A software vulnerability is suspected of being to blame for a hack through which criminals transferred more than 300 million pesos (over US $15 million) out of Mexican banks.
Officials from Mexico’s central bank confirmed to Reuters that a series of “irregular” and unauthorised interbank money transfers involving large sums of money were detected late last month.
Unnamed sources have told the media that hundreds of millions of pesos were fraudulently wired out of banks in a co-ordinated heist at several institutions while accomplices drained recipient accounts in cash at “dozens” of branch offices.
Bank of Mexico Governor Alejandro Diaz de Leon gave a preliminary estimate that approximately 300 million pesos had been involved in the heist but that not all of it had yet been withdrawn and so could still be successfully recovered. Other local media reports have quoted anonymous sources suggesting the amount of money stolen by the hackers is even larger, perhaps as much as 400 million pesos (US $20 million).
Diaz de Leon said that an investigation into precisely what had happened is ongoing. He also apologized to customers:
We are very conscious that this has affected users, and we are sorry about that and we are taking immediate actions to recover the speed of the system with full security.
The bank governor has declined to name the banks that have been hit, but media reports have claimed that Mexico’s second-largest bank, Banorte, was affected.
For now, mystery surrounds precisely how the hackers managed to drain the banks of such a substantial amount of money.
Lorenza Martinez is the head of operations at the Bank of Mexico (Banxico for short). Martinez told Reuters that the central bank’s SPEI interbank transfer system – similar to SWIFT used elsewhere in the world – was not compromised but pointed the finger of blame at third-party software which connected to the payment system.
In an advisory published on Banxico’s website, financial institutions using SPEI are told to implement additional controls to increase their chances of detecting irregular transfers and verify the integrity of their operations.
That’s good advice, as clearly more needs to be done to stop hackers from stealing funds from bank systems. Not only are there understandable concerns about the huge amount of money involved in such heists, but harm is also being done to the general public’s trust in the banking system if headlines about security failures continue to appear.
Organized criminal gangs have taken advantage of SWIFT to steal large amounts of money. Banks have been targeted with bespoke malware that exploits the SWIFT system, as in the case of Bangladesh Bank where criminals successfully made off with $81 million.
And last year a hacking gang abused the SWIFT banking network to steal $60 million after planting malware on a Taiwanese bank’s servers.
In the opinion of Bank of Mexico Governor Alejandro Diaz de Leon, some Mexican financial institutions may have fallen foul of lax security:
Perhaps, some financial institutions perceived the attacks in Bangladesh as something very distant. But criminals look for vulnerability and once they see it they are going to exploit it.
Whether you’re a bank or not, a small business or a home user, I think that last sentence is a truth that we can all agree upon.