Gulf Bank Hacked

Gulf Bank has sent an urgent SMS to some of its customers telling them that their ATM card will no longer work and that they are to replace their cards immediately at their respective branch.

According to sources within the bank, hackers have gained access to customer information and their deposits are now at risk.

Gulf Bank is now conducting a massive campaign to replace all the compromised cards.

More info here from Some Contrast.


  1. I think that NBK is canceled a few cards as well! Its very strange that they could get through to a bank information! Usually they have some safeguards, but I think they were cutting corners and this was the result!

  2. Yeah, it is worrying that banks cannot take care of their security. It is bad enough with all the bank panic happening, we don't need anymore bad news.

  3. They can hack me all they like- I have 8KD in there.
    Big time , eh?

  4. Central Bank starts inquiry into ATM fraud

    ABU DHABI - OCT 06: The Central Bank of the UAE has begun an investigation into international fraud that may involve tens of millions of dirhams and continues to affect ATM and credit card users almost a month after the first reports of problems, financial sources said yesterday.

    The Central Bank summoned officials from an unknown number of banks to a meeting on Sept 25 in Dubai, where they were informed of the investigation and told to give information to government investigators. They were not told when the investigation would be finished.

    Officials at the Central Bank confirmed the meeting and the investigation, but would not elaborate.

    Details of the fraud emerged in early September after several banks told customers in text messages to change the personal identification numbers for their ATM cards. An undisclosed number of people were defrauded, with some bank accounts being wiped out.

    Mohammed Hammadi, 30, of Sharjah, recently opened an account at National Bank of Umm al Qaiwain (NBQ). Yesterday, before receiving his new debit card in the mail, he learnt that his money was gone. “I got a text on my phone yesterday telling me that my available balance was zero,” Mr Hammadi said. “I had Dh23,000 (US$6,262) in the account.”

    An NBQ official said the bank would reimburse customers whose accounts were used fraudulently.

    Several banks have indicated that they also will make refunds to customers who have lost money from their accounts.

    Other banks are still dealing with the issue, taking precautionary measures such as reducing daily withdrawal limits and prohibiting foreign transactions made on UAE-issued cards. National Bank of Abu Dhabi, for example, has sent text messages to customers over the past two days saying it had lowered its withdrawal limit to Dh2,000 a day.

    First Gulf Bank emailed customers yesterday, saying it had also taken additional protective measures.

    “To protect our customers and to avoid any card misuse, we have requested customers to change their PIN immediately,” the email said. “For further protection, we have proactively replaced customers’ cards that have been used in the compromised networks.”

    Some banks have conducted their own investigations, and gave the Central Bank their findings at the Sept 25 meeting. Bankers have expressed frustration at the Central Bank’s role, complaining that it has provided little guidance.

    Officials at several banks have said they have identified a breach at a UAE-based bank as the source of the fraud, which allowed unauthorised people to obtain sensitive data such as PINs and information from magnetic strips on the back of the cards. The data were then used to produce counterfeit cards to make illegal transactions in dozens of countries.

    Officials familiar with last month’s central bank meeting said several banks openly accused the bank that is suspected of being breached. Officials from the bank in question were said to have denied the accusation.

    Fraud crisis bankrupts confidence

    ABU DHABI - OCT 06: It was staff at the US Embassy in Abu Dhabi who first spotted that something might be amiss with the banking system.

    On Aug 26, consular chiefs issued a “warden message” to all American citizens in the country, warning that “in recent days the embassy has received numerous reports of US citizens in the UAE who have been victims of credit and debit card fraud”.

    Americans, said the embassy, should check the balances of their accounts frequently, verify the level of their personal liability and report any case of fraud immediately.

    A few days later, the first of what was to become a flood of personal horror stories began trickling into The National.

    Initial speculation was that “skimmers” might have rigged ATMs with secret “reader” devices, harvesting customers’ data and cloning their cards. But the manager of the anti-fraud division of a US-based credit union had an even more sinister explanation.

    The credit card firm Visa, she claimed, had issued an industry warning that between February and August there had been a banking “network intrusion” in the UAE, “at the processor level”. This, she told The National, suggested that the records of the organisations that acted as the middlemen between merchants and credit card companies had been breached. “Visa,” she said, “is having a hard time figuring this problem out.”

