From fear to facts

As a result of the Ctalk article titled “Identity Theft,” various institutions and individuals have made extra effort to post, publish and share warnings and precautions on how to avoid “Identity Theft.” While it is good for people to be borderline paranoid and vigilant, we should also act based on facts, not fear. As expected, people will automatically look for someone to blame or hold responsible. Consumers will blame telcos and banks, institutions will point out that people need to be more vigilant and responsible, etc. The sad fact is it is nobody’s fault but everybody’s responsibility.

Current scams in the Philippines are all still old school or activated by persons and not fully automated or computer-based attacks. These scams are very elementary compared to “institutional hacking” that targets government offices or big business to kidnap or hijack data or operations.

In the “Tan case,” it was clear that a criminal group conducted a two pronged attack: first targeting and gathering financial data about “Mrs Tan,” namely the bank she does business with and perhaps to find out if she was a viable target worth the risk. Anyone in the upper 20 percent income bracket in the Philippines would surely be among viable targets. Someone took time to study the target either based on social status or lifestyle, perhaps tracked her transactions and got hold of her account number or ATM details.

Anyone who conducts business nowadays generally relies on bank-to-bank transfers, even the simple and small amount transactions for online purchases are done through credit card or some bank-related instrument. You sell a product, the buyer will ask for your bank details. The buyer then sends his driver, assistant or contacts his bank and provides YOUR bank details. It’s the way business is done. Even ATM cards, G-Cash transfers are all linked to your bank accounts or credit cards.

The fact is that at some point in all our lives, we will be victimized based on our transactions and spending pattern. Some Filipinas, sadly, are even victims of romance by sweet-talking foreign and local frauds who promise them marriage, migration, etc., only to be romanced, robbed and dumped.

Having collected the needed information, the second attack on “Mrs. Tan” was to intercept her mobile device or SIM card in order to gain control of bank passwords and One Time Passwords or OTP sent out by banks to trigger certain transactions online. Based on current requirements of two government IDs and affidavit of loss to replace lost licenses, phones, etc., the SIM swap is so doable. You might say: “Then telcos should have more requirements.” The fact is they would like to, but many customers always raise the “privacy” card and how inconvenient or complicated additional requirements are just to fix a problem.

We are all big on the word “SIMPLIFY” until we become VICTIMS. I already suggested that subscribers and clients should be required to submit latest photo and fingerprint samples in addition to the standard 2-ID protocol. Fifteen years ago, my wife Karen dropped off our daughter at a “kiddie play center” inside a mall and they required the parent or guardian to have their fingerprint scanned to be counterchecked when the child is fetched. The Philippine Statistics Authority and the DFA now records your iris to be imbedded in the ID or passport chip.

Unless these added measures are required by law and acknowledged as a necessary security measure by customers, criminals with a laptop, a high-end printer and a hungry-for-work rubber stamp maker will all end up producing fake IDs, fake rubber stamps for fake affidavits of loss. Even the DOJ needs to clean up notary publics and affidavits.

Clearly, the two-pronged attack was done “physically” and never involved a “breach” of any system. It was plain data mining and “hocus pocus” which is good, but still leaves us with the reality of scams and attacks and other issues that need to be addressed. All the laws against identity theft and bank fraud may be tough but it is only tough if imposed on arrested criminals. The government and law enforcement agencies need to be able to arrest and parade criminals and make an example of them. Why is it that the cops and NBI manage to arrest foreign fugitives or scammers, prostitutes but never their pimps, etc.? Why is there a very low count on capture of bank and telco scammers?

Unfortunately, when it comes to fraud, the mentality is phone scams and banks scams and credit cards are covered by insurance so after all is said and done, they are merely an inconvenience to customers and not a priority of the cops. Unless the banking and telecoms industry puts up a bounty or pressure on law enforcement, they can’t expect to win the war against criminals. The fashion industry and intellectual property developers realized this many years ago and have worked out an “arrangement” where companies do the initial info gathering, pass it on to the IPO, PNP and NBI and providing logistics or incentives for the successful arrest of counterfeiters.

Last but not the least, let me lift a portion from the letter of Globe on the matter reminding consumers “to embrace the principle of shared responsibility in protecting one’s personal details, online accounts and online transactions.

Having said this, we continue to educate our customers on data privacy and data security. Once again, we remind our customers not to share personal information such as birth dates, anniversary dates, school or company ID, TIN, passport details and other information on social media, as these may compromise a customer’s data security. In some instances, scammers may also call pretending to be telco or bank representatives requiring personal information and bank details, in exchange for some offers or perks. Bank statements, utility bills, delivery packages and other documents that contain one’s personal information disposed of in an unsecured manner can also be a source of identity theft.”

All it takes is practice! Stay safe.