Recently, Citi experienced a data breach that exposed credit card numbers and contact information of about 1% of its customers. When you consider CitiGroup has tens of millions of customers, you realize that’s a pretty big number. Citi says that it is contacting those who were impacted, but that could take a while. Meanwhile, if you have a Citi account, you might want to consider how to protect yourself.
What Should You Watch Out For?
If there is some good news in this, it’s that, by law, your liability for fraudulent credit card purchases is $50. (With debit purchases, many issuers offer limited protection, but you usually have to notify the issuer within two days if you want liability limited to $50. If you take too long, you could find your checking account drained — and no recourse.) However, it’s often better not to wait until a fraudulent purchase is made; you can call and ask for a new account number and a replacement card.
Citi officials say that security codes and expiration dates were not included in the data breach, so it will be difficult for others to make purchases over the phone or via the Internet. Instead, what you really need to guard against are phishing attempts made by fraudsters to get the information they are missing.
Scammers might use the information they do have to appear legitimate. With your email address and credit card number, they can send a phishing email with a Citi logo found online. It looks legitimate, because they have your information. You are asked to click on a link, or to call a number. If you click on the link, you may be taken to a dummy web site where you enter your username and password; now the scammers have the information they need to access your account directly. If you call, you might be asked for your Social Security number, the expiration date on your card, or the security code, “for identification.” Now the fraudsters have everything they need to make purchases with your card, or open new accounts in your name.
Instead of responding as directed in email (and even some snail mail) communiques, check the customer service number on the back of your credit card, or on one of your monthly statements. Call that number and ask for help with your account. If you want to visit the bank’s web site, enter the url directly into your browser, in a new window. The official url will be on your account statement.
Other Data Breaches to Come
This is good advice to follow in any case. Citi’s data breach wasn’t the first (my own information was compromised in Sony’s PSN data breach), and it certainly won’t be the last. You must assume that your information is going to be at risk. As a result, it is important to be vigilant.
Here are some things you can do to protect yourself:
- Change your online banking passwords regularly.
- Use different passwords on different accounts. After the PSN breach, there were reports of scammers taking the usernames and passwords discovered and trying them at major banking web sites. If you use the same username and password for each of your logins, all of your accounts are compromised if one is.
- Check your accounts for odd activity. You should reconcile your statements each month, but you can also check your accounts online to get a quicker idea of what is happening.
- Periodically check your credit report so you can catch ID theft sooner. The one free report you receive each year from the major bureaus via annualcreditreport.com may not be enough anymore — especially if your data has been accessed. If you are really concerned, you can get a credit freeze.
- Replace credit cards that might have been compromised.
- Never give personal information to someone who initiates contact with you over the phone. Remember that caller ID can be spoofed so that it appears you are getting a legit phone call, even when you aren’t.
- Contact financial institutions only directly, through official channels. Don’t simply hit “reply” to an email, or click on link in an email.
- Make sure that your connection is secure by checking for the “s” at the end of the “http” in the url.