Class Break of Citibank ATM Cards

There seems to be some massive class break against Citibank ATM cards in Canada, the UK, and Russia. I don’t know any details, but the story is interesting. More info here.

EDITED TO ADD (3/6): More info here, here, here, and here.

EDITED TO ADD (3/7): Another news article.

From Jake Appelbaum: “The one unanswered question in all of this seems to be: Why is the new card going to have any issues in any of the affected countries? No one from Citibank was able to provide me with a promise my new card wouldn’t be locked yet again. Pretty amazing. I guess when I get my new card, I’ll find out.

EDITED TO ADD (3/8): Some more news.

Posted on March 6, 2006 at 2:44 PM31 Comments


roy March 6, 2006 4:07 PM

The company may have known how the system was supposed to work, but it sounds like they didn’t know how it actually worked, or how it could fail, or how to recover from failures.

dk March 6, 2006 4:15 PM

There is a lot of confusion in this story. For example, some is now claiming that the Royal Bank of Canada also has this problem. However, I’ve been using my RBC credit and debit cards all weekend — including an hour and a half ago, and they are still working.

In the original story, Appelbaum says he used “class break” first, and the customer service supervisor repeated it back to him. I somehow doubt that the average call centre supervisor would know what a “class break” was. I suspect this story will become a lot more boring once more facts surface.

Jacob Appelbaum March 6, 2006 5:11 PM

Something weird is certianly happening with Citibank. They’re not saying very much at the moment.

Xeni has posted a few updates to BoingBoing all linked through here:

I think those are worth reading and my response on that page should also make it clear that it’s probably a few things, not just one isolated issue.

And yes, it’s true that I mentioned the words “class break” to the manager, however she’s the one that described the issue. She stated that the ATM networks of three countries have been compromised and are still considered compromised. In addition, they’ve been compromised for over two weeks.

It’s possible she misspoke but it’s also possible she had a clue, no?

Andrew March 6, 2006 5:13 PM

Nothing said by a call center employee should ever be trusted. In my experience, they’re more interested in ending the call than in getting anything right, and rarely have as much information as their customers. I recognize a few techniques to this end in the story, including parroting back anything the caller says (class break) and trying to make the caller think it isn’t all that bad (you were lucky, some people lost everything).

Rarely do these work, except by frustrating the caller to the point of hanging up on you, but when you have no information and no escalation path to anybody with information, there are few options to choose from, all of them bad.

Nova Lounge March 6, 2006 5:15 PM

Just talked to an investigative journalist friend who was looking into this..

Not a class break..

Response to previous retailer breach. A large number of Citibank cards are blocked for the UK, Canada and Russia.

This is a headache for traveling Citibank customers who use their cards in one of those countries – since there was no notice sent with a warning — but this is a customer service issue.

Dylan March 6, 2006 7:04 PM

SecurityFocus carries a CitiBank response:

This doesn’t seem to be very well thought through. Their response to compromised accounts, is to disable any cards used in Canada, UK, Russia, and post new cards to the USA addresses of those disabled cards.

How many of those disabled cards will be legitimate vs fraudulent?

Note also that it is only PIN based access that is being tracked and disabled. So we are talking about a real person using a pin number, not Credit Card transactions, which are apparently still fine.

Pat Cahalan March 6, 2006 8:18 PM


It will be interesting to see if those in California actually get details…

Chris Walsh March 6, 2006 8:33 PM

If this is in response to an existing issue with a retailer, it may be the same incident which has caused many other banks and credit unions to cancel cards, among them Wamu, BofA, Wells Fargo, Alabama Credit Union, and (IIRC) RegionsBank.

This phenomenon, where many card #s are revealed but the breached firm not identified by the card companies has been the subject of critical attention by the banking press, and by at least one well-regarded industry analyst.

me March 6, 2006 11:57 PM

Seriously, even though Jake is a personal friend of mine, all reports are either the result of Jake or other anonymous sources with little to no solid fact known, I find this shoddy reporting at best.

appelbaum again? March 7, 2006 1:21 AM

not enough fanboy wanking since the katrina fun?
yeah right- i’m sure the call center worker knows what a class break is…
keep blowing on fires that aren’t lit and you’ll continue to create nothing but hot air.

another_bruce March 7, 2006 3:12 AM

i don’t know what a class break is either.
i’m getting a sense that good old cash is best. forgive me for being old-fashioned.

AG March 7, 2006 9:20 AM

Im going to have a nervious breakdown if I keep reading your site. WOW Citibank sux.

Interesting angle;
Lets not even look at the extra money Citibank makes everyday they hold their customers money…
Money in open bank accounts is measured differently than money in Hold status. Hold status allows a BIG bank to say “this “millions of dollars” will not be spent today”
This allows them to take less money overnight from the Federal Gov and hence pay less interest

Anonymous March 7, 2006 9:49 AM

@Chris Walsh

I received a letter from Visa USA stating that my card/account was breached. They didn’t identify the merchant. I think that sucks. I want to know who the merchant is so that I can stop shopping there. Visa needs to be exposing these knuckleheads so that they improive their security.

