackers are on the Inside Protect Your Privileges 3

Corporate Account Takeover & Information Security Awareness

Implementing a Program Management Plan

THE HOME LOAN SAVINGS BANK. Corporate Account Takeover & Information Security Awareness

Best Practices: Reducing the Risks of Corporate Account Takeovers

IT Security Risks & Trends

Creating, Developing and Instituting an Effective Incident Response Plan. Webinar. 15 April 2015

Phishing for Fraud: Don't Let your Company Get Hooked!

Citibank Custom Reporting System (CCRS) Cycle based Reporting

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

Five Trends to Track in E-Commerce Fraud

Applying the 80/20 approach for Operational Excellence. How to combat new age threats, optimize investments and increase security.

Supplement to Authentication in an Internet Banking Environment

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program.

Christos Douligeris cdoulig at unipi dot gr. Department of Informatics University of Piraeus

National Cyber Security Month 2015: Daily Security Awareness Tips

Preventing Misuse and Abuse in Your Program

Small businesses: What you need to know about cyber security

GUIDE TO PROTECTING YOUR BUSINESS

Whitepaper on AuthShield Two Factor Authentication and Access integration with Microsoft outlook using any Mail Exchange Servers

THE CHANGING FACE OF CYBERCRIME AND WHAT IT MEANS FOR BANKS

The Cost of Phishing. Understanding the True Cost Dynamics Behind Phishing Attacks A CYVEILLANCE WHITE PAPER MAY 2015

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

CUSTOMER SECURITY AWARENESS: A Key Defense Against Corporate Account Takeover & Cyber Fraud

Privacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014

Technical Testing. Network Testing DATA SHEET

AVOIDING ONLINE THREATS CYBER SECURITY MYTHS, FACTS, TIPS. ftrsecure.com

Reducing Fraud whilst Keeping Transactions in Motion

2012 NORTON CYBERCRIME REPORT

Welcome to this ACT webinar

TRAINING FOR AMERICAN MOMENTUM BANK CLIENTS. Corporate Account Takeover & Information Security Awareness

Information Technology. A Current Perspective on Risk Management

Protecting your business from some of the current fraud threats

CYBERSECURITY FRAUD LOSS ISSUES & HOW TO ADDRESS RISKS IN TODAY'S INSURANCE MARKETPLACE 12/16/2015. December 17, 2015

Internal Controls and Fraud Detection & Prevention. Harold Monk and Jennifer Christensen

Streamlining Web and Security

Fighting ACH fraud: An industry perspective

Guide to Vulnerability Management for Small Companies

Mifflinburg Bank & Trust. Corporate Account Takeover & Information Security Awareness

ONLINE BANKING SECURITY TIPS FOR OUR BUSINESS CLIENTS

Cybersecurity. Are you prepared?

FFIEC Supplemental Guidance to Authentication in an Internet Banking Environment. Robert Farmer Senior Technology Compliance Manager

Treasure Trove The Rising Role of Treasury in Accounts Payable

Transcription:

Treasury and Trade Solutions April 29, 2015 Cybersecurity: Is Your Company Prepared? Sabine Mcintosh Managing Director Global Head of TTS Digital Security and Account Services sabine.mcintosh@citi.com +44 (20) 7508-7392 Elizabeth Petrie Director Strategic Analysis Information Protection Directorate elizabeth.petrie@citi.com +1 (202) 776-1518

Cyber Attacks Common Tactics and Impacts on Business Cyber Attack is an attempt by online criminals to access or damage a computer network/system often stealing data or money, and using both technical and non-technical methods. Common Attack Methods Impact on Business Human Effect Social Engineering Relying on human interaction to trick people into breaking security procedures and sharing useful information for exploit efforts Technology Malware Software tools that enable an unauthorized user to gain control of a computer system and gather sensitive information $113 Billion Estimated global cost of consumer cybercrime in 2013, or $298 per person 1 US $38BN China $37BN Europe $13BN Others $25BN Cyber Masquerading Taking over executive account to conduct cyber espionage or complete financial transaction Human + Technology Phishing Emails or online posts that masquerade as a trustworthy party in an attempt to trick the target into divulging information or downloading malware Countries with the greatest number of victims (as % of internet users): Russia (85%), China (77%), South Africa (73%) $3 Trillion Estimated Cyber Attack Fallout Cost to Global Economy by 2020 2 1. Symantec: The 2013 Norton Cybercrime Report ; October 2013. 2. McKinsey report: Risk and responsibility in a hyperconnected world: Implications for enterprises ; January 2014. 2

