The Sy-owned BDO Unibank Inc. on Sunday, Dec. 12 said it will soon reimburse clients of losses due to cybersecurity breaches and appealed to their customers to protect themselves with vigilance in detecting fraud.
“We thank our clients for their patience and cooperation in protecting their online bank accounts (and) we assure our affected innocent clients that we will reimburse their losses,” said BDO in an official statement.
The country’s biggest bank said the use of “sophisticated fraud technique” breached their cybersecurity over the weekend.
BDO said they have “already implemented additional security controls to block further attempts” and to “continue to protect bank credentials." It also reminded clients to regularly update their passwords to improve account security and to block unauthorized access to their deposits.
“BDO are continuously investing and working towards improving our security infrastructure to protect our clients’ money. While we have put back-end measures in place, we appreciate our clients’ continued vigilance to combat fraud,” it added.
Bankers Association of the Philippines (BAP) president Jose Arnulfo A. Veloso, in the BAP’s own statement on Sunday, said all bank clients should be even more vigilant amid rampant and increased number of cybercrime incidents hounding the banking sector.
“An important reminder: You will never be a victim of cybercrime if you would never give your personal information, such as One-Time Password (OTP), to other people. If you do not give your personal information to others, cybercriminals will never be able to steal your money,” said Veloso who is also president and CEO of Philippine National Bank.
Veloso said the banking community has been regularly issuing public advisories and its “Cybersafe” campaign, and reminding clients to “read the newspapers, follow your banks on Facebook, and watch your favorite social media influencers to know how to be safe while banking online.”
“It is not enough to just know how to avoid cybercriminals. You are our ally when it comes to stopping them from harming other people. Whenever you encounter a cybercriminal, immediately report it to your respective banks and the police. This is so we can work together to take down cybercriminals, such as the fake bank websites they are using to trick others,” said Veloso. “Taking down cybercriminals does not just benefit you, but also other people as these criminals will no longer be able to harm them,” he added.
The BAP has been calling for the quick passage of the Bank Account and E-Wallet Regulation Act under the proposed House Bill No. 9615 to stem the rapid growth of cyber-related crimes in the banking sector. Under the proposed bill, those who are found guilty of phishing will be imprisoned for six to 12 years and fined P200,000 up to P500,000.
The Bangko Sentral ng Pilipinas (BSP) earlier on Sunday said it is coordinating with both BDO and the alleged recipient of the unauthorized fund transfers, Union Bank of the Philippines (UBP).
BSP Governor Benjamin E. Diokno said the central bank “will do everything to ensure the safety and integrity of the financial system as well as the protection of financial consumers.”
The BSP was reacting to social media complaints of hacking incidents where fund transfers were transacted without authority from its owners and depositors. It was posted on social media that amounts ranging from P25,000 to P50,000 were transferred from BDO to one or several UBP accounts.
Diokno said the BSP is in “close coordination with BDO as well as UBP on this incident to ensure that remedial measures are being undertaken, including reimbursement of affected consumers.”
“Rest assured that we continue to collaborate and engage (with) stakeholders,” the BSP chief added, to protect financial consumers from cyber-related crimes such as phishing, SMiShing and other unauthorized transactions.
While BDO is the country’s largest lender, UBP is one of the first banks to offer digital services and is one of six local banks with a digital bank license.
BSP Memorandum Order No. M-2020-066 issued last August said the central bank’s cyberthreat surveillance points to SMS-based attacks as a growing and predominant type of attack and that this attack is effective because of the attackers’ ability to deceive bank clients by convincing them of the urgency of an immediate action.
Smishing, for example, is normally executed in combination with SMS spoofing wherein the SMS sender ID is altered so that the message appears to be coming from a financial institution or entity, according to the memo.
BSP Deputy Governor Chuchi G. Fonacier said they issued the memo not only as a reminder for banks to step up cybersecurity but also to intensify customer awareness of such threats.
She said banks should be extra vigilant against SMS-based attacks and to “provide necessary guidance to minimize impact such as fraud losses and incidents to (banks and non-banks) and their clients,” she said.
Fonacier said the industry – generally – have appropriate cybersecurity protection such as the multi-factor authentication (MFA) controls as back up safety features because the sending of one-time passwords or OTPs have “inherent vulnerabilities and weaknesses.”
“The BSP, in close collaboration with industry players and other regulatory agencies, continues to closely work together to ensure that the industry is able to anticipate and proactively respond to the changing and uncertain cyberthreat landscape,” she added.
The BSP reminded banks to act immediately on customers’ complaints and verification requests in relation to SMiShing and SMS spoofing to minimize financial losses to their clients.