Two Thais Held For Stealing Bt1.7m From Briton

[george]

2 held for stealing Bt1.7m from Briton

BANGKOK: -- A Thai graduate student and two female accomplices were arrested for allegedly stealing Bt1.7 million from a Briton via the e-banking system, police said yesterday.

Tourist Police Division chief Pol Maj-General Adis Ngamjitsuksri yesterday presented 25-year-old student Thanayuth Samatchai, Supichyada Hanrob, 25, and Porntip Roopchaiyaphum, 21, as suspects at a press conference along with 10 items of evidence including five mobile phones, a computer notebook and a PC.

Siam Commercial Bank had alerted the Economic and Cyber Crime Division Centre for Transnational Crime and Electronic Crime Suppression that some thieves had stolen the personal data of a British customer then allegedly transferred Bt1.72 million of his money into a third person's account and withdrawn the cash via ATM.

The investigation concluded that Porntip had given her British ex-boyfriend's ATM and credit-card information to Supichyada, Adis said.

Supichyada reportedly used her close connections with a bank employee to change the password without having the required documents and transferred the money into the account of a person named Kannika Kusima in Surin. Thanayuth and the others used an ATM card to withdraw the cash.

Porntip reportedly received some money, which she used to get back land that had been pawned with a bank.

The investigation also found that Bt100,000 had been transferred from the account to a suspected accomplice, a Cambodian man named Sitha Mo, Adis said.

-- The Nation 2009-03-15

[brahmburgers]

Kudos to Siam Commercial (my bank also) for alerting authorities. Sounds like the g.f./thief had an accomplice "on the inside"

"Supichyada reportedly used her close connections with a bank employee to change the password without having the required documents"

- one would expect that employee will be disciplined also.

good to hear this rip off is being dealt with - and hope the Brit gets all his dough back - and hope he drops the little thief and goes on to greener pastures.

[Briggsy]

I wonder if he'll get his money back though. I doubt it.

How on earth did bank employee change his ATM password? Or am I misreading it?

[TheWalkingMan]

Supichyada reportedly used her close connections with a bank employee to change the password without having the required documents and transferred the money into the account of a person named Kannika Kusima in Surin. Thanayuth and the others used an ATM card to withdraw the cash.

Porntip reportedly received some money, which she used to get back land that had been pawned with a bank.

The investigation also found that Bt100,000 had been transferred from the account to a suspected accomplice, a Cambodian man named Sitha Mo, Adis said.

-- The Nation 2009-03-15

Once convicted, that bank employee should be thrown in the jug. The land should be sold and the proceeds equaling the amount she took given to the Brit.

I hope the guy gets his money back.

TheWalkingMan

[markg]

Well done to the bank for getting to the bottom of this.

I seem to remember a poster on here saying he had had stacks of money taken from his account by ATM and that the bank weren't interested. Wonder if it was the same guy?

The guy should get his money back.

The way it happens in the UK (and i know that this isnt the UK) is that the bank reimburse the money, then the bank seek damages from the thief. The reason they do this, so i've been told, is that the number of thefts from bank accounts is then not reported to the police. Only the victim can report a crime, and if the bank reimburses you then you are not a victim. So the bank dont report it to the police either and this way the number of thefts are not in a publicly viewable system. (police recorded crimes are)

I hope the guy gets his money back one way or the other.

Hats off to the bank and the Thai cops.

[TPI]

Well done to the bank for getting to the bottom of this.

I seem to remember a poster on here saying he had had stacks of money taken from his account by ATM and that the bank weren't interested. Wonder if it was the same guy?

The guy should get his money back.

The way it happens in the UK (and i know that this isnt the UK) is that the bank reimburse the money, then the bank seek damages from the thief. The reason they do this, so i've been told, is that the number of thefts from bank accounts is then not reported to the police. Only the victim can report a crime, and if the bank reimburses you then you are not a victim. So the bank dont report it to the police either and this way the number of thefts are not in a publicly viewable system. (police recorded crimes are)

I hope the guy gets his money back one way or the other.

Hats off to the bank and the Thai cops.

Isn't it amazing...when the "little brown men" do the right thing once, everyone is full of praise..this should be an everyday occurance....how sad that it only happens once in a blue moon

[grantbkk]

Great job by the Economic and Cyber Crime Division Centre for Transnational Crime and Electronic Crime Suppression or ECCDTCECS pronounced "ecstasy's".

[siamjj]

withdraw that much from atm?how long did that take?no daily limit?must be more to this story.

[gonzobrains]

good to hear this rip off is being dealt with - and hope the Brit gets all his dough back - and hope he drops the little thief and goes on to greener pastures.

it did say "ex boyfriend", right?

