Information security in banks

Central Bank policy in the field of information protection in banks

Main article: Policy of the Central Bank in the field of information protection in the banking system

Bank losses from cybercrime

Main article: Losses of banks from cybercrime

Data leaks from Russian banks

Main article: Data leaks from Russian banks

Attack directions

Telephone fraud

Main article: Telephone fraud

Bank card fraud

Main article: Bank card and payment fraud

DDoS attacks on banks

Main article: DDoS attacks on banks in Russia

Hacking ATMs

• Hacking ATMs
• Jackpotting - installation and activation of malware by criminals on an ATM.

Phishing

• Phishing

2024

Using a deepfake to rob a bank. In what situations it is possible, and how to protect yourself from this

In February 2024, the Russian media disseminated information about the case of allegedly using deepfakes to bypass authentication at Tinkoff Bank. The original source suggested that fraudsters allegedly with the help of a deepfake were able to withdraw 200 thousand rubles from the user's accounts. TAdviser discussed with experts how great the risk of bypassing bank authentication and stealing funds using deepfakes is. More

Elvira Nabiullina proposes to fight credit fraud using the cooling procedure

Chairman of the Central Bank Russia Elvira Nabiullina, within the framework of the finance forum Cyber security in mid-February, summed up statistics on financial fraud and proposed additional methods to reduce damage from both fraudulent transactions and credit fraud. More

Attackers attack Russian banks with millions of SMS trying to hack customers' personal accounts

By the end of 2023, the intensity of SMS attacks in the banking sector has sharply increased in Russia. Cybercriminals use previously leaked combinations of logins and passwords on the Internet, trying to gain access to customer bank accounts. This is stated at the end of January 2024 in a study by Servicepipe, which specializes in the development of information security solutions.

According to the Vedomosti newspaper, referring to Servicepipe data, during 2023 the number of SMS attacks on Russian banks increased by 20%. Attackers throw millions of short messages at financial institutions. So, cases of sending more than 600 thousand were recorded. SMS per day to only one bank. According to analysts, the damage from such attacks can reach 2 million rubles. As a result, the costs of organizations for SMS mailings only in six months (by the end of 2023) increased 1.5 times.

Experts from F.A.C.C.T. (formerly Group IB) are also talking about the growing intensity of SMS attacks in the financial sector. It is noted that such intrusions can lead to overload and even failure of certain banking systems. Cybercriminals get the opportunity not only to check the relevance of contacts from the stolen database, but also to gain financial benefits. On the other hand, in the vast majority of banks, all accounts are protected by two-factor authentication, and therefore, even with knowledge of the login and password, attackers will not be able to steal customer funds.

A study by Servicepipe notes that during SMS attacks, cybercriminals use the so-called simulator bots, which act in the most similar way to legitimate users. In 2023, at least 50% of such malicious traffic comes from the territory of Russia, and therefore filtering by geography is ineffective.^[1]

Attackers began to arrange "carpet" attacks on Russian banks

Hackers in early 2024 began to use the method of "carpet attacks" of Russian banks. "We are fixing the trend for the so-called" carpet attacks, "when attackers simultaneously attacked all the resources of a credit institution (not over the top, but all at once)," RIA Novosti reported on January 19, 2024, citing the words of Daniil Bobryshev, head of the department for the development of network and IT infrastructure protection products against DDoS attacks by Servicepipe.

According to the expert, attackers are looking for the most vulnerable Internet services of credit institutions, for example, VPN entry points or remote service services, and it is on them to direct the main volumes of attacks. Previously, hackers simply "went through" all the services of a credit institution and directed an attack on one of them.

Against the background of the constant work of Russian companies to improve the information security circuit, fraudsters are constantly looking for new ways to achieve what they want and steal citizens' data for subsequent use for illegal purposes, said Anton Nemkin, a member of the State Duma Committee on Information Policy, Information Technology and Communications, deputy of the United Russia faction.

{{quote "The number of attacks is still extremely high, and the methods used by hackers are also transforming. But it is worth noting that our country does not stand still either - for example, in the spring of 2024, the Russian national system for countering DDoS attacks should be launched, in test mode it was launched at the end of 2023. Operators, resource owners and, in general, Russian companies voluntarily connect to it, no responsibility is provided. Nevertheless, they themselves should be interested in such work against the background of the constantly growing number of threats, - said the deputy. }}

2023

For the year, the number of cyber attacks on the financial sector rose by a quarter

Since the beginning of 2023, creditfinancial industries the number of cyber incidents in - increased by more than a quarter and reached 6.8 thousand. At the same time, the complexity attacks on is also growing. banks At the same time, the amount of funding does not INFORMATION SECURITY correspond to the level of threats. The growth rate of investments cyber security in is significantly lower than in - 5% IT and 12% per year, respectively. This follows from the report prepared by the specialists of the Solar Group, which the company provided on February 14, 2024.

More than a third of attacks in the banking sector (36%) are related to the exploitation of vulnerabilities. In second place (28%) is unauthorized access to systems and services (including components of an automated banking system and remote banking services, internal document management and key databases). A 14% share was taken by network attacks. At the same time, malware in this area accounts for only 4%, which is lower than in other industries. The latter indicates a high level of basic protection of the financial IT infrastructure, that is, well-configured antivirus protection and strict compliance with information security policies by employees.

There are scenarios for identifying incidents inherent in the banking sector. These include attempts to hack databases (DBMSs) of major banking applications, as well as attempts to use employee accounts by third parties. This is due to the fact that databases contain a lot of confidential information, and employees conduct critical operations. That is why banks are more likely than others to ask to run such scenarios as part of monitoring. In total, Solar JSOC launches about 20 new scenarios for detecting cyber incidents in financial institutions per year (in other industries, this figure does not exceed 10 on average).

The most popular way to deliver hacker utilities, including intelligence tools, HPEs and remote administration tools, is phishing: since the beginning of 2023, the number of phishing emails to Russian credit and financial institutions has grown 1.5 times. Most often, in their mailings, attackers imitated shares or polls on behalf of the bank. And their main goal was not bank card data, but access to the client's personal account.

The external digital threat to banks in terms of acquiring is also preserved. So in 2023, experts from the Solar AURA center discovered 5.4 thousand malicious Internet resources that accept electronic payment from users. At the same time, 96% of these sites are illegal gambling.

Also, about 40% of ads on the darknet are associated with the banking sector. In the top, requests for opening accounts, selling and buying access to your personal account, bank cards, cashing, breaking through data and recruiting employees.

The number of cyber strikes on banking web resources (DDoS and web attacks) is gradually decreasing, which is due to the high security of organizations (the presence of WAF and Anti-DDoS solutions) and the inefficiency of mass attacks. So, in 2023, the number of DDoS attacks in the financial sector decreased by almost 9 times. At the same time, there is an increase in the number of scans of web applications, that is, searching for vulnerabilities to carry out a successful attack.

Against the background of other industries, the financial sector copes better with the constant growth of cyber attacks, the level of protection against basic threats is higher here. But the focus of highly qualified attackers has again shifted to the financial industry, so banks need to pay attention to increasing the level of cyber literacy of employees, who often become an entry point into the organization's IT infrastructure. Also, against the background of technological limitations of SIEM systems in terms of the flow of processed data, it is important to increase the viewing area of ​ ​ its information security monitoring centers through special sensors (NTA, EDR, etc.). In addition, it is necessary to build patch management and vulnerability management processes, especially for public services of companies, through which about 70% of all infrastructure hacks have occurred over the past two years, "explained Alexei Pavlov, Business Development Director of the Solar JSOC Cyber ​ ​ Attack Countermeasures Center.

According to the analyst group of the Solar Group, finance along with, telecommunications IT oil and gas the industry, chemistry and petrochemistry, power transport and are included in the list of key customers of information security vendors, forming 67% of the market among commercial companies and 44% of the total information security market. The financial sector itself occupies 13% in the information security market. In 2023, the costs of financial companies for PAC industries , licenses, implementation work, technical support and services amounted to 18 billion. rubles Since banks quite stable security systems were built long before the dramatic growth of cyber threats began, now the costs are mainly spent on updating and introducing fundamentally new solutions.

Despite the fact that the budgets of financial organizations exceed only the budgets of federal executive bodies - 20 billion rubles in 2023, the industry is experiencing an underfunding problem. Over the year, information security budgets increased by 5%, while the growth of IT budgets in finance amounted to 12% (306 billion in 2022 and 343 billion in 2023)

According to analysts of the Solar Group by 2030, the costs of financial companies for information security can amount to 30 billion rubles with a CAGR of 8%, which corresponds to the growth of the information security market as a whole.

Financial companies in Russia increased information security expenses by 7% to 18 billion rubles

Financial companies in Russia in 2023 increased information security costs by 7% (or 1 billion rubles) in comparison with 2022 - up to 18 billion rubles. Such figures in mid-February 2024 were cited by analysts at Solar Group, citing Rosstat data on industry revenue, IT costs and the average number of employees.

According to Vedomosti, citing a study by the group, information security expenses in the financial sector account for about 5-6% of the budget for all information technologies in the industry. In the financial sector, the IT budget for 2023 increased by 12% to 343 billion rubles. That is, the development of information security in financial companies does not keep up with their pace of digitalization, analysts at Solar say.

Financial companies in Russia in 2023 increased information security costs by 7%

Compared to the total profit of banks in 2022-2023. in 1.7 trillion rubles, spending of 17-18 billion rubles looks completely insignificant, says Dmitry Ovchinnikov, chief specialist of the integrated information protection systems department at Gazinformservice. According to forecasts of Solar experts, by 2030 the annual costs of financial companies on information security can amount to 30 billion rubles with a CAGR of 8%.

According to the Solar Group, in 2023 the number of cyber incidents in the credit and financial industry increased by more than a quarter and reached 6.8 thousand. At the same time, the complexity of attacks on banks is also growing. At the same time, the amount of information security funding does not correspond to the level of threats. The growth rate of investment in cybersecurity is significantly lower than in IT - 5% and 12% per year, respectively.

More than a third of the attacks in the banking sector (36%) in 2023 were related to the exploitation of vulnerabilities. In second place (28%) is unauthorized access to systems and services (including components of an automated banking system and remote banking services, internal document management and key databases).^[2]

A third of Russians faced fraudulent bank applications

A third Russians have encountered fraudulent ones. applications banks This was announced on October 3, 2023. ITFB Group (ITFB Groups) For this reason, 42% only keeps a small amount of money on. to the card

According to the results of the ITFB Group study, 76% of Russians continue to use applications of banks removed from the AppStore and Google Play. At the same time, a third (33%) of respondents note that they faced fraudulent applications, and 4% of respondents lost money.

After the imposition of sanctions against Russian banks and the removal of their applications from smartphone markets, the number of their fraudulent clones spreading through different channels. Respondents faced with clones of banking applications, said that scammers spread links through instant messengers, social networks and e-mail (44%), make phone calls and convince them to install "updated" bank application (35%). fake ON 12% of respondents met on smartphone markets, another 9% went to the phishing site.

