TL;DR: Bank attacks in Latin America accelerated during the pandemic, with more than 91 billion attack attempts in the first half of 2021 and multiple incidents affecting online banking, ATMs, and payment systems, according to GlobalSign. The pattern shows how cloud migration, ransomware, and weak banking controls turn operational disruption into customer and reputational damage.
At a glance
What this is: This is a roundup of banking attacks in Latin America that shows how ransomware, malware, and online banking compromise can disrupt financial operations and customer services.
Why it matters: It matters because financial institutions rely on identity, access, and trust controls for customer systems, and these incidents show how failures in authentication and service protection can quickly become business-wide disruptions.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
👉 Read GlobalSign's overview of banking attacks in Latin America
Context
Banking attacks are not only a malware problem. They are a control problem, because financial services depend on authenticated access, network segmentation, certificate trust, and fast containment when adversaries get in. In Latin America, the pandemic accelerated digital banking and cloud adoption, which increased exposure where identity and access controls were already uneven.
The article is fundamentally about how disruption in banking systems translates into financial, operational, and trust loss. For IAM and PAM teams, the identity angle is clear: banking portals, service accounts, certificates, and user authentication flows all sit in the path of impact, especially when attackers can move from one compromised system to another.
Key questions
Q: What fails when a bank relies only on login authentication?
A: Login checks do not stop malware that lives inside the session, watches transactions, or alters activity after the user is already authenticated. Banks need controls that cover the endpoint, the session, and the transfer itself, because compromise often happens after the password has been accepted. That is why transaction monitoring and device integrity matter as much as credentials.
Q: When should financial institutions prioritise segmentation over broader platform consolidation?
A: They should prioritise segmentation whenever payment systems, online banking, and administrative tools share enough trust that one compromise could affect all three. Segmentation limits the blast radius and gives responders room to contain ransomware or operator-led intrusion before the impact reaches customers. In banking, shared convenience often becomes shared exposure.
Q: What do security teams get wrong about certificates in banking environments?
A: They often treat certificates as static infrastructure rather than managed trust identities. In practice, SSL/TLS and S/MIME certificates support authentication, encryption, and service trust, so expired, unmanaged, or duplicated certificates create hidden exposure. Banks should assign lifecycle ownership and track revocation the same way they track privileged accounts.
Q: Who is accountable when ransomware disrupts customer banking services?
A: Accountability sits with the teams that own containment, recovery, identity governance, and service resilience, not just with the SOC. Regulators and auditors will look for evidence that access paths, service identities, and recovery procedures were governed before the incident and executed quickly after it. In banking, resilience is a management obligation, not only a technical one.
Technical breakdown
Ransomware entry into banking environments
Banking ransomware typically begins with an initial foothold through phishing, exposed remote services, or a compromised endpoint that is connected to internal systems. Once inside, operators look for weak segmentation, administrative access paths, and systems that can be reached from the same trust zone as payment or online banking services. In the Banco Pichincha example, the reported use of Cobalt Strike suggests a post-compromise operator toolkit rather than simple file encryption. That matters because the real danger is not just the payload, but the operator's ability to stage access, survey the environment, and decide when to detonate impact.
Practical implication: isolate banking, payments, and administrative zones so one foothold cannot reach systems that control customer-facing services.
Why banking malware targets web sessions and transaction flows
Financial malware often sits between the user and the banking site, watching sessions, altering transactions, or harvesting credentials while leaving the page apparently functional. Trojans like Carioca are built to collect data in real time during normal user activity, which is more valuable than a simple password dump because it captures context, session state, and transaction intent. In banking, that means authentication alone is not enough if the session, browser, or endpoint is already compromised. Controls need to treat the endpoint and the transaction path as part of the trust boundary, not just the login event.
Practical implication: add transaction monitoring and endpoint integrity controls, not just login authentication, for high-risk banking activity.
Certificates, S/MIME, and SSL/TLS as trust controls
The article points to certificates and encrypted email as part of the security stack for financial institutions. That is important because certificates are identities for systems, services, and communication channels, not just technical add-ons. When they are poorly managed, expired, or inconsistently used, attackers gain room to impersonate services or intercept sensitive traffic. In financial environments, certificate trust supports online banking, secure messaging, and API-to-API communication, so certificate lifecycle management becomes part of resilience. This is where identity governance overlaps with cyber resilience: the trust fabric must be managed continuously, not only during deployment.
Practical implication: inventory certificates and enforce lifecycle ownership so banking trust channels do not degrade silently.
Threat narrative
Attacker objective: The attacker objective is to disrupt financial operations, pressure the institution, and create conditions for theft, extortion, or wider compromise.
- Entry occurs through compromised banking infrastructure or malware delivery, giving attackers a foothold in systems that support online banking or internal operations.
- Escalation follows when the operator toolkit, such as Cobalt Strike, is used to extend control, survey the environment, and prepare disruption across multiple banking systems.
- Impact is achieved by encrypting or disabling services, interrupting ATMs, online banking, or payment processing, and forcing operational shutdowns to contain spread.
