Mon 13 Oct 2008 04:00 AM

Smash 'n grab

Leading network security experts are calling for a major overhaul of banking security in the UAE following the theft of thousands of dollars from local accounts by fraudsters.


Angry customers have accused banks in the UAE of sleeping on the job in regard to network security following one of the worst fraud scams ever to hit the country. Thousands of dollars have allegedly disappeared from accounts across many of the nation's major banks, causing a shake-up in the ATM and network security sector.

The incident has triggered calls from international security experts for financial institutions in the emirates to update their security systems to prevent the country from being targeted by future scams.

Details of credit and debit cards, including PINs and replica cards have allegedly been used internationally during the incident, with the majority of fraudulent uses taking place in the United States. The specific and accurate data required to commit fraud of this magnitude could only have been acquired through a significant breach of bank security.

The apparent theft of information has prompted alerts from some of the country's major banks for customers to change their PINs post haste, in an attempt to prevent theft from continuing. Lloyds Bank, HSBC, Dubai Bank, Visa and CBI are among the financial institutions that have issued statements on the matter, while many other affected organisations appear to have gone to ground over the issue.

Some banking security experts have put the incident down to a trusting mentality in the UAE that has transferred itself to the banking security sector, where historically, cases of fraud have been extremely rare. One expert commented that because banks have never had to worry about this issue previously, they have become overwhelmed to find their current security systems are inadequate.

The incident has left ATM and card security specialists scratching their heads, perplexed by the conundrum of exactly how the fraud was perpetrated. At this stage all that is known is that important customer data was accessed through UAE banks, and distributed for use internationally.

Very little is known about how this important and supposedly secure data was accessed, leading to much speculation within the finance community. It is clear that the fraudsters accessed a variety of accounts across many different banks within the UAE, and the fraudulent transactions did not take place within the country.

General manager of security firm Scanit, David Michaux, says there are two major theories as to how the fraudsters acquired the information needed to access accounts and replicate credit and debit cards.

"One is the fact that it was a skimming exercise, and there was a team that worked here by attaching a card reader to the ATM and found a way to read the PIN. If that's the case it would be a good day. A bad day would be if it was a data breach, that would be very serious," explains Michaux.

The second theory is that the attack was too well-planned to have been a skimming exercise, and must have been a calculated data breach.

"What we saw was definitely a planned attack, it was not an accident, or something where somebody stumbled across information on Tuesday and used it on Wednesday. They would have been storing the information and setting this up days or weeks in advance," says Trend Micro's Middle East director, Justin Doo.

"We have a very, very trusting society in this area. We haven't managed to get the message out into the market about what the threats are. And the same goes for the high level security. If you look at what happened here, it was a fairly major network compromise," says Doo.

Most of the affected banks have declined to provide detailed comment on the incident, with some releasing brief written statements on the theft, and most issuing alerts to customers to change their PIN.

Credit card company Visa released the following statement after they became aware of the matter: "Visa is aware of a possible network intrusion in the UAE and will participate in any investigation as appropriate. In the meantime, the company is working with all banks in the country to ensure that appropriate security measures are being taken to prevent any potential breaches," read the statement.

With the majority of financial institutions providing statements much akin to this, it is difficult to gauge the magnitude of the situation at this point in time. But whether it was the case of one person's details being taken, or several thousand customer accounts being accessed, the fact still remains that any breach of bank security is a serious issue for local financial institutions.

A myriad of suggestions have emerged from international banking experts following the intrusion with many commenting that drastic changes are needed in the country's financial security sector, if it is to be recognised as a world class financial hub.

Cambridge professor of security engineering Ross Anderson says the magnetic stripe technology currently used in the UAE is particularly vulnerable to fraud.

"It is entirely trivial for anyone to attach a skimmer to an ATM and pick up card and PIN data to be used at some other ATM in Dubai, America, Thailand or anywhere," says Anderson.

One of the major suggestions from security experts is for card companies in the region to make the switch from magnetic stripe cards, to chip-card, or chip-and-PIN technology. This system requires both the customer's personal details and a microchip contained within the card to be present at any particular time for a transaction to be processed. But the question still begs to be answered: would this technology really prevent future cases of fraud?

"Well it certainly would prevent some types of fraud. It depends on whether it is card-present fraud. But I think in this case a lot of the focus will be around having good detection software and also having the analytics to identify potential fraud that might be going on," says Datamonitor's director of analysis for financial services and technology, Daniel Mayo.

"What they should be doing is using analytical software, or fraud prevention software that can look at suspicious transactions and patterns. The other thing they should be doing is trying to work more internationally so they can see cards that may have been flagged in other markets, and are known to be fraudulent," says Mayo.

