Data leaks: More than SIM cards

I recently received a text telling me that my account had been put “temporarily on hold” and that I needed to verify my account. There was a link given, which I dutifully clicked and which brought me to a site that looked exactly like the BDO portal, with the boxes to enter the username and password.

I started typing in the username then got suspicious. What caused the suspension in the first place? Shouldn’t there be an explanation?

Fortunately, I looked up the screen and found the site was not BDO’s. My BDO branch of account was close by so I rushed over to check with them. The bank staff confirmed it was a scam to get victims’ private data.

A few days later I received another text, this time telling me it was my Landbank account that had been suspended. Very similar “modus” (Filipino slang for scams, from “modus operandi”) with a link that got me into an authentic-looking, but fake, website.

So much has been appearing in the media warning the public about SMS scams, and certainly the ones I just described point to possible leaks with cellphone numbers and the owners’ names, but I can’t help but think we have a bigger problem of scams that involve banks as well, considering the scam texts I got were for banks where I have accounts.

This has been a concern for me for years now after someone was able to get Citibank (now part of Unionbank) to transfer an amount of US dollars from my account to a small rural bank in Bulacan! Citibank responded quickly to my complaint, but I was aghast when they showed me the documentation that got them to transfer the money: a badly typewritten note, wrong grammar, asking for the transfer to be made, with a good replica of my signature.

I told Citibank at that time that they were inviting data breaches that way. In our high-tech times, why do banks still insist on constantly collecting multiple signatures from clients? How long before our banks will realize that the fewer specimen signatures the better, and why can’t they all be entered electronically, rather than on paper, which is often carelessly filed away?

Common sense tells us that the more signatures there are, the greater the chance of hacking. As the Filipino saying goes, “Paano kung nasa loob ng bahay ang magnanakaw?” What happens if the thief is inside the house (or the bank)?

The irony, too, is that despite all the specimen signatures that are collected, when it comes to check processing, the banks use dumb machines to read signatures and any slight deviation—an uncrossed “t,” an “a” that isn’t fully closed so it looks like a “u”—and the check is denied, the bank calling you to issue a new one.

Be sure, too, about the ink—blue is preferable to black, and red is forbidden, I am told, which I can understand, but I’ve also had checks returned because I used purple and turquoise ball pens. It seems banks are drab colorless institutions that only like the colors of money. Oh, fountain pens are not acceptable either, nor are calligraphy pens.

No wonder people are intimidated by banks, people who are poor, people who have difficulties with signing, and the elderly.

I have another pet peeve: why do so many companies, especially condominiums, use such long names that don’t fit into the space given to write the payee name? That and the sometimes complicated amounts that need to be paid can make check-writing a major ordeal.

It may seem I’ve strayed from the topic of data privacy breaches but look at it this way: people who have problems with all the requirements of banks (and companies with long names) are more likely to ask for help from trusted relatives to write out the checks, or withdrawal slips, or deposit slips and that can be a source of data breaches, too. We go back to the problem of inside jobs, literally from within the home.

Who can we trust these days? If only dogs could be trained to sniff out scams and to sign checks.

mtan@inquirer.com.ph
