BDO’s advisory misses the point: Security limits were bypassed
DECODED: TECH, TRUTH, AND THREATS
By Art Samaniego
When BDO released its advisory on the viral case of unauthorized transactions, it framed the issue as a matter of “social engineering” and even “familial fraud.” The message was clear: don’t click suspicious links, don’t share personal details, don’t give away your OTP.
While those reminders are valid, they miss the central question that every depositor deserves to ask: how did the transactions bypass the bank’s own limits?
As a cybersecurity analyst and tech support professional, I know that daily transfer and withdrawal caps are not there for convenience; they are hard security controls. Think of them as circuit breakers.
Even if someone manages to phish your OTP, those breakers should trip the moment the transaction volume exceeds the allowable threshold.
If P189,000 was removed from an account when the cap was P50,000, that means the safety measures didn’t work.
Customers cannot override these limits. If they were crossed, the compromise happened inside the bank’s systems, not on the customer’s phone.
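To make the circuit-breaker point concrete, here is an added illustration (not the bank's code, and no claim about how BDO's systems actually work) of a server-side daily-cap check: the cap lives in server configuration, the running total is kept per account per day, and a request is refused the moment the day's outflow would exceed the cap, even when the OTP supplied is valid. The account id, cap value, timestamps and amounts are constructed for the example; the amounts sum to the P189,000 figure from the column.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

DAILY_CAP = 50_000  # hypothetical server-side cap in pesos; never taken from the client


@dataclass
class TransferRequest:
    account: str
    amount: int
    at: datetime
    otp_valid: bool  # result of the OTP check; a separate control from the cap


class DailyLimitBreaker:
    """Aggregate daily-limit control evaluated on the server.

    Tracks the approved outflow per (account, day) and trips as soon as a
    request would push that total past the cap. Nothing in the request can
    raise the cap, so a phished OTP alone cannot get past it.
    """

    def __init__(self, cap: int = DAILY_CAP):
        self.cap = cap
        self._spent = defaultdict(int)  # (account, date) -> approved outflow so far

    def decide(self, req: TransferRequest) -> tuple[bool, str]:
        if not req.otp_valid:
            return False, "otp_rejected"
        key = (req.account, req.at.date())
        projected = self._spent[key] + req.amount
        if projected > self.cap:
            # Breaker trips: the OTP was correct, but the volume control still holds.
            return False, f"daily_cap_exceeded:{projected}>{self.cap}"
        self._spent[key] = projected
        return True, "approved"


def run_scenario(cap: int = DAILY_CAP) -> list[tuple[int, bool, str]]:
    """Constructed scenario: every request carries a valid (phished) OTP and the
    amounts total 189,000. Returns (amount, approved, reason) per request."""
    breaker = DailyLimitBreaker(cap)
    start = datetime(2025, 1, 1, 10, 0)
    amounts = [45_000, 5_000, 40_000, 50_000, 49_000]  # sum = 189,000
    results = []
    for i, amt in enumerate(amounts):
        req = TransferRequest("acct-001", amt, start.replace(minute=i), otp_valid=True)
        ok, reason = breaker.decide(req)
        results.append((amt, ok, reason))
    return results
```

With the 50,000 cap only the first two requests (totalling exactly 50,000) are approved; the remaining three are refused regardless of the OTP.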
That’s why I find the advisory lacking. It places the burden entirely on depositors while avoiding the uncomfortable truth: when institutional safeguards fail, that is not negligence on the depositor’s part; it is a systemic lapse.
OTPs, fraud monitoring, and limits exist precisely because we know phishing and scams happen every day. If those defenses are bypassed, blaming the victim is both unfair and irresponsible.
If banks want to restore trust in digital banking, they need to do more than remind customers about phishing.
They must explain why limits were not enforced, strengthen monitoring, and make restitution when systems fail. Otherwise, people will keep asking a very simple but powerful question: If your security layers can be breached so easily, how safe is our money really?