received a text from Bangkok Bank-hopefully a mistake

[JimGant]

Still hard to figure how an on-line purchase was completed without the OTP, hopefully the OP will share all the background, details, etc.

The OP was apparently signed up for iPAY, but doesn't recall doing so. The thief was fortunate in his first two purchases, in that the merchants hadn't subscribed to Verify by Visa (VbV), thus no SMS OTP sent to the OP. But the third time *did* hit a VbV merchant, triggering the OTP.

The OP might want to subscribe to the below SMS service when she gets her new Be1st card:

Receive a free and fast notification whenever more than 1,000Bt is spent using your Be1st Visa Debit card or Bangkok Bank credit card, and when your credit card payment is due. Enroll free today!

[ggt]

Scary stuff...banking...anywhere...has become the criminal elements heist of choice...can not be too careful...

[HooHaa]

above post are a solid warning. you have been compromised....perhaps somebody had viewed your card while you were sleeping? Don't worry about that.....change all your passwords and get a new pin....T\

A lady I knew had gambling debts that were obviously more important than my son and our relationship. All my bank data was compromised, and both my debit cards were missing. The police had 4 complaints of debt against her....

Downright scary...I stopped all banking activity for a year and went back to a mailed...paper check. After one year, I flew back to New York and started a new account.

Yes...it is bad.

very, very subtle. of course we all live your lifestyle and make similar poor choices.

[TallGuyJohninBKK]

The OP might want to subscribe to the below SMS service when she gets her new Be1st card:

Receive a free and fast notification whenever more than 1,000Bt is spent using your Be1st Visa Debit card or Bangkok Bank credit card, and when your credit card payment is due. Enroll free today!

Jim, where are you seeing the BKK Bank offer terms you mention above?

When I look at BKK Bank's home page, I see an SMS alert offer for account activity above 500 baht that has a free signup, but then, as always after a promo period, has a small 10 baht monthly fee charged by the bank.

http://www.bangkokbank.com/BangkokBank/PersonalBanking/DailyBanking/SMSAlerts/Pages/alert.aspx

It's also not clear from their description whether the SMS alert function would apply to ATM withdrawals. Normally, given those are protected by PINs, that wouldn't be an issue. But in these days of widespread ATM tampering and card skimming, even your PIN isn't necessarily safe/private anymore. If I was going to pay for this service, I'd want it to cover ATM withdrawals as well, especially here!.

It also seems from their terms and conditions that they're reserving the right to use this SMS service for marketing related purposes, even though the customer is already paying them for it.

14. The Applicant agrees that the Bank may keep, collect, use, disclose, or give personal information as well as other information of the Applicant to any person for the purpose of rendering this Service or as the Bank deems appropriate or deems beneficial to the Applicant for the purpose of receiving proposals on other services

Edited April 26, 2014 by TallGuyJohninBKK

[orchidlady]

I don't have internet banking with Bangkok Bank--that is why the notice was unusual. I use safari on a mac the rare times I have bought things online from 2 major restaurant, spa and product websites (TCD, G.....) but when I checked my accounts with those two I haven't bought anything in over 6 weeks. The vendor codes for the unauthorized charges were the same as a purchase I made on the first day of Songkran. I stayed in most of the time so it was either a restaurant or one of two supermarkets charges 2 weeks ago that matches the withdrawals made during the middle of the night. The bank is investigating they told me to wait 7-10 days. I will post what they answer to me.

[JimGant]

Scratching my head over the OP's assertion that she hadn't registered for iPAY. And maybe she hadn't .....maybe the thief did when he tried to buy from a VbV merchant.

Registration is mandatory if you wish to buy online from participating retailers. If not already registered, participating retailers will prompt you to register before you make any purchases. If you do not register for your Verified by Visa password, you can still easily shop at non-participating online retailers.

