funsec mailing list archives

RE: What's up with Citibank?


From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Mon, 6 Mar 2006 15:45:02 -0500

Speaking of ATMs in Russia...
It doesn't seem like the exact same thing,
but I have encountered some strange things when I was
in Russia in January (this is something new because it
wasn't like that before...). For some reason ATMs 
(from different banks) would choke on MasterCard Debit/Credit 
cards (I had a number of those with me). They did accept 
the pin, but then when I'd try to perform a transaction 
it would say something about the account being invalid 
or give me some number code. It wasn't even possible 
to view account information. Whenever I tried to call 
the banks they couldn't tell me anything at all...

That makes me wonder... if it's a problem with the ATM
networks (in those countries), then people using cards 
other than from Citibank should be noticing something as well.

K.

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]On
Behalf Of Fergie
Sent: Monday, March 06, 2006 3:11 PM
To: funsec () linuxbox org
Subject: Re: [funsec] What's up with Citibank?


More on this today, both on Boing Boing and over on techdirt.com:

http://www.boingboing.net/2006/03/06/citibank_live_richly.html

http://www.boingboing.net/2006/03/06/citibank_security_br.html

http://techdirt.com/articles/20060306/112200_F.shtml

- ferg

-- "Fergie" <fergdawg () netzero net> wrote:

Via Boing Boing.

[snip]

BoingBoing pal and Citibank customer Jake Appelbaum tried to withdraw some cash with his ATM card on Saturday night. He 
initiated his bank account long ago in the US, but was in Toronto, Canada yesterday. Jake explains:

"To my surprise, the ATM machine rejected the transaction and urged me to contact my financial institution. The machine 
also reported on the receipt 'INELIGIBLE ACCOUNT.'"

Jake called Citibank's international customer support number, and soon learned that the lockout was part of a much 
larger fraud crisis -- by no means the only data security issue at Citibank in recent months. 

Jake continues:  

"The supervisor identified herself as a manager named Carla ID#CRU194. I identified myself as an upset customer whose 
account was locked for some unknown reason. She asked me a few questions about my location, my issue and then informed 
me that my card was suspected of fraud. 
Naturally, I perked my ears up and asked for details of any fraud. She informed me that there had been no direct 
fraudulent transactions on my account. Rather, she informed me that the ATM networks of Canada, Russia and the United 
Kingdom have been compromised. I used the term class break as a question and she repeated that there has been a class 
break of the ATM networks in those countries. The ATM network in Canada has been compromised and as a result, using my 
ATM card over the Canadian network locked my account automatically. She informed me that this has been an ongoing issue 
for the last two weeks. When I asked why there was no media attention, she said she wasn't sure. I said it was a pretty 
big deal and she agreed. 

"She informed me that I would have to return to the United States to change my pin number before my card would be valid 
and in a usable state again. When I informed her that I would be traveling outside of the United States for at least a 
few months, possibly up to six, she repeated that I would have to re-enter the United States to fix the problem."

In other words, if you're a US Citibank customer trying to use your ATM card in Canada, Russia, or the UK right now, 
you are totally fuxx0red. 

Citibank didn't handle Jake's problem in a customer-friendly way at all, and it appears they're handling all affected 
customers with exactly the same procedure. 

Also, it seems this incident is receiving little media attention, which begs the question: for each massive security 
breach we do hear about at Citibank or other large financial institutions, how many more occur without our awareness? 

This February 2 Fresno Bee article appears to be tangentially related, and here's a story about a criminal conviction 
related to another Citibank bogus ATM scheme from 2004. But you'd think a security incident with the potential to leave 
thousands of customers stranded overseas without cash would get more notice. WTF? 

[snip]

http://www.boingboing.net/2006/03/05/citibank_under_fraud.html

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
