Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
United States News

NY AG Sues Citibank For Failing To Protect Customers From Hackers And Scammers (cnn.com) 50

New York Attorney General Letitia James filed a lawsuit against Citibank on Tuesday, alleging the big bank failed to do enough to protect and reimburse victims of fraud. From a report: The lawsuit argues that New York customers lost millions of dollars -- in some cases their entire lifesavings -- to scammers and hackers because of Citi's weak security and anti-fraud measures. According to the NY AG, Citi does not do enough to prevent unauthorized account takeovers, illegally refuses to reimburse fraud victims and "misleads" customers about their rights after their accounts are hacked.

The lawsuit, filed in US District Court for the Southern District of New York, alleges that Citi has "overpromised and underdelivered on security" and failed to respond appropriately to red flags. "Banks are supposed to be the safest place to keep money, yet Citi's negligence has allowed scammers to steal millions of dollars from hardworking people, James said in a statement. There is no excuse for Citi's failure to protect and prevent millions of dollars from being stolen from customers' accounts and my office will not write off illegal behavior from big banks."

This discussion has been archived. No new comments can be posted.

NY AG Sues Citibank For Failing To Protect Customers From Hackers And Scammers

Comments Filter:
  • by Archangel Michael ( 180766 ) on Tuesday January 30, 2024 @12:31PM (#64200964) Journal

    Banks are responsible for fraud. Instead of putting the responsibility of fraud on the innocent consumers, banks need to do their Due Diligence when conducting NORMAL business with consumers.

    Innocent Consumers aren't the real target of fraudsters, the real target are the Financial Institutions that accept fraudulent documentation, almost entirely unknown to the real victims.

    • How exactly is it the bank's fault if some dimwit follows the instructions of a Nigerian prince to hand over his account info along with pin and security info because greed trumps caution when promised vast amount of riches?

      • Problem is, the real solution is probably to create additional friction in financial transactions... but people don't want friction, they want the easiest access to their money possible.

        If a bank were to hire a bunch of people and task them with reviewing all transactions over $5000 - and calling customers to discuss it prior to authorizing the transaction - I fully expect they'd lose a significant percentage of their customers because (from the customer's POV) "it's my money and I should have instant acces

        • Even more "friction" is not going to solve the underlying issue: You cannot stop people from being stupid.

          First of all, banks already review transaction over a particular sum (sorry, can't disclose how much). And depending on your account, certain transactions over a certain amount are just not possible via online banking. That would not solve the issue, though, what would happen is that transactions are split up into many smaller tranches and the problem remains.

          The core problem is that people are willing

        • That's the way my credit union does it. I have to call and increase my limit until midnight. It's occasionally annoying. I don't mind. They'll send a text sometimes asking if I am aware of a certain transaction. If I reply "no" they'll cancel the card and put in for a new one. Since that first time, if I get a message, I check the account, then do anything requiring the card before I reply "no".

      • by ljw1004 ( 764174 ) on Tuesday January 30, 2024 @01:04PM (#64201110)

        How exactly is it the bank's fault if some dimwit follows the instructions of a Nigerian prince to hand over his account info?

        https://www.youtube.com/watch?... [youtube.com]

        Bank: Sit down Mr Coleman, I'm afraid I've got bad news about your account.
        Customer: Really?
        Bank: I'm very sorry to say that someone's stolen your identity.
        Customer: Oh God! Do you know who it was?
        Bank: Well, they said they were you, but...
        Customer: Of course. So, what happened?
        Bank: Well, it was on the bank website. Someone logged in and committed identity theft electronically.
        Customer: I see. Did they take anything else?
        Bank: No.
        Customer: Oh good. So, all the money's still there.
        Bank: What?
        Customer: Well, it's just my identity that's gone; none of your money.
        Bank: Well, no, they did take... they emptied your account. It's identity theft.
        Customer: They took all the money? That sounds more like a bank robbery.
        Bank: No, no! If only. No, because, we could take the hit. No, no, it was actually your identity that was stolen. Primarily. It's a massive pisser for you.
        Customer: It's actually money that's been taken?
        Bank: Yes
        Customer: From you?
        Bank: Umm... kind of.
        Customer: I don't know what you want from me other than my commiserations?
        Bank: No, you see, it was your identity that... umm... they didn't just... they said they were you!
        Customer: And you believed them?
        Bank: Yes! They stole your identity!
        Customer: Well, I don't know, because I seem to HAVE my identity, whereas you seem to have lost several thousands of pounds. In the light of that, I'm not clear why you think it's my identity that was stolen rather than your money?
        Bank: I know it can look a bit like that, Mr Coleman. But the sad fact is that absolutely nothing has been taken from this multi-billion pound bank, whereas what they've taken from you a small businessman with a wife and small children, is your whole self.

