Hacker Arrested For Causing 50 Million Worth Of Damages To Ais

[george]

Alleged hacker arrested for causing 50 million worth of damages to AIS

BANGKOK: -- Police have arrested a man for allegedly hacked into the computer system of AIS to make up false refill airtime cards for sale.

Police announced the arrest of Thaweesup Lalitsiwimol, 34, at a press conference at the Crime Suppression Division on Tuesday.

Thaweesup allegedly hacked into the computer network of AIS and added more refilling cards' serial numbers and passwords and later sold the cards on Internet.

He also allowed the fake refill cards to have ten times value than ordinary cards, police said. For example, an airtime refill card with value of Bt100 would be able to use for Bt1,000.

Police said the use of airtime by the fake refill card data caused damages worth about Bt50 million to AIS during the past three months.

-- The Nation 2007-05-15

[astral]

Was he an employee with internal access, or an outsider?

[dkstoney]

I wonder who he really works for?

[OxfordWill]

Probably not a hacker but an exploiter, who found a loophole in the way AIS does these things. Will be interesting to see the news about the court case when.if it goes there. I do find it hard to believe 50million is an actual loss.

[ProfessorNiceGuy]

I doubt he is an outsider..........billing systems are extremely complicated and proprietary. Even a normal IT person would be lost in the system. You would have to be very knowledgable to pull this off.

[Oleg_Rus]

oy, mama mia... how boring

the way it was, for you, explain

the serial nuber (is written on the card) PERMUTATED WITH MORONIC KEY, also written on the card, FROM THE BOOK OF random permutation ( look at sub-google) will gibe the whole list.

Now, how to find the method ?

Very easy....

Buy randomly cards and "feed it" to simple Delphi programm, that will look for the match.

More cards you have - faster result.

Same as breaking Wi-Fi, but much faster and easier.

[OxfordWill]

Yup Oleg I agree but he would have needed a way to talk back to the system to increase limits beyond anything prexisting in that system. That would be the unique part of the allegation

[TopDogger]

Probably not a hacker but an exploiter, who found a loophole in the way AIS does these things. Will be interesting to see the news about the court case when.if it goes there. I do find it hard to believe 50million is an actual loss.

Thats what hackers do.. Find exploits, whether it be via computer code / social engineering or otherwise

[Etrigan]

This is an old story with different characters. I remember the same crime being commited and reported just a couple of years ago.

As for 50,000,000 damages, there's more truth in the statement "Taksin is an honest man!"

[george]

Update:

Hacker accused of milking AIS and True for millions

Police describe university graduate as having 'dazzling' computer skills

BANGKOK: -- A Thai man whose previous hacking crime earned him an entry in a book on the world's wittiest thefts has been accused of causing damage totalling more than Bt100 million to two local telecom firms.

Advanced Info Service Plc (AIS) lodged a complaint with police last month that it suffered losses of Bt8 million after an unidentified hacker got into its computer system and manipulated airtime allowances granted to AIS pre-paid cellphone users.

Two years ago, True Corp Plc, which operates Orange cellphone services, lost more than Bt105 million in a similar sting.

Police investigations have pinpointed the same hacker: Taweesap Lalitsasiwimon, 34, who is also known as Phumipat.

At the time he allegedly broke into AIS's system, Taweesap was on bail pending a review by public prosecutors on his alleged hacking into the Orange network.

The suspect, a graduate from Ramkhamhaeng University's Faculty of Political Science, denied any wrongdoing. "After his graduation, he had no permanent job," Crime Suppression Division deputy commander Colonel Kowit Wongrungroj said yesterday.

Armed with an arrest warrant, the Crime Suppression Division (CSD) yesterday raided Taweesap's apartment. He was found to have two computer notebooks, hard disks, three cellphones, phone cards, bank passbooks, ATM cards, SIM cards and a book titled "Plon Yiab Mek" - a compilation of the world's wittiest thefts, including Taweesap's hacking into the Orange network.

The book was a Thai translation of an English edition. Other crimes featured in this book included a 2005 bank robbery in Brazil, in which robbers dug a 200-metre tunnel into the bank and made off with a huge amount of cash.

Taweesap faces charges of faking documents and using those documents in the AIS case.

Kowit said Taweesap had dazzling computer skills and managed to hack into the telecom giant's network in less than 10 minutes.

"Other telecom operators can come forward if they have faced problems likely to have been caused by this suspect," the police colonel said.

Pol Lt Col Wiwat Kamcham-narn, a deputy superintendent at the CSD and chief investigator for the AIS case, said his team had traced Taweesap after locating the owner of a SIM card suspected of earning airtime allowances through manipulation.

"The owner bought the SIM card from Taweesap," Wiwat said.

He said after getting this clue, his team tried to check Taweesap's IP address.

"At first, it seemed like he had hacked into the system via Internet cafes because he used various SIM cards and Internet connections by many service providers. However, we used advanced technology and finally nailed him," he said.

Wiwat declined to disclose the technology used in the investigation.

