> person said well my debit card will remain locked until I answer their questions

You also have the option of reporting them to your state banking regulator [1], the CFPB [2], the FDIC [3] and FTC [4].

A polite way to do this is to write a letter to your bank explaining what happened and Cc’ing the regulators. It will tend to get escalated to their legal department and has a chance of forcing policy change (and producing compensation).

[1] https://www.consumerfinance.gov/ask-cfpb/how-do-i-find-my-st...

[2] https://www.consumerfinance.gov/complaint/

[3] https://www.fdic.gov/contact/

[4] https://reportfraud.ftc.gov/#/

What's your approach for "cc'ing" on a letter?

Cc'ing comes from letters. The usual approach is to send a copy of the letter to each recipient in the cc list

Yep. CC means “Carbon Copy”, as in I’m writing this letter once, and using carbon paper to make copies as I write it. So the main recipient would get the primary copy and the CC recipients would literally get a carbon copy.

This made laugh so hard. I love these kinds of discovery as people make that to some are so obvious.

That's ridiculous. I have a similar story with Citibank. I decided to buy an M2 Macbook Pro less than 30 mins before the nearest Apple Store closed. So I ran to the store and, in doing so, forgot to bring my wallet. I figured it wasn't going to be an issue, since I have all my cards on Apple Pay.... but as it turns out, attempting to purchase with any of them resulted in a fraud block.

The Apple rep told me Amex was the worst, so I figured I'd call Citi. The person on the phone said "I've just sent a code to your phone". I got the text, which reads (and I quote): "Citi ID Code: 671865. We'll NEVER call or text for this code". I told him "this text says you'll never call for this code, yet you're on the phone with me asking me to give it to you". He laughed and said "yeah, I know it says that, but you have to read it to me"

I reluctantly read it to him, he unblocked my card, I tried purchasing again and it got blocked again. I ended up having to run home to get my wallet and run back. The Apple rep was kind enough to let back into the store with like a minute left before it closed.

This was ~6 months ago. My Citi app says my card is blocked to this day and that "[they] need to speak urgently with me", yet I can still make purchases with it as if it weren't blocked. I'm letting it linger in this limbo state to debug what happens. I have also never used this card again unless the POS really won't take Amex.

Semantics, but important: they said they’d never call or text YOU for the code.

In this case you called them and they asked you.

Yeah, I noticed that as I was writing the comment but I was too invested to backtrack at that point lol

Amex actually once did the same to me several years ago when trying to verify my identity while talking to them.

I refused on a couple phone calls. I forget whether in the end I gave it to them or not, the details are hazy. I do remember I left feedback.

To my knowledge, Amex actually stopped that practice since then. Because as you note with the citi experience, it is bad.

Amex asked me, via text, to call a number they provided to verify a potentially fraudulent charge and the first thing the number you call asks for is your full credit card number, all digits, not last four, all of them. The line doesn't even identify them as being from amex (not that you should trust it).

I called the fraud line on the back of the card (which was different than the number in the text) and they confirmed it was authentic but man, everything about that is straight up phishing.

TD Bank is also one that's horrible. Their online banking portal is myonlineaccount.net which is straight up a domain you'd use for phishing.

My mortgage got sold to M&T Bank whose web presence is at www3.mtb.com. I love that for them. I wonder what happened to their cert/HSTS setup on www ;)

But then what do you think the code is for if you can't confirm your identity with it when you call them? This is how it is supposed to work!

I generally use it to log in to my account as 2FA or when shopping online when some merchants also implement a payment process that taps into Citi's, when it also requests it as 2FA. Meaning I'm using it myself in some software rather than handing it over to someone else (even if by using software I'm also technically giving it to someone else)

Citi’s fraud prevention and identity verification systems are absolutely bizarre.

I’ve had them block my card and refuse to talk to me until I read them back a code from a letter in the mail more than once. The code is single-use, so this adds about a week of latency.

On the other hand, they once called me about fraudulent transactions on my card and didn’t hesitate at all to ask me for very personal details on that inbound (to me) call. I hung up and wasn’t able to get back to whatever department made that call due to the reasons above.

> I'd call Citi [...] "We'll NEVER call [...]"

Those are 2 very different things! Indeed they did not call, you called.

> yet you're on the phone with me

That wording is specifically ambiguous as to who placed the call.

It's unbelievable how bad at security financial institutions are. At an old job I had to set up our company with the accounts payable system of a customer. They used a system run by US Bank. They told us that we would receive set up instructions by mail, and a week later we got mail. It said "to begin the set up process go to https://bit.ly/..." and I knew I was being phished. Then I stopped to think and how would anybody know to send the set up packet to exactly the right place at the right time? Must be an insider. So I called US Bank, and they confirmed to me that the packet was in fact legit and this was supposed to be a bitly link. JFC.

I had a similar experience with Sainsbury’s Bank in the U.K.

Called me out of the blue after a failed transaction, I refused to give them the info they wanted and so they locked my account. Unlocking needed me to send them physical info that would have cost me.

Easy to sign up for an alternative. Lost a customer after 15 years. Well done Sainsbury’s Bank.

While their security practices sound woeful and you did the right thing, why haven't you called your bank to unlock your card and give the feedback that the outsourcing is awful?

With those security practices in place, locked is probably the status the card should have.

Who says it’s their security practice… The way the top post is told, I would assume the call to be made by an attacker . :)

It's probably less effort to switch to another bank.

When the WF credit cards were leaked someone claiming to be WF called and asked for my CC# and SSN to see if I'd been hacked. I laughed and told them that if they are hackers they can go F off and if they are truly WF then I need to speak to the manager immediately. I never got to chat with that manager.

This is disappointing to read. I've had nothing but excellent service from Ally. Whenever I've called their customer support, they are quick to answer, polite, competent, and have always resolved whatever problem I was having. But, I don't use their debit card.

Ally remains my favorite and main bank. It is just really complex and difficult to run a national bank as seen by out darling simple bank getting passed around like a hot potato before disappearing entirely. I think simple never really had a chance.

I have nothing but good things to say about ally itself.