I read with great discomfort about the recent spate of unauthorized cash withdrawals from Singapore bank accounts with DBS/POSB through a Malaysian source.
DBS said in a statement late on Thursday that the average amount withdrawn was about S$1,000 per account. “We are treating the matter with utmost priority and would like to assure customers that they will be fully compensated for any unauthorised withdrawals within 24 hours,” Jeremy Soo, head of the bank’s consumer banking unit in Singapore, said in a statement. – Reuters
This problem is only the beginning. DBS has effectively revealed to the world that in a pool of 200, the average amount withdrawn is $1,000 per account and that the bank will compensate them within 24 hours. Why? Foreign hackers will now know that Singapore bank accounts are a gold mine, and since to them the bank is going to compensate the customers anyway, they will feel no empathy in scamming them.
So how could this have happened?
I first suggested that the cause of such fraud was Point-of-Sale skimming. Preliminary investigations have shown that DBS ATMs had been compromised. Thus I will detail both scamming methods.
Method 1: Point-of-Sale (POS) Skimming
Method 2: ATM Card Slot Skimming
What is Point-of-Sale (POS) Skimming?
Point-of-Sale skimming can happen at the most unassuming and innocuous-seeming places, like provision shops, restaurants, supermarkets or petrol stations. When you offer your card to make a payment, all that the corrupt employee has to do is skim your card with a small, hand-held electronic device before handing your card back. This device captures all details about your card, and the salesperson observes and makes a mental note of your PIN while you enter it; this is known as shoulder surfing. In some cases, the CCTV of the shop can capture the moment the customer enters the PIN when making the purchase.
Once the corrupt employee has your card details and PIN, he can create a duplicate card and with it draw cash at an ATM or go on a shopping spree. ATM cash withdrawals are, however, the preferred method, since large amounts of cash can be withdrawn at any one time and the withdrawals are not limited to the credit/debit withdrawal limit set for the victim’s card. They are also harder to track.
Card skimming devices – Devices that can record the information contained in the magnetic stripes of your credit/debit cards are easily available in places like Malaysia and China. They are also available in Singapore, and some manufacturers don’t even conduct any background checks.
Even without a card skimming device, the cashier handling your credit/visa card can make a mental note of your card number and the three-digit security code at the back of the card, since he’s the one holding it. That requires a great deal of eye power on your side though.
With the influx of foreign workers in Singapore, positions like cashiers are taken up by them and they can easily smuggle in the card skimming device and install it without the shop-owner’s knowledge. Pay closer attention to these types of people. Of course, I am not encouraging racial profiling. Even rogue Singaporeans can do the same.
Ironically, this is actually more risky than making purchases online, because for most online transactions Visa and Mastercard have in place 2-factor authentication, which means that after you have entered your credit/debit card details, the merchant will send a one-time verification code to your registered mobile phone for you to complete the online transaction.
How are ATMs compromised?
The scammers affix an external card reader to the card slot of the ATM. You can read an article, complete with pictures of the method, here:
How do you protect yourself?
1. While entering any personal identification number (PIN), shield the keypad so that your hand movements are not visible and no one can see what you enter.
2. If you see a shop assistant swipe your card through a different machine from the one you used, question this action. With regard to ATMs, an unusual device on the card slot of the ATM is grounds for suspicion. If in doubt, call Customer Service.
3. Set a maximum withdrawal limit on your credit/debit card. Banks will allow you to do this. You can set the limit to as low as $100. If you do need to make a big purchase occasionally, get a mobile banking app and you can change your limit on the spot and revert once you have made your purchase.
4. Be aware of your surroundings while withdrawing money at ATMs. Do not crumple and throw away transaction slips or credit card memos: read them, make a mental note of the details, and then tear or shred them before throwing them away.
5. Periodically check your account balances online, or by requesting that your bank or credit agency send you statements, to ensure that no transactions are happening behind your back.
Update: Some have asked if the culprits can be caught. Short answer: 50/50. Why? A seasoned culprit will know that ATMs have a camera to identify the person making the transaction. The problem here is that most cameras in ATMs, especially in Malaysia, only take a side capture of the person in view. This differs from some newer ATMs that have a pinhole camera to capture the front of the person. The culprit can put on a disguise, make the withdrawals and disappear without a trace, so it will be hard for the police to track them down. In addition, the cash notes are unmarked.
There is some hope, though, for new-generation credit/debit cards. Mastercard has implemented a scheme called ‘PayPass’ where all you have to do to make a purchase is tap and go, kind of like your EZ-Link card, and your card never leaves your hand. The question is whether shop owners are willing to implement such a scheme, since installation and servicing costs are high.
Are other banks at risk?
Yes. I wouldn’t be surprised if customers who bank with, e.g., UOB, HSBC or OCBC see similar unauthorized withdrawals. DBS/POSB is targeted because it has the largest consumer base here in Singapore and because most people making transactions via NETS are usually using DBS/POSB-issued cards.
Additionally, ATMs can be compromised at any bank.