
2 To 4 Hackers Behind ‘Nagoyo’ Account Traced

Bangko Sentral ng Pilipinas’ Technology Risk and Innovation Supervision Department director Melchor Plabasan

Probers have traced two to four persons behind an account in UnionBank of the Philippines where funds taken from the hacked system of the BDO Unibank Inc. were transferred, according to an official of the Bangko Sentral ng Pilipinas (BSP). 

 

Melchor Plabasan, director of the BSP’s Technology Risk and Innovation Supervision Department, said on Tuesday night, Dec. 14, that the persons were behind the account under the name Mark Nagoyo. 

 

The “two to four persons” are not employees of either BDO or UnionBank, Plabasan told “The Chiefs” on One News / TV5. He declined to say if the persons are Filipinos or based in the country. 

 

This developed as the National Bureau of Investigation (NBI) said it is looking into the involvement of a local syndicate behind the hacking of BDO customers’ online bank accounts. 

 

“Our initial assessment based on things already gathered showed that a local syndicate, not an international one, may be behind this incident,” NBI cybercrime chief Vic Lorenzo said in Filipino over dzRH. 

 

“Maybe the affected depositors’ account information had already been compromised, and the hackers used it when they were able to identify the cracks in the security protocols,” Lorenzo said, calling these compromised accounts, held for the hackers’ later use, “sleeper accounts.” 

 

It was also possible that bank depositors from UnionBank, which reportedly received the siphoned money, may have also sold their accounts to the hackers, Lorenzo said, calling this modus “mule accounts.” 

 

In an earlier interview with Radyo Singko, Lorenzo said there was a hint of “sarcasm” that the siphoned funds were transferred to the UnionBank account of a certain “Mark Nagoyo,” whose last name is the Filipino word for someone who was duped. 

 

The BSP has ordered the two banks to put “remedial measures” in place. BDO vowed to reimburse the losses of 700 bank clients and to improve its security system. 

 

The BSP has also formed a task group to investigate the hacking incident, which may have been an inside job and a security breach on a web service due for phase-out. 

 

 

BDO reimbursing clients 

 

Journalist-cyber security advocate Art Samaniego told The Chiefs Monday night, Dec. 13, that BDO will not risk corporate embarrassment and will definitely reimburse its depositors the money they lost to hackers. 

 

BDO has said it will reimburse about 700 clients who were victims of the hacking. 

 

Bayan Muna party-list Rep. Ferdinand Gaite hopes a congressional inquiry in aid of legislation will help them get the “big picture” and prevent another hacking. 

 

The Philippine National Police (PNP) said people should be cautious when using social media platforms and avoid responding to dubious emails with embedded links. 

 

It also reminded bank users not to give away vital information like contact numbers and bank details. 

 

The PNP Anti-Cybercrime Group said it is willing to help the victims if they would file a formal complaint. 

 

 

UnionBank side 


Henry Aguda, senior executive vice president, chief technology and operations officer and chief transformation officer of UnionBank, bared that the bank has already frozen close to P5 million in funds that would have been involved in the recent incident. 

 

“We’re making sure those funds are safe and we will coordinate closely with BDO on how to proceed with those funds,” Aguda told “BusinessWorld Live” on One News on Monday. 

 

Aguda explained that in situations like this, “we already have a process for which, if another bank [transmits] to us an issue with regards to funds transferred to our bank, we immediately trace where the funds are moved to.” 

 

Once the bank traced them, according to Aguda, the bank would coordinate with other institutions for proper action. “We've already talked to them, and they have been notified of the situation.” 

 

Should the BSP ask them to return the funds immediately, Aguda said the transfer of funds for affected customers is instantaneous. 

  

Aguda maintained that there was no breach in UnionBank’s system as they “continue to operate with the highest level of cybersecurity vigilance and awareness.” 

 

“Any threat or any possible action taken against us we monitor closely and proactively prevent,” he stressed. 

