BSP allays public fears over bank hacking
MANILA, Philippines — The Bangko Sentral ng Pilipinas (BSP) on Sunday moved to allay public fears triggered by mounting complaints on social media of several bank accounts reportedly being hacked and funds being transferred to the cybercriminals’ fictitious accounts in another bank.
Over the past week, BSP Governor Benjamin Diokno said that monetary authorities have observed a surge in this type of consumer complaints.
He said the BSP was already coordinating with the banks involved — BDO Unibank and Union Bank of the Philippines — to immediately undertake remedial measures, including the reimbursement of the money lost by the affected clients.
Both banks said they have taken measures to protect their clients from fraud.
BDO is the country’s biggest lender in terms of assets and is controlled by the Sy family. UnionBank, majority owned by the Aboitiz clan, is a recognized leader in digital banking technology.
“Rest assured that we continue to collaborate and engage stakeholders to ensure the safety and integrity of the financial system as well as the protection of financial consumers,” Diokno said.
“BSP will do everything to ensure the safety and integrity of the financial system as well as the protection of financial consumers,” he added.
Starting Dec. 11, various posts surfaced on social media such as Facebook about BDO clients complaining of illegal transactions using their accounts to transfer money to the UnionBank accounts of a certain “Mark Nagoyo.” The word “nagoyo” means “to be fooled” in the Filipino language.
BDO said it was aware of a “sophisticated fraud technique” that has affected some of its clients.
Bank president Nestor Tan told the Inquirer that the incident “affects a 10-year-old web service that is for phaseout” and that a replacement should be available early next year.
“We have already implemented additional security controls to block further attempts and continue to protect bank credentials,” BDO said in a statement. “We assure our affected innocent clients that we will reimburse their losses.”
BDO said its clients who use their online banking services have been required to update their passwords.
“Changing their password improves account security and prevents fraudsters from accessing their hard-earned money,” the bank said. “We assure our affected innocent clients that we will reimburse their losses.”
BDO gave no information on the number of depositors who were affected and the amount of money stolen.
The bank added that it was continuously investing and working toward improving their security infrastructure to protect clients’ money.
“While we have put back-end measures in place, we appreciate our clients’ continued vigilance to combat fraud,” BDO said.
UnionBank president Edwin Bautista also noted on Sunday that they already froze several accounts that received money from BDO accounts.
“We will not hesitate to take legal action against individuals who use their accounts to facilitate criminal activities,” he told Bloomberg.
Unlike previous cybercrime victims who either clicked a suspicious link or unsuspectingly gave their data like the OTP, the recent wave of complaints on social media claimed the bank account owners did nothing of that sort.
Many of the complaints alleged that cybercriminals were somehow able to access their BDO accounts even if they did not click on suspected phishing links or disclose any of their banking details in public, indicating that the security breaches were not due to the account holders’ negligence.
They also claimed that they did not receive any SMS prompts or OTPs that someone had logged into their account even when the online transactions exceeded the bank’s daily limit.
A well-circulated example on social media was that of the Facebook post of one Ellard Chua, who claimed that on Dec. 11, he was informed by several people that his name was being used in an alleged BDO Online Banking breach/hacking scandal.
“I did not receive a single peso. Someone is using my name as beneficiary, but the beneficiary account number is not mine. For Instapay transfers, you only need a valid account number, the account name is irrelevant,” he said.
At 12:30 p.m., he said he received a text from BDO that P50,025 was debited from his account and 30 minutes later, he received an email confirmation of the transaction that he “did not initiate nor authorize.” “Clearly, there’s a problem with BDO Online Banking. I hope they can fix it soon,” he said.
Janice de Leon, a resident of Hagonoy in Bulacan, also told the Inquirer that about P12,000 was removed from her BDO Kabayan account—a product that caters to overseas Filipino workers (OFWs) and their families—through several transactions made last Dec. 7.
Records of the transactions showed that payments were made to Steam, an online games vendor and platform based in Germany and the United States. The transaction stamps indicated Hamburg (in Germany) and the payments ranged from P218.40 to P4,328.39 each.
“I did my part to keep my bank account extra, extra secured,” De Leon said. “I don’t know how my account got hacked because I don’t make purchases online.”
She said that she made online transactions through BDO only when paying for her electricity and internet service bills. For other electronic payments, she relies on GCash, which also uses OTPs.
The National Privacy Commission (NPC) said it would also look into reports of data security breach that led to the unauthorized bank withdrawals from BDO and the use of “mule” accounts at UnionBank.
NPC Chair Raymund Liboro said in a phone interview on Sunday that the involved banks must prove that they had the appropriate security measures—organizational, technical and physical—in place when the breach occurred to prove that they were “not grossly negligent.”
“It is not a crime to be breached but it could be a crime if it is proven the data controller was grossly negligent,” he said.
The data privacy officers (DPOs) of both BDO and UnionBank have both reached out to the NPC and reported that they were still looking into the whole picture.
“So we’re awaiting whether they will report it as a notifiable breach within 72 hours with complete details after five days,” Liboro said. “We are already on the ball. Our team is looking at it and already had initial talks with the DPOs.”
Apart from notifying the NPC about the data breach, the bank clients affected must also be notified.
The Bankers Association of the Philippines (BAP), the umbrella organization of big financial institutions operating in the country, on Sunday issued a statement admonishing customers to be vigilant so as not to fall prey to cybercrime.
“You will never be a victim of cybercrime if you would never give your personal information, such as one-time password (OTP), to other people. If you do not give your personal information to others, cybercriminals will never be able to steal your money,” BAP president Jose Arnulfo Veloso said.
He asked users of online banking services to keep abreast of industry developments and, when they become a victim of cybercrime, to immediately report the incident to the concerned bank and to the police.
“Read the newspapers, follow your banks on Facebook, and watch your favorite social media influencers to know how to be safe while banking online,” Veloso said.