In the Spring of 2018, hackers infiltrated Mexico’s Interbank Electronic Payment System (SPEI), a network that allows customers of participating banks to electronically transfer or receive money. The cybercriminals created phantom orders that caused SPEI to wire funds from legitimate accounts to fake ones in other institutions. The money was then promptly withdrawn from branches and ATMs in dozens of locations.
The cyberattack targeted five banks, including Banorte, Mexico’s second-largest bank. In the end, the Mexican central bank tallied the losses at 300 million pesos, or roughly $15 million.
Since then, cyberattacks on SPEI, which can process as many as seven million payments on a busy day, seem almost routine. In October of last year, French insurer AXA reported an attack on its network connection, but the company said it didn’t suffer any losses. Though the central bank issued a “red alert” to the 90 financial institutions that participate in SPEI to take precautions, as recently as September, Banorte and Scotiabank alerted customers to interruptions in their payment systems.
Special report: Banking tech
1. The outlook: Banks finally embrace the digital age
Banks pursue high-tech strategies to win customers and improve efficiency
2. Trends in fintech: Q&A with Luiz Marcelo Calicchio
C6 Bank’s co-founder explains how to compete in a digital ecosystem
3. Security challenges: Banks struggle to cope with rising cyber threat
The expanding digital footprint fuels a rising cyber threat
The attacks on SPEI demonstrate a huge challenge facing Latin American banks pursuing a digital transformation. As they replace legacy processes with high tech alternatives, such as artificial intelligence and machine learning, they also expand their vulnerability to cyber criminals. And the threats will grow as the region slowly moves toward a system of open banking that allows third parties, such as e-commerce retailers and ride-hailing services, access to customer financial data.
Those weaknesses are made even worse by the fact that banks, slow to invest in cybersecurity, haven’t built up adequate defenses. Many are often out-gunned by sophisticated criminal organizations, based a continent away and armed with an arsenal of the latest in high-tech tools. What’s more, efforts to combat cyberattacks have been hampered by the reluctance of banks, fearful of reputational damage, to promptly report data breaches that could provide an early warning to other institutions.
Fernando Thompson, director of information technology at the Universidad de las Américas in Puebla and an expert on cybersecurity, says the initial attack on SPEI likely took months to plan and speculates that the thieves probably launched multiple attacks before they were discovered.
“The hackers that are attacking the banks are no longer the young guy working alone in a garage. We are now talking about very organized groups from around the world, in Asia, attacking the banks,” he says.
When Mexican authorities arrested the eight-member group behind the SPEI attacks in May, officials say the group had been stealing millions of dollars a month, possibly for years. The group said their goal was to steal enough money to buy a third-division soccer team.
A 2018 survey of 191 financial institutions in Latin America and the Caribbean by the Organization of American States (OAS) found that 92% of banks in the region experienced a digital security event and that one in three fell victim to at least one successful attack. The OAS estimated that digital security incidents and the time it takes to recover cost banks in the region about $809 million in 2017.
The Mexican financial system is especially prone to cyberattacks, says Thompson. The size of the market — a $1.3 trillion economy with 120 million consumers — combined with lax internet security, little government oversight and the widespread use of pirated software that’s missing the latest security updates make Mexico an attractive mark.
“Mexico is an easy target — it’s like a Shangri-La for the hackers,” he says.
Luis Niño de Rivera, president of the Association of Mexican Banks, objects to singling out Mexican institutions as more vulnerable than others. He says the banks have set up a system called the Malware Information Sharing Platform through which they communicate incidents in an effort to warn others of potential attacks.
Still, bankers acknowledge that it’s a challenge to keep updating systems given the pace of technological change. “It’s an unfair competition,” says the information security chief at a major bank in the region, who asked not to be named. “No matter how fast the companies move, our adversaries always seem to have more time and resources.”
And the job isn’t made any easier because banks in the region have been slow to adopt emerging technologies such as artificial intelligence, machine learning and data analytics to combat cybercrime, according to the OAS.
The OAS survey of financial institutions in the region found that almost half had yet to deploy advanced technologies to combat cyberattacks. And instead of spending more on cybersecurity, 46% of those surveyed said their digital security budgets were unchanged in 2018 from the previous year.
Regulators are taking steps to compel banks to tighten security. The Mexican central bank has created a unit to investigate cyber crimes and has asked local banks to take greater measures to protect themselves and their users.
In Brazil, the National Monetary Council, whose members include the central bank governor as well as the ministers of finance and planning, issued rules in 2018 that require banks to formally adopt procedures and controls to combat cyberattacks and prepare a response plan if a data breach is detected. The new regulations in Brazil also require banks to be more transparent and promptly report data breaches and prepare an annual report for the central bank on cybersecurity incidents.
Still, it’s a challenge for banks to figure out where the next attack will come from. Over the summer, cybersecurity firm Kaspersky detected a new form of malware in some banks in Mexico and Colombia that infects ATMs, allowing accomplices to empty the machines. The firm suspects the malware was deployed with the assistance of bank employees who understood the institutions’ digital infrastructure.
Dmitry Bestuzhev, director of research and analysis for Latin America at Kaspersky, says the best way to dissuade attackers is to devote the same resources and energy to building the appropriate security systems at the same time an application is being developed.
“It’s all about reaching ‘cyber immunity’ or making the cost of a successful cyberattack so high for the threat actor that the investment necessary would outweigh the gains,” he says.