Fraudulent clones are as similar as possible to official applications. For example, the "B Bank" application is a VTB fake, TBank App - Tinkoff. They use the official design of the brand, images of maps. Fraudsters do not always manage to distribute malware through smartphone markets, so they widely use social engineering and convince users to install the application using social networks, instant messengers, telephone calls. This is how the applications "Sberbank 2.0" and "Support of Sberbank" are distributed. This software has nothing to do with the bank, behind it are fraudulent programs for remote access to the device. Visually, the clone completely mimics the official application. In order to notice a discrepancy, you need an appointment that an inexperienced user often does not have. Therefore, often people find out that they downloaded fraudulent software after the fact, when the money is lost, "said Nikita Borodkin, head of the iOS development department of the ITFB Group mobile development department.

Russians continue to actively use bank applications, even if they are removed from the markets. So, about 40% of respondents use software installed until February 2022. A quarter of respondents said that after the imposition of sanctions, they downloaded and installed the application using a link from the bank's official website, 12% turned to bank employees for help. In 9% of respondents, the bank's official application is still available in smartphone markets, since the bank is not under sanctions. Some Russians (14%) do not use mobile banking software at all.

When downloading a banking application from the AppStore or Google Play, you cannot always unequivocally establish a match. Both official and fraudulent programs are distributed on markets under third-party legal entities or developers. In order to protect yourself, it is best to turn to the bank manager for help and rely on official sources of information, where the link to the released application is usually indicated, - Nikita Borodkin shared his recommendations.

Many Russians try not to keep a large amount on the card (42%). One in five the respondent (22%) keeps all his money on the card, preferring to set daily, weekly or monthly limits on cash withdrawals or transfers. In this case, even if the fraudster takes possession of the card data, he will not be able to withdraw more than the limit from the card. Fully withdraw all money 9% of respondents.

The Central Bank allowed IT and information security managers without experience in the banking sector to become deputy chairmen of the board of banks

The Bank of Russia Working Group on Optimizing the Regulatory Burden on Financial Market Participants decided to expand the permissible work experience for candidates for the positions of Deputy Sole Executive Body and Member of the Collegial Executive Body of Credit Institutions through the experience of managing departments related to IT or information security activities with a total duration of at least two years. This is stated in a letter signed by the first deputy chairman of the Bank of Russia Vladimir Chistyukhin, sent at the end of September 2023 to the Association of Russian Banks^[3]

Now, according to Article 16 of the Federal Law of 02.12.1991 No. 395-1 "On Banks and Banking Activities" (Federal Law No. 395-1), the qualification requirements for a candidate for the post of deputy sole executive body of the bank include the requirement for his experience in the bank or in state corporations in positions related to banking operations, at least two years.

The Bank of Russia initiative also covers the most important non-bank financial institutions, which include insurance organizations, non-state pension funds, management companies of investment funds, mutual investment funds and non-state pension funds, and microfinance organizations.

The decision of the Bank of Russia provides for amendments to legislative acts, including the Federal Law "On Banks and Banking Activities." This is supposed to be implemented within the framework of one of the bills currently under consideration in the State Duma, the regulator said in a letter.

The Bank of Russia decided to expand the permissible work experience for candidates for these positions after a letter from the Association of Russian Banks^[4] of^[5] It, signed by the president of the association, Garegin Tosunyan, said that there were proposals from credit institutions to improve the qualification requirements for candidates for the post of deputy sole executive body of the bank overseeing the development of financial and technological projects.

In the letter, the association indicates the current qualification requirements established by FZ No. 395-1. At the same time, now the banking business is forced to actively transform, transferring operations to digital form. And to carry out such a transformation, banks are interested in attracting specialists (teams of specialists) with experience in launching and implementing complex digital products. Credit organizations believe that the participants of such teams will be conductors in building sustainable technological processes for quickly making changes to banking products and developing new digital products.

The above is especially important for small banks, since the speed of implementation of digital products can be a key competitive advantage for them, emphasized in a letter from the Association of Russian Banks. At the same time, small credit organizations note that they are acutely experiencing a lack of qualified personnel capable of overseeing such changes.

Given the high mobility of staff in the IT sector, banks lose out to fintech companies in attracting qualified personnel, including due to complex procedures for coordinating candidates and the availability of qualification requirements for experience in the banking sector, the association noted in its letter to the Bank of Russia.

In this regard, credit organizations suggested that the regulator consider the issue of promptly amending Article 16 of the Federal Law No. 395-1, aimed at establishing as a qualification requirement for candidates for the position of deputy sole executive body of the bank in charge of information technology and fintech areas, two years of experience in senior positions in fintech organizations.

The Central Bank will check the readiness of banks for cyber threats without warning

On August 10, 2023, it became known about the decision of the Central Bank of the Russian Federation to check the readiness of banks for cyber threats without warning. Previously, the regulator notified credit organizations about the exercises in advance. Read more here.

Banks will be required to reimburse customers who are victims of fraudsters

Vladimir Putin approved the law^[6]," according to which banks operating in the country are obliged to check all transfers from individuals in case of suspected illegal actions. The law also provides for the possibility of suspending suspicious transactions for up to two days. This became known on July 25, 2023. Read more here.

Updated Xenomorph Trojan automates theft of funds from a bank account

On March 13, it became known that the Imperva Red team at the end of 2022 discovered in, browser Google Chrome vulnerability which is being monitored under identifier CVE-2022-3656. At the time the vulnerability was active, it affected over 2.5 billion users Chrome and allowed to malefactors the theft of confidential ones, files such as cryptopurses accounts. data cloudy provider More. here

Darknet market InTheBox "for a penny" sells malicious packages to steal data from banking applications and crypto wallets

The InTheBox store promotes the Russian web injections on cybercriminal forums to steal credentials and confidential information from bank applications crypto wallets and applications. e-commerce This became known on February 2, 2023. More. here

Blind Eagle group attacks banks in South America

On January 9, 2023, it became known that the Spanish-language group Blind Eagle returned to the cybercriminal arena and brought with it an updated set of hacker tools, as well as one of the most complex chains of infection aimed at Colombian and Ecuadorian organizations.

The phishing attacks victims of the attackers were banks Ecuador, and: Spain Hats

• Banco AV Villas
• Banco Caja Social
• Banco de Bogotá
• Banco Popular
• Bancoomeva
• BBVA
• Colpatria
• Davivienda
• TransUnion

Hackers are known to interrupt an attack if their victim is outside Colombia. Similarly, they act in the course of another malicious campaign, where they impersonate the Ecuadorian Tax Service. True, in the latter case, Blind Eagle does not just deploy trojan victims in the system, but conducts a much more cunning and complex attack using a VBS script built into HTML-. file Through this script, two scripts written in are loaded: Python

• ByAV2.py
• mp.py

According to experts, Blind Eagle is not going to stop and will continue its attacks in order to make even more money from careless victims^[7].

2022

Banks in Russia began to conduct cyber training more often

Banks in Russia in 2022 began to conduct cyber training more often. Moreover, training has spread to employees of all levels - from call center employees to top managers. This became known on February 16, 2023.

On this day, Vedomosti released material with reference to the heads of information security units of large credit institutions. As explained in Sberbank, the exercises are aimed not only at training employees in the correct actions in case of threats, but also at the interaction of other departments with each other. One of the scenarios for development is a massive viral infection (the bank has a ransomware virus simulator that infects workstations of real employees). After that, the bank begins the necessary procedures, without interrupting the customer service process.

The second scenario is exercises with a team of attackers. As a rule, these are hackers who are either part of the bank's team, or they are hired specifically for such exercises. The task of the attackers is to obtain information in various illegal ways. At the same time, only the management of Sberbank knows their action plan. An option is also being worked out when a company is attacked not only from outside, but also when an attack is carried out by one of the employees.

PSB also has its own team of attackers, which is trained not only to detect and repel targeted attacks on infrastructure, but also to identify cases of social engineering, said Dmitry Miklukho, director of the bank's information security department. Also, all bank employees are trained through sending them phishing emails, invitations to illegal sites.

Gazprombank concentrated more on high-quality investigations after the attacks. Employees were taught to collect all digital artifacts and evidence base. This is necessary not only to identify where the attack was carried out and which files and systems were damaged, but also to provide the necessary data to law enforcement agencies and regulators.^[8]

Godfather Android Trojan attacks banks, cryptocurrency exchanges and e-wallets

December 21, 2022 Group-IB announced that it had recorded activity - attacking bank Androidtrojan Godfather users of financial services. More. here

Every second attack on the financial sector is carried out using a ransomware

Positive Technologies analyzed the dynamics of the security of the credit and financial sector. Every second attack on this sector is carried out using malware - ransomware. In addition, experts record a twofold increase in sales of access to corporate networks of financial organizations in darkweb against the background of a decrease in their value by 4 times. This was announced on November 10, 2022 by Positive Technologies.

According to the study, in the first three quarters of 2022, the total number of sales of access to corporate networks of banks in the dark web doubled compared to the same period in 2021. The cost varies from $250 to $30,000. USA depending on the organization and privileges on the network that the buyer receives. According to experts, such an increase in activity may be due to a fourfold decrease minimum price: from $1000 to $250. USA

An analysis by Positive Technologies showed that attackers most often use social engineering methods in attacks on financial institutions (47% of cases) and are less likely to exploit vulnerabilities than attacks on other industries. According to experts, this is due to the better security of the network perimeter of organizations financial industry. Criminals are cheaper and easier to find disloyal bank employees who are ready to provide them with access to systems or confidential information than to hack the company's perimeter by exploiting vulnerabilities.

According to the results of the first three quarters of 2022, the total number of attacks on financial organizations decreased by 16% compared to the same period in 2021. The share of cyber attacks on the financial industry in recent years has generally decreased and as of November 2022 is about 5% of the number of all cyber attacks on organizations. Experts explain this by the fact that banks traditionally invest in security and follow industry standards of information security.

Although for November 2022 the financial sector is best prepared for attacks compared to other sectors of the economy, in general, the level of protection of organizations from an internal and external attacker remains not high enough. This is evidenced by the results of penetration tests and verification of unacceptable events conducted by our experts from 2021 to 2022 for financial institutions. So, within the framework of the internal pentest, in all cases, experts managed to establish full control over the infrastructure, as well as demonstrate the possibility of gaining access to critical systems. If an attacker successfully uses the attack vectors used by our specialists, the company could face serious damage from a cyber attack. told Artem Sychev, Advisor to the General Director of Positive Technologies

Sychev also noted that in Russia, as well as around the world, the financial sector is one of the most interested in ensuring a sufficient level of security: the regulatory framework is constantly improving, continuous information exchange between FinCERT and organizations is maintained (the number of which is more than 800), information security forums are held. Positive Technologies recommends that financial institutions pay special attention not only to regular penetration testing, but also to verification of those events that may entail serious damage and are unacceptable for their activities.

