Globalized Digital Bank Robbers Feast on Latin America

A virtual paradise for real bank heists.

By Don Quijones, Spain, UK, & Mexico, editor at WOLF STREET.

The year 2018 is turning out to be a bumper year for the world’s burgeoning ranks of bank hackers. Last week alone, Chile’s second biggest bank, Banco de Chile, reported losing around €10 million in a bank heist targeting the bank’s local SWIFT network. And embattled UK lender TSB admitted that 1,300 customers have been victims of fraud attacks since its botched attempt to upgrade its IT system. That number is likely to continue to rise as the bank struggles to get its act together.

These incidents follow on the heels of a flurry of highly sophisticated bank hacks in Mexico. The first attack took place in early January when hackers tried to steal $110 million from Bancomext, a state-owned trade bank. The plan was to siphon off the money via the bank’s connection to the international Swift payment network, but the virtual heist was detected just in time.

It wasn’t the first time hackers had targeted a bank’s connections to SWIFT, which is used by the global banking industry to shift trillions of dollars each day. In 2015 cyber thieves broke into the system to pilfer $12 million from Ecuador’s Banco del Austro. In 2016, hackers tried, but failed, to snatch $1.1 million from Vietnam’s Tien Phong Commercial Joint Stock Bank. A year later the most audacious cyber attack yet was launched, against the Bangladesh Central Bank. The thieves got away with $81 million.

After that, many banks began tightening the security of their SWIFT messaging networks. But many lenders in Mexico apparently didn’t. Even following the foiled attack in January, Mexico’s central bank failed to warn other Mexican lenders about the raid until late May, by which time hackers had managed to make off with around 400 million pesos ($20 million) from three other Mexican financial institutions.

This time, instead of targeting the SWIFT global payment system, they zeroed in on vulnerabilities in the banks’ connections to the country’s domestic payment transfer system, known as SPEI. The cyber thieves were able to remove the funds by creating hundreds of phantom orders that wired funds to fake accounts across a number of banks, including Mexico’s third largest, Banorte. Accomplices then emptied the fake accounts in cash withdrawals from dozens of branch offices.

The problem became so serious that many of Mexico’s banks were urged to migrate onto a backup connection system, which is a lot slower than the one usually used to connect to SPEI. Days later, Mexico’s second biggest bank, Citibanamex, suffered a day-long system failure that made it impossible for customers to withdraw money from ATMs, pay with their credit or debit cards, or access their online accounts.

The recent hacks in Mexico bear similarities with an attack suffered by the Bank of Chile on May 25, but which was not reported until last week. Hackers infiltrated the bank’s IT systems with highly contagious malware that wiped hard drives and crashed branch and telephone banking systems across the country. But the virus was merely an elaborate distraction.

While the banks’ staff tried to stop the virus from spreading, by disconnecting 9,000 work stations and stalling certain regular operations, the hackers targeted vulnerabilities within the bank’s connections to SWIFT. “Our analysis indicates that the attack was used only as a distraction,” Japanese cyber security firm Trend Micro reports. “The end goal was to access the systems connected to the bank’s local Swift network.”

Eduardo Ebensperger, a Banco de Chile representative, confirmed those suspicions, stating that four fraudulent transactions were carried out before the bank was able to stop further transfers. “We found some strange transactions in the Swift system,” he says. “That’s when we realized that the virus was not necessarily the underlying issue.”

Latin America is increasingly becoming a major focal point — and operational base — for cyber criminals. Brazil is now among the top five countries where cyber attacks originate.

One possible reason for the recent surge in bank hacks is the lack of cyber-security investment, personnel and infrastructure at Latin American banks. “There was a lot of ignorance,” says Federico De Noriega, a partner in the finance group at Hogan Lovells in Mexico City. “That tells you people aren’t aware of this risk, or they’re not taking it seriously. I think they’ll start taking it more seriously now.”

Another problem is the potential risk of insider involvement, whether at the central bank or the respective banks that are being targeted. The hackers that recently swiped millions from Mexican banks probably had access to the passwords to authentication tokens for accounts. That would suggest insiders at the respective banks may have helped them infiltrate their systems.

It is the banks who will ultimately foot the bill for any money lost in a cyber attack, according to the Bank of Mexico. As such, they have a clear incentive to get their act together, by identifying and addressing security gaps, installing more secure infrastructure, restricting access to mission-critical data, sharing information with other banks, and creating a pro-active incident response strategy.

But even if they do all that, it remains to be seen whether they can catch up with today’s increasingly sophisticated, well-resourced, highly globalized breed of bank robber. By Don Quijones.


  23 comments for “Globalized Digital Bank Robbers Feast on Latin America”

  1. Bookdoc says:

    This kind of problem is what makes me leery about cryptocurrencies. They exist online and it looks like anything can be hacked one way or another.

  2. peter says:

    Makes you wonder if the old ways of posting cheques and actually going into a bank in person are, in hindsight, the safest. Back to the future maybe?

    • Jon says:

      Peter, yup, cash is king. Think about how much effort it would take to steal $20 million.

  3. R Davis says:

    Thank you for this article & its forerunner, you are a champion among men.
    Mainstream Media would never have told us if this activity became commonplace.
    Only a miracle from God could help us in a cashless economy.
    Our self-appointed Lords & Masters & their false sense of security will be the end of us – sooner rather than later I fear.

    • MC01 says:

      Indeed, but reporting on cybercrime heists in Latin America would somehow detract from the continuous, and with hindsight hilarious, stream of paid-for shill pieces on why people with no knowledge of local markets nor local connections should pour money into Latin America.
      Of course you can make good money in Latin America, but like all other investments you should first hear about both possibilities and risks, not merely on how much Argentina’s GDP will grow from here to 2020 (the latest hilarious PR piece I read).

