Need to be one step ahead

Last Oct. 10, President Marcos signed Republic Act 11934 or the Subscriber Identity Module (SIM) Registration Act, the first bill he signed into law as chief executive.

The law requires both existing and new mobile phone service subscribers using prepaid SIM cards to register with their respective telco service providers.

New SIMs will not be activated without first being registered while existing ones will be automatically deactivated if not registered within 180 days of the law’s implementation. But they can be reactivated after proper registration has been completed.

But the Department of Information and Communications Technology (DICT) is allowed to extend the registration period for another 120 days.

And there is no limit as to how many SIM cards one person can register under his or her name.

Many smishing and other forms of scam and spam messaging, as well as SIM-based criminal activities use prepaid SIMs for their operations because the perpetrators are anonymous and therefore untraceable.

Prepaid SIMs are also very useful for other illegal activities such as sending threatening, harassing, bullying, and other malicious text messages because again, the sender remains anonymous.

According to Globe Telecom, in 2022 alone, security threats are relentless, with many Filipinos falling victims to phishing scams through text messages. And because of the anonymity of SIM card holders, Globe pointed out that it is much harder for authorities to track down perpetrators carrying out these scams and hold them accountable.

The good news is that, according to Sen. Grace Poe, the law will be fully implemented by Dec. 27. This means that existing prepaid subscribers only have less than a month to register.

The registration can be done electronically through a platform or website that the public telecommunications entities (PTEs) such as Globe, Smart Communications and Dito have established for that purpose.

The bad news however is that the said date may be too late to protect Filipinos from the very real danger of getting scammed out of their Christmas bonus, because we can expect syndicates to work double time to get their hand on the hard-earned 13th month pay of workers.

Last September, the Senate launched an investigation to identify culprits behind large-scale phishing scams where millions of text messages have been sent to mobile users to steal passwords for fraudulent transactions.

Smart and Globe have said they blocked more than one billion spam and suspicious text messages between them this year.

Sen. Poe, who heads the Senate’s public services committee, has called for tighter measures against cybercriminals who prey upon the vulnerable like those who are unemployed, in need or money, or are just unfamiliar with these schemes.

It has also been reported that consumers have experienced a surge in phishing attempts during the pandemic as people relied heavily on mobile devices for shopping, food delivery order, and banking.

These messages manipulate users into not only clicking dubious links, but also sending out login credentials to their bank accounts, allowing these criminals to steal money from their accounts.

To be fair, local banks have been working non-stop to intensify their security measures. Access to online accounts require a new security protocol, specifically the OTP or one-time-password, which is a series of numbers sent to the account holder’s mobile phone, to ensure that a new layer of password challenge is implemented prior to getting access to online accounts.

Still criminals have managed to keep up with the sophisticated measures implemented by banks. If phishing was their sole weapon of choice, their artillery has since grown as they now also dupe people by way of “smishing.”

According to tech security giant Trend Micro Systems, “smishing” is a form of phishing that uses mobile phones as the attack platform. The criminal executes the attack with an intent to gather personal information, including social insurance and/or credit card numbers. Smishing is implemented through text messages or SMS, giving the attack the name “SMiShing.”

In the Philippines, it is not far-fetched that smishing will be or is probably being used already as a way to capture that OTP, to finally gain access to the victim’s bank account. This possibility is more fact than fiction because looking at the recent spate of spam messages we all are getting at least three to five times a day, we can see how scammers seem to have gotten hold of our names, address, and other personal details.

But if achieving their deed via text messaging will become more difficult once the SIM card registration law becomes fully implemented, then these criminals can still use emails, social media accounts, and other online means to dupe unsuspecting victims.

Phishing uses both email and web browsing to trick people into typing confidential information into web sites that look like the sites of real companies, especially financial institutions.

According to the PNP, general phishing attacks are usually sent to masses of emails simultaneously in the hope that someone takes the bait while spear phishing attacks are targeted at specific individuals, such as select groups of people who have one thing in common. And spear phishing techniques are used in 91 percent of attacks.

PNP also recently reported that phishing campaigns are becoming more sophisticated, with many now using reCAPTCHA walls to block URL scanning services from accessing the content of phishing pages. The reCAPTCHA walls prevent email security systems from blocking phishing attacks and making the phishing site more believable in the eyes of the user.

To avoid spear phishing, the PNP advise the public to change their passwords and make them strong ones, contact credit companies immediately, and to update softwares to have the latest patches for viruses and other malware. Users are also advised to exercise scrutiny by checking for suspicious senders, URLs, and attachments which can help them spot the attack before they get to the reCAPTCHA.

While SIM card registration may deter criminal from using text messages for their nefarious activities, we should never underestimate their creativity.

Our law enforcers have to take a more aggressive posture in going after these criminals and should think be one step ahead.

The NBI, for instance, received a total budget of P2.3 billion, with the promise of upgrading the knowhow, skillset, and equipment of its cybercrime unit to go after syndicates. Yet to this day, we haven’t heard of a major bust that really put down a big fish for financial fraud.

But more importantly, government should focus its efforts on cybercrime prevention and fake social media accounts while going after these syndicates.

With the Bangko Sentral ng Pilipinas (BSP) and the Bankers Association of the Philippines pushing for digital transformation for banking and e-payments, the public needs to be assured that their hard-earned money will not disappear in the blink of an eye.

For comments, e-mail at [email protected]