RM1 million scam: How did Maybank allow two RM500,000 transactions without OTP?

Malay Mail

KUALA LUMPUR, March 2 — A Kuching businessman lost RM1 million from his Maybank account on 26th February 2023 after allegedly answering a phone call. Fortunately, he has managed to recover the funds after calling the National Scam Response Centre (NSRC) at 997. What’s intriguing is how such fund transfers are authorised without any One-Time-Password verification.

During a press conference held by Michael Kong Feng Nian, the special assistant to Sarawak DAP’s chief Chong Chieng Jen, it was revealed that the victim’s Maybank account had recorded two fund transfers amounting to RM500,000 each to Celcom Sdn Bhd. After getting in touch with both Maybank and Celcom on Monday, Celcom reimbursed the RM1 million to the victim the next day.

Maybank Transaction Records showing two RM500,000 transactions to Celcom Sdn Bhd. — Picture via SoyaCincau

Michael said credit must be given where it is due and he appreciated the fast response in recovering the funds. However, this incident reveals a major security flaw as it is definitely not normal to see a RM500,000 transaction being approved despite the current security safeguards imposed by banks, including daily transaction limits. He questioned how it was possible to transfer such a large amount without requiring an OTP and without any notification being sent to the user.

Although it was a happy ending for the victim, Michael calls for better security measures by the banks as there are many victims who have been scammed but have not recovered the funds which were transferred without their approval. He has repeated calls for the government and Bank Negara Malaysia to take necessary steps to boost public confidence in the country’s financial institutions and banking system.

Chong Chieng Jen, who also serves as Stampin MP, has recently called for banks to be held accountable for scams. He suggests making it compulsory for banks to reimburse scam victims so that they will be motivated to invest in upgrading and enhancing their online banking facility and tightening their SOPs for online transfers.

According to Maybank’s website, they have increased the daily limit for various transaction types from 18th June 2022. For individuals, customers can transfer up to RM50,000 per day while business accounts can transfer up to RM100,000 per day. However, it is mentioned that a customer may have the flexibility to enjoy a higher transfer limit based on the total investable asset with the bank.

Typically, Maybank would require an OTP or Secure2U transaction if funds are transferred to a new 3rd party or mule account. If the scammer intends to siphon funds, they would need to find a way to retrieve the OTP from the victim in order to complete the transaction. OTP typically isn’t required if the transfer is made to a saved account or biller on Maybank2u. In this recent incident, it appears that Celcom could be a saved biller and the culprit may have a different motive for the attack.

The biggest question is how is it even possible to transfer half a million ringgit twice considering there already are limits in place for 3rd party and interbank transfers? We have reached out to Maybank for further clarification.

As always, if you believe that you have been scammed, you should call NSRC at 997 immediately for a higher chance of recovering stolen funds. Last year, the NSRC recovered about RM1.4 million worth of funds for online scam victims. — SoyaCincau