As the Philippines sees a rapid surge in digital banking, the nation’s cybersecurity landscape has become a critical battleground for financial institutions. In a recent discussion, Russell Hernandez, chief information security officer, of UnionDigital Bank, and Milko Radotic, vice president for Asia Pacific, iProov, outlined the unique vulnerabilities of the Philippine market and the sophisticated biometric strategies being deployed to protect consumers.

The Philippines presents a unique set of challenges for digital security. Radotic identified three primary factors driving vulnerability: a young population that is technologically savvy that allows for more digital services, the geographical hurdles of an archipelago of more than 7,000 islands requiring remote-first solutions and bandwidth, and a complex documentation environment where the central bank (BSP) accepts different types of government-issued IDs, which makes it challenging to verify each one, unlike in other countries where there is only one or two documents.

Hernandez said the country's high social media and mobile phone exposure makes Filipinos prime targets for "opportunistic" fraudsters. Surprisingly, even the most tech-literate users are at risk.

Initiatives like the ‘Konektadong Pinoy Act’ allows more leeway for telco providers to supply data communication across the country. It helps people make different transactions online and this exposes them to scams and fraudsters. Perpetrators of these scams have become creative, targeting Filipinos via SMS, calls, or even on social media.

"Generation Z is tech-savvy... but I guess with the use of AI and the sophistication of attacks now, it's really hard for the older generation to spot these scams that use AI,” Hernandez said.

The discussion highlighted several prevalent fraud patterns, including account takeover (ATO), mule activities, and onboarding fraud. Russell called account takeover as "account hijacking," where criminals gain full access to login details to exfiltrate funds.

“For the financial sector, we are seeing the trend and I believe for UnionDigital, we’ve been also pro-active in combatting that,” Hernandez said. “That’s actually on our radar, as early as 2023-2024, we are seeing those trends already and that’s why we partnered with iProov.”

Hernandez describes a Mule account as partnering with the fraudster where that account will be the exit for the funds to flow through.

Hernandez also talked about social engineering, and how fraudsters will impersonate government officials to get information out of you. For instance, they will trick you into downloading the new SSS app, which will contain malware that can intercept OTPs and other information that will give the fraudsters access to your bank or allow them to take over your account.

To combat these threats, UnionDigital has integrated iProov’s science-based biometric technology. This system distinguishes between a real human and a digital spoof (like a mask or deepfake) using two levels of assurance: Express Liveness and Dynamic Liveness.

For high-risk transactions, Dynamic Liveness utilizes a unique sequence of colors flashed from the device screen to illuminate the user’s face.

Radotic explained, “For the higher level of assurance we use very specific technology that is using the light on the screen of the device to effectively illuminate the face of the individual that is doing the transaction and the colors of the sequence of the colors is always different, always unique, it’s almost like a one-time key that’s being generated."

This allows the system to verify the person’s physical presence in real-time.

“In terms of onboarding, we really want our customers to experience seamless accessibility, verification with less effort for them to do it,” Hernandez said, when answering the question on how the integration of the biometric security affects user experience.

Hernandez mentioned that before iProov integration, there had been customer friction and user drops. That changed with iProov integration, where verification improved.

As generative AI becomes more accessible, Radotic confirmed that the industry is in a literal arms race. "The tools are available to far more low-level criminals... to the point where you can no longer trust your own eyes to determine if something is real or if it’s a deepfake.”

To stay ahead, iProov operates a global Biometric Security Operation Center and utilizes an in-house "red team" of hackers to test their own systems. This allows them to roll out real-time security upgrades rather than relying on reactive patches.

“The tools that are being made available for good are also being used by bad people for bad purposes,” Radotic said. “It’s an arms race for the technology that we provide to ensure that we are staying ahead of the challenges and the security threats and risks that will come. Because they will come.”

“As far as we know, we are the only company in the world that has a biometric security operations center that effectively monitors all transactions that is happening globally, anonymized transactions, in terms of determining new types of tools, methods, and approaches that criminals are using that try to break biometric systems,” Radotic said. “And we have developed a technology that allows us to effectively rollout in real-time, security upgrades to all our customers and when new types of security threats have been identified. We also actively participate in the dark web to learn what is going on in that space and we have our own in-house red team that is responsible for trying to break our own technology.”

The regulatory environment is shifting to meet these threats. The Anti-Financial Scamming Act (AFASA law) now mandates that institutions use sophisticated fraud management systems. Furthermore, the BSP is encouraging a move away from SMS OTPs, which are no longer considered secure.

For victims of fraud, Russell emphasized the importance of immediate reporting to the financial institution and authorities like the Cybercrime Investigation and Coordinating Center (CICC). Under the AFASA law, there is now a more coordinated response between originating and receiving banks to help recover stolen funds.

Ultimately, the collaboration between UnionDigital and iProov is about establishing long-term trust in digital systems. Russell concluded by anchoring the bank's mission to their brand mantra: "Kaya Mo," which translates to "You can do it,” Hernandez said. “If you have this kind of trust for our customer, you can do secure transactions, we always look at that for our customers and that’s how we provide value."