A court in Dubai has ordered a local bank to pay Dh9.5 million ($2.5m) to a customer after he lost that amount in unauthorised transactions.
The court heard how he was the victim of a Sim swap after his personal banking details were leaked.
In the swindle, a new Sim card is issued by the telecoms service provider against a customer’s registered mobile number.
With the help of this new Sim, criminals can obtain OTPs (one-time passwords) and other alerts required to carry out bank transactions.
In this case, they had the customer’s Sim card cancelled and asked the telecoms company to issue a new one, which they used to withdraw money from his account.
Dubai Court of Cassation dismissed an initial ruling by the Dubai Commercial Court of First Instance, which found the bank and a telecoms company were jointly liable.
The new ruling found the bank liable and ordered the bank to pay the customer.
“The bank insisted that our client, the telecom company, was at fault but after taking our argument into consideration, the court ruled in our favour, stating that the transfers could not have happened if the personal details of the bank client were not leaked in the first place,” said Ghassan El Daye, partner and head of litigation Middle East for UK-based law firm Charles Russell Speechlys, which represented the telecoms company.
In April 2015, the customer, whose nationality and age were not disclosed, gave his brother power of attorney to handle all bank transactions on his behalf.
In October 2018, the man was informed that Dh9.5m was transferred from his account over several transactions between August 2 and September 4, 2018.
The bank’s accounts manager called the victim and told him that 49 online bank transfers were processed and only Dh36 was left in the account.
Investigations revealed that fraudsters had managed to obtain a replacement Sim card of the man’s mobile number registered with the bank.
In its verdict, the Court of Cassation said: “Being under the golden category which deals with accounts with large sums of money, the customer’s account should have been turned into an inactive account after no transactions were conducted on it for 28 consecutive months which is a common practice in this case.”
It also said the bank was responsible for the man’s financial loss after it failed to use a strong authentication system.
