The quality of IT security defences continues to improve dramatically as businesses invest heavily to protect their information assets. Frameworks like the General Data Protection Regulation (GDPR) and PCI DSS have added much-needed compliance pressure to ensure that security remains a primary consideration for businesses.

Cybercrime is still particularly profitable however. Far from stopping crime, these new security measures are simply forcing hackers to adjust their angle of attack.

Mexican banks compromised by a partner

Criminals have come to realise that the chances of breaking through the defense in depth structure (multiple security countermeasures) that protect a bank are incredibly slim. So they have started to look at other connected services which may provide an entry point to the bank’s network.

This was certainly the case for five Mexican banks who lost hundreds of millions of pesos to thieves in May 2018. All of the banks used a particular third party software component for connecting payment systems, and it was here that criminals managed to find a security blind spot.

By exploiting the loophole, thousands of fake electronic money orders were generated, directing cash towards bank accounts controlled by the criminals. They then visited physical bank premises and withdrew the cash.

It is estimated that between 300 and 400 million pesos ($15.4 million USD) were stolen before the hacking was discovered.

An important lesson for banks – and other businesses too

Once the external service was compromised, hackers had direct access to a trusted connection, so all their transactions were treated as legitimate. For the banks involved, this incident represents a serious failure of third party risk management.

The truth is that similar attack mechanisms could be leveraged against any business, not just banks. As organisations adopt more hosted IT services and third party connectors, they too stand a chance of being compromised as hackers target contractors, vendors and even software providers.

Data sharing with trusted partners has become crucial to building effective customer-centric services. This trust must be accompanied by a holistic approach to end-to-end security however.

Financial institutions are required to ensure full PCI DSS compliance of any third party systems connected to their own. The merchant/acquirer may not have control of a these external systems, but they are still responsible for every breach of their own defences.

As a result, merchants and acquirers must carefully assess any credentials put forward by third party service providers before they are connected. They will also need to implement a reporting and information sharing process to address security concerns before they are identified and exploited by criminals.

For those merchants and acquirers who have already connected third party services to their own, an urgent review of security should be undertaken. These tests should not be a one-off exercise either. As PCI DSS best-practice demands, merchants and acquirers must routinely assess their security processes and provisions – including connected third party services. Even if they cannot fix issues that are identified, the merchant/acquirer can raise an urgent request with their provider.

The reason that these attacks via third parties have been so successful is because the risk is quite poorly understood. Advantio’s third party risk assessment methodology is specifically designed to identify potential threats and to better protect your business against hacking. To learn more - or to arrange an audit of third party services - please get in touch.

Marco Borza

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA