

Banks to return money to cardholders who encounter recent irregular transactions


snoop1130



 

BANGKOK (NNT) - Abnormal money deductions through accounts tied to people’s credit and debit cards have affected many card users this month, with banks having identified irregular transactions involving 10,700 cards so far. The Bank of Thailand said debit cardholders will have their money returned within 5 working days and banks will now implement verification steps for transactions involving very small amounts.

 

Thai Bankers’ Association President Payong Srivanich disclosed that irregular transactions were detected in 10,700 card accounts upon inspection of data from the start of October until October 17. Most of the transactions occurred between October 14 and 17, and involved debit cards and credit cards in roughly equal proportions. However, about 30 million baht of damage was incurred through debit cards whereas about 100 million baht was incurred through credit cards. Mr. Payong reasserted that the fraudulent transactions did not stem from data leaks, but were the results of the perpetrators producing random card numbers and ordering small amounts of deductions that bypassed the verification system in place.

 

Bank of Thailand Assistant Governor Siritida Panomwon Na Ayudhya, who is in charge of the BOT’s Payment Systems Policy and Financial Technology Group, said the central bank is working with the bankers’ association to put in place measures to prevent the problem. Scrutiny over irregular transactions has now been expanded to cover small, recurring amounts. Banks will immediately suspend card use upon discovering an irregular transaction and will inform the cardholder through all available channels. Banks will also be on a special lookout for overseas transactions.

 

Miss Siritida added that debit cardholders will have the stolen amount returned within 5 working days whereas banks will simply cancel the fraudulent transactions in the case of credit card holders, who will not need to pay for any amount or for interest incurred from the irregular transactions. She said the BOT will discuss implementing additional transaction verification steps with card providers such as Visa and Mastercard, but said any new system would have to be accepted by online vendors in Thailand as well as abroad.

 

  • Haha 2
Link to comment

2 hours ago, smedly said:

nonsense

I am also rather surprised, but the perpetrators managed to do almost 4 million *successful* transactions before they got stopped, and only found around 10 thousand actual card numbers.

 

I didn’t do the math, but the card number has a pattern to it and a check digit, so while it is 16 digits, the set of valid numbers is much smaller, and for expiry date, there are probably only 3x12 possible values (i.e. cards are normally issued with expire date in around 3 years).

 

It is surprising they could hit whatever API they used and basically brute force card numbers, but even if this was a leak, it is still very surprising they can do 4 million transactions without triggering any alarms.

  • Like 1
Link to comment

I have learned from experience that the first four digits of a CC identify the card company and the issuer. I would suspect that there is more public info out there about this if one would put some effort into looking....

 

This thing with the secret number on the back of the card is somewhat of a farce when nearly every transaction requires that you reveal it.

 

 

  • Like 1
Link to comment

3 hours ago, smedly said:

nonsense

 

Exactly!

I don't think in the big effort to wrap this quickly they really think over that answer.

For online shopping, one will still need not only the 16 digit card number, but a correct expire day/year, and the 3 digit CVV (card verification value) code too....

 

Truly magical if one can randomly generate all that.

 

  • Like 2
Link to comment

5 hours ago, smedly said:

nonsense

 

A card number has 16 digits of which the first 4 belong to the bank and so are fixed. The remaining 12 digits belong to the customer. That means there are a one followed by 12 zeros possible card numbers or one trillion. It would be impossible to score a random hit and even if you did the pin number has a further 6 digits or one million possible numbers. So the odds are lengthened to one in a quadrillion.

I have read that the leak has something to do with Paypal, online purchases and customers revealing details of their cards online to false web sites.

Being very paranoid as I am I checked all my cards and all was ok.

  • Like 1
Link to comment

Maybe Thai banks should divert resources/manpower from requiring so, so much paperwork (like to open an acct) to transaction security.   They can't see the fraudulent transactions because of all the paperwork blocking their view.

  • Like 1
  • Haha 1
Link to comment

12 hours ago, snoop1130 said:

The Bank of Thailand said debit cardholders will have their money returned within 5 working days and banks will now implement verification steps for transactions involving very small amounts.

Thais rarely return money (to farangs). 'Verification steps' will ensure foot-dragging & time wasting.

Link to comment

6 hours ago, smedly said:

nonsense

 

So these random card numbers all stemmed from Thailand or has the problem occurred in other countries?

Or is Thailand using some random card numbering that is vulnerable.

Nah, BS, I still believe a data leak as most likely. 

 

Link to comment

51 minutes ago, jobsworth said:

I have read that the leak has something to do with Paypal, online purchases and customers revealing details of their cards online to false web sites.

I get 3 spoof emails a week saying my account has been suspended.  I forward them to Paypal but nothing happens.  I have stopped using Paypal.

Link to comment

3 minutes ago, mikebell said:

I get 3 spoof emails a week saying my account has been suspended.  I forward them to Paypal but nothing happens.  I have stopped using Paypal.

I get 3-5 of those a week and about as many from the real PayPal trying to get me to get their credit, or App, or some other feature they offer. I would be more confident if I didn't get all the phishing emails from Nigeria that use their name and copy their appearance.

Link to comment

4 hours ago, lkn said:

I am also rather surprised, but the perpetrators managed to do almost 4 million *successful* transactions before they got stopped, and only found around 10 thousand actual card numbers.

 

I didn’t do the math, but the card number has a pattern to it and a check digit, so while it is 16 digits, the set of valid numbers is much smaller, and for expiry date, there are probably only 3x12 possible values (i.e. cards are normally issued with expire date in around 3 years).

 

It is surprising they could hit whatever API they used and basically brute force card numbers, but even if this was a leak, it is still very surprising they can do 4 million transactions without triggering any alarms.

What's surprising and rather worrying is that no "banking system" picked up on these thousands of transactions for the same amount?

  • Like 2
Link to comment

14 hours ago, snoop1130 said:

fraudulent transactions did not stem from data leaks, but were the results of the perpetrators producing random card numbers and ordering small amounts of deductions that bypassed the verification system in place.

No, it does not work like that.  There certainly was a data leak somewhere.

Link to comment

6 hours ago, bendejo said:

This thing with the secret number on the back of the card is somewhat of a farce when nearly every transaction requires that you reveal it.

I think not for very small amounts, which is how they got away with it. Quite clever, to dream up a scheme which wouldn't raise alarm bells as they 'attacked' a huge number of cards. Simply by sheer numbers they were likely to make a lot of money, which is what happened.

Link to comment

3 hours ago, Pib said:

Maybe Thai banks should divert resources/manpower from requiring so, so much paperwork (like to open an acct) to transaction security.   They can't see the fraudulent transactions because of all the paperwork blocking their view.

I opened an account with Kasikorn last week online. What paperwork are you talking about? 

Link to comment

1 minute ago, Neeranam said:

I opened an account with Kasikorn last week online. What paperwork are you talking about? 

Give Bangkok bank a try...plenty of paperwork.  And I'm sure K bank has paperwork also unless you are Thai and opened an online esavings acct.

  • Thanks 1
Link to comment

This is why I do everything in cash if at all possible.  I was "done" on 2 occasions in the UK, got my money back, not sure that would happen here.  Both times were on an American Express card - which wasn't my main card, I doubt if I ever used it more than 20 times in total.  I no longer have an American Express card, once could happen to any card, twice is a leaky company, bye.

Link to comment

7 hours ago, lkn said:

I am also rather surprised, but the perpetrators managed to do almost 4 million *successful* transactions before they got stopped, and only found around 10 thousand actual card numbers.

 

I didn’t do the math, but the card number has a pattern to it and a check digit, so while it is 16 digits, the set of valid numbers is much smaller, and for expiry date, there are probably only 3x12 possible values (i.e. cards are normally issued with expire date in around 3 years).

 

It is surprising they could hit whatever API they used and basically brute force card numbers, but even if this was a leak, it is still very surprising they can do 4 million transactions without triggering any alarms.

It's not that easy. There is a checksum that needs to mathematically correlate with the 16-digit string. Assuming a successful "guess" of the 16 digits, there is still the matter of the CVV which is specific and non-dynamic. On top of that, the exact month and year of issue complicates the guess-work further. Visa and MasterCard have systems in place to lock, flag, decline or block cards if a certain number of unsuccessful transactions are attempted (for example, when trying to pay multiple times with the same 16 digits but trying different months and years or CVVs).

 

 

Edited by mvdf
Link to comment

On 27.9.2021 I was notified by sms by one of the banks I use in Thailand (at their head office in Silom Road) that a transaction of over 4,500 Baht was made at 03:40 that day on my debit / ATM card with a company named  ‘RAPPI BANORTE’.

 

My account with this bank is mainly idle, save for a few online internal transfers to my wife’s bank account with the same bank. 

 

I have not used the card for any online purchases, ATM withdrawals or in-store purchases for almost 4 years. The only online purchase I made 4 years ago was with a very reputable coffee capsule vendor. I still make orders with them on a monthly basis, but with a debit card from another bank. I have never made any transactions abroad with the card, nor have I communicated any details to anybody. The card was kept in a securely locked cabinet in my bedroom at all times for the last 4 years.

 

I had never heard of the company, but a quick internet search showed that ‘RAPPI BANORTE’ is an online delivery company in Mexico (like Lazada and others in Thailand). 

 

When cancelling the card by telephone with the bank’s customer service, I was informed that I should also report the fraudulent use to the police and send the bank a copy of the report.

 

I handed in the police report in one of the bank’s branches in another province, and the branch manager offered her profuse apologies for the incident. A few hours later the money was returned to my account in full.

 

I really hope that they can find the perpetrators and the source of this scam and get (at least part of) the money back, because in the end we, the banks’ customers, will pay for the loss they have incurred through the fees we are charged. 

 

 

 

 

  • Like 2
Link to comment

18 hours ago, snoop1130 said:

Mr. Payong reasserted that the fraudulent transactions did not stem from data leaks

Yeah, sure. It's not our fault but we'll refund 

For banks to cover the losses there must be a whole heap of damning evidence to show they are to blame.

Link to comment

2 hours ago, Pdib said:

On 27.9.2021 I was notified by sms by one of the banks I use in Thailand (at their head office in Silom Road) that a transaction of over 4,500 Baht was made at 03:40 that day on my debit / ATM card with a company named  ‘RAPPI BANORTE’.

 

My account with this bank is mainly idle, save for a few online internal transfers to my wife’s bank account with the same bank. 

 

I have not used the card for any online purchases, ATM withdrawals or in-store purchases for almost 4 years. The only online purchase I made 4 years ago was with a very reputable coffee capsule vendor. I still make orders with them on a monthly basis, but with a debit card from another bank. I have never made any transactions abroad with the card, nor have I communicated any details to anybody. The card was kept in a securely locked cabinet in my bedroom at all times for the last 4 years.

 

I had never heard of the company, but a quick internet search showed that ‘RAPPI BANORTE’ is an online delivery company in Mexico (like Lazada and others in Thailand). 

 

When cancelling the card by telephone with the bank’s customer service, I was informed that I should also report the fraudulent use to the police and send the bank a copy of the report.

 

I handed in the police report in one of the bank’s branches in another province, and the branch manager offered her profuse apologies for the incident. A few hours later the money was returned to my account in full.

 

I really hope that they can find the perpetrators and the source of this scam and get (at least part of) the money back, because in the end we, the banks’ customers, will pay for the loss they have incurred through the fees we are charged. 

 

 

 

 

Me too and exactly the same type of transaction but different details: RAPPI CITI BANAMEX.... It looks like a Mexican Peso amount of 2,700 was the debit.

I don't use the debit card linked to my account very often but I suspect that this is due to a leak of data from a Thai company that may or may not have been admitted.

My claim is currently being investigated by Bangkok Bank and am cheered that you received a reversal.

Link to comment

9 hours ago, hotchilli said:

What's surprising and rather worrying is that no "banking system" picked up on these thousands of transactions for the same amount?

In my case the bank's system did pick up the fraudulent transactions (all under 100 baht) and automatically refunded them within 2-3 days. Except for one larger amount (over 2,000 baht) which is under investigation.

Link to comment

6 hours ago, mvdf said:

It's not that easy. There is a checksum that needs to mathematically correlate with the 16-digit string. Assuming a successful "guess" of the 16 digits, there is still the matter of the CVV which is specific and non-dynamic. On top of that, the exact month and year of issue complicates the guess-work further. Visa and MasterCard have systems in place to lock, flag, decline or block cards if a certain number of unsuccessful transactions are attempted (for example, when trying to pay multiple times with the same 16 digits but trying different months and years or CVVs).

The checksum algorithm is public knowledge, so they would filter out obvious invalid numbers before trying them.

 

As said, I haven’t done the math, so I don’t know how much this reduces the number of valid card numbers (when you already know the vendor code). I would also think that many failed attempts would block the vendor or at least add heavy throttling, but I would have thought that even the millions of valid transactions would have been flagged, because even a simple heuristic should flag this as highly unusual.

 

Hopefully there will be a post-mortem with more details, but if this is limited to Thailand, probably not.

Link to comment
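
A per-merchant velocity check of the kind of "simple heuristic" discussed in the post above, as an added example that is not part of the original thread or any bank's system: it flags a merchant when many distinct cards are charged very small amounts within a short window and most attempts are declined. The `Auth` record, merchant names, thresholds and sample data are all constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# All thresholds are assumptions for illustration, not values from the banks.
SMALL_THB = 100                  # "very small" amount cut-off
WINDOW = timedelta(minutes=10)   # sliding window per merchant
MIN_CARDS = 20                   # distinct cards seen inside one window
MIN_SMALL_SHARE = 0.9            # share of window at or under SMALL_THB
MIN_DECLINE_SHARE = 0.5          # share of window declined by the issuer

@dataclass(frozen=True)
class Auth:
    ts: datetime
    merchant: str
    card: str       # tokenised card reference, never the card number
    amount: float   # baht
    approved: bool

def flag_merchants(auths):
    """Return {merchant: evidence} for merchants whose traffic looks like card testing."""
    by_merchant = defaultdict(list)
    for a in sorted(auths, key=lambda a: a.ts):
        by_merchant[a.merchant].append(a)
    flagged = {}
    for merchant, rows in by_merchant.items():
        start = 0
        for end in range(len(rows)):
            while rows[end].ts - rows[start].ts > WINDOW:
                start += 1               # drop rows that fell out of the window
            win = rows[start:end + 1]
            cards = len({a.card for a in win})
            small = sum(a.amount <= SMALL_THB for a in win) / len(win)
            declined = sum(not a.approved for a in win) / len(win)
            if (cards >= MIN_CARDS and small >= MIN_SMALL_SHARE
                    and declined >= MIN_DECLINE_SHARE):
                top_amount = Counter(a.amount for a in win).most_common(1)[0][0]
                flagged[merchant] = {"cards": cards, "declined": declined, "top_amount": top_amount}
                break
    return flagged

def sample_auths():
    """Constructed sample: one card-testing burst and two ordinary merchants."""
    t0 = datetime(2021, 10, 15, 3, 0)
    rows = []
    for i in range(40):   # M-TEST: 40 cards in 4 minutes, 35 baht each, 3 of 4 declined
        rows.append(Auth(t0 + timedelta(seconds=6 * i), "M-TEST", f"tok{i}", 35.0, i % 4 == 0))
    for i in range(40):   # M-TRANSIT: same small fare, many cards, all approved
        rows.append(Auth(t0 + timedelta(seconds=6 * i), "M-TRANSIT", f"trn{i}", 25.0, True))
    for i in range(30):   # M-SHOP: mixed amounts spread over five hours
        rows.append(Auth(t0 + timedelta(minutes=10 * i), "M-SHOP", f"shp{i}", 60.0 + 15 * i, True))
    return rows

if __name__ == "__main__":
    print(flag_merchants(sample_auths()))
```

The decline share is what separates the burst from the constructed transit merchant, which also charges many cards the same small fare; thresholds would need tuning against each merchant's normal traffic.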

15 minutes ago, lkn said:

but I would have thought that even the millions of valid transactions would have been flagged, because even a simple heuristic should flag this as highly unusual.

As I said above, my bank (Bangkok Bank) did flag these transactions and refunded them automatically.

Link to comment

If they didn't that would be the final nail in the coffin for Thailand.  

When people start taking your money and you have no recourse that's when people pull money out and run.  Speaking of which, can you really pull all your money out?  I wonder how many hoops they would put you through.  Maybe none but I do wonder.  

Link to comment