With impeccable timing.
Criminal organizations in Mexico have branched out into a lucrative new market and revenue stream: big data. They have developed innovative practices to obtain sensitive user information by lifting data from the databases of government agencies such as Condusef, Consar and Buró de Crédito. They call bank customers and spoof on the caller ID screen the phone number of the bank they claim to represent. To gain the target’s trust, they give the credit card security code to the target and ask if it matches what they see on the back of their card. And it goes from there. Now, they’re about to be gifted an invaluable cache of data: the biometric identifiers of Mexican bank customers.
In recent years, Mexico has become a haven for the black market of stolen personal data of all kinds — enough to earn it ninth place in PricewaterhouseCoopers’ latest list of “economic crime” hot spots. According to Symantec, in 2015 Mexico lost 101.4 billion pesos ($6.7 billion at the prevailing exchange rate) in breaches, identity theft, and other unlawful cyber activity per year, about 12 times more than the total annual losses from fraud committed against banks.
A large part of the problem is the widespread impunity cyber criminals enjoy in the country, owing to the absence of adequate legal tools and the lack of enforcement of the existing laws. Cyber theft in Mexico is not just the preserve of isolated hackers but is dominated by highly professional criminal organizations. According to Sebastian Brenner, a security strategist for Symantec Latin America, these are “very well structured groups, with experts for every stage of the process: infiltration, capture, commercialization.”
Now, these criminal organizations are eying the most personal data of all: the biometric identifiers of millions of Mexican bank customers.
This year, banks in Mexico are required to begin collecting biometric data (fingerprints and iris scans) on all of their customers. Whenever a customer asks for a new home or car loan, cashes a paycheck, applies for a credit card, or opens a new savings account, the bank will have to request the customer’s digital fingerprints and then match those fingerprints against information in the database of the National Electoral Institute.
The law is only in its infancy and it’s highly unlikely that all of Mexico’s banks — in particular the smaller ones — will be able to develop the infrastructure needed to comply with the new rules by the end of this year.
As is the case with biometric programs being tried and tested all over the world right now, from the uncharted backwaters of long-forgotten war zones to the bustling metropolises of the West or East, no one is being consulted along the way.
Biometric identification systems are already encroaching into more and more facets of everyday life. Most national passports these days include biometric data. Driver licenses in the US already have them or soon will. In India, biometric data is starting to underpin everything. Meanwhile, millions — perhaps billions — of people have volunteered their digital fingerprints to log into their smartphones and other digital devices. In other words, people are already giving away their most private data to work, communicate, cross borders, or get on planes.
The government of Mexico is already finalizing its own national ID scheme. According to the former Secretary of Finance and Public Credit, José Antonio Meade, by the summer of 2018 all Mexicans will have a single biometric identification number.
The development of a single biometrics database to be used by banks and government raises serious questions about data privacy and financial security. As recent data leaks have shown, most databases remain incredibly porous, even in countries with far more advanced cyber security systems than Mexico. In Mexico almost one-third of all cyber attacks registered in 2015 targeted government agencies. A further 26% were aimed at private sector institutions, including banks. These are the selfsame organizations that will soon be entrusted to protect tens of millions of Mexicans’ most personal data — the biological traits that make them unique.
“Biometrics are tricky,” says Woodrow Hartzog, an Associate Professor of Law at Samford University. “They can be great because they are really secure. It’s hard to fake someone’s ear, eye, gait, or other things that make an individual uniquely identifiable. But if a biometric is compromised, you’re done. You can’t get another ear.” In other words, if the newly harvested data is hacked by one of Mexico’s burgeoning ranks of cyber criminals, which it almost certainly will be, there is no way of undoing the damage done.

By Don Quijones.