"The problem of fraud is one that doesn't really go away. You tend to find that fraud moves across countries, so as one country strengthens fraud protection you will find that fraudsters start to attack other emerging markets," he claims.

Regional director of Level Four Software, Issa Keshek, agrees that fraud cases of this magnitude tend to occur in countries where the economy is expanding and new banks are constantly opening, creating a more attractive target for hackers and the criminals who choose to employ them.

"This is something that we have been talking to banks about because it is a mirror image of what took place in Europe and is taking place in Australia right now," says Keshek.

He also says the banks have become lax in updating their security applications because of the climate of safety that appears present in the UAE. He says they need to switch from manually updating these programs, to automatic updates in order to stave off future attacks on regional financial networks.

"Banks in the UAE have been testing these applications manually. The downside to this method is that this is such a time-consuming process and you wouldn't do as thorough testing as required to ensure that no hacking is possible. The only way to circumvent that is to have EMV or chip-based cards and to do your testing as frequently as required, making sure you use automated testing to remain compliant with the latest EMV mandate," adds Keshek.

Preventing fraud

• Upgrade to chip-and-PIN - Both elements must be present for the transaction to be processed.

• Better government regulations to establish liability in fraud cases.

• Update to automated security testing - tests of security software should be conducted more frequently.

• Increase bank disclosure - Banks should discuss these issues with the public and increase accountability.

• Improve customer education on avoiding fraud - encourage fraud-safe practices amongst customers.

• Stricter monitoring and flagging of fraudulent cards globally - local banks require improved fraud tracking.

• Biometric readers - Install fingerprint readers or retinal scanners on local ATMs.

But not everyone agrees that a migration to EMV technology will dramatically add to card security in the Middle East. According to Cambridge University professor, Ross Anderson, the chip-and-PIN system is only slightly more resistant to fraud than the magnetic stripe system.

"It's slightly harder to commit fraud with chip-and-PIN but not that much harder, because people can sabotage the chip-and-PIN terminals in order to get the terminal to automatically collect card and PIN data. Those cards are used very widely in retail now in Europe as well as in ATMs so there are millions of opportunities to collect card data," says Anderson.

He says the best way for the UAE to move forward in the area of card security is to adopt a system akin to the US regulatory scheme, which was introduced after an elderly woman successfully sued Citibank over a number of disputed ATM transactions involving a relatively small amount of money when compared to similar incidents in recent years.

"In America, if there is a dispute, the consumer is right. In Britain the first ATM cases went the other way because the banks used legal tactics and weighted money arguments to prevent the cases ever being heard. So in the UK, the banks can tell you that you must be mistaken or lying," Anderson says.

"The curious thing here is that the American banks spend less money on security and have less fraud than UK banks, because UK banks are into liability management rather than risk management and they know the customer complaints won't be properly investigated. If the UAE is contemplating which system to use to resolve these disputes, the American system is the only answer. Only if the customer is shielded from fraud, and the bank has to bail the cost, will the bank then have the proper economic incentives to invest in system security," explains Cambridge University's Anderson.

"If the UAE wants to safeguard its position as the financial hub of the Gulf, then one of the things it has to be paying attention to at this time is bank regulation. The regulation of computer security is not the big ticket item. Consumer protection is a part of the security mix that cannot be ignored," he adds.

With the burgeoning economy across the UAE, especially in the emirates of Dubai and Abu Dhabi, the nation's financial institutions are becoming increasingly attractive targets for hackers and fraudsters who are looking to compromise the - now formerly - lax security employed here.

The vast majority of the security community have struck a harmonious chord with their call for an upgrade of banking security systems; the dispute lies in deciding the best method of doing so. Whether this upgrade takes place at a regulatory level, an IT systems level, or at a customer education level, the recent incident has made it painfully obvious that the security of electronic banking in the country is in dire need of a serious overhaul.


Adding fingerprint readers, retinal scanners and other biometric identification to ATMs could help prevent certain kinds of card fraud, according to some banking industry experts. This would also make things easier for customers, because while you can forget your PIN, your fingerprints or your eyes are unlikely to leave you anytime soon.

Director of analysis for financial services and technology at Datamonitor, Daniel Mayo, says biometric readers, much like the chip-and-PIN system, would help reduce cases of card-present fraud.

"The problem is when dealing with cross-border fraud, you may be dealing with people in unknown markets and not have records of their biometrics," says Mayo.

"The ideal security system would be one where you have chip-and-PIN, and ideally some kind of biometric authentication. This would also mean that if customers were using an online computer, they would also have a token by which to identify themselves as well as just the card details," he says.

"But when dealing with fraud outside of the market, the focus really needs to be on tracking, monitoring and analysing any suspect activity."
