Disturbing breach
Since last week, scores of alarmed and irate clients of BDO Unibank have taken to social media to complain how their deposits were mysteriously drained of thousands of pesos or more, even if they said they did not click on any suspicious links or shared sensitive personal information that would have compromised their bank accounts.
Information shared online by the victims as well as information technology experts revealed a picture of a “sophisticated fraud technique” where cybercriminals were able to bypass the bank’s one-time pin (OTP) security feature to transfer money from the targeted BDO Unibank accounts to an account in another bank brazenly named “Mark Nagoyo” (“nagoyo” is Filipino slang for fooled). The Nagoyo account was with the Union Bank of the Philippines, and the money transferred to it was reportedly used to buy bitcoins.
According to BDO Unibank, close to 700 depositors were affected by the fraudulent transactions.
Realizing the grave implications of the breach, the Bangko Sentral ng Pilipinas (BSP) as well as BDO Unibank and Unionbank were quick to address the hacking incident. BDO Unibank chair Teresita Sy-Coson and president Nestor Tan themselves came out to assure distressed clients that the bank would restore the accounts hit by cybercriminals and that additional security controls have been put in place to protect the bank’s system.
Unionbank froze around P5 million from “mule” accounts where money from the compromised BDO Unibank accounts had been parked and then moved. Unionbank president Edwin Bautista said the bank would “not hesitate to take legal action against individuals who use their accounts to facilitate criminal activities.”
BSP Governor Benjamin Diokno also assured the public that the BSP would “do everything to ensure the safety and integrity of the financial system as well as the protection of financial consumers.”
BDO Unibank has explained that the cyberhacking incident emanated from its 10-year-old web service that is due to be phased out early next year. That is not much comfort to a public that expects banks to be on top of their system security, and aware that this incident is not an isolated case. As the country’s banking system has embraced the digital shift due to the COVID-19 pandemic, which closed bank branches and restricted mobility, the Bankers Association of the Philippines (BAP) revealed last month that more than P1 billion has gone down the drain so far this year due to fraud, such as unauthorized bank withdrawals and fund transfers.
How seriously vulnerable is the country’s digital banking system? After all, if BDO Unibank, the country’s largest bank in terms of total assets, loans, deposits, and trust funds under management, could be breached this way, how much more the smaller banks and financial institutions?
So far, the burden of protecting the accounts—and seeming blame for their compromise—have leaned heavily on the ordinary depositors. The messaging from both the banks and the BAP focused on getting clients to “never share login information” and “regularly change the passwords of their online bank account.”
BAP President Jose Arnulfo Veloso was heavily criticized last Sunday after he scolded depositors as if they were the perpetrators of the cyberheist. In Veloso’s formulation, “You will never be a victim of cybercrime if you would never give your personal information, such as one-time password, to other people. If you do not give your personal information to others, cybercriminals will never be able to steal your money.”
Veloso was obviously not listening to the stories of the aggrieved depositors, most of whom insisted that they never received an OTP request to warn them that their accounts were being subjected to unauthorized access. That the OTP and other security features were bypassed pointed to shortcomings by the bank’s system, and not negligence on the part of the depositors.
National Privacy Commission chair Raymund Liboro correctly pointed out that the highly profitable banking and financial institutions are responsible for securing their digital systems, especially as online transactions are only bound to increase. “Privacy and cyber self-management must be matched with greater accountability from banks,” stressed Liboro. “Banks must work toward building cyber resilience instead of putting the blame on customers.”
The BSP and the banking sector need to act with dispatch and transparency on this disturbing incident, not only in terms of establishing and explaining how the breach happened (“It is not a crime to be breached, but it could be a crime if it is proven the data controller was grossly negligent,” said Liboro), but also in pinpointing, apprehending, and successfully prosecuting the culprits behind it. At stake is nothing less than the people’s trust in the banks and financial institutions to whom they entrust their hard-earned money.