Ok, when prompted, the thief went thru the registration process. He already had all the pertinent info he needed, so why not? Look at the demo for registering:

http://www.bangkokbank.com/BangkokBank/PERSONALBANKING/DAILYBANKING/CREDITCARDS/BUALUANGIPAY/Pages/Demo.aspx

And look at the phone registration part:

6.1 Enter your mobile number in the “Enter a mobile phone number” field then click “Register Mobile No.” button.

6.2 Wait a moment. Bangkok Bank will send you One Time Password via SMS to your mobile number.

6.3 Enter the One Time Password you receive in the “SMS-OTP” field, and make sure the “OTP Ref.” is matched with the one showing on the screen before entering. In case that, you don’t receive the SMS, you can click the “Register Mobile No.” button again every 1 minute with maximum of three times.

Wow! The thief just plugs in his cell number -- and VbV purchases here we come.......

......except Bangkok Bank doesn't accept your registered cell number via online submission, at least with their iBanking process. You physically submit your cell number in person at the bank. And I bet so too with iPAY registered cell numbers. So, the thief tried to submit his cell number on the application, but it defaulted to the number on file against this account. Any other scenario -- like actually allowing the thief to hijack the OTP system, substituting his own cell number -- would put Bangkok Bank's security under a pretty harsh light. And that doesn't compute, as their security seems to be pretty darn good. Might need to reword their iPAY application form, however -- at least in the "Register a Mobile Phone Number" section.

Anyway, I love a good mystery -- when it's somebody else's money.

[Som wat]

When you return to your branch, change both the username and password of your online account.

[JimGant]

Jim, where are you seeing the BKK Bank offer terms you mention above?

John, go the page you reference, then click on "SMS Card Spending Alert." Assume this covers both POS and online spending.

Yeah, they're not real clear on which SMS service gives you an ATM heads up.... But one of them must -- maybe they consider an ATM transaction a "transfer." Dunno.

[JimGant]

I don't have internet banking with Bangkok Bank--that is why the notice was unusual.

iPAY is not iBANKING. You can have iPAY without having an online account with Bangkok Bank.

When you shopped online, were you, by any chance, redirected to the registration page for VbV (akin to my example in above post)?

[Thai at Heart]

Somoeone has hacked your internet login and is attempting to transfer some funds.

Before getting too carried away with conspiracy theories, please review what iPAY's OTP is all about:

Bangkok Banks Bualuang iPay provides extra security for online purchases. Every time you purchase online with your Bangkok Bank Credit or Be1st Debit card, Bangkok Bank will send you a unique, time-specific One Time Password (OTP) via SMS to your mobile phone this password will be entered into the check-out page to complete your transaction.

The OTP helps to improve the security of your transaction you will only ever be asked for an OTP when shopping with Visa or MasterCard-approved retailers.

....not sure how one could arrive at the conclusion that the OP's savings account (he probably doesn't even have a related iBanking account) is about to somehow be drained using an iPAY OTP....

Well, the very reason you would receive a OTP is because someone is carrying out a transaction that requires an OTP.

Unless of course the OP is having an out of body experience and has done it himself but doesn't realise is, or someone has by accident given the OPs mobile number as the number to send someone elses OTP to.

It can't be drained since there is normally a limit for internet banking, but if o received a message of an OTP for my account to my phone for my account , I would assume someone had tried to make a transaction. That means the OTP has perfectly performed its security requirement.

It still.means however, someone has access to the account via internet.

[TallGuyJohninBKK]

Jim, where are you seeing the BKK Bank offer terms you mention above?

John, go the page you reference, then click on "SMS Card Spending Alert." Assume this covers both POS and online spending.

Yeah, they're not real clear on which SMS service gives you an ATM heads up.... But one of them must -- maybe they consider an ATM transaction a "transfer." Dunno.

Ahhh.... that's weird... I hadn't caught that distinction before.

BKK Bank has FOUR different kinds of SMS alerts (look at the menu at the top left of the webpage), including one keyed to a person's account (labeled SMS Account Alert), the other keyed to a person's debit or credit card (labeled Card Spending Alert).

It looks like the account SMS alerts, relating to payments and transfers, have the 10 baht per month fee, but as Jim noted, it looks like the card-based SMS alerts, relating to card-based purchases, are free.

