Dishonesty of Employee and SIM Swap Fraud – Bank in the United Arab Emirates
The insured is a large bank in the United Arab Emirates. As much as USD 1.5 million was stolen from customer accounts.
An employee accessed the bank’s system and obtained the customers’ personal account information. This was provided to external fraudsters who called the bank’s telephone banking line posing as the customers. Callers were required to answer security questions to verify the customers’ identities, and the fraudsters used the stolen information to answer those questions correctly.
The fraudsters then requested various actions on the accounts. A One Time Password (“OTP”) was required to authorise these. The OTPs were sent to the customers’ mobile telephone numbers registered on the bank’s system. The criminals intercepted the OTPs using replacement SIM cards which they had improperly obtained for the customers’ mobile phones.
Using the above modus operandi the fraudsters carried out the following:
- Changed the customers’ registered mobile telephone numbers to their own;
- Obtained the customers’ internet banking usernames;
- Established new internet banking passwords;
- Obtained replacement debit cards and a chequebook; and
- Obtained codes necessary to effect cardless withdrawals at ATMs of the insured.
The criminals used this access to misappropriate approximately USD 1.5 million from the customer accounts within three weeks. They did so by way of internet banking transfers and cash and cheque withdrawals.
The dishonest employee fled to his native country shortly before the fraud was discovered. Police attempts to locate him were unsuccessful. Two of the external fraudsters were however arrested and their trial is yet to begin. The monies themselves appear to have been quickly dissipated and it is unclear whether they will be traced.
- The security questions to verify customer identities were weak and the information necessary to answer them was available on the system to many of the bank’s employees.
- A significant reliance was placed on the fact that the OTPs necessary to authorise a wide range of transactions would be sent to the customers’ mobile telephone numbers held on the bank’s system. This was vulnerable to a SIM swap fraud.
- The accounts were targeted as being ones with significant balances but which were used infrequently. This maximised the amounts to be targeted whilst minimising the chances of quick discovery.
- The external fraudsters also targeted other banks in the UAE, recruiting bank employees to provide customer information in return for payment. It is likely that employees at the mobile phone companies were also in collusion.
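The sequence described above (a registered mobile number changed over the telephone channel on a long-dormant account, followed within days by credential resets and large outflows) can be expressed as a monitoring rule. The following is an added example, not the bank’s or the insurer’s code; the event log is constructed and the event names (`phone_change`, `password_reset`, `card_replacement`, `cardless_withdrawal`) are assumed labels for the actions listed above.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample event log (not from the case): (account, timestamp, event, amount).
SAMPLE_EVENTS = [
    ("ACC-1", "2023-01-02 10:00", "login", 0),
    ("ACC-1", "2023-01-03 11:00", "transfer", 200),
    ("ACC-1", "2023-01-05 09:30", "phone_change", 0),       # active account: not dormant
    ("ACC-2", "2022-09-01 12:00", "login", 0),               # last genuine activity
    ("ACC-2", "2023-01-10 14:05", "phone_change", 0),        # number changed via telephone banking
    ("ACC-2", "2023-01-10 14:20", "password_reset", 0),
    ("ACC-2", "2023-01-11 09:00", "card_replacement", 0),
    ("ACC-2", "2023-01-12 16:00", "transfer", 60000),
    ("ACC-2", "2023-01-15 10:00", "cardless_withdrawal", 9000),
]
CREDENTIAL_EVENTS = {"password_reset", "card_replacement", "cardless_code"}
OUTFLOW_EVENTS = {"transfer", "cardless_withdrawal", "cheque"}

def parse(events):
    """Group raw tuples by account and sort each account's events by time."""
    by_acct = defaultdict(list)
    for acct, ts, kind, amount in events:
        by_acct[acct].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), kind, amount))
    for evs in by_acct.values():
        evs.sort()
    return by_acct

def flag_takeovers(events, dormant_days=90, window_days=21, outflow_threshold=10000):
    """Return {account: details} where a phone change on a dormant account is
    followed, within window_days, by a credential change and large outflows."""
    flagged = {}
    for acct, evs in parse(events).items():
        for i, (ts, kind, _) in enumerate(evs):
            if kind != "phone_change":
                continue
            prior = evs[:i]
            gap = (ts - prior[-1][0]).days if prior else None
            dormant = gap is None or gap >= dormant_days
            after = [e for e in evs[i + 1:] if (e[0] - ts).days <= window_days]
            creds = sorted({k for _, k, _ in after if k in CREDENTIAL_EVENTS})
            outflow = sum(a for _, k, a in after if k in OUTFLOW_EVENTS)
            if dormant and creds and outflow >= outflow_threshold:
                flagged[acct] = {"dormant_days": gap,
                                 "credential_changes": creds,
                                 "outflow": outflow}
    return flagged
```

Thresholds are assumptions to be tuned per portfolio; the rule is intended as a post-change review trigger, not as a replacement for the stronger verification controls listed below.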
- Access to confidential customer information has been restricted to certain senior employees only.
- Security questions have been made more difficult to answer by anyone other than the genuine customer.
- The reliance on OTPs is being reviewed and alternatives implemented.
- Customers must now answer security questions which are embedded into the online portal in order to gain access to their internet banking accounts.