« We're Number Three! | Main | Rappaport on Stevens »

Thursday, August 25, 2005

How Companies Help Phishers and Fraudsters

A friend of mine recently received in the mail a letter purporting to be from Citibank.  It contained a sheet of paper saying: “Please see the enclosed for information regarding your Citi Mastercard Customer Credit Card account ending in [last four digits] issued by Citibank USA, N.A.”  Inside the letter were two little brochures – a notice of change to Citibank’s policies; and a complete privacy policy with an opt out form at the end. 

She went to Citibank’s website and downloaded their privacy policy and noticed some suspicious differences between the opt out form in the letter [on the left] and the one from Citibank’s website [on the right]. 

Privacy_notice2c_3 Privacy_notice_real1b_4


Two notable differences are: (1) the form from Citibank’s website has a toll free phone number you can call to opt out; the form in the letter does not; (2) the addresses of the processing centers where the opt out forms are to be sent are different.

So my friend then called Citibank to find out what was going on.  Had a fraudster acquired a card in her name?  Was the letter an elaborate fishing scheme? 

My friend recounted the conversation the best she could so I could recreate it on this blog.  This is reconstructed from her memory, so it’s not exact.  Although the transcript below doesn’t contain the precise words spoken, it hopefully will capture the gist of the conversation.

Click on the continuation to read more.

CUSTOMER SERVICE REPRESENTATIVE #1 (REP):  Hello.  May I have your account number?

MY FRIEND (F):  No, I'm sorry, I don't have an account with you.

REP:  Oh.

F:  I'm calling because I got this piece of mail yesterday that's supposedly from Citibank, but it looks suspicious to me.


F:  First of all, it refers to a Citi Mastercard account that I don't have.  So my first thought was maybe someone else opened a credit card account in my name.

Second, the letter included a Privacy Notice saying that if I want to limit who my personal information goes to, I should write down my credit card numbers -- there are spaces to write two of them -- and  send them to this processing center in Des Moines, Iowa.  The notice says I can do this over the phone, but doesn't give a phone number. It says I should call the number on my bank statement or on the back of my credit card -- neither of which I have, of course, since I don't have this credit card account.  So then I started wondering if someone posing as Citibank might have sent me a fake notice to try to get me to reveal my credit card numbers.  If that's the case, I thought you might want to know that somebody's doing that in Citibank's name.

A third option might be that this mail actually is from Citibank, and there's some sort of mistake in your records about this account that I've never opened.  If that's what's happened, I should fix that.

I did some looking around online this morning to try to figure out whether this letter was really from Citibank or not.  I Googled the processing center address on the Privacy Notice, and wasn't able to find any reference to this P.O. box in Des Moines.  I also found the Citi Mastercard Privacy Notice on the Citibank website, which I compared to the one I got in the mail.  [Explains differences in the form.]

[long pause]

REP:  Well, you don't have to fill out the Privacy Notice, m'am.  You could just throw it away.

F:  I'm definitely not filling it out -- I don't have an account with you.  But can you help me confirm whether this mail is actually from Citibank?  Could you tell me, for example, whether you've got a processing center at this address in Des Moines, Iowa?

REP:  Just one moment.  [Clicks away on computer.]  M'am, it doesn't look like we have a processing center in Des Moines.

[long pause]

REP:  Can I have your name?

F:  My name is [name]

REP:  Just a moment.  [Clicks away on computer.]  M'am, we don't have you on record as having an account with us.

F:  Right.  That's because I don't have an account with you.

[long pause.]

F:  So, if this letter didn't come from Citibank, maybe I should make some sort of complaint or let someone know?  Can I do that through you, or can you direct me to someone else I should talk to?

REP:  Maybe you should talk to someone in the credit card department.  Hold on just a moment and I'll transfer you.

[He puts me on hold for a few seconds.]

CUSTOMER SERVICE REPRESENTATIVE #2 (REP):  Hello.  May I have your account number?

F:  I don't have an account with you.

REP #2:  Oh.  May I have your Social Security number, then?