Re the card based alerts, the language they use is, you'll get an SMS when:

"1,000Bt or more is spent with your Be1st debit card"

That kind of sounds like they mean via a purchase. Perhaps it also could mean "spent" via an ATM withdrawal, but it's hardly clear that they include that from their language.

http://www.bangkokbank.com/BangkokBank/PersonalBanking/DailyBanking/SMSAlerts/Pages/alert.aspx

Edited April 26, 2014 by TallGuyJohninBKK

[jcnbkk]

Jim, where are you seeing the BKK Bank offer terms you mention above?

John, go the page you reference, then click on "SMS Card Spending Alert." Assume this covers both POS and online spending.

Yeah, they're not real clear on which SMS service gives you an ATM heads up.... But one of them must -- maybe they consider an ATM transaction a "transfer." Dunno.

Ahhh.... that's weird... I hadn't caught that distinction before.

BKK Bank has FOUR different kinds of SMS alerts (look at the menu at the top left of the webpage), including one keyed to a person's account (labeled SMS Account Alert), the other keyed to a person's debit or credit card (labeled Card Spending Alert).

It looks like the account SMS alerts, relating to payments and transfers, have the 10 baht per month fee, but as Jim noted, it looks like the card-based SMS alerts, relating to card-based purchases, are free.

Re the card based alerts, the language they use is, you'll get an SMS when:

"1,000Bt or more is spent with your Be1st debit card"

That kind of sounds like they mean via a purchase. Perhaps it also could mean "spent" via an ATM withdrawal, but it's hardly clear that they include that from their language.

Man I'm confused. OK, back to the top of the page and read it over again..

[TallGuyJohninBKK]

I'm trying to decipher the upshot of the OTP info on the BKK Bank's IPay webpage:

http://www.bangkokbank.com/BangkokBank/PersonalBanking/DailyBanking/CreditCards/BualuangiPay/Pages/default.aspx

They start off by saying:

Every time you purchase online (emphasis added by me) with your Bangkok Bank Credit or Be1st Debit card, Bangkok Bank will send you a unique, time-specific One Time Password (OTP) via SMS to your mobile phone – this password will be entered into the check-out page to complete your transaction.

But then shortly thereafter, they appear to then limit it to only websites that are Verified by Visa or MasterCard SecureCode-registered. So clearly you need the IPay OTP info sent by SMS to complete online transactions at those two kinds of websites.

So, what then about all the potential websites that are NOT registered with VBV or MC SC???

The card scammer/thief can proceed to make fraudulent online purchases without triggering any OTP....and the cardholder wouldn't even know, unless they'd previously registered for the SMS card-based alerts and the fraudulent purchase exceeded 1000 baht. And then, it would only be after the first fraudulent charge had been made???

Or, someone who's registered for IPay and then using the card for an online purchase at a non-VBV or MCSC website would still get an SMSd OTP triggered by the online purchase, but obviously wouldn't be required to enter it order for the transaction to be completed???

Either way, it seems there's a pretty big loophole to be exploited in the event some crook gets ahold of your debit card information.

[fletchsmile]

I'm trying to decipher the upshot of the OTP info on the BKK Bank's IPay webpage:

http://www.bangkokbank.com/BangkokBank/PersonalBanking/DailyBanking/CreditCards/BualuangiPay/Pages/default.aspx

They start off by saying:

Every time you purchase online (emphasis added by me) with your Bangkok Bank Credit or Be1st Debit card, Bangkok Bank will send you a unique, time-specific One Time Password (OTP) via SMS to your mobile phone – this password will be entered into the check-out page to complete your transaction.

But then shortly thereafter, they appear to then limit it to only websites that are Verified by Visa or MasterCard SecureCode-registered. So clearly you need the IPay OTP info sent by SMS to complete online transactions at those two kinds of websites.

So, what then about all the potential websites that are NOT registered with VBV or MC SC???

The card scammer/thief can proceed to make fraudulent online purchases without triggering any OTP....and the cardholder wouldn't even know, unless they'd previously registered for the SMS card-based alerts and the fraudulent purchase exceeded 1000 baht. And then, it would only be after the first fraudulent charge had been made???

