received a text from Bangkok Bank-hopefully a mistake

[orchidlady]

I am a Bangkok bank customer (passbook acct and atm/visa tied to that acct). I recieved a text message from Bangkok Bank at 2:36am last night saying "iPAY OTP for your secured payment...stated the code and gave a code reference". The only problem was I am not signed up for internet payments and I was deep asleep at this time (only saw it in the morning). I am out of town at a seminar and am concerned that someone is trying to access my account tied to my atm card.

I tried calling the bank and have been hung on on 3 times by the English line. I won't be back to Bangkok for a few days to go into my branch at Siam Paragon and there is not a lot of English spoken where I am locally so even if I could get to a branch here I don't think they could help me.

Has anyone had this happen to them? I have used my atm/visa card twice while away, to pay a hotel bill and withdrew money from another bank's atm=both one week ago. I'm checking to find a Bangkok bank atm so I can check on my balance.

[MJCM]

Go to any other Bangkok Bank in the country (no need going to your own branch) and let them see the SMS !!

6pm already so Hurry, but since your up-country I bet they are closed already, maybe try in a big mall in the area.

Edit : // SpElLing

Edited April 25, 2014 by MJCM

[Commander Tamson]

You are right - there's a good chance that someone somewhere has your card details and is / was trying to make a purchase with it. You don't have to be 'signed up' for internet purchases to use the card on-line. But you obviously are signed up for OTP - one time passcode. If you've kept the message it should have quoted the last 4 digits of your card somewhere. Check and you'll know for sure. Obviously however the OTP requirement stopped that particular transaction going ahead, but not all sites seem to require it. If the message you received definitely has the last 4 digits of your card on it, then never-mind the hassle and the fact your having difficulty contacting the bank's hotline, you'd be mad not to persist - your card may already be at its limit and your screwed. Cancel the card immediately !!!!!!!

[momtaz]

OTP = one time password, I am very familiar with this. since usig Kbank (cyber banking) for quite over than 5 years,

what is OTP procedure? when you want to transfer money to another account, you need to add the other bank acc to your list, therefore the bank needs to verify this transaction by sending you OTP by sms (4 digits) to confirm, and after this done, when you will transfer the money also the system will send you OTP sms,

so, as the abive mentioned, not only when to purshase online, it could be someone trying to add his bank account and move out your cash,

I do strongly urge you to rush to any of your bank branches at shopping malls or any, most the bank branches at the shopping malls are open on Sat / Sund, you need to show them the OTP sms to lock your cyber banking, and change your login details,

But, there is something stange in the matter, as for KBank, you will not be able to creat a cyber banking account online by yourself, you need to submit a copy of your passport, and show passbook, ATM, and provide your email, after few days they will send you a link, then you need to active it and set up your password etc, alos they have an excellent English speaking staff, they can help you at any time, for any issue, I wonder how possibly someone created this cyber banking acc online? I do believe Kbank has a better security measurment in this part,

mybe this scam linked with the big scam happened the last 2 weeks ago for SCB and Bangkok bank ATM,

[Farma]

mybe this scam linked with the big scam happened the last 2 weeks ago for SCB and Bangkok bank ATM,

A Dr friend nearly lost his money with that scam. They managed to transfer most of his money from one account into another account of his that had internet access. It was only when SCB contacted him asking why he wanted to withdraw such a large amount that he managed to stop it.

[JimGant]

"iPAY OTP for your secured payment...stated the code and gave a code reference"

The iPAY feature, tied to Verified by Visa (and the MC equivalent), is strictly added security for online purchases. It has nothing to do with Bangkok Bank's iBanking, which also uses OTPs for security, particularly when setting up 3rd party accounts. But, we're talking "iPAY," thus nobody is trying to set up a 3rd party account to transfer out money from your savings account.

