Con game, blame game

While experts debate on how the recent spate of card frauds could have occurred in the UAE, there is no doubt that banks need to step up their security measures, and regulations have to catch up.

A major case of card fraud, affecting multiple customer accounts, rocked major UAE banks last month. The fraud, which affected banks including Dubai Bank, National Bank of Abu Dhabi, HSBC and Lloyds TSB, involved the theft of untold amounts of money.

Very little is known about how this important and supposedly secure data was accessed, leading to much speculation within the finance community. With the banks silent on what exactly occured, customers and security experts have been left to wonder on how the breach could have happened.

 

"There are many different types of card fraud, or fraud using cards, from the simplest ATM machine compromises, to high-end network hacks. Criminals sometimes try a combination of different methods to get the information they need. My reaction is that this was fairly well planned, and it was carried out in order to get maximum impact as soon as possible, so that the criminal could benefit as soon as possible," says Richard Archdeacon, part of Symantec EMEA's security practice.

"What was interesting about the recent reports is the loss of card activity that occurred outside the region. In other words, there was a definite attempt to take the information and turn it into cash very rapidly. And this is one of the characteristics of the underground economy. The criminals will band together, or they will send their information onto other criminals, and they will then use it internationally to get money," he added.

While customers themselves make for easier targets, most experts agree with Archdeacon, stating that the sheer scale of the breach indicates a focused attack, where a whole amount of data was stolen for rapid use across the world.

"There is the possibility of data leaking from a bank - intentionally or unintentionally. When an employee who has sensitive data on his PC accesses a website not related to work, a spyware or keylogger can be placed in his system without his knowing.

This will start stealing the customer information on the PC, and sending it out through the same site, and the employee will not even know," points out Judhi Prasetyo, Middle East consulting manager at Fortinet.

While many industry experts believe that banks in the region, like their global counterparts, have invested heavily in network security, a lot more work is warranted in the area of card security as well as educating customers on the travails of internet banking.

One of the suggestions from security experts is for card companies in the region to make the switch from magnetic stripe cards, to chip-card, or chip-and-PIN technology.

This system requires both the customer's personal details and a microchip contained within the card to be present at any particular time for a transaction to be processed.

"Banks in the UAE have been testing security applications manually. The downside to this method is that it is a time consuming process and you couldn't do as thorough a testing as required to ensure that no hacking is possible. The only way to circumvent that is to have EMV or chip-based cards and to do your testing as frequently as required, making sure you are always compliant with the latest EMV mandate that sets the standards," says regional director of Level Four software, Issa Keshek.

Meanwhile, others are calling for better laws and regulations to monitor and control the way banks handle breaches across the region. Cambridge University professor of security engineering, Ross Anderson says the way for the UAE to move forward is to adopt a system akin to the US regulatory scheme.

Whether with new laws, or by customer insistence, it is clear that with this attack, banks and financial institutions will have to gear up and become alert to security in the future. The clock is ticking.