Tips for Avoiding Credit Card Fraud: FBI

FBI’s tips to avoid credit card fraud

  • Don’t give out your credit card number online unless the site is secure and reputable. Sometimes a tiny icon of a padlock appears to symbolize a higher level of security to transmit data. This icon is not a guarantee of a secure site, but provides some assurance.
  • Don’t trust a site just because it claims to be secure.
  • Before using the site, check out the security/encryption software it uses.
  • Make sure you are purchasing merchandise from a reputable source.
  • Do your homework on the individual or company to ensure that they are legitimate.
  • Obtain a physical address rather than simply a post office box and a telephone number, and call the seller to see if the telephone number is correct and working.
  • Send an e-mail to the seller to make sure the e-mail address is active, and be wary of those that utilize free e-mail services where a credit card wasn’t required to open the account.
  • Consider not purchasing from sellers who won’t provide you with this type of information.
  • Check with the Better Business Bureau from the seller’s area.
  • Check out other websites regarding this person/company.
  • Don’t judge a person or company by their website. Flashy websites can be set up quickly.
  • Be cautious when responding to special investment offers, especially through unsolicited e-mail.
  • Be cautious when dealing with individuals/companies from outside your own country.
  • If possible, purchase items online using your credit card, because you can often dispute the charges if something goes wrong.
  • Make sure the transaction is secure when you electronically send your credit card number.
  • Keep a list of all your credit cards and account information along with the card issuer’s contact information. If anything looks suspicious or you lose your credit card(s), contact the card issuer immediately.

Information Security Flaw Exploited: Citibank lost over a million USD

‘Gone in 60 Seconds’ – and the lessons learned

During late October 2012, fourteen individuals were charged following a Federal Bureau of Investigation (FBI)-led investigation into the theft of over $1 million from Citibank using cash advance kiosks at casinos located in Southern California and Nevada. The fraudsters stole the money by exploiting a gap in Citibank’s ATM application logic, which required all of the withdrawals to be made within 60 seconds; that detail earned the fraud its popular name in legal and security circles: ‘Gone in 60 Seconds’.

The modus operandi worked as follows: the main accused recruited conspirators who were willing to open multiple Citibank checking accounts. He then supplied his co-conspirators with “seed” money, which was deposited into the newly opened accounts. After the money was deposited into the checking accounts, the conspirators would travel to nearly a dozen casinos in California, Las Vegas and Laughlin. Once inside a casino, the conspirators used the cash advance kiosks to withdraw, all within 60 seconds, several times the amount of money deposited into the accounts, exploiting the ‘security gap’ in Citibank’s system that they had discovered. The accused were also careful to keep both their deposits and withdrawals under $10,000 in order to avoid federal transaction reporting requirements and conceal their fraud.

What was the ‘security gap’ that the fraudsters discovered and Citibank’s IS auditors did NOT?

As long as all of the withdrawals were made within one minute of the first, Citibank’s software assumed the later transactions were erroneous duplicate processing of the first request, so no red flags were raised. While the sophisticated plot allowed the group to collect more than $1 million over an eight-month period, a mundane flaw in the criminals’ own logic eventually led the FBI to its suspects: they all used their real names when opening the bank accounts that ended up heavily overdrawn.

What could Citibank have done to prevent this?
Presumably, the control weakness escaped the multiple layers of security at Citibank: concurrent audit during application development, scenario-based IT application controls, and risk assessment by the concurrent auditors. There is also a need for real-time detection of suspect transactions, even for smaller transaction amounts. Interestingly, the accused kept the withdrawals under $10,000 to avoid regulatory reporting, and they probably guessed correctly that the bank would not look into transactions that did not require any regulatory reporting.

Most likely, the predictive fraud detection data models used by Citibank either failed to notice such transactions or assumed that small-amount transactions were relatively safe.

Lessons learned

  • Banks need to strengthen their fraud detection data models.
  • All transactions, not just those subject to regulatory reporting, need to be monitored.
  • Real-time audit needs to be built into their security frameworks.
  • Needless to mention, build and continuously review appropriate application controls.
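To make the gap and the lessons concrete, here is an added example (not Citibank’s code or anything from the case record) that runs the two approaches over a constructed kiosk log: a ledger that treats any withdrawal within 60 seconds of an account’s first request as duplicate processing, beside a review that only de-duplicates a retry carrying the same transaction reference, charges everything else, and flags overdraw and velocity regardless of amount. The log format, balances and the `max_in_window` threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample kiosk log lines (not from the page): ts account kiosk amount ref
# r1 appears twice: a genuine retry of one request, which a dedup rule should drop.
SAMPLE_LOG = """\
1000 acct-1 kiosk-A 9500 r1
1015 acct-1 kiosk-A 9500 r1
1020 acct-1 kiosk-B 9500 r2
1040 acct-1 kiosk-B 9500 r3
1050 acct-1 kiosk-C 9500 r4
1000 acct-2 kiosk-A 2000 r5
1200 acct-2 kiosk-A 2000 r6
"""
BALANCES = {"acct-1": 10_000, "acct-2": 5_000}  # constructed seed-money balances

def parse(log):
    """Parse log lines into (ts, account, kiosk, amount, ref) tuples, oldest first."""
    rows = []
    for line in log.splitlines():
        ts, acct, kiosk, amt, ref = line.split()
        rows.append((int(ts), acct, kiosk, int(amt), ref))
    return sorted(rows)

def flawed_ledger(log, window=60):
    """The gap as the page describes it: any withdrawal within `window` seconds of
    an account's first request is assumed to be duplicate processing, so it is
    neither charged nor flagged even though the kiosk paid it out."""
    first, charged = {}, defaultdict(int)
    for ts, acct, _kiosk, amt, _ref in parse(log):
        if acct in first and ts - first[acct] < window:
            continue  # silently dropped: this is the money that walked out
        first[acct] = ts
        charged[acct] += amt
    return dict(charged)

def hardened_review(log, balances, window=60, max_in_window=2):
    """A retry is only a duplicate if it repeats the same reference; every other
    withdrawal is charged, and the account is flagged when cumulative charges
    exceed its balance or too many distinct withdrawals cluster in the window.
    Neither rule looks at the amount, so sub-$10,000 structuring still trips them."""
    seen, charged, recent, alerts = set(), defaultdict(int), defaultdict(list), []
    for ts, acct, kiosk, amt, ref in parse(log):
        if (acct, kiosk, amt, ref) in seen:
            continue  # genuine duplicate retry of one request
        seen.add((acct, kiosk, amt, ref))
        charged[acct] += amt
        recent[acct] = [t for t in recent[acct] if ts - t < window] + [ts]
        if charged[acct] > balances.get(acct, 0):
            alerts.append((acct, "overdraw", charged[acct]))
        if len(recent[acct]) > max_in_window:
            alerts.append((acct, "velocity", len(recent[acct])))
    return dict(charged), alerts
```

On the sample log the flawed ledger charges acct-1 only $9,500 while $38,000 of distinct withdrawals were paid out; the hardened review charges the full amount and raises its first overdraw alert on the second distinct withdrawal, while acct-2, whose withdrawals are a few minutes apart and within balance, produces no alert.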