HELP - Citibank's Dispute

[Trazora]

Any idea how to go about submitting the case to MAS?

Anyone here done b4, appreciate your advise.

try dispute at fidrec https://www.fidrec.com.sg/website/faq.html

 

[irenecsn73]

try dispute at fidrec https://www.fidrec.com.sg/website/faq.html

Thank you so much.
I am still waiting for the Senior Mgmt of the Dispute Team to return my call but i doubt he/she can do anything.
I'll go down personally to Robinson Road next week to lodge this.

 

[Smokey.B]

Any idea how to go about submitting the case to MAS?

Anyone here done b4, appreciate your advise.

sorry never done it before, maybe u can try letting citibank know u intend to do so by XXX date.

if they still don't act on it and so certain MAS will waste their time on this u can proceed to lodge a complaint

unless there's loopholes in your story i find it ridiculous they are saying u are responsible for this

 

[nick3384me]

I think you have right to request for the receipt and no possible for mobile payment because need otp sms to activate

 

[mikezuper]

So to confirm it is a chip and not magnetic?

Since it is a physical shop, can ask merchant to get cctv footage and confirm from merchant side? Maybe try to call first?

 

[dhwang_best]

So to confirm it is a chip and not magnetic?

Since it is a physical shop, can ask merchant to get cctv footage and confirm from merchant side? Maybe try to call first?

Should confirm that is a Chip transaction not mag-Stripe transaction first.

One possible is that your card's mag-Stripe data has been skimmed and used to make fake card to initiate this transaction. This can further be confirmed by whether your 'mag-Stripe oversea usage' has been enabled or not.

If indeed a Chip transaction, have no idea how that happen.

Someone posted 'stole data using a infected POS. Copied data into custom card', theoretically it could be possible however too difficult to do. As for Chip transaction, the merchant's POS will send a random data along the transaction data to ask the Chip to sign those data. Even if you use an infected POS and deceived your card to sign and got the cryptogram, then copied the data into a custom card. This custom card's cryptogram will not match the transaction cryptogram which is initiated by the merchant's POS, since the random data will obviously not match.

Unless, the criminal use a fake card at the merchant's POS, relay all the actual transaction data to a fake POS on your side, and this fake POS deceive your card to sign on those data. then the fake POS transmit the transaction cryptogram generated by your card to the fake card, and the fake card response them to the merchant's POS.

No matter what, it's the security issue from bank card itself and bank should take the responsibility.

 

[oceanicmanta]

I thought overseas usage activation is for Chip only ... the mag stripe does not need to be activated to be used overseas

 

[mikezuper]

I thought overseas usage activation is for Chip only ... the mag stripe does not need to be activated to be used overseas

It is the other way around.

Now by default magnetic strip is disabled for overseas transaction and enabled for chip.

If you want to toggle either of it have to call them.

 

[yamakazi51]

I thought overseas usage activation is for Chip only ... the mag stripe does not need to be activated to be used overseas

Wrong. Magnetic is less secure hence the need to activate

 

[oceanicmanta]

Any idea how to go about submitting the case to MAS?

Anyone here done b4, appreciate your advise.

Last year, I had an issue with Citi (not CC related). Personal banker & Cust Svc not responsive & dragged for 2 months.

I called MAS hotline, asked them for Citi's Quality Service Manager email & contact. MAS provided Citi's staff email & asked me to write to Citi & copy MAS email (consumers@mas.gov.sg)

Within a week, Citi resolved the issue.

 

[fr33d0m]

Last year, I had an issue with Citi (not CC related). Personal banker & Cust Svc not responsive & dragged for 2 months.

I called MAS hotline, asked them for Citi's Quality Service Manager email & contact. MAS provided Citi's staff email & asked me to write to Citi & copy MAS email (consumers@mas.gov.sg)

Within a week, Citi resolved the issue.

This is the way to go for those banks with lousy customer services.

The regulator should step in and protect consumer against the big banks.

 

[irenecsn73]

So to confirm it is a chip and not magnetic?

Since it is a physical shop, can ask merchant to get cctv footage and confirm from merchant side? Maybe try to call first?

I was told its the CHIP that its not possible to duplicate.

I did mention about the CCTV but the Citibank CS said its my own responsibility to request from the merchant

 

[irenecsn73]

Should confirm that is a Chip transaction not mag-Stripe transaction first.

One possible is that your card's mag-Stripe data has been skimmed and used to make fake card to initiate this transaction. This can further be confirmed by whether your 'mag-Stripe oversea usage' has been enabled or not.

If indeed a Chip transaction, have no idea how that happen.

