For now, it’s deny, deny, deny.
By Nick Corbishley, for WOLF STREET:
For seven hours on Friday, three of Mexico’s four biggest banks, BBVA, Citibanamex and Banorte, suffered payment system failures at exactly the same time, leaving millions of consumers unable to withdraw money from ATMs, make payments with their credit or debit cards, or access their online and mobile accounts.
From noon, many of the banks’ customers vented their anger on social media, complaining that they could not carry out transactions of any kind, whether in physical cash (because there was no way of withdrawing money), with their cards or on mobile platforms. While the mayhem caused by the outage may have been short lived, the timing could not have been worse, coming on the Friday of the second quinzena (fortnight) of the month, when most of the country’s workers get paid and huge amounts of money are spent.
Rumors quickly spread that the outage was the result of problems with the Bank of Mexico’s SPEI interbank transfer system, an iteration of the SWIFT global payment system that already suffered a series of cyber attacks last year. BBVA, Mexico’s biggest bank, even said that its system had been disconnected from SPEI for 33 minutes, resulting in a massive pile up of interbank transfers.
The Bank of Mexico — Banxico for short — was quick to quash the rumors, insisting that SPEI was in perfect working order and that any problems that had occurred processing bank payments and transfers were the result of internal issues within the three banks. It was a bizarre claim, given that the chances of Mexico’s three biggest banks suffering virtually identical payment outages at virtually exactly the same time are minuscule.
Stranger still is the fact that this was not the first time in the month of August that Mexico’s financial system had suffered a widespread payment outage. On Saturday August 10, a systems failure at one of the main data centers run by Prosa, Latin America’s largest electronic payments company, left millions of bank customers stranded, unable to make payments or withdraw cash with their debit or credit cards. Many banks’ online payment systems also crashed.
These two incidents, less than three weeks apart, raise fresh questions about the operability and security of Mexico’s banking system — something WOLF STREET has been warning about since April last year when a number of financial institutions reported suffering a massive cyber attack via Bank of Mexico’s SPEI system.
As now, the central bank first denied the rumors that SPEI had been breached. Then, weeks later, it admitted there had been a hack, but it denied that any money had been taken. Finally, over a month after the fact, it conceded that cyber thieves had siphoned off $15 million by creating hundreds of phantom orders that wired funds to fake accounts at different five banks. Accomplices then emptied the fake accounts in cash withdrawals from dozens of branch offices.
An even more audacious plan to steal $110 million was reportedly foiled by a vigilant employee at state-owned lender Bancomext who managed to halt the transfer before it arrived at its destination. It would have been the world’s biggest virtual bank heist.
The latest incidents raise fresh doubts about whether Banxico and the banks it serves are doing enough to keep Mexico’s payments system and customer data secure. A scathing new report by the Organization of American States (OAS) says that banks in Mexico are not even mandated by law to inform customers when a data breach has happened. In the event of a cyber attack, the only obligation banks have is to report the details to Mexico’s market regulators and Banxico, which can choose whether or not to inform the public.
Only four out of ten banks and financial institutions have plans in place to inform customers when their personal information has been compromised, according to the OAS report. “This seems absurd, since there is nothing that protects users or requires that they’re informed (of a data breach or cyber attack),” says Mario Di Costanzo, a financial analyst and former head of the National Commission for the Protection and Defense of Financial Service Users.
For the moment, there’s no way of knowing the exact cause of the latest outage. Neither the banks implicated — BBVA, Banorte and Citibanamex — nor Banxico appear to be taking responsibility. None of the banks have admitted being targeted by hackers. But of course, they don’t have to.
Another possible explanation is that it was a planned event, as part of the final touches being applied to a landmark QR-code and NFC (near-field communication) powered CoDi payment platform set to be launched later this month.
Years in the making, CoDi forms part of a coordinated effort aimed at reducing the size of Mexico’s informal economy, cracking down on money laundering and tax evasion, and gradually transitioning the country toward a cashless economy. As part of this effort, the government is even mulling placing a sweeping ban on the use of cash for tolls and gasoline, which is strongly supported by the country’s banks as well as the payment card companies and fintech firms that stand to benefit.
