Securing the digital space amid the new normal

By Marissa Mae M. Ramos, Researcher

THE RAPID growth in digital transactions has often been cited as the silver lining for economies currently constricted by lockdown restrictions due to the pandemic. Even so, this increase has also exposed businesses and households to an increased threat of cyberattacks.

In an e-mail to BusinessWorld last month, the Bangko Sentral ng Pilipinas (BSP) said the reported cyber incidents were higher compared with pre-pandemic levels.

“With the shift to digital financial services due to the pandemic, the cyber threat landscape has naturally evolved and brought in more opportunities for threat actors…,” the BSP said.

While the BSP did not provide specific figures, one can glean from other sources the extent of the increase in cyberattacks.

In the Asia-Pacific Online Policy Forum last August 2020, internet security firm Kaspersky noted the number of new malicious applications collected increased to 400,000 during the pandemic from 300,000 previously.

Kaspersky also reported in an e-mailed statement on Feb. 15 on cyberattacks aimed at the education sector the use of popular online learning platforms or video conferencing applications as lures. It noted users around the globe who encountered threats distributed under the guise of these applications reached 168,550 from January to June 2020, around 205 times more compared with the number of cases in the same period in 2019. As of January this year, the number of users encountering these threats rose by 60% to 270,171.

To counter these threats, BSP supervised financial institutions (BSFIs) were said to have implemented heightened security controls and processes such as multi-layered network controls, authentication controls, and cybersecurity awareness programs during the pandemic, the central bank said.

“While their tactics were constantly shifting from distributed-denial-of-service (DDoS) to malware attacks, these cyber threat actors heavily relied on social engineering attacks such as phishing,” the central bank said, adding that phishing attacks remain the top cybersecurity concern among banks and other businesses.

Bank of the Philippine Islands (BPI) Head of Enterprise Information Security Management and Data Privacy Jonathan B. Paz shared the same assessment: “Cybercriminals have taken advantage of the surge in the number of people using the bank’s digital platforms. This mass migration to digital channels induced more criminals to shift to phishing and other related scams,” he said in a separate e-mailed response to queries.

Mr. Paz classified three “generic” types of attacks seen during the pandemic: (1) state-sponsored attacks in the form of DDoS or ransomware; (2) wholesale attacks in the form of “advanced persistent threats” (APTs); and (3) retail attacks in the form of phishing, “vishing” or voice phishing, and SIM-swaps.

“Per the latest Interpol report survey covering 194 countries, the retail attacks comprise 59% of all reported attacks in 2020,” Mr. Paz said.

“For the phishing e-mails, there has been a surge of COVID-themed phishing attacks last year. Some of these include offering cures, preferential priority for vaccines, and other COVID-19 related matters,” he said, noting the phishing sites they took down in 2020 increased to as many as 500 a month from 300 previously.

Some victims fall for these phishing sites as these typically include the usual layout and graphics used by banks with promises of gifts and other promotional prizes. Links to the site and e-mail addresses used are also just slightly different from typical addresses in disseminating bank announcements and other information.

“Online scams are all about identity/credentials theft. Banks have implemented multi-factor and out-of-band authentication mechanisms, and encryption.  They have also tightened know-your-customer/onboarding processes to help ensure that clients are better protected by giving them more control over the access to their accounts,” Mr. Paz said.

In a separate e-mail, Maybank Philippines, Inc. President and Chief Executive Officer (PCEO) Officer-in-Charge Abigail Tina M. del Rosario said its incident response amid the pandemic evolved through the adoption of multi-channel and collaborative escalation and detection processes across all of its employees.

“Maybank Philippines adopts a vigilant 24/7 security operation center to monitor, detect and identify security threats; response to such incidents is therefore triggered right away, so incidents that could lead to a potential data breach is immediately contained, without compromise to operations and resources,” she said.

