It started with problems processing payments.
Three Mexican banks had some “operational incidents” connecting to the country’s central payments network.
But it quickly became clear that the troubles ran much deeper. Several Mexican banks had been the victims of a highly sophisticated operation coordinated between the online and offline worlds. In late April and early May, digital criminals transferred millions into a network of bank accounts from which real-life “mules” withdrew the money in cash.
The financial cost was huge. In all, some 300 million Mexican pesos (about USD 15 million) worth of transactions are being investigated following the cyberattack. But it goes beyond that.
As banks shifted onto a contingency system, their clients – Mexican companies – were unable to get payments through as usual. Chaos followed, as staff and suppliers waited for payments.
Beyond Mexico’s borders, the attack has shaken banks across the region to the core and brought issues of cybersecurity squarely into the spotlight for financial institutions.
“Immediately when we saw the SPEI problem, we launched a review internally at the bank into all possible points of weakness,” says a tech executive at one of South America’s biggest banks.
As if to drive home the message, an aftershock came from Chile. In June, Banco de Chile, one of the country’s biggest banks, announced that it had also been the victim of an attack. “Highly sophisticated international criminals” had made off with USD 10 million from its own accounts, it said.
The size and sophistication of each attack was in itself alarming. But perhaps even more disturbing were the implications: the attacks ripped up an old assumption that hackers would not turn their attention to this region.
“Latin Americans thought that we weren’t a target,” says Daniel Torres, a vulnerability researcher at Bolivia’s national IT incident reporting center, CGII.
Making money, literally
The hack in Mexico was a sophisticated, coordinated event that had been months, possibly years, in the planning: in information security lingo, an “Advanced Persistent Threat”.
Attackers found a point of weakness in third-party software that several Mexican banks used to connect to the country’s payments system, the SPEI.
They used that to generate false transfer instructions, moving cash from made-up accounts into real ones, according to the Mexican Central Bank’s account.
The SPEI is set up to seek digital approval for each transfer from the bank from which the money is withdrawn. During the attack, the attackers hijacked the systems that issue such approvals, green-lighting transactions from fictional bank accounts.
With that, the SPEI recognized the transfers as legitimate, and credited the real accounts with money.
The hackers had tricked the system into crediting money from accounts that did not exist: they literally made money. Finally, a horde of real people withdrew the funds in cash.
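The weakness the article describes is that the payments network trusted each bank’s approval message without the bank independently checking that the debtor account existed and held the funds. The following is an added example, not code from the article, from Banxico or from any SPEI participant, and it does not implement the real SPEI message format. It models a bank-side reconciliation step on constructed approval messages and a constructed ledger: every approval about to leave the bank is checked against the ledger for a real debtor account, for sufficient balance including earlier debits in the same batch, and for many accepted credits converging on one beneficiary (the “network of accounts” pattern from which mules withdraw). Account identifiers, amounts and the threshold are all made up for illustration.

```python
"""Bank-side reconciliation of outgoing payment approvals (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Approval:
    """One approval message the bank's approval system is about to emit."""
    msg_id: str
    debtor: str        # account the money leaves; must exist in this bank's ledger
    beneficiary: str   # account credited at the receiving bank
    amount: Decimal


# Constructed ledger: the bank's own record of accounts and available balances.
LEDGER = {
    "MX-0001": Decimal("150000.00"),
    "MX-0002": Decimal("2500.00"),
    "MX-0003": Decimal("30000.00"),
}

# Constructed batch of approvals, mixing legitimate and forged instructions.
APPROVALS = [
    Approval("m1", "MX-0001", "BEN-A", Decimal("12000.00")),   # legitimate
    Approval("m2", "MX-7777", "BEN-B", Decimal("480000.00")),  # debtor account does not exist
    Approval("m3", "MX-0002", "BEN-C", Decimal("9000.00")),    # exceeds the balance
    Approval("m4", "MX-0003", "BEN-D", Decimal("20000.00")),   # fits on its own
    Approval("m5", "MX-0003", "BEN-D", Decimal("20000.00")),   # batch total exceeds balance
    Approval("m6", "MX-0001", "BEN-M", Decimal("10000.00")),   # three credits converging
    Approval("m7", "MX-0001", "BEN-M", Decimal("10000.00")),   #   on one beneficiary
    Approval("m8", "MX-0001", "BEN-M", Decimal("10000.00")),
]


def reconcile(approvals, ledger, beneficiary_limit=3):
    """Check each approval against the ledger before it reaches the network.

    Returns (accepted_ids, flagged, concentrated) where flagged is a list of
    (msg_id, reason) and concentrated lists beneficiaries that received at
    least beneficiary_limit accepted credits in this batch.
    """
    accepted = []
    flagged = []
    running = defaultdict(Decimal)  # cumulative debits per debtor within the batch
    credits = defaultdict(int)      # accepted approvals per beneficiary

    for a in approvals:
        if a.amount <= 0:
            flagged.append((a.msg_id, "non-positive amount"))
            continue
        balance = ledger.get(a.debtor)
        if balance is None:
            # A forged instruction "from" an account the bank never opened.
            flagged.append((a.msg_id, "debtor account not in ledger"))
            continue
        if running[a.debtor] + a.amount > balance:
            # Includes debits already accepted earlier in this batch.
            flagged.append((a.msg_id, "debit exceeds available balance"))
            continue
        running[a.debtor] += a.amount
        credits[a.beneficiary] += 1
        accepted.append(a.msg_id)

    concentrated = [b for b, n in credits.items() if n >= beneficiary_limit]
    return accepted, flagged, concentrated


if __name__ == "__main__":
    ok, bad, hot = reconcile(APPROVALS, LEDGER)
    print("accepted:", ok)
    for msg_id, reason in bad:
        print(f"flagged {msg_id}: {reason}")
    print("beneficiaries with concentrated credits:", hot)
```

The point of the batch-level running total is that a forged series of approvals can each look plausible in isolation; the point of the ledger lookup is that the approving system and the ledger should not be the same system the attacker controls. A flagged approval would be held for manual review rather than sent.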
Meanwhile in Chile, hackers were working on a project of their own. Having discovered a vulnerability in Banco de Chile’s systems, they exploited a software bug that wiped hard disks, creating monumental chaos for the bank’s IT department, Torres explains. While the bank’s tech team focused on getting systems operational again, the hackers quietly transferred USD 10 million to an offshore account.
“It was an attack that was months in the planning,” says Torres.
Security in the spotlight
The repercussions have been many.
As well as being costly, the attacks in Chile and Mexico have hammered the banks’ reputations. But if there could be an upside to the events, it would be that banks are now doubling down on information security.
“Banks have not been investing enough in security,” says Adriel Araujo, co-founder and chief executive at Hackmetrix. The Santiago-based startup offers an automated series of white-hat style vulnerability probes on a website, to identify potential entry points for malicious actors. The company, which launched in February and was selected to the 2018 cohort of NXTP Labs’ regional acceleration program in June, has seen rapid growth in demand for its services.
“Thanks to the Banco de Chile hacking, the regulators are looking at what they can do to strengthen the system,” says Araujo. “Banks will take more precautions to cover their users – and regulators will move out of the 90s with respect to information security.”
Rommel García, a partner in KPMG Mexico’s cybersecurity division, agrees. The SPEI attacks were the first of their kind in Latin America, but Mexico’s banks can hardly claim to have had no warning, he says. “There had been attacks in other countries, mainly Europe and Asia, and they didn’t take appropriate measures.”
Now he is seeing banks make serious moves on cybersecurity, says García. They are improving their detection and response capacities, both by adopting new technology and by deepening their bench of digital security specialists.
Urgently seeking: cybersecurity experts
As threats become increasingly advanced, so must the defenses.
“There’s no single technology – it’s not a question of buying an antivirus software or another program that’s going to solve all your problems,” says García. Rather, institutions need to study their internal systems and processes and assess their vulnerabilities.
“Security is not a product,” says Torres, the Bolivian vulnerability tester. “It’s a process.” He points to the fact that emails that trick recipients into downloading a malicious file remain a common point of entry into enterprise systems.
“Lots of people don’t know how to identify a phishing email,” he says.
That means that while banks desperately bulk up their information security headcount, they should also improve defenses across all departments. Any employee connected to a bank’s network is a potential entry point for malicious actors, so every employee should be trained to recognize dubious emails and other communications.
At the same time, there is an acute need for more professionals who can combat cybersecurity threats. Top of the list are specialists who know how to respond properly to incidents once they have been detected, says García. Also needed are people who can detect risks – “who can recognize indications that a system might have been compromised, or whether there is a security failure which could indicate that an Advanced Persistent Threat is being developed,” he says.
“That type of knowledge is very limited,” he says. “Very few people have it and it’s in huge demand, both at banks and among consultancies and advisories.”
Are you hiring or looking for a senior technology-related position in a bank, fintech or other financial institution? iupana is now offering free senior industry job listings in our weekly newsletter.
Get your job listing in front of Latin America’s most talented senior banking technology and financial technology executives. And subscribe to the newsletter to see senior fintech vacancies across the region, every Monday. It’s quick, free and easy: full details here.