Don’t blame victims of hacking, National Privacy Commission chief tells banks
MANILA, Philippines — The banking community should not blame the victims of cyberfraud as financial institutions have the responsibility to protect their clients from potential risks, Raymund Liboro, the head of the National Privacy Commission (NPC), said on Monday.
Liboro took exception to a statement issued by the Bankers Association of the Philippines (BAP) in the wake of mounting social media complaints claiming accounts in BDO Unibank were hacked.
“An important reminder: You will never be a victim of cybercrime if you would never give your personal information, such as one-time password, to other people. If you do not give your personal information to others, cybercriminals will never be able to steal your money,” the BAP had said on Sunday.
“I hope this is not the mindset of the entire banking system,” Liboro said in an interview.
“Privacy and cyber self-management must be matched with greater accountability from banks. Banks must work toward building cyber resilience instead of putting the blame on customers,” Liboro said.
“Socially engineered cybercrimes rely on human weaknesses and instincts—the same instincts that banks rely on in promoting their own products and services,” Liboro said.
A Facebook group named “Mark Nagoyo BDO Hacked” now has more than 4,200 members who claimed to have been victimized by the unauthorized fund transfers.
In Congress, Bayan Muna lawmakers on Monday sought a congressional probe into the reported unauthorized online withdrawals from accounts of BDO clients.
They filed House Resolution No. 2405 urging the House banks and financial intermediaries committee to conduct an inquiry in aid of legislation on the transactions that victimized some BDO depositors.
Albay Rep. Joey Salceda, the chair of the House ways and means committee, has also called for an investigation into the alleged hacking of BDO accounts in recent days.
“More than the admission of the occurrence of security breach or fraud and pursuing reactive measures, the members of the banking industry, as well as the Bangko Sentral ng Pilipinas, should put in place more protective measures and policies to protect the interest of the public and the integrity of the banking transactions,” the measure said.
The resolution was filed on Monday by House deputy minority leader and Bayan Muna Rep. Carlos Isagani Zarate, together with Representatives Ferdinand Gaite and Eufemia Cullamat also of Bayan Muna.
Union Bank of the Philippines, one of the banks involved in the recent spate of hackings, said it had frozen around P5 million from accounts identified as vehicles of cybercriminals who had stolen money from several accounts at BDO Unibank.
“We do not have the figures for the total amount as we are just one of the receiving banks,” UnionBank said in an email reply to the Inquirer. The response was written by UnionBank’s chief technology officer Henry Aguda and chief information security officer Joey Rufo.
In the case of persons who used their accounts to siphon off money from other banks, UnionBank said the filing of money-laundering cases against the “mule accounts” was ongoing.
Asked about safeguards against the opening of “mule” accounts or those used as repositories for funds derived from criminal activities, UnionBank said the first-level know-your-customer (KYC) tools could identify fake ID cards.
At the second level of KYC, the bank said there were human reviewers or account officers checking the bank accounts.
UnionBank said the mandatory registration of mobile numbers of prepaid SIM users could help as part of regulatory reforms to strengthen the defenses against cybercrimes. Another possible regulatory reform would be to strengthen the anti-cybercrime law and classify phishing and other similar offenses as economic sabotage and nonbailable crimes, the bank said.