Banks blamed as dozens lose millions after clicking link on online shopping app and getting hacked

[webfact]

Picture: Thai Rath

 

Thai Rath reported that the founder of social action group Sai Mai Tong Rort, Ekkaphop Leuangprasert took around 20 victims of an online hacking case to meet with police at the HQ of the Cyber Crime Investigation Bureau in Muang Thong Thani yesterday.

 

Ekkaphop said they were part of a group of 100 people who had contacted him personally to say they had lost money.

 

He said that none of the victims had loaded any suspect apps or clicked on fake links or used wi-fi other than their own. They had not changed their chargers either.

 

He said the blame for what happened should be faced by the Bank of Thailand, the finance ministry and banks.

 

Picture: Thai Rath

 

They should bear responsibility and offer compensation to the victims as well as improve the safety of online systems.

 

Naphatsanat, 37, was one of the victims who lost 400,000 baht after getting an SMS from a shopping app about savings.

 

She clicked on the link and had money taken from her account. She blamed the bank for not warning her about transfers in the 100,000s range when she usually only transferred 10,000 at a time.

 

Picture: Thai Rath

 

After being put on hold for 19 minutes it was discovered she had lost close to half a million baht.

 

Police said the methods used in this crime had not been seen before. 

 

They promised that all victims would be interviewed and all evidence gathered in the case to catch those responsible.

 

They advised the public to keep online banking app funds to a minimum. Keep only what you need for your usual expenditure on accounts linked to banking apps. 

 

And spread your money around in different accounts. 

 

-- © Copyright  ASEAN NOW 2023-01-18

 

- Cigna offers a range of visa-compliant plans that meet the minimum requirement of medical treatment, including COVID-19, up to THB 3m. For more information on all expat health insurance plans click here.

 

Monthly car subscription with first-class insurance, 24x7 assistance and more in one price - click here to find out more!

 

Get your business in front of millions of customers who read ASEAN NOW with an interest in Thailand every month - email [email protected] for more information

 

[homeseeker]

Without reading or knowing the way this fraud arose.... may I know how the fraudster could get into a person's bank account without knowing or being given the account user ID/account number and password?

[MJCM]

18 minutes ago, webfact said:

He said that none of the victims had loaded any suspect apps or clicked on fake links or used wi-fi other than their own. They had not changed their chargers either.

Changed their chargers? ????

[jaywalker2]

One more reason to stay away from phone financial apps.

[stoner]

14 minutes ago, homeseeker said:

Without reading or knowing the way this fraud arose.... may I know how the fraudster could get into a person's bank account without knowing or being given the account user ID/account number and password?

after gaining access to their smart phone the hacker would easily be able to get into pretty much all of the persons accounts. 

 

i dont have a banking app on my phone but i have tinder and thai friendly. both of which i remain signed into at all times and simply open the app to check for my loads of likes. 

 

i would imagine a large number of people stay signed into most apps on their phone and simply opening a banking app might give a hacker full access to the persons money ? 

[MJCM]

Just now, stoner said:

after gaining access to their smart phone the hacker would easily be able to get into pretty much all of the persons accounts. 

 

i dont have a banking app on my phone but i have tinder and thai friendly. both of which i remain signed into at all times and simply open the app to check for my loads of likes. 

 

i would imagine a large number of people stay signed into most apps on their phone and simply opening a banking app might give a hacker full access to the persons money ? 

I think it has more to do with the phone used being vulnerable to attacks because of outdated OS or not up to date.

 

 

[simon43]

13 minutes ago, MJCM said:

Changed their chargers? ????

Yes, the chargers were emitting 5g radiation that temporarily hypnotised them into revealing their bank details.  To avoid this risk, I always charge my phone at the end of a 50 metre extension cable, in the middle of my garden...

[ozfarang]

This is exactly where the fault lies,

 

"He said the blame for what happened should be faced by the Bank of Thailand, the finance ministry and banks."

 

The banking system in Thailand is archaic, with the banks taking no responsibility of  funds lost to fraud, with no input from the account holder.

[Mason45]

Hi there, I've been living in Thailand for the past 22 years and I have a very strict rule where I never use my phone for any banking activity. I use my laptop with an excellent

safe pay feature. By the way what was the app so others may avoid it. Cheers.

[TheAppletons]

13 hours ago, MJCM said:

Changed their chargers? ????

Probably refers to this:

 

"The Central Investigation Bureau (CIB) is advising the public to exercise caution when charging their smartphones in public after a Thai man’s Android phone was hacked at the weekend. The CIB believe hackers have found a way of altering charging cables to steal personal information from phone users."

