Hackers change tactic, target small amounts from bank accounts
MANILA, Philippines — Fraudsters are shifting to other methods and techniques to illegally retrieve card information from unsuspecting individuals in light of the measures undertaken by the industry and the Bangko Sentral ng Pilipinas (BSP) for consumer protection.
There have been an increase in BIN (bank identification number) attacks targeting savings and even payroll accounts of unsuspecting bank clients.
Antonio Moncupa, vice chairman and chief executive officer of East West Banking Corp., said several banks have been targeted by this new method of skimming accounts using e-commerce sites such as Google and iTunes.
“Bank identification numbers are being attacked, hitting some other banks the last few weeks. It is not a hack as they don’t get into the bank system but rather, they use some algorithm,” Moncupa said.
Moncupa said the fraudsters are targeting small amounts so that no one-time password is needed. “By the way, we are now addressing that,” Moncupa said.
Under the scheme, fraudsters use the internet to access software, allowing them to generate new card numbers from an existing good one. These numbers are in sequence order within the same card bank identification number that are tested at merchants’ internet sites.
The numbers that prove to be successful are then used at different internet-based merchant sites to find a “hit.”
According to Moncupa, as a result of the new scheme, e-commerce transactions in the future could become less convenient as safeguards would have to be put in place.
“Unfortunately that will mean some e-commerce sight will become less convenient,” Moncupa said.
Union Bank of the Philippines president Edwin Bautista told The STAR the bank’s anti-fraud system is capable of two defensive approaches against BIN attacks.
“BIN attacks using algorithms is countered by software engineering,” Bautista said.
The Aboitiz-led bank check attack patterns by looking at number of transactions across a narrow range of cards over a short time period and at the same time has a predictive algorithm that flags probing, testing, and hitting patterns done from external sources.
“In addition, we employ a randomizer algorithm in generating card numbers so that it is not possible to guess CVV, card number and expiry dates given one or two known variables,” Bautista said.
BSP Deputy Governor Chuchi Fonacier said the regulator is now looking into the matter.
As early as 2017, the BSP issued Circular 958 on the adoption of multi-factor authentication techniques for sensitive communications and high risk transactions due to the increasing propensity and sophistication of cyber-attacks involving fund transfers, payments, and other transactions via online channels.
- Latest
- Trending
