Last month in Thailand, all eyes were on a high-profile cyber attack where one person lost his life savings of just under one million baht ($28,000) when criminals managed to get access to his e-banking account by getting a replacement SIM card issued with false documentation.
They then reset his e-banking password and, using SMS one-time passwords, cleaned out his account. The NBTC recently (September 8) held an open forum entitled “stealing money via the mobile phone”, inviting activists and academics to discuss the matter and suggest a way forward.
TrueMove, the telco at the center of the attack, was only there to observe, but after repeated invitations Chakkrit Urairat, deputy director for regulatory relations, finally took the floor during the Q&A to deliver his telco’s side of the story.
Chakkrit explained that the case was much more than a simple case of TrueMove sloppily issuing a SIM to a criminal with no checks. He said that the victim had been the target of a long, sophisticated phishing attack.
He said the victim was transacting a sale over social media. The criminal, posing as the buyer, asked the victim to open a K-Cyber account (Kasikorn Bank’s e-banking service) and to send over a copy of their ID card and their K-Cyber username so that payment could be made, which the victim did. The details were sent out of band through LINE instant messaging.
TrueMove said that the criminal then photoshopped a fake copy of the ID card and went to a True shop at the busiest time of the day to ask for a replacement SIM to be issued. The criminal told True that the original ID card had been stolen along with his wallet and phone. In such cases, True’s policy leaves it to the individual shop attendant’s discretion whether or not to issue a new SIM.
Chakkrit blasted data protection laws, saying that while True would like to add additional security questions, doing so was possibly illegal. For instance, asking for the last number called would mean showing the shop attendant the customer’s recent call log, which would be a breach of data privacy laws.
The TrueMove deputy director said that the entire incident was part of an unfortunate and expensive learning curve.
Doctor Pravit Leesathapornwongsa, National Broadcasting and Telecommunications Commissioner, pointed out that when a credit card is lost, the card owner does not need to be held responsible, a position backed up by Supreme Court rulings. Why, then, is it different when it comes to money stolen through this type of sophisticated social engineering attack?
Pravit cynically suggested that the atypically quick resolution of this matter (Kasikorn Bank refunded the money lost, and True gave the victim a free iPhone 6+ and free calls for a year) came about because the government could not afford a security scandal just as it was launching the PromptPay / AnyID national e-payments system.