Banks blamed as dozens lose millions after clicking link on online shopping app and getting hacked


webfact

6 hours ago, HuskerDo2 said:

Imagine if these incredibly intelligent and creative criminals would channel their energies towards things that would make the world a better place. Just not these criminals but all criminals. The world would be such a better place. Pipe dreaming. Too many people out there that are too lazy to work and would rather use their time stealing from hard working folks.

 

As far as the Thai banking system...... it's lacking an awful lot just like the RTP and govt officials that can't seem to make common sense decisions.  

yea really, they're smart enough to do that & the work involved and the risks, you wonder why they don't just get a well paying job coding


22 hours ago, SuperSilverHaze said:

My solution

 

No banking apps on the phone.

 

Four accounts, one ATM card

 

 

i have found that online banking itself isn't necessary, all places allow you to pay with a debit card (after entering pin#) & a lot of them allow you to pay with the BTS rabbit tap card (which is the fastest way to pay) and the GRAB app also allows you to use a debit card w/o having an online banking service. it's just a few vending machines that i have to use cash and sometimes it's not taking coins or paper bills.

Edited by pkspeaker

3 hours ago, NativeBob said:

Microchip in charger? Sure-sure )

Click-a-link and lose money? Sure 3 times )

if you do not know something it doesn't mean that it doesn't exist.

 

 

 

Edited by fdsa

2 hours ago, Negita43 said:

I have said for a long time that the idea of OTPs (one time passwords) and banking apps are not secure because most people want convenience not security so they put everything including passwords on their mobile phones - hack the phone and the criminal has all he or she needs. Two DEVICE security is more secure where the app is on one device and the passwords are on another. For convenience I have 1 banking app on my phone with never more than £200 in the account. The rest of my online banking uses two devices - a notebook for accessing the account and where they insist, a mobile phone for receiving the OTP.

this.

Discussed in another thread already: https://aseannow.com/topic/1281581-do-you-trust-the-security-of-your-andriod-smart-phone/?do=findComment&comment=17806247

 

Edited by fdsa

1 minute ago, NativeBob said:

That the Earth is flat and Satan is watching ) 

ROFL 

I do not know if your examples are true or not, but I know for sure that the two quoted before are true and very real.


1 minute ago, fdsa said:

I do not know if your examples are true or not, but I know for sure that the two quoted before are true and very real.

Very impressive! Congratulations. Now we all know that you know what I might don't know as you think that you know it. But I don't. 


5 hours ago, LS24 said:

Fraud involving bank accounts is a worldwide issue. People need to be vigilant with any unsolicited emails, phone calls, texts and chats.

Pal of mine lost a lot of money when some crook persuaded a phone company to utilize his phone number, and issue a SIM, on a different network.


On 1/18/2023 at 9:02 AM, webfact said:

...Naphatsanat, 37, was one of the victims who lost 400,000 baht after getting an SMS from a shopping app about savings.

 

She clicked on the link and had money taken from her account...

I think we don't have the full story here. What exactly happened after she clicked on the link?

 

Did a self-executing program start and install some malware? This appears to be a possibility.

 

Or did a website open on which she was asked to type some information about her bank account and she did that?


On 1/18/2023 at 9:36 AM, MJCM said:

I think it has more to do with the phone used being vulnerable to attacks because of outdated OS or not up to date.

 

 

The problem IMO is lack of education and net smarts. The net sharks here, are very aware of the lack of it and catch many people every day. A friend of mine lost over 400K to these guys and most of them aren't hackers. What made it even worse to pursue it, they had to do the brown envelope thing too. I get many sucker bets every day and most of them come from social media. A simple call or email, a sob or BS story, a bank or phone account threatened, private information asked for and freely given, maybe even a little cash transaction, done deal. No hacker involved, if you get my drift.....

 

Link to comment
Share on other sites

As with anything in Thailand it's so difficult to get anywhere near the facts, but as I understand it the story is about RAT (Remote Access Trojans) being unwittingly downloaded on to a device, and from thereon a hacker can have his way on your smartphone.

 

The glaring problem is that the OTP code is also sent to the same device, therefore it is no security at all- in fact it is 'open sesame'.  This is somewhat like a PIN being printed on to the back of a lost debit card for instance.

 

I believe there is something in these stories. As such, I suspended internet banking on one of my accounts which has a high balance, in favor of one where I keep pocket money. True, the customers have been a bit foolish, but not that much imo, and the system is basically flawed for the reasons stated above. The banks accept no responsibility and likely the real victim will never see the money again.


