UPDATE: Credit Card Fraud - $30K

uberme
Posts: 39
Joined: Wed Aug 12, 2015 3:17 pm

Re: Credit Card Fraud - $30K

Post by uberme » Wed Aug 22, 2018 6:46 pm

This was the reason I cancelled my Citi card in the past, had consistent fraud charges, even after they issued new cards! Didn't have an issue with any other cards then or after.

midareff
Posts: 5792
Joined: Mon Nov 29, 2010 10:43 am
Location: Biscayne Bay, South Florida

Re: Credit Card Fraud - $30K

Post by midareff » Wed Aug 22, 2018 7:08 pm

BanquetBeer wrote:
Sat Aug 18, 2018 10:17 am
Surprise to me you monitor your credit score more frequently than your account. Don’t you check all your accounts monthly? Seems main impact to credit would come after non-payment and may result in contacting credit company later than their requirements for fraud alert.
With a password manager, checking weekly can't take more than 5 minutes at the very most, maybe no more than 3 minutes.

Momus
Posts: 522
Joined: Tue Feb 21, 2012 9:23 pm

Re: Credit Card Fraud - $30K

Post by Momus » Sat Aug 25, 2018 4:13 pm

:? If you don't know your account is used fraudulently, you are a dummy. I check my mint account once daily.

60 days without checking, seriously 2 months? loool that person deserves to be robbed.

JBTX
Posts: 4084
Joined: Wed Jul 26, 2017 12:46 pm

Re: Credit Card Fraud - $30K

Post by JBTX » Sat Aug 25, 2018 6:22 pm

danaht wrote:
Sat Aug 18, 2018 10:57 pm
Sorry to hear about this. One thing I would say is to never use the same password for any of your accounts. Use a password manager like "Password Safe" (https://www.pwsafe.org/) to create and store random complex passwords that are unique for each account you have. That way if a thief hacks a site - and gets your password and other personal information (i.e. email address) from that site - the password he/she gets from the site will not be the same password as your email account. Once the thief has your email password - they can read your emails and find out what accounts you might have. They can also reset passwords, etc - via the hacked email account. Then they can delete any password reset emails to hide evidence that they hacked your email account. It's very important to use different passwords and not variations of the same password. Also, the best protection is to get some type of 2 factor authentication for your financial accounts via your mobile phone. This way even if the thief has access to your email - they still can't access the accounts - because they do not have access to your phone to get the authentication code.

Also I don't use sites that aggregate and store all your financial passwords (i.e. Mint). If something like Mint ever gets hacked - they will have all your accounts + all your account passwords. I think the financial institutions need to find a better way to share information with things like Mint (some type of read only limited access account). Until they do this - I'll stay away from applications like Mint.
While there is that theoretical risk with Mint or Quicken, in this particular instance chances are the issue would have surfaced much quicker. I update Quicken weekly and see all of my credit card activity. If a password changes the download would fail, prompting me to figure out why, which would include me logging in to the website. If that failed I'd try to change the password. If that failed I'd call the credit card company.

I am confused in OP's case how a password or other key info could get changed without a notification to him, unless he just missed it in his mailbox.

JBTX
Posts: 4084
Joined: Wed Jul 26, 2017 12:46 pm

Re: Credit Card Fraud - $30K

Post by JBTX » Sat Aug 25, 2018 6:26 pm

munemaker wrote:
Sat Aug 18, 2018 1:06 pm
BanquetBeer wrote:
Sat Aug 18, 2018 10:17 am
Surprise to me you monitor your credit score more frequently than your account.
Between my wife and I, we have maybe a dozen active credit card accounts. It is a lot easier and quicker to check Credit Karma weekly than it is to log into each account.
But I thought most creditors reported to agencies monthly, so even if you check weekly a particular account's info only changes monthly, so your info could be a month out of date. I could be wrong.....

SpaethCo
Posts: 117
Joined: Thu Jan 14, 2016 12:58 am

Re: Credit Card Fraud - $30K

Post by SpaethCo » Sun Aug 26, 2018 12:33 am

investor4life wrote:
Sun Aug 19, 2018 12:22 am
Sadly, Citi does not have 2FA (not sure why).
Most 2FA implementations are still vulnerable to the most prevalent attack vector: phishing.

https://gbhackers.com/bypass-two-factor-authentication/

It’s a mess because credit card companies send out special offer emails with registration links all the time — I just got one yesterday for the Fidelity Rewards card pushing a bonus for spend over $xxx, with a link to click to enroll for the offer. All it takes is a well crafted email from a plausible domain, and if you’re not using a domain-validating password manager it could go sideways pretty quickly.

mrmass
Posts: 86
Joined: Thu Jul 26, 2018 6:35 pm

Re: Credit Card Fraud - $30K

Post by mrmass » Sun Aug 26, 2018 5:14 am

Not only use 2FA when available, don't use the same pw across all your accounts. To help remember the different passwords consider using a password manager, like LastPass. I use it, DW uses it, and we encourage users at my work to use it.

There are others out there too. Just search for password manager. Good luck.

Prokofiev
Posts: 950
Joined: Mon Feb 19, 2007 9:45 pm
Location: New Orleans

Re: UPDATE: Credit Card Fraud - $30K

Post by Prokofiev » Wed Sep 19, 2018 11:53 am

This is an update on my credit card fraud investigation.

About 60 days after reporting the fraud to Citibank, they have credited my account with the 3- $10k charges for a total of $30k. My credit score is back above 800 and all is well. I was not expecting to hear anything back from them about this, but surprisingly I received a call yesterday requesting more information and giving me a full run-down of what they think has happened. They are still investigating the case and were quite helpful and open in giving me info.


First, they wanted to know if I access my account from a Windows or Mac machine. I have ONLY used Windows products, but the hacker used a Mac machine. Back in Feb, someone logged in with my password and Username from a Mac and changed the Email address on the account. They only changed a single letter - replacing a "1" with a lower case "l". Citi believes this would have triggered an Email to me, but can't prove it and I certainly don't recall such an Email. But most people either ignore this Email or immediately check their account and don't notice the subtle change, since all the info seems correct. The hacker first sets-up an Email account for themselves with this new altered name, which is not difficult. This spoofs the system and all new alerts are sent to the new altered Email, which is controlled by the hackers. After waiting a week, they then proceed to change the address and telephone number of the account. Of course this alert is now sent to the new Email account and you will not receive it. Finally, they change the password and magic questions to lock you out of the account entirely. They then charge as much as possible quickly before you check your account and call the bank.


Several problems with this scenario . . .

How did they get my username and password? Citi believes by phishing. I think that is almost impossible.

How could they get into my account from a different unregistered computer without knowing my secret questions and answers?
Citi again thinks by phishing (impossible) or seeing similar answers on another compromised website where they might have also found my password (weakly possible).

Still a lot of unanswered questions, but there is no doubt someone did this fraud by hacking and not by knowing my card number at a restaurant or store.

Lots of other weird things that might have made a perfect storm with this case . . . My home address changed last year, 4 months prior to the hack. My wallet was stolen in January in Buenos Aires. My computer was fixed in early Feb at a computer geek store and they had access to my machine for several days. I used this computer while visiting China in May right when the fraudulent charges were made. But it now seems (at least CITI thinks) none of this had any bearing on the fraud.


Just some useful info to report back to you. I'm still not sure exactly what happened. I am off the hook for the $30k which is the most important thing for me!
Everything should be made as simple as possible, but not simpler - Einstein
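
Added example, not part of the original post and not Citi's own logic: a sketch of how an account system could detect the chain described above, where the contact e-mail is swapped for a look-alike ("1" replaced by "l") from a newly seen device and the address, phone, password and security questions are changed afterwards. The event format, field names, character map and sample data are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Small constructed map of look-alike characters (not a full Unicode confusables table).
CONFUSABLE = str.maketrans({"1": "l", "I": "l", "|": "l", "0": "o", "O": "o"})
SENSITIVE = {"address_change", "phone_change", "password_change",
             "security_questions_change"}


def skeleton(address):
    """Fold look-alike characters so visually similar addresses compare equal."""
    return address.translate(CONFUSABLE).lower().replace("rn", "m")


def is_lookalike_change(old, new):
    """True when the new address differs from the old one but renders almost the same."""
    return old.lower() != new.lower() and skeleton(old) == skeleton(new)


def takeover_alerts(events, window=timedelta(days=30), device_age=timedelta(days=30)):
    """Flag a look-alike e-mail change made from a recently first-seen device and
    collect the sensitive profile changes that follow it within `window`."""
    alerts, first_seen, open_alerts = [], {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        acct = ev["account"]
        seen_at = first_seen.setdefault(acct, {}).setdefault(ev["device"], ev["time"])
        new_device = ev["time"] - seen_at < device_age
        if (ev["type"] == "email_change" and new_device
                and is_lookalike_change(ev["old"], ev["new"])):
            # Keep notifying the previous address: the new one may be the intruder's.
            alert = {"account": acct, "time": ev["time"], "notify": ev["old"],
                     "new_email": ev["new"], "followups": []}
            alerts.append(alert)
            open_alerts[acct] = alert
        elif ev["type"] in SENSITIVE and acct in open_alerts:
            alert = open_alerts[acct]
            if ev["time"] - alert["time"] <= window:
                alert["followups"].append(ev["type"])
    return alerts


def _ev(day, account, kind, device, old=None, new=None):
    return {"time": datetime.fromisoformat(day), "account": account, "type": kind,
            "device": device, "old": old, "new": new}


# Constructed sample events; accounts, devices, addresses and dates are made up.
SAMPLE_EVENTS = [
    _ev("2017-11-03", "A1", "login", "windows-pc"),
    _ev("2018-01-20", "A1", "login", "windows-pc"),
    _ev("2018-02-10", "A1", "login", "mac"),
    _ev("2018-02-10", "A1", "email_change", "mac",
        "jsmith1@example.com", "jsmithl@example.com"),
    _ev("2018-02-17", "A1", "address_change", "mac"),
    _ev("2018-02-17", "A1", "phone_change", "mac"),
    _ev("2018-02-18", "A1", "password_change", "mac"),
    _ev("2018-02-18", "A1", "security_questions_change", "mac"),
    # Benign: long-known device, genuinely different address.
    _ev("2017-06-01", "A2", "login", "windows-pc"),
    _ev("2018-03-05", "A2", "email_change", "windows-pc",
        "pat@example.com", "pat.jones@example.org"),
]

if __name__ == "__main__":
    for a in takeover_alerts(SAMPLE_EVENTS):
        print(a["account"], "notify", a["notify"], "followups:", a["followups"])
```

The `notify` field carries the previous address, so later change alerts can still reach the real account holder instead of only the newly registered mailbox.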

Prokofiev
Posts: 950
Joined: Mon Feb 19, 2007 9:45 pm
Location: New Orleans

Re: UPDATE: Credit Card Fraud - $30K

Post by Prokofiev » Mon Oct 15, 2018 12:13 pm

I just received an Alert from Credit Karma concerning a data breach of TicketFly.com where my password was compromised (although this breach was some 6 months ago). The time of the breach matches closely with the time of my credit card account being hijacked and I had used this same password for both of these old accounts. Did not remember that or even remember using TicketFly. That could explain how a hacker might have entered, but not how they would be able to answer security questions from a non-registered computer.

Of course I have already changed all my other important passwords, all of which were/are different. Shows how even a slight slip-up from the past can eventually be exploited by a determined hacker.

michaeljc70
Posts: 3746
Joined: Thu Oct 15, 2015 3:53 pm

Re: UPDATE: Credit Card Fraud - $30K

Post by michaeljc70 » Mon Oct 15, 2018 3:55 pm

Thanks for the update. It is hard to believe that they allowed 3 charges that big through without it triggering security. I assume you don't max out the account all the time so that alone should have been suspicious to them. Unless....whoever made the charges was able to intercept the calls from security and say they (pretending to be you) made them.

dustinst22
Posts: 107
Joined: Sun Apr 15, 2018 1:09 pm
Location: Huntington Beach, CA

Re: UPDATE: Credit Card Fraud - $30K

Post by dustinst22 » Mon Oct 15, 2018 4:43 pm

I have a good number of credit cards from bonus chasing, many remain inactive. It's a good idea to tie everything into one interface -- I use Personal Capital for this. Then you can just log in and see if anything stands out, takes a couple minutes.

That said, checking your credit regularly is a good idea -- I found out earlier this year someone had somehow created two Direct TV accounts and then defaulted on them in my name. Fraud seems to be extremely common.

thelimocat
Posts: 20
Joined: Sun Oct 15, 2017 2:04 pm

Re: UPDATE: Credit Card Fraud - $30K

Post by thelimocat » Mon Oct 15, 2018 5:02 pm

"Lots of other weird things that might have made a perfect storm with this case . . . My home address changed last year, 4 months prior to the hack. My wallet was stolen in January in Buenos Aires. My computer was fixed in early Feb at a computer geek store and they had access to my machine for several days. I used this computer while visiting China in May right when the fraudulent charges were made. But it now seems (at least CITI thinks) none of this had any bearing on the fraud."

Well let's see! Address changed, didn't tell Citi did you!! Wallet stolen hummmm lots of info there, computer fixed at shop humm, plenty of time for a geek to surf!!, computer used in China -> they'll hack it the minute it's turned on.

Suffice it to say that these banks have gotten fairly good at keeping track of transactions (cheap data storage is a wonderful thing)

Recently there was an article that discussed the value of credit scores, some guy had a near perfect 850 score. They said anything over about 760 was very good and all this fighting for higher scores was just noise. So all those cards, really why!

I'm glad that it was resolved in your favor. Best news a person can get.

dknightd
Posts: 931
Joined: Wed Mar 07, 2018 11:57 am

Re: Credit Card Fraud - $30K

Post by dknightd » Mon Oct 15, 2018 5:20 pm

Momus wrote:
Sat Aug 18, 2018 7:13 pm
I use mint.
I have thought about using mint.com. But I'm not comfortable giving them all my account information. It seems that might introduce a single point of failure that could be very very inconvenient. It does seem like it would be handy, but do I really want to give them all my personal information on purpose?????

Note to self, consider cancelling some old cards I never use. Maybe keep one or two really old ones, or, maybe not

jabberwockOG
Posts: 1484
Joined: Thu May 28, 2015 7:23 am

Re: UPDATE: Credit Card Fraud - $30K

Post by jabberwockOG » Mon Oct 15, 2018 5:33 pm

Prokofiev wrote:
Wed Sep 19, 2018 11:53 am
This is an update on my credit card fraud investigation.

About 60 days after reporting the fraud to Citibank, they have credited my account with the 3- $10k charges for a total of $30k. My credit score is back above 800 and all is well. I was not expecting to hear anything back from them about this, but surprisingly I received a call yesterday requesting more information and giving me a full run-down of what they think has happened. They are still investigating the case and were quite helpful and open in giving me info.


First, they wanted to know if I access my account from a Windows or Mac machine. I have ONLY used Windows products, but the hacker used a Mac machine. Back in Feb, someone logged in with my password and Username from a Mac and changed the Email address on the account. They only changed a single letter - replacing a "1" with a lower case "l". Citi believes this would have triggered an Email to me, but can't prove it and I certainly don't recall such an Email. But most people either ignore this Email or immediately check their account and don't notice the subtle change, since all the info seems correct. The hacker first sets-up an Email account for themselves with this new altered name, which is not difficult. This spoofs the system and all new alerts are sent to the new altered Email, which is controlled by the hackers. After waiting a week, they then proceed to change the address and telephone number of the account. Of course this alert is now sent to the new Email account and you will not receive it. Finally, they change the password and magic questions to lock you out of the account entirely. They then charge as much as possible quickly before you check your account and call the bank.


Several problems with this scenario . . .

How did they get my username and password? Citi believes by phishing. I think that is almost impossible.

How could they get into my account from a different unregistered computer without knowing my secret questions and answers?
Citi again thinks by phishing (impossible) or seeing similar answers on another compromised website where they might have also found my password (weakly possible).

Still a lot of unanswered questions, but there is no doubt someone did this fraud by hacking and not by knowing my card number at a restaurant or store.

Lots of other weird things that might have made a perfect storm with this case . . . My home address changed last year, 4 months prior to the hack. My wallet was stolen in January in Buenos Aires. My computer was fixed in early Feb at a computer geek store and they had access to my machine for several days. I used this computer while visiting China in May right when the fraudulent charges were made. But it now seems (at least CITI thinks) none of this had any bearing on the fraud.


Just some useful info to report back to you. I'm still not sure exactly what happened. I am off the hook for the $30k which is the most important thing for me!
Thanks for sharing your experience. I'll also suggest what others have posted. 1) make sure your PC has not been infected with a key logger. In some cases the easiest thing to do is simply reinstall the OS along with your apps. 2) Then go thru and change all your passwords for any financial, social, and email accounts. Anywhere 2fa is avail get it turned on. 3) This assumes your phone has not been hacked and cloned which is less likely for average retail customer. But it's a good idea to change basic phone password as well as passwords for your phone apps and email.

Just a warning to anyone reading this to be careful about what you say if a CC calls you regarding high dollar fraud investigation. There is quite a bit of law protecting consumers against CC fraud but if the CC company can determine that there is sufficient lack of care or outright negligence involved by the specific consumer they may decline to reimburse the fraudulent charges. This is much harder to do given existing credit card consumer protection law (unlike debit cards which have few consumer protections) but in any case it is best to be truthful answering direct questions but best to not volunteer anything additional. Just like when "talking" to the police in any kind of investigation (including simple traffic ticket) there is typically little to be gained by talking freely, and a lot potentially to be lost.

investor4life
Posts: 119
Joined: Fri Oct 08, 2010 9:45 am

Re: UPDATE: Credit Card Fraud - $30K

Post by investor4life » Mon Oct 15, 2018 5:39 pm

Prokofiev wrote:
Wed Sep 19, 2018 11:53 am
This is an update on my credit card fraud investigation.

About 60 days after reporting the fraud to Citibank, they have credited my account with the 3- $10k charges for a total of $30k. My credit score is back above 800 and all is well. I was not expecting to hear anything back from them about this, but surprisingly I received a call yesterday requesting more information and giving me a full run-down of what they think has happened. They are still investigating the case and were quite helpful and open in giving me info.


First, they wanted to know if I access my account from a Windows or Mac machine. I have ONLY used Windows products, but the hacker used a Mac machine. Back in Feb, someone logged in with my password and Username from a Mac and changed the Email address on the account. They only changed a single letter - replacing a "1" with a lower case "l". Citi believes this would have triggered an Email to me, but can't prove it and I certainly don't recall such an Email. But most people either ignore this Email or immediately check their account and don't notice the subtle change, since all the info seems correct. The hacker first sets-up an Email account for themselves with this new altered name, which is not difficult. This spoofs the system and all new alerts are sent to the new altered Email, which is controlled by the hackers. After waiting a week, they then proceed to change the address and telephone number of the account. Of course this alert is now sent to the new Email account and you will not receive it. Finally, they change the password and magic questions to lock you out of the account entirely. They then charge as much as possible quickly before you check your account and call the bank.



Several problems with this scenario . . .

How did they get my username and password? Citi believes by phishing. I think that is almost impossible.

How could they get into my account from a different unregistered computer without knowing my secret questions and answers?
Citi again thinks by phishing (impossible) or seeing similar answers on another compromised website where they might have also found my password (weakly possible).

Still a lot of unanswered questions, but there is no doubt someone did this fraud by hacking and not by knowing my card number at a restaurant or store.

Lots of other weird things that might have made a perfect storm with this case . . . My home address changed last year, 4 months prior to the hack. My wallet was stolen in January in Buenos Aires. My computer was fixed in early Feb at a computer geek store and they had access to my machine for several days. I used this computer while visiting China in May right when the fraudulent charges were made. But it now seems (at least CITI thinks) none of this had any bearing on the fraud.


Just some useful info to report back to you. I'm still not sure exactly what happened. I am off the hook for the $30k which is the most important thing for me!
Weren't you concerned/surprised that you did not receive alerts from Citi for the charges *you* made on that card during the 1-week period between email id being changed and the fake charges happening?

Prokofiev
Posts: 950
Joined: Mon Feb 19, 2007 9:45 pm
Location: New Orleans

Re: UPDATE: Credit Card Fraud - $30K

Post by Prokofiev » Mon Oct 15, 2018 6:34 pm

investor4life wrote:
Mon Oct 15, 2018 5:39 pm

Weren't you concerned/surprised that you did not receive alerts from Citi for the charges *you* made on that card during the 1-week period between email id being changed and the fake charges happening?
No. I did not receive alerts for every charge made, on any of my credit cards. Only for change of Email, address or password change. But I would check all my account balances (except this one!) weekly and track them. This card would have a $0 balance for most of the year and was 30+ years old and fell thru the crack as a result. They did have my correct home address after I moved.

I have written and updated this post as a service to our readership. I have read several posts here about "Vanguard stole my money" or "Fidelity account was hacked" where the final outcome was either not reported or much more commonly, the person misinterpreted the facts and all was actually well. Here is an example of a verified hack. I am embarrassed that my password was reused and I didn't discover this. Also today's Credit Karma report on compromised passwords was very useful and helped to possibly explain a likely attack route. I still cannot quite put all the pieces together on how this happened, but wanted to give out the info I received. Thanks for your interest.

Mingus
Posts: 641
Joined: Fri Apr 19, 2013 2:25 pm

Re: Credit Card Fraud - $30K

Post by Mingus » Mon Oct 15, 2018 8:01 pm

munemaker wrote:
Sat Aug 18, 2018 1:04 pm
Yet, they let someone else fraudulently charge my account. How does this happen?
If the card was never activated and still used fraudulently then it means there is a good chance there is a crime ring at the bank issuing the card or even at VISA/MC/etc.