[Tonyzill]

The bank is responsible for the theft and should therefore reimburse thier customer, however in the usual Thai manner they will refuse, delay and try and not to accept thier responsibility.

I have had one friend this happened to and it tooks months with Solictors and going to the Press to get his money back.

[Ponbkk]

I take such comfort in remembering SCB CALLING me on the phone one day to tell me my username (yes, username, not password) was too short and I must change it or my account would be deactivated.

I know that my passport number is on record at that bank. It also doesn't give me comfort that the government requires copying of my passport in dubious situations where persons obtaining that information have no training/certification in privacy matters and the government is not seeing to the maintainance of privacy of that information.

[SmartFarang]

Seems his online banking password was changed, not his ATM password.

They did not use his ATM card. They used his online banking account to transfer money into a "friendly" account. Once it's in a 3rd party account, it's then easy to transfer around and withdraw cash using a bunch of ATM cards.

This is why an online banking password is much more valuable than an ATM pin code, and you should never do online banking from shared computers - such as in an internet cafe. You can move up to limit of hundreds of thousands of baht per day using online banking, but only tens of thousands using an ATM card.

I wonder if he'll get his money back though. I doubt it.

How on earth did bank employee change his ATM password? Or am I misreading it?

[wrecker]

Not really smart thieves. A Thai bankaccount and thus a Thai bank that stands to lose money, that means always big trouble.

[SmartFarang]

To transfer 1.7m in blocks of up to 200k into ten different 3rd party accounts for example: 10 minutes.

To withdraw cash 200K cash in blocks of 50k per day from each of those ten accounts: 4 days.

Or, simply go to bank teller and withdraw 200k in cash from each account: 10 minutes.

Easy.

withdraw that much from atm?how long did that take?no daily limit?must be more to this story.

[andyc2006]

Kudos to Siam Commercial (my bank also) for alerting authorities.

Well done to the bank for getting to the bottom of this.

Hats off to the bank and the Thai cops.

I'll withhold my kudos to the bank until I hear that they're reimbursing the victim, given that they're partially responsible.

Even if they reimburse the victim, at that point, they've only done what they should have done. Why pat them on the back? Are the standards that low in Thailand?

The bank is responsible for the theft and should therefore reimburse thier customer, however in the usual Thai manner they will refuse, delay and try and not to accept thier responsibility.

Exactly.

[redscouse]

people, the money was not being withdrawan from his bank account via atm, the password that was changed was not the password for his atm card, it was the password for his online banking. they gained access to his account online then transferred the money to a different account, it was this account they withdrew the money from via atm.

read the OP, it normally helps

Edit, smartfarang has already pointed it out

Edited March 16, 2009 by redscouse

[redscouse]

one way to avoid key readers for your bank account is to alter the number and password when typing in, the reader picks up all the digits, however you then delete the digits that you added.

example, if your account number is 12345678, type in something like 12372545678 then delete the added digits, the reader does not know what has been deleted. same with names and passwords.

[Ponbkk]

one way to avoid key readers for your bank account is to alter the number and password when typing in, the reader picks up all the digits, however you then delete the digits that you added.

example, if your account number is 12345678, type in something like 12372545678 then delete the added digits, the reader does not know what has been deleted. same with names and passwords.

I believe the ATM card reader reads the account number from the magnetic tape on the card, you do not punch it in.

Online, KEYBOARD LOGGERS will log the backspaces and deletes and a good interpreter can decipher the password still from the text output that can be automatically emailed to him.

[redscouse]

one way to avoid key readers for your bank account is to alter the number and password when typing in, the reader picks up all the digits, however you then delete the digits that you added.

example, if your account number is 12345678, type in something like 12372545678 then delete the added digits, the reader does not know what has been deleted. same with names and passwords.

I believe the ATM card reader reads the account number from the magnetic tape on the card, you do not punch it in.

Online, KEYBOARD LOGGERS will log the backspaces and deletes and a good interpreter can decipher the password still from the text output that can be automatically emailed to him.

yes sorry I was talking about online, not atm, can it even read if you highlight a few numbers to be deleted at the same time?

[JimsKnight]

good to hear this rip off is being dealt with - and hope the Brit gets all his dough back - and hope he drops the little thief and goes on to greener pastures.

it did say "ex boyfriend", right?

The honeytrap is what first came to mind on seeing this. Be careful who you share your ATM details with...

[fobuff]

"Tourist Police Division chief Pol Maj-General Adis Ngamjitsuksri yesterday presented...."

Yow....

I think this is the first time the Tourist police do something (sic) after the bank gave them everything...

