As Banks Embrace Biometric Tracking of Customers, Cybertheft Explodes in Mexico

With impeccable timing.

By Don Quijones, Spain, UK, & Mexico, editor at WOLF STREET.

Criminal organizations in Mexico have branched out into a lucrative new market and revenue stream: big data. They have developed innovative practices to obtain sensitive user information by lifting data from the databases of government agencies such as Condusef, Consar and Buró de Crédito. They call bank customers and spoof on the caller ID screen the phone number of the bank they claim to represent. To gain the target’s trust, they give the credit card security code to the target and ask if it matches what they see on the back of their card. And it goes from there. Now, they’re about to be gifted an invaluable cache of data: the biometric identifiers of Mexican bank customers.

In recent years, Mexico has become a haven for the black market of stolen personal data of all kinds — enough to earn it ninth place in PriceWaterhousecooper’s latest list of “economic crime” hot spots. According to Symantec, in 2015 Mexico lost 101.4 billion pesos ($6.7 billion at the prevailing exchange rate) in breaches, identity theft, and other unlawful cyber activity per year, about 12 times more than the total annual losses from fraud committed against banks.

A large part of the problem is the widespread impunity cyber criminals enjoy in the country, owing to the absence of adequate legal tools and the lack of enforcement of the existing laws. Cyber theft in Mexico is not just the preserve of isolated hackers but is dominated by highly professional criminal organizations. According to Sebastian Brenner, a security strategist for Symantec Latin America, these are “very well structured groups, with experts for every stage of the process: infiltration, capture, commercialization.”

Now, these criminal organizations are eying the most personal data of all: the biometric identifiers of millions of Mexican bank customers.

This year, banks in Mexico are required to begin collecting biometric data (finger prints and iris scans) on all of their customers. Whenever a customer asks for a new home or car loan, cashes a paycheck, applies for a credit card, or opens a new savings account, the bank will have to request the customer’s digital fingerprints and then match those fingerprints with data against information in the database of the National Electoral Institute.

The law is only in its infancy and it’s highly unlikely that all of Mexico’s banks — in particular the smaller ones — will be able to develop the infrastructure needed to comply with the new rules by the end of this year.

As is the case with biometric programs being tried and tested all over the world right now, from the uncharted backwaters of long-forgotten war zones to the bustling metropolises of the West or East, no one is being consulted along the way.

Biometric identification systems are already encroaching into more and more facets of everyday life. Most national passports these days include biometric data. Driver licenses in the US already have them or soon will. In India, biometric data is starting to underpin everything. Meanwhile, millions — perhaps billions — of people have volunteered their digital fingerprints to log into their smartphones and other digital devices. In other words, people are already giving away their most private data to work, communicate, cross borders, or get on planes.

The government of Mexico is already finalizing its own national ID scheme. According to the former Secretary of Finance and Public Credit, José Antonio Meade, by the summer of 2018 all Mexicans will have a single biometric identification number.

The development of a single biometrics database to be used by banks and government raises serious questions about data privacy and financial security. As recent data leaks have shown, most databases remain incredibly porous, even in countries with far more advanced cyber security systems than Mexico. In Mexico almost one-third of all cyber attacks registered in 2015 targeted government agencies. A further 26% were aimed at private sector institutions, including banks. These are the selfsame organizations that will soon be entrusted to protect tens of millions of Mexicans’ most personal data — the biological traits that make them unique.

“Biometrics are tricky,” says Woodrow Hartzog, an Associate Professor of Law at Samford University. “They can be great because they are really secure. It’s hard to fake someone’s ear, eye, gait, or other things that make an individual uniquely identifiable. But if a biometric is compromised, you’re done. You can’t get another ear.” In other words, if the newly harvested data is hacked by one of Mexico’s burgeoning ranks of cyber criminals, which it almost certainly will be, there is no way of undoing the damage done. By Don Quijones.

The London property market is already in trouble. Read…  UK Vows to Crack Down on Money Laundering: What Will This Do to the Property Bubble?

Enjoy reading WOLF STREET and want to support it? You can donate. I appreciate it immensely. Click on the beer and iced-tea mug to find out how:

Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.

  19 comments for “As Banks Embrace Biometric Tracking of Customers, Cybertheft Explodes in Mexico

  1. ScottS71 says:

    Great article。。 My mind goes straight to hard core criminal activity, like removing an appendage to gain access… I hope it doesnt go this far in Mexico but we have heard about crypto robbers doing similar things..

    • cdr says:

      No, it would be more like creating the equivalent of a burner ear, like a burner cell phone.

      Or, you get into the database, replace the metric for someone’s ear with the burner ear, and then use the burner ear to empty a bank account. If the database is still open, you replace the burner ear with perhaps a burner ass to cover your tracks and laugh about it.

      Of course, you leave fake tracks in the hack to implicate some country that was just standing there, minding its own business.

      • cdr says:

        “Of course, you leave fake tracks in the hack to implicate some country that was just standing there, minding its own business.”

        Any decent hacker could make it look like North Korea or the Chinese did it. But, to really have some fun and incite the CIA beyond apoplexy, why not make it look like North Korea, Russia, and Belgium conspired together to rob Mexican assets using fake biometrics. Then leak it to the NY Times. Good times.

  2. Petunia says:

    With everybody embracing the cloud, distortions will be possible on a massive scale. Never mind changing one person’s data, what happens when millions all have the same fingerprint or iris-print, or conflicting prints over different databases? It’s going to get interesting really fast. Who gets to arbitrate who’s who, and who wins, the guy with the better lawyer? Then there’s gene editing, is it really you after that?

    • Laughing Eagle says:

      Avoid 23andme database.

      • Enrique says:

        23 and me is all kinds of Evil. I think the whole business plan was predicated on selling info obtained therefrom to the insurance industry.

        And when the modelling for setting peoples’ insurance rates is a giant black box to begin with, it takes little imagination to envision one’s DNA (supposed) propensities being used against one.

  3. WT Frogg says:

    Pero Che !!!!! What could possibly go wrong ?? ( sarc on)

    Personally I distrust this new “security” with a passion. IMO it is little more than security “kabuki theater” in pursuit of Orwell’s 1984 .

    My cellphone (fully encrypted btw) has a fingerprint scanner built in which I REFUSE to use because I don’t trust Google’s data security anymore than |I trust my bank’s data security. An 8 digit Pin just to get into the phone + all important apps are LOCKED with a different Pin.

    Your only real solution is to keep a VERY close eye on your data regardless of who has it ( banks, cloud or govt.) If you are not running your data thru a top notch VPN whenever you are online you are tempting fate. HTTPS is not absolute and can be compromised…..just ask the 3 letter agencies.

    • Argus says:

      Soon we will be required to sport the Biblical “mark of the beast” as per Revelations.

      • cdr says:

        No, just in China in a few years, and only if your social score is too low after repeated warnings. It may seem harsh, but would you rather see a billion screaming Chinese each demanding their personal versions of freedom for the first time ever in history? Makes me think of Yellowstone at a bad time.

        From what I have read, the Mexicans could learn a lot from the Chinese about biometrics.

  4. It could be the problem in Mexico is a well capitalized and active criminal underclass, which like the Mafia of old, eventually they want to get into legitimate businesses, or (even) high finance. Fox once promised to legalize drugs, when Bush2 was going to build his wall, because the problem as he saw it was American demand for illegal products. Technology is stripping governments ability to legislate morality, case in point China’s pathetic capital control mechanism, and generally price fixing (tariffs come when the thieves haggle) most notably through interest rate manipulation. There is always the oldest face recognition, you walk into the bank where people know you. Old tech returns at extremes of technological advance, and the most secure way to send a message is to write a letter. Nobody looks at that.

  5. WES says:

    In the good old days you could only scam one victim at a time and it was time consuming. Today the incentive to scam is much greater because for the same effort you get to scam millions at a time.

    In the past risk was spread out over many different locations whereas now risk is concentrated in one location. This has there by increased the risks exponentially!

    People are so caught up in implementing this new technology that they don’t see the big picture harm they are doing to their fellow human beings!

    • intosh says:

      “People are so caught up in implementing this new technology that they don’t see the big picture harm they are doing to their fellow human beings!”

      Even though, this is happening more often with technology, it’s not limited to it. Look at manufacturing outsourcing. The USA have embraced it for decades. It is only recently that the pain became apparent and the public backlash more pronounced. It’s been 10 years of honeymoon with Facebook. It is just now that a portion of the ignorant mass realizes its abuse on personal data (which should have been apparent that it was inevitable, given Facebook’s business model). It’s gonna be the same story with biometrics, AI, “sharing” economy and cash-less economy. The unsuspecting masse is embracing assitant tech (Amazon Alexa and friends) now. The tech will go beyond voice and 24h voice recording (Google Pixel 2 phone is already listen 24/7. Right now, it is to provide the “what song is playing?” feature) to include video. So in a couple of years, the assistant-enabled devices will listen and watch 24/7. The masse will gladly adopt them in the name of convience. And then, in about 10 years time, a portion of that same masse will cry foul on those same technologies.

  6. John says:

    Perhaps its high time to punish the perpetrators when caught. Maybe public hangings would deter future criminals. But then that could never happen right? I have heard that in some places it was advocated that corruption by a politician would result in their hand being amputated. I thought that’d be a great idea, but have yet to see any politicians rail for that to happen. I wonder why….lol

    • JungleJim says:

      The problem is your statement “when caught”. At the rate things are going, getting caught is becoming less and less likely.

      But let’s also not forget that in Europe when pickpockets were publicly hanged, other pickpockets would frequently circulate in the crowd picking pockets.

    • Anon1970 says:

      ” In late April 1945, in the wake of near total defeat, Mussolini and his mistress Clara Petacci attempted to flee to Switzerland, but both were captured by Italian communists and summarily executed by firing squad on 28 April 1945 near Lake Como. His body was then taken to Milan, where it was hung upside down at a service station to publicly confirm his demise. ” – Wikipedia

      The Italians had the right idea.

  7. John says:

    See, that’s the problem Don. The criminals like in your article above, are quite often also politicians. Until people demand real punishment it will never end.

  8. Margaret Bartley says:

    Anyone in the security business will tell you that it’s the insiders who are most likely to make off with the most amount of cash. CCTVs are aimed at the clerks, not the customers. it’s pretty much impossible for a bank teller, a casino card dealer, a parking lot attendant to slip a $20 in their pocket. It’s the managers who are embezzelling.

    Same thing with IT.

    There will be some outsiders who are capable of conducting a phishing operation to gain access to corporate networks, but most of this is being done in cahoots with insiders. It could be insiders at the banks, insiders at the outsourcing companies that write the software, or hold the data, or maintenance companies.

    Having said that, most of the IT work is being done by huge outsourcing firms with millions of employees. These are the Big Boys, owners of which are also the investors in the billion-dollar hedge funds and equity investment funds. They are the ones hiring the lobbyists to write the rules, and enforce the laws.

    Guess how success we will be in trying to dislodge them? About as successful are we are in getting them out of the drug trade, or the illegal weapons trade….

Comments are closed.