DUBAI: On April 12, hackers siphoned off Dh1,500 from Aemy's ATM card. "I received three SMS messages which said Dh1,500 was taken from my salary account to recharge two du mobile numbers.
"But I'm not even a du subscriber," said the Dubai Media City worker.
"It's scary. I only used my ATM card to buy from two of the major supermarkets in Dubai and never used it to buy anything online."
Aemy is just another target in a long list of recharge scam victims. In January, Asian expatriate Ihsan received six SMS messages from his bank about six du recharge transactions - which he swears he never made.
"I was informed by the [bank] customer service that my dispute may take up to 90 days to resolve. Come on, is it really cyber-crime? Or is someone within the bank - an employee perhaps - who's selling customer account details?"
In recent times there has been a litany of spooky mobile phone recharge scams, leaving victims, telephone companies and banks blaming each other, but no one actually offering a viable solution.
Such intractable attacks fan fears among bank customers as the victims are left without hope of a refund.
While an estimate of the number of people affected by this scam is not available, postings on e-forums show this activity is widespread and a number of UAE banks and their customers have been targeted.
Between December 2010 and April this year, Indian businessman Kannaiyan Shankear lost Dh10,000; American Peter Troiano lost Dh2,000; Dubai resident Nadeem Siddiqui lost Dh3,000; and Al Ain resident Sunil Mohammad lost Dh2,000. The list goes on.
Most of these illegal swipes took place in the dead of night - as the victims slept.
Bigger amounts - from Dh28,500 to over Dh100,000 - were reported by other victims as hacking incidents in the UAE surged more than 500 per cent in 2010, on the back of a tsunami of attacks on local servers and end-users, said the country's top cyber sleuth, Tarek Al Hawi, Director of the National Computer Emergency Response Team (aeCERT), under the UAE's Telecommunications Regulatory Authority (TRA).
Al Hawi's team handled 344 security incidents last year - from compromised accounts to phishing and web defacements - compared to 67 in 2009.
On April 24, Abu Dhabi Police may have seen the tip of the recharge iceberg, after arresting five Arab men who obtained 200 prepaid GSM cards by using forged trading licences, passports, residency permits and stamps.
The gang worked jointly with retail shops to carry out phone credit balance transfers, said Brig Gen Hamad Al Hammadi, Director of Criminal Investigation of Abu Dhabi Police.
While the arrest may offer a breakthrough for law-enforcers, Dubai-based lawyers say a reimbursement from banks is a long shot (see box) as banks have different policies in dealing with disputes over online purchases.
American victim Troiano said he was never offered a refund and has since changed banks. "I'm still scared about what happened," he said. In his new bank, HSBC, he only kept a small portion of his money for online banking.
And while victims blame the telephone companies, the phone companies blame the banks and the banks blame the victims, even as law-enforcers blame outdated laws… the cycle continues.
A du spokesperson confirmed receiving "sporadic" reports of recharge scams and said they are extending all possible assistance and cooperation to help the concerned banks and local authorities. "As the incident was perpetrated on a third party's infrastructure," said a du spokesperson, "the funds that were illegally obtained could have been used in various other purchases/transactions in addition to the du recharges and - therefore our view of the incident is restricted to those instances - only the concerned bank has a full view of the incident."
Echoing du, an etisalat spokesperson said they are just the service providers, stressing that it's not their duty to track criminals who may be using their infrastructure.
But why do hackers use phone recharge as their favourite mode of attack instead of making outright online purchases?
"When hackers siphon money, they do not go for big amounts as it would be more obvious than pockets of Dh500 which are harder to trace," said Megha Kumar, Dubai-based software research manager at IT think-tank International Data Corp.
UAE companies spent about Dh110 million on IT security in 2010, 14 per cent higher than in 2009, said Kumar, who stressed that the onus of protecting customers lies with banks.
"Banks must assure that they can protect mobile transactions, for example, through dual authentication (for online banking). Mobile phones and smart phones are as vulnerable as computers that are not protected by updated security software."
The problem, say experts, is that hackers are able to cover their tracks by hijacking local computer networks.
On April 19, hackers are reported to have stolen up to 14,000 personal financial details of UAE customers from the PlayStation Network (PSN), out of its 77 million global users.
It does not take rocket science to curb or track them, said an IT security expert. Kazi Mohammad Akram, general manager of Ras Infotech, said: "At the minimum, phone companies should limit the credit a person can transfer from one mobile phone to another."
He said that banks should also put in place safeguards such as multi-factor authentication to help plug gaps. "The use of just the username and password alone is outdated. Reconfirmation codes can be easily added to online transactions to mitigate this kind of risk," he said.
Major Saeed Al Hajiri, Director of Electronic Crimes of Dubai Police, confirmed receiving numerous complaints of phone recharge scams and sought the help of phone companies.
Since the unit was established in 2008, police have recorded 278 cyber-crime cases. This jumped 60 per cent to 445 cases in 2010. Though Al Hajiri did not give figures of recharge scams, he said: "Everyone can be a target."
"Cyber crime is not just specific to the UAE, it is everywhere and spans all other countries. The internet is an international public space, anyone from anywhere can scam people from halfway across the world."
Alongside raising public awareness about cyber crimes, the legal framework also forms part of the equation, said Al Hajiri, who pointed out that the 2006 Cyber Crime Law needs serious updating.
"There are a lot of things that are missing in the cyber crime law of 2006," he said. "A lot of what the law entails doesn't cover issues regarding credit cards and new electronic crimes came up after 2006 when the law was introduced. We've already raised our concerns with the concerned authorities."
Responding to an XPRESS query on whether any amendments have been planned to the law, Dr Abdul Aziz Al Khalid of the Legislation Department in the Ministry of Justice in Abu Dhabi, said: "The idea has been proposed by various representatives, but no official amendments to the law have been made."
Tips to protect yourself against online fraud
- If you're not comfortable with online banking, get your internet banking account disabled.
- Never send your card details via SMS, postal service or e-mail.
- Never reveal your PIN to anybody, including bank staff or family members, or in any transaction over the phone and internet. Don't write it down. Memorise it instead.
- Always shield the keypad when you type in your PIN at an ATM machine or point-of-sale location. Be alert to your surroundings. If there are any physical signs that the machine has been tampered with, alert the bank and use another machine.
- Always retain receipts or sales slips so you can cross-check them against the card transaction appearing on your bank statement. If you see a charge or entry that you don't recognise, contact your bank immediately.
- Ensure that internet shopping websites are secure before you make any payments. Look for the safety padlock on the address bar or an https:// in the website address.
- Never dispose of your card statements in the trash without shredding them first. Even better, opt to have them sent to you electronically if possible.
- If you pay for a restaurant bill with a card, either ask for a portable POS machine to be brought to your table or accompany the waiter to the payment terminal. It's better to be sure than sorry.
- If you lose your card or suspect any fraudulent transaction, call your bank immediately to cancel your card. Diligently check your statements in the months following to make sure the problem has been completely resolved. Report any fraudulent activity to the proper authorities, including the police, in the case of identity theft.
Sources: Visa, Mastercard and HSBC