Fighting Cybercrime

Treasury and Trade Solutions
Fighting cyber-crime together
Cyber-criminals are becoming more sophisticated and more determined by the day. Ensuring
tight and efficient security is therefore imperative. Three Citi executives – Sabine McIntosh,
Global Head of Account Services and Channel Digital Security, Treasury and Trade Solutions
(TTS); Rajesh Shenoy, Director, Global Product Manager Digital Security, TTS; and Elizabeth
Petrie, Director of Strategic Intelligence Analysis, Information Protection Directorate – discuss
what banks and corporates can do to protect their systems.
The benefits of moving from manual to digital operations are
so manifest that such a migration is all but inevitable. Digital
processes allow greater efficiency, faster transactions and
increased control. Companies that use digital processes have
raced ahead of their less-advanced competitors – forcing
laggards to accelerate their implementation of automated
processes simply to remain relevant.
Furthermore, digitization requires security changes: enhanced
authentication can ensure that money or data is securely and
rapidly delivered to the right person, on time. Yet – while it
protects banks and corporates from the thieves and attackers
they have faced for centuries – digitization exposes a new
threat: cyber-crime.
A study by the Center for Strategic and International Studies
(CSIS) – sponsored by McAfee – found that cyber-crime costs
the global economy around US$445 billion per year. The
weakest link in a company’s operation can bring down the
entire corporation, and impact its supply chain and bank
accounts. An unprotected company is exposed to cyber-threats,
which have quickly become the world’s most prevalent crime.
Know your enemy
Of course banks and corporates are well-accustomed to the
threat of fraud and theft – having always been prime targets.
So, while this is a new type of threat, banks are well aware of
the risks and are as determined as ever to remain secure. And
the trick to strong security is knowing your enemy.
Most threats are intrusion activity, and attackers can be both
outsiders and insiders. That said, the hardest form of attack
to detect – though thankfully the rarest – is from an insider.
The “insider threat” generally comes from an individual
who has access to security or transaction systems – perhaps
redirecting funds or sharing confidential data. They could
be a trusted, valued – and therefore undetected – part of a
company or bank. However, banks are implementing behavior
analysis tools to flag anomalies in the network activity of an
employee, when it falls outside the scope of their entitlements
or access rights. This enables institutions to stop employees
from stealing intellectual property or destroying data since
the alerts happen real-time as the employee is engaging in
unauthorized activity on the network.
Outside attacks
Attacking from outside the company, but no less threatening,
are attackers such as “hacktivists.” Hacktivists are primarily
motivated by a political agenda rather than monetary gain.
Hacktivists rally support via social media platforms and
provide their supporters with online tools to attack a particular
target, such as banking websites. Some aim to gain press
attention – meaning that a targeted company or bank is not
only vulnerable to monetary loss, but also perhaps to a public
relations embarrassment as well as a loss of confidence from
their clients.
Then there are cyber terrorists – some of whom compromise
systems specifically to launder money. That said, perhaps
the most sinister threat of all is the “state affiliated threat”
– usually (but not always) from a hostile nation seeking to
potentially undermine a rival country’s digital integrity. Having
gained entry into a system, these attackers can lie dormant
and invisible for many years – perhaps tracking information –
before disabling systems seemingly out of the blue.
In addition to targeting technology systems directly, these
outside threats – such as “hacktivists” and traditional “cyber
criminals” – use security-related social engineering to target
victims. This means using techniques such as “phishing”
emails to manipulate a victim into downloading malware that
can capture sensitive information.
A cyber-security fort
Understanding the threat is the first step to neutralizing it. So
how should corporates protect themselves? By developing
a robust cyber-security system and set of processes,
corporations can spot and counter the ever-changing threats
to their online integrity.
While some technology aspects can be complex, much of
the system involves common sense. For instance,
perhaps the most critical need is to protect the company from
the “insider threat”. Yet this is also one of the most logical
to deal with. Both companies and banks must be aware of
everyone with access to a banking system and other monetary
transactions. Personnel changes must immediately trigger
corresponding changes in access. Additionally, insisting on
multiple levels of approval (with multiple parties) for every
transaction can reduce the threat of a rogue employee
corrupting systems. CitiDirect BE (Citi’s web-based banking
platform), for instance, supports up to nine approval levels
before releasing any payment. Having a diverse set of people
and systems involved in a high value transaction increases
control and reduces the likelihood of fraud.
