Swift moves to protect against bank/phone fraud in wake of Bangkok man's 900K loss

[american12bthai]

A BETTER question is to how a BANK creditor can  get my GPS LOCATION with the help of a telecom company.    how?    

 

i can list about a dozen flaws in thai telecom and the various way to exploit it.  the one that blows my mind the most is them handing out your MAC. 

 

with that i can duplicate all your incoming data on your phone to my PC. 

[Peterphuket]

3 hours ago, deepcell said:

wow! really? Another day I was trying to update my phone number with Santander, and it was not possible, should be done in person in the agency. Wife transfer money from her account via phone call and all she was asked was her id number(idcard) and account password, she uses KrungThai Bank.

At SCB it is only possible to get another phone number noted for OTB, when you visit the bank, and bring yous passport with you.

And of course you can proof it is yours account.

[OMGImInPattaya]

2 hours ago, timewilltell said:

I think it may be helpful to understand the Thai mentality regarding fraud and blame here. As a victim of fraud myself where I had a 30 year lease cancelled and two businesses stolen through fraud I can tell you that it is incredibly easy. Not only that but the courts do not seem to want to lay responsibility on anyone.

 

To transfer land or cancel a registered lease or car you need a proxy. Anyone can be the proxy - as stupid as you like. A proxy is a simple form which is signed supposedly by the grantee and two witnesses. It is not signed by the person acting as proxy and the courts place NO responsibility on the proxy to check with the person giving it that the signature is correct. In fact no one has to check at all, nit even the land office  So anyone can write one up, transfer your land or cancel your lease. No one will be held  to blame unless the person receiving the property has not paid for it. And they will have long since disposed of the property or money to prevent you getting any back since they planned the feaud in the first place 

 

If it is a company is being transferred then in contrast to the land office you will need the proxy certified by a lawyer at least, that it is indeed the signature of the person giving the proxy and the lawyer verifies he has checked the identity and that the grantee has signed in front of the lawyer. In one court case the lawyer was found guilty as the proxy form was a fraud and in a second case in identical circumstances the court took the evidence of the lawyer admitting he did not witness the signature and deduced it was careless so not criminal despite a specific law covering professionals verifying forged documents.  This shows the importance placed on fraud and responsibility and countering fraud in Thailand and the weak attitude of the courts towards it.

 

The victim is not protected as responsibility is avoided by anyone pretty much regardless of circumstance with an ' I didn't know' defence. And even if you win the court case - which is horribly expensice - you can forget getting your costs and often even your court fees are not recoverable 

 

So I am not surprised that neither bank nor phone company feel responsible and feel they can just walk away and dump the mess at the victims feet. Not surprised he had to deminstrate outside police hq and expose phone company and Bank in a viral social media expose which is the only way the bank was persuaded to offer even partial compensation. 

 

Thailand simply does not care about fraud and makes little to no effort to bring criminals to justice, happy to leave the victims devastated.

I don't accept your underlying premise that Thai banks "[don't] care" about fraud nor take responsibility for the security of their accounts. Do you have any empirical evidence for this or is this just an opinion? I think it's just as much a responsibility for banks to protect themselves and their shareholders from fraud as well. I mean how easy would it be for me to give you my account information and for you to drain my account and then for me to run to the bank compaining that some "stole" all  my money and demanding to be reimbursed. Meanwhile you and I are relaxing at the Ritz-Carlton resort on Samui diving up the proceeds between us. This is just as likely to happen, maybe even more so, than people actually having funds stolen from their accounts.

[Peterphuket]

3 hours ago, Deepinthailand said:

True are rubish they don't care about customers just your money. I have moved away from all true products which are like there customer service rubish at best.

On the other side well done to the bank concerned.

Is there any bic company in Thailand who cares about there customer?

Please tell me, only one....

[Peterphuket]

13 minutes ago, OMGImInPattaya said:

I don't accept your underlying premise that Thai banks "[don't] care" about fraud nor take responsibility for the security of their accounts. Do you have any empirical evidence for this or is this just an opinion? I think it's just as much a responsibility for banks to protect themselves and their shareholders from fraud as well. I mean how easy would it be for me to give you my account information and for you to drain my account and then for me to run to the bank compaining that some "stole" all  my money and demanding to be reimbursed. Meanwhile you and I are relaxing at the Ritz-Carlton resort on Samui diving up the proceeds between us. This is just as likely to happen, maybe even more so, than people actually having funds stolen from their accounts.

OMGImInPattaya

Why O why, you don't leave????

[OMGImInPattaya]

26 minutes ago, Peterphuket said:

OMGImInPattaya

Why O why, you don't leave????

So it's true...you don't have any evidence...just unsubstantiated hearsay. I would suggest you're the one who should take a hike.

[off road pat]

7 hours ago, meatboy said:

police are waiting to interview the THEIF, shouldnt he be arrested?

