Bangkok Post

PromptPay sows doubts


If anyone has questions about joining the e-payment system dubbed PromptPay, they should start with Phansuthee Meeluekij. That name may not be familiar, but he is the man who hit the headlines last week for every wrong reason. Mr Phansuthee is the small-business owner from Ayutthaya whose bank account was cleaned out by cyber thieves. Both the somewhat elaborate theft and the response by everyone involved are not just unacceptable. They should cause second thoughts about the security of the entire e-payment project currently pushed by government agencies and banks.

PromptPay is a system instituted by the Ministry of Finance, backed by several agencies for a variety of reasons. It is actually an entirely logical extension to the long-established move towards using technology to do business. Thais of every stratum are familiar with ATM cards and most have become somewhat comfortable with making payments without cash or cheques. PromptPay aims ultimately at a cashless society. It should be noted that not everyone supports PromptPay or even anything beyond simple debit-card or credit-card transactions. Conservative, which is to say older, people want to handle actual cash. Opponents claim the only real reason for PromptPay is to put every payment in the country in the records of the Revenue Department so they can be taxed.

Whatever the pros and cons of PromptPay and electronic banking, security is a must. If cyber thieves steal only a small amount of money in the e-payment system, distrust will quickly prevail. Just like regular banking, e-payment customers must have 100% confidence the system will take, hold and pay out funds only as instructed. And that is exactly what did not happen in Mr Phansuthee’s case.

Briefly, the auto accessories shop owner banked the money he made. He used and trusted the large Kasikornbank (KBank). He had access to his bank account through his mobile phone and the K-Mobile Bangkok app. But online thieves got a photocopy of his ID card — something most people provide many times in their lives. They “socially engineered” True Corporation staff to give them a SIM clone of Mr Phansuthee’s personal mobile. They asked KBank for a one-time pass code to enter and use the victim’s account. Then they quickly drained 986,700 baht, leaving Mr Phansuthee with 58 satang.

What came next was much like a surreal tale from Kafka. KBank said it was not their fault, but offered to credit Mr Phansuthee for one-third of his loss (this was raised to 100% after media attention). A spokesman for the National Broadcasting and Telecommunications Commission — it regulates mobile phones — noted it wasn’t their fault, but said the True staff should have requested an original ID card, not a photocopy. True Corp wasn’t available to respond. And so on.

This came less than a month after Finance Minister Apisak Tantivorawong assured everyone there was “no chance” unauthorised people could see PromptPay accounts. That followed a warning by the Bank of Thailand’s director of risk management that any electronic theft of PromptPay would be the fault of the user. That director, Budsakorn Teerapunyachai, said no bank or phone company would be held to account.

Ms Budsakorn could not think of any cause of such theft except by malware. This shows a lack of study and failure to consult experts. From the start, knowledgeable people have warned the Bank of Thailand and PromptPay vendors of the dangers involved. By failing to properly account for PromptPay’s inherent risks, authorities have ironically risked losing public trust. If in doubt about that, ask Mr Phansuthee.

