Electronic Payment Security

Main article: Electronic payment systems in Russia

Bank card fraud

Main article: Bank card and payment fraud

Key Trends in Bank Payment Protection

Main Article: Key Trends in Bank Payment Protection

Security of contactless payments

Main article: Security of contactless payments

Chronicle

2024: The Ministry of Internal Affairs of the Russian Federation revealed a new embezzlement scheme through the Fast Payment System

The attackers have a new scheme for stealing funds from Russians - now they operate through the Fast Payment System. This was announced on January 22, 2024 by the press service of the State Duma deputy RFAnton Nemkin from the words of the official representative of the Ministry of Internal Affairs of Russia Irina Volk. Read more [of Fast Payments (SBP)#.2A2024:. D0.92. D0.9C.D0.92.D0.94. D0.A0.D0.A4. D0.B2.D1.8B.D1.8F.D0.B2.D0.B8.D0.BB.D0.B8. D0.BD.D0.BE.D0.B2.D1.83.D1.8E. D1.81.D1.85.D0.B5.D0.BC.D1.83. D1.85.D0.B8.D1.89.D0.B5.D0.BD.D0.B8.D0.B9. D1.87.D0.B5.D1.80.D0.B5.D0.B7. D0.A1.D0.B8.D1.81.D1.82.D0.B5.D0.BC.D1.83. D0.B1.D1.8B.D1.81.D1.82.D1.80.D1.8B.D1.85. D0.BF.D0.BB.D0.B0.D1.82.D0.B5.D0.B6.D0.B5.D0.B9|here].

2022: Fraudsters began to deceive people more often and steal money through the "Fast Payment System"

In Russia, the number of cases of fraud using the Fast Payment System (FPS), which is being developed by the Central Bank of Russia (CB), has increased. This became known on April 19, 2022. Read more here.

2020

Visa: Trends in payment security

On December 29, 2020, Visa forecasts about the security of payments in 2021 became known.

Evelina Nechiporenko, Senior Director, Head of Visa Risk Management in Russia announced forecasts.

In 2020, under the sign of a pandemic, we witnessed major changes in the global economy that influenced consumer behavior, which in turn led to changes in fraudulent schemes and methods, and also identified security requests. In such circumstances, Visa continued to pay special attention to the security of customers, partners and cardholders to help them navigate the current conditions and confront attackers and cybercriminals.

Current trends in the security of digital payments will remain in 2021. But more importantly, the experience of 2020 will speed up the implementation of solutions and help companies take into account the mistakes of 2020 when developing their business in 2021.

How will the security of payments develop in the new year? Visa has identified three key trends.

Consumer habits that have emerged during the pandemic will become the norm. Trade enterprises and financial institutions need to consider this when updating their anti-fraud strategy.

In 2020, according to the company, the use of contactless cards increased by 41%, mobile payments - by 31%. Russians also began to buy bolder in online stores: every third began to order products online, and almost a quarter of Russians began to use delivery. And people, for obvious reasons, began to pay more attention to security when paying for purchases and using financial services.

To meet the current needs of consumers, merchants and banks will continue to invest in the development of digital opportunities that allow people to shop and use services. These include payment through the site using various mobile devices and applications, instant funds transfer, contactless payment, payment by voice, shopping in stores without sellers, payment by devices connected to the Internet (IoT), which in turn will also attract customers, retain existing ones and increase sales.

An important task that will need to be solved when realizing these capabilities is to ensure the security of digital payments. Trade enterprises and financial institutions will need to update strategies to prevent fraud and counter cybercrime in the omnichannel environment, which is a difficult task. And if the participants in the payment ecosystem do not have the necessary expertise in ensuring the security of payments, then partners who have good experience, tools and reputation in this area can help them do this faster and more efficiently.

Upgrading the payment infrastructure will require solutions to prevent potential threats. More and more participants in the payment market are developing solutions that will make it even faster and more convenient to transfer money, make settlements and exchange information. Real-time remittances, digital currencies, Open Banking support innovation that meets the expectations of digital savvy consumers and will drive e-commerce for decades to come. Clearly, a more active shift by consumers to electronic payments could "push" bad actors to find ways to cheat online.

All participants in the payment industry need to have mechanisms that allow them to identify atypical signs that may indicate fraud, they will also need to work together to eliminate discovered vulnerabilities, and other previously unused mechanisms will be needed to help track suspicious behavior and identify attempts to compromise data. It is also important that the principles of Open Banking and data sharing are used responsibly and ethically in all products, services and technologies. In 2021, the volume of payments in real time will continue to grow, digital currencies will be distributed, data and consumer privacy will be in the spotlight.

The rejection of password and Q/A authentication will accelerate with the adoption of strict client authentication standards such as FIDO (Fast IDentity Online), which is now available in all major browsers and mobile devices.

