Citibank’s Statement on the ATM Crisis

Citigroup spokesperson Elizabeth Fogarty released the following statement to us regarding the ATM crisis:

Recently, we became aware of fraudulent ATM cash withdrawals on Citi-branded MasterCard credit and debit cards used in the UK, Russia and Canada on customer accounts that had been possibly compromised in previous retailer breaches in the US. To protect customer accounts that were affected, we placed a special transaction block in those three countries on PIN based transactions. We are currently reissuing cards, as appropriate, to affected customers.

Protecting our customers’ accounts and personal information is one of our highest priorities.

The security breach is said to extend from a data loss by two retailers that occurred over a year ago. When asked who the retailers were, she said that data was not available at this time.

It seems this article in the Fresno Bee, which BoingBoing pointed to us, may be pertinent. As they report, about three quarters of a million dollars in fraudulent ATM withdrawals were initiated in Russia and across the world. These withdrawals seemed to stem directly from data loss by an unspecified retailer. As to why the retailer is unnamed, Foley, an employee of the Identity Theft resource center said, “I’m quite sure that (the retailer) doesn’t want the world to know that he was quite so dumb as to lose this information.”

It seems that the banking organizations are more than willing accomplices in keeping the retailer’s identity cloaked.

Another article, also found via a BoingBoing pointer, if not directly related, certainly makes for interesting reading. It describes the guilty pleas of 12 of the 21 arrested members of a global ATM scam network called Shadowcrew operating a website trafficking in stolen credit and bank card numbers and identity information.

Previously:
Citibank’s ATM Crisis Merely Extends “Money Don’t Matter” Campaign
Massive Citibank Alert: UPDATE
Massive Citibank Fraud Alert: UPDATE
Massive Citibank Fraud Alert

Comments

Edit Your Comment

  1. Chris H says:

    Under California and other state security breach notification laws, companies can delay notification for a temporary period to assist law enforcement. But the retailers here will have to eventually give notice.

    I was just at a conference where a security guy from a major card issuer discussed a new major risk at retailers–RFID networks. He discussed one case where a retailer with a RFID inventory system operating on open wifi was accessed by hackers who were then able to get to payment data through the RFID system!