The scam highlights the importance of data protection both by Thai firms and international firms where credit and debit cards are used. On Monday, it was revealed that commercial banks in Thailand are not impacted by this scam as firms worldwide move to raise the level of security on their payment and transaction platforms to new standards. Thailand’s new data protection law, which imposes higher standards on firms operating here, was postponed this year until 2022 even as the kingdom has suffered multiple high profile hacking attacks in the last three months.
Thai banks and financial institutions will reimburse mysterious withdrawals made over the last week from Thai bank and credit card accounts that have been traced to online merchants registered outside the kingdom. It is reported that tens of thousands of accounts may have been impacted with the prime minister ordering robust action to bring the online scam to a halt and a full investigation.
Thailand’s Prime Minister Prayut Chan-o-cha has ordered urgent priority be given to what appears to be an online fraud operation linked to shopping channels outside the kingdom which has left thousands of customers in Thailand out of pocket.
The withdrawals appear to be for just over $1 or ฿34.15, but appear to have been processed as an array of overnight transactions on the targeted accounts over a period of more than one week.
These are linked with debit cards and credit cards.
Bankers to take full responsibility for the scam which is linked to external merchant platforms and accounts
On Sunday, the Bank of Thailand and the Thai Bankers Association issued a statement on the issue making it clear that the scam does not involve a hack or breach of Thailand’s banking or clearing system but is coming from outside the kingdom through registered online stores linked with shopping account facilities.
The Royal Thai Police and banking security operatives are currently working to trace the identity of the merchants involved.
It has not yet been revealed how many people have fallen victim to the scam but reports suggest that it may number in the tens of thousands while a Facebook page set up by alarmed members of the public over the weekend had already notched up 57,000 followers by Monday.
Prime Minister gives orders to halt the skimming operation as public concern grew this weekend
Government spokesman, Thanakorn Wangboonkongchana, said on Monday that the PM has given orders that state agencies quickly and decisively put a stop to the problem.
The Bank of Thailand has assured the public that all wrongful withdrawals will be corrected by the banks or financial institutions involved who have agreed to bear responsibility for the situation.
The public in Thailand is being asked to contact the operations centre of their respective financial institutions and report any suspicious transactions on their accounts.
Absence of notifications, just an array of small withdrawals, over $1 in value, applied to accounts
Many of the victims, speaking online over the weekend, said they were alarmed by the situation since they had not received any alert or notification of the transactions, which had taken place over the last week, from their financial institutions.
It is reported that people discovered the problem when updating passwords for their accounts or checking their balance online.
In some instances, users have had legitimate transactions blocked or held because of funds disbursed through the scam.
Officials: No suspicious app or breach of the bank clearing system involved in the online fraud scheme
Bank officials are anxious to stress that the issue does not involve an illegal online application or hack of the financial system following speculative rumours spread online over the last 48 hours.
It appears the problem is the abuse of legitimate shopping channels and payment facilities linked to merchants registered outside Thailand, by actors who have gained access to hacked data on customer credit and debit card details.
Officials have assured the public that an active investigation is now being pursued to track down those involved with the scam, with particular attention being paid to how the merchant accounts were set up or who used them to perpetrate this scheme.
Credit and debit cards of Thai customers are in play, however, with large hacks worldwide and dark web criminal forums selling hacked personal details
It is clear that some hacked or illegal access to the credit card and debit card data relating to Thai consumers is involved in this skimming operation.
Hacking and the theft of credit and debit card details have been a serious problem in the last decade, with a 2017 hack, originating in China, managing to obtain the details of 147 million American account holders.
Data related to consumers is available online in dark web forums for criminal gangs to exploit for a price
Such data is regularly listed online in dark web forums for sale to criminal networks who use it for online scams such as this one.
This has led major payment processors to recently upgrade the security platform for payments, with many banks in the European Union and indeed in Thailand now requiring 3D Secure authentication before a payment can be processed.
The Bank of Thailand announced on Monday that the scam did not impact customers with Thailand’s commercial banking system.
Number of significant data breaches in Thailand just over the last three months linked with big firms
Nonetheless, there have been several significant data breaches in Thailand over the last three months which have raised concerns about the safety of the financial data of Thai consumers and indeed visitors to the kingdom.
In September, it was revealed that the personal data of no fewer than 106 million visitors to Thailand had been detected by a cybersecurity expert in August.
Bob Diachenko of Comparitech revealed that data related to visitors to Thailand since 2011 had been found on a 212Gb database which had been left unprotected by a Thai government agency.
The data was accessible to anyone on the internet, said the expert firm.
This claim was later confirmed by the National Cybersecurity Agency of Thailand.
The data contained the full name of each visitor, sex, passport number, residence, status, visa type, TM6 or arrival card number as well as the date of arrival in Thailand.
‘We do not know how long the data was exposed prior to being indexed,’ a statement by Comparitech revealed.
Large CP Group database hacked in early September after a hack on Bangkok Airways in late August
In September, a database operated by Thailand’s largest conglomerate, the Charoen Pokphand Group or CP Group was hacked.
The hack, on September 7th, saw over 540,000 elements of user information with full names, mobile phone numbers, emails and addresses advertised for sale on the black market.
At the time, the CP Group denied that any credit or debit card details had been uncovered or compromised in the hack.
It followed another hack on August 28th targeting Bangkok Airways, one of Thailand’s fastest-growing regional airlines.
In that hack, some credit card information was obtained by the hackers including passenger names, passport numbers, email addresses and additional data related to previous interactions with the airline.
New data protection law postponed until 2022
In May, the Thai government postponed the enforcement of the 2019 Thailand Personal Data Protection Act until June 1st 2022.
The law aimed to provide operating standards to which all data holders must conform to provide adequate protection to the public.
The wide-ranging law will establish a special office in Thailand for the protection of data.
It also imposes duties on companies managing data and offers protection to the public against the misuse of such data, as well as allowing members of the public to sue companies who have negligently handled data, causing financial loss or damage to the person who is the subject of such data.