How hackers stole $20m from Bank of Mexico

Attacks on Bank of Mexico occurred in April 2018 with cash withdrawn from several banks across Mexico

Last May, Mexico's central bank (Bank of Mexico/Banco de México) revealed that hackers siphoned off about $20 million from accounts of five companies through fraudulent transactions.

The attacks happened in April 2018, with some reports claiming that the cash was withdrawn from several banks across Mexico shortly after the hacking group completed hundreds of fake transfers.

Banco de México took some time to acknowledge the cyber-attacks and to provide details about the money stolen by the attackers.

Earlier, in January 2018, the hacking group - thought to be based in North Korea - had tried to steal about $110 million from the Mexican commercial bank Bancomext, but failed to transfer the money to accounts under its control.

Earlier this month, cyber-security expert Josu Loza, who had been investigating these hacking incidents for the past year, presented his findings at the RSA Security conference in San Francisco, California, revealing how weaknesses in the banking system enabled the attackers to execute the heists, both electronically and physically on the ground across Mexico.

According to Loza, as reported by Wired, Mexico's central bank failed to take timely and appropriate measures to protect clients' money.

While the hackers spent months planning those attacks, multiple flaws in the bank's network security, as well as security lapses in SPEI (Mexico's domestic money transfer platform, run by Banco de México), helped the hackers carry them out.

Loza believes the hackers likely used the public internet to gain access to Banco de México's internal servers. They may also have launched phishing attacks on bank employees to gain access to the bank's network.

Loza claims that the network lacked the kind of segmentation and access controls that would have stopped the hackers from gaining, with just a single breach, such extensive access to SPEI's transaction servers or even its code base.

After infiltrating the bank's networks, attackers made a large number of money transfers in smaller amounts, such as $4,000 or $5,000, to dummy accounts under their control.
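The pattern described above, many sub-threshold transfers from one account to freshly created beneficiary accounts in a short burst, is exactly what a transaction-monitoring rule can catch. The following is an added example, not code from the article or from Loza's presentation: it parses a constructed, simplified transfer log (the field layout and the thresholds are assumptions, not SPEI's real format or limits) and flags an originating account that sends at least five small transfers to distinct beneficiaries within a ten-minute window.

```python
"""Flag 'structured' transfer bursts in a transfer log.

Heuristic: one originating account sends many transfers below an
amount threshold to distinct beneficiaries inside a short window.
The log format, account ids and thresholds below are constructed
for this example; they are not SPEI's real format or real limits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ACC-1001 shows a burst of small transfers to
# six different accounts within about a minute; ACC-2002 is a single
# large payment; ACC-3003 makes two small transfers 75 minutes apart.
SAMPLE_LOG = """\
2018-04-24T10:00:01 orig=ACC-1001 dest=ACC-9001 amount=4000.00 status=OK
2018-04-24T10:00:09 orig=ACC-1001 dest=ACC-9002 amount=5000.00 status=OK
2018-04-24T10:00:15 orig=ACC-1001 dest=ACC-9003 amount=4500.00 status=OK
2018-04-24T10:00:22 orig=ACC-1001 dest=ACC-9004 amount=4000.00 status=OK
2018-04-24T10:00:30 orig=ACC-1001 dest=ACC-9005 amount=5000.00 status=OK
2018-04-24T10:01:02 orig=ACC-1001 dest=ACC-9006 amount=4200.00 status=OK
2018-04-24T10:05:00 orig=ACC-2002 dest=ACC-7777 amount=120000.00 status=OK
2018-04-24T11:30:00 orig=ACC-3003 dest=ACC-9100 amount=4000.00 status=OK
2018-04-24T12:45:00 orig=ACC-3003 dest=ACC-9101 amount=4000.00 status=OK
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "orig": fields["orig"],
        "dest": fields["dest"],
        "amount": float(fields["amount"]),
        "status": fields["status"],
    }


def parse_log(text):
    """Parse a whole log, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_structuring(records, max_amount=10000.0,
                     window=timedelta(minutes=10), min_distinct=5):
    """Return one alert per originator whose small, successful transfers
    reach min_distinct different beneficiaries inside any sliding window.

    The reported burst is the largest qualifying window for that originator,
    so the count and total cover the whole run, not just the first hit.
    """
    by_orig = defaultdict(list)
    for rec in records:
        if rec["status"] == "OK" and rec["amount"] <= max_amount:
            by_orig[rec["orig"]].append(rec)

    alerts = []
    for orig, recs in by_orig.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = recs[start:end + 1]
            dests = {r["dest"] for r in burst}
            if len(dests) >= min_distinct and (best is None or len(burst) > len(best)):
                best = burst
        if best is not None:
            alerts.append({
                "orig": orig,
                "count": len(best),
                "distinct_dests": len({r["dest"] for r in best}),
                "total": sum(r["amount"] for r in best),
                "first_ts": best[0]["ts"].isoformat(),
                "last_ts": best[-1]["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_structuring(parse_log(SAMPLE_LOG)):
        print(alert)
```

Only ACC-1001 is flagged: its six transfers are each under the threshold, go to six different accounts, and fall within a single ten-minute window. The lone large payment is ignored by this rule (it would be the job of a separate high-value check), and ACC-3003's two transfers are too few and too far apart. In a real deployment the thresholds would be tuned to the institution's own traffic, and beneficiary age (how recently the destination account was opened) would be a strong extra signal for the dummy-account pattern the article describes.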

The group finally used hundreds of 'cash mules' to withdraw the money from those accounts; each mule would have received about $250 to complete a transaction for the hackers.

Loza says that, while not many attacks are happening today because of the security measures taken by the banks, the most important thing is "the change of mind that makes business users want to pay for better security".

Loza also emphasised the need for the companies to collaborate to share information and better defend against cyber-attacks.