{{quote 'author
= noted Artem Sychev' For November 2022, the bug bounty of the updated type, focused on checking the possibility of implementing unacceptable events, is the only way to check the performance of your information security systems due to continuous training and development of product expertise by experimental means. The credit and financial industry is traditionally the most advanced in Russia in terms of cybersecurity and it is expected that it was this industry that was one of the first to identify unacceptable events for it and became a pioneer in bug bounty programs.}}

According to Positive Technologies, in the three quarters of 2022, financial institutions most often faced theft of confidential data (51% of cases) and shutdown of business processes (42%). As a result of 7% of attacks, companies suffered financial losses.

These data correlate with the list of unacceptable events for financial institutions obtained during risk verification projects completed for 2021-2022:

• Withdrawal of funds of a certain amount from the accounts of the organization or customers.
•  Stop operational processes for more than a certain number of hours due to the unavailability of supporting information systems.
• Inaccessibility of digital financial services for customers for more than a certain number of hours.
• Distortion or destruction of information in databases (including backups) used in operations.
•  Use financial institution infrastructure and digital services to attack customers and partners.
•  Leakage of databases containing personal data of customers, bank secrets and other confidential information.

Central Bank will check the security of Russian software in banks

At the end of July 2022, it became known about the decision of the Central Bank of the Russian Federation to check the stability of the IT systems of Russian banks against cyber attacks. In particular, it is planned to check the security of domestic solutions, which began to be introduced after the suppliers of their foreign analogues left the market, a representative of the regulator told Vedomosti.

According to him, the Central Bank has been conducting cyber training with credit institutions since 2020, in 2022 they will be held as planned.

In the second half of 2022, it is planned to conduct cyber exercises taking into account current scenarios of computer attacks, which include the topic of import substitution of software of credit institutions, the regulator said.

At the same time, the Central Bank of the Russian Federation did not specify what exactly will be checked during the exercises and what principles of attacks will be imitated.

Previous exercises were conducted with the participation of 70 Russian banks. According to the source of the publication, the scheme looks like this:

• The Central Bank reports a negative scenario.
• Banks are launching their security systems.
• The Central Bank monitors their work and effectiveness.
• This is followed by a debriefing.

Among the scenario options may be options for disabling certain software or equipment, for example, SAP, Oracle, etc. For example, Oracle database management system (DMS) used all domestic banks in 2021 . This was stated by the developers of the domestic DBMS Postgres Professional. Moreover, the system was used in the "most loaded and critical" places.

1C solutions, own banking products and so on are offered as a replacement. However, there is simply no full-fledged replacement for SAP and Oracle solutions yet, and the created analogues "are largely inferior in their technical characteristics and functionality."^[9]

Scammers trick customers into setting up SMS forwarding to access their online bank

Another scenario of telephone fraud using social engineering methods was recorded. Under the guise of employees of mobile operators, fraudsters force the client to configure SMS forwarding in order to then gain access to the online bank. This was reported to TAdviser by VTB representatives on June 28, 2022. Read more here.

The Central Bank proposed a mechanism for self-recording on the issuance of loans to counter fraudsters

To counter fraudsters, the Bank of Russia has proposed a mechanism for self-recording loans. The Central Bank announced this on June 14, 2022. Read more here.

The Central Bank ordered banks to quickly switch to domestic crypto protection

At a meeting held on April 15, 2022 CENTRAL BANK OF THE RUSSIAN FEDERATION banks with domestic manufacturers, a decision was made on the need to promptly replace foreign HSM modules with Russian ones. Writes about this with Kommersant reference to the participants of the financial market and CryptoPro adviser Vladimir Prostov.

Hardware Security Module (HSM) protects information systems from data disclosure using cryptography. Modules are released in different versions: from a simple expansion card to individual devices with anti-vandal protection. True, they are assembled mainly from imported parts, mostly Chinese, and supplies from the PRC by April 2022 are difficult due to logistics problems.

The publication of the publication says that for small banks, replacement may turn out to be a rather serious financial burden, and a complete transition to domestic systems can take almost a year. According to Dmitry Gusev, deputy general director of InfoTeCS, the complete transition to domestic HSM modules for banks may take several years, since it is necessary not only to produce equipment, "but also to adapt it to work with bank processing systems, as well as support Russian cryptography on final equipment: payment terminals, ATMs."

According to the interlocutors of the publication, Sberbank and VTB will change the modules themselves, the rest of the banks - through vendors. In total, several thousand modules need to be replaced in Russia. The cost of such devices starts from 3 million rubles apiece for non-payment modules, while payment can cost many times more.

Market participants interviewed by the newspaper believe that the Central Bank needs to develop a domestic analogue of the international PCI DSS standard (a comprehensive standard for the security of payment systems), since it is impossible for domestic vendors to obtain a certificate due to geopolitical restrictions, even if they meet the requirements, while banks without such a certificate usually do not want to use equipment from domestic vendors.^[10]

Hackers steal data of 54 million customers of TransUnion credit bureau and demand a ransom of $15 million

In mid-March 2022, hackers demanded a $15 million ransom for 54 million client records stolen from the server of the TransUnion credit bureau in South Africa. Read more here.

Kaspersky Lab prevented cybergrabbing of the Central Bank in Latin America

In mid-February 2022, it became known that during a joint investigation, Kaspersky Lab and Interpol prevented the theft of funds from the central bank of one of the Latin American countries. What state in question is not specified. Read more here.

2021

428% increase in malware

On February 3, 2022, Eset announced that the number of malware detections for Android banking increased by 428% in 2021 compared to 2020. The top five countries in terms of threat activity included Turkey, Russia, Spain, Ukraine and Japan.

Bank threats to Android are developing faster than most. virus ON Moreover, unwanted programs are actively distributed through the official application store: in the Google Play period from September to December 2021, they were downloaded more than 300 thousand times.

The functionality of malicious applications allows attackers to steal user bank data and subsequently make unauthorized purchases, cash withdrawals, as well as transfer funds to third-party accounts.

ESET analysts predict that in 2022 there will be even more malware to compromise online banking.

Despite the abundance of threats, the Android ecosystem is improving and provides platform users with a more secure environment with a high level of privacy. However, in 2022, users need to realize that in many cases they need to take care of personal cybersecurity on their own and make some changes to the default settings of their smartphone, "said ESET cyber threat researcher Lucas Stefanko.

After installation financial applications , review the program permissions. It is necessary to deactivate the functions of working on top of other open applications - so you will protect yourself from the invisible activity of online banking in the event of its hacking. Be sure to prohibit device administration rights and disable external access permissions to to the smartphone or. to the tablet An effective protection measure is the use of additional anti-virus programs of the Mobile Security class.

A third of hacks of IT systems of Russian banks are due to the actions of employees

In about 30% of cases of hacking the IT systems of Russian banks in 2021, employees were to blame - they leaked data, were negligent or participated in fraudulent schemes. Such data in mid-February 2022 were released by RTM Group, which provides information security services.

External hacker attacks accounted for 15% of penetration into banking IT systems in Russia at the end of 2021. This share, according to experts, will fall to 3% in 2022, while the percentage of incidents related to the actions of bank employees, on the contrary, will significantly increase and reach 50%.

Previously, such a significant dynamics in the number of incidents involving internal insiders was not observed, noted in RTM Group, and it may be associated with an increase in the complexity of external hacks and an increase in the cost of internal data. The main goal of the attackers will be the accounts of companies, customers and any information about them, as well as documents and internal correspondence, analysts say.

The head of analytics SearchInform Alexey Parfentiev , in a conversation with "," Businessman explained that it is cheaper and safer for attackers to use insiders, not external schemes. He noted that the law banks is not obliged to establish programs to protect against data leaks and other insider risks. According to Parfentiev, this ON is still in a third of banks.

The banks themselves have a different attitude towards forecasts of increased attacks by insiders. Rosbank "does not expect an increase in internal leaks," Mikhail Ivanov, director of the bank's information security department, told the newspaper. At the same time, the credit institution expects that, "most likely, both external and internal risks will grow," he admitted.

Tinkoff bank A spokesman told the publication that all areas of security were being strengthened there, "based on real data on cyber threats." The level of danger from insiders "practically does not change over time," said the director of the information security department. ICD Vyacheslav Kasimov^[11]

Hackers for the first time in 3 years stole the bank's money from its correspondent account in the Central Bank of the Russian Federation

In mid-December 2021, it became known about the first successful hacker attack on the correspondent account of the Bank of Russia in three years. The system of interbank transfers of CBD AWS (automated workplace of the Bank of Russia client; through this system, banks make settlements with each other from correspondent accounts opened by the Central Bank), the Group-IB company said. Read more here.

Pakistan National Bank attacked by hackers

On the night of November 29-30, 2021, the National Bank of Pakistan (NBP) survived a cyber attack. It affected server systems and servers used to connect bank branches, the internal infrastructure that controls the ATM network, and the bank's mobile applications. Read more here.

Sergey Demidov, information security director of the Moscow Exchange, on the prerequisites for a new information security agenda in the financial sector

Information security risks have evolved and changed orientation, believes Sergey Demidov, Director of the Department of Operational Risks, Information Security and Business Continuity of the Moscow Exchange Group. At the TAdviser IT Security Day conference in October, he shared his vision of new information security risks and the prerequisites for forming a new information security agenda in the financial sector.

Sergey Demidov identifies five main prerequisites for new information security risks:

• remote infrastructure and related attacks (for example, an attack on a New Zealand exchange that led to prolonged downtime);
• massive risks of using personal devices (many cases when an attacker entered endpoints);
• Reduced mindfulness at remote work, making the user more vulnerable to phishing
• loss of logins and passwords;
• overall decline. economies

And now the realization comes that in Russia in our current reality we found ourselves in a different reality, said Sergei Demidov. And over the past year, prerequisites have arisen for the formation of a new information security agenda in the financial sector. One of the prerequisites is the growth of digital business, not only in the technological sector, but also in the real, production sector, where companies begin to develop their business through technological products (for example, KamAZ, Rosavtodor and others have marketplaces).

Another prerequisite is an increase in the number of vulnerabilities, including zero-day vulnerabilities. Last year, an absolute record was set for the number of vulnerabilities discovered, Sergey Demidov emphasized. The race for profit now begins in the digital world, new technologies appear quickly, but do not have time to work out the full cycle of searching for vulnerabilities, respectively, the latter appear more and more.

As a separate item, the representative of the Moscow Exchange outlined an increase in the regulatory burden.

There are more and more regulatory requirements, because regulators see this race, understand that citizens need to be protected from this shaft of vulnerabilities, "says Sergey Demidov.

In the financial sector, the regulator now penetrates all processes. Previously, this was not the case, said the director of the information security department of the Moscow Exchange. Previously, there was a requirement for system protection, then there were regulatory requirements related to products, and now there are requirements related to the processes of developing and operating software products.