        • It's more like this. And unlike your example, this is not a comedy skit, it is unfortunately the reality:

          Customer: YOUR (very bad expletive) TELLER STOLE MY MONEY!!!
          Bank: That's a serious accusation, who stole your money, sir?
          Customer: He called me yesterday and told me he has to close my bank account!
          Bank: That should have no effect on your account, unless there is an irregularity...
          Customer: Unless I give him my online credentials.
          Bank: You... didn't, right?
          Customer: OF COURSE I DID!!! ELSE YOU CLOSE MY A

          • by ljw1004 ( 764174 )

            It's more like this. [snip]

            I've numerous times experienced my banks (Chase, and First Tech) make unsolicited telephone calls to me and, near the start, say "please confirm your address" before they proceed.

            That's nonsense of course. (1) The verb "confirm" doesn't work that way; (2) I should never disclose my details to an unsolicited caller. Sometimes I tell them "I'm not going to give any information until you've confirmed a few things for me first... what is X? what is Y? what is Z?" to which they get flustered because I've deviate

            • Tell me about it...

              We spent countless hours issuing warnings to our customers that we would NEVER EVER EVER EVER (pinky swear and cherry on top!!!) contact them via email concerning anything about their account, we will ONLY EVER give them any kind of information via the "mail box" they have with the online banking (you can't really escape that, you log in and it will pop up IN YOUR FACE... usually it's just to inform you about the latest fraud, and if I ever catch marketing abuse it, they better run faster

            • I've had something similar happen. The bank security/fraud department called me out of the blue. I told them, so you are such and such fraud department at my bank? Yes. Ok, I'll call the number on my card and talk to them instead.

              It was a legit call from the bank but since I didn't initiate it, I didn't really trust it. I called the bank number I had and got things all sorted out.

              Never trust someone calling you asking for information. If you have a relationship with a business, you can call them back and if

        • Damn, I just linked that same sketch! Well, nothing wrong with having extra Mitchell and Webb.
      • by DarkOx ( 621550 )

        I agree - consumers have some responsibility. If YOU send money to the 419'er well that should probably be looked at as your fault.

        On the other hand if someone scams you out of your 'not-really-a-secret' account number and some PIN or even more laughably easy to get your SSN, and the bank lets them drain your account - well that if you ask me is THEIR failure to properly authenticate the customer.

        • Here's what the average information required is to transfer money from a bank account here:

          Your login number, which has nothing to do with your bank account.
          A 5 digit pin.
          A second factor program, usually a phone app, that is contacted by your bank with a verification code that is displayed on your screen as well as your phone and you have to push a button on your phone to accept that, yes, this is you trying to log in.
          (you issue the transfer you plan to do)
          You get a message to your phone app again with the

          • by DarkOx ( 621550 )

            What you are describing is the ideal process, and I know a lot of banks that still don't require MFA etc..

            Even if that is Citi's nominal process for sending funds what about when someone calls customer service with the sob story about how they lost their phone? What then? Are they always required to come into a branch and prove they are who they say they are with some photo id etc? Or might they get their account unlocked and MFA enrollment reset after say providing some past address history, and SSN and DO

            • I know a lot of banks that still don't require MFA etc.

              Ok, then I can see your point, this is criminal negligence. To put it mildly.

