What should identity theft victims do
Image Credit: iStockphoto

DUBAI: From anger and betrayal to embarrassment and isolation, identity theft victims, face a wide range of emotions. The reason for this is not far to seek.

Of the 76 per cent UAE residents who have lost money at the hands of cybercriminals, only a minuscule number have been able to recover some of their stolen funds according to multinational cybersecurity and anti-virus provider Kaspersky Lab. Researchers at Kaspersky Lab said the number of attacks using malicious mobile software nearly doubled in just a year. In 2018, there were 116.5 million attacks, compared to 66.4 million in 2017, with a significant increase in unique users being affected.

“In 2018, mobile device users faced what could have been the fiercest cybercriminal onslaught ever seen. Over the course of the year, we observed both new mobile device infection techniques, such as DNS hijacking, along with an increased focus on enhanced distribution schemes, like SMS spam. This trend demonstrates the growing need for mobile security solutions to be installed on smartphones – to protect users from device infection attempts, regardless of the source,” said Viсtor Chebyshev, security expert at Kaspersky Lab.

While I have no problem sharing my ID, what is the guarantee that the information I provide does not fall into the wrong hands?

- Sadia Rezvi, a teacher

The findings of UAE-based information security Shred-it paints an equally dismal picture. A white paper issued by them suggests identity theft affected 44 per cent of the UAE population within the last five years. There may be a new victim of identity theft every three seconds in the UAE, said Shred-it.

However these depressing statistics should not prevent victims from reporting the crime to all pertinent agencies. This will not only help you restore your good name it will also help law enforcement agencies to investigate the crime and crackdown against those behind it.

All banks and telecom providers have a fraud division. Notify them immediately and maintain a log detailing the phone number, date, time of the call and the designation of the person you spoke to.

Protecting your phone’s data with a passcode, keeping operating software up to date, logging out of software that’s not in use and turning off Wi-Fi and Bluetooth when you don’t need them can go a long way in protecting you from network vulnerabilities, advises Shred-it.

People need to be more cautious when using their identity (physical or digital) in any platform. Make sure you use your identity through secured channels and don’t share any details of identity on social media.

- Parthasarathy Srinivasavaradan, Chief Information Officer, Standard Chartered

Despite more devices being attacked, the good news is that number of malware files has decreased. This has led Kaspersky Lab researchers to conclude that the quality of mobile malware has become more impactful and precise. “As the world becomes more mobile, the role of smartphones in business processes and day to day life is growing rapidly,” Kaspersky Lab said. “In response, cybercriminals are paying more attention to how they are distributing malware and the attack vectors used. The channels through which malware is delivered to users and infects their devices is a key part of the success of a malicious campaign today, taking advantage of those users who do not have any security solutions installed on their phones. The success of the distribution strategies is demonstrated not only by the increase in attacks, but also the number of unique users that have encountered malware. In 2018 this figure rose by 774,000 on the previous year, to 9,895,774 affected users. Among the threats encountered, the most significant growth was in the use of Trojan-Droppers, whose share almost doubled from 8.63% to 17.21%. This type of malware is designed to bypass system protection and deliver there all sorts of malware, from banking Trojans to ransomware.

How to protect your devices
Courtesy Kaspersky Lab security experts advise the following:

■ Only install mobile applications from official app stores, such as Google Play on Android devices or the App Store on iOS

■ Block the installation of programmes from unknown sources in your smartphone’s settings

■ Do not bypass device restrictions as this might provide cybercriminals with limitless capabilities to carry out their attacks

■ Install system and application updates as soon as they are available — they patch vulnerabilities and keep devices protected. Note that the mobile OS system updates should never be downloaded from external resources (unless you are participating in official beta-testing). Application updates can only be installed through official app stores
1) Don’t be afraid to ask questions when a real estate or bank agent or any other agency asks for your personal information. Ask how it will be used and shared, and how it will be protected

2) If you have lost your identification papers or SIM card or suspect it has been stolen, report the incident immediately. If it’s bank card, SIM or Emirates ID, make sure it’s deactivated

3) Shred everything. If you are just dumping old bills, ATM receipts, bank statements and credit card statements in the trash bin, you may be leaving too much information lying about.

4) Destroy digital data when you sell or dispose your computer or hard drive. Deleting the data or reformatting the hard drive is not good enough as any one with baskic tech skills can recover the data.

5) Don’t conduct online business with companies you know nothing about.

6) Protect your computer and smartphone with strong security software

7) Be wary of phishing emails. Don’t click any links or open any attachment sent from a suspicious email

What’s the guarantee that your ID will not be misused?

Protection of your personal data is your responsibility, say experts even as organisations that demand them claim they have multiple controls in place to prevent data breach

By Sharmila Dhal, Deputy UAE Editor

With reports of identity theft increasingly coming to light in the UAE, several questions are being raised about whether banks, clinics, car rental companies, realtors, even building concierges, are in their right to demand residents’ Emirates ID cards as their submission or detention, for however short a time, can lead to possible misuse.

Emirates ID Authority

The Emirates Identity Authority categorically states that no organisation can forcibly keep a person’s Emirates ID card or use it as a mortgage unless stipulated by a court of law. It has also warned people against providing card details to any entity on the telephone.

190309 emirates id donor
Image Credit: Supplied

While protection of the card and its data remains the holder’s responsibility, residents said the problem lies in the fact that ID details are mandatory for many transactions and they have little control over the data once they share it.