Personnel shortages can also be added to the list - about 18,500 information security specialists are missing in Russia annually, according to official statistics from the Ministry of Labor. The country does not have such capacities that this personnel shortage is closed, Sergei Demidov stated.

Summarizing, Sergei Demidov noted that, on the one hand, digitalization is accelerating and there is a need to help businesses earn money, and on the other, there are a huge number of formal requirements and new checks of the Bank of Russia, which are more checked for formal compliance with information protection requirements.

In this situation, it is not clear what to do for an information security specialist: on the one hand, he lives on fear that he may be kicked out, since he violated the requirements of the Central Bank, and on the other, he understands that the threats are probably not there and it is necessary to do the wrong. You can partially relieve the situation by bringing some of the formal and real information security risks for processing to the IT department and synchronizing the IT and information security strategies of the company.

Synergy between IT and information security is needed, - stated Sergey Demidov. - IT also has a staff shortage, and you need to help each other, synchronize work, IT and information security development strategies.

In addition, according to Sergei Demidov, it is necessary to interact with government agencies in matters of policies and standards of information security.

An AI-based method has been developed that allows you to spy on the entered PIN-code at ATMs

On October 18, 2021, it became known that researchers from Italy and the Netherlands developed a machine learning method capable of determining the PIN code entered by a person into an ATM. This method works even in cases where the customer of the ATM covers the input panel with his hand.

The developed method involves training a convolutional neural network (CNN) and a long-term short-term memory (LSTM) module on video recordings of a PIN code input covered by a hand. A system that tracks hand movements and positioning during PIN entry can predict 41% 4-digit and 30% 5-digit PINs in three attempts (the maximum number of attempts a bank allows before a customer's account is locked). The tests involved 58 volunteers who used random PINs.

Since the ATM screen is unlikely to be hidden during PIN entry, the keystroke time can be set by synchronizing hand movements with the appearance of "camouflaged" digits (usually asterisks) that appear on the ATM screen in response to a user's request. Synchronization shows the exact position of the hands in the "hidden" script at the time of input.

Data collection was conducted over two sessions using right-handed volunteers for the study. Each participant typed 100 randomly generated 5-digit PIN codes, providing uniform coverage of all ten possible keystrokes. Thus, the researchers collected 5,800 individual PIN code inputs.

data The kits were divided into training, validation and testing kits, with the training conducted on a processor Intel Xeon running on a 2.60 GHz E5-2670 and equipped with 128 GB of RAM. The data was implemented on Keras2.3.0-tf (TensorFlow 2.2.0) Python and 3.8.6 on three graphic processors Tesla K20m with 5GB of video memory each.

Considering countermeasures to existing systems, the researchers believe that there are no really effective means of protecting against such attacks. Increasing the minimum number of necessary digits in the PIN code will make it difficult to remember numbers, the random order of the number keys on the soft keyboard of the touch screen also causes problems with usability, and screen protectors will not only be expensive to install on existing ATMs, but may also make the attack method even easier to implement. The researchers claim that their attack is workable even when 75% of the keyboard is hidden (closing more makes it difficult for the user to enter text^[12].

Attackers began to use the TCP SYN/ACK Amplification vector for attacks

Cybercriminals resumed DDoS attacks on Russian financial a large-scale sector after a week of calm. The company Orange Business Service announced this on September 29, 2021. At the same time, the number of attacked organizations increased. Attackers use vectors and techniques that were not previously used, the nominal power attacks has decreased, but their complexity has increased.

According to the to data Russian Cyber ​ ​ Threat Monitoring Center () SOC of the international service -provider Orange Business Services, from September 10 to 15, 2021, the number of attacks carried out dropped sharply: no more than ten incidents over 10 Gbps were detected, while over the previous month of observation, on average, five large requests were recorded per day. But already on September 16 at 10:30 the first attack from the wave was detected, characterized by even higher intensity than in the previous month of observations. From that moment to the evening of September 25, more than 75 large-scale incidents of various types were identified, the peak capacity of the most powerful of them was 45 Gbps. At the same time, the number of attacked organizations increased by 10%.

Attackers use unknown types of attacks. For example, the rarely used TCP SYN/ACK Amplification vector began to be massively used before. This attack exploits the features of web servers that are under attack. With the help of special requests, the communication channel connecting the server to the Internet is massively clogged with messages of the same type.

Also, this wave of attacks is characterized by cybercriminals searching for previously untried combinations of techniques and vectors. So, for the first time since August 9, areal attacks affecting 256 or more addresses at a time began to be combined with the TCP SYN vector. It disrupts the operation of services through overflow of the queue for connection to the attacked web server, on which the Internet bank, processing or other external or internal service can operate.

The main feature of this combination is that, despite the low nominal attack power, which averages 2 Gbps, the number of parasitic packets sent to the service selected for attack increases by an average of 400-500 times. At the same time, the attack goes to many services of a financial organization at once, which greatly complicates its reflection.

Earlier, from August 9 to September 9, SOC Orange Business Services recorded more than 150 large-scale attacks on Russian financial institutions. The most powerful was recorded on September 6 - its volume exceeded 150 Gbps, which is three times more than the largest attack recorded by FinCERT on financial institutions in 2019 - 2020.

Cybercriminals are not going to back down. They are systematically expanding the list of techniques and vectors used in the hope of finding vulnerabilities in the security systems of financial institutions. From a technical point of view, in such a situation, the use of protection systems that allow inspecting incoming Internet traffic for prompt detection of anomalies and responding to them comes to the fore. At the strategic level, the critical security component of the entire industry remains the established coordination between financial organizations, the regulator and information security service providers working with market participants, "said Orange Business Services in Russia and SNGOLGA Baranova.

Hackers target Russian financial sector

Since the beginning of August 2021 Russian financial , the market has been subjected to constant large-scale. To the DDoS-attacks This became known on September 13, 2021. At the same time, attackers continue to systematically increase the number and intensity, attacks as well as use not only well-known, but also their most recent types.

Experts began to note a separate interest in the Russian banking sector among cybercriminals back in the middle of summer 2021. In July, the Bank of Russia reported in the media about the risks of "infection" of financial institutions through participants in their ecosystems. In July 2021, information security experts Teresa Walsh and Troels Oerting noted that the vector of attacks is shifting towards third-party suppliers of organizations through which up to 40% of attacks are committed.

In August 2021 FinCERT , he noted a series of large-scale DDoS attacks on at least 12 large, Russian banks processing companies and -. Internetproviders Requests came from, and USA, Latin America Asia reported. In MEDIA early September 2021, the Russian financial sector was again attacked: large and - banks telecom operators providing them with services fell under the influence. communications

From August 9, 2021, the Russian Cyber ​ ​ Threat Monitoring Center (SOC) of the international service provider Orange Business Services records a sharp increase in the number of requests. Trying to achieve their goal, criminals increase their frequency, address space area and power. In addition, attackers combine not only well-known attack vectors such as TCP SYN, DNS Amplification, UDP Flood and HTTPS Flood, but also only recently discovered ones, for example, DTLS Amplification. This type of attack was first seen at the end of 2020 and began to be acutically applied in mid-2021. It exploits vulnerabilities in Citrix servers, and even a small botnet is capable of conducting a large attack.

In total, more than 150 attacks were recorded in a month, from August 9 to September 9, 2021. At the same time, their intensity is constantly increasing. The FinCERT report on the results of 2020 noted that the most powerful attack in 2019-2020 was carried out with an intensity of 49 Gbps (2 Gbps higher than the 2018 record). Already in August 2021, SOC Orange Business Services beat back requests with a capacity of 100 Gbps, and on September 6, this figure exceeded 150 Gbps. Criminals are trying to constantly increase the power of attacks in the hope that telecom providers will not be able to clear traffic in such large volumes.

In addition, during the reporting period, the attackers involved large international botnets. So, SOC Orange Business Services has identified one of the networks based in Vietnam and South America, with more than 60 thousand unique IP addresses, and which was used to organize attacks such as HTTPS Flood on the 3D Secure payment verification service. The difficulty of protecting against this vector is that the traffic is encrypted and its content is not visible to the telecom operator, so it is often possible to highlight the sources of requests only when interacting with a financial institution.

The attackers also used the HTTPS Flood vector to make it impossible to use the banks' application, in which case the attack was carried out from the IP addresses of Russia, Ukraine and. In France other cases, botnet networks from,,, Taiwan Indonesia China Russia and the United States were involved.

The area of ​ ​ the attacked address space is increasing: if in August mainly address requests for specific IP addresses of financial organizations were recorded, then since September attacks have been carried out that affect 256 or more addresses at a time. At the same time, criminals constantly change or combine types of attacks to increase the difficulty of repelling them. Throughout August, the financial market dealt with HTTPS and DNS Amplification vectors, TCP SYN attacks were added to them on August 31, and IP Fragmentation and DTLS Amplification vectors were recorded on September 2. Several types of attacks were repeatedly recorded at the same time against financial organizations: for example, an attack to overflow the trunk communication channel went in parallel with requests in encrypted traffic for a payment service.

According to how persistently and ingeniously cybercriminals act, we can say that we are dealing with a complex planned action aimed at destabilizing at least the Russian financial market. In response to this wave of attacks, we have expanded the functionality of our own DDoS protection automation system, reducing the time from detecting an attack to responding to it to a few seconds. In addition, we connect the most DDoS-prone customers to the capacity of our cleaning center in, Frankfurt capable of withstanding an attack of up to 5 Tbit/s, "said the Chief Operating Officer of Orange Business Services Russia in and. CIS Olga Baranova

Sberbank declared war on telephone scammers, the number of calls from prisons dropped sharply

Sberbank Stanislav Kuznetsov On June 1, 2021, the Deputy Chairman of the Board announced a huge problem of telephone fraud in Russia, including for Sberbank clients. In this regard, the bank adopted a program to combat telephone fraud.

The program includes several elements. Among them is the improvement of the banking anti-fraud platform. It is built on the basis of artificial intelligence algorithms, its own graph database and graph analytics are used. In addition to analyzing transactions, the system analyzes risk events from telecoms, employee actions, operations in automated systems, non-financial operations. In the Sberbank catalog - about 130 studied fraudulent schemes.

The program also involves the development of tools in Sberbank Online, a mobile application, so that they can see that a fraudster is calling. Sberbank customers have a function in the mobile application when a fraudster calls, and a warning red traffic light is displayed.

In addition, the bank helps its customers in the mobile application to check their personal data - where they can be posted in the public domain.

Today, about one and a half million of our clients during this short period, literally 2-3 months of work, deleted the personal data themselves, which were accidentally posted on the network themselves, - Stanislav Kuznetsov cited the data.

A year ago, the structure of all call centers of telephone fraudsters existing around Russian citizens consisted of the following areas: about 40% are prisons, about 40% are near abroad, and about 20% are in Russia.