NHI Mgmt Group analysis
Banking attacks are increasingly an identity and trust problem, not only a malware problem. The article shows that customer impact comes from compromised services, payment channels, and access paths, not just from the payload itself. In banking, identity controls govern who and what can touch transaction systems, so IAM, PAM, and certificate lifecycle management become resilience controls as much as access controls. Practitioners should treat banking trust paths as attack surfaces that need continuous governance.
Cloud migration has expanded the blast radius of banking incidents. The article links digital transformation and cloud dependence to higher threat exposure, which is exactly what we see when trust boundaries become more distributed than the control model that manages them. A cloud-connected bank needs clearer segmentation, stronger privileged access oversight, and better service identity hygiene because one compromised endpoint or admin path can now affect more systems. Practitioners should re-evaluate where banking workloads inherit trust from shared infrastructure.
Transaction integrity is the real control objective in online banking. Malware that operates inside a session can bypass simple credential checks by watching or altering activity after login. That means the security model has to protect the transaction path, not merely the authentication event. For IAM and fraud teams, the governance question is whether controls can detect session abuse, device compromise, and abnormal transfer behaviour before funds move. Practitioners should align identity checks with transaction risk.
Certificate and email trust are part of financial identity governance. The article's reference to S/MIME and SSL/TLS is a reminder that trust in banking depends on managed cryptographic identities, not only on user accounts. When certificates are unmanaged or inconsistently deployed, attackers can exploit gaps in service trust and secure messaging. This is where NHI governance intersects with banking security: certificates, service identities, and API trust relationships need the same lifecycle discipline as human access.
Latin American banks are facing a governance gap in remediation speed. The article's repeated emphasis on post-attack disruption shows that containment and recovery determine the real cost of an incident. That aligns with our research showing that 91.6% of secrets remain valid five days after notification, which is a strong signal that remediation processes often lag compromise. Practitioners should measure how quickly identities, secrets, and certificates can actually be revoked when a banking incident occurs.
What this signals
Certificate trust and service identity hygiene will matter more as banking continues to decentralise. Institutions that move faster on cloud and digital banking without matching lifecycle controls will expand their exposure faster than their governance can keep up. The practical signal is clear: inventory service identities, certificates, and access paths before the next incident forces that work under pressure.
Banks should expect attackers to keep targeting the transaction layer, not just the perimeter. That means fraud monitoring, device trust, and privileged access review need to be coordinated with incident response and recovery planning, especially where online banking and payment systems share infrastructure.
The governance gap is no longer whether a bank has security tooling, but whether it can revoke trust quickly enough when a compromise is found. That is the operational test for identity and resilience programmes in financial services.
For practitioners
- Segment banking trust zones Separate customer-facing banking platforms, payment systems, admin environments, and endpoint management tools so a single compromise cannot spread laterally across critical services.
- Harden transaction monitoring Correlate login, session, device, and transfer patterns so malware that operates after authentication is detected before high-value transactions complete.
- Build certificate lifecycle ownership Assign explicit owners for SSL/TLS and S/MIME certificates, track expiry and revocation, and remove unmanaged trust assets from banking service paths.
- Test containment on payment systems Exercise shutdown and isolation procedures for online banking and interbank payment services so teams know how to stop spread without losing control of core operations.
Key takeaways
- The article shows that banking disruption is driven by control failure across authentication, segmentation, and trust management, not by malware alone.
- The scale of attack activity in Latin America, combined with incidents affecting major banks, shows that financial institutions face both operational and reputational risk at the same time.
- Banks need faster containment, stronger certificate ownership, and tighter transaction monitoring if they want to reduce the blast radius of future attacks.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , Impact | The article describes ransomware and malware activity that depends on access, spread, and disruption. |
| NIST CSF 2.0 | PR.AC-4 | The article highlights trust, authentication, and access control failures in financial systems. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is central when attackers try to move from one banking system to another. |
| CIS Controls v8 | CIS-5 , Account Management | The article's trust and access themes align with account and service identity governance. |
Review access governance around banking services and tighten least-privilege pathways for customer and admin systems.
Key terms
- Banking Ransomware: Ransomware that targets financial institutions to disrupt payments, online banking, or internal operations rather than simply encrypt files. In banking environments, the main risk is service interruption and loss of trust, especially when attackers can move from one system to another before containment begins.
- Transaction Integrity: The assurance that a banking transaction cannot be altered, redirected, or replaced after the customer or system has approved it. It depends on device trust, session protection, and monitoring across the full payment path, not only on successful login.
- Certificate Trust: The confidence that a certificate correctly identifies a system, user, or service and protects data in transit. In financial services, certificate trust supports secure messaging, website protection, and service-to-service communication, so lifecycle management is part of operational security.
What's in the full article
GlobalSign's full article covers the incident detail this post intentionally leaves at a governance level:
- Named case summaries for Banco Pichincha, Banco de México, Banco Nación, and the Carioca malware campaign.
- Localised context on how banking attacks in Latin America evolved during the pandemic and why small and mid-sized banks were exposed.
- The article's own framing of user protection, banking website security, and digital certificate use in financial institutions.
- A source-specific narrative of the incidents and the author's perspective on bank security in the region.
👉 The full GlobalSign article adds the incident-by-incident context behind these banking attacks.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management for practitioners responsible for trust paths and access control. It helps identity and security teams build the lifecycle discipline needed to govern privileged access across modern environments.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org