
Thai banks urged to beef up security in wake of cyberactivism


webfact


Thai Banks Urged to Beef Up Security in Wake of Cyberactivism
By Teeranai Charuvastra
Staff Reporter

Graphic: Colin / Wikimedia Commons

BANGKOK — Anxious about the possibility of looming cyberattacks, Thailand's banking association today called on its members to improve security measures and end the culture of data secrecy.

The call from the Thai Bankers’ Association came after it saw government websites taken down by a crude but effective assault late last year by technically unsophisticated activists protesting the junta’s plan to gain control over internet traffic. That was followed by more advanced and successful attacks by members of a borderless hacking collective known as Anonymous.

At Wednesday’s news conference, Yos Kimsawate, an association security expert, cited the October denial of service attack as the worst to hit the kingdom in recent years.

“The most serious case has to be the DDoS launched by the activists to protest the Single Gateway,” said Yos, who heads the association’s security unit.

Although the Distributed Denial of Service is among the most basic hacking tools available, it revealed vulnerability in the state’s online infrastructure and encouraged foreign hackers to target the Thai banking system, Yos said.

Full story: http://www.khaosodenglish.com/detail.php?newsid=1453890476&typecate=06&section=

-- Khaosod English 2016-01-28


Bangkok Bank central branch, where access to all system accounts on computers by staff, is still operating Windows XP. If it wasn't so serious I would deem it comical!

My understanding is that the maximum amount of money insured is only about $10K US. Then again, I wouldn't want to have to hire a Thai attorney to go chase it either. With the dollar so strong one wants to convert but the risk is security.


I have only 1 online savings account in Thailand and would never keep more than 10000 baht in that account.

The security for logging in to Thai bank online accounts is weak to say the least, only requires a user name and password to sign in whereas my UK online account requires 5 different processes to sign into my account.


The laws for prosecution of cyber attackers are desperately in need of big reform, and these scum should be jailed for life or executed. They do not even have the guts to go into a bank and rob it, all done from the safety of their laptop computers. Malicious hackers, like ISIS, should be eradicated, since nothing will stop their gutless antics :) Maybe a daily TV program showing them getting their just rewards :)


Bangkok Bank central branch, where access to all system accounts on computers by staff, is still operating Windows XP. If it wasn't so serious I would deem it comical!

My understanding is that the maximum amount of money insured is only about $10K US. Then again, I wouldn't want to have to hire a Thai attorney to go chase it either. With the dollar so strong one wants to convert but the risk is security.

Correction. I misspoke. I was told that the maximum insured is 1,000,000 baht which is about 30K US, which is close to the minimum amount needed for a visa renewal (8000000 baht). Still, a very small amount compared to US banks which was 500K.

Edited by SCARLETIBIS1

If the online security is as good as the physical security I see at all Thai branches, with money in a few drawers etc. often being counted out by the hundreds of thousands, it's just laughable... I'm surprised there aren't more bank robberies.


Start with scrapping the Windows XP I think most of your computers are running on. Get proper firewalls and an updated virus program, but you're still not safe.

They also need to hire real IT professionals who can read and understand English. The almost security bulletins and updates/patches that come out are not in Thai language and most of these guys do not keep up to date on security measure, largely because they cannot understand any English (among other reasons). Windows based servers are notoriously insecure and must be kept locked down. Users must have social media and other insecure applications blocked and must be trained on the various methods of social engineering, which dupes many into giving away sensitive information. Ideally, these machines need to be running UNIX/LINUX based server software and not only firewalls installed but also software that alerts Admins to "door knob rattling" (attempts to hack in).

Part of the problem is that IT is not the best paid profession in Thailand and therefore isn't very attractive, as a profession, for the best and brightest.


I have only 1 online savings account in Thailand and would never keep more than 10000 baht in that account.

The security for logging in to Thai bank online accounts is weak to say the least, only requires a user name and password to sign in whereas my UK online account requires 5 different processes to sign into my account.

Me too. However, I was told recently at Immigration that I should have my requisite 400K (for marriage visa) in my Thai account rather than my international bank account here because international banks don't use bank books (book banks?). Even after giving them a signed and stamped print out of my bank activity from the Thai branch of the international bank, they fussed and recommended I put money into the Thai bank. No <deleted> way.


I have only 1 online savings account in Thailand and would never keep more than 10000 baht in that account.

The security for logging in to Thai bank online accounts is weak to say the least, only requires a user name and password to sign in whereas my UK online account requires 5 different processes to sign into my account.

Me too. However, I was told recently at Immigration that I should have my requisite 400K (for marriage visa) in my Thai account rather than my international bank account here because international banks don't use bank books (book banks?). Even after giving them a signed and stamped print out of my bank activity from the Thai branch of the international bank, they fussed and recommended I put money into the Thai bank. No <deleted> way.

I have a Sterling account and a Baht account with the same Thai bank, and Immigration are happy to accept both. The Sterling account doesn't issue a bank book but monthly statements. Three of those make the Immigration happy.


Bangkok Bank central branch, where access to all system accounts on computers by staff, is still operating Windows XP. If it wasn't so serious I would deem it comical!

My understanding is that the maximum amount of money insured is only about $10K US. Then again, I wouldn't want to have to hire a Thai attorney to go chase it either. With the dollar so strong one wants to convert but the risk is security.

Correction. I misspoke. I was told that the maximum insured is 1,000,000 baht which is about 30K US, which is close to the minimum amount needed for a visa renewal (8000000 baht). Still, a very small amount compared to US banks which was 500K.