    It was several days before some of the main banks in Abu Dhabi reacted by sending text messages suggesting customers change their PINs. “For security reasons we ask you to please change your Visa Electron card in number immediately,” read one typical message, from the National Bank of Abu Dhabi.

    As Ramadan got under way, mobile phones in homes and workplaces began receiving texts as banks including HSBC, Citibank and Emirates NBD requested that customers change their PINs. Long queues of irritable cardholders began to form at cash machines.

    “Together with other UAE-based banks, we have been experiencing an attack on our local accounts from counterfeit ATM card usage abroad,” Jonathan Campbell-James, head of security and fraud risk at HSBC Middle East, said in a statement on Sept 9.

    Customers were being urged to change their PINs “as a precaution” and the bank had “implemented various containment strategies to minimise the threat posed”.

    HSBC’s customer service operators had advice for worried customers, but what they said worried clients even more: if they had not changed their PIN by 6pm the following evening, Sept 10, their account would be deactivated.

    The advice was at odds with what the bank was telling The National – that accounts would not be blocked or frozen, but if PINs had not been changed the refund process following any fraud would be more difficult – but the effect was inevitable. Customers were taking no chances and queues began to form at ATMs as the supposed deadline drew near.

    The customers had plenty of questions. But despite the growing crisis of confidence, bank staff were conspicuous in their absence – and banks failed to extend their Ramadan opening hours to cope with customer queries.

    One British employee of Nakheel, queuing outside his bank in Abu Dhabi, said: “I’m not surprised there’s nobody ... here to reassure me. I’m not sure they could reassure me.”

    On Sept 6 and 7, 39 illegal transactions had been made in the Philippines on a Citibank Visa card belonging to Akram Mirza, a German working in the oil industry.

    Even though his account had a personal daily limit of Dh10,000 (US$2,700), the thieves had managed to siphon off Dh30,000.

    Miriam al Hilali, an Iraqi working for a subsidiary of the Mubadala Development Company, spotted two transactions on her Visa card issued by the National Bank of Abu Dhabi: Dh8,200 had been charged against her account in Kuala Lumpur. But the worst thing about it, she said, was that the thieves appeared to know all her personal banking details: both sums taken had been just below her daily limit of Dh5,000.

    “How can they know this sort of information?” she asked. “I feel used. I’m really upset.”
    On Sept 10, as HSBC’s 6pm deadline approached and its telephone operators continued to insist that cards would be blocked if their PINs had not been changed, long queues formed at the bank’s terminals.

    Wael Jundi, a financial adviser for SinoGulf who found himself in a 30-person queue at Al Wahda Mall in Abu Dhabi, said he had been given the advice on the HSBC telephone hotline at only 4.45pm that day. “This is a disaster,” he said. “They have to give me a reasonable time to change my card. What if I was on vacation or something?”

    Because of dauntingly long queues, many were simply unable to change their PINs before the deadline, even though for many the deadline appeared to be meaningless.

    Despite the threats of mass terminations, in the event very few people had their cards deactivated.

    The following day, however, some banks did act. An undisclosed number of cards were cancelled without warning, leaving customers facing waits of several days before they could be replaced and, in the middle of Ramadan, with banks and other organisations operating short hours, this was a process that for many would prove far from smooth.

    Other banks, including Abu Dhabi Islamic Bank, Citibank and the National Bank of Abu Dhabi, began sending out text messages warning their customers to change their PINs. By now, it was becoming clear that, whatever the nature of the security breach, it was affecting financial institutions throughout the UAE.

    Yet despite the confusion and rumours rife among their customers, on Sept 11 not one of 10 banks visited by The National had posted any signs warning customers of the fraud or telling them what to do.

    Some proved more willing than others to communicate with their customers, especially HSBC, which issued numerous press releases during the crisis. Others said nothing, while some even denied being affected, even though it now appears highly unlikely that any bank could have escaped the far-reaching effects of the security breach.

    Details of the true extent of the fraud were difficult to come by. On Sept 11, Dubai Bank announced it had reimbursed 42 customers whose accounts had been raided and the National Bank of Abu Dhabi said it would issue full refunds. But the banking industry was circling the wagons; no one would say just how much money was involved.

    Information, meanwhile, was confused – and in short supply. Eva Brunczvikova, an Etihad Airways employee, found out about the crisis by chance, and only after she had finished opening a new account. “I wasn’t told by anyone about this inside the bank,” she said. “I’m shocked.”

