Cyberthieves Hit Mexican Banks & Rail Europe

Experts say these attacks were a combination of social engineering and sophisticated malware.

New cybersecurity attacks in Mexico and Europe could have U.S. implications.

Cybersecurity incidents affecting Mexican banks and Rail Europe, a favorite of American travelers, serve as reminders of the threats to financial institutions and payment infrastructures that could seep into the U.S.

According to reports, hackers were able to tap hundreds of millions of pesos (about $15.4 million) from several Mexican banks, including No. 2 Banorte and others. Alejandro Diaz de Leon, head of Mexico’s central bank, said the attacks resulted in illicit transactions of $18 million to $20 million.

The criminals created fake orders that wired funds to bogus accounts and then immediately withdrew the cash. Banks blocked some of the attempts to fraudulently transfer funds, the sources said.

Diaz de Leon told journalists the attack on the payment system was unprecedented. He said he hoped the measures taken would stop future incidents, but he was not certain that the cyberattacks are over.

The attacks, first noticed in late April, reportedly resemble those waged against the SWIFT interbank messaging system.

During one attack in February 2016, hackers used the SWIFT messaging system of Bangladesh’s central bank to submit 35 payment requests to the Federal Reserve Bank of New York. The New York Fed became suspicious and denied 30 of the requests, but not before the release of $81 million to a foreign exchange broker. A combination of social engineering, malware and insider knowledge led to that compromise.

Jeannie Warner, security manager at San Jose, Calif.-based app-security provider WhiteHat Security, noted that smaller financial institutions and emerging markets have immature security processes and insufficient expertise. “Outsourcing many security checks and tests makes more sense than trying to hire and retain expert security talent. Here in the heart of the Silicon Valley, it is inexcusable not to have default passwords, up-to-date patches, and multi-factor authentication for logins to financial systems. Emerging markets are a softer target, but their money spends just as well to thieves.”

Warner also pointed out that financial regulators may not have paid close attention, and that regulations also fail to spell out how to secure third-party apps and APIs. “Most of the regulations focus on securing networks, with applications left something of a black box. Only PCI DSS calls out specific checks for applications.”

Meanwhile, Rail Europe, a site used by Americans to buy train tickets, revealed a three-month breach of credit and debit card data. The announcement came via a letter filed with the California attorney general, in which the company said hackers placed card-skimming malware on its website between late November 2017 and mid-February 2018. The cyberthieves then snatched card numbers, expiration dates, and card verification codes, everything a fraudster needs to carry out unauthorized purchases. They also stole names, gender, delivery and invoicing addresses, phone numbers, email addresses, and in some cases the usernames and passwords of customers on the website.

Paul Bischoff, privacy advocate with UK-based tech site Comparitech.com, explained that the breach at Rail Europe is disconcerting not only because of the type of data breached, but because of how the thieves accessed the information. “Data breaches typically occur when a hacker gains unauthorized access to a database. In this case, however, the hackers were able to affect the front end of the Rail Europe website with ‘skimming’ malware, meaning customers gave payment and other information directly to the hackers through the website.”

Bischoff warned that affected customers should also look out for targeted phishing scams in the months ahead.

Anthony James, chief marketing officer with San Jose, Calif.-based cloud security firm CipherCloud, noted that POS and retail systems worldwide have been specifically targeted for the past several years. “POS systems are a great place to clandestinely obtain good, clean credit card data, which can be immediately used or sold for high value on the dark web. All it takes is the right software and access through the perimeter to the financial network.”

In addition, James said, “At the point of the transaction, many of the cards use the EMV chip and hence are pretty resilient to fraud. But all these attackers want to do is to intercept the numbers so they can use them in transactions where the chip does not come into play.”