Amid the increasing push towards a digital economy, cybersecurity is back in focus after thousands of people fell victim to cyberfraud.

At least 40,000 people suffered losses estimated at over Bt10 million after cybercriminals hacked the victims’ credit and debit cards, Pol Lt-General Kornchai Klayklueng, commissioner at the Cyber Crime Investigation Bureau, said on Monday (Oct 18).

He told a news conference that initial investigation showed the cybercriminals had possibly used three channels to steal key information about credit and debit card holders: card holders who had linked their bank accounts with online applications, criminals sending SMS to trick people into giving them personal information, and criminals harvesting information from card holders making daily transactions at shops or gas stations.

The Bank of Thailand (BOT) on Tuesday estimated losses of Bt130 million from the cyberfraud.

BOT and the Thai Bankers’ Association had issued urgent statements late on Sunday that preliminary investigation showed the mobile banking system had not been hacked, nor was any banking application found to illegally transfer customers’ money.

The BOT and commercial banks told the public that the accounts of many customers had seen numerous suspicious transactions from online purchases abroad.

The banks promised to reimburse customers the losses and suspend the hacked credit and debit cards.

Cybersecurity and risk of fraud

The latest cybercrime comes as the central bank, the government and banks have been trying to promote a cashless society through mobile banking. At the same time, the COVID-19 pandemic has also spurred an increase in mobile banking due to lockdowns, the need for social distancing and protection from infection through a contactless payment system.

Mobile-phone transactions almost trebled to Bt28 billion a day from about Bt10 billion before the pandemic, according to the BOT.

Delivering his keynote speech on Monday morning at a virtual event of the Bangkok Fintech Fair 2021, BOT Governor Sethaput Suthiwartnarueput said that cybersecurity and frauds remain key risks for mobile and internet banking.

Some critics have urged the BOT and banks to do more to improve payment security.

Loophole in the system

Pol Maj-General Niwet Arphawasin, commander-in-chief at the Technology Crime Investigation and Analysis Division, said that hackers had perpetrated the recent fraud by exploiting a laxity in the payment system. He said some banks as well as credit- and debit-card issuers do not report

back to customers if the purchase value is a small amount, and hackers had exploited that loophole through numerous small transactions.

Many card holders found their accounts debited several times with each individual transaction worth less than Bt100, and even as low as Bt37 or Bt17.27, early this month.

People must be vigilant

A cybersecurity expert encouraged customers to be proactive in protecting themselves against hacking and cybercrimes.

“First, people must be aware that there is no cybersecurity any organisation in the world can provide to guarantee users 100 per cent safety,” warned Prinya Hom-anek, a cybersecurity expert.

He said he has high confidence in the security of Thailand’s mobile banking system. He, however, warned there were other channels through which hackers could steal card holders’ information and make illegal transactions.

He said personal financial information could be stolen at shops, department stores or other venues where card holders use their cards for making payments.

The problem with debit cards

Prinya advised people to use a credit card instead of a debit card.

“Credit card holders have to pay the money later, so they can refuse to make payments for goods or services they did not buy. In the case of debit card holders, the money is deducted from their accounts right away, making it difficult for them to make a case for refund when illegal transactions take place,” Prinya said.

Safety strategies

Debit card holders are advised not to link the card to their main savings account.

They should create a separate bank account with a smaller deposit, such as Bt500 to Bt2,000, or depending on the individuals’ risk appetite, he suggested.

Card holders who do not subscribe to short message service (SMS) with banks make themselves easier targets for hackers.

Subscribing to an SMS with card issuers will enable timely scrutiny of suspicious transactions, Prinya said.

Some banks charge a Bt120 annual fee for SMS.

Some debit card holders are not even aware that they have a debit card, as they mistake it for an ATM card, he pointed out.

Prinya admitted that he himself had been a victim of cyberfraud five or six years ago. He said on one occasion someone made credit card transactions in his name in Beijing in China, and in Hyderabad in India, while he was in Bangkok.

“Using a credit card is safer as the card holder can refuse to pay in the event of a fraud. In the case of a debit card, the individual may get a refund only later, after the bank has verified the transaction as illegal,” he said.

Having separate bank accounts may cause some inconvenience, but it will make you safer, he suggested.

By Thai PBS World’s Business Desk