Dona Amisola Beriña withdrew all that was left in her BDO savings account after she lost P100,000 to one Mark Nagoyo in a hacking incident that showed how even the Philippines' largest bank is vulnerable to fraud.
Now, Beriña hopes the Sy-led bank would return her money, which she needs to keep her online selling business going and to pay for therapy of a child with autism and another with depression.
Beriña could not understand how her account was used to "donate" money to Mark Nagoyo when she availed of full protection via OTP or one-time password. One of her friends alerted their chat group to the hacking on Dec. 9. The theft happened sometime between 2 p.m., when she last checked her account, and past midnight the following day.
"When I woke up on Friday, I saw a post my friend had shared that also came from a victim. So I checked again, and I was shocked that P100,000 had been deducted from my account," she told reportr.
When Beriña checked her text inbox, she found two text messages from BDOALERT. The first transaction happened at 11:45 p.m. Thursday and another one at 12:12 a.m. Friday. It was sent as a "donation" to a certain "Mark Nagoyo D", to a Unionbank account.
Beriña said she didn't receive any request to "add device" or one-time password (OTP), security features used to ward off fraudsters. She didn't click any phishing link either. "I'm careful about those things," she said.
To avoid another incident, she withdrew all her savings and transferred them to a different bank. "I just hope our money is returned right away, because online selling is our only livelihood. I have children in therapy for autism and a child who developed depression. I was also recently diagnosed with anxiety disorder," she said.
What happened at BDO?
By the weekend, social media was buzzing with complaints from BDO clients, who claimed thousands of pesos from their accounts were transferred to a Unionbank account under the name Mark Nagoyo. Nagoyo in street slang means one had been duped.
On Facebook, netizens who claim they were hacked formed a group, "MARK NAGOYO BDO HACKED", with more than 5,300 members as of Tuesday morning.
A "surge" in complaints began in the week of Dec. 6, said Bangko Sentral ng Pilipinas Governor Benjamin Diokno, assuring BDO clients that they would be reimbursed for their losses.
"An important reminder: you will never be a victim of cybercrime if you would never give your personal information, such as one-time password, to other people. If you do not give your personal information to others, cybercriminals will never be able to steal your money," the Bankers Association of the Philippines said in a statement.
Clothing importer Nica Cifra-Vega, who lost P50,000 while she was sleeping, told reportr she did not open any e-mail, click on any link, or receive "add device" or "change password" prompts before the incident.
"[BDO has] to do whatever it takes to return our loss and own up that this is clearly a security breach and stop blaming us victims that we weren’t vigilant enough," she told reportr. She withdrew the remaining funds in her business account.
The cybercrime division of the National Bureau of Investigation (NBI) said it was looking into the incident. Its chief Victor Lorenzo told Radyo Pilipinas his team would look into technical issues to understand the "sophisticated" approach to cyberhacking.
"We should also find out what vulnerability they exploited so that banks can improve their systems and it doesn't happen again."
Companies pushing through digital transformation should know how to handle sensitive information in the digital space, including training employees to understand their obligations on protecting clients and keeping their systems up to date, said Edwin Concepcion, country manager of Singapore-based data privacy solutions company Straits Interactive.
To help clients, companies should also release privacy notices in easy-to-read language, he said.
How to protect yourself online
Data protection is the responsibility of service providers and their clients, Concepcion said. For clients, it's knowing how to avoid a more sophisticated "budol-budol" online.
"We also have to accept the fact that as individuals, we can only do so much and organizations can only do so much to provide appropriate and reasonable protection measures," he said.
While the case remains unsolved, here are some tips on how to further protect your identity and your accounts online:
Create a strong password and update it regularly
Instead of using passwords, try passphrases like "ILoveYouSabado!" It's a combination of alphanumeric and special characters, minimum eight characters, which you can easily remember, Concepcion said. Avoid using personal information, such as your children's birthdays and names, as passwords, he said.
Regularly update your passwords and avoid using the same passwords for different platforms. If you can, use a separate email for online banking.
"Once your password on one platform is cracked, there's a chance they can all be cracked. You're probably still using the same password," data expert Dominic Ligot told reportr in an earlier interview.
Use multi-factor authentication
Passwords can be easily compromised, Concepcion said. Use biometric verification like digital fingerprints and face IDs as added protection.
When doing online transactions, always log out of the app.
Don't just exit the app, said Concepcion. "The app will still be running behind the background, so you really have to log out."
Customers who use multiple financial apps should also practice logging out of other open mobile apps, he said.
When transacting in online portals, look for the padlock icon.
The padlock icon means the website is encrypted and is implementing the appropriate security needed, said Concepcion.
Control which information to share.
Should you share your mother's maiden name? Do you have to share your complete home address? Proportionality, or knowing the amount of information that needs to be collected for a particular transaction, should always be practiced, Concepcion said.
Excessive sharing on social media of photos and other data, even IDs, can put you at risk, even if it was intended as harmless updates, he said. It's important to be "data aware" and mindful of transactions you're doing, he said.
"The more information you provide online, the higher the risk," he said. "Unless it's really necessary, don't put it online."