Hackers break into UAE credit network to fund US purchases

Hugh Naylor

• Last Updated: September 04. 2008 11:34PM UAE / September 4. 2008 7:34PM GMT

Abu Dhabi // An international investigation is under way to find hackers believed to have stolen information from financial servers in the UAE to make fraudulent credit and debit card purchases in the US.

The scheme came to light after a number of employees at the US Embassy – and a handful of other US citizens – had unauthorised purchases show up on their credit and debit cards in recent months, prompting the embassy to issue a warning on its website.

“To date, all of the reported fraudulent charges have been made from the United States,” the message said. “We are aware of no fraudulent transactions originating in the UAE.”

MasterCard is co-operating with law enforcement officials and banks to investigate the issue, Chris Monteiro, the head of the company’s worldwide communications, wrote in an e-mail.

Visa, when contacted, did not respond to questions or comment on the case.

However the manager of an anti-fraud division at a credit union in North Carolina, in the US, speaking on the condition of anonymity, said Visa had warned that there had been “a network intrusion” in the UAE between February and August.

Visa told her that the intrusion had happened “at the processor level”, which she said suggested that computer hackers had penetrated the electronic records of organisations that acted as middlemen between merchants and credit card companies such as Visa and MasterCard.

These organisations, known as “processors” or “acquirers”, are sent credit and debit card information by local merchants. In turn, they process the information and send it on to credit card companies for billing.

“Visa is having a hard time figuring this problem out,” the credit union employee said.

The case has also prompted concerns that security measures designed to protect personal financial information may be too lax in the UAE.

Numerous establishments in Abu Dhabi print customers’ full details, such as customer names, entire card numbers and expiration dates, on receipts.
Many countries, including the US, have laws requiring such details be truncated to prevent sensitive information from being stolen.

Galen Clarke, 22, a photographer for The National who moved from the US in July, noticed his entire credit card number was printed out on several receipts. He took a closer look at them after learning an unauthorised US$642 (Dh2,358) had been charged to his Visa debit card account on Aug 23. As a new resident, Mr Clarke had not yet opened a bank account in the UAE.

Although he was in the UAE at the time, the purchases included $90 of petrol in Florida. Other transactions originating in the US happened at about the same time that he was dining at the Beach Rotana Hotel & Tower in Abu Dhabi.

“I tried using my cheque card to pay for my meal at the Brauhaus, and it came back declined, which I thought was weird because I knew I had the money,” said Mr Clarke, who was later reimbursed by Visa for the fraudulent charges made on his card. “My account went down to $180 – there was no way to explain that.”

Doug Johnson, the vice president of risk management at the American Bankers Association (ABA), a professional association that promotes the US banking industry, said incidents of credit and debit card fraud in the UAE were on the rise, as they were in much of the rest of the world.

It was possible that global hacking networks could have tampered with certain companies’ financial information, he said. Hacker networks have grown “extraordinarily sophisticated”, modelling themselves on multinational corporations operating in countries all over the world, he said.

“The hackers sell data to anyone who cares to buy,” said Mr Johnson. “They might advertise it on the internet, and then resell it further down the chain. Hackers could be from Eastern Europe, for example, and sell their stolen data to people who make clone cards in Latin America.”

Mr Johnson said printing customer names and full card numbers on receipts contravened the policies of most credit card companies.

Recent years have seen an increasing number of credit card and get-rich-quick schemes in the UAE, which have wrested millions of dirhams from residents.

A Middle East manager for an anti-fraud division of a large international bank, who spoke on condition of anonymity, said there had been a rise in so-called “skimming” incidents at ATM machines. Under a typical skimming scheme, criminals rig ATM machines with card-reading data and cameras to steal pin codes. They then compile the information to make clone debit cards.

“There was a rash of this occurring during Christmas time this year,” said the banking official, who is based in the UAE.

hnaylor@thenational.ae