Citi Mastercard - Merchant Database Compromise
#31
Join Date: Apr 2005
Posts: 177
My SO got a call from Citi over the weekend indicating her Citi Chairman Card number had been compromised, that Citi was closing the account, and reissuing a new card. When asked what merchant was compromised, the CSR indicated she was not at liberty to say as a fraud investigation was ongoing. The odd part about all this is that my SO has never used her card...leads me to believe that it wasn't a compromised merchant but a compromised Citi or Amex database.
#32
Suspended
Original Poster
Join Date: May 2003
Location: NYC
Programs: United 1K, HHonors Gold, MR Gold
Posts: 1,628
Update
I've spoken to Citi a few times since my card was compromised. The charges have been cleared, although they say the investigation is still "ongoing". I was never able to persuade anyone (including a supervisor in Security) to tell me who the merchant was. The supervisor, however, did tell me that my card was compromised at a "bricks & mortar" store (not through online purchases), by someone who skimmed my card and created a new one, which was subsequently used in California. I still don't know who the retailer was, but the list is narrowed somewhat because I didn't use the card very much in stores in the last few months of its life.
#33
FlyerTalk Evangelist
Join Date: Nov 2002
Location: All over
Programs: Most
Posts: 10,839
My SO got a call from Citi over the weekend indicating her Citi Chairman Card number had been compromised, that Citi was closing the account, and reissuing a new card. When asked what merchant was compromised, the CSR indicated she was not at liberty to say as a fraud investigation was ongoing. The odd part about all this is that my SO has never used her card...leads me to believe that it wasn't a compromised merchant but a compromised Citi or Amex database.
#34
Join Date: Nov 2008
Posts: 1
This has happened to me too, twice. First, someone got hold of my Citibank card number (although I never lost my card and have used it on just 1 or 2 occasions) and made some withdrawals from a Chicago ATM (I'm in LA)... I contested the charges and CITI refunded the amount, but I could never get anyone from CITI to explain or give details about the fraud. I changed my accounts and got new cards, which I have not yet used, and I got this message from CITI with the subject "Russia Card Compromise" that said my new card may again have been compromised... I'm not sure what's happening. Seems like there is an internal leak or information breach at Citi which they are not telling the customers about... I'm seriously considering changing banks...
#35
FlyerTalk Evangelist
Join Date: Jul 2003
Location: Florida
Posts: 29,755
This has happened to me too, twice. First, someone got hold of my Citibank card number (although I never lost my card and have used it on just 1 or 2 occasions) and made some withdrawals from a Chicago ATM (I'm in LA)... I contested the charges and CITI refunded the amount, but I could never get anyone from CITI to explain or give details about the fraud. I changed my accounts and got new cards, which I have not yet used, and I got this message from CITI with the subject "Russia Card Compromise" that said my new card may again have been compromised... I'm not sure what's happening. Seems like there is an internal leak or information breach at Citi which they are not telling the customers about... I'm seriously considering changing banks...
Here is the experience I have with Chase.
I had a new Chase card that was only used once in a restaurant. It was compromised. I discovered this card's available credit line was reduced by $25 when I happened to log in to Chase online to look up my other cards. Since I only used this card once, I knew right there something was wrong. I called Chase right away and the CSR identified an authorization from a gym in California that went thru just 30 minutes ago. I told him this was a fraudulent charge. He closed the account and requested a replacement card. He said it was good that I caught it in time - now that the card was cancelled and a new card issued, there should not be any more problems... I was also told that an affidavit would be sent to me and I needed to complete, sign and mail it back to Chase.
Almost a month passed, and the said affidavit still had not arrived. However, a 2nd fraudulent charge went thru, on the replacement card! Furious, I called Chase and demanded to speak to a supervisor at the security dept. Guess what? She said there is NOTHING Chase could do to stop the 2nd fraudulent charge, because it went thru under a "Pre-Authorized Recurring Charge" - meaning the gym where the bogus card was used could send charges thru no matter what... She said the ONLY WAY to stop the merchant doing that is for ME to contact the merchant and tell them they have a fraudulent card in their billing system, and tell them to stop using it... She even gave me the 1-800 number of the merchant!
I could not believe what I heard. I told her the affidavit from the 1st fraudulent charge had not even arrived, and now a 2nd fraudulent charge went thru, so what was I supposed to do?! She said just simply write the 2nd charge on the form once I received it, then sign and send it back...
Needless to say, despite their telling me there was no need to close the account, once the 2nd fraudulent charge cleared off the account, I closed it immediately - but kept it on display online so I could continue to monitor it. I also tracked down the merchant, got thru to its call center in Panama City and talked to a guy in the billing dept. At least the guy listened to my story and put a notation on the card number... He said according to the system, the card was used at Point of Sale - meaning there was an actual card present when the charge occurred. Obviously, the waiter skimmed the info from my card and sold it to criminals who in turn produced bogus cards.
