Causing Damages to Customers
As Citibank Korea hasn’t compensated customers who use its debit card for the damages for more than 45 days, the financial authorities enforced sanctions against the bank.
According to the Financial Supervisory Service (FSS) on August 13, affiliated stores at Paypal in the U.S. were targeted with a BIN attack and numerous cases of information of Citibank Korea’s A+ Check Card, which made transactions with the relevant stores were illegally leaked, causing damages. A bank identification number (BIN) is the first six out of 16 numbers that appear on a debit and credit card. The BIN uniquely identifies the institution issuing the card. The BIN attack is a method in which valid card numbers are randomly generated by changing the last ten numbers.
Citibank Korea’s A+ Check Card was under such attacks and hundreds of cases were reported from January last year to April this year, causing damages of tens of million won. Citibank compensated customers who directly reported their losses and blocked the payment at the affiliated overseas stores but the bank hasn’t checked with customers who haven’t reported the damages on whether they actually made payments at the stores or suffered financial damages.
The bank also failed to hold the payments so customers who reported the losses saw their payments withdraw from their accounts within three to seven days.
In addition, Citibank didn’t compensate even customers who suffered from the damages until the affiliated overseas stores charge back the money. So, it took over 45 days until the customers get a refund. In this regard, the FSS said, “The bank took a considerable period of time to compensate the customers.”
Citibank hasn’t also taken the follow-up measures in time such as investigation on the cause of the incident, protection for customers and prevention of recurrence as well as procedure for compensations. All financial companies which issue a credit or debit card are required to run the fraud detection system (FDS). In Citibank, working-level officials are in charge of preventing illegal use of credit and debit cards including the FDS management so executives has failed to come up with comprehensive and systematic measures to protect customers and prevent any reoccurrences of this incident, according to the FSS.
Based on inspection results, the FSS voted to impose two sanctions of “management attention” and two other sanctions of “improvement needs” on Citibank. An official from the FSS said, “Citibank caused inconvenience to its customers and had insufficient systems and procedures for damage compensation. But, the bank didn’t violate the related laws so we decided to impose the light punishment.”