Despite Wave of Cyber Attacks, Banks in Mexico Double Down on Biometric Tracking of Customers

For hackers, biometric data is the Holy Grail. 

By Don Quijones, Spain, UK, & Mexico, editor at WOLF STREET.

In a move fraught with risk, Mexico, a country that has become a haven for the black market of stolen personal data of all kinds, is about to build a big biometric database to be used not just for the benefit of government institutions but also for the nation’s banks.

Last year a law was passed that gave Mexican banks until the end of August 2018 to collect biometric data (fingerprints and iris scans) on all their customers. Foreign-owned subsidiaries of global banks like Citi and BBVA were thrilled with the initiative, arguing that it would help them combat identity theft. It could also help lenders fulfill their “know your client” (KYC) anti-money laundering checks, at much lower cost.

The ultimate goal is to develop a unique identification system that will work alongside the government’s national ID scheme, which is apparently in the final stages of development. But Mexico’s banks — in particular the smaller ones — struggle to develop the infrastructure needed to comply with the new rules by the end of August.

So in the past week, the banks were granted a nine-month extension to harvest their customers’ biometric data — and not just their fingerprints and iris features. The lenders will now also be collecting their customers’ facial and voice characteristics, all of which will be stored on a super-secure, highly centralized platform that no hacker, no matter how skilled, resourceful or Russian, will be able to penetrate. At least that’s the plan.

But what happens if the database on which all this data is stored is itself not secure? Mexico has hardly proven itself to be a safe place for valuable data. Last year it won ninth place on PricewaterhouseCoopers’ list of global “economic crime” hot spots. The country’s banks cannot even keep their own payment systems secure, let alone a centralized database full of priceless information on their customers.

In the last two months hackers have made off with around 400 million pesos ($20 million) from three Mexican financial institutions, including one of its biggest banks, Banorte. First they targeted vulnerabilities in the banks’ connections to the country’s domestic payment transfer system, known as SPEI. Then they removed the funds by creating hundreds of phantom orders that wired funds to fake accounts across a number of banks.

This happened just months after a group of cyber criminals came close to stealing $110 million from Bancomext, a state-owned trade bank. It would have been the world’s biggest ever virtual bank heist.

Part of the problem in Mexico is the widespread impunity cyber criminals enjoy, owing to the absence of adequate legal tools and the lack of enforcement of the existing laws. Cyber theft in Mexico is dominated by professional, well-funded criminal organizations. In nine months’ time, those organizations could have the chance to get their hands on the most personal data of all: the biometric identifiers of tens of millions of Mexican bank customers.

If that data is hacked, there is no way of undoing the damage. You cannot change your iris like you can change your password.

As recent data leaks have shown, most databases in general remain incredibly porous, even in countries with far more advanced cyber security systems than Mexico — as demonstrated by the Equifax hack in the US. Yet these biometric technologies are being rolled out with dizzying haste by banks and other financial institutions.

Last year Mastercard set a deadline of April 2019 for the blanket use of biometric identification for its services across the whole of the EU. UK global bank Standard Chartered has begun rolling out fingerprint and other biometric technologies across 15 of the 31 African and Asian markets in which it operates, as part of a $1.5 billion technology investment package. According to Standard Chartered, it is the largest deployment of any form of fingerprint biometric technology by any international bank.

Passports around the globe have had biometric features for years, as have other forms of IDs, including many driver’s licenses in the US. In India, over a billion people have been enrolled in Aadhaar, India’s biometric ID system. In China, biometric systems are now so advanced and so widespread that they’re used for surveillance of people on the street. People now sign into their smartphones with biometric data.

In Mexico, as elsewhere, there’s been no public debate about the potential implications of harvesting biometric data on such a large scale, including the fact that use of data about body parts is largely unregulated, and many companies want to keep it that way.

