UAE bank told to pay for Dh4.7 million after SIM swap fraud


Dubai: A recent judgment by a Dubai court, which held a local bank responsible for a Dh4.7 million SIM card swap fraud, serves as a reminder to all banks and telecom providers to adopt tighter security measures, a Dubai-based lawyer said on Sunday.

Ghassan El Daye, Partner and Head of Litigation for the Middle East with the UK-based law firm Charles Russell Speechlys, said that in a landmark judgment, the Dubai Commercial Court recently found a local bank responsible for a SIM card swap fraud that cost a customer Dh4.7 million in life savings.

The case dates back to 2017, when the customer’s money was stolen from his account, which the bank had then closed without his knowledge.

Our comments

Denis Kalemberg

Chief Executive Officer

This case explains how criminals can take over the account if a bank uses SMS OTP as a main 2FA solution for log-in and money transfer in digital banking.
To cut a long story short, the simple way to protect bank clients from the risk of SIM-swapping is to refrain from using SMS as a confirmation method and to move to proper authentication solutions.

In this perspective, it is important to underline that PayConfirm works independently from the telecom operator and even in offline mode.

El Daye said the court has ordered the bank to pay the customer Dh4.7 million with nine per cent interest from the date the case was lodged.

“This judgment is significant because it involves new essential factors related to the UAE’s banking sector and its customers. The judgment suggests recommendations for banks and telecom providers, including the need to apply strict security measures, carry out continuous monitoring, upgrading of PIN numbers and tighter background checks on employees,” said El Daye.

He said telecommunications companies should also impose tighter controls over SIM card replacement applications as several scams have been reported in the country.

“It must be forbidden to issue a replacement SIM card unless the holder of the card goes physically to the bank and telecommunications provider with original ID.”

According to El Daye, his client, who used to work in the UAE, had opened a savings account at the local bank in Dubai in 2015 before he moved out of the country, leaving behind Dh4.7 million in the account. But to the horror of the man, whose nationality and age weren’t disclosed by the lawyer, the account showed zero balance in May 2017. The man then lodged a criminal complaint. But a Charles Russell Speechlys litigation team, headed by El Daye, advised him to pursue a civil case in order to get his money back.

During a court hearing in September this year, the victim’s defence said the bank should be held responsible based on facts and expert findings. The bank had insisted it’s the client’s responsibility since he had possession of the original SIM card and PIN number. It had argued that he should have objected to the transactions within 30 days of reviewing the account statement.

According to case documents, the bank failed to disclose its internal investigation reports to an expert appointed by the court and claimed the incident was a result of faulty transactions.

“For such a scam to succeed, our client’s confidential information must have been deliberately exposed by some bank employees who had access to it,” said El Daye.

The expert’s report submitted to court was in favour of the client and stated that confidential data, including official documents and contact numbers, were illegally revealed to others by a bank employee.

“This information was illegally passed on to other suspects who used it to obtain a replacement SIM card for the client’s phone number from the local telecommunications service provider in Dubai,” the lawyer said.

The fraudsters were able to change the PIN code connected to his bank services before logging him out and transferring the money.

However, the Dubai Commercial Court rejected the bank’s claims in October 2019 and held it responsible for the scam.

How SIM swap fraud works

Once cyber criminals have gathered enough information on a target, they create a false identity. First, they call the victim’s cell phone provider claiming that his or her SIM card has been lost or damaged. Then they request a replacement SIM. Most telecom providers won’t acquiesce to those requests unless security questions are answered, but the fraudsters come prepared, using the personal data they’ve collected to defeat the security checks.

As the victim’s SIM card stops working, the criminal gains access to any online service that requires security codes to be sent to a user’s mobile phone. Banks do ask for confirmation via text messages to the phone number but since it’s already with the criminal, victims remain in the dark even after their bank accounts have been drained.

How to protect yourself from SIM swap fraud:

If your cell phone number stops working for an unknown reason, get in touch with your telecom operator immediately.

Register your number for SMS and email alerts to stay updated about transactions on your bank account.

Don’t respond to unsolicited calls and text messages asking for your bank details.

by Gulf News