Cyber Threat Trends Against Financial Centers and Assets Cyber attackers are increasingly targeting financial centers to steal money and sensitive data. The biggest threat is the combined type of attacks using various tactics. Trends in Cyber Crime Common Manifestation against Financial Centers Multi-vector attacks Targeted victims Attacks against treasurers are delivered in multiple phases, Using Email, Social Media, unsecure Mobile/Personal devices to log into corporate assets. Caller pretends to be bank s fraud team or Microsoft Help. Victim reveals sensitive information or even allows screen sharing on their machine leading to exploitation and fraud. Sophisticated tools New malware programmers are using sophisticated methods that evade Anti- Virus solutions. Banking malware now features file stealing capabilities. Indirect attacks Attacker targets third-party vendors in order to access sensitive financial center data/systems and steal data/money. New players: Organized Crime Blackmail and Extortion schemes, Data stealing, and even Drug and Human Smuggling is being aided by cyber crime services. Persistence and long-term outlook Advanced tools are added to infected machines to steal valuable intellectual property. 3

Question What is the role of Treasury in cyber security? a) Prevention b) Detection c) Education d) Mitigation e) All of the above 4

Why is Digital Security Important to Treasurers? Treasury is at the nexus of a company s financial flows. Key Risk Areas Human Factors Banks Insider Fraud Access to sensitive data Suppliers Financial Centers and Flows Vendor performing Financial Outsource Function Changing bank details Technology/Process Factors Data privacy and sensitive data restrictions Connectivity interacting with banking system Information Security and Technology Other Parts of the Corporation Exploitation of security weaknesses in other areas Internal Interactions 5

Question In what areas are you concerned about cyber security threats and risks? a) Electronic Banking b) Financial Supply Chain c) None 6

Security Best Practices Within the Financial Center How to improve internal fraud prevention and react in the face of cyber attacks? Prevention Monitor Your Internal Controls Implement electronic payments for recurring check disbursements Use Risk Mitigating Human Resource Best Practices Promote staff training on cyber threats and fraud awareness Use additional levels of control for new payee authentication Minimize spare check stock and maintain tight control over inventory Conduct surprise audits Review exception items and account activity daily Financial Centers and Flows Periodically rotate staff in financially sensitive assignments Separate financial responsibilities amongst staff Require staff with financial responsibilities to take mandatory time off Ensure hiring procedures include reference checks, background screening Manage Your Transaction Controls Enable controls around access to systems and data Use locked beneficiary templates (preformats) for payments to prevent beneficiary takeover Separate deposit and disbursement accounts allowing depository accounts to block all check presentment Post-attack Management and Recovery Issue alerts and reminders for staff to know exactly what to do in the event of an actual or potential compromise Notify your security officer and your usual bank contact to investigate any suspicious activity Act quickly to recover lost funds (Bank can work with you to investigate and attempt recovery of funds) 7

Question Who is responsible for security in your organization? a) Information Security b) Internal Audit c) Operations Control c) Everyone e) None of the above 8

Fraud Risk Management The Fraud Risk Managers Toolkit will be a packaged set of materials that can be used to expand awareness and best practices within the client organization to tackle fraud risks encapsulating both Social Engineering and Digital Security. Toolkit Components General Fraud Risk Bulletins Fraud Basics (What is Fraud?) (brochure) How to raise Awareness in your organization (slipsheet) Fraud Prevention (microsite) Posters and placemat A series of regular emails to Fraud Risk Managers 1. Identify Crisis, 2. Prepare, Prevent, Protect. 3. Lock it up 4. See it. Report it. Social Engineering Human and physical and psychological elements Formal Training materials Classroom session - presentations Training Video Case Study Scenarios (videos and animation) Core Payments materials Cash Management: Cash in Transit, Teller Implant and Mobile Teller Services (slip sheet) Manual vs. Electronic Payments(presentation) CitiDirect BE Best Practices, video (Video/Slipsheet) Digital Security Cyber attacks Payment Flow management 9

Appendix 10

Treasurer Fraud Attempt Impersonation This is a the general case of how cyber-attacks may target and compromise a senior executive s account to conduct fraud. Treasurer updates Social Networking Site account that he will be speaking at the annual International Association of CFOs and Corporate Treasurers in China The Social Networking Site Account is opened by Hacker using online brute force attack to guess the Treasurer s login ID and password Hacker makes connections with all associates (e.g. key supplier) holding a Treasurer title linked to that account Hacker sends a Social Networking Site message to all associates asking them to click on the link to the upcoming conference that the Treasurer is speaking at All associates are infected unknowingly by malware when they click on the link Because of the malware infection, the Hacker compromises the credentials for the associate s e-mail account and sends directions to the Treasurer s Account Payable colleague to change vendor bank details and transfer funds 11

