Sun, Oct 13, 2024 | Rabi al-Thani 9, 1446 | DXB ktweather icon°C

UAE: No OTP, ID verification? Some residents face up to Dh120,000 debt from credit card fraud

From emptied accounts to fraudulent credit card charges, customers reportedly face blame and recovery agents — instead of solutions

Published: Fri 27 Sep 2024, 7:30 AM

Updated: Sat 28 Sep 2024, 10:01 AM

  • By
  • Mazhar Farooqui

Ajoy Joseph’s Emirates ID had never left his hands. Yet, a forged photocopy of it was allegedly used to obtain three credit cards in his name, each maxxed out to about Dh30,000. The Indian expat claims he had no knowledge of these cards. It wasn’t until his credit rating plummeted that he discovered the fraud. The scammers had rerouted bank statements to a fake email and OTPs to a number under their control. The Dubai Police are now investigating.

The real mystery, though, is how the banks issued these credit cards without verifying the ID of the person applying. For Joseph, the challenges didn’t end with uncovering the scam. Instead of assisting, the banks turned on him, demanding payment. The debt had ballooned to over Dh120,000, with legal threats looming. After a six-month legal battle, two banks finally relented and waived the charges — but the third is still holding out.


Stay up to date with the latest news. Follow KT on WhatsApp Channels.

Unfortunately, Joseph’s case is far from unique. Across the UAE, residents are grappling with an alarming rise in cyber fraud, with some finding themselves abandoned by their banks. As the number of cyber attacks in the UAE surges, public sector entities now face an average of 50,000 threats daily, according to Dr Mohammed Al Kuwaiti, head of Cyber Security. This includes threats like phishing, DDoS, and ransomware. Banks are not immune; earlier this year, a hacker claimed on the dark web to have accessed a local bank's systems.


From accounts being emptied without OTPs to credit cards being charged for transactions never made, some customers are left cornered, blamed, and hounded by recovery agents — with no one to hear them out or address their concerns.

Sharjah resident Ayesha Naseem claims her credit card was fraudulently used in Qatar, even though she has never left the UAE. Dubai-based housewife Sarika Thadani says her card was charged even after she had blocked it. Abdul Kader, a driver, discovered his account had been wiped out without OTP verification, while welding engineer Pursh Ottam found his card charged without any notification. Pharmaceutical manager Yassin Hashem received OTPs for fraudulent transactions a day after they occurred.

In all these cases, the banks’ responses have been disturbingly consistent. Instead of taking responsibility, some would shift blame to the customers, threaten legal action, and allow recovery agents to harass victims relentlessly. Efforts to reach the fraud departments at these banks have proven futile, leaving many to face an uphill battle for justice.

For many, the legal road to recovering stolen funds and restoring their peace of mind is excruciatingly long. Bollywood actress Ruchika Panday, who lost Dh800,000 in 2018 due to SIM-swap fraud, said it took over four years to resolve her case. “My account was breached because of the bank’s lax security,” she recounted. “The bank manager dismissed my concerns, stating that SIM-swap crimes were rampant and my loss was insignificant compared to others. They even charged me for my bank statement when I asked for it.” It was only after a court verdict that the bank acknowledged any responsibility.

Ayesha Naseem’s fraudulent transaction has now swelled from Dh15,597 to Dh22,705 due to late payment fees, over-limit charges, and interest. “I’ve consulted lawyers, but they’re asking for Dh25,000—more than what I’m contesting. It feels like throwing good money after bad,” she said, expressing frustration over mounting fees and harassment from creditors.

Ayesha said she approached the Dubai Police’s cybercrime unit but was told that the case was outside their jurisdiction since the transactions took place in Qatar. With limited legal recourse, many victims feel trapped in a system where banks act as judge, jury, and executioner.

Yassin Hashem discovered several unauthorised payments on his credit card statement. “All they could tell me was that it was a fraud case they couldn’t help with,” he explained. Despite all eight transactions occurring on March 14, the OTPs were only sent the following day. “When I asked why this happened, the bank simply told me it didn’t matter because they had sent the OTPs.”

Similarly, Abdul Kader’s credit card was billed Dh16,055 for four transactions after attempting to place an order through a Facebook advertisement for discounted meals from a popular burger chain. “When I disputed the charges, the bank said they reviewed the case and found that the transactions were completed using contactless mode, activated through OTPs sent to my registered mobile and email.”

