My husband and I have had a Mastercard through Citi since 1992. About three years ago, I got a call from their fraud unit saying the card was hacked, and we got new cards. In the last 3-1/2 months, our card has been hacked three times and replaced.
With the last cards I got, I activated over the phone as I always do and within a week I got a call from the fraud unit asking my about charges that I did not make. We had never even used the new card and the cards had never left the house!
How can our cards be hacked if we never used them?
The man I spoke to at Citi asked me if we use our cards for online purchases and I told him my husband has purchased items from Amazon. He then told me that since Amazon is such a large company that they automatically get the new credit card number.
Is that even possible? I am very hesitant to activate our new cards. Any advice would be greatly appreciated.
S.P., North Olmsted
The gentleman from Citi told you correctly. Many merchants and deposit banks that we deal with automatically get our new account numbers when we get a credit or debit card replaced. The service is called “account updater.”
Here’s what Amazon says about it: “About Automatic Updates to Credit or Debit Cards . . . Amazon participates in account update services offered by some banks to help keep your cards up-to-date in our system.
“If your bank participates, these service (sic) will automatically update your card number or expiration date in our system when it changes. If you don’t want to have your cards automatically updated, you can opt out of these services by contacting your issuing bank.”
Amazon indeed received your new account number. It seems your credit card misuse may be occurring from someone who has access to your Amazon account (inside or outside Amazon). I’d recommend changing your Amazon password immediately and deleting any saved payment information from your Amazon profile.
Back to account updater services. Here’s what MasterCard says about it:
“Customers with account-on-file payment arrangements face service disruptions when their card expires or account information changes. For merchants, these payment declines can increase the risk of customer attrition, compromise sales and potentially increase direct and indirect expenses from customer service calls. Account changes inconvenience customers and can affect their relationship with merchants.”
Visa says something similar. “Visa Account Updater is a service that facilitates and encourages customer satisfaction, retention and loyalty by exchanging updated account information between participating merchants and Visa card issuers.”
Clearly, Citi participates in this service. Citi didn’t respond to my query in the past two weeks. I also contacted Chase and Bank of America, two of the nation’s other huge credit card issuers. Chase spokeswoman Carlene Lule referred me to Amazon. BofA spokeswoman Betty Riess referred me to MasterCard and Visa.
This is a huge convenience service for merchants. They don’t have to worry about your future purchases not going through because you didn’t provide your new account number. Or in the case of a recurring payment — say a cellphone bill — the phone company can keep on charging your card without interruption.
It could be a convenience to us consumers in some cases, as well. I pay my credit card bill through my deposit bank’s online bill payment service. When I get a new card number (which has happened several times in recent years because of data breaches,) I don’t have to input the new account number in order for the bill to be paid. My bank is notified automatically by my credit card issuer.
Still, it would be nice to be offered the chance to opt out if we don’t want it. I suggest you contact Citi.
I attempted to join the Planet Fitness in North Olmsted and was advised the only way I could pay was with my checking account. The person at the desk explained to me they had to have my routing number and checking account number.
Understandably, I am very uncomfortable with this because a data breach could result in my checking account being exposed.
I offered to pay the membership in full for the year, thinking I would just give them cash or a check, and was told I could only pay monthly with my checking account. I called customer service and they confirmed this. The woman did share that when presented with this in the past, exceptions have been made but she could not do that for me since the gyms are franchises.
Every Planet Fitness I drive by always seems busy so there are apparently thousands of people doing this with no issue, but it just seems really unsafe to me.
I agree with you, if the gym-goers have only one checking account.
Cases like these are one of the reasons I strongly encourage people to have a primary checking account and a secondary checking account. (Or even a third or fourth.) The secondary checking account can be used to write checks to individuals, to link to a PayPal account or provide for a recurring transaction like this. If there is a data breach, you haven’t exposed your primary checking account that you use for direct deposits, mortgage or rent payments and the majority of your monthly income and expenses.
Another option that might come in handy in a case like this: An online checking/ prepaid debit card. One of the leaders in this space, Movo, offers an FDIC-insured account with no monthly fees, regardless of balance. And you get a routing number and account number, just like you would with any checking account.
With this second-account method, your real checking account can’t be wiped out by a fraudster.
Author: Teresa Murray
Date: Oct 7, 2018