Cyber crimes

DEMAND AND SUPPLY - Boo Chanco - The Philippine Star

My colleague in the Op/Ed page, Cito Beltran, had a chilling story last Friday about how a housewife lost P1.7 million in a cyber heist through no fault of hers. Get the details of the story from Cito’s column entitled “Identity theft”.

I asked a banker friend what he thought of the case. This is how he explained it:

“The criminals already had her credit card information (credit card number, expiry date and CVV). They could’ve obtained this via phishing or in some cases, her card information was copied in a recent transaction (that is why we advise clients to ensure that the credit card is always in their possession or within sight – insist on a mobile or handheld POS so that the transaction is done in your presence).

“Since all credit cards have implemented 3-D secure (a protocol designed to provide an additional layer of protection for online credit and debit card transactions. For a 3-D secure transaction to complete, the client has to input a One-Time-Pin (OTP), which is sent to his/her phone number), the criminals then have to find a way to take control of her SIM so they can authorize transactions.

“They did it by using fake credentials, impersonating her at the phone store, and in the process, had her current SIM invalidated (on the pretext that it got lost). They were then issued a new SIM. (This is called SIM swapping).

“With the new SIM in hand and with her credit card information, they then bought cryptocurrency on Binance, a cryptocurrency exchange. Every transaction was authenticated by an OTP, which was sent to the SIM that was now under their control.

“Banks continue to employ defenses to make online commerce secure – in this case 3-D secure is an industry standard. In addition, banks have employed fraud management systems which detect anomalous behavior. In this particular case, the bank’s fraud management system would have velocity checks (multiple transactions) that eventually locked out the card.

“Since banks and financial institutions have hardened their defenses, cybercriminals have now focused on the client – that’s why phishing, vishing, and SIM swapping are so rampant.

“The Bankers Association of the Philippines and member banks continue to drive information and awareness campaigns on how clients can protect themselves – how to protect their credentials and how to spot spurious sites. In addition, we have also proposed draft amendments to the current CyberCrime Law as these crimes have evolved through time and technology.”

When Cito asked the cell phone company to react, its VP for Communications replied that “the initial assessment of their fraud team shows this is likely a SIM Swap scam again.” Again? Must be prevalent!

The phone company spokesman said this isn’t a breach of their network per se. The subscriber was a victim of identity fraud and “her phone account was used as a means, but it’s ultimately an account takeover of her bank account, which is the target.”

How did she become a target? Did someone with access to her account tip off the cyber criminals?

The cyber criminals went to a branch of the phone company and requested to suspend the victim’s line. The impostor presented a valid ID with the victim’s TIN, but with the impostor’s photo.

The victim also got a call supposedly from an international delivery service, asking her to hang on as he checked the details of a shipment. That gave them the few minutes needed to hijack the SIM electronically.

Scary. But it is nothing new. Many years ago, my wife was also victimized by credit card fraud. My wife’s card, supplementary to mine, was being used to buy stuff in Rome and Hong Kong when she was in Los Angeles. And she still had the card in her hands. The card was cloned.

Our bank, a multinational, investigated and kept us whole.

Then it happened a second time when we were abroad. This time our household helper was a budol budol victim.

She forced her way into our locked bedroom. Among others she got my wife’s credit card and some cash. She gave it to the gang members who used it in Caloocan.

Again, our bank kept us whole. But my wife helped them prosecute a gang member who was arrested for it. The case dragged on for years and my wife patiently attended all the hearings. In the end the sole person arrested was convicted.

In the case that Cito wrote about, I think neither the bank nor the phone company should simply wash their hands and tell the victim sorry na lang you were unlucky. They offered the services and they should take responsibility for their safe use.

If the bank and the phone company shared the amount lost by the bank client/phone subscriber, the cost to each is about the cost of a 30-second TV commercial. It can win so much goodwill and confidence among their clients/subscribers.

The BSP and the NTC should step in and keep the depositor whole. Otherwise a loss of confidence in the digital banking system may happen. BSP Governor Ben Diokno assured me in an email that they will look into this.

Perhaps there are precautions that should be universally accepted. The phone company should have the means to check the validity of IDs being used. It should be easy to include a postpaid subscriber’s photo in their database.

Maybe, it is not wise to answer calls from unknown numbers. Because the victim did, it gave the cyber criminals time to electronically capture her SIM.

In the bank accounts of my kids in the US, there is a default limit of $500 that can be transferred online in one day unless the client wants a higher limit. We have that limit too in ATM transactions.

Another good practice in the past that seems to have been abandoned is having the bank text me every time there is an activity in my card, especially if it is beyond my usual expenditure pattern.

We need protection from cyber criminals and only the banking and phone industries, with the BSP and NTC, can make that happen.

Boo Chanco’s email address is [email protected]. Follow him on Twitter @boochanco