You would think once a card is closed due to a fraudulent charge, the problem should stop right there. Not so. My neighbor's AMEX was compromised, big time. They are seniors and never do anything online, so the compromise definitely is from somewhere where they have used the card. They only found out the card was compromised when they received their monthly statement - almost 10K worth of merchandise was bought. They called AMEX, went thru the same drill, card closed, replacement card issued. On the next statement they still saw over 2K worth of fraudulent charges!
You can keep changing banks, but in this day and age, chances are you may encounter a similar incident again, and the new bank may not handle it any better than Citi.
The key is to keep a close eye on your cards' activities, so you can spot fraudulent charges right after they occur, to minimize aggravation.
#36
FlyerTalk Evangelist
Join Date: Jul 2003
Location: Florida
Posts: 29,755
How do you know what merchant it was and what data was in their database? There are certainly companies out there that have both my credit card and my social security number (phone company, for example). Since Citi is apparently not willing to tell me what merchant was affected, I have no way of even knowing what data was lost. And I doubt you know more.
So I'll leave it to the Cal AG's office to make the determination of whether they have violated CA state law.
Seriously, a CC breach is NOT ID Theft - but the media tend to mix the 2 and mislead the general public that they are the same. They are NOT.
Unless your SSN is lifted and being fraudulently used to obtain loans, CCs, whatever, even government assistance like welfare, you are not an ID theft victim.
CC breach is costing consumers money, indirectly - for the losses banks suffer, they have to find ways to make it back. However, as an individual, you will not need to pay the fraudulent charges, as long as you report them in a timely manner. As a cardholder, you have the responsibility to examine your statement and report any unauthorized charge within 60 days after the statement date.
Even though the law says you are responsible for the first $50, in all reality, no issuer would make you pay the first $50.
#37
Join Date: Nov 1999
Location: SFO
Programs: UA 1.050MM, PersonalCar 0.275MM
Posts: 1,718
I have 4 cards issued by Citibank that I have been actively using as of this year; and 1 of them really did have to be replaced with a new card with a new card number because of actual fraudulent usage (pump-and-run transactions at gas stations in Florida). It's not clear if that card was cloned by a run-of-the-mill credit card thief ring, or if the cloning was related to this unnamed merchant database security breach. But my other 3 Citibank credit cards that have been replaced in the last couple of months have not had any actual fraudulent transactions posted to them.
#38
Join Date: Sep 2003
Location: LAS
Posts: 1,323
I've spoken to Citi a few times since my card was compromised. The charges have been cleared, although they say the investigation is still "ongoing". I was never able to persuade anyone (including a supervisor in Security) to tell me who the merchant was. The supervisor, however, did tell me that my card was compromised at a "bricks & mortar" store (not through online purchases), by someone who skimmed my card and created a new one, which was subsequently used in California. I still don't know who the retailer was, but the list is narrowed somewhat because I didn't use the card very much in stores in the last few months of its life.
So, I don't think this suspect "merchant" only affects Citibank cards.
#39
FlyerTalk Evangelist
Join Date: Jul 2003
Location: Florida
Posts: 29,755
What difference does it make?
Do you PREFER your card to be ACTUALLY COMPROMISED then to have it closed, than the Bank pre-emptively closing the account and replacing it with a new account so potential fraudulent charges could not happen? Just because you have that card in the Auto-Pay or whatever shopping portal and you hate to change it? Or in this case, maybe Mastercard itself has detected some security breach, or been informed by Interpol or whatever international agencies that some criminal rings have done some jobs, and MA immediately notified banks to take precautions? What is wrong with protecting the bank's own interest?
Sure, the bank take action to protect its interest - what is wrong with that? If you run a business, wouldn't you do something to protect your own business when there is something bad you see happened?
The data breach is nothing new, whether with Citi or other banks, or even with the Government agencies. Such stories are more common than you would think. Citi is no exception. Just because it wants to take pre-emptive action, people would speculate its security on data base is no good...
Here is a place you can see the major security breaches since 2005, that includes not just banks, but merchants, government agencies, hospitals, universities, etc. etc. And that does not even incl systems being hacked, such as the TJ Maxx mess 2 years ago.
Also the transaction processing companies have had a few large scale security breach in recent years. (the companies that process the transactions when you swipe your card - MC & Visa transactions are processed by such companies, versus AMEX & Discovery which have their own processing network).
http://www.privacyrights.org/ar/Chro...reaches.htm#CP
I am telling you, every major bank in this country has had some type of security breach incidents in the past few years. A few months ago a friend has his BofA card closed and replaced. Furious, he emailed BofA to ask for the reason, as he had the card for all his auto-pay stuff, and he is those folks who only has 1 or 2 cards. BofA NEVER gives him any reply other than the canned response. So he decided to change bank. Guess where he went? Citi! I told him if he changed bank because of it, he would be busy changing bank every year, or worse, every 6 months, in this day and age. 'Nuf said.
I would rather the bank pre-emptively close the card deemed compromised, than deal with an actual fraudulent charge. Don't understand the logic of some people here, that such security action would be a big deal.