Someone posted 'stole data using a infected POS. Copied data into custom card', theoretically it could be possible however too difficult to do. As for Chip transaction, the merchant's POS will send a random data along the transaction data to ask the Chip to sign those data. Even if you use an infected POS and deceived your card to sign and got the cryptogram, then copied the data into a custom card. This custom card's cryptogram will not match the transaction cryptogram which is initiated by the merchant's POS, since the random data will obviously not match.

Unless, the criminal use a fake card at the merchant's POS, relay all the actual transaction data to a fake POS on your side, and this fake POS deceive your card to sign on those data. then the fake POS transmit the transaction cryptogram generated by your card to the fake card, and the fake card response them to the merchant's POS.

No matter what, it's the security issue from bank card itself and bank should take the responsibility.

Thanks for the explanation but these sounds complicated to me... i dont understand chip vs mag-stripe

 

[irenecsn73]

sorry never done it before, maybe u can try letting citibank know u intend to do so by XXX date.

if they still don't act on it and so certain MAS will waste their time on this u can proceed to lodge a complaint

unless there's loopholes in your story i find it ridiculous they are saying u are responsible for this

I dont even have a story to tell, they didnt even call me to clarify on anything.
On the day i received the message that my card was being used, i contacted them ASAP & filed for dispute, 3 months later i received a letter stating the CASE is CLOSED and I need to pay for it. Reason being there is no way the chip on card can be duplicated (Told by the Customer Service)

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Written on the letter :
Our records indicate that the disputed transaction was a contactless transaction, where a cardholder is required to swipe/tap the card at the terminal in order for the transaction to take place. Under the relevant Card Association Rules & Regulations for dispute resolution, the Issuing Bank (Citibank) does not have a chargeback rights for contactless transaction.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


If they were to STOP the payment and investigate, I can even send them the original card on that very morning. (The card is used in UK at 3.28am & I can present to them in Spore at 9am - surely within 5+ hour, there is no way the card can be sent back to Spore from UK, this will SHUT them off)

 

[irenecsn73]

Latest updates :

I've just called MAS, they gave me the direct contact number of the person in charge (was told is VP of Citibank dispute team). Talked to her and she will ask her team to investigate and get in touch with me next week. I'll wait for them to revert before i submit the case to "Financial Industry Disputes Resolution Centre Ltd"

Thanks guys for all the suggestions.
Really appreciate ... thanks ... will see what is the next step

 

[mr168]

If they were to STOP the payment and investigate, I can even send them the original card on that very morning. (The card is used in UK at 3.28am & I can present to them in Spore at 9am - surely within 5+ hour, there is no way the card can be sent back to Spore from UK, this will SHUT them off)

Good tip, can use this to evident that the card is physically in Singapore if it was swiped or tapped in overseas.

I also just received a sms from DBS that my card has been blocked because of a suspicious transaction in UK. Amount is only 7 pound. The bank blocked and rejected the transaction and blocked my card.

 

[furryballs]

It is the other way around.

Now by default magnetic strip is disabled for overseas transaction and enabled for chip.

If you want to toggle either of it have to call them.

So if I am sure the place I going uses chip (nowadays almost every terminal is chip), I no need to activate overseas usage?

 

[furryballs]

Thanks for the explanation but these sounds complicated to me... i dont understand chip vs mag-stripe

Essentially chip is like your 2FA dongle, need a correct response to verify authenticity- not to say cannot crack, but probably not common (if you got the technology to break, probably can make better money elsewhere).

Mag-strip is just like nric, scan for the card number and assume it’s authentic

 

[furryballs]

Unless, the criminal use a fake card at the merchant's POS, relay all the actual transaction data to a fake POS on your side, and this fake POS deceive your card to sign on those data. then the fake POS transmit the transaction cryptogram generated by your card to the fake card, and the fake card response them to the merchant's POS.

No matter what, it's the security issue from bank card itself and bank should take the responsibility.

Another way without the elaborate relays is to simply use a mobile GSM/LTE POS. Just bring it close to TS anywhere in the world to tap. Merchant in London doesn’t mean transaction happened in London. But this is not likely because TS is sleeping at home, and we can all assume TS’s card is this safe at home.

This could be a landmark case that challenges card issuer’s TYS replies to deny liability.

 

[irenecsn73]

Another way without the elaborate relays is to simply use a mobile GSM/LTE POS. Just bring it close to TS anywhere in the world to tap. Merchant in London doesn’t mean transaction happened in London. But this is not likely because TS is sleeping at home, and we can all assume TS’s card is this safe at home.

This could be a landmark case that challenges card issuer’s TYS replies to deny liability.

YES, the card is with me at home. I am not out anywhere at that time.