Given the vast size of Mexico’s cash economy, it’s a hugely ambitious undertaking. And given Mexico’s status as a haven for the black market of stolen personal data of all kinds, the apparent vulnerabilities that still exist within Mexico’s payments system as well as the glaring lack of transparency and accountability of the country’s banks, it is also rife with risks. By Nick Corbishley, for WOLF STREET.
“Particularly worrisome” is that this slowdown “has taken place in a context where the US economy is growing above potential.” Read… Bank of Mexico Raises Alarm About Mexico’s Economy
Enjoy reading WOLF STREET and want to support it? You can donate. I appreciate it immensely. Click on the beer and iced-tea mug to find out how:
Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.
In our highly digital age.
Where many folks barely carry any cash and many businesses don’t even accept cash anymore.
What happens when the digital banking systems fail?
I have a feeling we may find out someday. A better question is “how could we stop banks from initiating capital controls” or “bail-ins?”
I get deal because I have cash and the business needs to make mortgage payment
highly discounted of course
I always keep ample cash available every since I heard Mohamed El-Erian recite a story on WSJ video. He said the Friday before Lehman Bros. collapse he called his wife and told her to take the debit card to ATMs and withdraw as much cash as they would permit because he feared the banks would not open on Monday (the day of the collapse, which of course he could not know about in advance.) If a guy like this thinks there is a scenario in this county when banks might not open, he’s got my attention.
We have a friend who runs a small hedge fund in Singapore. She advised my wife to always have cash on hand. We keep about 40k secreted away + fair bit of gold coins.
When the ultimate crash comes this will all of course be worthless, however there may be a short period before things completely unravel where such provisions may keep you alive
FYI – really not a great idea to be talking about how much cash+gold you have on an open internet forum.
Gold is always worth somethin’
Gold is only worth somethin’ if you can find somebody who wants it and has somethin’. It’s just like any other barter good. That’s why money has value.
BTW, the Fed is hoarding cash and price discovery in the bond market has begun.
Bonds are considered liquid collateral and when there is a bond bull, there is a Eurodollar shortage, so you can both make money on the bonds and enjoy the liquidity.
This answers question about why hold bonds, why not just cash?
However, interest rates are now rising. Cash is actually more liquid than bonds–even government bonds are illiquid if there is too big a race to the door.
That race has begun, hence cash hoarding and rise in rates. This how a credit crunch begins.
Ask the good folks in Puerto Rico, the UK, and now Mexico. Although PR seems to have had it the worst.
Places that won’t have this issue are Japan and Germany, where cold hard cash remains dominant.
“many businesses don’t even accept cash anymore.”
Really? Every place that I buy something takes cash. Grocery stores, gas stations, restaurants, retail stores, auto repair shops, doctor’s and dentist’s offices, etc… So I think you mean some places have stopped accepting cash. The majority of businesses in the U.S that deal directly to people still accept cash.
Anecdotally, my wife and I just returned from a camping trip in Northern Wis. In the smallish city nearby, not only did businesses take cash, but there were 2 restaurants that ONLY took cash – signs on the window indicating such. We thought it was interesting. Probably sick and tired of paying the vig the CC companies demand.
Go into that business, take a bite of a packaged sandwich, eat a meal, get a service done and then offer to pay in cash.
“We don’t take cash”
“Oh, then I will just mail you a check then…”
They will take your cash, (unless you have a very honest face.)
Thank You nick
This wouldn’t be the first or the last such breakdown in SWIFT system security,
In 2016 approximately $100 million were stolen from the central bank of Bangladesh via the Fed bank of NY !!
The planned $1billion heist would have passed through!
as the saying goes “ when there is a will …”
You know the drill!!
and as 2 bananas legitimately asks;
“ how are we to carry on when our Electrons run out of puff?!!”
Cashless society is an anathema to all we hold dear, the absolutely most important principle in our life ( Liberty).
Gentlemen! We are under attack to surrender what generations of young men and women fought to preserve.
What are we to do?