Moscow Prosecutor Denis Popov, after visiting the Sberbank Cyber ​ ​ Defense Center, organized a joint working group and took all appropriate measures to conduct operational activities directly in prisons, including Sailor Silence and Butyrka, Kuznetsov says. Searches were carried out, dozens or even hundreds of phones were seized. Many fraudulent schemes were opened throughout the country through cooperation also with the FSIN. After that, telephone fraud by penitentiary institutions decreased by about 80%.

Now we fix the majority of call centers in the near abroad and in the territory of our country, "says Stanislav Kuznetsov. - Operational measures, which have been carried out recently by the FSB and the Ministry of Internal Affairs of Russia, show that we are able to correctly recognize and identify these call centers.

Kuznetsov noted that telephone fraud has its own characteristics in Russia: no country in the world has the same large increase in this type of crime. As for direct Sberbank, only the lazy does not attack him, added the deputy chairman of the bank's board.

In the fight against telephone fraud, Sberbank has identified three problems. Firstly, there is no collaboration, says Stanislav Kuznetsov. We all need to create a new ecosystem of information exchange together.

Today, unfortunately, neither law enforcement agencies nor state-owned companies have a single platform for the exchange of information. Even inside the Ministry of Internal Affairs, there are different databases that do not even connect with each other, but you need to look first at one computer, then at another. And from the computer in which you registered the crime, the computer on which this is being investigated does not get - many inconsistencies, - complained the top manager of Sberbank. - That is, there is no single architecture, which we lack.

Sberbank followed this path - the creation of a unified platform for the exchange of information, added a representative of the bank.

In addition, there is a need to change the laws existing today, Sberbank believes. For example, the law on communications, which implies some tightening of actions for all telecoms. Today it costs 8 thousand rubles to get a license, Kuznetsov cited the data, and it can also be lost.

There are four leaders of our telecoms who are quite actively opposed to cyber fraud. But about 650 telecoms in the regions are now openly selling telephone numbers to anyone at the regional level, - said the deputy chairman of the board of Sberbank. - Type the words "virtual PBX" on the Internet, and you will see how many offers you will have. And even cooler - "virtual PBX 10 days, 2 weeks for free." This means that you can use phone numbers without handing over your individual data to telecom. Which, in fact, is happening now.

You can resist this. And Roskomnadzor is obliged to follow this, says Stanislav Kuznetsov: to carry out the necessary supervisory measures in order to fight this. There is still something to work on - "Roskomnadzor still does not have enough strength for these events," and all this continues to exist further.

Telecoms, in turn, can see replacement numbers and "turn off the switch" to block this traffic. This requires small amendments to the law on communications. Sberbank, according to Kuznetsov, has been actively engaged in this together with the Ministry of Digital Development for more than six months. This amendment is scheduled for adoption in the autumn session in the State Duma.

Regulation in the field of information security prevents banks from developing. Sharp issues discussed at the TAdviser conference

The regulation of banks in the field of information security is one of the problematic topics that were raised at the TAdviser IT Security Day 2021 conference, held in April. According to Ruslan Lozhkin, head of the information security service of Absolut Bank, there are so many requirements that it becomes difficult to develop in its activities, downshifting is observed.

Everything is spelled out, everything is indicated: how to build an information security policy, how to analyze a threat model - absolutely everything. It remains only to work on documents. Honestly, this is a little stressful, - said Ruslan Lozhkin in an open interview at TAdviser IT Security Day 2021.

And in 2020, regulatory requirements from regulators for banks increased even more.

And this regulator is not always of high quality, often raw, with contradictions, - said Ruslan Lozhkin. - You have to constantly write to the Central Bank and wait for clarification. It all takes time.

The headache of banks is, among other things, import substitution, to which the state pushes them. Here, too, we need not only dialogue, but also some decisive steps. So far, financial organizations are trying to introduce software as high-quality domestic analogues appear, but this does not always work.

This year we have introduced a sandbox of Russian production, now we are looking at SIEM, we are thinking about DLP. But we use foreign means of protection. You have to look for analogues, what to do - there is a law, it must be implemented. This is difficult because the Gartner quadrant is used in the West, it can be targeted and selected. We have only one parameter to choose from: finding software in the registry, and these solutions do not cover all needs. This situation slows down import substitution, - said Ruslan Lozhkin.

So far, it is proposed to extend the requirements for full import substitution not to all financial companies, but only to significant critical infrastructure facilities. Artem Sychev, First Deputy Director of the Information Security Department of the Bank of Russia, spoke about this in February 2021 at the round table of the State Duma Committee on the Financial Market. He cited data that banks have about 90% of software are foreign developments that cannot be abandoned instantly without customer services being affected. However, in all other respects, the regulator's attention to banks is very close.

Let me remind you that the control on the part of the Central Bank on the implementation of these measures is<по защите каналов связи, импортозамещению, а также обеспечению ИБ в целом — прим. ред.> quite tight. Many financial organizations have already encountered this and know that checks are now not formally, but specifically, with certain conclusions. Decisions on the results of inspections and the identification of violations by banks are also not formal: recently, about 17 banks have received fines for non-compliance with information security requirements.

Sychev also added that the Central Bank is moving from inspections to cyber exercises, which will quickly help identify risks associated with information security or the sustainable functioning of banks.

The financial organizations themselves also do not sit idly by, and preemptively conduct such exercises. Sergei Demidov, director of the information security department of this organization, spoke about what this process looks like in the Moscow Exchange.

We regularly check our employees: we send them letters of various contents, practicing their phishing reaction skills. For example, project teams receive a message from Demidov Sergei, that is, from me: "New information security requirements for the project" - and all sorts of incorrect references. And what do you think? Half buy! This struggle will be eternal. We teach a lot, but phishing does not stand still, it develops. The letters had good fakes, things affecting covid or vaccines, especially while they were not yet there. People began to catch on this hook, "says Sergey Demidov.

There is a tendency for the Central Bank to seek to expand its area of ​ ​ regulation beyond the financial sector itself. So, Sergey Demidov in an open interview at the TAdviser event noted:

The Bank of Russia, having recently received broad powers to regulate information security, has noticeably intensified. As you can see from media reports, it goes not only to the financial sector. In its advisory report, the Bank of Russia has already swung to regulate IT companies like Yandex or Mail.ru.

The report for public consultations "Ecosystems: Approaches to Regulation," posted on the Central Bank's website in April 2021, says that, despite the indisputable advantages for the consumer that ecosystem services give him today, one cannot but say that nevertheless  there is a fly in the ointment in this barrel of honey.

The unregulated development of ecosystems today already creates significant arbitration with other business models, challenges the competitive environment, makes the manufacturer dependent on the rules and tariffs of ecosystems, binds the consumer to itself and often determines its consumption model, the Central Bank notes in the report. - The situation is aggravated in the absence of national ecosystems on the market. In such countries, the issue of protecting a national manufacturer is especially acute. But in the countries of origin of global ecosystems - the United States and China - the issue of regulating the activities of both their own and other people's ecosystems is now on the priority agenda of regulators and antimonopoly authorities.

Sergei Demidov also noted that if we talk about the difference between compliance with international and Russian standards and requirements, then it is rather in the method of assessing compliance, that is, in how they check.

In the Russian Federation, they look more at the formal compliance and clear compliance with all points of the requirements, while according to international standards and requirements, the principle of "comply or explain" often applies, which allows in some cases not to comply with the requirements literally, explaining to the inspectors what compensating methods are used in order to fully achieve the goals of ensuring information security, - explained Demidov.

In Moscow, fraudsters draw up loans using biometrics

In Moscow, multiple cases of using customer votes by scammers to issue loans or other financial products have been recorded. This became known on April 10, 2021. Read more here.

Avast: Evolved banking trojan Ursnif attacks users around the world

Researchers at Avast Threat Labs, a division of Avast, a digital security and security solutions representative, found that the evolved banking Trojan Ursnif continues to attack users around the world. For several years it has been distributed through phishing emails written in different languages. The company announced this on March 9, 2021. Read more here.

Scheme of embezzlement of companies' money using application APIs

The Central Bank of the Russian Federation warned banks about a new scheme to steal money from companies, which uses mobile application APIs. This became known in mid-February 2021.

As Kommersant writes with reference to a letter from the Central Bank, in one of the incidents, the attacker used a real login and password to go to the bank's mobile application. After that, he put it into debug mode and studied the order and structure of calls to the Remote Banking API (RBS).

Then the fraudsters found the numbers of the victims' accounts from open sources, created an "order for the transfer of funds, indicating the victim's account in the" Sender's account number "field.

The Central Bank noted that attacks on the RBS systems of banks and on mobile applications have become more frequent, in connection with which the regulator expects that credit institutions will conduct additional control and checks of the RBS systems used. If vulnerabilities are identified, banks are advised to ensure the addition of checks of the ownership of accounts used in banking operations, an authorized customer account.

The head of the information security service of the Eleksnet Group of Companies Ivan Shubin, in a conversation with the publication, said that the scheme described by the Central Bank was still used mainly when embezzling funds from individuals, and not corporate clients, and this is its novelty.

To effectively counteract attackers, banks need, in particular, that each transaction reconciles the client's current account with his account, the expert explained.

The head of SafeTechDenis Kalemberg says that such cyber attacks have become effective due to "gross violations of the principles of designing the logic of the application," which made all other means of protection useless.^[13]

2020

Varonis: Bank employee has access to 11 million sensitive files on average

Varonis, one of the innovators in the global data security and analytics market, released its fourth annual 2021 Financial Data Risk Report, which outlined the most pressing issues related to corporate data security. This became known on December 14, 2020.

Varonis analysts analyzed 4 billion files in 56 financial institutions around the world (banks, insurance, investments) based on a random sample of cyber risk audit results (Data Risk Assessment).

It turned out that on average, an employee of a financial institution has access to 13% of all data stored in the company. This means that even employees of small organizations have unlimited freedom to view, copy, move, modify, and delete data for more than half a million files - including nearly 20% of all files that contain sensitive employee and client data. At the same time, with an increase in the size of the company, the number of available files for all files doubles. In the largest financial institutions, more than 20 million files are available to any employee.

Based on the report data, on average, financial institutions have about 20,000 folders open to all employees. IT professionals need about 6-8 hours per folder to find and manually remove global access, meaning that manually fixing access levels will take more than 15 years.

Another finding of the study is that it takes financial institutions about 233 days to detect and prevent data breaches - the average time to solve a problem in the industry is eight months. This is a sufficient time to cause serious damage to the reputation, income and trust of customers. In addition, more than 64% of financial services companies have over 1,000 confidential files open to each employee. Another 70% of all sensitive data is outdated (that is, stored beyond the deadline).

Varonis analysts also note that the problem with passwords is acute in financial institutions: 60% of companies have more than 500 passwords that never expire, and almost 40% have more than 10,000 ghost users. Their presence, along with privileged users with indefinite passwords, gives hackers a loophole to stealthily steal data or disrupt the company.

