Hackers Steal Over $15.3 Million From Mexican Banks
Earlier in the week, reports suggested that hackers had targeted Mexico's interbank payment system, stealing over $15 million. The Bank of Mexico in its statement has now confirmed this hack that went on for the past several weeks. Talking to reporters, central bank governor Alejandro Diaz de Leon said that the "approximately 300 million pesos ($15.3 million)" were taken during the heist.
Consumers accounts aren't and were never the target, he confirmed.
In a report earlier this week, Reuters had suggested that criminals managed to take millions of pesos out of 5 Mexican banks by creating "phantom orders that wired funds to bogus accounts and promptly withdrew the money." Several hundreds of false orders were made by thieves to move funds to fake accounts, involving tens of thousands to hundreds of thousands of pesos in each case.
This money was then taken out through cash withdrawals, which has sparked worries if the hackers had inside help since such big cash withdrawals are uncommon and demand approvals.
Possibly a compromise of a third party facilitating software
It remains unclear how the hackers managed to infiltrate the payment system, but the central bank governor called it an "unprecedented" attack on the interbank payment system that allows banks to make real-time transfers between each other. It is being speculated that hackers may have attacked an external provider that facilitates such a connection between banks.
At least five such attacks were recorded. Lorenza Martinez, head of Banxico’s payment system, called it a cyberattack citing evidence that has been collected so far.
Mexico’s SPEI system that is a domestic version of the SWIFT global messaging system - itself having dealt with massive cyberattacks - wasn't targeted. The problem appears to be with the software developed by third-party providers to connect to this payment system that moves trillions of dollars every day.
"There’s no evidence that would allow us to say with certainty that this is over,” Diaz de Leon said. "We’re taking corrective and mitigating action." According to reports, banks have switched to a more secure but slower technology to connect to the payment system. The country also established a one-day waiting period on money transfers of over $2,500.