What's up with Citibank?

["Fergie" <fergdawg () netzero net>]

Via Boing Boing.

[snip]

BoingBoing pal and Citibank customer Jake Appelbaum tried to withdraw some cash with his ATM card on Saturday night. He 
initiated his bank account long ago in the US, but was in Toronto, Canada yesterday. Jake explains:

"To my surprise, the ATM machine rejected the transaction and urged me to contact my financial institution. The machine 
also reported on the receipt "INELIGIBLE ACCOUNT." 

Jake called Citibank's international customer support number, and soon learned that the lockout was part of a much 
larger fraud crisis -- by no means the only data security issue at Citibank in recent months. 

Jake continues:  

"The supervisor identified herself as a manager named Carla ID#CRU194. I identified myself as an upset customer whose 
account was locked for some unknown reason. She asked me a few questions about my location, my issue and then informed 
me that my card was suspected of fraud. 
Naturally, I perked my ears up and asked for details of any fraud. She informed me that there had been no direct 
fraudulent transactions on my account. Rather, she informed me that the ATM networks of Canada, Russia and the United 
Kingdom have been compromised. I used the term class break as a question and she repeated that there has been a class 
break of the ATM networks in those countries. The ATM network in Canada has been compromised and as a result, using my 
ATM card over the Canadian network locked my account automatically. She informed me that this has been an ongoing issue 
for the last two weeks. When I asked why there was no media attention, she said she wasn't sure. I said it was a pretty 
big deal and she agreed. 

"She informed me that I would have to return to the United States to change my pin number before my card would be valid 
and in a usable state again. When I informed her that I would be traveling outside of the United States for at least a 
few months, possibly up to six, she repeated that I would have to re-enter the United States to fix the problem."

In other words, if you're a US Citibank customer trying to use your ATM card in Canada, Russia, or the UK right now, 
you are totally fuxx0red. 

Citibank didn't handle Jake's problem in a customer-friendly way at all, and it appears they're handling all affected 
customers with exactly the same procedure. 

Also, it seems this incident is receiving little media attention, which begs the question: for each massive security 
breach we do hear about at Citibank or other large financial institutions, how many more occur without our awareness? 

This February 2 Fresno Bee article appears to be tangentially related, and here's a story about a criminal conviction 
related to another Citibank bogus ATM scheme from 2004. But you'd think a security incident with the potential to leave 
thousands of customers stranded overseas without cash would get more notice. WTF? 

[snip]

http://www.boingboing.net/2006/03/05/citibank_under_fraud.html

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.