The Bank of Thailand (BoT) reportedly plans to overhaul how the country's financial institutions protect digital banking sessions: daily transfer limits for vulnerable groups, mandatory facial recognition for high-value transactions, and more stringent anti-malware requirements for mobile banking apps.
As a fraud-fighting community, we should applaud the effort and intention here. Fraud, scams, and financial crime continue to grow more prevalent, sophisticated, and lucrative. Governments, law enforcement, regulators, and financial institutions must develop networks of trust to keep up and fight back.
But the BoT’s omission of behavior-based solutions misses an opportunity to better protect Thai banking customers both now and in the future.
Let’s examine the proposed protocols and what may be missing.
Protecting vulnerable groups with daily transfer limits
Fraudsters often target teenagers and the elderly. So it makes sense the BoT seeks to better protect those demographics.
However, fraudsters can still profit without ever breaching a vulnerable account's daily transfer limit: they can spread the theft over several days under the cap, or shift to lower-tech strategies, coaching victims to make scam transactions in person instead of online, as we've recently seen in Singapore.
Banks should instead consider behavior-based solutions that monitor fluctuations in daily transfer activity against each account's own baseline, without driving scammers offline. Behavior can then indicate whether the person doing the typing, swiping, and/or transacting is the accountholder acting of their own free will.
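To make the contrast concrete, here is an added illustration (not the article's or any vendor's product logic) of a hard daily cap next to a per-account baseline check. The cap amount, the account history and the fraud week are all constructed sample values, and the "three sigma above the account's own mean" rule is an assumed, deliberately simple stand-in for a real behavioral model. The point it shows is that a fraudster who keeps every day just under the cap is never blocked by the cap, while a baseline comparison flags every one of those days.

```python
from statistics import mean, pstdev
from typing import Dict, List

# Hypothetical per-day cap for a vulnerable-group account (illustrative, not a BoT figure).
DAILY_CAP_THB = 50_000

# Constructed sample: 30 days of an accountholder's daily outbound transfer totals (THB),
# followed by a week in which a fraudster drains the account while staying under the cap.
HISTORY_THB: List[int] = [1_200, 0, 3_500, 800, 0, 2_000, 1_500] * 4 + [900, 0]
FRAUD_WEEK_THB: List[int] = [49_000, 48_500, 49_900, 47_000, 49_500, 48_000, 49_000]


def cap_blocks(day_total: int, cap: int = DAILY_CAP_THB) -> bool:
    """Hard daily limit: blocks only a day whose total exceeds the cap."""
    return day_total > cap


def baseline(history: List[int]) -> tuple[float, float]:
    """Mean and population std-dev of the account's own past daily totals."""
    return mean(history), pstdev(history)


def behavior_flags(history: List[int], day_total: int, k: float = 3.0,
                   min_sigma: float = 500.0) -> bool:
    """Flag a day that deviates from this account's baseline by more than k sigma.

    min_sigma keeps a near-constant history from flagging every small change.
    (Assumed rule, standing in for a real behavioral model.)
    """
    mu, sigma = baseline(history)
    return day_total > mu + k * max(sigma, min_sigma)


def evaluate_week(history: List[int], week: List[int]) -> Dict[str, int]:
    """Run both controls over a week of activity and tally what each catches.

    The baseline is extended only with days that were NOT flagged, so a slow drain
    cannot train the model to accept itself.
    """
    hist = list(history)
    result = {"cap_blocked": 0, "behavior_flagged": 0, "leaked_under_cap_thb": 0}
    for day_total in week:
        if cap_blocks(day_total):
            result["cap_blocked"] += 1
        else:
            result["leaked_under_cap_thb"] += day_total
        if behavior_flags(hist, day_total):
            result["behavior_flagged"] += 1
        else:
            hist.append(day_total)
    return result


if __name__ == "__main__":
    print(evaluate_week(HISTORY_THB, FRAUD_WEEK_THB))
```

Two design choices matter more than the threshold itself: the baseline is per account, not a fleet-wide number, and flagged days are never fed back into it. A model that learns from the activity it should have stopped will, within a week, treat the drain as normal.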
Physical biometrics
Physical biometrics (facial recognition, fingerprint scanning, etc.) and multifactor authentication have dominated the digital banking security conversation for years now, and both are usually part of a bank's security stack. GenAI and a proliferation of social engineering strategies and operations have increasingly rendered those legacy defenses all but obsolete.
Readily available deepfake technology allows fraudsters to circumvent facial recognition requirements. Both text- and graphic-design-based GenAI tools let scammers craft convincing messages to their would-be victims in a flawless version of the victim's native language, impersonating any number of official or personal connections to con the victim into willingly handing over login info and/or transferring away their money.
We should anticipate this trend of technological obsolescence to continue and intensify.
Malware and mobile banking
There are many types of malware, but when it comes to how they're used to perpetrate digital banking fraud, we can separate them into two categories by where the fraudulent transaction is made: 1.) on-device fraud, where malware lets the attacker transact from the customer's own infected device, and 2.) info-stealing malware, which harvests credentials and codes from the customer's device so the fraudster can transact from a separate device they control.
A “jailbroken” device (on Android, “rooted”) is one that's had the software restrictions imposed by the manufacturer removed. BoT recommends detection of jailbroken devices, but our research shows victims don't have the knowledge to jailbreak their own devices. Current banking malware does not require a device to be jailbroken or rooted to infect it, so jailbreak detection is at most one weak signal, not a control.
On-device attacks occur when the malware allows attackers to remotely control the victim’s infected device. This type of fraud is particularly insidious because when it occurs, traditional banking fraud detection is bypassed, making it seem as though the account owner performed the transaction.
The fraudster can then not only read OTP codes from SMS or authenticator apps but also capture the phone's PIN (for example by logging keystrokes or recording the screen as the victim unlocks the device). Because the PIN is the fallback for fingerprint and face unlock on both iOS and Android, knowing it bypasses those physical biometrics entirely.
Key characteristics of on-device fraud include:
- Remote access: Malware, often in the form of Remote Access Trojans (RATs), gives attackers full control over the infected device.
- Transaction manipulation: Fraudsters can initiate unauthorized transactions directly from the victim’s device, bypassing traditional security measures.
- Overlay attacks: Banking trojans draw fake login screens over legitimate banking apps, tricking users into entering their credentials.
- SMS interception: Some malware can intercept SMS messages containing one-time passwords (OTPs), circumventing two-factor authentication.
Info-stealing malware focuses on harvesting sensitive data from the infected device, which the attacker then uses to commit fraud from a separate device they control. Banks that require two-factor authentication often mistake reports of account takeover fraud (ATO) for scams: they assume the victim read OTP codes out to a scammer, not realizing that malware forwarded those codes to the fraudster.
Notable aspects of info-stealing include:
- Keylogging: Malware records keystrokes to capture login credentials, PINs, and other sensitive information.
- Form-grabbing: Info-stealers collect data entered into web forms, including credit card details and personal information.
- Screen capture: Some malware takes screenshots when specific actions are performed, such as clicking the mouse.
- Data exfiltration: Stolen information is transmitted to the attacker's command and control (C2) server for later use in fraudulent activities.
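The distinction between the two categories above, and the misattribution described for info-stealers, can be made concrete with a small triage over authentication logs. The following is an added example, not the article's method or any bank's detection logic. The log lines, device identifiers, enrolled-device table and the 15-second "fast relay" threshold are all constructed assumptions: the idea is that an OTP delivered to the customer's enrolled phone but consumed seconds later on a device the customer never enrolled looks like intercepted SMS, not a victim reading a code out over a phone call. Note what the log alone cannot do: account A3, where every event happens on the enrolled device, is indistinguishable from the genuine customer, which is exactly where on-device (RAT) fraud hides and why session behavior, not transaction metadata, is needed to catch it.

```python
import re
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample of a bank's authentication/transaction log (not real data).
# A1: OTP delivered to the enrolled phone, consumed 4 s later on an unknown device.
# A2: OTP consumed on an unknown device after ~2 minutes (could be a coached victim).
# A3: everything happens on the enrolled phone.
SAMPLE_LOG = """\
2024-06-01T10:00:00Z OTP_SENT account=A1 to_device=dev-a1-phone
2024-06-01T10:00:04Z OTP_VERIFIED account=A1 device=dev-unknown-77
2024-06-01T10:00:06Z TRANSFER account=A1 device=dev-unknown-77 amount=45000
2024-06-01T11:30:00Z OTP_SENT account=A2 to_device=dev-a2-phone
2024-06-01T11:32:10Z OTP_VERIFIED account=A2 device=dev-laptop-99
2024-06-01T11:32:30Z TRANSFER account=A2 device=dev-laptop-99 amount=30000
2024-06-01T12:00:00Z OTP_SENT account=A3 to_device=dev-a3-phone
2024-06-01T12:00:20Z OTP_VERIFIED account=A3 device=dev-a3-phone
2024-06-01T12:00:25Z TRANSFER account=A3 device=dev-a3-phone amount=45000
"""

# Devices each customer has enrolled (constructed).
ENROLLED: Dict[str, Set[str]] = {
    "A1": {"dev-a1-phone"}, "A2": {"dev-a2-phone"}, "A3": {"dev-a3-phone"},
}

# Assumed heuristic: a victim reading an OTP out to a scammer on a call takes longer
# than this; an SMS forwarded by malware reaches the fraudster's device almost at once.
FAST_RELAY_SECONDS = 15.0

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) (?P<kv>.*)$")


def parse(log: str) -> List[dict]:
    """Parse 'timestamp EVENT k=v k=v ...' lines into dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
               "event": m["event"]}
        rec.update(pair.split("=", 1) for pair in m["kv"].split() if "=" in pair)
        events.append(rec)
    return events


def triage(events: List[dict], enrolled: Dict[str, Set[str]]) -> Dict[str, str]:
    """Classify each account's OTP use by where the code was consumed and how fast."""
    last_otp: Dict[str, dict] = {}
    verdicts: Dict[str, str] = {}
    for e in events:
        acct = e.get("account")
        if e["event"] == "OTP_SENT":
            last_otp[acct] = e
        elif e["event"] == "OTP_VERIFIED":
            if e["device"] in enrolled.get(acct, set()):
                # Same device the customer always uses: indistinguishable from the
                # customer in this log. On-device (RAT) fraud lands here.
                verdicts[acct] = "enrolled_device"
                continue
            sent = last_otp.get(acct)
            if sent and (e["ts"] - sent["ts"]).total_seconds() <= FAST_RELAY_SECONDS:
                # Delivered to the enrolled phone, consumed seconds later elsewhere:
                # consistent with SMS-intercepting / info-stealing malware, not a scam call.
                verdicts[acct] = "ato_suspected_infostealer"
            else:
                verdicts[acct] = "new_device_review"
    return verdicts


if __name__ == "__main__":
    print(triage(parse(SAMPLE_LOG), ENROLLED))
```

The "enrolled_device" verdict is not a clean bill of health; it is the case the transaction log cannot decide, and the one the next section is about.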
Without revealing to bad actors exactly how or why it does so, we can just say: Behavior-based solutions excel at identifying both on-device and info-stealing malware.
Mandating behavioral biometrics in the fraud stack of Thai banks would drastically augment existing defenses, identifying and helping financial institutions to stop the fraud, scams, and financial crime that legacy solutions – including the soon-to-be-implemented ones required by the BoT – might miss.