Credit Card Fraud Detection Fail

Like many Costco members, my wife and I have Citi Costco Anywhere Visa cards. Before our recent trip to Japan, I logged in to my account to set travel notifications for both of our credit cards, specifying our departure and return dates. I received a confirmation email that acknowledged our travel itinerary, and it contained two travel notification reference numbers, one for each card.

We had planned to heavily rely on Suica, a prepaid rechargeable contactless smart card and electronic money system, while in Japan. Suica can be used to pay for public transportation systems (e.g., subways, buses, taxis) and general purchases (e.g., restaurants, gift shops, convenience stores). In addition to physical cards, one can simply add Suica to Apple Wallet and add funds electronically at any time.

The day before we departed for Japan, I successfully added Suica to my Apple Wallet and deposited 3,000 yen using my Citi Costco Anywhere Visa card via Apple Pay. The balance was updated within 10 seconds of adding funds, so I was fairly confident that I could recharge my Suica card on demand if I ever wanted to spend more than the remaining balance on my Suica card (foreshadowing).

During my first day in Japan, the Suica card worked flawlessly on a shuttle bus and the Tokyo subway system. For public transportation, it is not even necessary to open the Suica card or turn on one’s iPhone. Simply placing the iPhone in proximity of the scanner is sufficient, and the Suica card in Apple Wallet acknowledges the payment amount on the phone screen. So convenient!

On day 2, I successfully recharged my Suica card with a few thousand yen, again using my Citi Costco Anywhere Visa card. After several unanticipated purchases, I needed to recharge again later that same day, and this time I received payment failure notifications when attempting to use my Citi Costco Anywhere Visa card. After repeated failed attempts, I resorted to using my Apple Card via Apple Pay which worked flawlessly, so I assumed that my multiple purchases had triggered Citi’s fraud detection algorithm, despite me issuing a travel notification to prevent this sort of thing from happening. I then started to worry about completely losing access to my Citi Costco Anywhere Visa card, as that would have made things much more difficult while traveling abroad. Fortunately I had other credit cards that I could fall back on.

I had not received any email notifications (yes, I looked in my spam folder), text messages, or phone calls about fraud alerts. In retrospect, I did receive a text message and voice message from Citi alerting me to potential fraud, but I was unable to retrieve them until after I returned to the United States because I had purchased data-only eSIM plans while in Japan—this precluded me from using voice or SMS text. The voice message stated:

“This is the City Costco card fraud department with an important message for Victor Lee. We need to verify some recent activity on our Costco Anywhere Visa card by Citi ending in ####. Please call us back toll free at 844-612-6834 or TTY 711. Activity may be limited until we hear from you. If you wish to remove this phone number from further notifications, you may contact us at the number we left in this message. Goodbye.”

The text message included a link to login to my Citi account, and upon doing so it provided me with a list of charges that were flagged as unusual activity.

Fortunately I was able to recharge my Suica card with my Citi Costco Anywhere Visa card on day 3, and my physical credit card was also working. My wife also received payment failure notifications when recharging her Suica card more than once in the same day with her Citi Costco Anywhere Visa card, and she too was able to use her credit card with other merchants.

As a side note, I attempted to issue travel notifications for my Chase Visa card, but Chase no longer accepts travel notices, stating that “advanced technology like EMV chips and contactless credit cards help protect your credit card information during both everyday life and international travels.” The same is true for Apple Card Mastercard and American Express.

In summary, despite me issuing a travel notification to Citi, I was unable to avoid payment failures. A lesson learned is that it is a good idea to carry multiple credit cards to be prepared for situations like this when traveling internationally. Also, it would have been nice if Citi had sent me an email notification because data-only eSIM plans are commonly used by international travelers, and I would have been able to view the fraud notifications and confirm the flagged purchases sooner.