And, if someone did, indeed, have your debit account number and PIN, it makes no sense that he would sign up for iPAY. Not belonging to iPAY doesn't preclude shopping online -- it just adds additional security for the card holder. Doubtful a thief would worry that another thief would try to steal his "new" account number. (And if, for some reason, he did sign up for iPAY, he'd have provided his, not the OP's, cell number. )

No. When you finally go to the bank to run this down, look for someone complaining about *not* receiving his OTP while online shopping early the other morning. Sounds like a few electrons have gone astray. (Or your "new" cell number is his "old" number, and he forgot to update his profile -- or didn't realize his number had expired and been reissued.....)

[JimGant]

If you've kept the message it should have quoted the last 4 digits of your card somewhere.

No, just a random ref number.

[wooloomooloo]

I wouldn't worry too much about a one time password text message. If someone is trying to hack your account then they should have been thwarted at that stage. I live in UK and make occasional transactions from my Bangkok Bank account and always have to complete with OTP to my mobile.

You can't complete the transaction without the OTP. I would advise to delete the text once and for all if you are certain that it wasn't generated through your own doing. Check your balance and move on if nothing's amiss and change your online password if you're feeling vulnerable.

Edited April 25, 2014 by wooloomooloo

[Thai at Heart]

Somoeone has hacked your internet login and is attempting to transfer some funds.

[JimGant]

Somoeone has hacked your internet login and is attempting to transfer some funds.

Before getting too carried away with conspiracy theories, please review what iPAY's OTP is all about:

Bangkok Bank’s Bualuang iPay provides extra security for online purchases. Every time you purchase online with your Bangkok Bank Credit or Be1st Debit card, Bangkok Bank will send you a unique, time-specific One Time Password (OTP) via SMS to your mobile phone – this password will be entered into the check-out page to complete your transaction.

The OTP helps to improve the security of your transaction – you will only ever be asked for an OTP when shopping with Visa or MasterCard-approved retailers.

....not sure how one could arrive at the conclusion that the OP's savings account (he probably doesn't even have a related iBanking account) is about to somehow be drained using an iPAY OTP....

[orchidlady]

I found a branch at a new shopping center by where I am. Even found an employee with excellent English-very shocked...she ran my account-someone had made two online purchases yesterday for about 6000 baht (the day the code was sent to me while sleeping). I have only bought from two of the largest online Bangkok deal sites using that card (spa deals, restaurant deals and an occasional shopping deal). My last was three weeks ago so the bank is investigating. I had my account shut down.

[MJCM]

You are lucky you found one open before 9 am, here the banks in shopping malls open after 10am and some even after 11am.

But lucky they got it sorted it out for you, but next time don't wait all day to sort this.

Sent from my iPad so Please excuse any typos

[slipperylobster]

above post are a solid warning. you have been compromised....perhaps somebody had viewed your card while you were sleeping? Don't worry about that.....change all your passwords and get a new pin....T\

A lady I knew had gambling debts that were obviously more important than my son and our relationship. All my bank data was compromised, and both my debit cards were missing. The police had 4 complaints of debt against her....

Downright scary...I stopped all banking activity for a year and went back to a mailed...paper check. After one year, I flew back to New York and started a new account.

Yes...it is bad.

[misterphil]

Whenever I transfer money from my Kasikorn online I get the OTP one time password too. Sounds like someone has acceess to your online banking. Do you have online banking? If not maybe someone has set it up without you knowing. If they have access to your online banking they can transfer all your money to another account. They just change the mobile phone number registered to your account. If you have a friend, get to an ATM and transfer all your money to their account just to be safe.

[lomatopo]

she ran my account-someone had made two online purchases yesterday for about 6000 baht

Since the OTP is required to complete the transaction, and the OTP was sent to your phone, I'm having a hard time understanding how the transaction could have been completed?

Further you have to proactively register for the iPay, and you have to register for the OTP SMS service.

If you could follow up with more details and the outcome that would be great.

