Once again, I have a credit card cut into pieces and dumped in a trash can, thanks to somebody trying to treat themselves to a spending spree on our account.
This time, the card was a Citi Double Cash MasterCard, and the transaction that got my attention was a $969.90 Lenovo purchase. Neither my wife nor I had any recollection of making that–and neither Citi nor Intuit’s Mint personal-finance app had flagged it as suspicious.
After spotting that in our account, I saw two other, sub-$10 transactions with “OTC Brands” that also didn’t match up with anybody’s memory. A 14-minute call later, Citi had canceled our cards and ordered up replacements–I can already shop online with the new number–and pledged to investigate these three sketchy purchases.
So overall, we got off easy. But the experience has been a useful reminder that sometimes security is entirely out of your hands. There’s nothing we could have done to stop this from happening; at best, Citi’s security would have flagged the Lenovo purchase and asked me to approve or deny it, as it did when an unknown party tried using our card in March of 2016 at a Ukrainian site.
And no, having an EMV chip on this card did not enhance its security for card-not-present transactions. Even if this card had required me to key in a PIN instead of sign for in-person purchases, that also would have likely made no difference online.
Sometimes you just have to hope that the system works–and when it doesn’t, hope that you don’t wait too long for the system to get your money back. Having gotten Equifaxed last year, I can confirm that things could be worse.
Rob Pegoraro 
One way to protect yourself from fraudulent use of your credit card number is to have the card issuer email or text you whenever a purchase is made using the card. That way you will be able to identify fraudulent charges immediately and inform the card issuer. I know Citibank offers this service for at least some of its cards, maybe all of them.
That could work if it were just me, but with my wife also on this card I’d have to check with her, and then the immediate response is gone.
Need to be careful!!
Whatever you do, do not use your bank’s VISA enabled debit card for anything other than ATM withdrawals. Unlike credit cards, when debit cards get used without permission, the money comes right out of your checking account instead being tacked-on to your credit card balance.
Having your checking account drained is a major hassle. Yes, the bank will cover the losses eventually, but until they do, you will be bouncing checks and other transactions all over the place. Additionally, you’ll have to jump through a few more legal hoops like signing affidavits and FAXing them to your bank. Not any fun.
Just as you say, credit card fraud is going to happen no matter how careful you are.
One way that I deal with the annoyance of having a card cancelled due to fraud is to have multiple credit cards. Ideally 3 or more.
The first card is for your most trusted organizations that you have regularly scheduled payments to. Do not use this card for day-to-day transactions — only use it for scheduled transactions with trusted organizations. This will help reduce the chance that you will have to change all of these accounts when a card gets compromised.
The second card is for your normal day-to-day credit card use. Use this for all of the places where credit card fraud is most likely. Use this card until it get hijacked, then use the third card.
The third credit card is the “burner” credit card. Keep this card with you and start using it for normal day-to-day credit card use until the above second card is replaced with a new account number.
Essentially, both the second and third cards are “burner” credit cards, since either of them could be hijacked at any point, but unlikely both at the same time.
Agreed about multiple credit cards, but for a different reason: optimizing rewards categories! But that will require a separate post to explain fully…