DBS Group has lost $500,000 to fraudsters who withdrew the cash from the accounts of about 400 customers earlier this week at ATMs in Malaysia but does not expect further losses, it said yesterday.
Customers who used two of its standalone ATMs at Bugis Street over a three-day period in late November are likely to have had their card details and personal identification numbers (PINs) stolen, according to the bank's analysis of the fraud victims' transaction records.
The bank has moved swiftly, contacting all 2,726 customers it believed to be at risk after using those ATMs, deactivated their ATM and debit cards, and offered them replacements.
By the end of yesterday, it had also contacted all customers whose account history showed an ATM transaction in Malaysia in the past few days to check if they had made such a transaction.
DBS has pledged to compensate customers fully for any fraudulent transaction within 24 hours.
It is also alerting customers by text message whenever money is withdrawn from their account at an ATM in Malaysia, DBS Singapore country manager Sim S Lim told reporters at a briefing yesterday.
"Increasing evidence points to the unauthorised withdrawals as being part of a card-skimming operation," he said.
"At this stage of our investigations, we know the location which has most likely been compromised, and the date and time it happened, and isolated the customers at high risk," Mr Lim said. He declined to reveal the precise location of the ATMs or exactly when they were compromised, citing security concerns.
The bank's anti-fraud team is working with the police here to investigate the theft.
It is unclear how customers' card details or PINs were stolen. A thorough check of the machines showed no evidence of tampering or suspicious devices and the machines are still in use, said Jeremy Soo, DBS's head of consumer banking in Singapore.
All the bank's ATMs are fitted with devices designed to prevent the theft of card details through skimming.
But "based on the transaction patterns of customers who have reported unauthorised withdrawals from their accounts, we noticed that a large majority of these accounts have transacted at these ATMs", DBS spokesman Karen Ngui said.
The bulk of the unauthorised cash withdrawals were made on Wednesday and Thursday, ranging from a few hundred ringgit to several thousand ringgit, at multiple banks' ATMs in Malaysia, she added.
Some accounts were hit more than once; in several cases, there were multiple withdrawals from a single account within a few minutes.
But by yesterday evening, the bank had received no customer reports of unauthorised withdrawals during the day, only reports of withdrawals in preceding days, Mr Lim said. "We think it's been contained."
Ms Ngui also reminded customers that bank officers would never ask them to reveal their PIN or bank password, warning that fraudsters have tried to impersonate bank officers on the phone.
Asked if the evidence so far indicated that someone within the bank could be involved in the fraud, Mr Lim replied: "Not that I'm aware of."
To cope with the surge in customers seeking to check if their accounts have been affected, the bank has extended the opening hours at its branches since Thursday.
This article was first published in The Business Times.