Citibank cuts off some ATM cards after thefts

Citibank issued a statement Monday saying it had some U.S. accounts that were being hit by fraudulent cash withdrawals in Canada, the U.K. and Russia.

Jacob Appelbaum thought he had done everything right. Before he traveled to Canada, he called his ATM/debit card issuer, Citibank, and told the bank to expect international transactions. But somehow, the San Francisco resident found himself in Toronto with no way to withdraw money from his Citibank checking account — and in the center of rumors about an extensive problem with Citibank debit cards and the ATM system.

When Appelbaum arrived in Canada last week and tried to withdraw currency from an ATM in Toronto, the machine told him his was an "ineligible account."  He called Citibank, which told him his account had been placed on hold for suspicion of fraud. A customer service agent refused to provide more details — or to unlock his card so he could get some local currency.

"I was infuriated," Appelbaum said.  "I had notified them I would be using it in Canada."

Appelbaum's account of what happened next, published on his personal blog, has created a firestorm of rumors about Citibank's ATM system. He says a Citibank customer service agent at first told him there was a major problem with Canada's ATM systems.

Citibank hasn't done much to quell the rumors, issuing only a vague statement Monday evening confirming a much less dramatic story. The statement indicated that the bank had detected "fraudulent ATM cash withdrawals on Citi-branded MasterCard credit and debit cards used in the UK, Russia and Canada." As a result, some debit cards had been shut off, said Citibank spokeswoman Elizabeth Fogarty.

Data leaks
A series of consumer accounts had been compromised during data leaks by third-party U.S. retailers, Fogarty said. She would not indicate which retailers were involved. Impacted accounts had been placed on a watch list.

It's customary for credit and debit card issuers to monitor accounts for fraud after credit card data is stolen from a merchant. Often, the accounts aren't canceled until there's evidence they are actively being used in fraud.

"To protect customer accounts that were affected, we placed a special transaction block in those three countries on PIN based transactions," Citibank said in its statement. "We are currently reissuing cards, as appropriate."

Fogarty wouldn't say how many consumers were on that list, saying only it involved a "small number of accounts." But she did say that it's unlikely consumers would find out unless they traveled to Canada, the United Kingdom or Russia. In other words, some Citibank customers are currently carrying cards that will be useless for withdrawing funds in some foreign countries, but like Appelbaum, consumers won't find out there's a problem until they travel.  Even calling ahead, like Appelbaum did, apparently won't head off trouble.

Meanwhile, Appelbaum finds himself in a curious situation. His card has not been completely shut down; it's only blocked from PIN-based transactions. He can still make credit-card style purchases, called "signature-based debit" by the industry. But he can't use his PIN and get cash back from retailers when he shops, and he can't make ATM withdrawals.

Asked why a card suspected of cash withdrawal fraud could still be used for credit purchases, Fogarty said this: "We detected fraudulent ATM cash withdrawals on a small number of accounts affected by a third party breach in the US in 3 countries, which is why that functionality was blocked."

Being in a foreign country with no access to cash — and only a working credit card — is more of a hassle than it appears, Appelbaum said. Without cash, he couldn't get around until he purchased a monthly bus pass with his credit card. Using it cost him an extra $5 in fees.

Fogarty said Citibank will provide additional information about the situation later on Tuesday.

Speculation about the incident on Internet sites was rampant, with many writers trying to peg the Citibank incident to a specific data leak.

Purloined PIN codes?
Gartner analyst and fraud expert Avivah Litan noted that Citibank was clearly reacting to fraud involving stolen PIN codes — which hints at a more severe problem than stolen credit cards. Criminals with access to PIN codes can wreak far more havoc on consumer accounts. Stolen PIN codes would allow a criminal to access a consumer's entire bank account.

Litan wondered why Citibank didn't inform all consumers who are impacted by the incident.

"What's frustrating for people is the feeling, 'I'd like to know if I'm in that lot,'" she said. Consumers face a bigger hassle getting refunds from debit card fraud than from credit card fraud. More important, credit card fraud liability is capped at $50.  Consumers who are hit by debit card fraud can lose the entire balance of their accounts, if they don't report the incident promptly.

For now, Appelbaum says Citibank is issuing a new debit card but won't send it to him in Toronto — instead, the card is being sent to his California home, where a friend will reroute it to him in Toronto.