Or, someone who's registered for IPay and then using the card for an online purchase at a non-VBV or MCSC website would still get an SMSd OTP triggered by the online purchase, but obviously wouldn't be required to enter it order for the transaction to be completed???

Either way, it seems there's a pretty big loophole to be exploited in the event some crook gets ahold of your debit card information.

John I suggest you give it a rest. As usual you dont have a clue what you are talking about. You ve no real experience of these things.

Your interpretations and assumptions and guesses based solely on what you read on the website just add to the misinterpretations and confusion. Doesnt help anyone jumping to conclusions like you do.

Closest to reality are Jim s posts. But there is so much rubbish on this thread it s past redemption and unlikely to be useful to anyone.

All I d really be interested in is whether OP lost out or not. The answer should be no. If not she should pursue.

The rest of the thread just has so much rubbish and misinformation even someone from BBL would take hours to correct.

Cheers

Fletch

Sent from my GT-I9152 using Thaivisa Connect Thailand mobile app

[TallGuyJohninBKK]

Man I'm confused. OK, back to the top of the page and read it over again..

It IS confusing, and unfortunately, BKK Bank doesn't help by, at least as far as I can see late in the night today, not even making ANY mention of the SMS Alerts function anywhere on the main part of its main Be1st VISA debit card webpage. And not even any link to sign up for the SMS alerts on the detail page for its Be1st debit card.

But regarding the different SMS alerts:

--the account-based SMS alerts seem to be chiefly triggered by activities like transferring funds between different accounts or having checks deposited.

http://www.bangkokbank.com/BANGKOKBANK/PERSONALBANKING/DAILYBANKING/SMSALERTS/Pages/alert.aspx

--the debit card-based SMS alerts seem to be triggered by using the card for purchases over a certain amount.

http://www.bangkokbank.com/BangkokBank/PersonalBanking/DailyBanking/SMSAlerts/Pages/SMSspending.aspx

You can sign up for either, or both. But they each cover different kinds of activities.

[lomatopo]

Still hard to figure how an on-line purchase was completed without the OTP, hopefully the OP will share all the background, details, etc.

The OP was apparently signed up for iPAY, but doesn't recall doing so. The thief was fortunate in his first two purchases, in that the merchants hadn't subscribed to Verify by Visa (VbV), thus no SMS OTP sent to the OP. But the third time *did* hit a VbV merchant, triggering the OTP.

The OP might want to subscribe to the below SMS service when she gets her new Be1st card:

Receive a free and fast notification whenever more than 1,000Bt is spent using your Be1st Visa Debit card or Bangkok Bank credit card, and when your credit card payment is due. Enroll free today!

Bolding is mine, and I think this seems the likely scenario.

One can make on-line and PoS purchases with a BBL Be1st Visa Debit Card, without registering for iPay, assuming the merchant does not utilize Verified by Visa.

Registering for iPay allows one to utilize the VbV process.

It seems like anyone could register your credentials for iPay, at least as I understand the potentially flawed registration process (any mobile for the registration OTP-SMS - I did not step through this registration). But, hopefully, the VbV OTP-SMS is sent to the mobile number associated with your account.

Does anyone know if Bangkok Bank offers an ATM-only card?

Is it possible to disable any (PoS, on-line) Visa transactions with a BBL Be1st Visa debit card? Or to limit the usage with VbV merchants only?

I have never used my BBL Be1st (Smart/chipped) Visa for an on-line, or PoS purchase. Can anyone describe the process? Do I have to provide my PIN? Is my identify verified?

It seems like, if you were to lose - or have your details lifted - the potential for fraud/loss is significant. Yes, I understand that SMS alerts would provide notice of activity but by that time it is probably too late.

Edited April 27, 2014 by lomatopo

[TallGuyJohninBKK]

Does anyone know if Bangkok Bank offers an ATM-only card?

Is it possible to disable any (PoS, on-line) Visa transactions with a BBL Be1st Visa debit card? Or to limit the usae with VbV merchants only?

I have never used my BBL Be1st (Smart/chipped) Visa for an on-line, or PoS purchase. Can anyone describe the process? Do I have to provide my PIN? Is my identify verified?

