SINGAPORE — After discovering that AirAsia had charged her UOB credit card for two transactions totalling over $1,060 that she did not authorise, Zena Lim replaced her credit card in April.
But to the 47-year-old's horror, someone else continued to use her credit card credentials to make payments to AirAsia in May, despite her attempts to stop these transactions by blocking and replacing her card two more times.
In total, more than $3,600 in Malaysian ringgit and US dollars were siphoned from Lim's bank account in six payments.
The ophthalmologist said: "It's very distressing. How is it possible for the same merchant to charge three different card numbers in the span of nearly two months without requiring authentication?"
Merchants can choose not to activate 3D Secure authentication, an additional safety feature that requires the customer to enter, on their bank's website, a password associated with the card or a code sent to their phone before a payment can be made.
Her case comes amid a growing number of reports from credit and debit cardholders in Singapore and abroad discovering their card details have been fraudulently used to buy services from legitimate firms, including OpenAI and Apple.
While the unauthorised payments from Lim's account have since been reversed by UOB, the mystery remains, she said, adding that the matter has been reported to the Monetary Authority of Singapore (MAS) and the police.
"I'm frustrated that I have no answers as to how this happened," she said.
"The only time I purchased an AirAsia ticket was when I bought my helper's air ticket on my computer through eNets debit using my DBS bank account."
Kevin Reed, chief information security officer of cyber protection company Acronis, said Lim's case is rare.
If cyber criminals had stolen the details of her first card, they would still need to correctly crack her replacement card details twice in a row without triggering the bank's fraud prevention systems, which would have detected guessing attempts, he said.
It could be that her cards had been used by someone familiar to her without her knowledge, he added.
Candid Wuest, vice-president of cyber protection research at Acronis, said: "We cannot rule out that there might be an internal glitch at one of the merchants or human error at AirAsia, the bank or the post service that shipped the new cards, or there might be gaps in her story."
Card details are most commonly compromised through malware, he noted.
Wuest said using fraudulent transactions to pay for airline tickets is uncommon as they are more difficult to profit from, unless they are sold as a cheap ticketing service.
For instance, some underground websites sell airline tickets purchased with stolen credit cards at a discount.
He said: "If these transactions were not for tickets at all but for loyalty points, then the attacker might have wanted to steal such loyalty points that can then be resold or exchanged for goods."
Responding to queries, a UOB spokesman said the bank has assisted Lim and will help to investigate, where necessary.
She said: "We would like to remind customers to be mindful of the security of their physical (and digital) card and not share their card and banking details with anyone, including family or household members."
The UOB spokesman said the bank has lowered the default threshold limit for all its card notification alerts to $500 as a preventive measure to help fight against card fraud.
Customers can also change their threshold limit to nominal amounts via UOB Personal Internet Banking, so they will be notified of any transaction, she added.
An AirAsia spokesman directed The Straits Times to its guest support page, which states that credit card fraud is a global issue affecting many industries, including airlines.
The statement said: "If anyone suspects that fraud has occurred, it's important to contact their bank immediately to block the card and to contact AirAsia via our guest support channels here for our prompt internal investigation into the matter."
In June, MAS told The Straits Times that customers would not be held liable for unauthorised transactions if a merchant has not required consumers to authorise online card transactions using a one-time password.
How to prevent fraudulent charges
- Consider using an identity theft protection service to monitor your accounts and provide reimbursement options following an identity theft.
- Set up transaction alerts for amounts as low as $0.01 on your bank’s app.
- Regularly check your card statements. If you see any discrepancies or receive SMS/push/e-mail notifications for transactions that you did not make, notify the bank immediately or within seven days upon receiving your cards’ statement.
- If aware of an unauthorised transaction, promptly alert your bank.
- You can also temporarily lock your cards using your banking apps. Banks will review the case if there are grounds for dispute and help you in raising a dispute report to Visa or Mastercard.
This article was first published in The Straits Times. Permission required for reproduction.