
Tuesday

Report: Popular UAE chat app ToTok a government spy tool


NEW YORK — A chat app that quickly became popular in the United Arab Emirates for communicating with friends and family is actually a spying tool used by the government to track its users, according to a newspaper report.

The government uses ToTok to track conversations, locations, images and other data of those who install the app on their phones, The New York Times reported, citing U.S. officials familiar with a classified intelligence assessment and the newspaper’s own investigation.


The Emirates has long blocked Apple’s FaceTime, Facebook’s WhatsApp and other calling apps. Emirati media has been playing up ToTok as an alternative for expatriates living in the country to call home to their loved ones for free.

The Times says ToTok is a few months old and has been downloaded millions of times, with most of its users in the Emirates, a U.S.-allied federation of seven sheikhdoms on the Arabian Peninsula.


Government surveillance in the Emirates is prolific, and the Emirates long has been suspected of using so-called “zero day” exploits to target human rights activists and others.

Zero-day exploits can be expensive to obtain on the black market because they represent software vulnerabilities for which fixes have yet to be developed.

The Times described ToTok as a way to give the government free access to personal information, as millions of users are willingly downloading and installing the app on their phones and blindly giving permission to enable features.

As with many apps, ToTok requests location information, purportedly to provide accurate weather forecasts, according to the Times. It also requests access to a phone’s contacts, supposedly to help users connect with friends. The app also has access to microphones, cameras, calendar and other data.

A security expert who said he analyzed the app for the Times, Patrick Wardle, said that ToTok “does what it claims to do” as a communications app, which is the “genius” of the app if it is being used as a spy tool. “No exploits, no backdoors, no malware,” he wrote in a blog post. The app is able to gain insights on users through common functions.

In a blog post Monday, ToTok did not respond directly to Sunday’s Times report, but said that with “reference to the rumors circulated today about ToTok,” the one goal of the app’s creators was to create a reliable, easy-to-use communications platform. The post said ToTok had high-security standards to protect user data and a privacy framework that complied with local and international legal requirements.

ToTok said the app was temporarily unavailable in the app stores from Google and Apple due to a “technical issue.”



The Times says that based on a technical analysis and interviews with security experts, the company behind ToTok, Breej Holding, is most likely affiliated with DarkMatter, an Emirati cybersecurity company that has hired former CIA and National Security Agency analysts and has close business ties to the Emirati government.

Emails sent to ToTok through its website and to the Emirates embassy in Washington were not immediately returned.

source: technology.inquirer.net

Monday

For banks in cyber heist, how to get their money back?


New York — Because the sums were large and such attacks are relatively new, the two Middle East banks hit in a $45 million ATM heist face an uncertain path in trying to recover their losses, financial, insurance and legal experts say.

Oman-based Bank of Muscat lost $40 million and United Arab Emirates-based National Bank of Ras Al Khaimah PSC (RAKBANK) lost $5 million in the global heist, according to US prosecutors.

Computer hackers broke into third-party companies that processed transactions for prepaid debit cards issued by the banks, the prosecutors said. Then, gangs in 27 countries withdrew the money from cash machines in two coordinated hits, one on December 21 last year and the other on February 19 this year.

While details of what happened are still sketchy, experts said the banks could bring claims against the processing companies in court, or they could file claims with their insurers and those of the processing companies.

"There's no hard and fast rule," said Dan Karson, the Americas chairman of Kroll Advisory Solutions. "We're in very much a new cybersphere of finance, and allocating liability is still very much evolving."

Any claims by banks against the processing companies would depend on the contracts between the two parties, Karson and other experts said. Those contracts include industry security standards, which are required by the major credit card payment networks, in this case MasterCard.

In most security breach cases, the processing company in question did not fully comply with the standards, said Doug Johnson, vice president for risk management policy at the American Bankers Association.

However, even if the processor failed to comply with security standards, banks may still be unable to get back their money. That is because the contracts between processors and banks, under terms set by credit card companies like MasterCard or Visa, typically limit the processor's liability.

"They can't make everybody whole, or they'll be out of business," said Michael Klaschka of Integro Insurance Brokers, which has many financial institutions as clients. "The bank may have very little recourse against the credit card processor."

In the hit against Bank of Muscat, the processor is enStage Inc., based in Cupertino, California, a source close to the Bank of Muscat said.

In a statement on Sunday, Bank of Muscat said it was examining its options to recover the money. "We reiterate that we are exploring all avenues of recovery so as to protect shareholder interests and will advise the markets accordingly if there are any material developments in this regard," the statement said.

Officials at enStage did not respond to requests for comment on Saturday. EnStage CEO Govind Setlur said in a statement in the Times of India his company had implemented security enhancements since the attack.

In the RAKBANK case, the processor is India's ElectraCard Services, according to people familiar with the situation. ElectraCard Services said in a statement on Sunday that data appeared to have been compromised outside its "processing environment."

MasterCard has said it cooperated with law enforcement in the investigation and said its systems were not compromised in the attacks.

The banks can still try to sue the processors for negligence or other claims, but their success may be limited by their contracts, which include regulations that lay out specific fines and dispute resolution procedures mandated by the credit card companies.

Such lawsuits have proven difficult to win, according to Joseph Burton of law firm Duane Morris in San Francisco, an expert in financial litigation. US federal courts have generally, but not unanimously, found that banks are restricted to contractual remedies.

In one major case, card-issuing banks filed a class action against Heartland Payment Systems after the processor announced in 2009 that hackers had compromised the data for more than 100 million credit cards.

A federal judge in Houston, Texas, dismissed almost all of the claims in 2011, finding that the banks were bound by their contracts, which included regulations set by Visa and MasterCard that govern how banks can seek relief after a breach. The banks' appeal is pending.

Bank of Muscat and RAKBANK could also seek payment from their insurers under their general policies.

Some banks also have additional security coverage for cyber crime, although experts said the market for such policies is still relatively immature. It is not known if Bank of Muscat or RAKBANK carried cyber insurance.

The insurers, in turn, could also press claims against the processors, or the processors' own insurers.

"It's certainly possible that the bank could be left holding the bag," said Frederick Rivera of law firm Perkins Coie, an expert in financial services litigation in the United States.

A complicating factor is that the banks are located in the Middle East, while one of the processors is based in India, making it unclear which courts would have jurisdiction over any litigation. But experts said the requirements that credit card companies impose on banks and processors are global in nature.

Federal prosecutors will also seek restitution for the banks from the defendants arrested in the case, though the amount of funds available likely won't approach the total amount of stolen money.

The US Justice Department indicted eight people it said had withdrawn cash in New York, and prosecutors seized hundreds of thousands of dollars in cash and bank accounts, along with luxury watches and a Mercedes sport utility vehicle.

But the New York cell was just one part of a coordinated global heist. US prosecutors have not said where the ringleaders of the gang were based.

The prosecutors said the gang targeted prepaid debit cards issued by the two banks, using hackers who broke into the payment processing companies to raise account balances and withdrawal limits for the cards.


The heist did not compromise the accounts of any individual customers, unlike in cases of identity theft. In those cases, customers are typically made whole by their financial institution or credit card companies, which in turn seek to be made whole by the company that was breached. — Reuters

source: gmanetwork.com