The Central Bank of Kuwait has notified the Communications and Information Technology Regulatory Authority (CITRA) of the occurrence of fraudulent operations using local numbers, saying the number of fraudulent cases on bank cards at local banks increased by about 6 times last year compared to what was recorded in 2020. It pointed out that, according to reports from local banks, the total number of fraudulent cases on bank cards reached 8,082 thousand during 2020, while it doubled to 65,492 thousand in 2021 and declined to 54,066 thousand cases in 2022.
The Central Bank stated in response to a question by MP Muhannad Al-Sayer that the causes of fraud on bank cards are mostly limited to phishing via e-mail and phone, by luring the customer saying they have won financial prizes or fabricating a scenario to update the bank card, or stealing bank cards by trickery or copying them, reports Al-Rai daily.
Another fraudulent activity is exploiting the data obtained from bank customers, as well as using credit cards to purchase from unsafe or fraudulent sites. He pointed out that there is cooperation between the Central Bank and several official bodies in the field of awareness of the dangers of fraud and electronic crimes, such as the Ministries of Information and Interior, the Capital Markets Authority, the Directorate-General of Civil Aviation, the Financial Investigation Unit, and the Public Authority for Anti-Corruption (Nazaha).
The Central Bank stated that CITRA was contacted on February 21, 2022 and last September 13, to take what it deems appropriate regarding the results of the study of complaints from some customers about their exposure to cases of fraud through the use of remote communication applications.
He added that the Authority was also asked to consider the occurrence of many fraudulent operations through the use of phone numbers issued through some telecommunications companies operating in the country.
The Authority was also contacted last month to oblige all telecommunications companies to display the full name of the calling party on the mobile phone screen for legal entities such as banks, government agencies, and official financial institutions.
The Central Bank stated that there is coordination and cooperation with the Interior Ministry to open a rapid communication channel between them by identifying a liaison officer from each side to immediately report fraudulent operations, indicating that it has developed an integrated system to receive customer complaints through the complaints units of the banks themselves, in order to provide sufficient guarantees for customers to decide on their complaints and obtain their rights.
The Central Bank explained that, as part of its initiatives, it obligated local banks to take several measures to ensure the maximum levels of security when operations are carried out electronically through bank cards, points of sale, or by bank customers. These measures are as follows:
First: Measures related to bank cards:
- Verification via websites. Issuing and renewing bank cards in a way that prevents immediate use unless activated by the customer.
- Activation of debit cards and credit cards by the customer through secure channels such as the customer service center or ATMs.
- Limit the number of incorrect attempts to enter the PIN for debit cards on all channels such as the customer service center and ATMs, so that the card is suspended after 3 incorrect attempts and is only reactivated when the customer contacts the customer service center.
- Limit the number of incorrect attempts to enter the expiration date of the debit card on the payment channel of the Shared Automated Banking Services Company (KNET) to be only 3 attempts, after which the card will be suspended until the customer contacts the customer service center.
- Ensure that transactions made on credit cards are not passed using only the data on them, and make sure to request additional data such as residential address or a secret code to verify the validity of transactions made using credit cards other than the data available on the original cards.
- Sending messages to customers regarding unacceptable transactions on bank cards, to inform the customer of any transactions that require the bank to be informed about them.
- Obligating all stores not to continue scanning customers’ bank cards (Double Swipe) during payment on point-of-sale devices on the automated systems of those stores, and to take the necessary measures against non-compliant stores.
He stated that there are measures related to websites and related applications, which are:
- Applying the principle of double entry to the bank’s websites and related applications.
- Do not complete the registration process on websites and applications except through the debit card number and its PIN only.
- Do not allow the same answers to personal questions to be repeated when registering on the website and its applications.
- Modifying the mobile phone number and email address is done only through the bank branch or customer service center, and is not permitted through the bank’s website or applications.
- Giving the customer the ability to stop the bank card (debit cards and credit cards) through the website.
- Do not allow the customer’s data to be stored on the devices used to access the website and its related applications, so that the customer cannot log in without entering his data.
- Set an inactivity period, of a maximum of 5 minutes, after which the page of the website and its related applications is closed, with the need for the customer to log out.
The Central Bank noted that it issued a circular last September 18 regarding procedures to protect customers from electronic fraud, by taking the following measures:
- When adding a new beneficiary to the list of beneficiaries through online banking services or mobile banking applications, the following must be complied with:
  - Send a text message containing the verification code (OTP).
  - When a beneficiary is added, a text message and another alert are sent to the customer through the bank’s mobile application, as well as an email, including the name of the new beneficiary and directing the customer to contact the bank if he does not know about it.
  - The bank must not activate the beneficiary until 12 hours have passed, unless the customer contacts the bank to confirm adding the beneficiary on his part.
  - If the identification number of the customer’s previously registered device or smart chip is not recognized (such as using a VPN from outside Kuwait for a device or SIM that was not previously registered with the bank), the customer must be contacted from the bank’s official telephone service systems to verify that the operation was completed with his knowledge and approval before passing any banking operations.
- Banks must develop additional security systems that allow the issuance of security codes to carry out banking operations through their applications on mobile phones, in a way that ensures that no operation is carried out from another device.
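
The beneficiary rules from the circular above, written as a single decision function. This is an added example, not code from the Central Bank or any bank; the status strings, field names, and the reading that either an unregistered device or an unregistered SIM triggers the bank call-back are assumptions, and the sample requests are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

HOLD = timedelta(hours=12)  # waiting period stated in the circular

@dataclass
class BeneficiaryRequest:
    otp_verified: bool                # customer entered the OTP sent by text message
    added_at: datetime                # when the beneficiary was added
    device_id: str                    # identifier of the device used (hypothetical field)
    sim_id: str                       # identifier of the SIM used (hypothetical field)
    customer_confirmed: bool = False  # customer contacted the bank to confirm the addition
    bank_callback_ok: bool = False    # bank reached the customer on its official phone line

def beneficiary_status(req, registered_devices, registered_sims, now):
    """Return the state of a newly added beneficiary under the circular's rules."""
    if not req.otp_verified:
        return "REJECTED_NO_OTP"
    # Assumption: an unrecognized device OR an unrecognized SIM requires the call-back.
    recognized = req.device_id in registered_devices and req.sim_id in registered_sims
    if not recognized and not req.bank_callback_ok:
        return "BLOCKED_PENDING_BANK_CALLBACK"
    # The 12-hour hold is lifted early only when the customer contacts the bank.
    # Assumption: a successful bank call-back does not by itself shorten the hold.
    if req.customer_confirmed or now - req.added_at >= HOLD:
        return "ACTIVE"
    return "PENDING_12H_HOLD"

def demo():
    """Evaluate constructed requests against one customer's registered device and SIM."""
    t0 = datetime(2023, 1, 1, 9, 0)
    devices, sims = {"dev-A"}, {"sim-A"}
    cases = [
        (BeneficiaryRequest(False, t0, "dev-A", "sim-A"), t0 + timedelta(hours=13)),
        (BeneficiaryRequest(True, t0, "dev-A", "sim-A"), t0 + timedelta(hours=1)),
        (BeneficiaryRequest(True, t0, "dev-A", "sim-A"), t0 + timedelta(hours=12)),
        (BeneficiaryRequest(True, t0, "dev-A", "sim-A", customer_confirmed=True),
         t0 + timedelta(hours=1)),
        (BeneficiaryRequest(True, t0, "dev-X", "sim-A"), t0 + timedelta(hours=13)),
        (BeneficiaryRequest(True, t0, "dev-X", "sim-A", bank_callback_ok=True),
         t0 + timedelta(hours=13)),
    ]
    return [beneficiary_status(r, devices, sims, now) for r, now in cases]

if __name__ == "__main__":
    for status in demo():
        print(status)
```
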