
BOT tells banks to tighten IT security


webfact


BOT tells banks to tighten IT security
The Nation

BANGKOK: -- The Bank of Thailand yesterday asked all commercial banks to tighten IT security and be ready to cope with any invasion of their online services, while continuing close monitoring.

Recently, some commercial banks received an email from an unknown person from a foreign country, threatening to target their network and overwhelm their online services with traffic, which could affect their Internet services.

Tongurai Limpiti, a deputy governor at the central bank, said the central bank and commercial banks focused on risks to the information technology system of each commercial bank, adhering to customer data security and precision, and a system ready for continuous use.

The central bank also asked all commercial banks to have measures in place if such a situation arises so as to lessen the impact on their customers.

Four Thai banks received an email from an anonymous group, demanding payment in Bitcoins and threatening cyberattacks, a source from the IT industry said on Wednesday.

The hacker group called itself "Armada Collective", the source said.

Nothing happened today, an executive of one of the banks said on Wednesday.

Swiss hosting providers reportedly received a similar threat in September. In the email, the group demanded payment of 20 Bitcoins (approximately US$6,000 or Bt210,000). It also specified the deadline and said if payment was not made by then, the hosting providers would see all servers crashed. The payment rate would go up by 20 Bitcoins every day, it warned.

In the email, it also instructed the receivers not to contact the media or they would face permanent attacks.

The Thai Bankers Association, which was expected to issue a statement on the hacker matter on Wednesday evening, has made no move so far.

Meanwhile, only one commercial bank revealed that it had received an email threatening its online service.

In a related development, the Education Ministry website has also been attacked by hackers, the latest among Thai state agencies to be targeted. Education Minister Dapong Ratanasuwan yesterday said the attack took place on Wednesday night and the problem had been solved.

Earlier, the websites of the Information and Communication Technology Ministry and Defence Ministry were targeted in a hacker attack.

Source: http://www.nationmultimedia.com/business/BOT-tells-banks-to-tighten-IT-security-30271912.html

-- The Nation 2015-10-30

Link to comment
Share on other sites

I read yesterday that some hackers had threatened to launch an attack on the Thai banking system.

I wouldn't be surprised if there is a major attack on Thai banks some time soon, which will expose the shoddy attitude towards internet and IT security here.

Isn't the whole ATM network said to be run on Windows XP or something? And it's a copied version of Windows at that!

Link to comment
Share on other sites

Yes, they are in dire need of IT security awareness. One example from today:

I got an email from my Bualuang securities adviser regarding some promotion. She had emailed to her clients directly with all email addresses in copy visible to everyone else!! I kindly made her aware of their own privacy statement in which it clearly says that they will not disclose any personal information without prior consent.

She apologized quite quickly and promised to take me out of her public mailing list. But this apparent lack of privacy concern is very discomforting.

Link to comment
Share on other sites

Firewall. That's what it's all about. They need to invest in a reliable firewall. Not making online banking a nightmare for customers, like getting prior approval if I want to transfer money from my account to another. If the money is in my bank, why do I need to make a trip to my branch first to get a bloody approval instead of doing it online straight away?

Link to comment
Share on other sites

Well, most of their login process for online banking isn't exactly foolproof.

Is the login process to online banking massively "secure", complex, and unbreakable in your country of origin or is it simple and user friendly?

Fair to say, nothing is unbreakable, but SCB is a simple username password. The bank I use here is multilayered, has unique pictures to evade phishing sites and a key fob to generate a code.

I am no expert but, it would seem far more secure. What do you think?

Link to comment
Share on other sites

Well, most of their login process for online banking isn't exactly foolproof.

What was the color of your first car? What day and month and year were you married (can never remember this one)? What is the name of your 3rd child by your 2nd wife? Name your 1st wife's boyfriend. There, that should solve the problem.

Link to comment
Share on other sites

Well, most of their login process for online banking isn't exactly foolproof.

Is the login process to online banking massively "secure", complex, and unbreakable in your country of origin or is it simple and user friendly?

Fair to say, nothing is unbreakable, but SCB is a simple username password. The bank I use here is multilayered, has unique pictures to evade phishing sites and a key fob to generate a code.

I am no expert but, it would seem far more secure. What do you think?

Provide a link to this bank. I will read what they have to say about security and then give an opinion.

Link to comment
Share on other sites

Well, most of their login process for online banking isn't exactly foolproof.

Is the login process to online banking massively "secure", complex, and unbreakable in your country of origin or is it simple and user friendly?

Fair to say, nothing is unbreakable, but SCB is a simple username password. The bank I use here is multilayered, has unique pictures to evade phishing sites and a key fob to generate a code.

I am no expert but, it would seem far more secure. What do you think?

Provide a link to this bank. I will read what they have to say about security and then give an opinion.

A link to my bank? Try just about any of the domestic British banks or any offshore ones you like.