Transactions themselves also need to be watched. Creating
and analyzing full reports on all transactions is a must, and the
ability to spot anomalies and suspicious activity is invaluable.
Common sense can also be a powerful tool against security-related
social engineering. Anyone contacting you claiming
to be from a bank and asking for passwords and private
information is a potential fraudster. Accepting email invitations
and clicking on shortened URLs is unwise, and giving out
sensitive information to anyone unknown, and sometimes even
those who are known, can be dangerous.
Certainly, companies must train employees on what to do
when called by someone claiming to be a bank representative
requesting sensitive information. And as the threats develop,
it is important to provide annual training to refresh everyone’s
knowledge on the top trends.
IT Discipline
While cyber threats are indeed intimidating, in reality most of
cyber security comes down to discipline and vigilance by IT
and end-users – the negligence of which is, frankly, reckless.
Using anti-virus software and regularly updating browsers
and systems are simple, preventative measures. And this
extends to any personal devices that employees could use to
access company platforms or execute transactions. Using an
unprotected device to access business platforms, even just
once, is essentially inviting a cyber-criminal through an open
door – so discipline, in this sense, means taking an extended
interest in the gadgets that log-in to your network, ensuring
they are as up to date with the latest virus/malware protection
as any office PC or laptop.
Citi’s three pillars of defense
As well as being proactive in dealing with cyber-crime threats,
there is also a need to be reactive. Acting quickly against
cyber-crime is essential. One way Citi does this is through the
use of the “cyber kill chain” methodology. The methodology
enables Citi to tag information that it collects so that it can
identify an attack in the earliest stages – when an attacker is
trying to discover a vulnerable spot in a particular system. By
identifying and countering an attack early, Citi is able to not
only identify the threat before it fully develops, but also to use
the information it gains to spot future threats.
Of course, with threats coming from so many angles, a
security system requires a multi-layered response to counter
both the internal and external threats simultaneously. As
such, and over many years, Citi has developed a three-pillared
approach to digital security. This is a holistic solution that
focuses on what the attacker is targeting, and details
which processes and technology shields can be adopted.
Channel protection, the first of the three pillars, blocks an
attacker’s entry to a platform – such as Citi’s CitiDirect BE or
CitiConnect channels. Partly, this can be controlled through
insisting on strong log-in credentials for authentication. Citi,
for instance, often uses “challenge” and/or “response” tokens,
as well as digital certificates. Secondly, all data exchanged
with clients must also be protected with robust encryption
tools in case attackers try to read information while it is being
transferred from their system to Citi. Finally, and perhaps most
importantly, any abnormal log-in behavior or activity must be
detected, investigated immediately and minimized.
Of course many attackers are more focused on the
transactions themselves. As such, the second pillar
encourages both companies and banks to be vigilant about
payment outliers. Any outliers, often detected through
behavior-based blocking capabilities, must require a diligent
review of communication and transaction data. Citi’s
Payment Risk Manager helps identify outliers, for instance,
while CitiDirect BE reports can be reviewed for alerts for
certain events.
Thirdly, attackers often focus on higher value, and usually
confidential, data. Data privacy is therefore the final Citi
pillar – utilizing its data privacy policy and data governance
function. A strong focus on entitlements ensures that only
the correct person is allowed to view information; this is
periodically reviewed and updated. Maintaining multiple
layers for security is key – backing up all data at different
sites, while using a variety of systems in order to protect
data and ensure it is both accurate and reliable.
Figure 1: Digital Security is Citi’s Business
[Figure labels: Channel Protection; Transaction Monitoring; Data Privacy; Cyber Threat!]
Citi invests large amounts annually to help protect client assets.
Working with our clients is critical to the integrity of end-to-end
security.
