Citibank probes ATM withdrawals, cites potential U.S. ‘retailer breaches'

It put a transaction block on some MasterCard debit and credit cards in Canada, Russia and the U.K.

Citibank has put a transaction block on an unspecified number of Citi-branded MasterCard debit and credit cards used in three countries because of fraudulent automated teller machine (ATM) cash-withdrawal activity, the company said in a statement yesterday.

The statement was issued after Boing Boing, a popular online blog site, carried a story detailing the problems a Citibank customer had while trying to access his account from Canadian ATM machines. The story suggested that the individual may have been the victim of ATM fraud involving Citibank cards in Canada, Russia and the U.K.

Apparently in response to widespread publicity about the blog posting, Citibank issued a brief statement confirming the ATM fraud without disclosing any details. “Recently, we became aware of fraudulent ATM cash withdrawals on Citi-branded MasterCard credit and debit cards used in three countries on customer accounts that had been possibly compromised in previous retailer breaches in the U.S.,” the company said. “To protect customer accounts that were affected, we placed a special transaction block in those three countries on PIN-based transactions.”

The statement went on to add that Citibank is currently reissuing cards to affected customers. “Protecting our customers’ accounts and personal information is one of our highest priorities,” the statement said.

The fact that the fraud involves ATM cash withdrawals using personal identification numbers (PIN) suggests that it may be the result of massive "card-skimming" activity, said Avivah Litan, an analyst at Gartner Inc. in Stamford, Conn.

“What seems to be happening at Citibank is that they are stopping ATM cash withdrawals, which means somebody got their PINs,” Litan said. “There are two general ways you can steal a PIN. One is through card skimming; the other is through phishing,”

Given the apparent scope of the fraud, Litan pointed to card skimming as a likely cause.

Card skimming involves the use of illegal card-reading devices that intercept and record data stored on magnetic strips on credit and debit cards which are then later used to create counterfeit cards. Such devices, which have long been used to steal card information in places such as restaurants, have been proliferating widely and have made skimming one of the most prevalent forms of credit card fraud these days.

In fact, skimmers were believed to have been behind a massive credit card theft in December involving wholesaler Sam’s Club, a division of Wal-Mart Stores Inc.

In that incident, card skimmers were thought to have used skimming devices at Sam’s Club gas stations to steal debit card information from potentially thousands of consumers. At that time, Sam’s Club acknowledged that a breach had taken place, but did not disclose what exactly transpired saying only that “electronic systems and databases used inside its stores” were not involved.

Litan said it is likely that Citibank’s current ATM fraud problems are related to the Sam’s Club breach.

Copyright © 2006 IDG Communications, Inc.

Shop Tech Products at Amazon