Credit Card Fraud Detection Fail

Like many Costco members, my wife and I have Citi Costco Anywhere Visa cards. Before our recent trip to Japan, I logged in to my account to set travel notifications for both of our credit cards, specifying our departure and return dates. I received a confirmation email that acknowledged our travel itinerary, and it contained two travel notification reference numbers, one for each card.

We had planned to heavily rely on Suica, a prepaid rechargeable contactless smart card and electronic money system, while in Japan. Suica can be used to pay for public transportation systems (e.g., subways, buses, taxis) and general purchases (e.g., restaurants, gift shops, convenience stores). In addition to physical cards, one can simply add Suica to Apple Wallet and add funds electronically at any time.

The day before we departed for Japan, I successfully added Suica to my Apple Wallet and deposited 3,000 yen using my Citi Costco Anywhere Visa card via Apple Pay. The balance was updated within 10 seconds of adding funds, so I was fairly confident that I could recharge my Suica card on demand if I ever wanted to spend more than the remaining balance on my Suica card (foreshadowing).

During my first day in Japan, the Suica card worked flawlessly on a shuttle bus and the Tokyo subway system. For public transportation, it is not even necessary to open the Suica card or turn on one’s iPhone. Simply placing the iPhone in proximity of the scanner is sufficient, and the Suica card in Apple Wallet acknowledges the payment amount on the phone screen. So convenient!

On day 2, I successfully recharged my Suica card with a few thousand yen, again using my Citi Costco Anywhere Visa card. After several unanticipated purchases, I needed to recharge again later that same day, and this time I received payment failure notifications when attempting to use my Citi Costco Anywhere Visa card. After repeated failed attempts, I resorted to using my Apple Card via Apple Pay which worked flawlessly, so I assumed that my multiple purchases had triggered Citi’s fraud detection algorithm, despite me issuing a travel notification to prevent this sort of thing from happening. I then started to worry about completely losing access to my Citi Costco Anywhere Visa card, as that would have made things much more difficult while traveling abroad. Fortunately I had other credit cards that I could fall back on.

I had not received any email notifications (yes, I looked in my spam folder), text messages, or phone calls about fraud alerts. In retrospect, I did receive a text message and voice message from Citi alerting me to potential fraud, but I was unable to retrieve them until after I returned to the United States because I had purchased data-only eSIM plans while in Japan—this precluded me from using voice or SMS text. The voice message stated:

“This is the City Costco card fraud department with an important message for Victor Lee. We need to verify some recent activity on our Costco Anywhere Visa card by Citi ending in ####. Please call us back toll free at 844-612-6834 or TTY 711. Activity may be limited until we hear from you. If you wish to remove this phone number from further notifications, you may contact us at the number we left in this message. Goodbye.”

The text message included a link to login to my Citi account, and upon doing so it provided me with a list of charges that were flagged as unusual activity.

Fortunately I was able to recharge my Suica card with my Citi Costco Anywhere Visa card on day 3, and my physical credit card was also working. My wife also received payment failure notifications when recharging her Suica card more than once in the same day with her Citi Costco Anywhere Visa card, and she too was able to use her credit card with other merchants.

As a side note, I attempted to issue travel notifications for my Chase Visa card, but Chase no longer accepts travel notices, stating that “advanced technology like EMV chips and contactless credit cards help protect your credit card information during both everyday life and international travels.” The same is true for Apple Card Mastercard and American Express.

In summary, despite me issuing a travel notification to Citi, I was unable to avoid payment failures. A lesson learned is that it is a good idea to carry multiple credit cards to be prepared for situations like this when traveling internationally. Also, it would have been nice if Citi had sent me an email notification because data-only eSIM plans are commonly used by international travelers, and I would have been able to view the fraud notifications and confirm the flagged purchases sooner.

COVID-19 Vaccination Record in Apple Wallet

I previously wrote about SafePass LA and briefly discussed why I prefer to store my COVID-19 vaccination record in Apple Wallet. In this post, I’d like to show you how you can get your COVID-19 vaccination record into Apple Wallet. There are 2 methods that I know of.

