Continuing scams

By mid-December, the Bangko Sentral ng Pilipinas expects to wrap up its probe into a recent spate of unauthorized deductions from GCash accounts.

GCash recently said it had fixed the problem, but the BSP is hoping to identify systemic vulnerabilities so that reforms can be implemented.

The Department of Information and Communications Technology is also looking into the issue. Senators are eyeing their own probe on the latest problems involving e-wallet platforms.

Despite the multiple probes, people aren’t expecting the problems to dramatically disappear. The country’s capability to fight cyberscams is abysmal. Republic Act 11934, the SIM Registration Act of 2022 – the first law signed by Bongbong Marcos as president – needs fine-tuning in its implementation, plus complementary moves by multiple agencies along with additional legislation.

Raids conducted on Philippine offshore gaming operators have shown thousands of burner phones used for a wide range of cyberscams. Where did the POGOs get the phones equipped with pre-paid SIM cards?

Seeing the foreigners rounded up during the raids on the POGOs, I wondered if one of them might have been the foreigner who spoke English with a heavy South Asian accent who, together with another person, scammed me last year using GCash.

The man with the South Asian accent spoke with me on the phone and communicated with me by email. The companion communicated by Viber using a male identity. Because I was mourning the loss of my senior dog at the time, and because I thought the pet community could be trusted, I easily fell for a con game similar to love scams, but this one involving pets.

*      *      *

That was over a year ago, during our final months in The STAR office in Manila’s Port Area, from where the GCash payment was made. So when I decided to press charges, just for the heck of finding out how far the complaint would go in our legal system, I was referred by the Philippine National Police to the anti-cybercrime unit of the Manila Police District.

I went to the MPD to file a complaint, and later submitted an affidavit. The unit has a file of my digital communication thread with the scammers.

The last I heard from the unit was in April this year, when the investigator on case texted me, asking for a digital copy of the police report because he was going to apply for arrest warrants from a Manila court.

I wondered if the warrants would ever be served, since the phone, email and Viber identities of the scammers are surely fake. But I pinned my hope on the GCash account that received the payment, hoping that the owner could be traced.

Over half a year since that last communication, I’ve given up on the case.

A colleague also got scammed by someone who broke into her Facebook family chat group and posed as her brother. She lost P15,000, also paid through GCash. Her nephew forked out P30,000 by bank transfer. Both of them did not bother pursuing a complaint, even if they had records of the cash transactions.

I’ve since learned that the SIM Registration Act does not cover Viber, WhatsApp, Telegram and other OTT or over-the-top messaging platforms.

Techies have said digital payment portals must tighten their requirements to facilitate the accurate tracing of account ownership.

Telcos, for their part, point out that most SIM cards are sold in retail shops over which they have no supervision. Even if the retailers go to the trouble of requiring SIM card buyers to write down personal information before giving the card, or ask for a government-issued ID, there’s no way to verify the accuracy of the data provided or the authenticity of the ID card.

Cybercops say the black market in pre-registered SIM cards occurs at this level of the supply chain, where burner phones are also widely available.

*      *      *

There’s a suggestion to eliminate these retail middlemen and instead centralize the sale of SIM cards in the telco and cell phone giants.

Even if the telcos are willing to take on this role, they will still face the problem of properly verifying the personal data provided by the SIM card buyer. Not all Filipinos have government-issued ID cards with security features such as the passport and driver’s license. The PhilHealth, senior citizen/PWD and pension cards can be easily faked. Up to 3.7 million Filipinos (as of July this year) don’t even have birth certificates.

The national ID, which covers every Filipino from age one and whose card bears security features, is the best reference for basic personal data verification.

While Congress was deliberating on the SIM registration law, telco representatives had appealed for a deferment of the implementation of the law until the national ID system had achieved sufficient coverage.

They wanted telco access to the national ID system for proper verification of personal data provided by SIM card buyers. Lawmakers’ response boiled down to, it’s your problem, deal with it.

Sure enough, after RA 11934 went into effect, testing of the Philippine Identification System carried out by cyber sleuths showed that PhilSys accepted the images even of monkeys and toon Bart Simpson. Like the driver’s license and voter’s ID, PhilSys also ran out of plastic cards, further slowing down the coverage.

As of Sept. 19 this year, according to the Philippine Statistics Authority, PhilSys coverage was at 97.8 percent or 90,017,181 of the 92-million target.

Meanwhile, cyberscammers are exploiting the popularity of Viber, WhatsApp and other OTT messaging platforms that are not covered by SIM registration.

Surely there will be a way of foiling the scammers. But the digital payment sector will have to move ASAP, together with cyber experts, monetary and law enforcement authorities to maintain public trust in e-wallet platforms.