51 comments

[ 2.0 ms ] story [ 135 ms ] thread
> . A customer-service representative answering the firm’s help line said the bank is updating its systems, and was advising callers to try again in four hours.

A really bad time to be updating any software. I feel bad for the people who are trying to buy prescription drugs or groceries. Not everyone has backup credit cards.

I doubt any transaction processing systems got updated at any bank in the past 48hrs with the Brexit vote in the air.
Good find. An "extended major release" while they're onboarding 11 million new customers sounds painful.
It looks like they don't really care about distributed systems. With the current software methodologies planned global outages are not acceptable. It's still sad that banks like this can be one of the biggest because of their monopoly position.
We're switching away from credit cards as much as possible for that reason among others (e.g., we spend less when paying with something more tangible like cash). The only remaining use is for gas, hotels, and online purchases that I won't trust a debit card number to.
I use credit cards like a debit card but get rewarded for using them. I pay them off in full every month, I have never once paid interest on a credit card bill.
Me too, rewards plus the ability to easily contest and reverse fraudulent charges (which I have experienced multiple times) make a credit card infinitely better than a debit card.
(comment deleted)
Here in Australia you can just as easily contest charges on debit cards.

Bizarre that such a protection elsewhere is limited to just credit cards.

> get rewarded for using them

I understand why you want the rewards, and when I'm forced to use a credit card, I also want the reward. But we need to call out the bullshittedness of the system.

Everything in the world is 2-3% more expensive just so that credit cards can "give" you 1% back as a "reward". (Similar situation: People who are thrilled with a tax refund. The government takes money away from their paycheck, then later gives part of it back. If they don't think about it, they think they're getting free money.)

People get caught up in it as if credit card rewards are a good idea. It's not. It's a drag on the economy for the credit card companies to bake their costs into every transaction.

It very well might be, but not using a 1% cashback card doesn't mean you pay 3% less than someone using one. I can $1000 for a TV and get $10 or get $0 back - paying $970 and getting $0 back isn't an option
is it just me or do such things happen more and more? i remember those things not occurring years and years in the past.
There are more and more people with credit cards per centralized infrastructure to support payment transactions?
"move fast and break things" was a philosophy that would get you fired years in the past.
The timing of this as the switchover of Costco cards from Amex to Citi is happening certainly suggests a scaling problem regardless of the "updating its systems" excuse.

I've heard Amex blamed for losing the Costco deal, but given Amex's superlative customer service and Citi's less-than-optimal reputation, maybe Costco will turn out to be the bigger loser.

My experiences going from Costco Amex to Costco Citibank:

* Fraud protection learning seems to be reset from the old Amex history so I've had a regular purchase (sushi joint) get flagged.

* Haven't found the ability to add spouse to web based account management.

* New card issued has smart chip in it, which is a pain at most retailers since their readers require "eating" the card and take longer payment processing time before the card is ejected. So basically my older Amex was more convenient while using "inferior" tech.

* Costco gas pumps seem to be updated with new Visa prompts for cards. I wonder what kind of hassle it was to update that system.

* Apple Pay has a hard time recognizing my card with camera input. I had to manually enter information.

EMV (chip) cards are far, far more secure than magstripe cards. It's a tradeoff I'm happy to make, since my card number's been stolen 3 times in the last two years.
How are the EMV chip + signature cards in USA being far, far more secure?

User can just swipe and sign a stolen card same as always. Most retailers stll either incapable of using them or very forgiving as to signatures.

Card can be duplicated with the strip and without the chip, then used as a regular legacy card (until those become uncommon).

Finally, they can just steal the chip + signature cared, use the chip and they can still sign the slip and use it sama as ever.

The key here is chip + signature, which has been removed in countries that have advanced their payment processing. Here in Australia you actually haven't been able to sign for a transaction for the past 2-ish years.
True, but the story is about glitches with Citigroup USA. pokstad is referring to Costco Citi cards in the USA. Some USA issues will allow you to SET a pin on chipcards (rarely by default), but they are not REQUIRED at the POS by any retailers in the USA. None will, because that's not the industry agreement standard and would lock out the majority of consumers. The adoption has been a giant clusterfuck. Most retailers are still taking stripe only. It's the weakest link. Until retailers stop accepting stripes and chip + signature, there's no need to steal the PIN.

Hell, it's 2016 and I'm still encountering retailers who end up having to key in the card, or in a couple of cases still do offline processing with manual carbon-slip imprints.

Our shitty American cards affect the rest of the world too. Traveling to Europe over the past decade+ until 2015 I apologize for my unexpectedly chipless card everywhere I went (never had much trouble using it though); same with Canada up to present. They all have chip+PIN, but our cards go through without and spit out a receipt with a signature line.

> Card can be duplicated with the strip and without the chip, then used as a regular legacy card (until those become uncommon).

I don't think so. The card reader would demand that the chip be used. If there's no chip, the cashier should then call the police, as that's evidence of fraud.

If there's no chip, do you really think a cashier would call the police? The cashier would assume the reader is broken, stick the card (without a chip) in the chip reader 3 times to force a swipe and apologise for a "broken reader"
True enough, but most of my chip cards will not work with the mag strip if the card reader supports chip. If I slide the card, I get a message on the POS screen telling me to use the chip.

The guy who steals my mag stripe has to find a store without chip readers to make use of the stripe.

With how slow this roll out is, I fear the thief won't be able to find any stores accepting a chip, even if they tried.
On one of my old cards, the chip broke (physically). On every single reader I used, putting the side without a chip in the reader 3 times would allow me to swipe.
> The guy who steals my mag stripe has to find a store without chip readers to make use of the stripe.