F:  No, you don't need my Social Security number.  I don't have an account with you.  I'm calling because I received a letter in the mail from Citibank yesterday about a Mastercard, but like I said, I don't have a credit card with you --

REP #2:  M'am, I'm sure you probably do have a credit card with us.

F:  No, I'm pretty sure I don't.

REP #2:  Yes, you probably do.

F:  No.  I have one major credit card, and it's not through Citibank.

REP #2:  Oh?  What kind of credit card is it?

F:  It's a Mastercard --

REP #2:  Uh-huh.  What bank is it with?

F:  National City.

REP #2:  Yeah, well, we own parts of National City.  So I'm sure your credit card is with us. 


F:   Um, all right, then.  Can you tell me whether you've got a processing center in Des Moines, Iowa?

REP #2:  [impatiently] We sure do, m'am.


F:  OK.  Thanks for all your help.

REP #2:  You're welcome.

There are many morals to this story:

1. This conversation is indicative of the kinds of conversations that we have with customer services representatives with banks and other businesses.  The representatives read from a script and can’t seem to respond without it.  They contradict each other, don’t seem to know what’s going on, and have little authority to do much of anything.  Increasingly, we’re having these frustrating encounters that are wasting our time.

2. Citibank’s customer service representatives seem nonchalant at the fact that a person, without a Citibank credit card, has called up and said she received something in the mail making reference to her Citibank credit card account number.  Shouldn’t Citibank be concerned about this?  It could be a case of credit card fraud or an elaborate phishing endeavor.  Citibank should investigate this.  Instead, they don’t seem to give a damn.

3. Companies contribute to phishing because they don’t establish with their customers clear protocols for valid communication.  This allows phishers to send fake emails and other communications falsely pretending to be from particular businesses.  If businesses established very clear rules about how they contact their customers, fraudsters would be less able to trick people. 

A personal example: I recently got a call from a computer which told me that there might be fraudulent charges on my credit credit card.  I was to call the number the computerized recording gave me.  This phone number didn’t match the phone number on the back of my card.  It could have been from a phisher.  So to be safe, I called the regular number on the back of my card, and the representative said that the computerized recording was bona fide and connected me to the fraud department.  Of course, the problem here was that my credit card company should not have given me a new number to call different from the one it had already given me on the back of my card.  This would assure me that I wasn’t calling some bogus number and giving out my credit card info to a fraudster.  The epilogue – there was no fraud.  I bought gas for my car and groceries in the same day, which apparently triggered the system.  Go figure! 

Posted by Daniel Solove on August 25, 2005 at 01:33 PM in Daniel Solove, Information and Technology | Permalink


TrackBack URL for this entry:

Listed below are links to weblogs that reference How Companies Help Phishers and Fraudsters:

» How Companies Help Phishers and Fraudsters from BlogSpy.NET
We found this blog entry very interesting so we've added a Trackback to it on our site. [Read More]

Tracked on Aug 26, 2005 11:49:58 AM

» Companies Helping Phishers from Emergent Chaos
Daniel Solove has a good post on "How Companies Help Phishers and Fraudsters." Companies have trouble being consistent in what they send, and that's to the advantage of fraudsters. They also have a hard time taking security information from... [Read More]

Tracked on Aug 30, 2005 9:41:20 AM


I stumbled on this site by accident, but found the topic very interesting... I can confirm that Citi does have a processing center in Des Moines, Iowa. At one time I opened a Helzbergs credit account and after a couple of years, it was converted to a Citi Mastercard. The payment address is now Citi Mastercard, Processing Center, Des Moines, Iowa 50362-1001. Not sure if this helps at all. Seems that Citi loves to buy out alot of smaller company's credit departments. I know that Home Depot also is serviced by Citi.

Posted by: Drew | Mar 2, 2006 4:25:34 PM

Another thought which makes this mail look quite suspect is simply the fact that it reqests you credit card information. Why would the lender need to ask you for that? They created that number for you. Clearly they already know that information. My guess is the mail was intended for misuse by someone unrelated to Citigroup. Our Fraud prevention team would definately have wanted the information you offered. If you ever get this type of suspicious item again. I am sure the Citibank.com web page has a link to report fraud concerns. If the concern ends up being no problem, so what. It doesn't hurt to have them check it out.

