So who’s lying to their customers – Citibank or the WSJ? | FT Alphaville

Newspapers, especially American newspapers, like to think that they check facts, giving their readers information that can be considered fair and accurate.

The real world, of course, is more complicated. The “truth” can be an ephemeral thing, subject to revision. That’s especially so when “facts” collide with “confidence,” or when the real story doesn’t quite mesh with legal necessities.

Sometimes newspapers report “facts,” but then have to sit by while another set of “facts” are denied.

Which brings us to this:

FBI Probes Hack at Citibank
Russian Cyber Gang Suspected of Stealing Tens of Millions;
Bank Denies Breach

The Federal Bureau of Investigation is probing a computer-security breach targeting Citigroup Inc. that resulted in a theft of tens of millions of dollars by computer hackers who appear linked to a Russian cyber gang, according to government officials.

The attack took aim at Citigroup’s Citibank subsidiary, which includes its North American retail bank and other businesses. It couldn’t be learned whether the thieves gained access to Citibank’s systems directly or through third parties.

And then this:

Citi Says Its Systems Were Not Breached

NEW YORK – In response to an inaccurate story today by The Wall Street Journal on Citi’s cyber security, Citi issued the following statement:

Allegations reported today by The Wall Street Journal of a breach of Citi systems and associated losses are false. Any allegation that the FBI is working on a case at Citigroup involving a breach of Citi systems resulting in tens of millions of dollars of losses is false. There has been no breach and there have been no associated losses. We take the security of our customers’ accounts and systems seriously. We continuously take steps to protect our customers against fraud, and we have state-of-the-art processes to detect and prevent criminal activity.

Occasionally, as with virtually all financial institutions, there are instances of fraud or breaches of third-party systems that result in our taking actions to protect our customers and Citi. However, contrary to the Wall Street Journal report today, there has been no breach of Citi’s systems.

Is it really the case that one of America’s great newspapers has declined to the point where it anonymously sources a story, runs the tale by the target institution, casually tacks on their denial, and then publishes a headline like “FBI Probes Hack at Citibank” over four columns of its front page?

If so, that Murdoch guy has some explaining to do.

Or is it actually that the real story is somewhat more complex and the bank here is simply responding in a high-handed manner to the simplified version of events printed by the Journal?

We (repeatedly) asked Robert Julavits, the Citi staffer charged with pressing the bank’s denial on other media outlets, for an explanation. Ditto Siobhan Gorman, the Journal reporter fronting the story.

Both were maintaining a discreet radio silence.

So let’s speculate.


Ms Gorman has probably got access to some good Homeland Security/FBI/CIA source who has painted a hair-raising picture of how Russian cyber-gangs are launching increasingly sophisticated attacks on Western institutions. One lead led to another, a real-life “victim” was found in the shape of a lightening company boss called Robert Blanchard who’d seen $1m magicked out of his account, a few officials declined to comment in just the right tone on the phone – and hey! We’ve got a story.

Meanwhile, Citigroup, like every major bank in the Western world, is covering up the fact that online fraud — both sophisticated and unsophisticated — is running at epidemic levels. But it can’t be seen to be singled out as an institution with weak controls, where the public at large might be fearful of depositing their money.  So it goes on the denial warpath.

But hang on, you say! How about the Citi guy saying: “We had no breach of the system and there were no losses, no customer losses, no bank losses.”

Well, maybe the Latvian Chinese Ukrainian Russian crooks were siphoning cash out of a Citi customer’s account, using his or her computer. The customer would suffer no loss because the bank routinely makes good on the missing money; the bank, meanwhile, makes no loss because when it discovers a fraud such as this it simply contacts the correspondent bank in Latvia/China/Ukraine/Russia to which the money was transferred and demands it back.

That’s the shameful reality here.

Banks’ retail systems, resting on 30-year-old computer code, are not secure. None can face the huge investment required to make them so, and in any case the banks are convinced that new security systems would soon be outwitted by criminals.

So instead they take a passive approach to fraud – relying on the fact that banks across the developing world need to retain correspondent banking relationships and must remain members of SWIFT, the wholesale interbank transfer collective.

So when a fraud is detected by a customer, the stolen “goods” can quickly be retrieved.

Even then, the incident is not routinely reported to the police on the basis that “nothing has been stolen.”

Of course, if the customer doesn’t notice the fraud, the theft never gets registered.  Official statistics in the US suggesting $260m was lost last year in all forms of online crime are a complete joke.

It’s a scandal. Why the authorities and the banks allow this cover-up to continue is a mystery.

As for the Wall Street Journal…