Vadim Uvarov: The Central Bank will help to complicate the life of fraudsters

– Since the beginning of 2022 we have been recording a multifold increase in hacker attacks on Russian banks. The peak was in March, when the number increased 20 times compared to the same period last year. Then there was a decrease by 40%, but starting from the 28th of July, the number of attacks again began to grow, mainly DDoS (denial of service).

Hackers tried to bring down the information resources of banks, to paralyze citizens' access to the remote services of credit institutions. But the banks did it; the payment services run smoothly. In particular, this result kierujemy that we are participants of the financial market in 2020.

Now we design new scenarios and methods of responding to them. As the use of foreign software, appliances and services affects the provision of operational reliability, we cannot ignore their withdrawal from the Russian market. So we plan, along with financial institutions, to identify such risks during kierujemy. Exercises with the use of updated threat models will be held in the near future.

– Does the Bank of Russia notice any new fraud schemes?

– As for the current fraud schemes, recently the attackers have not only presented themselves as an alleged “employee” of the Central Bank, but more and more often send documents with the logo and seal of the Bank of Russia to a person in a messenger or by e-mail for persuasiveness.

There are cases when scammers use my data in their legends. It looks very plausible from the outside. But I would like to draw your attention once again: the Bank of Russia, on its own initiative, does not send letters to citizens, does not call or send messages, and we do not service accounts of individuals.

In past years, attackers have used schemes that were somehow based on disturbing information related to the coronavirus. Now, with the increasing incidence of COVID, the topic is back on the agenda, and most likely, scammers will return to the old covid legends of deception.

In any case, whoever the caller appears to be – a bank employee, prosecutors, police, an employee of the Central Bank – never tell anyone personal data, as well as your bank card number, a three-digit code on the back of the card or an SMS code. If in doubt, then call the bank yourself by the number that is written on the back of the card or on the website of the credit institution. Follow these simple rules and your money will be safe.

– What will radically change in the fight against cybercriminals in Russia when the law on information exchange between the Bank of Russia and the Ministry of Internal Affairs on cases and attempts of fraudulent transfers comes into force?

– Today, when considering fraud cases, due to the current procedure, a lot of time is spent on data requests and correspondence between law enforcement agencies and banks, during which it turns out to which accounts the money was withdrawn, the amount of the stolen amount, and so on.

With our participation, a draft law has been prepared that will significantly change this situation.

The essence of the amendments is to connect the Ministry of Internal Affairs of Russia to the automated FinCERT system of the Bank of Russia, where information about the client’s operation without his consent is received after his appeal to his bank and fixing the fact of fraud. The database “On cases and attempts to transfer funds without the consent of the client” contains information from all Russian banks. This means that law enforcement agencies will be able to receive information almost online about all fraudulent transactions, in particular, about victims and recipients of money, of course, in compliance with all the rules on bank secrecy. Now we are discussing with colleagues from the Ministry the details of the bilateral agreement, which, among other things, will define the procedure and format for the exchange of information.

In turn, the FinCERT database will be supplemented with information from the Ministry of Internal Affairs about the illegal actions committed. This data will help banks to prevent fraudulent transfers. It is assumed that the law will come into force a year after its official publication.

– The Ministry of Finance of Russia has previously indicated that the adoption of this law will allow blocking the entire chain of accounts in one criminal case in connection with fraudulent debits from bank cards using social engineering methods. Tell us in more detail how this is possible within the framework of this initiative?

– We are talking about amendments to the law “On the National Payment System”, which were prepared with the participation of the Bank of Russia, they overlap with the previously mentioned draft law on information exchange.

The main tool of fraudsters is the use of methods of influencing human consciousness, the so-called social engineering. Most often, attackers call under the guise of a bank employee and, under various pretexts, ask for the card number and the three-digit code on its reverse side, as well as the confirmation code from the SMS message. Or convince a citizen to transfer money to third-party accounts on their own. Ultimately, all these manipulations come down to the goal – to steal money from a person. Since a citizen formally acts voluntarily, banks in such cases have the right by law not to reimburse the stolen money. Therefore, the percentage of compensation for losses to victims in the total amount of stolen funds is very low.

As a rule, the victim realizes that he has become a victim of fraud, after a while – after a few hours or the next day, when it is impossible to cancel the transfer, and the attackers have already withdrawn the money. The Bank of Russia proposes at the legislative level to introduce a two-day period during which the sender’s bank suspends the transfer of funds to the account, information about which is contained in our database. It also reflects information about the accounts of so-called droppers. These are individuals whose bank cards are used to withdraw and cash out stolen money. The Bank will be obliged to notify the client that his transfer has been suspended and indicate the reason. A two-day period will allow a person who was misled by fraudsters to cancel the transfer of their money to their accounts. However, if after this period the client still insists on transferring to the address of the doubtful account, the bank will be obliged to perform the operation.

