Who's liable for the loss incurred?

Who absorbs the loss when online credit card fraud takes place - the customer, the merchant or the bank?

Complicating this question is the 3D Secure payment system, which was set up in 2001 by Visa and adopted by other credit card firms and banks.

In the system, when customers make online payments, they must key in a one-time password (OTP) sent to their cellphones by the bank.

Before this was implemented, if a fraudulent transaction was made online, the merchant paid the price as the bank did not then have to pay the merchant.

But responsibility has shifted to the banks now with merchants signing up for 3D Secure, as the banks must authorise the payment request and pay the merchant based on such authentication.

Liability could also fall on the customer, especially if his card details were given away deliberately or negligently.

But, with cellphones increasingly targeted by hackers, 3D Secure may not be as safe as before: hackers can break into the customer's phone and steal the OTP as well as other sensitive data such as passwords.

This means the customer can reject responsibility, too.

7 ways to protect yourself against credit card fraud

  • Whenever you receive a new credit card in the mail, don't just let it sit for days along with the rest of your bills and/or junk mail. Take it out, activate it (online or call, whatever is easier for you) and sign the back.
  • The last thing you want is to lose track of it because it is in a pile with the rest of your "junk" mail - because we all know where junk mail ends up. And the last thing you want is for your credit card to end up in the hands of someone else.
  • If you're tired of receiving your mailed statements, most banks now offer e-statements, which are easier to manage - just make sure you're practicing good online security habits if you are taking the electronic storage route.
  • Whether you're using your credit card at a restaurant, retail establishment, club or bar, make sure you're following your card wherever it goes.
  • Because you want to make sure that your card is being swiped at the establishment's cash register and isn't disappearing into someone else's hands (or being used to make purchases while you're not looking).
  • Checking your receipts against your statement is especially useful if you make plenty of online purchases, as you might find price discrepancies between what you agreed to pay online and what's being shown on your statement.
  • Banks, retailers and government organisations will NEVER call or email you asking for your personal information - especially your credit card number!
  • Seriously, there's no "what if" when it comes to this one. No legitimate institution will ever ask for your credit card over the phone or in email, ever. So don't do it, no matter how legitimate the call sounds or the email looks.
  • Your bank should be near or at the top of your list of people and organisations to inform about your new address. That's because the last thing you want is for your credit card and bank statements to be "lost" in the mail or mailed to your old address where they can end up in anyone's hands.
  • Many credit cards offer "alarms" that send you an SMS or email whenever a charge over a certain amount is made. Some credit cards even offer alerts that send you an SMS/email alert for every charge made on your card.

    That's great because it gives you time to call up the credit card issuer and dispute any "funny" charges made to your card.

The OTP can be sent to a more secure hardware token, but most banks opt for SMS OTPs for convenience.

"Currently, the banks decide the method of OTP delivery from the many options available," said Visa's country manager for Singapore and Brunei, Ms Ooi Huey Tyng.

Some experts, such as Mr Thomas Zink, research manager at market research firm IDC, said consumers should not be liable for fraudulent transactions if they were not acting "fraudulently or without reasonable care".

Most of the time, users will have to trigger or approve the installation of malware.

But IT lawyer Bryan Tan said it can be hard for the layman to detect these insidious programs, and they are almost always downloaded unintentionally.

"If you are a designer of malware, you are not going to put big flashing lights and say this is malware. You are going to make it as insidious as possible," Mr Tan pointed out.

Experts say that consumers should be extra vigilant about the content they access on their mobile phone.

To better protect themselves against mobile malware, they should also be mindful when opening e-mail links.

Man in row with bank over hacked phone

  • "System update in progress. Please wait," read the prompt on Mr Philip Loh's Samsung Galaxy Note 4 smartphone last September. Thinking nothing of it, he went to bed.
  • Meanwhile, hackers got hold of his credit card details. Six flight tickets were purchased in Eastern Europe - from countries including Russia, Estonia and Latvia. The total price was $12,327.
  • Now the 47-year-old first aid trainer is entangled in a dispute with United Overseas Bank (UOB) as he tries to get the charges waived.
  • The bank, which insists its security system was never compromised, is asking him to pay $5,000 of the $12,327, having reduced the amount out of goodwill, or it would take legal action, said Mr Loh.
  • Mr Loh appears to be one of the victims of a malicious programme that the Association of Banks in Singapore (ABS) warned the public about last month.

This article was first published on Jan 27, 2016.
Get a copy of The Straits Times or go to straitstimes.com for more stories.