Focus on Partnering End-to-end, Bringing Together Technology and
Best Practices
• Security goes beyond technology and authentication
mechanisms to various processes, including:
– Ensuring business devices are clean and password-protected
– Payment monitoring and behavior-based blocking tools
– Maker/checker compliance for transaction authorization
– Leveraging data for alerts
• Client collaboration is central to maintaining high security
Fig 1. Digital channels have brought better control, but as we leverage
new channels, we need to be at the top of our game and keep ahead
of the curve.
Innovation Spotlight
Citi therefore has a robust response when attacked. Yet
cyber-crime is constantly evolving as current attacks
become known and dealt with. As such, Citi is proactively
working with industry leaders on innovative approaches
to reduce the threat of cyber-attacks. We are focused on
improving both security and the client experience.
One example illustrates the point. The explosion of single-purpose
credentials per application, such as security tokens,
has benefits and risks. These single-purpose credentials
require end-user vigilance to prevent against loss and may
create user frustration when interacting with multiple banks.
Citi as a banking leader developed a proof of concept
with Microsoft Treasury utilizing Microsoft Azure-based
next generation identity technology. Microsoft already
issues very secure identities to its employees with digital
certificates. Leveraging those smart IDs, Citi and Microsoft
tested access to Microsoft’s bank accounts via CitiDirect BE
as a way to both enhance security and the user experience.
A spokesperson at Microsoft describes how the treasury
team was often either worried about the threat of cyber-attack,
or inconvenienced by the need to carry around
bags of security tokens for every bank – both distractions
from core operations. The need to conduct business easily
without concerns about work being stolen is an imperative.
Citi and Microsoft’s joint research and development activity
shows promise for a future system that increases security
and usability.
Strength in numbers
So security is about more than simply protection. It allows
companies the freedom to operate without fear. And
while sophisticated security systems and due diligence
will help protect against cyber-crime, there is one key
weapon that will keep defenses as strong as possible:
collaboration.
As the Microsoft-Citi partnership illustrates, cyber security
is easier when banks and corporates work together
to protect the end to end security of bank-corporate
interactions. Sharing knowledge of anomalies or updates,
or even of attackers’ activities, makes every party stronger.
What’s more, conversations between parties enable a bank
to ensure that solutions created for a particular corporate
can be adapted to the specific threats faced. It enables
solutions to be produced more quickly, and with fewer flaws.
And collaboration is a trend very much underway. In fact,
information sharing is probably more advanced in the
digital security space than any other sector. Real-time,
highly-detailed, analysis enables banks and companies
to detect patterns and stay (at least) one step ahead of
attackers.
What’s more, this collaboration is taking place on an
international level – attacking a global threat through
combining the capabilities of companies and banks
across the world. The Information Sharing and Analysis
Centers (ISACs), for instance, share information not only
internationally, but also across sectors. They understand that
attackers are not necessarily that picky, and an attacker
targeting one company in a certain sector can easily pivot
to focus on another company or sector entirely.
Cyber-crime is a very real – and a potentially very
debilitating – threat. Alone, companies are vulnerable. Yet
by working together, both banks and companies can help
defeat today’s cyber-crime – and be ready and able to
defeat it again tomorrow.
Please Note: This article was originally published in gtnews.
Figure 2: The Power of Our Network
CitiDirect BE℠ Online: Award winning digital corporate banking platform live in 96 markets that processes +$30 trillion annually
CitiDirect BE℠ Mobile: Industry leading mobile platform that processed $113 billion in Mobile Payments from on-the-road ICG clients in 2013 alone!
Sabine McIntosh
Director
Global Head of Digital Security and
Account Services TTS, Citi
Sabine McIntosh has been the Global Head of Account Services
and Channel Digital Security, within Treasury and Trade
Solutions (TTS) since October 2013. Sabine is responsible
for the development and execution of Citi’s Strategy for
the Operating Account, and the Digital Security of TTS
Electronic channels. Sabine has been with Citi for 14 years.
Previously, Sabine was responsible for leading the Client
Onboarding transformation initiative for Europe, Middle East
and Africa, including the launch and adoption of the electronic
Bank Account Management platform in the region. Prior
to this role, Sabine was regional Product Manager for Citi’s
payment channels, including the award winning electronic
banking platform Citidirect®. Sabine joined Citi Technology
organization in 2000 as a Senior Program Manager
responsible for a number of regional transformation initiatives.