    By Sept 14, almost a week after news of the widespread fraud broke, it was clear that the banks had yet to develop a common strategy.

    The Central Bank had remained silent on the issue, issuing no statements and not responding to media requests for comment.

    And a new bank strategy emerged, which appeared designed to frustrate customers even more. Without warning anyone, banks began reducing the daily limits on cards, leaving consumers with the impression that, unable to tackle head-on the security issue, the banks had resorted to limiting potential losses.

    Barclays was among those that reduced withdrawal limits on accounts without notifying customers, a mystifying failure of service given the widespread PIN-change texting in which many banks had earlier indulged. “We inform them when they call us,” said a Barclays employee, “because this situation is not going to be for long.”

    Most, of course, found out only when they tried to withdraw money from their accounts.
    “This was a total surprise and very inconvenient,” said one man who had tried to withdraw Dh8,000 and found himself limited to half that amount.

    “This is bad communication from the bank; it’s like they don’t really care about the customer.”

    Experts in affiliated financial industries were beginning by now to worry about the credibility gap that was opening up between banks in the UAE and the rest of the world, where fraud occurs but is handled with minimum inconvenience to customers.

    Although it is standing advice to all bank customers throughout the western world that PINs should be changed frequently, demanding a wholesale change by all customers would be unheard of, let alone with a day’s notice. Further, follow-up after the cancellation of cards was poor.

    Customers in some cases were told a new card would be with them in two working days but had to wait in excess of a week or 10 days for the cards to be delivered. Some were told, just prior to the Eid al Fitr holiday, that accompanying PINs would be sent by post within a further four working days.

    “If the UAE is to take itself seriously as a world-class financial hub, the ATM security breaches this week should serve as a wake-up call to both the banking community in the region as well as regulatory bodies,” Paul Sherry, the Middle East director of F5 Networks, which specialises in bank security systems, said in a statement on Sept 13.

    “People seriously doubted the trust they had placed in their banks.”But the problem was not yet over. Accounts continued to be hit and, in a further apparent gesture of helplessness, some banks began to close accounts they believed to be vulnerable without explaining how they had reached that conclusion.

    Others stopped customers using their cards abroad. Again, no statistics were made available, but this decision was certain to have come as an unpleasant surprise to many who were travelling overseas.

    The lack of centralised information meant it was impossible for customers to make informed judgements about what to do with their money. Which banks were being hit? Which — if any — were safe?

    Incomplete details continued to emerge, but on Sept 14 executives at three banks confirmed that illegal attempts to withdraw money overseas from UAE accounts were continuing, with one bank confirming it had had 58 such cases.

    “It’s a well-co-ordinated, well-organised fraud network,” said Arup Mukhopadhyay, the executive vice president of retail banking at Abu Dhabi Commercial Bank.

    Michael Miebach, the managing director of Barclays in the Middle East, revealed that banks were working closely with Visa and MasterCard, the companies behind the world’s two largest card networks, to discover how and where the breach had happened and who was behind it.

    The Central Bank, meanwhile, maintained its silence, and one insider said no advice or instructions had come down the line.

    “Clearly, if there had been leadership from the Central Bank right from the beginning, it would have stopped all the different approaches adopted by individual banks,” said one senior banker.

    The first concrete news about the nature of the fraud emerged on Sept 16. Sources close to investigations being carried out by financial institutions told The National it was thought that the complexity of the fraud ruled out the usual suspects – such as hackers and skimmers – and that whoever was behind the crime had breached the network that banks use to share ATM data.

    It was, in short, beginning to look like either an inside job or a breach perpetrated by someone who had detailed knowledge of, and access to, the banking system.

    Officially, the banking community was saying nothing, but word began to leak out that one bank may have been responsible for the haemorrhage of sensitive information, and that the others would be demanding compensation. One banker, speaking on condition of anonymity, said: “We’re quite close to having completed the case for the prosecution and we have a fairly clear idea of how this occurred.”

    Almost three weeks later, no arrests have been made and the police have yet to become involved.

    The bank suspected of being breached meanwhile has denied it was the source of the problem.

    It was also not until Sept 16, four weeks after the crisis broke, that the Central Bank e-mailed a statement to The National: “The said subject is related to banks’ security systems, not the Central Bank