ATTY. DODO DULAY

A LITTLE over a week ago, social media was flooded with reports of livid customers, including many overseas Filipino workers (OFWs), who claimed to have lost thousands of pesos to unauthorized transactions from their online bank accounts.

Two local banks made the headlines because of it. The first was the Bank of the Philippine Islands (BPI), which raised the alarm over a fake website that mimicked the genuine BPI website in order to dupe people into parting with their confidential information—and money.

Apparently, some BPI customers received emails asking them to click on a link for BPI Express Online. But instead of going to the official web address “www.bpiexpressonline.com,” victims were redirected to the web address “bpiexpressonlineph.com,” where they were made to divulge personal information regarding their online account.

Many users who did not notice the slight difference in the web address became instant victims. The cyber thieves even invested in Secure Sockets Layer (SSL) technology to make it appear that it was a “secure” online banking website—ergo, the real deal.

This scheme is known as “phishing.” Cyber criminals try to obtain sensitive information from customers, such as usernames, passwords, and credit card details (and sometimes, money) via email by disguising themselves as a genuine website. Usually carried out by email spoofing (or email messages with a forged sender address), it directs users to enter personal information at a fake website that appears identical to the legitimate one.

Another bank that faced several complaints is BDO Unibank, the country’s largest lender. Faced with a deluge of criticism in social media from customers grumbling about unauthorized withdrawals and purchases from their bank accounts, BDO issued a press statement apologizing to customers who had experienced fraud.

The bank admitted that there was an “extraordinary rise” in fraud attacks since October last year, particularly in claims of unauthorized online and offline purchases taking place in other countries. BDO said that they are dealing with highly organized crime syndicates who use sophisticated technology to breach accounts.

While the banking sector may be upgrading their cyber security systems, cyber criminals are also hard at work trying to find a chink in the banks’ armor. After all, cybercrime is a lucrative trade.

One analyst estimated that cybercrime cost the global economy $450 billion in 2016 alone. In the US, the FBI reported that the financial losses from cybercrime exceeded $1.3 billion. Meanwhile, in the Philippines, some studies estimate losses from fraudulent credit card transactions alone rose to P506 million in 2016 while the number of online scam cases reached over 500.

Stolen information, for instance, can be sold on the black market. Anyone can buy stolen credit cards and use the information to shop online. There was even a controversial exposé by Rogue magazine in 2012 about a Filipino fashion blogger who rose to international fame in the fashion world and led an ostentatious lifestyle, thanks to stolen credit cards. He purportedly used pilfered “plastic” to purchase designer bags and clothes, and to live the life of the rich and famous.

So, what is the government doing to address the rising incidence of theft and fraud online?

The Bangko Sentral ng Pilipinas (BSP) says it promulgated “pioneering guidelines on information security management that place a renewed focus on cyber security.” The BSP boasted that these guidelines were the “first of its kind in the Asean,” with the amended rules highlighting the role of the board and senior management of financial institutions “in spearheading sound information security governance and strong security culture within their respective networks.”

The BSP also required financial institutions to set up “a 24/7 security operations center (SOC) equipped with advanced technologies and manned by competent analysts to proactively monitor emerging and highly sophisticated cyber threats and attacks” and adopt advanced cyber security controls and countermeasures.

The BSP guidelines, however, mainly left it to the banks and financial institutions to decide what advanced technology, cyber security controls and countermeasures to adopt and implement. As an account holder myself, that doesn’t inspire much confidence, especially with the recent spate of online fraud.

The increasing occurrence of cybercrime is a major threat to the stability of our country’s banking system. And as the country’s central monetary authority, the BSP ought to take the lead in combating online fraud by imposing clear and specific cyber security standards that financial institutions should comply with.

For instance, all financial institutions should be required to use two-factor authentication (2FA) for all online transactions, whether for purchases or ordinary banking services.

“A two-factor authentication is an extra layer of security that requires not only a password and username but also something that only, and only, that user has on them, such as a piece of information only they should know. Using a username and password together with a piece of information that only the user knows makes it harder for potential intruders to gain access and steal that person’s personal data or identity.”

One of the more common methods is to use SMS technology where a one-time PIN or verification code is sent by text to the account holder’s cellphone. Although not entirely foolproof, it makes it much harder for cyber criminals to steal from your bank account.

In fact, big online companies like Google, Apple and Twitter as well as large online brokerage firms such as E-Trade and TD Ameritrade have all adopted 2FA for their clients. There’s no reason why our banks and financial institutions should not be required to do the same, all the more because it’s our money they’re holding.