Financial institutions, despite their security, are susceptible to the attacks to intruders, largely due to the value of their customers' confidential data. So the average cost of one leak is estimated by analysts at 5.85 million. In dollars 2020, financial institutions boast the lowest average time to detect and respond to an incident, but remote work can significantly increase that time. At the same time, the more time it takes to respond to incidents, the higher the cost of leaks will be. Therefore, the importance of full network transparency and security automation cannot be overstated. As financial services move to remote work through, the Office 365 availability of professional tools to strengthen control and management of increased risk becomes a priority, - said the head of Varonis in Russia. Daniel Gutman

Winnti Group attack on Russian banking software developers

On September 7, 2020, it became known about the attack of the Chinese hacker group Winnti on Russian software developers for banks. Cyber ​ ​ attacks were reported by experts from the information security company Positive Technologies without specifying the names of credit institutions and software manufacturers that could suffer from the actions of cybercriminals. Read more here.

Information security priorities of banks in 2020

In the summer of 2020, TAdviser interviewed domestic specialists in the field of information security and found out from them how the needs of their clients from the banking sector have changed. Building a secure "remote location," developing and protecting RBS systems, fulfilling the requirements of legislation in the field of information security are the key priorities of banks in the field of information security, which experts say in 2020.

Building a Secure Remote

The banking sector, as well as companies from other industries, were forced to organize remote work to maintain their activities. However, earlier banks did not favor "remote," so not everyone was ready to switch to it.

At the beginning of the pandemic, there were emergency purchases of solutions for remote work, but then planned work began. You need to understand that information security and IT in the banking sector are at a fairly high level, and financial and credit organizations were able to rebuild part of their business processes quite quickly, - said Dmitry Gorelov, commercial director of Aktiv.

At the same time, some large banks, preoccupied with the issue, switched to mass remote work in just a week, and small ones could not do this, although it was about the number of users, less than 50-100 times. Therefore, now many organizations in the financial sector are scaling up or building a secure "remote location." They do not spare budgets for this, taking money from other articles and projects, - says Andrey Yankin, director of the Information Security Center of Jet Infosystems.

Ruslan Rakhmetov, General Director of the Intellectual Security Group of Companies (Security Vision brand), believes that credit and financial institutions are faced with the need to "go between Scylla and Charybdis": to transfer many typically offline processes to a remote mode, while simultaneously fulfilling legislative requirements in the field of information protection.

Fortunately, at the beginning of quarantine measures, the Central Bank of the Russian Federation published recommendations for organizing safe remote work for financial organizations, and vendors were able to offer appropriate products and services, he adds.

According to Nikita Semenov, head of the information security department of Talmer, banks were faced with the fact that, observing the requirements of standards in the field of information security, their infrastructure lost flexibility and scalability, and most importantly, it turned out to be absolutely not ready for remote operation, having no ways to quickly solve this situation.

We are certainly not talking about the work of additional bank offices, where the personal presence of an employee is critical. However, the back office also found itself in a situation where employees could not receive the information necessary for work and processed in the internal circuit remotely, the expert explains.

Nevertheless, in connection with the transfer of a large number of banking employees to remote work, as in other industries, solutions to control access to various kinds of information and protect against targeted attacks at the application level have become in demand, said Dmitry Agafonov, Development Director of Inoventica Technologies.

The banking sector was one of the first to implement procedures for controlling information security, privacy and data protection. Therefore, with the transition to "remote work," banks required an increase in the productivity of existing solutions, he adds.

Development and protection of RBS systems

Banks began to focus on the development of their RBS systems, despite the fact that many of their offices and branches during the pandemic continued their work in a limited mode. This trend could be noticed by the frequency of updating the corresponding applications.

From the point of view of applications, banks receive special attention from the relevant regulations of the Central Bank of the Russian Federation Regulations on 382-P and 672-P, obliging them to annually analyze the security of mobile applications and conduct regular tests for the penetration of RBS systems. Today, the main headache of the banking information security officer, where it is cheap and high-quality to analyze the source code and conduct a penetration test, says Cross Technologies.

According to Andrei Yankin, the increased load on RBS systems has led to demand for their protection systems (as a rule, scaling existing ones) and pentests.

Murad Mustafayev, head of the information security service of Onlanta (part of the Lanit group), adds that banks, given the prospects for the development of online banking, which accumulates the increasing volume of personal data on the network at an accelerated pace, prioritize the protection of personal information and strengthen information security tools.

For the financial sector, information security is always one of the pressing issues. At the same time, many of them were actively developing digital channels long before the start of the pandemic. This determines priorities. Protection of online services, APIs, containerization - almost every bank has these issues on the agenda, "says Dmitry Pudov, Deputy General Director for Technology and Development of the Angara Group of Companies.

Compliance with the requirements of legislation in the field of information security

At the same time, some of the priorities for banks in 2020 continue the trends of previous years. First of all, this is the so-called compliance, i.e. compliance with the requirements of legislation in the field of information security, the standards of the Central Bank and the requirements of the FSTEC and the FSB.

The largest banks are actively developing projects for the introduction and modernization of operational response centers (SOC), which make it possible to ensure an operational response to hacker attacks, as well as close the requirements for the exchange of information about incidents with FinCERT and State system of detection, prevention and elimination of consequences of computer attacks, - says R-Vision CEO Alexander Bondarenko.

As you know, the banking sector has the largest percentage of cybercrimes. The level of information security is monitored not only by the banks themselves, but also by the state. Thus, the regulator developed acts establishing requirements for application software in terms of certification, vulnerability analysis, annual penetration testing and analysis of information security vulnerabilities of information infrastructure objects.

This will reduce the risks of using malicious code in software products, which will lead to a decrease in the number of computer incidents. In the first half of the year alone, dozens of banks applied to our testing laboratory for voluntary certification for the OUD4[14] of[15], "says Dmitry Donskoy, Development Director of Echelon Technologies.

In addition, one of the main changes for banks was the need to implement a set of measures aimed at fulfilling the requirements of GOST 57580.2-2018 ^[16]

This is due to the fact that, according to the requirements of Bank of Russia Regulation No. 683-P, credit institutions must ensure a level of compliance not lower than the third in accordance with GOST R 57580.2-2018 from January 1, 2021, - said Viktor Serdyuk, General Director of DialogueNauka.

Recall that according to the third level of compliance (according to GOST R 57580.2-2018), organizational and technical measures of the information protection system process are implemented in significant quantities on an ongoing basis in accordance with the general approaches (methods) established in the financial institution. Control and improvement of the implementation of organizational and technical measures of the information protection system process are carried out randomly and/or occasionally.

Other priorities

Denis Sukhovey, Director of the Technology Development Department of Aladdin R.D., believes that last year's development trend may resume in 2020 - the active use by banks of cryptographic protection tools for their DBMS. This trend is significantly fueled by large-scale leaks from the databases of leading domestic and Western banks.

At the same time, Alexey Sukhov, commercial director of Garda Technology, believes that gradually priorities from protection against external threats are moving to protection against internal threats. According to him, the most high-profile cases of data leaks this year were associated precisely with activities inside banks, and not with hacking from outside.

Lev Matveev, chairman of the board of directors of SearchInform, notes the need of banks for atypical information security products.

Banks, in particular, began to take an active interest in data categorization systems. An illustrative example: we developed our FileAuditor at the request of retail and industry, and since the beginning of 2020 we have carried out several large transactions with banks at once. Also, under the request of clients from the financial sphere, we have developed a product for controlling actions in databases, - says Lev Matveev.

Ilya Kondratyev, Deputy Director of the Information Security Department of AMT GROUP, says that more and more financial clients are interested in protecting cloud environments and containers. In addition, he notes, the needs for automation of information security processes, often carried out using paper document management, have significantly increased - for example, IT and network access management, incident work, information security risk management.

Vladimir Lavrov, head of the information security department of the Softline group of companies, notes that banks have begun to actively use new technologies that allow them to work in conditions of the need to maintain social distance: blockchain, artificial intelligence, the Internet of Things and others. At the same time, he adds that digital transformation carries new risks in the field of information security, generating new trends in this area:

For example, in response to the introduction of biometric authentication, fraudsters have created Deep Fake technology to bypass it. Today, banks have to implement multi-level security technologies that allow them to control interconnected end devices, work and personal gadgets of both employees and their customers.

Murad Mustafayev, head of the information security service of Onlanta (part of the Lanit group), adds that one of the new priorities of banks is the introduction and development of machine learning both in terms of improving the provided service and in terms of information security for tracking and evaluating financial transactions.

According to Ruslan Rakhmetov, General Director of the Intellectual Security Group (Security Vision brand), the sustainable trend is the robotization of analysts' actions when responding to information security incidents.

This helps to increase the efficiency of SOC centers, reduce the routine burden on employees, and during remote work, also ensure timely processing of threats in conditions of a blurred perimeter of protection, a large number of new risks and possible delays in operational communication, - he notes.

Banks in Russia have introduced a new security standard

At the end of July 2020, it became known that banks in Russia had introduced a new 3D Secure 2.0 security standard, in connection with which they began to allow shopping on the Internet without an SMS code. Read more here.

The Ministry of Internal Affairs and Group-IB detained fraudsters who stole money from VIP customers of banks using SIM card clones

On July 16, 2020, it became known that criminal investigation officers Moscow , with the assistance of experts Group-IB , detained the organizers of a criminal group specializing in reissuing SIM cards and stealing money from customers. the Russian banks The group operated for several years, the damage from its activities is estimated at tens of millions of rubles, and even those who were in prison became their victims.

As reported, the peak of SIM card reissue scams occurred in 2017-2018 - attackers hacked Instagram accounts, instant messengers, mail from famous bloggers, entrepreneurs, show business and sports stars, and extorted a ransom to return access. A significant part of the crimes involved gaining access to online banking and stealing money from the victim's bank account.

One of the criminal groups specialized in VIP clients of Russian banks. To collect information about the victim, the crooks used special "breaking" services in telegram channels or on underground hacker forums. As a rule, the owners of such services have established contacts with insiders in banks with the necessary level of access. So they in real time can get not only the personal data of the client, but also the state of his bank account.

At the next stage, fraudsters used the services of an employee of an underground service for the restoration of SIM-cards, also a rather popular service in the shadow segment. Internet Having made a fake power of attorney (the form stands on forums for about 1500, they rubles also use fake seals or print forms on color), the printer girl reissued the SIM card in salons and. cellular communications Moscow The Moscow area girl used a fake driver's license as an identity card.

Immediately after the activation of the SIM-clone card, the victim's cellular connection disappeared, but at that moment the owner of the SIM-card sent requests to the bank for one-time access codes to mobile Internet banking. In some cases, the accomplice of the scammers did not even bother sending a SIM card - she simply sent or dictated the received codes by phone. Money - on average, 50 000-100 000 rubles were withdrawn from the victim's account to third-party accounts and cashed out through a chain of transactions in other cities, for example, in Samara.

