
ATMs on Bangkok's Wireless Road hacked, card users say


webfact


ATMs on Wireless Road hacked, card users say
Vorapun Sukkaew
The Nation

Customers of several banks report withdrawals in Ukraine and Russia

BANGKOK: -- THERE HAVE been signs of ATMs being hacked in areas near the All Seasons Place on Wireless Road in Bangkok.


As many as 40 victims have come forward to say that money has either been withdrawn or transferred from their accounts to Ukraine and Russia.

"Up to 16 withdrawals from my account worth a total of Bt100,000 were made in Russia between Tuesday and Thursday [yesterday]," Mayurachat (surname withheld) said, adding that she did not understand what had happened.

"But I have already had my ATM card frozen," she said.

Victims began lodging complaints with the Lumpini Police Station, which oversees the area, on Wednesday.

"We have checked out the ATM machines in question, but found no skimmers of the sort we know about," Colonel Chaiya Kongsap, superintendent of the police station, said.

The ATM cards affected came from different banks and were hacked at different machines.

Pol Lt-Colonel Decha Promsuwan, an investigator at the Lumpini Police Station, has warned people against using ATMs in the area.

"The banks are still in the process of finding out how their customers' information was hacked," he said.

Pakamas Vidhidharm said she used a Siam Commercial Bank (SCB) ATM card to withdraw money from a Bangkok Bank ATM in the area on Monday.

"Soon after, SCB contacted me about a suspicious transaction. Someone had withdrawn Bt20,000 from my account in Kiev," she said, adding that her ATM card has been frozen since.

On Wednesday, she used a Bangkok Bank card to withdraw money from a Bank of Ayudhya ATM in the same area.

"In less than 10 minutes, Bangkok Bank contacted me saying some Bt10,000 had been transferred from my account to Kiev," Pakamas said.

Somchai Pichitsujarit of the Thai Bankers' Association said it was possible that some gangs might be using a micro camera to record users typing their PIN number.

He tried to allay concerns, by saying: "People can use their ATMs as usual. If any suspicious transaction is detected, banks will take immediate attention. Besides, banks are responsible for any damages caused by skimming."

-- The Nation 2013-11-08


Ukraine is very good at this hacking. In USA I had my cell phone hacked and when I got my monthly Sprint bill, it was more than $800.00. The good news is that Sprint postponed my bill until it investigated and found out it was coming from Ukraine. They cancelled my bill but I had to change my phone number.


The biggest fear I would have would be if someone has come up with a method of accessing/hacking the interbank network between ATM & parent bank.

Although this is heavily encrypted, it is still a wired/wireless connection. I have often wondered about the security, or rather potential breach of security that could happen here.

Of course, I could be totally wrong in my assumptions, but not to be overlooked... ;)

That would be scary!


He tried to allay concerns, by saying: "People can use their ATMs as usual. If any suspicious transaction is detected, banks will take immediate attention. Besides, banks are responsible for any damages caused by skimming."

Really? That's not what they told me....

I had 42,000 baht removed from my account in Pattaya after being distracted by a guy from Eastern bloc area - might be same team. Anyway, I ended up going to 3 separate Police stations and none of them would complete a Police Report. Also, Siam Commercial Bank said that I would not get any money back, so I just dropped it. So this guy who says the banks will return should fight on our behalf because I am so tired of the laziness and uncaring attitude of the whole system.

Sorry to hear that...sounds similar to what happened to a friend.

Did you figure out how it was done yet? It would be useful to BMs to know... although generally telling anyone coming too close to get lost might cover it.... including the nosey 4 year old Thai kid. :D

The one I heard they put something into the card slot causing it to stick inside and came to 'help'... getting you to re-enter the pin when he could see it, and palming the card back to a friend with a skimmer, and then returning it to you, or keeping it.


One has to assume that the ATM machine in Kiev, or wherever, needs to perform a communication to 'Visa Central' or somewhere distant, to determine that there are funds available and a valid PIN has been entered.

Surely a transaction 20 minutes earlier, some 10,000 km (or less) distant, should raise a flag and block the secondary withdrawal attempt.

Or is the system so dumb as to not treat such occurrences as odd, or it doesn't even bother checking anything.

( I know for a fact they seem quick to block withdrawals if you make too many in a day or there are insufficient funds..... is it a case of the banks protecting themselves more than the customers?)

I should be able to supply my bank with a yes/no list of countries where I may or may not use my ATM card.

No, I doubt if I will be going to Afghanistan or Pakistan any-time soon!

I agree it's technical reach. But isn't it completely possible to have several cards connected to the same account? In those cases it would be rather inconvenient if the transaction was blocked because of distance.

Very good idea with a country blacklist. Can't believe the banks/cc processors haven't thought about that themselves. In fact, it seems like some countries should be on the blacklist per default.


Thai social media is on fire with this - we got a few warnings yesterday during the day. It seems like, based on the localization (Wireless Road, a few ATMs: Kasikorn and Bangkok Bank - a stone's throw from the Lumphini District Police Station ;) ) that several ATMs were skimmed and PINs compromised, quickly sold/transferred to the Ukraine, where they were used at a potentially complicit bank.


One has to assume that the ATM machine in Kiev, or wherever, needs to perform a communication to 'Visa Central' or somewhere distant, to determine that there are funds available and a valid PIN has been entered.

Surely a transaction 20 minutes earlier, some 10,000 km (or less) distant, should raise a flag and block the secondary withdrawal attempt.

Or is the system so dumb as to not treat such occurrences as odd, or it doesn't even bother checking anything.

( I know for a fact they seem quick to block withdrawals if you make too many in a day or there are insufficient funds..... is it a case of the banks protecting themselves more than the customers?)

I should be able to supply my bank with a yes/no list of countries where I may or may not use my ATM card.

No, I doubt if I will be going to Afghanistan or Pakistan any-time soon!

My Singapore bank requires that I inform them in advance if I want to use my Singapore ATM card outside Singapore. If I don't do that, it won't work.


The biggest fear I would have would be if someone has come up with a method of accessing/hacking the interbank network between ATM & parent bank.

Although this is heavily encrypted, it is still a wired/wireless connection. I have often wondered about the security, or rather potential breach of security that could happen here.

Of course, I could be totally wrong in my assumptions, but not to be overlooked... ;)

That would be scary!

Seems extremely unlikely they cracked the encrypted data, more likely they used hidden cameras to record people entering their PINs, they then set up a clone card in Kiev and go to the ATM and withdraw money.

At the end of the end it's the bank in Kiev that will get screwed when it comes time to settle up.


He tried to allay concerns, by saying: "People can use their ATMs as usual. If any suspicious transaction is detected, banks will take immediate attention. Besides, banks are responsible for any damages caused by skimming."

Really? That's not what they told me....

And the police said NOT to use the ATMs in the area. Slight disconnect there AND for maybe the first time, the police are talking the most sense. Everybody knows the banks will only pay out if forced to do so. The first, second, third time of asking, they will always deny responsibility. Who wants that hassle.


With my (bank n charge cards) I inform the banks which countries n what dates I will be travelling. Any transactions out of target areas/times are rejected. I also have limits on amount of a transaction. It's one way to limit exposure.

You do have to take responsibility for your own finances...no one else will.


One has to assume that the ATM machine in Kiev, or wherever, needs to perform a communication to 'Visa Central' or somewhere distant, to determine that there are funds available and a valid PIN has been entered.

Surely a transaction 20 minutes earlier, some 10,000 km (or less) distant, should raise a flag and block the secondary withdrawal attempt.

Or is the system so dumb as to not treat such occurrences as odd, or it doesn't even bother checking anything.

( I know for a fact they seem quick to block withdrawals if you make too many in a day or there are insufficient funds..... is it a case of the banks protecting themselves more than the customers?)

I should be able to supply my bank with a yes/no list of countries where I may or may not use my ATM card.

No, I doubt if I will be going to Afghanistan or Pakistan any-time soon!

That's exactly what Citibank does. I have several countries whitelisted and everything else is blacklisted.

This post also raises an important point regarding keeping your money in Thai banks. My money is kept in Australia, and thus under Australian law the bank is responsible if some of it goes missing. What are the laws in Thailand and will the banks give you any protection?

Also keeping any significant amount of money in an account that can be accessed via ATM / Debit card is very careless.


Police hunt international ATM fraud gang

BANGKOK: -- Lumpini police are now seeking cooperation from the Economic Crime Division police to hunt down an international gang which they said was responsible for stealing a huge sum of money from people withdrawing cash from automatic teller machines (ATMs) using skimming devices.


The police’s action came after more than 50 people, mostly customers of Bangkok Bank, lodged complaints with Lumpini police complaining that money in their accounts had disappeared mysteriously, and some said all their money had been cleaned out.

All of them also told police that they discovered the mysterious withdrawals of money from their accounts, after using their cards to check and withdraw money from Bangkok Bank’s ATM at the Apollo Building located within the All Seasons Place office building complex on Wireless Road in Lumpini area.

One customer told police that he went to contact the bank after noticing that three withdrawals were charged a 100 baht fee each, meaning that the withdrawals were made from overseas.

Full story: http://englishnews.thaipbs.or.th/police-hunt-international-atm-fraud-gang/

-- Thai PBS 2013-11-08


He tried to allay concerns, by saying: "People can use their ATMs as usual. If any suspicious transaction is detected, banks will take immediate attention. Besides, banks are responsible for any damages caused by skimming."

Really? That's not what they told me....

I had 42,000 baht removed from my account in Pattaya after being distracted by a guy from Eastern bloc area - might be same team. Anyway, I ended up going to 3 separate Police stations and none of them would complete a Police Report. Also, Siam Commercial Bank said that I would not get any money back, so I just dropped it. So this guy who says the banks will return should fight on our behalf because I am so tired of the laziness and uncaring attitude of the whole system.

That's a problem if the Thai Banks don't cover you. I know in Australia if you are a victim the banks refund your money.


There is one rule that any ATM user must adhere to so as to minimise "Skimming". For the hundredth time please note:- "Cover the key pad when entering your PIN number"

(Edit spelling)


One has to assume that the ATM machine in Kiev, or wherever, needs to perform a communication to 'Visa Central' or somewhere distant, to determine that there are funds available and a valid PIN has been entered.

Surely a transaction 20 minutes earlier, some 10,000 km (or less) distant, should raise a flag and block the secondary withdrawal attempt.

Or is the system so dumb as to not treat such occurrences as odd, or it doesn't even bother checking anything.

( I know for a fact they seem quick to block withdrawals if you make too many in a day or there are insufficient funds..... is it a case of the banks protecting themselves more than the customers?)

I should be able to supply my bank with a yes/no list of countries where I may or may not use my ATM card.

No, I doubt if I will be going to Afghanistan or Pakistan any-time soon!

My Singapore bank requires that I inform them in advance if I want to use my Singapore ATM card outside Singapore. If I don't do that, it won't work.

Yes, where 'anything' is concerned, the Singaporeans are far smarter than the Thais, except of course when the RTP are involved.


The biggest fear I would have would be if someone has come up with a method of accessing/hacking the interbank network between ATM & parent bank.

Although this is heavily encrypted, it is still a wired/wireless connection. I have often wondered about the security, or rather potential breach of security that could happen here.

Of course, I could be totally wrong in my assumptions, but not to be overlooked... ;)

That would be scary!

Seems extremely unlikely they cracked the encrypted data, more likely they used hidden cameras to record people entering their PINs, they then set up a clone card in Kiev and go to the ATM and withdraw money.

At the end of the end it's the bank in Kiev that will get screwed when it comes time to settle up.

I agree and would like to think/hope that it remains a secure system. However, the statement was made:

"We have checked out the ATM machines in question, but found no skimmers of the sort we know about,"

Any skimming device will leave marks of fixture/adhesion, same applies for cameras. If no marks were found, it makes me wonder, that's all.

Of course, it depends on how the inspection of the machines was, and by who, for this to become evident. If someone doesn't know what they are looking for, they aren't going to find it.


There is one rule that any ATM user must adhere to so as to minimise "Skimming". For the hundredth time please note:- "Cover the key pad when entering your PIN number"

(Edit spelling)

That is sound advice, but it won't stop your card being "skimmed".


He tried to allay concerns, by saying: "People can use their ATMs as usual. If any suspicious transaction is detected, banks will take immediate attention. Besides, banks are responsible for any damages caused by skimming."

Really? That's not what they told me....

I had 42,000 baht removed from my account in Pattaya after being distracted by a guy from Eastern bloc area - might be same team. Anyway, I ended up going to 3 separate Police stations and none of them would complete a Police Report. Also, Siam Commercial Bank said that I would not get any money back, so I just dropped it. So this guy who says the banks will return should fight on our behalf because I am so tired of the laziness and uncaring attitude of the whole system.

That's a problem if the Thai Banks don't cover you. I know in Australia if you are a victim the banks refund your money.

That is correct, I had my credit card scammed 6 months after I used it in a Norwich Indian restaurant.

There was a withdrawal in an English betting shop of $2000.

The Commonwealth Bank of Australia informed me and refunded the money to my account.


He tried to allay concerns, by saying: "People can use their ATMs as usual. If any suspicious transaction is detected, banks will take immediate attention. Besides, banks are responsible for any damages caused by skimming."

Really? That's not what they told me....

Banks may be "responsible" for skimming because it's their ATMs... But in Thailand, that doesn't seem to be the banks necessarily being willing or eager to reimburse their customers who have lost money due to ATM or bank fraud.

Based on a lot of member reports here over time, the usual bank response seems to be to blame the cardholder and suggest they did something wrong or that the lost funds were taken by a Thai wife or some other personal acquaintance.

Although, in these cases, with the funds being illegally transferred to places like Russia and Ukraine, perhaps the bankers will be a bit more accommodating. Still, it would be quite interesting to hear just how long it takes, if ever, for these victims to get their funds restored.

Another good reminder for anyone with a Thai bank account linked to an ATM card:

--1. Set comfortably low daily limits on ATM cash withdrawals, Point of Sale (POS) purchases and bank fund transfers. The banks' default limits are often quite high, but you can change those.

--2. If your bank offers them, set up things like having to receive and enter an SMS'd confirmation code in order to make transfers or bill payments, and SMS or email notifications for account transactions.


One has to assume that the ATM machine in Kiev, or wherever, needs to perform a communication to 'Visa Central' or somewhere distant, to determine that there are funds available and a valid PIN has been entered.

Surely a transaction 20 minutes earlier, some 10,000 km (or less) distant, should raise a flag and block the secondary withdrawal attempt.

Or is the system so dumb as to not treat such occurrences as odd, or it doesn't even bother checking anything.

( I know for a fact they seem quick to block withdrawals if you make too many in a day or there are insufficient funds..... is it a case of the banks protecting themselves more than the customers?)

I should be able to supply my bank with a yes/no list of countries where I may or may not use my ATM card.

No, I doubt if I will be going to Afghanistan or Pakistan any-time soon!

I agree it's technical reach. But isn't it completely possible to have several cards connected to the same account? In those cases it would be rather inconvenient if the transaction was blocked because of distance.

Very good idea with a country blacklist. Can't believe the banks/cc processors haven't thought about that themselves. In fact, it seems like some countries should be on the blacklist per default.

I have this working on my card, it only works in Europe. If I need it somewhere else I need to open the card over my internet bank (where and how many days).


One has to assume that the ATM machine in Kiev, or wherever, needs to perform a communication to 'Visa Central' or somewhere distant, to determine that there are funds available and a valid PIN has been entered.

Surely a transaction 20 minutes earlier, some 10,000 km (or less) distant, should raise a flag and block the secondary withdrawal attempt.

Or is the system so dumb as to not treat such occurrences as odd, or it doesn't even bother checking anything.

( I know for a fact they seem quick to block withdrawals if you make too many in a day or there are insufficient funds..... is it a case of the banks protecting themselves more than the customers?)

I should be able to supply my bank with a yes/no list of countries where I may or may not use my ATM card.

No, I doubt if I will be going to Afghanistan or Pakistan any-time soon!

Most Western/international banks use "out of pattern" behavioural systems which monitor your usual pattern of spending/cash withdrawals etc and then 'flag' anything out of the ordinary. If you travel a lot it can be a nuisance, otherwise good practice as it involves the bank calling you to verify the transaction before confirming it.

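The checks posters in this thread describe (a per-card country allow-list, a flag when one card appears in two distant places within minutes, and a low daily limit), sketched as an added example that is not part of the thread or any bank's system. The card ids, coordinates, amounts and the 1,000 km/h threshold are constructed assumptions; state is kept per card rather than per account, so a second card on the same account used elsewhere is not flagged for distance.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 1000.0  # assumption: anything faster than an airliner is not one physical card

@dataclass(frozen=True)
class Txn:
    card: str        # card id, not account id: two cards on one account are tracked apart
    when: datetime   # terminal time, all in UTC
    country: str     # ISO 3166-1 alpha-2 code of the ATM
    lat: float
    lon: float
    amount: int      # baht

def km_between(a: Txn, b: Txn) -> float:
    """Great-circle (haversine) distance between two terminals, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def review(txns, allowed, daily_limit):
    """Return [(txn, reasons)] for each withdrawal that should be held for confirmation."""
    last_ok, spent, held = {}, {}, []
    for t in sorted(txns, key=lambda x: x.when):
        reasons = []
        if t.country not in allowed.get(t.card, set()):
            reasons.append("country-not-allowed")
        prev = last_ok.get(t.card)
        if prev is not None:
            hours = max((t.when - prev.when).total_seconds(), 1.0) / 3600
            if km_between(prev, t) / hours > MAX_KMH:
                reasons.append("impossible-travel")
        day = (t.card, t.when.date())
        if spent.get(day, 0) + t.amount > daily_limit:
            reasons.append("daily-limit")
        if reasons:
            held.append((t, reasons))
        else:  # only approved withdrawals move the card's known position and spend
            last_ok[t.card] = t
            spent[day] = spent.get(day, 0) + t.amount
    return held

# Constructed sample: card A is used in Bangkok, then "in Kiev" ten minutes later;
# card B is a second card on the same account whose holder registered a trip to GB.
BKK, KIEV, LONDON = ("TH", 13.74, 100.55), ("UA", 50.45, 30.52), ("GB", 51.51, -0.13)
SAMPLE = [
    Txn("card-A", datetime(2013, 11, 6, 5, 0), *BKK, 5000),
    Txn("card-B", datetime(2013, 11, 6, 5, 5), *LONDON, 3000),
    Txn("card-A", datetime(2013, 11, 6, 5, 10), *KIEV, 10000),
    Txn("card-A", datetime(2013, 11, 6, 11, 0), *BKK, 20000),
]
ALLOWED = {"card-A": {"TH"}, "card-B": {"TH", "GB"}}

if __name__ == "__main__":
    for txn, why in review(SAMPLE, ALLOWED, daily_limit=20000):
        print(txn.card, txn.when.isoformat(), txn.country, txn.amount, why)
```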

It is completely unacceptable that banks are not paying the damage. It is the Thai banks that are 50 years behind the rest of the civilised world. No matter if we are talking cheques that are not in use in any other country except for that other backwater the US but also the magnetic strips on ATM cards. The magnetic strip should have been replaced long time ago with a chip. Europeans for instance going to countries like Thailand will have to ask permission to use their ATM cards and when they are back they have to replace them, such is the scale of skimming in Thailand. It is like paying with a credit card in Malaysia 20 years ago, it renders any card useless within days.
