UAE: No OTP, ID verification? Some residents face up to Dh120,000 debt from credit card fraud

Ajoy Joseph’s Emirates ID had never left his hands. Yet, a forged photocopy of it was allegedly used to obtain three credit cards in his name, each maxxed out to about Dh30,000. The Indian expat claims he had no knowledge of these cards. It wasn’t until his credit rating plummeted that he discovered the fraud. The scammers had rerouted bank statements to a fake email and OTPs to a number under their control. The Dubai Police are now investigating.

The real mystery, though, is how the banks issued these credit cards without verifying the ID of the person applying. For Joseph, the challenges didn’t end with uncovering the scam. Instead of assisting, the banks turned on him, demanding payment. The debt had ballooned to over Dh120,000, with legal threats looming. After a six-month legal battle, two banks finally relented and waived the charges — but the third is still holding out.

Stay up to date with the latest news. Follow KT on WhatsApp Channels.

Unfortunately, Joseph’s case is far from unique. Across the UAE, residents are grappling with an alarming rise in cyber fraud, with some finding themselves abandoned by their banks. As the number of cyber attacks in the UAE surges, public sector entities now face an average of 50,000 threats daily, according to Dr Mohammed Al Kuwaiti, head of Cyber Security. This includes threats like phishing, DDoS, and ransomware. Banks are not immune; earlier this year, a hacker claimed on the dark web to have accessed a local bank's systems.

From accounts being emptied without OTPs to credit cards being charged for transactions never made, some customers are left cornered, blamed, and hounded by recovery agents — with no one to hear them out or address their concerns.

Sharjah resident Ayesha Naseem claims her credit card was fraudulently used in Qatar, even though she has never left the UAE. Dubai-based housewife Sarika Thadani says her card was charged even after she had blocked it. Abdul Kader, a driver, discovered his account had been wiped out without OTP verification, while welding engineer Pursh Ottam found his card charged without any notification. Pharmaceutical manager Yassin Hashem received OTPs for fraudulent transactions a day after they occurred.

In all these cases, the banks’ responses have been disturbingly consistent. Instead of taking responsibility, some would shift blame to the customers, threaten legal action, and allow recovery agents to harass victims relentlessly. Efforts to reach the fraud departments at these banks have proven futile, leaving many to face an uphill battle for justice.

For many, the legal road to recovering stolen funds and restoring their peace of mind is excruciatingly long. Bollywood actress Ruchika Panday, who lost Dh800,000 in 2018 due to SIM-swap fraud, said it took over four years to resolve her case. “My account was breached because of the bank’s lax security,” she recounted. “The bank manager dismissed my concerns, stating that SIM-swap crimes were rampant and my loss was insignificant compared to others. They even charged me for my bank statement when I asked for it.” It was only after a court verdict that the bank acknowledged any responsibility.

Ayesha Naseem’s fraudulent transaction has now swelled from Dh15,597 to Dh22,705 due to late payment fees, over-limit charges, and interest. “I’ve consulted lawyers, but they’re asking for Dh25,000—more than what I’m contesting. It feels like throwing good money after bad,” she said, expressing frustration over mounting fees and harassment from creditors.

Ayesha said she approached the Dubai Police’s cybercrime unit but was told that the case was outside their jurisdiction since the transactions took place in Qatar. With limited legal recourse, many victims feel trapped in a system where banks act as judge, jury, and executioner.

Yassin Hashem discovered several unauthorised payments on his credit card statement. “All they could tell me was that it was a fraud case they couldn’t help with,” he explained. Despite all eight transactions occurring on March 14, the OTPs were only sent the following day. “When I asked why this happened, the bank simply told me it didn’t matter because they had sent the OTPs.”

Similarly, Abdul Kader’s credit card was billed Dh16,055 for four transactions after attempting to place an order through a Facebook advertisement for discounted meals from a popular burger chain. “When I disputed the charges, the bank said they reviewed the case and found that the transactions were completed using contactless mode, activated through OTPs sent to my registered mobile and email.”

“I dare them to prove they sent me an OTP or e-mail because I didn’t receive anything,” he said. “If they claim this, they need to show proof.” He criticised the bank for failing to alert him about suspicious activity, noting that most charges were made at a household appliances store in Poland. “Shouldn’t they have called to confirm?” he asked.

Obaidullah Kazmi, founder and CTO of cybersecurity firm Credo, suggested that insider involvement might be contributing to the rise in fraud cases. “Banks need to proactively prevent cyber breaches,” Kazmi said, emphasising that adopting advanced technology could drastically improve security. According to him, AI-driven fraud orchestration platforms can detect fraud in real-time by analysing large data sets from multiple channels. “These platforms can adjust instantly to evolving threats, giving banks a significant edge in preventing fraud,” he said.

Kazmi also highlighted the benefits of blockchain-based identity verification and Self-Sovereign Identity (SSI) frameworks, explaining how these decentralised systems make it much harder for fraudsters to forge or tamper with personal information. “The implementation of SIM-swap detection tools, in collaboration with telecom operators, is another way banks can safeguard their customers,” he added. Additionally, behavioural biometrics, which analyses users’ unique behaviours, can serve as an additional layer of security, making it even more challenging for fraudsters to succeed.

Kazmi stressed that the integration of encryption, key management, and secrets management is crucial to safeguarding sensitive customer data, both during transit and storage. “Collaboration among banks, telecom providers, government agencies, and cybersecurity experts is essential,” he noted.

While technological innovations like blockchain and AI-powered fraud prevention are crucial, the legal accountability of banks when these systems fail is equally important. Hossam Zakaria of Dubai-based consultancy HZ Legal recounted a case where a major bank suffered a cyber-attack, exposing sensitive customer data, including account numbers and passwords. “This breach led to unauthorised transactions, resulting in financial losses for many customers. The bank was held liable for failing to protect customer data and was required to compensate those affected,” he said. Another incident involved a phishing scam where customers received fraudulent emails disguised as bank communications.

• Are UAE residents lonely? How work from home, less 'offline' connections affect mental health

• Long Reads