Prior to Citi, Sabine held various sales management roles.
Sabine is a graduate of the University Paris Dauphine.
Rajesh Shenoy
Director
Director and Global Product Manager
for Digital Security TTS, Citi
In this role he is responsible for the identity solutions
product for Citi’s institutional clients and providing digital
security capabilities for Citi’s corporate banking channels.
Prior to this, Mr. Shenoy was the global channel manager
for the industry leading TTS online banking portal CitiDirect
BE as well as client facing analytics solutions. Since joining
Citi in 1998, Mr. Shenoy has served the organization in a
variety of capacities – with leadership roles in product,
client advisory, operations, and technology functions
while working at Citi branches in the United States, United
Kingdom, Canada, Russia, China, Singapore, Venezuela,
and Ireland. Mr. Shenoy holds an MBA in Finance from the
Wharton School at the University of Pennsylvania and
graduated with a Bachelor of Science degree in Computer
Systems Engineering from Stanford University.
Elizabeth M. Petrie
Director
Office of the Chief of Information
Security
Elizabeth M. Petrie is Director of Strategic Intelligence
in the Office of the Chief of Information Security (OCIS).
She reports to Citi’s Chief Information Security Officer
T.J. Harrington, who leads the firm’s Global Information
Security, Anti-Money Laundering Operations and Office
of Emergency Management, applying an information-led,
threat-focused approach to protect Citi from cyber-attackers,
among other adversaries.
Beth manages the Strategic Intelligence Analysis Group,
which produces actionable intelligence assessments on the
cyber threat to inform decisions made by executives on
information security practices. Organizations around the
world are realizing that advanced intelligence capabilities
can consistently deliver new levels of safety with
proactive insights on true threats. Beth’s team transforms
information into knowledge and leverages a strong network
of professionals to create intelligence products that keep
Citi ahead in understanding the cyber threat landscape. She
joined Citi in January of 2014 with more than 15 years of
experience as an intelligence analyst.
As head of Cyber Intelligence for the Federal Bureau of
Investigation, Beth managed multiple intelligence units,
oversaw production of actionable intelligence for senior
policymakers, and led development of a threat prioritization
methodology. Her career at the FBI also included authoring
intelligence assessments on white collar trends impacting
global financial institutions and working as a tactical analyst
supporting espionage cases. Beth started her career as
an intelligence research specialist with the Department of
Justice’s Criminal Division, writing implementation plans for
Presidential Initiatives.
Beth has a master’s degree in Technology Management
from Georgetown University, a master’s degree in
Criminal Justice from George Washington University and a
bachelor’s degree in Psychology from Saint Mary’s College,
Notre Dame. Beth and her husband Chris are owners
of a small business and live in Maryland with their two
daughters, Kaitlyn and Madeline.
transactionservices.citi.com
© 2014 Citibank, N.A. All rights reserved. Citi and Citi and Arc Design is a service mark of Citigroup Inc., used and registered
throughout the world. The information and materials contained in these pages, and the terms, conditions, and descriptions that
appear, are subject to change. Not all products and services are available in all geographic areas. Your eligibility for particular
products and services is subject to final determination by Citi and/or its affiliates. Any unauthorised use, duplication or disclosure
is prohibited by law and may result in prosecution. Citibank, N.A. is incorporated with limited liability under the National Bank Act
of the U.S.A. and has its head office at 399 Park Avenue, New York, NY 10043, U.S.A. Citibank, N.A. London branch is registered
in the UK at Citigroup Centre, Canada Square, Canary Wharf, London E14 5LB, under No. BR001018, and is authorised and
regulated by the Office of the Comptroller of the Currency (USA) and authorised by the Prudential Regulation Authority. Subject
to regulation by the Financial Conduct Authority and limited regulation by the Prudential Regulation Authority. Details about
the extent of our regulation by the Prudential Regulation Authority are available from us on request. VAT No. GB 429 6256 29.
Ultimately owned by Citi Inc., New York, U.S.A.
GRA25781 12/14