The Philippines, the Heist and Finance Sectors Cyber Security

Information Security
The Philippines, the Heist and Finance Sectors Cyber Security
Rainer Mar Bacus
Asia Pacific College
The Philippines, the Heist and Finance Sectors Cyber Security

Table of Contents

I. Title Page
II. Table of Contents
III. Introduction / Abstract
IV. Problem Statement and Hypothesis
V. Review of Related Literature
VI. Conclusion and Recommendation
VII. References
The Philippines, the Heist and Finance Sectors Cyber Security

Introduction / Abstract

Last 2016, one of the leading news on what happened with the
RCBC and the Bangladesh Banks $81 Million Dollar Heist made a stir in both
local and international airwaves. Not only that this made a big controversy but
also posed a big problem with the Philippines banking system. Until to this day,
this case has not been solved yet and only $68,000 were retrieved from this
incident.

As per Kaspersky Labs, Philippines is now the 7th most

attacked country worldwide as of 2016. This is a very alarming not only that it
can threaten the countrys financial sector but also be a threat to all of 60 Million
Filipinos or 58% or the total population have access to the internet.

This paper will give us an insight on what we have learned from

the incident. In addition, this paper contains the necessary information from
various sources which we can apply here in the Philippines to further enhance
our financial institutions cyber security measures and what are the things that
users can do to vital information. As a part of the APC BS-IT community and a
proud member of the TELUS IT Team, this is the best topic to tackle especially in
this world where almost everyone is engaged online through social media and
the like.
The Philippines, the Heist and Finance Sectors Cyber Security

Problem Statement and Hypothesis

Currently, the Philippine banking systems status when it comes to

information security is severely inadequate which in this case, was the
Bangladesh Bank Heist of 2016.

Our countrys main financial institution is in dire need of a robust platform

or system that would mitigate the harmful effects of such an attack, if not
prevent it entirely. Hence, what can we do to further enhance the security not
only for the finance sector, but for us as well? What are the lacking in system
which caused this incident? With this, it will help us understand what happened
and the steps we can do to further enhance security.
The Philippines, the Heist and Finance Sectors Cyber Security

Review of Related Literature

The Bangladesh Bank heist is also called Money Laundering. As per

Wikipedia, it is a practice of engaging in financial transactions in order to conceal
the identity, source and destination of money which is a main operation of the
underground economy.

According to Robinson, Money laundering is called what it is because

that perfectly describes what takes place - illegal or dirty money is put through
a cycle of transactions, or washed, so that it comes out the other end as legal or
clean money. In other words, the source of illegally obtained funds is obscured
through a succession of transfers and deals in order that those same funds can
eventually be made to reappear as legitimate income." In other words, money
acquired in not an official way, e.g. through banks, transactions or any
institutions.

Through technology, its easier for people to move money digitally.

However, this gave criminals a way to run it on their hands. Based on Bakers
research, the rise of electronic banking is facilitating the movement of billions of
dollars in illicit funds, exposing vulnerabilities stemming from:
The speed of money movements;
The secrecy surrounding financial dealings;
The sheer number of agencies involved which generates jurisdictional
issues;
The failure of government mandated measures, and hence the need for
private sector actors to take more responsibility

In my opinion, the Philippines do have fail safes created for these

vulnerabilities and also with the Philippine Government which includes the Anti
Money Laundering Act of 2001(RA 9160). This also enforces the Electronic
Commerce Act of 2001(RA 8792). However, theres a lack of evidence since the
money was put to casinos. On that event, these transactions were not covered
The Philippines, the Heist and Finance Sectors Cyber Security

by the law yet, and of course. Only this 2017, when President Rodrigo Duterte
signed the amendment of the law where more than 5 Million will be covered.
According to Douglas and Loader (2000), cybercrime can be defined as computer
facilitated activities accompanied through global Electric networks either
illegally or illicitly by definite entities.

In the banking sector, illegal money transfer and removal from one to
another account are identified as banking fraud according to Wall (2001). He has
also classified cyber-crimes into four broad categories i.e. cyber-deceptions,
cyber-violence, cyber-trespass, and cyber-pornography. The banking frauds are
classified under cyber-deception which is termed as immoral activities including
credit card fraud stealing, and intellectual property violations (Anderson &
Barton, 2012).

ATM frauds, E-money Laundering and Credit Card Frauds are the most
witnessed cybercrimes in the banking sector. In general, all the frauds are
executed with the goal of accessing user's bank account, stealing funds and
transferring it to some other bank account. In some cases the cyber criminals
uses the banking identifications i.e. passwords, e-PIN, certificates, etc. to access
client's accounts; whereas in other cases they may want to steal and transfer
the funds into other accounts illegally. The intention of cyber criminals
sometimes is just to harm the image of the banking firm and therefore, they
block the bank servers blocking the access of clients' accounts (Claessens et al.,
2002; & Hutchinson et al, 2003).

