BSP publishes memorandum for cyber fraud and attacks on retail electronic payments and financial services


As online transactions have grown in the country, so have cyber attacks.

Hackers are highly adept and continuously evolving their methods to gain access to sensitive data. As new protocols harden data security, hackers are turning to social engineering to manipulate potential victims into giving up information about their financial accounts, among other things.

One of the most common ways of getting information from you is phishing and its variations “smishing” (where hackers send you seemingly legitimate text messages) and “vishing” (where hackers send you a voice message).

To counter these attacks, the Bangko Sentral ng Pilipinas (BSP) has published Memorandum No. M-2022-015, with the subject: Recommended Control Measures Against Cyber Fraud and Attacks on Retail Electronic Payments and Financial Services.

The memorandum, signed by Chuchi G. Fonacier, Deputy Governor of the Financial Supervision Sector of the BSP, on 22 March, contains recommendations to eliminate possible exploits hackers can use, increase notifications so that people can respond immediately, and strengthen protocols.

The recommendations include:

  • Removal of clickable links in emails or SMS sent to retail customers, followed by an information campaign that the BSFI will no longer be sending clickable links.
  • Customer notification through the existing mobile number or email registered with the BSFI whenever there is a request to change a customer’s mobile number, email address, or account credentials.
  • After the conduct of a thorough risk analysis and assessment, the implementation of the following controls:
    a) Mandatory fund transfer transaction notification to customers through SMS and/or email for transactions exceeding a predefined amount;
    b) Holding period or delay before activation of a new soft token on a mobile device; and
    c) Cooling-off period before the implementation of requests for key account changes such as those for the mobile number and email address.
  • Personalized SMS/email OTP messages for device registration, fund transfer, and profile update, among others.
  • Restriction on any BSFI officer or representative manually obtaining or inquiring about critical authentication information such as a customer’s password and/or one-time password/PIN.
  • Creation of dedicated and well-resourced customer assistance teams that deal with feedback on potential fraud cases on a priority basis.
  • Conduct of regular customer education campaigns against online scam and phishing schemes, with mechanisms to monitor their effectiveness and relevance; and
  • Adoption of strong fraud surveillance mechanisms to ensure prompt responses in dealing with the growing threat of online scams.

These recommendations are meant to bolster current security controls, such as multi-factor authentication and the takedown of phishing sites, among others.

The memorandum also encourages the BSP’s Supervised Financial Institutions (BSFIs) to collaborate with information-sharing platforms (the Bankers Association of Philippines Cyber Incident Database was mentioned) to conduct fraud investigations and recover stolen funds. It adds that a BSFI may need to seek assistance from, and cooperate with, law enforcement on cybercrime cases.