Hacked by charging cable: a myth

Plugged into danger: Mobile phone chargers have recently become a topic of debate as people worry that their mobile phones can be hacked via charging cables.

Social media was abuzz after a man posted on his Facebook that 101,560 baht had disappeared from his bank account while he was charging his phone at a public charging station.

As the man insisted he never downloaded unknown applications or clicked on any suspicious links, netizens began to suspect the charging cable was tampered with to steal data from his device.

One theory was that the charging cable was rigged and when it was plugged into his phone, it enabled hackers to take control of his phone and transfer money from his account.

This triggered widespread concern, if not panic. Many said they would now use their own charging cables, and some went as far as considering removing their mobile banking apps.

The incident was investigated and the facts were finally established. The culprit was not the charging cable, but a fake dating app called “Sweet Meet” which the man had installed on his phone.

The revelation may have brought some relief. But with mobile banking widely used in this day and age, stakeholders can never stress enough how vulnerable people are to scammers and why it is important to keep up our guard against the risk of financial crime.

A malicious cable, really?

Prinya Hom-anek, a cybersecurity expert and member of the National Cybersecurity Committee, was among the first to doubt that such a method was used. Media reports ran the racy headline “robbed by a charging cable.”

“It is impossible. When I first saw it in the news, I thought the media had gone overboard,” he said.

In many cases, mostly on Android phones, people can unknowingly install malicious apps that allow scammers to take control of their phones, according to Mr Prinya.

“They are duped by text messages, ads or phone calls. Whatever it is, they are tricked into installing a malicious programme allowing scammers to access their phones.

“Don’t panic about the charging cable. People should look out for malware, suspicious apps or links. Don’t rush to point fingers. First, check your phones,” he said.

If suspicious apps are found, delete them and factory-reset the devices — the best move for getting rid of malware, he said.

More than 10,000 people fall victim to scammers with financial damages estimated to reach 50 million baht per day, he said, citing information from the Cyber Crime Investigation Bureau.

Mr Prinya also said financial institutions and law enforcement agencies should make a formal pact to step up system security and promote financial and technological literacy among consumers.

Supachai Natong, a 43-year-old electronic device vendor, said he is more concerned about malicious programmes and the devious tactics fraudsters use to lure victims into their trap.

“These criminals always come up with something to get our money. I think all phone users must stay vigilant and think twice before installing any apps,” he said.

Pattraporn Tungpat, a 26-year-old phone technician, said her first thought when hearing about the fraud was malware.

“Robbed by a charging cable…I really doubted it. You plug it in and it suddenly drains your account… that’s unlikely. The phone is infected with malware and gets hacked. That makes more sense,” she said.

She said her customers were not alarmed by the charging cable report and knew that, sooner rather than later, the incident would be forgotten — like the “exploding keyboard”.

She was referring to the accidental discharge of a gun in a computer classroom at a Nonthaburi school that killed a student in September last year. Several media outlets rushed to headline their reports as “exploding keyboard”.

“Keep abreast of bank announcements and alerts. Beware of risks and threats. They exist,” she said.

Concerned customers

Several phone and peripheral device vendors and technicians have found themselves bombarded with questions from customers who fear they will get more than they originally intended.

Bundit Wongcha, a 39-year-old phone technician, said although police and the Bank of Thailand clarified the fraud was not caused by a charging cable, his customers sound worried when they come for repairs and replacements. He also said many businesses could have been hurt if authorities were slow to respond to the claim.

Watchareena Sornprasarn, 31, a phone vendor, said phone buyers, especially those who opt for inexpensive Android devices, seem to have more questions about security when looking for new phones.

She said new phones come with charging cables from manufacturers so customers need not worry about substandard or rigged parts. However, those choosing cheap Android phones will have to tolerate pop-up ads that some third-party apps throw out, she added.

Pornprapa Pannarai, 29, another vendor, said it is business as usual although customers do ask about charging cables. They also want to know how to tell the difference between standard and substandard ones. She urged state agencies to introduce more measures to deal with data theft and financial fraud. “I think safeguarding personal information is the most important thing.”

Chattiwong Somnonnan, a 33-year-old salesman, said his sales were not affected by the hacked charging cable but customers are now more interested in security features and updates. “I’m keen to know how police will deal with these fraudsters. How can they tackle cybercrime and nail these people?” he said.

Technically possible

According to Pol Lt Gen Worawat Watnakornbancha, commissioner of the Cyber Crime Investigation Bureau (CCIB), a scam matchmaking app called “Sweet Meet” had been installed on the man’s phone.

Deputy national police chief Torsak Sukwimol said people must not click on any links or download any unauthorised apps, to prevent their phones from being infected with malware.

He said it is technically possible for people to use a charging cable to hack into phones. But such a rigged device can only obtain basic information or GPS data, is not widely available, and is used by security experts only.

He said the most important thing is people should avoid downloading apps from external sources suggested by some live-streaming programmes. Smartphone users must download and install apps directly from the Google Play Store or the App Store, he added.

The Bank of Thailand and the Thai Bankers’ Association (TBA), which investigated the fraud, confirmed the man was tricked into installing a fake application with malware.

The malware enabled scammers to control the phone and they would transfer money from the user’s bank account when the phone was not in use by the owner.

Scammers have come up with a number of tricks — text messages, call centres, fake loan applications — and luring people to install malware-embedded applications is the latest. They said financial institutions need to develop tools and measures and cooperate with the agencies concerned to respond effectively to the rise of cybercrime.

The Ministry of Digital Economy and Society (DES) has urged mobile phone users to check if they have installed some 200 malicious applications that can allow hackers to steal personal data or take control of their mobile phones.

DES Minister Chaiwut Thanakamanusorn said the 200 malware elements were found by the National Cyber Security Agency and DES posted the list on its Facebook page (https://www.facebook.com/prmdes.official). He urged mobile phone users to delete malware apps and keep their mobile phones updated with security patches.