The big issue: Holey security in action

HITTING THE JACKPOT: Late New Zealand 'white hat' Barnaby Jack demonstrates in 2010 how to hack an ATM so it spews cash. (AP photo)
Cyber-thieves joined the tourist crowds to Thailand early this month and quickly jackpotted 12 million baht from 21 of the distinctive red Government Savings Bank ATMs in Bangkok and five provinces. And walked away with the money.

The thieves were (and maybe still are) on an Asian tour. Eight Taiwan banks got dinged in July for NT$70 million (about 76 million baht) and had to turn off 900 ATMs across the island. “Police are hunting for three men, identified as Russians” who quickly left town, a Taipei fishwrap reported.

Then came Thailand, attacked in the first week of the month, followed by panic. Surveillance video was similar in Taiwan and Thailand - apparently foreign men fiddling in front of ATMs, getting each to spew large numbers of bills from the safe inside each.

Jackpotting ATMs has been going on since a brilliant US-based hacker from New Zealand, Barnaby Jack, demonstrated in 2010 it could be done. He proved it at a hackers’ convention in Las Vegas, and the sight of currency floating out of an ATM as if it were a slot machine payout gave this type of hacking an obvious name.

Barnaby Jack hacks ATM at Black Hat (Video credit: YouTube user SecurityWeek Video Channel)

The whole criminal mess reeked of insecurity and insincerity. GSB covered up the theft for two weeks and then went public only because it had to explain why it was locking down half of its ATMs nationwide — 3,300 of 7,000 total. Then bank president Chartchai Payuhanaveechai said everything would be fine because ATM vendor NCR has software on hand designed to stop jackpotting. Terrific. So why wasn’t that software installed in an urgent update before the big hack attack?

All of this happened on the heels of a different sort of digital banking security campaign by the strangely power-hungry National Broadcasting and Telecommunications Commission. Without a shred of experience in security, the broadcast regulator and official censor leapt into the specialist niche subject of mobile banking security.

Specifically, NBTC’s always interesting chief Takorn Tantasith has developed a fingerprint app he wants you to: 1. Put on your mobile phone and 2. take to your mobile provider and 3. register your fingerprint there and 4. use that fingerprint instead of a mere password to do all your mobile banking.

This will go into the new edition of the book under “good ideas gone horribly wrong”, and not least because paying seven million baht to develop this app is a true moment of “Huh?”

There is a place for using fingerprints instead of passwords.

This isn’t it. For example, in the UK, fingerprints for banking are permitted only for owners of late-model iPhones, which store an encrypted “fingerprint of the fingerprint” deep in the operating system hardware. The bank explains how it re-encrypts this information and keeps it secure from even bank employees.

No UK bank allows a fingerprint app, for the good reason that it’s unsafe. Mr Takorn’s solution has more holes in its claim of Kevlar-quality security than an Olympics 10-metre pistol target.

Let’s bottom-line this. Here’s what happens if you follow the current “strong advice” from the NBTC. Every clerk of every branch of your phone company and bank already has your phone number and ID card (passport if you are not Thai). Name, ID details and phone number are three of the four details you need to set up and then use a mobile banking account.

Now, the fourth and final part, just because the NBTC wants you to. No, scratch that, because the NBTC strongly advises you to ditch your password, register your fingerprints at the phone company, where every clerk already can access all the other details needed to operate your bank account.

Is there a possibility that bank-account thefts will occur after the phone companies and the NBTC and all counter employees of your bank all have all four bits of information needed to operate the accounts? Along that same line, do you think the abbot of Wat Arun is a Buddhist?

One more thing. When you check your bank balance and find you don’t have one, that’s when you believe things can’t get worse, but they do. Because if you had a password and a thief got it and robbed you, you could at least change the password and regain your security.

Good luck changing your fingerprint.

Alan Dawson

Online Reporter / Sub-Editor

A Canadian by birth. Former Saigon's UPI bureau chief. Drafted into the American Armed Forces. He has survived eleven wars and innumerable coups. A walking encyclopedia of knowledge.