News Forum - Ministry reveals 200 apps that steal your cash

[Thaiger]

Since an unhappy Thai man accused a charging cable of stealing the 100,000-baht contents of his bank account, people in Thailand have become hyper-aware of the problems of apps that steal your cash on their phones. The victim insists he had not accessed any suspicious websites, taken any call centre calls or filled in any …

The story Ministry reveals 200 apps that steal your cash as seen on Thaiger News.

Read the full story

[MrStretch]

My wife 'helpfully' shared this info with me last night.

Though I shouldn't be, I am amazed at the number of people in Thailand who download sketchy apps and infect their phones.  It's like they have no concept of safety or security when it comes to their devices.

I did notice, when going through the app list that the government compiled, most of them - according to their names - would appeal to those who love to post their lives online.

[Bluesofa]

17 minutes ago, MrStretch said:

My wife 'helpfully' shared this info with me last night.

Though I shouldn't be, I am amazed at the number of people in Thailand who download sketchy apps and infect their phones.  It's like they have no concept of safety or security when it comes to their devices.

I did notice, when going through the app list that the government compiled, most of them - according to their names - would appeal to those who love to post their lives online.

Could you share it too?
On the ministry's facebook page , I can't see the list of 200 apps.

[MrStretch]

1 hour ago, Bluesofa said:

Could you share it too?
On the ministry's facebook page , I can't see the list of 200 apps.

On their FB page, you need to scroll the right hand column down to 20 January.  You'll see screen shots of the apps listed.

[Chatogaster]

1 hour ago, MrStretch said:

On their FB page, you need to scroll the right hand column down to 20 January.  You'll see screen shots of the apps listed.

A reporter that reports about a list but doesn't link to said list, a government that distributes information it deems important but doesn't make it easily findable/retrievable afterwards (or even at the moment itself: screenshots, really?).

Anyway, here's a link to a somewhat proper source: https://shorturl.asia/pZX0U (lousy way of linking, but at least it delivers a list in PDF-format).

Funny detail: I checked this list earlier this week when Sweet Meet was accused of being malware by some RTP non-expert. It wasn't on the list then, and it still isn't.

[Soidog]

The predominant phones in use in a country like Thailand are all Android based phones rather than Apple running IOS. While Androids phones can be more flexible in terms of download options, they are more open to Malware and Ransomeware attacks. iPhones are not fool proof, but the level of interaction required with clicking links in SMS, Line and emails make them less vulnerable. 
 

One of the biggest threats is having your phone stolen. Biometric systems such as fingerprint and facial recognition are not always foolproof. iPhones for example will unlock with Face ID but also offers the option of a passcode which most people leave enabled. Some Android phone models also offer the same features but many people never learn how to set them up properly. Once a thief gets your phone and can open it, it’s possible to gain access to banking accounts. Again, many people will use the same passcode to unlock their phone and access banking apps.  
 

Additional security such as “Find my iPhone” allow you to remotely lock your phone from a computer or other Apple device if it gets stolen. There is an option for Android Phones called Device Manager but this isn’t a pre installed application and needs to be set up. Most people don’t bother with this security feature either. Top end Android phones such as Samsung have “Find my mobile” (Link below on how to set up and use it).

https://insights.samsung.com/2022/03/15/how-to-use-samsung-find-my-mobile-to-track-down-your-phone/

Ultimately, there will never be a 100% secure phone. Like most security systems, it’s a matter of keeping things up to date and trying to stay one step ahead of the thief. 
 

How many of you for example update your phone operating system and check for updates or have auto-update enabled? 

[Chatogaster]

19 minutes ago, Soidog said:

The predominant phones in use in a country like Thailand are all Android based phones rather than Apple running IOS. While Androids phones can be more flexible in terms of download options, they are more open to Malware and Ransomeware attacks. iPhones are not fool proof, but the level of interaction required with clicking links in SMS, Line and emails make them less vulnerable. 
 

One of the biggest threats is having your phone stolen. Biometric systems such as fingerprint and facial recognition are not always foolproof. iPhones for example will unlock with Face ID but also offers the option of a passcode which most people leave enabled. Some Android phone models also offer the same features but many people never learn how to set them up properly. Once a thief gets your phone and can open it, it’s possible to gain access to banking accounts. Again, many people will use the same passcode to unlock their phone and access banking apps.  
 

Additional security such as “Find my iPhone” allow you to remotely lock your phone from a computer or other Apple device if it gets stolen. There is an option for Android Phones called Device Manager but this isn’t a pre installed application and needs to be set up. Most people don’t bother with this security feature either. Top end Android phones such as Samsung have “Find my mobile” (Link below on how to set up and use it).

https://insights.samsung.com/2022/03/15/how-to-use-samsung-find-my-mobile-to-track-down-your-phone/

Ultimately, there will never be a 100% secure phone. Like most security systems, it’s a matter of keeping things up to date and trying to stay one step ahead of the thief. 
 

