E-bank theft a piece of cake for hackers

E-bank theft a piece of cake for hackers

Customers, mobile phone firms must boost weak cyber security

Police warn that any given computer engineering class could include future hackers, like those who have lifted millions from
Police warn that any given computer engineering class could include future hackers, like those who have lifted millions from "secure" Thai mobile banking accounts. (Photo from Facebook page of Mahidol University Computer Engineering)

The recent arrest of three former computer engineering students who hacked into the well-protected information of e-banking customers has thrown the spotlight on the risks facing such electronic transactions.

The Central Investigation Bureau (CIB) is warning customers, banks and third parties such as mobile phone service providers that they are all partly responsible for the vulnerability of e-banking and that their security measures for electronic banking systems are unreliable.

Hackers have found ways to steal passwords and banking information, and gain access to customers' accounts and e-banking services to steal their money, it says.

While stressing the need for banks, mobile phone signal operators and customers to be alert to cyber robbery, police said they are ready to launch a systematic crackdown on the hackers.

Pol Lt Gen Thitirat Nongharnpitak, the CIB chief, launched the campaign after finding there are large numbers of victims nationwide. But victims are not getting adequate help because they have filed complaints with district police stations where officers have limited personal and technological resources to pursue the wrongdoers.

The CIB's Technology Crime Suppression Division decided it would have to figure out how the wrongdoers break into security systems and steal money from people doing e-banking.

One important clue was obtained after the arrest of three former university students who studied computer engineering and used their skills in a criminal way to get quick money.

The arrests followed a compliant lodged by Phakamat Butsayabut with the Technology Crime Suppression Division on July 17. Ms Phakamat had noticed that 163,500 baht was transferred out of her bank account via e-banking without her knowledge four days earlier.

Using their expertise, officers at the division tracked the activity online and were able to locate the suspects in little more than a week.

The officers found them in Yala and nabbed the three suspects on July 28 in the province's Muang district. Officers seized computers and mobile phones which the gang used to ask for One-Time Passwords, or OTPs, often used during financial transactions over the internet.

OTPs are a set of numbers given via mobile phones to a customer and are valid for only one login transaction. OTPs are used with a specific cell phone that the customer has registered with the bank. The password is used to authenticate the customer for making a single online transaction. It is regarded as more secure than user-created passwords.

But Khanchit Iaosakun, 26, one of the three arrested suspects, told police how they can still crack this security system.

Pol Col Somphon Daengdi, deputy chief of the Technology Crime Suppression Division, said the gang used malware, a malicious software spread through emails and dubious websites, that allows hackers to gain access to personal information kept in computers.

Once Mr Khanchit acquired this information, he and his alleged accomplices -- Thongchai Kaeosiphut, 27, and Kornnatsa Aphithanaphiphat, 28 -- used the victims' personal information, such as birth dates, to forge identity cards.

They used photocopies of the fake identity cards to apply for new Sim (Subscriber Identification Module) cards, carrying the victim's mobile phone number, and used that to ask for the OTP from banks.

Once they had the OTP, they transferred the victim's money into accounts they had set up, Pol Col Somphon said.

The gang said they had been doing this for about a month and preyed on many bank customers.

"Within a few minutes after getting the Sim cards they could be off with the victims' money," Pol Col Somphon said.

Victims may not even know their old Sim cards had been cancelled by their mobile phone service providers until it was too late.

Another method employed by gangs is to use a computer virus to steal personal information from victims.

First, the hacker gang builds fake bank websites and lures victims to make financial transactions on them, giving out passwords and other information in the process.

The hackers use this information to transfer money from the victims' accounts on the banks' real websites, according to a police investigation.

"Officers need to know these tricks to plan for ways to prevent the crime," Pol Col Somphon said.

He said his agency needs to gather victims' complaints nationwide and use them to track down hackers.

Simple and convenient for sure, but police are warning that "secure" is not true for all people using e-banking services in Thailand. (Post Today photo)

Pol Lt Gen Thitirat said the arrest of other suspects in Rayong last month led police to suspect there might be connections between the hackers and those running illegal football gambling websites.

It is possible the people running the gambling websites may be selling information about their customers.

The Technology Crime Suppression Division is tracking down a list of suspects for this type of high-tech crime. But this alone will not be enough.

"All sides [banks, customers and third parties] must join hands to build a much better security system, if we truly want to tackle the cyber crime problem,'' Pol Col Somphon said.

Contact Crime Track:


Do you like the content of this article?