Citibank / Citigroup’s Shoddy System Architecture

Posted on by Rob
Reply

So, I want to buy a house soon… you know, a gorgeous, rambling estate in New Jersey’s Somerset, Morris, or Hunterdon Counties. Somewhere I can pay $5 billion a month to have the lawn mowed, bequeath to The Sophster, yet never furnish — except for the one room where the computers reside.

Anyhow, now that I am out of DREAMWORLD… in order to help finance this purchase in the most economical fashion, I decided to insanely bolster my credit rating by going the App-O-Rama route.  I had my golden years (in the eyes of the creditors), playing with credit from 19 years of age to about 24.  Like many young Americans, I dug myself into a hole of expiring promos where interest racked up like gangbusters and had one hell of a time trying to pay off the bills from 24 to 29.  After that, I swore off credit cards and lived off of debit and cash.  Sadly, the offers for AmEx Platinum and low rate mortgages dried up like SpongeBob in Death Valley, as did my credit rating.  Although my score was “high,” I was routinely denied for the simplest of requests during the credit crisis of the late aughts.  I couldn’t even get a store or gas card due to “Lack of real estate or revolving accounts” (I had only 3 credit cards that I barely used.)

Fast forward to the opening of the lending floodgates, along with a time in my life where I began utilizing those 3 accounts again and paying them in full each billing cycle, and the offers began to pour in again.  I took my time researching how to get my creditor attractiveness back to its 1999 – 2004 levels and the idea of the AoR or “App-O-Rama” came into play.  For the uninitiated, you essentially apply for as many credit instruments as possible in a one day span as not to incur the dreaded credit score ding of an “inquiry” or “hard pull.”  Basically, you ARE receiving a 2 to 5 point ding for each inquiry, but when the creditor runs your report that day to make a decision, all the other inquiries have not been tallied up on your credit report, so what they see at that time is hopefully a responsible, flawless, record.

Like I said, the inquiries WILL show up in a matter of days, so one must be sure to get this application frenzy done in about 24 hours.  The desired result is that even with the hard pulls, you now have attainable credit lines so far beyond your initial line of credit that your credit utilization percentage, if any, is minuscule.

So, I did this and ended up with cumulative a credit limit hundreds of millions of times more than what any decent human requires.  That being said, there are only a finite amount of lenders offering credit cards worth your while, so choose wisely.

The creditor I am about to dig into is Citibank/Citigroup.  They offered me four different cards.  Although co-branded, these cards essentially get all of their money from Citibank.  One was a standard Citibank Mastercard.  Another was a Sears store charge.  Two gas cards, one for Shell and the other for Sunoco also were part of the deal.

Now… here is where the problem with their system lies:

I gladly activated all of these cards and began making small charges on therm to establish bill paying rapport.  As I am sure you can understand, having to maintain 4 distinct logins and provide ACH/Electronic payment info to each card is burdensome, so when I saw the “Add another Citicard to this login” link, I was stoked.

For some reason or another, I didn’t take note of this feature until I registered my last card, the Royal Dutch Shell “Drive for Five” gas card.  Thankfully, upon selecting “Link your other accounts to this login” I was not prompted to enter all the card number, expiry, ZIP code and CVV code info as when I originally registered each card before.  All the system/site wanted was my login and password for each of the other accounts.  Cool!!!

Added Sears.  Great – success page served and now a “Which account do you want to administer” dropdown/select group appeared in the main navigation.

Added Sunoco.  Awesome!  Same thing as for Sears.

Time to go back to account home page and see the drilldown.  Not good.

I now received a “General error” page with no way to navigate anywhere but to the privacy policy, site terms, and the global Royal Dutch Shell page (remember this was based on logging into the Shell branded version of Citi’s “accountonline.com” site)

I called technical service and dealt with a friendly and semi helpful representative, who after providing my account number and last four of the social, was able to pull up my login name and request confirmation on the handle.  He had the right creds and he then informed me that on his end, he was able to use a “master password” to successfully login to my account without error.  When I told him that I only got an error page 20 minutes prior to the call, he insisted that he could no longer help me until I was in front of a machine again.  Because I was on the road, this was impossible so we ended the call with him telling me to call back with card in had, in front of a computer if the problem persisted.  The problem DID persist, and I called back.  The next rep I dealt with was a nice lady to whom I explained my previous CR interaction with.  She essentially told me there is no master password and that the guy I spoke to before was a bald faced liar.  Dissent among the ranks. Not good.  She then connected me to an offshore rep named “Knuckle” who had no idea of what was going on as he had no authority to do anything for any credit cards, let alone gas or store cards as he specialized solely in checking/debit card issues.

Gah.

Knuckle was then so kind as to hook me up with Reno Jim who, in his defense was working in Nevada at 5:30AM local time.  Jim liked dismissing any of my own observations on how the account behaved and what induced the anomaly.  Even when I informed him that by this time if I peeled the URL from other Citigroup sites once “improperly” logged into the Shell site, I could then successfully navigate to the payment page and such — this made no difference to Jimbo.

So, to further this system nightmare, there is this horribly thought out bastard cookie or token that is set by Citibank or Citigroup sites that assumes your session while on any of their sites — be it citibank.com or any of the sites living under accountonline.com…. for example:

I go to pay my Sunoco card and I get to the page where I enter the payment info…. Oh dear, I forgot my account and routing numbers, let’s login to Citibank (in the same browser)

Great, I have my account info, let’s paste it into the required fields on the SUNOCO branded site.

Excellent, it’s all there… let’s submit that payment.

BOOO!  The Citibank session has now usurped the login at Sunoco because there is NO DISCRETION between their sites and all that info I just entered and thought I was posting to the Sunoco account has now induced a system error from the MAIN CITI SITE.

Try doing this on any site… Login to Sears, then login to Shell or BestBuy or whatever, then try to continue completing actions on the original site… You’ll get the boot.

Terrible oversight, Citi!!  Fix it.

 

Yeah, I am here…

Posted on by Rob
Reply

I am Rob Healy, count rocula,  Front end developer, site developer, son, brother, dad, good-times-guy, and now; a blogger.

I’ll post my programming hurdles and solutions, stuff about my little one, music, so on and so forth.

Hope some of it helps.