As first reported by boingboing, several days ago, Citibank customers had their money fountains turned off. Quite a problem for this guy, Jake Appelbaum , travelling in Canada and who hadn't planned on returning to the US for several months.
BoingBoing pal and Citibank customer Jake Appelbaum tried to withdraw some cash with his ATM card on Saturday night. He initiated his bank account long ago in the US, but was in Toronto, Canada yesterday. Jake explains: To my surprise, the ATM machine rejected the transaction and urged me to contact my financial institution. The machine also reported on the receipt “INELIGIBLE ACCOUNT.”Jake called Citibank's international customer support number, and soon learned that the lockout was part of a much larger fraud crisis -- by no means the only data security issue at Citibank in recent months.
Chicago Tribune | Citibank uncovers debit card fraud
Citibank has frozen the use of an undisclosed number of debit cards in three countries after detecting “several hundred” fraudulent cash withdrawals in PIN-based transactions. The data was stolen from the U.S., but the transactions occurred in Russia, Canada and the United Kingdom.“Citibank and our customers were the victims of a third-party business information breach” last year, the company said in a statement. “We immediately began enhanced monitoring of the affected accounts for fraud, and in mid-February we detected several hundred fraudulent cash withdrawals in three countries.” To protect customers' accounts, Citibank blocked an undisclosed number of PIN-based transactions in those locations, the company said.
Citibank blamed the breach on OfficeMax:
A story in Wednesday's New York Times, citing unidentified sources, said it appeared that the Citibank debit card information was obtained through a security breach at OfficeMax Inc., the Itasca-based office supplies retailer.OfficeMax said Wednesday that it had “no knowledge of a security breach.”
curiouser, and curiouser....
from the New York Times:
Citigroup said it halted such transactions in Canada, Britain and Russia after detecting an unspecified number of fraudulent cash withdrawals from automated teller machines last month. Other big banks, including Bank of America, Wells Fargo and Washington Mutual, have taken similar steps, they said.All of the banks said they would provide new cards to customers whose accounts were compromised.
[however, requiring customers to return home]Banking industry executives said it appeared that debit card information, including personal identification numbers, was obtained through a security breach of computer files at OfficeMax, the office supply chain. Storing PIN information violates the payment industry's security rules.
The executives spoke on the condition that they and their companies not be identified because their companies were involved in the case and they were not allowed to speak publicly about it.
William Bonner, an OfficeMax spokesman, denied the company was the source. “We have no knowledge of a security breach at OfficeMax,” he said. He said he could neither confirm nor deny whether files containing PIN's were ever kept.
It is possible that another source of the breach could be identified at a bank or payment processor handling PIN-based transactions.
The lawyerly phrases, “have no knowledge,” and “neither confirm nor deny,” usually mean that the spokesman strongly suspects, but has been walking down the hallways with fingers in his ears going 'lalala' so as not to overhear any facts. In other words, in this instance, OfficeMax probably was the source of the fraud.
update more here