The head of Mexico’s central bank said yesterday that a cyber attack last month cost five financial institutions 300 million pesos (US $15.2 million) due to fraudulent transfers, but didn’t disclose how much of that amount had been withdrawn in cash.
Bank of México (Banxico) Governor Alejandro Díaz de León told a press conference that three banks, a broker and a credit union had been affected by the attack but declined to name them.
He also said that, based on international experience, it would be up to another six months before it could be determined whether there would be a second phase of the same attack. Díaz de León explained that the bank is currently working to remediate the security problems.
He added that sanctions would be imposed on banks if it was shown that they failed to comply with security rules by not having a dedicated server to connect to Banxico’s electronic interbank payment system, known as the SPEI.
“If the [fraudulent] application resided in a non-dedicated server or it functioned [in a way] inferior to the established [norm], it is clear that not only is the [criminal] supplier responsible, but also the participant [the bank],” Díaz de León said.
The head of Banxico’s payment system, Lorenza Martínez, previously explained that the system that connects financial institutions to the SPEI, rather than the SPEI itself, had been compromised.
Díaz de León reiterated that statement and assured reporters that the system, similar to the SWIFT global messaging system, had operated efficiently since its creation.
The first known fraudulent transfer occurred on April 17 but Díaz de León said that the scale of that event did not forewarn of the magnitude of the attack to come.
However, another security breach 10 days later, on April 27, alerted Banxico that something more serious was happening and triggered a larger-scale response. Díaz de León described that attack as a “watershed.”
The bank governor said that Banxico’s investigations so far showed that “the attackers, who sought to compromise the institutions, injected fraudulent payment instructions from nonexistent accounts, affecting the transactional account in the SPEI.”
“The participant [the bank] authenticates and validates the identity of the client [and] verifies that he/she has sufficient funds for the operation. It’s when the bank prepares the instruction for the payment and sends it to the SPEI that the process was compromised,” he explained.
The newspaper El Financiero reported Monday that unnamed sources said the money was quickly withdrawn through cash withdrawals from the phony accounts.
However, according to Banxico, no individual clients were affected.
Despite taking more than two weeks to admit that funds had been stolen, the governor said that cyber security has been a priority for the bank since 2013.
Earlier this week, Banxico said in a statement that it was creating a new cyber security unit that would draw up and distribute security guidelines for Mexico’s banks.
Source: El Economista (sp)