Loma, I recall we've had this same discussion in a different prior card fraud thread in the past.

Yes, a Be1st Cardholder can disable the POS function on their card by setting the daily POS limit amount to zero. You might think that could be done via online banking where other similar settings exist. But apparently instead you have to call in to BKK Bank and use their automated phone system to go to card limits, and then POS to make the change.

It's been a while, but as I recall, when you use the automated phone system, it will ask you for your full card number and then ATM PIN number in order to gain access to the system.

So effectively, your card becomes an ATM only card. But the nice thing is, even if for only a few minutes to make an online purchase, you always have the ability to reset the POS amount to function, and then go back and reset it to zero again.

When you set the POS amount to zero on a Be1st card, I believe that effectively disables its use for online purchases (as well as in-person swipe and sign transactions.)

After dealing with a prior card fraud thread just like this one, I reset my Be1st card to disable the POS function and I leave it that way. If I ever need to make an online purchase, I call in and enable the function. Then as soon as the purchase is completed, I call back to disable POS again.

Not sure....but in the past, I believe BKK Bank used to offer just a regular ATM only physical card, but I don't think they do any longer.

[TallGuyJohninBKK]

If Jim's theory is correct, and the IPay OTP system only works/is triggered with websites that are VBV or MC SC enabled, that would seem to leave a lot of room for online purchase fraud.

From a cardholder security perspective, it certainly would be of interest to understand with certainty how the OP here, apparently, had two fraudulent online debits lodged against her account and then got a OTP SMS that she says she never did anything to trigger or use.

If this above is correct, I'd be interested to understand why the OTP function only seems to exist for certain kinds of online transactions, but not all.

I have an account with a different Thai bank, and in order to use their online banking to pay ANY bill, I'm required to use their OTP system before I can complete the payment. No choice, no settings, no options. It's simply baked into their system.

So if a bank can do that for bill pays, could they not also do that for online transactions??? Not where you'd have to enter the OTP into the merchant's website, but instead, where you'd have to enter it into the bank's online banking system -- before the purchase would be cleared... Dunno, maybe that's not possible.

[lomatopo]

Yes, a Be1st Cardholder can disable the POS function on their card by setting the daily POS limit amount to zero.

Thanks.

IVR sequence

1333 call center

2 English

3 be1st+other card services

2 change daily limit

3 Inquire about daily limit

then you enter the card number and 4-digit PIN.

My daily limit was/is zero baht, as far as I know I never changed it; so not sure if that is the default setting?

I guess I should try a PoS transaction to see if it is really set to zero.

FWIW, there is an IVR selection to change the PIN (4 digit). Hopefully they verify the current PIN first.

Edited April 27, 2014 by lomatopo

[JimGant]

If this above is correct, I'd be interested to understand why the OTP function only seems to exist for certain kinds of online transactions, but not all.

John, if the merchant hasn't signed up with VbV (or the MC equivalent), when you enter your card number for an online purchase, it does not trigger the VbV 'next layer of security,' i.e., enter a password. And, yes, it certainly does "seem to leave a lot of room for online purchase fraud" (but only in the sense that security is reduced back below the extra layer introduced by VbV). This extra layer of security actually favors the merchant, not you the cardholder -- and they have to pay for it. And some won't.

And it can be troublesome from other aspects. If you haven't signed up your card with your issuer for VbV, merchants participating in this program can -- and do -- refuse you. Look at this travel thread:

http://www.flyertalk.com/forum/credit-card-programs/1092103-capital-one-verified-visa-online-purchases-overseas.html

Wow. I have a Capital One Quicksilver Visa credit card, but searching on their website when I log in for "Verify by Visa" draws a blank. And, I buy my airline tickets to/from Thailand online with my Cap One Visa card -- most recently 3 mos ago on Qatar airlines. But with no problem. However, if asked to register for VbV with Cap One, I'm not sure I could..........at least based on the flyertalk article. ( I did buy online 3 years ago a ticket with Turkish airlines, using my USAA Visa card, unregistered with VbV. No problem.)

(Sorry for the thread creep. However, the above would be nonsensical on a new thread without the context of previous entries.)

