Credit Card Intrusion Detection

I just received a call from a computer at Citicards, the company that issued one of my credit cards. Twice in the past few years that card was stolen by credit card number thieves. I found the exchange with the computer interesting.

First it announced that it was calling from the Citicards fraud department. Next it asked if I was "Richard Bejtlich," using the best pronounciation of my last name a computer could muster. (It's "bate-lik", by the way.) Then it asked me to verify the zip code of the billing address for the credit card. At this point I figured providing a zip code was a low-risk activity, in the event this was a sophisticated social engineering attempt.

Once I "authenticated" via zip code, the computer asked if I had made a purchase of $6.37 yesterday at "fast food" something-or-other. I recognized this as the dinner I bought at the incredibly high-brow Chick-fil-A drive-thru window at 9 pm last night. I pressed "one" to validate the transaction. Next the computer asked if I had spent money at an automated data which I recognized as the gas I bought prior to driving to Columbia, MD. I validated that transaction. At that point the computer was satisfied. It told me to call 1-800-950-5114 if I had any concerns.

I believe Citicards alerted to my two recent transactions because I hardly use that card. It's also possible they are edgy after the recent CardSystems Solutions heist. It's even possible my card is on a watch list of some sort. Thanks to John Ward for pointing out I was probably working with the Citicards Fraud Early Warning program.