KEEPING LINES OPEN
Meanwhile, the BSP has also kept their lines open in communicating consumer concerns and complaints with the BSFIs, particularly when one has fallen to the schemes of these fraudsters. It has been a common practice to loop in the Consumer Affairs unit of the central bank in airing concerns to banks.

“[I]n order to provide a more accessible venue for the public to communicate their concerns, the BSP has recently launched an online consumer chatbot, named BSP Online Buddy or BOB, where the public can submit their concerns and questions regarding their transactions with BSFIs,” the BSP said.

“This is on top of the other available consumer assistance channels such as e-mail, snail mail, telephone/fax, and the Consumer Assistance Desk. Customer complaints received by the BSP’s Consumer Affairs unit are referred to the concerned BSFI for appropriate action,” it added.

Apart from raising consumer awareness, there has also been a campaign to continuously remind banks and other financial institutions of industry-wide best and up-to-date practices in improving cyber protection.

“Cybercriminal activities undermine public’s trust and confidence in the financial system… During the pandemic, the BSP’s approach in addressing cybersecurity challenges include providing a conducive environment for digital innovation, espousing vigorous cybersecurity measures, and promoting dynamic consumer protection mechanisms,” the central bank said.

There have also been baseline assessments of the pandemic’s impact to these financial institutions and their clients by constant surveillance of the operating and cyber threat environment, according to the BSP.

“From providing the necessary regulatory reliefs to fostering greater digital innovation, issuing coherent cybersecurity and technology policies, to ramping up cyber awareness campaigns for financial consumers, the BSP made sure that supervisory actions were risk-informed, data-driven and intelligence-led,” it added.

The Bankers Association of the Philippines (BAP) also launched the BAP Cybersecurity Incident Database (BAPCID) as an information-sharing platform in 2019 which “proactively counter emerging cyber threats and raise overall situational awareness.”

“Since the launching of BAPCID, participating BSFIs were able to have wider visibility on emerging cyber threats having access to threat intelligence reports and statistics. The BSP also uses the platform to share relevant cyber threat specific advisories and memoranda so BSFIs can proactively respond and do the necessary remediation to minimize potential impact and losses,” BSP said.

The central bank further stretched its cybersecurity efforts with a new framework to be introduced this year.

“The BSP is currently developing a Cybersecurity Capability Maturity Model (CCMM) Framework consisting of four levels to facilitate cyber maturity assessment levels of BSFIs, with Level 4 as the most mature and Level 1 as the baseline. With this framework, BSFIs can chart their own progress and pinpoint specific areas where they need to improve to move to the higher level,” the central bank said.

The regulator continues to closely monitor the capability of BSFIs to address evolving cyber threats and risks.

“For instance, cyber spending of BSFIs increased by as much as 43% from 2018 to 2019. This is a good indicator that BSFIs are putting greater emphasis on strengthening cybersecurity and in ascertaining the level of support and commitment of the BSFIs’ board and senior management on cybersecurity concerns,” said the BSP.

Maybank Philippines particularly enhanced its network and infrastructure cyber defense mechanism to strengthen its cybersecurity measures during the pandemic.

“As a leading financial institution within a global network, Maybank Philippines has long realized the impact of cybersecurity risks in its operations and have therefore made significant yet balanced investments in cybersecurity-related activities year on year,” Ms. Del Rosario said, noting the bank took proactive activities to ease risks as well as appoint and scout the right people for their cybersecurity team.

For BPI, Mr. Paz said the bank has intensified its focus and investment on heightening public awareness, saying cybersecurity is a “shared responsibility.”

“For fraudsters to be successful, they need user IDs, passwords, and the registered mobile numbers. The user IDs and passwords are usually captured via phishing e-mails and/or non-secure forms while mobile numbers are attacked either via taking control of the device (e.g., SIM swapping, device binding) and deceiving clients to divulge their OTPs or one-time-passwords,” he said.

“The best defense against these attacks is public awareness,” he added.