In the last five years, cybercriminals have found a way effective, accelerated, and cost-effective way to get large amounts of money attacking the financial sector in Latin America, including Mexico, even when it comes to running more complex attacks that require more time.
"Payment systems in Latin America and Mexico have become the new target of the intruders to see that it is really easy to make fraudulent transactions derived from exploiting vulnerabilities in a web service," said Miguel Ángel Mendoza, a security researcher. of the ESET Latin America laboratory, in an interview for El Financiero.
After eight years of attempts, cybercriminals & # 39; reached the nail through the vector of attack called exploit of vulnerabilities, with which they succeeded in taking advantage of the failures in financial sector systems, such as the violations registered in relation to the Interbank Electronic Payment System (SPEI) in Mexico, carried out by groups with the characteristics of Persistent Advanced Threat (APT) Spanish). English)
El Financiero published on May 14 that during the attacks in April there would have been a robbery of around 400 million pesos, of which Banorte was the most affected bank, with a value of 150 million pesos.
"We have seen that cybeques are currently targeted and focused on extracting money. These are complex methods that get higher numbers faster than if they were done with phishing campaigns or Denial of Service (DoS) techniques (other types of attack), since the results would be slower and lower, "explained the expert.
In 2018, 92% of banking institutions in Latin America suffered cyber attacks, according to data from the Organization of American States (OAS). Mexico, Uruguay, Chile and Ecuador are among the most affected countries before this type of violations. The total number of losses in the region is unknown.
In the case of Mexico, although SPEI has not been directly violated, cyber attackers have damaged the infrastructure through which banks connect to the web system.
"This does not mean that it will always be so, probably later they may find a way to do it. So far deficiencies have been identified in how operations are performed, whether by the institution's own process, in technological infrastructure or through an attack on the supply chain of the service provider, "explained the researcher.
An unappealable reality, according to ESET studies, is that vulnerabilities have become one of the main access ports for cybercriminals, who know that the The risk of being arrested in the region is very low.
In 2017, 14,700 vulnerabilities were recorded, representing a record high in the region and double that of 2016, according to CVE details.
Hand in hand with this report, the attacks on banking infrastructure are emerging as a trend that will increase with more sophisticated modes of action, according to estimates from the World Economic Forum.
Because? Basically Mexico and the rest of Latin America are unprotected both in terms of legislation and cybersecurity in different digital sectors.
Therefore, it is necessary that within the digital governance in the region be proposed:
An effective legislative framework to cover theand, in turn, the banks are protected significant budgets in cybersecurity, physical security, operation, and trust controls.
"Specifically, standardization is necessary to achieve the same level of security in Web infrastructure, processes and operations through Cyber Security Centers and highly trained incident response teams," Mendoza said.
The record of these incidents in Europe has been falling since the implementation of its General Regulation on Data Protection (GDPR).
"When this law was launched, everyone was forced to create tools and change their privacy notices, incorporating measures that required full compliance." A GDPR is needed in Mexico so every bank knows how to respond.
Cybertacks that seemed extraordinary have become commonplace and already represent one of the three biggest risks to the global economy, then they should be a top priority on the agenda of governments and banking institutions.