Refuse to accept a cashless society that’s what AND get gold and silver in physical form
Last time I was in Mexico I watched with mega interest a cash deposit/exchange. A usual armoured truck showed up escorted by the military in open trucks…all armed with automatic weapons and shotguns. This was in Melaque, Jalisco P. I asked my Father-in-law about it and he remarked they often had bank robberies.
Why would anything change?
Of coures the military also had open road blocks along the highway and searched busses. My brother took a picture and lost his camera for the effort.
I have always found the regular folks extremely hardworking and honest in Mexico. But if a corrupt system continually keeps the majority poor and downtrodden, you are going to have rising crime. As the US upper crust becomes ever more blatantly corrupt, and continues on with the current multi-tiered Justice System where mainly poor and coloured folks go to jail, look no farther than Mexico to understand the future.
Note to self: read some Wells Fargo articles, and Enron. Check out TRump bankrutcies, and re-watch the Godfather this winter.
Trump bankruptcies:
From what I understand, some employees and suppliers got stiffed.
Also, the banks lost a lot, because they stupidly agreed to loan terms with little recourse or collateral. I am sure Trump used negotiations to get these terms and they were all lawyered up- otherwise there would have been expensive lawsuits. That’s the banks’ fault.
You can call it unethical, especially for the employees, etc., but I don’t shed too many tears over big NY banks signing stupid loan notes.
Interestingly, bank loan managers (newly promoted from teller) are rebuked if too few of their loans turn bad. They are told they are missing possible profits by being to conservative in their lending of none of their debtors default. I don’t know how high that goes in the hierarchy, but probably all the way to the top.
Once a upon a time I worked money transfer at major banks, both Swift and Chips. This event stinks to high heaven of an inside job. The fact that multiple banks suffered the exact same failure, points to a known weakness in the system.
If I had to start looking for a culprit, it would be among the programmers that did the last software upgrade. They have inside knowledge of vulnerabilities in the systems. These vulnerabilities may have been mandated from above, so knowing about them doesn’t necessarily help to fix them. Also the people who designed the upgrade would be suspects.
Swift used to be a full recourse system with 3 day settlement. It looks like it is now an instant settlement system, which is the only way the money could have been withdrawn at a teller.
Exactly my thought. I would also include the lowly QA.
Fed Reserve announced last month that they too are now working on instant payment system. Massive demand from the banks to do so.
This event in Mexico is a warning flag against such a system, at least for larger payments (or large numbers of smaller payments by the same actors).
I think your right, just like with the Pemex gas lines it’s probably an inside job.
The cartels can be quite convincing when they want something. From the employee’s perspective, there is more to fear from saying no than yes to a job like that. Reporting any untoward request would be even more dangerous.
There are a lot of movies about combatting the crime families in the US … The FBI had to take a lot of liberties in fighting them, and it took decades before significant progress was made. In Mexico it would be much more difficult, as they just don’t engender the same level of trust in their system.
That being said, I still travel to see friends in Mexico … Cartels typically don’t do things that create a lot of political heat for small amounts of money, like blindly attacking tourists. Robbing the central bank or a large government agency is more up their alley – much more profitable without getting much public anger or political risk.
I’ve visited my friends in Ensenada many times over the years and never had any trouble, but it always helps to be polite when visiting a foreign country.
If you read the details of the Bank of Bangladesh attack, it was extremely subtle and sophisticated.
You don’t need an insider at the institution of attack – you only need someone, somewhere with a reasonable knowledge of how the transfer system works and some type of access to the base software.
Bank of Bangladesh – the base of the attack was a 2 byte change to the software.
I’ve abandoned on line financial transactions and have reverted to paying bills by phone check or paper check and snail mail. There is no security on the internet and banks security procedures are laughable.
They will issue credit cards with your account # but with someone else’s name on the card. Chase issued 8 such cards to parties unknown that I know of only because the cards were mailed to my address.
Capital One sent me a credit card I did not request and SunTrust, to its credit, just blocked my account entirely when they got repeated requests ( from overseas) to issue new cards on my account.
I was told to contact the big three credit reporting agencies to block future attempts to get loans or credit cards in my name which I did but wasn’t it Experian itself that had its ( my ) data hacked? That’s another issue. I don’t recall EVER giving permission to these companies to store my data.
