
BDO Transaction Banking Group SVP Tomas Victor Mendoza showing a deep insert skimmer, a more complex skimming device used on ATM machines, during the Committee on Banks and Financial Institutions and Currencies and Committee on Finance Joint inquiry into BPI and BDO’s recent electronic banking glitches. Inquirer/Rillon
After extensive explanations at the opening of a Senate hearing on the glitches and theft that hit Bank of the Philippine Islands (BPI) and Banco De Oro (BDO), Sen. Francis Escudero on Wednesday said there was no reason to label the incidents as hacking or a terrorist attack, noting that the Philippine banking system is one of the strongest in Southeast Asia.
But Escudero, chair of the Senate Committee on Banks, Financial Institutions and Currencies, added he was looking at pushing legislation that would address the “transnational implications” of hacking and “skimming.”
“Hacking is a transnational [crime] so what we want to look at is if there’s a possible legislation to make [hackers] accountable here in the country even if they are outside the country,” Escudero later told reporters.
The committee started its inquiry into the technical glitch that caused unauthorized transactions in the accounts of some BPI depositors two weeks ago and the latest incidents of “skimming” affecting several BDO automated teller machines.
The BDO officials ruled out hacking as the cause of the unauthorized ATM withdrawals that were reported by some cardholders.
‘Lapse in judgment’
BPI executives said “a lapse in judgment” by a programmer and not a hack job caused the glitch at the bank on June 6, but they told the committee that no client had lost money.
They said BPI officials responded to correct the situation in 37 hours, a response time which a Bangko Sentral ng Pilipinas (BSP) said was “fairly acceptable.”
The BDO executives sought to assure the panel that the bank was taking measures to protect its clients, which include the migration to the EMV (Europay, MasterCard, Visa) system from the 50-year-old magnetic stripe technology. The shift will be completed by 2018, they said.
“It’s not hacking per se, but fraud that attempts to steal,” said Peter Magdame, a BDO vice president.
95 skimming cases
In skimming, culprits steal card credentials — usually using devices attached to ATM machines — and use them for unauthorized withdrawals.
BDO executive vice president Edwin Reyes said that the recent skimming cases involved three separate events that came to the bank鈥檚 attention and affected seven ATMs in three locations.
“There were 95 cases and as a result, we disabled the cards that have been compromised,” said Reyes, adding “there was no cause for worry.”
Tomas Victor Mendoza, BDO senior vice president, also showed how skimming was done using actual devices—a PIN pad overlay and deep insert skimmer—embedded in ATMs and how this had evolved over time.
Mendoza said while all banks were investing heavily in technology to counter fraud, unscrupulous people were also continuously updating devices to steal from bank depositors, describing the challenge as a “mutual escalation.”
“We come out with a new technology but tomorrow fraudsters come in with a better technology. It’s an arms race,” he said.
EMV system
But the EMV system would help protect bank cardholders from theft, particularly due to the liability shift, said Melchor Labasan, deputy director of the BSP’s core IT specialist group.
“There is no evidence that the EMV can be compromised. But it’s not a silver bullet so banks must find other mechanisms to protect clients… we need to always fortify our security defenses,” Labasan added.
Cesar Consing, BPI president and chief executive officer, said what happened on June 6 was a “data processing error” that caused the “misposting in bank accounts” of 1.5 million of the bank’s 8 million customers.
“To fix the problem, we had to take down our electronic channels, services related to ATM cards, mobile and internet banking,” Consing said.
“The investigation showed it was a case of human error, not hacking. We also informed our regulators there was no breach of data privacy,” he added.
‘Impaired’ transactions
Joseph Albert Gotuaco, BPI executive vice president and chief financial officer, said what was affected from June 7 to 8 was the ATM cash acceptance machines, as well as online and mobile banking, and this “impaired” 500,000 to 600,000 transactions on those two days.
Ramon Jocson, BPI executive vice president, said a female programmer, who was not identified, was responsible for the glitch.
“She owned up to the mistake,” Jocson said, adding that the specialist had been reassigned and her access to her system had been blocked pending the bank’s investigation.
He said he had determined that the bank’s system had not been hacked because there had been no traffic of “escalated privileges” in the network, which was confirmed by service providers.
Assistant Governor Chuchi Fonacier of the BSP said investigation of the BPI glitch was continuing but said so far there was no evidence of “hacking or computer glitches, just human error.”