A reader recounted how his Citi American Airlines credit card fell victim to a fraud scam due to convenience features of Citi’s payment system.
Moral Obligation/Objection to Exposing a Scam
I had a conundrum when considering whether to post about the scam a reader encountered. The dilemma was whether writing about the scam encourages others to take advantage of the security loophole at the bank rather than helping customers avoid being defrauded.
Ultimately, I felt that it was more important that people know what happened and how the reader fell prey so that others do not. The reader also shared it with me in the interest of stopping it from happening to others. It is with both the reader’s consent and suggestion that I decided to publish on this.
Credit Card Number Taken
Reader Henry F. recently shared a story with me about fraud on his Citi American Airlines credit card. The card numbers were lifted, which is different from his credentials being stolen. Because only the numbers themselves were taken, only certain purchases could be made, and those excluded any for which the billing zip code or address is required.
Clearly, these scammers knew what they were doing. Charges were incurred in four different cities, including Chicago and Las Vegas, likely from friendly billers. One such charge was for more than $200 to Madame Tussauds, which was a surprise to me since they neither had the physical card nor could run the charge online.
Flew Under the Radar
In total, around $500 in fraudulent charges were incurred before he noticed, and for good reason: cleverly, they came in at $20, $25, $50, slowly increasing over time. The scammers ran the charges but then circumvented the victim’s awareness because his balance never increased. The fraudsters called in and made phone payments for the amounts that they had charged, using Citi’s system against the victim.
To make payments easy, Citi stores account information in their system and allows customers to make a payment from their stored checking account without being required to submit any further information. As such, the balance on the credit card never increased though, of course, Henry’s checking account balance lowered.
However, he had no reason to monitor his checking account closely because he rarely used his debit card, spent within his means, and had his bills paid automatically from his account. This created a perfect storm for the thieves.
Citi did their part once their customer discovered the fraud. They identified the transactions, all outside of markets he frequented and always followed by an uncharacteristic unscheduled payment. They did what they pledged to do and should be applauded for their zero liability stance and quick cancellation and replacement of his card. The solution to closing this vulnerability is removing stored payment information, which should help customers and the bank catch issues faster.
The thieves knew Citi’s system well enough to exploit it and that remains a concern. While I am in favor of most payment convenience measures, this is one that adds a security flaw and that’s not worth the convenience to me.
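The pattern Citi used to identify the fraud (charges outside the cardholder's usual markets, each followed by an unscheduled payment for the same amount) can be written as a simple check over statement data. This is an added example, not Citi's logic or data from the reader's account; the record layout, the home city, the five-day window and the sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Txn:
    day: date
    kind: str          # "charge" or "payment"
    amount: float
    city: str = ""     # charges only
    channel: str = ""  # payments only: "autopay" (scheduled) or "phone"

HOME_MARKETS = {"Boston"}   # assumed: cities the cardholder frequents
WINDOW = timedelta(days=5)  # assumed: how soon the offsetting payment follows

def offset_pairs(txns, home=HOME_MARKETS, window=WINDOW):
    """Pair each out-of-market charge with a later unscheduled payment
    of the same amount, which keeps the card balance from rising."""
    payments = sorted((t for t in txns if t.kind == "payment"
                       and t.channel != "autopay"), key=lambda t: t.day)
    used, pairs = set(), []
    for c in sorted((t for t in txns if t.kind == "charge"), key=lambda t: t.day):
        if c.city in home:
            continue
        for i, p in enumerate(payments):
            if (i not in used and timedelta(0) <= p.day - c.day <= window
                    and abs(p.amount - c.amount) < 0.005):
                used.add(i)
                pairs.append((c, p))
                break
    return pairs

def should_alert(txns, min_pairs=2):
    """One matched pair can be coincidence; repeated pairs are the pattern."""
    return len(offset_pairs(txns)) >= min_pairs

# Constructed sample statement (not data from the incident).
SAMPLE = [
    Txn(date(2024, 3, 1), "charge", 62.10, city="Boston"),
    Txn(date(2024, 3, 3), "charge", 20.00, city="Chicago"),
    Txn(date(2024, 3, 4), "payment", 20.00, channel="phone"),
    Txn(date(2024, 3, 9), "charge", 25.00, city="Las Vegas"),
    Txn(date(2024, 3, 10), "payment", 25.00, channel="phone"),
    Txn(date(2024, 3, 15), "payment", 62.10, channel="autopay"),
    Txn(date(2024, 3, 18), "charge", 50.00, city="Chicago"),
    Txn(date(2024, 3, 19), "payment", 50.00, channel="phone"),
]

if __name__ == "__main__":
    for c, p in offset_pairs(SAMPLE):
        print(f"{c.day} {c.city} ${c.amount:.2f} offset by {p.channel} payment on {p.day}")
    print("alert:", should_alert(SAMPLE))
```

A cardholder can apply the same idea by hand: any card payment that was not scheduled and matches a recent unfamiliar charge is worth a call to the bank.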
Has something like this happened to you? What security measures do you have in place? Do you think it’s irresponsible to expose scams (potentially encouraging others) or irresponsible to not share the news with readers so they can protect themselves?