Fraud Prevention and Misuse NSAA/NASC Joint Middle Management Conference Springfield, IL

Upload: iris-wheeler

Post on 27-Dec-2015


Fraud Prevention and Misuse

NSAA/NASC Joint Middle Management Conference Springfield, IL


Agenda

• Fraud in the Marketplace

• Types of Fraud

– Identity Theft

– Scams

– Phishing

• Stay Informed

• Protecting Your Card Programs

– Fraud vs. Misuse

– Policies / Procedures

– Data Mining to Identify Potential Risk

• Fraud and Misuse Prevention Tips


Fraud in the Marketplace

“Consumers Report $239 Million Lost To Cyber Fraud In '07” (Washington Post, April 4, 2008)

“A recent study shows that credit card fraud hit one in twenty users and identity theft affected one in fifty people during past year.” (myIDfix.com)

“Identity theft is the fastest growing crime in America. The average victim spends 175 hours and $1000.00 repairing the damage.” (myIDfix.com)

“Every 79 seconds, a thief steals someone's identity, opens accounts in the victim's name and goes on a buying spree.” (CBSnews.com)

“U.S. Study Shows 8.3 Million Victims of Identity Theft in 2005” (ftc.gov)

“$652B lost annually by US businesses to fraud and in more than 40% of these cases, not a penny is recovered.” (gtnews.com)


Types of Fraud


Types of Fraud

• Identity

– Phishing

– Skimming

• Pharmacy

• Financial

• Internet Auctions

• Sweepstakes / Lottery

• Counterfeit Payments

• Jury Duty

• Charity / Donation Requests

• Romance / Internet Dating

• Employee / Business


Identity Theft – How It Can Happen

• Stealing records

• Bribing employees

• Hacking

• Trash/Dumpster Diving

• Credit Reports

• Skimming

• Theft of wallet/purse

• Change of Address forms

• Eavesdropping on conversations

• “Shoulder surfing”


Identity Theft Statistics

• Fastest growing form of fraud

• Over 10 million Americans have their identity stolen each year

– Identity theft increased by 79% from the year 2002 to 2003 – fastest growing form of fraud

• Industry wide – 686,683 consumer complaints on fraud and identity theft

• Average loss per victim of identity theft is $4,800 and requires 600 hours to clear their name / credit reports (IDTheftCenter.org)

• Based on 600 hours times the indicated victim wages, this equals nearly $16,000 in lost potential or realized income. (IDTheftCenter.org)


Identity Theft Statistics

• According to the FBI, the number of victims will increase by 500,000-700,000 each year 

• Every 79 seconds an identity is stolen in this country

– By the end of this session, more than 75 people will become victims of identity theft

• 28% of identity theft was due to a lost or stolen credit card


Causes Of Known Identity Theft

Source: 2006 Identity Theft Survey Report


How Victims Discovered ID Theft

Source: 2006 Identity Theft Survey Report

You are the first line of defense


How Identity Theft Affects You

Source: 2006 Identity Theft Survey Report


Identity Theft Tools

• Utilize the Federal Trade Commission

– www.ftc.gov

– 1-877-FTC-HELP

– FTC requires businesses/organizations to develop and implement appropriate safeguards – including a written information security plan – to protect cardholder information

– This should be utilized as a “best practice” to protect employees and business

• Credit Bureaus

– Review your credit report – one free report available annually

– All three bureaus provide free credit report once an individual has reported fraud

– Credit bureaus will not release your credit history without your approval for 90 days after the report of fraud


Phishing Scams and Fraudulent Emails

• Phishing is a type of deception designed to steal your valuable personal data, such as credit card numbers, passwords, account data, or other information

• Millions of fraudulent e-mail messages are sent that appear to come from Web sites you trust, like your bank or credit card company, and request that you provide personal information

• Often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites

• March 6, 2008 Headline from www.darkreading.com:

Surge of Phishing Kits Hits the Net

Researchers are investigating an unusually high volume of free phishing kits – over 400 – now in the wild


What Does Phishing Look Like?

Resting (but not clicking) the mouse pointer on the link reveals the real Web address, as shown in the box with the yellow background

The string of cryptic numbers looks nothing like the company's Web address, which is a suspicious sign


Never provide account information via an email solicitation


Notifications advising of credit balances or requests to “decline” a transaction, especially from foreign countries, are a red flag


Identifying Phishing and Email Scams

• “Verify your account”

– Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail

• “If you don't respond within 48 hours, your account will be closed”

– Conveys a sense of urgency and might even claim that your response is required because your account has been compromised

• “Click the link below to gain access to your account”

– HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site

– Links may contain all or part of a real company's name and are usually "masked,"

• May also use Uniform Resource Locators (URLs) that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters. For example, the URL "www.microsoft.com" could appear instead as:

– www.micosoft.com

– www.mircosoft.com

– www.verify-microsoft.com
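
The link checks described on the last few slides (a visible address that differs from the real one, a numeric address, and a name altered by adding, omitting or transposing letters) can be automated. The following is an added example, not part of the original presentation; the allow-list, the distance threshold and the sample links are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

TRUSTED = {"microsoft.com"}   # assumed allow-list of domains you really deal with
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def osa_distance(a, b):
    """Edit distance counting an added, omitted, changed or transposed letter as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)   # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def registrable(host):
    """Last two labels only; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_host(host):
    if IPV4_RE.fullmatch(host):
        return "raw-ip"                   # numbers instead of a company name
    dom = registrable(host)
    if dom in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        if osa_distance(dom, good) <= 2:  # threshold is an assumption
            return "lookalike"
        if good.split(".")[0] in host:
            return "brand-embedded"       # real name padded with extra words
    return "unknown"

def check_link(display_text, href):
    """Compare what a link shows with where it really goes; return findings."""
    target = urlparse(href).hostname or ""
    findings = []
    verdict = classify_host(target)
    if verdict != "trusted":
        findings.append(verdict)
    shown = DOMAIN_RE.search(display_text)
    if shown and registrable(shown.group(0)) != registrable(target):
        findings.append("masked")         # visible text names a different site
    return findings

# Constructed samples: (visible text, real href). 192.0.2.44 is a documentation address.
SAMPLES = [
    ("www.microsoft.com", "https://www.microsoft.com/account"),
    ("www.microsoft.com", "http://192.0.2.44/login"),
    ("Verify your account", "http://www.micosoft.com/verify"),
    ("Click the link below", "http://www.mircosoft.com/"),
    ("Account access", "https://www.verify-microsoft.com/"),
]

if __name__ == "__main__":
    for text, href in SAMPLES:
        print(f"{href:36} {check_link(text, href) or ['ok']}")
```

An empty result means the link points at an allow-listed domain and shows the same site it goes to; any other result is a reason to hold the message for review.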


Credit Card Skimming

• The entire valid magnetic strip is read or “skimmed” and then reproduced and placed on a counterfeit card

• Relatively easy to do, yet very difficult to detect

• Efforts focus on identifying points of compromise (locations) and flagging accounts that have frequented those merchants


Skimming and Other Major Threats

A credit or debit card is handed over to pay for a bill at a restaurant or retail shop

The card is swiped through a legitimate credit machine...

The same card is then swiped through a small illegal electronic gadget known as a skimmer

The pager-sized device can "read" and store data from the magnetic strips of up to 200 cards


Skimming

The skimmer is given to a counterfeiter who downloads all the information onto a computer and either sends it abroad or runs up a cloned copy of the card

Printing and embosser machines then put the card holder's credit card details onto blank plastic cards

Another machine is used to create and encode the magnetic strip on the reverse of the card

Lastly an appropriate hologram is affixed to the card. A cloned card is then distributed and out on the streets ready for use.


Skimming Device


ATM Skimming Device

This fraudster is rigging the card reader to capture the card of the next person to use the machine


ATM Skimming Device

The fraudster pretends to render assistance

What he is in fact trying to do is obtain the customer’s PIN now that he has captured the card information


ATM Skimming Device

He convinces the customer that he would be able to retrieve his card if he entered his PIN while he holds down both the “cancel” and “enter” buttons


Stay Informed

• www.fbi.gov

• www.lookstoogoodtobetrue.com

• www.ic3.gov

• www.ftc.gov

• www.darkreading.com

• State governments / task forces

• Newspapers / Magazines

• …and many other resources are available


Protecting Your Card Programs


Credit Card Fraud Definitions

• NRI – Never received reissued or new card

• Lost – Cardholder misplaces / loses card

• Stolen – Cardholder is victim of theft

• Altered/Counterfeit – Cardholder is in possession of card; a copy has been made and used by the criminal. Manual vs. Skimming

• Account Takeover – Fraudster is able to assume / obtain personal information in order to request an additional card


“Misuse” and “Fraud” Defined

• Misuse

– Cardholder uses his/her own card for transactions not permitted by policy

• Fraud

– A person or entity other than the cardholder makes transactions using the cardholder’s account

• Card providers do not consider “misuse” to be fraud, and therefore misuse transactions cannot be disputed

• Implementing and enforcing policies and procedures will reduce potential fraud and misuse

• Frequent analysis of program will identify potential issues

– Data mining analysis


Data Mining – What Is It?

“Data Mining is the ability to predict with a high degree of probability, anomalies where fraudulent or inaccurate activity is likely using statistical and mathematical techniques.”

Data mining can be done through the creation and analysis of management reports

The Card Associations may also offer data mining support/solutions


How Does Data Mining Work?


Data Analysis – A Generic Approach

Identify all available sources that house your transactional data

• Internal to the organization

• External to the organization


Data Mining Development Process

• Data Staging Process – Cleaning, standardizing data elements and tagging fraudulent indicators

• Interim Reporting – Develop Trend and Rule Based Exception Reporting using fraud indicators

• Unsupervised Reporting – Run transactions thru your models to identify possible fraudulent outliers

• Supervised Reporting – Using advanced techniques, run transactions thru AI software to predict fraudulent anomalies


Examples of Activities Targeted by Data Mining

• Cash Advances made with no other charges

• Recurring purchases from relatively unknown sources/vendors

• Level three summary data – miscellaneous product codes used

• No associated travel authorization to match charges

• Unusual Vendor

• High-end merchants

• Out-of-policy transactions

Need to Study Data And Perform Continuous Monitoring

Remember, everything isn’t always as it seems
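
A minimal staging step plus rule-based exception report over several of the indicators listed above, as an added example that is not part of the original presentation. The transaction fields, MCC policy sets, vendor names, travel authorization and repeat threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import date
from typing import NamedTuple

class Txn(NamedTuple):
    id: str
    card: str
    day: date
    mcc: str          # merchant category code
    vendor: str
    amount: float

# Assumed policy data; a real program takes these from its own card policy.
CASH_MCC = {"6010", "6011"}       # cash disbursements
BLOCKED_MCC = {"7995"}            # gambling, out of policy
HIGH_END_MCC = {"5944"}           # jewelry stores
TRAVEL_MCC = {"4511", "7011"}     # airlines, lodging
KNOWN_VENDORS = {"ATM WITHDRAWAL", "CAPITOL INN", "MIDWEST AIR", "STATE OFFICE SUPPLY"}
TRAVEL_AUTH = {"C-1002": [(date(2008, 3, 10), date(2008, 3, 14))]}
RECURRING_MIN = 3                 # repeats that make an unknown vendor "recurring"

TXNS = [  # constructed sample transactions
    Txn("T1", "C-1001", date(2008, 3, 3), "6011", "ATM WITHDRAWAL", 200.00),
    Txn("T2", "C-1001", date(2008, 3, 17), "6011", "ATM WITHDRAWAL", 300.00),
    Txn("T3", "C-1002", date(2008, 3, 11), "7011", "CAPITOL INN", 412.50),
    Txn("T4", "C-1002", date(2008, 3, 29), "4511", "MIDWEST AIR", 380.00),
    Txn("T5", "C-1003", date(2008, 3, 5), "5111", "STATE OFFICE SUPPLY", 86.20),
    Txn("T6", "C-1003", date(2008, 3, 6), "5944", "GEM GALLERY", 950.00),
    Txn("T7", "C-1003", date(2008, 3, 8), "5999", "QX SERVICES", 49.99),
    Txn("T8", "C-1003", date(2008, 3, 15), "5999", "qx  services ", 49.99),
    Txn("T9", "C-1003", date(2008, 3, 22), "5999", "QX SERVICES", 49.99),
    Txn("T10", "C-1003", date(2008, 3, 23), "7995", "LUCKY STAR", 120.00),
]

def stage(t):
    """Data staging: standardize vendor spelling and MCC width before any rule runs."""
    return t._replace(vendor=" ".join(t.vendor.upper().split()), mcc=t.mcc.zfill(4))

def exception_report(txns):
    """Return {transaction id: [indicator, ...]} for transactions of interest."""
    txns = [stage(t) for t in txns]
    by_card = defaultdict(list)
    for t in txns:
        by_card[t.card].append(t)
    cash_only = {c for c, ts in by_card.items() if all(t.mcc in CASH_MCC for t in ts)}
    repeats = Counter((t.card, t.vendor) for t in txns)
    report = {}
    for t in txns:
        authorized = any(s <= t.day <= e for s, e in TRAVEL_AUTH.get(t.card, []))
        checks = [
            ("cash-only", t.card in cash_only),
            ("out-of-policy", t.mcc in BLOCKED_MCC),
            ("high-end", t.mcc in HIGH_END_MCC),
            ("no-travel-auth", t.mcc in TRAVEL_MCC and not authorized),
            ("recurring-unknown-vendor", t.vendor not in KNOWN_VENDORS
             and repeats[(t.card, t.vendor)] >= RECURRING_MIN),
        ]
        flags = [name for name, hit in checks if hit]
        if flags:
            report[t.id] = flags
    return report

if __name__ == "__main__":
    print(exception_report(TXNS))
```

The report only lists transactions of interest; deciding whether each one has a valid explanation, is misuse, or needs a full investigation remains a reviewer's job.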


Auditing Your Program

• Generate reports on program performance

• Frequent review and analysis of program performance will identify unusual or suspicious trends and “transactions of interest”

• Once “transactions of interest” are identified, rules / policies can be created placing these transactions into two categories

– Valid explanation found or misuse, not fraud, identified

– Probable improper transaction – full investigation needed

• Take corrective action on out-of-policy transactions


Watch For Anomalies

• Unusual activity

• Missing Documents

• Perfect Copies

• Unusual Number of Disputes

• Unexpected Product Codes

• Local/Out-of-Area Charges

• Excessive advances

• No split disbursement payments

• Unusual refund activity


Establish Strong Internal Controls

• Good internal controls are critical

• Separation of duties

• Dwindling resources could impact internal controls

• Password and System Access


Fraud and Misuse Prevention Tips


Fraud Prevention Tips

• Never leave cards in an unlocked desk or cabinet

• Do not leave receipts/statements/reports unattended

• Be aware of your surroundings when providing card information to another person

• Review statements/account activity regularly

• Immediately contact the card provider if you do not recognize activity

• Avoid letting merchants take your card out of your line of sight if possible

• Keep your account information current

• Do not keep PIN with card

• Change password(s) frequently


Fraud Prevention Tips – For Program Coordinators

• Internal process to receive cards / distribute to cardholders

• Use employee’s correct verification when submitting applications

• Never leave new / reissued / canceled cards in an unlocked desk or cabinet

• Do not leave reports / statements lying around

• Report potential compromise immediately

• Assist in educating cardholders that the card is for authorized use only

• Utilize card restrictions (MCC, Transaction Limits, etc)

• Report cancelled cards for terminated employees immediately


Passwords and Hacking… Something to Think About…

| Six Characters | Example | Combinations | Days |
|---|---|---|---|
| All numbers | 123456 | 1,000,000 | 58 |
| All letters | abcdef | 309,000,000 | 17,882 |
| Numbers & letters | 1a2b3c | 2,180,000,000 | 126,157 |
| Numbers, letters and special characters | 1a#2b$ | 3,520,000,000 | 203,704 |
| Lower and upper case letters | ABcDeF | 19,600,000,000 | 1,134,259 |
| Lower and upper case letters and numbers | AB1dE2 | 56,800,000,000 | 3,287,037 |
| Lower and upper case letters, numbers and special characters | AB1#cD | 690,000,000,000 | 39,930,556 |


Misuse Prevention Tips

• Educate cardholders to understand policy in regards to card usage and misuse

• Utilize merchant category code restrictions

• Establish transaction limits

• Eliminate or restrict cash access

• Set realistic credit limits

• Use reporting tools to monitor card usage

• Issue cards based on need, versus title


IRS Circular 230 Disclosure: Citigroup Inc. and its affiliates do not provide tax or legal advice. Any discussion of tax matters in these materials (i) is not intended or written to be used, and cannot be used or relied upon, by you for the purpose of avoiding any tax penalties and (ii) may have been written in connection with the "promotion or marketing" of any transaction contemplated hereby ("Transaction"). Accordingly, you should seek advice based on your particular circumstances from an independent tax advisor.

Any terms set forth herein are intended for discussion purposes only and are subject to the final terms as set forth in separate definitive written agreements. This presentation is not a commitment to lend, syndicate a financing, underwrite or purchase securities, or commit capital nor does it obligate us to enter into such a commitment, nor are we acting as a fiduciary to you. By accepting this presentation, subject to applicable law or regulation, you agree to keep confidential the existence of and proposed terms for any Transaction.

Prior to entering into any Transaction, you should determine, without reliance upon us or our affiliates, the economic risks and merits (and independently determine that you are able to assume these risks) as well as the legal, tax and accounting characterizations and consequences of any such Transaction. In this regard, by accepting this presentation, you acknowledge that (a) we are not in the business of providing (and you are not relying on us for) legal, tax or accounting advice, (b) there may be legal, tax or accounting risks associated with any Transaction, (c) you should receive (and rely on) separate and qualified legal, tax and accounting advice and (d) you should apprise senior management in your organization as to such legal, tax and accounting advice (and any risks associated with any Transaction) and our disclaimer as to these matters. By acceptance of these materials, you and we hereby agree that from the commencement of discussions with respect to any Transaction, and notwithstanding any other provision in this presentation, we hereby confirm that no participant in any Transaction shall be limited from disclosing the U.S. tax treatment or U.S. tax structure of such Transaction.

We are required to obtain, verify and record certain information that identifies each entity that enters into a formal business relationship with us. We will ask for your complete name, street address, and taxpayer ID number. We may also request corporate formation documents, or other forms of identification, to verify information provided.

Any prices or levels contained herein are preliminary and indicative only and do not represent bids or offers. These indications are provided solely for your information and consideration, are subject to change at any time without notice and are not intended as a solicitation with respect to the purchase or sale of any instrument. The information contained in this presentation may include results of analyses from a quantitative model which represent potential future events that may or may not be realized, and is not a complete analysis of every material fact representing any product. Any estimates included herein constitute our judgment as of the date hereof and are subject to change without any notice. We and/or our affiliates may make a market in these instruments for our customers and for our own account. Accordingly, we may have a position in any such instrument at any time.

Although this material may contain publicly available information about Citi corporate bond research, fixed income strategy or economic and market analysis, Citi policy (i) prohibits employees from offering, directly or indirectly, a favorable or negative research opinion or offering to change an opinion as consideration or inducement for the receipt of business or for compensation; and (ii) prohibits analysts from being compensated for specific recommendations or views contained in research reports. So as to reduce the potential for conflicts of interest, as well as to reduce any appearance of conflicts of interest, Citi has enacted policies and procedures designed to limit communications between its investment banking and research personnel to specifically prescribed circumstances.

© 2007 Citi, N.A. All rights reserved. Citi, Citi and Arc Design, and Citi are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world.
