Late-night Transfer Sparks Alarm

Fraud Through Near Real-Time Transfer Service Raises Alarm Over Bank Security Gaps

TDT| Manama

Email: mail@newsofbahrain.com

An alleged late-night transfer of BD1,000.220 through a near real-time electronic fund transfer service has triggered renewed concern over digital banking security in Bahrain after a customer of a prominent international bank reported that the amount was siphoned off without his knowledge or authorisation.

Narrating his ordeal during an interview at the office of The Daily Tribune, he said the unauthorised transaction occurred at 11:53pm on December 1, 2024 prompting him to contact the bank immediately.

The bank allegedly told him that the money had already been moved to another financial institution and could not be traced, adding that the case would be closed. He subsequently filed a complaint with the Criminal Investigation Directorate and notified the Central Bank of Bahrain.

Unauthorised login

According to the customer, the bank’s Fraud Risk Team informed him on December 26th that the unauthorised login had originated from outside Bahrain on the night of the breach.

A second login attempt on December 9th reportedly failed after the account had already been disabled. The team also confirmed that he had no involvement in the fraudulent activity.

He said the breach was particularly unsettling because he had been using a Google Pixel 8 Pro running the latest Android system, a device known for some of the most stringent security features, raising questions about how the intrusion occurred.

Concerns grew further when the customer compared the bank’s cybersecurity controls in Bahrain with those in its UK headquarters.

Password system

He said the password system allowed only letters and numbers, did not mandate password changes, permitted reuse, and failed to trigger alerts after incorrect login attempts.

The system did not freeze or slow down access after repeated wrong entries of passwords or one-time passcodes, he added.

He said one of the most troubling aspects was that eight successful logins were recorded within a single hour on the night of the incident.

He questioned how multiple one-time passcodes were generated and how fraudsters received them despite him never sharing any codes and typically logging in only from Bahrain or India.

Attempts to obtain one-time passcode delivery records from his telecom provider were unsuccessful because such information is released only to institutions.

Inquiry

He said the bank did not pursue that line of inquiry.

The customer added that after speaking with friends and acquaintances he learned of several others who faced similar incidents involving smaller amounts with the same bank, a pattern that he believes requires urgent attention.

Despite multiple follow-ups, he said the bank has refused to reimburse the stolen amount.

Cybersecurity specialists say the incident highlights the urgent need for stronger digital banking protections in Bahrain.

They point to minimum security standards, stricter SIMswap verification procedures, improved coordination between financial institutions, and real-time transaction alerts as essential steps that banks should enforce.

Verification

They also recommend enhanced fraud-monitoring tools, delays for suspicious transfers and closer coordination with telecom operators to verify unusual login activity.

Experts note that while customers must remain vigilant through strong passwords, two-factor authentication and careful verification of communication channels, systemic protections from banks and regulators are crucial.

They say coordinated efforts between government bodies, banks, telecom operators and consumers are needed to counter increasingly sophisticated digital financial threats.

Experts also say the incident has intensified discussions around Bahrain’s banking cybersecurity framework, with calls for stronger enforcement, greater transparency in fraud investigations and clearer accountability measures to protect customers as digital threats continue to evolve.