2017/07/06 13:42:04

RBS system security

Most specialists in the information security field know well what risks RBS (remote banking services) systems carry, and therefore watch the dynamic growth of this market segment with understandable wariness. The RBS market is indeed growing, but the losses of users of these services are growing even faster. Banks invest tens of millions of rubles in RBS security projects, yet time passes and fraudsters once again find a way to steal money from their clients. The most unpleasant part is that the protection tools released are not preventive: as a rule, they are designed only to "patch holes" discovered through attacks that have already been carried out.


Theft of funds from RBS has become profitable for hackers, and so this type of criminal activity is becoming more and more popular. According to expert forecasts, DDoS attacks "to order" will fade into the background in the near future. This is connected with the rising security level of many companies' computer systems, and also with the fact that carrying out DDoS attacks takes considerably more effort than using a botnet to steal money from RBS systems.

A logical question arises: why has no adequate method of countering attacks on RBS systems been devised yet? The answer seems to be this: all this time, developers of security tools have been playing against hackers on the hackers' own field, namely building protection systems inside the operating system (OS), which a priori is not a trusted environment. The ordinary computer of an accountant working with an Internet banking system is used in parallel for other tasks as well: e-mail correspondence, file sharing, web surfing, etc. All this sharply increases the risk of infecting the computer with malicious software (viruses, trojans, etc.). At the same time, none of the modern anti-virus products gives a 100% security guarantee, and this applies most of all to rootkit technology, which seizes control of the computer even before the operating system loads and cannot be detected by classical anti-virus tools.

For most people today, the whole variety of malicious software is described by the word "virus". However, viruses in the classical sense (whose main feature is self-replication) have long since ceased to hold the leading positions in the rating of computer threats. Worms and trojans have come out on top: they can extort money (the notorious Trojan.Winlocker and Trojan.Ransom), collect information about the user (passwords, and contact lists through which they spread further to increase their reach), and steal large sums of money without the victim's knowledge (and the victim may be an ordinary user as well as a large company or a bank).

It is rather difficult to estimate the scale of the situation; one can only judge by news feeds, in which "malware", "fraudsters" and astronomical sums of money are mentioned more and more frequently. But even this approach does not give the full picture: information on most cases remains unavailable to the general public (owing to the imperfection of Russian Federation legislation, which does not oblige a company to disclose information about personal data leaks). It should be understood that information in the press is rarely detailed and sketches incidents without real substance, so the reader does not connect the events with real life in any way. The case described below actually happened in one of the Russian companies.

The target: a bank's client

In this case the victim was a Moscow company that is a client of one of the large banks. The reason the attackers were interested in this company was its use of the RBS (remote banking) services provided by the bank. One of the machines in the company's computer park was regularly used to access the bank's RBS services, and it was this computer that came under attack.

Despite the anti-virus installed on the system (from a fairly well-known vendor, by the way), the malicious code was deployed and executed without any obstacles. It is a rather striking example of the inadequacy of signatures in the fight against targeted attacks and zero-day threats.

The date of the attack was not chosen by accident either: everything happened on December 29, in effect right before the New Year. Had the attackers succeeded in carrying out their plan, the losses would not have been noticed for at least ten more days.

Scenario

Unfortunately, it was not possible to find out how the malware got onto the attacked machine. But with a certain degree of confidence it can be claimed that the case did not happen without the involvement of insiders. One confirmation is the unique malicious code that was not noticed by the anti-virus (and, accordingly, was not in the anti-virus databases). Had it been a mass attack, it would have been noticed quickly enough, the malware signature would have been added to the databases almost the next day, and the attackers' plan would have failed.

Accordingly, there had to be somebody with information about this company's use of RBS, the approximate amounts, and perhaps even the information security tools used by the company.

Considering the possible participation of insiders in this incident, the malware could have gotten into the system in any way: sent by e-mail from a trusted sender, brought in on a USB stick by one of the company's clients, or even launched on the machine manually by the insider.

The malware was a trojan, either remotely controlled or operating independently. It is known only that the trojan worked according to the following scenario:

  • Waiting for the moment the key (the certificate issued by the bank, stored on an external medium) is connected to the system
  • Reading the key
  • Reading the login and password for RBS access
  • Requesting a transfer of money to the hacker's account: there was an attempt to withdraw about one million rubles (in the case of independent operation, simply sending all the data to the attacker)
  • Downloading an application named kill.exe, which destroys the traces of the malware's presence very crudely, by killing the entire system (the application created a file in the drivers directory which crashed the system when it was read)

Traces of the attacker's actions could be found only after the attacked machine was taken out of operation, and only from the logs that remained on the server. The company was saved from losing a substantial sum of money only by a lucky coincidence: the attacker tried to withdraw a fixed sum that turned out not to be in the account, because shortly before that the company had paid its employees' salaries.

How money leaks from RBS systems

Let us consider the evolution of methods of hacking RBS systems over the last four years:

  • Theft of electronic signature (ES) keys from unprotected media.

The simplest and most well-worn technique, by means of which the majority of attacks are still carried out on RBS clients who store their EDS keys on USB sticks, disks, diskettes, in a folder on the hard drive, etc.

  • Theft of private EDS keys from RAM.

A slightly more difficult attack than the first. It is usually applied when the client uses a protected EDS key storage device that nevertheless allows the keys to be extracted from the device's closed memory area.

  • Unauthorized access to the cryptographic capabilities of a smart card.

One of the most dangerous and promising attacks. It is carried out either by remote control of the client's computer (TeamViewer-class tools) or via a remote connection to the USB port (USB-over-IP technology). A limitation of this attack is that the smart card (token) must be connected at the moment it is carried out.

  • Substitution of the document when it is passed to the smart card for signing.

The most difficult and most dangerous type of attack today. In this case the user sees one thing on the monitor screen, while something else goes to the smart card for signing. Data on account balances, executed transactions, etc. can be altered in parallel. It should also be noted that each of the four listed techniques is effective not only against its own level of protection, but also against all "simpler" ones. This situation is illustrated in fig. 1.

Fig. 1. Ratio of protection levels and attack technologies against EDS generation tools

A critical set of noncritical vulnerabilities of RBS systems [1]

The most widespread vulnerabilities have medium and low risk levels. However, their combination, together with the critical vulnerabilities characteristic of individual systems, can lead to serious consequences, up to gaining full control over the system.

[Figure: a critical set of noncritical vulnerabilities of RBS systems]

How to raise the security level when using RBS

Only a fundamental change of approach to solving this problem can change the situation, namely moving the function of controlling the key parameters of the document from the operating system to a closed environment on an external device. Then the functions of protecting the document's integrity and immutability are implemented not in the operating system, which is not a trusted environment, but on a removable protected medium. What can serve as such a device?

To begin with, let us list the requirements such a device should satisfy. It must:

  • not allow changes to be made to its operating algorithms;
  • provide the ability to visually verify the integrity of the significant fields of the document (account number, transaction amount, recipient bank, etc.) in the external (trusted) environment, with subsequent transfer directly to the smart card for signing;
  • work with smart cards that implement domestic cryptographic algorithms in hardware, to meet the requirements of Federal Law FZ-63 for a qualified electronic signature;
  • not pass the document on for signing until the transaction confirmation button is physically pressed.

There are also a number of important parameters of the solution that should be considered in projects to increase the security of RBS systems, namely:

  • A reasonable price for the end user. This is necessary to preserve investments and reduce reputational risks, which is especially relevant for those banks that have already issued protected key media to their clients.
  • The ability to work with smart cards. In view of recent trends, namely the implementation of domestic cryptographic algorithms on the chips of bank payment cards, which will allow every individual to always carry a qualified electronic signature key, support for smart card technology is gradually becoming necessary in the most varied fields of activity.
  • A workflow familiar to the user. If the use of a new solution imposes an additional burden on clients, for example the need to regularly boot virtual environments from external media or to re-enter payment details into documents manually, etc., it will be rejected by end customers.
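The following toy model, added here as an illustration and not taken from the article or any vendor's product, shows why the device requirements above (trusted display of the significant fields, signing only after a physical button press, signing only what was displayed) defeat the document-substitution attack described earlier. The HMAC stands in for the smart card's signature algorithm, and the card key, field names and account values are constructed assumptions.

```python
import hashlib
import hmac
import json

# Added example: a toy model of the trusted-display signing device described
# above. It is not a real product or protocol. The smart card signature is an
# HMAC over the canonical document (a stand-in for a GOST signature on the
# card), CARD_KEY is a constructed value, and SIGNIFICANT_FIELDS are the fields
# the device renders for visual verification.
SIGNIFICANT_FIELDS = ("account", "amount", "bank")
CARD_KEY = b"constructed-card-key-for-demo"  # never leaves the "card"


def canonical(doc):
    """Canonical byte form of a payment document, so card and bank hash the same thing."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def plain_card_sign(doc):
    """A smart card without a trusted display: it signs whatever the host sends."""
    return hmac.new(CARD_KEY, canonical(doc), hashlib.sha256).digest()


def bank_verify(doc, sig):
    """Bank side: a valid signature is all it can check; it cannot see what the user saw."""
    return hmac.compare_digest(plain_card_sign(doc), sig)


def significant(doc):
    return {k: doc[k] for k in SIGNIFICANT_FIELDS}


class TrustedDevice:
    """Holds the card, shows the significant fields on its own screen,
    requires a physical button press, and signs only what it showed."""

    def __init__(self):
        self.shown = None            # fields last rendered on the device's display
        self.button_pressed = False  # state of the physical confirmation button

    def display(self, doc):
        self.shown = significant(doc)
        self.button_pressed = False  # a new document always needs a fresh confirmation
        return self.shown

    def press_confirm(self):
        self.button_pressed = True

    def sign(self, doc):
        if not self.button_pressed:
            raise PermissionError("confirmation button not pressed")
        if significant(doc) != self.shown:
            # Substitution: the host passes a different document than the one shown.
            raise ValueError("document differs from what the trusted display showed")
        self.button_pressed = False  # one press, one signature
        return plain_card_sign(doc)


def demo():
    """Constructed scenario: the user confirms one payment; an infected host
    substitutes the recipient before the document reaches the card."""
    user_sees = {"account": "ACC-0001", "amount": 1000000,
                 "bank": "constructed-bank-A", "purpose": "salary"}
    host_sends = dict(user_sees, account="ACC-0002", bank="constructed-bank-B")
    out = {}

    # Setup 1: ordinary card on an untrusted OS. The bank sees a valid signature
    # on the substituted document and has no way to know it was never shown.
    out["bank_accepts_substitute_from_plain_card"] = bank_verify(
        host_sends, plain_card_sign(host_sends))

    # Setup 2: trusted device. The substituted document is refused.
    dev = TrustedDevice()
    dev.display(user_sees)
    dev.press_confirm()
    try:
        dev.sign(host_sends)
        out["trusted_device_signed_substitute"] = True
    except ValueError:
        out["trusted_device_signed_substitute"] = False

    # No signature without the physical button press.
    dev.display(user_sees)
    try:
        dev.sign(user_sees)
        out["signed_without_button"] = True
    except PermissionError:
        out["signed_without_button"] = False

    # The genuine, confirmed document is signed and verifies at the bank.
    dev.press_confirm()
    out["genuine_signed_and_verified"] = bank_verify(user_sees, dev.sign(user_sees))
    return out
```

The point the bank-side check makes is that a valid signature proves nothing about what the user saw; only a device that binds display, confirmation and signing closes that gap.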

Recommendations

  • On the PCs used for preparing and sending documents to the Bank, exclude visits to websites of questionable content and any other Internet resources of a non-production nature (social and P2P networks, forums and chats, telephony services, etc.), reading mail and opening mail attachments from untrusted sources, and installing or updating any software from anywhere other than the vendors' websites.
  • Configure the network equipment and the corporate and personal firewalls so that Internet access from all workstations on which payment documents are prepared, signed and sent is limited to a "white list".
  • The "white list" should include exclusively trusted websites and hosts of the organization, the banks, tax authorities and other state bodies needed in the production process, and the update servers for system and anti-virus software.

  • Ensure the confidentiality of EDS keys; allow only authorized use of keys.
  • Use modern anti-virus software. Update the anti-virus software regularly.
  • Regularly perform anti-virus scans on the computers.
  • Install security updates for the operating system and software of the computers in a timely manner.
  • Configure the network equipment and the corporate and personal firewalls so that the Internet connection is limited to a "white list" of trusted websites.
  • Do not work on the computers used for preparing and sending documents to the Bank under accounts with administrative rights.
  • Minimize the number of users of the computers on which documents are prepared and sent to the Bank.
  • Set strong passwords for logging in to the computer and ensure that these passwords are changed periodically.
  • Keep the computer's system time accurate to local time to within 1 minute.
  • Limit physical access to the computers on which documents are prepared and sent to the Bank: only employees directly authorized to work with the "Internet Bank Client" software are allowed.
  • Store key media in a manner that excludes unauthorized access to them.

Mandatory organizational measures:

  • Generate the secret key independently;
  • Regularly check the status of the accounts;
  • Do not hand over the passwords to secret keys; do not write down or save passwords together with the key medium.

2016: The Central Bank will take Internet banking under control

The Bank of Russia will carry out a large-scale inspection of the safety of online banking. The regulator will check how well online payment services and mobile applications are protected against cyberthreats. After the inspection, the Central Bank intends to take this sphere under its control and to certify remote services for compliance with information security requirements.

At present each bank defines the safety of remote service on its own. The Central Bank intends to take this sphere under control because cases of funds being debited from clients' accounts have become sharply more frequent. In particular, whereas in January-September 2015 hackers attempted 16 thousand unauthorized transactions on the accounts of individuals, in the same period of 2016 102.7 thousand such attempts were already made. At the same time, this year banks and the regulator managed to prevent the theft of no more than 2-3% of the funds.

The introduction of mandatory certification of remote services means that the Central Bank's capital adequacy requirements for banks will depend on their compliance with security standards. The more risks in the online banking systems, the fewer opportunities to increase lending and to invest in other assets. In the future these requirements will be formalized as national standards. Their development will be handled by a specially created interdepartmental working group including representatives of the Central Bank, the Ministry of Finance, the Ministry of Internal Affairs of the Russian Federation, the Ministry of Telecom and Mass Communications and FSTEC.

In particular, the Central Bank will make double confirmation of transactions carried out over remote channels mandatory. At the moment most credit institutions identify the client by sending one-time passwords by SMS or by special electronic USB keys and smart cards (eToken).

Despite the regulator's increased concern, banks are already prepared to take additional security measures, because the situation is critical. As the head of the information security service of a top-10 bank said, owing to the rapid development of mobile banking many clients use the phone as their only payment device. A trojan can easily intercept the user's login and password, and then also the one-time code that arrives by SMS for the operation[2].

2015: The Central Bank requires security measures in RBS systems to be strengthened

On March 10, 2015, Central Bank Directive No. 3361-U came into force, requiring credit institutions to organize the registration of all devices their clients use to log in to Internet banking and mobile banking applications.

It is expected that it will be impossible to perform operations from an unregistered phone, tablet or PC. In addition, banks are obliged to block the sending of service SMS messages (one-time passwords and so forth) when the client changes their number or SIM card[3].

"The bank, on the basis of the client's application, determines the parameters of transactions that can be performed through Internet and mobile banking. In particular, the bank sets the list of devices through which access to remote banking (RBS) systems for the purpose of money transfers can be provided, on the basis of the identifiers of these devices," the document says. "The bank also determines the maximum amount the client may transfer through RBS in one transaction and (or) over a certain period (one day / one month)."

As for the concept of "identifier", it is set out in the regulator's Provision 382-P (item 2.6.3). According to the document, the identification information, depending on technical capability, is the IP address, the MAC address, the SIM card number, the phone number and (or) another identifier of the device (hereinafter, the device identifier). The fact that the Provision allows the use of other device identifiers suggests that banks will most likely be able to implement the regulator's new requirement in their own way.

Pavel Golovlev, head of the information technology security department of SMP Bank, said: "The bank uses the device's IP address as the device identifier. To register the device through which the client intends to log in to the Internet bank, the client needs to come to a bank office and write the corresponding application. If the client changes the device, they need to contact the bank and update the information on the device identifier. If the device is lost, the algorithm of actions in this case should be the same as at the loss of a bank card: notify the bank of the loss of the device and block the transactions that would be made from this IP address. The bank will, of course, keep track of identifiers, since without that it is impossible to implement blocking on this basis."

Alexander Novikov, director of the remote banking department of B&N Bank, said: "In the bank, the issue of security and registration of mobile devices is solved, among other things, using push notifications, which are one-time passwords for confirming transactions that arrive on mobile devices. These notifications are sent by the bank directly to the client, unlike SMS, which increases security. All mobile devices (phones, tablets) to which push notifications are connected are displayed in the browser version of the Internet bank. If a mobile device is lost, the client can quickly log in to the Internet bank from any computer and delete it from the list. Accordingly, fraudsters will not be able to use it to obtain the password."
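As an added illustration of the requirements described in this section, and not any bank's actual implementation, the model below encodes the policy in code: transfers are accepted only from device identifiers registered on the client's application, within a per-transaction and a daily limit, a lost device's identifier can be revoked, and SMS one-time passwords are withheld once the SIM card on record has changed. All identifiers, limits and amounts are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Added example: a toy authorization policy modelling the requirements described
# above (Directive 3361-U: registered devices, per-transaction and per-period
# limits, no service SMS after a SIM change; Provision 382-P: device identifiers
# such as an IP address, MAC address, SIM number or phone number). Not any bank's
# real implementation; every identifier and limit below is a constructed sample.


@dataclass
class ClientProfile:
    """What the bank records from the client's written application."""
    registered_devices: set                        # device identifiers (e.g. IP or MAC address)
    sim_number: str                                # SIM card number on record for SMS delivery
    per_transaction_limit: int                     # rubles, one transaction
    daily_limit: int                               # rubles, one calendar day
    transfers: list = field(default_factory=list)  # (timestamp, amount) executed via RBS


@dataclass
class TransferRequest:
    device_id: str      # identifier presented by the device the client logs in from
    amount: int
    when: datetime


def register_device(profile, device_id):
    """Registration happens on the client's application at a bank office."""
    profile.registered_devices.add(device_id)


def revoke_device(profile, device_id):
    """Lost device: the client reports it and transfers from its identifier are blocked."""
    profile.registered_devices.discard(device_id)


def may_send_sms_otp(profile, current_sim_number):
    """Service SMS (one-time passwords) must stop once the client's SIM card has changed."""
    return current_sim_number == profile.sim_number


def spent_on_day(profile, day):
    return sum(amount for when, amount in profile.transfers if when.date() == day)


def authorize(profile, req):
    """Decide on a transfer: (allowed, reason). The one-time password step is
    handled separately by may_send_sms_otp; this only checks device and limits."""
    if req.device_id not in profile.registered_devices:
        return False, "device not registered"
    if req.amount > profile.per_transaction_limit:
        return False, "exceeds per-transaction limit"
    if spent_on_day(profile, req.when.date()) + req.amount > profile.daily_limit:
        return False, "exceeds daily limit"
    profile.transfers.append((req.when, req.amount))
    return True, "approved"


def demo():
    """Constructed walk-through returning the decision for each step."""
    profile = ClientProfile(registered_devices=set(), sim_number="SIM-CONSTRUCTED-1",
                            per_transaction_limit=300000, daily_limit=500000)
    register_device(profile, "203.0.113.10")  # registered at the bank office
    day = datetime(2015, 3, 11, 10, 0)
    out = {}
    out["unregistered"] = authorize(profile, TransferRequest("198.51.100.7", 1000, day))
    out["first"] = authorize(profile, TransferRequest("203.0.113.10", 250000, day))
    out["too_large"] = authorize(profile, TransferRequest("203.0.113.10", 300001, day))
    out["over_daily"] = authorize(profile, TransferRequest("203.0.113.10", 260000, day))
    out["second"] = authorize(profile, TransferRequest("203.0.113.10", 250000, day))
    out["sms_same_sim"] = may_send_sms_otp(profile, "SIM-CONSTRUCTED-1")
    out["sms_new_sim"] = may_send_sms_otp(profile, "SIM-CONSTRUCTED-2")
    revoke_device(profile, "203.0.113.10")  # device reported lost
    out["after_revoke"] = authorize(profile, TransferRequest("203.0.113.10", 1000, day))
    return out
```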

2012: The Central Bank of the Russian Federation intends to oblige users of online banking to specify IP and MAC addresses

In October 2012 the Central Bank of the Russian Federation published on its website a draft directive on amendments to the 2004 Provision "On identification by credit institutions of clients and beneficiaries for the purpose of countering the legalization (laundering) of criminally obtained income and the financing of terrorism".

In this draft the Bank of Russia proposes adding several points under which a user, in order to gain access to the online banking system, must specify in advance the IP and MAC addresses from which the connection to the online account will be made.

"Data on the IP and MAC address (IP and MAC addresses) by means of which the legal entity is provided access to the bank account opened at the credit institution for the purpose of performing transactions on it, within the agreement concluded by the credit institution with this legal entity, providing for its service using technology of remote access to the bank account, including Internet banking," the draft directive of the Central Bank of the Russian Federation says. Similar points extending to individuals and individual entrepreneurs are given in the document.

Completely safe Internet banking is impossible

Much is now being said about the security risks of remote banking (RBS). Lately statistics have accumulated, both domestic and foreign, testifying to the seriousness of the question. In Russia, every tenth Internet user now uses Internet banking. By the estimates of various researchers, losses from online crime in our country amount to about 500 million rubles a year. Law enforcement agencies have begun to pay significantly more attention to the problem of fraud in RBS, and this is a positive trend.

Perhaps there is a way to secure Internet banking completely? The definite answer to this question is no. RBS is a process, and absolutely safe processes do not exist; some risk is always present. However, security can be considered a state in which we accept the risk level of using the service, both for the user and for the owner. For banks, the quality of the RBS service provided is a question of attracting customers. Quality is defined first of all by the range of services, convenience of use, availability and security. Security is becoming an ever stronger criterion when choosing an RBS system and to a considerable degree influences the choice of bank.

2019: The Bank of Russia named the top-3 risks connected with mobile banking

The carelessness of Russian bank clients and their lack of knowledge in matters of information security is the main reason for the loss of their money. Specialists of the Bank of Russia reported this in July 2019 during a presentation at the International Financial Congress in St. Petersburg.

Almost every third Russian (29%) falls victim to cyberfraudsters. Theft resulting from the loss of a mobile device accounts for 27%, and theft of bank cards for 11%.

The majority of victims (80%, and this figure continues to grow rapidly) fall into the trap of fraudsters using social engineering methods. According to experts, when it comes to stealing money, psychological techniques have proven far more effective than the exploitation of vulnerabilities in mobile devices.

Most often the attackers contact the bank's client and, under the guise of an employee of the financial organization, extract from them the data needed for a money transfer (passwords, verification codes). Without thinking of the possible risks, citizens meekly hand over their passwords to third parties.

According to Izvestia, since the beginning of the current month at least 17 people have suffered from such fraud. In total, damage amounting to 6 million rubles was caused to them.

To fight this type of fraud it is necessary to raise the cyberliteracy of the population through special state programs, otherwise the situation will worsen, experts are sure.

The main source of data leaks in Russia is financial institutions, which account for a quarter of all incidents (25%). They are followed by the government and law enforcement agencies (18.8%).

2018: More than half of RBS systems contain critically dangerous vulnerabilities

Positive Technologies analyzed bank applications: the share of RBS systems [4] in which critically dangerous vulnerabilities are detected [5] decreases every year. Whereas in 2015 high-risk vulnerabilities were contained in 90% of the analyzed systems, and in 2016 in 71%, in 2017 the figure was already only 56%. But despite the noticeable growth in the level of security, the current shortcomings still pose serious threats to banks and their clients.

On average in 2017 about 7 vulnerabilities were found per RBS system, which is higher than the figure for 2016, when only 6 shortcomings were found per financial application. However, the shares of high- and medium-risk vulnerabilities decreased considerably. For example, a third of online banks had no critically dangerous shortcomings, whereas the previous year high-risk vulnerabilities were present in all financial web applications except one.

The most widespread vulnerabilities of online banks in 2017 were "Cross-Site Scripting" (75% of systems) and "Insufficient protection against attacks aimed at data interception" (69%), which allow attacks on bank clients (for example, intercepting cookie values or stealing credentials). More than half of online banks (63%) contained the high-risk vulnerability "Insufficient authorization", which allows an attacker to gain unauthorized access to web application functions not intended for that user level. In addition, vulnerabilities in 94% of online banks could be used by attackers to access data constituting clients' bank secrecy and personal information.

With mobile banking applications the situation is similar: the shares of high-risk (29% instead of 32% in 2016) and medium-risk vulnerabilities decreased (56% instead of 60%). Accordingly, the share of low-risk vulnerabilities increased; companies aim to eliminate critically dangerous vulnerabilities first of all. Nevertheless, in half of the systems (48%) at least one critically dangerous vulnerability was found. In 52% of mobile banks, vulnerabilities allowed credentials for access to the mobile application to be decrypted, intercepted or brute-forced, or the authentication process to be bypassed altogether. As a result, an attacker could be able to make transactions in the mobile bank on behalf of the legitimate user.

At the same time, iOS applications were once again better protected than their Android counterparts. The share of high-risk vulnerabilities in iOS applications was only 25%, whereas in Android applications it was 56%. For practically all of the mobile banks considered (except one), experts analyzed two identical applications developed for different operating systems, and in some cases the iOS mobile application did not contain vulnerabilities that were detected in the Android application.

The majority of RBS systems (68%) were developed by the financial institutions themselves. But whereas in 2016 applications created by banks contained half as many vulnerabilities as systems deployed on ready-made platforms, a year later the situation changed: applications built on "boxed" solutions had fewer critically dangerous vulnerabilities. Vendors have begun to pay more attention to security issues, while banks still lack experienced developers on staff and a competently built secure development process.

2017: Money can be stolen from every third online bank

At the beginning of July 2017, Positive Technologies published the results of a study according to which the share of financial applications containing critically dangerous vulnerabilities decreased in 2016, but the overall risk level of the vulnerabilities found became much higher. Shortcomings in the mechanisms of identification, authentication and authorization were the most widespread.

According to the company, the popularity of electronic financial instruments in Russia has grown considerably over the last year thanks to the development of contactless payment systems: NFC payment technologies using smartphones (Apple Pay and Google Wallet) have joined the already familiar PayPass and payWave. However, the security of public web and mobile applications in the financial sphere still leaves much to be desired, since all the vulnerabilities and threats known in the field of application security are characteristic of such applications, Positive Technologies noted. At the same time, in the case of banking applications, the realization of these threats leads to serious consequences, including theft of money, unauthorized access to personal data and bank secrecy, and also reputational losses for the business.

The company's study showed that in 2016 the share of critically dangerous vulnerabilities in financial applications grew by 8%, and the share of medium-risk vulnerabilities by 18%. At the same time, almost twice as many vulnerabilities were found in production systems as in systems under development. And financial applications developed by vendors on average contain twice as many vulnerabilities as those developed by banks on their own.

Most online banks (71%) have shortcomings in the implementation of two-factor authentication. 33% of online banking applications contain vulnerabilities that allow money to be stolen, and in 27% of applications an attacker can gain access to data constituting bank secrecy.

As for mobile banks, in every third application it is possible to intercept or brute-force access credentials. According to Positive Technologies experts, bank iOS applications are still safer than their Android counterparts. At the same time, the server sides of mobile banks are protected much worse than the client sides: high-risk vulnerabilities were found in every system studied.

The study also revealed vulnerabilities in automated banking systems (ABS), which are usually considered unreachable by an external attacker. In practice, two thirds of the vulnerabilities found in the core banking system were critically dangerous, including ones that allow administrative access to the server. Such access gives an attacker the opportunity, while remaining unnoticed, to perform any fraudulent operations involving money: for example, to create new accounts and credit them with any amount, or to substitute the payment orders sent to the Central Bank.

2016: The number of unauthorized withdrawals of money from bank cards through Internet banking increased 5.5-fold in Russia

In a year, from July 2015 to June 2016, the number of unauthorized withdrawals of money from the accounts of bank card holders through Internet banking increased 5.5-fold in Russia. 93% of the losses connected with unauthorized withdrawals are attributable to bank fraud using Internet banking.

At the same time, theft of cash withdrawn from an ATM accounts for only 4% of insured events, and loss of the bank card for 3%, as calculated by AlphaInsurance experts, who analyzed the statistics of bank card insurance claims filed by the company's clients.

Managing a bank account using modern technologies, through Internet applications from a computer or a mobile device, is widely offered by many financial institutions, banks first of all. Fraudsters do not stand aside and also actively exploit these technologies for their own enrichment.

According to AlphaInsurance experts, the main reason for the sharp increase in the number of losses from unauthorized withdrawals connected with Internet fraud is the population's insufficient awareness of the correct use of new Internet technologies.

A large number of cases of unauthorized withdrawal occur through the fault of card holders, who give third parties access to information intended for private use without understanding what it can turn into for them.

Besides, every year the age of bank card holders grows, while their knowledge of modern banking technologies remains at the previous level. Often this level is simply zero.

Victims willingly give out the passwords to their personal accounts and their PIN codes as soon as a caller introduces themselves as an employee of the bank where the insured person's account is opened. Yet the rules for using bank cards and the instructions issued by some banks specify that nobody may ask for the PIN code, even inside the bank, let alone an "employee" calling by telephone. Most often fraudsters say that they are resolving some suddenly arisen problem with the account or with a money transfer.

2014

Main vulnerabilities of online banks: authorization, authentication and Android (2014 research)

High-risk vulnerabilities in source code, together with widespread flaws in the authentication and authorization mechanisms of many remote banking systems, allow an external attacker to carry out unauthorized transactions or even gain full control over the system, which can lead to significant financial and reputational losses. These are the conclusions of a study of RBS vulnerabilities detected by Positive Technologies experts in 2013 and 2014 during security analysis work for a number of the largest Russian banks. Some results of this research are presented in this article.

The research covered 28 remote banking systems for individuals (77%) and legal entities (23%). Among them were mobile RBS systems consisting of a server and a client part (54%). Two thirds of the systems (67%) were banks' own developments (written in Java, C# and PHP); the rest were deployed on platforms of well-known vendors. The majority of the RBS systems (74%) were in commercial operation and available to clients, and a quarter of the resources were test stands ready for transfer into operation.

General results

Nearly half of the vulnerabilities detected in RBS systems (44%) are of high risk. Medium- and low-risk vulnerabilities are present in roughly equal proportions (26% and 30%). Overall, high-risk vulnerabilities were found in 78% of the studied systems.

The largest share of vulnerabilities (42%) stems from errors in the implementation of the protection mechanisms that developers built into the RBS systems. In particular, flaws in identification, authentication and authorization mechanisms fall into this category. In second place are vulnerabilities caused by errors in application code (36%). The remaining vulnerabilities are mostly connected with configuration flaws (22%).

The vulnerabilities most often found in RBS systems allow identification of the software in use or stem from predictable formats of user identifiers (57% of systems). More than half of the systems (54%) contained code errors of the Cross-Site Scripting type. Where this vulnerability is present, if a bank client follows a specially crafted malicious URL, the attacker can gain access to the RBS system with that client's privileges.

Vulnerabilities allowing attacks on user sessions (54% of systems) are also widespread. These include incorrect session termination, incorrect cookie parameter settings, the possibility of several parallel sessions for one user, the absence of session binding to the client's IP address, and so on. In a successful attack the intruder gains access to the user's personal account with that user's privileges.

Among the most widespread was the high-risk vulnerability "XML External Entity injection", found in 46% of systems. By exploiting it, an attacker can read the contents of files stored on the vulnerable server, obtain data about the host's open network ports and cause a denial of service of the whole RBS system, and in some cases send requests to arbitrary hosts on behalf of the vulnerable server and develop the attack further.
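
As an added illustration of the defensive side of the XXE finding (an example written for this article, not code from the page or from Positive Technologies), here is a minimal intake routine for an XML payment message that refuses document type declarations before the parser ever sees them, which removes external entities and entity-expansion bombs in one check, and also caps the document size and pins the expected root element. The message layout and the account numbers are constructed for the example. In production Python one would normally reach for the defusedxml package; the block shows the rule that package enforces.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample messages; the account numbers are placeholders.
CLEAN_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<payment>
  <from>40817810000000000001</from>
  <to>40817810000000000002</to>
  <amount currency="RUB">100.00</amount>
</payment>"""

# Same message carrying a DTD with an external entity, the XXE pattern.
XXE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE payment [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>
<payment><from>&ext;</from><to>x</to><amount currency="RUB">1.00</amount></payment>"""

# Any DTD or entity declaration is rejected; a payment message needs neither.
_DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised for input the bank-side parser refuses to process."""


def parse_payment(raw: bytes, max_bytes: int = 64 * 1024) -> dict:
    """Parse a payment message while refusing anything that could carry
    external entities or expansion bombs: no DTD, no oversize documents,
    fixed schema."""
    if len(raw) > max_bytes:
        raise UnsafeXMLError("document too large")
    if _DTD_MARKER.search(raw):
        raise UnsafeXMLError("DTD and entity declarations are not accepted")
    root = ET.fromstring(raw)
    if root.tag != "payment":
        raise UnsafeXMLError("unexpected root element %r" % root.tag)
    amount = root.find("amount")
    if amount is None or amount.get("currency") is None:
        raise UnsafeXMLError("amount or currency missing")
    return {
        "from": root.findtext("from"),
        "to": root.findtext("to"),
        "amount": amount.text,
        "currency": amount.get("currency"),
    }


def is_accepted(raw: bytes) -> bool:
    """True when the message passes every check and parses."""
    try:
        parse_payment(raw)
    except (UnsafeXMLError, ET.ParseError):
        return False
    return True


if __name__ == "__main__":
    print(parse_payment(CLEAN_XML))
    print("XXE sample accepted:", is_accepted(XXE_XML))
```

The same pre-check protects every parser behind it, which matters because RBS back ends often hand the same document to several components (signature verification, the core banking import, archiving), and only one of them has to resolve entities for the server's files to leak.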

A denial of service of the RBS system could be caused by various vulnerabilities in half of the studied resources (52%).

The majority of the widespread vulnerabilities are of medium or low risk. Nevertheless, in combination with the operating peculiarities of specific RBS systems they can produce serious security risks, including theft of confidential data (89% of systems) and theft of money (46%).

Image:уязвимости онлайн-банков 2014 02.png

The studied RBS systems also contain a number of significant flaws at the level of business logic. For example, in several systems attacks based on the incorrect use of number-rounding algorithms were possible. Say the attacker converts 0.29 rubles into US dollars. At a rate of 60 rubles per dollar, 0.29 rubles corresponds to 0.00483333333333333333333333333333 dollars. This amount is rounded to two decimal places, i.e. up to 0.01 dollars (one cent). The attacker then converts 0.01 dollars back into rubles and receives 0.60 rubles, thereby "winning" 0.31 rubles. By automating this procedure, given the absence of limits on the number of transactions per day and on the minimum transaction amount, and in some cases with the additional exploitation of a Race Condition vulnerability, the attacker can obtain unlimited amounts of money.
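
The rounding flaw above can be reproduced and closed in a few lines. The following Python is an added example written for this article, not code from the page or from Positive Technologies; it assumes the article's rate of 60 rubles per dollar and a hypothetical policy of a 0.01 minimum result and a per-account daily cap. It shows the vulnerable round-up conversion beside a hardened one that rounds toward the bank, refuses sub-minimum results and makes the daily-count check atomic, so that the three conditions the text names (rounding, no limits, race condition) are each addressed.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_UP
from threading import Lock

# Constructed figures matching the article's worked example: 60 RUB per 1 USD.
RATE_RUB_PER_USD = Decimal("60")
CENT = Decimal("0.01")
# Hypothetical policy: the smallest result a conversion may produce.
MIN_RESULT = {"USD": Decimal("0.01"), "RUB": Decimal("0.01")}


def _raw_convert(amount: Decimal, src: str, dst: str) -> Decimal:
    """Exact conversion before rounding; only the RUB/USD pair is modelled."""
    if (src, dst) == ("RUB", "USD"):
        return amount / RATE_RUB_PER_USD
    if (src, dst) == ("USD", "RUB"):
        return amount * RATE_RUB_PER_USD
    raise ValueError("unsupported currency pair")


def convert_vulnerable(amount: str, src: str, dst: str) -> Decimal:
    """The flaw from the text: any fraction of a minor unit is rounded UP in
    the client's favour, so 0.29 RUB becomes 0.01 USD."""
    return _raw_convert(Decimal(amount), src, dst).quantize(CENT, rounding=ROUND_UP)


def convert_hardened(amount: str, src: str, dst: str) -> Decimal:
    """Round toward the bank (truncate) and refuse results below the minimum,
    so a round trip can never end with more money than it started with."""
    result = _raw_convert(Decimal(amount), src, dst).quantize(CENT, rounding=ROUND_DOWN)
    if result < MIN_RESULT[dst]:
        raise ValueError("amount below the minimum after conversion")
    return result


def round_trip_gain(convert, rub_amount: str) -> str:
    """RUB -> USD -> RUB with the given converter; the difference is what the
    client 'wins' (positive) or loses (negative), returned as a string."""
    usd = convert(rub_amount, "RUB", "USD")
    back = convert(str(usd), "USD", "RUB")
    return str(back - Decimal(rub_amount))


def rejects_below_minimum(rub_amount: str) -> bool:
    """True when the hardened converter refuses the RUB amount outright."""
    try:
        convert_hardened(rub_amount, "RUB", "USD")
    except ValueError:
        return True
    return False


class ConversionDesk:
    """Hardened conversion with a per-account daily operation cap. The lock
    makes check-and-count atomic, which closes the race-condition variant in
    which many parallel requests each see the counter below the limit."""

    def __init__(self, max_ops_per_day: int):
        self.max_ops_per_day = max_ops_per_day
        self._ops = {}
        self._lock = Lock()

    def convert(self, account: str, amount: str, src: str, dst: str) -> Decimal:
        with self._lock:
            if self._ops.get(account, 0) >= self.max_ops_per_day:
                raise PermissionError("daily conversion limit reached")
            self._ops[account] = self._ops.get(account, 0) + 1
        return convert_hardened(amount, src, dst)


def count_allowed_ops(limit: int, attempts: int) -> int:
    """How many of `attempts` conversions of 0.60 RUB one account gets through."""
    desk = ConversionDesk(limit)
    done = 0
    for _ in range(attempts):
        try:
            desk.convert("acct-1", "0.60", "RUB", "USD")
        except PermissionError:
            break
        done += 1
    return done


if __name__ == "__main__":
    print("vulnerable round trip of 0.29 RUB gains", round_trip_gain(convert_vulnerable, "0.29"))
    print("hardened refuses 0.29 RUB:", rejects_below_minimum("0.29"))
    print("hardened round trip of 0.89 RUB gains", round_trip_gain(convert_hardened, "0.89"))
    print("ops allowed with cap 2:", count_allowed_ops(2, 5))
```

`round_trip_gain(convert_vulnerable, "0.29")` returns the article's figure of 0.31, while the hardened converter refuses 0.29 RUB and turns 0.89 RUB into a round trip that loses 0.29. The general rule the hardened path applies is that rounding in any conversion or fee calculation must never favour the party initiating the operation, and that limits must be checked and updated under a lock (in a real system, a database row lock in the same transaction) so that concurrent requests cannot each pass the check.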

Vulnerabilities by developer

There are more high-risk vulnerabilities in RBS systems supplied by vendors (49%) than in systems developed by a specific bank itself (40%). Moreover, systems delivered by professional developers contain on average 2.5 times more vulnerabilities at the application code level than in-house developments. This can be explained by the fact that when vendor software is used, the bank relies mainly on the supplier for code quality, while the complex architecture, cross-platform nature and large number of functions of RBS systems do not always allow the vendor to ensure the due level of security at the application code level.

Image:уязвимости онлайн-банков 2014 03.png

Vulnerabilities of mechanisms of protection

The most widespread flaw of identification mechanisms in RBS systems is a predictable account identifier format (64% of systems). Knowing several identifiers that exist in a system, an attacker can work out how they are formed and select the ones needed. 32% of the studied systems disclosed information about existing accounts by returning different responses depending on whether the entered identifier existed; in 20% of cases the RBS system contained both of the above identification vulnerabilities.

58% of the systems considered had flaws in the implementation of the authentication mechanism: a weak password policy, insufficient protection against credential guessing, the possibility of bypassing the CAPTCHA mechanism, or no mandatory two-factor authentication when logging into the personal account.

79% of systems contained various flaws in authorization and transaction protection. In 42% of cases an attacker could gain unauthorized access to user data (personal data, information on accounts, payments, etc.), and in 13% of systems the intruder could directly perform banking operations on behalf of other users.
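
The identification and authentication flaws listed in this section (predictable identifiers, responses that reveal whether an account exists, a weak password policy, unlimited guessing, no mandatory second factor) are all design decisions that can be made the other way. The Python below is an added example for this article, not code from the studied systems or from Positive Technologies; its password length policy, lockout threshold and PBKDF2 cost are hypothetical values, and the second factor itself is left as the next step the login returns.

```python
import hashlib
import hmac
import os
import secrets

INVALID = "invalid_credentials"          # one answer for every failure cause
NEXT_STEP = "second_factor_required"     # the password alone never opens the account


class AuthService:
    """Front door of a hypothetical RBS login: unpredictable identifiers, a
    uniform failure response, slow password hashing, a length-based password
    policy and a lockout counter."""

    def __init__(self, max_failures: int = 5, min_password_len: int = 12,
                 pbkdf2_rounds: int = 100_000):
        self._users = {}
        self.max_failures = max_failures
        self.min_password_len = min_password_len
        self.rounds = pbkdf2_rounds
        # Salt hashed against when the identifier is unknown, so response time
        # does not reveal whether the account exists.
        self._decoy_salt = os.urandom(16)

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.rounds)

    def register(self, password: str) -> str:
        """Create an account and return its public identifier. The identifier
        is random, so knowing several of them says nothing about the others."""
        if len(password) < self.min_password_len:
            raise ValueError(f"password must have at least {self.min_password_len} characters")
        public_id = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self._users[public_id] = {"salt": salt, "hash": self._hash(password, salt),
                                  "failures": 0, "locked": False}
        return public_id

    def password_step(self, public_id: str, password: str) -> str:
        """First factor only. Unknown identifier, wrong password and locked
        account all yield the same string; a correct password only advances
        the login to the mandatory second factor."""
        user = self._users.get(public_id)
        if user is None:
            self._hash(password, self._decoy_salt)   # same cost as a real check
            return INVALID
        if user["locked"]:
            return INVALID                            # unlock happens out of band
        if hmac.compare_digest(self._hash(password, user["salt"]), user["hash"]):
            user["failures"] = 0
            return NEXT_STEP
        user["failures"] += 1
        if user["failures"] >= self.max_failures:
            user["locked"] = True
        return INVALID


def run_auth_demo() -> dict:
    """Exercise the service with constructed accounts and collect the outcomes."""
    svc = AuthService(max_failures=3)
    try:
        svc.register("short")
        weak_rejected = False
    except ValueError:
        weak_rejected = True
    uid = svc.register("correct horse battery staple")
    other = svc.register("another sufficiently long pass")
    out = {
        "weak_password_rejected": weak_rejected,
        "ids_differ": uid != other,
        "unknown_user": svc.password_step("no-such-id", "whatever"),
        "wrong_password": svc.password_step(uid, "wrong"),
        "correct_before_lock": svc.password_step(uid, "correct horse battery staple"),
    }
    for _ in range(3):
        svc.password_step(uid, "wrong")
    out["correct_after_lock"] = svc.password_step(uid, "correct horse battery staple")
    return out


if __name__ == "__main__":
    for key, value in run_auth_demo().items():
        print(f"{key}: {value}")
```

Two details carry most of the value. The unknown-identifier branch performs the same PBKDF2 work as a real check, so neither the message nor the response time tells a caller whether an account exists, which is the 32% finding. The public identifier comes from the CSPRNG rather than from a counter or a card number fragment, which is the 64% finding; an internal numeric key can still exist, but it never leaves the server.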

Image:уязвимости онлайн-банков 2014 04.png

Vulnerabilities of mobile clients

Client software for Android is more vulnerable than iOS applications. In particular, critically dangerous vulnerabilities are present in 70% of Android applications and in 50% of iOS applications. On average each Android application contains 3.7 vulnerabilities, while for iOS applications this figure is 2.3.

The vulnerabilities most often found in mobile RBS systems are connected with insecure data transmission (73%), followed by insufficient session protection (55%) and insecure data storage in the mobile application (41%).

Image:уязвимости онлайн-банков 2014 05.png

Although the most widespread vulnerabilities of mobile RBS systems are of medium or low risk, in some cases a combination of the discovered flaws made serious security risks possible. For example, one of the studied applications sent a broadcast message containing the one-time transaction password received in the bank's SMS message, and this broadcast could be intercepted by a third-party application. Besides, the same application wrote important data, such as the user account, to its log, so that after a successful infection of the user's device with malicious code an attacker could gain full access to the authentication data and carry out transactions on behalf of the application's user.

91% of attacks using mobile banking Trojans are aimed at Russia

According to the results of a mobile threat study conducted by Kaspersky Lab together with Interpol from August 2013 to July 2014, 60% of the attacks on Android devices blocked by the company's security products were aimed at stealing users' money. In most cases the fraudsters were interested in the finances of Russians, but users in Ukraine, Spain, Great Britain, Vietnam, Malaysia, Germany, India and France were also attacked.

Worldwide, more than 588 thousand Android users encountered banking and SMS Trojans over the studied period, 6 times more than in the previous comparable period.

Overall, 57% of all registered incidents involved the SMS Trojan family, which sends paid short messages to premium numbers without the owner's knowledge. The majority of such cases (64.4%) affected Russian users. Similar attacks were also recorded in Kazakhstan (5.7%), Ukraine (3.3%), Spain (3.2%), Great Britain (2.4%), Malaysia (2.3%), Germany (2%), India (1.6%) and France (1.3%).

In 2% of cases the SMS Trojan acted together with banking malware; this approach allows stealing bank card data as well as login credentials for online banking systems. The ranking by number of incidents with mobile banking Trojans is also headed by Russia, which accounted for 91% of attacks. Over 12 months the number of such malicious programs grew 14 times. New versions were produced by making minor changes to the original code, which can hinder detection of the malware by security software.

RBS systems are most vulnerable to Cross-Site Scripting

In summer 2014 Positive Technologies presented the results of its website security analysis and a ranking of the most widespread website vulnerabilities. According to the research, the number of websites with high-risk vulnerabilities has grown considerably: 62% of websites in 2013 contained high-risk vulnerabilities, 45% more than the year before. A considerable part of the studied portals belonged to banks, because of the increasingly frequent attacks in this sector.

In total, about 500 websites were studied during the security analysis work carried out by the company in 2013, and 61 of them underwent deeper analysis. Most of the websites considered belong to Russian companies, but some foreign systems were included in the research as well.

The research was based on the actual results of security analysis work performed by experts using instrumental and manual methods at the request of the owners of the corresponding systems. Thus, for each system considered, the data covers vulnerabilities that are definitely present (each vulnerability underwent manual verification).

In most cases the analysis was carried out by black-box or gray-box methods (i.e. the researchers were in the same conditions as a potential attacker); for 13% of systems the application source code was additionally provided for analysis. The applications considered included websites in commercial operation and test systems at the acceptance stage.

The most widespread vulnerability of 2013, Cross-Site Scripting, is present on 78% of the studied websites. This flaw allows an attacker to influence the content of the web page displayed in the user's browser, including for the purpose of distributing malicious code or obtaining the victim's credentials. For example, in the case of a vulnerable Internet banking system the attacker can craft a link pointing to the bank's real website which, when followed, shows the user a fake authorization form; the data entered by the user is sent to the attacker's server.

In second place by prevalence (69%) is insufficient protection against guessing of user identifiers or passwords (Brute Force), for example because the CAPTCHA mechanism is absent or implemented incorrectly.

The top 10 also included two high-risk vulnerabilities: SQL Injection (43%) and XML External Entity injection (20%).

Websites written in PHP were the most insecure: 76% of them contain critical vulnerabilities. Web resources in Java (70%) and ASP.NET (55%) are less vulnerable. The dangerous SQL Injection vulnerability is present on 62% of websites written in PHP; for other languages this figure is much lower.

In the banking sector most fraud in Russia is connected with counterfeit cards (generally the result of skimming). The damage from online fraud, which is connected (not entirely, but directly) with flaws in RBS systems, amounted to 1.6 billion rubles.

According to the research, none of the studied RBS systems fully met the requirements of the PCI DSS security standard. The most relevant vulnerability for RBS systems was the medium-risk Cross-Site Scripting, present in 75% of RBS systems, which can lead to attacks on users through phishing and the distribution of malicious code. As for high-risk vulnerabilities that allow attacks on server components, the most widespread of them, found in half of the RBS systems considered, can lead to denial of service and to reading files on the server. However, this research assessed only the overall risk level of vulnerabilities according to the CVSS (Common Vulnerability Scoring System) methodology, whereas for RBS systems the crucial factors are flaws in the system's operating logic and the possibility of turning the detected flaws into withdrawal of money. And, as last year's Positive Technologies research shows, a combination of medium-risk vulnerabilities can often lead to theft of money from the client.

Demand for security analysis of media websites also grew, which is connected with high-profile cases of their hacking and the spread of misinformation. Websites of public institutions, industrial enterprises and telecommunication companies were also studied.

2013: What Internet banking costs us

For the first three quarters of 2013, according to Symantec, the number of financial Trojans tripled, and today they are one of the most widespread types of threats. To better understand the scale and mechanisms of financial Trojans, Symantec experts analyzed more than 1000 configuration files of eight Trojan programs aimed at banking systems.

In 2007 the advanced financial Trojan named Zbot (Zeus) appeared. It was created by a Russian virus writer under the nickname Slavik/Monstr and sold on the black market for thousands of dollars. Two years later this Trojan got a competitor named SpyEye, whose author was a certain Gribodemon. The new product was more affordable, at $700. The underground market of financial Trojans flourished.

Since then the market has changed significantly: in 2011 the Zeus source code was stolen and published, which led to a sharp collapse of its price. From that point a multitude of Zeus versions began to appear, including the modified Ice IX and Citadel, which started to compete for the market. Cybercriminal gangs also created alternative Zeus variants intended for private use, such as the well-known Gameover, which appeared in July 2011. A month after the publication of the Zeus source code, someone known as Xylibox gained access to the SpyEye source code by hacking, which led to a similar price collapse. At present there is no information about further development of these two Trojans by their creators. Many current financial Trojans borrowed techniques and architecture from SpyEye and Zeus.

By May 2003 there were about 20 different banking Trojans. As financial institutions strengthened their protection and fraud detection systems, attackers adapted, and a multitude of banking Trojans has appeared since. Unfortunately, the implementation of new, reliable protection technologies happens quite slowly, and attackers successfully exploit vulnerabilities of the existing, still imperfect, mechanisms. Over the last few years Trojans have become much more sophisticated, and financial Trojans are one of the most widespread types of threats today.

For the first nine months of 2013 the number of infections at financial institutions increased by 337%, which amounts to nearly half a million infections a month. To better understand the scale and mechanisms of financial Trojans, Symantec experts analyzed more than 1000 configuration files of eight Trojan programs aimed at banking systems. These files store information about the attacked URL addresses and about the attack strategy. Strategies vary from simple redirection of users to complex web injects capable of automatically performing transactions in the background.

The analyzed configuration files contained more than 2000 addresses belonging to 1486 victim organizations, nearly 95% of which are financial institutions. The remaining 5% are companies offering online services, for example media, job search websites, auctions and e-mail services. This indicates the wide reach of such Trojans: attackers will go after any target capable of yielding a profit. Financial institutions of practically all types are attacked, from commercial banks to credit unions.

The main targets are the websites of classical banks; however, organizations of a new type are also being considered as potential targets. Trying to maximize profit, attackers are beginning to attack popular and therefore lucrative financial transaction networks, such as the American Automated Clearing House and the European Single Euro Payments Area (SEPA), which was attacked quite recently.

Key points of the research:

  • More than 1400 financial institutions are targets of attacks using financial Trojans;
  • More than 50% of the Trojans attacked the top 15 financial institutions of the world;
  • The most "popular" bank is located in the USA and was attacked by 71.5% of all analyzed Trojans;
  • Two main attack strategies are recognized: the "focused attack" and "broad strokes";
  • Organizations in 88 countries became targets of attacks;
  • The fraudsters' zone of activity continues to expand into the Middle East, Africa and Asia;
  • Not only electronic banking systems but also companies in other lines of business are now being targeted;
  • Existing techniques are being improved: automation is added and accuracy grows;
  • For the first three quarters of 2013 the number of financial Trojans tripled.

2011-2012

In 2011 hackers stole about 2.3 billion US dollars from remote banking systems (RBS). Ilya Sachkov, CEO of Group-IB, said that attackers carry out about 50 robberies of RBS systems of various banks a day in Moscow.

Fraudsters mainly target small and medium companies, which declare bankruptcy as a result of the attacks. Attackers receive about 2 million rubles for each of the 50 robberies; the number of crimes in the RBS field grew by 200% in 2012.

In 2011, analysts say, the use of Trojan programs was the most popular method of illegally withdrawing money from bank accounts. This trend will persist, since the number of online banking users both in Russia and worldwide is constantly growing. 2012 was marked by growth in narrowly targeted attacks. Credit card and bank account details lead by a wide margin the list of information offered for sale on black virtual markets.

2012

Clients of RBS in Russia lost $446 million in a year (-9%)

In 2012 about 9% less money was stolen from remote banking systems in Russia than in the previous year. This was reported in September 2013 by Group-IB, a company specializing in the investigation of computer crimes, in its status report on cybercrime in the country.

According to the company, in 2012 Russian bank clients lost about $446 million through RBS systems, while in 2011 the figure was $490 million. The average amount stolen from bank clients by cybercriminals was about 75 thousand rubles for individuals and about 1.6 million rubles for legal entities, Group-IB calculated.

To estimate the volume of fraud in Internet banking systems, the company's specialists used a formula that takes into account the number of active criminal groups engaged in such activity, the average number of successful thefts per day, the average amount stolen and the number of working days in a year, since thefts take place only on working days. The estimate drew on data from the company's own practice, from the Central Bank and from other financial institutions.

Group-IB attributes the decrease in the volume of money stolen through RBS systems in 2012 to several factors. One of them, the company says, is the liquidation of a number of large criminal groups. The new groups that replaced them could not achieve similar success, explains Ilya Sachkov, founder and head of Group-IB.

Among other factors he notes the implementation of anti-fraud solutions by the largest banks in Russia and the organization of an interbank blacklist, an exchange of information about persons and organizations involved in cashing out stolen money, which allows fraudulent transactions to be stopped in time.

Among the main trends of 2012 in theft of money through RBS systems, Group-IB notes the use of POS terminals used for bank card payments at retail outlets and catering points in Moscow and other large Russian cities. According to the company's specialists, the software needed to steal bank card data is in such cases often installed with the help of someone on the outlet's staff. Modified POS terminals ready for criminal use are also offered for sale.

Ilya Sachkov preferred not to name the specific outlets in Moscow where such incidents took place in 2012, noting only that the more popular the point and the more bank card transactions made there, the higher the probability of running into an infected POS terminal.

Another key trend, according to Group-IB, is attacks through mobile banking applications. Thus, in 2012 counterfeit applications for Android smartphones that harvested bank card data of Sberbank and Alfa-Bank clients were detected and removed from the Google Play store.

At the end of 2013 a decrease in the volume of theft through RBS systems is hardly to be expected, Ilya Sachkov told TAdviser.

Sberbank stopped embezzlement through RBS channels for the amount of 1.2 billion rubles

In 9 months of 2012 Sberbank stopped more than 5 thousand attempts to steal from individuals for a total of more than 500 million rubles, and over 400 attempts to steal from legal entities for a total of more than 770 million rubles, through RBS channels. Sberbank thereby prevented thefts of more than 1.2 billion rubles. As a result of Sberbank's successful cooperation with law enforcement agencies, a number of organized criminal groups stealing from clients of the Sberbank Onl@yn and Client-Sberbank systems were exposed and detained.

About 8 million individuals and more than 700 thousand legal entities use Sberbank's RBS channels.

"The consolidation of efforts of Sberbank's security service, divisions of the Ministry of Internal Affairs, the FSB and the commercial specialized organization for the investigation of computer crimes "Group of Information Security" allowed us to expose and stop the activity of the most dangerous and active criminal groups, whose members operated from different cities of Russia and from abroad," noted Stanislav Kuznetsov, vice chairman of the board of Sberbank of Russia.

Sberbank's security department notes significant growth in installations of skimming equipment in 2012: 1115 cases in 3 quarters of 2012 compared with 496 for 2011. Sberbank now operates more than 73 thousand self-service devices, and more than 85 million of its bank cards are in circulation.

Cooperation with law enforcement agencies in countering the skimming groups that install equipment intended to collect magnetic stripe data and PIN codes is becoming more effective. In 2012 members of seven criminal groups installing skimming equipment in Moscow and the Moscow region, Irkutsk, Barnaul, Kazan and Yaroslavl were detained. On the basis of the collected evidence 7 people were sentenced to various terms of imprisonment, and for the first time 2 criminals were convicted under Article 272 of the Criminal Code of the Russian Federation, unlawful access to computer information.

Positive Technologies: two thirds of RBS systems can be hacked

In autumn 2013 Positive Technologies presented the results of an analytical study of RBS system vulnerabilities for 2011 and 2012. The work was carried out as part of security analysis services for a number of the largest Russian banks. More than 70% of all tested solutions are RBS systems serving individuals.

As follows from the report, an attacker can gain access to key components (the server OS or DBMS) of every third RBS system. In some cases full control over the system can be seized, which allows performing any monetary transactions in it, attacking adjacent systems in the bank's internal network (the core banking system) or causing a denial of service. 37% of RBS systems allow gaining access to the personal accounts of individual clients and executing unauthorized transactions on their accounts.

High-risk vulnerabilities were found in every second RBS system. But even the absence of critical security flaws does not mean that the funds of the bank and its clients are reliably protected. For unauthorized transactions at the level of an RBS user, it is enough for an intruder to exploit several separate medium-risk vulnerabilities (and such protection flaws were found in all the systems considered).

A common problem of the RBS systems considered in the report is an immature authentication mechanism, including a weak password policy and insufficient protection against credential guessing (Brute Force); 82% of systems were subject to such vulnerabilities. More than 60% of the studied RBS systems contained at least one flaw in the user identification mechanism: a predictable identifier format or disclosure of information about identifiers existing in the system. Besides, more than 80% of systems contained various defects in the authorization mechanism, and in three systems multi-factor authorization of transactions was absent altogether. Taken separately, these flaws as a rule do not pose serious risks to the system, but their combination can be used by an attacker to gain access to users' personal accounts by guessing identifiers and passwords and then to carry out transactions.

Assessing vulnerabilities in RBS systems from different producers, Positive Technologies experts found that the largest number of critical errors is in the products of well-known vendors. Systems delivered by professional developers contain on average nearly 4 times more vulnerabilities at the application code level than in-house products. Moreover, critical vulnerabilities were found only in systems from vendors. The complex architecture, cross-platform nature and large number of functions of such systems do not always allow the vendor to ensure the due level of security.

Security of web applications of the RBS systems

The research center Digital Security Research Group (DSecRG) presented the results of its annual study of the security of domestic RBS systems in 2011. This year the study paid attention not only to the code security of browser plug-ins but also to the architecture of RBS systems, their web interfaces and application software, and the processes by which developers distribute fixes to banks. Overall, the results show that the security level of RBS web applications still remains extremely low: in two years the situation has changed little, Digital Security says.

XSS (cross-site scripting) class errors were found in 100% of the studied systems. This vulnerability type is the second most common in the OWASP Top 10 list. To show that in the context of RBS operation this type of error is really dangerous, a method was developed for using this vulnerability to deceive the user into applying an electronic digital signature (EDS) to a counterfeit payment order, even when protection in the form of a smart card or token is used. Such an attack is possible without infecting the bank client's workstation, Digital Security emphasized.
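
The Cross-Site Scripting scenario that runs through the Positive Technologies findings (a link to the bank's real host that shows a fake authorization form) and the Digital Security finding above both start with a reflected parameter reaching the page unencoded. The Python below is an added example, not code from Digital Security or Positive Technologies; the host bank.example and the query parameter are constructed. It shows the vulnerable rendering beside the encoded one, plus the response headers that blunt the same scenario even if an encoding mistake remains somewhere in the application.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed: a link of the kind described in the text, pointing at the
# bank's own host but carrying a reflected parameter with markup in it.
CRAFTED_LINK = "https://bank.example/login?login=%22%3E%3Cb%3Einjected%3C%2Fb%3E"


def login_param_from_link(link: str) -> str:
    """Extract the reflected `login` query parameter as the server would see it."""
    return parse_qs(urlsplit(link).query).get("login", [""])[0]


def render_login_vulnerable(login_param: str) -> str:
    """Reflects the parameter straight into an attribute: whatever markup the
    link carried becomes part of the bank's page."""
    return (f'<form action="/login" method="post">'
            f'<input name="login" value="{login_param}"></form>')


def render_login_hardened(login_param: str) -> str:
    """Same page with the parameter HTML-encoded for the attribute context."""
    safe = html.escape(login_param, quote=True)
    return (f'<form action="/login" method="post">'
            f'<input name="login" value="{safe}"></form>')


# Headers a hardened deployment adds. `form-action 'self'` stops a form
# injected into the page from posting credentials to a foreign origin, and
# `script-src 'self'` blocks inline script even if encoding is missed.
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; form-action 'self'",
    "X-Content-Type-Options": "nosniff",
}


def markup_survives(renderer, link: str = CRAFTED_LINK) -> bool:
    """True if the injected <b> element ends up as live markup in the page."""
    return "<b>injected</b>" in renderer(login_param_from_link(link))


if __name__ == "__main__":
    print("vulnerable:", markup_survives(render_login_vulnerable))
    print("hardened:  ", markup_survives(render_login_hardened))
```

Encoding has to match the output context (attribute, element body, URL, script), and a template engine that escapes by default is the usual way to make that the path of least resistance; the CSP headers are the second layer for the cases a single reviewer misses.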

As the researchers established, most banking software works with tokens through web technologies, which also gives the attacker leverage. For example, the attacker can covertly request the token's PIN code from any website or even imperceptibly apply the EDS. Besides, architecture errors were found that allow EDS verification to be bypassed when a payment order is accepted, for example through a SQL injection vulnerability. Thus, using SQL injection the attacker can change the status of a payment order without applying the EDS, after which the payment order enters the core banking system, where the concept of an EDS no longer exists, and is therefore executed (if the other parameters of the payment order do not raise the bank operator's suspicion), Digital Security explained. Besides the large number of errors in web applications, problems with ActiveX plug-ins on clients are still relevant.
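
The architecture error described above, a status transition that the core banking system trusts but that never re-checks the EDS, is easiest to see in code. The Python below is an added example for this article, not Digital Security's code or any bank's system; it uses an in-memory SQLite table and an HMAC as a stand-in for the EDS (a real RBS verifies an asymmetric signature against the client's certificate), and the account numbers are placeholders. It contrasts the vulnerable transition, which ignores the signature and splices the order id into the SQL text, with one that verifies the signature over the stored fields inside the same transaction as the status change and binds every value as a parameter.

```python
import hashlib
import hmac
import sqlite3

# Constructed client key. It stands in for the client's EDS key: a real RBS
# verifies an asymmetric signature against the client's certificate.
CLIENT_KEY = b"constructed-demo-client-key"


def order_digest(order_id: str, payer: str, payee: str, amount: str) -> bytes:
    """Canonical bytes the signature covers: the id and every payment field."""
    return "|".join([order_id, payer, payee, amount]).encode()


def sign_order(order_id: str, payer: str, payee: str, amount: str) -> str:
    """Client side: the EDS (HMAC here) over the order contents."""
    return hmac.new(CLIENT_KEY, order_digest(order_id, payer, payee, amount),
                    hashlib.sha256).hexdigest()


def setup_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id TEXT PRIMARY KEY, payer TEXT, payee TEXT, "
                "amount TEXT, signature TEXT, status TEXT NOT NULL)")
    return con


def create_order(con, order_id, payer, payee, amount):
    con.execute("INSERT INTO orders VALUES (?, ?, ?, ?, NULL, 'draft')",
                (order_id, payer, payee, amount))


def attach_signature(con, order_id, signature):
    con.execute("UPDATE orders SET signature = ? WHERE id = ?", (signature, order_id))


def get_status(con, order_id):
    row = con.execute("SELECT status FROM orders WHERE id = ?", (order_id,)).fetchone()
    return row[0] if row else None


def accept_vulnerable(con, order_id):
    """The architecture error from the text: the transition that hands the
    order to the core banking system never looks at the signature, and the id
    is spliced into the SQL text, so anything that reaches this statement
    moves an unsigned order to 'accepted'."""
    con.execute(f"UPDATE orders SET status = 'accepted' WHERE id = '{order_id}'")


def accept_hardened(con, order_id):
    """Verify the EDS against the stored fields inside the same transaction as
    the status change, and bind every value as a parameter."""
    with con:
        row = con.execute("SELECT payer, payee, amount, signature FROM orders "
                          "WHERE id = ? AND status = 'draft'", (order_id,)).fetchone()
        if row is None:
            raise LookupError("no draft order with that id")
        payer, payee, amount, signature = row
        expected = sign_order(order_id, payer, payee, amount)
        if signature is None or not hmac.compare_digest(signature, expected):
            raise PermissionError("EDS missing or does not match the order contents")
        con.execute("UPDATE orders SET status = 'accepted' WHERE id = ? AND status = 'draft'",
                    (order_id,))


def run_order_demo() -> dict:
    """Three constructed orders: signed, never signed, and altered after signing."""
    con = setup_db()
    payer = "40817810000000000001"  # placeholder account numbers
    create_order(con, "ORD-1", payer, "40817810000000000002", "100.00")
    create_order(con, "ORD-2", payer, "40817810000000000003", "5000.00")
    create_order(con, "ORD-3", payer, "40817810000000000004", "100.00")
    attach_signature(con, "ORD-1", sign_order("ORD-1", payer, "40817810000000000002", "100.00"))
    attach_signature(con, "ORD-3", sign_order("ORD-3", payer, "40817810000000000004", "100.00"))
    # Simulate the amount being changed after signing: the digest no longer matches.
    con.execute("UPDATE orders SET amount = ? WHERE id = ?", ("9000.00", "ORD-3"))

    out = {}
    accept_hardened(con, "ORD-1")
    out["signed"] = get_status(con, "ORD-1")
    for key, order_id in (("unsigned", "ORD-2"), ("tampered", "ORD-3")):
        try:
            accept_hardened(con, order_id)
        except PermissionError:
            pass
        out[key] = get_status(con, order_id)
    try:
        accept_hardened(con, "ORD-2'")        # a quote in the id is just data
        out["quoted_id"] = "matched"
    except LookupError:
        out["quoted_id"] = "no match"
    accept_vulnerable(con, "ORD-2")
    out["unsigned_via_vulnerable"] = get_status(con, "ORD-2")
    return out


if __name__ == "__main__":
    for key, value in run_order_demo().items():
        print(f"{key}: {value}")
```

The point the hardened path makes is structural rather than syntactic: the signature is recomputed from what is stored, not from what the client sent, so a change to any field after signing (by injection or otherwise) invalidates the order, and the status can only move from draft to accepted through this one code path. Parameter binding removes the injection vector the text names, but on its own it would not have caught the missing verification.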

The results of this research were presented at the international ZeroNights 2011 conference in November in St. Petersburg. During the ZeroNights conference, exploits and 0-day vulnerabilities in user plug-ins of RBS systems were shown. According to Digital Security specialists, such vulnerabilities are dangerous because they allow targeted attacks on system users, compromising their workstations.

"In spite of the fact that we tried to draw attention to the problems of RBS systems two years ago, no noticeable improvement in code quality has happened," Alexey Sintsov, head of the cybersecurity audit department of Digital Security, commented on the results of the research. "So, for example, a year ago one vulnerability was found in a product, and the developer was told about it. The developer released an update but did not check the rest of the code for the same problems. It is logical that a year later a similar problem was found again, in another place in the code of the same program. Besides, in practically all applications, both web and ActiveX, the known and popular protection mechanisms are not applied. And in two years the situation has not changed. For example, we have not met RBS systems that would use flags to protect cookies, let alone protection against clickjacking attacks."

According to Alexey Sintsov, the research also showed that there are long-standing problems with distributing fixes for discovered vulnerabilities. "So, for example, we still see solutions used by many with an outdated ActiveX client part containing vulnerabilities that the developer was told about more than a year ago. Moreover, the same situation holds for web vulnerabilities (in the server part): after vulnerabilities are discovered, the developer releases updates and installs them within one specific RBS implementation. At the same time, a year and a half later we see another implementation by the same developer with similar vulnerabilities, due to the use of a shared core of the system. So today in practice we see that most developers of RBS systems simply hide cybersecurity problems in their products from banks and do not even try to think about their security."
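The cookie flags and clickjacking protection Sintsov refers to can be checked mechanically on every response the RBS web application returns. The following Python audit function is an added example, not code from Digital Security or from any RBS vendor; the two header sets it runs against are constructed.

```python
from http.cookies import SimpleCookie

# Constructed response header sets (name, value) for a hypothetical RBS login page.
WEAK_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "JSESSIONID=c0ffee; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "JSESSIONID=c0ffee; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
]


def audit_response_headers(headers):
    """Return findings for one HTTP response: cookie flags and framing protection."""
    findings = []
    frame_guard = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)  # parses attributes such as Secure, HttpOnly, SameSite
            for key, morsel in jar.items():
                if not morsel["secure"]:
                    findings.append(f"cookie {key}: missing Secure flag")
                if not morsel["httponly"]:
                    findings.append(f"cookie {key}: missing HttpOnly flag")
                if not morsel["samesite"]:
                    findings.append(f"cookie {key}: missing SameSite attribute")
        elif lname == "x-frame-options":
            if value.strip().upper() in ("DENY", "SAMEORIGIN"):
                frame_guard = True
        elif lname == "content-security-policy":
            if "frame-ancestors" in value.lower():
                frame_guard = True
    if not frame_guard:
        findings.append("no clickjacking protection "
                        "(X-Frame-Options or CSP frame-ancestors)")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response_headers(hdrs) or ["ok"])
```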

Russian remote banking (RB) systems are in the sights of an international hacker group that steals millions of dollars a week. The number of intrusions into banking accounting systems has grown by more than 200%.

2011: Attacks by the Carberp trojan

Main article: Carberp (trojan)

Preconditions and trends in the development of fraud in Russian RBS

Banks offer electronic payments and mobile payments, and are becoming infrastructure providers. Traditional banks have infrastructure, banking licenses, and connections to payment systems and financial markets. They expand the scope of payments and offer their clients personal financial management of an asset portfolio and various financial products. What does payment security mean in such an ecosystem? Payments between companies are governed by agreements between the enterprises (B2B). Individual payments are initiated by an electronic payment document containing the client's instruction to the bank to transfer a certain amount of money from the client's account at this bank according to specified payment details (B2C).

More and more people in our country use banks to store money, and the regions are joining the trend of keeping finances in financial institutions ever more actively. As a result, the number of people who fully use these organizations' services is growing. Among RBS users there are now not only specialists capable of protecting themselves in the information sphere, but also ordinary people who pay too little attention to computer security. The number of banking service users has already reached a level that is of serious interest to attackers, and the growth in popularity of RBS is not slowing down, owing to regional development[6].

The first precondition – growth in the number of service users

The number of paid services that banks provide through RBS, from paying for a mobile phone to paying off loans and fines, grows constantly. Thus, the ever-increasing number of users is compounded by these users' ever more active use of banking services.

The second precondition – expansion of the quality and number of services provided

In addition, users actively use mobile devices to perform banking transactions. The fact that anyone can work with bank accounts from any gadget has both positive and negative sides for the industry. On the one hand, it allows banks to minimize spending on branches, reducing the cost of serving users. On the other hand, whereas banks once regarded themselves as comparatively well-protected structures, because the main part of transactions was conducted in the bank's local networks without leaving the organization or its local offices, interaction with the bank now happens over the Internet, and while the server part is still protected well, the client part is almost unprotected.

The third precondition – use of mobile platforms, in all their variety, for working with RBS

Existing solutions are capable of protecting a personal computer or laptop, but they consume too many resources to remain effective on gadgets whose capabilities are limited compared to full-fledged computers. There is a need for a new approach to protection, consisting not in constant monitoring of new threats and defense against them, but in proactive protection of the infrastructure of the devices that work with banks. Besides optimal resource consumption and no need for regular updates, such an approach has an additional plus: ensuring the integrity of a system protects not only from epidemic threats, but also from targeted attacks and zero-day threats that antiviruses do not detect at the time they emerge.

The fourth precondition – today's insufficient protection of the whole range of devices and platforms

In light of banks' future liability to clients, their care for the client's safety is reaching a new stage of development. Does this mean that new technologies of proactive protection will be implemented in systems connected with RBS in the near future, or will banks otherwise incur escalating losses?

Protection options

Turning to the statistics, one can notice that 70% of attacks on the client part of RBS happen when keys are stored on unprotected media. A large number of banks are moving to two-factor authentication technologies with key information stored in non-extractable form in an eToken or a smart card. Considering that these can combine a bank card and an access card to other services, for example the state services portal, such a solution becomes a competitive advantage for those who react in time. If a bank is not indifferent to the reputational and financial risks that arise when implementing RBS technologies, it should offer the client modern security tools.

[Image: eToken GOST USB keys and smart cards]

Besides, legislators push bankers toward more responsible handling of clients' funds. For example, law No. 161-FZ establishes that "... the money transfer operator is obliged to reimburse the amount of a transaction made without the client's consent if it does not prove that the client violated the procedure for using the electronic payment instrument ...". It is difficult to imagine how such a situation could be analyzed without strong authentication. At the same time, one of the main points for banks is that the means of authentication and data protection must be certified. This gives a guarantee of the reliability of the implemented solution and ensures compliance with the requirements of Russian legislation on the use of cryptographic information protection tools.

However, having two-factor authentication tools alone no longer guarantees protection against losses. It is highly desirable to supplement authentication with a token or smart card with one more factor. Some banks already offer clients options with additional entry of one-time passwords. This can be implemented in different ways: as OTP tokens or applications running on the mobile phone, via the SMS channel, with special SIM cards, or with protected SD cards installed in the mobile device. A good option for an additional authentication factor is biometrics. It can be used as a means of access to a token if the smart card reader is also equipped with a biometric sensor. The use of biometrics makes intercepting the password to a USB key much more problematic.

Traditionally, the main problem of remote banking is ensuring a trusted execution environment for banking applications. The software of practically all developers contains quite a large number of vulnerabilities, and RBS systems are no exception.

With attack tools constantly evolving, protection should respond adequately. Tools providing a trusted environment for electronic signature operations are already on the market. Among them are computers with trusted boot implemented in the BIOS (for example, from Kraftway). This excludes the influence of viruses loaded before the system starts and of viruses that modify the BIOS (implemented as a hypervisor in the BIOS, such a virus cannot be detected by tools started after it).

Smart card readers with visualization of the significant fields of the signed document have also appeared on the market. After the payment document is formed, it is transferred over USB to the reader, and the significant fields of the document are shown on its screen. Signing is initiated by pressing a button on the device and happens in its isolated environment, and the signed document is then transferred back to the computer. Thus, attacks that substitute the document or take control of the computer are ruled out.

The skill level of personnel, their sufficiency and motivation, and also the information security budget have a serious impact on RBS safety. Insufficient qualification and motivation lead to long-familiar but still current problems such as default passwords left on network equipment, the same password on different resources, and remote access that circumvents the general rules and policies. Universal virtualization and the push "into the cloud" do not reduce the number of problems either. The limited budgets of small organizations and individuals and the shortage of specialists often delay the implementation of the full range of necessary technologies and slow the reaction to newly arising threats. Only a careful and comprehensive risk assessment and a well-thought-out system for managing those risks can help.

Mobile banking

At the moment the number of RBS users is growing due to the increase in the number of people using online banking via mobile phones.

The analytical company Juniper Research counted that in 2011 the number of mobile banking users in the world reached 300 million. Watching the development of the global e-commerce market, experts predict a noticeable rise in the audience of mobile banking adherents, to 530 million people by 2013. Analysts are sure that the popularity of mobile banking will grow despite economic problems in the world and the threat of a deepening global recession. Moreover, mobile banking solutions will give banks the chance to increase operational efficiency and to retain and attract consumers at the lowest cost.

Recently experts increasingly talk about the prospects of a solution such as a SIM card with an EDS "on board". Its main field of application is using the mobile phone to perform (confirm) transactions that require strict authentication procedures for data and for the parties to the information exchange, which is also relevant for RBS. Creating such a device requires effort, but today it appears to be the best solution against the mounting wave of fraud and could be a serious breakthrough toward reliable security services.

The human factor on the side of fraud

Taking into account the entry into force of provisions of law No. 161-FZ "On the National Payment System", from the beginning of 2013 banks are obliged to compensate clients who are individuals for losses from fraudulent transactions. In other words, fraudsters will steal funds not from the bank's clients but from the bank itself. Therefore banks are now very concerned with strengthening security measures.

The fight against fraud in the field of RBS can be conventionally divided into two directions: increasing protection on the client side, or strengthening security measures on the bank's side. Unfortunately, the main problem with implementing protection systems on the client side is the human factor. Whatever protection tools the bank offers the client, there will always be a way to bypass them. A person can easily be deceived using social engineering methods or by forging the text on the screen; he can lose vigilance, forget something, get distracted, or make a mistake, and these factors cannot be excluded completely. However, citizens now have a reason to become more attentive. Under the law mentioned above, the bank will not compensate the client for losses from fraudulent transactions if it proves that the person violated the procedure for using the electronic payment instrument.

Hi-tech methods of fighting fraud

On the bank's side, intelligent antifraud systems are used for fraud prevention; they perform a multi-criteria analysis of each payment order received by the bank for execution. Long-term experience of fighting fraudulent payments in RBS systems shows that these protection tools are effective. However, an antifraud system has to be improved continuously, taking into account the evolution of cyber-fraudsters.

For example, even the most intelligent antivirus cannot detect the latest modifications of a virus if fresh virus description databases have not been delivered to it in time. With an antifraud system everything is similar: ordinary installation and one-time configuration of the system will not save banks from fraudulent activity. If the system is not improved, after a while its efficiency drops to zero. The key point in operating such a solution is that its developer has a service that refines the antifraud system in line with the current fraud situation.

An approach in which the bank develops an antifraud system on its own is fundamentally wrong: the corresponding experts should be engaged in this on a centralized basis. Creating one's own solution is comparable in effectiveness to a bank developing its own antivirus system by its own efforts. No single bank will encounter all viruses, and therefore it will not know the subtleties of all methods of committing fraud.

Fraud in RBS: evolution through the eyes of experts

The first mass cases of theft of funds through RBS systems in the Russian Federation were recorded in 2006-2007. At that time the victims of fraudsters were clients who were individuals. The choice was not accidental: caring about the convenience of clients' work, in most cases banks required clients to enter an ordinary "secret" password to confirm a payment. Scratch cards, EDS keys, and all the more so one-time passwords sent to a mobile phone were not widespread; support for such protection tools was implemented in the RBS of a limited number of banks.

The level of protection provided by an ordinary password did not withstand any criticism. Even a schoolchild could install and configure a keylogger (crimeware that records the characters typed on the keyboard) to learn the "secret" password of a potential victim.

It should be noted that the use of unsafe means of payment confirmation was compensated by the limited functionality of the RBS system. In most cases the client was only given the opportunity to view the balance of their accounts, pay utilities, or top up a mobile phone.

The last function (payment for mobile operators' services) was also used by attackers to steal funds from a client's account: initially the money went to a mobile phone account (whose SIM card was, as a rule, bought in an underground passage), then the funds were moved to other accounts via specialized gateways. After the theft the SIM card was thrown away, and it was almost impossible to find the attackers.

The small amount that attackers could steal from one client was due to the limits on payment amounts set by the mobile operator and the bank.

A distinctive feature of fraudulent payments of that time was that attackers hedged their bets in every possible way and therefore worked in the RBS system via anonymous proxy servers located in other countries. Such an approach served as a peculiar organizational barrier, complicating the work of law enforcement agencies in conducting investigative and search operations and in finding the attacker.

However, this feature allowed antifraud systems to simply and effectively detect the fact that an attacker was at work and, accordingly, to prevent embezzlement.

Fraud development: theft from legal entities

The limited functionality of RBS for individuals did not allow attackers to take full advantage of remote service, namely to make large payments directly to bank cards. Therefore the functionality of the specialized software used to steal RBS authentication data was extended with a new capability: in addition to the login and password, attackers could copy the files containing the EDS keys.

As a result, at the turn of 2007-2008 the explosive growth of fraud in the RBS of legal entities began.

The first cases of embezzlement from accounts of legal entities differed little from theft in the RBS of individuals: the fraudulent payment topped up a mobile phone or the accounts of virtual wallets of electronic payment systems (mainly Yandex.Money and WebMoney). The initial amounts that attackers stole from accounts of legal entities were only slightly larger than similar fraudulent payments from accounts of individuals.

In most cases attackers, as before, made the fraudulent payment from the same computer, continuing to connect to RBS through the IP addresses of other countries, using anonymous proxy servers.

Such fraudulent payments were effectively detected by antifraud systems: as a rule, legal entities seldom make payments in favor of electronic payment systems or top up a mobile phone.

Besides, having recorded a surge in fraudulent payments, most payment systems that allow topping up virtual wallets by bank transfer set their own limits. For example, the Yandex.Money system at the moment allows topping up an e-wallet by payment order for an amount of no more than 15 thousand rubles, which makes it inconvenient for withdrawing funds.

Automation of crime

Progress in the development of the malicious software used by attackers made possible the automated theft of the client's confidential information required to log in and create a payment in the RBS system (i.e. the login, the password, the client's secret key, and also the IP address of the RBS server the client works with).

All the collected information was automatically consolidated on a central server, and the attackers only had to log in one after another under the collected client accounts and steal funds from those accounts.

Characteristically, such automation led to a kind of "division of labor": groups specializing in collecting data for committing the crime began to form, along with groups specializing directly in stealing funds from a client's account (using data bought on the "black market" from the first group).

One feature of this period was that, despite the common "handwriting" of fraudulent payments against different clients, in the overwhelming majority of cases the work was done from different "clean" computers. It can be assumed that attackers worked from virtual machines, restoring the operating system from a "clean" image every time (this is how, for example, the "Revert to snapshot when power off" option in the properties of a VMware virtual machine works). Most likely, this was done not in order to destroy any evidence of unlawful activity, but because of the incompatibility of different versions of the browser add-ons that had to be installed to work in the RBS system.

The new functionality of the malicious software allowed copying not only the contents of secret keys but also information about the location of the corresponding files on disk. Whereas earlier the attacker had to save the key files in a temporary folder on disk and reconfigure the RBS client part for the new file location (which was one of the effective "signals" for an antifraud system about suspicious client actions), now these files were automatically placed in the same disk location that was used on the client's computer. Even if the client stored key files on a floppy disk (visible in the operating system as drive B:), drive B: was emulated on the attacker's computer, similar directories were created on it, and the RBS interface did not notice the substitution of the client's computer.
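The signals this section describes (sessions from foreign proxies, legal entities paying e-wallets or mobile top-ups, key files loaded from an unusual location, previously unseen "clean" machines) can be combined into a simple multi-criteria score of the kind the antifraud discussion above calls for. The following Python is an added example, not any vendor's antifraud system; the client profile, payee categories, rule weights and sample payments are all constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed payee categories (not from the page) used by the rules below.
E_WALLET_PAYEES = {"yandex-money-gateway", "webmoney-gateway"}
MOBILE_TOPUP_PAYEES = {"mobile-operator-topup"}


@dataclass
class Payment:
    client_id: str
    client_type: str   # "legal" or "individual"
    payee: str
    amount: int        # rubles, constructed
    src_country: str   # country of the session's source IP
    key_path: str      # EDS key file location reported by the client part
    device_id: str     # browser/OS fingerprint of the session


@dataclass
class ClientProfile:
    home_country: str
    usual_key_path: str
    known_devices: set[str] = field(default_factory=set)


def score_payment(p: Payment, profile: ClientProfile) -> tuple[int, list[str]]:
    """Weighted rules drawn from the signals in the text; the weights are constructed."""
    score, reasons = 0, []
    if p.src_country != profile.home_country:
        score += 3
        reasons.append("session from a foreign IP / anonymous proxy")
    if p.client_type == "legal" and p.payee in E_WALLET_PAYEES | MOBILE_TOPUP_PAYEES:
        score += 3
        reasons.append("legal entity paying an e-wallet or mobile top-up")
    if p.key_path != profile.usual_key_path:
        score += 2
        reasons.append("EDS key file loaded from an unusual location")
    if p.device_id not in profile.known_devices:
        score += 1
        reasons.append("payment from a previously unseen 'clean' machine")
    return score, reasons


def triage(payments: list[Payment], profiles: dict[str, ClientProfile],
           threshold: int = 4) -> list[int]:
    """Indices of payments to hold for manual review before execution."""
    return [i for i, p in enumerate(payments)
            if score_payment(p, profiles[p.client_id])[0] >= threshold]


# Constructed sample data: one legal-entity client, three payment orders.
SAMPLE_PROFILES = {
    "ooo-romashka": ClientProfile("RU", r"B:\keys\secret.key", {"dev-office-1"}),
}
SAMPLE_PAYMENTS = [
    Payment("ooo-romashka", "legal", "supplier-ooo-vektor", 250000, "RU",
            r"B:\keys\secret.key", "dev-office-1"),     # routine supplier payment
    Payment("ooo-romashka", "legal", "yandex-money-gateway", 14000, "NL",
            r"C:\temp\secret.key", "dev-vm-7"),          # the pattern from the text
    Payment("ooo-romashka", "legal", "supplier-ooo-vektor", 300000, "RU",
            r"C:\temp\secret.key", "dev-vm-8"),          # new laptop, usual payee
]

if __name__ == "__main__":
    for i in triage(SAMPLE_PAYMENTS, SAMPLE_PROFILES):
        print(i, score_payment(SAMPLE_PAYMENTS[i], SAMPLE_PROFILES["ooo-romashka"]))
```

With the constructed weights only the second payment crosses the threshold; the third, which changes device and key path but keeps the usual payee and country, scores below it and is left for the remaining controls.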

See Also

Notes

  1. According to Positive Technologies
  2. The Central Bank will take Internet banking under control
  3. The Central Bank has submitted new requirements to banks for fighting fraud in the field of RBS
  4. In this research, online banks and mobile banking applications are counted as RBS systems
  5. belong
  6. Remote banking: more dangerous every year