              But it kinda explains why we've seen so few attempts at online banking fraud around here. It's just easier somewhere else. We call this the "Florianiprinzip" (Florian principle, from St. Florian, the patron saints of fire fighters, a well known song about him goes "Oh holy St. Florian, you water-bucket man, spare our houses and put others ablaze", i.e. the idea behind the principle is, as long as there's easier targets, you don't h

    • Banks not responsible according to US regulators.
      Citibank is regulated by the federal agency the OCC. The OCC is captured by the big banks and allows them to run with no fraud detection and the banks will force customers to eat the losses. Take the exploding check fraud epidemic, the national banks do not check the check images for fraud (such as mobile/ATM deposit). The only thing they really look at is the routing numbers and the numeric amount field which is easily modified. Utterly comical check

    • I thought I'd misread or misunderstood but yes, apparently in the USA, customers are responsible for their banks' security. What a shit show. So this means that the USA banking system is cultivating & rewarding hoards of scammers, hackers, & tricksters. I guess once they've become a big enough industry, they can move into Wall St.. Crapitalism at it's finest!
  • A person I know had a story once, I believe about Citi, where they had a phishing message and wanted to report it to the bank's fraud/security people. And the person they got to told them that to see whether an email is legit, look at the email and see if it has a citibank logo, because that's how you can tell it's legitimate.

    If my fuzzy memory of years back is correct, and that was indeed Citi, then yeah, they should absolutely be on the hook for some amount of this fraud.

    • For something like that, sure. But absolving the customers by default isn't really going to do any good either, because that would in turn make banks, and especially online banking, nearly unusable because banks would become insanely sensitive whenever you try to transfer more than a buck to someone you didn't have a business relationship with before.

  • It's clear Citi doesn't have the resources to put proper security measures in place. After all, they only made $9.2 billion last year [citigroup.com].

    As always, the solution is to hand over more taxpayer money because look how well it's worked the last ten times it's been done.
    • Please tell me how a bank should know whether the transfer a customer orders is legit or fraudulent. Someone who knows the credentials, the pin, the OTP number and everything else that the legit user would know issues the transfer of 2000 bucks to some account abroad.

      Legit? Scam? How'd you know?

      • It's called out of the ordinary. If the customer has been with the bank for any length of time there is a pattern to their financial operations. If something suddenly shows up which doesn't fit the pattern, it might be a time to contact the customer to verify the request is valid.

        I once had my credit union contact me when a several thousand dollar charge suddenly showed up on my credit card. I verified with them it was legitimate and everything went through. Why did they do that? Because I had never done

        • Most of my financial transfers are "out of the ordinary". If it was ordinary, I'd pay by credit card.

          I pay some plumber, some electrician, and I never did business with them before. Do I have to go for each such transaction to the bank to show that yes, I want to pay my bills? That kinda defeats the purpose of online banking, doesn't it?

          • You are demonstrating willful ignorance: you know it doesn't work like that.

            In the case of your examples (plumber, electrician) you may not have done business with them before, but others in your area perform transactions with them and other businesses of their type for similar amounts of money every day. These factors combine to indicate that the transaction is likely legitimate.

      • Please tell me how a bank should know whether the transfer a customer orders is legit or fraudulent. Someone who knows the credentials, the pin, the OTP number and everything else that the legit user would know issues the transfer of 2000 bucks to some account abroad.

        Legit? Scam? How'd you know?

        There are entire departments dedicated to this at every financial institution in the world. It has become a legitimate field to work in.

        I worked on the original "verified by Visa" program implementing automatic fraud detection/prevention. Early implementations monitored for transactions that matched a pattern of known fraud, or that did not match the pattern of anticipated customer use. It was pretty amazing (to me, at the time) and has gotten much better over the intervening years. The number of factor

  • It's great to have this person actually looking out for people instead of just ignoring corrupt banks.

  • by PastTense ( 150947 ) on Tuesday January 30, 2024 @03:26PM (#64201616)

    https://ag.ny.gov/sites/defaul... [ny.gov]

    The filing makes clear the specific failings Citibank has which should be fixed (most of us would agree with most of them). In contrast the comments here talk too much about the stupidity of customers.

  • The two worst major consumer banks (imo of course) in the US are Citi and Wells. I have many anecdotes about how they really really suck.

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...