      Keep these pieces coming.

  4. Mean Chicken says:

    It’s amazing what can be accomplished with some well written JavaScript files.

  5. Javert Chip says:

    Well ya knew sooner or later even not very bright bad-guys were going to figure out stealing Brazilian and Argentine currency was a bad deal; by the time you filled a semi-truck with bales of bank notes, you discovered the whole truck-load wasn’t worth the gas to drive the whole mess to the dump.

    No wonder citizens do stupid stuff like invest in crypto.

    I just got back from a trip to Papua New Guinea. Some of those incredibly remote islands actually use carved banana leaves and yams as “money”. How long does a carved banana leaf (or yam) last in year-round tropical heat?

  6. Vexser says:

    When you *had* highly skilled staff with lots of specialist internal knowledge that you have suddenly replaced/obsoleted by outsourcing, offshoring or AI-ing, then you have lovingly created an Advanced Persistent Threat for your business. All of this stuff is highly technical and requires intimate insider knowledge of the technology and internal procedures. An outsider cannot hope to get such information which can be practically leveraged in a timely fashion. When CCCP collapsed, all of a sudden there were heaps of state trained experts in computer espionage and nuclear physics without jobs. So the middle east all of a sudden started getting nuclear and the west has been on the receiving end of some very sophisticated (Russian Mafia financed) infrastructure attacks. All corporates need to take heed of this, including IBM who is systematically “obsoleting” very knowledgeable “older” workers who still need to eat. If you think other nation states aren’t monitoring them you are delirious. If your business relies on 3rd party technology and you don’t have in-house expert Gurus who can support and understand it intimately in real-time then you are begging to be “pwned.” Using ignorance as an excuse is simply hysterical.

    • Frederick says:

      Older workers who still need to eat? I’m older and not working and am eating very well because I planned ahead or, as they say, “prepared for a rainy day”. I have little sympathy for anyone who hasn’t done the same.

  7. Maximus Minimus says:

    “Accomplices then emptied the fake accounts in cash withdrawals…”
    What can you do with suitcases of cash other than looking Chinese and buying real estate on the West coast? /sarc
    Large amounts of cash would arouse suspicion almost anywhere, you’ve got to launder it.

    • MC01 says:

      I’ve personally found that few people question the provenance of large amounts of cash, especially when they are at the receiving end of it.
      Pecunia non olet, as Vespasian was wont to say.

      And yes, I know the press likes to report there are all kinds of laws to limit cash payments, withdrawals and deposits, but if you dig under the surface you’ll find that things are much more nuanced than they seem.
      For example, in countries like France and Italy bank directors are the ones tasked with deciding whether to report “suspicious” cash movements to the authorities, and they face no penalties if they never do so.
      Even in countries where banks are under some sort of Orwellian scrutiny there are other, and mostly legal, ways to get around cash controls without arousing any suspicion.

      Latin America, which is well known for the chaotic state of its banking industry and even more chaotic politics, is a place where such cash controls are akin to the infamous “grida”, the draconian laws regularly passed by the Spanish governors of Milan which ended up being unenforced apart from the occasional unlucky scapegoat.

  8. Steve finney says:

    Perhaps it should come as no surprise that something called a net, is actually full of holes.

  9. Gershon says:

    With banks treating non-executive employees as expendable “headcount,” one wonders how many financial institution insiders are being recruited by hackers and organized crime groups.

  10. Petunia says:

    In the last century I worked money transfer at a couple of large NYC banks. This reeks with insider collusion.

    If you look at the Swift info on the net, you will see they only offer real time settlement (immediate) to high profile customers. If you are moving money for regular customers there should be some settlement lag time. In my day it was 3 days, I expect it is shorter now. This would allow for many customers to see their money disappearing and would give them time to file complaints and ask for compensation (return of their money) from the bank.

    In order for the bank to hide a large scale theft for any length of time after a complaint from a customer, there has to be an insider willing to hide the complaint and the request for compensation. Many people may have the authority to do it within the money transfer department or upstairs in the C suite.

    Money erroneously sent can easily be clawed back before settlement or not.

    • raxadian says:

      The problem is that since everything is done digitally, the hackers can fake everything, even being high profile customers. Or if they don’t get that high, just do stuff while nothing seems to be going wrong to the average joe, aka almost everyone who works at a bank.

      Financial institutions of all kinds don’t seem to realise how important keeping everything up to date technologically is nowadays.

      I mean the Equifax breach happened because they did not install an update. And it was on Linux. That was literally just typing a few lines, press enter and let the OS do the rest, then a few lines more, press enter and you are done.

      In Latin America it is just worse because they use older versions of programs and Windows.

      Brazil is slightly less vulnerable because of its state policy to use Linux, but that might change with the current or future president.

      • raxadian says:

        Ooops seems Brazil uses Windows now. Sorry.

      • Petunia says:

        The larger customers may be the hardest to hack because they use highly automated systems which keep track of requests and match up acknowledgements or the lack thereof. These discrepancies are addressed immediately by a human or by their systems.

        Ironically, the smaller customers are the easier targets because they don’t keep close tabs and they transfer money less frequently. Their complaints are also easier to bury.

  11. 4Corners says:

    Comparatively small-time but here’s a case of Latin Americans coming up norte to hack ATMs in the US:
    SALT LAKE COUNTY (News4Utah)- It’s called “jackpotting” and five Venezuelans were arrested after officials say they tried their luck at an ATM in Sandy.
