
Wed 8 Oct 2008 04:00 AM


Time for a rethink

The UAE's banks are being forced to re-examine systems and processes in the aftermath of a major ATM fraud.


The UAE's banks are now assessing the lessons learned from one of the country's worst ATM frauds. Last month, thousands of dollars allegedly disappeared from accounts across some of the UAE's biggest banks, prompting calls for a radical rethink of security procedures and practices.

Details of credit and debit cards, including PINs, and replica cards have allegedly been used internationally during the incident. Data this specific and accurate, as is required to commit fraud of this magnitude, could only have been acquired through a significant breach of bank security.

The apparent theft of information has prompted alerts from some of the country's major banks telling customers to change their PINs post haste, in an attempt to stop the theft from continuing.

Lloyds Bank, HSBC, Dubai Bank, Visa and CBI are among the financial institutions that have issued statements on the matter, while many other affected organisations appear to have gone to ground over the issue.

Some banking security experts have put the incident down to a trusting mentality in the UAE that has carried over into the banking security sector, where historically cases of fraud have been extremely rare. One expert commented that because banks have never had to worry about this issue previously, they have been overwhelmed to find their current security systems inadequate.

The incident has left ATM and card security specialists scratching their heads over exactly how the fraud was perpetrated. At this stage all that is known is that important customer data was accessed through UAE banks and distributed for use internationally.

Very little is known about how this important and supposedly secure data was accessed, leading to much speculation within the finance community. It is clear that the fraudsters accessed a variety of accounts across many different banks within the UAE, and the fraudulent transactions did not take place within the country.

General manager of security firm Scanit, David Michaux, says there are two major theories as to how the fraudsters acquired the information needed to access accounts and replicate credit and debit cards.

"One is the fact that it was a skimming exercise, and there was a team that worked here by attaching a card reader to the ATM and found a way to read the PIN. If that's the case it would be a good day. A bad day would be if it was a data breach, that would be very serious," says Michaux.

The second theory is that the attack was too well-planned to have been a skimming exercise, and must have been a calculated data breach. "What we saw was definitely a planned attack, it was not an accident, or something where somebody stumbled across information on Tuesday and used it on Wednesday. They would have been storing the information and setting this up days or weeks in advance," says Trend Micro's Middle East director, Justin Doo.

"We have a very, very trusting society in this area. We haven't managed to get the message out into the market about what the threats are. And the same goes for the high level security. If you look at what happened here, it was a fairly major network compromise," says Doo.

Most of the affected banks have declined to provide detailed comment on the incident, with some releasing brief written statements on the theft and most issuing alerts to customers to change their PIN.

Credit card company Visa released the following statement after it became aware of the matter: "Visa is aware of a possible network intrusion in UAE and will participate in any investigation as appropriate. In the meantime, the company is working with all banks in the country to ensure that appropriate security measures are being taken to prevent any potential breaches."

With the majority of financial institutions providing statements much akin to this, it is difficult to gauge the magnitude of the situation at this point in time. But whether it was the case of one person's details being taken, or several thousand customer accounts being accessed, the fact still remains that any breach of bank security is a serious issue for local financial institutions.

A myriad of suggestions have emerged from international banking experts following the intrusion, with many commenting that drastic changes are needed in the country's financial security sector if it is to be recognised as a world-class financial hub.

Cambridge professor of security engineering Ross Anderson says the magnetic stripe technology currently used in the UAE is particularly vulnerable to fraud.

"It is entirely trivial for anyone to attach a skimmer to an ATM and pick up card and PIN data to be used at some other ATM in Dubai, America, Thailand or anywhere," says Anderson.

One of the major suggestions from security experts is for card companies in the region to switch from magnetic stripe cards to chip cards, or Chip and PIN technology. This system requires both the customer's personal details and the microchip contained within the card to be present for a transaction to be processed. But the question remains: would this technology really prevent future cases of fraud?

"Well it certainly would prevent some types of fraud. It depends on whether it is card-present fraud. But I think in this case a lot of the focus will be around having good detection software and also having the analytics to identify potential fraud that might be going on," says Datamonitor's director of analysis for financial services and technology, Daniel Mayo.

"What they should be doing is using analytical software, or fraud prevention software that can look at suspicious transactions and patterns. The other thing they should be doing is trying to work more internationally so they can see cards that may have been flagged in other markets, and are known to be fraudulent," says Mayo.

"The problem of fraud is one that doesn't really go away. You tend to find that fraud moves across countries, so as one country strengthens fraud protection you will find that fraudsters start to attack other emerging markets," he claims.
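The kind of transaction screening Mayo describes, as an added example that is not part of the original article: a small pattern check run over constructed sample ATM withdrawals, flagging a card used in two countries too close together to be plausible, and a card already flagged by a partner market. The thresholds, field layout and sample records are assumptions.

```python
"""Added example, not from the article: minimal fraud screen over ATM withdrawals.
Checks: (1) impossible travel, the same card used in two countries within a
window too short to have travelled between them; (2) shared blocklist, the card
already flagged as compromised by a partner bank in another market.
Thresholds, record layout and sample data are assumptions."""
from datetime import datetime, timedelta

# Constructed sample withdrawals: (card_id, timestamp UTC, country, amount_usd)
SAMPLE_TXNS = [
    ("card-0001", "2008-09-20T08:15:00", "AE", 200),
    ("card-0001", "2008-09-20T10:40:00", "TH", 450),   # 2h25m later, abroad
    ("card-0002", "2008-09-20T09:00:00", "AE", 100),
    ("card-0002", "2008-09-21T12:00:00", "AE", 150),
    ("card-0003", "2008-09-20T11:05:00", "US", 300),   # on a partner flag list
]

# Constructed: cards already flagged by partner banks in other markets
FLAGGED_BY_PARTNERS = {"card-0003"}

MIN_TRAVEL_HOURS = 6  # assumption: shortest plausible gap between countries


def screen(txns, flagged, min_travel_hours=MIN_TRAVEL_HOURS):
    """Return (card_id, reason) alerts in order of detection."""
    alerts = []
    last_seen = {}  # card_id -> (timestamp, country) of previous withdrawal
    for card, ts, country, _amount in sorted(txns, key=lambda t: t[1]):
        when = datetime.fromisoformat(ts)
        if card in flagged:
            alerts.append((card, "flagged by partner market"))
        prev = last_seen.get(card)
        if prev is not None:
            prev_when, prev_country = prev
            gap = when - prev_when
            if prev_country != country and gap < timedelta(hours=min_travel_hours):
                alerts.append((card, f"{prev_country}->{country} in {gap}"))
        last_seen[card] = (when, country)
    return alerts


if __name__ == "__main__":
    for card_id, reason in screen(SAMPLE_TXNS, FLAGGED_BY_PARTNERS):
        print(card_id, reason)
```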

Regional director of Level Four Software, Issa Keshek, agrees that fraud cases of this magnitude tend to occur in countries where the economy is expanding and new banks are constantly opening, creating a more attractive target for hackers. "This is something that we have been talking to banks about because it is a mirror image of what took place in Europe and is taking place in Australia right now," says Keshek.

He also says the banks have become lax in updating their security applications because of the apparent climate of safety in the UAE. He says they need to switch from manually updating these programs to automatic updates in order to stave off future attacks on banking networks.

"Banks in the UAE have been testing these applications manually. The downside to this method is that this is such a time consuming process and you wouldn't do as thorough testing as required to ensure that no hacking is possible.

"The only way to circumvent that is to have EMV or chip-based cards and to do your testing as frequently as required, making sure you use automated testing to remain compliant with the latest EMV mandate," adds Keshek.

But not everyone agrees that a migration to EMV technology will dramatically add to card security in the Middle East. According to Cambridge University professor Ross Anderson, the Chip and PIN system is only slightly more resistant to fraud than the magnetic stripe system.

"It's slightly harder to commit fraud with Chip and PIN but not that much harder, because people can sabotage the Chip and PIN terminals in order to get the terminal to automatically collect card and PIN data. Those cards are used very widely in retail now in Europe as well as in ATMs so there are millions of opportunities to collect card data," says Anderson.

He says the best way for the UAE to move forward in the area of card security is to adopt a system akin to the US regulatory scheme, which was introduced after an elderly woman successfully sued Citibank over a number of disputed ATM transactions involving a relatively small amount of money.

"In America, if there is a dispute, the consumer is right. In Britain the first ATM cases went the other way because the banks used legal tactics and weighted money arguments to prevent the cases ever being heard. So in the UK, the banks can tell you that you must be mistaken or lying," Anderson says.

"The curious thing here is that the American banks spend less money on security and have less fraud than UK banks, because UK banks are into liability management rather than risk management and they know the customer complaints won't be properly investigated. If the UAE is contemplating which system to use to resolve these disputes, the American system is the only answer. Only if the customer is shielded from fraud, and the bank has to [absorb] the cost, will the bank then have the proper economic incentives to invest in system security," explains Anderson.

"If the UAE wants to safeguard its position as the financial hub of the Gulf, then one of the things it has to be paying attention to at this time is bank regulation. The regulation of computer security is not the big ticket item. Consumer protection is a part of the security mix that cannot be ignored," he adds.

With the burgeoning economy across the UAE, especially in the emirates of Dubai and Abu Dhabi, the nation's banks are becoming increasingly attractive targets for hackers and fraudsters.

The vast majority of the security community is united in calling for an upgrade of banking security systems; the dispute lies in deciding the best method of doing so.

Whether this upgrade takes place at a regulatory level, an IT systems level, or at a customer education level, the recent incident has made it painfully obvious that the security of electronic banking in the country is in dire need of an overhaul.

Preventing fraud

• Upgrade cardholder base to Chip and PIN: Both the PIN and the chip in the card must be present for the transaction to be processed.

• Better regulations: Rules need to be in place to establish liability in fraud cases.

• Update to automated security testing: Tests and upgrades of security software should be conducted more frequently.

• Increase bank disclosure: Banks should discuss these issues more openly with the public and increase accountability.

• Improve customer education on how to avoid fraud.

• Stricter monitoring and flagging of fraudulent cards globally: Local banks require improved tracking of international fraud scams.

• Biometric readers: Install fingerprint readers or retinal scanners on ATMs.
