Citibank Presents: Information Security and

Identity Theft

GSA SmartPay Conference

Citibank Presents:Continue the Revolution

Citibank® Commercial Cards, Government Services

The Ninth Annual GSA SmartPay Conference - Philadelphia, Pennsylvania

The Ninth Annual GSA SmartPay Conference

Information Security

August 22, 2007

Goals and Objectives

• Define “Information Security”

• Gain a clearer perspective on social engineering, internet thieves, phishing concepts, and electronic scams

• Provide you with the knowledge to protect data against intrusion and theft

• Refer you to resources that can provide assistance in the event of data or identity theft

Agenda

• Information security - what is it?

• Password protection tips

• Protecting against social engineering

• Recognizing phishing scams

• Know the game of thieves

• Identity theft

• What to do if you are a victim?

• Resources

=Equivalent to 1.5 million CDs

1,500,000

How Much?

Citibank manages one “petabyte” of electronic data1,125,899,906,842,624 bytes

Why Protect Information?

Valuable assetClient trustLaws and regulationsFinancial lossReputation

Laws and Regulations

• Citibank is subject to laws and regulations relating to Information Security:

– Customer privacy is a federal requirement:The Gramm-Leach-Bliley Act (GLBA)

– Privacy and information security legislation has increased significantly over past five years

What is Information Security?

• A collective set of policies, standards, processes and procedures that limits or controls access to, and use of, information to authorized users. – IS is the process of protecting data from unauthorized access, use,

disclosure, destruction, modification, or disruption.

• Are Information Security Methodologies new?– Julius Caesar is credited with the invention of the Caesar cipher c50 B.C. to prevent his secret

messages from being read should a message fall into the wrong hands.– WW II brought about significant advancements in IS in that formalized classification of data based

upon sensitivity of information and who could have access to the information was introduced.

– The rapid growth and wide spread use of electronic data processing and electronic business conducted through the Internet fueled the need for better methods of protecting these computers and the information they store, process and transmit.

What is Information Security?

• Information Security Core Principles:

– Confidentiality• Holding sensitive data in confidence, limited to an appropriate set of individuals or

organizations.

– Integrity• Data can not be created, changed, or deleted without authorization

– Availability• The information, the computing systems used to process the information, and the security

controls used to protect the information are all available and functioning correctly when the information is needed.

• The opposite of availability is denial of service (DOS)

Password Construction Techniques

• Constructing tough-to-crack passwords is an important way that you can protect information and your identity.

– Citibank Information Security Standards require that all static passwords (passwords that remain the same each time you log on to the system or application) must:

• Never be shared or written down

• Consist of a minimum of six (6) alphabetic and numeric characters

• A good password must also be unique. When constructing your password, never use easy-to-guess password elements such as:

– Your User ID (jsmith) – A phone number or street address – Names of family members, close friends, coworkers, pets, etc. – Your title or function (secretary, manager, security, etc.) – Names of places

Password Protection Technique

• Once you’ve constructed a hard-to-guess password, these are some important steps you should take to protect it:

• Do not give your password anyone – even if they claim they have a valid business reason.

• Change your passwords on a periodic basis as even the strongest passwords can be guessed or misplaced over time. In most cases, your business will select the appropriate period and it will be enforced automatically by the operating system or application.

• Watch out for applications that "remember" your password, so that you do not have to input the password again. Typically these applications have a checkbox on the log in screen that asks: "Remember my ID on this computer?" Always select “no” in response to this question.

Social Engineering

• A facet of Information Security aimed at manipulating people

• Creating a false sense of trust in order to…– Gain insider access– Obtain sensitive information– Bypass an organization's existing

physical security controls

Types of Social Engineering

• Psychological Subversion– Establishing a relationship with an insider

to gain access to continuing stream of information

• Masquerading– Impersonating people with legitimate

access or a need to know to gain access

• Shoulder Surfing– Stealing information by watching a

legitimate user type in a password

Examples of Social Engineering

• Tailgating– Entering secure locations by following

behind someone with legitimate access

• Dumpster Diving– Finding improperly discarded information

Examples of Social Engineering

• Federal Agency Example (Masquerading)

• Audit Risk Review Team (Dumpster Diving)

• Look out for…– Rushing– Name-dropping – Intimidation– Small mistakes, for example: misspellings,

misnomers, odd questions, etc.– Requesting forbidden information

Identity Theft – What is it?

• A component or subset within IS principles and the CIA Triad.

• According to the non-profit Identity Theft Resource Center, identity theft is "sub-divided into four categories: – Financial Identity Theft - using another's name and SSN to obtain

goods and services– Criminal Identity Theft - posing as another when apprehended for a

crime– Identity Cloning - using another's information to assume his or her

identity in daily life– Business/Commercial Identity Theft - using another's business name

to obtain credit

Recognizing Phishing Scams

• Phishing is a type of internet deception designed to steal your valuablepersonal data. In other words, Phishing may be considered a means to commit Identity Theft.

• Thieves might send fraudulent e-mail messages that appear to come from websites you trust and have existing relationships with.

BEWARE they may not be legitimate

• What does a phishing scam look like?

• Often include official-looking logos from real organizations and other identifying information taken directly from legitimate websites.

Phishing Example

Phishing

• The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link you see does not take you to that address but somewhere different, usually a phony website.

Internet Thieving and Electronic Scams

• How can I spot a true website from a fake? – Look for the lock or key icon at the bottom of the browser.– If the site has changed since your last visit, be suspicious.– A list of popular financial sites that use a secure page for logins is maintained on

pharming.org– Check spelling, grammar, and punctuation.