Plans for state and banking digital identification systems will be promoted along with increased trust and along with the development of regulation on interaction and responsibility of the parties. COVID-19 has accelerated demand for solutions that help banks and merchants verify and confirm the client's electronic identity. A digital profile is one of the key elements of identification, so it is very important for a business to ensure its security.

Visa According to the Future In study biometrics , Russia which was conducted even before the start of the pandemic, 92% of consumers in Russia consider fingerprint identification to be the most reliable way to protect personal data. At the beginning of the year, 41% of Russians actively used fingerprint identification, 17% used their face to access their data, and 12% used their voice. In the context and after the pandemic, we expect that the demand for the use biometric of data identification will continue to grow^[1]

The volume of cyber fraud in the Russian Federation using electronic means of payment for 5 months amounted to 1.6 billion rubles

For five months of 2020, the Central Bank recorded about 165 thousand fraudulent transactions using electronic means of payment in the amount of 1.6 billion rubles. This was stated by the head of the regulator Elvira Nabiullina, speaking in the State Duma with a report quoted by Rossiyskaya Gazeta. This became known on June 24, 2020.

According to the Central Bank, the average operation, which is carried out without the consent of citizens, is about 10 thousand rubles, and without the consent of legal entities - 152 thousand rubles. About half of fraudulent transactions occur with the purchase of goods and services via the Internet, a third are transactions related to remote banking of customers, less than 10% - at ATMs and POS terminals.

At the same time, 69% of fraudulent transactions are carried out using social engineering, when people themselves provide their personal data to fraudsters. Therefore, the share of the return of such funds is small^[2].

Key Trends in Bank Payment Protection

Financial institutions are the most secure economic sphere in terms of information security. The reasons are obvious - the risks of economic losses in the case of cyber incidents are direct and observed. At the same time, financial institutions have sufficient budgets and motivation for the qualitative development of IT and information security systems. Nevertheless, information security incidents related to illegitimate transactions are currently common and do not lose their relevance. The author of the article "The main trends in the field of bank payment protection" considers which processes are now at risk, and which are already quite thought out, and their risks are currently minimized. Read more here.

2019

Ministry of Internal Affairs: The number of frauds using electronic means of payment increased by more than 400%

As it became known on November 13, 2019, the Ministry of Internal Affairs of the Russian Federation published statistics on fraud using electronic means of payment.

In accordance with the statistics of the department, for 9 months of 2019, 10.3 thousand frauds using electronic means of payment qualified under Art. 159.3 of the Criminal Code. This is 417.3% more than in the same period in 2018.

In total, from January to September 2019, the Ministry of Internal Affairs recorded more than 205 thousand crimes that were committed using information and telecommunication technologies. This is 69% more than last year's figures.^[3]

Ministry of Internal Affairs: the number of criminal cases of fraud with electronic payments increased 8 times

As follows from the statistics of the Main Information and Analytical Center of the Ministry of Internal Affairs of Russia, in the first half of 2019, the number of registered cases of fraud using electronic means of payment (Article 159.3 of the Criminal Code) reached 6613. This is almost 8 times more compared to the same period in 2018.

In the first half of 2019, there were 157,297 criminal cases under articles of fraud (Article 159 of the Criminal Code). Of these, 105,681 cases were registered in the first half of the year (an increase of 5.4% compared to last year). The rest of the cases relate to previous periods.

The number of cases referred to the court decreased by 5.8% (22,195). The number of cases suspended due to problems with the identification of the accused increased by 6.3% (65,221).

In the first half of 2019, the number of registered crimes under Article 159.2 of the Criminal Code (fraud in receiving payments) significantly increased. A total of 4,441 such cases were registered, which is 27.6% more than last year.

A resident of Chelyabinsk sentenced to 10 months for hacking payment systems

On June 20, 2019, it became known that the court sentenced a resident of Chelyabinsk to 10 months of restriction of freedom for hacking personal accounts in payment systems. The verdict was passed by the Central District Court of Chelyabinsk. Read more here.

2018

Losses from online payment fraud amounted to $22 billion

Juniper Research analysts estimated losses from online payment fraud at $48 billion in 2018. By 2023, these losses will double and reach $48 billion. This is stated in the report of the research company, excerpts from which were published on November 20, 2018. Read more here.

Own services for data protection and payment systems will appear in the Russian Federation

On December 25, 2018, it became known that its own services for protecting data and payment systems will appear in the Russian Federation. Until 2024, it is planned to allocate over 30 billion rubles for information security.

Information security in Russia will be paid special attention. In particular, measures will be taken to create domestic services to protect personal information and payment systems. This was announced on December 25, 2018, by Russian Prime Minister Dmitry Medvedev during a meeting of the government commission on digital development.