 

https://thethaiger.com/hot-news/crime/android-users-urged-not-to-charge-phones-in-public-in-case-they-get-hacked

[ozfarang]

1 minute ago, Mason45 said:

Hi there, I've been living in Thailand for the past 22 years and I have a very strict rule where I never use my phone for any banking activity. I use my laptop with an excellent

safe pay feature. By the way what was the app so others may avoid it. Cheers.

It's pathetic, can't use a bank app for fear of fraud. What a system here in Thailand.

 

I have an Australian bank app and been using it for years and never had a problem, no disappearing funds, no hacks and no worries

[MJCM]

13 minutes ago, simon43 said:

Yes, the chargers were emitting 5g radiation that temporarily hypnotised them into revealing their bank details.  To avoid this risk, I always charge my phone at the end of a 50 metre extension cable, in the middle of my garden...

5555555 love it and love your vivid imagination ????????

 

[MJCM]

5 minutes ago, TheAppletons said:

Probably refers to this:

 

"The Central Investigation Bureau (CIB) is advising the public to exercise caution when charging their smartphones in public after a Thai man’s Android phone was hacked at the weekend. The CIB believe hackers have found a way of altering charging cables to steal personal information from phone users."

 

https://thethaiger.com/hot-news/crime/android-users-urged-not-to-charge-phones-in-public-in-case-they-get-hacked

Aha thx, so that refers to USB PORTS, not the actual charger.

 

so connecting a phone with the USB cable to a PUBLIC charging USB port could leave your phone vulnerable 

[zoltannyc]

21 minutes ago, simon43 said:

Yes, the chargers were emitting 5g radiation that temporarily hypnotised them into revealing their bank details.  To avoid this risk, I always charge my phone at the end of a 50 metre extension cable, in the middle of my garden...

While it sounds very funny, the real issue is that there is a method called "juice jacking"  a cyberattack in which hackers use  a charging port which doubles as a data connection. Essentially, hackers hijack your power supply (hence “juice” jacking) channel and use it to install malware on a victim’s device and/or steal data. This process can include installing tracking programs and mirroring their screen to see (and record) any passwords and PIN codes they enter while the device is charging. 

 

[thaibeachlovers]

46 minutes ago, homeseeker said:

Without reading or knowing the way this fraud arose.... may I know how the fraudster could get into a person's bank account without knowing or being given the account user ID/account number and password?

Hackers probably know more about how the systems work than the guys trying to stop them. Internet crime pays for the criminals, and very little chance of being caught.

 

News like this confirms my choice to never buy anything on line.

[thaibeachlovers]

33 minutes ago, MJCM said:

I think it has more to do with the phone used being vulnerable to attacks because of outdated OS or not up to date.

 

 

Ah, so your solution is for everyone to have to be tech savvy. Like that's going to happen.

Every time I go to supermarket the oldie in front of me is putting their pin number into the machine without hiding it from potential muggers behind them.

[KhunBENQ]

Brilliant communication.

No names, no useful hints except "have little money", "spread it" ???? Worse fear mongering is hardly possible.

Keep it under the pillow?!

 

I use online banking since ages even with a system before the internet banking came up via phone.

And knock on wood not a single Deutschmark, Swiss Franc, Euro or Baht has ever gone for unknown reasons.

Robbed by the biggest Swiss bank. Greedy speculators bailed out. Worse than money under the pillow.

[2baht]

Can anyone remember the days when people robbed banks, well now................................................................!

[Confuscious]

51 minutes ago, MJCM said:

Aha thx, so that refers to USB PORTS, not the actual charger.

 

so connecting a phone with the USB cable to a PUBLIC charging USB port could leave your phone vulnerable

I am not sure about that.

On Android, if you connect your phone to any other device via the C-mini (USB) port, the phone will switch into "charging" mode.

On this mode, the other device has no access to the phone.
In order to get access  to the phone system, you need to swith the phone to "Data transfer mode".

To simply access a phone data over a "Public" phone charging system means that the hacker would have access the public charger system to allow this hacker to download the data.
Seems too far stretched to me.

I think that the way this hacker works, is by people giving the hacker access to your phone by clicking on the link which put the phone on data transfer mode and put the caller on "Hold" while doing his/her hacking.

"The phone was put on hold ....." explains everything.

 

[MJCM]

40 minutes ago, thaibeachlovers said:

Ah, so your solution is for everyone to have to be tech savvy. Like that's going to happen.

 

Where did I say that?

 

It's easy to blame the bank but Due Diligence by persons themselves could (maybe) have prevented this.

