TBA is working with the National Broadcasting and Telecommunications Commission, the digital ministry, and mobile operators to improve security of mobile banking and protect users from criminal gangs, said Yos Kimsawatde, TBA’s head of payment systems.
Yos said four measures were being implemented to tighten mobile banking security:
1. Shutting down fake Line accounts pretending to be official accounts of banks or government agencies.
2. Monitoring SMS senders who do not use real names.
3. Blocking harmful URLs.
4. Coordinating with member banks to improve their apps’ security, such as by limiting accessibility and adding more authentication methods including biometrics.
He added that further measures being proposed to the Bank of Thailand and related agencies include a waiting period after users adjust their transfer limit, and establishing a Central Fraud Registry Office to monitor suspicious transactions using shared information among member banks. He expects these measures to be approved within 4-5 weeks.
The pending Royal Decree on Cybercrime Prevention and Suppression would add further protection against malicious apps, as it would allow banks to suspend suspicious transactions and block suspicious accounts without victims having to file police complaints first, he said.
Money-siphoning gangs using harmful apps usually work in three steps, according to TBA’s emergency response director Chatchawat Asawarakwong.
First, they send an SMS to deceive victims into thinking they have won a prize or that there is a problem with their bank account or tax, or they pretend to be a bank offering loans at a special rate. The victim is then instructed to add the criminal’s Line account as a friend.
Second, victims are told via Line to download and install an app in .apk format from outside Google Play Store and then allow the app to access their phone. This allows the criminal to remotely access the victim’s phone without their knowledge.
Third, while victims are using a mobile banking app, criminals record their password and personal info using the remote access app, and later transfer money out of the victim’s account.
Chatchawat said criminals often pretend to be from one of five organisations to trick victims into believing that they have won prizes, are being granted loans, or have tax problems. The five organisations are the Revenue Department, Department of Special Investigation, Commerce Ministry, Lion Air, and Thai Life Insurance.
Money-siphoning gangs also use dating apps to deceive victims in a similar way to romance scams, he said.
However, instead of asking victims for money or private information, they ask them to install the .apk app to connect with their matched partner.
The TBA advises mobile phone users to do the following to stay safe from harmful applications:
1. Regularly check which applications on your phone are using the accessibility service and make sure that no unknown apps are using this feature.
2. Turn on Google Play Protect on your phone, which will block and uninstall any known harmful apps.
3. Use endpoint protection or an antivirus app to protect against harmful apps and malware.
4. If you suspect your phone is being accessed remotely, immediately force shutdown/restart your phone by holding the power and volume buttons down for 10-20 seconds. If this is unsuccessful, try cutting internet access to the phone and alert the bank and police immediately.
5. Avoid using rooted/jailbroken devices, sharing your password or using one that is easy to guess, installing apps from untrusted sources, or clicking on URLs in SMS or chat messages from people you don’t know.
6. Follow updates on technology news and warnings to stay ahead of the criminals.
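The accessibility check in item 1 can also be done from a computer over adb. The script below is an added example, not something published by the TBA; the package names and sample data are constructed, and it assumes Google Play reports itself as installer com.android.vending.

```shell
#!/bin/sh
# Added example: list enabled accessibility services whose package was not
# installed by Google Play. On a real device (USB debugging on), call:
#   audit_a11y "$(adb shell settings get secure enabled_accessibility_services)" \
#              "$(adb shell pm list packages -i)"

PLAY_INSTALLER="com.android.vending"   # assumption: Play Store installer id

# audit_a11y SERVICES PACKAGES
#   SERVICES: colon-separated "package/ServiceClass" entries, or "null"
#   PACKAGES: lines such as "package:com.foo  installer=com.android.vending"
# Prints "<package> installer=<value>" for each service to review by hand.
# Preinstalled system apps can also report installer=null, so the output is
# a review list, not a verdict.
audit_a11y() {
    services=$1
    packages=$2
    # Empty or "null" means no accessibility service is enabled.
    case "$services" in ''|null) return 0 ;; esac
    printf '%s\n' "$services" | tr ':' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        pkg=${entry%%/*}               # keep the package part only
        installer=$(printf '%s\n' "$packages" |
            awk -v p="package:$pkg" \
                '$1 == p { sub(/^installer=/, "", $2); print $2; exit }')
        [ -n "$installer" ] || installer="unknown"
        if [ "$installer" != "$PLAY_INSTALLER" ]; then
            printf '%s installer=%s\n' "$pkg" "$installer"
        fi
    done
}

# Constructed sample data: one screen reader from Play, one sideloaded .apk.
SAMPLE_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.prizeclaim/.RemoteHelperService"
SAMPLE_PACKAGES="package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.prizeclaim  installer=null
package:com.example.bank  installer=com.android.vending"

audit_a11y "$SAMPLE_SERVICES" "$SAMPLE_PACKAGES"
```

Any package it prints should be one you recognise and installed yourself; if not, disable its accessibility access and uninstall it.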