Online Scam


Mr P responded to an advertisement on the social media regarding an offer to purchase an I-Phone for only RM1.00. Thinking that the purchase was made for RM1.00, Mr P proceeded with the online purchase and payment was made through his Bank D’s credit card. After the transaction has concluded, the Complainant realised that he was scammed because he was billed for an amount of AUD 499.99 which is equivalent to RM1,638.82.  

Within an hour after the transaction, Mr P contacted Bank D to request for cancellation of the transaction. Bank D is neither able to reverse the transaction nor provide details such as  the contact number and address of the merchant.

Mr P avers that  he has the right to cancel the transaction within 7 days and he wants the bank to waive the sum of RM1,638.82.


Investigation and Findings

The disputed transaction was performed through the merchant’s Three Domain (3-D) secure website whereby a One Time Password (OTP) is required to be entered by Mr P for authentication and verification before the transaction is approved.

The merchant in question sells a six month digital membership to its purchaser to participate in competitions. When a purchaser/participant wins the competition, they are allowed to purchase promotional items such as a brand new I-Phone, LED television or an iPad for only $1/£1/RM1. The purchaser must first create an account with details such as the name, e-mail address, contact number and postal address and accept the terms and conditions in order to proceed with the credit card payment.

According to the merchant, the price of AUD499.99 and the full description of what was being purchased were clearly displayed in the webpage before the credit card details are entered to effect payment. After Mr P entered his credit card details, an OTP was generated and sent by Bank D through a text message to Mr P’s mobile number. The text message containing the OTP that was sent to Mr P includes the merchant’s name and the amount payable of AUD499.99.  

The OTP was entered into the secured webpage  of the merchant within the given timeframe of 4 minutes  and payment of AUD499.99 was approved upon authentication and verification of the OTP.

It is not disputed that Mr P had authorised the transaction through the verification of the OTP. Mr P contended that he had informed Bank D of the alleged scam an hour after the transaction and requested for cancellation of the transaction. The issue is whether Bank D  being the Issuing bank can cancel the credit card transaction after the transaction is completed.  Based on the card scheme rules, once a transaction is authenticated and approved by the card Issuer electronically, neither the Issuing bank (in this case Bank D) nor the Acquirer (merchant’s bank) can cancel or stop the transaction. 

The reason as to why Bank D is unable to provide the details of the merchant when Mr P requested for it on 5/11/2016 because the said merchant is not acquired by Bank D. The merchant is acquired by a bank based offshore.

The Ombudsman noted that the amount billed of AUD499.99 was made known to the Complainant through the merchant’s webpage as well as the text message sent by Bank D. The Ombudsman opined that the Complainant had the opportunity to abort the transaction by refraining from entering the OTP into the merchant’s website.   



Based on the findings, the Ombudsman found that the disputed transaction was made electronically and it was approved through the verification of a valid OTP. In such circumstances,  Bank D is unable to cancel the transaction.

The Ombudsman upheld Bank D’s decision.