How many of you for example update your phone operating system and check for updates or have auto-update enabled? 

 

For ordinary victims, biometric systems are as near to foolproof as you can get (it's only high-level targets who may get kidnapped, or whose fingerprints may get copied).

A find-my-phone feature is available on even the cheapest androids, and the set-up is either absent or trivial (*). It does depend on GPS to be enabled all the time however, which I'm not a fan of.

PS: I generally disable auto-updates. However, I do check regularly and perform a manual update if the change history report warrants it.

(*) That statement is from memory. I would have verified which is the case, but unfortunately I forgot my phone when going home. I'll retrieve it tomorrow morning and then check if I have some money left ;-)

 

[Soidog]

7 minutes ago, Chatogaster said:

For ordinary victims, biometric systems are as near to foolproof as you can get (it's only high-level targets who may get kidnapped, or whose fingerprints may get copied).

A find-my-phone feature is available on even the cheapest androids, and the set-up is either absent or trivial (*). It does depend on GPS to be enabled all the time however, which I'm not a fan of.

PS: I generally disable auto-updates. However, I do check regularly and perform a manual update if the change history report warrants it.

(*) That statement is from memory. I would have verified which is the case, but unfortunately I forgot my phone when going home. I'll retrieve it tomorrow morning and then check if I have some money left ;-)

Biometrics are secure but only if you disable passcode. As I mentioned, I have facial recognition, but I have disabled passcode. There are occasions where the facial recognition didn’t work, most recently with having to wear a face mask and being unable to quickly input a passcode was a pain. The key thing, however you do it, is to:

Make Biometrics as secure as possible in settings.

If you have a passcode make sure they are different across banking Apps.

Make sure you know how to remotely lock and find your phone should it be stolen. 
 

Unless you really need to have banking Apps in your phone, then don’t. Keep them in your iPad or tablet locked away at home. 

[Grumpish]

That my bank recently dumbed down the level of security on its online banking,  to make it more compatible (and cheaper to maintain?) says to me that mobile banking apps are NOT secure. For contactless payments best to set a low transaction limit. 

[Chatogaster]

7 minutes ago, Soidog said:

Biometrics are secure but only if you disable passcode. As I mentioned, I have facial recognition, but I have disabled passcode. There are occasions where the facial recognition didn’t work, most recently with having to wear a face mask and being unable to quickly input a passcode was a pain. The key thing, however you do it, is to:

Make Biometrics as secure as possible in settings.

If you have a passcode make sure they are different across banking Apps.

Make sure you know how to remotely lock and find your phone should it be stolen. 
 

Unless you really need to have banking Apps in your phone, then don’t. Keep them in your iPad or tablet locked away at home. 

Those are valid points and it's all good advice.

Just a minor detail: disabling pass-codes is not essential (I haven't because it's nice to have a backdoor). Just make sure that every pass-code is random and unique (just like passwords - and that's what pass codes are - they should be unique per account/usage). In my case, access to the phone, access to the banking apps, and access to the banking apps account are protected individually and independently (+ any international transfer requires a separate confirmation by a physically separate device). However, I wouldn't recommend to anyone who doesn't know what they're doing to skip the disabling of pass-codes, like you adviced.

[Soidog]

11 minutes ago, Chatogaster said:

Those are valid points and it's all good advice.

Just a minor detail: disabling pass-codes is not essential (I haven't because it's nice to have a backdoor). Just make sure that every pass-code is random and unique (just like passwords - and that's what pass codes are - they should be unique per account/usage). In my case, access to the phone, access to the banking apps, and access to the banking apps account are protected individually and independently (+ any international transfer requires a separate confirmation by a physically separate device). However, I wouldn't recommend to anyone who doesn't know what they're doing to skip the disabling of pass-codes, like you adviced.

Agreed. I was referring to the unlock passcode of the phone, not the passcodes used to access Apps. By disabling Unlock passcode on an iPhone, it means that unless they have the correct biometric data, then they are unable to unlock the phone.

[Chatogaster]

9 minutes ago, Soidog said:

Agreed. I was referring to the unlock passcode of the phone, not the passcodes used to access Apps. By disabling Unlock passcode on an iPhone, it means that unless they have the correct biometric data, then they are unable to unlock the phone.

I'm aware of what you referred to. I've not experimented with facial recognition (I suspect that an animated AI-generated image could easily fool the system), but it's just annoying to want to access your phone when fingers are wet (causing finger print recognition to fail). A backdoor via a pass-code to access the phone is fine as far as I'm concerned (as long as it's non-guessable and there are further obstacles ahead when it comes to abusing any illegitimate phone access).