[funsec] What's up with Citibank?
fergdawg at netzero.net
Mon Mar 6 14:10:36 CST 2006
More on this today, both on Boing Boing and over on techdirt.com:
-- "Fergie" <fergdawg at netzero.net> wrote:
Via Boing Boing.
BoingBoing pal and Citibank customer Jake Appelbaum tried to withdraw some cash with his ATM card on Saturday night. He initiated his bank account long ago in the US, but was in Toronto, Canada yesterday. Jake explains:
"To my surprise, the ATM machine rejected the transaction and urged me to contact my financial institution. The machine also reported on the receipt "INELIGIBLE ACCOUNT."
Jake called Citibank's international customer support number, and soon learned that the lockout was part of a much larger fraud crisis -- by no means the only data security issue at Citibank in recent months.
"The supervisor identified herself as a manager named Carla ID#CRU194. I identified myself as an upset customer whose account was locked for some unknown reason. She asked me a few questions about my location, my issue and then informed me that my card was suspected of fraud.
Naturally, I perked my ears up and asked for details of any fraud. She informed me that there had been no direct fraudulent transactions on my account. Rather, she informed me that the ATM networks of Canada, Russia and the United Kingdom have been compromised. I used the term class break as a question and she repeated that there has been a class break of the ATM networks in those countries. The ATM network in Canada has been compromised and as a result, using my ATM card over the Canadian network locked my account automatically. She informed me that this has been an ongoing issue for the last two weeks. When I asked why there was no media attention, she said she wasn't sure. I said it was a pretty big deal and she agreed.
"She informed me that I would have to return to the United States to change my pin number before my card would be valid and in a usable state again. When I informed her that I would be traveling outside of the United States for at least a few months, possibly up to six, she repeated that I would have to re-enter the United States to fix the problem."
In other words, if you're a US Citibank customer trying to use your ATM card in Canada, Russia, or the UK right now, you are totally fuxx0red.
Citibank didn't handle Jake's problem in a customer-friendly way at all, and it appears they're handling all affected customers with exactly the same procedure.
Also, it seems this incident is receiving little media attention, which begs the question: for each massive security breach we do hear about at Citibank or other large financial institutions, how many more occur without our awareness?
This February 2 Fresno Bee article appears to be tangentially related, and here's a story about a criminal conviction related to another Citibank bogus ATM scheme from 2004. But you'd think a security incident with the potential to leave thousands of customers stranded overseas without cash would get more notice. WTF?
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg at netzero.net or fergdawg at sbcglobal.net
ferg's tech blog: http://fergdawg.blogspot.com/
More information about the funsec