They just want to give him more time to put the money in a safe place and flee......

[Shatian]

21 hours ago, jacko45k said:

No, True did not give any of his money to the thief, the bank did that. True reissued his SIM card to the thief without requiring to see his National ID card and he was able to use that. It was really a case of 3 parties being rather negligent, including the victim himself. You seem to presume the seller of a weapon is guilty of any crimes it is used in.

You are also wrong with this analysis. True has a fair share of the blame. All sim cards are registered now and one could not come claiming that his sim is missing and True issued him a new one without verifying if he is really the owner of that sim that he wants a replacement. Had True checked his ID, they would have known that the sim that he was requesting was not registered in his name-the thief of course. So True is at the genesis of the problem and should shoulder 90 percent of the losses. 

[Chicog]

A friend of mine was duped into filling out one of those fake tax forms a few years ago, and when I found out I told him to contact his bank immediately.

His bank had received written instructions to change his address and send new cheque book and cards, and the account had been emptied.

One of the cheques, I shit you not, was made out to "Mrs. Napoleon Kodogo" or something.

Anyway, the bank apologised, closed the accounts, opened new ones and replenished his funds.

A few weeks later, and I still shit you not, this very large High Street bank got another address change letter from the same crooks and the whole process was repeated!

 

In this case I don't think you can blame Kasikorn, although it's good that they've now realised that they aren't the only ones that can be exploited.

The weakest link in the chain, etc.

Edited August 23, 2016 by Chicog

[Shatian]

21 hours ago, captspectre said:

I would never trust true for anything and if there was another company in thailand that offered satellite service i would switch in a second! true is UBC with a haircut!

I think AIS does. I have AIS with a monthly bill about 550 baht and can watch Euronews, France 24, NHK, ASIA news or so, DWTV and a host of other channels in English including so many Thai channels. But Not CNN or Al Jazera anyway.

 

[rjwill01]

7 hours ago, Si Thea01 said:

 

Agree with you about the negligence aspect with two but I think you may be a little hard on the customer seeing we do not know the full extent of the circumstances surrounding the incident..

 

True issued the sim without proper procedures being followed.   There is also the possibility of employee involvement but like most reports, no one gives out concise information, however, despite this, it is an avenue of investigation that should be followed, if it has not been already.  This would alleviate any suspicions that might be aroused.  If everything is as stated then it is a  clear case of Negligence without any form of criminality being attached.

 

With the Bank, it allowed the password to be changed via telephoning their call centre and then then the entire account to be emptied without, it appears any checks undertaken to ensure the transaction was legitimate.  They have however, agreed to reimburse the customer, which one would believe they are duty bound to do. Hopefully, they have undertaken an investigation to ensure there was no involvement of their employee or customer.  Forgive my cynicism. Again, if everything is above board, then a plain case of negligence without any criminality attached. 

 

Thirdly, the customer.  Most Thais that I know and who are business people and others who are not, have the SMS alert, as I do.  Not knowing if the victim had this protection, it is hard to be critical of him but even if he did, he would not be able to prevent the total withdrawal if made in one transaction and approved by the Bank.  If he did not have this alert and there were a number of transactions, then I would say, at the very least, he was foolish but not negligent.  Again though, regardless of the circumstances he should be included in the inquiry in order to dispel any suspicions as to his possible involvement.  Sorry for being cynical.

 

 

In defense of the customer, he didn't do anything wrong. Even with the sms alert, it probably went to the thief for approval. 

[Jdietz]

7 hours ago, varun said:

Somebody please explain to me how the transfer of funds actually happened.

 

Correct me if I'm wrong:

 

The final frontier in the chain was the KBanking App.

 

1) The perp setup the app on his phone with the victim's credentials and initiated a transfer from the victim's account into his own.

2) The prerequisite to perform the above was that the app had to be 'bound' to the SIM card/number of the victim.
3) This is where the perp was able to get a new SIM card in the victim's name.

4) Since he presumably knew the victim's account number & account name, he requested a OTP from the bank

     to setup the app with the new SIM card.

 

Am I missing something here?

 

Almost.

 

1. Get the bank account number from your target, as well as the mobile phone number connected to that account (prereq)

2. Bluff your way into a new Sim card for said phone number. You can now receive OTPs (One Time Passwords) and messages from the bank

3. Go to online banking site to transfer money. To do so, you need a username and password. 

4. Bluff your way into the Bank's call center to reset the account's password. It will send instructions to your shiny new sim on mobile to verify it's "you"

5. Transfer money. Again an OTP will be sent but at this time that's meaningless.

6. Profit.

 

As you see with even basic security checks in place this should never be possible. (Step 2 and 4) and both have to fail for this to succeed.

