BSP probes cybertheft of P167 million from UCPB
MANILA, Philippines — Hackers exploited the Philippines’ Independence Day weekend last June to steal millions of pesos from the government-controlled United Coconut Planters Bank (UCPB) through a combination of massive automated teller machine (ATM) withdrawals and online transfers over the three-day holiday.
In at least one case, the perpetrators of this heist—believed by authorities to be a syndicate of Nigerians and Filipino cohorts—bypassed built-in computer safeguards to make 57 withdrawals during this period from a single ATM and emptied the machine’s entire stock of P4 million in cash, the Inquirer learned.
Bank officials and government regulators confirmed that the total loss to UCPB amounted to P167 million, which was first reported by bilyonaryo.com on Tuesday evening.
The Bangko Sentral ng Pilipinas (BSP), attached agencies of the Department of Finance involved in overseeing the operations of the bank and UCPB itself are now investigating whether the heist was perpetrated solely be external parties or whether they had help from coconspirators inside the bank.
Authorities are also looking into the possibility of a bigger syndicate operating in the local banking system because some of the funds stolen from UCPB were transferred via Instapay online money transfer facility to accounts in other local banks, from where they were promptly withdrawn.
A ranking bank official, who requested anonymity because several internal and external probes were still in progress, said the hackers created 13 bank accounts with UCPB in May of this year and left them dormant until the heist a month later.
“All those parties who opened the accounts are included in the complaint the bank filed with the National Bureau of Investigation,” the official said, adding that the account holders with other banks that received the stolen funds from UCPB were also included in the complaint.
“These guys were very good and they used the three-day weekend to give them more time to make the withdrawals,” said another official familiar with the details of the heist, adding that the interconnected ATM networks of banks in the country also made it easier for the perpetrators to withdraw from UCPB through other banks’ cash machines.
“In one case, they withdrew money from a single Bank of the Philippine Islands ATM 57 times during those three days,” he said. “When we checked the videos of the ATMs, the person making the withdrawals were black.”
He added that it was the NBI which identified the people making the ATM withdrawals as Nigerians, adding that some of them were on the government’s watchlist of potentially suspicious personalities.
“What we are trying to determine now is whether these hackers had help from within the bank,” he said.
A ranking government official who has been briefed about the heist said the problem began in February of this year when UCPB decided to upgrade its two decade-old information technology system from another service provider to one offered by Microsoft.
“In the process, a vulnerability was left open,” the official said. “And that’s what these hackers exploited.”
Another bank official explained that UCPB had initially adopted the Microsoft service but excluded the security features until it was convinced recently by the US-based firm to upgrade this as well.
After the heist, it was found that hackers used this gap to insert malware into UCPB’s computer systems using an email attachment.
“There were no safeguards during this transition period,” the official said.
According to the official, the installed malware allowed the hackers to manipulate UCPB’s system and lift ATM withdrawal limits from P20,000 a day to P9,999,999 — far in excess of the P4 million that a single cash machine can hold.
They were also able to go around transfer limits of the Instapay service of P50,000 a day.
“They only used Instapay because those are realtime transactions,” the official said. “PesoNet (a similar interbank money transfer service the specializes in larger volumes) does batch processing, which is slower, but makes it easier to detect anomalies.”
