Rumors and denials proliferate, as millions of pesos disappear.

By Don Quijones, Spain, UK, & Mexico, editor at WOLF STREET.

On Sunday it was the turn of Mexico’s second biggest lender, Citibanamex, to be the target of customers’ ire after suffering a system failure that made it impossible for customers to withdraw money from ATMs, pay with their credit or debit cards, or access their online accounts. The incident is estimated to have affected roughly 4.3 million people. On Sunday, night the bank, which is majority owned by Citigroup, announced that the problems had been resolved.

But by Monday morning, a whole new problem had arisen. Customers of Mexico’s biggest bank, BBVA Bancomer, owned by Spanish banking group BBVA, had begun reporting problems accessing the bank’s mobile platform. As happened with TSB and Citibanamex, the problems became apparent first on social media. The bank responded to customer complaints on twitter and Facebook by urging them to restart their devices, switch to the 24 hour clock and reinstall the app. It’s not clear whether that is working.

These latest incidents have raised serious questions about the security of Mexico’s banking system — something we warned about at the beginning of April.

At the end of April a number of financial institutions reported suffering a cyber attack via Bank of Mexico’s SPEI interbank transfer system, a version of . Lorena Martínez, the director of Bank of Mexico’s payment systems, denied rumours that SPEI had been breached. “That has not happened,” she said, adding that the problem was detected in the internet application used by some institutions to connect to the central payment system.

While Bank of Mexico (or Banxico for short) admitted there had been a hack, it denied that any money had been taken. Now, weeks later, sources close to the government investigation claim that cyber thieves had in actual fact siphoned off hundreds of millions of pesos by creating hundreds of phantom orders that wired funds to fake accounts at different five banks, including Mexico’s third largest, Banorte. Accomplices then emptied the fake accounts in cash withdrawals from dozens of branch offices.

According to the official narrative, which keeps changing, the transfers hit accounts of financial institutions in the central bank. If true, it means that no clients have so far been affected.

Nonetheless, to avoid any further problems the five affected banks were instructed to migrate onto a backup connection system, which is a lot slower than the one usually used to connect to SPEI. According to Banxico, over 15 more financial entities have since done the same. “We now have more than 20 banks,” said Martínez. “The contingency system is operated by Bank of Mexico and it provides a secure connection to SPEI, but it processes electronic payments more slowly.”

The central bank is using a team of forensic analysts to try to determine the origin of the alleged cyber attacks. The team, which is working with the affected financial institutions, could take up to two weeks to produce any results, according to Martínez. Until then, the banks that share these providers will continue to use the much slower contingency system.

That, in itself, could be a source of problems. Two days before its own payment system went down, Citibanomex complained about the slowness of inter-bank transfers. “There have been delays in certain inter-bank payments sent or received by our customers,” said the bank. But the bank claims its problems on Sunday had nothing to do with the inter-bank payment system, but were instead a result of “internal hardware issues” — a version of events that was hurriedly corroborated by Mexico’s market regulator, the CNMV.

In recent years Mexico has become a haven for cyber crime — enough to earn it ninth place on PriceWaterhousecooper’s latest list of “economic crime” hot spots. In 2017 it is estimated to have lost $7.7 billion as a result of cyber crime, up from $5.5 billion in 2016, placing it fifth at a global level, behind China, Brazil, the United States and India.

Cyber theft in Mexico is not just the preserve of isolated basement-dwelling hackers but is dominated by highly professional, well-resourced criminal organizations. According to Sebastian Brenner, a security strategist for Symantec Latin America, these are “very well structured groups, with experts for every stage of the process: infiltration, capture, commercialization.”

Some of these organizations may well have the financial means and expertise to pull off a cyber attack targeting the Bank of Mexico’s inter-bank payment system. The hackers may have received assistance inside bank branches, since such big cash withdrawals are uncommon, according to one source. In January this year hackers also attempted to rob the government-run export bank Bancomext, but officials said they failed.

This time, they seem to have enjoyed more success. In doing so, they have raised serious questions about the security of Mexico’s banking system, at a time of acute political instability and economic uncertainty. Fears of capital flight are already on the rise.

The irony is that 2018 was supposed to be the year that banks in Mexico would become more secure by collecting and storing biometric data (finger prints and iris scans) on all of their customers, despite the obvious difficulties they would have protecting that data from cyber criminals. Now, it seems they’re having enough difficulty just protecting their own money. By Don Quijones.

A question of lives and money. Read…  Mexican Consumers Demand End to Made-in-Mexico Death-Trap Vehicles 
 

Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.