Bank robbers

Bank robbers have gone high tech. Unfortunately, neither the banks nor the regulators are ready to deal with them. Our laws are also so behind the high tech criminals.

In the case last week, the good news is that BDO Unibank  has committed to reimburse the losses of close to 700 clients affected by the unauthorized electronic fund transfers that resulted in losses of between P25,000 to P50,000 for each affected depositor.

Nevertheless, the Bangko Sentral ng Pilipinas (BSP) created a task force composed of cyber and anti-money laundering experts to investigate the matter and submit recommendations within 30 days. The BSP elaborated that penalties and/or sanctions may be imposed depending on the results of the investigation.

In a way, what happened wasn’t as bad as what experts fear. The nightmare scenario is a ransomware attack on major banks or even financial markets, disrupting the flow of money and confidence in the system. If that happens, panic could be caused by social media ablaze with images of broken ATMs or inaccessible brokerage accounts.

The financial industry is a large target for many different groups – from organized criminals seeking to steal money to politically motivated groups attempting to make a statement, CNN commented in a report.

In the BDO case, depositors complained that there were illegal transactions in their accounts that transfered money to the UnionBank accounts of a certain “Mark Nagoyo.” The word “nagoyo” means “to be fooled” in Tagalog.

The crooks are obviously thumbing their noses at the banks, regulators, and depositors. They seem confident they can get away with their crime.

According to a report of Manila Bulletin, they received information from a reliable source that “the UnionBank Account #1094211022533 was used to buy Bitcoin worth P5 million from the cryptocurrency market on Dec. 11. The hacker siphoned money from BDO victims, transferred it to the UnionBank account number using a fictitious name, and immediately bought Bitcoin from it. The scammers hurried to do it over the weekend because they know that complaints are usually taken care of during office hours.”

Bulletin reported that they found about 20 names and account numbers used by the scammers to receive money from BDO victims.

Apparently,  when you transfer money, the names are irrelevant to the bank. What’s important is the correct account number that would receive the transfer. True enough, Bulletin quotes one of the victims, “when we checked, one of the victims’ accounts, transferred money to an account with a name that says GDHDVD HDJDHDH V verifying what Ellard Chua ( a victim) said that account names are irrelevant in money transfer.”

Victims interviewed by Bulletin all said that the cybercriminals did not trick them into clicking a malicious link to get their credentials.

Asked what steps account holders could do to protect their accounts, a victim with above average knowledge of online banking said: “Nothing. It’s a security breach. Until BDO secures their systems, users can only do one thing, that is to deactivate their online banking so that nothing could be debited.”

As I wrote in a previous column, government needs to update cyber crime laws and train an elite group of computer experts who can be steps ahead of the cyber criminals. Of course this is not going to happen.

Nestor Tan, BDO president, told the Inquirer that the incident “affects a 10-year-old web service that is for phaseout” and that a replacement should be available early next year. So the banks must also be steps ahead of the Nagoyos out there.

The BSP has been extolling the benefits of digitizing the banking system. But cases like this will seriously reduce the confidence of depositors on the system we now have. Until the BDO tells us what happened, it is easy to suspect someone inside the bank is working with the crooks.

As for Union Bank, how could someone named Nagoyo been able to open an account? Who was the officer that authorized the account opening? The Know Your Client principle holds the bank accountable.

Apparently, Union Bank has a relatively liberal KYC requirement for opening an account online. Also, during the pandemic, they onboarded around 1.8 million ayuda benefeciaries.

I am told that in our poorer barangays, there are syndicates offering P3,000 to P5,000 to buy such accounts. So if you have lost your job or you have already cashed out your ayuda, selling a bank account you will no longer use is a no-brainer.

That is why there should be a law against “mule” accounts – the act of selling your accounts to other entities that may use it for criminal purposes. This is akin to fencing.

UnionBank is also one of the few banks that offers direct linkages to cryptoexchanges (e.g. Coins.ph, etc.). As soon as the funds were received in the mule accounts, they were then used to buy cryptocurrency.

The good news, according to a CNN report, is that banks -- at least in the developed countries, have some of the most robust cyber defenses in the private sector.

But a cyber security consultant also told CNN that the risk-reward calculus is affected by the fact that some sophisticated hackers have recently begun using automation to dramatically speed up their attacks, making them harder to detect.

“It’s going to be a much greater threat to financial institutions,” the chief security strategist at a threat intelligence firm told CNN. To keep up with the bad guys, he urged banks to rely more on cyber defenses powered by artificial intelligence.

It is a “constant cat-and-mouse game” between companies and hackers. “Just when you develop a new defense and you think you’re squared away,” he said, “some actor will find a way to circumvent it.”

It is a big challenge, but one that financial institutions must meet. Public confidence in the industry is at stake.

Boo Chanco’s email address is [email protected]. Follow him on Twitter @boochanco