
Criminals have advanced knowledge about the operation of the financial system, warns BC

by Andrea

The Central Bank (BC) warned that recent cyber attacks on financial and payment institutions exposed critical flaws in the digital infrastructure of part of the Brazilian financial system.

According to the Financial Stability Report (REF), released this Wednesday (12), the incidents showed that criminal groups have been acting in a coordinated manner, exploiting weaknesses in third-party technology providers and digital integration systems used by banks.

The attacks, which resulted in the diversion of funds from reserve accounts, occurred at institutions connected to the National Financial System Network (RSFN) through Information Technology Service Providers (PSTIs).


The BC stressed that none of its own systems, including Pix, were affected, but that the cases highlight “concrete risks of events materializing with systemic repercussions”.

Control failures

According to the BC, 606 institutions were evaluated — 453 of them stated they had third-party relationship management policies and 319 included the topic in internal audits. The percentage, however, is still considered low given the system’s level of technological dependence.

“The incidents demonstrated weaknesses in essential controls, especially in the risk management of services provided by third parties and in access control practices”, says the report.

The document points out that companies hired to process data and maintain connections with the RSFN can, if breached, compromise several institutions simultaneously.

These attacks, according to the BC, have been conducted by criminal organizations with advanced knowledge of the architecture of the financial system, capable of co-opting employees and installing physical devices to gain improper access to corporate networks.

APIs and the new fraud vector

The BC also identified relevant gaps in the risk management of services provided through APIs (Application Programming Interfaces) — technology used to connect systems and enable models such as Banking as a Service (BaaS).


According to the report, criminals have been using these interfaces to automate fraud, such as mass transfers and dispersal of funds, which makes the money difficult to trace. Furthermore, institutions with deficient customer identification (KYC) processes end up opening accounts that are later used for illicit transactions.

Research carried out by the BC with 440 institutions showed that few implement robust data validation or mechanisms for detecting misuse and manipulation of API behavior.

Technical knowledge

The report highlights that organized groups demonstrate technical mastery over the processes of the National Financial System (SFN), including the institutions’ reserve mechanisms and internal transactions.


This sophistication, according to the BC, requires continuous investments in cyber hygiene, such as access control, multi-factor authentication and periodic review of permissions.

BC actions

In response, the BC has been reinforcing rules for technology providers and limiting the volume of transactions to reduce damage in the event of an attack. The agency has also intensified monitoring of high-impact incidents and is studying new measures to increase the cyber resilience of the financial system.

“The BC continues to respond to relevant cyber incidents that may impact the regular functioning of the national financial system”, concludes the report.
