Compromised Credit Card - Unauthorized Online Transaction
Ms X has been an accountholder of XYZ Bank since 2001. She applied for credit card facility on 11th May 2011. The credit card was subsequently cancelled on 23rd November 2016.
On 23rd November 2016 at approximately 9.00am, Ms X received an email with a link from Apple entitled “How to reset your Apple ID password”. Ms X was under the impression that the email was genuine because she had attempted to reset the password previously but was unable to complete the task. Without hesitation, Ms X clicked the link and she was redirected to a fake webpage which is identical to the Apple website. Since Ms X had forgotten her Apple ID and password, she clicked the tab “Forgot ID or Password” and was prompted to enter her email address. Thereafter, Ms X was requested to enter her credit card details and once completed, she received a One Time Pin (OTP) through sms on her mobile phone to be entered into the webpage. Since the webpage displayed the merchant’s name as “Apple” with amount EUR0.00, Ms X did not notice any irregularity at the website and proceeded to enter the OTP to complete the process.
After the process was completed, Ms X was shocked to receive a short message service (sms) from XYZ Bank informing her that a transaction amounting to EUR2,000.00 was performed at 9.18am via her credit card. Ms X immediately contacted XYZ Bank to block the transaction. She was advised to lodge an official complaint with XYZ Bank once the transaction is posted into her credit card account and/or statement. Ms X filed a dispute at XYZ Bank and provided all relevant documentary evidence to deny the transaction was performed by her.
Ms X received a reply from XYZ Bank rejecting her claim for the refund on the grounds that the disputed transaction was successfully performed with Ms X’s valid credit card details and OTP that was sent to her mobile number.
Investigation and Findings
Upon receiving Ms X’s complaint on 23/11/2016, XYZ Bank proceeded to deactivate her credit card to avoid further unauthorised transactions. However, XYZ Bank could not stop the disputed transaction as it was an approved transaction with an OTP validation.
XYZ Bank contended that this is a case of “phishing” whereby Ms X was deceived by the fraudster into entering a fake website which appeared identical to the genuine Apple website. Ms X had entered her credit card details into the fake website which enabled the fraudster to retrieve such information. Arising from this, the fraudster is able to perform the transaction using Ms X’s credit card details which triggered an OTP to be sent to her mobile phone by XYZ Bank. Ms X had entered the OTP into the fake website which enabled the transaction to be completed. Since Ms X’s credit card details and OTP has been compromised via the fake website, the fraudster is able to perform the transaction without Ms X’s knowledge using her essential credentials.
XYZ Bank contended that they have taken steps to continuously alert all their customers on scams of such nature and had consistently reminded their customers not click on any URL or links via e-mails purportedly from XYZ Bank or any other platforms in any circumstances. These reminders on security alerts were made available via the XYZ Bank’s official website, internet banking page, self-service terminal area, and was also broadcasted over the radio.
XYZ Bank’s record indicated that there was neither a system failure nor breach of security during the aforesaid transaction. The fact remains that the valid credit card number which is only known to Ms X and the OTP which was sent to her mobile phone was used to perform the disputed transaction.
XYZ Bank was unable to perform chargeback against the merchant’s bank as the transaction was authorised via the 3D secure platform which requires an OTP to be entered and verified by the bank. Nevertheless, XYZ Bank performed a retrieval request to the acquirer and the acquirer had fulfilled an invoice evidence, delivery bill, secure online payment screen to substantiate the authenticity of the transaction.
In view of the above, XYZ Bank is unable to accede to the Ms X’s request for a refund.
The Case Manager duly noted that Ms X’s credit card details and OTP had been compromised. It is the duty of Ms X to observe all security measures prescribed by XYZ Bank to safeguard her essential credentials. Ms X was reminded to be alert at all times and to ensure that she always observe important security alerts prior to entering her credit card details.
Conversely, the Case Manager also observed that the message containing the OTP that was sent to Ms X via sms was not precise as the message did not indicate the purpose of the transaction, the merchant details and amount. XYZ Bank acknowledged the shortcoming of the contents in the OTP messages sent to their customers. Effective from January 2017, the OTP messages has been revised to include the merchant name and the transaction amount.
XYZ Bank offered a partial waiver of the disputed sum and agreed to waive all finance and late charges on goodwill basis. Ms X accepted XYZ Bank offer and the matter was resolved amicably between parties.