Time for a rethink

The UAE's banks are being forced to re-examine systems and processes in the aftermath of a major ATM fraud.

The UAE's banks are now assessing the lessons learned from one of the country's worst ATM frauds. Last month, thousands of dollars allegedly disappeared from accounts across some of the UAE's biggest banks, prompting calls for a radical rethink of security procedures and practices.

Details of credit and debit cards, including PINs and replica cards have allegedly been used internationally during the incident. The specific and accurate data required to commit fraud of this magnitude could only have been acquired through a significant breach of bank security.

The apparent theft of information has prompted alerts from some of the country's major banks, for customers to change their PINs post haste, in an attempt to prevent theft from continuing.

Lloyds Bank, HSBC, Dubai Bank, Visa and CBI, are among those financial institutions who have issued statements on the matter, while many other affected organisations appear to have gone to ground over the issue.

Some banking security experts have put the incident down to a trusting mentality in the UAE that has transferred itself to the banking security sector, where historically, cases of fraud have been extremely rare. One expert commented that because banks have never had to worry about this issue previously, they have become overwhelmed to find their current security systems are inadequate.

The incident has left ATM and card security specialists scratching their heads, perplexed by the conundrum of exactly how the fraud was perpetrated. At this stage all that is known is that important customer data was accessed through UAE banks, and distributed for use internationally.

Very little is known about how this important and supposedly secure data was accessed, leading to much speculation within the finance community. It is clear that the fraudsters accessed a variety of accounts across many different banks within the UAE, and the fraudulent transactions did not take place within the country.

General manager of security firm Scanit, David Michaux, says there are two major theories as to how the fraudsters acquired the information needed to access accounts and replicate credit and debit cards.

"One is the fact that it was a skimming exercise, and there was a team that worked here by attaching a card reader to the ATM and found a way to read the PIN. If that's the case it would be a good day. A bad day would be if it was a data breach, that would be very serious," says Michaux.

The second theory is that the attack was too well-planned to have been a skimming exercise, and must have been a calculated data breach. "What we saw was definitely a planned attack, it was not an accident, or something where somebody stumbled across information on Tuesday and used it on Wednesday. They would have been storing the information and setting this up days or weeks in advance," says Trend Micro's Middle East director, Justin Doo.

"We have a very, very trusting society in this area. We haven't managed to get the message out into the market about what the threats are. And the same goes for the high level security. If you look at what happened here, it was a fairly major network compromise," says Doo.

Most of the effected banks have declined to provide detailed comment on the incident, with some releasing brief written statements on the theft, and most issuing alerts to customers to change their PIN.

READERS' COMMENTS

MORE FROM ARABIANBUSINESS.COM