A virtual paradise for real bank heists.
The year 2018 is turning out to be a bumper year for the world’s burgeoning ranks of bank hackers. Last week alone, Chile’s second biggest bank, Banco de Chile, reported losing around €10 million in a bank heist targeting the bank’s local SWIFT network. And embattled UK lender TSB admitted that 1,300 customers have been victims of fraud attacks since its botched attempt to upgrade its IT system. That number is likely to continue to rise as the bank struggles to get its act together.
These incidents follow on the heels of a flurry of highly sophisticated bank hacks in Mexico. The first attack took place in early January when hackers tried to steal $110 million from Bancomext, a state-owned trade bank. The plan was to siphon off the money via the bank’s connection to the international SWIFT payment network, but the virtual heist was detected just in time.
It wasn’t the first time hackers had targeted a bank’s connections to SWIFT, which is used by the global banking industry to shift trillions of dollars each day. In 2015 cyber thieves broke into the system to pilfer $12 million from Ecuador’s Banco del Austro. In 2016, hackers tried, but failed, to snatch $1.1 million from Vietnam’s Tien Phong Commercial Joint Stock Bank. A year later the most audacious cyber attack yet was launched, against the Bangladesh Central Bank. The thieves got away with $81 million.
After that, many banks began tightening the security of their SWIFT messaging networks. But many lenders in Mexico apparently didn’t. Even following the foiled attack in January, Mexico’s central bank failed to warn other Mexican lenders about the raid until late May, by which time hackers had managed to make off with around 400 million pesos ($20 million) from three other Mexican financial institutions.
This time, instead of targeting the SWIFT global payment system, they zeroed in on vulnerabilities in the banks’ connections to the country’s domestic payment transfer system, known as SPEI. The cyber thieves were able to remove the funds by creating hundreds of phantom orders that wired funds to fake accounts across a number of banks, including Mexico’s third largest, Banorte. Accomplices then emptied the fake accounts in cash withdrawals from dozens of branch offices.
The problem became so serious that many of Mexico’s banks were urged to migrate onto a backup connection system, which is a lot slower than the one usually used to connect to SPEI. Days later, Mexico’s second biggest bank, Citibanamex, suffered a day-long system failure that made it impossible for customers to withdraw money from ATMs, pay with their credit or debit cards, or access their online accounts.
The recent hacks in Mexico bear similarities to an attack suffered by the Bank of Chile on May 25, which was not reported until last week. Hackers infiltrated the bank’s IT systems with highly contagious malware that wiped hard drives and crashed branch and telephone banking systems across the country. But the virus was merely an elaborate distraction.
While the bank’s staff tried to stop the virus from spreading, by disconnecting 9,000 workstations and stalling certain regular operations, the hackers targeted vulnerabilities within the bank’s connections to SWIFT. “Our analysis indicates that the attack was used only as a distraction,” Japanese cyber security firm Trend Micro reports. “The end goal was to access the systems connected to the bank’s local Swift network.”
Eduardo Ebensperger, a Banco de Chile representative, confirmed those suspicions, stating that four fraudulent transactions were carried out before the bank was able to stop further transfers. “We found some strange transactions in the Swift system,” he says. “That’s when we realized that the virus was not necessarily the underlying issue.”
Latin America is increasingly becoming a major focal point — and operational base — for cyber criminals. Brazil is now among the top five countries where cyber attacks originate.
One possible reason for the recent surge in bank hacks is the lack of cyber-security investment, personnel and infrastructure at Latin American banks. “There was a lot of ignorance,” says Federico De Noriega, a partner in the finance group at Hogan Lovells in Mexico City. “That tells you people aren’t aware of this risk, or they’re not taking it seriously. I think they’ll start taking it more seriously now.”
Another problem is the potential risk of insider involvement, whether at the central bank or the respective banks that are being targeted. The hackers that recently swiped millions from Mexican banks probably had access to the passwords to authentication tokens for accounts. That would suggest insiders at the respective banks may have helped them infiltrate their systems.
It is the banks who will ultimately foot the bill for any money lost in a cyber attack, according to the Bank of Mexico. As such, they have a clear incentive to get their act together, by identifying and addressing security gaps, installing more secure infrastructure, restricting access to mission-critical data, sharing information with other banks, and creating a proactive incident response strategy.
But even if they do all that, it remains to be seen whether they can catch up with today’s increasingly sophisticated, well-resourced, highly globalized breed of bank robber.

By Don Quijones.