 

[sambum]

8 hours ago, simon43 said:

 

 

 

Read the news report again.  It says 'Swift' (ie quick or rapid), not 'SWIFT'

 

 

 

Quite correct, but a bad choice of adjective by the author of the article  - surprised  if he doesn't get hit by a defamation suit!

[Si Thea01]

7 minutes ago, rjwill01 said:

In defense of the customer, he didn't do anything wrong. Even with the sms alert, it probably went to the thief for approval. 

 

I have to apologise, you are quite correct.

[Jonmarleesco]

'Kasikorn bank had already announced they would reimburse Phansuthee but True refused to do so ... ... They have offered the victim of the crime a phone and free calls for a year.' Perhaps an intensive social media campaign would change their minds.

 

'... police named the thief as Siam Theuangphon, a Ratchaburi native, and said that they will soon interview him in connection with the matter.' So he's in custody, awaiting interview? Or he's taken advantage of the advance notice? 

 

[oldlakey]

6 hours ago, Songlaw said:

Nice shooting. Unfortunately, among the typos, was an 'if.' So as of his writing, ezzra had not found himself eligible for the 'consolation prize.'

I see what you are saying Songlaw

I was thinking the double double it it was just for for emphasis  555555555

Ezzra I am glad you did not win the prize anyway 5555555555

Absolutely nothing to do with the typos just the money 55555555

[skippybangkok]

'Kasikorn bank had already announced they would reimburse Phansuthee but True refused to do so ... ... They have offered the victim of the crime a phone and free calls for a year.' Perhaps an intensive social media campaign would change their minds.

 

'... police named the thief as Siam Theuangphon, a Ratchaburi native, and said that they will soon interview him in connection with the matter.' So he's in custody, awaiting interview? Or he's taken advantage of the advance notice? 

 

The responsibility to keep your money safe lies with the bank.


Sent from my iPhone using Thaivisa Connect

[Tonawatchee]

14 hours ago, Somtamnication said:

" They have offered the victim of the crime a phone and free calls for a yea ".   TRUE should have paid the million, not Kasikorn. Or at least 50 50.

 

Maybe TRUE should be made to change their name to LIE for 1 year in addition to the 900,000 THB.

[skippybangkok]

 

Maybe TRUE should be made to change their name to LIE for 1 year in addition to the 900,000 THB.

Banks world wide are going toward voice biometrics being fully aware that it's not fool proof ( if you believe it's 100% accurate - your living in fairytale land ). Whether it's OTP, voice bio metrics or other security measures - it's solely the banks role to identify the risks. This is not the first sim swap fraud, and banks would not sue a telco cause they know there is no legal basis for it

It's all about convenience - risk balance. I am at scb and they are more strict




Sent from my iPhone using Thaivisa Connect

[free123]

21 hours ago, meatboy said:

police are waiting to interview the THEIF, shouldnt he be arrested?

well... maybe but not sure...remeber the guy holds 900000  bhat now if he agree to split with the cops 50/50 then they clear him from the crime and blame the whole thing on the burmese bank cleaner.....mai ben lai...never forget  in LOS ,same same but different = women looks same like evrywhere in the world but maybe at a certain body part you find a different situation....cops look same like everywhere in the world uniforms etc...but often they play a different game ...laws are there they seem to protect the citicen from the crime but maybe the different is they dont apply if you are one of the rich and powerful....and and and...

[Jonathan Swift]

What True corp is failing to see in the forest for the trees is the revenue loss due to bad press. So let them be cheapskates and throw a few crumbs at the guy, but they will lose millions in the long run

[jacko45k]

22 hours ago, pkspeaker said:

still dont understand what happened.. he got a new simcard as if the old phine card had been lost.. didn't the victims phone immediatly go offline, or rather cant they tell that the simcard is still responding to the network as the victims phone would still be on.. and what is this 'password'. when i wire money from a desk like that picture shows i need the passbook and my passport id... ?

Each bank has different procedures but in my case he would have to be able to get into internet or mobile banking (no mention how he did that) and then register a new recipient (which would need the OTP), and make a transfer to that new recipient account. Which again in my case would be for a limited amount being 'new'.

 

Obviously we are not being told the methodology, but it appears the thief, who was pretty smart, took advantage of  2 or 3 weaknesses in procedure and privacy and they added up to a direct access. A good lesson on discretion wrt bank cards, ID numbers and copies (immigration have it all) and setting transaction limits.

[skippybangkok]

What True corp is failing to see in the forest for the trees is the revenue loss due to bad press. So let them be cheapskates and throw a few crumbs at the guy, but they will lose millions in the long run

Think you better get a copy of the quarterly reports - the only one with declining revenues and subscribers for many quarters has been DTAC

Sent from my iPhone using Thaivisa Connect

[Moonlover]

22 hours ago, Hawk said:

 

Usually people keep the user name showing at all times, there is a little box that asks whether you want the machine to permanently remember your user name and password. If the password is not available then a simple request will have it sent to your mail box, as the crook had the same sim number then google, gmail or whatever will automatically connect to it.

