For all GRAB users that i know, please unlink your credit/debit card from GRAB Grab (tagging Grab too). I’d been told twice by different GRAB customer service managers that I can post the issue i am facing with GRAB to any social media, CASE, or anywhere. So I am now trying my best to escalate and spread awareness.
First of all, i would like to share a picture about 6 transactions done at the same timing 25 Oct 2020, 9:12 AM (i can’t confirm the seconds as the apps only allow me to see as such) can someone enlighten me, is it possible for a user to execute 1 topup, 3 payments to a merchant call Razer Gold, and 2 payments to Qoo10 at the same timing 9:12 AM(police officer on-site confirmed the timing too)?
BUT unfortunately GRAB support kept saying their GAC and OTP verified those transactions and confirmed those are valid transactions. In fact i didn’t receive any OTP and GAC at that time (i was in a course from 8am-4pm SGT) and GRAB still allows 900 SGD topup from credit card and repeated payments to merchant without stopping or at least SMS/notify the user on potential fraudulent transactions. EVEN SAY they sent OTP, how the OTP been compromised?
The managers shared to me: they had done their level best to assist on my case by concluding not GRAB system issue, OTP/GAC is working fine and nothing more they can do. I even asked what Grab will do if police investigated and the account of Razer Gold and Qoo10 not mine.
SADLY, no one from grab able to answer those questions. And they encouraged me to share this issue to social media, CASE or anywhere i can think of.
Police report was made on the day i found out there were unauthorised transactions in my grab wallet 27 Oct 2020 around 9pm SGT, because i was trying to order for dinner from grab food and notice my balance was not as i remembered. That triggered me to check my transaction page and i found out those 6 transactions.
IF I am with GRAB support, the picture says thousand words, it is impossible for a user to make 6 transactions at the same timing. Then i will wait for police investigation to confirm if the address and the user who made the payments are matched, or find out and confirm on PEN test or vulnerability assessments to confirm that this won’t happen in the system (given the time the support get back to me, i don’t think it is sufficient to do so much tests). But the treatment i get from Grab support were JUST CONCLUDED that customer shared OTP to 3rd party, and no REFUND (in short, customer’s fault).
I think GRAB didn’t treat this issue seriously even related to system security might had been compromised, and might impact GRAB’s reputation, security and dependability. The whole journey with Grab support/call centre were totally disaster, but i won’t share it here.
THE MOST IMPORTANT MESSAGE, PLEASE unlink your credit/debit card or any money related apps from GRAB, as somehow the OTP/auth had been compromised for some unauthorised transactions. IT IS NOT SAFE.