FROM the halls of Congress and of financial regulators, words have echoed across the street that government is taking the “digital pickpocketing” cited in social media seriously.
So serious in fact that Finance Secretary Carlos G. Dominguez III vowed to push for a unified cybersecurity system.
Dominguez told reporters on Monday he will “suggest” to the Department of Information and Communications Technology (DICT) the adoption of an arrangement created by the insurance cluster for a shared cybersecurity system.
The Department of Finance (DOF) chief earlier instructed government financial institutions (GFIs), state-run pension fund and insurance agencies and the revenue and treasury agencies to enter into their respective memoranda of agreement (MOAs) on a shared cyber-defense strategy.
The DOF chief’s proposal came after BDO Unibank Inc. admitted that “a sophisticated fraud technique” has affected some of its clients.
Likewise, Union Bank of the Philippines Inc. (UBP) President Edwin R. Bautista—quoted by Bayan Muna Party-list representatives—said that fewer than 10 of its clients were among those that received funds from BDO Unibank accounts. These transactions have been flagged on social media by clients as fraudulent.
Banks concerned
Dominguez told reporters he is “very aware” of the complaints of many depositors and have brought the matter up to the top management of the banks concerned and the Bangko Sentral ng Pilipinas (BSP) “as early as two weeks ago.”
He added: “As early as 18 months ago, all the GFIs embarked upon a program to strengthen all their cybersecurity defenses in anticipation of precisely this type of criminal activity.”
Dominguez expressed confidence that banks have already taken steps to protect their clients and “bring the perpetrators to justice.”
He said he recently ordered the creation of a working group composed of representatives from these agencies to work on identifying the potential cybersecurity threats and cases of cyber fraud that they may encounter, and on determining ways of eliminating or mitigating these risks.
Agencies have entered into MOAs for shared cybersecurity defense strategy.
These include the following institutions: the Land Bank of the Philippines (LandBank); United Coconut Planters’ Bank (UCPB); the Development Bank of the Philippines (DBP); the Insurance Commission (IC); Philippine Health Insurance Corp. (PhilHealth); Philippine Deposit Insurance Corp. (PDIC); the Government Service Insurance System (GSIS); the Social Security System (SSS); the Bureau of the Treasury (BTr); Bureau of Internal Revenue (BIR); and, the Bureau of Customs (BOC).
Dominguez also said the government may tap the expertise of the private sector in coming up with a shared cyber defense strategy covering state institutions and agencies under the DOF.
Measures, mechanism
At the House of Representatives, several lawmakers filed a resolution directing the House Committee on Banks and Financial Intermediaries to look into the reported widespread fraudulent online bank withdrawals from clients of the BDO Unibank.
Bayan Muna Reps. Carlos Isagani T. Zarate, Eufemia C. Cullamat and Ferdinand R. Gaite filed House Resolution (HR) 2405 after several online bank users complained of the unauthorized online access of their bank accounts.
Likewise, House Ways and Means Chairman Joey Sarte Salceda filed two resolutions calling various House committees to hold hearings not only to assess the safety features in digital banking but also the ability of law enforcement agencies to enforce laws against financial cybercrimes.
Salceda filed HR 2406 urging the Committees on Public Order and Safety, and Public Accounts “to conduct hearings, in aid of legislation, on the capacity of law enforcement agencies to apprehend, detect, investigate and prosecute financial cybercrimes.”
Salceda also filed HR 2407 urging the Committee on Banks and Financial Intermediaries “to conduct hearings, in aid of legislation, on the safety and security measures and user protection mechanisms being undertaken by banks and electronic payment solutions providers to protect their customers from being defrauded.”
“Without adequate protections from banks for their retail users, ordinary citizens are compelled to use digital payment solutions due to mobility restrictions and convenience even when they are not certain about the security of their hard-earned savings,” Salceda said.
Bayan Muna reps
SALCEDA cited Republic Act (RA) 10175 or the Cybercrime Prevention Act as penalizing computer-related fraud or the unauthorized input, alteration or deletion of computer data or program or interference in the functioning of a computer system, causing damage thereby with fraudulent intent.
However, according to Salceda, law enforcement agencies do not yet have specific anti-financial crime units that are otherwise typical in other countries.
“Financial crimes similar to the reports could be prosecuted under the aforementioned provision of RA 10175 if law enforcement agencies have the capacity to apprehend, detect, and investigate financial cybercrimes,” he said.
Bayan Muna representatives said Congress should protect the welfare of the Filipino people against these fraudulent activities, especially amid the pandemic and economic crisis.
Ensuring measures
According to the Party-list group, some victims posted pictures of texts and email that showed the unauthorized fund transfers.
“More than the admission of the occurrence of security breach or fraud and pursuing reactive measures, the members of the banking industry, as well as the BSP, should put in place more protective measures and policies to protect the interest of the public and the integrity of the banking transactions,” the group added.
The Bayan Muna representatives also called for speedy reimbursements of the affected consumers of their lost hard-earned money.
BDO Unibank has released a statement saying the financial intermediary has already implemented additional security controls.
The bank said it has also required its online bank users to update their passwords. The listed bank gave assurances it will reimburse the losses of affected innocent clients.
For his part, BSP Governor Benjamin E. Diokno said the central bank is also “in close coordination with BDO as well as UBP on this incident to ensure that remedial measures are being undertaken, including the reimbursement of affected consumers.”
Safeguards
Senator Joel Villanueva asked the Duterte government last Monday to convene an inter-agency task force to promptly come up with countermeasures to effectively “block digital pickpockets” and “immediately get to the bottom of this and institute measures to prevent it from happening again.”
This, as he aired growing concerns that “any delay will corrode the public’s faith in our banking system,” reminding it is “a relationship based on trust.”
Villanueva suggested the President can call the DICT, the BSP, the National Privacy Commission and the National Bureau of Investigation, among others, that can be tapped to join the lead agencies in the task force.
Villanueva said he was airing the appeal for heightened cybersecurity to foil digital pickpockets preying on workers’ e-wallets and bank accounts.
The senator also reminded that if ordinary employees guard their hard-earned money against pickpockets, “banks should also make sure cybercriminals don’t pick the digital wallets of those who gave them their hard-earned pay for safekeeping.”
At the same time, the chairman of the Senate labor committee prodded government authorities to treat the security breach in one bank “as if it were a cyber-attack on our country of the grave kind.”
Reminding that “this goes beyond one company,” Villanueva emphasized that “the national reputation is (also) at stake,” warning that “the Philippines cannot be seen as having a porous banking system because such weakness will only entice cyber criminals to attack us.”
