How to deal with cyberattacks
Over the weekend, social media was flooded with posts about unauthorized transactions in the accounts of BDO Unibank clients. The hacked BDO accounts were reportedly used to transfer money to a Unionbank account that was subsequently used to purchase cryptocurrency. In a statement released Sunday, BDO acknowledged the use of a “sophisticated fraud technique” that affected some account holders and vowed to investigate. The bank also assured the public that it was going to improve its security measures and reimburse the victims.
It’s hard to tell at this point which vulnerability was exploited in this hacking. One theory is that the exploit involved a mechanism that may have circumvented some key controls, including the one-time password (OTP) system. Some victims have claimed that they did not initiate or approve the transactions via OTP, which should be triggered by a login using a new device.
Although one bank experienced this particular attack, any bank and financial institution can become a victim. Hence, everyone needs to stay alert and be doubly conscious about protecting sensitive information at all times.
Some attacks, however, do not require victims to reveal their information to criminals. Instead, malicious actors take advantage of vulnerable computer networks, weak controls, or third parties to gain access to information and do harm. One example of such attacks is the SIM swap, which involves gaining control of a phone number to which OTPs are sent. Another example is a Man-in-the-Middle (MitM) attack, which involves criminals eavesdropping on insecure networks to steal usernames, passwords, and other information sent over the Internet.
According to the US Federal Bureau of Investigation, these attacks are used to bypass OTP and other multifactor authentication (MFA) systems completely. While users can take steps to avoid these attacks, such as using fully encrypted services and software-based time-based OTP (TOTP), they can still become victims if a database or registry containing their information gets breached by criminals.
So what can be done to mitigate exposure to cyberattacks?
For the long term, a whole-of-society approach must be adopted where all stakeholders are protecting themselves and applying basic security measures so that everyone can be safe.
The Bangko Sentral ng Pilipinas has cybersecurity measures in place, such as the guidelines contained in BSP Circular No. 808 s. 2013 on information technology risk management for banks and other BSP-supervised institutions.
The Department of Information and Communications Technology (DICT) has issued a series of memorandum circulars on cybersecurity since 2017. However, implementation and compliance remain a challenge among public institutions.
Other government agencies need to take heed of the steps mandated by the BSP and the DICT to be proactive on cybersecurity preventive measures.
Since cyberattacks can happen to any organization in any industry, an executive policy requiring all critical infrastructure owners and operators to adopt minimum information security standards is required. This can include mandating the establishment to establish proper incident response and incident reporting mechanisms. Information sharing, which helps organizations learn from the mistakes of others, is strong in countries like the US, South Korea, Japan, Australia, and the European Union.
For immediate steps, telcos should look into message attestation, i.e., knowing the source of a message, and putting stronger controls for SIM replacement. Banks should also consider TOTP instead of SMS OTP.
Individuals should revisit habits that might compromise their personal information. Sharing one’s PIN (e.g. asking other people to do one’s bank errands) and a loose attitude toward data privacy (e.g. leaving billing statements lying around or throwing them in the trash without shredding) can lead to scams and fraud. This bank hacking incident should serve as a reminder to take greater caution.
While information security measures and cyber hygiene cannot guarantee zero attacks, they can help mitigate risks, help organizations respond faster and better to incidents, and ensure resilience when the next cyberattack strikes.
(With inputs from Sam Chittick)
—————-
The authors are part of Secure Connections, a cybersecurity project of The Asia Foundation-Philippines. The views expressed in this article do not necessarily reflect the views of The Asia Foundation.
###—###
#ColumnName
COMMENTARY
Lito Averia, Liel Pascual,
William Yu, Angelo Gutierrez,
and Grace Mirandilla-Santos
