Posted:
06 May 2026
Vaibhav Maniyar
In 2022, the Dubai Court of Cassation ordered a bank and a telecommunications company to jointly repay a client Dh1.5 million that was drained through SIM swap fraud. The court found both parties collectively liable for security breaches in their respective systems.
The Central Bank of the UAE has issued a directive requiring all financial institutions to eliminate SMS and email-based OTP authentication by March 31, 2026, mandating the adoption of methods such as Emirates Face Recognition, biometric verification, and mobile-based soft tokens.
The directive covers banks, finance companies, exchange houses, insurers, and payment service providers, essentially every licensed entity that touches a customer transaction. The transition began on July 25, 2025, when banks started moving customers to app-based authentication for domestic and international financial transactions.
SMS OTPs were never designed for financial authentication.
The problem is that the infrastructure underpinning SMS i.e. the SS7 signalling protocol that routes messages between networks, was built in 1975 and was never designed with security in mind. Its vulnerabilities are publicly documented, widely exploited, and essentially unfixable without replacing the protocol entirely.
As mentioned earlier, in the UAE, the banking industry has incurred considerable losses from SIM swap fraud schemes, where well-organised syndicates work closely across networks and target banks directly.
The mechanics are straightforward enough that even unsophisticated attackers can execute them by convincing a mobile carrier to port a victim's number to an attacker-controlled SIM, then intercept every OTP that number receives.
In 2024, 56% of UAE residents experienced at least one scam attempt every month, with 27% reporting financial losses and an average loss per victim of $2,194. Every percentage point in that figure represents customers calling their bank's fraud line, disputing transactions, and forming a view of whether their institution deserves their continued business.
Since July 2025, every fraudulent transaction that has passed through an SMS OTP flow and every SIM swap, every SS7 exploit, every social engineering call that ended with a customer reading a six-digit code aloud has been the bank's financial loss to absorb.
The CBUAE's approved replacement methods include fingerprint and facial recognition, FIDO2-compliant cryptographic passkeys, and in-app push notifications confirmed with biometrics. Under the new system, transaction approvals are carried out directly within the bank's mobile application.
A customer receives a notification, reviews the transaction details, and confirms their identity using biometrics such as fingerprints, Face ID, or a PIN without needing to check an SMS inbox. This operates within a protected app environment, making interception considerably harder for an attacker.
Intercepting an SMS requires access to the SS7 network or the victim's phone carrier both achievable with the right criminal connections. Replicating a person's fingerprint or facial geometry from a live-detection-enabled scanner, on a device that has already been device-bound to a specific customer, requires physical access and bypasses nothing.
Several major banks including Emirates NBD, ADIB, and FAB had already completed the shift to biometrics or in-app solutions by September 2025, months ahead of the March 2026 deadline.
| Further Reading: Biometric Identity Proofing |
|---|
March 2026 marks the end of the permitted transition window. It does not mark the end of the exposure that banks accumulated between July 2025 and whenever they actually completed their migration.
Customers who suffered fraud during that window, through authentication methods the regulator had already flagged as inadequate, retain their right to pursue recovery. The Dubai Court of Cassation's 2022 ruling established that security system failures in both the bank and the carrier constitute joint liability. A bank that continued issuing SMS OTPs after the CBUAE identified them as a security risk, and whose customer was subsequently defrauded through that channel, is not occupying a strong legal position.
Every day of continued SMS OTP use after July 2025 has been a day of uncompensated fraud risk, accumulating quietly until a customer files a claim or a court issues a ruling. The technology to eliminate that exposure exists, the regulatory framework mandating it is already in force, and the banks that moved early have already demonstrated it works without driving customers away.
We use essential and functional cookies on our website to provide you a more customized digital experience. To learn more about how we use cookies and how you can change your cookie settings, kindly refer to our Privacy Statement. If you are fine to resume in light of the above, please click on 'I Accept'.
Comments