Citibank’s Terrible, Customer-Hostile Security Measures


This is going to be a rant about how horrible Citibank’s customer experience is, particularly around their security measures that are meant to protect their users. I’m still in disbelief at how misguided their systems are.

Of course, I didn’t open a Citibank account because they had an awesome reputation; on the contrary, they’re one of the worst when it comes to customer SAT and user satisfaction. I have an account mainly because I have a mortgage through CitiMortgage, and they provide incentives for integrating. I’m not so sure those incentives are worth the trouble of banking with them.

The ineptness starts with the scattered security systems they have put in place. There’s the online username + password combo, the debit card number + PIN combo, but also a passphrase and, strangely enough, an account number that’s hidden unless you talk with someone on the phone who’ll insist that they can only give you the number one single time.

Individually, these pieces aren’t so bad and are fairly standard for most banks. Where Citibank excels is in tying all these disparate systems together, inexplicably to make them more inconvenient for the end user. For me, this has meant that on three separate occasions, Citibank has locked out my online access (with username + password) because I haven’t validated my debit card and PIN. When I’m locked out, I’m asked to provide the offline debit card number and PIN, plus, inexplicably, the hidden account number that I couldn’t even access if I could sign in to begin with.

There is, of course, no indication that I would need to activate anything to keep banking online. Worse, Citibank will automatically send out cards and PINs (in separate mailings, also fairly standard) without asking or giving any indication to the end user, and then lock out the user when they ignore the unnecessary paraphernalia or if the mailings get lost. It’s presumably done for the sake of security, except no one is asking for new cards.

The resolution to this is just as infuriating. PIN numbers—randomly generated by Citibank—can only be mailed out; they cannot be reset over the phone. Citibank sends them via FedEx overnight shipping, but puts unnecessarily strict restrictions on the shipment type:

  • Has to be signed
  • Has to deliver to the home address
  • Cannot be picked up at a FedEx location

Essentially, if you can’t stay home for a day waiting for an envelope with 4 random numbers in it, you cannot actually reset your PIN and thus cannot log onto the website. The customer service rep. has advised me to go into a bank branch to make it happen, which is again inefficient and does nothing to actually ensure better security, only inconvenience.

Maybe I can rationalize this level of incompetence by assuming that it’s active malice. Consumer banking is a decreasingly attractive business for Citigroup, and outside of simple neglect, perhaps they’re thinking that if they make the experience bad enough, people will just leave and save them the trouble of closing customers’ accounts.