Liao.Z and Cheung.H,(2008) revealed in their study that customer

interaction with the internet assisted online banking are the ease of use, security
convenience, and also responsiveness to services requirements. They also
suggested, for preventing cyber-banking crime: protecting antivirus & firewall,
restricting the amount of personal information one permit to be in public
domain, making use of low limit distinct credit card for online buying to minimize
the possible loss of things go wrong.
The Philippines, the Heist and Finance Sectors Cyber Security

Recommendation

After the Bangladesh bank heist, the Society for Worldwide Interbank
Financial Telecommunication (SWIFT) claimed they were not hacked and that
they have taken steps to keep their financial transactions secure. As a response
to these last attacks, SWIFT is forcing banks to increase security protocols. Now,
moving money will require additional steps to prove that a real banker is
approving a transaction. Also, moving forward, banks will share more
information with one another about their computer systems. This would form a
unified defense against hackers. SWIFT is also analyzing its own infrastructure to
spot how it's being used illegally.

Information security awareness.

This being put in place by SWIFT for banks to follow, what the Philippine
banking system should do is first educate the people in the banking sector and
their valued customers (account holders) on the cyber security threats. The
country also needs to strengthen its cyber security measures; they should train
more cyber security professionals given that the country only has roughly
around 80 CISSP certified professionals.

Additional means to secure bank and online transactions.

Banks should hire a competent team of cyber security experts to add to
their IT department, they should also train their banking staffs some basic IT for
them to be able to at least detect suspicious activities in their online banking
systems. Staff should be aware of all kinds of online attacks. A one-time PIN can
be sent to a customers registered phone number for some online banking
transactions, the customer will have to enter the PIN for verification when they
log in, the PIN can only be used once.

Banks should also educate their online customers or users to never use
their personal data as passwords and to always change the security questions to
The Philippines, the Heist and Finance Sectors Cyber Security

what wont require them to answer with sensitive personal information. A

frequent change of password would be a good practice, personal information
should also be kept off social media, like your name, Date of Birth, location and
address. Bankers or bank employees should abstain from browsing the internet
on their workstations to either check their emails or go on social media sites, as
most hackers can easily pass through any malicious sites or through their
personal emails with the help of a phishing email to gain access into the bank's
main system.

Secured IT Systems and Frequent Spot-checks

Banks should make it a habit of always upgrading their software,
application and other security tools they might have to decrease the chances of
a cyber-attack breaking through their systems. They should regulate the points
of attack to lessen the likelihood of an attack by restricting which applications
are allowed to run, which log-ins are authorized to access certain information,
and what actions a particular system can perform. This will lessen the weak
points in your security system.

Security analysis data should always be compiled; all their backup plans
should be ready before any hacker makes his move. They should compile a list
of their systems weak points, and map out ways to add protection to those
vulnerable areas. By knowing your security system in and out, you can protect it
better from cyber-attacks.
Banks should also share information with other banks about their systems
and about the cyber security threats they have faced or are facing, this will help
them come up with quick counter attacks and resolution to some of the
cybercrime problem in the banking system.

What we can do?

1. Standard business users should never have full local admin rights
The Philippines, the Heist and Finance Sectors Cyber Security

a. Enable organizations to remove local admin rights while enabling

users to elevate privileges when needed for approved tasks.
Without local admin rights, it would have been difficult for the
attackers to break in, move throughout the network and install
malware.
2. Secure privileged account credentials
a. This includes the credentials for the remaining local admin accounts
on endpoints, domain admin credentials, and privileged SSH keys
and any other credentials that provide access to a sensitive account
or system. This also could have included the SWIFT user credentials
needed to access the digital certificates. By centrally securing
privileged credentials, controlling access to these credentials based
on role, and enforcing multi-factor authentication before granting
access, the attackers would likely not have been able to get the
credentials needed to laterally move through the environment,
reach the SWIFT-connected systems or execute the fraudulent
transactions.
3. Segment off highly sensitive systems from the rest of the IT network.
a. This is often seen in retailers who have separate PCI environments,
in utilities who separate and airgap their ICS systems, and it should
be seen in central banks in their SWIFT-connected environments.
For administration purposes, once these systems are separated
from the standard IT network, remote access should only be
permitted via a designated, secure and hardened jump server.
Using this approach, organizations can tightly control access to
these system, better protect against credential harvesting
techniques and prevent malware from jumping from user
endpoints to sensitive systems.
4. Monitor and analyze all privilege account activity.
a. Privileged accounts protect the most sensitive data and assets, and
as a last line of defense, security teams need to be able to quickly
identify anomalous activity that could indicate an attack is in-
process. In this case, had the Bangladesh Bank been monitoring
SWIFT account activity, they could have been alerted to the
abnormal login patterns, investigated what was going on, and
The Philippines, the Heist and Finance Sectors Cyber Security

