NY AG Sues Citibank For Failing To Protect Customers From Hackers And Scammers (cnn.com)
New York Attorney General Letitia James filed a lawsuit against Citibank on Tuesday, alleging the big bank failed to do enough to protect and reimburse victims of fraud. From a report: The lawsuit argues that New York customers lost millions of dollars -- in some cases their entire life savings -- to scammers and hackers because of Citi's weak security and anti-fraud measures. According to the NY AG, Citi does not do enough to prevent unauthorized account takeovers, illegally refuses to reimburse fraud victims and "misleads" customers about their rights after their accounts are hacked.
The lawsuit, filed in US District Court for the Southern District of New York, alleges that Citi has "overpromised and underdelivered on security" and failed to respond appropriately to red flags. "Banks are supposed to be the safest place to keep money, yet Citi's negligence has allowed scammers to steal millions of dollars from hardworking people," James said in a statement. "There is no excuse for Citi's failure to protect and prevent millions of dollars from being stolen from customers' accounts and my office will not write off illegal behavior from big banks."
Banks Are Responsible (Score:3)
Banks are responsible for fraud. Instead of putting the responsibility of fraud on the innocent consumers, banks need to do their Due Diligence when conducting NORMAL business with consumers.
Innocent Consumers aren't the real target of fraudsters; the real targets are the Financial Institutions that accept fraudulent documentation, almost entirely unknown to the real victims.
Re:Banks Are Responsible (Score:5, Insightful)
If a bank just hands a scad of cash to the wrong person, how would that be the right person's responsibility? If I deposit money, they are agreeing to keep it safe and disperse it as I direct. If instead, they disperse it because Joe Random tells them to, that's on them, not me.
It's even worse when they give a loan to Joe Random out there under my name and then demand I pay it back even though *I* have never done business with them at all.
Re: (Score:1)
If that happens, yes, the person would not be responsible.
That's not what usually happens, though.
What usually happens is the equivalent of the person coming in with someone and telling the teller to hand this person the money. Should he not do it?
Re: (Score:1)
A Troll-Mod is not a substitute for an argument. If you don't have one, just say so.
Re: (Score:2)
Troll Mod is "I disagree, a lot"
And as an aside, I happen to agree with the general premise that if it is the person's own fault, the banks shouldn't be responsible. But when Identities are stolen, which is why DATA breaches are so problematic, Banks OUGHT to be responsible for THEIR mistakes.
As for your use case scenario, I would hope the bank would recognize the old lady pulling all funds out to hand to young dude, and pull them aside for a few minutes to ask a few more questions. I would hope, but I als
Re: (Score:2)
And how would you do this in an online scenario?
Granny transfers a large sum of money to some party she never dealt with. Do you want to stop the transaction? I hope not, because what I just described is pretty much someone paying a craftsman bill who will likely charge late fees or even sue if that payment doesn't go through. And that happens far, far more often than any fraud.
So what exactly should the bank do?
Re: (Score:2)
I can think of a number of possible options, especially for vulnerable people. Biggest one would be an option for notification of family and an automatic one day delay for certain transactions. Legit transactions can withstand non-immediacy scenarios.
Re: (Score:2)
Sorry, no can do. Our bank laws are VERY strict, I'm not allowed to inform anyone about your bank business unless you explicitly agree to it. And I cannot make that agreement a requirement for any contract.
And rest assured, the people who'd need something like this the most are also the ones that will fight it the most. Can't have my son see what I do with my money!
Re: (Score:2)
And if they give your money to someone who isn't you, then it is damn well their fault for having done so.
Re: (Score:2)
Someone comes up to the teller and has all the required paperwork to prove that they're the genuine holder of the account, but it's fraudulent. If that happens because the bank sent those papers to a con artist, yes, the bank is responsible. If that happens because the account holder handed over the information to the con artist, the account holder is responsible.
I've been working for banks pretty much for as long as this problem exists. Auditing first, malware analysis, security management, security consul
Re:Banks Are Responsible (Score:4, Informative)
The NY AG alleges that Citi gets customers to sign “coerced” affidavits that allows the bank to treat claims of fraud to narrow commercial laws on wire transfers instead of the more substantial protections from the Electronic Fund Transfer Act, a landmark consumer protection law.
“Citi then summarily rejects claims for reimbursement and instead blames consumers,” the lawsuit said.
Re: (Score:2)
Why should banks be responsible for people's foolishness? Banks are not peoples' daddies. The ultimate responsibility really belongs to the end user.
Because this is the business they have chosen to be in. It comes with profits, and responsibilities.
Don't want the responsibility? Choose another line of business than banking.
This is non-negotiable.
Re: (Score:2)
Banks have the cash in their accounts, and a fiduciary responsibility to only allow authorized users access to those accounts, and authorized charges against those accounts.
Banks control the authorization flow for pulling cash out of those accounts, completely.
If a bank authorizes fraudulent transactions, then they are liable for that, as enumerated in US federal regulations and laws. This really isn't hard.
Re: (Score:2)
In the past Citibank was defrauded by Indian call center workers. Why is that my fault?
Re: (Score:1)
How exactly is it the bank's fault if some dimwit follows the instructions of a Nigerian prince to hand over his account info along with pin and security info because greed trumps caution when promised vast amount of riches?
Re: (Score:2)
Problem is, the real solution is probably to create additional friction in financial transactions... but people don't want friction, they want the easiest access to their money possible.
If a bank were to hire a bunch of people and task them with reviewing all transactions over $5000 - and calling customers to discuss it prior to authorizing the transaction - I fully expect they'd lose a significant percentage of their customers because (from the customer's POV) "it's my money and I should have instant acces
Re: (Score:2)
Even more "friction" is not going to solve the underlying issue: You cannot stop people from being stupid.
First of all, banks already review transactions over a particular sum (sorry, can't disclose how much). And depending on your account, certain transactions over a certain amount are just not possible via online banking. That would not solve the issue, though; what would happen is that transactions are split up into many smaller tranches and the problem remains.
The core problem is that people are willing
Re: (Score:2)
That's the way my credit union does it. I have to call and increase my limit until midnight. It's occasionally annoying. I don't mind. They'll send a text sometimes asking if I am aware of a certain transaction. If I reply "no" they'll cancel the card and put in for a new one. Since that first time, if I get a message, I check the account, then do anything requiring the card before I reply "no".
Re:Banks Are Responsible (Score:5, Informative)
How exactly is it the bank's fault if some dimwit follows the instructions of a Nigerian prince to hand over his account info?
https://www.youtube.com/watch?... [youtube.com]
Bank: Sit down Mr Coleman, I'm afraid I've got bad news about your account.
Customer: Really?
Bank: I'm very sorry to say that someone's stolen your identity.
Customer: Oh God! Do you know who it was?
Bank: Well, they said they were you, but...
Customer: Of course. So, what happened?
Bank: Well, it was on the bank website. Someone logged in and committed identity theft electronically.
Customer: I see. Did they take anything else?
Bank: No.
Customer: Oh good. So, all the money's still there.
Bank: What?
Customer: Well, it's just my identity that's gone; none of your money.
Bank: Well, no, they did take... they emptied your account. It's identity theft.
Customer: They took all the money? That sounds more like a bank robbery.
Bank: No, no! If only. No, because, we could take the hit. No, no, it was actually your identity that was stolen. Primarily. It's a massive pisser for you.
Customer: It's actually money that's been taken?
Bank: Yes
Customer: From you?
Bank: Umm... kind of.
Customer: I don't know what you want from me other than my commiserations?
Bank: No, you see, it was your identity that... umm... they didn't just... they said they were you!
Customer: And you believed them?
Bank: Yes! They stole your identity!
Customer: Well, I don't know, because I seem to HAVE my identity, whereas you seem to have lost several thousands of pounds. In the light of that, I'm not clear why you think it's my identity that was stolen rather than your money?
Bank: I know it can look a bit like that, Mr Coleman. But the sad fact is that absolutely nothing has been taken from this multi-billion pound bank, whereas what they've taken from you, a small businessman with a wife and small children, is your whole self.
Re: (Score:1)
It's more like this. And unlike your example, this is not a comedy skit, it is unfortunately the reality:
Customer: YOUR (very bad expletive) TELLER STOLE MY MONEY!!!
Bank: That's a serious accusation, who stole your money, sir?
Customer: He called me yesterday and told me he has to close my bank account!
Bank: That should have no effect on your account, unless there is an irregularity...
Customer: Unless I give him my online credentials.
Bank: You... didn't, right?
Customer: OF COURSE I DID!!! ELSE YOU CLOSE MY A
Re: (Score:2)
It's more like this. [snip]
I've numerous times experienced my banks (Chase, and First Tech) make unsolicited telephone calls to me and, near the start, say "please confirm your address" before they proceed.
That's nonsense of course. (1) The verb "confirm" doesn't work that way; (2) I should never disclose my details to an unsolicited caller. Sometimes I tell them "I'm not going to give any information until you've confirmed a few things for me first... what is X? what is Y? what is Z?" to which they get flustered because I've deviate
Re: (Score:3)
Tell me about it...
We spent countless hours issuing warnings to our customers that we would NEVER EVER EVER EVER (pinky swear and cherry on top!!!) contact them via email concerning anything about their account, we will ONLY EVER give them any kind of information via the "mail box" they have with the online banking (you can't really escape that, you log in and it will pop up IN YOUR FACE... usually it's just to inform you about the latest fraud, and if I ever catch marketing abuse it, they better run faster
Re: (Score:2)
I've had something similar happen. The bank security/fraud department called me out of the blue. I told them, so you are such and such fraud department at my bank? Yes. Ok, I'll call the number on my card and talk to them instead.
It was a legit call from the bank but since I didn't initiate it, I didn't really trust it. I called the bank number I had and got things all sorted out.
Never trust someone calling you asking for information. If you have a relationship with a business, you can call them back and if
Re: (Score:2)
I agree - consumers have some responsibility. If YOU send money to the 419'er well that should probably be looked at as your fault.
On the other hand if someone scams you out of your 'not-really-a-secret' account number and some PIN or even more laughably easy to get your SSN, and the bank lets them drain your account - well that if you ask me is THEIR failure to properly authenticate the customer.
Re: (Score:2)
Here's what the average information required is to transfer money from a bank account here:
Your login number, which has nothing to do with your bank account.
A 5 digit pin.
A second factor program, usually a phone app, that is contacted by your bank with a verification code that is displayed on your screen as well as your phone and you have to push a button on your phone to accept that, yes, this is you trying to log in.
(you issue the transfer you plan to do)
You get a message to your phone app again with the
Re: (Score:2)
What you are describing is the ideal process, and I know a lot of banks that still don't require MFA etc..
Even if that is Citi's nominal process for sending funds what about when someone calls customer service with the sob story about how they lost their phone? What then? Are they always required to come into a branch and prove they are who they say they are with some photo id etc? Or might they get their account unlocked and MFA enrollment reset after say providing some past address history, and SSN and DO
Re: (Score:2)
I know a lot of banks that still don't require MFA etc.
Ok, then I can see your point, this is criminal negligence. To put it mildly.
But it kinda explains why we've seen so few attempts at online banking fraud around here. It's just easier somewhere else. We call this the "Florianiprinzip" (Florian principle, from St. Florian, the patron saint of fire fighters, a well known song about him goes "Oh holy St. Florian, you water-bucket man, spare our houses and put others ablaze", i.e. the idea behind the principle is, as long as there's easier targets, you don't h
Banks not responsible according to US regulators (Score:1)
Banks not responsible according to US regulators.
Citibank is regulated by the federal agency the OCC. The OCC is captured by the big banks and allows them to run with no fraud detection and the banks will force customers to eat the losses. Take the exploding check fraud epidemic, the national banks do not check the check images for fraud (such as mobile/ATM deposit). The only thing they really look at is the routing numbers and the numeric amount field which is easily modified. Utterly comical check
Honestly, given citi, sure. (Score:2)
A person I know had a story once, I believe about Citi, where they had a phishing message and wanted to report it to the bank's fraud/security people. And the person they got to told them that to see whether an email is legit, look at the email and see if it has a citibank logo, because that's how you can tell it's legitimate.
If my fuzzy memory of years back is correct, and that was indeed Citi, then yeah, they should absolutely be on the hook for some amount of this fraud.
Re: (Score:2)
For something like that, sure. But absolving the customers by default isn't really going to do any good either, because that would in turn make banks, and especially online banking, nearly unusable because banks would become insanely sensitive whenever you try to transfer more than a buck to someone you didn't have a business relationship with before.
Give them more money (Score:2)
As always, the solution is to hand over more taxpayer money because look how well it's worked the last ten times it's been done.
Re: (Score:2)
Please tell me how a bank should know whether the transfer a customer orders is legit or fraudulent. Someone who knows the credentials, the pin, the OTP number and everything else that the legit user would know issues the transfer of 2000 bucks to some account abroad.
Legit? Scam? How'd you know?
Re: (Score:2)
It's called out of the ordinary. If the customer has been with the bank for any length of time there is a pattern to their financial operations. If something suddenly shows up which doesn't fit the pattern, it might be a time to contact the customer to verify the request is valid.
I once had my credit union contact me when a several thousand dollar charge suddenly showed up on my credit card. I verified with them it was legitimate and everything went through. Why did they do that? Because I had never done
Re: (Score:2)
Most of my financial transfers are "out of the ordinary". If it was ordinary, I'd pay by credit card.
I pay some plumber, some electrician, and I never did business with them before. Do I have to go for each such transaction to the bank to show that yes, I want to pay my bills? That kinda defeats the purpose of online banking, doesn't it?
Re: (Score:2)
You are demonstrating willful ignorance: you know it doesn't work like that.
In the case of your examples (plumber, electrician) you may not have done business with them before, but others in your area perform transactions with them and other businesses of their type for similar amounts of money every day. These factors combine to indicate that the transaction is likely legitimate.
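The signals argued over in this thread (a customer's own pattern, whether other customers already pay the payee, and tranches split to stay under a per-transfer limit) can be combined in one small scorer. This is an added Python example, not part of any comment and not any bank's actual logic; the thresholds, field names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(hours=24)  # assumed look-back for summing split transfers
MULTIPLE = 5                  # assumed: unusual at 5x the customer's median
MIN_PEERS = 3                 # assumed: payee is "known" once 3 customers paid it
FLOOR = 100.0                 # assumed minimum baseline (also used with no history)


def assess(history, peer_payers, transfers):
    """Return [(decision, reasons)] in timestamp order.

    history:     {customer: [amounts of past transfers]}
    peer_payers: {payee: set of customers who have paid that payee before}
    transfers:   dicts with customer, payee, amount, ts
    """
    window = defaultdict(list)  # (customer, payee) -> [(ts, amount)]
    out = []
    for t in sorted(transfers, key=lambda x: x["ts"]):
        cust, payee, amount, ts = t["customer"], t["payee"], t["amount"], t["ts"]
        limit = MULTIPLE * max(median(history.get(cust) or [FLOOR]), FLOOR)
        # Sum this customer's transfers to this payee inside the window.
        key = (cust, payee)
        window[key] = [(s, a) for s, a in window[key] if ts - s <= WINDOW]
        window[key].append((ts, amount))
        total = sum(a for _, a in window[key])

        reasons = []
        if amount > limit:
            reasons.append("amount_out_of_pattern")
        elif total > limit:
            # Each tranche is under the limit, but together they are not.
            reasons.append("split_transfers")
        payers = peer_payers.get(payee, set())
        if cust not in payers and len(payers) < MIN_PEERS:
            reasons.append("payee_unknown_to_peers")
        # Hold only when the amount signal and the payee signal agree.
        out.append(("review" if len(reasons) == 2 else "allow", reasons))
    return out


def demo():
    """Constructed sample: one customer, one peer-known payee, two unknown ones."""
    t0 = datetime(2024, 1, 30, 9, 0)
    history = {"granny": [120, 90, 200, 150, 110]}          # median 120 -> limit 600
    peer_payers = {"plumber-llc": {"c1", "c2", "c3", "c4"}}  # other local customers
    rows = [("plumber-llc", 1800, 0), ("acct-abroad", 2000, 1),
            ("acct-new", 250, 2), ("acct-new", 250, 3), ("acct-new", 250, 4)]
    transfers = [{"customer": "granny", "payee": p, "amount": a,
                  "ts": t0 + timedelta(hours=h)} for p, a, h in rows]
    return assess(history, peer_payers, transfers)


if __name__ == "__main__":
    for decision, reasons in demo():
        print(decision, reasons)
```

The large bill to the peer-known plumber passes, the single large transfer to an unknown payee is held, and the third 250 tranche is held once the 24-hour total crosses the limit.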
Re: (Score:2)
Please tell me how a bank should know whether the transfer a customer orders is legit or fraudulent. Someone who knows the credentials, the pin, the OTP number and everything else that the legit user would know issues the transfer of 2000 bucks to some account abroad.
Legit? Scam? How'd you know?
There are entire departments dedicated to this at every financial institution in the world. It has become a legitimate field to work in.
I worked on the original "verified by Visa" program implementing automatic fraud detection/prevention. Early implementations monitored for transactions that matched a pattern of known fraud, or that did not match the pattern of anticipated customer use. It was pretty amazing (to me, at the time) and has gotten much better over the intervening years. The number of factor
NY Attorney General Letitia James strikes again! (Score:2, Troll)
It's great to have this person actually looking out for people instead of just ignoring corrupt banks.
Re: (Score:2)
Could we please first establish corruption? Ok, from what I heard so far, security of US banks is pretty shabby, but could we maybe address that instead?
Fuck, do you people not have some kind of bank oversight?
Re: NY Attorney General Letitia James strikes agai (Score:2)
We have laws and rules.
Citibank was not following them.
That's why they're getting sued.
Re: (Score:2)
What law did they not heed?
Re: NY Attorney General Letitia James strikes aga (Score:3)
It's in TFA
The NY AG alleges that Citi gets customers to sign “coerced” affidavits that allows the bank to treat claims of fraud to narrow commercial laws on wire transfers instead of the more substantial protections from the Electronic Fund Transfer Act, a landmark consumer protection law.
“Citi then summarily rejects claims for reimbursement and instead blames consumers,” the lawsuit said.
Read the Actual Lawsuit Filing (Score:3)
https://ag.ny.gov/sites/defaul... [ny.gov]
The filing makes clear the specific failings Citibank has which should be fixed (most of us would agree with most of them). In contrast the comments here talk too much about the stupidity of customers.
worst banks (Score:2)
The two worst major consumer banks (imo of course) in the US are Citi and Wells. I have many anecdotes about how they really really suck.