Just recently, UAE banks suspended several accounts of customers who had failed to update their Emirates ID details, leaving them unable to use their credit and debit cards.

“While I have no problem sharing my ID, what is the guarantee that the information I provide does not fall into the wrong hands?” asked Sadia Rezvi, a 44-year-old teacher.

“Potentially, it can so easily happen,” said her colleague Maria, 40.

Multiple controls

Speaking in general, Parthasarathy Srinivasavaradan, Chief Information Officer, Standard Chartered, told Gulf News, “As a bank , we have multiple controls and gateways before authorising and processing any customer initiated transactions. We have a secured mechanism of storing the soft copies of EID along with the transaction details, which only authorised personnel have access to.”

Online credit card purchase
Image Credit: Pixabay

He said for any financial or non-financial data, the bank has a data-centric approach to apply its security policy consistently across all data states, throughout the organisation.

Even so, he said, “People need to be more cautious when using their identity (physical or digital) in any platform. Make sure you use your identity through secured channels and don’t share any details of identity on social media. Be extremely cautious if you are using a public device or public network. Ensure your log off immediately once you are no longer using the online platform. Additionally, you must not disclose your account number, card numbers, CVV, OTP/PIN numbers received from the bank to anyone over the phone or through any means.”

He said, “While using any digital instrument to store any information, make sure you have a firewall or anti virus, and you lock your instruments while not attending to them. Do not install any unauthorised software which can transfer data from your phone.”

What cyber security experts say

Maher Jadallah, regional director at cyber security major Tenable, said, “The use of identity information online to complete many transactions is a security measure, however it can inadvertently pose a risk if intercepted. Instead, the use of VPNs offer substantial privacy enhancements when using public or untrusted WiFi connections. They can mask which sites are being visited but more importantly can keep data safe from prying eyes so are an absolute must for most users nowadays.”

Maher Jadallah, regional director at cyber security major Tenable
Maher Jadallah, regional director at cyber security major Tenable Image Credit: Supplied

He said, “There are numerous ways that facilitate identity thefts. Social engineering is one common method. All too often, individuals will expose intimate details on social channels - be it Facebook, Instagram, etc., that allow a threat actor to piece together key information. For example, many security questions will include mother’s maiden name, date of birth, first street or pet. Another is for an attacker to contact an individual, either by email or phone, and trick them into revealing personal information.”

He said information stolen during data breaches is also pieced together. “We’ve seen massive databases of compromised information published published on the dark web - the most recent being 620 million stolen online accounts offered on a cyber-souk.”

He said in addition to VPNs, Password Managers are another way for users to safeguard themselves online. “We live in a world where the need for passwords can be in the hundreds for the average user. If an individual relies on just one or two that are reused across multiple accounts, the likelihood of one being discovered and used in a credential stuffing attack is highly likely. Another easy option is to enable two-stage verification on accounts, where present, as this dramatically increases the difficulty for a malicious user to take over your account. To prevent the risk from malware or key-loggers on your devices, use anti-spyware and antivirus software. Also keep up to date with patches as the majority of malware targets known vulnerabilities.”

Another cyber security expert Jeff Ogden, General Manager, Middle East, at Mimecast said, “There are no guarantees that data shared online with anyone will remain confidential. You just have to trust that the organisation you’re handing over this information to has the right measures in place to keep data encrypted and safe. The assumption is that any reputable organisation will do everything in their power to ensure they don’t fall victim to a data breach.”

Jeff Ogden, General Manager, Middle East, at Mimecast
Jeff Ogden, General Manager, Middle East, at Mimecast Image Credit: Supplied

He said online criminals can easily automate large volumes of attacks using stolen confidential information while masking their true location, making them hard to catch. “Cybercrime is fast becoming a trickle-down economic system with multiple layers of fraud and criminality. Data is bought or sold quickly while advanced hacking tools are offered on shared profit subscription models.”

He said the most common form of identity theft is Business Email Compromise or impersonation fraud. “This is where an attacker harvests stolen private information on an individual, then sends highly-convincing emails to trick people to hand over money for confidential data.”

Legal protection
Federal Law No.9 of 2009 with respect to population register and identity cards stipulates against any tampering, erasing, modifying or distorting of the cards. The card has to be carried by its holder at all times and produced on request as per the law. Emirates ID cards consist of a unified number besides other information which is stored in a electronic chip. It also has security details that protect the privacy of the holder.

Comment from Dubai Police

Dubai police urged people to contact their banks to freeze their accounts and cancel credit cards if they suspected identity theft incidents.

identity theft, hacking, cybercrime
Image Credit: Pixabay

Victim can lodge a complaint on www.ecrime.ae regarding electronic crimes ranging from online blackmail, hacking and illegal money transfers to crimes committed against credit card-holders.

Colonel Saeed Al Hajiri, director of the Cyber Crimes Department, said the platform can be accessed from computers or smart devices.

“The victim clicks on the site, registers himself by entering the details like the Emirates ID number and the phone number and then writes the details of the incident. The platform has been launched to encourage people to come forward and lodge their complaints in a confidential and secure way if they are victims of e-crimes,” Col Al Hajiri said earlier last year.

He said the new platform will reduce the margin of error and help achieve the Dubai Police’s goal of making the city safer in a transparent way.