The tip of the iceberg

It was the week when the security promises made by multiple banks across the UAE went flying out the window.

  • E-Mail
By  Sathya Ashok Published  September 17, 2008

It was the week when all the security promises made by banks in the UAE went flying out the window.

Multiple banks in the country, including HSBC, Lloyds TSB, Citibank, National Bank of Abu Dhabi (NBAD) and Dubai Bank have had money stolen from customer accounts via fraudulent withdrawals within and outside the UAE. Only Dubai Bank has so far revealed that around 42 of its customers has been affected by the card fraud. It is not yet clear how much money has been lost by the banks.

What’s most disturbing though is the fact that the banks have not revealed yet how the extensive fraud happened in the first place. How did the fraudsters get through the security mesh of the banks, some of which employed two-factor authentication to ensure that customers are who they state themselves to be, to steal from not one, but multiple accounts across the country?

Banking and financial institutions are reputed worldwide to be one of the biggest investors in security solutions. Not only do they spend a lot more than other verticals on security systems, but they also tend to be pioneers in using new, groundbreaking solutions first. This is simply because of the nature of the data involved.

Unlike most other organisations, banks tend to deal with important and critical information not just within the company, but also constantly with its customers. As customers demand more ease in transaction and universal availability of their funds, banks have been forced to provide these services increasingly over the web and through remote offices. These measures have also required an increased focus on security, and the need to control the way data flows within and outside the organisation’s network.

You would think that by now, with operations across the globe, big international banks would have got the game all squared. And I guess you would be wrong, at least in the Middle East.

This is not the first instance of a bank’s apparent security screen being breached. There have been others in the past, known and unknown, and all indications point to the very real possibility that this is likely to happen again. Such is the nature of humans and such are the limits of technology.

However, while the Middle East is as open to attacks as any other region, the problem is compounded by the lack of proper regulations that monitor and require banks to state breaches clearly to customers when they do occur. With the lack of laws that hold financial institutions accountable for the mistakes they commit, it is left up to the individual discretion of the bank as to how much damage it reveals to the public and how much of it remains behind closed doors.

When banks have that huge loophole to slip through, chances are that they are not as driven as their counterparts elsewhere in the globe to invest in security, brush up their processes and remain alert to any possibility of breaches. All of the above can create a financial overhead for the organisation, and banks in the region try to minimise on this. And why should they not, when there no government strictures or legal regulations to pull them up and demand an explanation, even when they suffer from a spate of fraud instances, and lose untold amounts of customer money?

Recent reports indicate that banks are brushing up on their security following the massive breach. Such a reactive approach to what has happened is pathetic damage control at best. That being said, the card fraud and what banks are doing to minimise the spread, is just the tip of the iceberg.

Governments across the Middle East have to wake up to the need for stricter principles to guide organisational operations, especially in the case of companies that handle as sensitive data as do banks everyday. They should pass rules that demand banks to reveal not only exactly what they are doing in terms of security, but also that they bring to light the true extent of any breach – small or large – in their organisation, along with details on how it could have happened and exactly what measures they are putting in place to ensure there are not repeat instances.

Only with this true knowledge can customers see through false claims and choose wisely between all the various financial institutions purporting to offer world-class services. Until then, putting all your money in a locked box under your bed might prove to be a safer choice.

3922 days ago

In this part of the world, banks insist on giving an atm card which also acts as a debit card. This can be a serious security risk for a customer, as i am sure sound bankers will agree. Customers should have the option of having just an atm card.

3926 days ago

Banks weren't "forced" to provide online banking to make life easier for customers - they did it because it's cheaper than having real people in physical branches! Just look at the amount of branches closed over the past ten years, and at the fact that many banks now charge more for the same services 'in person' than if you get those same services online.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code