Bigger security flaw behind card thefts

The banks in the UAE have a problem. Someone has found a way of taking their customers' money.

  • By Scott Shuey, Chief Business Reporter
  • Published: 22:59 September 12, 2008
  • Gulf News

How? The banks aren't saying. Their response is that they are investigating, but their refusal to actually say what happened is almost as infuriating as the thefts themselves.

Every time I hear a bank say it is investigating, I translate that to mean they have no clue as to why they were robbed.

Justin Doo, the managing director of TrendMicro, a company that regularly deals with security issues, says the lack of disclosure isn't helping anyone.

"This culture of non-disclosure is killing the public interest," he says. "Everyone needs to talk about it."

But since no one is, I talked to several people this week trying to figure out what might have happened. There are a couple of theories in the security industry, but the evidence seems to suggest that a network, probably the one banks use to clear ATM transactions, has been hacked.

One security insider I spoke to says he believes that some organisation has found a hole in the clearing system.

That's bad. It means that a bunch of criminals might have found a way to insert a sniffer programme into the network that banks use to process ATM transactions.

Sniffer programmes grab information, i.e. data that includes a person's account number and PIN, as it is being processed.

That means that anyone who used an ATM in the UAE - residents and tourists alike - could have had their information stolen.

It's probably why Dubai Bank announced on Thursday that 42 customers' accounts had been compromised.

Sniffer programmes have been used before, although not in the UAE. In the US, sniffer programmes were used to steal information from a retailer's computer in 2007. That attack on TJ Maxx affected over 45 million customer accounts.

To make matters worse, the information that was taken in the UAE looks to have been sold.

Had the information been taken by skimmers - skimming is when additional hardware is illegally added to an ATM that allows hackers to steal personal information from a card's magnetic strip and capture the user's PIN number - the information probably would only have been used locally, experts say.

Skimmers don't usually take the data abroad, but the stolen information here has been used in such places as Cairo and Saudi Arabia. There have even been two reports of the data being used in the UK.

What I really want to know is why banks took so long to notify their customers that a break had occurred. The US Embassy issued a warning last week that unauthorised credit card and ATM transactions were being discovered, yet it took almost a week for the banks to issue warnings.

Of course, that brings up a second issue. Why haven't there been any warnings about credit cards? If the thieves found a way to steal ATM information, they could have just as easily stolen credit information.

ATM info is time sensitive (crooks have to steal the money before account holders change their PINs), but crooks have the liberty of taking their time with credit cards thanks to their expiration dates.

This is why the banks should be telling us exactly what happened. We need to know if our credit cards have been compromised.

We need to know so we can protect ourselves, because, as one security expert told me, "we haven't seen the last of this."