Link to comment
Share on other sites

PCI Scan of the Online Banking and Merchant transaction pages shows all but 1 to be non-compliant with PCI standards. Man-in-the-middle attacks here are most easy, and add to that the skimmers at Central World Shopping center department shops... It's much worse than you think... Who has paid a Central Department shop and seen them putting your credit card number hand typed into the PC? This POS terminal is not PCI approved and/or doesn't meet the requirements at all and is not encrypted. Millions of cards are on the deep web from Thailand for sale from just this alone!

Link to comment
Share on other sites

Well, most of their login process for online banking isn't exactly foolproof.

Is the login process to online banking massively "secure", complex, and unbreakable in your country of origin or is it simple and user friendly?

My Spanish bank issues me with a personal security keys card.

A matrix of numbers columns 1-10 against rows A-J.

The cross points have numbers.

Each card is randomised and unique.

My card is tied to my account.

If I want to change my card I go into the bank and ask for a new one.

When making transactions I must enter the codes from two cross points.

This is in addition to the usual user name and password.

Link to comment
Share on other sites

Well, most of their login process for online banking isn't exactly foolproof.

Is the login process to online banking massively "secure", complex, and unbreakable in your country of origin or is it simple and user friendly?

My Spanish bank issues me with a personal security keys card.

A matrix of numbers columns 1-10 against rows A-J.

The cross points have numbers.

Each card is randomised and unique.

My card is tied to my account.

If I want to change my card I go into the bank and ask for a new one.

When making transactions I must enter the codes from two cross points.

This is in addition to the usual user name and password.

One of my U.S. credit unions implemented such a card/matrix system to log onto online banking about 5 years ago....it only lasted about 6 months before they aborted it because so many customers did not like it....the credit union reverted back to just User Name and Password to log on.

Link to comment
Share on other sites

Password-free logins are now the norm. You install an app on your phone and when you try to log into your online banking it sends a message to your mobile asking you to enter the password and if it's you. Microsoft and others started this KEY system a while back but it's now catching on. So you attempt to login and then you have to approve the login from your mobile.

Link to comment
Share on other sites

Does anyone know if the Government guarantees customers against bank run outs, like they are currently reducing in the UK? And ain't that a cynical move, but don't worry! All is well.

Yes - mentioned in many threads in banking section. Currently 25m baht but supposed to reduce to 1m baht (I think sometime next year) - but many think this may be delayed - again

Edited by topt
Link to comment
Share on other sites

Having worked in IT for 35 years, I fully agree with the BOT. The proper security they're talking about is not to do with complicated passwords or code cards at all.

I'd like to see the Thai Banks using extended validation (EV) certificates to ensure security between the online users and the Banks. As long as you're using Firefox or Chrome, you can see what I mean by following this link: https://online.tsb.co.uk/personal/logon to a UK Bank's logon. The URL in the browser's address bar turns green to indicate when the connection is secure. I'm pleased to note that Kasikorn has now swapped over to using EV but not all Thai Banks have yet.

For a full techie explanation if you're interested, see here: https://www.grc.com/fingerprints.htm

I was shocked when I found out about Microsoft's deviousness and stopped using Internet Explorer immediately. I'm now a convert to Firefox.

Link to comment
Share on other sites

On several hackers' blogs you can find instructions for hacking almost every ATM. Especially the old ones they're having in Thailand still running on an illegal Windows XP or ME version. I will not say if I have tested it !!! But believe me... Easy to hack the ATMs in Thailand.

Hacking bank's servers, just have to ********* the database and you can access every account..

Link to comment
Share on other sites

I think action by all of them to minimize skimming would be a good target.

It is all too frequent. Many years ago all ATMs were planned to be replaced by chip reader types instead of magnetic strips.

Never seemed to happen.

Link to comment
Share on other sites

Well, most of their login process for online banking isn't exactly foolproof.

Is the login process to online banking massively "secure", complex, and unbreakable in your country of origin or is it simple and user friendly?

One of them uses a small key-fob which generates a code required for access and some transactions.

I recall I complained about it as overly complex when first introduced.

Subsequently they have produced a simpler, secondary option, more restricted login ability.

The other is exactly the same as my Thai bank.

I believe the security lies in what transactions internet banking will permit, especially transfers to a new 3rd party, which they make more stringent.

Problem is I have too many passwords and login IDs in my life!

Edited by jacko45k
Link to comment
Share on other sites

Well, most of their login process for online banking isn't exactly foolproof.

Is the login process to online banking massively "secure", complex, and unbreakable in your country of origin or is it simple and user friendly?

One of them uses a small key-fob which generates a code required for access and some transactions.

The other is exactly the same as my Thai bank. I believe the security lies in what transactions internet banking will permit, especially transfers to a new 3rd party, which they make more stringent.

Well the bank I have in Thailand simply has a username and password. That's it.

Link to comment
Share on other sites
