Unauthorised Online Transaction


Encik Bashir (not his real name) holds a Bank Y credit card with the credit limit of RM30,000. On 8/4/2019, he discovered three unauthorized online transaction charged to his credit card amounting to RM24,154.81. He immediately reported the unauthorised transactions to the bank. Unfortunately, Encik Bashir was held liable for the disputed online transactions.

Encik Bashir denied performing the three online transactions on 18/3/2019,25/3/2019 and 4/4/2019 respectively. He alleged that he did not receive the text message containing the One Time Password (OTP) sent by the bank. According to Encik Bashir, his credit card and mobile phone were in his possession during the material time. 


Investigation and Findings

 Having reviewed the complaint, the Case Manager noted the following:

  1. The disputed transactions were performed through the merchant’s Three Domain (3D) secure website wherein an OTP must be entered for authentication and verification before the online transactions are approved.
  2. The bank’s Short Message Service (SMS) records show that the OTP was successfully sent to Encik Bashir’s mobile phone number registered with the bank for the three disputed transactions. The OTPs were entered within the validity period of 3 minutes and were successfully authenticated and approved by the merchant’s website. This implies that the online transactions had been authorised by Encik Bashir. In this instance, it is likely that the OTP and Encik Bashir’s card details were somehow compromised.
  3. Bank Y had also sent text messages to notify Encik Bashir of the successful online purchases after each of the three disputed transactions.
  4. Bank Y was unable to recover the disputed transactions as there are no chargeback rights for 3D secure transactions that are successfully authorised with the OTP.

The Case Manager opined that it is the responsibility of the Encik Bashir as a cardholder to maintain and safeguard the custody of the credit card at all times. Cardholders are responsible for all transactions that occur when the card is in their possession.



 Encik Bashir accepted the findings and observation of the Case Manager and agreed to settle the dispute in full.

 Bank Y on the other hand agreed to waive all the finance and late charges incurred on the disputed online transactions.