The latest episode of the global $45 million ATM heist has had the banks and customers of this region sit up once again to the menace of cyber threat that is gaining sophistication by the day.
The two banks of the region, National Bank of Ras Al Khaimah in the UAE and Bank of Muscat in Oman, that have been the victims of this daring fraud, targeted at their prepaid card segment, have said in statements that their customers haven’t suffered any financial loss.
In fact, Oman’s largest lender has said in a statement to the stock exchange that it is trying to recover the 15 million Omani riyal ($39 million) it lost in the fraud.
“Bank Muscat is aware from press reports that a number of arrests in different jurisdictions have taken place in relation to the prepaid debit card fraud incident which we disclosed on Feb. 25 and 26,” it said in a brief statement to the Muscat Securities Market. “We reiterate that we are exploring all avenues of recovery so as to protect shareholder interests and will advise the markets accordingly if there are any material developments in this regard.”
Both banks had already made provisions for the losses it suffered.
Different stakeholders are taking steps to reassure their clients.
Press reports have confirmed that the two card processing companies that were hacked by the criminals are Bangalore-based ElectraCard Services, which is partially owned by MasterCard, and Enstage, which is based in Pune.
“Our customers were adversely affected by this sophisticated crime. We are deeply committed to information security, and we will continue to take all reasonable measures to ensure our networks are secured from criminal actors,” Govind Setlur, founder of Enstage said in a statement. “Since the time the incident occurred, EnStage has retained independent security experts to analyze the intrusion and to recommend enhancements to its information security infrastructure. EnStage has implemented both these enhancements as well as additional monitoring capabilities” he added.
While Mastercard’s own security systems have not been compromised, MasterCard’s vice president communications, Middle East and Africa, MasterCard, Sami Lahoud, told Gulf News that as soon as the company was informed of the compromise, it delisted ElectraCard.
“MasterCard’s systems were not involved or compromised during these cyberattacks,” lahoud said. “Security is a top priority for MasterCard and we have a comprehensive fraud management program in place to protect consumers worldwide. ElectraCard Services (ECS) is run independently and we do not exercise control of their operations.”
Lahoud said that when they identified who was the compromised entity on the value chain, they had to delist them [ElectraCard] to safeguard the whole chain,” said Lahoud.
“We had to safeguard the whole integrity of the industry. But you have to keep in mind that this was unfortunately the misdeed of a group of criminals.”
Looking at the latest security breach, Justin Doo, Security Practice Director Middle East and French-speaking Africa, Symantec Corporation, believes that the card processing companies have been following the rules, but the fact is perpetrators are changing the rules and changing the game.
The way to prevent such attacks is to “Build more robust, data-centric security around the way that data is processed and making sure that denial of service attacks can’t be used to block or prevent the online verification of the transaction,” said Doo.
“It is sitting and looking at where the weak points were in terms of the current security landscape of the investments that the organisations have made and where they need to be possibly, monitoring closer –changing thresholds, changing communication protocols.”
