THOSE who warn banks of the possibility of cyber attacks are too late. It has already happened. In 2007, I experienced a cyber attack where my account with Banco de Oro Unibank Inc (BDO) was fraudulently divested of P50,000.
The hacker’s identity can be established, at least by BDO if it is interested. The hacker fraudulently withdrew P50,000 from my account at 10:30 on August 16, 2007 from BDO terminal 6654. This is sufficient information for BDO to find out who the hacker was.
I did not know that my account had been hacked until a few days later when I did a balance inquiry. Yikes! What I thought was an account with a healthy balance was one where I had almost no money at all.
To find out what happened, I went to the branch where I kept the account. The first thing that worried me was that no one in the branch knew that the fraudulent transaction had taken place. Since it was a telebanking account, which had a daily limit of P20,000, then a withdrawal of P50,000 should have rang alarm bells. It did not.
The second aspect which concerned me was the bank’s reflex, exemplified by the local area supervisor, which was that if there were a problematic transaction then it had to be the customer’s fault. Within hearing distance of the customer, the supervisor wondered aloud about the customer’s veracity (or lack of it). He was reassured by the branch staff that I was a customer of long (11 years) and of good standing. Thank you.
Eventually, after a delay causing me mental anguish and sleepless nights, BDO deigned to replace the money that had been stolen, seemingly by one of its own employees.
BDO tried to tell me that it had “firewalls” to protect its customers from fraudulent transactions. I replied that this was demonstrably untrue since BDO did not know about the problem until I reported it.
Later, being dissatisfied with BDO’s response, I reported the matter to the Financial Consumer Affairs Group (FCAG) of the Bangko Sentral ng Pilipinas (BSP). FCAG kindly approached BDO on my behalf. The response from BDO legal was that under the bank secrecy law (RA 1405) it could not tell BSP anything. I explained that I disagreed with this creative interpretation of RA 1405, a law which is designed to protect the customer, not to protect the bank and its doubtful employees.
I believe BSP should have tested RA 1405 long ago in the courts, if necessary. Case law would then have been developed which establishes the circumstances under which RA 1405 applies and those where it does not.
I respect those who work for BSP because I have had helpful dialogue with its members. But I believe that BSP is not sufficiently feared by those who perpetrate fraud, falsify documents, and thereby cause the Philippines banking system to be not well regarded on the international stage.
BSP tells me that its role is to ensure the implementation of safe banking practices.
It has a long way to go.