Parliamentary Replies
Published Date: 05 July 2023

Written reply to Parliamentary Question on unauthorised credit card charges

Date: For Parliament Sitting on 5 July 2023

Name and Constituency of Member of Parliament

Mr Saktiandi Supaat, Bishan-Toa Payoh GRC

Question:

To ask the Prime Minister (a) in each of the last five years, what is total value of unauthorised credit card charges that have been reported; (b) what proportion of such unauthorised charges comprised individual transactions that are below S$50 in value each; and (c) what regulatory measures are being considered or implemented to protect Singaporeans against Bank Identification Number attacks?

Answer by Mr Tharman Shanmugaratnam, Senior Minister and Minister in charge of MAS:

1. A Bank Identification Number (“BIN”) attack is a type of card fraud, using software to generate possible credit and debit card number combinations, expiration dates, and card verification values. Low value transactions are systematically attempted in order to test for valid card details, and higher value transactions are subsequently made using those valid card information.

2. The statistics requested by the Member are not readily available. Unauthorised credit card transactions, in particular arising from BIN attacks, are not specifically tracked. Banks, however, track credit card dispute cases, which may comprise disputes over goods purchased or services rendered, card fraud, lost or stolen cards, or scams. Of these, scams continue to be the main driver of losses suffered by consumers.

3. In BIN attacks, the fraudster typically targets merchants that do not require One-Time-Password (“OTP”) authentication, as the fraudster would not ordinarily have access to the OTP. In such a case, a card user will not be liable for an unauthorised transaction. Rather, the merchant involved will be liable for the loss, as long as the card user reports the case on a timely basis.

4. MAS expects that card issuers in Singapore and card scheme operators such as Visa and Mastercard have strong card security measures to protect customers from card fraud, including BIN attacks. Measures implemented include real-time card fraud monitoring; providing transaction alerts to customers; implementing OTP to authenticate customers before approval of online transactions at merchants; and chargeback mechanisms to reverse unauthorised transactions. Card issuers also work quickly to replace cards whose BIN numbers have been compromised.

5. Members of the public are strongly encouraged to monitor their card transactions regularly, and immediately notify their card issuers if they notice any fraudulent or suspicious transactions, and also report such transactions to the Police.

* * *