In order to increase the likelihood of funds being returned to their rightful owner, we also propose to give banks the right to suspend access to electronic means of payment – that is, to cards, mobile and Internet banking – to owners of dubious accounts from the mentioned database. Accordingly, the droppers will not be able to use them to withdraw the stolen money. And if FinCERT receives information from the Ministry of Internal Affairs about illegal actions committed against the account of such a client on the facts of fraud, then the bank, having seen this information, not only can, but will be obliged to restrict his access to the use of stolen money.

– That is, they will block the accounts of such persons?

– Not to block, but to restrict access to remote channels. In other words, the dropper will not be able to make a subsequent transfer of the stolen money or withdraw it from the nearest ATM. Today, an attacker may have accounts in different banks through which he instantly withdraws money. As soon as information from the police about illegal actions committed against him has been received in the FinCERT database, remote access to his accounts in all banks will be suspended in compliance with civil rights. This means that he has the right to dispose of the money, but this can only be done at a bank branch with a passport. As you understand, an attacker will not do this.

In April, we already recommended banks to use this mechanism, that is, to disable droppers' access to remote account management if information about them is contained in the FinCERT database. But we want the bank to have an obligation to do this if there is information from law enforcement agencies about illegal actions committed in the database.

Conscientious cardholders should not be afraid of restricting access to accounts. Information about the account as a dropper account appears in the database of the Bank of Russia when the victim applied to his bank with a statement about the theft of money and the bank sent this information to FinCERT.

– If the bank transferred money to the dropper account, what then?

– He will have to reimburse the sender the transfer amount in full, since he did not take any measures to protect the client from money theft, knowing that the information about the fraudulent account was contained in the database of the Bank of Russia.

– How long will the bank have to return the stolen funds?

– The latest version of the bill provides that banks that have made a transfer to a fraudulent account will have to return the entire amount to the client within 30 days from the date of receipt of the application from him. The deadline for cross-border transfers is expected to be within 60 days.

– What is the position of the Bank of Russia regarding the creation of a unified information system for verifying information about subscribers of telecom operators, what will it give to banks?

– The Bank of Russia participates in the development of this bill. Now the phone is mainly used to confirm a particular banking transaction, which plays into the hands of fraudsters.

It is assumed that telecom operators will provide information about the subscriber to the system, in particular, about the owner of the number (full name), about the fact of changing the owner of the number, data on the termination of the communication contract, etc. Using this information, banks will be able to reduce cases of theft of money from customers. So, for example, if the client, under the influence of intruders, has set redirection to a third-party number of SMS messages necessary to confirm banking transactions, the bank will be able to track this fact in the system and prevent fraud. Consultations on the bill are continuing.

– Who, according to the Bank of Russia, should definitely get access to this system, and who by agreement?

– We believe that all banks should connect to the system. The Bank of Russia will also use this system to assess the effectiveness of anti-fraud procedures of financial organizations. The final composition of the participants of the Unified Information System for Verifying subscriber information is still being discussed.

– Now the time limit for detecting and blocking fraudulent sites is two to three days. Is it possible to make the blocking happen even faster and by how much?

– In December 2021, the Bank of Russia received the authority to send information about illegal Internet resources for subsequent extrajudicial blocking. The procedure looks like this. We prepare an opinion on the identified phishing site and send it to the Prosecutor General’s Office, which verifies the legality and validity of the arguments and conclusions. After that, the Prosecutor General’s Office sends materials to block access to Internet resources to Roskomnadzor and informs law enforcement agencies to search for the owner of the site and bring him to justice. As a result, it was possible to reduce the blocking period from several months to several days. For less than eight months of this year, on our initiative, more than five thousand sites were blocked, almost all of them were in foreign domain zones. We set ourselves the task of identifying fraudulent resources at an early stage in order to have time to send them to be blocked in the coming hours after their creation.

– How many fraudulent pages are blocked in social networks with the participation of the Bank of Russia?

– We started doing this from the end of February 2022, and the algorithm of our actions is the same as for the sites. In less than eight months of this year, we have sent more than 900 pages on social networks to be blocked. Most of them were on VKontakte. Illegal microfinance services were most often offered, and there were pages with signs of financial pyramids. The blocking mechanism has shown its effectiveness, and we intend to develop it further so that citizens fall for the tricks of intruders on social networks as rarely as possible.