Citibank under fraud attack, customers locked out of accounts

BoingBoing pal and Citibank customer Jake Appelbaum tried to withdraw some cash with his ATM card on Saturday night. He initiated his bank account long ago in the US, but was in Toronto, Canada yesterday. Jake explains:

To my surprise, the ATM machine rejected the transaction and urged me to contact my financial institution. The machine also reported on the receipt "INELIGIBLE ACCOUNT."

Jake called Citibank's international customer support number, and soon learned that the lockout was part of a much larger fraud crisis — by no means the only data security issue at Citibank in recent months. Jake continues: 

The supervisor identified herself as a manager named Carla ID#CRU194. I identified myself as an upset customer whose account was locked for some unknown reason. She asked me a few questions about my location, my issue and then informed me that my card was suspected of fraud.

Naturally, I perked my ears up and asked for details of any fraud. She informed me that there had been no direct fraudulent transactions on my account. Rather, she informed me that the ATM networks of Canada, Russia and the United Kingdom have been compromised. I used the term class break as a question and she repeated that there has been a class break [ Ed. note: definition here] of the ATM networks in those countries. The ATM network in Canada has been compromised and as a result, using my ATM card over the Canadian network locked my account automatically. She informed me that this has been an ongoing issue for the last two weeks. When I asked why there was no media attention, she said she wasn't sure. I said it was a pretty big deal and she agreed.

She informed me that I would have to return to the United States to change my pin number before my card would be valid and in a usable state again. When I informed her that I would be traveling outside of the United States for at least a few months, possibly up to six, she repeated that I would have to re-enter the United States to fix the problem.

In other words, if you're a US Citibank customer trying to use your ATM card in Canada, Russia, or the UK right now — at ANY network, not just Citibank's — you may find yourself totally fuxx0red. The call-and-response goes like this:

Citibank customer:
I'm stranded in a foreign country, I need cash, and I can't withdraw cash from my account.

Citibank drone: 
d00d omfg we wuz 0wnz0red, it is teh suck!!!1!1 Go home and we'll re-issue a new card. Then be prepared to go through this all over again, and again, and again.

Citibank customer:
So even if I fly all the way back to the USA so you can issue me a new ATM card, you can't promise I won't be locked out the very next day?

Citibank drone: 
yup! kthxbi!

Citibank didn't handle Jake's problem in a customer-friendly way at all, and this appears to be standard procedure.

Also, it seems this incident is receiving little media attention, which begs the question: for each massive security breach we do hear about at Citibank or other large financial institutions, how many more occur without our awareness?

This February 2 Fresno Bee article appears to be tangentially related, and here's a story about a criminal conviction related to another Citibank bogus ATM scheme from 2004. But you'd think a security incident with the potential to leave thousands of customers stranded overseas without cash would get more notice. WTF?

Link to the full text of Jake's account.

Reader comment: Anonymous says,

Just wanted to mention that it's not just ATM cards that have been hacked with Citi. I was forced to close my Citi Mastercard by Citibank earlier this week "because one of their 'affiliates' was hacked and my card was affected". I knew it had to be a bad hack since when that _same card_ was involved in the DSW member information theft, they didn't make me close the card then (they never even contacted me). Forcing me to close it now made me suspect it was Citi that had been hacked, and the article about the ATM hack pretty much confirms it.

Reader comment: "Byte" in Poland says,

Not only US customers of CitiBank have problems, Polish have also, but the nature of problems is different.

According to short article: "CitiBank Handlowy S.A was hiding information that it has been robbed" by Rafał Pawlak on (Link, unfortunately in Polish only) accounts of several hundred customers of CityBank Handlowy S.A has been robbed with use of Internet access to their accounts. Translation of fragment of above article:

Robbed bank has not informed its customers that their accounts have been cleaned from money. Today (2003/03/02), bank has been identified to be CitiBank, and it has been determined that stolen money has been transferred through agency in Szczecin.

Robbers have cleaned Internet accounts of several hundred customers of CityBank Handlowy S.A. In virtual robbery citizens of Szczecin have been involved and money have been withdrawn from bank accounts through agency in Szczecin. (…)

Few minutes earlier, the same author has posted article (also linked from above text): "Virtual bank robbery" (Link) with more details about the robbery, but the name of the bank was not known at that time. According to that article twenty citizens of Szczecin have stolen 3 million zlotys (approximately 950 thousand dollars.) Hackers have installed software on bank's customers computers, and used it to collect data, that was later used to transfer money. There were only two hackers, and other eighteen involved people provided their private accounts for transferring stolen money.

Hackers have been collecting and analyzing data, about customers, for longer time. When they finally have decided that they have enough data, they have started the action of robbery, which has taken them about seven days to conduct. Fortunately for bank customers all of robbers has been already arrested.

Since data used in robbery has been collected from computers belonging to bank customers, blaming bank may not be appropriate. Still the bank can be accused of hiding information that it is being robbed (robbery took 7 days!!!), until the sum of money stolen reached 3 million zlotys.

I should also mention that there is bigger article in "Głos szczeciński" ("Szczecin Voice"), unfortunately I have no access to that article which is only available in printed form.