MANILA, Philippines – BDO president and chief executive officer Nestor Tan compared banks' battle against skimming of automated teller machine (ATM) cards to being on a treadmill, as he faced lawmakers in a House hearing on Thursday, June 22.
"Ang katunayan po, para kaming nasa treadmill. Lahat ng madiskubre namin, we'll take corrective action, and then something [else] will come up," Tan said. (The truth is, it's like we're on a treadmill. We take corrective action whenever we discover something wrong, and then something else will come up.)
Tan fleshed out the comparison with a thorough description of the race between skimmers and banks. (READ: BDO gets reports of 'potentially compromised ATMs')
First, skimmers placed a camera that would record the input of a client's personal identification number (PIN) code on the ATM's keypad. As a response, banks installed a cover that would shield the hands and the keypad from the camera's gaze as well as from "shoulder surfers" – people who try to look at a client's PIN by peering over their shoulder.
Fraudsters responded with a keypad overlay, a fake keypad put on top of the real keypad to record PIN input. Smaller cameras were soon in use too, which would be attached inside the far end of the PIN pad cover with the use of a magnet.
As for the card itself, fraudsters have been able to replicate it with the use of a device inserted into the "ATM throat" that copies the data on the dark magnetic stripe (mag-stripe) on an ATM card.
Fraudsters then physically retrieve the device, and use the data they obtained in order to access accounts and make withdrawals.
The skimming devices are incredibly hard to see now. "Kapag ininspect 'nyo po, wala kayong makikita," said Tan, as he demonstrated the skimming device inserted into the "ATM throat" at the hearing.
BDO's head of transaction banking products, Tovi Mendoza, also showed the devices at the hearing and explained how these are used, as seen in the video above.
The recent string of BDO skimming incidents resulted in 95 confirmed compromised accounts. BDO blocked 7,800 more suspected to have been compromised.
New security measures
The next security solution that Tan and the rest of the banking industry are looking at is the adoption of EMV cards – which Tan said is "more difficult to read" than today's mag-stripe cards and "has security features."
EMV stands for "Europay, Mastercard, and Visa," after the credit card companies that first advocated the technology.
The Bangko Sentral ng Pilipinas (BSP) set a target completion date for the replacement of the mag-stripe cards – a 50-year-old technology, said BDO's Mendoza – with the new EMV chip-equipped cards: June 2018.
Tan described the transition as a "phasing process," which means it will take time to roll out, the same way a new version of a passport will take time to be rolled out to everyone.
"Hindi po Day 1, lahat mapapalitan ng passport. Hihintayin po, over time, 'yung mga tao, makapagpalit," he said. (Not everyone will get new passports on Day 1. The switch will be done over time.)
By June 2018, the mag-stripe cards will be disabled.
Department of Information and Communications Technology (DICT) Assistant Secretary for Cybersecurity Allan Cabanlong also suggested the use of biometrics as an identity verification measure.
"In other countries, ang ginagamit po nila (what they're using is) biometrics – the vein, not the [finger]print. Maybe the banks can also consider those technologies," he said.
Cabanlong noted that Japan, for example, uses that security measure. – Rappler.com