BPI to invest more in cybersecurity

Published August 12, 2022, 5:10 PM

by Lee C. Chipongian

Ayala-led Bank of the Philippine Islands (BPI) will increase the budget for its IT and cybersecurity systems as they add more services including cheque deposits in their mobile banking app this year.

BPI officials, in their first #BPITechTalk: BPI Online and Mobile App on Friday, Aug. 12, did not disclose how much investments they will allot for digitalization and to strengthen its cybersecurity, except assuring their clients that they will maintain their reputation as the bank with the highest budget for its IT security controls.

The bank usually spends about P10 billion a year for its IT and cybersecurity investments. BPI has close to eight million to nine million clients and three or four million unique active users of its online and mobile apps.

BPI vice president for consumer platforms business, Fitzgerald Chee, told reporters that 60 percent of their client base is enrolled in the bank’s electronic platform. “There’s a lot of room for us to develop and grow this digital space and transactions. We plan to continue to introduce new features to make it easier for clients to transact and to shift (to digital) … including allowing cheque deposits via the app,” he said. Introduction of e-cheque is also coming out for the banking sector soon, he added.

BPI vice president and head of corporate affairs, Owen L. Cammayo, meanwhile said the bank continues to invest heavily in cybersecurity as a demonstration of their commitment to their near nine-million strong customer base.

“It does not mean it’s because we have a lot of cybersecurity (issues) it just means that we are committed to take care of our customers’ funds. That’s our obligation…

We all need each other’s help. We have to work together to communicate that. Education and awareness is really key to create a much safer, cybersecure environment,” said Cammayo.

BPI’s enterprise informaion security and data protection officer, Jonathan John Paz, who presented the bank’s numerous secure mobile app development, said they do extensive monthly tracking on fraud.

“We are infact increasing our budget for expenses for cybersecurity but it’s driven not by any fraud numbers. It’s driven by the threat landscape. It is evolving. The ability to launch attacks, the threshold for doing so, the skill, have been increasing lately because of several developments like Ransomware,” he told reporters.

Paz said BPI has been able to contain these cybercrimes and regular hits to its cybersecurity controls. “We’d like to take keep it at zero as much as possible. It has been contained notwithstanding the exponential growth in terms of transactions made online,” he said.

Even during the height of the pandemic in 2020 and 2021, when cyber attacks were rising, BPI has put a lid on these attempts to breach their systems. “We are able to keep to a low levels for much of the pandemic. We saw a spike early in the pandemic but those numbers have since gone down. The incidences have been contained and they are nowhere near proportional to the skyrocketing increase in transactions being performed online,” he stressed.

Paz, however, warned the banking public that it does not take much technical know-how on the part of hackers or cyber criminals to commit fraud. “You don’t need to be a good programmer to be able to launch Ransomware attacks. Tools are readily available on the darknet. Even people in highschool can launch attempts. No need to have years in hacking to be able to craft malware,” he said. The darknet, also known as darkweb, is an encrypted internet world not searched by regular search engines and typically hidden. Hackers are readily available on both the darknet and the searchable internet.

“The threat landscape is evolving and that’s the main driver of our expenses. We are trying to keep up,” said Paz.

Cammayo cites data and even the Bangko Sentral ng Pilipinas (BSP) that most cybercrimes are committed by hitting on human nature’s weakest point.

“The primary reason or weakest link in any cybersecurity incident will always be the user. We can categorically say that it’s not because of our cybersecurity systems. There’s no breach, there’s never been a breach. However, because of the user issues, that’s where cybercrime pounces on. We’re (users) the weakest link because we get influenced by the drama and emotions, and we fail to realize that we are being duped,” he said.

Chee emphasized that BPI is “very careful” they do not make mistakes. “We want to limit our exposures. What we’ve done is we introduced an ability to be able to personalize to the individual (based on their) risk appetites. To set how much you will allow for every transaction,” he said, adding that despite Covid and other headwinds that may constrain economic sectors amid a recovering economy, BPI’s mobile banking has much potential and room for growth.

Paz said right now, BPI is adopting and maintaining an open API security framework, implementing secure coding, security control baseline/checklist, and an updated quality assurance processes. It also regularly conducts diligent exercises of vendor management, subscribes to brand/online asset protection service, and has a strong project management governance.

BPI is also keeping close watch on the threats to mobile banking, such as the continued proliferation of malware. There was a noted 80 percent increase in new banking trojans.

Paz also disclosed that 68 percent of digital banking fraud come from mobile channels, of which 59 percent are from apps and nine percent from browsers.

He also pinpoints rogue apps as threats. The industry has seen a 49 percent increase in rogue apps since the third quarter last year; a 274 percent increase in brand abuse; and 34 percent from downloading from third party sites. Bypassing official appstore defense mechanisms is another threat to mobile banking that are increasing this year.

BPI currently has about five digital solutions. The 171-year old bank has the EOL or BPI Mobile for retail, the Biz Link for top corporates and BanKo for their self-employed and micro-entrepreneur customers. The bank also has “mini apps” for mini digital solutions.

Most cyber incidents reported to the BSP target retail customers. These cyber criminals were not even “highly technical” or using advanced tools, said the BSP.

Based on the BSP’s cyber threats surveillance, in 2021 the top three types of cyber incidents reported by banks and non-banks were: phishing; “card not present” fraud; and identity theft.

The most common cyber fraud is phishing and other variants such as smishing and vishing. It leads to account takeover and social engineering attacks. These are intended to manipulate customers into disclosing sensitive personal and account information necessary to execute unauthorized transactions.

The BSP has received almost 10,000 consumer complaints in 2021 and while not all are cyber-related, it is a significant chunk or rising threats against financial consumers, both online and offline.