
So much for a blasé data breach. The breach of Citigroup credit card numbers in May didn't include the cards' expiration dates and security codes, which should have prevented the hackers from using the cards. Even so, recently Citi announced that some 3,400 of those credit cards (about 1% of the total compromised) were fraudulently used, to the tune of $2.7 million.

None of the cardholders will be held responsible for those charges, says a Citi spokesman. But how did it happen? Citi suggested but would not confirm that some of the customers may have been involved in breaches at other companies that gave the hackers the full suite of information they needed. "I suspect what you're going to find is this was a very sophisticated hack by a group that's done more than this," says Jay Foley, the executive director at the Identity Theft Resource Center.

Citi's is among the latest in a series of breaches this year. In many cases, fraudsters have grown more sophisticated and are better able to access customer information and remain undetected than in the past, says Phil Blank, the managing director of security, risk and fraud for Javelin Strategy & Research.

A report by Javelin shows that among roughly two dozen of Visa and MasterCard's largest credit card issuers, the bigger institutions including Bank of America and U.S. Bank are among the best equipped to prevent, detect and resolve fraud. The relatively smaller banks on the list came in at the bottom, including State Farm, Associated Bank and SunTrust. The annual study, which was conducted before reports of Citi's breach surfaced, ranked Citi in ninth place.

The study considered several factors, including financial companies' security procedures, the availability of fraud alerts and other monitoring strategies. In response to the findings, a SunTrust spokesman said the company has "processes and procedures in place to ensure we are vigilant in our responsibility to clients." A State Farm spokesman says the company maintains physical and electronic safeguards that comply with federal regulations and that it regularly monitors computer networks and tests the strength of its security. A spokeswoman for Associated Bank says it employs several strategies to detect fraud against customers, including monitoring daily transaction activity and analyzing reported customer issues to identify potential security breaches and fraud. Cabela's WFB, which was the fourth-worst bank on the Javelin list, did not return a request for comment.

And identity theft experts say that protecting consumers' credit card information doesn't stop with the card issuer. In the past, payment processing systems, which transmit credit card information from a retailer to the card issuer after a purchase is made, have been hacked. "There are all sorts of probabilities," says Foley.

Luckily, consumers have protections when their credit cards are fraudulently used. Credit card companies hold customers liable for up to $50 of unauthorized credit card transactions and oftentimes they waive that charge as well. Still, knowing that your credit card number or other identifying information is out there is enough to make most consumers queasy -- and could increase the chances of becoming a victim of fraud going forward. Here are Javelin's rankings for the card issuers providing the most and least protection and help against fraud.

Best (score out of a possible 100)

  1. Bank of America (87)
  2. Discover (74)
  3. U.S. Bank (73)
  4. USAA (69)
  5. Capital One (68)


Worst

  1. State Farm (43)
  2. Associated Bank (46)
  3. SunTrust (47)
  4. Cabela's WFB (48)
  5. RBS (49)

This article was reported by AnnaMaria Andriotis for SmartMoney.