Fobuff

[TAWP]

one way to avoid key readers for your bank account is to alter the number and password when typing in, the reader picks up all the digits, however you then delete the digits that you added.

example, if your account number is 12345678, type in something like 12372545678 then delete the added digits, the reader does not know what has been deleted. same with names and passwords.

Offtopic, but all modern keylogger (both hardware and software solutions) can handle these situations now.

[siamiam]

one way to avoid key readers for your bank account is to alter the number and password when typing in, the reader picks up all the digits, however you then delete the digits that you added.

example, if your account number is 12345678, type in something like 12372545678 then delete the added digits, the reader does not know what has been deleted. same with names and passwords.

Offtopic, but all modern keylogger (both hardware and software solutions) can handle these situations now.

I am not a computer savy person, but I will share what little knowledge I think I have, (please let me know where I am wrong and pass along any helpful advice, as I want to protect myself as much as I can). I do internet banking from public computers in many countries, (India, Sri Lanka, Thailand, Laos, China), and have done so for a couple of years now without a problem. I never type in passwords or other sensitive info, but rather copy and paste it. This is true for everything, (like email, etc.), not just online banking. Also, I don't press the 'enter' key, but instead click the 'log on' etc. screen buttons with the mouse.

ALSO: before I ever do anything on public computers I go through their 'internet options' menus and set them up to not save encrypted data, empty all private data when browser is closed, don't save passwords, etc., etc.. Each browser is different in this regard, but perusing the Security, Privacy, Advanced, etc., sections of Internet Options, or just Options, will reveal what I am writting about here.

If you like, you can make a shortcut email and send it to yourself. This would be a jumble of numbers and letters that can be copied and pasted to create id's and passwords, etc.. I log into my email by copying and pasting the user id and password from the browser address bar.

ALSO: I have several different email addresses that are hosted by what I call my prime address. I never log into my prime address unless it is a real emergency. If one of my secondary addresses gets hacked, the hacker can not change the password - this can only be done from the primary address account. This is benificial, but I wont go into it here.

I talked to the head of internet banking at my bank, this was 9 months ago. At that time he told me the bank, (in an english speaking 'western country'), had not had a customer victimized by 'captured screen' technology so far. I don't know what steps, if any, can be taken to protect yourself against 'captured screen' technology, but as of 9 months ago, it was not a high probability threat.

As I have said, I am not a computer savy person, but figured I would add what I could to the conversation here. Maybe someone out there on ThaiVisa can teach me more than I know. It would be appreciated. Cheers, siamiam

[bungy007]

Supichyada reportedly used her close connections with a bank employee to change the password without having the required documents and transferred the money into the account of a person named Kannika Kusima in Surin. Thanayuth and the others used an ATM card to withdraw the cash.

Porntip reportedly received some money, which she used to get back land that had been pawned with a bank.

The investigation also found that Bt100,000 had been transferred from the account to a suspected accomplice, a Cambodian man named Sitha Mo, Adis said.

-- The Nation 2009-03-15

Once convicted, that bank employee should be thrown in the jug. The land should be sold and the proceeds equaling the amount she took given to the Brit.

I hope the guy gets his money back.

TheWalkingMan

Any chance that strings could be pulled and 'tea money' paid so that she has to share a cell with Simon if he gets banged up for two years? Just one way of balancing out injustices!

[Tompa]

I don’t have an internet banking account in Thailand, but have it in both Sweden and Singapore. For both these banks you need your normal password plus a digi pass that creates a new password each time in order to login to your account. Even if someone should crack your normal password, there is no way they can access your account without the digi pass = Very safe. Can’t for the life of me understand why Thai banks wouldn’t use a similar system?

Tompa,

[Sturbuc]

Seems his online banking password was changed, not his ATM password.

They did not use his ATM card. They used his online banking account to transfer money into a "friendly" account. Once it's in a 3rd party account, it's then easy to transfer around and withdraw cash using a bunch of ATM cards.

This is why an online banking password is much more valuable than an ATM pin code, and you should never do online banking from shared computers - such as in an internet cafe. You can move up to limit of hundreds of thousands of baht per day using online banking, but only tens of thousands using an ATM card.

I wonder if he'll get his money back though. I doubt it.

How on earth did bank employee change his ATM password? Or am I misreading it?

1. you can set a daily / per transaction limit for your online banking too. Ask your bank.

2. For every transaction i do need a certain transaction number, valid only once. If somebody gets my username and password/pin, they can look in my account but any transaction will be denied.

The transaction-numbers might be taken from a list (unsafe because to be copied!!) or send to your mobile by SMS on the spot.

So i don't really understand how they could pick up so much money without his knowledge.

[747gmm]

Seems his online banking password was changed, not his ATM password.

