"System update in progress. Please wait," read the prompt on Mr Philip Loh's Samsung Galaxy Note 4 smartphone last September. Thinking nothing of it, he went to bed.
Meanwhile, hackers got hold of his credit card details. Six flight tickets were purchased in Eastern Europe - from countries including Russia, Estonia and Latvia. The total price was $12,327.
Now the 47-year-old first aid trainer is entangled in a dispute with United Overseas Bank (UOB) as he tries to get the charges waived.
The bank, which insists its security system was never compromised, is asking him to pay $5,000 of the $12,327, having reduced the amount out of goodwill, or it would take legal action, said Mr Loh.
"How can I pay for something I didn't purchase? I've never even visited those countries before," he told The Straits Times.
When he woke up on Sept 30 last year, his phone was still "updating". He forcibly rebooted it by removing the battery, only to find SMS alerts from UOB on the purchases, as well as the one-time passwords (OTPs) used to authenticate them.
Shocked, he cancelled his credit card before going to the police and Consumers Association of Singapore (Case) for help.
Mr Loh appears to be one of the victims of a malicious program that the Association of Banks in Singapore (ABS) warned the public about last month. He insists he has entered his credit card details on his phone only twice or thrice in the past year - to buy movie tickets online.
He was told by the bank that one of the reasons the payments could not be waived was that they were made under the "3D secure payment system" - which authenticates online transactions by sending an OTP to the customer's cellphone. The Straits Times understands that because the hackers obtained the OTPs, the payment system was not compromised.
UOB said: "We review each customer dispute case thoroughly and take into account a number of contributing or mitigating factors. These include whether a customer had provided his credit card information on a phishing site or if transactions were authorised with an SMS OTP. In this present case, the bank's security measures were not compromised."
An ABS spokesman said that in some reported cases, consumers provided their credit card information on websites without checking if they were legitimate. "These allowed hackers to 'take control' of their smartphones to perform fraudulent online transactions."
Case executive director Seah Seng Choon said banks need to keep in mind shifting security vulnerabilities. "If a third party can hack into the system and perform transactions in this manner, it shows that the system needs to be reviewed to protect consumer interests."
Information technology lawyers said crooks are starting to get the better of two-factor authentication systems. "The question is: Is it fair for consumers to bear the liability when it is the system that has been compromised by hackers?" said lawyer Bryan Tan.