At the same time, if in 2017-2018 the criminals withdrew large sums almost instantly, then starting in 2019 - after the banks intensified the fight against frood - they took longer. Fraudsters could make transactions only a day after the reissue of SIM-cards.

For this reason, fraudsters began to choose victims from among wealthy people who were in prison. A prerequisite - the victim must have money in the account and mobile banking is connected. In institutions FSIN those under investigation and convicted are prohibited from using cellular communications, but not only cases of "carrying" smartphones behind bars are known, but also the work of entire prison call centers, which resulted in a joint initiative of the Ministry of Internal Affairs, the FSB and FSIN to block cellular communications in places of imprisonment.

Numerous cases of theft of money from customers of Russian banks became the reason for checking and initiating a criminal case. During the investigation, employees of the Moscow MUR identified the organizers of the criminal group and attracted Group-IB experts. Two organizers of the group were detained in Solntsevo and Kommunarka, their accomplice from the "SIM card recovery service" - in the Moscow region. Another member of the group associated with cashing was caught in Samara. It is noteworthy that one of the members of the criminal group was convicted of similar fraud with the reissue of SIM-cards in 2014-2015, but being free, he again returned to his former craft.

During the search, Group-IB operatives and specialists found numerous SIM cards, laptops smartphones and push-button telephones - "dialers," fake documents - passports and driver's licenses, as well as bank cards and SIM cards tied to them, which received stolen money. For storages confidential information, fraudsters used flash drives-crypto containers. The detainees gave confessions - they were charged with part 4 under article 159 of the Criminal Code of the Russian Federation (Fraud). In the case of several episodes, the number of victims increases, the total damage was estimated at several tens of millions of rubles.

Unlike the schemes known for July 2020 with telephone fraud - vishing, when villains try to get a CVV or SMS code from the victim, the scheme with the re-release of SIM cards is not so massive and is aimed primarily at solid wealthy clients. More and more banks are agreeing with mobile operators on the exchange of data to counter the fraud: in the event of a reissue of a SIM card, mobile banking is temporarily blocked and separate activation of online banking is required, but this rule is not yet valid for everyone. narrated by Sergey Lupanin, Head of Investigations at Group-IB

In order not to become a victim of the scheme with the reissue of SIM-cards, Group-IB experts recommend writing a statement in the salon of the mobile operator that the reissue of the SIM-card is possible only with the personal presence of the subscriber. In this case, even if the attacker gets scan passports and fakes the power of attorney, he will not be able to reissue the SIM card and use it to access mobile banking. It is also important to clarify what the bank will do in the event of a reissue of the SIM card. If the user changes the number himself, mobile phone it is important to inform the bank about this, otherwise there is a risk that the owner of the SIM-card will be able to access the bank account.

Russia remains the world leader in bank virus attacks

In 2019, Russia remained the leader in bank virus attacks. This is evidenced by the data of Kaspersky Lab, released on April 16, 2020.

According to the collected statistics, more than 30% of users in the world who faced banking attacks trojans lived in. Russia The second largest distribution of such malware was (7 Germany % of the total). The top three were (just China over 3%).

In 2019, about 774 thousand users of Kaspersky Lab products were attacked by banking Trojans. More than 35% of them were in the corporate sector, while in 2018 the indicator was measured at 24.1%.

The financial sector accounted for 44.7% of phishing attacks in the world, compared to 51.4% in 2018. The share of phishing attacks on payment systems and online stores in 2019 amounted to 17% and 7.5%, respectively, which approximately corresponds to the indicators of 2018. The share of financial phishing faced by Apple computer owners decreased slightly to 54%.

According to Kaspersky Lab, the number of users of Android devices attacked by bank viruses in 2019 decreased to 675 thousand from 1.8 million a year earlier. Most often, such users were attacked in Russia, South Africa and Australia.

Although the total number of attacks on bankers has decreased in 2019, the growing interest in corporate customer credentials indicates that we do not yet see an end to financial threats. Therefore, we ask everyone to be careful when conducting financial transactions on computers. While we are at the peak of the trend of remote work during the coronavirus pandemic, it is especially important not to underestimate the desire of criminals to steal money, "said Oleg Kupreev, a security expert at Kaspersky Lab.[17]

In every second mobile bank in Russia, fraudsters can steal money

In every second mobile bank, fraudsters can steal money, according to a study conducted by Positive Technologies.

Experts studied 14 popular Russian applications for Android and iOS operating systems, which were downloaded more than 500 thousand times from the Google Play and App Store directories.

According to the results of the analysis, experts came to the conclusion that in 13 out of 14 applications, access to their personal data is possible. 76% of vulnerabilities in mobile banks can be exploited by attackers without physical access to the device.

At the same time, every second mobile banking application has a drawback that allows fraudsters to steal money. To exploit a number of vulnerabilities in client parts of mobile banks, an attacker just needs to install malware on the victim's device, for example, during a phishing attack.

Applications developed for iOS contained fewer vulnerabilities than applications for Android: for example, the shortcomings in the former were not higher than the average risk level, while 29% of the latter contained high-risk vulnerabilities (Android app creators are given more development options, experts explain this difference). All of them are associated with deep linking technology, thanks to which the user can move between applications: it is she who acts as the entry point to the application for hackers.

It also turned out that six of the seven web applications of banks contain vulnerabilities related to insufficient measures to authenticate the user. In practice, the disadvantages of mobile applications are very rarely used. Today, most fraudulent schemes are associated with social engineering, that is, psychological methods of luring citizens of the necessary information about their accounts.^[18]

Surge in unusual cyber attacks on banks and power

Experts from the Rostelecom-Solar Cyber ​ ​ Incident Investigation Center JSOC CERT recorded a surge in a rather rare type of attacks on banks and the energy industry. The chain of malicious activity includes as many as four stages, which allows hackers to gain control in the organization's IT infrastructure, remaining invisible to security tools - antiviruses and even sandboxes. Rostelecom-Solar announced this on February 18, 2020.

The multi-component attack begins phishing by sending office documents to employees power of banks and companies, allegedly on behalf of other organizations - representatives of the industry. Opening an attachment activates an executable that accesses a popular to hosting open source file pastebin.com. From there, a section of code is launched, which in turn sends a download command to the attacked computer picture from the image exchange service imgur.com. Complicating the matter is the use of steganography: malicious is built into the downloaded image, ON allowing hackers to collect and send to their servers full about information the victim.

If the data obtained is interesting for attackers, a further scenario for managing an infected system may include, for example, downloading viruses to steal valuable documents and commercial cyber espionage (in the case of energy companies) or to withdraw funds (if we are talking about banks). In addition, hackers can monetize their actions by selling the points of presence in the infrastructure of organizations.

According to Rostelecom-Solar statistics, 80% of such attacks were directed at banks. But in the remaining 20% of cases that occurred in the power, hackers attacked more actively - about 60% of the total number of phishing emails were sent to specialists from this industry, and their quality also indicates more thorough preparation by attackers.

It is curious that the style of the malicious code is very similar to that used by the Russian-speaking hacker group Silence, which until recently specialized exclusively in banks. That is, either Silence is mastering various industries and ways to make money, or another, very professional group has appeared that successfully imitates the Silence code, knocking down the sights of information security specialists, comments Igor Zalevsky, Head of the Center for Investigation of Cyber ​ ​ Incidents JSOC CERT of Rostelecom-Solar

According to JSOC CERT experts, such a difficult mechanism for delivering malware to the endpoint is extremely rare and usually indicates a targeted attack. Automated defenses - antiviruses and sandboxes - cannot detect such incidents, as they are designed to detect attacks from one to a maximum of two stages. Under these conditions, the security services of organizations are advised to take a particularly careful approach to improving the cyber literacy of employees.

Increase Internet Banking Cyber Risk with End of Windows 7 Support

The Government Center communications Great Britain urges from January 14, 2020 not to use Windows 7 for - Internet banking, as well as email computers with this. OS This became known on January 14, 2020. More. here

2019

Recorded 27-fold increase in data breaches in the financial sector

In 2019, the volume of leaks of personal data and payment information compromised as a result of negligence or illegal actions of personnel of banks, insurance companies, other organizations of the financial segment, as well as as a result of the activity of external attackers (hacker attacks), increased more than 27 times. Read more here.

In Russia, the market for high-tech crimes in the financial sector decreased by 85%

On November 29, 2019, the international company Group-IB presented a global report on Hi-Tech Crime Trends 2019-2020. The reduction Russia in damage from all types of cybercrime harmful using programs aimed both directly at and banks their customers led to a record 85% market fall. According to Group-IB, the market for high-tech crimes financial in the Russian industry decreased to 510 million for rubles the period H2 2018 - H1 2019 against 3.2 billion rubles in the previous period. Against the background of the exodus of financially motivated groups from the "RU" zone, a decrease in the number - and Androidtrojans groups engaged in, the phishing number of crimes against bank customers using social engineering and telephone fraud is growing in Russia.

The Group-IB Threat Intelligence team identifies 5 groups that successfully conduct targeted attacks on banks and pose a real threat to the financial sector in the world. Among them are the "Russian-speaking troika" - Cobalt, Silence and MoneyTaker, as well as the North Korean Lazarus (North Korea) and the group SilentCards from Kenya. Still, only Cobalt, Silence and MoneyTaker have Trojans that allow you to control the ATM dispenser and withdraw money. At the same time, during the study period, only Silence hackers attacked through ATMs, Silence and SilentCards through card processing, Lazarus through SWIFT (2 successful thefts: in India and Malta for a total of $16 million).

Only the North Korean APT group uses the FastCash theft method. It became famous in late 2018, although it was first used in Asia back in 2016. Behind all attacks of this type is the Lazarus group. Silence reduced activity on its own phishing mailings and began to acquire access to target banks from other hacker groups, in particular, from TA505. As of November 2019, SilentCards is the least technically trained among these groups and so far has successfully launched targeted attacks only on banks in Africa.

In relation to Russian banks, Cobalt and Silence carried out one successful attack for the period under study, MoneyTaker - two. The first two Russian-speaking groups shifted their focus to foreign targets, resulting in multiple reductions in "RU" damage. According to the Group-IB report, up to 93 million rubles, that is, almost 14 times reduced losses from targeted attacks on banks in Russia by financially motivated groups. Compared to the previous period, the average amount of theft from targeted attacks on banks in Russia fell from 118 to 31 million rubles.

According to Group-IB forecasts, the "Russian-speaking troika" will continue its geographical expansion outside the "RU." To withdraw money, they will use attacks on the card processing system and Trojans for ATMs. SWIFT will be much less likely to fall into the focus of these groups. Lazarus will remain the only group to commit theft via SWIFT and ATM Switch. Successful attacks on banks will be completed by disabling the IT infrastructure to conceal traces. Presumably SilentCards will remain a local group attacking banks in its region for the time being.

