Is the digital wallet registration secure?

As Thais sign up for the government handout, cybersecurity remains a concern

The Tang Rat app on a mobile screen at Government House as digital wallet registration starts on Aug 1. (Photo: Chanat Katanyu)

As registration for participation in the digital wallet scheme begins on the Tang Rat application, some people question whether the app is secure enough amid rampant local cyberthreats.

The app's developer, the Digital Government Development Agency (DGA), is adamant that the app's personal data protection measures meet global standards.

The app is the main channel for Thais to register for the digital wallet scheme, with registration via the app running from Aug 1 until Sept 15.

Is the Tang Rat app secure?

The DGA said it adopted a state-of-the-art cybersecurity protection system. The agency, supervised by the Prime Minister's Office, advises people to download the app only from Apple's App Store and Google's Play Store.

The DGA's role is to provide support to state agencies for the development of the digital government scheme. The Tang Rat app was introduced in 2021 to host numerous state services.

At least 20 million people registered for the digital wallet scheme via the app during the first two days of availability, according to government spokesman Chai Wacharonke.

Eligible participants are encouraged to download the app, then select the digital wallet option, fill in their personal data and scan their faces to create an account.

The system verifies participants' identities and sends their information to related agencies to check for eligibility.

The agency said its personal data protections comply with the Electronic Transactions Committee's guidelines. Information on the app can be accessed only by the owners of the data and authorised persons, according to the DGA.

The agency reiterated it prioritised personal data protection in designing the app, deploying an advanced encryption system and identity authentication for security.

The Tang Rat developers comprise DGA experts and a team of developers with experience in developing apps serving a large number of users.

According to Bluebik, which provides consultancy on digital transformation, DGA hired its employees to support app development for user registration to ensure smooth processing of a massive number of transactions. Bluebik noted it was not involved in the development of the app related to the digital wallet system.

DGA stated it continued to test the app's security, conducting penetration testing to plug loopholes before launching and conducting ongoing tests to prevent hacking or unauthorised access.

The app's management and storage of personal data complies with the Personal Data Protection Act and Cybersecurity Act, said the agency.

The DGA also has a "war room" to monitor the app's operations and prevent cyberthreats 24 hours a day.

What are the security concerns?

The agency reported a cyber-attack "blitz" against the app on the first day of the digital wallet registration. The app continued to operate, registering 18.8 million people over the first 24 hours without a crash or data leakage, according to the DGA.

AVM Amorn Chomchoey, secretary-general of the National Cyber Security Agency (NCSA) and a member of the digital wallet committee, said NCSA will mandate third-party penetration testing for the digital wallet payment system. This requirement will be included in the terms of reference for bidding to develop the government's central payment platform for the scheme, he said.

The digital payment system must adhere to global security standards, such as the Payment Card Industry Data Security Standard, and have third-party assessment against the OWASP Top 10, OWASP API Security Top 10, OWASP Mobile Top 10, or a smart contract audit (if needed), said AVM Amorn.

OWASP, the Open Worldwide Application Security Project, is a non-profit foundation that works to improve the security of software.

The foundation said its Top 10 is a standard awareness document for developers and web application security, representing a broad consensus about the most critical security risks for web applications. The OWASP Mobile Top 10 is a list of the most prevalent vulnerabilities found in mobile apps.

AVM Amorn said the penetration testing of the payment system should encompass web backends, mobile apps and other relevant components.

He said Tang Rat employs facial recognition from the ThaID app for citizen identity verification to prevent identity theft.

The ThaID app, developed by the Department of Provincial Administration, offers a digital ID verification and authentication system. NCSA conducted a security audit of ThaID, confirming its six-month monitoring and penetration testing regime.

Both the Tang Rat and ThaID platforms informed NCSA they implemented security standards, including end-to-end encryption to protect user privacy and measures to defend against web and Distributed Denial of Service attacks.

NCSA also plans to conduct random security checks on ThaID and simulate attack attempts to assess their security posture, said AVM Amorn.

NCSA also mandates smart contract audits for the related blockchain system, including penetration testing to detect logic flaws and overspending vulnerabilities.

He said NCSA provides secure design and penetration testing guidance during the pre-operation phase of the digital wallet scheme.

After the scheme is completed, the related data must be securely deleted. If the government wants to use such data, it must be anonymised first, said AVM Amorn.

Prinya Hom-anek, executive committee chairman at ACIS Professional Center and Cybertron, said security concerns for the digital wallet span three primary components: the front-end system, the payment gateway, and the back-end system.

He said Tang Rat functions as a front-end interface for users, serving as a multi-purpose app that facilitates single sign-on access to data from various government agencies.

The app is dependent on other government systems and its user registration system requires facial and national ID authentication from the ThaID system.

Mr Prinya said the central payment system is susceptible to tampering, defined as intentional, unauthorised modifications to system components, behaviour or data. This poses a significant challenge to the project's parameters.

Blockchain technology offers a potential solution to this issue by providing tamper-proof capabilities, he said.

Prior to the entire project release, a world-class penetration test is essential for quality control, Mr Prinya said.

Is Tang Rat connected to bank accounts?

According to DGA, the app does not connect with individuals' bank accounts and has never collected bank account information. The app allows state agencies to link their information and services with it under highly regulated and secure methods, stated the DGA.

The app does not allow individuals, private organisations or banks to connect bank account information or other systems to the app, said the agency.

Bank apps or e-wallet operators in the digital wallet scheme must connect their systems with the government's planned central payment platform, which is separate from Tang Rat, noted DGA.

What is the cost to develop a central payment platform?

The cabinet approved the DGA's development of the government's central payment platform project with a budget of 95 million baht.

The platform is to connect with various financial service providers and is expected to provide service from October 2024 to March 2025.

On July 11, DGA announced Depthfirst was the winner of e-bidding to develop the registration system for merchants to participate in the digital wallet scheme. The company bid 4.69 million baht for the project.
