Who's liable for the loss incurred?

Visa credit cards are displayed in Washington.
Visa credit cards are displayed in Washington.PHOTO: REUTERS

Who absorbs the loss when online credit card fraud takes place - the customer, the merchant or the bank?

Complicating this question is the 3D Secure payment system, which was set up in 2001 by Visa and adopted by other credit card firms and banks.

In the system, when customers make online payments, they must key in a one-time password (OTP) sent to their cellphones by the bank.

Before this was implemented, if a fraudulent transaction was made online, the merchant paid the price as the bank did not then have to pay the merchant.

But responsibility has shifted to the banks now with merchants signing up for 3D Secure, as the banks must authorise the payment request and pay the merchant based on such authentication.

Liability could also fall on the customer, especially if his card details were given away deliberately or negligently.

But, with cellphones increasingly targeted by hackers, 3D Secure may not be as safe as before: hackers can break into the customer's phone and steal the OTP as well as other sensitive data such as passwords.

This means the customer can reject responsibility, too.

The OTP can be sent to a more secure hardware token, but most banks opt for SMS OTPs for convenience.

"Currently, the banks decide the method of OTP delivery from the many options available," said Visa's country manager for Singapore and Brunei, Ms Ooi Huey Tyng.

Some experts, such as Mr Thomas Zink, research manager at market research firm IDC, said consumers should not be liable for fraudulent transactions if they were not acting "fraudulently or without reasonable care".

Most of the time, users will have to trigger or approve the installation of malware.

But IT lawyer Bryan Tan said it can be hard for the layman to detect these insidious programs, and they are almost always downloaded unintentionally.

"If you are a designer of malware, you are not going to put big flashing lights and say this is malware. You are going to make it as insidious as possible," Mr Tan pointed out.

Experts say that consumers should be extra vigilant about the content they access on their mobile phone.

To better protect themselves against mobile malware, they should also be mindful when opening e-mail links.

A version of this article appeared in the print edition of The Straits Times on January 27, 2016, with the headline 'Who's liable for the loss incurred?'. Print Edition | Subscribe