Posted by: Citi Employee | Jan 24, 2006 2:08:15 AM

Several points of clarification needed here. I can't say too much about myself or what I do for Citi Group, but we definately do have many employees and operations in Des Moines including Card Services, Citi Home Equity, Citi Financial and more. Citi Group is a global company in over 100 counties with over 300,000 employees and the best security policies I've ever seen. I have worked directly and inderectly with many financial institutions. Citi employees at every level are trained to identify fraud, verify caller identity every time they answer the phone, and protect customer privacy sometime to an unreasonable extent. But, overprotective is better than underprotecting. Yes, by the way, I could share quite easily how anyone could gather confidential customer information from some other lenders in ways that would never work at Citi. Perhaps it would help if we all understand that "CitiGroup" is the 2nd largest financial institution on earth and includes Citigroup, CitiFinancial, CitiMortgage, CitiHomeEquity, Citibank, Banamex (bank of Mexico), Smith Barney, and more. It does not however to the best of my knowledge own any part of National City Bank which is a small regional lender. If Citi had an iterest in them, I suspect they would pay cash and own all of them. I doubt it would cost even one weeks earnings for Citi. The offer mentioned sounds like it did come from Card Services if it came from Citi at all. You were wise to seek another number independently for contacting the lender if you have concerns about fraud. I regret that the representative in our card services did such a poor job of assisting you and spoke clearly from ignorance about any ownership of National City Bank. Every computer at CitiGroup in (I suspect every division) has contact information right on the home page. You should have been connected with the fraud reporting people as soon as it was discovered you had no account and a reason for concern. Just FYI, Citi policy forbids transfer of customer information in e-mail, paper documents are shreded daily and stored in secured electronic format. Even the phones are secure lines that go through the computer system for privacy and security. For example, when I make outbound calls from work. The caller ID will show an area code hundreds of miles from where I live. The area code is the place where they have the secure mainframe computer I log into before my phone works. Oh, and by the way, all you have to do is ask and we can opt-out for all your accts by phone. You don't need to send in the form. The form could be lost in the mail.

Posted by: Citi Employee | Jan 24, 2006 1:55:42 AM

I want to agree with Mr. Gowder's final sentence - "The businesses that have the incentive to create such processes must bear the responsibility for any vulnerabilities that they have." - and add my personal pet peeve.

I hate phone trees that are defectively structured, and do not give (or at least not announce that they give) a zero-for-human option. I especially hate when it's a PHONE COMPANY that can't properly structure a phone tree.

Recently, I had to call SBC/Ameritech to report that I did, indeeed, pay my bill on the deadline, because I got a letter that said I'd be cutoff on date X if I didn't pay by then, etc. (My bad - I'd missed a month, so I was on the 60-day mark. Oops). I paid online, but the webpage confirmation did not tell me whether my payment alone was enough, or whether the "notifying" them was still needed. So I called the 800#. After many other tree-branchings, I was where I wanted to be -- "to report a payment that you've already made, press 2" -- and the next option was "If you mailed your payment, press 1. If you paid by phone, press 2." PERIOD. No "online" option (though I had a lawlerly musing about whether it counted as "by phone" if the ISP is dialup). No zero-out-for-human option. The online-option was absence was particularly funny because the entire procedure started with a computer-voice encouraging me to go to the dot-com instead to do everything!

So it just kept repeating the "1 or 2" options, till on the 4th or 5th try, it said "I will now transfer you to a CSR."

The CSR actually told me that her shift was almost over and she was eager to get home. But that's another story.

We just may have to ditch them for the landline and go VoIP, or cell-only, after all.

Posted by: just me | Aug 29, 2005 6:23:13 PM

I think we have to understand some of this as a societal problem. People are conditioned (much like Daniel's point re: the computerized voice) to conform their conduct to formalized, mechanized, bureaucraticized processes -- fill in the SSN here, the credit card number here, etc. The businesses that have the incentive to create such processes must bear the responsibility for any vulnerabilities that they have.

