Citing rising concerns on phishing and cyber attacks targeting bank customers and personnel, the Bangko Sentral ng Pilipinas ordered financial institutions to beef up their defenses. Phishing is the attempt to get sensitive information such as usernames, passwords and credit card details by pretending to be a trustworthy entity in an electronic communication like e-mail.
“In response to the growing concerns on cyber attacks involving fraudulent e-mails and websites aimed at customers and employees of financial institutions, BSP-supervised financial institutions are advised to sustain resilience efforts and continue to perform rigorous risk assessments of their current technology environment,” Deputy Governor Nestor Espenilla Jr. said in Memorandum No. M-2017-017 issued on May 10.
In addition to implementing risk-based authentication methods for customer accounts, the memorandum said BSP-supervised financial institutions should also ensure adequate access control measures were in place for systems that support the provision of electronic products and services, such as authentication servers, application servers and the domain name system (DNS), including domain registry services, regardless of whether these were managed internally or by a third-party service provider. For outsourced systems, it said BSP-supervised financial institutions, as part of their outsourcing risk management framework, should have a sufficient level of assurance that the service provider was maintaining robust security controls.
“Also, stronger authentication methods other than the use of passwords should be adopted for high-risk/sensitive systems that are managed by privileged users such as network and system administrators,” Espenilla added.
“BSP-supervised financial institutions should also be mindful of domain hijacking, whereby attackers modify a financial institution’s domain name records to redirect users to unauthorized websites. In such cases, additional security measures such as registry lock feature for top-level domain should be adopted,” according to Espenilla, referring to multi-factor authentication (MFA). —BEN O. DE VERA