[MJCM]

^ + 1

This is from the BBL iPay site - http://www.bangkokbank.com/BangkokBank/PersonalBanking/DailyBanking/CreditCards/BualuangiPay/Pages/default.aspx

No more memorizing – Instead of having to remember a password, a new OTP will be sent to you each time – this means that no-one else can copy and re-use your password; and it means that as long as you have your mobile phone in hand you can easily access your password.

and how to register for this, you need to Provide the required personal information for verification.

and to pay online it states

To confirm an online transaction, Bangkok Bank will send an SMS to your registered mobile phone containing a One Time Password. Enter this password to verify payment.

And I have no idea if it's possible to add 2 mobile nrs to an account. So maybe the OP should check with BBL if there is another phone nr added to the account.

Edited April 26, 2014 by MJCM

[slipperylobster]

Whenever I transfer money from my Kasikorn online I get the OTP one time password too. Sounds like someone has acceess to your online banking. Do you have online banking? If not maybe someone has set it up without you knowing. If they have access to your online banking they can transfer all your money to another account. They just change the mobile phone number registered to your account. If you have a friend, get to an ATM and transfer all your money to their account just to be safe.

It is with absolutely no difficulty that a 10 year old kid can download a keylogger which can start up as a hidden service in windows. It may even look like one of the hundre or more dll files in your system 32 folder....which...by the way, when opened, will delete itself and move to the temporary folder.

So what?

well, if you have used an internet cafe for banking, every key pressed has been recorded, the webcam snapped a shot of your face, your banking password has been saved...(yeah those are asterisks, but the keys have been logged already anyways.

forgot to say...if you need more security...or you feel like everything you put on an international wire is being scrutinized, go ahead and at least use the onscreen keyboard to enter passwords. you mouseclick on each letter. That sort of helps defy keyloggers.

Such is the sheer weakness of Microsoft Windows. Please use a Live Linux Distro that leaves no traces on the computer...even yours. Small learning curve, but maximum safety.

If you like, look at sites such as AutoIt forum. A simple programming language, that, at one time, was not detected as a virus or script. Now it is.

Windows is not for banking.

Edited April 26, 2014 by slipperylobster

[MJCM]

Windows is not for banking.

I tend to agree, but the problem is that for example one of my banks uses a Smart Card Reader system. No support for this under Linux/Mac, however for my Thai Banks, I use a Ubuntu Live CD.

[slipperylobster]

On screen keyboards...i forgot, a simple 5 minute program can become a substitute for windows on screen keyboard...looking almost identical the the real one. It renames the real one, pops up in it's place and records every key pressed anyways. Look at the immediate rewards for getting an email password. One can get on your account, and immediately change your password...thus locking you out. Now they send a new address to every addressee in you contact list.....perhaps notifications... so much info...and so easy. Literally thousands of interested people are cultivating the internet.

Read anything interesting ...even in the USA...about millions of accounts being compromised????

http://www.pcworld.com/article/2089780/16-million-online-accounts-probably-compromised-german-government-warns.html

[bangkokpoppys]

Whenever I transfer money from my Kasikorn online I get the OTP one time password too. Sounds like someone has acceess to your online banking. Do you have online banking? If not maybe someone has set it up without you knowing. If they have access to your online banking they can transfer all your money to another account. They just change the mobile phone number registered to your account. If you have a friend, get to an ATM and transfer all your money to their account just to be safe.

It is with absolutely no difficulty that a 10 year old kid can download a keylogger which can start up as a hidden service in windows. It may even look like one of the hundre or more dll files in your system 32 folder....which...by the way, when opened, will delete itself and move to the temporary folder.

So what?

well, if you have used an internet cafe for banking, every key pressed has been recorded, the webcam snapped a shot of your face, your banking password has been saved...(yeah those are asterisks, but the keys have been logged already anyways.

forgot to say...if you need more security...or you feel like everything you put on an international wire is being scrutinized, go ahead and at least use the onscreen keyboard to enter passwords. you mouseclick on each letter. That sort of helps defy keyloggers.

Such is the sheer weakness of Microsoft Windows. Please use a Live Linux Distro that leaves no traces on the computer...even yours. Small learning curve, but maximum safety.

If you like, look at sites such as AutoIt forum. A simple programming language, that, at one time, was not detected as a virus or script. Now it is.

