Smash 'n grab

Leading network security experts are calling for a major overhaul of banking security in the UAE following the theft of thousands of dollars from local accounts by fraudsters.

By Patrick Elligett. Published October 12, 2008

Angry customers have accused banks in the UAE of sleeping on the job in regard to network security following one of the worst fraud scams ever to hit the country. Thousands of dollars have allegedly disappeared from accounts across many of the nation's major banks, causing a shake-up in the ATM and network security sector.

The incident has triggered calls from international security experts for financial institutions in the emirates to update their security systems to prevent the country from being targeted by future scams.

Details of credit and debit cards, including PINs and replica cards have allegedly been used internationally during the incident, with the majority of fraudulent uses taking place in the United States. The specific and accurate data required to commit fraud of this magnitude could only have been acquired through a significant breach of bank security.

The apparent theft of information has prompted alerts from some of the country's major banks, for customers to change their PINs post haste, in an attempt to prevent theft from continuing. Lloyds Bank, HSBC, Dubai Bank, Visa and CBI, are among those financial institutions who have issued statements on the matter, while many other affected organisations appear to have gone to ground over the issue.

Some banking security experts have put the incident down to a trusting mentality in the UAE that has transferred itself to the banking security sector, where historically, cases of fraud have been extremely rare. One expert commented that because banks have never had to worry about this issue previously, they have become overwhelmed to find their current security systems are inadequate.

The incident has left ATM and card security specialists scratching their heads, perplexed by the conundrum of exactly how the fraud was perpetrated. At this stage all that is known is that important customer data was accessed through UAE banks, and distributed for use internationally.

Very little is known about how this important and supposedly secure data was accessed, leading to much speculation within the finance community. It is clear that the fraudsters accessed a variety of accounts across many different banks within the UAE, and the fraudulent transactions did not take place within the country.

General manager of security firm Scanit, David Michaux, says there are two major theories as to how the fraudsters acquired the information needed to access accounts and replicate credit and debit cards.

"One is the fact that it was a skimming exercise, and there was a team that worked here by attaching a card reader to the ATM and found a way to read the PIN. If that's the case it would be a good day. A bad day would be if it was a data breach, that would be very serious," explains Michaux.

The second theory is that the attack was too well-planned to have been a skimming exercise, and must have been a calculated data breach.

"What we saw was definitely a planned attack, it was not an accident, or something where somebody stumbled across information on Tuesday and used it on Wednesday. They would have been storing the information and setting this up days or weeks in advance," says Trend Micro's Middle East director, Justin Doo.

"We have a very, very trusting society in this area. We haven't managed to get the message out into the market about what the threats are. And the same goes for the high level security. If you look at what happened here, it was a fairly major network compromise," says Doo.

Most of the affected banks have declined to provide detailed comment on the incident, with some releasing brief written statements on the theft, and most issuing alerts to customers to change their PIN.

Credit card company Visa released the following statement after they became aware of the matter: "Visa is aware of a possible network intrusion in the UAE and will participate in any investigation as appropriate. In the meantime, the company is working with all banks in the country to ensure that appropriate security measures are being taken to prevent any potential breaches," read the statement.
