Edoceo's Blog | Entrepreneurship, Engineering

CitiBank & CostCo: Marketing that feels like fraud

These two companies are engaged in some type of credit card marketing that mostly feels like fraud:

For the past few weeks we’ve received many calls from a number claiming to be CitiBank (855-805-5486). It’s an automated robot when it connects to voicemail; if you answer they connect you to a human who is quite demanding with information. And looking this number up on the internet has scores of people calling it a SCAM or FRAUD. They continue to call our number, which has been registered on the USA DoNotCall site since 2008!

If you call back it’s difficult to proceed without entering a credit card number or SSN. Why would you give that to a contact that is not trusted? Mashing all the buttons, saying ‘Operator’ a bunch of times and then just waiting finally did the trick.

I was eventually connected with a human (Marie). She refuses to provide her employee id. She is unable to tell me anything unless I have the numbers requested above!? I asked what address to send legal paperwork to. Then I was put on hold for 15 minutes.

When Marie came back they said they could remove my phone number from the dialer. But, if there is some fraud happening here – ignoring it is not the right answer? Why would an employee of Citi encourage behaviour that compounds the issues of identity theft and fraud? I demanded a supervisor.

I waited another 10 minutes to speak to a supervisor: Bridgette, in Collections #021684937. Why did I have to talk to someone in Collections!? To my knowledge I have no account here, my business has no account here. And this “Citi” representative claims there is an open account, with a balance!

I finally got the address to send legal issues to, so I could start sending the necessary registered mail for any legal proceedings. I was given these two addresses, but not sure which is better.

PO Box 9101, Des Moines, IA, 50368-9101
PO Box 6077, Sioux Falls, SD, 57117-6077

But the call cannot proceed with anything meaningful unless I share my SSN (or EIN) with them. I’m, naturally, reluctant to give this information to an untrusted contact. I cannot get any more information; it’s a dead end.

I hang up, frustrated and nervous. Identity theft is a big issue – not just for the dollars that could be lost. It’s difficult and very time-consuming to try to fix these issues. The real cost is in one lone human fighting against a wall of corporate bullshit. Hours could be spent on the phone, sending certified mail, consulting with attorneys and all that.

Later that Afternoon

So, I found a CitiBank number that I could trust and called that one. Magically I got someone who is helpful. I asked them about this phone number (the one above, that’s real scammy-looking) and was informed here that it is in fact a CitiBank marketing phone number.

It’s related to a CostCo business account that I had closed over seven years ago. When I was on the line with this account manager they informed me that my old privacy settings were set to not call. They violated their own policy! This is the kind of complaint that should be filed with the FTC.

After maybe an hour of worry about fraud, and about an hour of time on the phone trying to fix things, I was able to discover that there are really no problems. I also received yet another address for CitiBank.

Attn: Customer Service
Citi Bank
PO Box 6500
Sioux Falls, SD, 57117


Basically CitiBank at this point violated internal policy and the DoNotCall registry and used a scammy-feeling marketing tactic to try to re-capture legacy accounts. Accounts that had communications/privacy settings configured as DO NOT CONTACT.

When contacted about this ploy CitiBank made the process difficult and was reluctant to share anything with their prospect/previous customer.

In my own mind the reputation of CitiBank, CostCo and AmEx has been seriously damaged.

Update 2016-10-13

The calls continue.

Update 2016-10-15

After I tweeted to CitiBank they called me back, they mentioned that my phone number (the one on our website) was associated with another account! Perhaps it’s a sales-padding thing, like Wells Fargo. It turns out someone else just used our phone number for contact. It appears that CitiBank takes registrations from “customers” without verifying them. I was told by Amber in their payments department – “anyone can use any phone number”.

Now the issue is that Citi gives credit out to people who they haven’t even verified the phone number for. Then they will harass whoever has that phone number and make it very difficult to get any resolution. But, if you Tweet them, then the matter finally gets handled. WTF.

Windows 10 Hates Dual Boot

The title basically says it all. Windows 10 (and 8 and 7) all really don’t play nice with Dual Boot – despite what Microsoft claims.

First, the failure of Windows 7 to handle dual-boot nicely caused some (many) Windows 7 updates to fail on my Lenovo Y480. I kept getting the error where the updates would try to apply, then fail, then roll back and (after a few reboots) Windows 7 would finally start. This in turn caused my Windows 7 system to never receive the Windows 10 update notification – which was actually a bit of a blessing.

But finally, in June 2016 I wanted Windows 10. And the Upgrade wouldn’t work; and it would fail if I tried from USB. The installer indicated I would have to start over and would wipe the disk! I even took this computer to the Microsoft Store – where I was promised a free laptop if they couldn’t complete the upgrade in one day (I whined about it on HN). Well, of course the Microsoft Store couldn’t figure it out – and weaselled out of the free laptop deal.

After I discovered the Windows failure to handle dual boot issue I was able to get my Windows 7 updated. Then I was able to complete the Windows 10 upgrade as well. But, Windows 10 updates still fail – unless one makes special accommodations for Microsoft’s Developer Arrogance.

Dual Boot Fails

What Microsoft understands as “dual boot” means Windows is the Active Partition and nothing else can claim this. A problem for me; see I use syslinux as my bootloader, /dev/sda1 is the bootable partition and it’s formatted with ext2 (yes 2). Windows 7 (and 10) have updates that, for some reason, need Windows to be on the bootable partition. Not all updates; only some. On Windows 7 the blocker was some patch to SHA2 and I’m not sure about what causes the issues on Windows 10 – probably all of them.

How to Get Updates to Work

First, at your boot prompt choose Windows. Then in Windows open the Disk Manager and set the Windows partition (/dev/sda3) to be the bootable one (aka: Active Partition). Then reboot, Windows should automatically start. Then wait for the updates and the requisite reboot. Now your Windows 10 is updated! To switch back to your desired bootloader you must boot from some external media, then configure your preferred bootable partition – Windows cannot change the Active Partition back to /dev/sda1 because the Disk Manager is a broken pile of garbage. This was a frustrating path.
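As an added illustration (not code from the original post): the “Active Partition” that Disk Manager toggles is a single status byte (0x80) in the MBR partition table, and the Python below parses that table and moves the flag on a copy of the boot sector. It assumes a classic MBR disk rather than GPT; the sample sector is constructed to mirror the layout described here (sda1 Linux, sda3 Windows) and its sizes are made up.

```python
import struct

SECTOR, TABLE_OFFSET, ENTRY_SIZE = 512, 446, 16   # classic MBR layout
ACTIVE = 0x80                                     # status byte of the Active Partition
ENTRY = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors

def parse_mbr(mbr: bytes):
    """Return (number, active, type_id, start_lba, sectors) for each used primary entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 0x55AA boot signature missing")
    entries = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY, mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype != 0x00:                         # type 0 marks an unused slot
            entries.append((i + 1, status == ACTIVE, ptype, start, count))
    return entries

def set_active(mbr: bytes, number: int) -> bytes:
    """Return a copy of the sector in which only partition `number` carries the active flag."""
    if number not in {e[0] for e in parse_mbr(mbr)}:
        raise ValueError(f"partition {number} is unused or out of range")
    out = bytearray(mbr[:SECTOR])
    for i in range(4):
        out[TABLE_OFFSET + i * ENTRY_SIZE] = ACTIVE if i + 1 == number else 0x00
    return bytes(out)

def sample_mbr() -> bytes:
    """Constructed sector mirroring the post: sda1 Linux /boot (active), sda3 Windows NTFS."""
    mbr = bytearray(SECTOR)
    for n, status, ptype, start, count in ((1, ACTIVE, 0x83, 2048, 1048576),
                                           (3, 0x00, 0x07, 1050624, 209715200)):
        struct.pack_into(ENTRY, mbr, TABLE_OFFSET + (n - 1) * ENTRY_SIZE, status, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    disk = sample_mbr()
    for label, target in (("before Windows Update", 3), ("back to syslinux", 1)):
        disk = set_active(disk, target)
        print(label, [(n, active) for n, active, *_ in parse_mbr(disk)])
```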

Magic MBR from Syslinux

The above process sucks. If you are missing your bootable USB tool then you’ll not be able to switch partitions until you can boot from something smarter than Windows. There is a chain loader in Syslinux but I’ve not been able to get that to work – and trick Windows.

Windows as VM Only

But, if you use a toolkit like VirtualBox or KVM to boot Windows from its own partition then everything is great. However, now you cannot go back to booting Windows direct anymore – because Windows is hyper-sensitive to hardware changes.


Windows does not play well with others – NEWS! The work-around is basically allocating dedicated time & resources to running a simple update – or run Windows in a VM – or figure out some bootload trick.

I’m Done with Google – Takeout

After building the huge list of Apps and Services you have connected with your Google Accounts (https://www.google.com/settings/dashboard) you then have to download whatever is left using the https://takeout.google.com/ Takeout tool.

Once you have this download and have reviewed everything on the Dashboard it’s time to delete the designated account from your Google Apps Domain.

Repeat as necessary. For us we had three or four idle accounts in our Google Apps before cleaning this up. For the ones that are necessary you can move the Data to another account that you can control – within the domain. I’m not sure how to move data to an account outside the domain.

I’m Done with Google – Cloud Print

One of the easiest, and most frustrating, “services” Google offers is Cloud Print. It’s basically junk. The Internet is full of dreaded printer offline issues and forum posts about its random loss of functionality.

I enjoyed the promise of Cloud Print but it never delivered. I wanted to print to my office or home printers from anywhere. But Cloud Print would drop connections randomly; printers would be offline and require some magic incantation of un-install, reboot, purge Chrome cache, manage devices – across Mac and Linux systems. This was actually one of the easier services to drop.

Like many folks in the “tech” space I’ve got a VPN method into my Home and my Office. This VPN is powered by a Raspberry Pi running OpenVPN. So, simply adding CUPS to this machine and plugging printers in via USB got that part sorted.

It was actually one of the easier Google Services to drop. My frustrations caused by random things breaking have been greatly reduced. Simple and easy.

I’m Done with Google (Part 2)

A long while ago I wrote about being Done with Google. They have simply taken over too much for my taste. Frankly however, I went “all in” on Google around 2006 or so. I moved many domains into the Google Apps and enjoyed all the services they offered. But, as they grew these services suffered; my most critical issue then was that inbound messages were getting dropped (because of how Groups had changed for Businesses over time) – it negatively impacts my customer service. So I started the migration out.

First let me say that you cannot escape Google 100%; just not possible. If you want to have a business presence on the Internet you must engage with Google and other large players (Twitter, Facebook, etc). So, we still have to maintain a Google Account – but we are moving towards one, based on a Gmail address.

As I mentioned before I have/had a number of domain accounts with Google using Mail and, as it turns out, many other services. Some I could just drop and had so little content I didn’t care but for the Edoceo brand I had loads of stuff – from Blogger (migrated to WP); Apps on the Play Store, YouTube, Google+ Pages and all that jazz.

Using a single “unified” Google Account (already existing) I started with a spreadsheet tracking all domains I had moved into Google (>5, <10) and then all the Services in there; then all the Accounts.

Last entry on this topic was over a year ago. It’s taken that long to audit and build this list. It was quite shocking to see how much interaction/integration with Google one human (or one company) has.

Stay tuned for the longer stories of migration of various accounts & services.

CyberCoders Shameful Recruit Solicitation

I’ve got a role as a CTO (among other things). In this role one of my duties is finding and acquiring talent for our engineering team. Functionally this duty involves posting job applications, reviewing resumes and candidates. Additionally it involves fielding emails from recruiters from companies such as CyberCoders, TopTal, various boot-camps and others.

Finding talent is hard; there is a good book about the problem: Smart & Gets Things Done. I find myself agreeing with Joel more often than not. These “flashy” recruiting firms don’t make it any easier – quite the opposite in fact.

I don’t respect the work of CyberCoders. It’s not recruiters that bother me. In reality, good recruiters are totally worth the money they earn – which is true of anything: Quality has Value. Durrrr. The problem with CyberCoders specifically is this email footer.

The candidate identified in this email is a recruited candidate of CyberCoders, Inc. If the candidate is hired for any position whether part time or full time, as “Contract”, “Direct Hire”, or in any other capacity by your organization or any affiliate within 12 months from the date of this submission, your organization will owe a fee in accordance with CyberCoders’ standard Fee Agreement. If you have any questions about our standard Fee Agreement, please check our web site www.cybercoders.com or contact 949-885-5151.

Look at that. Read it again. CyberCoders has now injected themselves into any financial transactions I may have with this candidate for the next 12 months. “Oh, but they need to get paid for their services” I hear you saying. People should be paid for services rendered. However, we’ve never engaged CyberCoders. We’ve requested many times for them to stop sending us this spam. We have rejected their solicitations multiple times.

Shit got real today. Yet another spam from CyberCoders identified a candidate for us. This candidate is a person I’ve known since 2012! We are directly connected on LinkedIn. Now they are blocked. It was embarrassing to tell them that I couldn’t consider them for any position for at least the next 12 months. At this point any candidate who arrives via CyberCoders has to be immediately rejected – and blocked for the next 12 months. We’ve had to start keeping a spreadsheet.

It also makes me wonder if CyberCoders is just surfing my LinkedIn and sending me links to folks I already know, maybe with some algo to identify specific connections. I mean, I could write this code, so I’m sure they could too.

# Walk my LinkedIn connections and flag the viable candidates.
for C in djb.connections:
    if is_viable_candidate(C):
        ...

Issues Migrating to CloudFlare

I’ve been working to migrate one of my systems over to CloudFlare which on its face appears to be a pretty good service. I created an account, entered my payment information and began evaluating their services. I was not impressed with help pages that had images fail to load (due to 404s). Pressing buttons that generated some vague error message (request failed #1053) and froze up pages were also a bit of a turn off. Then the real pain started.

Switching NS

The first thing that CloudFlare is forcing me to do is flip over to using their NS. It’s handy that they’ve crawled my existing DNS and imported a bunch of the necessary records. That is a good thing. However, I don’t want to migrate NS until I’m sure this is the right path. Switching NS takes about 24 hours, so if there is an issue I’ll have to wait another 24 hours to roll-back the changes. I’m not willing to risk my site availability for 48 hours.

Blocked on SSL

Even without switching the NS records we can see what IPs CloudFlare would resolve my host to (using dig $hostname @ns.cloudflare.com). I then tweaked my /etc/hosts file to reflect that and attempted some connections. CloudFlare assures me that SSL will work. However, CloudFlare SSL doesn’t work until the NS has been switched. And I cannot switch the NS until I’ve verified that SSL works – and I don’t like to wait 24-48 hours to determine if I just broke a web-application that generates revenue.

Support Fails

I asked for clarity on the situation from their support team and explained my risk-averse position. They basically told me just to flip the NS. I don’t think they understood the request.

Sales Support

I contacted their sales team. I’ve signed up for a paid product; the marketing materials said that things would be possible – things that are not working. The sales guy reported that with CloudFlare the SSL and NS are tightly integrated – only after NS is switched and verified can the SSL be issued. It was not a joke. First switch NS and hope it works; after NS has been moved (and traffic is routed via CloudFlare) can the SSL be issued. This whole thing runs on SSL. So switching means that I’m exposed to risk that my NS/DNS stuff gets messed up and that while that is happening the SSL will be broken too.


CloudFlare is a reasonably good product and the protections they offer are good and priced well (at $200/mo). This onboarding process sucks however. It’s not even possible to evaluate the outcome of the work you will be attempting – to ensure that things will go smoothly. If there was a mistake it would cost me more than I pay CloudFlare in a year.

To actually evaluate this process I’ve had to start off with a new, throw away, domain; get it configured similar to my primary, purchase (and wait) for its SSL certificates then flip to the CloudFlare NS, wait to see what happens – all while monitoring for breakages on this test domain.

The lesson for other technology firms is: Don’t make the risk of switching cost more than the services provided; allow customers to get a full evaluation rather than forcing them to take high-risk first steps – just to on-board with your product.