On 12 July 2024, Mary downloaded an application called ‘EZI Recycled’ after viewing an Instagram advertisement and then made a payment of RM5 via the linked website. At approximately 9:00 pm on the same day, she discovered 11 unauthorised online transactions on Shopee Mobile Malaysia, totalling RM47,410, charged to her XE Bank credit card.
Mary denied having performed the transactions and immediately contacted the bank to block her card. She subsequently lodged a dispute seeking a full waiver of the disputed amount and filed a police report. The bank maintained that she was liable because all transactions had been authenticated using OTPs sent to her registered mobile number.
FINDINGS
The evidence showed that 11 3-D Secure online transactions, totalling RM47,410, were carried out on 12 July 2024 using Mary’s credit card. The bank’s records indicated that the OTPs were successfully delivered to Mary’s registered mobile number and correctly entered on the 3-D Secure verification page, thereby authorising the transactions.
Mary maintained that she did not receive any OTPs. The surrounding circumstances suggested that her card details and OTPs were compromised. It is likely that the downloaded application contained malware capable of accessing her banking credentials and intercepting OTPs.
The bank blocked the card only after Mary reported the incident. No chargeback rights were available, as the transactions had been authenticated under the 3-D Secure protocol.
The 11 transactions occurred over a short span of time and were inconsistent with Mary’s usual spending pattern. Such activity would reasonably have warranted closer scrutiny under the bank’s fraud monitoring controls and a verification call to the cardholder.
OUTCOME
We conclude that Mary’s banking credentials were compromised through the downloaded application, enabling unauthorised third-party access to conduct the disputed transactions.
Although the transactions were authenticated in accordance with security protocols, the bank could have adopted additional preventive measures by contacting Mary, given the unusual frequency and pattern of the transactions, which may have mitigated the losses.
At the same time, Mary ought to have exercised greater caution when downloading unfamiliar applications and providing sensitive information online.
Applying the principle of fairness, the Ombudsman decided that it is reasonable to apportion liability between Mary and the bank.
