Philippines: Measures vs retail cyberattacks out

THE Bangko Sentral ng Pilipinas (BSP) has published a list of recommended countermeasures to cyber fraud and attacks on retail electronic payments and financial services or EPFS.

BSP Deputy Governor Chuchi Fonacier said in a memorandum she signed last March 22 that as financial transactions progressively transition to electronic or digital channels, attacks on retail customers utilizing mobile and internet/web applications have increased.

“The most prevalent among the schemes employed are account takeover and social engineering attacks that involve phishing and its variations (e.g. smishing and vishing),” Fonacier said, adding that these are designed to trick customers into disclosing sensitive personal and account information needed to carry out unauthorized transactions.

Fraudsters are also competent at abusing genuine application features and business rules as well as evading layers of security.

In light of these, Fonacier recommended that BSP-supervised financial institutions or BSFIs conduct ongoing risk assessments of their product features, business rules and application controls, and adopt suitable modifications and mitigation as needed.

To guarantee a consistent and industry-wide response to aggressive phishing campaigns, BSFIs should remove clickable links from emails or SMS sent to retail customers, followed by an information campaign informing customers that they will no longer transmit clickable links.

Customers must also be notified whenever a request to change a customer’s mobile number, email address or account credentials is made through an existing mobile or email account registered with the BSFI.

BSFIs must also implement mandatory fund transfer transaction notification to customers via SMS and/or email for transactions exceeding a predefined amount; a holding period or delay before activating a new soft token on a mobile device; and a cooling-off period before implementing requests for key account changes such as those for the mobile number and email address, Fonacier added.

They must also tailor SMS/email one-time password (OTP) messages for purposes such as device registration, fund transfer and profile update, among others.

Any BSFI officer or representative should also be prohibited from manually collecting or inquiring about critical authentication information such as client passwords and/or OTPs/PINs.

It is also necessary to have dedicated and well-resourced customer help teams that handle reports of possible fraud on a priority basis.

BSFIs must also conduct regular customer education campaigns against online scams and phishing schemes, with mechanisms to monitor their effectiveness and relevance, and implement strong fraud surveillance mechanisms to ensure prompt responses to the growing threat of online scams, Fonacier said.

She noted that “the above recommendations are consistent with the risk-based approach espoused under existing regulations on IT (information technology) risk management and financial consumer protection frameworks.”

These, the Bangko Sentral official mentioned, should be used to enhance existing security measures such as multi-factor authentication, calibration of fraud management system rules and parameters, threat hunting exercises and phishing site removal, among others.

Finally, she urged BSFIs to work together and make use of existing information-sharing platforms, such as the Bankers Association of the Philippines Cyber Incident Database, to speed up fraud investigations and money recovery.

“In certain instances, BSFIs may need to seek assistance and cooperate with law enforcement authorities for prompt resolution of cybercrime cases, especially if these involve public safety and security, pursuant to the Cybercrime Prevention Act of 2012 and other relevant laws and regulations,” Fonacier said.

Source: https://www.manilatimes.net/2022/03/24/business/top-business/measures-vs-retail-cyberattacks-out/1837378