On 1/20/2023 at 12:10 PM, mommysboy said:

The glaring problem is that the OTP code is also sent to the same device, therefore it is no security at all- in fact it is 'open sesame'.  This is somewhat like a PIN being printed on to the back of a lost debit card for instance.

This is not my experience: When I do online banking from my desktop (web browser), I need to confirm transfers with an OTP sent to my phone (so two devices).

 

But when I do transfers on my phone, I have to first verify with biometrics (Face ID) to open the part of the app where I can set up transfers, but I also have to enter a PIN to confirm the transaction (final step), no OTP. So this is two factor (biometrics + PIN) and does not involve OTP.

 

This is both with KTB Next (Krungthai) and K+ (Kasikorn). I have not used other Thai banking apps.

 

Though for “Scan&Go” there is no initial biometrics confirmation, and at least for KTB Next, the confirmation PIN can be disabled for amounts below a configurable threshold (though by default, this PIN is required).

Edited by lkn

41 minutes ago, lkn said:

This is not my experience: When I do online banking from my desktop (web browser), I need to confirm transfers with an OTP sent to my phone (so two devices).

 

But when I do transfers on my phone, I have to first verify with biometrics (Face ID) to open the part of the app where I can set up transfers, but I also have to enter a PIN to confirm the transaction (final step), no OTP. So this is two factor (biometrics + PIN) and does not involve OTP.

 

This is both with KTB Next (Krungthai) and K+ (Kasikorn). I have not used other Thai banking apps.

 

Though for “Scan&Go” there is no initial biometrics confirmation, and at least for KTB Next, the confirmation PIN can be disabled for amounts below a configurable threshold (though by default, this PIN is required).

Interesting, clearly though fraud is happening, and to that extent some banks are vulnerable to 'RAT's'.  Biometric confirmation would surely stop this.

 

But to me it's more important that the banks involved compensate customers.

Link to comment
Share on other sites

this scam is also rife in UK, certain shopping apps can install scam software, also certain Fintech apps from legitimate companies are compromised. the scammers can then access your bank accounts, credit cards and empty them, some UK banks are aware and compensate but HSBC is denying victims by saying it's impossible and many people have lost large sums of money but the Police and other banks admit it's a problem, HSBC will eventually have to pay up too.

It's a new development started in May last year obviously now in Thailand, the original software is Russian, It only affects Phone financial app software on Both android and iPhone, best thing is not to have any bank or shopping software on your phone.. Computers are OK for now


5 hours ago, mommysboy said:

But to me it's more important that the banks involved compensate customers.

I guess first we need to figure out what actually happened. If this was a remote exploit with no interaction from the victim, one would think that more people would have been affected.

 

There recently was a thread on this forum about how Revolut would not compensate (all) victims of fraud, and reading the article, it was people who had actively transferred money to a third party, even ignoring in-app warnings about it, but as one of the victims said, the person on the phone told them to ignore these warnings…

 

The lawyer in this story claims the victims did nothing, but then it goes on to report that one of them received an SMS from a Thai shopping app, which seems to indicate that perhaps the victim did actually do something to facilitate this scam…


1 hour ago, lkn said:

I guess first we need to figure out what actually happened. If this was a remote exploit with no interaction from the victim, one would think that more people would have been affected.

 

There recently was a thread on this forum about how Revolut would not compensate (all) victims of fraud, and reading the article, it was people who had actively transferred money to a third party, even ignoring in-app warnings about it, but as one of the victims said, the person on the phone told them to ignore these warnings…

 

The lawyer in this story claims the victims did nothing, but then it goes on to report that one of them received an SMS from a Thai shopping app, which seems to indicate that perhaps the victim did actually do something to facilitate this scam…

It depends what we mean by 'facilitate this scam.'  Personally, I don't think these people knowingly passed on information pertaining to their bank accounts.  On the other hand, the banks must have known there was a vulnerability- some seem to have solved that issue.  Why not the others?

Link to comment
Share on other sites

Hmmm.

I've been getting a lot of strange SMSs in Thai that ask me to click and they show baht figures kind of indicating they are something I should know about. I translated the messages, they don't make any sense to me, but of course I haven't clicked on any of the links.

 


7 hours ago, Jingthing said:

Hmmm.

I've been getting a lot of strange SMSs in Thai that ask me to click and they show baht figures kind of indicating they are something I should know about. I translated the messages, they don't make any sense to me, but of course I haven't clicked on any of the links.

 

Yes me too.... they seem to be telling me I have been approved for a loan and stuff like that. They also appear to come from Thai numbers that get blocked immediately.