Windows is not for banking.

Really fascinating topics - what is your view on Safari/Mac security?

[umbanda]

My opinion.

To have online access to your bank account, if not necessary, do not make sense with so many online "experts" in this world.

[Tchooptip]

On screen keyboards...i forgot, a simple 5 minute program can become a substitute for windows on screen keyboard...looking almost identical the the real one. It renames the real one, pops up in it's place and records every key pressed anyways. Look at the immediate rewards for getting an email password. One can get on your account, and immediately change your password...thus locking you out. Now they send a new address to every addressee in you contact list.....perhaps notifications... so much info...and so easy. Literally thousands of interested people are cultivating the internet.

Read anything interesting ...even in the USA...about millions of accounts being compromised????

http://www.pcworld.com/article/2089780/16-million-online-accounts-probably-compromised-german-government-warns.html

Would that works with Apple?

[slipperylobster]

Whenever I transfer money from my Kasikorn online I get the OTP one time password too. Sounds like someone has acceess to your online banking. Do you have online banking? If not maybe someone has set it up without you knowing. If they have access to your online banking they can transfer all your money to another account. They just change the mobile phone number registered to your account. If you have a friend, get to an ATM and transfer all your money to their account just to be safe.

It is with absolutely no difficulty that a 10 year old kid can download a keylogger which can start up as a hidden service in windows. It may even look like one of the hundre or more dll files in your system 32 folder....which...by the way, when opened, will delete itself and move to the temporary folder.

So what?

well, if you have used an internet cafe for banking, every key pressed has been recorded, the webcam snapped a shot of your face, your banking password has been saved...(yeah those are asterisks, but the keys have been logged already anyways.

forgot to say...if you need more security...or you feel like everything you put on an international wire is being scrutinized, go ahead and at least use the onscreen keyboard to enter passwords. you mouseclick on each letter. That sort of helps defy keyloggers.

Such is the sheer weakness of Microsoft Windows. Please use a Live Linux Distro that leaves no traces on the computer...even yours. Small learning curve, but maximum safety.

If you like, look at sites such as AutoIt forum. A simple programming language, that, at one time, was not detected as a virus or script. Now it is.

Windows is not for banking.

Really fascinating topics - what is your view on Safari/Mac security?

I have not seen many Macs in Internet Cafes....possibly because of their costs. Mac Operating system is much more secure but the browser/router security is the same. Bank pages are encrypted...the problem is only the pa hssword security, and personal security questions. My input has more to do with Microsoft Windows, and their software.

Possibly leaving Network Sharing in the "on mode" when using wifi at airports may allow people to view your document folders or spreadsheet files. I was naive enough to save all my passwords in one place, as I had so many. Now I use keepass.

Routers with WEP only for security are very much open to being aircracked. It would take many hours to get the password. WPA2 is good.

[Tchooptip]

My opinion.

To have online access to your bank account, if not necessary, do not make sense with so many online "experts" in this world.

Banks are not equals as far as security is concern, with HSBC premier,since August2013, to access my bank online I need or my IPhone with a dedicated software or a little box my bank provided me.

I enter my 8 figures password in the telephone program, then receive back a 6 figures password, that works only 10 seconds, to enter in my computer, then only can I access my account.

But if I wish to make any operation like transferring money, back to the telephone not the same program not the same 8 digits password, for receiving another 6 digit password working again only 10 seconds. I do not know if it is perfect but certainly more difficult to crack!

[slipperylobster]

On screen keyboards...i forgot, a simple 5 minute program can become a substitute for windows on screen keyboard...looking almost identical the the real one. It renames the real one, pops up in it's place and records every key pressed anyways. Look at the immediate rewards for getting an email password. One can get on your account, and immediately change your password...thus locking you out. Now they send a new address to every addressee in you contact list.....perhaps notifications... so much info...and so easy. Literally thousands of interested people are cultivating the internet.

