Virtual Credit Card Numbers: A Security Risk?
A friend of mine has a Citibank credit card and has frequently used their virtual credit card number program. For those unfamiliar with the program, essentially, the consumer downloads a free piece of software that generates virtual credit card numbers. The consumer can then assign an expiration date and a set limit to the card. The idea behind the program is that it limits the exposure to your actual credit card information. Instead of using your real credit card information online or over the phone, this allows virtual numbers to be used that are then routed back to your account through Citibank.
On the surface, this sounds like a great program that really helps prevent fraud. For all intents and purposes, I suppose it is; however, there are a few kinks that still need to be worked out.
My friend recently got his credit card bill in the mail and noticed an unfamiliar charge. When he investigated the charge, he discovered that a merchant had pushed a sale through using an expired card that was also over the limit parameters he set to begin with. Concerned, he called customer service. The representative explained that the merchant used a manual claim as opposed to an electronic one, and that they were legally required to pay the claim. It then became the consumer’s responsibility to report any fraud.
Ok, so let’s take a look at this. The program which Citibank designed to help prevent fraud has a very big loophole in it. All it takes for the crooks of the world to steal our money is to get a hold of one of these cards and submit a manual claim. Then they walk away with the cash while it’s left up to the consumer to report it. And, let’s say the consumer doesn’t look at their statement too closely and misses it until they do an audit – assuming they do one – but it’s past the 60 days consumers are given to dispute charges. Do they have to suck it up because of Citibank’s weird loophole?
So, to give it a whirl and see how protected he really was, my friend tried a new virtual credit card number. He was eying a new desk top computer he’d put together at Dell.com and he set the virtual credit card limit at $200. The computer he wanted was $700. He got his new virtual number and went over to Dell.com to pay. What do you know? The $700 charge went through, even though the limit was $200. Again, my friend was concerned, so he called customer service and asked about it. He was given the same story as above. He asked if merchants ever submitted anything electronically and the representative told him of course they did.
In my opinion, the concept is a solid one. Clearly there needs to be some enhancement in security measures because it seems that it’s fairly easy to work around the system. I believe the frustration for my friend is that he can’t seem to get a solid answer on why it’s occurring. Perhaps it was coincidental that both of the merchants in question submitted a manual request; however, Citibank isn’t the only one with virtual credit card numbers having issues. Apparently, Bank of America and Paypal’s systems have some of the same issues.
But, that leads me to believe that it may be a network problem and not necessarily anything with the banks. I can tell you from experience, when several companies are using the same system software, getting something changed is a hassle because it has to be changed on everyone’s system. Other companies may object to the changes and to do it solely for one company costs quite a bit of money. So, that may be the overall problem. Even still, I would think that customer security would be a sufficient reason to have these problems fixed, if it is that they are all on the same network for this program.
Of course you can always protect yourself with credit monitoring services for that extra layer of safety. Check out this free way to protect yourself, and get a free credit report and credit score.
So what do you think? Are these virtual numbers, overall, worth it? Or does it not really matter given the loophole?
Related posts:
- Debit Card Disputes and How They Work
- 20 Common Credit Card Fees to Watch Out For!
- 5 More Credit Card Myths to Watch Out For!
- Banks seize homes over credit card debt
- Is Credit Card Fraud Funding Terrorism?
If the virtual numbers worked as we’d think they would, they would have value. They would be closer to a gift card with a fixed amount of money, and you’d imagine that would be the highest amount at risk. It appears that things are not as they seem, and trusting the details of your post, that the virtual cards have no purpose at all. Losing one of those numbers is as bad as losing the regular number.
Joe
I have no personal experience with these cards, myself. However, I have clients complaining about them all the time – and, of course my friend. I would agree that as it stands, these virtual numbers serve no real purpose. But, if the kinks are worked out – particularly the large loophole that allows expired numbers and amounts over-the-limit to be used, then they will be worthwhile.
Well, I use the BofA virtual account number all the time, and yes I am aware of the problem, having experienced the problem quite often.
The one issue I have with your post is with your description of the Citicard virtual number. It doesn’t have a place to enter the amount, at least not the one I used to use, and even today still doesn’t. But even with that said, Citibank was quick to remove the excess charge above what I had agree to pay to the merchant for the product received, the one time that occurred, when I was using the Citibank virtual numbers.
I now use the one BofA offers only, which does have a place for an amount, but you’re correct, you can still be over charged.
But the problem is rare, and the credit card companies have always quickly rectified the problem. I think that problem has occurred, maybe one other time with BofA, among the hundreds of internet charges I’ve made.
