[See update at the bottom of the story for the outcome]
I’m naturally a bit paranoid when it comes to cybersecurity, whether that’s at work or in my personal life. I generally enable two-factor authentication where it’s available, don’t reuse passwords, don’t write passwords down, etc. For my personal banking, I even enabled SMS alerts for any transactions over a certain threshold, both as a security measure and to have some high-level visibility to large transactions.
I expect banks to have high levels of security because their ability to protect our money from thieves is one of the reasons we use banks. But, according to Citibank, that’s an unreasonable expectation since for the last three days, they’ve allowed fraudsters to withdraw thousands from my account, and they say it may continue tomorrow.
Allow me to explain…
On Saturday, I used my bank card to withdraw cash to pay our sitter for our night out at the Sydney Fringe Comedy Festival. It was from some portable ATM machine at the festival’s theatre, and somehow it must have had its security compromised.
I awoke on Sunday to an SMS alert from Citibank that $1,000 had been withdrawn (after a balance check–smart thieves) from my account via an ATM not too far from the theatre. I immediately phoned Citibank to tell them the charge was fraudulent, and that my wife and I had our cards, so my card must have been skimmed. They said no problem, they would cancel my card, send me a new one, and unblock the funds related to the fraudulent charges once they had been investigated. That’s just about all I could ask for.
Imagine my surprise when on Monday morning I received an SMS from Citibank that another $1,000 had been withdrawn from an ATM. Again, I had the pieces of my cut-up card and my wife had her card, and we didn’t make the withdrawal. I called Citibank to let them know it happened again and they said they would investigate and get back to me, and that they were sure my card had been cancelled, so the charge essentially couldn’t happen. But it did. And Citibank wasn’t sure how.
Now imagine my absolute dismay when I received the SMS alert from Citibank on Tuesday that a third $1,000 (my daily limit) had been withdrawn, again from a local ATM. I was furious. The time period for investigating fraud is up to 45 days. That’s 45 days that I would be essentially out $3,000.
I called Citibank and demanded to speak to a supervisor in the fraud/disputes department. The supervisor, Angel, confirmed that the card had been cancelled on Sunday and confessed that she had no idea how the withdrawals had been made on Monday and Tuesday. In addition, she said she was unable to lift the lock on the additional $2,000 that had been withdrawn even after I notified Citibank of the fraud.
Angel assured me that Citibank’s technical team would investigate and I asked her whether or not I should expect an additional $1,000 to be withdrawn tomorrow and she replied that she did not know. Let that sink in. Citibank knows that a fraudster is withdrawing funds from my account via ATMs around Sydney, but is unable to stop it.
This goes back to my original proposition that one of the reasons we give banks our money is based on the belief that they have the means to keep it safe. You’d think that if you told your bank that someone was coming to rob your account, they would be able to implement some measures to stop it.
Things went from bad to worse with Citibank when they said I would be unable to withdraw the unfrozen balance of my account in person because my card had been cancelled. The one concession they’ve made is to extend the daily transfer limit to allow me to transfer the entirety of my account to another bank. So that’s how I spent my morning, setting up a new bank account because Citibank is unable to secure access to their customers’ accounts.
If you happen to be a Citibank customer, beware that once thieves open the door to your account, Citibank is apparently unable to close it in a timely manner. I’ve solved the problem by emptying the account myself, leaving nothing more for the thieves.
UPDATE (8 October 2017): Citibank got to the bottom of the issue and confirmed that we’ll be getting the money back at some point next week–much sooner than the potential 45-day investigation period. The thing they hadn’t identified until yesterday (5 days after I first reported the fraudulent transactions) is that it was Kate’s card that had been cloned, not mine. When I first reported the fraud on Sunday, the customer service rep didn’t check to see which card had been used to conduct the transactions and simply cancelled mine and left Kate’s as active, which is why the $1,000 withdrawals continued for the next two days until I transferred all of the money to a new account.
It’s disappointing that Citibank missed such a simple detail at the outset, and more disappointing that it took them five days to discover the oversight, despite the repeated withdrawals. I’m baffled by the conversations I had with Citibank in which they told me that they had no idea how the $1,000 withdrawals were made on Monday and Tuesday, since my card had been cancelled on Sunday. All they had to do is look at which card was being used. I’m happy to have the experience behind us and to have had it resolved in days as opposed to weeks.