The great UAE ATM sting - have banks learnt their lesson?

A couple of weeks ago a major fraud was carried out against banks in the UAE, a fraud that resulted in a loss of several million dollars.

By Mark Sutton. Published June 13, 2003

While the media in the UAE was quick to discover the crime, the banks in the region stayed remarkably quiet about it, and with good reason: as more details emerge about the crime, it is becoming clear that this fraud should never have happened.

The crime itself is relatively straightforward, although it does require a degree of organisation and technical competence. The persons behind the crime targeted ATM machines, and through the use of either a special card called a ‘white card’ or a device planted on the ATM itself, the gang were able to collect the card numbers and PINs of a large number of debit and credit cards.

Once you have these numbers it is again a relatively simple procedure to create batches of fake cards.

The criminals then went back to the ATM machines, this time selecting those that are not covered by CCTV cameras and used the fake cards to withdraw as much money from the machines as possible.

By making their move just before midnight, the gang was then able to wait until midnight and the start of a new day, and take even more money from the machines. The attacks were also made over the weekend, giving the culprits a long time before the banks would detect what had happened.

The attack and its methods are well documented, as these sorts of attacks first came to light several years ago, which is exactly why the banks in the UAE should not have been caught out. Several security experts were surprised to see this means of attack being carried out, as the ways to prevent it are also well known, and yet apparently the banks were not prepared.

The situation reminded me of a scene from the classic con-artist film ‘The Sting’ starring Robert Redford and Paul Newman. As the two con-men are discussing how to carry out their latest trick, they consider using an old scam which hasn’t been used for some years — which is exactly why they think it will work — their victim won’t remember this con, whereas he might be aware of more recent tricks.

The banks in the UAE seem to have fallen for a similar approach. It is strongly suspected that the perpetrators of the attacks were from outside of the region, and came here looking for targets that weren’t secured against methods that had become too well known elsewhere.

But for the banks in the UAE, ignorance is no excuse. The banking industry is multinational, and so is the business of IT security. The methods used in these attacks were well known. International systems and software vendors have the utilities and applications that can be used to prevent transactions that fall outside of usual patterns of usage, even outside of business hours, and securing an ATM machine is not a major task. Yet a large number of both local and international banks in the country seem to have failed to take the basic steps to safeguard themselves. They might lock the money in the vaults at the end of the day, but leaving ATM machines wide open is as good as having given the thieves a key.
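The midnight timing described earlier pays off only if a card's withdrawal limit is counted per calendar day. The following is an added example, not part of the original article: it replays constructed withdrawals against an assumed per-card limit, once with a limit that resets at midnight and once with a rolling 24-hour limit. The limit value, card names and function names are all hypothetical.

```python
from datetime import datetime, timedelta

DAILY_LIMIT = 5000  # assumed per-card cash limit (constructed value)

# Constructed sample withdrawals: (card, timestamp, amount)
WITHDRAWALS = [
    ("card-B", datetime(2000, 1, 1, 10, 0), 2000),   # ordinary customer
    ("card-A", datetime(2000, 1, 1, 23, 50), 5000),  # just before midnight
    ("card-A", datetime(2000, 1, 2, 0, 5), 5000),    # just after midnight
    ("card-B", datetime(2000, 1, 2, 18, 0), 2500),   # ordinary customer, next day
]

def calendar_day_allows(history, card, when, amount, limit=DAILY_LIMIT):
    """Limit that resets at midnight: only same-date withdrawals count."""
    spent = sum(a for c, t, a in history
                if c == card and t.date() == when.date())
    return spent + amount <= limit

def rolling_window_allows(history, card, when, amount, limit=DAILY_LIMIT,
                          window=timedelta(hours=24)):
    """Limit over the preceding 24 hours: midnight gives no fresh allowance."""
    spent = sum(a for c, t, a in history
                if c == card and when - window < t <= when)
    return spent + amount <= limit

def replay(check):
    """Run the withdrawals through a limit check; return (approved, declined)."""
    approved, declined = [], []
    for card, when, amount in sorted(WITHDRAWALS, key=lambda w: w[1]):
        target = approved if check(approved, card, when, amount) else declined
        target.append((card, when, amount))
    return approved, declined

def paid_out(approved, card):
    """Total cash dispensed to one card."""
    return sum(a for c, _, a in approved if c == card)

if __name__ == "__main__":
    for name, check in (("calendar-day", calendar_day_allows),
                        ("rolling-24h", rolling_window_allows)):
        approved, declined = replay(check)
        print(name, "card-A paid:", paid_out(approved, "card-A"),
              "declined:", len(declined))
```

Under these assumptions the rolling window declines only the second withdrawal on the card used either side of midnight, while the ordinary customer's two withdrawals are approved under both rules.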

Security experts talk time and again about the reluctance of some organisations to act until they have suffered a catastrophic loss. Now the banks in the UAE have lost perhaps $13 million, not to mention the damage done to customer confidence and customer relations. Maybe now they will act to bring the banking systems in this region into line with the rest of the world?
