BPI and BDO: A tale of 2 banks



BDO’s ATMs were hacked; Senate deceived into believing otherwise

Last of 2 parts

THE Senate committee on banks, financial institutions and currencies conducted its inquiry into the state of the banking system to douse any further speculations on what happened to the Bank of Philippine Islands (BPI) and Banco de Oro (BDO) and to placate any concerns that the depositing public might have with respect to the security of Philippine banks.

BPI revealed that it has a cybersecurity operation center which tracks about 20,000 events per second happening within their network infrastructure. It has a third-party provider, FireEye, which gave them a negative report on noise relative to hacks.

FireEye, Inc. is a publicly listed cybersecurity company based in Milpitas, California, that provides services to protect enterprises against cyber threats. FireEye can detect and stop threats across an enterprise’s network before they could wreak havoc.

On the part of BDO, Edwin Reyes, the transaction banking group head, admitted that all IT systems environments have potential points of failure.

Reyes said that only seven automated teller machines (ATMs), out of their 3,700 ATMs, were compromised by “skimming”. This was related to the three recent fraud events that happened to BDO. He added that 95 fraud cases had been filed against the perpetrators.

BDO president Nestor Tan, just a week earlier, had downplayed the reports of ATM fraud and said that these were “nothing out of the ordinary” and cards are disabled if there is reason to believe that they were compromised. He further claimed that ATMs are compromised every now and then.

It is worth recalling, too, that a Bulgarian, Orlin Grozdanov Stoev, was arrested on June 15 for ATM fraud. He was caught in possession of 15 cloned ATM cards, among other things.

According to BDO’s Tomas Mendoza, a skimming device is inserted in the ATM’s card slot to duplicate the data in the card’s magnetic stripe and a pin pad overlay is installed to capture the corresponding PIN. The data stored in these devices had to be retrieved later by the fraudster. Mendoza even claimed that these devices can be bought openly in the dark web.

Peter Louie Magdame, the head of BDO’s Support Services Division, stressed that there was no hacking involved in their bank’s case. He claimed that the term hacking typically happens through bank systems and software. “This is physical. Not hacking per se,” he added.

I beg to disagree with Mr. Magdame.

Magdame’s erroneous claims have no basis, whether it is legal or technical. Magdame is neither a lawyer nor an IT expert. He graduated with a degree in economics from the University of Asia and the Pacific in 2002 and joined BDO in December 2014.

It might not be clear to him what hacking is. What is clear is that Magdame deceived the senators into believing that hacking was not present in the BDO case.

According to TechTerms.com, “A hacker can ‘hack’ his or her way through the security levels of a computer system or network. This can be as simple as figuring out somebody else’s password or as complex as writing a custom program to break another computer’s security software.”

The simplest technical definition of hacking is found in the Cambridge Dictionary. It is defined as “the activity of illegally using a computer to access information stored on another computer system.”

Let’s look at the legal definition of hacking in the E-Commerce Act of 2000. Section 33 (a) states: “Hacking or cracking which refers to unauthorized access into or interference in a computer system/server or information and communication system; or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices, without the knowledge and consent of the owner of the computer or information and communications system.”

The ATM fraud committed using BDO’s seven ATMs was clearly hacking – both in its technical sense and in its legal sense.

The PIN is the cardholder’s password to access his account through the ATM, which is obviously a computer-based machine. The PIN requirement is the first level of security in the ATM. The fraudster gained access to the cardholder’s bank account and withdrew money from it using the surreptitiously exposed PIN. This is hacking.

The perpetrator used a skimming device, which is a computer in itself, to illegally access the cardholder’s bank information, which is stored in BDO’s computer, which is obviously another computer. Thus, by Cambridge’s definition, it is hacking.

Relating it now to the legal definition, the perpetrator performs an unauthorized access, or any access for that matter, to steal information (that is, the cardholder’s financial data) without the knowledge and consent of the owner of the computer system (BDO) resulting in damage to the depositor. Legally speaking, this is hacking.

Magdame’s assertion that it was “physical, no hacking per se” is again misleading. He should know that there is a thing called “social engineering.” Social engineering is the simplest form of hacking into a computer system. It relies heavily on human interaction and involves tricking people into divulging confidential information. This is purely physical.

After all had been said and done, BDO should just admit that their ATMs were hacked!
