Credit Card Fraud Citibank (Costco)

  • Hi Guest, welcome to the help forum. You can get fast answers to your customer service questions here. We have a dedicated team of advocates who are ready to help. Just go to the section that matches your question and ask us!
  • If you've posted a question or issue for our advocates to assist with, please be sure to check back frequently for responses and requests for clarification.
  • Did you know you can get email notifications when something new posts to your favorite forum? It's easy. Just click the "watch" link right next to the "post new thread" button at the top of your favorite forum. The rest is easy. Now you'll never miss another conversation.
  • Want to become an expert user? Drop by the How to use this forum section and all will be revealed. We'll show you how to make the most of your experience.

jsn55

Verified Member
Dec 26, 2014
8,102
7,982
113
San Francisco
#22
I'm so tired of all this hype about CHIP cards being "more secure." They are NOT. The reason they're secure in Europe and the rest of the world is that those countries require a PIN for each transaction. These ones in the US can be picked up and used by anyone. Stores don't even require a signature anymore. OP, did you have a PIN code on your card? I expect not.
As usual, AMA highlights the real issue. The US decided way back when that "real chip/pin card" systems were too expensive. But of course nobody wanted to admit that Europe's plan was the best. So the US decided to come up with a bogus chip card plan. Security is no better than it was, but people's concept is that our cards are now better.

The best part, in my opinion, is that you use your chip card in a little reader connected to the cash register, the transaction is completed, and the business never looks at the name on the card. So anyone can use anyone else's card any time because there's no verification at all. This is beyond ridiculous.
 
Mar 18, 2019
35
30
18
37
#23
As usual, AMA highlights the real issue. The US decided way back when that "real chip/pin card" systems were too expensive. But of course nobody wanted to admit that Europe's plan was the best. So the US decided to come up with a bogus chip card plan. Security is no better than it was, but people's concept is that our cards are now better.

The best part, in my opinion, is that you use your chip card in a little reader connected to the cash register, the transaction is completed, and the business never looks at the name on the card. So anyone can use anyone else's card any time because there's no verification at all. This is beyond ridiculous.
It's true that chip cards do not offer any additional protection against lost or stolen cards being used fraudulently, but they DO offer a huge amount of additional protection against cloning and data breaches. Data breaches of a retailer's payment system does not reveal credit card numbers, since chip transactions only contain a unique transaction ID which changes each time the chip is used. Also, the chip in the card cannot really be cloned since the chip is designed not to leak its internal private encryption key.

Both of those two protections are why, if the OP claims to still physically have his cards, I can understand why Citi doesn't believe his card could have been used fraudulently. However, if the criminal had a card that was designed to trick the retailer's terminal into allowing a fall-back to using the magnetic stripe (e.g. a chip in the card that deliberately fails to be properly read), then a fraudulent magnetic stripe transaction could be made using a stolen credit card number.

Citi should be able to tell the difference between whether the transaction was made using the chip or if the transaction was made with a "chip card" but using the magnetic stripe.
 

Neil Maley

Moderator
Staff Member
Advocate
Dec 27, 2014
17,632
15,920
113
New York
www.promalvacations.com
#24
Keep going up the executive chain at Citibank. Unless it’s a debit card, I have never done anything other than swipe a card with a chip at the register. There is no PIN necessary. Unless you used it in Europe the chip offers no protection against a cloned or stolen card.
 

mmb

Verified Member
Jan 20, 2015
1,035
1,087
113
#25
It's true that chip cards do not offer any additional protection against lost or stolen cards being used fraudulently, but they DO offer a huge amount of additional protection against cloning and data breaches. Data breaches of a retailer's payment system does not reveal credit card numbers, since chip transactions only contain a unique transaction ID which changes each time the chip is used. Also, the chip in the card cannot really be cloned since the chip is designed not to leak its internal private encryption key.

Both of those two protections are why, if the OP claims to still physically have his cards, I can understand why Citi doesn't believe his card could have been used fraudulently. However, if the criminal had a card that was designed to trick the retailer's terminal into allowing a fall-back to using the magnetic stripe (e.g. a chip in the card that deliberately fails to be properly read), then a fraudulent magnetic stripe transaction could be made using a stolen credit card number.