stopped the attackers before they were able to execute 35

transactions.
5. Lastly, by controlling applications on endpoints and servers,
organizations can apply application whitelisting policies that meet their
risk tolerance.
a. By doing this, organizations can proactively prevent unknown and
malicious software from infiltrating the environment and detect
when new applications enter and spread throughout the
environment. In this case, Bangladesh Bank could have recognized
the malware during the earlier stages of the attack.
The Philippines, the Heist and Finance Sectors Cyber Security

Conclusion

After the Bangladesh Bank heist of 2016, cyber security problems facing the
current banking industry was brought to the fore. Vulnerabilities and loopholes
were exposed. One effective measure to mitigate such attacks would be the
implementation of training programs on a regular basis for bank employees. This
would include mostly non-IT personnel, especially those who handle sensitive
transactions and documents.

However, what needs to be really addressed is the lack of cybersecurity

professionals employed in the Philippine banking sector. The shortage does pose a
problem in strengthening and enhancing cybersecurity measures. As Matt
Middleton-Leal, regional director of UK & Ireland at CyberArk said, attention and
budget for cybersecurity in banks is all too often focused on defending the
perimeter, allowing blind spots to form, obscuring whats actually happening inside
the network. This can be tackled by employing more IT cybersecurity professionals.
The Philippines, the Heist and Finance Sectors Cyber Security

References / Citations

The Daily Star & Reuters, Bangladesh Bank responsible for $81 million heist: RCBC.
(December 14, 2016). Retrieved from
http://www.thedailystar.net/business/bangladesh-bank-responsible-81-million-
heist-rcbc-1329568

Kim Zetter, That Insane, $81M Bangladesh Bank Heist? Heres What We Know.
(May 17, 2016). Retrieved from
https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-
know,

Bangko Sentral ng Pilipinas. (September 29, 2001). Anti-Money Laundering Act of

2001. Retrieved from
http://www.bsp.gov.ph/regulations/laws_aml.asp, [September 29, 2001]

Agence France-Presse. (February 06, 2013) PH Casinos Exempt from Tougher

Anti-Money Laundering Law, Retrieved from
http://www.rappler.com/nation/21209-ph-casinos-exempt-from-tougher-anti-
money-laundering-law

FreeAdvice Staff. Money Laundering. Retrieved from

http://criminal-law.freeadvice.com/criminal-law/criminal-law/money-
laundering.htm

Robinson, J. (1995). The Laundrymen: Inside the Worlds Third Largest Business.
New York, N.Y.
The Philippines, the Heist and Finance Sectors Cyber Security

Baker, Raymond W. (Autumn 1999)"The Biggest Loophole in the Free-Market

System". The Washington Quarterly.

Douglas, T., & Loader, B. D. (2000). Cybercrime: Security and surveillance in the
information age: Routledge

Anderson, R., Barton, C., Bhme, R.,Clayton, R., van Eeten, M. J. G., Levi, M.,
Moore, T., & Savage, S. (2012). Measuring the cost of cybercrime

Claessens, J., Dem, V., De Cock, D., Preneel, B.,&Vandewalle, J. (2002). On the
security of todays online electronic banking systems. Computers & Security, 213:
253-265

Z. Liao and M. T. Cheung (2008), "Measuring customer satisfaction in internet

banking; A core framework," Communications of the ACM, vol. 51, no. 4, pp.
47-51.

The Society of Honor. (November 16, 2015). Banking in the Philippines, Part I:
The fundamentals. Retrieved from https://joeam.com/2015/11/16/banking-
in-the-philippines-part-i-the-fundamentals/

Middleton-Leal, Matt. (June 17, 2016). Learning the Lessons of the Bangladesh
Bank Heist. Retrieved from https://www.financedigest.com/learning-the-
lessons-of-the-bangladesh-bank-heist.html
The Philippines, the Heist and Finance Sectors Cyber Security

Gulle, Jimbo Owen. (April 1, 2016) Philippine Banking System is Strong and
Stable. Retrieved from
http://www.thestandard.com.ph/news/supplements/banking-
report/219955/philippine-banking-system-remains-strong-and-stable.html

Jodesz Gavilan. (April 27, 2016). The state Of Cybersecurity in the Philippines,
Retrieved from http://www.rappler.com/newsbreak/in-depth/130883-
state-cybersecurity-philippines