Cyber security and internet fraud have been on the rise globally for a number of years now. With many aspects of our personal lives increasingly being transacted online and especially with the growth of online banking, this is an issue that needs to be tackled rigorously.
Based on a report that recently came out, it is evident that incidents of online scams and other fraudulent activities are showing no signs of abating. While we are all individually responsible for ensuring that we practice online safety, to what extent have the big institutions which we transact through offered support?
A number of family members and friends who have fallen victim to credit card fraud realised with horror that their banks required them to stump up the entire amount on the credit card bill before they could request a refund for the portion that was incurred as a result of fraudulent activity.
To add to their stress, they were further informed that they would only be refunded the monies at the bank’s discretion. These incidents of fraud could have happened to anyone and had absolutely nothing to do with their own carelessness. Despite that, the banks in question were not willing to step in to protect the victims. While I understand that banks have to make profits, surely they would be best placed to tackle such incidents of fraud instead of requiring victims to first stump up the cash?
Given the volume of credit card fraud in Singapore, where “1 in 3” Singaporeans are victims of this crime, perhaps there should be regulations put in place to ensure that all banks deal with this in a unified and supportive manner. As it stands, whether or not you get your money back depends on whether you have complied with the terms and conditions of the bank in question. Given that these are often lengthy, and being mindful of the fact that not all customers are savvy, to what extent have the key terms been explained to customers to prepare them for possible fraud and its fallout?
The Journal of Cyber Security has conducted a study on the terms and conditions of various banks, including those of Singapore banks, and the Code of Consumer Banking Practice for Singapore. In its research, it looked at, among other things, whether the banks provided adequate guidance to their customers on banking safety and whether or not the terms and conditions were clear and accessible. The research uncovered that Oversea-Chinese Banking Corporation (OCBC)’s terms and conditions did not appear to specify how customers might record PINs. This could penalise less savvy customers who may not be aware of how to prevent fraud.
Secondly, while the terms and conditions of OCBC insist that the card and PIN must not be kept together, it was noted elsewhere that PINs must be memorised and not recorded anywhere. This apparent contradiction could be a source of confusion to customers and could be used against victims of fraud on the basis that they have not complied with the terms and conditions of the bank despite the terms being inconsistent to begin with.
There is a further list of requirements such as: “Customers were advised not to repeat any digits in the 6-digit PIN more than once, that it should not be based on the User ID, telephone number, birthday or other personal information, that it should not be used for different websites, applications or services, and that it should be changed ‘regularly’.” Customers of the Singapore bank also had “to install antivirus, antispyware and firewalls, and ensure they were updated and patched. File and printer sharing also have to be disabled, and customers cannot use public or Internet cafe computers. Browsers cannot be used to store credentials.”
The other banks reviewed from other jurisdictions do not appear to impose such aggressive restrictions. Is this something that the common man will be able to understand, let alone comply with? Is this wordy checklist an attempt to shift the burden of fraud from the institution to the victim? Is the shifting of liability in such a manner fair or equitable? Is it a form of corporate bullying?
It is noteworthy that non-compliance with terms and conditions has been used as a means to reject reimbursements to customers who have fallen victim to fraudulent acts. An example would be the case of victims of phone scams who had handed their money over to crooks impersonating bank staff and were not supported by the banks in question despite clearly having been victims.
Based on reports, I understand that if the banks had informed their customers not to reveal details such as PIN numbers over the telephone, they would not be liable for any of the fraud. However, is this too onerous for a customer, especially for the moms and pops who are not as savvy?
Incidents of fraud are not going to let up and everyone needs to take on personal responsibility for their own safety. That said, shouldn’t there be some form of corporate responsibility? After all, don’t they have the deepest pockets?