Citi should be able to tell the difference between whether the transaction was made using the chip or if the transaction was made with a "chip card" but using the magnetic stripe.
It is my understanding that since the conversion period (to update to chip use as opposed to mag strip use) is over, any merchant that still uses, or allows a chip card to be used magnetically, will NOT be provided coverage if the charge is fraudulent. That is, if they didn’t convert to chip, then their protection is lost and they (the vendor) cannot back charge me for the fraudulent use.
So, yes, it is very important how the card was used. But it sounds to me like that they have already told the OP that the chip was used. Don’t know how OP can get around that if that is what they are stating, unless OP would take them to court and have them prove it.
 
Mar 18, 2019
35
30
18
37
#26
It is my understanding that since the conversion period (to update to chip use as opposed to mag strip use) is over, any merchant that still uses, or allows a chip card to be used magnetically, will NOT be provided coverage if the charge is fraudulent. That is, if they didn’t convert to chip, then their protection is lost and they (the vendor) cannot back charge me for the fraudulent use.
So, yes, it is very important how the card was used. But it sounds to me like that they have already told the OP that the chip was used. Don’t know how OP can get around that if that is what they are stating, unless OP would take them to court and have them prove it.
Not quite, the merchant only needs to have the capability to process chip transactions to avoid the liability shift. If the chip on the card fails to be read, they can fall back to stropesc transactions without incurring fraud liability.

Also, the liability shift is from the payment processor to the merchant. It doesn't really affect your liability as a purchaser, which is governed by consumer credit laws.
 

mmb

Verified Member
Jan 20, 2015
1,035
1,087
113
#27
Not quite, the merchant only needs to have the capability to process chip transactions to avoid the liability shift. If the chip on the card fails to be read, they can fall back to stropesc transactions without incurring fraud liability.

Also, the liability shift is from the payment processor to the merchant. It doesn't really affect your liability as a purchaser, which is governed by consumer credit laws.
Thanks for that and then-
-so how does a cardholder prove the negative, as in my card never left my control in a distant location from the purchase place.
 
Aug 30, 2015
116
85
28
57
#28
That is a very key difference and something that should be pursued.
What's the difference? If it were a card with a chip on it, and it was swiped, they would not know it was a chip card. I expect they were referring to the type of transaction. If it was done with chip, the bank should be liable for the reason that they didn't protect the chip by requiring a PIN to be used with it. If the person only had to insert the chip card and wait, that's no type of security at all.
 
Sep 19, 2015
4,461
5,842
113
48
#29
What's the difference? If it were a card with a chip on it, and it was swiped, they would not know it was a chip card. I expect they were referring to the type of transaction. If it was done with chip, the bank should be liable for the reason that they didn't protect the chip by requiring a PIN to be used with it. If the person only had to insert the chip card and wait, that's no type of security at all.
Citibank only gives chip cards now — so the customer service can easily say it was a chip card so must be safe. But one can still swipe with a chip card from Citibank.

Very few banks have the chip and PIN system here in the US and it is foolish — if someone steels a card from a wallet it can be used with signature.

I wish the US would be chip and pin
 
Likes: SierraRose49
Mar 18, 2019
35
30
18
37
#30
What's the difference? If it were a card with a chip on it, and it was swiped, they would not know it was a chip card. I expect they were referring to the type of transaction. If it was done with chip, the bank should be liable for the reason that they didn't protect the chip by requiring a PIN to be used with it. If the person only had to insert the chip card and wait, that's no type of security at all.
The thing is, the OP says he still has his card. In order to clone a chip card the criminal would have to know OP's private encryption key. That is no small technical feat to acquire. Once the criminal has that, it's trivial to program their own pin on the card.

A PIN can protect against unauthorized use of a physically stolen card but is not helpful as a protection against cloning. Since OP's card was not stolen, whether or not it was PIN protected is irrelevant.
 
Feb 11, 2018
64
47
18
79
#31
I'm so tired of all this hype about CHIP cards being "more secure." They are NOT. The reason they're secure in Europe and the rest of the world is that those countries require a PIN for each transaction. These ones in the US can be picked up and used by anyone. Stores don't even require a signature anymore. OP, did you have a PIN code on your card? I expect not.
You are so right! Some stores don't require a signature, and in the ones that do, I write "Mickey Mouse" or a smiley face. No problem! So...tell us again why the US chip cards are more secure???
 
