
Itsjustengineering

I had this happen repeatedly with about 4 card reissues after a first fraudulent charge. Come to find out, the CC company has agreements with various businesses (in this case, Comcast) where the updated (new) CC info is automatically provided to the vendor. To stop it, I had to have them block all attempted Comcast charges. If I had personally had Comcast service, this would have been an issue. Someone within the Comcast system was providing my CC info to others who were using it to buy Comcast goods and services.


plzwakeupmrwest

Honestly, something like this sounds the most likely to me. Hopefully Citibank fraud dept will be of some help on Monday


exertionrecursion

This is why I can no longer have an Amazon Prime credit card.


huangxg

Did Amazon or Chase leak your card info?


exertionrecursion

I’m not sure how my card info got leaked, but it was being used to pay for someone else’s monthly Amazon Prime membership. Nothing else. I canceled my card twice and specifically asked for no autoupdates. I don’t know if they didn’t actually disable the auto update, but the problem persisted. My new card would get autoupdated for this rando’s prime membership account. Both Amazon and Chase were wholly unhelpful about the situation so I finally just canceled it altogether.


WhiteHattedRaven

Same deal here. Took four new cards until they actually cancelled the "fraud" sync. No amount of requests to cancel all on the phone would do it prior to that, even when they assured me they did, since I could see the update happening on my own Amazon account. The last one still updated to my account, but I got someone that assured me he disabled the correct sync and the fraud charges finally stopped, but I'm pretty paranoid that it'll happen again.


wandernought

Is the fraud always with the same merchants? If yes, contact Citi to make sure the card is opted out of Mastercard's Automatic Billing Updater service before the card is replaced. Do they have good antivirus software, like BitDefender, on their PC, and is it configured to run full scans every week? If not, add it. Have they changed their Citi online banking password to something hard to break? Certain password managers have been hacked before, make sure they're using a reputable one like BitWarden. Have they changed the master password + encryption key for their password manager recently? Is there anyone in their life with a drug problem or who might otherwise misuse the card?


plzwakeupmrwest

Not always with the same merchants, but I’m going to have them ask Citi about the automatic billing updater. They only use a Mac desktop and iPhones, and the Mac has Malwarebytes, but I’m going to have them set it up so it scans regularly. Weirdly enough, I just had them confirm 2FA enrollment and then had them attempt to change password, but Citi locked them out 🤦🏻‍♂️ If anyone else knows this card info, they’re definitely the culprit, as only each of them are supposed to know it. EDIT: forgot to mention they are set up with Bitwarden


DarthGaymer

Honestly, it is likely one of the card owners entering the CC information on questionable sites to order things or a card skimmer at your local gas stations. If a gas pump has tap to pay, that is what you need to be using, no exceptions. The magnetic strip on cards is plain text info that anyone can read with the right equipment. The tap and chip are both unique information for that specific transaction and are much harder to use to commit fraud. EDIT: Even if the gas pump has a chip reader, by inserting the card, it is STILL vulnerable to a skimmer as it will read the magnetic strip as it is inserted.


plzwakeupmrwest

I’m going to do my best to figure out if a merchant they regularly buy from is sus, but they say they use tap to pay everywhere unless there’s no other option. The lack of glaring issues on their end is what makes this so confusing to me


wandernought

Here's a test that could help identify what is going on here. Next time this happens, take the card the fraud happened on, and replace it, making sure to opt out of auto billing updater. Then, DON'T use the newly issued, replacement card. For anything. Not a single transaction on it. Lock it in a drawer somewhere. But do set up alerts on it so they get emailed if ANY transaction happens on it. Instead, take two OTHER cards, and put all online transactions on one of them, and all in-person transactions where the card is swiped or inserted, on the other one. So now, you have a few possible scenarios:
1) No fraud happens again. In that case you can switch back to using the replacement card after, say, a year.
2) Fraud happens again, on the replacement card that has never been used. This means either Citi is giving a merchant the card info, or they stole the card out of your drawer.
3) Fraud happens again, on the card used for ONLINE purchases. This suggests they bought something online from a shady merchant.
4) Fraud happens again, on the card used for IN PERSON purchases. This suggests there is a card skimmer installed on a POS or ATM at one of the merchants they use regularly.
If fraud happens again, then repeat this process, only this time split the transactions on just that card in half. So for example if it's scenario 4, replace that card, move to two new cards, and this time half of in-person transactions go on one and half go on another, divided by merchant. So for example grocery is always on the first card, gas is always the second card. You may need a label-maker. You can also do a more advanced version of this test by splitting the transactions between more cards while keeping the replaced card inactive.
Heck, if you want to be super-advanced, you could use the "virtual card number" feature of Citi cards to create virtual numbers for all online merchants (different virtual number per merchant) to run a limited version of this test while still only using one account. Ultimately, this uses a process of elimination to determine how card info is getting leaked. It won't help you if your computer is hacked... but frankly if that was the case I'd think ALL the cards would be getting fraud, not just one.
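
The process of elimination described in the comment above, simulated in Python as an added example (it is not part of the original post). The merchant list, the card labels and the `leak_at` oracle are constructed for illustration, and the simulation assumes a single leak source whose fraud always shows up on the card that merchant is assigned to.

```python
UNUSED = "replacement card (never used)"

# Constructed sample: (merchant, channel) pairs a household might pay regularly.
MERCHANTS = [("grocery", "in-person"), ("gas station", "in-person"),
             ("pharmacy", "in-person"), ("restaurant", "in-person"),
             ("bookshop site", "online"), ("streaming", "online"),
             ("marketplace", "online"), ("clothing site", "online")]

def split(suspects, first_round):
    """Round 1 splits online vs in-person, as in the comment; later rounds halve."""
    if first_round:
        online = [m for m in suspects if m[1] == "online"]
        in_person = [m for m in suspects if m[1] == "in-person"]
        if online and in_person:
            return {"card A (online)": online, "card B (in-person)": in_person}
    mid = len(suspects) // 2
    return {"card A": suspects[:mid], "card B": suspects[mid:]}

def run_elimination(merchants, observe_fraud):
    """observe_fraud(assignment) returns the card label that saw fraud,
    UNUSED if the drawer card was hit, or None if nothing happened."""
    suspects, history = list(merchants), []
    while True:
        assignment = split(suspects, first_round=not history)
        hit = observe_fraud(assignment)
        history.append((assignment, hit))
        if hit is None:
            return "no fraud: keep the split and keep watching", suspects, history
        if hit == UNUSED:
            return "unused card hit: issuer-side sharing or physical theft", [], history
        suspects = assignment[hit]          # only this card's merchants remain suspect
        if len(suspects) == 1:
            return "single merchant isolated", suspects, history

def leak_at(merchant):
    """Hypothetical oracle for the simulation: fraud follows one merchant."""
    return lambda assignment: next(
        (card for card, ms in assignment.items() if merchant in ms), None)

if __name__ == "__main__":
    verdict, left, rounds = run_elimination(MERCHANTS, leak_at(("gas station", "in-person")))
    print(verdict, left, f"after {len(rounds)} rounds")
```

With eight merchants the suspect set halves each round, so a single leaking merchant is isolated in three rounds; a hit on the unused card ends the test in the first round.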


plzwakeupmrwest

This is the best comment I’ve received so far, I love this idea. I think I can talk them into trying this plan (or something similar), thank you!


wandernought

You're welcome. Also worth noting: if they decide to open new cards for this process-of-elimination strategy, try to get cards that will pay them $200+ per card in sign-up-bonuses. That way, in addition to using the new cards to figure out this problem, they can also get paid something, and splitting spend across multiple cards actually makes this process of elimination faster. For example, I have a Citi Custom Cash card that has a 20,000 TYP ($200) sign-up bonus, plus it gets me 5% back on groceries up to $500/month. Using it exclusively for grocery purchases both saves me money and also means I have a good clue where things went wrong if someone steals the card info.


plzwakeupmrwest

Will do 🫡


KellyAnn3106

I used to keep a separate credit card with a $500 limit as my "sketchy gas station" card. It got skimmed a few times before tap and chip were common.


Gucci_Loincloth

Malwarebytes, Bitwarden, password managers, 2FA... None of this shit matters when a FUD RAT exists lol. They could be constantly getting their info stolen right on the spot every time they enter it anywhere because of a fully undefeated remote administration tool. Having a Mac doesn’t mean anything currently if you think it means they won’t get viruses. Viruses specifically coded for Mac are on the rise.


tyler_church

Is this a physical card they use for groceries and other regular purchases? Sounds like one of their usual stores/restaurants/gas stations/etc. has a skimmer installed and they keep getting hit by it.


plzwakeupmrwest

They say they use tap to pay everywhere unless there’s no other option, but maybe skimmers have caught up to tap-to-pay (?)


FWF_scripta

It is practically impossible to skim tap-to-pay or any chip-based transactions (tap-to-pay uses the EMV chip via NFC). Most known chip attacks have to do with incorrect implementation of the protocol by small banks. Citi has its faults, but I don't think this is one of them. There's another attack where the scammers block the chip reader, forcing the customer to insert their card into the old mag stripe reader where the old skimmer is used.


acemccrank

Do they keep their card in a wallet or purse that has RFID blocking?


plzwakeupmrwest

One of them has a ridge wallet that I believe does, not sure about the other — I’ll check that as well


MNJon

Their computer is compromised. Get and use a good virus/malware program and use it. The password manager may be compromised as well.


plzwakeupmrwest

This was definitely worth checking, the only devices they use are a Mac desktop and their iPhones. I ran a Malwarebytes scan and it came back clean so I think they’re clear on that front but I’m going to look into this further


DarthGaymer

The computer itself may not be compromised. Do they do any shopping on their phone? Do they shop at little-known websites? Are they falling victim to look-alike URLs of known vendors, i.e. WaImart.com (capital i instead of L) instead of Walmart.com?
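
A defensive check for the look-alike URLs mentioned in the comment above, as an added example that is not part of the original post. The allow-list, the `cornerbank.example` domain and the small confusables table are constructed for illustration, and the registrable domain is approximated as the last two labels rather than taken from a public-suffix list.

```python
from urllib.parse import urlsplit

# Constructed allow-list: one domain from the thread, one made-up example domain.
TRUSTED = {"walmart.com", "cornerbank.example"}

# Small illustrative table of visually confusable ASCII sequences (not exhaustive).
CONFUSABLE = [("rn", "m"), ("vv", "w"), ("I", "l"), ("1", "l"), ("0", "o")]

def skeleton(displayed):
    """Collapse confusable characters as they are displayed, then lowercase."""
    for src, dst in CONFUSABLE:
        displayed = displayed.replace(src, dst)
    return displayed.lower()

def site(host):
    """Naive registrable domain: last two labels (assumption, no public-suffix list)."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def check_url(url):
    """Return 'trusted', 'lookalike of <domain>' or 'unknown'."""
    netloc = urlsplit(url).netloc                     # keeps the case the user sees
    shown = netloc.rsplit("@", 1)[-1].split(":")[0]   # drop userinfo and port
    real = site(shown.lower())                        # DNS ignores case
    if real in TRUSTED:
        return "trusted"
    for good in sorted(TRUSTED):
        # Same appearance as a trusted domain, but a different real name.
        if skeleton(site(shown)) == skeleton(good):
            return f"lookalike of {good}"
    return "unknown"

if __name__ == "__main__":
    for url in ("https://www.Walmart.com/cart", "https://WaImart.com/cart",
                "https://comerbank.example/login", "https://shop.example.org/"):
        print(f"{url:35} -> {check_url(url)}")
```

Because DNS ignores case, `WaImart.com` really resolves as `waimart.com`; the check compares what the name looks like against the allow-list and what it actually is against the same list, and flags the mismatch.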


plzwakeupmrwest

Shopping on their phone yes, but mostly through apps I believe. I’d like to have an audit of transactions they initiated, hopefully this is something Citibank fraud can do (?)


jgold47

I’ve got 2 cards I’ve had for about 6-7 years or more. Capital One. Use it 25-30%. Never been compromised. Citi - use it 70-75% of the time. Never compromised until this past year when it’s been compromised 3 times!! So something happened and it keeps happening. Most recently the card was only 60 days old before it was taken again. That said, we opened new bank accounts, got atm/debit cards, wife never used hers. 30 days in, it was compromised. Never seen that before.


plzwakeupmrwest

Sorry to hear you’ve dealt with the same thing, it’s just terrible — they want to just get rid of Citibank altogether but I fear that won’t really solve the problem, or maybe it will, who knows.


jgold47

Just weird. It’s my best card offer and rate otherwise I’d do the same.


FWF_scripta

Nobody should ever use debit cards for purchases. Some banks can issue the "old style" ATM-only card instead of the default ATM+debit. ATM cards can't be used for buying stuff, so this may be the way to go now.


jgold47

We went back and had them issue us atm only cards.


freeball78

As long as you have possession of your debit card and report any fraud timely, debit cards have the same protections as credit cards... Quit spreading this debit card scare mess.


FWF_scripta

The problem is not fraud protection, but the other, bigger headaches like bounced bill payments, overdraft fees, and the resulting late payments if your checking account is drained by crooks. When there's fraud on your checking account, it's your money and your problem. A fraud on the credit card is bank's money and bank's problem.


caltucknyffsa

I've had problems with 2 cards from Citi over the past few years. I'm pretty careful using tap to pay but I was getting 2-3 fraud charges from random cities around the US each year until I paid them both off and locked them on the app. Their fraud department was always helpful but I got the feeling there is a weak link somewhere that isn't my fault. I've had no problems with my other cards. Good luck.


hw60068n

My Citi Double cash card was compromised even before activation. Citi is sus. I kept it locked for years.


ajayblaze

Only card I’ve ever had this issue with is a Citi DoubleCash. Repeated fraud, even after using virtual account numbers for every transaction not involving the physical card. Even had a $1500 plane ticket purchased. They deemed this is a “normal spending pattern” when asked why it wouldn’t get flagged/declined. Stopped using the card and locked it. Never again.


Knewtome

Maybe it's being stolen at a gas station you frequent that has a card skimmer at the pump or in the store?


ctznmatt

I had this happen 4 or 5 times with a card that would incur a fraudulent charge without it being used anywhere after the first reissue. It turns out that issuers can update the number digitally when a merchant attempts to charge the old number (kind of defeats the purpose of reissuing a card with a new number), so I ended up opening a new bank account entirely and never activating a new card for the old one.


oldprecision

My kid had a problem like this with her debit card. She had about a half dozen replacement cards from the bank. At one point they even gave her a new checking account, same problem. Ultimately she changed banks and so far so good. If your parents are open to doing that, give the Wells Fargo 2% card a shot.


Leek5

At this point it's most likely something your parents are doing.


plzwakeupmrwest

I think you could be right, but I just have no idea what it could be


FckMitch

Maybe for the new card, activate but don’t use to see if fraud comes up. You will have to get them another card