SINGAPORE - When Miss Huo Xi Ping checked her OCBC Bank account on May 14, the student was stunned to learn that a total of $137 had been charged through several transactions over two days to ChatGPT subscriptions.
But the 19-year-old student had never subscribed to the paid version of OpenAI's artificial intelligence programme, which was launched in February and costs US$20 (S$27) per month.
She is among a growing group of credit and debit cardholders in Singapore and overseas who have been unwittingly charged by legitimate firms including OpenAI and Apple through fraudsters.
Cyber security firm Palo Alto Networks has also recorded a surge in ChatGPT-themed attacks from its research between November 2022 and April, with more than 100 daily ChatGPT-related malicious URLs and multiple phishing URLs attempting to impersonate official OpenAI sites.
Since January, the police have received four reports of OpenAI or ChatGPT making such unauthorised transactions, although the Cyber Security Agency of Singapore (CSA) said it has not received any reports of fraudulent transactions related to ChatGPT subscriptions.
The CSA and cyber security experts said such small transactions could have been used by cyber criminals to identify or validate debit and credit card details before making larger transactions, and advised consumers to set alerts for these transactions on their accounts.
After discovering five ChatGPT transactions dated May 11 and May 12, Ms Huo contacted OCBC, which eventually refunded her the sum, cancelled her card and lodged a police report.
"I have registered for a free account on ChatGPT, but I have never entered my card details on ChatGPT's website," she said.
Customers of other local banks including POSB, DBS Bank and UOB have found similar transactions in their accounts.
A DBS credit card holder, who wanted to be known only as Mrs Law, said she was charged US$40 by a non-existent website and reported the incident to the bank in May.
"(The bank) didn't explain how the transactions occurred, and just proceeded to cancel my card and reissue me a new one," the 28-year-old curator said, adding that she received a refund and did not make a police report as it was a small amount.
Others have taken to social media platforms like Reddit, TikTok and Xiaohongshu to air their grievances about unapproved charges to their local bank accounts.
On May 29, content creator Daisy Anne Mitchell posted on TikTok that she lost $205 over eight days through 28 small transactions, including charges of $1 and $3, made from her POSB account to Apple.
On Thursday, a Reddit user who wanted to be known as Ms Tan said she lost $79 due to six unauthorised transactions to various firms made with a UOB debit card.
"People who don't use the provided debit cards, especially the spares that the banks give out, won't expect any transactions to be made on it, and thus may rightfully be wholly unaware of such transactions.
"And I don't think most people are aware that these debit cards can be compromised without the card ever leaving the house, physically nor digitally," the 28-year-old told The Straits Times on Friday (June 9).
Mr Ian Lim, Palo Alto Networks' field chief security officer, said these card details could have been derived from a Bank Identification Number (BIN) attack, where fraudsters have the leading six digits in a credit card and use software to generate the remaining numbers, along with the card verification value or CVV, and expiration dates.
Mr Lim said: "The fully generated numbers are then tested against real transactions to see if the card is still valid."
Also, most merchants do not require the user to provide two or more verification factors to make transactions that do not require physical cards, to facilitate the ease of use, Mr Lim said, noting that BIN attacks have been rising in tandem with online purchases.
This allows emuneration machines to generate different combinations of numbers without the need for customers to approve each of these transactions. The fraudulent transaction is successful when a debit or credit card number generated by trial and error works.
Fraudulent transactions can also occur when cyber criminals use card details from a data leak or when a customer's data is stolen from an unsecured website, said Mr Beaver Chua, OCBC Bank's head of anti-fraud, group financial crime compliance.
The CSA spokesman said such methods to test card details are not new and advised the public to inform their financial institution and the police immediately if there are fraudulent or suspicious transactions.
A Monetary Authority of Singapore (MAS) spokesman said customers will not be held liable for unauthorised transactions if a merchant has not required consumers to authorise online card transactions using a one-time password.
However, the onus is on merchants to activate 3D Secure (3DS) authentication, an additional step that requires the customer to enter a password associated with the card or code sent to their phone on their bank's website before a payment can be made.
Merchants may opt out of 3DS, as such added steps to a customer's purchase journey can impact sales revenue and volume, according to Mr Yeo Siang Tong, cyber security firm Kaspersky's general manager for South-east Asia.
Others could have required 3DS authentication only for bigger transactions, he said, which means that transactions of about $20 to $30 could have bypassed this check.
Said Mr Yeo: "This small value deduction is another tactic that criminals deploy to reduce suspicion from the victims."
OCBC, UOB and DBS advised customers to protect themselves by regularly monitoring their transactions and familiarising themselves with security controls such as how to temporarily lock their cards.
A DBS spokesman said: "Most reputable online merchants are 3D Secure enabled. For greater peace of mind, customers should always try to transact with these merchants and be aware of the card security protocols to further protect themselves."
The Straits Times has contacted OpenAI with queries.
What customers can do to protect themselves from fraudulent charges
- You may consider using an identity theft protection service to monitor your accounts and provide reimbursement options following an identity theft.
- Set up transaction alerts for amounts as low as $0.01 on your bank's app.
- Regularly check your card statements. If you see any discrepancies or receive SMS/push/e-mail notifications for transactions that you did not make, you should notify the bank immediately or within seven days upon receiving your cards' statement.
- If aware of an unauthorised transaction, promptly alert your bank.
- You can also temporarily lock your cards using your banking apps. Banks will review the case if there are grounds for dispute and help you in raising a dispute report to Visa or Mastercard.