
Empowering a Partner to protect Mexican Banks from SPEI attacks

  • Olov Renberg

Wired just published an insightful article on the SPEI hack in Mexico. It stems from findings at the RSA conference, a yearly gathering where BehavioSec has shared intelligence for over a decade. As we work with Mexican banks to prevent fraudulent transfers, I thought it worthwhile to re-publish this blog post to show the state of hacking and how systems are working together to prevent fraudulent flows of money.

With the Bangladeshi hack in recent memory, it is now clear to everyone that the SWIFT international interbank payment network is vulnerable to attacks. Recently, fraudsters struck again in Mexico. When signs of unauthorized access in the Mexican version of the interbank transfer network (SPEI) were discovered at a bank, the Mexican Central Bank kept it quiet and regarded it as an isolated incident.

It’s been approximately one month since the latest cyber attack on SPEI, the interbank transfer system of Mexico. Initially, banks reported that no money was stolen, but in fact large sums of money were removed from the Mexican system and then vanished through several coordinated withdrawals. Multiple news agencies report that up to 300 million pesos ($15.4 million USD) have disappeared in this attack.

Now, this wasn’t the first successful large-scale attack on the Mexican banking system; apparently the state-run bank Bancomext was the target of a successful attack earlier this year, losing something like $110 million in the process. All of this suggests that Mexico is a prime target of at least one highly sophisticated group of attackers.

The problem is that Mexico, Bangladesh, Ecuador, and Vietnam are not the only places with highly sophisticated attackers. These kinds of attacks could happen to anyone. So what can we learn from these recent attacks and what can we do to be better prepared?

How can these attacks continue to harm us?

There are a lot of suggestions out there on how to combat fraud, something I’m guilty of contributing to myself. A general consensus is that it is important to stay ahead of the fraudster, typically by keeping systems and software up to date, avoiding overly suspicious emails, and utilizing two-factor authentication when available. Most of us know this, even those not in cyber security, yet fraud losses continue to reach new heights every year. Before attempting to combat fraud, we should discuss how prevalent it is in the first place.

The reason fraud continues rising is twofold. First, we have optimism bias; we simply consider our defenses slightly better than those of our average neighbor and view fraud as one of those things that ‘won’t happen to my instance.’ This mindset prevents us from updating systems when first prompted, lulls us into using the same password on every site, and causes us to ignore better security if it is accompanied by even the slightest perceived inconvenience.

This first reason is reflected in the fact that, at the end of last year, close to 10 percent of the global network’s members failed to manage their security. People failed to adopt stronger passwords and multifactor authentication, for example, which ultimately resulted in fraudsters gaining access.

The second cause of fraud is the fraudsters themselves. Successful fraudsters are way smarter, faster, and more agile than we give them credit for. They have access to the same technological advances as the rest of us and are among the earliest adopters of new tools. Instead of being bogged down with all the requests for information, never-ending proof of value projects, quality assurance, and other stuff technology goes through before public roll-outs, they can adapt and use the newest stuff from day one. With technology sharing being as easy as it is today, where a newfound weakness can be global knowledge within hours of first discovery, the best tools are not limited to governments and state-sponsored actors anymore. Today any tech-savvy person with an internet connection can find and use the same attack methods as the most sophisticated criminal groups out there.

This second driver is why Mexico ended up in the bullseye of the fraudsters to begin with. This specific group probably found an exploit and then searched the world for a possible victim, perhaps the result of something as simple as a bank employee trusting a malicious email link.

With this grim picture painted, what is my perfect solution to stop this? Sadly, there is no single silver bullet.

There might, however, be a combination of bullets that could work…

We have partnered up with Gemalto and are jointly working closely with top banks in Mexico, aiding their fraud teams to impede these malicious intruders. We are already live and protecting millions of Mexican bank users who are conducting billions of transactions across multiple platforms. When fully implemented, we will be able to spot automated usage of intrabank transfers, even at the SPEI login and transfer. By utilizing our joint expertise, we add several new factors of automated authentication, empowering banks to identify the imposters and stop the intrusions before they can harm the bank’s customers.

‘By selecting BehavioSec we made sure we integrated best-in-class Behavioral Biometrics into our Assurance Hub, the Gemalto multi-layer risk and authentication system. The combination of our technologies enables banks and financial institutions to guarantee a frictionless experience to their customers, without compromising on security,’ says Christopher Schenking, Head of Fraud and Risk Solutions at Gemalto.

BehavioSec’s role in this is with our pioneered solution, called Behavioral Biometrics. With Behavioral Biometrics, we can verify that only the intended person has access to the money network. In addition, we also automate identification of fraudsters, finding them faster and more effectively than ever before. We accomplish this by transparently observing the very gestures and human uniqueness that create a swipe or text entry.

Human gestures can be repeated in ways that may look similar to the naked eye. However, when they are measured by a behavioral algorithm, they look entirely distinct. The way people hold, swipe, or type on a screen or keyboard varies greatly between people when you look at the individual factors making up a swipe or a keystroke. The benefit here is that even if a fraudster has access to your username and password, they aren’t likely to know the exact way you type them. Better yet, even if they have seen you type, it’s hardly enough to mimic all aspects of your uniqueness. After all, you have had years, if not several decades, of experience being you, whilst the fraudster has none. Now, consider that Behavioral Biometrics can analyze every session from start to finish, and not just the username + password, continuously profiling behavioral patterns. Our technology immediately detects fraud based on the following principles:

  • Is this person typing as they normally do?
  • Is this person swiping as they normally do?
  • Is this person using their usual device?

With Behavioral Biometrics monitoring how interactions are made, we can keep your accounts more secure than ever before. All of this is monitored throughout the session so that security is an ongoing process, not merely a step up or initial login. In Mexico, it was most likely human elements that led to the loss of millions of dollars due to fraud. At BehavioSec, our multi-layered continuous security system turns the human factor into the strongest link, ensuring that even a simple password can keep an account impenetrable.
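The "is this person typing as they normally do?" check can be illustrated with a small keystroke-timing comparison. This is an added example, not BehavioSec's algorithm: the dwell/flight features, the mean z-score, the 2.0 threshold, all function names and all timing data are assumptions constructed for illustration.

```python
from statistics import mean, stdev

def make_events(keys, dwells, flights):
    """Build (key, press_ms, release_ms) tuples from constructed timings."""
    t, out = 0, []
    for i, key in enumerate(keys):
        out.append((key, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return out

def features(events):
    """Dwell time per key, then flight time between consecutive keys."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Per-feature (mean, stdev) profile from several genuine entries."""
    columns = zip(*(features(s) for s in samples))
    # Floor the deviation at 1 ms so a very consistent typist does not
    # produce a near-zero divisor.
    return [(mean(c), max(stdev(c), 1.0)) for c in columns]

def score(profile, events):
    """Mean absolute z-score against the profile; higher is less like the owner."""
    vec = features(events)
    if len(vec) != len(profile):
        return float("inf")  # not the enrolled text, cannot be compared
    return mean(abs(x - m) / s for x, (m, s) in zip(vec, profile))

def is_owner(profile, events, threshold=2.0):  # threshold is an assumed value
    return score(profile, events) <= threshold

# Constructed sample data: the same four-key secret typed four times by its owner.
KEYS = "pass"
ENROLLMENT = [
    make_events(KEYS, [95, 80, 110, 105], [60, 45, 150]),
    make_events(KEYS, [100, 85, 105, 100], [65, 50, 140]),
    make_events(KEYS, [90, 78, 112, 108], [58, 42, 155]),
    make_events(KEYS, [98, 82, 108, 102], [62, 48, 145]),
]
PROFILE = enroll(ENROLLMENT)
GENUINE = make_events(KEYS, [96, 81, 109, 104], [61, 47, 148])    # owner again
IMPOSTOR = make_events(KEYS, [70, 70, 70, 70], [120, 120, 120])   # same keys, other rhythm

if __name__ == "__main__":
    print("owner:", round(score(PROFILE, GENUINE), 2), is_owner(PROFILE, GENUINE))
    print("other:", round(score(PROFILE, IMPOSTOR), 2), is_owner(PROFILE, IMPOSTOR))
```

Both attempts enter the correct secret; only the timing separates them, which is why the check still works when the password itself has leaked.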

Don’t be left behind; they prey on the weak. Schedule a demo with BehavioSec!