
38 people's SCB bank accounts hacked


webfact


I don't understand why all banks, in Thailand and around the world, don't adopt the ATM chip card that is utilized by Bangkok Bangkok. So far, there is no way that this card can fall prey to such scams. Seems to be an easy enough fix.


Does anyone know of a Wikipedia-type article showing a picture of the "skimming device"? In other words, how would one recognise it if it was there....?

Krebs on Security has lots of pictures and describes the process in good detail. The fixtures are cosmetically identical to the real ATM, often they are just a duplicate card slot that fits right over the true ATM slot. The end result looks identical to an unadulterated machine. I can't blame anyone for falling prey to this kind of thing.

http://krebsonsecurity.com/tag/atm-skimmer/

I often dance my finger around on the keypad, touching perhaps a dozen buttons. If recorded on video, it would be very very difficult to determine which button I actually depressed, and which I merely touched (at least I hope it would).


I don't understand why all banks, in Thailand and around the world, don't adopt the ATM chip card that is utilized by Bangkok Bangkok. So far, there is no way that this card can fall prey to such scams.

The EVM chip handshake can be intercepted by a nearby receiver, and the captured data can be used to make ordinary magstrip cards. While these cards may not work at chip & PIN-only ATMs, they'll work at the many many traditional strip reader ATMs that are still around, as well as at point-of-sale devices.

Petrol firm suspends chip-and-pin

Organized crime tampers with European card swipe devices

How secure is Chip and PIN?


(mowgus was faster :) )

What a crap of a newspaper report!!!

"accounts have been hacked", "ATM cards have been hacked":

Nonsense. Are these writers not able to use the correct description / wording?

One specific ATM machine at Tesaban Songkhro Road in Lat Yao sub-district of Chatuchak district has been manipulated with a skimming device.

ATM cards and PIN entries of users have been read.

Copies of the cards have been fabricated and used at Songkhla's Hat Yai district.

No sophisticated hacking of any kind.

Happens so often these days.

As long as the banks do not change to modern chip based ATM cards and readers this will go on.

Some banks (Bangkok Bank) have started with that.

How many people will falsely believe, that this has to do with cybercrime/internet banking?

Poor sensationalist piece of writing.

Whenever possible: use ATMs in well observed areas, within shopping centers, within bank branches.

Much less risk of a manipulated ATM machine.

Edited by KhunBENQ

I don't understand why all banks, in Thailand and around the world, don't adopt the ATM chip card that is utilized by Bangkok Bangkok. So far, there is no way that this card can fall prey to such scams.

The EVM chip handshake can be intercepted by a nearby receiver, and the captured data can be used to make ordinary magstrip cards. While these cards may not work at chip & PIN-only ATMs, they'll work at the many many traditional strip reader ATMs that are still around, as well as at point-of-sale devices.

Petrol firm suspends chip-and-pin

Organized crime tampers with European card swipe devices

How secure is Chip and PIN?

Very informative. Thank you. I guess what makes the Bangkok Bank card so secure is that it is bank specific. You can't use the card in other ATMs. While this can be a hassle for some people, I will go with the extra security it provides.


(mowgus was faster :) )

What a crap of a newspaper report!!!

"accounts have been hacked", "ATM cards have been hacked":

Nonsense. Are these writers not able to use the correct description / wording?

One specific ATM machine at Tesaban Songkhro Road in Lat Yao sub-district of Chatuchak district has been manipulated with a skimming device.

ATM cards and PIN entries of users have been read.

Copies of the cards have been fabricated and used at Songkhla's Hat Yai district.

No sophisticated hacking of any kind.

Happens so often these days.

As long as the banks do not change to modern chip based ATM cards and readers this will go on.

Some banks (Bangkok Bank) have started with that.

How many people will falsely believe, that this has to do with cybercrime/internet banking?

Poor sensationalist piece of writing.

Whenever possible: use ATMs in well observed areas, within shopping centers, within bank branches.

Much less risk of a manipulated ATM machine.

It's as much of a hack as this usage of the word:

http://www.dailymail.co.uk/news/article-2597518/5-year-old-finds-flaw-Xbox-Live-security.html


That's the reason I keep a minimal amount in the account linked to ATM card, just transfer as need, keep losses to a minimum, as you could never be sure the bank would reimburse you, even if you are not at fault. I trust banks as much as I would a Cobra,

regards Worgeordie

Me too. A little nuisance to have to go into the more often to manually transfer more funds to the account with the ATM but worth the nuisance for peace of mind.

On another banking item, I've been wondering about the safety / security of using internet banking in Thailand and specifically K bank.

Can any TV members share some specific experiences (good / bad / whatever) about this.

Thanks.



The skimmer device I found at a gas station just outside Amata Nakorn was on an SCB ATM - it was the same color as SCB livery and appeared to be attached to the card slot by a powerful magnet.

I went into the counter to tell them and was met with some of the dumbest stares I've ever encountered.

When I got back to the ATM a matter of a couple of minutes later, the skimmer was gone - unfortunately the person I asked to watch the ATM had started playing with their phone and didn't see a thing!

The device was placed on the ATM in the afternoon on a pay-day so there was little time to notify the bank. Although in my case, they re-opened their office, stopped my card and issued a new one ALL after hours.


I'm not aware of any Thai law or banking regulation that requires Thai banks to reimburse account/cardholders in these kinds of situations.

However, where there's an established hacking incident at a or some group of ATMs, I believe the Thai banks will tend to reimburse in those situations...where there's a group of victims.

That's a different situation, apparently, from where you alone as an individual have some problem, and they try to go to the bank. That's where we hear the repeated reports of customers getting ignored or dismissed or given the run-around.

That said, it would be interesting to know/hear if these victims really do get ALL their stolen funds back, and how long it takes. Normally, there's little if any media follow-up on these kinds of episodes.

Likewise, I also view with a grain of salt anytime I hear news reports talking about government agencies and corporations here being "responsible" for something, because rarely do they seem to actually take responsibility for what they're responsible for.

Like you, I don't know Thai laws. In the US, the bank would be liable.


That's the reason I keep a minimal amount in the account linked to ATM card, just transfer as need, keep losses to a minimum, as you could never be sure the bank would reimburse you, even if you are not at fault. I trust banks as much as I would a Cobra,

regards Worgeordie

Me too. A little nuisance to have to go into the more often to manually transfer more funds to the account with the ATM but worth the nuisance for peace of mind.

On another banking item, I've been wondering about the safety / security of using internet banking in Thailand and specifically K bank.

Can any TV members share some specific experiences (good / bad / whatever) about this.

Thanks.

I use the SMS service on my phone to top up direct from my Kasikorn a/c. I've been doing this for about 6 years with no problems at all......I've not bought a top-up card in all that time.


SCB has frozen the ATM cards of the 38 victims and will be responsible for the stolen money, he added.

Is this a first in Thailand?? Someone is actually doing the right thing!!!!!

No. It's been done many times in the past in such cases. In fact, as it looks like it was an ATM skimmer operation, SCB is not under any obligation to reimburse these losses as it's the cardholders who allowed their card numbers and PINs to be compromised.

This could of course be possible, but it is impossible to know until matters are exposed to being part of an ATM partnerships procedure, but it would not apply to all of the 38 financial ATM victims.

Edited by personchester

I heard on the news yesterday that Microsoft have stopped support and updates for WINDOWS XP.

Apparently this is the software used by many banks for ATMs and as such are now potentially more at risk from hackers etc... Could this be the first of many?

This is not correct. Microsoft have said several times that they will still support embedded XP system through to summer 2016. ATMs, medical equipment and other closed systems that run on embedded XP ARE still supported.


Here's a tip. The devices for skimming read the magnetic strip on the card as it is inserted. The pin number is captured by a pin hole camera on the device pointing towards the keypad. So always cover your pressing hand with the flat of the other - or (as I do) move your fingers around the pad in a pretence of typing and just hit the numbers (with different fingers) as you go - this way they will not be able to guess the number. I am paranoid after seeing these devices in action in the UK - and they are very well disguised!

Also, beware of temporary cash machines - ones that stand alone and are not cemented into the sides of buildings or in bank foyers. A British TV program set up a fake machine in London. Inside the box was a woman with a laptop connected to the simple device. People put in their cards, got the prompt, keyed their numbers and the machine just said "Sorry out of cash" etc - the lap top had captured all details direct from the fake machine! They of course destroyed the information after showing the individual people later that they had captured all their details! They set it up without permission from police or local authorities right in the heart of the busy West End - it sat there all day and then they dismantled it and left - no challenges from anyone.


Here's a tip. The devices for skimming read the magnetic strip on the card as it is inserted. The pin number is captured by a pin hole camera on the device pointing towards the keypad. So always cover your pressing hand with the flat of the other - or (as I do) move your fingers around the pad in a pretence of typing and just hit the numbers (with different fingers) as you go - this way they will not be able to guess the number. I am paranoid after seeing these devices in action in the UK - and they are very well disguised!

I think that's good advice. I've taken to doing that (covering my ATM fingers with the palm of my other hand) just as a matter of routine anytime and anywhere I use an ATM.

However, I believe, the crooks who do these kinds of things also have some kinds of equipment where, instead of or in addition to a pinhole camera, they're placing some kind of contact reader under or over the ATM's keypad to capture the keystrokes used.


Here's a tip. The devices for skimming read the magnetic strip on the card as it is inserted. The pin number is captured by a pin hole camera on the device pointing towards the keypad. So always cover your pressing hand with the flat of the other - or (as I do) move your fingers around the pad in a pretence of typing and just hit the numbers (with different fingers) as you go - this way they will not be able to guess the number. I am paranoid after seeing these devices in action in the UK - and they are very well disguised!

Also, beware of temporary cash machines - ones that stand alone and are not cemented into the sides of buildings or in bank foyers. A British TV program set up a fake machine in London. Inside the box was a woman with a laptop connected to the simple device. People put in their cards, got the prompt, keyed their numbers and the machine just said "Sorry out of cash" etc - the lap top had captured all details direct from the fake machine! They of course destroyed the information after showing the individual people later that they had captured all their details! They set it up without permission from police or local authorities right in the heart of the busy West End - it sat there all day and then they dismantled it and left - no challenges from anyone.

I was going to ask: can I assume this was a freestanding ATM machine? I avoid them like the plague, no matter how much farther I have to walk.

Skimming's been going on for many years now. Though not specifically an ATM issue, but very much involving banks everywhere, isn't the Heart Bleed Bug a much bigger worry at the moment? http://heartbleed.com/

Edited by hawker9000

I heard on the news yesterday that Microsoft have stopped support and updates for WINDOWS XP.

Apparently this is the software used by many banks for ATMs and as such are now potentially more at risk from hackers etc... Could this be the first of many?

This is not correct. Microsoft have said several times that they will still support embedded XP system through to summer 2016. ATMs, medical equipment and other closed systems that run on embedded XP ARE still supported.

Not what they are saying on the news.


I had mine done last year.

I received nothing from K-Bank.

Hope SCB show more leniency, as at the end of the day the machine in question belongs to them.

Fingers crossed.

That is when I see the police catch these gangs I would like to spit in their faces.

They are the lowest of the low.


I heard on the news yesterday that Microsoft have stopped support and updates for WINDOWS XP.

Apparently this is the software used by many banks for ATMs and as such are now potentially more at risk from hackers etc... Could this be the first of many?

This is not correct. Microsoft have said several times that they will still support embedded XP system through to summer 2016. ATMs, medical equipment and other closed systems that run on embedded XP ARE still supported.

Not what they are saying on the news.

I have heard this on the news several times also - however they have made statements that embedded will be covered until 2016. On further checking (for this reply) I got this:

Will all ATMs be vulnerable on April 8?

This gets a bit tricky. While the vast majority of cash machines run XP, some of those use a variant of Microsoft's operating system called Windows Embedded. The software is designed specifically for appliances and industrial machines, such as ATMs, cash registers and thermostats. One version of XP Embedded will lose support next week at the same time as the PC platform. Another will keep getting patches until Jan. 12, 2016.

So it depends which version the machine is running, and there's pretty much no way of knowing whether the ATM you're typing your pin into is at risk.

http://www.bloomberg.com/news/2014-04-03/six-things-you-need-to-know-about-atms-and-the-windows-xp-ocalypse.html

So, clear as mud then. Depends which version of Embedded XP is being used.


Here's a tip. The devices for skimming read the magnetic strip on the card as it is inserted. The pin number is captured by a pin hole camera on the device pointing towards the keypad. So always cover your pressing hand with the flat of the other - or (as I do) move your fingers around the pad in a pretence of typing and just hit the numbers (with different fingers) as you go - this way they will not be able to guess the number. I am paranoid after seeing these devices in action in the UK - and they are very well disguised!

Also, beware of temporary cash machines - ones that stand alone and are not cemented into the sides of buildings or in bank foyers. A British TV program set up a fake machine in London. Inside the box was a woman with a laptop connected to the simple device. People put in their cards, got the prompt, keyed their numbers and the machine just said "Sorry out of cash" etc - the lap top had captured all details direct from the fake machine! They of course destroyed the information after showing the individual people later that they had captured all their details! They set it up without permission from police or local authorities right in the heart of the busy West End - it sat there all day and then they dismantled it and left - no challenges from anyone.

I was going to ask: can I assume this was a freestanding ATM machine? I avoid them like the plague, no matter how much farther I have to walk.

Skimming's been going on for many years now. Though not specifically an ATM issue, but very much involving banks everywhere, isn't the Heart Bleed Bug a much bigger worry at the moment? http://heartbleed.com/

The temporary one they set up for the TV show was quite clever. They set up a flat-sided advertising column and had the ATM machine embedded into this "wall" - as it looked like it was in a wall (albeit a makeshift wall) - this gave the "technician" space to sit inside with the laptop comfortably - and I guess a camera crew also :) - all was makeshift and put up and removed in the same day with a small box van. With somewhere like London's West End (theatre land / restaurant and world famous shopping / Leicester Square etc) the footfall is massive and almost all of it passing trade - so people do not notice "new" ATM machines. It looked like it had been set up in The Strand, near Trafalgar Square (opposite from Charing Cross Train Station) - local workers would likely use banks along The Strand or in the station - so I guess mostly tourists and visitors get hit.


  • 2 weeks later...

Talk about hacking 38 accounts? ... It is not a major security breach. If hackers exploit a known security hole, they will gain access to a potentially unlimited number of accounts. So it actually seems like social engineering on these accounts; meanwhile ATM cards these days are immune from traditional hacking/cracking techniques.


  • 4 weeks later...

ATM skimming and credit card fraud aren't really the same thing. Someone who manages to get hold of enough of your personal info can do some pretty hair-raising things with your account, without even having to know the credit card no (like getting themselves added to the account, with their own card and number). 'Nothing to do with ATM skimming.

I never use ATMs in Thailand at anything but machines located at the actual bank branches, and so far 'haven't had any problems. (I also receive SMS texts whenever the card is used, which I like.)