Finally, why in the hell are social security numbers used as ID! They are on every job application, employer, bank account, doctors office etc that you have ever had. I’ve occasionally found them on line on public records that county clerks failed to conceal!
There definitely is security on the internet. If there were not, then the whole thing would have fallen apart long, long ago.
You are under no liability for mistakes and insecurities at credit card companies. The credit card company is the one who is risking their money, not you. Although I suppose it could get annoying to have to deal with those fake cards, it’s not like you are at any risk of losing real money.
What’s the problem with social security numbers as ids? It’s just a number. What are you worried about exactly?
I think you are being overly paranoid. Not using modern money systems is your own choice and you are of course free to do as you like, but I think you are just making your life needlessly more difficult.
I find cash doesn’t need internet security
and my cash is protected by glock
Sounds nice, until the robbers decide to shoot you first rather than guess if you have a gun.
Difficult, life gets difficult if you have no cash and lose your piece of plastic. Not the other way around.
Online banking is handy for monthly payments, but for day to day transactions I prefer a little cash. Sometimes money can be saved if cash is on hand, depending on the goods or services being purchased.
Re “What’s the problem with social security numbers as ids? It’s just a number. What are you worried about exactly?”
Seems grasshopper here has never known any of the millions of victims of identity theft… maybe doesn’t have anything to lose either.
Social Security Number is the Rosetta Stone for identity thieves, at least until we build a better system.
Name, SSN and birthday will let you steal almost anything from anyone.
Don’t use either SSN or birthday online.
I work in the IT field. I have been a Business Systems Analyst for many years and I have always told family and friends that everything in IT is becoming so complex and convoluted that things will start to fail, and quite often, fail quite spectacularly. The height of usuable technology was actually in the 1970’s. We lived in a modern society then, but we were not so tied to electronic media and digital assets. The society was slower, but much more sane. Welcome to the age of insanity.
I work in “the IT field” also. I am a software developer. I don’t know what a “Business Systems Analyst” is though. I have never met one. What do they do exactly?
I completely disagree with your assessment of technology. The “height of technology” is a very broad term and you seem to be making more of a social commentary than a technical one.
I do agree with you that smartphones and tablets are net negative in their affects on social interaction, but the idea that technology from the 1970’s is superior to what we have now in any way is completely ludicrous.
I am still waiting for robot slaves. I don’t think they will happen in my lifetime, or my kids’, or grandkids’ lifetimes, but a thousand years from now, I fully expect the world to be a utopia of leisure where only robot slaves work. And believe me people in that age will not be looking at the 1970’s as “the height of usable technology”!
after 20 years in IT, when companies outsourced their programming, they get what they deserve
FAILED SYSTEMS that crash repeatedly
didn’t happen in our time since we BULLET PROOFED them
run windows and get what you deserve(same for apple)
but hey, mils will gladly watch their iphones instead of actually working and THINKING
Who do you think did the outsourcing? It wasn’t the millennials, who are in fact doing the the vast majority of programming at all the US software companies these days. And the current generation of morons who spend all their time on their phones had its corresponding phone-less generation of morons preceding it. Many of whom gutted the country with their “F*ck you I got mine” mentality.
There is many orders of magnitudes of software doing many orders of magnitudes more things today than there were in the 1970s. I have great respect for the engineers of the 1970s but let’s not pretend like software today isn’t a whole different, much bigger and much more sophisticated ballgame.
I’m curious about when ‘your time’ was though. When was this magic age when computers didn’t crash?
ZeroBrain: I understand your point, and it is certainly true that millenials’ “I got mine jack” mentality is not what got us to where we are today. But to extrapolate that the millenials will not also have their own “I got mine jack” mentality once they get theirs, is, I think, overly optimistic.
As far as I can tell, every generation is equally as wonderful and as terrible as every other.
joe saba:
I agree with you. The important thing to understand is that outsourcing really got going when we started to have lots of executives who majored in French Literature and then got an MBA from Harvard. That is to say, people who are completely ignorant about how software works.
I think things will get worse, not better.
Zantetsu
A business systems analyst is generally defined as someone who knows something about the business system for which he is developing software.
