When Stella received an alert from her bank, she was out for lunch and, as usual, had very little cash on her.
Her debit card had been blocked with immediate effect.
“I was shocked because I wasn’t expecting it,” says Stella, a 24-year-old PR executive, who did not want to reveal her full name.
The Italian-American called the bank the same day and was told her card may have been used online as part of a fraud.
After telling her colleagues, it transpired a few of them had experienced the same issue. That seemed like a like a strange coincidence to her at the time, but reports suggest otherwise.
Last August, an Abu Dhabi-based bank was forced to reissue cards after a possible breach by online hackers, one of a string of recent attacks to be reported in the press.
In total, about a fifth of residents in the UAE were victims of cyber crime last year, according to Norton by Symantec. On average victims lost 30 hours trying to fix an incident of cybercrime and it cost them Dh2,331.
“More than 2 million people in the UAE were affected by cybercrime last year,” says Tamim Taufiq, territory manager for the Middle East at Norton by Symantec. “That number is high.”
And it is rising fast. According to Dubai Police, reports of cybercrime rose from 1,581 in 2014 to 1,820 in 2015 – an increase of 23 per cent.
Gerome Billois, a member of the cybersecurity practice and senior manager at Solucom, a consulting company based in France, aims to reduce that number through his work with ShiftIN Partners, the company’s knowledge partner in the region which is based in Abu Dhabi. Together, they work to educate large businesses in the region including banks, insurers and industrial companies.
He says there are three main types of cyberattacks taking place in the region right now. The first is what he calls hacktivism, when criminals launch attacks based on their ideology, such as the group that hacked 23 government websites in Saudi Arabia last year just to prove the security was poor.
The second is to destabilise a company. “There was a major case in the GCC. It was an attack that occurred against Saudi Aramco. They successfully deleted 35,000 computers,” says Mr Billois.
The third is the one most people associate cybercrime with – for financial ends.
“Today if you steal a credit card number, the price on the black market is between $5 to $75 each card number, depending on the card type. Depending on whether you have all the card details like the card number, the name of the person and the expiration date,” he says.
Stealing the details can be done by either attacking a company or bank and stealing a large amount of data or by targeting individuals in one of two ways.
“The first is a phishing attack, which is when you receive a false email that asks for strange things, either a credit card number or because your account is going to be blocked you have to reply. Usually these emails sound strange and look strange as well,” he says.
“The second one is the viruses that block the computer and data for a ransom. You receive a strange email with a strange type of attachment about invoices or a photo to look at or something like that. You open the attachment and just after your PC is locked. The screen has a message which says we have the control of your computer. We have cyberincripted all the data. If you want to get them back you have 70 hours to pay us, often with Bitcoins,” adds Mr Billois.
Then there is the risk we face when using our cards to pay for purchases online. And the number of us potentially affected by cybercrime via online shopping is increasing.
According to an estimate in 2015, the UAE e-commerce industry is projected to grow by 40 per cent to Dh40 billion by 2020, says Frost & Sullivan.
So how do we know which websites are safe?
“That is a very good question and there are no easy answers because we have no official standards that say if you do that you are secure enough,” says Mr Billois. “All the websites that say we are secure, in fact is not proof of anything because you can write on your website I am 100 per cent secure, but nobody will check and you have no proof that you have been checked.”
One way, he suggests, is to check you have an encrypted communication link with the website. If one exists it will say https in the address bar. There will often also be a grey lock near the name of the website, which indicates the connection is secure between your computer and the website you are visiting.
“But it doesn’t tell you that the website on the other side is well secure and that the offices where the people work are well secure as well, but it’s the first thing to look at. If you do not have that, do not put your credit card number in,” says Mr Billois.
Card providers such as Visa and MasterCard are also working to improve the security of online shopping so that we do not have to be so vigilant.
Neil Fernandes, Visa’s senior director of risk services for the Middle East and North Africa region, says the company has a number of security measures to ensures cardholders are protected. These include one-time passcodes to verify online purchases, text and email alerts, and mobile location confirmation which uses geo-location data to match the location of the phone with the transaction.
“If an individual’s phone is pinging from Dubai and their card is used to buy a coffee at The Dubai Mall, Visa will factor this geo-location match in the risk score,” says Mr Fernandes.
In addition, its fraud monitoring and detection systems analyses and risk scores for every transaction it processes – which stands at more than 61 billion annually worldwide – to help merchants and financial institutions identify fraud.
“The fight against fraud can’t be done in isolation, which is why Visa is focused on working closely with all our partners, law enforcement and government agencies to better deter criminals,” he adds.
Mr Fernandes says the company’s work to date has ensured that system-wide fraud has declined by two-thirds over the past two decades to less than 6 cents out of every $100 transacted – despite transaction volumes having increased by more than 1,000 per cent.
“In the UAE, the rate sits even lower at less than 4 basis points,” he says.
A key partner in the war is the banks which issue cards. While banks are cagey about revealing the number of fraud cases they experience, they are happy to talk about what they are doing to protect their customers.
Phil King, head of retail banking for the UAE for ADIB, says fraud was a lot more prevalent before technologies like chip and pin were introduced to the market.
“ADIB was the first in the country to fully implement them. We have also introduced enhanced security for online transactions, and regularly remind customers to follow tips for protecting themselves and their financial information,” he says.
Banks also tend to be very proactive when it comes to security, which can lead some to block the cards of customers before they become a victim.
And after searching through her bank statements when she arrived back at the office, this as it turned out, was the case for Stella.
“When I first saw that text message I was a bit confused. I thought wait a minute, I wondered if it was on my account or in general. So I started going through my bank statements in the office to double-check if I noticed any suspicious activity but there wasn’t any,” she says.
“My card is my main means of purchasing anything, so it was definitely a hassle because I had to withdraw a pretty large sum of money [but] I guess it was good. It prevented something bigger.”
The expert view on how to protect yourself online
Tamim Taufiq territory manager for the Middle East at Norton by Symantec
• Don’t share your passwords
• Review your bank statements and credit card statements for any irregularities
• Be careful while handling any unexpected or unsolicited email
• If you have children using your computer who don’t know about cybercrime, monitor their online activity
Aref Al Ramli head of electronic and business innovation at Mashreq
• Only visit the internet banking website by using the bank URL and not via links received from a third party
• Don’t respond to or share any personal information by clicking on any of the links provided within such emails
• Act quickly if you suspect fraud. If you think someone is trying to commit fraud by pretending to be your bank, notify the bank immediately
• Change your online banking password regularly
• Do not send sensitive personal or financial information unless it is encrypted on a secure website. Regular emails are not encrypted and are more like sending a postcard. Look for the padlock symbol on the bottom bar of the browser to ensure that the site is running in secure mode before you enter sensitive information
• Make sure your home computer has the most current anti-virus software.
Phil King head of retail banking for the UAE for ADIB
• Register for SMS and email alerts to get notifications of any activity in your bank account
• If you receive any suspicious emails or SMSs, report them to your bank immediately
• Shred all documents containing personal information, which are not required
• Protect your Pins and passwords and do not disclose to anyone