He tried again and received another SMS with an OTP. This time, he managed to add his card to the app.
On Dec 20, he received notifications that two transactions had been made on his credit card, amounting to €1,035. He also discovered that two transactions, totalling about €237, were made on Dec 18.
He went back to check and realised the first OTP was for adding his card to Google Pay.
Another victim, who wanted to be known only as Larry, described a similar experience.
He linked his POSB credit card to Koufu Eat on Nov 25 and received an OTP to add his card to Google Pay. Thinking the message was for adding his card to the app, he keyed it in.
As with Mr Teh, his first attempt was unsuccessful, but his card was added on his second try.
On Dec 7, he was notified that a transaction of €1,480 was made on his card.
One victim, who wanted to be known only by her first name Celine, said she had tried adding her husband’s debit card to the app on Dec 11.
When her husband received the OTP notification, he read out the six digits to Celine.
The app kept hanging every time she keyed in the OTP. She eventually gave up and did not add the card.
However, at about 2am on Dec 21, her husband was notified that his card had been charged about €500 without his authorisation.
The couple later discovered that the OTP message that they had been sent while trying to use their card on Koufu Eat had also been for adding their card to Google Pay.
The incident came as a rude shock for Celine.
“We are both in our mid-30s … We are very IT savvy,” she said. “The chances of us getting scammed is like close to a minimum.”
“But apparently it still happened because we didn’t really read the messages carefully.”
All three victims made police reports after the fraudulent transactions.
Koufu told CNA its app is not linked to e-wallet payment modes, such as Google Pay or Apple Pay.
It also said Koufu Eat does not store any of its customers’ credit card details as its payment gateway is eNETS.
Once customers check out their orders on the app, they are directed to the eNETS payment gateway to process the payment.
NETS said its investigation showed that the reported fraudulent transactions were not processed by eNETS.
The payment gateway is certified in accordance with the latest industry guidelines, it added.
Information passing through the payment gateway is encrypted and the credit card information is tokenised, said the eNETS spokesperson, adding that it does not store card verification value (CVV) credentials in any form.
“The case is now under investigation. We will continue to extend our support to the Singapore Police Force as required,” NETS said.
None of the victims have been able to get their money back. When they approached DBS, the bank explained that it could not withhold or waive the transactions.
According to Celine and Mr Teh, they were told that since they keyed in the OTP, they had authorised adding their card to Google Pay and these transactions were considered legitimate.
Mr Teh was told the transaction was classified as secured and remained the liability of the card holder, but the police may recommend a “special arrangement” to the bank for consideration.
In response to CNA’s queries, DBS said on Tuesday that it is aware of recent reports of unauthorised transactions on its customers’ cards after adding them to the Koufu app.
“We have been working closely with Koufu and the police to investigate this matter thoroughly,” said the bank.
DBS said investigations indicate that there has been “no compromise” to its payment and card platforms and that they remain secure.
“Instead, affected customers had authorised the addition of their card to an unknown third-party Google Pay wallet. When a card is added to a mobile wallet, it is akin to having the card on hand,” said the bank.
“For this reason, subsequent card payments made via the mobile wallet cannot be disputed. We have been in touch with affected customers to provide support and assistance.”
It encouraged customers to remain vigilant and to report unauthorised transactions to its 24-hour fraud reporting hotline at 1800 339 6963 if they are within Singapore or on +65 6339 6963 from overseas.
“We also recommend activating transaction notification alerts to stay informed of all card activity and regularly monitoring payments for any suspicious transactions,” said DBS.