Maybe you’ll meet one someday.
It’s an odd term. I’ve never heard of “developing software” called “analysis” before. It’s not a term that has ever been used in any software company I work for; but I’ve never worked for a bank or financial institution so maybe their terminology is different.
Zantetsu,
The word analyst has been a part of programming since the 70’s: systems analyst, programmer analyst, and business systems analyst which was more of a Wall Street term from the 90’s.
Zantetsu
Don’t know where you have been for the last 30 years. Every software organization I have ever worked for (I am a consultant, so I work with many different orgs) has Business Systems Analysts (sometimes just called Business Analysts). The BSAs/BAs are usually the link between the Business and IT. They are the people who write and document the requirements. The requirements may be one or many forms: Word Docs, Viseo Diagrams, BPWs, Activity Diagrams, and on and on.
40 years ago when computers were just coming in we were told that yes, lots of jobs would be lost but computers were going to free us up for a “utopia of leisure”. They lied then and they are lying now. Leisure is only fun if you have the money to enjoy it. Who is going to give money to all the millions of people who will be put out of work by these “robot slaves”?
I agree that most of the systems in use today were available in the 70-80’s. Much of the utility of those systems is being hidden or deprecated away to keep Silicon Valley afloat. My biggest laugh is the cloud, in the 60’s it was called time sharing.
Careful Petunia, those Amazon/google/apple grifters won’t want anyone figuring out they aren’t the first and only sources of this service. How dare the smaller businesses fend for themselves, and how dare you suggest what they do is possibly someone else’s idea from decades ago only put in a new package.
I hope the next generation has a source of information offered to break them out of the trap, but the phones seem to keep them from looking for an out.
Since we are naming names, let’s add twitter to the list.
Systems don’t fail, people who design systems fail. If a corp’s entire IT is run by H1Bs, it will be garbage. If it’s run by people who actually know what they’re doing, know how to test properly, know how to plan for outages, etc, things work well.
Sadly though, it’s hard to find non-H1B shops anymore.
Saying systems don’t fail, it is always human failure is an explanation that explains nothing. System development of high complexity or leading edge systems development involves risks because there are always constraints of some kind. The better you can assess the risks and mitigate them the more likely you will be successful. Sometimes the best efforts of the best people can fail. I guess if we don’t try hard things we won’t fail.
Staffing an entire IT with H1Bs could be a risk but maybe not if all you needed was competent back-end support. I could see that working. As far as cheap staffing due to H1B abuses go, that is a political problem which Congress has weighed in on in favor of free enterprise, high CEO and executive compensation, shareholder profits above all else and thus the need for perpetually rising quarterly profits. Under those directives, management always loves their employees until that quarterly dip in profits is projected…at which time, of course, managements says they will take a 25% pay cut, cancel all executive stock options, bonuses and miscellaneous perks and promises to be the first employees to be laid off if it comes to that.
Meanwhile…DJIA is up 500 today on news that the recession was and is a figment of the MSM’s imagination.
Exactly what I’ve been saying in my podcast and articles. Someone is listening. 10-year yield bounced 10 basis points. Yup.
Gotta admit, fading the MSM’s market opinion has been a gold mine all year!
It’s almost like the handful of media companies get paid to hype any news that’s the opposite of reality, to panic people into populating the other side of the trade so the scammers can profit. All you need is enough gullible sheeple who still believe the MSM…
Actually that could be a brilliant business model – MSM could book revenue without even having to burden us with advertising! And the hype usually attracts bigger audience for the ads, too.
I think that Wolf should join CNN, since they already got a guy named Wolf, so our Wolf would fit right in. Then hype the scam of the day while secretly telling us insiders that he knows its a scam. Just put a simple code-word into the broadcast, something you don’t normally use, like “plethora”, to indicate when reality is opposite the spin of the day. (I was gonna suggest “Russian puppet” but apparently that one’s been overused already.). When the market zigs we can zag. Wolf gets famous (I mean, famous-er) and we all get rich at the expense of some dumb schlubs! Without even having to work for it! (Except Wolf, but we love him, and did I mention he’s famous-er too?)
