Attacks by an international network of criminals on UAE bank accounts highlights a need to convert the country's out-dated payment system to high-tech chip-and-pin, according to experts.
Scores of customers across the UAE have lost hundreds of thousands of dirhams in a spate of thefts in recent days, carried out by fraudsters in as many as 20 countries.
In what is being described as the largest security breach in the UAE, lenders moved to control the fall out by issuing emergency text messages to their customers to urge them to change their PIN number immediately.
Some banks - HSBC, Citibank, Lloyds TSB, Emirates NBD and the National Bank of Abu Dhabi - all reported attacks; others blocked international access to cash machines after accounts had money illegally withdrawn from overseas.
The UAE is now facing questions about how such a seemingly widescale attack could take place, and whether banking fraud is making the chip-and-pin system too costly to ignore. Mark Bowerman, spokesman for UK fraud awareness group Cardwatch, said because the UAE does not have chip-and-pin payment technology - widely used in Europe and other Western nations - it makes the banking system less secure than it needs to be. "One of the drivers for chip-and-pin in the UK was the high levels of fraud, which made for a very compelling business case," he told Emirates Business.
"From a commercial point of view it depends on the extent of fraud in the UAE," he added.
The UK saw card fraud almost triple between 1998 - when it cost £135 million (Dh881m) - and 2001, when it reached £411m. A decision was made in February 2002 to move to chip-and-pin EMV (the industry standard agreed by Europay, MasterCard and Visa) payment cards, which cost banks and retailers £1.1 billion.
The extent of card fraud in the UAE has not been disclosed.
One HSBC Middle East customer, who had Dh8,000 stolen on Thursday told Emirates Business: "This week is the UAE's wake up call to introduce chip-and-pin, and it is irrelevant how much the system costs. Banks have been too slow on this, which has cost customers tens if not hundreds of thousands of dirhams. I got a nasty shock when I received 10 text messages from HSBC, each telling me Dh800 had been withdrawn.
"In total Dh8,000 was stolen from my account, but I wasn't told where or how the money was taken. I phoned HSBC and stopped the card immediately. They told me I would get the money back but I'm angry as to why this happened.
"I told three friends about this and we could name four others who had been fleeced. It's not an isolated incident and looks like all banks in the UAE have been compromised in some way and potentially thousands of people affected."
Few details have been released as to the type of fraud taking place in the UAE and lenders have so far declined to reveal how much money has been taken in recent days, nor how many accounts affected.
Similar card frauds in the past have typically involved rigging ATM machines with cameras to steal customers' PIN numbers as they make withdrawals, or installing readers on handheld swipe card devices. Security around cards in the UAE is notoriously slack - with very few retailers checking a signature against that on a card. Equally, residents hand over cards in restaurants, for instance, and the waiter disappears with it - an opportunity for the magnetic information to be stolen.
"In the UK, we're seeing more frauds in supermarkets and petrol stations. Criminals need the magnetic strip details from your card, so would usually use a handheld card reader to swip your card. This could involve a corrupt member of staff," said Bowerman.
He rejected reports that because details appear to have been stolen randomly in the UAE, it suggests banks' systems themselves were somehow breached. "Because UAE banks have been attacked indiscriminately indicates criminals are targeting the industry as a whole rather than one institution."
But one UAE resident, who spoke to Emirates Business on the condition of anonymity, said he had money stolen from his account, despite not using his bank cards for three weeks. "This says to me that it's a central computer security failure not just random skimming frauds," he said.
Following the introduction of chip-and-pin in the UK in 2005, card fraud slowed but it is still a major concern. In 2007, £535m was stolen, but banks say more than half of this accounts for card-not-present frauds, such as purchases made over the phone and internet, which chip-and-pin cannot control. The best way to fight card fraud is for every country to introduce the globally recognised system in the UK, said Bowerman.
Chip-and-pin combines two security features, the 'chip' or microchip on the card stores card data more securely than a magnetic stripe, and the four-digit PIN, which is used to prove someone is the genuine cardholder.
Criminals tend to migrate towards markets and countries that continue to use magnetic strip technology. These markets become more attractive targets as neighbouring countries adopt chip-and-pin cards. Following this week's card frauds, UAE banks have promising to reimburse customers for any funds stolen from their accounts. Some of the lenders moved to block the accounts of clients who have failed to change their PINs, causing chaos.
Saif Al Shehhi, Senior General Manager of NBAD's Domestic Banking Division, said: "[We] utilise sophisticated fraud-monitoring techniques and were able to quickly detect the attacks and take urgent action to limit the problem. This includes the use of SMS alerts where customers are notified of any activities on their accounts, which has also assisted us in containing the problem.
"As part of this process we had to block certain transactions from overseas locations which may have caused some temporary inconvenience to customers travelling. This was unavoidable and we apologise to any customers inconvenienced in this way. Alternatives were also set up to allow them to access cash without penalty. It must be stressed that no customer will be out of pocket as a result of this incident and NBAD will fully refund any customers accounts affected by this attack.
"We are currently investigating the source of the problem and will advise further as we know. We also urge customers to change their PIN codes at our ATM's as a further precaution," he said.
How it works
When a customer wishes to pay for goods using this system, the card is placed into a PIN pad terminal (often by the customer themselves) or a modified swipe-card reader, which accesses the microchip on the card.
Once the card has been verified as authentic, the customer enters a four-digit PIN, which is checked against the PIN stored on the card. If the two match, the transaction completes.
Preventing fraud
What should I watch out for?
Be very alert any time someone wants to take your card out of your sight. The major way that fraud has been carried out has been by card "skimming", where data from a card's magnetic strip is electronically copied onto another card. This fraud is often carried out in restaurants, shops and petrol stations.
How can I protect myself?
Never let cards out of sight and check receipts and bank statement thoroughly. Shred all card receipts. A card receipt is all a clever fraudster needs to reproduce a replica card.
What's good ATM practice?
Common cash machine fraud includes using skimming devices and miniature camera devices, which record cardholders' pins. Often fraudsters hover around cash machines, spying on users in a bid to capture their pin numbers.
What happens if I fall victim to credit or debit card fraud?
Cardholders are not liable for fraudulent transactions as long as the original card is still in their possession. Any bank or business turning down a refund request is on shaky legal ground.
By Ryan Harrison
© Emirates Business 24/7 2008
