Date: 2025-01-28
Credit card services disabled on Koufu app amid police investigation into unauthorised transactions
Some victims found out that their cards were used via Google Pay after they tried to add them to the Koufu Eat app.
SINGAPORE: Food court operator Koufu has stopped credit card services on its app amid police investigations into unauthorised transactions that customers said were linked to the app.
Last month, the company started receiving reports of unauthorised transactions on payments in its Koufu Eat app.
Some victims told CNA their cards were used without their knowledge days after they tried to add them to Koufu’s app. People also left reviews on Google Play store detailing a similar experience.
Earlier this month, customers using the app received a notification saying that the card payment option was unavailable due to a “technical update” on its payment gateway.
In response to CNA’s queries, Koufu confirmed that the credit card services were disabled due to police investigations. Currently, customers can only use PayLah! to make payments.
Koufu, which runs over 70 outlets, said it has been in talks with the police about the app’s security since it received reports of the fraudulent incidents.
“Our initial investigations with the Singapore Police Force (have) not detected any security and data breach.
“Our app payment gateway is built to the security standards and in accordance with industry guidelines,” it added.
NETS, which runs the payment gateway eNETS that Koufu’s app uses, said on Tuesday (Jan 28) that there has been “no indication of any compromise of security controls” on its end.
Police investigations are ongoing.
VICTIMS’ CARDS USED VIA GOOGLE PAY
Several reviews posted on Google’s app store - with the earliest dating back to October - were purportedly by customers whose cards were added to Google Pay or charged without authorisation after they tried to add the cards on Koufu’s app.
As of Jan 27, there were 12 such reviews.
A Reddit post about two weeks ago described a similar experience.
Three victims told CNA that they received an SMS with a one-time password (OTP) when they tried to add their credit cards to the Koufu app, but it did not work on the first try.
Days later, they realised their cards were used via Google Pay – with transactions between €500 (US$525) and €1,500.
Mr Teh, who wanted to be known only by his last name, visited a Koufu food court on Dec 7, 2024. After keying his credit card details into Koufu’s app, he received an SMS from DBS with an OTP to add his card to Google Pay.
He assumed that this OTP was to add his credit card to the app.
“At that point, I was adding my information … I was expecting an OTP to come in for me to add the card to Koufu. So when the SMS came in, obviously I will enter (it) in,” he said.
But when he tried to order food on the app, it was unsuccessful.
“This was strange at that point (in) time, but I'm not someone who buys stuff online so frequently that I immediately spot what's going on,” he said.
He tried again and received another SMS with an OTP. This time, he managed to add his card to the app.
On Dec 21, he received notifications that two transactions had been made on his credit card, amounting to €1,035. He also discovered that two transactions, totalling about €237, were made on Dec 18.
He went back to check and realised the first OTP was for adding his card to Google Pay.
Another victim, who wanted to be known only as Larry, described a similar experience.
He linked his POSB credit card to Koufu Eat on Nov 25 and received an OTP to add his card to Google Pay. Thinking the message was for adding his card to the app, he keyed it in.
Like Mr Teh, his first attempt was unsuccessful but his card was added on his second try.
On Dec 7, he was notified that a transaction of €1,480 was made on his card.
One victim, who wanted to be known only by her first name Celine, said she had tried adding her husband’s debit card to the app.
When her husband received the OTP notification, he read out the six digits to Celine.
The app kept hanging every time she keyed in the OTP. She eventually gave up and did not add the card.
However, at about 2am on Dec 21, her husband was notified that his card had been charged about €500 without his authorisation.
The couple later discovered that the OTP message that they had been sent while trying to use their card on Koufu Eat had also been for adding their card to Google Pay.
The incident came as a rude shock for Celine.
“We are both in our mid-30s … We are very IT savvy,” she said. “The chances of us getting scammed is like close to a minimum.”
“But apparently it still happened because we didn’t really read the messages carefully.”
All three victims made police reports after the fraudulent transactions.
Koufu told CNA its app is not linked to e-wallet payment modes, such as Google Pay or Apple Pay.
It also said Koufu Eat does not store any of its customers’ credit card details as its payment gateway is eNETS.
Once customers check out their orders on the app, they are directed to the eNETS payment gateway to process the payment.
NETS said its investigation showed that the reported fraudulent transactions were not processed by eNETS.
The payment gateway is certified in accordance with the latest industry guidelines, it added.
Information passing through the payment gateway is encrypted and the credit card information is tokenised, said the eNETS spokesperson, adding that it does not store card verification value (CVV) credentials in any form.
“The case is now under investigation. We will continue to extend our support to the Singapore Police Force as required,” NETS said.
None of the victims have been able to get their money back. When they approached DBS, the bank explained that it could not withhold or waive the transactions.
According to Celine and Mr Teh, they were told that since they keyed in the OTP, they had authorised adding their card to Google Pay and these transactions were considered legitimate.
Mr Teh was told the transaction was classified as secured and remained the liability of the card holder, but the police may recommend a “special arrangement” to the bank for consideration.
In response to CNA's queries, DBS said on Tuesday that it is aware of recent reports of unauthorised transactions on its customers' cards after adding them to the Koufu app.
"We have been working closely with Koufu and the police to investigate this matter thoroughly," said the bank.
DBS said investigations indicate that there has been "no compromise" to its payment and card platforms and that they remain secure.
"Instead, affected customers had authorised the addition of their card to an unknown third-party Google Pay wallet. When a card is added to a mobile wallet, it is akin to having the card on hand," said the bank.
"For this reason, subsequent card payments made via the mobile wallet cannot be disputed. We have been in touch with affected customers to provide support and assistance."
It encouraged customers to remain vigilant and to report them to its 24-hour fraud reporting hotline at 1800 339 6963 if they are within Singapore or on +65 6339 6963 from overseas.
"We also recommend activating transaction notification alerts to stay informed of all card activity and regularly monitoring payments for any suspicious transactions," said DBS.