What’s not to love?
They’re crazy. The pop is based on the latest announcement of talks with China. THEY have always been open to talks, the only thing that changes is the US mood swings. It’s only been a week since: ‘I hereby order all US cos to leave China.’
So Dow tanks 600.
Big mood swing! ( after howl from virtually all US business and of course Wall Street)
‘China phoned last night and they want to get back to the table’
Wow. China blinked.
Except they didn’t. Within hours the editor of the CCP newspaper tweeted he knew of no high- level contact. Next day the Chinese govt denied it. Now two sources inside the WH have told US reporters the ‘China phoned’ was made up.
It won’t be long before the next mood swing because nothing can change the fundamentals of the US trade deficit with China, which has risen all through the tariff phase. Just wander through the world’s largest retailer, Walmart, and ask what it would take to have that stuff made in the USA. And it looks like it’s easier to find another supplier of soy beans than of 80 dollar (wholesale) 32 inch TVs. (Last US TV, Zenith 1995)
Nick Kelly
Before you blame all things bad on the US, remember China & US had negotiated a deal at the beginning of the trade war, and China reneged on the negotiated deal.
China has abused the commercial relationship with the US for a very long time. Hard to feel bad for the guys who consistently break the rules.
Going cashless should be great. Criminals won’t need a gun and a mask to rob banks anymore. In fact they won’t even need to rob banks. They can just rob the consumer accounts directly. Even the U.S. can’t keep PII safe, there is no way that account info in a cashless society will be safe.
Also, I wonder, in a cashless society, why do you need a bank? Couldn’t you just use a bitcoin type wallet instead?
Yea; Crypto has a spectacular track record of eliminating theft.
LOL. And the first theft occurs at purchase. Ya, it’s a limited edition. So what? Bring out a numbered limited edition of a chain letter.
A way to conduct business? The big claim (I guess, it can be hard to analyse even the claims of the actual advantage let alone their veracity) is that the transaction is anonymous and without trace. In which large legal transaction does the payer not want proof of payment ?
That leaves illegal transactions. The ones I know of were physical not virtual. They were either between trusted parties or along the lines of: ‘I got thee money. You got thee stoff?’
But let’s say we are talking big time, like Silk Road. Is the idea that once an organization comes under Federal investigation, its computers can’t be hacked? Before the order can disappear into the block chain it has to be entered.
PS; with that bit of dialogue, I was just borrowing from Scarface. None of the pot guys I’ve met were Hispanic.
Bitcoin requires a “bank” in that someone has to service your transactions on your behalf since no consumer level device has the storage or bandwidth necessary to hold the ‘global ledger’. So end users end up having to trust a third party for services related to storing and using their ‘money’ anyway.
Bitcoin is a beautiful concept but has fundamental flaws that make its theoretical promises unrealizable in practical reality.
There is far more money laundering and tax evasion and illegal activity in cash based business than in cashless tranfers. Cash is completely fungible and dishonest businesses can cook their books or launder with no oversight.
Sitting in a country that can’t stop robocalls, we really can’t make fun of south of the border. Can anyone imagine things when Artificial Intelligence takes full flight? 5G? In Mexico, I would imagine there are still plenty of people who do not have bank accounts, so that part of the population still feels safe (from the bank cartels anyway).
Being the last customer in line at closing time at Costco in Eureka (HUMBOLDT COUNTY), California, one rainy Monday evening, I watched the cashier and bagger work to count thousands of dollars in cash to put in the old-school pneumatic tube for deposit. I casually asked how much cash Costco-Eureka took in daily and was informed that Costco-Eureka (a SMALL Costco) took in 8 times more cash than ANY OTHER Costco in the whole country.
Why would that be, in HUMBOLDT COUNTY, Emerald Triangle, California?
Bingo. Cash is the lifeblood of illegal businesses and the mob. It’s funny to hear people express concerns about corruption in cashless transfers when the most corrupt societies in the world are those that operate on a cash basis.
ATMs are not part of the cash economy.
Going into a bank and cashing a check or financial instrument and walking out with cash is.
Possession is 9/10s of the law and 100% of the cash economy.