Like 90% of stores in USA today? Oh the pain. And what is likely to happen after the clerk apologizes for the reader being broken is that he keys in the card number manually. What, manual entry is going to be blocked too? Good luck with that. As long as lost sales to nonworking transactions >>> fraud, it's happening.

Edit, source, Krebs: http://krebsonsecurity.com/2016/02/the-great-emv-fake-out-no...

In February, Visa claims all of 17% of retailers have chip-capable terminals. My experience is that only a small fraction of chip-capable terminals are actually integrated with a POS system that enables them. Leading to the ridiculous situation of consumers facing 83% of retail locations with no chip reader, having to swipe, most of the rest having a useless chip slot and icon, and some small percentage <10% of locations actually having a working, functional chip slot (visually indistinguable from nonfunctional ones). Even where they do work, usability is poor. Beeps, lights, multitudinous prompts or even spoken instructions, and processing times in excess of five seconds or more where the stripes are just swipe and sign a second or two later.

The indicator that tells the machine that "This card is a chip card" is a single bit on the mag stripe. Turn that bit off when cloning the card and the machine never knows it should have asked for a chip.
Hmm, I'd assumed it was known by the card's first few numbers, or similar, but you're correct.

I've had chip cards since 2004, and their use here is universal. To swipe without raising suspicion requires an American accent. It's no problem in McDonald's, but any expensive purchase will either be denied by the clerk, require the manager's approval, or a phone call to the card processor. Criminals simply don't do it any more -- it's far easier to send stolen numbers to the USA, or make purchases online.

I don't understand how having to sign when you make a credit card purchase is in any way secure. Most of the touch-screen/stylus setups are so bad that you can just barely get a scribble that vaguely looks like a signature.
It's not really supposed to be secure against fraud by card thieves. It's supposed to deter actual cardholders from falsely repudiating their own purchases. If you chargeback a purchase as unauthorized, the retailer should be able to produce the slip with your signature on it. Then you can be asked under oath or penalty of prosecution, whether or not it is your signature. It also provides protection against errors. If you are erroneously charged multiple times for one for one transaction, the retailer will only be able to produce a single signed slip. If you actually make multiple purchases in the same amount in a row, there would be multiple, signed slips with different timestamps and distinguishably different signaturs.

There's a fiction that the retailer should compare the signature on the card to the slip, reinforced by a few large retailers with policies of checking that the card is in fact signed, but this obviously doesn't happen.

It is supposed to be chip + pin. That works. chip + signature is a silly compromise that is as insecure as magstripe + signature.
How is it as insecure? You can't clone a chip card with a skimmer, you actually have to steal it.
All chip + signature cards in the USA have a stripe too (excepting maybe a tiny fraction of retail cards). They have to, or something like 90% of POS will not accept them. Full rollout is going to take years. As long as there is a stripe and merchants accept the stripe, the stripe can be cloned. Yes, retailers who take the stripe when the issued card has a chip will be on the hook instead of the bank, but thieves don't care if the retailer or the bank pays.
A PIN vs. a signature via the chip makes no difference if merchants are still accepting stripes. The stripe is the weakest link.
Amex said Costco was 11% of their business (that breakup must have been really acrimonious), so I don't doubt that Citi is going to have scaling problems on-boarding that many new customers at once. It took a visit to the membership desk to get mine to work.

Oh, and as a former Citi customer, if it weren't for that 4% back on gas purchases, I would be using someone else's card at Costco (you can use a membership card + any Visa-branded card there now).

Note: this isn't just credit cards -- I personally found this right as it happened. My ATM card was declined for any amount at a BoA ATM. Annoyed, I went down to the Citi branch outside where all 8 or so ATMs had "out of order" screens and there was half a dozen people milling about saying it was down everywhere. Took to Twitter and lots were repeating it and saying web access and the mobile apps were down as well.
I know you could go inside, but this seems like the kind of thing that could cause a run on the bank.

Well, at least if Mary Poppins is to be believed.

Bad timing with Brexit paranoia, too.
USAA recently had the same issue; transactions not processing. They, like Costco, switched credit card issuers. So it may very well be a scaling issue like importing millions of customers into the DB.
What do you expect? Every bank customer is nothing but a slave. Banks own you
Love how I get down votes for the truth. If your bank refuses for any reason to give you access to your account you probably lose your job, your apartment, loans ...it will ruin your life for good. Happens to lot of people, its no mystery. In Western Europe you can't even have a normal average legal life without a bank account, that is why they had to introduce laws to force the banks to give everybody an account, because before banks often refused to do so and then peopl where stuck and their situation spiraled down the drain.
As you say yourself, the banks are regulated so they cannot do anything they want with you. So they do not quite own you. Anyway, you are going to be dependent on some structures of society unless you want to live on your own in the woods.
Please don't post unsubstantive rants, and please don't break the HN guidelines by going on about downvotes (https://news.ycombinator.com/newsguidelines.html). Especially not "Love how I get down votes for the truth", which is the most tedious trope of them all.
Anyone who has spent any amount of time dealing with Citi saw this coming from a mile away. Over at /r/churning, Citi's customer facing tech stack is the butt of many jokes, and there is no reason to believe their merchant facing services are any better.

Example: I was recently told by Citi to create a new account after getting locked out of my old one. This isn't the first time this has happened: I am now on username.4 on their website, and my wife and I have made a point of not putting any critical charges on Citi cards.

Costco may have saved a few bucks by ditching Amex, but they'll pay a price in customer satisfaction in the long run. Given their usual customer focused orientation, I'm surprised they thought this would be a good tradeoff.

> I am now on username.4

May I ask why didn't you drop by their office and tell them they are idiots and cancel your account after the second or third time?

Because dealing with their stupidity has allowed me to not pay for air travel over the last decade.

Life is a series of tradeoffs, sadly.