Preventing cybercrimes
Since theft is mostly about money, banks are among the favorite targets of crack international syndicates employing the latest technology for their crimes. And the Philippines, given its strict bank secrecy laws, lax anti-money laundering regime, and vulnerable gaps in cybersecurity systems, seems more and more in the crosshairs of these syndicates lately.
The latest breach happened three months ago when the country’s 13th biggest bank — the state-run United Coconut Planters Bank (UCPB) — lost P167 million to cybercriminals who stole the money through ATM withdrawals and electronic fund transfers during the long Independence Day weekend last June 12.
Before this, the Philippines figured in the financial scandal that engulfed German payments firm Wirecard AG, which claimed that $2.1 billion of missing funds were deposited in two of the country’s biggest banks, an allegation denied by the Bangko Sentral ng Pilipinas (BSP) and the two lenders. In 2016, the Philippines was also embroiled in the theft of $81 million from the
Bangladesh central bank when the money was traced to a branch of Rizal Commercial Banking Corp., after which it disappeared in local casinos.
Financial crime syndicates may be attracted to the Philippines because it is one of the few countries still operating under strict bank secrecy laws that prohibit the disclosure of or inquiry into deposits in any banking institution.
Add to this the existing anti-money laundering law that lacks teeth to bring criminals to justice. To be fair, the successful apprehension and prosecution of cybercriminals is an uphill battle in other countries as well, and not only in the Philippines. But, given the difficulty in making the culprits pay for their crimes, it is but proper for the government and local financial institutions to do the next best thing — prevent such crimes.
The first step must be a comprehensive upgrade in cybersecurity, by fortifying the banks’ information technology (IT) systems, the main gateway of criminals in attacking financial institutions and their clients. Any gaps in a bank’s internet infrastructure can be easily exploited by expert hackers, as was evident in the UCPB case where the perpetrators allegedly took advantage of a weekend window when the bank was upgrading its IT security system.
Per a report in this paper on the revamp in the UCPB leadership that followed the heist, the BSP and the Commission on Audit submitted reports that were critical of the bank’s protocols. An official “familiar with the BSP and COA reports” was quoted as saying: “They had lousy controls, lax internal security, their IT [systems] were weak…”
Local banks need to adopt global best practices in, for example, installing firewalls and security software for their entire IT structure to prevent unauthorized entry into their systems. Banks also need to adopt best practices in authentication techniques for financial transactions, including the use of smart cards, facial recognition, and fingerprint sensors in automated teller machines (ATMs).
Millions of pesos were stolen from the UCPB through the unauthorized and repeated withdrawals from ATMs and online transfers. As the pandemic has curtailed physical contact and boosted the use of the internet for financial transactions, more fool-proof verification systems need to be put in place.
It is also important for banks to involve their clients in preventing cybercrimes. For example, frequent alerts and automatic messages to depositors to verify transactions should be the norm. Clients should be updated regularly on how they can protect their bank accounts by informing them of the latest schemes employed by cybercriminals. Likewise, banks need to be reminded often to know their employees very well. Many financial crimes succeed because of the involvement of accomplices within the targeted institutions. The same is true about educating employees on the danger of opening email attachments using the bank’s IT system, to prevent malware attacks that can compromise the bank’s entire operations.
Finance Secretary Carlos Dominguez III, whose department oversees government-owned banks such as the UCPB, vowed last week that the government would see to it that the perpetrators of the latest cybercrime are caught and punished. At the same time, however, he ordered all state-run financial institutions to ensure that their security systems are airtight and up-to-date. This norm should be true as well for all private banks. Since catching and prosecuting cybercriminals are extra-difficult undertakings, prevention — mitigating the possibility of any breach in the system — is the way to go.
The UCPB case is but the latest cautionary tale indicating that Philippine banks are being targeted by sophisticated international syndicates; reviewing and strengthening their IT and security controls should be top priority for these institutions.
