By Bianca Cuaresma & Oliver Samson
Conclusion
THE seemingly most reported form of bank scams are always through the use of plastic money, such as credit cards, debit cards and automated teller machine (ATM) cards, and those done in cyberspace.
The techniques of card thieves, scammers and fraudsters have been wide-ranging—spanning from the most outright theft of the physical card to e-mail, wherein the sender pose as the financial consumers’ bank or credit-card company agent.
In 2013 the country lost some P220 million in bank scams and frauds, as reported by the Bangko Sentral ng Pilipinas (BSP) to the Senate.
Skimming, for example, has been one of the more notorious forms of electronic scams, where scammers illegally copy information from the magnetic strip of a credit card. Scammers then use the information stolen to manufacture counterfeit credit cards or to use in online transactions.
Phishing has also been apparent in recent technologies, where victims are sent e-mails from their bank or credit-card company looking like the “real thing” and asking for crucial information, such as log-in information and passwords.
Phishing
ANGEL Redoble, chairman of the Philippine National Police Anti-Cybercrime Group Advisory Council, explained that phishing is usually executed through sending emails.
Redoble told the BusinessMirror the e-mail entices the victim to visit a malicious web site and make them supply their login credentials.
“The more sophisticated phishing attacks that we have seen are those pretending to be your bank and telling you to update your login credentials by redirecting you into a web site that mimics the web site of your bank,” he explained. “While some are able to identify this scam, many of our netizens are still vulnerable to this kind of identity theft.”
Phishing may also be done using methods and forms other than e-mail, according to the central bank. The BSP cited other methods as mobile-phone text messages, chat rooms, fake banner ads, message boards and mailing lists and fake job-search sites and job offers. “Fake browser toolbars may also be used to get information.”
Skimming
REDOBLE said skimming is done through the use of devices that are used in restaurants and other establishments where the perpetrators are those who are also working in these establishments.
When you pay using your credit or debit card, these suspects swipe your card to their skimming devices and download all the information from your card.
“The vulnerable item or target here are the credit-cards,” Isaac Sabas, CEO of Pandora Security Labs, told the BusinessMirror. “This is because the credit card vendors or merchants are not keen in securing the customers’ credit-card information.”
Sabas, who founded the homegrown security solution developer, explained “given that we utilize technology and software to transact, attackers turn their attention into circumventing the business logic of the software or even attacking it to get credit-card data.”
“Once credit card data is harvested, anyone with the credit-card holder’s information can use the card as if they were the owner,” Sabas said.
Another skimming device is the one installed on ATMs, Redoble said.
“Unsuspecting ATM users are victimized by merely doing legitimate transactions in the ATM,” he explained. “It is usually installed on the card entry part, when you slide your card into it, the skimming device will also download all your information.”
The latest skimming device is the connectionless skimming device, Redoble said. This type of device victimizes cards that are using radio-frequency identification, he explained.
“If your card and the device are within range, your information will be downloaded without the need to get hold of your card.”
Response
As a response to the ever-evolving nature of bank scammers and fraudsters, the BSP is rolling out several more stringent reforms to the banking industry’s security, taking advantage of the fact that the sector is in the pink of health.
As of end-June this year, the total resources of the Philippine financial system stood at P15.8 trillion, 9.6 percent higher than the previous year’s P14.4 trillion.
The Philippine banking system’s assets also grew during the year by 12.2 percent to P12.5 trillion as of the first half of the year. Latest capital adequacy ratios show the banking industry is well above local and international thresholds.
“The pursuit of continuing reforms coming from a position of strength proved beneficial to the Philippine financial systems it continued to be sound and stable as evidenced by sustained asset expansion, improved asset quality, adequate liquidity and strong core earnings for the first half of the year,” the central bank said.
As such, the BSP is set to take advantage of this “position of strength” to implement recently established regulations and craft new ones to protect banks and consumers from scams, particularly in the rise of electronic transactions across the globe.
Interventions
Deputy Governor for the Supervision and Examination Sector Nestor Espenilla Jr. told the BusinessMirror the BSP prepared an “array of interventions” to counter scams in the country.
“[These range] from required physical improvements, like EMV [Europay, MasterCard and Visa] chip installation to guard against card skimming, to enhanced cyber-security risk management practices such as active account monitoring and real time transaction confirmation, to issuance of public advisories, to financial literacy programs,” Espenilla said.
In mid-2013, the monetary board issued a circular mandating banks to enhance their information technology risk-management framework to the evolving schemes of information thieves and skimmers.
Among the measures mandated was the shift from the magnetic stripe technology to a more secure EMV chip-enabled card by 2017.
Espenilla earlier said this banks are already “on track” with the deadline set next year.
Espenilla also told the BusinessMirror they are currently preparing further upgrades to the banks’ mandated information technology risk management standards.
Regulations
IN response to huge losses in scam activities, the central bank mandated all banks operating in the country to upgrade all ATM terminals and cards to shift from the magnetic stripe technology to the EMV chip technology.
“In the past, it was the hidden camera that was the solution. Banks could validate who and when people withdrew from which ATM machine,” the BSP Governor Amando M. Tetangco Jr. earlier said. “It turns out that not all ATM machines have the camera…. But more important, people now use hats to cover their faces so the camera has become ineffective.”
“Our solution then [from a technology perspective] is the chip-based card to replace the magnetic strip,” Tetangco added. “You cannot ‘skim’ a chip [that] is physically embedded in a card but not in its replica.”
The central bank is also bent on subjecting the entire banking industry to new and stricter security standards, as it announced this year their plans of drafting new guidelines to address emerging cyber-security threats, especially following the $81-million cross-border Bangladesh heist.
Espennila added that some elements in the new mandate of the BSP will require banks to craft their own defined cyber risk-management process.
Espenilla also said they are looking to implement “more stringent cybersecurity requirements” for BSP-supervised financial institutions with high cyber-risk profile.
“This would include adoption of more sophisticated security solutions, establishment of Security Operations Center, conduct of advance security tests such as compromise assessment and red-teaming exercises,” the deputy governor said.
Espenilla said added that are likely to roll out these new regulations in the first quarter of 2017.
Image credits: Nonie Reyes