News

Property Agent’s Debit Card Added to Apple Pay Without Consent, Nearly $6,000 Spent

2024-12-04 , 12:48 pm

It’s been some time since we last heard about any new scam tactics. However, that doesn’t mean that scams have gone away.

A property agent’s debit card was mysteriously added to Apple Pay without his consent, and spoiler alert — he doesn’t even use an Apple device. Nearly $6,000 worth of transactions were then made on his debit card using Apple Pay.

Here’s what happened.

$5,988 Worth of Unauthorised Transactions Made on Property Agent’s Debit Card

If you opened your phone and found text messages from your bank stating that four transactions had been made on your debit card, what would be your first reaction?

Well, that’s exactly what happened to 50-year-old property agent Mr Li (hanyu pinyin). On 30 October, he received text messages from his bank, stating that four transactions were made on his debit card.

He proceeded to check his bank account and found out that there had indeed been four transactions made on his debit card. To his surprise, the transactions were made in Taiwan and totalled a sum of $5,988.

The thing is, he did not make these transactions. In other words, these were all unauthorised transactions.

I mean, duh. He wasn’t in Taiwan at the time.

Once he realised that something was off, he immediately contacted his bank and requested for his debit card to be frozen.

Bank Rejects Request to Dispute the Transactions

Later on, Mr Li received an email from his bank, stating that the transaction had yet to be posted (i.e., the transaction is still in “pending” status). The bank added that it would only process Mr Li’s request to dispute the transactions only after the transaction was posted.

A few days later, on 2 November, the transaction was finally posted. When Mr Li contacted his bank to inquire about this, the bank staff had assured him that this was normal, and that they would follow up with him accordingly.

Yet, days went past and there was no news from Mr Li’s bank. As such, on 14 November, the property agent decided to contact his bank again. However, he was greeted with an unexpected surprise.

According to the results of the bank’s investigations, Mr Li had allegedly authenticated the disputed transactions. Thus, the bank concluded that there was no dispute in relation to these transactions.

Property Agent’s Debit Card was Added to Apple Pay Without His Consent

As it turns out, the bank had sent Mr Li two text messages on 25 October — five days before the allegedly “unauthorised” transactions had taken place. The first text message related to his debit card being added to Apple Pay, while the second text message contained a one-time password (OTP) for adding his debit card to Apple Pay.

According to Mr Li, he did not see the two text messages the day it was sent, and was only made aware of it when the bank told him about it over the call.

But the thing here is — Mr Li does not even use an Apple device.

What likely happened was that a scammer had added Mr Li’s debit card to their Apple Pay, then managed to get their hands on the OTP to complete the process of adding the debit card to Apple Pay.

The bank advised Mr Li to lodge a police report if he was not the one who handed over the OTP for adding the debit card to Apple Pay. According to Shin Min Daily News, the police have confirmed that they have received Mr Li’s police report.

DBS and POSB: Contactless Transactions Cannot be Disputed

At this point, you might be thinking: “Huh? Gong simi? If he didn’t make these transactions and didn’t even know his card was added to someone else’s Apple Pay, then why does the bank say he had authenticated the transactions?”

As the 50-year-old himself said: “Even if I provided the OTP to let the scammers add my card to the e-wallet, those four transactions were not made by me. How can they say that I approved them?”

Well, we did a little digging into several banks’ policies on disputing card transactions. It appears that for some banks, contactless transactions cannot be disputed.

For instance, the DBS website lists contactless transactions as one of the many transactions which cannot be disputed and are not eligible for a chargeback request. These contactless transactions include “those facilitated through mobile wallets” such as Apple Pay, Google Pay, and Samsung Pay.

The same policy applies for POSB.

The position for other banks, such as UOB and OCBC, in relation to whether contactless payments can be disputed, is a little less clear.

The UOB site states that there are no chargeback rights for fully authenticated transactions, such as transactions which were authorised with OTPs. The OCBC website similarly states: “There are no dispute rights for transactions that had been fully authenticated, such as via OTP.”

The Scam That’s Still Going Strong: Using “Phishing” to Steal Card Information

What most likely had happened in Mr Li’s case was that he fell victim to a “phishing” scam. Yes, you’ve heard of the scam countless times. It’s still here today, and the scammers’ methods are only getting increasingly sophisticated.

According to Shin Min Daily News, it is generally believed that scammers steal their victims’ card information through “phishing” scams — for instance, the OCBC SMS “phishing” scams from a few years back. If you’d like to find out more about it, watch this video here:

These scammers can then add your cards to their own e-wallets such as Apple Pay, complete the relevant authentication, then subsequently use your cards for their own transactions.

And more often than not, sophisticated methods are deployed by these scammers to ensure that all these transactions are carried out without your knowledge.

So, what should you do to try to avoid these scams and the potential fate of being unable to dispute any “unauthorised” transactions?

Well, the first step is always to be on high alert for such “phishing” scams in the first place lah. You should always think twice before clicking on links provided in unsolicited emails and text messages, as well as check the authenticity of the emails and text messages.

You can find out more about how to guard against “phishing” scams from the Cyber Security Agency of Singapore (CSA)’s website here.

Stay safe lah, hor?