Ok Hawk, I've put your notion to the test that a 'simple request' will result in my password being sent to me.

 

First I must contact my bank and furnish them with my name, my email address, my primary account number, my date of birth and my passport details. They, in turn will send me a 'temporary password', to enable me to access my on line account. (Given that I know the user name of course) I will then be able to choose a new password for my future use. Only then will I be able to fully access to my account.

 

Hardly a simple procedure wouldn't you agree and I'm sure that other banks will follow similar, stringent procedures.

 

None of the above information would be available on the new SIM that the perp obtained from True. There had to be collusion with other parties to enable him to access the victim's account. Maybe even with the victim himself, knowingly or unwittingly.

 

As I said previously, There's more to this than meets the eye.

 

And I also agree with other commenters that say that True is not responsible for the loss. Granted, they were slack in allowing the issue of the replacement SIM , but that's a different issue.

 

After all, if someone went into a petrol station and bought a can of fuel and then later used that fuel to mount an arson attack, you could hardly hold the petrol station responsible, could you.

[amrishtony]

Well, more than the bank its the fault of the phone company for not following their rules. So the phone company in question MUST compensate the victim as well. Not just with a year's of free phone service and a new phone.

[Hawk]

9 minutes ago, Moonlover said:

Ok Hawk, I've put your notion to the test that a 'simple request' will result in my password being sent to me.

 

First I must contact my bank and furnish them with my name, my email address, my primary account number, my date of birth and my passport details. They, in turn will send me a 'temporary password', to enable me to access my on line account. (Given that I know the user name of course) I will then be able to choose a new password for my future use. Only then will I be able to fully access to my account.

 

Hardly a simple procedure wouldn't you agree and I'm sure that other banks will follow similar, stringent procedures.

 

 

It really is not a difficult procedure at all, the guy already had the name, email address, bank account number, phone number, date of birth, address and ID number.  It takes about 20 minutes while you sit and drink your coffee.

[Moonlover]

38 minutes ago, Hawk said:

It really is not a difficult procedure at all, the guy already had the name, email address, bank account number, phone number, date of birth, address and ID number.  It takes about 20 minutes while you sit and drink your coffee.

Hawk, you are misinterpreting what I'm saying. I am not saying that he could not have obtained this info, clearly he somehow did. I am merely saying that the info could not have been obtained from the SIM and that collusion is likely.

[Huk]

On 8/22/2016 at 6:47 PM, Si Thea01 said:

 

Agree with you about the negligence aspect with two but I think you may be a little hard on the customer seeing we do not know the full extent of the circumstances surrounding the incident..

 

True issued the sim without proper procedures being followed.   There is also the possibility of employee involvement but like most reports, no one gives out concise information, however, despite this, it is an avenue of investigation that should be followed, if it has not been already.  This would alleviate any suspicions that might be aroused.  If everything is as stated then it is a  clear case of Negligence without any form of criminality being attached.

 

With the Bank, it allowed the password to be changed via telephoning their call centre and then then the entire account to be emptied without, it appears any checks undertaken to ensure the transaction was legitimate.  They have however, agreed to reimburse the customer, which one would believe they are duty bound to do. Hopefully, they have undertaken an investigation to ensure there was no involvement of their employee or customer.  Forgive my cynicism. Again, if everything is above board, then a plain case of negligence without any criminality attached. 

 

Thirdly, the customer.  Most Thais that I know and who are business people and others who are not, have the SMS alert, as I do.  Not knowing if the victim had this protection, it is hard to be critical of him but even if he did, he would not be able to prevent the total withdrawal if made in one transaction and approved by the Bank.  If he did not have this alert and there were a number of transactions, then I would say, at the very least, he was foolish but not negligent.  Again though, regardless of the circumstances he should be included in the inquiry in order to dispel any suspicions as to his possible involvement.  Sorry for being cynical.

 

 

With regards to the third point "the customer". He may well have SMS alerts ... which would go straight to ...... the new SIM card in the perp''s Phone! 

[Si Thea01]

13 minutes ago, Huk said:

With regards to the third point "the customer". He may well have SMS alerts ... which would go straight to ...... the new SIM card in the perp''s Phone! 

 

 

Yes, I responded to a similar post 22 hours ago and realised my error. maybe you should take a little time to read other posts and you would realise that.

[gdgbb]

On 23/08/2016 at 6:45 AM, dcnx said:

They gave 900,000b of his money to a thief, and the best they can do is offer him a free phone and usage for a year?

 

Did I read that right?

 

No, you didn't, True didn't give away any of the man's money.  He's already got his money back, should he be given more than he lost?