Outsmarting online fraudsters at their own game

Font Size

By Melissa Luz T. Lopez
Senior Reporter

LIKE MOST INDUSTRIES, the banking sector has been left with no other choice but to follow their clients onto the digital space.

It’s well and good to offer electronic banking solutions with the promise of a seamless and more convenient user experience, but protecting people’s money and personal data has proven to be all the more challenging once mounted online.

Just as bank branches are embedded with several layers of protection — from shockproof steel vaults, time-activated locks, surveillance cameras, and security guards — transactions in the digital space also need similar, if not heavier security protocols.

Banks have been shaken up by the glaring need to go digital to suit changing consumer demands, especially in the face of stiff competition from nonbank firms offering new channels outside the traditional brick-and-mortar system. After all, the tech-savvy millennial market in the Philippines prefers to go paperless rather than face the laborious process of filling up forms and submitting printed documents.

Banks had to act fast before these financial technology firms beat them at their own game — it was a “digitize or perish” scenario as one banker put it. As a result, banks are pouring billions of pesos into setting up their cloud-based database systems, online and mobile banking channels for retail customers, and digital clearing platforms.

Just as bank branches are embedded with several layers of protection — from shockproof steel vaults, time-activated locks, surveillance cameras, and security guards — transactions in the digital space also need similar, if not heavier security protocols.

While setting up these cyber firewalls appears to be a daunting task, an expert said financial firms (or even businesses in general) need to make sure that basic lines of defense are in place in order to deter digital crimes.

“We need the new hammer that will hit these new nails…There are some really basic concepts that we’ve known for a very long time that we’re just not doing. If we did those, we’d be in a better place,” Brendan Laws, director for Solutions Architecture at Secureworks, Inc., said in an interview.

The American technology and cybersecurity firm said among the most common ways to steal client data is via e-mail phishing, where users are duped into giving their private information through fake websites sent and shared online.

“When we are in a situation where there’s always a new threat, if we’re always looking for a new space or tool to solve that problem while we ignore doing some very basic general hygiene items, we’re not putting ourselves in a good position,” Mr. Laws added.

He noted that among the “basic” security details which firms often overlook include the use of two-factor authentication to validate a person’s online identity: “Implementing that one simple thing removes a whole bunch of the new threats that are simply trying to get access to your information.”

The same measure has also been prescribed by the Bangko Sentral ng Pilipinas (BSP) for financial firms. Since September 2017, the central bank has required all banks and credit card issuers to put in place a multi-factor authentication (MFA) system for online transactions.

The more stringent security controls are expected to deter fraudsters from stealing money and private data. Among the MFA options include using a password or personal identification number; presenting a payment card or a one-time password sent via text message; and using a fingerprint or retina scan.

The BSP has also stood firm on its June 30 deadline that requires all card-issuing companies to shift to using microchip-embedded cards and veer away from the magnetic stripe variants, with the former seen to quash skimming attempts where thieves copy a person’s bank details and drain accounts without the owner’s knowledge.

The central bank set minimum standards on managing information technology risks in 2013, with the rules regularly updated to address particular stress points. The BSP went as far as requiring banks with “complex” IT systems to put up 24/7 security operations centers to monitor and foil any attacks. In turn, all lenders need to install baseline security standards for both their back-end systems and branches.

The BSP has always been lobbying for constant vigilance as banks and even regulators cannot afford to be vulnerable to such risks. The neighboring Bank Negara Malaysia foiled a cyber attack back in March, which had the local regulator reminding Philippine banks to be “extra careful” in handling wire transfer requests.

In 2016, a Philippine lender was used as conduit by thieves who stole $81 million from the Bangladesh central bank, as Dhaka’s internal system was reportedly hacked to send payment instructions from their account at the United States Federal Reserve.

The 2018 Cyberthreat Defense Report pointed out that human error is often the root of digital breaches, with the lack of skilled personnel and low security awareness preventing them from identifying cyber attacks as they come.

IP Converge Data Services, Inc. said offices need to instill a “cybersecurity culture” which means taking simple but proactive steps. These include training employees in using long and strong passwords (which uses a mix of uppercase letters, lowercase letters, symbols, numbers); recognizing and avoiding suspicious e-mails and website links; and limiting the installation of computer programs and data, to name a few.

The very allure of using digital channels is ease of access, which is also the exact feature which cyber criminals are looking to exploit. However, it turns out that online fraudsters can be outsmarted at their own game.

Scott Zoldi, chief analytics officer at global credit scorer FICO, said there are “broad options” for banks and other firms to detect fraud via computer-aided behavioral analytics, particularly to block dirty money transactions.

“By bringing artificial intelligence (AI) in there, we have a model that’s not going to be dependent on well-known rules and that allows new cases to be identified, it allows false positives to be reduced,” Mr. Zoldi said in a phone interview. “That will change the landscape with respect to making it harder for money launderers to commit their crimes.”

The good news is that the Philippines is roughly in the middle of the pack compared to its peers in adopting such firewalls.

“The Philippines is not behind, they are leveraging machine learning models, credit risk scores, automation… As I look at it across Asia, I would think the Philippines is above average for sure,” Mr. Zoldi added.

The BSP has also revealed that it is exploring the use of AI in doing its own regulatory work. BSP Deputy Governor Chuchi G. Fonacier said the so-called “RegTech” eyed for rollout entails the collection of industry data by way of electronic submissions for faster and more efficient information sharing. Chatbots are also being eyed for the processing of consumer complaints.

Ultimately, the goal is to bring more Filipinos into the formal financial system while keeping them out of the radar of thieves and scammers.