Transcript of Digital Security – Cyber Security and Fraud Prevention (24 pages)

Page 1

Digital Security – Cyber Security and Fraud Prevention

Citi Online Academy | December 2014

Treasury and Trade Solutions

Rajesh Shenoy, Global Head of TTS Digital Security, [email protected], +1 (416) 947-5602

Elizabeth Petrie, Director Strategic Analysis, [email protected], +1 (202) 776-1518

Page 2

Agenda

1. Increasing Cyber Threats (page 3)

2. Leveraging Bank Best Practices (page 7)

3. Partnering on Security (page 11)

4. Case Study: Social Engineering Attack (page 17)

Page 3

1. Increasing Cyber Threats

Page 4

As business interactions move online, cyber threats are becoming more sophisticated and dangerous.

Increase in Digital Banking Enhances Need for Cyber Security

Tremendous growth of online interactions, with each click or tap leaving a trail of data.

Cyber threat and fraud are on the rise, with significant impacts on business and the economy.

$200+ Billion: estimated amount stolen from banks, financial institutions, companies and individuals, double the amount in 2010.²

$3 Trillion: estimated cyber attack fallout cost to the global economy by 2020.¹

[Chart: Global Devices Connected to the Internet (B), years 2009, 2015, 2020, axis 0–60; data points 5B, 15B, 50B; annotation "4x in 10 Years".]

[Chart: Global Digital Data (in Exabytes), years 2010–2020, axis 0–40,000; annotation "44x in 10 Years".]

Source: World Economic Forum, SWIFT.

1. McKinsey report: “Risk and responsibility in a hyperconnected world: Implications for enterprises”; January 2014.

2. The Guardian report: “Online fraud costs global economy many times more than $100 billion”; October 2013.

Page 5

Nature and Frequency of Cyber Attacks

The amount of knowledge required to launch very sophisticated attacks is decreasing over time, making these threats more severe each day.

Recent attacks show increased knowledge and understanding of the technology, infrastructure and systems of their victims.

Bad actors are going after customers, suppliers and third parties in addition to direct attacks.

Intelligence, external and internal, as well as shared knowledge across the industry and governments, will be the most effective counter strategies.

[Chart: Attack Sophistication vs. Intruder Technical Knowledge. Timeline 1980, 1990, 2000, 2014; attack sophistication rises from Low to High while required intruder knowledge falls. Attack types plotted along the timeline: Password Guessing, Self-replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Hijacking Sessions, Sweepers, Sniffers, Packet Spoofing, GUI, Automated Probes/Scans, Denial of Service, www Attacks, Tools, “Stealth”/Advanced Scanning Techniques, Burglaries, Distributed Attack Tools, Staged Coordinated DDoS, Cross Site Scripting, Mobile Malware, SQL Injections, Botnets.]

Page 6

Tools, Techniques, and Procedures Used by Attackers

The primary objectives of cyber attackers are: Manipulate, Destroy, Disrupt and Steal.

Social Engineering: a common tactic, at times even non-technical, that relies on human interaction to trick other people into breaking normal security procedures, allowing attackers to gain information that may be useful for exploit efforts.

Phishing and Spear-Phishing: emails, online posts, or other electronic communications that masquerade as a trustworthy party in an attempt to trick the target into divulging information or downloading malware.

Rootkits: a set of software tools that enable an unauthorized user to gain control of a computer system without being detected.

Exploit Kits: packs containing malicious programs that are mainly used to carry out automated ‘drive-by’ attacks in order to spread malware. These kits are sold on the black market, where prices ranging from several hundred to over a thousand dollars are paid.

Drive-by Downloads: a program that is automatically installed on a target’s computer by merely visiting a website. Victims do not have to explicitly click on a link within the page.

Distributed Denial of Service: through computer programs and/or an increased number of participants, attackers flood the target’s website with more traffic than the server can handle. As the site attempts to process the large volume of malicious traffic, it denies access to legitimate users. The rush of traffic also causes servers to crash.

Page 7

2. Leveraging Bank Best Practices

Page 8

Intelligence must be an integral part of the decision-making process. Intelligence is having the right information, at the right time, in the hands of the right people.

Role and Importance of Intelligence

Output/Deliverables

• Inform operational planning and strategic decision-making

• Inventory of intelligence resources

• Identification of resource gaps, recommendations for remediation

• Centralized mechanism for ad hoc intelligence data

• Regular, frequent updates to senior management and key business stakeholders (e.g. dashboard-type, high-level briefing report)

• Intelligence-sharing and knowledge-sharing (lessons learned, etc.)

[Diagram: Intelligence Cycle – Requirements → Planning and Direction → Collection → Processing and Exploitation → Analysis and Production → Dissemination, with Active Collaboration at the center.]

Source: 2008 Federal Bureau of Investigation; www.fbi.gov/about-us/intelligence.

Intelligence is embedded in the day-to-day work, from the establishment of a customer relationship to the execution of any service. Capturing and understanding the knowledge of employees is the foundation of a successful Intelligence Program.

Page 9

Information Security Risk is determined based on a strong assessment of the threats, known vulnerabilities and the assets involved.

Leveraging Intelligence to Assess Information Security Risk

[Diagram: Threats × Vulnerabilities × Assets]

Threats – External: Nation State; Cyber Terrorists; Cyber Criminals; Hacktivists. Internal: Privileged Users; End Users.

Vulnerabilities: Insecure Code and Applications; Toxic Combinations/Over Entitlements; Client Side Software Vulnerabilities; Unauthorized Privileged User Access; Unencrypted Data; Improper Configuration Management; Network and Operating System Software Vulnerabilities.

Assets: Intellectual Property; Corporate Data; Credentials; Financial Transactions.

Page 10

Using talent, processes and technology to approach Information Security can significantly reduce cyber vulnerabilities inside Citi and their impact.

Citi’s Multi-Layered and Comprehensive Approach to Security

Select Pillars of Strong Identity and Access Management

• Security Incident Management

• Global Identity Management

• Security Training and Awareness Programs

• Intelligence Collection

• Vendor Management Practices

• Intelligence Collection and Industry Networks

• Human Resources Policies

• Vulnerability Assessment

• Data Protection

• Information Security Risk Assessments and Issue Management

Page 11

3. Partnering on Security

Page 12

Citi invests large amounts annually to help protect client assets. Working with our clients is critical to the integrity of end-to-end security.

Digital Security is our Business

Security goes beyond technology and authentication mechanisms to various processes, including:

• Maker/checker compliance for transaction authorization

• Ensuring business devices are clean and password-protected

• Leveraging data for alerts

• Payment monitoring and behavior-based blocking tools

Client collaboration is central to maintaining high security.

[Diagram: Cyber Threat at the center, surrounded by Data Privacy, Channel Protection and Transaction Monitoring.]

Focus on Partnering End-to-end, Bringing Together Technology and Best Practices

Digital channels have brought better control, but as we leverage new channels, we need to be at the top of our game and keep ahead of the curve.

Page 13

Channel Protection

We are leveraging innovation and strong best practices for existing solutions to balance risk and add value.

Citi – Technology

• Strong user log-in credentials

• End-to-end encryption securing files and data exchanged between clients and Citi

• Secure channels support message integrity, authenticity and non-repudiation*

• Abnormal login behavior detection

Citi – Process

• Intelligence on best practices to prevent social engineering

• Regular security health checks on channels (e.g. vulnerability assessment)

• Global policies and processes aligned with local regulatory requirements

Client – Technology

• Update web browser and Java regularly

• Use anti-virus and other detection tools

• Use a pop-up blocker for doubtful sites

• Use automatic updates for business devices (Windows Update, Apple Update etc.), also for Adobe Flash

• Do not install or download unknown or unsolicited programs on your device

Client – Process

• Never share SafeWord Cards and keep PINs secret

• Password-protect all devices (e.g. computers, tablets, mobile etc.)

• Log out at the end of each CitiDirect BE℠ session

• Do not share Challenge Response over the phone

• Be wary of web meeting software, especially when logging into your bank account during a web session

* Capability specific to CitiConnect channel

Page 14

Transaction Monitoring

Our Transaction Monitoring capabilities help enable Citi and our clients to mitigate transaction-level risks.

Citi – Technology

• Solutions enabling clients to easily identify payment outliers and help mitigate potential risks (e.g. behavior-based blocking capabilities)

• Ongoing review of communication and transaction information (e.g. content monitoring)

Citi – Process

• Intelligence and industry trends monitoring

• Fraud and suspicious activities review

• Leveraging big data to enhance security

• Robust Security Incident Management

Client – Technology

• Applications for user and entitlement reviews

• Tools monitoring approved users for file delivery and processing*

• Leverage solutions enabling the identification of payment outliers and risk mitigation

• Use pre-format functionality for manual payments

Client – Process

• Utilize maker/checker compliance for each transaction authorization

• For payments over a certain amount, use additional security levels

• Regular review of transaction reports and dashboards

• Report suspicious activity to Citi

• Never leave an active session unattended

* Capability specific to CitiConnect channel
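The client-side practices on this slide (maker/checker on every authorization, an additional approval level above an amount threshold, and flagging payment outliers before release) can be expressed as a small release check. The code below is an added illustration written for this transcript, not Citi's own software or any product described in the deck; the 50,000 threshold, the "3x the beneficiary's median" outlier rule, the user names and the payment history are constructed assumptions.

```python
"""Payment release control: maker/checker, threshold-based extra approval,
and outlier detection against the beneficiary's payment history.
Added example with constructed data; not code from the presentation."""
from dataclasses import dataclass, field
from statistics import median

# Assumed policy values (not from the slide): payments above this amount need a
# second, distinct checker; amounts above this multiple of the beneficiary's
# median are held for review.
ADDITIONAL_APPROVAL_THRESHOLD = 50_000.0
OUTLIER_MULTIPLIER = 3.0


@dataclass
class Payment:
    payment_id: str
    beneficiary: str
    amount: float
    maker: str          # user who entered the payment
    checkers: list      # users who approved it, in order


@dataclass
class Decision:
    released: bool
    reasons: list = field(default_factory=list)  # why the payment was held


def review_payment(p: Payment, history: dict) -> Decision:
    """Return a Decision; the payment is released only if no control fires.

    history maps beneficiary name -> list of previously released amounts.
    """
    reasons = []

    # Maker/checker: at least one approver, and the maker may not approve own work.
    if not p.checkers:
        reasons.append("no checker approval")
    elif p.maker in p.checkers:
        reasons.append("maker approved own payment")

    # Additional security level above the threshold: two distinct non-maker checkers.
    distinct_checkers = set(p.checkers) - {p.maker}
    if p.amount > ADDITIONAL_APPROVAL_THRESHOLD and len(distinct_checkers) < 2:
        reasons.append(
            f"amount {p.amount:,.2f} exceeds {ADDITIONAL_APPROVAL_THRESHOLD:,.2f}; "
            "second approver required"
        )

    # Outlier detection: compare with what this beneficiary has been paid before.
    prior = history.get(p.beneficiary, [])
    if not prior:
        reasons.append("first payment to this beneficiary")
    else:
        med = median(prior)
        if p.amount > OUTLIER_MULTIPLIER * med:
            reasons.append(
                f"amount is {p.amount / med:.1f}x the beneficiary median of {med:,.2f}"
            )

    return Decision(released=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample history for one supplier.
    history = {"ABC Technology": [12_000.0, 11_500.0, 12_800.0, 12_200.0]}
    samples = [
        Payment("P1", "ABC Technology", 12_500.0, "alice", ["bob"]),
        Payment("P2", "ABC Technology", 95_000.0, "alice", ["bob"]),
        Payment("P3", "ABC Technology", 95_000.0, "alice", ["bob", "carol"]),
        Payment("P4", "Lucky Bank Co", 1_000.0, "alice", ["bob"]),
    ]
    for pay in samples:
        d = review_payment(pay, history)
        print(pay.payment_id, "released" if d.released else "HELD", d.reasons)
```

A held payment is not rejected outright; it goes back to a reviewer, which matches the slide's "regular review of transaction reports and dashboards" step. Keeping the history per beneficiary rather than per account is deliberate: a fresh account for a known supplier still scores against that supplier's usual amounts.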

Page 15

Data Privacy

Data Privacy is a key focus area, with controls that meet applicable data privacy guidelines around the world and the flexibility to share information across a global organization.

Citi – Technology

• Stringent protection of information with a variety of systems helping to ensure client data is accurate and reliable

• Data integrity tools to protect the privacy of messages and files*

• Accessible data, fully backed up at different sites

Citi – Process

• Regular client training and awareness sessions

• Strict information security approach in compliance with applicable local data protection regulations

• Information sharing via industry networks for successful protection

Client – Technology

• Robust controls around modifications of payee information and beneficiary bank account details

• Controls for sharing and modification of files, messages and other sensitive information

• Corporate IT team should utilize data loss prevention tools to monitor, alert, identify, and block the flow of unauthorized data into and out of your network

Client – Process

• Set appropriate levels of approvals

• Limit access to sensitive and confidential data within your organization

• Avoid storing sensitive data on devices

• Implement a removable media policy (e.g. restrict the use of USB drives, external hard disks etc.)

* Capability specific to CitiConnect channel

Page 16

Acting on Suspicious Activity

Client: contact Citi’s helpdesk to report any suspicious activities and findings.

Red Flags

• Phone: a call-in before the call-back; a change in the tone of a well-known contact; fake text messages, etc.

• Transaction Approval: a request to approve a transaction you don’t know anything about, or for an unfamiliar supplier, etc.

• Email: an email with alarmist language, poor grammar and spelling errors, or visibly fake links, etc.

• System Message: a request for a password in a place you don’t recognize; an additional step or page during login or a transaction, etc.

Page 17

4. Case Study: Social Engineering Attack

Page 18

Beneficiary Change Scenario

This scenario demonstrates the tactic of a social engineer who fabricates a change of beneficiary to steal money.

1. Youcef from Company X notices an email from his supplier Bernie at ABC Technology, and is surprised that the tone is more formal than usual.

2. The email contains a dually authorized bank letter requesting a change of bank account details.

3. Youcef replies that the change is subject to additional security and requires a signature verification call-back.

4. Bernie replies that he is currently traveling and not available via the usual contact number, and asks Youcef to work with his trusted colleague Yohan, who is also authorized to complete security.

Red flags (marked on the slide against the numbered steps)

Page 19

Beneficiary Change Scenario (Cont.)

1. Soon after, Yohan calls Youcef (an in-bound call) to complete the transaction, although out-of-band call verification is the protocol.

2. Youcef says: “First I need to take you through the security procedure.”

3. Yohan becomes anxious and aggressive, and responds that Bernie had provided dual authorization by email and had asked him to contact Youcef.

4. Given the urgency, Youcef quickly takes Yohan through the security process and, after Yohan answers a few questions, confirms the change of bank details within days.

Red flags (marked on the slide against the numbered steps)

Page 20

Beneficiary Change Scenario (Cont.)

1. A few weeks later, Sam from ABC Technology calls Youcef, noting a large overdue payment.

2. Youcef remembers the invoice due to its unusual size, as he needed management approval, and because it was received on the same day as the bank details change.

3. Sam says that they did not change their bank account.

4. Youcef escalates for investigation and finds that the payment was effective four weeks earlier, soon after the holidays.

Red flags (marked on the slide against the numbered steps)

Page 21

Beneficiary Change Scenario (Cont.)

1. Youcef explains to Sam that after Bernie’s email and Yohan’s call, an invoice from “ABC Technology” was received right away and paid to the new bank account with Lucky Bank.

2. Sam confirms that they have never banked with Lucky Bank and did not request a bank account change.

3. Youcef realizes that he acted on a fraudulent bank account change.

4. Youcef made the mistake of not initiating communication with an approved contact from ABC Technology to confirm the validity of the request before making the change.

Red flags (marked on the slide against the numbered steps)

Page 22

Analysis and internal investigations

• Investigation revealed that Bernie’s email account had been compromised. The fraudsters knew that Bernie is the contact person for communicating with Company X. Personal information about Youcef was harvested from Bernie’s compromised mailbox.

• In this situation Youcef missed several ‘Red Flags’ which may indicate suspicious activity:

Behavioral characteristics: a request to change important information (bank account details) was followed by a change in the tone and phraseology of the correspondence from a well-known counterparty.

Urgency and non-availability: the initiator of the email stated that they are currently busy (travelling), that there is no opportunity to contact them using confirmed telephone numbers, and further delegated security verification via email to a subordinate employee.

Inbound vs. outbound call: Yohan from ABC calls in before the call-back can be made and is extremely anxious to get the transaction completed.
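The red flags in this analysis, together with the mistake noted on page 21 (not initiating the call to an approved contact), translate directly into a control for beneficiary-detail changes: the verification must be an outbound call-back to a contact already on file, a contact delegated by email does not count, an inbound call does not count, and payments to the new details are held for a cooling-off period. The code below is an added illustration for this transcript, not Citi's or Company X's actual procedure; the approved-contact list, the field names, the 14-day hold and the dates are constructed assumptions. It replays the case-study scenario beside a legitimate request.

```python
"""Beneficiary bank-detail change control encoding the red flags from the case
study: approved-contact call-back, no email-delegated verifiers, no inbound
calls, no urgency shortcuts, and a hold on payments to newly changed details.
Added example with constructed data; not code from the presentation."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed cooling-off period before a payment may go to changed bank details.
HOLD_DAYS = 14

# Constructed contact list: numbers confirmed with the supplier before any
# change request arrives, so they are never taken from the request itself.
APPROVED_CONTACTS = {
    "ABC Technology": {"Bernie", "Sam"},
}


@dataclass
class ChangeRequest:
    supplier: str
    requested_by: str              # sender of the email
    verifying_contact: str         # person who confirmed the change by phone
    call_direction: str            # "outbound" (we dialled a number on file) or "inbound"
    contact_delegated_by_email: bool
    urgency_pressure: bool
    requested_on: date


def red_flags(req: ChangeRequest) -> list:
    """Return the list of red flags raised by this request (empty if none)."""
    flags = []
    approved = APPROVED_CONTACTS.get(req.supplier, set())
    if req.verifying_contact not in approved:
        flags.append("verification by contact not on approved list")
    if req.contact_delegated_by_email:
        flags.append("verification delegated via email")
    if req.call_direction != "outbound":
        flags.append("inbound call instead of call-back")
    if req.urgency_pressure:
        flags.append("urgency pressure")
    return flags


def apply_change(req: ChangeRequest) -> tuple:
    """Apply the change only when no red flag is raised.

    Returns (applied, flags). A flagged request is escalated for an outbound
    call to an approved contact rather than silently rejected.
    """
    flags = red_flags(req)
    return (not flags, flags)


def payment_on_hold(details_changed_on: date, payment_date: date) -> bool:
    """True while the payment date is inside the cooling-off window."""
    return payment_date < details_changed_on + timedelta(days=HOLD_DAYS)


if __name__ == "__main__":
    # The case-study request as Youcef received it.
    case_study = ChangeRequest(
        supplier="ABC Technology", requested_by="Bernie", verifying_contact="Yohan",
        call_direction="inbound", contact_delegated_by_email=True,
        urgency_pressure=True, requested_on=date(2014, 11, 3),
    )
    # A legitimate request verified the way the protocol requires.
    legitimate = ChangeRequest(
        supplier="ABC Technology", requested_by="Bernie", verifying_contact="Bernie",
        call_direction="outbound", contact_delegated_by_email=False,
        urgency_pressure=False, requested_on=date(2014, 11, 3),
    )
    for name, req in (("case study", case_study), ("legitimate", legitimate)):
        applied, flags = apply_change(req)
        print(name, "applied" if applied else "ESCALATED", flags)
    # The invoice in the case study arrived the same day as the change.
    print("same-day payment held:", payment_on_hold(date(2014, 11, 3), date(2014, 11, 3)))
```

The hold is what would have caught the case study even if the change had slipped through: the fraudulent invoice was paid the same day the details changed, and Sam's call came weeks later. A hold of even a few days gives the supplier's genuine contact time to notice and the payer time to complete the outbound call-back.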

Page 24

IRS Circular 230 Disclosure: Citigroup Inc. and its affiliates do not provide tax or legal advice. Any discussion of tax matters in these materials (i) is not intended or written to be used, and cannot be used or relied upon, by you for the purpose of avoiding any tax penalties and (ii) may have been written in connection with the “promotion or marketing” of any transaction contemplated hereby (“Transaction”). Accordingly, you should seek advice based on your particular circumstances from an independent tax advisor.

Any terms set forth herein are intended for discussion purposes only and are subject to the final terms as set forth in separate definitive written agreements. This presentation is not a commitment or firm offer and does not obligate us to enter into such a commitment, nor are we acting as a fiduciary to you. By accepting this presentation, subject to applicable law or regulation, you agree to keep confidential the information contained herein and the existence of and proposed terms for any Transaction.

We are required to obtain, verify and record certain information that identifies each entity that enters into a formal business relationship with us. We will ask for your complete name, street address, and taxpayer ID number. We may also request corporate formation documents, or other forms of identification, to verify information provided.

© 2014 Citibank, N.A. All rights reserved. Citi and Citi and Arc Design are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world.