Today, the Cyber Technology Investigation Division (CTID) of the police force held a press conference to announce the apprehension of individuals involved in three separate syndicates that were trading personal information on the Dark Web. One of those apprehended was Mr. Nattapong, a 28-year-old, who was selling an API Bypass Face Scan program that allowed criminals to transfer money from their victims’ devices without the need for facial recognition. These transfers could amount to over 50,000 Baht without triggering any face scanning protocols.
The API Bypass Face Scan required only the victim’s PIN and OTP code, which could be obtained from their phone. The bypass did not require the victim to open any banking application and allowed instant transfers exceeding 50,000 Baht. The vulnerability likely arose from a design flaw in the banking system itself, where the API server failed to verify whether the client’s face recognition was genuine before granting access. Consequently, this loophole enabled the application to lock the user out from performing any other functions besides money transfers.
Mr. Nattapong is charged with five offences under sections 6, 7, 8, 9, and 12 of the Computer Crime Act.
TLDR: The police arrested individuals involved in three criminal groups selling personal data on the Dark Web. Mr. Nattapong, one of the culprits, was selling an API Bypass Face Scan program that allowed criminals to transfer money without undergoing facial recognition. The program exploited a flaw in the banking system, which did not verify the authenticity of facial recognition, and required only the victim’s PIN and OTP code. Mr. Nattapong faces multiple charges under the Computer Crime Act.