Wednesday, March 05, 2025
Hackers Exploit Kuwaiti Shopping Sites to Drain Bank Accounts

publish time

04/03/2025

KUWAIT CITY, Mar 4: In a concerning development, Kuwaiti banks have reported a surge in complaints from customers who have fallen victim to an advanced form of bank card hacking. This new method exploits legitimate local shopping websites, allowing fraudsters to siphon funds from victims' accounts through a series of unauthorized transactions, often originating from abroad.

The Evolution of Card Fraud
Previously, card fraud involved copying data from magnetic strips and using cameras or keypad overlays to steal PINs. Fraudsters would then clone cards and withdraw funds. However, with the rise of advanced electronic payment systems, attackers have adopted more sophisticated techniques. These methods enable them to gain control of bank cards and make unauthorized withdrawals, typically around 500 dinars at a time.

How the New Hack Works

The latest scheme targets customers of popular Kuwaiti shopping websites. Victims report making legitimate purchases on these sites, only to discover days later that their accounts have been drained through a series of withdrawals originating from Italy, despite the cardholders being in Kuwait.

Here’s how the scam unfolds:

1. Customers attempt to make contactless smart payments on infected websites.

2. They are prompted to enter a one-time password (OTP) and are told the transaction failed.

3. They are then asked to re-enter their card details to complete the purchase.

4. Days later, they receive notifications of unauthorized withdrawals from their accounts, often for purchases made abroad.

A Growing Threat

This new hacking method exploits vulnerabilities in local e-commerce platforms, allowing fraudsters to copy card data registered on customers’ phones. The stolen information is then used to make repeated withdrawals, often reaching the maximum limit allowed on the card before the victim becomes aware of the breach. By the time customers report the issue to their banks, the hackers have already drained their accounts.

Banks vs. Victims: A Blame Game

Banking sources claim that customers are responsible for the breaches, arguing that they compromised their own security by sharing their OTPs. According to these sources, banks and the Central Bank of Kuwait, as regulatory bodies, are not obligated to compensate victims or recover stolen funds, especially since correspondent banks have confirmed that the transactions were authorized using valid OTPs.

However, victims argue that they followed all protocols for contactless payments and were unaware that the websites they used had been compromised. They also point out that some websites falsely advertised support for payment services like Apple Pay, Google Pay, or Samsung Pay, which were not actually available. This discrepancy, they claim, indicates that the websites themselves were infected with malicious code, which absolves customers of responsibility for the breaches.

A Persistent Problem
This type of hacking has been ongoing in Kuwait for some time, with no effective solutions from authorities or website owners. Despite efforts to close security gaps, hackers continue to exploit weaknesses in the system, leaving customers vulnerable to fraud.

How to Protect Yourself
To safeguard against such attacks, customers are advised to:

1. Set low spending limits on everyday-use cards.
2. Establish a separate, minimal limit for contactless payments.
3. Use virtual cards with limited spending caps, linked to services like Google Pay, Apple Pay, or Samsung Pay.
4. Remain vigilant about suspicious data requests, especially during payments.
5. Report any unusual transactions to their bank immediately.

As hackers continue to refine their methods, both customers and financial institutions must stay ahead of the curve to prevent further losses. Until stronger security measures are implemented, the risk of such sophisticated attacks remains high.