Jacob Appelbaum was traveling through Toronto, Canada, on March 4th, 2006, and innocently stopped to get some cash out of his Citibank account via ATM.
Little did he know that this simple act would open the door to yet another massive security breach surrounding debit cards and ATM networks.
Appelbaum tried repeatedly to withdraw $100 from his account and was denied each time, with his account marked as "ineligible."
He tried contacting Citibank, and was told that there had been a breach of the ATM network Citibank uses for transactions in Canada, Britain, and Russia. His card would be canceled and reissued, but as he was outside the U.S., that was of little help to him.
"The ATM network in Canada has been compromised and as a result, using my ATM card over the Canadian network locked my account automatically," he related.
"[The bank representative] informed me that this has been an ongoing issue for the last two weeks. When I asked why there was no media attention, she said she wasn't sure. I said it was a pretty big deal and she agreed."
Appelbaum, a network security consultant by trade, wasn't satisfied with the answers he got. He asked if a "class break" was responsible for the ATM compromise.
In security parlance, a "class break" is a single breach that opens a network up to further breaches and can be used against different security instances in one system. The Citibank representative he spoke to confirmed -- at the time -- that this was the case.
But was it?
The Plot Thickens
As is often the case these days, blogs and independent news sites picked up on Appelbaum's story before the mainstream media did. BoingBoing, one of the Web's most highly trafficked blogs, took notice of the incident and followed up on it.
Other instances of Citibank debit and credit cards being shut down and leaving their users without cash began to surface. Pro-shopper blog the Consumerist got a note from someone claiming to be a Citibank employee, who related that Citibank employees were just as clueless about the breach as their customers.
"A client came into the branch late last week (She was traveling in Canada), and her card stopped working for no reason," the anonymous writer said.
"She called up Citiphone and they gave her no reason as to why the card was blocked, and had a new card sent to our branch. Since she was in Canada, this really didn't help her out one bit."
Citibank issued a press release on March 6th stating that the cards were locked due to "previous retailer breaches" in the U.S. "To protect customer accounts that were affected, we placed a special transaction block in those three countries on PIN-based transactions," the statement said. "We are currently reissuing cards, as appropriate, to affected customers."
Details regarding the particular retailer that may have been responsible were not provided to the public. A Citibank spokesman, who asked not to be identified, would only say that the breach "happened in the United States to a small number of affected accounts."
The bank blocked access to the accounts when it noticed a large number of "fraudulent cash withdrawals" at ATMs outside the country in mid-February 2006, the spokesman said.
When asked why the bank would not confirm the identity of the third party that caused the breach, the spokesman said that "we don't know precisely who it was, and even if we did, we couldn't discuss it publicly for a variety of reasons."
Speculation has it that the "third party retailer breach" may be connected to a similar shutdown that occurred last month, in which Bank of America and Washington Mutual customers suddenly found their cards disabled.
The FBI and Secret Service are continuing to investigate the breach, with claims that it centers on retail behemoths Wal-Mart and Office Depot.
Although Wal-Mart has admitted to a security breach in Nov. 2005 that forced at least one bank to reissue hundreds of cards to its customers, both retail chains are publicly denying any new security breaches or hacks in recent months.
"Something Doesn't Add Up"
There is also the possibility that the data breaches come from the hack of the CardSystems payment processing database.
Forty million Visa and MasterCard users' information was exposed to identity thieves in the CardSystems breach, with approximately 260,000 accounts actually hacked or stolen.
CardSystems recently settled charges with the Federal Trade Commission (FTC) that it failed to provide appropriate security measures to protect consumers' private information. The company was recently bought by Pay By Touch, a biometrics-based payment processing company.
Jacob Appelbaum is skeptical of Citibank's claims and was unimpressed with their response to the situation.
"This sounds like an issue that's unrelated to cards just being rejected, doesn't it?" he said to BoingBoing. "If it was just the networks rejecting cards, why did I need to have a new card reissued?"
Speaking to ConsumerAffairs.com, Appelbaum reiterated his belief that the breach was not what it seemed to be. "It doesn't make very much sense," he said.
"[Citibank's response is] void of any real information. It doesn't state who was compromised and when. It doesn't give the details as to why my new card would be possibly locked just for using the Canadian ATM system... As I've said before, something doesn't add up."