According to an informed source, Taweesap and his accomplices broke into the Orange computer network together. But he allegedly operated alone when he hacked into the AIS system.

The source said after Taweesap broke into the AIS system, he illegally modified information on the pre-paid call cards and airtime allowances. For example, an airtime allowance worth Bt100 was changed to Bt1,000. The number of pre-paid call cards was also modified.

Taweesap announced the sale of cheap airtime allowances via pop-up ads on the Internet. Interested customers were asked to transfer money to a bank account before they got passwords for the cheap airtime via SMS.

One computer expert said it was not too difficult for an expert to hack into a network system.

"There are hacking guidelines and even hacking programmes available on the Internet," he said on condition of anonymity. He said he would be able to hack into computer systems too, but he never thought about doing it.

He said system administrators should keep checking their systems to prevent hacking and to improve anti-hacking measures all the time.

--The Nation 2007-05-16

[Simmo]

Their database system must be a joke. Fields like pre paid card value would be non modifiable in any decent system.

[lazeeboy]

Their database system must be a joke. Fields like pre paid card value would be non modifiable in any decent system.

a good tax right off or a price increase now can go ahead .if this guy is this good they should employ him to catch others trying to do the same .a bit like catch me if you can,then again not that smart he got caught

[astral]

a good tax right off ...........

A mere drop in the ocean, when set beside the 30 Billion they made from TOT

Imagine the stupidity of getting caught twice by the same guy.

Don't these people ever learn and close loop holes.

What a joke they are.

[OxfordWill]

Thats what hackers do.. Find exploits, whether it be via computer code / social engineering or otherwise

No, exploits are what crackers/exploiters do. Hacking is a far bigger deal requiring actual skill rather than luck or procedural/inside knowledge.

Doing a search around Thai sites on this story it looks like this guy is something of a cult celebrity. Government should do as US has done and offer him a job!

[thai_narak]

it's all crap... he acted alone? that's BS!

it is not easy to hack into company's network unless you have accomplices. i have been working in telecom networks for many years and yes i can say that there are ways to go into the system from a public internet connection via VPN or any tunneled secured networks but you should have passwords, secureid card, etc. to be able to access via VPN or company intranet. after accessing, one should know the IPs of the billing systems plus again, user and password. from one server to another, again, user and password. brute force attack is not possible in this case...

this is an inside job! he is not even in a computer field but a graduate in poilitical science... common people! use your common sense!

Edited May 16, 2007 by thai_narak

[ProfessorNiceGuy]

Adding to that, Billing systems are immensely complex, thats why your bills get screwed up so often. Even if he was a genius, i doubt he would be able to crack a complex billing system as an outsider without expert training. After all, there are checks an balances in the system, and one change in one part would throw the whole system off balance.

[Plus]

I guess they didn't include him in the World's Wittiest Thefts" book for nothing, as Nation claims.

[thai_narak]

I guess they didn't include him in the World's Wittiest Thefts" book for nothing, as Nation claims.

of course he can be in the book due to the fact that the police and investigators are stupid to believe him that he is alone in this crime. but what i'm saying is that, he is not alone and he got accomplices inside AIS (and many of them). they have been doing this since 2 years ago (maybe more) and everybody knows where to buy "sim phi" or "ghost sim card". if you are frequent in MBK center you will know about this scam.

i think the guy they caught is just the "sales" person getting codes via his e-mail thru internet cafes and selling the codes or SIMs to his customer. all he needs is SIM writer which is also available in panthip plaza. the real hackers are inside AIS working in the billing centers and pre-paid systems.

[Mid]

i think the guy they caught is just the "sales" person getting codes via his e-mail thru internet cafes and selling the codes or SIMs to his customer. all he needs is SIM writer which is also available in panthip plaza. the real hackers are inside AIS working in the billing centers and pre-paid systems.

sounds a lot more likely .................

[TopDogger]

Thats what hackers do.. Find exploits, whether it be via computer code / social engineering or otherwise

No, exploits are what crackers/exploiters do. Hacking is a far bigger deal requiring actual skill rather than luck or procedural/inside knowledge.

You don't know what your talking about... If anyone exploits/cracks a system/network/software they are said to have "hacked it" & are labeled a "hacker".

http://en.wikipedia.org/wiki/Hacker

Edited May 17, 2007 by TopDogger

[Phano]

How do you say it in thai................."Catch Me iF You Can?"

[bkk_mike]

Kowit said Taweesap had dazzling computer skills and managed to hack into the telecom giant's network in less than 10 minutes.

Shouldn't the line be:

AISs network security is a joke, and Taweesap took less than 10 minutes to hack into the telecom giant's network.

He said system administrators should keep checking their systems to prevent hacking and to improve anti-hacking measures all the time.

Like enforcing passwords that aren't 123456, and using some sort of number generator (like the RSA SecurIds, or Bloomberg's very natty combined fingerprint reader + number generator), if they're going to allow external access to what's supposed to be a secure network.

Passwords by themselves do not make a secure network.