Posted by: Paul Gowder | Aug 26, 2005 3:28:26 PM


You're right about the difference between credit card fraud and ID theft, but this could be a case of ID theft if somebody had signed up for a credit card in my friend's name. This would most likely be an ID theft, as one would need my friend's Social Security number and other personal info to get the credit card. It is not the same as her credit card number falling into the wrong hands (this would be credit card fraud). If this was a phishing attempt, then it could just lead to credit card fraud, or it could lead to more and become an identity theft. The form, after all, asks for the person's address and phone number.

So while I agree with you that credit card fraud and ID theft are often confused, they are not wholly unrelated.

You're right that businesses should have an incentive to deal with credit card fraud, and they do have measures to deal with this -- as was the case in my story, getting the call from the fraud department analyzing patterns in my credit card use. But despite incentives, I still remain surprised why so many banks and financial institutions practice such shoddy security and allow access to people's accounts with just a Social Security number, mother's maiden name, birth date, etc. Why haven't the incentives worked here?

I also don't believe that the market works perfectly rationally. I think that these bad security practices persist in many cases because of simple inertia.


Posted by: Daniel Solove | Aug 26, 2005 3:04:07 PM

Dan, I mostly agree with you, but I suspect we differ on how exactly bad the problem you identify is. It's worth keeping in mind, as I know you know, that the problem that seems to be at issue in this post is not so much identity theft, but credit card fraud, and consumers are liable only for at most $50 for such fraud assuming they take reasonable measures to prevent it. So any bank that is contributing to pretexters gathering card numbers through sloppy communications practices hopefully has a financial incentive to clean up its act.

Posted by: Bruce | Aug 26, 2005 2:39:30 PM

Before law school, I worked for a while in Bank of America's new accounts center. (It was a good "going to school" job). A national furniture company misprinted its catalog with our number, and for a few months, we got a ton of callers trying to order a new sofa or dining set.

We never pulled anything unprofessional (though after a while, we got sick of rude furniture customers and pulled the plug on those phone calls really fast). But I discussed the issue with a colleague -- it would have been incredibly easy for one of us, if we were crooks, to have harvested a number of credit card numbers over the course of months that these people called us. (Of course, if we were crooks, it would have been an extremely bad idea to let us work at a bank in the first place. But that's another story).

Posted by: Kaimi | Aug 26, 2005 1:27:24 AM


P.S. And what happened to me with my credit card's fraud department is another example. I think it was wise of me not to just call some number that was given to me over the phone by a recording, but to call in to the main number on my card to make sure it was bona fide. I can imagine a fraudster easily calling people and impersonating the credit card company's fraud department. But now I'm "trained" by my credit card company to just call whatever number some computerized recording gives me that says "There may be some fraudulent transactions on your card . . . "


Posted by: Daniel Solove | Aug 26, 2005 12:44:11 AM


The problem with what happened here is that if this is a legit notice, it is done in a very unprofessional manner. Why doesn't one opt-out form have a phone number to call? Why isn't there any listing on Citibank's website about legit addresses so people can verify that this is in fact legit? The difficulty in this instance differentiating between a legit mailing and fraud is indicative of the problem, I think.

I'm not advocating for a uniform method for notifying customers, but that businesses take greater care in verifying their OWN IDENTITY to customers. So it's clear that Microsoft never emails people, so if you get an email from Microsoft, you know it's bogus. Perhaps companies ought to take better steps helping to educate consumers about the legitimate ways that they might communicate with them. After all, companies routinely fight for opt out, for the ability to send unsolicited emails to their customers (hence the exceptions in CAN SPAM), etc. Shouldn't companies have some responsibility to make sure that people can readily discern whether a communication is from the company or fraudulent? Or is this something that should be left to the customer? I agree that some phishing scams are really silly and anybody with common sense should see through them. But one reason for the success of phishing, I think, is that companies are partly to blame. If this opt out form that Citibank sent is legit, then this kind of ratty attempt at communicating with its customers (or non-customers) is exactly the kind of thing that trains people to fall for phishing scams.


