“THIS is human error; there was no hacking.” With those words, Chuchi Fonacier, Bangko Sentral assistant governor for supervision and examination, sought to explain the incident that took place at the Bank of the Philippine Islands on June 7 and for two days disabled the bank’s online and automatic teller machine (ATM) system.
The testimony was enlightening and so were the explanations offered by the officers of BPI. They were reassuring for a banking public that was stressed no end by the stark discovery that depositors could not access their accounts at the bank.
Considering the frequency with which the Senate conducts an inquiry into any subject at the whim of a senator, we think it is pertinent to ask here: Was it imperative for the Senate to expend taxpayers’ money and conduct an inquiry into the incident? What vital information was produced by the inquiry, which would not have been produced by the normal process of investigation that the BSP conducts on such incidents, as part of its work as banking industry regulator?
That said, we will acknowledge here that the Senate inquiry produced significant side information about how the banking system is striving to improve its safeguards and technical capabilities.
At the Senate inquiry, the BSP reported: “We conducted our investigation on the BPI incident. It isn’t complete yet.”
For their part, BPI officials told the chamber: “We informed our regulators that there was no breach of data privacy… An error in judgment on the part of one of our programmers led to an unscheduled fire generation, causing us to post wrong entries.”
At the same hearing, the Banco de Oro (BDO) unibank told the Senate that only seven out of its 3,700 ATMs were compromised by a skimming hack that occurred last week.
“Seven ATMs affected … from three locations. We have disabled cards that we know have been compromised,” said Edwin Romualdo Reyes, BDO executive vice president and transaction banking group head.
“The BDO case is different from that of BPI. The case is ATM skimming,” Reyes noted.
Skimming happens when illegal devices are installed to read the magnetic strip of an ATM card as transactions are ongoing. The bank received 95 complaints of unauthorized transactions that debited ATM accounts. To prevent this from happening again, BDO is currently upgrading its ATM network.
It would appear that the hearing was not for nothing. It produced significant information: there is an ongoing effort to upgrade the overall security of the Philippine banking system against hacking and other cyberattacks, which are now more common.
The BDO hacking incident showed the vulnerability of the magnetic strip card, said the BSP financial consumer protection department. As early as 2013, BSP ordered banks to migrate to the EMV chip card technology, so they would no longer use the magnetic strip.
EMV is the global standard for chip-based credit and debit card transactions that are supposedly more difficult for fraudsters to hack into, compared with the magnetic strip card.
Philippine banks are not yet fully compliant, it turns out. Because of all the requirements and things that have to be done for EMV to happen, the deadline for compliance has been moved to June 2018.
This is important. The EMV Card Fraud Liability Shift Framework (ECFLSF) protects customers from any liability from the use of magnetic strip cards. The liability is the burden of the bank or financial institution that is not compliant with the EMV requirement.
Even so, EMV will not guarantee that the human error that caused the BPI incident will never happen again.