The Ostrich Approach

Banking security hit the headlines in the UAE yesterday, after the Central Bank released a statement warning that an ATM in the country had been hit by a skimming hack , resulting in an unknown number of compromised accounts. And as usual, while a small handful of banks in the country were ready to talk about the problem, most of them decided to stick their heads in the sand and pretend that nothing was wrong.

The news broke online (and made the front page of some newspapers the day afterwards) leaving most UAE residents, or in fact anyone who read the story and had used an ATM in the country recently, wondering if their bank details had been stolen.

The initial statement from the Central Bank of the UAE didn't mention where the hacked ATM was or which bank it belonged to - just the fairly ominous announcement that all cards used in the machine over a seven day period had their data copied.

Follow up enquiries from itp.net and our sister site arabianbusiness.com, frankly, got nowhere. Who was hacked? What should bank customers do if they are worried? Are the hackers still active in the UAE? No proper answers, just some advice from one or two more helpful banks on what to look out for in future.

Some security incidents need to be treated confidentially. The media doesn't expect to get every single detail of every single security incident, and nor should we. But the poor communications skills shown by the financial sector is not just frustrating and worrying, it is downright negligent. The manner of the hack used on this ATM is nothing new. Most likely the gang has moved on from skimming ATMs in other countries where protection from this sort of attack is now standard. In fact, a large proportion of ATMs in the UAE have already got protection installed, and banks should be checking the machines to look for card readers and cameras.

The hack went undiscovered for seven days, a long time given that some ATM frauds take minutes, and also given that the card reader and camera would have been left attached to the machine for the whole length of time, with the criminals nearby or making regular visits to harvest the data. This would suggest that the criminals targeted a machine without protection, that wasn't checked regularly, in an out of the way place, or had inside help.

All of which raises the question - which bank didn't take steps to safeguard its ATMs, and in turn, its customers? Maybe the criminals have developed a new method of skimming cards, and put a new twist on an old scam, but most likely, they spotted an easy target and took advantage of it.

And unfortunately, none of the users of the compromised ATM spotted anything out of the ordinary and reported it. While it shouldn't fall to the end customer to protect themselves if the service provider is being careless, it works against everyone's interests not to issue proper warnings of threats or to refuse to disclose details after an incident. If there is a new scam, end users need to be educated about it; if its an old trick then they need reminding to be aware, and if a bank has been negligent in failing to stop a well-known security problem, it should be held to account.

Without customer education about threats, they will continue to be a part of the vulnerability. Proper communications with customers isn't just about peace of mind for customers, but also about making them into another line of defence against security hacking, whether physical or online.