Feb 11, 2018
64
47
18
79
#32
Citibank only gives chip cards now — so the customer service can easily say it was a chip card so must be safe. But one can still swipe with a chip card from Citibank.

Very few banks have the chip and PIN system here in the US and it is foolish — if someone steels a card from a wallet it can be used with signature.

I wish the US would be chip and pin
Don't even need the signature. Any scrawl will do.
 

weihlac

Verified Member
Jun 30, 2017
1,579
1,555
113
Maui Hawaii
#34
I traveled yesterday through DEN and SFO. Several merchants in those two locations had the chip reader disabled(with a piece of cardboard) and required a card swipe. Chip use is by no means universal.
 
Likes: AMA
Apr 25, 2019
5
2
3
58
#35
Just to update: the best advice was “stop calling!” I sent an email/wrote a letter to one of the Citibank VPs (not sure which one got her attention) and within a couple days I received a call from security saying they were looking into the matter as requested by Ms. VP. About a week later they said they had determined that duplicate cards had been mailed but never received or activated by me and that they must have fallen into the wrong hands. Therefore I was not responsible for the fraudulent charges. My account has been credited, now I just need to get Citibank to remove the interest fee they charged last month (which they said the would). Thanks to everyone for your advice!
 
Likes: Neil Maley

weihlac

Verified Member
Jun 30, 2017
1,579
1,555
113
Maui Hawaii
#37
Just to update: the best advice was “stop calling!” I sent an email/wrote a letter to one of the Citibank VPs (not sure which one got her attention) and within a couple days I received a call from security saying they were looking into the matter as requested by Ms. VP. About a week later they said they had determined that duplicate cards had been mailed but never received or activated by me and that they must have fallen into the wrong hands. Therefore I was not responsible for the fraudulent charges. My account has been credited, now I just need to get Citibank to remove the interest fee they charged last month (which they said the would). Thanks to everyone for your advice!
If your mail is delivered to a curbside mailbox as opposed to your home, it is very easy for someone to stop in their car on the street and shuffle through your mail looking for credit cards, checks, etc. My wife will not put any financial items in our curbside mailbox for this reason-she takes them to the P.O. and mails them or puts them in a secure US Mailbox.
 
Likes: SierraRose49
Apr 8, 2019
17
19
3
71
#38
The Costco Citibank card has a photo of the owner on the back of the card for added security. If the card was rejected the first time the merchant should have looked to see if the purchaser was the same as the photo. Hopefully the stores have time stamped video cameras where they can pull a picture of the purchaser. Did you file a police report? That may help convince Citi that you did not make the purchases.
 
Sep 19, 2015
4,461
5,842
113
48
#39
Just to update: the best advice was “stop calling!” I sent an email/wrote a letter to one of the Citibank VPs (not sure which one got her attention) and within a couple days I received a call from security saying they were looking into the matter as requested by Ms. VP. About a week later they said they had determined that duplicate cards had been mailed but never received or activated by me and that they must have fallen into the wrong hands. Therefore I was not responsible for the fraudulent charges. My account has been credited, now I just need to get Citibank to remove the interest fee they charged last month (which they said the would). Thanks to everyone for your advice!
"Stop calling" is weihlac's mantra:) and is excellent advice. I am glad to listened to that advice and are on your way to a resolution.

Once I was sent another duplicate card because the logo on the card had changed. Judgemenot, do you know why a duplicate was sent -- I would ask -- if someone called and requested a duplicate that would mean that someone has access to your info and is watching your mailbaox. If it is something like a redesign or a computer glitch, then it is less worrisome. I have to say it is pretty obvious which envelopes have replacement credit cards in them and that makes it easier to steal.
 
Apr 25, 2019
5
2
3
58
#40
My mailbox is only accessible with a key so not sure where/who or even if duplicate cards were ordered but as long as the issue has been resolved I’m not complaining. (BTW we did receive new cards after this incident was reported.)
 
Likes: weihlac