Last week I received a troubling voice-mail claiming to be from the Fraud department at Citibank. They asked that I call back at a specified number to discuss "suspicious activity" on my account. In case it hasn't already occurred to you, NEVER CALL someone who leaves you a voice-mail wanting to talk about your credit card or banking information.
Instead, I called the number printed on the back of my Citibank card... and was automatically routed to the Fraud department. Seems like the voice message was legit, but you can never be too cautious. The agent said they had flagged a suspicious transaction that they wanted to review with me. Had I recently tried to purchase $1099 worth of god knows what from a Swedish website I'd never heard of? No. Would I like to check with other family members on my account and call back? No. "No problem", she said. The transaction was declined, the account number disabled, a new account number created, and new cards on the way. Quick and painless.
It's worth noting that I rarely use this account. In fact, reviewing my statements, I saw that I had made 2 purchases in the past 6 months. The first was at a local bar that I've visited many times over the past couple of years (don't judge me!). The other was an online payment for a 're-up' on a month-to-month mobile calling plan for my mother-in-law's cell phone / SIM. That's not to say that the card number could not have been compromised prior to these 2 transactions. I had used that card for all my travel expenses on an international business trip last year. But, the timing definitely felt suspicious to me.
So, when it came time again to re-up the MIL's SIM card, I was faced with a dilemma: Use the newly replaced card to make the purchase and assume they weren't the source of the problem? After all, they're a fairly well-known company whose products you can purchase at 'respectable' brick & mortar retailers.
The problem is they only accept one form of payment: credit card. Ugh! I use PayPal for my online purchases whenever possible. The merchant gets an authorization from PayPal without ever getting my banking information and PayPal then transfers the amount of the payment from my checking account. I've used 2FA (two-factor authentication) since it was an option (originally with the PayPal security key and now with Verisign VIP Access for Mobile) with PayPal and I feel much more secure doing business this way. But, like the merchant in question, not everyone accepts PayPal.
What I did find is that Citibank offers a "Virtual Account" service. They describe it quite simply as
...a free service which allows cardmembers to generate a substitute credit card number which can be used in place of their real credit card number during online or telephone shopping.
Sounds good, right? A couple of additional great benefits (beyond hiding your real account number from the merchant) are the abilities to set a purchase limit on the Virtual Account Number as well as a custom expiration date. The online tool is easy to use and with just a couple of clicks you've got a virtual card with all the info you need to make an online or telephone purchase.
This completely solved my problem for the non-PayPal-accepting site. I'll also be using it for any over-the-phone purchases that require a credit card in the future.
I'm sure other card issuers have similar programs. Leave a note in the comments if you know of any.