Treasurer Fraud Attempt Beneficiary Change The follow-up scenario demonstrates the tactic of the Hacker to fabricate a change of beneficiary to steal money. Account Payable staff (Mike) notices an email requesting change of bank account details from his supplier (Hacker), and is surprised that the tone is more formal than usual Mike replies requiring signature verification call-back Supplier replies that he is currently traveling and not available via usual contact number and to work with his trusted colleague Yahon Soon after Yahon calls Treasurer (in-bound call) to complete the transaction Yahon becomes anxious, aggressive, and responds that Supplier had provided dual authorization by email and instructed him to contact Treasurer Mike quickly takes Yahon through the security process given the urgency, and upon his answering of a few questions correctly, confirmed the change of bank details Two weeks later, Sam (actual supplier) calls the Treasurer noticing a large overdue payment Mike remembers the invoice due to its unusual size as he needed management approval and it was received on the same day as the request to change bank details Sam says that they did not change their bank account Mike escalates for investigation and finds that payment was effected 4 weeks earlier, soon after the holidays Mike explains to Sam that soon after Hacker s email and Yahon s call, an invoice from ABC Technology was received right away and paid to the new bank account held with Lucky bank Sam confirms that they have never banked with Lucky Bank, and did not request a bank account change Mike realizes that he acted on a fraudulent request to change account details Red flags 12

Treasurer Fraud Attempt Screen Sharing This is a social engineering illustration where the fraudster impersonates a Citi helpdesk staff, requesting a client to share screen and conducting fraud. Peter (secondary authorizer) receives a call from Mr Green (fraudster) who wants to speak with Emma (first authorizer) Peter re-directs the call to Emma Green explains to Emma that he is from Citi Helpdesk calling regarding a CitiDirect BE Java software update Emma asked Green to send her an email to confirm he is from Citi, providing Green her email and phone number Shortly after, Green sends an email that appears to be from citidirect.com Green calls Emma again once the email had been received, asking her to open the CitiDirect BE application Green then provides an alternative internet address which redirected Emma to a remote sharing website appearing to show CitiDirect BE login Green asks Emma to return to the first (genuine) CitiDirect BE login page via Challenge Response Green then spends 5 minutes with Emma testing, but does not ask her to authorize a transaction Green asked Emma to leave the CitiDirect BE session open for 10 minutes and re-direct the call to a transaction maker Emma redirected Green to Bob, who was then asked to follow the exact same screen sharing process Green asked Bob to leave the session open and redirect his call to Peter, which he did Peter explained to Green that he did not have a CitiDirect BE application on his thin client computer; therefore, Peter was asked to use Emma s laptop to log into CitiDirect BE Green explains that the updates have been completed and made a request to Emma and Peter not to use CitiDirect BE until Jan 5 to avoid disrupting the server migration On Dec 31, Bob noticed that $800,000 had been debited from their accounts Both Bob and Peter simultaneously try to contact Citi and Green to understand why there was a debit on the account Citibank responded that there has been no scheduled software updates and that the circumstances were suspicious Red flags 13

Continuous Innovation to Keep Ahead of the Threat Citi is leveraging its global Innovation Labs to explore and develop new security solutions. Biometrics Device Security Voice Biometrics: Evaluate technologies to enable user access via simple verification of their natural speech Behavioral Biometrics: Deploy passive log-in tool using client behavior (i.e. typing) that cannot be emulated by external agents Malware Detection: Enable passive detection tools to identify viruses Information Breach: Advise clients when their private credentials are being publicly distributed by cyber criminals Out of Band Security Out of Band Authentication: Provide One-Time-Password via SMS, Phone Call or device application, using a channel or device separate from the primary banking channel Digital Signature and Transaction Approval: Secure transactions via mobile device separate from desktop banking channel Transaction Security Payment Risk Manager: Use data analytics tools to identify unusual payment transactions for clients to review prior to execution by Citi Risk-based Authentication: Enable simpler security for low risk transactions and complex security for higher risk transactions The key challenge is to balance user experience, security, and worldwide availability for Citi clients. The above smart experiments may or may not be rolled out 14

IRS Circular 230 Disclosure: Citigroup Inc. and its affiliates do not provide tax or legal advise. Any discussion of tax matters in these materials (i) is not intended or written to be used, and cannot be used or relied upon, by you for the purpose of avoiding any tax penalties and (ii) may have been written in connection with the promotion or marketing of any transaction contemplated hereby ( Transaction ). Accordingly, you should seek advice based on your particular circumstances from an independent tax advisor. Any terms set forth herein are intended for discussion purposes only and are subject to the final terms as set forth in separate definitive written agreements. This presentation is not a commitment or firm offer and does not obligate us to enter into such a commitment, nor are we acting as a fiduciary to you. By accepting this presentation, subject to applicable law or regulation, you agree to keep confidential the information contained herein and the existence of and proposed terms for any Transaction. We are required to obtain, verify and record certain information that identifies each entity that enters into a formal business relationship with us. We will ask for your complete name, street address, and taxpayer ID number. We may also request corporate formation documents, or other forms of identification, to verify information provided. 2015 Citibank, N.A. All rights reserved. Citi and Citi and Arc Design are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information