Breaking banks to make them stronger: inside financial VAPT

By Pierce Oel A. Montalvo, Researcher
FORGET STEEL VAULTS — today’s financial industry is built with code, and security is a high-stakes game of who finds the digital backdoor first.
The fintech industry continues to expand. Data from the Bangko Sentral ng Pilipinas (BSP) showed that digital transactions grew to 55.3% of the total retail transaction value in 2023 from 40.1% in 2022, signaling a growing acceptance of digitalization among consumers.
Similarly, the central bank resumed accepting digital banking license applications effective Jan. 1, 2025, now allowing four more digital banks to operate in the Philippines.
Amid rapid growth, financial institutions in the Philippines continue their race to fortify their digital operations. The BSP has reinforced its cybersecurity stance through Memorandum M-2024-029, which provides detailed guidelines for financial institutions following the implementation of the Anti-Financial Account Scamming Act (AFASA) in July 2024.
The AFASA law was only a glimpse of what was to come in the 2024-2029 Financial Services Cyber Resilience Plan (FSCRP), a roadmap for the Philippine financial ecosystem’s security, launched August last year.
“It’s our commitment to creating a robust, secure, and resilient financial system that can withstand cyber incidents and recover quickly from them,” BSP Governor Eli M. Remolona, Jr. said at the launch of the FSCRP.
Deep Web Konek, a cybersecurity advocacy group based in Manila, said that Philippine banks are becoming more proactive in their cybersecurity efforts.
Its coverage of breaches and threat intelligence shows that data from myriad Philippine companies continues to be leaked and sold in dark web markets, including banking credentials.
“This indicates gaps in detecting and mitigating breaches before fraud occurs,” the group said in an e-mail interview.
Considering these breaches, Philippine banks have made progress in strengthening their cybersecurity, adopting measures like penetration testing and red teaming, the group added.
A key component among the requirements listed in the M-2024-029 memo is a mandatory Vulnerability Assessment and Penetration Testing (VAPT), which must be performed to ensure Bangko Sentral-supervised financial institutions (BSFIs) maintain a proper Information Security Program.
“However, inconsistencies remain, and not all institutions rigorously implement these defenses,” Deep Web Konek said.
“Some banks pass security audits but remain vulnerable to real-world attacks, especially through social engineering and application programming interface exploits.”
While banks and financial service providers rush to digitize their operations, the challenge lies in ensuring their security measures keep pace with innovation. This dynamic has spurred both banks and cybersecurity firms in the Philippines to strengthen local VAPT capabilities, recognizing it as a critical aspect of modern financial security.
WHAT IS VAPT?
The finance industry continues to be compromised. IBM鈥檚 X-Force Threat Intelligence Index showed finance and insurance ranked second among targeted sectors in 2023, accounting for 18.2% of cyberattacks globally.
Locally, cybercrime complaints have tripled to 10,004 reported cases in 2024, totaling almost P198 million in losses among cybercrime victims, data from the Cybercrime Investigation and Coordinating Center showed.
Cyber fraud losses among BSFIs also soared by 212% year on year in 2023, with account takeovers, identity theft, and phishing accounting for almost 60% of total cases, according to the BSP.
These figures underscore the growing necessity of ensuring, through rigorous testing, that banks are safe.
“VAPT requires a risk-based approach to effectively identify and mitigate security vulnerabilities,” said the BSP in an e-mail statement.
The BSP Manual of Regulations for Banks requires these tests for BSFIs. Vulnerability assessments (VA) refer to the identification of security vulnerabilities in systems and networks using automated vulnerability scanners.
Meanwhile, penetration testing (PT) involves subjecting systems or networks to simulated or real-world attacks that exploit vulnerabilities under controlled conditions. Both terms are often jointly referred to as “VAPT.”
“This risk-based approach tailors cybersecurity assessments to the unique complexities of each BSFI’s IT operations,” it added.
“VAPT is a way for banks to ensure that the systems and applications they roll out to serve customers are being audited by a third party or an external provider, to ensure that the features or applications they roll out are secure,” Secuna Software Technologies, Inc., a cybersecurity firm that offers penetration testing, said in a video interview.
BSFIs with digital or electronic financial services are also required to conduct VAPT tests at least annually.
“Meeting the annual VAPT requirement involves careful planning, allocation of resources and execution,” the Philippine National Bank’s (PNB) Office of the Chief Information Security Officer (CISO) and Data Privacy Officer (DPO) said in an e-mail interview.
“Each activity should be properly scheduled including assigning of champions and determining the scope of review, required tools, connectivity to the systems and credentials to be used in the testing.”
“BSFIs must ensure providers have the necessary expertise to meet their operational and security needs,” said the central bank.
To make sure banking operations are not affected during VAPT exercises, separate setups are often employed to prevent tests from interfering with the bank鈥檚 critical systems.
Otherwise, attack simulations and exercises would be employed during non-critical days and hours, said Red Rock IT Security, a cybersecurity service provider.
“It’s also important to have backups and extra systems in place, so that in case of any setbacks, systems can be recovered quickly, minimizing downtime and potential data loss,” it said in an e-mail interview.
Carlos T. Tengkiat, CISO of Rizal Commercial Banking Corp. (RCBC), said that business units within the scope of VAPT exercises also require coordination.
“These include provisioning of test accounts, personnel to do a walkthrough of the system, and allocation of resources to address any findings that may come of the exercise,” he said in an e-mail interview.
During the VAPT exercise, which could last upwards of a month, banks and cybersecurity firms cooperate with one another to find critical flaws in the bank’s systems, recommend changes, and implement solutions — all happening within a set timeframe.
“Vulnerabilities are assessed on their impact. These are then addressed based on the criticality of the systems involved,” Mr. Tengkiat said.
The PNB’s Office of the CISO/DPO added that remediation of the vulnerabilities is a collaborative effort between the business owner, Infosec and IT team.
“This requires remediation planning, analysis, testing, deployment and validation if the fix deployed resolved the issue.”
Considering these extensive measures, VAPT exercises help banks reach global standards in security, strengthening consumer trust.
“Financial institutions must adhere to regulatory and international compliance requirements to follow cybersecurity best practices,” Justin David G. Pineda, president of Pineda Cybersecurity, said in an e-mail interview.
Red Rock stated that institutions are implementing stronger and more reliable practices such as adhering to the CIS Critical Security Controls, a globally recognized benchmark for the implementation of safeguards for various systems.
“Global benchmarks, like the Penetration Testing Execution Standard (PTES) and Open Worldwide Application Security Project (OWASP), are available for reference,” said the BSP.
The central bank added that it does not accredit VAPT providers for BSFIs.
“Instead, it requires BSFIs to conduct due diligence using a risk-based approach when selecting service providers.”
VULNERABILITIES
Through VAPT exercises, banks can work on preventing discovered exploits in their system, ensuring that their services are secure. In the industry, cybersecurity firms continue to discover common vulnerabilities in the financial industry.
Mr. Pineda said that his firm usually finds vulnerabilities in unpatched workstations and servers, with updates available that have yet to be implemented.
“Unfortunately, vulnerabilities with critical severity can severely damage IT assets and exfiltrate confidential and highly confidential data.”
He also added that parameter tampering is a common vulnerability they still observe in financial apps and sites.
“For example, you may send money supposedly worth P100 but modify it to P10,000 using tools. If successful, the data sent may be different, or you may even send money more than what you have in your account,” Mr. Pineda said.
Likewise, Red Rock said that security features like one-time passwords (OTPs) were observed to be vulnerable points.
“There are instances such as the misconfiguration of OTP implementations which disrupt the intended process allowing the OTP to be bypassed or manipulated to even be received by the attackers.”
It has highlighted several other security vulnerabilities, ranging from broken access controls that enable unauthorized account access to insufficient input validation that could allow balance manipulation through negative amounts.
Additionally, it has identified a lack of security awareness training that leaves organizations vulnerable to phishing and social engineering attacks.
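The two findings above, a client-editable transfer amount and negative amounts that manipulate balances, are what a server-side transfer handler has to refuse. The following is an added example and not code from any of the firms or banks quoted: a constructed in-memory ledger, with the trusting handler beside a hardened one that ignores the client-supplied source account, accepts only a positive two-decimal amount, and checks the balance before debiting.

```python
from decimal import Decimal, InvalidOperation


def sample_ledger():
    """Constructed in-memory stand-in for the bank's account store (PHP)."""
    return {"alice": Decimal("100.00"), "bob": Decimal("0.00")}


class TransferError(ValueError):
    """Raised for any request the server must refuse."""


def transfer_vulnerable(ledger, request):
    """Trusts every field the client sent: editing the request raises 100 to
    10000 and overdraws, a negative amount credits the sender, and changing
    'from' debits someone else's account."""
    src, dst = request["from"], request["to"]
    amount = Decimal(str(request["amount"]))
    ledger[src] -= amount
    ledger[dst] += amount
    return ledger[src]


def transfer_hardened(ledger, session_user, request):
    """Re-derives trust server-side: the debited account is always the
    authenticated session's (request['from'] is ignored), the amount must be
    finite, positive and at most two decimals, and must not exceed balance."""
    src = session_user
    dst = request.get("to")
    if dst not in ledger or dst == src:
        raise TransferError("unknown or self destination")
    try:
        amount = Decimal(str(request.get("amount")))
        if not amount.is_finite() or amount <= 0:
            raise TransferError("amount must be positive")
        if amount != amount.quantize(Decimal("0.01")):
            raise TransferError("amount must have at most two decimals")
    except InvalidOperation:
        raise TransferError("amount is not a number")
    if ledger[src] < amount:
        raise TransferError("insufficient funds")
    ledger[src] -= amount
    ledger[dst] += amount
    return ledger[src]


def attempt(ledger, session_user, request):
    # Runs the hardened path and reports the outcome as a string.
    try:
        return "ok:" + str(transfer_hardened(ledger, session_user, request))
    except TransferError as exc:
        return "rejected:" + str(exc)
```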
Based on its evaluations with clients from the financial industry last year, Secuna has observed injection attacks, where malicious actors enter malware into ordinary text fields, giving hackers an entry point into a bank’s database.
It has also observed access control issues where users can access unauthorized areas or data, and authentication and session management issues where login systems and user sessions are not properly secured.
Additionally, Secuna’s data revealed information disclosure issues where sensitive data is unintentionally exposed, and security misconfigurations where systems are set up with weak or incorrect security settings.
SETBACKS
While VAPT exercises help banks identify and patch vulnerabilities in their systems, the process itself isn’t immune to challenges. The effectiveness of these security assessments often depends on complex interactions between the banks’ existing infrastructure and the cybersecurity firms’ testing capabilities.
In a double bind, cybersecurity firms can be hindered by their own clients’ technological shortcomings, which limit the very tools and data the firms need to test and diagnose vulnerabilities properly.
For Red Rock, a common challenge is the lack of usable logs for investigation — “akin to investigating a crime scene without any security camera footage to review.”
It also said that while capturing system snapshots is the crucial next step after a security incident, it frequently encounters cases where the relevant computers have already been wiped clean.
“In this instance, it would be comparable to investigating a crime wherein the victims’ bodies were already disposed of and missing,” Red Rock said.
Meanwhile, Mr. Pineda said that despite outlining clear requirements and prerequisites during the planning and scoping phase, some clients attempt to proceed with incomplete data and setup due to the resource-intensive nature of the preparation process.
Another challenge for the firm is the depth of the assessment.
“In VAPT, you usually try to simulate what an attacker would actually do,” Mr. Pineda said. “However, in actual testing, the customer will sometimes halt intrusive tests, which may affect the quality and results of the tests.”
Secuna identified slow vulnerability remediation as a widespread challenge across all sectors, not just finance.
It added that despite offering a month of unlimited retesting and validation services to verify their clients鈥 security fixes, organizations often fail to address all identified vulnerabilities within this timeframe, even though such security issues demand urgent attention.
“It’s pretty much obligatory that [security vulnerabilities] should be addressed as soon as possible, because the longer we keep those vulnerabilities out in the open without fixing them, the higher the risk that they’ll be discovered by malicious hackers or threat actors.”
GOING BEYOND COMPLIANCE
These hindrances, as constraining as they may be, only point towards a need for more rigorous VAPT exercises for financial institutions in the Philippines.
“Organizations should go beyond compliance by including more assets in the testing scope instead of just focusing on assets that are needed to meet regulatory requirements,” Secuna said.
“The government should establish clear requirements for VAPT and Red Teaming engagements to ensure penetration testing is performed effectively, rather than relying solely on automated VA,” Red Rock said.
“I always say that VAPT programs should be included in all phases of the IT service lifecycle,” said Mr. Pineda.
“If we do security assessments as early as project initiation/inception, we can identify weaknesses and fix them prior to implementation.”
On the bright side, financial industries continue to develop their security posture in light of developments in VAPT.
Mr. Tengkiat said that one of the main goals of the RCBC is to address vulnerabilities not only at the tail end but also during development.
“We are currently shifting our development approach to adopt more of the DevSecOps (development, security, and operations) approach.”
“From 2020 to 2024, PNB undoubtedly saw a significant improvement in its security processes,” the PNB Office of the CISO/DPO said.
“The VAPT program helped in strengthening the Bank’s security architecture and played a key role in fostering a security-centric culture within the organization.”
“Under the Financial Services Cyber Resilience Plan, BSP is considering updates to VAPT requirements, focusing on scope, deliverables, team qualifications, and methodology,” said the BSP.
“BSP is also benchmarking testing methodologies from other jurisdictions and will make policy improvements as needed.”