Mexico Tells Banks to Take Steps to Guard Against Suspected Hack

(Bloomberg) -- Mexico’s monetary authority asked about a dozen banks to take emergency measures to shore up the country’s electronic payment network after a suspected cyber attack disrupted some transfers last week.

The lenders have been instructed to connect to the system via a backup method that’s seen as less vulnerable to outside intrusions, but has never before been so heavily utilized. The three banks believed to have been targeted in the attack were also ordered to hire external consultants to investigate what exactly caused the issue, according to the central bank.

“One thing we’re certain of is that the system’s infrastructure has not been compromised,” said Lorenza Martinez, the head of operations at Banco de Mexico. “The main question is -- what was the origin of the problem.”

Consumers could see a slowdown in transfers this week, especially on Monday, which is a pay day for many Mexican employers, according to officials at Grupo Financiero Banorte, which confirmed it is using the alternate connection system. The lender, as well as Banco del Bajio SA and Banco del Ejercito, were the firms that were directly targeted last week in the suspected cyber attack, according to people familiar with the matter. The central bank said it’s too early to tell whether the problems were a result of a malicious hack.

Cyber attacks targeting banks appear to be happening with more frequency in Mexico, said one of the people, who asked not to be identified without authorization to speak publicly. A spokeswoman for Mexico’s banking association, known as the ABM, declined to comment.

No deposits have been compromised in the incident and all the money in the system has been accounted for, the central bank said in a statement Friday evening.

Banorte, which handles the most payroll deposits after BBVA Bancomer, had its connection to the transfer system interrupted a little before 6 p.m. Thursday evening and problems continued for most of Friday, according to data from Mexico’s central bank. Banjercito lost connection Tuesday morning and disruptions continued through Friday. BanBajio saw temporary connection disruptions Thursday that extended into Friday.

Other banks, while not directly targeted in the apparent attacks, also suffered from the fallout. Corp. Actinver’s transfers were interrupted Thursday and Friday, while the local unit of JPMorgan Chase & Co., Mexico development bank Banobras and Banco Base also experienced minor outages last week, the data show.

The payment system, known as the SPEI, was established in 2004 and lets users electronically transfer money between deposit accounts through a private, encrypted network operated by Mexico’s central bank.

“Payment systems around the world are easy targets for hackers because they’ve been around a long time and typically lack the security measures that today’s world needs,” said Eldon Sprickerhoff, founder of eSentire, a cybersecurity firm based in Canada.

Worldwide, a string of attacks on banks’ connection to the Swift network -- the global equivalent of the SPEI -- has prompted the 12,000-member group to enact new security measures. The most famous of those attacks came in 2016 when criminals initially siphoned off more than $100 million from the central bank of Bangladesh (a portion was later recovered). In January, hackers attempted to steal money from Mexico’s Bancomext, the government-owned export bank, by attacking its Swift connection, causing the lender to temporarily suspend operations in its international payment platform. While the cases involved breaches at firms -- not the network itself -- Swift set out to ensure members were taking necessary steps to protect confidence in a global system that moves roughly $5 trillion daily.

Banxico doesn’t have any reason to believe the current issues with domestic payment transfers are related to the attempted heist of Bancomext funds in January, Martinez said.

About 10 percent of the global network’s members had failed to comply with the new measures -- such as improving passwords and adopting multi-step authentication -- by the end of December, highlighting the lack of resources at small institutions dedicated to cyber defense as well as the inadequate attention paid by regulators in some emerging markets.

“It’s very hard to implement fixes and upgrades to payments systems because they’re being used constantly, with millions of transactions taking place every day,” Sprickerhoff said.

Banco de Mexico alerted the public to the dangers of cyber attacks in a report in October, saying that regulators have acknowledged the possibility that these could include systemic attacks on financial systems. In the report, the central bank played up the importance of the authorities in preserving the stability of financial systems when faced with such attacks.

The central bank held a conference call Saturday afternoon with Mexican banks to discuss the cyber attacks, one person familiar with the matter said.

©2018 Bloomberg L.P.