With biometric passports, people have a choice: no passport, no international travel. Mexican bank customers will probably be granted a similar ultimatum: either comply with your bank’s requests for your biometric data, or risk losing access to banking services. A recent headline in the Mexican financial daily El Financiero sums up the attitude perfectly: “Bid farewell to PINs, the banks will have your complete biometric data”. All that was missing was a little tag at the end with the words “whether you like it or not.”


  12 comments for “Despite Wave of Cyber Attacks, Banks in Mexico Double Down on Biometric Tracking of Customers”

  1. peter says:

    Perfect way to make more people go back to cash really!

  2. Jon says:


    We’re going to get a bigger mattress, right?

  3. Paulo says:

    My Credit Union asked me last year if they could have my picture on file to bring up for wicket transactions. No problem; no iris scans, no fingerprints, just a hi Paul, what do you need today? Coincidentally, I only use the front counter for getting larger sums of cash that the machine can’t give out within 24 hours. I give them my number (one of the oldtimer numbers) and up it comes. The cash is for my cash using lifestyle.

    Actual account banking we do online from rural home. Iris scans and finger prints are just too intrusive and totally unnecessary. Thinking back to some of the army roadblocks I have seen down in Mexico over the years, I suspect the purpose is more about control and submission than customer service.

    Ya think? :-) Maybe the new guy will put an end to it.

    • Bookdoc says:

      I agree 100%-the government of Mexico is so corrupt, ANYTHING that a criminal can do they will do. The officials are chosen by nepotism and bribes and they all want to make money from their position. Nothing happens in Mexico without some sort of bribe. I lived there as a teen and worked there in the 80s/90s. My sister lived there until recently as the security was so bad she didn’t leave the house without an armed guard.
      If Mexico is collecting data, I feel its primary purpose will be subjugation of the populace!

      • Ambrose Bierce says:

        Mexico is the least subjugated nation in N.A. Due to geographic difficulties during the conquest by Spain there are still some places where Spanish is not spoken and with the various dialects there is no universal form of Spanish. When you say criminal you aren’t referring to the general form of lawlessness, but organized crime, which provides employment. The majority of Mexicans are hard working, honest, Catholic people.

  4. Jack says:

    It’s most likely about control and submission, Phase 1. Phase 2 will be RFID implanted on your body for the purpose of complete control. Once complete control is achieved the New World Order agenda will have been achieved.

  5. easy to fake a fingerprint, and they’re left everywhere by everyone

  6. raxadian says:

    Well, good news for the thieves I guess?

  7. Emanon says:

    I had a job that required a security clearance back in the 1990s.

    Over a decade later, the OPM had a massive hacking breach of security.

    The Chinese most likely have my fingerprints on file now. It’s also likely that the hackers sold them off on the black web. That’s 5.6 million sets of prints.

    If the US Government can’t secure the files for people with clearances, does anyone really think that some outsourcing center in Bangalore is going to be a safe guardian of their biometrics?

    Once they are stolen, then they are useless for the rest of your life.

  8. L Lavery says:

    Isn’t the best way to avoid identity theft simply to be anonymous? It works for the hackers. What we really need is some sort of digital cash, a form of money/token that A can send to B without A knowing B nor B knowing A, much like sending e-mail, much like physical cash.

  9. unit472 says:

    I had a housekeeper steal a dozen blank checks from me and on an almost daily basis she forged one to the tune of $2451. Now I almost never write a check anymore. Maybe a couple a year for a transaction that I can’t pay through my bank ‘bill pay’ service or by credit card so I was upset my bank did not notice the ‘unusual activity’ in my account. They did reimburse me but forged checks are a real vulnerability for banks. They really don’t need biometric data to stop this form of fraud. A signature comparison would work as well as using their own algorithms to detect ‘unusual activity’ which seems to cover credit card purchases

  10. Maximus Minimus says:

    Hopefully, Mastercard will enable ApplePay with their card after the biometric ID. It’s beyond ridiculous that credit cards allow contactless payment defeating the security of the pin. Anybody can use it if the card is stolen.