[TallGuyJohninBKK]

Thanks JIm...

I guess I'm partly taking offense that what I perceive to be a falsely inflated sense of security that the BKK Bank website seems to suggest relating to OTPs... particularly, their language about "every time you purchase online..." you'll get a OTP.

Well, as they later detail below, it isn't quite EVERY time someone attempts an online purchase with their card. It's just SOMETIMES.

How many cardholders delve into the guts and details of all this? People will tend to think, OK, I've signed up for OTPs.. and I'm protected... Well, not quite.

[TallGuyJohninBKK]

My daily limit was/is zero baht, as far as I know I never changed it; so not sure if that is the default setting?

No, I don't believe the BKK Bank default setting for POS transactions is set to off/disabled... I believe it's set to enabled, perhaps 50,000 a day or something like that.

From my recollection of the prior bank card fraud thread where we had a similar discussion, you had at least indicated back then that you were setting your POS to off then.

[lomatopo]

you had at least indicated back then that you were setting your POS to off then.

Nope, never did it. At least I've never used the 1333/Call Center before.

I might have made this change/request in person when I got my new chipped Be1st card, and changed my mobile number? But I don't think I did then either.

The good news is that my PoS is set to zero, now I just have to confirm that by trying a purchase.

[TallGuyJohninBKK]

Just as an aside, relating to U.S. credit cards, I had an interesting discussion the other day about the typical call-in activation process when you get a new or updated card.

For all my cards, normally, they arrive with a sticker asking you to call in from your home phone, enter the card number and then usually some item of personally identifying info, like the last four digits of your SSN.

Well recently, I had one of my replacement cards go missing in the mail. So I was talking to the bank staff about that, and I asked whether I could keep the same account/card number for the replacement card they were going to mail. And I said that because, I presumed, no one else could actually use my credit card if it had gotten lost/stolen in the mail, because the thief wouldn't know any of my personally identifying info.

And to my considerable surprise, the bank CSR told me that that kind of activation is only required for SOME kinds of uses of the credit card. And that for other kinds of uses, a thief could actually use the un-activated card to make some kinds of transactions, having absolutely none of my personal information except for the mislayed/misdelivered/stolen card.

I had never heard that before. I had always assumed an un-activated card would be useless -- without going through the activation process. But the CSR told me that was wrong. So, that made having to settle for a new card account number go down a little easier.

[Travel Dude]

OP, you really do not seem to be a very smart person

[TallGuyJohninBKK]

Reminded by this thread of the problems that can arise with bank card fraud and security, I spent some time this afternoon checking that my BKK Bank card's daily POS (Point of Sale) purchase limit was still set to zero, and making sure my wife's card likewise was set to zero for POS purchases, as well as activating the card-activity (purchases) SMS alerts for her account.

In the process of doing that, I was reminded via BKK Bank's automated telephone system that the LOWEST daily ATM cash withdrawal limit you can set for their debit cards is 50,000 baht per day. So if someone somehow (a skimmer/thief) does happen to get a hold of your card info and PIN number, they can drain your account by up to 50,000 baht per day via two or three back-to-back ATM withdrawals, assuming your balance is large enough.

There doesn't appear to be any means to restrict the per day ATM cash withdrawal use of the card any lower than that -- other than by keeping a sufficiently low balance in any card-linked account.

[orchidlady]

Travel Dude I would love an explanation of your assinine comment. I was out of town teaching a seminar from early morning to evening. There were numerous problems with the room(which for reasons unknown to me had to change every day for 6 days), acoustics, and more crap not germaine to this issue which i have no control over. My first priority was to the 200 seminar attendees i was being paid to teach. I tried calling at lunch and got disconnected 3 times. I found a bank Usually everything is arranged by my university. Due to personnel change we were just told to go do it without any support.

I contacted the bank as soon as I could when the seminar was over. The money was taken out of my account. I don't use the card much except for withdrawing cash at atm bank so I wasn't sure when it was last used other than during the past week. I have never signed up for internet banking. When i first got my account I did not have a work permit. When i got one never bothered to sign up for internet banking. The account is frozen the card has been cancelled.