Method 1: Healthvana

The Los Angeles County Department of Public Health partnered with Healthvana in December of 2020 to provide digital vaccination records as discussed here. A couple weeks after I received my 2nd Moderna COVID-19 vaccine, I received a text message from Healthvana. It contained a URL that allowed me to view a digital record of my vaccination:

After entering some information to confirm my identity, I was shown my COVID-19 vaccine record and presented with an option to add it to my Apple Wallet.

If you did not receive a text message or email from Healthvana, and if you received your COVID-19 vaccination in the county of Los Angeles, you can contact Healthvana and request your COVID-19 digital vaccination record. In the “What is your question about?” field, select “COVID-19 Vaccination” and complete the rest of the form. When I did this for my wife, she received a response later that same day.

Method 2: Vaccination QR Code

If you prefer not to use Healthvana, or if you did not receive your COVID-19 vaccination in the county of Los Angeles, there are other ways to get your COVID-19 vaccination record into Apple Wallet. All you need is a QR code of your vaccination record and an iPhone running iOS 15 or later (at the time of this writing, the current version is iOS 15.1.1).

Step 1 is to get a QR code of your vaccination record. There are at least 2 ways to get a QR code. The first is to retrieve it from your provider. For example, Kaiser Permanente has a portal where patients can login and retrieve immunization history and other parts of one’s medical record. This includes a QR code in SMART Health Card format.

If your provider does not provide a QR code to you, and if you live in the state of California, you can request your digital COVID-19 vaccine record at https://myvaccinerecord.cdph.ca.gov. Simply enter your name, date of birth, your phone number or email, and a 4-digit PIN (any 4 numbers that you want, for the purpose of securely accessing your digital record). After submitting this information, you should soon receive  a text message or email with a link to retrieve your COVID-19 vaccine record which will contain a QR code.

Step 2 is to scan your QR code with your iPhone running iOS 15 or later. Simply launch your camera app and point your rear-facing camera at the QR code. Once your phone recognizes the QR code, it will display a “Health” notification:

Tapping the “Health” notification will take you to the Apple Health app with a prompt to add your COVID-19 vaccination record to Wallet and Health. Here’s what it looked like when I did this for my wife:

Step-by-step instructions, along with other options to add verifiable COVID-19 vaccination information to Apple Wallet and Health, are provided here. Learn more about Apple Wallet here.

COVID-19 Digital Health Credentials

If you’ve received one of the COVID-19 vaccines, you might have realized that there are many ways to prove that you have been vaccinated. First there is the physical “COVID-19 Vaccination Record Card” with the logos from the U.S. Department of Health and Human Services and Centers for Disease Control at the upper right. Here’s mine:

If you received your shot at a location where you normally receive healthcare, you might also be able to access your immunization records through a patient portal. Here’s what mine looks like from a desktop-based web browser. Note that it unfortunately does not list the dates, and there was a data entry error because for my second shot, I asked that it be injected into my RIGHT arm.

In some cases, your local city or county may have partnered with a 3rd party health information technology company to provide you with a digital version of your vaccination record that can be added to a mobile wallet. Los Angeles County has partnered with Healthvana on this effort, and I received a text message that my vaccination record was available to be added to my mobile wallet. Here are screenshots from my iPhone to illustrate what it looks like to retrieve my vaccine information from a mobile web browser and what the record looks like in Apple Wallet:

As if there weren’t enough options, if you have an iPhone and a healthcare provider that supports interoperable patient data through a “Blue Button” download, you could transfer your vaccination information and other health records to your Apple Health app. Follow these instructions to add your health data to Apple Health. Here’s what my immunization record looks like in Apple Health, both in human-readable summary view as well as the underlying data:

There is much discussion about vaccine passports nowadays which has given rise to many questions. Can we do it? Should we do it? Is it even legal? Without getting into a lengthy debate, suffice it to say that technologies have already been around for many years, and we’ve already been implementing digital health credentials to varying degrees for quite some time. For me, adding data related to COVID-19 vaccination simply represents a more comprehensive picture of my overall health data.

In addition to the discussion about vaccine credentials or passports, perhaps a bigger challenge is to figure out whether we can all agree on a common method to share health data. There is a saying that goes something like this: “The great thing about health IT standards is that there are so many of them to choose from.”