Happy, I'm not sure that you're making the distinction that many of us posting on this thread are. Yes, when an individual card actually does get compromised, and cloned, of course it is wise for us to be keeping a close eye on our accounts online and deal with the problem ASAP. But what we're seeing is that Citibank is preemptively replacing a lot of credit cards where there's no actual fraudulent activity yet. This covers their ...; since if the cards are used fraudulently, they're on the hook for most of the liability.
I have 4 cards issued by Citibank that I have been actively using as of this year; and 1 of them really did have to be replaced with a new card with a new card number because of actual fraudulent usage (pump-and-run transactions at gas stations in Florida). It's not clear if that card was cloned by a run-of-the-mill credit card thief ring, or if the cloning was related to this unnamed merchant database security breach. But my other 3 Citibank credit cards that have been replaced in the last couple of months have not had any actual fraudulent transactions posted to them.
Last edited by Happy; Nov 18, 2008 at 1:30 am
#40
FlyerTalk Evangelist
Join Date: Jul 2003
Location: Florida
Posts: 29,755
Last month, I was notified by HSBC Bank that my Mastercard had been compromised by an unidentified merchant, that my card was immediately blocked, and a new card was issued to me that same week. Despite several phone calls to HSBC, they also refuse to tell me who the merchant was. HSBC's fraud dept. insists that it was Mastercard itself that notified them of the breach, but the investigation continues.
So, I don't think this suspect "merchant" only affects Citibank cards.
So why are people getting so upset that Citi did not tell them which merchant it was, or what breach it was? I would be grateful that my cards were being pre-emptively closed for potential security risk, rather than seeing actual fraudulent charges going thru and having to deal with it.
#41
A FlyerTalk Posting Legend
Join Date: Sep 2003
Location: Living the dream in Antigua and the nightmare in Florida
Programs: AA PLAT 2MM, *A Gold, WN detractor
Posts: 49,841
Someone tried to hork my card yesterday
I have been on vacation the past week and a half in Aruba. Because CB assesses a "foreign transaction fee" for purchases in US dollars outside of the USA, I never use it internationally anymore. The last time I used the card was in MIA at the duty-free shop on Nov. 9th. I used it at a gas station yesterday with no problems. This morning I got the call about suspicious activity, but for once it was real (I probably get 2 or 3 of these calls a year). Someone tried to use my number for a purchase at NFL.com yesterday for $542. After I confirmed that it was not me, the account was closed.
This is the second time in the past year that the account has been closed - previously it was for one of the "merchant database" compromises. I don't know why CB seems to have these problems when no other card I hold has ever had them, but I am through with using CB for my automatic payments - the aggravation is no longer worth the miles.
#42
FlyerTalk Evangelist
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA Plat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,839
So why are people getting so upset that Citi did not tell them which merchant it was, or what breach it was? I would be grateful that my cards were being pre-emptively closed for potential security risk, rather than seeing actual fraudulent charges going thru and having to deal with it.
Given that only my Citi card was proactively closed, and none of my or my wife's other banks (Chase, US Bank, Amex, ...) were affected, I still have strong doubts about Citi's story here.
#44
FlyerTalk Evangelist
Join Date: Jul 2003
Location: Florida
Posts: 29,755
The two things are not mutually exclusive: If there is really a merchant database breach, it's nice for Citi to be proactive, but that doesn't mean I wouldn't want to know what merchant was affected. After all, it would give me the ability to decide whether I want to do business with that merchant in the future. Why does that simple desire upset you?? In other words, if some merchant isn't doing a good job protecting my data, I want to know. If you don't care, fine, but don't you tell me that I shouldn't care.
Given that only my Citi card was proactively closed, and none of my or my wife's other banks (Chase, US Bank, Amex, ...) were affected, I still have strong doubts about Citi's story here.
Read my other post more carefully: my friend's BofA card was closed for the same excuse and BofA also refused to give him any details. So he closed the BofA account and opened a Citicard. I guess you can say that he jumped from pan to fire.
The reality is, there are "blocks" of accounts being affected. It could be Citi was unlucky to have many of the blocks being affected - not surprisingly, because Citi is the BIGGEST partner of Mastercard, and probably is the LARGEST Mastercard issuer with the highest number of cardholders. Therefore, Citi's Mastercards would be affected far more frequently than other issuers' Mastercards. Don't you think?
Chase is a Visa issuer, so is US Bank, I believe. You can also argue that Visa may have a better handle on security breaches than Mastercard. However, from my own experience dealing with Chase on an ACTUAL fraudulent charge, I don't give Chase any credit in that department!
#45
FlyerTalk Evangelist
Join Date: Jul 2003
Location: Florida
Posts: 29,755
Honestly, I don't know why people demand to know why and what had happened - what difference does it make? Any bank is vulnerable. Period.
I also don't understand why people like to do the autopay - once you read thru the database, you would realize many security breaches are due to loss of computer tapes or systems being hacked - why increase your vulnerability by storing your credit card info online in a vendor's system?! You can use Outlook or whatever calendar type software to remind you of payment dates etc. I NEVER store any credit card info with any merchant, including the monthly payment to utilities or whatnot. The few minutes required to input card info when making an online transaction are well worth it to me to prevent a potential security breach simply because something happened to the computer tapes or such.