UAE bank customers shaken by spree of ATM card fraud

Graham Cluley
Graham Cluley
@[email protected]

ATM cash machine

It has been a jittery week in the United Arab Emirates for several banks and their many customers.

Citibank, Dubai Bank, Emirates NBD, HSBC, Lloyds TSB, and the National Bank of Abu Dhabi (NBAD) are just some of the banks to have contacted their customers in the region, advising them to change their security PIN codes. The advice follows reports this week that there has been a marked jump in the number of fraudulent transactions made from ATMs in other countries.

In essence, the belief is that criminals have managed to steal card details and PIN numbers of bank customers in the UAE, made counterfeit cards, and then used them to withdraw money in other countries such as Kuala Lumpur and the Philippines.

Sign up to our free newsletter.
Security news, advice, and tips.

Details of how precisely the criminals might have accessed the card and PIN code data is presently unclear, but it is clear that several banks have been rattled by the rise in incidents, and thought it wise to warn their customers to take preventive steps. A number of financial institutions thought the situation serious enough to send an immediate SMS text warning to their customers in the region, rather than rely upon the post.

Banks in the United Arab Emirates issued advisories to their customers

There have been claims, however, that the banks’ warnings have resulted only in causing some of their customers to panic. For instance, it is reported that the HSBC hotline told customers to change their PINs before 6pm, or face having their ATM cards cancelled. Long queues were said to be building at ATMs of various banks as people rushed to alter their security codes.

One interesting point to note is that this is not the first time that banking customers in the area have been troubled by a hacked ATM machine. In March of this year it was reported that thieves had stolen bank card details from an ATM in the UAE over a seven day period, copying details from all cards used in the machine during the period 19-25 February.

What was disturbing about that case was that the gang fitted a card reader inside the ATM, rather than the more normal situation of having it installed externally.

Is it possible something similar has happened again? And, if so, how are the criminals managing to install their devices inside the ATM without being noticed? Alternatively, rogue software inside the banks’ systems could potentially send confidential information out to criminals, or wireless-enabled devices transmit information to hackers waiting nearby.

Clearly if anybody knows what happened in this new case, they’re not talking about it at the moment. It will be interesting to find out what new snippets of information emerge in the days and weeks to come.

* Image of cash machine buttons: Leo Reynolds’ Flickr photostream (Creative Commons 2.0)

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.