Banks blamed as dozens lose millions after clicking link on online shopping app and getting hacked

[OneMoreFarang]

3 hours ago, stoner said:

after gaining access to their smart phone the hacker would easily be able to get into pretty much all of the persons accounts. 

 

i dont have a banking app on my phone but i have tinder and thai friendly. both of which i remain signed into at all times and simply open the app to check for my loads of likes. 

 

i would imagine a large number of people stay signed into most apps on their phone and simply opening a banking app might give a hacker full access to the persons money ? 

I don't know about tinder, but with my banking apps I have to confirm with my fingerprint if I want to transfer any money. And after not using the app for a few minutes I am automatically locked out and if I want to transfer money I have to login again.

I find it hard to believe that they (seem to) claim that the transfers happened just by clicking on a SMS.

 

And about what really happened: I am sure the banks have detailed log files who logged in at that time and when they confirmed transactions, etc. There are detailed records, just follow the evidence. 

 

[SuperSilverHaze]

My solution

 

No banking apps on the phone.

 

Four accounts, one ATM card

 

 

[SuperSilverHaze]

15 minutes ago, OneMoreFarang said:

just follow the evidence. 

Except when the account was opened with a fake, stolen or paid for ID. The account drained and the criminal long gone.

[ezzra]

This scamming losses become to be out of control where people all over the world are losing billions to scammers and the banks are not any wiser, frankly the banks will do well to employ those scammers instead of those clueless pencil pushers who allow this to happen...

[jacko45k]

3 hours ago, homeseeker said:

Without reading or knowing the way this fraud arose.... may I know how the fraudster could get into a person's bank account without knowing or being given the account user ID/account number and password?

Sadly lacking in details and does little to allay fear.... I got an impression one could click a  SMS received link on your phone and 100,000s of baht can come out of your account....

[rwill]

4 hours ago, webfact said:

He said that none of the victims had loaded any suspect apps or clicked on fake links or used wi-fi other than their own. They had not changed their chargers either.

 

4 hours ago, webfact said:

Naphatsanat, 37, was one of the victims who lost 400,000 baht after getting an SMS from a shopping app about savings.

 

She clicked on the link and had money taken from her account.

Contradicting themselves here.

[phetphet]

3 hours ago, Mason45 said:

Hi there, I've been living in Thailand for the past 22 years and I have a very strict rule where I never use my phone for any banking activity. I use my laptop with an excellent

safe pay feature. By the way what was the app so others may avoid it. Cheers.

Thailand's defamation laws probably prevent anyone from naming the app or apps concerned, for fear of legal action against them.

 

And not a passbook insight or we might have been able to guess which bank.

Edited January 18, 2023 by phetphet

[Jackbenimble]

The operators behind the banks here are little better than 2nd hand car salesmen - the Lawyers are no different either. Banks shouldn't just wash their hands of things like this either - they need to find out how it happened so that they can ideally prevent it from happening again. If they cant assure their customers money is secure they shouldn't be surprised if everyone withdraws their money - then they'll be sorry. Bit late by then though.

[4MyEgo]

4 hours ago, stoner said:

after gaining access to their smart phone the hacker would easily be able to get into pretty much all of the persons accounts. 

I have a banking app which is accessed by my finger print, could they access my account without my finger print ?

[smedly]

3 hours ago, zoltannyc said:

While it sounds very funny, the real issue is that there is a method called "juice jacking"  a cyberattack in which hackers use  a charging port which doubles as a data connection. Essentially, hackers hijack your power supply (hence “juice” jacking) channel and use it to install malware on a victim’s device and/or steal data. This process can include installing tracking programs and mirroring their screen to see (and record) any passwords and PIN codes they enter while the device is charging. 

 

only possible if you use their USB outlet/connection

[topt]

Finally.

My gf has been worrying about this since Saturday or Sunday night when it was reported on Amarin 24 news (about the guy in the Thaiger article linked to earlier)  but I had been unable to find any links.

Surprised it took Asean now so long to pick it up......

[Jonathan Swift]

4 hours ago, MJCM said:

Changed their chargers? ????

Since a charger is plugged right into the data port on the phone a hacked or corrupted fake charger could install malware

[Jonathan Swift]

50 minutes ago, jacko45k said:

Sadly lacking in details and does little to allay fear.... I got an impression one could click a  SMS received link on your phone and 100,000s of baht can come out of your account....

Which is why you never click an unknown SMS message. Those links often lead to malware

[Jonathan Swift]

1 hour ago, SuperSilverHaze said:

Except when the account was opened with a fake, stolen or paid for ID. The account drained and the criminal long gone.

more often than not a trail can be found with a bit of diligence, even when stolen IDs are used. 

[Jonathan Swift]

4 hours ago, jaywalker2 said:

One more reason to stay away from phone financial apps.

Phone banking apps are generally safe and useful for basic things. I have been using them ever since they came out without any problems, going on 10 years. That includes a monthly transfer from Kbank mobile app of 50,000 baht to my US bank. I'm also careful and never open unknown SMS or email links. There was nothing in this story that would point the finger of blame to the bank mobile apps. This appears to be hacked phones used to access bank accounts online, or to access previously used merchant transactions, which would not necessarily involve the mobile app. If user names and passwords are obtained for the account itself the account could be accessed directly through the bank without the mobile app, and that is where the bank's liability comes in, when their security does not catch the attempted fraud. If malware was installed because someone opened a malware link in an SMS code then that's where the trail begins. But this article is sadly lacking in details. 

