In some cases, users are victims of cybercriminals who manage to steal their data.
The use of digital channels for banking transactions has increased in recent years in Ecuador, driven by ease of access, the diversification of services, and the capacity restrictions on branches during the COVID-19 pandemic.
In recent weeks, a breach of customer data belonging to a financial institution was disclosed; the data was held by a third-party marketing provider that ran a benefits program for the bank. After an extensive investigation, the institution stressed that no evidence was found of any involvement of, or access to, its own systems.
But is it possible to breach the computer security of a financial institution? Gustavo Orbe, Produbanco’s Vice President of Risk Management, explained that the country has specific regulations that provide guidelines on security issues.
“This security is based on controls established in different layers whose main objective is to safeguard customer information and resources. All banks have maintained a process to control the confidentiality, integrity and availability of our clients’ information,” Orbe specified.
Indeed, the Superintendency of Banks requires that, in order to manage information security “against unauthorized use, disclosure and modification, as well as damage and loss, controlled entities must refer to the ISO/IEC 27000 series or the standard that replaces it” (Article 15 of Chapter V of Title IX of Book I of the control standards for entities in the public and private financial sectors).
In addition, controlled entities must at a minimum define information security functions and those responsible for them, and either form an information security committee in charge of evaluating and supervising the information security management system, or have an independent, specialized area, staffed by people experienced in information security management, lead the implementation and improvement of the service.
Article 17, on the security of electronic channels and the prevention of fraudulent or unauthorized events affecting customers, requires at a minimum: a vulnerability test at least once a year; electronic channels protected by anti-malware software that is kept up to date; online alarms that report the status of these channels; “strong authentication mechanisms for the registration and modification of information regarding your mobile phone number and email”; and mechanisms to determine the risk profile of customer transactions, among others.
“Controlled entities must send their customers messages online through mobile messaging, email or other mechanism, notifying the execution of monetary transactions carried out through any of the available electronic channels, or through cards,” the same article also specifies.
Orbe indicates that most attacks that end in fraud require the client’s participation: the client hands over restricted information without realizing it, through various techniques. Among the most common attacks are social engineering, phishing, vishing and SIM swapping.
In the first, he explains, the attacker seeks to gain the client’s trust by appealing to emotions, using data obtained from social networks, and so obtains banking information. In phishing, emails impersonate people or entities and ask the recipient to click a link included in the message, which then requests account and personal data.
In vishing, the official indicates, the client receives a call from someone who tries to frighten them or who poses as a bank official, for example to announce a supposed prize, and so obtains the information. SIM swapping is identity theft carried out by having the cell phone’s SIM card replaced, so that the calls and SMS codes intended for the victim reach the attacker instead.
The Superintendency of Banks explains that in the event of a breach of services or electronic fraud, a complaint must be filed with the Prosecutor’s Office, together with a claim to the bank where the incident occurred. The institution evaluates whether the claim is valid before refunding the money; if the client does not agree with its decision, they may take the complaint to the Client Ombudsman of each financial entity and also to the Superintendency, which exercises control within the scope of its powers.
Other types of financial scams
The Superintendency of Banks also warned that cybercriminals contact people through WhatsApp offering them an economic benefit from a supposed ‘financial institution’. The victim hands over personal data and in some cases deposits a sum of money.
The contact comes from unauthorized entities that request documentation such as an identity document, a pay slip and a utility bill, among others. A ‘financial analysis’ is then carried out to determine whether the credit is granted.
“After the user receives notification of the approval of the ‘credit’, he is informed that he must make a deposit of a certain amount of money so that the process can be legalized. At this point they issue certificates in the name of the Superintendency of Banks stating ‘that for the value of the credit to be unblocked’ a sum of money must be deposited to an ‘alleged advisor or person in charge of the entity’,” the institution indicates.
The Superintendency also warns that in some cases the scammers keep insisting and offer credit products more than once. Its website publishes a list of 98 unauthorized financial entities. Between June 2020 and January 2021 it received 208 reports of approaches by such entities.
Recommendations to avoid falling into electronic scams
Financial entities and control institutions run information campaigns on the risks users face and on the methods used to obtain sensitive information; they can be found on every bank’s website.
Recommendations to keep your online account from being compromised include the following:
Do not click links in suspicious emails.
Check the sender’s actual address, not just the display name, and make sure it has no spelling mistakes or unusual characters; the display name can be set freely by whoever sends the message.
Be wary of emails that threaten consequences or demand immediate action.
In the address bar, verify that the address begins with https:// and that the domain is your bank’s; https only means the connection is encrypted, and a fraudulent site can use it too.
Access your account from trusted devices and type your bank’s web address yourself rather than following links.
Do not provide confidential data on websites, in emails or on calls from strangers who ask for it.
“Banks do not request sensitive information through any channel; a financial institution will never ask users to confirm usernames, passwords, account or card numbers, security codes, etc.,” says Orbe.
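The email and link checks in the recommendations above can be turned into a small heuristic screen. The following Python example is added here for illustration; it is not code from the article, from Produbanco or from the Superintendency. The bank domain examplebank.ec, the list of urgency phrases and the two sample messages are constructed for the example. It flags sender and link domains that imitate the bank’s (a changed character, a non-Latin lookalike letter, a punycode label, or the real name embedded in a foreign domain), links that are not https or that leave the bank’s domain, and wording that pressures the reader to act at once.

```python
"""Heuristic phishing screen for an e-mail that claims to come from a bank.

Added example for this article, not code from any bank or regulator. The
trusted domain, the urgency phrases and the sample messages are constructed.
"""
import unicodedata
from typing import List, Optional
from urllib.parse import urlparse

# Hypothetical domain of the bank the reader actually banks with.
TRUSTED_DOMAINS = {"examplebank.ec"}

# Constructed list of phrases that push the reader to act at once.
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be blocked",
                   "will be suspended", "act now")


def sender_domain(address: str) -> str:
    """Lower-cased domain of 'Display Name <user@host>' or 'user@host'.

    The display name is chosen freely by the sender, so only the part after
    '@' in the real address is examined.
    """
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]
    if "@" not in addr:
        raise ValueError(f"not an e-mail address: {address!r}")
    return addr.rsplit("@", 1)[1].lower()


def unusual_characters(domain: str) -> List[str]:
    """Characters in a domain outside ASCII letters, digits, '-' and '.'.

    Non-ASCII letters that resemble Latin ones (e.g. Cyrillic 'а') are a
    classic lookalike trick; 'xn--' labels are how such names look once
    encoded, so they are reported as well.
    """
    odd = [f"{ch!r} ({unicodedata.name(ch, 'UNKNOWN')})"
           for ch in domain
           if not (ch.isascii() and (ch.isalnum() or ch in "-."))]
    if any(label.startswith("xn--") for label in domain.split(".")):
        odd.append("punycode label (xn--)")
    return odd


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squats of the trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(domain: str) -> bool:
    """True for a trusted domain or any host under it (www.examplebank.ec)."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of_trusted(domain: str) -> Optional[str]:
    """Trusted domain this one imitates, or None if genuine or unrelated."""
    if is_trusted(domain):
        return None
    for trusted in TRUSTED_DOMAINS:
        # One or two characters changed ('examp1ebank.ec'), or the real name
        # buried inside a foreign domain ('examplebank.ec.verify-login.com').
        if edit_distance(domain, trusted) <= 2 or trusted in domain:
            return trusted
    return None


def assess_email(sender: str, body: str, links: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    dom = sender_domain(sender)
    for odd in unusual_characters(dom):
        findings.append(f"sender domain '{dom}' has unusual character: {odd}")
    target = lookalike_of_trusted(dom)
    if target:
        findings.append(f"sender domain '{dom}' imitates '{target}'")
    elif not is_trusted(dom):
        findings.append(f"sender domain '{dom}' is not the bank's")
    lowered = body.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgent wording: '{phrase}'")
    for link in links:
        parsed = urlparse(link)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https":
            findings.append(f"link not https: {link}")
        for odd in unusual_characters(host):
            findings.append(f"link host '{host}' has unusual character: {odd}")
        target = lookalike_of_trusted(host)
        if target:
            findings.append(f"link host '{host}' imitates '{target}'")
        elif not is_trusted(host):
            findings.append(f"link leads outside the bank's domain: {host}")
    return findings


# Constructed sample messages: one phishing attempt, one genuine alert.
PHISH_SENDER = "Examplebank Security <alerts@examp1ebank.ec>"   # digit 1 for l
PHISH_BODY = ("Your account will be blocked unless you confirm your password "
              "immediately.")
PHISH_LINKS = ["http://examplebank.ec.verify-login.com/update"]

LEGIT_SENDER = "Examplebank <notifications@examplebank.ec>"
LEGIT_BODY = "A transfer of USD 120.00 was made from your account today."
LEGIT_LINKS = ["https://www.examplebank.ec/transactions"]

if __name__ == "__main__":
    for label, args in (("phish", (PHISH_SENDER, PHISH_BODY, PHISH_LINKS)),
                        ("legit", (LEGIT_SENDER, LEGIT_BODY, LEGIT_LINKS))):
        print(label, assess_email(*args) or ["no findings"])
```

Run stand-alone, the script reports several findings for the constructed phishing message (sender and link host imitating the bank, a plain-http link, and two pressure phrases) and none for the genuine alert. These are only heuristics: a message that passes them can still be fraudulent, which is why the advice to type the bank’s address yourself and never confirm credentials on request stands regardless of what such a check says.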