The war on cash has reached Thailand in earnest with the launch of its PromptPay electronic payments network. At its heart, the system allows for bank accounts to be linked to mobile phone numbers or ID numbers as part of the related AnyID system that was launched last year, so that bank transfers can be made to those numbers instead of bank accounts. Getting rid of cash – and of privacy – is a trend that is sweeping the world.
The Thai government and banks are trying their utmost to promote the system, with measures ranging from heavy advertising all the way to delaying tax refunds for people not using PromptPay within 45 days.
Thailand has never truly had a seamless banking network, with cross-bank transfers being quite expensive – $0.71 (25 baht) for a typical low-value transfer with silly fees even for cross-province cash withdrawals. Most people have multiple bank accounts or walk with cash from one bank to another just to avoid this inter-bank charge, somewhat distorting the statistics on financial inclusion. PromptPay also addresses that with much lower fees – free for transactions under $142 (5,000 baht) to a maximum of $0.28 (10 baht) for transactions over $2,850 (100,000 baht).
The launch itself has been pushed back many times with banks worrying about the KYC standards of their telco partners. But it was finally launched and did not immediately crash, though there were quirks.
The most interesting hack is how people now use PromptPay as a glorified caller ID system. For any missed call, a user can initiate a PromptPay money transfer to that number and then can see the officially registered name of that telephone number as part of the PromptPay confirmation process if it is registered. The transfer does not even have to go through – it can be cancelled after the details are seen. Indeed, this is part of the PromptPay FAQ on how users can verify the recipient first to prevent them sending out cash to a wrong number by mistake.
So at a glance, the central premise of PromptPay – to be able to use your phone number as a bank account – wipes out any privacy associated with that phone number. Using a second, obscure number for PromptPay helps here, but it misses the point.
One potential attack scenario would be to hoover up names and telephone numbers and then get password reset OTPs via an SS7 SMS interception attack (which requires the IMSI of the target). This should be possible. Not trivial, but possible.
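Because the registered name appears at the confirmation step, an account that keeps starting transfers and cancelling them is using the system as a directory, and a bank can see that in its own logs. The sketch below is an added example, not part of the original article or of any PromptPay code; the event format, thresholds, account labels and sample data are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def flag_name_harvesting(events, window=timedelta(minutes=60),
                         min_distinct=5, max_completed_ratio=0.2):
    """Return {account: peak distinct numbers} for accounts that reveal many
    recipient names inside one window while completing few transfers."""
    per_account = defaultdict(list)
    for ts, account, number, outcome in events:
        per_account[account].append((datetime.fromisoformat(ts), number, outcome))

    flagged = {}
    for account, rows in per_account.items():
        rows.sort()
        recent = deque()  # name reveals inside the sliding window
        for row in rows:
            recent.append(row)
            while row[0] - recent[0][0] > window:
                recent.popleft()
            distinct = len({number for _, number, _ in recent})
            completed = sum(1 for _, _, outcome in recent if outcome == "completed")
            if distinct >= min_distinct and completed / len(recent) <= max_completed_ratio:
                flagged[account] = max(flagged.get(account, 0), distinct)
    return flagged

# Constructed sample log: (timestamp, account, recipient number, outcome).
# Each event means the confirmation screen showed the registered name.
SAMPLE_EVENTS = (
    # acct-A: six different numbers in ten minutes, every transfer cancelled.
    [(f"2017-02-01T09:{m:02d}:00", "acct-A", f"08100000{m:02d}", "cancelled")
     for m in range(0, 12, 2)]
    # acct-B: an ordinary user paying the same person twice.
    + [("2017-02-01T10:00:00", "acct-B", "0820000001", "completed"),
       ("2017-02-01T18:30:00", "acct-B", "0820000001", "completed")]
    # acct-C: occasional caller-ID style checks, two hours apart.
    + [(f"2017-02-01T{h:02d}:00:00", "acct-C", f"08300000{h:02d}", "cancelled")
       for h in range(8, 20, 2)]
    # acct-D: a payer sending real transfers to six people in quick succession.
    + [(f"2017-02-01T12:{m:02d}:00", "acct-D", f"08400000{m:02d}", "completed")
       for m in range(6)]
)

if __name__ == "__main__":
    print(flag_name_harvesting(SAMPLE_EVENTS))
```

Only the bulk, cancel-everything pattern is flagged; the occasional check and the genuine multi-recipient payer both pass, which is the distinction a per-account limit on name reveals would need to preserve.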
What is sorely missing in this entire discussion is privacy. With a government e-payment network, the government sees everything that has happened. While proponents say that only tax cheats have anything to fear from transparency, one would have thought that privacy is a right, not a privilege.
Back when the ICT Ministry was first established, former Prime Minister Thaksin Shinawatra often spoke of how the smart ID card he launched would be used for payments, and how he could see in his Prime Ministerial Operations Center exactly how everyone was spending their money in real time. It is ironic that the junta which came to power opposing Thaksin would make his vision a reality. Then again, it is not that surprising considering how Thaksin’s finance minister is now the current deputy prime minister for the economy and basically doing exactly what he did before.
Into all of this comes the telecoms regulator and new requirements to collect fingerprints for SIM issuance in the name of improving security in the digital age. In an interview with the Bangkok Post, NBTC secretary-general Takorn Tantasit said collecting fingerprints was mandatory, but storing them in the system was optional. [What? – Ed.]
All mobile operators, including MVNOs, will need to install fingerprint scanners by March, and Takorn threatened to punish non-compliance by withholding numbers or even revoking operator licenses.
The cost of installing the fingerprint system to the telco will be around $28-56 (1,000 to 2,000 baht) per subscriber. At the end of 2015, the blended ARPU was $6.2 (220 baht) per subscriber per month. One does not have to be a mathematical genius to see where this is going, but Takorn did lessen the pain somewhat by saying that the fingerprint system costs could be deducted from the telco’s 3.5% Universal Service Obligation payments, despite fingerprinting having nothing to do with universal service provision.
Still, PromptPay is essentially a government e-Payments OTT service, so why should the telcos have to pay so much to help secure it?
More importantly, why does anyone have to pay at all, since fingerprints for every Thai citizen are already in the Ministry of Interior’s Bureau of Registration Administration (BORA) database and the Ministry of Foreign Affairs’ passport database? The central idea should be verifying the identity when issuing SIM cards against the existing citizen database (which was the case in Pakistan), not creating yet another database. By having to create its own database at huge cost, is the NBTC saying that the Ministry of Interior’s existing database is not fit for purpose?
On that last point, the answer is: no, it isn’t. In 2013 when the ICT Ministry was set up, we argued that BORA and its citizen database should be transferred from the Interior Ministry to the ICT Ministry. A database’s custodian should not use the database itself, so as to maximize the value of the data for all, as opposed to just making it work for the MOI. But BORA remained with the MOI, and all the MICT got was to help procure the smart cards for BORA, which was beside the point. Had the MICT (now Digital Economy Ministry) succeeded 13 years ago, it would be in the MICT’s interests to have the database work for the NBTC as much as it worked for the MOI.