According to the prime minister, the fourth project within the framework of the Digital Economy program is dedicated to information security. According to the project, by 2024 it is planned to allocate over 30 billion rubles for information security, of which 18 billion rubles. will be allocated from the federal budget.

Here the main role is played by Russian software, we will take measures so that our services are born, which can guarantee the protection of personal data, the protection of payment systems. Dmitry Medvedev, Prime Minister of the Russian Federation

The prime minister stressed the importance and relevance of the issue of information security. Medvedev noted that as of December 2018, cybercrime and cyber wars are a serious threat, so it is necessary to take all measures to protect both ordinary citizens and government agencies, business and critical infrastructure.^[4]

2017: Requirements of the Central Bank to protect payments on the Internet

The Bank of Russia proposed in September 2017 to expand the list of requirements for the protection of information when transferring funds on the Internet. The corresponding draft amendments to the regulation of the Central Bank are posted on the portal for the disclosure of draft regulatory legal acts.

In particular, the requirements must be increased for operators for money transfers, which should ensure the safety of operations on the Internet.

money transfer operator based on the client's application... defines restrictions on the parameters of transactions that can be carried out by the client using the Internet banking system, "the document says

Operators need to improve security with certain technological measures that ensure the identification of the client, the authentication of his electronic messages when transferring funds and the ability to control the details.

The amendments also regulate the operator's ability to confirm the client's right to conduct an operation or set restrictions, including: the maximum amount of the transfer, the list of possible recipients of funds, the time of the operation, the geographical location of the devices with which customers carry out operations.

Operators must report incidents to the Central Bank, as well as "on planned measures to disclose information about incidents."

In addition, the amendments establish the need and obligation of operators to annually test systems for the penetration of information security threats.

It is proposed to amend Bank of Russia Regulation No. 382-P, dated 9 June 2012, "On Requirements for Ensuring the Protection of Information in Money Transfers and on the Procedure for the Bank of Russia to Monitor Compliance with the Requirements for Ensuring the Protection ^[5] Information in Money Transfers."

2013:16 recommendations for the safety of online payments from the Central Bank

On August 5, 2013, Bank of Russia Letter No. 146-T was published, containing a number of recommendations to credit institutions to improve the security of the provision of retail payment services on the Internet.

The Internet payments market, along with the e-commerce market, existed a few years ago in a "parallel reality" regarding the Russian financial market, the Central Bank and changes in Russian legislation. However, the annual growth of the e-commerce market by more than a quarter and the increasing interest of Russians in cashless payments on the Internet and the use of bank cards have generally changed the situation.

In Letter No. 146-T, a number of items describe the standard functions of the fraud monitoring system of an organization engaged in ensuring payment security. It is recommended to update the mechanisms of the fraud monitoring system at least once every two years, and when new risk factors appear and major changes are made to the system, information protection is recommended to promptly and promptly adapt the risk analysis system for them.

Multi-factor payer authentication is recommended to improve the security of online payments and reduce the risk of fraudulent transactions. As the compilers of the Letter explain, authentication factors include "possession of an object or device (for example, a personal identifier), knowledge of certain information (for example, a password), possession of certain permanent inherent properties (for example, fingerprints)."

For the same purpose, it is recommended to use dynamic client authentication - authentication, in which one of the steps uses a password with a limited validity period and a limit on the number of uses. Recommendations for confirming payment transactions using one-time passwords delivered to the client via an alternative communication channel correspond to the format of the XML protocol 3-D Secure (3D-Secure) and the practice of international payment systems: Verified by Visa, MasterCard SecureCode and J/Secure. Attention is also paid to the importance of using payment monitoring mechanisms, including for risk analysis. The monitoring criteria are the frequency, amount, place of payment and the recipient of the payment.

All recommendations for ensuring the security of retail payments should be taken into account both when transferring the functions of a money transfer operator to outsourcing, and when drawing up contracts with subagents providing electronic means of payment that allow you to receive retail payment services via the Internet.

And, of course, significant attention in the Letter is paid to measures to improve the literacy of individuals - payers. It is recommended that retail funds transfer operators inform customers about the possible suspension of receiving services, about unsuccessful attempts to gain access to them, about the possibility of managing limits for making payments via the Internet. These recommendations are aimed at increasing the level of trust of the population in non-cash forms of funds and motivation for their active use. One of the tools for popularizing non-cash cash transactions among the population is the possibility of insurance of payer risks.

Thus, Letter No. 146-T is a collection of basic recommendations to improve the level of security in the provision of retail payment services via the Internet, aimed both at developing risk management systems and information protection on the part of money transfer operators, and at increasing literacy and awareness of users of retail payment services on the Internet.

Notes