[JimGant]

So if someone somehow (a skimmer/thief) does happen to get a hold of your card info and PIN number, they can drain your account by up to 50,000 baht per day via two or three back-to-back ATM withdrawals, assuming your balance is large enough.

Yeah, but only if you haven't replaced your old non-chip card with the Be1st "smart" Debit/ATM card. Fraudsters can duplicate on a bogus plastic card your magnetic strip data. But not your chip data. So, if such a bogus card were manufactured, the fraudster would get a "no can do" 'cause the account's ATM function has been setup to only work with a "smart" card. Only if the fraudster stole your card -- and also knew your PIN -- would there be problems. But skimmers don't usually double as robbers.

Zero out your debit POS option, and you should be pretty darn secure with your Be1st "smart" Debit/ATM card.

Use a US Visa card to do your 'card present' POS shopping (Visa USA has superior protections) -- Cap One's Quicksilver seems today's best choice, with no foreign transaction fee, and 1.5% cash back on everything.

For online, I've used "Shopsafe," which I had with MBNA, and which remained when Bank of America took them over. It generates an artificial account number and CVV number, and you pick expiration date and $ceiling. Thus, you're sending online card data that, besides $ceiling and expiration, also becomes tied to only the first merchant you use it with. All this, of course, is tied to your real account of your Visa credit card -- but this data never surfaces during online shopping.

Bank of America sucks when it comes to their Debit/ATM cards -- but their array of credit cards, particularly their award varieties, are pretty competitive. Their Travel Rewards Visa card has no foreign transaction fee, and gives 1.5 points per dollar. This is nice for travel awards -- if that's your thing -- but if you want cash rewards, this only translates to .9 per dollar. Quicksilver is better -- but doesn't have a Shopsafe feature.

From all on this thread, not overly impressed with VbV and iPAY. My biggest worry is that, when I next buy an airline ticket online, I'll be stymied because the airline subscribes to VbV -- and insists I do too. But there's nothing that says my account data is better protected when I shop with a VbV merchant........so I'm not rushing out to sign up. (Unfortunately, I can't use the protection of "Shopsafe" when I buy an airline ticket online -- I have to use a real account number on a card I can physically produce at check-in.)

[TallGuyJohninBKK]

Just to see, I did the signup process today for BKK Bank's IPay service with Verified by Visa for my Be1st Visa debit card -- the mag strip kind, not the "smart" chipped kind.

I do believe, a person needs to use their debit card number and PIN number to gain access to the registration system. But once you've done that, I believe you can select whatever mobile number you choose for those SMS alerts. It didn't seem to be fixed to the mobile number that may already been associated with one's bank account.

Meanwhile, it will be interesting to see how the whole planned rollout by the various Thai banks of chipped debit cards occurs under the Bank of Thailand's direction over the next year or two. The news reports I've seen have talked about when they plan to start, but I haven't seen much about how long the transition is expected to take, nor whether it will be a collective/interoperative system, or one where each bank's chipped cards will only work with their own ATMs. I'd love to hear/know more about those plans.

[orchidlady]

OK, I do use verified by visa so I had signed up for iPay (I thought this was internet banking which I have never had with BKK Bank). In the past I have made maybe 1 purchase a month using verified by visa.

UPDATE: This morning when I woke up, I had received another message giving me another OTP code for a purchase requested at 5:00am...sleeping again. I immediately called the bank, gave the prior investigation code number and was told "someone probably made a mistake entering their phone number....just wait until the bank calls you" I said yes, just wait until all the money is taken from my account? The online center can't check whether the money was taken. She said i could go into a branch to find out. The only problem is I am teaching 12 hours all day until 8 PM and leave tomorrow AM to go to another 7 day seminar upcountry. I did find out the vendor where the charge was put through. It is an European travel website--never heard of it and used it for booking air ticket.

Another poster had mentioned maybe the account was comprimised while i was traveling. I stayed at a hotel in Chiang Mai for 3 days before going to the seminar location upcountry. I did pay my account with the visa debit card. When I get back the second week of May I can go into my branch and get more answers.