Is PayNow safe?
My friend Julie raised eyebrows last month when she posed this question in her Facebook account: Is PayNow safe?
She was relating her daughter's traumatic experience on August 24 at 2.45 pm when she received an SMS that says a PayNow transaction of $1,000 to someone she did not know (see bank notification) was successful.
At that time her daughter Natalie was watching Netflix at home and her phone was with her. "How could anyone make a PayNow payment from her UOB account without her mobile phone?" Julie would like to know.
Natalie immediately called up the bank but her call was not picked up till around 3pm. She spoke with an officer who was not able to explain how the transaction was possible. The officer advised her to make a police report before the bank could return her the missing amount.
Mum and daughter rushed to the Serangoon Garden Police Post where the officer asked Natalie if anyone knew her bank account number. As it is a salary account, no one, except her company payroll department, should know, Julie says. "But that was beside the point because PayNow is supposed to be transacted using the mobile device. Unless there is another PayNow method that we’re not aware of."
Natalie then tried to send a copy of the police report via the email address the bank officer had provided, but it kept bouncing back. They had no choice but to rush to the UOB office in Suntec City to submit it personally. Natalie also terminated her current account and reopened a new one just to be safe.
What was infuriating was that none of the bank officers they spoke to could explain how the transaction was able to go through all the bank's security system.
When Natalie finally managed to connect by phone with UOB again, another officer told her it was in the hands of the police and her lost fund would only be returned after investigation. "Which means that the first officer had misled my daughter into thinking that a police report was a formality before they refunded her. Why couldn’t they check or do their own investigation immediately?" Julie asks.
After three weeks, what remains a mystery and of concern is how someone could access Natalie's bank account to pay by PayNow without the required device, her mobile.
Julie has the following questions for the bank to answer:
1. Is PayNow safe?
2. Is her UOB bank account at risk?
3. Why was not an OTP sent to her mobile, whilst a notification of successful transaction was sent to it?
4. Why was this amount transferred without an OTP security clearance?
Today (September 15), Julie has given an update on the situation in her Facebook account...
"To friends who have been concerned.
... the bank is dragging its feet over this lapse. It has been more than three weeks since this incident and I’ve not heard from them. Yesterday, we made a third trip to the UOB bank at Suntec to remind them that the stolen fund has not been restored and to expedite their processes.
This was my first meeting with the bank manager. I must say he was rather understanding and concerned and has given the word that he’ll “chase” those working on the case. Frankly in my opinion, they can take all the time in the world to investigate, but their first priority is to ensure that their client’s trust and confidence are not shaken.
Their system failed us because it didn’t send the security OTP clearance that was required before releasing the fund. Therefore, it was an unauthorised transaction and it’s the bank’s responsibility to make restitution for their system failure.
Why must my daughter lose her saving through no fault of hers? As far as we are concerned it’s not even a scam. It’s a theft that could have been prevented had the bank done its due diligence."
The bank will be contacted for its comments.
Why is UOB accusing us of wrongdoing?
LATEST: Sept 30.
UOB has not responded to our request for comments.
Meanwhile, Julie informs me on Whatsapp that an officer (Angela) from the bank contacted Natalie and "audaciously implied that she did it to pay for Shopee. Insisted they sent an OTP and also revealed that the recipient is from NUS, that the fund was sent to an IP (internet protocol) address, and whether Natalie worked in NUS and knew this person?"
An IP address is a unique address that identifies a device on the internet or a local network. The protocol is a set of rules governing the format of data sent via the internet or local network.
Julie says the officer "kept harassing her to admit she knows such a person and she paid for merchandise.
"Then she was asked to go back to the police with more info, meaning that she hadn't told the full story or she was hiding something."
Julie describes the conversation between the bank officer and Natalie as "downright bullying'', wanting her to say something they would like to hear".
Another thing that was inconsistent in the alleged purchase, Julie says, was the mode of payment. Natalie always pays for her Shopee stuff by credit card and not from her bank account.
What is getting Julie depressed is "their harassment and insistence that my daughter did it. Do you think she's stupid? Why would she do such a thing to her own money and then report it?
"Someone took her money from her bank account and the bank turns around and points finger at her integrity. Would you not feel what we feel if it had happened to you?
"You entrust your savings to an institution and that institution lost it through no fault of yours, yet turns around and accuses you of wrongdoing! Where is the justice?"
After more than a month since the incident, it is indeed puzzling why the bank and the police have not been able to give Julie and her daughter some satisfactory updates. The name of the recipient is known. Surely they would have contacted this person and found out from him/her many things which we would all like to know.
For example, if the bank says Natalie had purchased something from Shopee, what was it that she had purchased that cost $1,000, an amount that is beyond her purchase limit?
We would also like to know the identity of the recipient and whether or not he was indeed a seller of goods?
If so, whether the recipient is registered with Shopee as a retailer? This can easily be verified with Shopee.
Most importantly, the bank has to assure us that its PayNow system, already an established form of electronic payment here, is really robust and secure. This question has to be resolved quickly as the consequences of delay are unimaginable. There cannot be any doubt cast on its integrity.
Needless to say, the sooner those in charge get moving and provide us with the answers, the faster will our minds be at ease.
UPDATE -- October 13
Julie asks her MP for help
Last week, a police officer called to assure me that they are looking into the case. I had earlier alerted them to my blog.
Today, Natalie's mother Julie told me that she had asked MP Dr Tan Wu Meng (Clementi) for help as she remembers him as the parliamentarian who had recently called on the Monetary Authority of Singapore to investigate OTP cases.
"Dr Tan in turn got my Ang Mo Kio GRC MP Gan Thiam Poh to call me," Julie said. "Mr Gan assured me he would help me with the case."
It's been almost two months since this story broke. We can well understand why Julie had to contact Dr Tan for help. Because to date, nothing has happened to give Natalie and her mum some comfort.
And to think we are a financial centre known for our efficiency!!!