Julie, a 70-year-old retiree, received an SMS from a bank stating that RM3,000 had been transferred and if she did not perform the transaction, she should call the number listed in the message. Julie called the number and reported the purported unauthorised transaction.
She spoke to someone who posed as an officer from Bank Negara Malaysia. The person requested her card information to safeguard her existing accounts with her bank.
Shortly after, she realised something was amiss and contacted her bank.
She was told there were multiple transactions amounting to RM50,000 involving her two credit cards and a debit card. She denied the transactions and filed a complaint with the bank.
The bank rejected Julie’s claim because the transactions were performed with a secured One-Time Password (OTP) sent via SMS to her registered mobile number. Julie also contended that she did not disclose any OTP for the said transactions.
OUR FINDINGS
According to the bank’s records, the disputed transactions were conducted through the merchant’s secure Three Domain (3-D) platform, which required credit card particulars, such as the card number, expiration date, and CVC/CVV codes.
The transactions were subsequently authorised upon verification of the OTP, which serves as an added layer of security to prevent any potentially fraudulent activities. The bank’s record showed that OTP SMS and transaction alerts were delivered to Julie’s mobile number registered with the bank.
Completing the transactions online would not have been possible without the necessary credit and debit card information and a valid OTP.
We believe Julie fell prey to an SMS scam, and her card details and OTPs were compromised. Julie’s card statement revealed that she had never made online transactions using her cards prior to this incident. Additionally, the disputed transactions did not reflect Julie’s usual average monthly credit card spending, which is below RM200.
OUTCOME
While the Case Manager acknowledged Julie’s responsibility to safeguard her banking credentials, she opined that the bank must monitor unusual online transactions, especially those involving vulnerable consumers.
Julie’s loss could have been prevented if the bank had implemented safety measures. The Case Manager recommended that the bank and Julie share the liability for the disputed sum equally. The bank rejected the recommendation and referred the matter for adjudication.
The Ombudsman reviewed the case and concurred with the Case Manager’s Recommendation.