SEOUL, Aug. 14 (Korea Bizwire) - Citibank will face disciplinary action after a leak of its “A+ Check Card” security data caused domestic card holders to suffer losses.
The leak was traced to online payments service PayPal, which was hit by a BIN attack. The BIN (also known as the Issuer Identification Number) denotes the first six numbers of a check or credit card’s number, and the attackers took advantage of the fact that BINs can be used to identify the bank the card belongs to and the type of card it is.
Though Citibank undertook measures such as compensatory refunds and placing holds on transactions for customers who lodged complaints, it has not done the same for customers who have not been vocal about their losses.
For some, reporting their case to the bank led to much the same outcome as for those who had not, as requests to put a halt on outgoing payments were not implemented quickly. As a consequence, the customers stood by as they saw their accounts charged for purchases they had not made.
Citibank continued to show its ineptitude by failing to compensate the victims in a timely manner. Reportedly, some of the account holders waited up to 45 days for full refunds as the bank dragged its feet in dealing with the scandal.
All financial institutions that issue a check or credit card use the Fraud Detection Suite (FDS) to protect against fraudulent transactions. According to the Financial Supervisory Service (FSS), at Citibank all cases of card fraud were handled at the lowest levels of the organization. Subsequently, higher-ups had no idea and were completely unprepared to tackle the problem.
Furthermore, Citibank’s use of the FDS depended on an outside contractor, and its agreement with that contractor expired in 2015. Until it implemented a new FDS in June of last year, the company used its own internal system to detect card fraud, which was described by the Financial Supervisory Service as flawed relative to other systems.
The FSS announced it had decided to sanction Citibank, but would not levy heavy penalties on the financial institution.
A spokesperson for the FSS explained the decision, saying, “Customers suffered losses and its process of compensation and overall system have flaws, but no laws were violated. Due to the lack of evidence, the sanctions imposed were not too severe.”
Lina Jang (linajang@koreabizwire.com)