I consider it a minor problem, at worst, and pales in comparison to having every internet store front keeping a copy of your actual credit card number on file on their servers.
I also keep a close eye on all my credit card balances online, at least weekly, or more, depending on how often I charge. It’s the sensible thing to do.
Besides, the problem you bring up is not exclusive to virtual account numbers. It can happen any time you use a credit card to make a purchase, even in a brick and mortar retailer.
Sorry, my first paragraph indicated it happened quite often, and that is not correct. It has happened, but it is very rare.
I’ve been using citi virtual numbers for many years. A purchase could never go above the limit I set. I don’t know why your friend is having issues with that, but I tried many times intentionally and a merchant could never charge more than the amount I set. I specifically remember authorizing a $50 dollar virtual number for T-mobile refill which didn’t go through and later they told me they were applying a tax on the $50. Marc, You can set the amount and validity duration (2 to 12 months) in the Advanced Options and it’s been available since the beginning.
I have been using Citicard Virtual Account Numbers for over 2 years now & have never had any problem at all. On one order I placed the merchandise did not all ship at the same time as one item was on back order. When the merchant tried to ship the back ordered item & charge it to the original virtual acct numberon original order, it was denied to the merchant. So I had to get another virtual acct # to get the item shipped.
On another order to a different merchant, I returned part of the order over 30 days later & it was credited back to my virtual acct # that is tied to my actual credit card number.
If you are able to set a dollar limit on each order, I am not aware of that feature. However, I plan to check into that.
I do however print off a copy of each order with the virtual acct on the order (some web sites will not actually print the card #) & keep it. But you can also go to the virtual acct # screen & look up all your past transactions with each virtual acct used. They keep these orders on file for a rather long period of time – not exactly sure how long.
I am a really big fan of these “fake” numbers & planning on checking my other credit card to see if they offer the same thing.
And I have actually had charges denied when I ordered one of these free trials for a product (I did not know & was not told they would start a recurring monthly charge). When it came time for their 1st monthly recurring charge they were denied because of the virtual account number’s one time charge feature.
Just love my virtual account number!!!
Where did we ever get this absurd idea of giving people our account numbers? It is ridiculous that they can dip in to our accounts any time they feel like it and take as much as they want. It is a system that seems designed for fraud and abuse.
I want a system based on transactions. I authorize one transaction for a certain amount and no more. Once it goes through, the number is useless to crooks because the transaction has already been completed and cannot be reused.
Oh and while we’re at it why can’t we have electronic banking in real time yet? When I pay my rent “electronically” the bank takes my money out today but then they print a check and put it in the mail and my landlord gets it 8 days later. They they have to wait for the check to clear. Bank is sucking up interest on my money the whole time.
Fred: The system of approving transactions, as you describe, is EXACTLY what the virtual cards are all about! And we do have electronic banking in real time, and you can do this. The problem you are having with this is that your landlord does have electronic banking, which is why your bank has to send them a check. They can’t electronically pay something to someone not set up to receive electronic payments. So your complaint should be with your landlord. Of course if you’re concerned about the bank sucking up interest on your money you always just write him a check yourself.
They are worth it, I work for one of the companies listed above. they all have different software. Its the way a merchant can push a payment through visa, its not us the manual push cant be denied its like a membership they will follow your account even through fraud and lost stolen accounts…..
I used a virtual number for a trial product that cost $1.00 to ship. I created a number for $1.00 that would expire in 1 month (advanced options for amount and exp. date). After receiving the trial I CLOSED the number. When the trial ended I received an email that the company would charge $79.99 if I didn’t return the unused portion of a SINGLE USE container. That had fraud written all over it. Confident that I closed the number I just moved on and dismissed the “threat”.
I can happily report that was about 3 months ago and I was never billed. The number was used for $1.00 and then I closed the number. Further more, I’ve used my virtual numbers for YEARS and never had a problem. Create limits of amount and time, and go to Active Numbers and close the numbers you no longer use.
I have a few questions.
I generated a virtual account number and set the limit to $50 and the expiration date to March 2010.
I recently purchased something off of Amazon.com that totaled up to $48.99. I have $1.01 remaining on that virtual account number.
I was then able to sell a textbook for 79.99 + 3.99 for shipping and handling ($83.98). Will I be able to receive payments (credit) on my virtual account number or is it not able to receive credit? Do you think there will be a problem if my limit is set to $50? How is that supposed to work?
Thanks in advance!