How to protect yourself (and your bank account!) online

It may surprise you to know this, but the interwebs are full of scary people, and I’m not just talking about the ones who comment on the Straits Times Facebook page. 

No, I’m talking about scammers- the ones out for your credit card and banking details, who think nothing of emptying out life savings in a matter of seconds, and operate with increasing sophistication. It’s no longer the trope of the old aunty or uncle falling victim to wire fraud; young, tech-savvy working professionals are getting hit too. 

In this post, we’ll look at some common ways your accounts can be compromised, as well as mitigating steps you can take. 

Your card or card details get stolen

Anyone who’s ever lost a wallet full of credit cards will know the headache and dangers involved. 

The problem with physical cards is that anyone who finds them can do a lot of damage in a short amount of time (since most transactions are contactless, and how many times have you seen a cashier verify a signature anyway?). 

One way of mitigating this is to digitise your physical cards into a mobile wallet like Google Pay, Apple Pay or Samsung Pay. This way, there’s no physical card to be lost or stolen, and even if your phone ends up in the wrong hands, anyone who finds it won’t be able to make a transaction without further pattern or biometric verification.

It also means that you won’t need to cancel and reissue all your cards, because it’s impossible for someone with your phone to obtain your full card details. 

But even so, your card details can still be stolen if you save them online with a merchant whose database later gets compromised. While storing card details can be a big convenience (imagine having to pull out your card every time you wanted to hail a ride or order food delivery), there’s absolutely no reason to do it with a merchant you use infrequently, or worse, once-off.

Another way of keeping your card details safe is to make sure that any online merchant you shop at has the padlock symbol in the browser bar. This signifies a https connection, which means any communication between your browser and the server is encrypted. Even if someone were to intercept the data, it would be impossible to make sense of it.

Finally, you can consider lowering your transaction alert threshold. DBS allows you to lower this to as little as one cent, so you’ll be alerted to any transaction on your card, no matter the size. 

To do this, login to your DBS/POSB i-banking and mouse over the profile icon at the top right. Click on “Manage Alerts”.

On the next screen, click on “Manage Alerts” under the “Alerts on DBS/POSB Card(s)” section.

You’ll see a full listing of all the cards you have with DBS/POSB. For each card, you can opt in for SMS alerts and set the minimum transaction threshold. I’ve reduced this to S$0.01 for each item, meaning that so long as there’s any activity on my card, I’ll know.

You get phished

The modus operandi of a phishing scam should be well known by now: you receive an email, phone call, SMS or message from a messaging app claiming your bank account has been compromised, and a link to “rectify” the situation. The link or QR code sends you to a familiar-looking website, or connects you to a person claiming to be a bank staff member or government official. Your login credentials and 2FA are requested, and before you know it, your bank account’s been emptied out. 

I’m sure you’ve read enough horror stories to be wise to this kind of thing, but the fact that people keep falling prey suggests we’re not great at spotting them in the heat of the moment. 

To spot a phishing scam:

• Ask yourself if you were expecting a message. Scammers leverage emotions like fear, curiosity, worry or FOMO against targets. Take a breath and collect your thoughts before acting
• Visit websites directly instead of via embedded links (which may send you to a phishing site). Typing in the website name takes a couple of seconds longer, but could save you from a costly mistake
• If you do click a link, examine the URL and see whether it matches the one you know. Someone spoofing Milelion.com might use a lookalike like Milellion.com or Milelion.net
• Look out for bad grammar and spelling (interestingly, it’s not the case that scammers don’t know how to use spellcheck- security experts suggest they’re trying to avoid automated spam filters, or believe that those recipients who can’t spot such errors make easier targets)
• Be alert to the presence of outdated logos or graphics. Phishing sites tend to upload static images, and if the Visa or Mastercard logo looks like something from the last decade, it’s a red flag

When in doubt, Google’s Safe Browsing site status checker can be a useful tool for checking if a website may host suspicious content. 

Someone you know misuses your card

If you see an unfamiliar transaction on your card, don’t immediately assume you’ve been the victim of a faceless scammer. It could very well be that someone you know has used your card without your permission. Case in point: the recent incident where a father ended up with a S$20,000 credit card bill after his daughter went on a spending spree on the video game Genshin Impact.

The good news is that both Google Play and the Apple App Store allow parents to restrict purchases on their devices.

• Google Play
• Apple iTunes & App Store

If you need to give your child a card for day-to-day use, a debit card may be the better option, or a supplementary card with a lowered credit limit. 

The scammers get lucky

Being hyper vigilant with security isn’t necessarily a panacea against card fraud. Sometimes, the scammers just get lucky.

Your credit card number consists of three parts:

• A bank identification number (the first six digits, used to identify the bank which issued the card)
• An account number (the next 6-9 digits, used to identify the individual account)
• A check digit (the final digits, used to validate the authenticity of the card number based on the Luhn algorithm)

While the Luhn algorithm provides a way of screening out invalid card numbers, it was created to protect against accidental input errors, not malicious attacks. In other words, it’s entirely possible to write a programme that generates valid credit card numbers, and that’s exactly what scammers do. 

With the right software, they can generate endless ranges of valid card numbers, before attempting them in a brute force style attack. If you’re unlucky, your card number will be among those generated.

But what about expiry dates and CVVs? The former can be guessed, and the latter can be bypassed by looking for non-3DS merchants which do not validate CVVs prior to performing a transaction.

Honesty, there isn’t a lot you can do to avoid this- in fact, I suspect this may have happened to me towards the end of last year when I was hit by a fraudulent transaction on my Amaze Card. 

What you can do is to be alert and block the card the moment you see suspicious activity, or disable features on your card that you don’t need (see below). Remember, your maximum liability for an unauthorised transaction is capped at S$100, provided you have not acted with “gross negligence”. 

How to stay safe online with DBS

DBS has created additional resources for staying safe online, which can be found on the DBS BSharp portal (+1 for the unintentional Simpsons reference). 

BSharp tells you how to keep your device safe and up-to-date, good personal security practices, how to protect your information online, and the latest scam alert warnings. 

Another nifty feature that DBS customers can use to protect themselves is DBS Payment Controls, which grants them more granular control over the features of their cards.

With Payment Controls, DBS and POSB cardholders can :

• Temporarily lock or unlock their debit or credit cards
• Enable/disable online e-commerce transactions on all local or overseas websites
• Activate/deactivate usage for in-store overseas transactions
• Switch on/off the ability to make contactless and mobile wallet payments at local and overseas merchants
• Enable/disable cash advance transactions on credit cards
• Set a monthly spend limit

For example, someone who only uses the DBS Woman’s World Card for online transactions might consider deactivating in-person overseas transactions, as well as the contactless and mobile wallet payment functionality. 

They could also set a monthly spend limit of S$2,000, so they don’t accidentally breach the monthly 10X cap (remember, any spending beyond S$2,000 earns just 0.4 mpd!). 

Likewise, a DBS Altitude Card member who only uses the card for in-store transactions might consider deactivating the online e-commerce functionality, as well as disabling cash advance transactions. 

Cardholders will receive instant alerts when a transaction is blocked due to pre-set controls, which helps avoid confusion in case you forget that you deactivated a certain feature. 

Conclusion

While digital banking is no doubt convenient, it brings its own set of challenges. No one wants to be the next cautionary tale, but with the tips in this post, you’ll be well equipped to stay safe online.

Be sure to visit the DBS online security page for the latest security alerts and tips to safeguard yourself and your loved ones when banking online.