I guess the only answer is to stop shopping online altogether.

ordaj March 7, 2006 9:50 AM

@Chris Walsh

I received a letter from Visa USA stating that my card/account was breached. They didn’t identify the merchant. I think that sucks. I want to know who the merchant is so that I can stop shopping there. Visa needs to be exposing these knuckleheads so that they improive their security.

I guess the only answer is to stop shopping online altogether.

Mike March 7, 2006 10:38 AM

This is an interesting story, even as some of the facts don’t seem to jive. From a customer service perspective, Citibank has done a great deal wrong. They have, however, done some things right — they shouldn’t mail replacement cards anywhere other than the address a customer has on record. It’s certainly an inconvenience when you really are the account owner and are traveling, but I wouldn’t want my bank trusting someone over the phone who seemed to be me.

As for not shopping online, I think your odds are about as good for getting robbed offline. Someone locally got ahold of my credit card number a few months ago and ran up a couple grand in fraudulent charges. I have no idea where my CC info was gathered, but whenever we hand over our cards in stores or a restaurant, we’re at some risk.

Willy Wombat March 7, 2006 1:58 PM

Can someone define “class break” for me?

Can’t find much on Google – lots of Java and student rest periods – but nothing about security.

Bruce Schneier March 7, 2006 3:53 PM

“Can someone define ‘class break’ for me?”

From “Beyond Fear,” pp 93-4:

“Technological advances bring with them standardization, which also adds to security vulnerabilities, because they make it possible for attackers to carry out class breaks: attacks that can break every instance of some feature in a security system.

“For decades, phone companies have been fighting against class breaks. In the 1970s, for example, some people discovered that they could emulate a telephone operator’s console with a 2600-Hz tone, enabling them to make telephone calls for free, from any telephone….

“Class breaks mean that you can be vulnerable simply because your systems are the same as everyone else’s. And once attackers discover a class break, they’ll exploit it again and again until the manufacturer fixes the problem (or until technology advances in favor of the defender again).”

I didn’t think the term was mine, but maybe I was the first to popularize it.

Cheburashka March 7, 2006 4:49 PM

I would like to suggest that this, like yesterday’s post, is an example of one of the most dangerous aspects of our security error: Corporations using false claims of security to cover up their own incompetence or attempt to procure commercial advantage.

Davi Ottenheimer March 7, 2006 10:20 PM

“some people discovered that they could emulate a telephone operator’s console with a 2600-Hz tone”

Let’s be fair, it was discovered by Joybubbles (the whistler formally known as Joe Engressia), not “some people”.

derf March 8, 2006 10:29 AM

Consumers who are hit by debit card fraud can lose the entire balance of their accounts, if they don’t report the incident promptly.

Conspiracy theory – by not telling consumers, Citibank gets past the “promptly” bit and doesn’t have to eat the loss. I’m guessing a LOT of money is already gone, and Citi is playing the CYA card.

John Levine March 8, 2006 11:57 AM

This morning the New York Times and Wall Street Journal are both reporting that the breach is due to a data leak at OfficeMax which retained customer PIN information on debit transactions, even though the rules specifically tell them not to do so.

If a sophisticated company like OfficeMax can do something that stupid, what hope is there for the rest of us?

travelgirl March 8, 2006 12:53 PM


Draper certainly made it easier to “create” the tone when he discovered that a Cap’n Crunch whistle did so (hence his nickname)…


Some banks provide NO help in fund recovery when you use a debit card. If fraud occurs on it, your mileage will definitely vary. I know for a fact Wells Fargo refused to honour a fraud complaint more than a few years ago, and went so far as to state I should have used a “real” credit card to limit my potential losses.

You might want to see what your bank says…

Davi Ottenheimer March 8, 2006 1:24 PM

I thought Draper admitted that Joybubbles told him how to get the whistle to hit the right pitch (you have to cover one hole)…and he just took it from there.

Jilara March 8, 2006 6:59 PM

A friend of mine recently had his BoA ATM card inactivated, was notified of fraud (this is California) and called to find out what was up. His was a breeched account, and someone in midtown Manhattan had withdrawn $501.50 (500 + 1.50 out-of-network ATM charge). They told him the fraudulent withdrawal would be replaced, that it was some sort of security breech in their system, but he was without ATM access for a while.

How many accounts on how many banks will this affect, before this all plays out?

Tony H. March 16, 2006 12:35 PM

What on earth does this story have to do with Canada, other than that the person with the card problem happened to be visiting here? I don’t know if Citibank even operates here – if they do they’re certainly a very minor presence on the banking and card scene, and they don’t appear to have retail bank branches or ATMs. So what has any of this got to do with a “class break” supposedly related to the Canadian ATM network (presumably Interac

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.