Read anything interesting ...even in the USA...about millions of accounts being compromised????

http://www.pcworld.com/article/2089780/16-million-online-accounts-probably-compromised-german-government-warns.html

Would that works with Apple?

I think Apple is less a target. Windows is just so bloated with registry items and dlls..... They have been around on computers long enough for people to hack away. I would say anyone who had an apple computer and wanted to whip up an executable file could do the same. One step further, are scripts running in JAVA on websites. and Adobe Flash. For instance, the sites that can turn on your webcam/voice (they do request your permission). A good Security program installed would tell you. Unfortunately, sometimes they can be turned off. For example...this site turns on your webcam (with permission)http://www.boostcam.com/

Edited April 26, 2014 by slipperylobster

[slipperylobster]

My opinion.

To have online access to your bank account, if not necessary, do not make sense with so many online "experts" in this world.

Banks are not equals as far as security is concern, with HSBC premier,since August2013, to access my bank online I need or my IPhone with a dedicated software or a little box my bank provided me.

I enter my 8 figures password in the telephone program, then receive back a 6 figures password, that works only 10 seconds, to enter in my computer, then only can I access my account.

But if I wish to make any operation like transferring money, back to the telephone not the same program not the same 8 digits password, for receiving another 6 digit password working again only 10 seconds. I do not know if it is perfect but certainly more difficult to crack!

Mine has a choice of doing that with my phone, or just answing security questions that only I am supposed to know...these are random questions from information I never even gave my bank. Like an address at a Box Location I used for only 2 months about 25 years ago. I had to rack my brains to come up with the answer to that. Anybody who worked with me would know. Crazy stuff. I wonder where they dug up all that info. I have had at least fifty addresses in my career. Computer generated from some puzzle palace somewheres. I still need a password after all those questions. But better than before.

[TallGuyJohninBKK]

From the details provided by the OP thus far, it sounds like her ATM/debit card data has been compromised, skimmed, etc... And someone else was trying to use her card data to make some online purchases. But when they did so, it triggered the bank's system to send the IPay OTP to her mobile phone.

Presumably the scammer(s) wouldn't have known that the OTP feature was enabled when they tried to make the purchases.

[TallGuyJohninBKK]

.she ran my account-someone had made two online purchases yesterday for about 6000 baht (the day the code was sent to me while sleeping).

Did the two fraudulent online purchases get debited from your BKK Bank account, even though presumably you never entered in the SMS-sent OTP code that was sent to your mobile? Or they were attempted but rejected for lack of the OTP?

Did you check to see if there was any second phone number added to your account, or if someone had changed the registered mobile number to one other than yours?

[lomatopo]

Did you check to see if there was any second phone number added to your account, or if someone had changed the registered mobile number to one other than yours?

In my limited experience with BBL, there is only one, single mobile number associated with the SMS features. And to change the phone number, required an in-person visit to the branch associated with my account with ATM/Visa debit card, passbook, passport, and the signing of many, many copies.

The OP has mentioned being currently out of town for a seminar, so maybe the card was skimmed during this trip? And also said...

I have only bought from two of the largest online Bangkok deal sites using that card (spa deals, restaurant deals and an occasional shopping deal). My last was three weeks ago so the bank is investigating.

So maybe it was compromised from one of these "Bangkok deal sites"?

Still hard to figure how an on-line purchase was completed without the OTP, hopefully the OP will share all the background, details, etc.

[fletchsmile]

I found a branch at a new shopping center by where I am. Even found an employee with excellent English-very shocked...she ran my account-someone had made two online purchases yesterday for about 6000 baht (the day the code was sent to me while sleeping). I have only bought from two of the largest online Bangkok deal sites using that card (spa deals, restaurant deals and an occasional shopping deal). My last was three weeks ago so the bank is investigating. I had my account shut down.

Please let us know how you get on with the investigation, and who bears the loss.

You shouldn't be bearing the loss if you have acted reasonably. The bank has procedures as part of its investigation, and if you've acted reasonably you should be fine.

Cheers

Fletch

Edited April 26, 2014 by fletchsmile