“I dare them to prove they sent me an OTP or e-mail because I didn’t receive anything,” he said. “If they claim this, they need to show proof.” He criticised the bank for failing to alert him about suspicious activity, noting that most charges were made at a household appliances store in Poland. “Shouldn’t they have called to confirm?” he asked.

Abdul Kader

Abdul Kader

Obaidullah Kazmi, founder and CTO of cybersecurity firm Credo, suggested that insider involvement might be contributing to the rise in fraud cases. “Banks need to proactively prevent cyber breaches,” Kazmi said, emphasising that adopting advanced technology could drastically improve security. According to him, AI-driven fraud orchestration platforms can detect fraud in real-time by analysing large data sets from multiple channels. “These platforms can adjust instantly to evolving threats, giving banks a significant edge in preventing fraud,” he said.

Kazmi also highlighted the benefits of blockchain-based identity verification and Self-Sovereign Identity (SSI) frameworks, explaining how these decentralised systems make it much harder for fraudsters to forge or tamper with personal information. “The implementation of SIM-swap detection tools, in collaboration with telecom operators, is another way banks can safeguard their customers,” he added. Additionally, behavioural biometrics, which analyses users’ unique behaviours, can serve as an additional layer of security, making it even more challenging for fraudsters to succeed.

Kazmi stressed that the integration of encryption, key management, and secrets management is crucial to safeguarding sensitive customer data, both during transit and storage. “Collaboration among banks, telecom providers, government agencies, and cybersecurity experts is essential,” he noted.

While technological innovations like blockchain and AI-powered fraud prevention are crucial, the legal accountability of banks when these systems fail is equally important. Hossam Zakaria of Dubai-based consultancy HZ Legal recounted a case where a major bank suffered a cyber-attack, exposing sensitive customer data, including account numbers and passwords. “This breach led to unauthorised transactions, resulting in financial losses for many customers. The bank was held liable for failing to protect customer data and was required to compensate those affected,” he said. Another incident involved a phishing scam where customers received fraudulent emails disguised as bank communications.

Many unwittingly disclosed their login credentials, leading to unauthorised transactions. Zakaria noted, “The bank was found negligent for not educating customers about phishing risks and was required to compensate them.” In a third case, a technical glitch in a bank’s online system resulted in unauthorised access to customer accounts. Although the bank addressed the issue, it was still held accountable for the losses incurred by customers. Zakaria outlined three key scenarios where banks may be liable for compensating customers. First, if a bank fails to implement adequate security measures such as encryption and multi-factor authentication they may be held liable for breaches.

Obaidullah Kazmi, CREDO

Obaidullah Kazmi, CREDO

Second, banks can be responsible if an employee is involved in insider fraud. Lastly, if a bank does not promptly notify customers of unauthorised transactions, it may be liable for any resulting financial losses.

“Banks in the UAE have a duty of care to protect their customers,” Zakaria said. Victims of account breaches should seek legal advice to understand their rights and options for compensation. As part of efforts to enhance cybersecurity in the financial sector, the Central Bank of the UAE (CBUAE) recently conducted a real-time cyber-attack simulation exercise to test the resilience of the UAE’s banking sector against potential threats. Additionally, the UAE Banks Federation organised RaCE, a two-day cybersecurity webinar focused on best practices in data privacy and protection as businesses adapt to hybrid work environments. Yet, many victims are still waiting for resolution. This tendency to shift blame onto customers rather than acknowledge shortcomings is not uncommon among banks. In fact, it has been proven that banks can be held accountable for such frauds. In a 2019 case, a UAE-based bank was ordered to compensate a customer who lost over Dh4.5 million due to a SIM card swap scam. Another customer was awarded Dh9.5 million in 2022 for a similar incident, as ruled by the Dubai Court of Cassation. But how many victims can afford legal recourse?

10 cases where banks are liable for account breaches

Hossam Zakaria,  HZ Legal

Hossam Zakaria, HZ Legal

  1. Processing unauthorised transactions on a customer’s account.
  2. Failing to secure customer data, leading to identity theft.
  3. Delaying notification of suspicious activity on a customer’s account.
  4. Neglecting to protect customer information from cyberattacks.
  5. Misusing customer funds through bank employees' actions.
  6. Not providing adequate security measures for online banking transactions.
  7. Inaccurately reporting account balances, resulting in financial losses.
  8. Allowing unauthorised access to customer accounts by third parties.
  9. Failing to investigate and resolve customer complaints about account breaches.
  10. Violating customer privacy rights, causing financial harm.

(Courtesy: HZ Legal)

ALSO READ:


Next Story