Thursday, Sep 11, 2008

Dubai: Several leading banks and card companies downplayed the fallout of the latest ATM and credit card fraud even as customers panicked and made incessant calls to the banks to find out more about the situation.

Similarly, those affected thronged different branches to stake their claim for reimbursement.

CitibankCitibank, HSBC, Emirates NBDEmirates NBD, Dubai Islamic BankDubai Islamic Bank, National Bank of Abu DhabiNational Bank of Abu Dhabi and Abu Dhabi Commercial BankAbu Dhabi Commercial Bank are among those affected or see a potential threat that could affect their accounts.

Both MasterCard and Visa issued statements saying that they are cooperating with the law enforcement authorities and the banking industry on the latest breaches.

Almost all banks except ADCBADCB have since Wednesday sent alerts via SMS to their customers of changing their PIN and in some cases, asking them to remain vigilant by checking their balances every few days.

Abu Dhabi Commercial BankAbu Dhabi Commercial Bank has been monitoring all transactions of a select number of both affected and potential customers, said Alaa Eraiqat, the bank's deputy CEO.

"Instead of sending messages to them to change their PIN, the bank has called select customers who have been affected, asked about the transactions made and if it was not done by the cardholder, we have just gone ahead and replaced their card," Eraiqat said.

Industry sources also informed Gulf News about a leading domestic bank shutting its ATM operations for a few hours in the morning yesterday.

Although most banks maintained that a small set of their customers have been affected by the sudden counterfeit usage of the payment card abroad-all added together would run into thousands - they, however, acknowledged that this time it was different from previous cases of ATM card fraud and identity theft.

"The attack is more sophisticated than that routinely experienced, and has come from multiple countries, but nonetheless the number of customers directly affected is small," said Andrea Jaishankar, spokeswoman for HSBC Bank Middle East, adding that only ATM debit cards have been counterfeited.

Emirates NBDEmirates NBD's executive vice president and general manger, retail banking, Suvo Sarkar, told Gulf News that it is much less than five per cent of the customer base whose cards have been compromised, and both debit and credit cards were affected. In the case of other banks, debit cards have been counterfeited.

"This time there is no pattern as such, and we see a diversity in countries where transactions have been made," Sarkar said. "Until now, there have been 15 countries, including the UK and the US."

Highlighting the high level of communication among most banks, Eraiqat said that Fraud Forum, which is a platform for banks to exchange views on fraud, has been coordinating to make sure that steps are taken to minimise such cases by strengthening the systems of ATMs.

Many of the affected banks still use the magnetic strip cards as against the chip and pin cards, which is used in the West and is considered to be safer and cannot be easily misused.

National Bank of Dubai has been issuing chip (not chip-and-pin) cards for about a year now and Emirates Bank customers, as part of the merged company, will move towards the same very soon, Sarkar said. "That will definitely reduce the risk of fraud," he added.

HSBC, one of the most affected banks in the latest card fraud, however, continues to have confidence in their prevailing systems and have no plans to issue chip-and-pin based cards.

"HSBC cards are less susceptible to fraud than is the norm because we have a highly effective fraud detecting team in place and we have installed devices in our ATMs that prevent card skimming. We also have state of the art credit card fraud detection systems," said Jaishankar, the bank's spokesperson.

PIN theft: how ATM fraud occurs

The leading issue is duplication of cards and PIN number theft. A false card reader is installed in the card slot of an ATM machine which reads the card in order to copy it, while a micro-camera is placed somewhere on the machine to obtain the PIN number.

An alternative route that leads to the same result is card jamming. These are devices in the card slot that prevent the card holder from removing their card, which is later retrieved by a perpetrator in the vicinity who has also successfully observed the PIN number as it was entered by the user.

A similar method for fraud is causing the ATM machine to temporarily retain the card, which is later retrieved by the fraudster after they have personally observed the PIN code being entered.

In the later two cases, the cardholder is distracted from obtaining the card, and the PIN number is stolen by asking the cardholder to enter the PIN number under the veil of assistance.

Another technique for fraud is phishing. It is an attempt, via email, to fraudulently acquire sensitive information by someone masquerading as a trustworthy entity, such as a bank. Users are commonly guided to a deceptive website via emails, where they are asked to enter user names, passwords and/or credit card numbers.

Similar technique is also carried out over a telephone conversation, where the caller pretends to be a bank representative and asks to update account holder's information, which is then used to pilfer cash from the person's account.

Word of caution

HSBC advises cardholders to protect themselves against such fraud.

Watch out for hidden devices, but do not try to remove them. Contact the bank if something out of the ordinary is observed.

Do not let people stand close behind you when using the machine, in order to safeguard PIN number

Shield with your hand while entering PIN numbers

If the machine retains your card, contact the bank.

Never enter your PIN at the suggestion of others.

Do not write down your PIN, memorise it.

By Gaurav Ghose, Financial Features Editor and Nadia Saleem

© Gulf News 2008. All rights reserved.