BSP foils attempt to hack website

BSP Governor Amando M. Tetangco Jr.  ARNOLD ALMACEN/INQUIRER FILE PHOTO

The Bangko Sentral ng Pilipinas is the latest government institution that hackers targeted but it successfully defended itself because of robust security features, BSP Gov. Amando M. Tetangco Jr. said on Thursday.

The attempt to hack the BSP website came amid a warning from global financial network SWIFT about recent multiple cyberfraud incidents targeting its system.

SWIFT’s disclosure came as law enforcement authorities in Bangladesh and elsewhere investigated the February cybertheft of $81 million from the Bangladesh central bank account at the Federal Reserve Bank in New York.

Tetangco said the cyberattacks had been limited to the BSP website, not its information technology infrastructure and systems. The BSP website contains publicly available data.

The website has firewalls and intrusion-prevention systems, according to the BSP chief. “We continue to update the firewalls and the security features as we move along. It is a continuing effort,” Tetangco told reporters on the sidelines of The Bank of the Philippine Islands (BPI) Foundation’s Financial Inclusion Summit 2016.

“Our website is up and running. We remain vigilant and continue to follow security protocols for its protection,” Tetangco later said in a text message to reporters.

The BSP has advised entities it supervises to make sure that they have robust security systems.

Defenses beefed up

Banks in the Philippines are beefing up defenses against hacking, with huge investments being poured into security systems, in the wake of the theft of $81 million from the Bangladesh central bank account at the New York Federal Reserve Bank.

The Senate and the Anti-Money Laundering Council are looking into how the stolen money wound up with two casinos and a junket operator in the Philippines in one of the biggest cyberheists in history.

Bangladesh’s central bank was vulnerable to hackers because it did not have a firewall and used secondhand, $10 switches to network computers connected to the SWIFT network, an investigator said.

SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is a cooperative owned by 3,000 financial institutions.

The BSP was not always successful in preventing hacking.

In September 2012, the BSP website was hacked by “Anonymous Philippines,” which was protesting the anticybercrime law.

Comelec hacked

Last month, a hacker group defaced the website of the Commission on Elections (Comelec). Then on April 6, a second hacker group posted the entire Comelec database on voters online, with mirror links where the data could also be downloaded.

Leaked were personal details of more than 55 million voters, including names, birthdays, home addresses, e-mails, parents’ full names and in some cases passport details and text markers of fingerprints.

On April 23, Malacañang said hackers forged a Palace website and used it as cover for the hacking of the Comelec voter database.

BPI firewalls

In a related development, Ayala-led BPI seeks to evolve into a fully digital bank in the next few years while also investing heavily to beef up firewalls against hacking.

Cognizant of disruptive technologies gnawing at areas that used to be dominated by traditional banks, as seen in Western markets, BPI president Cezar Consing said after the bank’s shareholders meeting last week that a significant portion of the bank’s budget was “dedicated to making sure that we are leading the way in terms of all these technology changes.”

Just on security-related technology, BPI is spending around P600 million annually, said Ramon Jocson, BPI executive vice president for enterprise services. This budget excludes the cost of educating employees on changing technologies. Compliance and security comprised about 50-60 percent of the bank’s annual spending, he said.

The common hacking that affects individual customers usually starts from their homes, according to Jocson.

He said BPI was looking at security in a holistic and systemic way—people, process and technology.

“Whenever there’s request for credit, we do callbacks … Levels of authorization are very important,” Jocson said.

At the same time, Jocson said people should be aware, relationship managers should be conscious that clients are aware, and bank employees should not share information with outsiders. Awareness, he said, would be the best safeguard against intrusion.

Info from social media

“Most of the bank hacking that recently happened is due to social engineering: Hackers are able to get sensitive information via social media from bank employees themselves,” he said.

Last year, about 244 million of 328 million transactions handled by BPI were coursed through electronic channels. These channels pertain to automated teller machines or ATMs (152 million), online or mobile banking (73 million) and point-of-sale transactions (19 million), where volumes grew by 9 percent, 21 percent and 15 percent, respectively.

ATMs, for instance, have been attacked by fraudsters who steal money through skimming devices, but the shift to the more fool-proof EMV card technology by the end of this year is expected to address this.
