Central Bank of the UAE reports ATM fraud to lenders
Date Reported:
2/27/08
Organization:
Central Bank of the UAE
Contractor/Consultant/Branch:
Unknown lender
Victims:
ATM customers
Number Affected:
Unknown
Types of Data:
Bank card and account details, PIN numbers, and possibly other related information.
Breach Description:
The Central Bank of the UAE has issued a statement claiming that criminals installed a card skimming device and video camera on at least one ATM in the UAE. Bank card details and PIN numbers were exposed in the attack that lasted from February 19th - 25th, 2008. Every customer that used the compromised ATM(s) during the time in question has been affected.
Reference URL:
ArabianBusiness.com news story
The Central Bank of the UAE press release
ITP News online story
Report Credit:
The Central Bank of the UAE
Response:
From the online sources cited above:
The card details of potentially thousands of UAE residents have been stolen by a gang of fraudsters who hacked into a bank's ATM machine
We have been informed by one of the banks operating in the UAE that a gang of computer professionals has managed to insert an electronic reader into the card reader of one of its ATMs, which enabled them to copy the data of all the cards used in the said ATM during the period 19-25 February 2008.
[Evan] Obviously I don't use ATM machines in UAE much, but aren't there controls in place to prevent most tampering? The ATMs around here in Minnesota (US) would be very difficult (not impossible) to mess with.
They have also managed to compromise the PIN through a small video camera placed above the ATM.
We attach herewith the list of ATM cards belonging to your customers who have used the ATM Machines belonging to the bank which has advised us of the ATM fraud.
[Evan] Judging from this statement, this appears to be a copy of the letter sent to the banks affected. I think it would be wise for the Central Bank to disclose the banks to the public so that affected customers can be better prepared.
We, therefore, advise you to:
1- Block the usage of the attached ATM cards;
and
2- Either to replace the cards or change the Pin numbers as deemed appropriate.
3- Fully checking all your ATMs to make sure there are no traces of ATM skimming devices or tampering on the ATM.
It is not known whether the gang has been caught, how much money had been stolen or the exact number of people affected.
Please report to the Central Bank - UAESWITCH any losses on the attached card numbers and the transactions originating country immediately.
For any clarifications, banks should contact the UAESWITCH immediately on Tel. No.: (02)6915395, Fax No.: (02)6674521 or email attention Mr. Aden Omar, for action.
Interesting Comments on the ArabianBusiness.com Story:
Posted by KANDARP BAXI, DUBAI, UAE on 3 March 2008 at 16:50 UAE time
"Also it is high time one gets to know which bank / where etc rather than wait to go to the ATM and find out your account has been 'swiped' out.
All the more reasons for this information to be given ASAP, considering the pathetic customer service in most banks."
Posted by Avikul Hemmad, Dubai, UAE on 3 March 2008 at 16:38 UAE time
"The idea of publishing such news should be to inform the public about the modus operandi and ways to detect and avoid problems.
How would the layman identify "skimming machines" or whatever they are called, if they don't know what to look for? Why don't you give more details so bank customers and the general public can be wary???
Incomplete reporting only adds to the confusion."
[Evan] I agree with these two commenters. I don't understand why the Central Bank of the UAE even decided to make anything public if there is nothing actionable for the people affected. There is not enough information to help anyone.
It is often very (and I mean VERY) difficult to notice good card skimmers and cameras. Here is an example borrowed from the University of Texas.

Card skimmer being installed

Card skimmer after installation

Camera to capture PIN numbers hidden in an innocent looking brochure box

Camera is now installed.
This is only an example. There are more sophisticated skimmers and cameras out there. Diebold has a pretty good whitepaper, "ATM Fraud and Security."
Commentary:
Good commentary from ArabianBusiness.com:
"Skimming attacks normally involve the placement of a fake card reader over the regular card reader in an ATM, which reads and records the data from the card's magnetic strip, while either a hidden camera or a nearby observer, known as a 'shoulder surfer', steals the PIN."
"The stolen details can then be used to create fake cards or make purchases online, or the data may be sold on to other gangs of fraudsters.
Skimming fraud has been seen in most regions of the world, and banks usually take measures to protect machines, such as installing plastic guards to prevent the installation of illicit card readers, camera monitoring of ATMs and regular inspections of machines."
"Most skimming attempts now either target high usage ATMs for a very short period of time to steal the maximum number of card details in a short amount of time, or machines in out-of-the-way locations where the reader will not be detected as quickly."
[Evan] It is unusual that a skimming device and video camera were installed for such a long period of time. It is important as bank customers to be cognizant of anything that seems a little out of place when using ATMs. If something is noticed, report it to the bank as soon as possible. Personally, I prefer to use ATMs at bank branches and ones located in buildings or rooms that require card access.
Past Breaches:
Unknown