"The easy technique of downloading the paid LINE sticker with free of charge, just CLICK here." This post has been shared on Facebook.
One Facebook user, Sonthichai, wondered if it was really that easy and decided to check it out. He clicked and followed the instructions, step by step.
It started with, "Just change your ID from Thailand to Japan", which he did, and then filled in his username and password on the AppleID page.
The last step, according to the instructions given to him, was to wait for an email reply from Apple, but Sonthichai received none. He went to sleep and thought nothing more about it.
The next afternoon he got an SMS alerting him of a transaction worth 66,500 baht. He frantically called his bank to clarify that he had bought nothing, but the bank informed him that it involved the purchase of a 15-inch MacBook Pro with Retina display.
Much as Sonthichai tried to explain there had been a mistake, the bank was not convinced and his request to halt or void the transaction went unheeded. The bank informed him the transaction came with an Apple credit card number, so it wasn't their responsibility.
He then tried to log on to his AppleID, but his username and password were rejected. Only then did Sonthichai, a salaried worker, realise his AppleID had been stolen. The theft probably occurred the night he went to sleep without receiving an email reply after filling in his username and password on the AppleID page, unaware that he was dealing with a fake website.
Next, Sonthichai took his problem to Apple Singapore but was told his account was not registered in the system. He insisted he was the real ID owner and was put through to Apple's security division. It was able to track that there had been a name change, but he had to verify this himself by answering some questions. But before that, he was asked to repeat the verification code that Apple sent to his iPad, another of his Apple devices that he had registered with the company. Sonthichai gave them the code and the last digits of his credit card number. The entire process took more than two hours.
"I was so glad that my AppleID was back, so now I could access the system. I found there was a purchase order from Sonthichai, but the receiver was a different person, a Duangpon Sukari." While the bank refused to help or act to void the transaction, Sonthichai promptly took his case to the police.
"I don't know what technique the hackers use because I could do nothing to stop the transaction or cancel the purchase," he explained.
Half an hour after he was able to re-access his Apple account, he tried to log on again, but was denied access. At that moment he figured out that he had forgotten to change his "security" questions.
In the "Forgotten Password?" box, the hacker had changed his security questions, and replaced them with his own questions and answers. He contacted Apple again. "Your account has no credit card information," was the reply from Apple, and he could no longer use his four-digit number to verify himself. Now his AppleID as well as the security backup were completely in the hands of a crook.
"Apple said that I could guess the questions and answers five times and then let me have another AppleID. That's the only way they could help me, but how could I guess correctly something that I did not set?"
All the while, Sonthichai was busy at the police station, his case proving quite complicated for them. Some even refused to consider his case and asked him to gather more evidence. One night he decided to call Apple US, and was stuck with the same predicament.
"They suggested the only way out was to disable the account, and I said yes, definitely. But why didn't Apple recommend that to me in the first place?" said Sonthichai, adding that contacting Apple was not as easy as enjoying one of its devices.
Thereafter, he changed all passwords of his accounts with Gmail, Facebook and Twitter.
Sonthichai is not the first victim of Cloud computing fraud. Last May, a university student also lost his AppleID. He could not figure out when his account was hacked or how it was done.
Since 2006, internet banking hacking incidents in Thailand have increased from just one to 48 cases this year. The complaints were lodged with the ACIS Professional Centre at the pantip.com website.
Prinya Hom-anek, CEO of the centre, explained that if a victim unknowingly logs in or signs in on a fake AppleID page, all his personal data pertaining to credit cards, email address, notes, photos, everything that he put on the Cloud (iCloud in this case), will appear in real time on the hacker's side and the hacker can take complete control of the account.
In the case of Sonthichai, the fake AppleID page was apples.thmy.com, and the user did not notice that he was not on the correct website. To deal with the security side of AppleID, there are five questions. If you can answer two of them, you can then reset the system, and this is the weakness that opened up the system to the hackers.
Prinya explained that a username and password are no longer enough. Users must also be more aware of the "forgotten password" questions. If you make them too easy, they can be easily guessed by hackers, and all personal data you put in the account or on the Cloud can be stolen.
When using internet banking, users must examine the web page carefully and remember to check the URL: the correct one should be https://www.... which means it is the secured page of the banking website.
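An added example, not part of the original article: a small Python check of the two things the advice above depends on, the https scheme and the host name, applied to the fake page address reported in Sonthichai's case. The trusted domain apple.com and every sample URL other than apples.thmy.com are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: domains the user really holds accounts with.
TRUSTED_DOMAINS = {"apple.com"}

def check_login_url(url, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason) for a page that is about to receive a password."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https"
    # "https://appleid.apple.com@evil.example/" shows a trusted name first,
    # but the browser connects to the host after the "@".
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL hides the real host"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no host"
    # Punycode labels can render as look-alike characters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode host"
    for domain in trusted:
        # The host must BE the trusted domain or END with ".domain";
        # merely containing the brand name is not enough.
        if host == domain or host.endswith("." + domain):
            return True, "host is under " + domain
    return False, "host " + host + " is not under a trusted domain"

# Constructed sample URLs; only apples.thmy.com comes from the article.
SAMPLE_URLS = [
    "https://appleid.apple.com/",
    "https://apples.thmy.com/",
    "http://appleid.apple.com/",
    "https://appleid.apple.com@apples.thmy.com/signin",
    "https://apple.com.thmy.com/",
    "https://xn--pple-43d.com/",
]

def classify_samples(urls=SAMPLE_URLS):
    """Map each sample URL to its (ok, reason) verdict."""
    return {u: check_login_url(u) for u in urls}

if __name__ == "__main__":
    for url, (ok, reason) in classify_samples().items():
        print("ALLOW" if ok else "BLOCK", url, "-", reason)
```

Only the first sample passes: an https prefix alone does not make a page genuine, because the host name also has to belong to the real service.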
The revolution in technology has also made things easier for users of mobile apps. The internet banking app is built as an embedded programme on the device, so it does not show the URL. It is therefore the duty of users to be on guard whenever they do internet banking. Users should set a password to lock their smartphones, and not leave the device with others.
TECH THREATS INCREASE
"The electronic banking system typically takes advantage of customers," said Prinya, and suggested that besides concerns stemming from forgotten passwords, users should not put confidential data on the Cloud.
Another way to secure bank accounts is for holders to use pre-paid credit cards with limited sums for their AppleIDs, like the PayPal system. The Cloud's vulnerability to privacy attack was one of the top tech-threats of 2012. Prinya pointed to the phenomenon of "consumerisation", or the iPad effect, and "Bring Your Own Device" (BYOD), in which employees bring their own smartphones and tablets to the workplace, subscribe to services such as Gmail and Hotmail, back up their data on the Cloud or use Cloud services such as Dropbox, SkyDrive and Google Drive for keeping personal data, and save their photos on Instagram or Flickr.
All these services can be easily accessed by breaking into user IDs and passwords. And normally the user ID is the email address and people usually use the same password for every service they subscribe to because it's easy to recall.
"The problem is once your user ID and password are compromised, the hacker has control over your personal data," he said. Most people are subscribers of at least one Cloud service: Apple, Google (Gmail), Microsoft (Hotmail, Skype), Yahoo, or Facebook. What's driving this trend is users' desire for lower cost, simplicity, and more security. Driving the trend for vendors is the ability to have more control of the solution stack and obtain greater margin in sales as well as offer a complete solution stack in a controlled environment, but without the need to provide any actual hardware.
Deputy chief of the Department of Special Investigation, Yanpol Yangyuen, noted that the systems of both Apple and LINE have been strong, but it was the users who gave away the keys to the thieves. A lot of people turn out to be victims as they are attracted by free services offered on the net. Some hackers target money, but some want access to your personal data.
Sonthichai is just one of many who have lost their AppleIDs, but there are many others who are not aware of how big the impact of losing the user ID can be on their lives.
About the author
- Writer: Sasiwimon Boonruang
Position: Life Writer