A reader recounted their story of how their Citi American Airlines Credit card fell victim to a fraud scam due to convenience features of Citi’s payment system.
Moral Obligation/Objection to Exposing a Scam
I had a conundrum when considering whether to post about the scam a reader encountered. The dilemma was whether writing about the scam encourages others to take advantage of the security loophole at the bank rather than helping customers avoid being defrauded.
Ultimately, I felt that it was more important that people know what happened and how the reader fell prey so that others do not. The reader also shared it with me in the interest of stopping it from happening to others. It is with both the reader’s consent and suggestion that I decided to publish on this.
Credit Card Number Taken
Reader Henry F. recently shared a story with me about fraud on his Citi American Airlines credit card. The numbers were lifted, which is different from his credentials being stolen. Because only the numbers themselves were taken, only certain purchases could be made, and those excluded any for which the billing zip code or address is required.
Charges Incurred
Clearly, these scammers knew what they were doing. Charges were incurred in four different cities, including Chicago and Las Vegas, likely from friendly billers. One charge was for more than $200 at Madame Tussauds, which was a surprise to me since they neither had the physical card nor could run the charge online.
Flew Under the Radar
In total, around $500 in fraudulent charges were incurred before he noticed, and for good reason: the charges cleverly came in at $20, $25, $50, slowly increasing over time. The scammers ran the charges but kept the victim from noticing because his balance never increased. The fraudsters called in and made phone payments for the amounts they had charged, using Citi’s system against the victim.
To make payments easy, Citi stores account information in their system and allows customers to make a payment from their stored checking account without being required to submit any further information. As such, the balance on the credit card never increased though, of course, Henry’s checking account balance lowered.
However, he had no reason to monitor his checking account closely because he rarely used his debit card, spent within his means, and had his bills paid automatically from his account. This created a perfect storm for the thieves.
Citi’s Cooperation
Citi did their part once their customer discovered the fraud. They identified the transactions, all outside of markets he frequented and always followed by an uncharacteristic unscheduled payment. They did what they pledged to do and should be applauded for their zero liability stance and quick cancellation and replacement of his card. The solution to closing this vulnerability is removing stored payment information, which should help customers and the bank catch issues faster.
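The pattern Citi identified, out-of-market charges each followed by an unscheduled payment for the same amount, can be checked mechanically on a statement. The sketch below is an added example, not Citi's system or anything supplied by the reader; the ledger, its field names, the home city and the three-day window are all assumptions.

```python
from datetime import date, timedelta

# Constructed sample ledger (not real data); amounts are in cents.
LEDGER = [
    {"day": date(2019, 3, 1), "kind": "charge", "amount": 6210, "city": "Dallas"},
    {"day": date(2019, 3, 4), "kind": "charge", "amount": 2000, "city": "Chicago"},
    {"day": date(2019, 3, 5), "kind": "payment", "amount": 2000, "scheduled": False},
    {"day": date(2019, 3, 9), "kind": "charge", "amount": 2500, "city": "Las Vegas"},
    {"day": date(2019, 3, 10), "kind": "charge", "amount": 5000, "city": "Las Vegas"},
    {"day": date(2019, 3, 11), "kind": "payment", "amount": 7500, "scheduled": False},
    {"day": date(2019, 3, 15), "kind": "payment", "amount": 6210, "scheduled": True},
]


def find_masked_charges(ledger, home_cities, window_days=3):
    """Return (payment, charges) pairs where an unscheduled payment exactly
    offsets out-of-market charges made within the preceding window."""
    alerts = []
    pending = []  # out-of-market charges not yet offset by a payment
    for entry in sorted(ledger, key=lambda e: e["day"]):
        if entry["kind"] == "charge":
            if entry["city"] not in home_cities:
                pending.append(entry)
            continue
        if entry["scheduled"]:
            continue  # the cardholder's normal autopay is not a signal
        cutoff = entry["day"] - timedelta(days=window_days)
        recent = [c for c in pending if c["day"] >= cutoff]
        # A payment that zeroes out unfamiliar charges keeps the card
        # balance flat, which is what hid the fraud in this story.
        if recent and sum(c["amount"] for c in recent) == entry["amount"]:
            alerts.append((entry, recent))
            pending = [c for c in pending if c not in recent]
    return alerts


if __name__ == "__main__":
    for payment, charges in find_masked_charges(LEDGER, {"Dallas"}):
        cities = ", ".join(c["city"] for c in charges)
        print(f"{payment['day']}: unscheduled ${payment['amount'] / 100:.2f} "
              f"payment offsets charges in {cities}")
```

Because the card balance stays flat under this scheme, the check has to look at payments and charges together rather than at the balance alone.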
Conclusion
The thieves knew Citi’s system well enough to exploit it and that remains a concern. While I am in favor of most payment convenience measures, this is one that adds a security flaw and that’s not worth the convenience to me.
Has something like this happened to you? What security measures do you have in place? Do you think it’s irresponsible to expose scams (potentially encouraging others) or irresponsible to not share the news with readers so they can protect themselves?
Wow, that is scary. Presumably his liability could differ between the credit and checking accounts, which could lead to some unreimbursed costs. A quick Google search suggests that bill payments are considered protected checking activities under Reg E. Of course, one hopes the bank would reimburse for fraud, regardless of their legal obligation. Btw, MT in Vegas sells online tickets.
How does he know only the card number was compromised? If it was taken locally, could be pretty easy to guess the zip code. Some systems only verify based on zip, not the full address.
Citi always asks me a challenge question when I call in. I wonder how the fraudster knew the answer.
This is an inside job. I worked in customer service for Citi and the cardholder is required to verify the name of the bank and the last 4 of the account they’re paying from or a payment cannot be processed using saved information and a full routing and account number must be given. The employee(s) must have lifted the number through the system and made payments to the account, other than that, there’s no way this could have been done.