Citibank Credit Card security fail


Fail #1 - Calling my mobile from a line with caller ID blocked so I cannot identify the caller. The caller identified herself as a Citibank representative, then proceeded to ask for my personal details, beginning with my date of birth. Of course, being paranoid, I told her it was poor practice to ask customers for personal identifying information when the customer has no way of verifying the caller's veracity. Thankfully she then said I should call Citibank as soon as possible using the number on the back of my credit card.

I called 13 24 84, went through the IVR menus, and thankfully wasn't put on hold. The rep verified my identity using my full name, DOB, a single recent transaction on the account (note the ease with which one could provide these details if my account were indeed already compromised), and a secret question.

The rep claimed that Citibank had reason to believe that my card data had been swiped and used to produce replica cards. I find that hard to believe given that I've very rarely actually used the physical card, with most transactions being online. But whatever.

Fail #2 - Although the rep was unable to provide details on exactly why they believe my account had been compromised, Citibank was going ahead with blocking & cancelling the current account, and re-issuing a new card + number. This is really inconvenient given the number of auto-direct-debits I have set up and that the new card would not arrive for 7-10 days. I asked if there were particular merchants they considered risky but she could only say that "the system as a whole has identified your account as possibly compromised". Useless.

She did however question if I recognised two transactions - one from GoDaddy and another from PayPal, neither of which should look suspicious given the frequency of transactions from those "merchants" on my account, none of which I have ever raised issue with.

Fail sub-total - 17 minutes on the phone, no card to use for a week, and when the new card arrives I have to go and update a bunch of billing accounts. And no reason to believe that my card was actually compromised, nor that they won't call me again a week from now to say that I'll be re-issued with yet another card.

My gut says that either their own systems were compromised, or one of the merchant systems was compromised, and they are unwilling to share the truth.


About this Entry

This page contains a single entry by goosmurf published on July 21, 2009 4:03 PM.