Yea right, and could you imagine what it would be like trying to claim compensation in Thailand? If the bank goes or money stolen by hackers you may just as well write it off.

The best security is to not have too much money accessible in Thai online accounts.


They need to go to a Unix based operating system

Why do you think they haven't?

There are people here who think the banks are running their countrywide networks on XP, which would be a heck of a trick worth a worldwide write-up, but why do you think they aren't on a Unix system?


The laws for prosecution of cyber attackers are desperately in need of big reform, and these scum should be jailed for life or executed. They do not even have the guts to go into a bank and rob it, all done from the safety of their laptop computers. Malicious hackers, like ISIS, should be eradicated, since nothing will stop their gutless antics :) Maybe a daily TV program showing them getting their just rewards :)

'phantomfiddler'... What a great name for a cyber scammer... ;)


They need to go to a Unix based operating system

Why do you think they haven't?

There are people here who think the banks are running their countrywide networks on XP, which would be a heck of a trick worth a worldwide write-up, but why do you think they aren't on a Unix system?

I know that my bank's internet banking uses Windows from response headers, mainly ASP.NET session & cookie information (and old as crap flash banner ads - hooray for security) so I would assume that the backend would be using IIS/ASP.NET endpoints as well, for account transactions.


Bangkok Bank central branch, where access to all system accounts on computers by staff, is still operating Windows XP. If it wasn't so serious I would deem it comical!

Hits and misses there Your Highness. Might I suggest that educating the staff about how computers work, would be incumbent on them understanding how the internet works. This would enable them to get round the country's firewall and they'd spend their whole day watching bang bang movies, and would be more distracted than usual.


I have only 1 online savings account in Thailand and would never keep more than 10000 baht in that account.

The security for logging in to Thai bank online accounts is weak to say the least, only requires a user name and password to sign in whereas my UK online account requires 5 different processes to sign into my account.

Me too. However, I was told recently at Immigration that I should have my requisite 400K (for marriage visa) in my Thai account rather than my international bank account here because international banks don't use bank books (book banks?). Even after giving them a signed and stamped print out of my bank activity from the Thai branch of the international bank, they fussed and recommended I put money into the Thai bank. No <deleted> way.

I have a Sterling account and a Baht account with the same Thai bank, and Immigration are happy to accept both. The Sterling account doesn't issue a bank book but monthly statements. Three of those make the Immigration happy.

Lucky for you. At Samut Prakarn Imm. they balked until we kicked up a fuss. They wanted a statement ON THE DAY of visa application which is impossible to do, since my branch is downtown BKK. I gave them an updated statement from the day before with more than enough to cover the minimum balance but they still fussed. I will probably drop 400K in the Thai account two months before the visa date and hope nobody hacks me. LOL.


Bringing a website down (which is all a DDoS can do) does not mean your account data has been accessed and is more inconvenient than dangerous.

And a single gateway would not prevent it happening.

But, better 'spend' a few billion pretending it does


They need to go to a Unix based operating system

They also need to hire real IT professionals who can read and understand English. The almost security bulletins and updates/patches that come out are not in Thai language and most of these guys do not keep up to date on security measure, largely because they cannot understand any English (among other reasons). Windows based servers are notoriously insecure and must be kept locked down. Users must have social media and other insecure applications blocked and must be trained on the various methods of social engineering, which dupes many into giving away sensitive information. Ideally, these machines need to be running UNIX/LINUX based server software and not only firewalls installed but also software that alerts Admins to "door knob rattling" (attempts to hack in).

Part of the problem is that IT is not the best paid profession in Thailand and therefore isn't very attractive, as a profession, for the best and brightest.

More than likely the banks are using mainframes at the back-end, probably IBM machines, possibly running UNIX-like operating systems. International-standard stuff.

Those mainframes will be dumping data overnight to data warehouses, possibly Microsoft SQL Server, which power the back-end of those ASP.NET websites.

The idea that they need to move to UNIX/Linux-based software is absurd to boost security. Microsoft Windows Server and SQL Server are standard platforms around the world and, like any operating system and application software, should be configured with security in mind. This applies to Linux and its software as much as Windows. If all your web developers are Microsoft trained then why re-invest in training them on a different platform? Better to spend the money on security training.


They need to go to a Unix based operating system

They also need to hire real IT professionals who can read and understand English. The almost security bulletins and updates/patches that come out are not in Thai language and most of these guys do not keep up to date on security measure, largely because they cannot understand any English (among other reasons). Windows based servers are notoriously insecure and must be kept locked down. Users must have social media and other insecure applications blocked and must be trained on the various methods of social engineering, which dupes many into giving away sensitive information. Ideally, these machines need to be running UNIX/LINUX based server software and not only firewalls installed but also software that alerts Admins to "door knob rattling" (attempts to hack in).

Part of the problem is that IT is not the best paid profession in Thailand and therefore isn't very attractive, as a profession, for the best and brightest.

More than likely the banks are using mainframes at the back-end, probably IBM machines, possibly running UNIX-like operating systems. International-standard stuff.

Those mainframes will be dumping data overnight to data warehouses, possibly Microsoft SQL Server, which power the back-end of those ASP.NET websites.

The idea that they need to move to UNIX/Linux-based software is absurd to boost security. Microsoft Windows Server and SQL Server are standard platforms around the world and, like any operating system and application software, should be configured with security in mind. This applies to Linux and its software as much as Windows. If all your web developers are Microsoft trained then why re-invest in training them on a different platform? Better to spend the money on security training.

What he said :-)