Protect Your Identity

Last month, news broke that hackers stole and sold personal records of 2.9 billion people. The records were stolen from a company called National Public Data which provides services to staffing agencies, employers, private investigators, and other organizations who perform background checks. This apparently places a vast majority of people who live in the United States, Canada, and United Kingdom at greater risk for fraud and identity theft. Also, while this was perhaps the largest data breach of personal records, there are countless other data breaches that have likely resulted in your personal data being released to the dark web. To protect yourself, here’s what most experts recommend.

1. Set up accounts at all 3 major credit bureaus: Equifax, Experian, and TransUnion. While all 3 credit bureaus offer security products and services, setting up an account is free. Remember to safely store your username and password information (that is perhaps the topic of another blog post).

2. Check your credit report from all 3 major credit bureaus. If you’re not accustomed to doing this, the key things to look for are the accuracy of your contact information, revolving lines of credit, and inquiries. If a criminal has attempted to open up credit cards, take out a loan, or change your home address, you should immediately spot those. In the unfortunate event that someone has tried to steal your identity, follow the steps at IdentityTheft.gov.

3. Place a fraud alert on all 3 major credit bureaus. This will make it harder for a criminal to obtain credit in your name because businesses must verify your identity before issuing credit in your name—note that this is why it is important to verify your contact information in item 2 above. All 3 credit bureaus offer fraud alerts for free, and it lasts a year, after which you can renew it (also free). If you were a victim of identity theft and have a police report, you can place an extended fraud alert which will last for 7 years.

4. Place a credit freeze on all 3 major credit bureaus. This provides even greater security than a fraud alert because when your credit is frozen, nobody will be able to access your credit report or open a new credit account until your account with the specific credit reporting bureau is unfrozen (or “thawed”). Like all the other steps above, credit freezes are also free, and they remain in place until you thaw your account. Note that when you thaw your account, you do not necessarily need to thaw all 3 credit bureaus. Let’s say you want to buy a car, and the dealer wants to check your credit before issuing you a loan—if you know which credit bureau they use, you can temporarily thaw that one and then freeze it again after you complete your transaction. Also visit this FTC site to read about differences between fraud alerts and credit freezes.

5. Optionally place a credit lock on all 3 major credit bureaus. I say this is optional becuase the differences between freezing and locking your credit are minor. According to NerdWallet, freezing your credit usually occur within 1 business day and thawing occurs within 1 hour if done online, while locking and unlocking occur instantaneously. Although Equifax offers locking/unlocking for free, Experian and TransUnion charge a fee for this service. If you value the convenience of instant locking/unlocking and are willing to pay the fees (if any), then this may be a desirable option. Otherwise with just a little bit of planning, you can skip this step and achieve all 4 prior steps for free.

One last word on Equifax credit locks. As I mentioned above, Equifax offers credit locks for free, and this is done through its Lock & Alert service. Just note that if you sign up for Lock & Alert, you will need to register with another account that is separate from your “regular” Equifax account where you check your credit report, place fraud alerts, and freeze/thaw your account. I don’t know why they don’t just combine them together, but just note when storing your account information that these are 2 separate accounts. If you’re an Apple user like me and use iCloud to store your passwords, note that there seems to be a limitation where iCloud tries to be helpful by merging these 2 accounts because they have similar domain names. Do NOT overwrite your “regular” Equifax username/password with your Equifax Lock & Alert username/password or you will lose one of them. Hopefully Apple will come up with a solution for this scenario soon.

Fraud vs. Spendthrift

Apparently our family is doing its part to stimulate the economy this holiday season. A few weeks ago I received a fraud alert from Citi via text message and email just a few seconds after my wife made an online purchase:

It was easy to approve the purchase (I responded via text message as you can see from the first image), and we were back to our merry spending ways.

Thank goodness for this technology, even if it was a false alarm. According to this article, fraud detection is getting better with the application of artificial intelligence. However, keep in mind that fraud detection is a reactive measure and that you can and should take preventive measures to safeguard your financial data. Remember to always practice safe online shopping as summarized here. Happy online spending!