Posted by: Daniel Solove | Aug 26, 2005 12:39:20 AM

Dan, I agree, CSR hell is one of the most frustrating experiences there is in ordinary daily life. I've got all sorts of lengthy tales, including the time my cell phone company cashed my check but kept saying the bill was past due, despite the fact I faxed a copy of the cancelled check (I'm not exaggerating) 6 times to 6 different CSRs. But I think the connection between the idiot CSRs here and identity theft seems remote. A uniform method of contacting people doesn't really seem worth the effort, because (1) every company will have a different "uniform method," and no one will remember them anyway, and (2) phone numbers and addresses change frequently, even for businesses.

As for whether this is a phisher in action, it appears the first CSR was wrong; there is a Citibank processing center in Des Moines that does use Des Moines P.O. Boxes. Here is a site for the Sears Commercial One card, operated by Citibank, that uses similar contact addresses. The ZIP code is close (i.e., 50368 plus the last four digits of the box number), so the return address appears to be a real P.O. Box number (and as Paul observed, a real phisher would have to be pretty stupid to use a P.O. Box to conduct a pretexting scam).

But wait -- there's more. The initial odd part of your friend's story is that she got this form even though she does not have a Citibank credit card. I've never gotten a form from a company I don't do business with. CSR#2 said they own a piece of National City Corp., where she does have a card. Well, that's nice, but why is the form listed as coming from Citibank? (BTW were the last 4 digits the same or different?) National City says it only shares data with its affiliates, and Citibank is not listed as one of them.

I'm leaning toward some sort of weird bureaucratic snafu (perhaps they accidentally sent out GLB notices to a list of *potential* customers?), but fraud can't be ruled out. BTW, I've found that when CSRs seem powerless to resolve something, it helps to put it in writing and send it to the Legal Department.

Posted by: Bruce | Aug 26, 2005 12:22:53 AM

It would have to be a pretty dumb phisher to phish into a P.O. box. That address would be an actual U.S. Post Office, given the absence of a street address (plus per a very sensible regulation that prompted a firestorm of criticism when it was promulgated) (at least the PMB bit was sensible, I won't speak to the rest, which did indeed raise D.V. and privacy concerns).

Apart from the fact that you have to show id to get a p.o. box (which admittedly is a weak protection), I suspect it would be rather easy to nail to the wall any poor fool who committed large-scale credit card fraud via a box in a post office.

Posted by: Paul Gowder | Aug 25, 2005 5:43:58 PM

I've never received a privacy notice from any of the banks separately. It's always been included with a bill. Citibank has drop-boxes just about everywhere in the US and their CSRs have become horrendous within the last 5 years. Best advice is to be an informed consumer and use other resources rather than Citibank---sad, but true.

Your probably would have gotten an answer from say Creditboards.com faster than the company. Those folks know the credit game there!!

Posted by: Lola | Aug 25, 2005 3:44:11 PM

One comment as a postscript. My friend still hasn't been able to find out whether or not the letter she received was a fraud. It seems to be to be a fraud, since there's no phone number to call to opt out. But my friend's conversations with Citibank representatives were unhelpful in finding out anything about whether the letter was fraudulent. If it was fraudulent, this is a very troubling attempt at fraud. If the letter was not fraudulent, then shame on Citibank for sending out very suspicious pieces of mail.

Posted by: Daniel Solove | Aug 25, 2005 3:24:36 PM

These stories are horrendous. I do want to shed some light on the gas/groceries triggering. When a friend's debit card was stolen (retained by a store clerk), the sheriff was able to tell my friend that the thief was not a first-time amateur thief. The first thing the clerk did was go to a gas pump and buy a negligible amount of gas. Thieves do this to make sure the card is still active without alerting an actual person at a store, who could call the police. Gas pumps are one of the few unmanned machines that read cards without a pin number. I don't know if you were just topping off that day, but maybe this explains it?

Posted by: Christine Hurt | Aug 25, 2005 3:14:24 PM

I agree with your comments on the unhelpfulness of customer service. It's gotten so bad that I've almost completely given up on using costumer service completely, and I rarely buy warranties or service contracts because they are so unhelpful and time-consuming. Maybe this is the intent of companies that create such poor service centers, but it is frustrating nonetheless.

Posted by: Jeff V. | Aug 25, 2005 2:22:42 PM

The comments to this entry are closed.