x Abu Dhabi, UAEWednesday 26 July 2017

Fresh calls for tighter UAE banking regulations in wake of $45m cyber heist

Financial firms are being urged to amp up their fraud defences in the wake of a cyber attack in which $45m was stolen from RAKBank and BankMuscat.

Bank Mucat was hit in the $45million cyber heist. Silvia Razgova/The National
Bank Mucat was hit in the $45million cyber heist. Silvia Razgova/The National

The US$45 million cyber heist which hit RAKBank and Bank Muscat has renewed calls for tighter consumer banking regulations and augmented fraud prevention measures.

The payments network Visa has said that the UAE's card fraud prevention mechanisms required greater urgency and authorities should "fast-track" the implementation of the chip and pin system, which banks postponed at the end of last year.

The Central Bank is expected to discuss the security breach, one of the biggest to hit the Middle East's financial system, at its monthly meeting with the banking sector.

The incident had underscored the need for better data security standards and real-time fraud detection systems to notify banks of fraudulent transactions as soon as they happen, said Neil Fernandes, the head of country risk management for the Middle East, North Africa, India and South Asia at Visa.

The banking sector should also resume its push towards implementation of chip and pin systems on debit and credit cards, he added.

"You must be able to proactively deflect these kinds of frauds," he said. "These three multiple layers of security would make the industry much, much stronger."

US authorities charged eight with conspiracy to commit access device fraud and money laundering on Thursday, after uncovering what is alleged to be the New York cell of an international cyber crime ring.

The suspects are alleged to have used prepaid debit cards issued by the two banks to withdraw millions of dollars from ATMs in New York City within a 24-hour period.

They were able to do so after hacking into the networks of Enstage and ElectraCard, two Indian IT firms which processed payments on behalf of MasterCard, and disabling withdrawal limits.

"What we know at this stage is that the systems of the processors were hacked and the data was compromised," said Sami Lahoud, the regional vice president of communications at MasterCard.

"The exact nature of the infiltration is being audited by independent forensic agencies."

MasterCard said its own systems were unaffected, but it has delisted both Enstage and ElectraCard, in which it owns a 12.5 per cent stake, for non-compliance with payment card industry security standards.

"We believe that both processors are working on a plan to get recertified," he said.

While investigations over the breach continued, Visa has called for implementation of chip and pin to be "fast-tracked" to address another security vulnerability of UAE card payments.

The deadline for migration of debit cards to chip and pin, also known as EMV, was set for the end of last year, but was postponed at the urging of the UAE Banks Federation, according to the industry lobby group's annual report.

"Upon the recommendation of the UBF, the Central Bank agreed in principle to postpone the date of compliance to use the EMV chips for all debit cards until the end of 2013," the report said.

Banks including Emirates NBD and National Bank of Abu Dhabi had pressed for an easing of the date for compliance because of the logistical difficulties of reissuing the 10.4 million debit and credit cards in the financial system.

Banks have until the end of next year to reissue credit cards with the new security features.

In the meantime, financial firms are studying their options.

Bank Muscat said on Sunday that it was seeking ways to recover the funds stolen earlier this year.

"We reiterate that we are exploring all avenues of recovery so as to protect shareholder interests and will advise the markets accordingly if there are any material developments in this regard," the bank said.

RAKBank was affected by the attack in December, but did not disclose any details of its Dh17.4m loss until this weekend. The bank's customers were not affected by the incident, it said on Friday.

The bank declined to comment on measures it has taken to improve security on its cards following the attack.

The degree of consternation among financial firms was well deserved if they wish to maintain the trust of their customers, said Wissam Khoury, the regional managing director of SunGard, an IT provider to the financial services industry.

"This should make financial institutions reconsider all types of partnerships, including IT partners, whether they are outsourced or not," he said.