Cyberattacks on financial institutions in Mexico and Chile are ringing alarm bells at banks across Latin America and the Caribbean
It started with problems processing payments.
Three Mexican banks had some “operational incidents” connecting to the country’s central payments network.
But it quickly became clear that the troubles were much deeper. Several Mexican banks had been the victims of a highly sophisticated operation coordinated between the online and offline worlds. In late April and early May, digital criminals transferred millions into a network of bank accounts from which real-life “mules” withdrew the money in cash.
The financial cost was huge. All up, some 300 million Mexican pesos (USD 15 million) worth of transactions are being investigated following the cyberattack. But it goes beyond that.
As banks shifted onto a contingency system, their clients – Mexican companies – were unable to get payments through as usual. Chaos followed, as staff and suppliers waited for payments.
Beyond Mexico’s borders, the attack has shaken banks across the region to the core and brought issues of cybersecurity squarely into the spotlight for financial institutions.
“Immediately when we saw the SPEI problem, we launched a review internally at the bank into all possible points of weakness,” says a tech executive at one of South America’s biggest banks.
As if to drive home the message, an aftershock came from Chile. In June, Banco de Chile, one of the country’s biggest banks, announced that it had also been the victim of an attack. “Highly sophisticated international criminals” had made off with $10 million from its own accounts, it said.
The size and sophistication of each attack was in itself alarming. But perhaps even more disturbing were the implications: the attacks ripped up an old assumption that hackers would not turn their attention to this region.
“Latin Americans thought that we weren’t a target,” says Daniel Torres, a vulnerability researcher at Bolivia’s national IT incident reporting center, CGII.
Making money, literally
The hack in Mexico was a sophisticated, coordinated event that had been months – possibly years – in the planning. In the information security lingo, an “Advanced Persistent Threat”.
Attackers found a point of weakness in third-party software that several Mexican banks used to connect to the country’s payments system, the SPEI.
They used that to generate false transfer instructions, moving cash from made-up accounts into real ones, according to the Mexican Central Bank’s account.
The SPEI is set up to seek digital approval for each transfer from the bank where the money is withdrawn. During the attack, the attackers hijacked the systems that approve such transfers, green-lighting transactions from fictional bank accounts.
With that, the SPEI recognized the transfers as legitimate, and credited the real accounts with money.
The hackers had tricked the system into depositing money from fake accounts: they literally made money. And finally, a horde of real people withdrew the funds in cash.
Meanwhile in Chile, hackers were working on a project of their own. Having discovered a vulnerability in Banco de Chile’s systems, they exploited a software bug that wiped hard disks to create monumental chaos for the bank’s IT department, Torres explains. While the bank’s tech team focused on getting systems operational again, hackers quietly transferred USD 10 million to an offshore account.
“It was an attack that was months in the planning,” says Torres.
Security in the spotlight
The repercussions have been multiple.
As well as being costly, the attacks in Chile and Mexico have hammered the banks’ reputations. But if there could be an upside to the events, it would be that banks are now doubling down on information security.
“Banks have not been investing enough in security,” says Adriel Araujo, co-founder and chief executive at Hackmetrix. The Santiago-based startup offers an automated series of white-hat style vulnerability probes on a website, to identify potential entry points for malicious actors. The company, which launched in February and was selected to the 2018 cohort of NXTP Labs’ regional acceleration program in June, has seen rapid growth in demand for its services.
“Thanks to the Banco de Chile hacking, the regulators are looking at what they can do to strengthen the system,” says Araujo. “Banks will take more precautions to cover their users – and regulators will move out of the 90s with respect to information security.”
Rommel García, a partner in KPMG Mexico’s cybersecurity division, agrees. The SPEI attacks were the first of their kind in Latin America, but Mexico’s banks can hardly claim to have had no warning, he says. “There had been attacks in other countries, mainly Europe and Asia, and they didn’t take appropriate measures.”
Now, he is seeing banks make serious moves on cybersecurity, says García. They are improving their response and detection capacities, both by using new technology and by working to deepen their bench of digital security specialists.
Urgently seeking: cybersecurity experts
As the threats become increasingly advanced, so must the defenses.
“There’s no single technology – it’s not a question of buying an antivirus software or another program that’s going to solve all your problems,” says García. Rather, institutions need to study their internal systems and processes and assess their vulnerabilities.
“Security is not a product,” says Torres, the Bolivian vulnerability tester. “It’s a process.” He points to the fact that emails that trick recipients into downloading a malicious file remain a common point of entry into enterprise systems.
“Lots of people don’t know how to identify a phishing email,” he says.
That means that while banks desperately bulk up their headcount in information security, they should also improve defenses in all departments. Any employee connected to a bank’s network represents a potential entry point for malicious actors – so every employee should be trained to recognize dubious emails or other communications.
At the same time, there is an acute need for more professionals who can combat cybersecurity threats. Top of the list are specialists who know how to properly respond to incidents once they have been detected, says García. Also needed are people who can detect risks – “who can recognize indications that a system might have been compromised, or whether there is a security failure which could indicate that an Advanced Persistent Threat is being developed,” he says.
“That type of knowledge is very limited,” he says. “Very few people have it and it’s in huge demand, both at banks and among consultancies and advisories.”