 

  

Less than 10 accounts involved 

 

UnionBank chief information security officer Joey Rufo revealed that the bank was able to immediately discover and detect fewer than 10 accounts that were involved. 

 

Rufo said the bank has been coordinating with the BSP through their compliance organization over the unauthorized transaction and if it merits returning the funds, “we will do so.” 

  

“As soon as we get initial communication from them, we will execute accordingly… But we will fully cooperate with whatever BSP asks us to do, as well as whatever BDO requires us,” he pointed out. 

 

Rufo assured that “all of the people involved will be held accountable for their actions” as the bank has already gathered all artifacts that are necessary. 

 

 

‘Mark Nagoyo’ 

 

Rufo noted that UnionBank has a “very rigorous” know-your-customer process because when applying for a digital account, customers are required to pass a biometric test, take a picture for verification, and submit their identification card (ID). 

 

He said only an account number is important when transferring money, thus the use of the name Mark Nagoyo may not really prove anything. 

 

“When someone sends money over InstaPay, InstaPay only requires account number matching. So as long as you provide [the] correct account number, it gets to that destination account immediately,” he explained. 

 

“Now, the beneficiary name, any person can fill up a name that may not necessarily match the name of the recipient account. That's why these cybercriminals put in Mark Nagoyo but it does not reflect [the] real name of the account holder or account number corresponding,” he added. 


Rufo claimed that there are different people behind the account of “Mark Nagoyo” as per their records. 

 

Aguda also said “Mark Nagoyo” was the name that was typed when cybercriminals did the InstaPay transfer. 

 

“So anyone can type in Juan dela Cruz or any name there. There is no validation as to whether that name exists or corresponds to any specific account,” he noted.  

 

Samaniego warned in an interview on “Agenda” on Tuesday that what happened to BDO and UnionBank could happen to any bank. 

   

The cybersecurity expert expressed the belief that BDO’s testing environment might have shown up and attracted the cybercriminals. 

 

“BDO is upgrading its system. They are already replacing this; as they said, the 10-year-old web service is already due for phase-out,” Samaniego said. 

  

He told “The Chiefs” on Monday night that the BDO online banking mess was due to a “compromised system.” 

 

He also said in an interview with “The Big Story” on One News on Monday that the incident was not a phishing attack. 

 

He said cybercriminals used bitcoin as an exit so they could hide the money. “When cybercriminals do these things, they need to exit, they need an exit… So the best exit for them is to convert it to bitcoin.” 

 

Once the money is converted to bitcoin, according to Samaniego, they can pass it to other wallets and they could use it freely. “It’s a form of money-laundering.” 

 

 

Data breach, not inside job 

 

Also on Monday, Samaniego told One News Now that the BDO case was likely a data breach and not an inside job. 

 

“All information that we have points to a data breach because there (were) no text messages or information sent to you or an OTP (one-time password) sent to owners before their accounts were debited,” Samaniego said. 

 

Citing his “sources,” Samaniego said the money from hacked BDO accounts was used to buy bitcoin so it would be difficult to recover. 

 

He believes that this kind of scam has been happening before but it was only last Saturday, Dec. 11, that the number of victims surged.

 

“This kind of scam has been happening this year. So people complain to BDO but BDO always tells them, you have exposed your personal information, you have exposed your login credentials and you have shared your OTPs,” Samaniego pointed out. 

 

“So this is not the fault of the bank because you allowed scammers to trick you into believing that you are transacting to the bank,” he added. 

 

Samaniego also said that the OTPs through text messages are not safe. “Biometrics is safer. Multi-factor authentication key is safer versus the one that is being done through SMS.” 

 

The safer way now to avoid scams is to make a passphrase instead of a password, he noted. A passphrase is like a password but made up of words separated by spaces. 

 

He also reminded the public to be careful in engaging with unsolicited emails and messages. “Let us all be careful in using social media to transact.” – With Delon Porcalla, Emmanuel Tupas, Cecille Suerte Felipe