 

Every webpage of almost every bank has a text warning of Don't Click on any Links etc etc, but people still click it because he "you won xxx THB" in a SMS is just to tempting.

 

 

 

 

 

 

 

[MJCM]

5 minutes ago, Confuscious said:

To simply access a phone data over a "Public" phone charging system means that the hacker would have access the public charger system to allow this hacker to download the data.
Seems too far stretched to me.

No apparently it's not

 

https://www.fox26houston.com/news/cyber-thieves-can-hack-cell-phones-through-public-charging-stations

[tomazbodner]

1 hour ago, MJCM said:

Changed their chargers? ????

Google up Juice-jacking. Microchips can be hiding inside USB chargers at public locations, or inside USB cables. They act like a computer host, which triggers an auto installation of malware into the phone when connected to such cable or charger.

 

It is therefore always advised you plug your own charger into a power socket rather than use USB socket, and to use your own charging cables. Also disable USB data mode by default and only enable them when connected to trusted computer manually.

[tomazbodner]

23 minutes ago, Confuscious said:

I am not sure about that.

On Android, if you connect your phone to any other device via the C-mini (USB) port, the phone will switch into "charging" mode.

On this mode, the other device has no access to the phone.
In order to get access  to the phone system, you need to swith the phone to "Data transfer mode".

To simply access a phone data over a "Public" phone charging system means that the hacker would have access the public charger system to allow this hacker to download the data.
Seems too far stretched to me.

I think that the way this hacker works, is by people giving the hacker access to your phone by clicking on the link which put the phone on data transfer mode and put the caller on "Hold" while doing his/her hacking.

"The phone was put on hold ....." explains everything.

 

Usually intent is not to download data. As having data inside cable or USB charger won't be so easily accessible. Intent is to install a malware through known OS vulnerabilities to run in the background, which intercepts traffic to extract data, and send it to online repository, accessible to threat actor.

 

Probably the simplest attack would be Man in the middle (rerouting all data to go through actor's servers to extract information) and replay attacks where actor could mimic legitimate connection to the bank that was just established, to basically be logged into the session without knowing any credentials.

 

User could minimize possibility of this happening by requiring OTP for any account changes, or transaction of any amount to second phone - NOT the one that has bank app!, which would require both phones to be compromised (or hack an SMS gateway, which would be extremely difficult).

[robblok]

2 hours ago, stoner said:

after gaining access to their smart phone the hacker would easily be able to get into pretty much all of the persons accounts. 

 

i dont have a banking app on my phone but i have tinder and thai friendly. both of which i remain signed into at all times and simply open the app to check for my loads of likes. 

 

i would imagine a large number of people stay signed into most apps on their phone and simply opening a banking app might give a hacker full access to the persons money ? 

Maybe you should not speculate too much. Kasikorn Bangking app you have to give passwords every time even if its open for a while you will have to give a password again.

So what your implying is not correct.

 

I do wonder how just clicking on a link ends up in losing money. Been using bangking aps forever never a problem. But i dont click on sms stuff.

[CharlieH]

Troll off topic post and responses removed.

[fdsa]

52 minutes ago, Confuscious said:

On Android, if you connect your phone to any other device via the C-mini (USB) port, the phone will switch into "charging" mode.

On this mode, the other device has no access to the phone.
In order to get access  to the phone system, you need to swith the phone to "Data transfer mode".

some CPUs have backdoors allowing full access to the data on the phone without any confirmation from the users, Mediatek was caught for that many year ago, but later they claimed to "fix" that "vulnerability".

[fdsa]

6 minutes ago, robblok said:

I do wonder how just clicking on a link ends up in losing money. Been using bangking aps forever never a problem. But i dont click on sms stuff.

I believe there is some bullshít API like PromptPay or some other SendMoneyInstantlyWithoutAnyConfirmations which allows money transfers without any confirmations.

[Liverpool Lou]

3 hours ago, homeseeker said:

Without reading or knowing the way this fraud arose.... may I know how the fraudster could get into a person's bank account without knowing or being given the account user ID/account number and password?

I don't think that it would be prudent for anyone to provide you with that information...for obvious reasons.

[Liverpool Lou]

2 hours ago, stoner said:

i would imagine a large number of people stay signed into most apps on their phone and simply opening a banking app might give a hacker full access to the persons money ? 

Banking apps log out after a short period of inactivity, they cannot be logged-in permanently.

[Liverpool Lou]

3 hours ago, MJCM said:

Changed their chargers? ????

There have been many reports of the dangers of phone hacking through rogue chargers/USB cables.