askST: How can I protect myself from online credit card fraud and identity theft?

Reader Hannah Young wrote in to askST about how she could protect her credit card from online fraud.

She said her card details were stolen and some $600 was spent fraudulently at Airbnb - an amount she is disputing with her bank. An investigation by the bank is still ongoing.

She asked: "Why is there no two-pin password security for online websites? If that's the case how can we protect our card numbers? Why am I suffering the consequence of the identity theft when the bank should be responsible for keeping my money safe?"

Senior Tech Correspondent Irene Tham replied.

When online credit card fraud takes place, only one of three parties absorbs the loss: the customer, the merchant or the bank. That is why the bank needs to investigate who is the negligent party.

An authentication service, dubbed 3D Secure, was set up in 2001 by Visa for banks, credit card companies and merchants to better secure transactions. The service requires customers to enter an OTP to authorise online transactions. This method protects all parties from fraud.

A 3D Secure protected transaction is most likely initiated by the customer. Such disputes will be handled on a case-by-case basis.

Customers also bear full liability if found to be negligent in handling his or her card details. Negligence could mean giving away credit card details freely, or indiscriminately downloading apps or clicking on links that compromise the security of the phone for receiving OTPs or the computer. Hackers can steal the OTP in compromised phones, or hijack passwords and personal information on compromised computers for fraudulant transactions.

If the customer is found to have taken all reasonable steps to secure his or her personal data, then the customer's liability for online fraud is capped at $100.

Card issuers will investigate and may consider waiving at their discretion the $100 liability for unauthorised charges on a case by case basis. Card issuers will investigate and may consider waiving the $100 liability for unauthorised charges on a case by case basis.

As a rule of thumb, do not download or update any apps from the Web browser on the phone as the links that take users to these websites are likely to be bogus. App downloading should be via proper channels such as the Google Play or iTunes App stores.

Users should also be wary of downloading dodgy apps and surfing dodgy websites, where malware is often hidden. Once malware takes over the phone, it is easy to carry out fraudulent transactions. OTPs can be intercepted as they usually come via SMS.

Embedded links in instant messages from chat apps and e-mail attachments are also known to carry malware.

Card users should also immediately report any suspicious activities to their banks to limit their loss.