These Incidents Raise New Questions about the Security & Operability of the Banking System in Mexico
For now, it’s deny, deny, deny.
By Nick Corbishley, for WOLF STREET:
For seven hours on Friday, three of Mexico’s four biggest banks, BBVA, Citibanamex and Banorte, suffered payment system failures at exactly the same time, leaving millions of consumers unable to withdraw money from ATMs, make payments with their credit or debit cards, or access their online and mobile accounts.
From noon, many of the banks’ customers vented their anger on social media, complaining that they could not carry out transactions of any kind, whether in physical cash (because there was no way of withdrawing money), with their cards or on mobile platforms. While the mayhem caused by the outage may have been short-lived, the timing could not have been worse, coming on the Friday of the second quincena (fortnight) of the month, when most of the country’s workers get paid and huge amounts of money are spent.
Rumors quickly spread that the outage was the result of problems with the Bank of Mexico’s SPEI interbank transfer system, an iteration of the SWIFT global payment system that already suffered a series of cyber attacks last year. BBVA, Mexico’s biggest bank, even said that its system had been disconnected from SPEI for 33 minutes, resulting in a massive pileup of interbank transfers.
The Bank of Mexico — Banxico for short — was quick to quash the rumors, insisting that SPEI was in perfect working order and that any problems that had occurred processing bank payments and transfers were the result of internal issues within the three banks. It was a bizarre claim, given that the chances of Mexico’s three biggest banks suffering virtually identical payment outages at virtually exactly the same time are minuscule.
Stranger still is the fact that this was not the first time in the month of August that Mexico’s financial system had suffered a widespread payment outage. On Saturday August 10, a systems failure at one of the main data centers run by Prosa, Latin America’s largest electronic payments company, left millions of bank customers stranded, unable to make payments or withdraw cash with their debit or credit cards. Many banks’ online payment systems also crashed.
These two incidents, less than three weeks apart, raise fresh questions about the operability and security of Mexico’s banking system — something WOLF STREET has been warning about since April last year when a number of financial institutions reported suffering a massive cyber attack via Bank of Mexico’s SPEI system.
As now, the central bank first denied the rumors that SPEI had been breached. Then, weeks later, it admitted there had been a hack, but it denied that any money had been taken. Finally, over a month after the fact, it conceded that cyber thieves had siphoned off $15 million by creating hundreds of phantom orders that wired funds to fake accounts at five different banks. Accomplices then emptied the fake accounts in cash withdrawals from dozens of branch offices.
An even more audacious plan to steal $110 million was reportedly foiled by a vigilant employee at state-owned lender Bancomext who managed to halt the transfer before it arrived at its destination. It would have been the world’s biggest virtual bank heist.
The latest incidents raise fresh doubts about whether Banxico and the banks it serves are doing enough to keep Mexico’s payments system and customer data secure. A scathing new report by the Organization of American States (OAS) says that banks in Mexico are not even mandated by law to inform customers when a data breach has happened. In the event of a cyber attack, the only obligation banks have is to report the details to Mexico’s market regulators and Banxico, which can choose whether or not to inform the public.
Only four out of ten banks and financial institutions have plans in place to inform customers when their personal information has been compromised, according to the OAS report. “This seems absurd, since there is nothing that protects users or requires that they’re informed (of a data breach or cyber attack),” says Mario Di Costanzo, a financial analyst and former head of the National Commission for the Protection and Defense of Financial Service Users.
For the moment, there’s no way of knowing the exact cause of the latest outage. Neither the banks implicated — BBVA, Banorte and Citibanamex — nor Banxico appear to be taking responsibility. None of the banks have admitted being targeted by hackers. But of course, they don’t have to.
Another possible explanation is that it was a planned event, as part of the final touches being applied to a landmark QR-code and NFC (near-field communication) powered CoDi payment platform set to be launched later this month.
Years in the making, CoDi forms part of a coordinated effort aimed at reducing the size of Mexico’s informal economy, cracking down on money laundering and tax evasion, and gradually transitioning the country toward a cashless economy. As part of this effort, the government is even mulling placing a sweeping ban on the use of cash for tolls and gasoline, which is strongly supported by the country’s banks as well as the payment card companies and fintech firms that stand to benefit.
Given the vast size of Mexico’s cash economy, it’s a hugely ambitious undertaking. And given Mexico’s status as a haven for the black market of stolen personal data of all kinds, the apparent vulnerabilities that still exist within Mexico’s payments system as well as the glaring lack of transparency and accountability of the country’s banks, it is also rife with risks.