They did not use his ATM card. They used his online banking account to transfer money into a "friendly" account. Once it's in a 3rd party account, it's then easy to transfer around and withdraw cash using a bunch of ATM cards.

This is why an online banking password is much more valuable than an ATM pin code, and you should never do online banking from shared computers - such as in an internet cafe. You can move up to limit of hundreds of thousands of baht per day using online banking, but only tens of thousands using an ATM card.

I wonder if he'll get his money back though. I doubt it.

How on earth did bank employee change his ATM password? Or am I misreading it?

1. you can set a daily / per transaction limit for your online banking too. Ask your bank.

2. For every transaction i do need a certain transaction number, valid only once. If somebody gets my username and password/pin, they can look in my account but any transaction will be denied.

The transaction-numbers might be taken from a list (unsafe because to be copied!!) or send to your mobile by SMS on the spot.

So i don't really understand how they could pick up so much money without his knowledge.

Guys thought you may like to hear my tuppence worth. The Thai girl set up the online bank account... using all the personal data strategically extracted from her ex. farang partner during their relationship.

He only has a normal passbook & ATM card to access his account. He goes offshore and works for 28 days in the middle of the ocean during which time she whacks him for the big 1.7m. First thing he notices on return to LOS & goes to the ATM is that his account has been effectively robbed.

[sassienie]

A British man has recently been sentenced to 18 years and 9 months in jail for using dodgy ATM cards to steal 100000 baht.

Be interesting to see what sort of sentences these Thai people get for stealing 1.7 million baht.

[TheWalkingMan]

A British man has recently been sentenced to 18 years and 9 months in jail for using dodgy ATM cards to steal 100000 baht.

Be interesting to see what sort of sentences these Thai people get for stealing 1.7 million baht.

My guess it will be considerably less than the 18+ years.

TheWalkingMan

[TAWP]

one way to avoid key readers for your bank account is to alter the number and password when typing in, the reader picks up all the digits, however you then delete the digits that you added.

example, if your account number is 12345678, type in something like 12372545678 then delete the added digits, the reader does not know what has been deleted. same with names and passwords.

Offtopic, but all modern keylogger (both hardware and software solutions) can handle these situations now.

I am not a computer savy person, but I will share what little knowledge I think I have, (please let me know where I am wrong and pass along any helpful advice, as I want to protect myself as much as I can). I do internet banking from public computers in many countries, (India, Sri Lanka, Thailand, Laos, China), and have done so for a couple of years now without a problem. I never type in passwords or other sensitive info, but rather copy and paste it. This is true for everything, (like email, etc.), not just online banking. Also, I don't press the 'enter' key, but instead click the 'log on' etc. screen buttons with the mouse.

ALSO: before I ever do anything on public computers I go through their 'internet options' menus and set them up to not save encrypted data, empty all private data when browser is closed, don't save passwords, etc., etc.. Each browser is different in this regard, but perusing the Security, Privacy, Advanced, etc., sections of Internet Options, or just Options, will reveal what I am writting about here.

If you like, you can make a shortcut email and send it to yourself. This would be a jumble of numbers and letters that can be copied and pasted to create id's and passwords, etc.. I log into my email by copying and pasting the user id and password from the browser address bar.

ALSO: I have several different email addresses that are hosted by what I call my prime address. I never log into my prime address unless it is a real emergency. If one of my secondary addresses gets hacked, the hacker can not change the password - this can only be done from the primary address account. This is benificial, but I wont go into it here.

I talked to the head of internet banking at my bank, this was 9 months ago. At that time he told me the bank, (in an english speaking 'western country'), had not had a customer victimized by 'captured screen' technology so far. I don't know what steps, if any, can be taken to protect yourself against 'captured screen' technology, but as of 9 months ago, it was not a high probability threat.

As I have said, I am not a computer savy person, but figured I would add what I could to the conversation here. Maybe someone out there on ThaiVisa can teach me more than I know. It would be appreciated. Cheers, siamiam

Copy and paste can be grabbed by many software-keyloggers (a misnomer as they are often a combination of things and keylogging is one of the features, as just that feature alone produces a lot of huge logs and very hard data to dig through to find any value from unless it's a targeted attack).

But anything you do that is 'not ordinary' will render the most common 'hijackers' useless, as many of the applications aren't built by professionals. However it doesn't matter how careful you are if you are a target of an aimed attack, but that is usually only the case against corporations and the for instance gaining access to a specific persons account, using combinations of hardware keyloggers (if posssible) and a multitude of trojan-packs using different attack vectors (including the famous 'click here to watch Britneys latest nud_e pictures'-exe's in the email).

Eventually, if they re persistent enough, they will get you. Unless you input is feed to you from a secondary source, for instance a secure login device.