Mexican cybersecurity experts and bank customers are rethinking how to keep bank security airtight, especially after a 2018 cyberattack cost Mexican banks $20 million, Wired says.
The attack, which took place a little over a year ago, was possible due to “security holes in the targeted bank systems,” “sloppy and insecure network architecture within the Mexican financial system,” and “security oversights in SPEI, Mexico’s domestic money transfer platform run by central bank Banco de México, also known as Banxico.” The attackers were thought to have been working for the North Korean state-sponsored group Lazarus, Wired says.
While it’s unclear exactly how the hackers broke into the banks’ networks, speculation suggests that the attackers might have accessed internal servers from the public internet, conducted phishing attacks on employees, compromised employee credentials, or used other methods. Wired also says that the SPEI app had “bugs and lacked validation checks,” which made it easy to breach and even “slip bogus transactions through.”
Wired says that attackers may have even gotten in because “the networks also weren’t well segmented, meaning intruders could use that initial access to penetrate deep into banks’ connections to SPEI and, eventually, SPEI’s transaction servers, or even its underlying code base.” This suggestion is especially problematic because attackers may have been able to access, track, and manipulate customers’ data.
Takeaways from decision makers:
While this particular breach cost Banxico millions and millions of dollars, it served as a wake-up call for its cybersecurity personnel. Since the attack, Banxico has tightened its policies and controls around fund transfers, and established “minimum cybersecurity standards for Mexican banks that link their systems to SPEI,” Wired says.
Plus, Mexican banking institutions are talking to each other now, and sharing knowledge about these types of breaches to prevent future attacks. “The main problem on cybersecurity is that we don’t share knowledge and information or talk about attacks enough. People don’t want to make details about incidents public,” penetration tester and security advisor Josu Loza, who was an incident responder in the wake of these attacks, said at the recent RSA Security Conference.
However, Loza encourages decision makers in the banking space to share information with each other and invest in cyber defense and “network hygiene” to prevent the next slew of attacks, which are inevitable. “[T]he most important thing is the change of mind that makes business users want to pay for better security,” he said.