4 days ago
UAE: Card skimming on the rise; how to keep your money safe from scammers
When Sharjah resident Mohammed Zubair placed an online McDonald's order after an offer he saw from a Facebook ad, the last thing he expected was to see Dh350 deducted for a purchase in Russia. It turned out, the ad was a scam, and all it needed to work was a One-Time Password (OTP) inserted by the victim into the seemingly official website.
'I clicked on the ad, which appeared to be from McDonald's and showed huge discounts. We placed an order for 3 deals, and I received an OTP. Without checking the full details, I entered the OTP on that website. Immediately after, I received a bank message stating that Dh350 had been deducted for a purchase in Russia, even though my order was only Dh50. On rechecking, I noticed the website was slightly different and turned out to be fake.'
This sort of act is known as card skimming, where a malicious actor gets a hold of card details through fraudulent ways. Traditionally, it involves the 'skimmer' having to physically go to a card machine, either at a store or ATM, and altering the machine or placing hidden cameras to catch the sensitive information. Nowadays, the term 'digital skimming' involves card skimming, which is carried out over the internet and makes it harder to detect, cyber analysts say.
'Digital card skimming is a growing problem due to the ongoing rise of digital payments across all types of purchases – from digital goods to services and food,' Mohammed Abukhater, regional vice president for the Middle East, Türkiye and Africa at F5, a technology company, told Khaleej Times.
'The problem is magnified by the fact that cybercriminals do not always use stolen card details immediately – they often sit on them for weeks or months, which can make it more difficult to detect.'
Abukhater added that there has also been a notable increase in 'remote purchase fraud and authorized push payment", which is when a victim is tricked into making a purchase themselves.
Adrian Dinca, principal analyst at cybersecurity firm Sophos' Red Team, advises that once a victim suspects their card has been compromised, they should immediately freeze their card. 'A good measure is also directly calling the bank in order to cancel any suspicious transactions as well as issuing a new card, if necessary,' he told Khaleej Times. He says victims should also look at previous transactions in case that money has been withdrawn in small amounts before it is noticed.
Red flags
Dinca said that there may be signs, or red flags, that one can notice before an attack has taken place. He breaks it down into two: physical flags and digital ones. 'For physical, always be on the lookout where you are using your credit card. Classic methods of skimmers placed on top of legitimate terminals are still being used to date and are getting more and more difficult to spot,' he explained.
To make sure there is nothing suspicious when paying at a terminal, Dinca suggests physically checking it. 'I know it sounds a bit silly, but trying to jiggle the terminals, keypads and such can usually help in such actions,' he said. 'There are of course easier ones to spot, where keypads are bulky, they stick out and feel 'off' to the touch.'
As for digital flags, Dinca said it ranges 'from phone calls or messages asking you to provide a payment information for a random service, to more sophisticated phishing e-mails asking users to update their billing details.' He added, 'Ultimately ask yourself: would the service really ask me to provide them with my payment details through this method?'
Broadly speaking, Dinca says that mobile wallets are safer than traditional wallets, but that each technology has its own risks. He explained that mobile wallets have enhanced security features to safeguard the user, like Multi-Factor Authentication (MFA) or using a unique, encrypted code that even if intercepted, cannot be reused. However, he cautioned that even the mobile wallets' protections are not always perfect. With digital wallets, attackers may be able to receive and hold the information for longer periods and even clone the card.
He said, 'I cannot stress enough: all these systems can be defeated with enough research time, so end users must ultimately not fully rely on them for their protection. The safety starts with our own vigilance.'