• If there are errors chances are you may have been phished.– Hover over suspicious links to find masked URL’s (as in the previous example). – A reputable business will never ask you to verify account information online.– Did you initiate the contact?

• What to do?– Report suspicious incidences to the Organization immediately

Don’t be a victim of Identity Theft

• Types:– Hijacking existing accounts and deposits– Creating new alternate identities

• How can someone steal my identity? – Stealing records– Trash (Dumpster Diving)– Credit Reports– Theft of wallet, purses– Electronic scams (as discussed)

What if I am a victim?

Five steps to minimize damage/maximize control:

• Contact the fraud department at one of the three major credit bureaus

• Review your credit report

• Contact institutions where fraud occurred

• File a police report

• File report with the Federal Trade Commission

Statistics• Surveys in the USA from 2003 to 2006 showed a decrease in the total

number of victims but an increase in the total value of identity fraud to US $56.6 billion in 2006.

• The average fraud per person rose from $5,249 in 2003 to $6,383 in 2006. • Only 15% of victims find out about the theft through proactive action

taken by a business.• The average time spent by victims resolving the problem is about 40

hours. • 73% of respondents indicated the crime involved the thief acquiring a

credit card

Statistics

Resources

Federal Trade Commission Identity Theft Clearing House

www.consumer.gov/idtheft1-877-438-4338

Resources: Credit Bureau Agencies

Equifax 1-800-525-6285• www.equifax.com

Experian 1-800-Experian (397-3742) • www.experian.com

TransUnion 1-800-680-7289• www.transunion.com

Free credit reportswww.annualcreditreport.com

Summary

• Defined “Information Security”

• Set clear roles and responsibilities

• Know your password rules!

• Be aware of social engineering and data theft techniques

• Know what to do if you are a victim!

• Questions?

Reminders

• Thank you for attending this session!

• Visit the Citibank Welcome Center– Room 104 A/B, 1st Floor– National Industries for the Blind will have a display of products– Conference Slide Show – come see yourself shine!

• Visit the Citibank Technical Demonstration Center– Room 106 A, 1st Floor

• Please take a moment to complete your GSA survey for this session!

IRS Circular 230 Disclosure: Citigroup Inc. and its affiliates do not provide tax or legal advice. Any discussion of tax matters in these materials (i) is not intended or written to be used, and cannot be used or relied upon, by you for the purpose of avoiding any tax penalties and (ii) may have been written in connection with the "promotion or marketing" of the Transaction. Accordingly, you should seek advice based on your particular circumstances from an independent tax advisor.Any terms set forth herein are intended for discussion purposes only and are subject to the final terms as set forth in separate definitive written agreements. This presentation is not a commitment to lend, syndicate a financing, underwrite or purchase securities, or commit capital nor does it obligate us to enter into such a commitment, nor are we acting as a fiduciary to you. By accepting this presentation, subject to applicable law or regulation, you agree to keep confidential the existence of and proposed terms for any transaction contemplated hereby (a “Transaction”).

Prior to entering into any Transaction, you should determine, without reliance upon us or our affiliates, the economic risks and merits (and independently determine that you are able to assume these risks) as well as the legal, tax and accounting characterizations and consequences of any such Transaction. In this regard, by accepting this presentation, you acknowledge that (a) we are not in the business of providing (and you are not relying on us for) legal, tax or accounting advice, (b) there may be legal, tax or accounting risks associated with any Transaction, (c) you should receive (and rely on) separate and qualified legal, tax and accounting advice and (d) you should apprise senior management in your organization as to such legal, tax and accounting advice (and any risks associated with any Transaction) and our disclaimer as to these matters. By acceptance of these materials, you and we hereby agree that from the commencement of discussions with respect to any Transaction, and notwithstanding any other provision in this presentation, we hereby confirm that no participant in any Transaction shall be limited from disclosing the U.S. tax treatment or U.S. tax structure of such Transaction.

We are required to obtain, verify and record certain information that identifies each entity that enters into a formal business relationship with us. We will ask for your complete name, street address, and taxpayer ID number. We may also request corporate formation documents, or other forms of identification, to verify information provided.

Any prices or levels contained herein are preliminary and indicative only and do not represent bids or offers. These indications are provided solely for your information and consideration, are subject to change at any time without notice and are not intended as a solicitation with respect to the purchase or sale of any instrument. The information contained in this presentation may include results of analyses from a quantitative model which represent potential future events that may or may not be realized, and is not a complete analysis of every material fact representing any product. Any estimates included herein constitute our judgment as of the date hereof and are subject to change without any notice. We and/or our affiliates may make a market in these instruments for our customers and for our own account. Accordingly, we may have a position in any such instrument at any time.

Although this material may contain publicly available information about Citi corporate bond research or economic and market analysis, Citi policy (i) prohibits employees from offering, directly or indirectly, a favorable or negative research opinion or offering to change an opinion as consideration or inducement for the receipt of business or for compensation; and (ii) prohibits analysts from being compensated for specific recommendations or views contained in research reports. So as to reduce the potential for conflicts of interest, as well as to reduce any appearance of conflicts of interest, Citi has enacted policies and procedures designed to limit communications between its investment banking and research personnel to specifically prescribed circumstances.

© 2007 Citibank, N.A. All rights reserved. Citi and Citi and Arc Design and Citibank are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world.