[fdsa]

1 hour ago, SuperSilverHaze said:

My solution

 

No banking apps on the phone.

 

Four accounts, one ATM card

 

 

unfortunately the banks make it impossible, for example I recently had to install my very first banking app because Krung Thai Bank discontinued their online banking.

At least all other banks still support the online banking.

[fdsa]

1 hour ago, ezzra said:

This scamming losses become to be out of control where people all over the world are losing billions to scammers and the banks are not any wiser, frankly the banks will do well to employ those scammers instead of those clueless pencil pushers who allow this to happen...

ahahah, the real world experience is when a hacker reports some vulnerability to some company, the company files a lawsuit against the hacker instead of rewarding and/or hiring that hacker.

[fdsa]

49 minutes ago, 4MyEgo said:

I have a banking app which is accessed by my finger print, could they access my account without my finger print ?

it depends.

Given the average programmer is well below the average, I suspect the answer is "yes"

[jaywalker2]

Most people store their passwords and user ID's on their phones, which makes them vulnerable to hackers.  However, financial and other institutions seem determined to make us more and more dependent on our phones whether we like it or not. I don't think security is the only reason either -- when they have access to your phone, they have access to practially your whole life.

[fdsa]

13 minutes ago, jaywalker2 said:

Most people store their passwords and user ID's on their phones, which makes them vulnerable to hackers.  However, financial and other institutions seem determined to make us more and more dependent on our phones whether we like it or not. I don't think security is the only reason either -- when they have access to your phone, they have access to practially your whole life.

exactly. And "they" are not some random hackers but the financial and other institutions themselves.

for example, Krung Thai bank shares your personal data (if you carelessly click "yes" and "I accept" on all prompts) with insurance companies such as AXA, and their banking app wants to know your location, guess why. I believe if you pay for some medicines or hospital treatment with the banking app, and/or if you get spotted in a pharmacy or hospital, you will get surprised with your insurance premium on the next year renewal.

Edited January 18, 2023 by fdsa

[jacko45k]

42 minutes ago, Jonathan Swift said:

Which is why you never click an unknown SMS message. Those links often lead to malware

Well i get them... but as they are in Thai, they simply get deleted.

[hotchilli]

5 hours ago, jaywalker2 said:

One more reason to stay away from phone financial apps.

I don't use any online banking apps... simple as that.

A pain sometimes but 100% safe.

[kingstonkid]

5 hours ago, stoner said:

after gaining access to their smart phone the hacker would easily be able to get into pretty much all of the persons accounts. 

 

i dont have a banking app on my phone but i have tinder and thai friendly. both of which i remain signed into at all times and simply open the app to check for my loads of likes. 

 

i would imagine a large number of people stay signed into most apps on their phone and simply opening a banking app might give a hacker full access to the persons money ? 

Sure also that many save their password so that they don't have to keep enternng it

[JackGats]

1 hour ago, 4MyEgo said:

I have a banking app which is accessed by my finger print, could they access my account without my finger print ?

I think the finger print system is Samsung's, not the bank's. It is called Samsung pass. The app is as safe (or no more safe than) your smartphone when it is logged off. 

[Foghorn]

6 hours ago, homeseeker said:

Without reading or knowing the way this fraud arose.... may I know how the fraudster could get into a person's bank account without knowing or being given the account user ID/account number and password?

If the poster told you how and what app they may be prosecuted by the the criminals for theft of intellectual property and defamation,  this is thailand 

[jacko45k]

13 minutes ago, kingstonkid said:

Sure also that many save their password so that they don't have to keep enternng it

Pretty sure most of the banking apps do not permit an autofill by Google or whatever.... in my case it is my fingerprint that gets me in. Now maybe some people keep a little text file somewhere with passwords in.... I often get that impression when I see Thais at ATMs''' that they are looking up their PIN on their phone.

[JustThisOnePostOnly]

Simple solution if you must charge using 3rd party charger: bring your own cable and make sure it isn't data-enabled.

[jacko45k]

2 minutes ago, JustThisOnePostOnly said:

Simple solution if you must charge using 3rd party charger: bring your own cable and make sure it isn't data-enabled.

Hard to know what you get these days... what with new phones not including a charger. I was disappointed  a cable I had could not be used for data between my phone and laptop.... 

The thought that a public charger station may have some tiny malicious device in a cable or connector is quite frightening... fortunately it seems I only ever need to charge my phone at home....

[jaywalker2]

5 hours ago, ozfarang said:

It's pathetic, can't use a bank app for fear of fraud. What a system here in Thailand.

 

I have an Australian bank app and been using it for years and never had a problem, no disappearing funds, no hacks and no worries

It's the same in the United States particularly with Venmo apparently which has been mired in controversy.

[jacko45k]

2 hours ago, Jackbenimble said:

The operators behind the banks here are little better than 2nd hand car salesmen - the Lawyers are no different either. Banks shouldn't just wash their hands of things like this either - they need to find out how it happened so that they can ideally prevent it from happening again. If they cant assure their customers money is secure they shouldn't be surprised if everyone withdraws their money - then they'll be sorry. Bit late by then though.

Hmm.. I wonder how the people who got scammed by the Kasikorn bank employee who was taking money on Buakhao and pretending it went into high interest accounts (with passbook). That must be a year ago now and I wonder if ever victims got refunds?