Protecting credit cards from online fraud

Credit-card users bear full liability in online fraud cases if they are found to be negligent in handling their details, including giving away credit-card details freely.
Credit-card users bear full liability in online fraud cases if they are found to be negligent in handling their details, including giving away credit-card details freely.ST PHOTO: DIOS VINCOY JR

Reader Hannah Young wrote in to ask how she could protect her credit card from online fraud. She said her card details were stolen and about $600 was spent fraudulently at Airbnb - an amount she is disputing with her bank. A bank probe is ongoing. She asked: "Why is there no two-PIN password security for websites? How else can we protect our card numbers? Why am I suffering the consequences of identity theft when the bank should be responsible for keeping my money safe?" Senior Tech Correspondent Irene Tham replies.

Reader Hannah Young wrote in to ask how she could protect her credit card from online fraud.

She said her card details were stolen and about $600 was spent fraudulently at Airbnb - an amount she is disputing with her bank. A bank probe is ongoing.

She asked: "Why is there no two-PIN password security for websites? How else can we protect our card numbers? Why am I suffering the consequences of identity theft when the bank should be responsible for keeping my money safe?" Senior Tech Correspondent Irene Tham replies.

When online credit-card fraud takes place, only one of three parties absorbs the loss: the customer, the merchant or the bank.

That is why there is a need for banks to investigate who the negligent party is.

An authentication service, dubbed 3D Secure, was set up in 2001 by Visa for banks, credit-card companies and merchants to better secure transactions. The service requires customers to enter a one-time password (OTP) to authorise online transactions. This method protects all parties from fraud.

A 3D Secure-protected transaction is most likely initiated by the customer. When disputes occur, they will be handled on a case-by-case basis.

Customers bear full liability if they are found to be negligent in handling their details.

Negligence could mean giving away credit-card details freely, or indiscriminately downloading apps or clicking on links that compromise the security of the phone for receiving OTPs or the computer. Hackers can steal the OTP in compromised phones, or hijack passwords and personal information on compromised computers for fraudulent transactions.

If the customer is found to have taken all reasonable steps to secure his personal data, then his liability for online fraud is capped at $100. Card issuers will investigate and may consider waiving, at their discretion, the $100 liability for unauthorised charges, on a case-by-case basis.

As a rule of thumb, do not download or update any apps from the Web browser on the phone as the links that take users to these websites are likely to be bogus.

App downloading should be via proper channels such as the Google Play or iTunes App stores.

Users should also be wary of downloading dodgy apps and surfing suspicious websites, where malware is often hidden. Once malware takes over the phone, it is easy to carry out fraudulent transactions. OTPs can be intercepted as they are usually sent via SMS.

Embedded links in instant messages from chat apps and e-mail attachments are also known to carry malware.

Card users should also immediately report any suspicious activities to their banks to limit their losses.

A version of this article appeared in the print edition of The Straits Times on May 20, 2017, with the headline 'Protecting credit cards from online fraud'. Print Edition | Subscribe