New York’s attorney general, Letitia James, yesterday launched legal action against one of America’s biggest banks for allegedly failing to adequately protect and reimburse customers who fell victim to online fraud.
She argued that Citibank should pay back the “millions” that New Yorkers are alleged to have lost, with interest, as well as penalties, and improve anti-fraud defenses for the future.
The case appears to revolve around incidents where cybercriminals managed to access victims’ accounts via social engineering and phishing tactics, before changing passwords and making large wire transfers.
James’s office claimed that Citi’s back-end fraud detection and customer authentication processes aren’t up to scratch – failing to catch “red flags” such as scammers using unrecognized devices, accessing accounts from new locations and changing account usernames and passwords. The bank also failed to stop the transfer of funds from multiple accounts to a single account and then onwards within minutes, to the tune of tens of thousands of dollars, James alleged.
Further, Citi is accused of failing to automatically start investigations or report fraudulent activity to law enforcement when consumers first report it. In fact, when consumers contacted the bank to report fraud, they experienced lengthy delays on the phone, allowing fraudsters to continue extracting funds, the attorney general alleged.
Read more on New York’s OAG: Credential Stuffers Compromised 1.1 Million Accounts
Failure to Reimburse
The second part of the case is concerned with the bank’s refusal to reimburse victims.
James argued that because Citi makes wire transfers available via the web and mobile banking apps, it must reimburse fraud victims under the Electronic Fund Transfer Act (EFTA), in a similar way to online credit or debit card fraud. However, the bank “illegally exploited a narrow exception” in the laws to deny reimbursement claims, she added.
“Banks are supposed to be the safest place to keep money, yet Citi’s negligence has allowed scammers to steal millions of dollars from hardworking people,” said Attorney General James.
“Many New Yorkers rely on online banking to pay bills or save for big milestones, and if a bank cannot secure its customers’ accounts, they are failing in their most basic duty. There is no excuse for Citi’s failure to protect and prevent millions of dollars from being stolen from customers’ accounts and my office will not write off illegal behavior from big banks.”
The attorney general’s office (OAG) also alleged that Citi:
- Did not implement proper measures to protect consumers from future fraud until they visit a local branch
- “Falsely” told consumers that their accounts were secure and sometimes promised that money would be returned, even though it didn’t take immediate steps to recover stolen funds
- “Falsely” told customers they had to visit local branches and execute special affidavits detailing the scams that led to financial losses. This information was subsequently used by the bank to blame consumers and deny their claims, the OAG claimed
Infosecurity has reached out to Citi for a response to the story.
Image credit: bilciu / Shutterstock.com