S'pore woman loses S$10,000 in DBS credit card fraud which allegedly bypassed OTP SMS

The bank said that the transactions were authorised via OTP SMS, but the customer said that she didn't receive any notification.

Joshua Lee | June 20, 2021, 05:45 PM

A woman in Singapore has become the victim of alleged credit card fraud.

Facebook user Danica Alena Choo put up a post on June 16 that detailed how seven transactions totalling S$10,150 were made on her supplementary credit card without her knowledge.

In January this year, Choo tried to make an online purchase with her supplementary card, but it was declined.

When she called DBS to find out why, she was told that she had exceeded the credit limit.

"To my horror, I learnt that a total of SEVEN consecutive transactions were charged to my card, each amounting to approximately S$1,400. The total damage was S$10,150."

According to the bank, these transactions were made with a OTP (one-time password), meaning that they were secure. Because of this, the bank said that it was unable to refund the money.

"But guess what? I did NOT receive any OTP for these seven transactions at all.

The bank claimed I could have keyed in the OTP by mistake. But seven times?! Did the bank seriously think I would be tricked into giving the OTP to a stranger seven times?

Long story short, we are liable for the charges."

Money was wired to Malaysian company

According to Choo, the seven transactions were made to Wise (formerly known as TransferWise), a website for remitting money overseas.

The transactions were wired to a Malaysian company, CWP Global Enterprise, and processed in Malaysian ringgit.

Wise told Choo that the transactions had gone through and were irreversible.

In fact, Choo found out from Wise that 10 transactions were made but only seven went through. This is because after seven transactions were made, DBS started rejecting the rest, informing Wise of possible fraudulent activity.

Following the tip off from DBS, Wise suspended the account that was used to process the transactions.

Bank initially did not want to waive interest

Choo has lodged a police report. However, she said she was told that the case has no favourable outcome. Police investigations revealed that the Wise account was created using someone else's personal details. There are apparently no more leads for the police to act on.

Choo said that DBS initially refused to waive the monthly interest on the credit card spending while police investigations were ongoing.

However, the bank relented after Choo and her husband went to their Member of Parliament Gan Kim Yong for help.

The bank, however, still expects Choo to pay the S$10,150 because they were allegedly authorised via SMS OTP — a fact which Choo disputes.

"There were apparently SMS alerts sent to my mobile number once each disputed transaction was completed.

At this point, I wish to reiterate that I did NOT receive a single SMS OTP or alert regarding any of the seven transactions, so help me God... We are clearly victims of a fraud case."

Choo has approached StarHub to check if receipts of text messages are recorded in its system, but the telco told her that the Singapore Police Force would have to approach its headquarters directly for access to such data.

According to Choo, DBS also said that it has never encountered unauthorised bypassing of OTP before.

Speaking to Mothership, Choo says that she doesn't think she is a victim of a phishing attack, adding that many others have also approached her to share similar experiences.

DBS: Customers should not click on email links, install questionable programs

Responding to Mothership, DBS said:

"Our customers’ banking security is important to us and our systems are safe, secure and uncompromised. The merchant in question is 3D-Secure enabled, which requires customers to authenticate their transactions using a One-Time-Password via SMS, or their DBS Digital Token. This is an industry-standard security protocol which protects customers against fraudulent use by unauthorised individuals. We would like to remind our customers that they should never click on links from emails or install any programs from unknown or questionable sources. These precautionary measures reduce the risk of compromising their devices, and prevent them from being intercepted by viruses and malicious software. For security tips and alerts, visit: https://www.dbs.com.sg/personal/support/guide-security-on-scams-and-fraud.html

In the event that customers seek further recourse from FIDReC, which is an independent and impartial mediation party, they can be assured that DBS will fully support the process. As this matter has been referred to FIDReC, we are unable to comment further."

Top images via DBS.