Assessing the market for high-tech crimes in Russia, Group-IB experts distinguish several segments, each of which records a decrease. According to thefts using Trojans for PCs, the "homeland" of which Russia has always been, the damage decreased by 89% and amounted to 62 million rubles. Russian-speaking hackers have stopped creating desktop Trojans. There are only two groups left that steal money in Russia using Trojans for PCs - Buhtrap2 and RTM. Only the latter shows activity.

Trojans for mobile Android devices disappear more slowly, but thefts with this type of malware are ON also on the decline: the damage in this segment amounted to 110 million rubles, which is 43% lower than in the previous period. The number of groups using Android Trojans in Russia decreased from 8 to 5: at the same time, "heavyweights" left the stage - Trojans, on whose account the largest number of fraudulent transactions. The remaining groups abandoned SMS the embezzlement channel, it was replaced by the card2card transfer method, which led to an increase in the average embezzlement from 7 to 11 thousand rubles. In general, over the past period, 22 Trojans went out of use, only 7 others were created to replace them.

The damage from financial phishing in Russia fell by 65% to the level of 87 million rubles. The overall figure was influenced by both a reduction in the number of active groups and a decrease in the 'average check' of the attack. The decline in financial gain led to the withdrawal of 15 groups that made money from phishing attacks. 11 remained active.

Reducing the economic effectiveness of these types of attacks forces fraudsters to look for other ways to earn money on these bank cards. As a result, fraud using social engineering techniques came out on top in terms of the spread of the threat in Russia. First of all, we are talking about telephone fraud - vishing, which since the end of 2018 has literally swept the banking market. Behavioral analysis of user sessions to detect suspicious activity in RBS systems is still the prerogative of large banks. That is why in Russia it is this type of attacks on bank customers that will maintain high dynamics.

The market volume of the carding grew by 33% and amounted to more than 56 billion rubles. (879 680 072 $). The number of compromised cards posted on underground forums increased 38% from 27.1 to 43.8 million compared to the last period. Dumps (the contents of magnetic bands of cards) account for 80% of the carding market. During the study period, 31.2 million dumps were found on sale, which is 46% higher than in 2018. The sale of text data (number, CVV, validity period) is also on the rise, their growth was 19%. The average price for text data rose from $9 to $14, while the average dump price decreased from $33 to $22.

The lowest price is usually set for compromised data of American banks, they, on average, go for $8-10 for fresh text card data and $16-24 for dumps. Traditionally high price on European bank cards: $18-21 per text, $100-120 per dump. Russian cards remain rare in large cardshops, most of which do not work "by RU." Cards of Russian banks are usually in the middle price range, while since the last period the average price per dump has increased significantly - from $48 to $71 (4,500 rubles) and the price per text has slightly decreased from $15 to $12 (760 rubles). At the same time, the maximum price for a dump card of a Russian bank in 2018 reached $170 (10,000 rubles), and in 2019 rose to $500 (32,000 rubles).

JS sniffers have become the next trend working to increase the volume of text data of bank cards on sale. This year, Group-IB experts have identified at least 38 different families of JS sniffers, their number is growing and already exceeds the number of banking Trojans. In terms of the scale of compromise with the help of JS sniffers, the first position is taken by the United States, and the second by the United Kingdom. This threat will be relevant primarily for countries where 3D Secure is not common.

Phishing - remains a "long-playing" method of fraudsters obtaining text data about users' bank cards. Competition in this segment is growing: attackers began to use panels to control web injections and auto-alerting, which were previously the prerogative of banking Trojans. The developers of phishing whales began to pay more attention to self-defense: they use blocking subnets of security vendors, hosting companies, give phishing content only from the IP addresses of the region where their victims are located, redirect them to legitimate sites, check abnormal user-agents.

New Android virus has lost Russian banks

At the end of November 2019, it became known about the attack of a new virus on Russian. banks This Trojan is able to automatically transfer funds through banking mobile applications for, operating system Android experts said. Group-IB More. here

Russian-speaking hackers stopped attacking banks in the Russian Federation and switched to foreign

Russian-speaking hackers stopped attacking banks in the Russian Federation and switched to foreign credit organizations. This was announced at the end of November 2019 by Group-IB in its Hi-Tech Crime Trends 2019 report, compiled based on the results of a study for the second half of 2018 and the first half of 2019.

According to experts, until 2018, Russian-speaking hacker groups more often attacked banks in Russia and the CIS, but then this trend changed dramatically. Cybercriminals "often begin to work in their region: this was the case with Cobalt, with Silence in Russia, as well as with SilentCards in Africa."

Home "regions are a test site for them: having worked out the equipment, they go further. For example, the same "Russian-speaking troika" focused on goals in Asia, Africa, Europe and America, a representative of Group-IB told RBC.

Kaspersky Lab confirmed to the publication the existence of such a trend and noted that hackers are now active in less secure countries in Eastern Europe, the CIS, Asia^[19]

Experts pointed to five groups that, in their opinion, pose a real danger to banks: three of them (Cobalt, Silence, MoneyTaker) are considered Russian-speaking, two more groups are North Korean Lazarus and Kenyan SilentCards.

For the 12-month study period that ended in June 2019, Cobalt and Silence conducted only one confirmed successful attack on Russian banks and concentrated on foreign goals, which led to a multiple reduction in damage from them in the Russian sector, the report said. MoneyTaker attacked twice (in the second case, damage was prevented).

Cobalt robbed a Russian bank in September 2018, another attack was launched in November. Silence in February 2019 managed to steal 25 million rubles from Omsk IT Bank, the report says.

Current IT security issues for banks

Digital transformation increases the quality, speed of interaction between consumers of financial services and financial organizations, but at the same time creates additional risks.

According to Konstantin Markelov, head of the R&D department at OTR, key security risks in the credit and financial sector include:

• financial losses for financial services consumers that undermine confidence in modern financial technologies;
• financial losses of individual financial institutions that could have a critical impact on their financial position;
• disruption of operational reliability and continuity of financial services, resulting in reputational damage and increasing social tensions;
• the development of a systemic crisis in the event of information security incidents due to cyber attacks in organizations significant for the financial market.

In Russia, according to the Center for Monitoring and Responding to Computer Attacks in the Credit and Financial Sector (FinCERT) of the Bank of Russia, the volume of unauthorized transactions from the accounts of legal entities in 2018 amounted to 1.469 billion rubles. (in 2017 - about 1.57 billion rubles, in 2016 - about 1.89 billion rubles, in 2015 - about 3.7 billion rubles). "The decline is obvious and this is a positive fact," says Konstantin Markelov.

In Russia and abroad, the volume of unauthorized transactions using payment cards issued by Russian credit institutions in 2018 amounted to 1.384 billion rubles. (in 2017 - 0.961 billion rubles, in 2016 - 1.08 billion rubles, in 2015 - 1.14 billion rubles). "A multidirectional trend is noticeable here, which is bad," adds the OTR expert.

In his opinion, since digital transformation qualitatively changes the technology of providing financial services, the Bank of Russia at the regulatory level (and each bank at the level of internal regulations and security policies) should formulate new approaches to information security and cyber stability of the financial system, taking into account the following factors:

• changing the architecture of information systems (including the use of distributed register technologies);
• Remote access to financial services and the widespread use of mobile technology
• application of new promising technologies for information security and cyber resistance (Big Data, artificial intelligence, robotization);
• "Internet of Things" as an element of the payment space.

Speaking about the IT security problems of banks, domestic experts most often mention such tasks as the need to protect data, combat fraud and counter targeted attacks.

Data Security

There are more and more systems where a lot of data is collected. In addition, the data is becoming more expensive. Therefore, the task of ensuring the safety of working with them is becoming increasingly important, but not to the detriment of the ability to process them.

As Mikhail Komarov, director of Informatica at DIS Group, notes, previously access to them was significantly limited to protect data. Now this is impossible: such a restriction will slow down business development. Therefore, control over the access and use of data by employees within the organization will be strengthened. In addition, the demand for intelligent data depersonalization solutions will grow, which, on the one hand, protect data, on the other, preserve its features and the ability to process them.

Importantly, these will be tools for both data depersonalization in non-industrial environments and real-time depersonalization in productive systems, says Komarov.

According to Dmitry Pudov, Deputy General Director for Technology and Development of Angara Technologies Group, the relevance of data protection issues is associated with the implementation of a large number of projects that transform the bank's IT landscape - the introduction of systems for analyzing big data, robotic editing, projects for personalizing proposals (related to ML, social mining).

Given the transformation of the approaches used in development and the focus on the speed of delivery of new systems and products, information security risks increase significantly. And this, in turn, forces banks to actively consider methods and solutions that make it possible to find a reasonable compromise between information security risks and the speed of development and launch of new services on the market. Recently, we have noted the interest of banks in the following classes of solutions: privileged user controls, containerization security, Big Data security, open source software analysis and security, he says.

Internal fraud

Sergey Kosetsky, commercial director of X-Com, believes that the protection of information systems of large banks is quite high, and therefore the focus of threats from classic cyber attacks is shifting to the human factor. Evidence of this is a series of high-profile scandals of recent times related to the leakage of personal data of bank customers from the top ten.

Rustem Mannanov, an expert at ICL System Technologies, adds that to protect against an unscrupulous employee, it is worth using User Behavior Analytics class systems. They allow early detection and prevention of incidents. These solutions use approaches such as rule-based scenarios, predictive technologies, machine learning, and anomaly detection.

Ilya Polessky, Director of Business Development at DTG (direction in the Lanit group of companies), considers the most acute problem for banks to be internal security and interaction with partners who disclose data on the main business. According to him, information protection is now associated not only with many products that were not previously available, but also with an abundance of systems integrated into banking activities.

The notorious human factor is what you have to face at all levels of interaction between a financial institution, he notes.

External fraud

With permission to use citizens' biometrics for identification and remote provision of banking services, new types of fraud have also appeared. For example, attackers try to take possession of the "voice profile" of clients through recording phrases and commands in order to pass identification and gain access to operations with funds. Two-factor authentication using the phone also gives fraudsters a field of activity - a SIM card or gadget of a bank client will make it possible to take possession of his accounts.

The main threats also include social engineering fraud. Cases of fraud are also increasing - both telephone and phishing. These are attempts to illegally obtain information from bank customers regarding their plastic cards.

To solve the described problems, the implementation of a variety of solutions is required, ranging from data masking, to various organizational measures, - notes Maxim Tikurkin, CEO of SysSoft.

According to Maria Bar-Biryukova, Deputy General Director of Korus Consulting Group of Companies, to combat these threats, you need to maintain a balance of security and convenience - use automatic monitoring tools, situation centers, and proactively work with users and clients.

Countering targeted attacks

Over the past few years, the most pressing problem has remained the issues of countering targeted attacks. In the event of a successful attack, losses can be measured in tens or even hundreds of millions of rubles, so banks are actively investing in modern means of detecting attacks in the early stages.

Almost all solutions lead to an increase in operational costs for information security, since the means of detecting the signs of cyber attacks require subsequent operational analysis by specialists. This is also due to the increased interest and investment of banks in the creation and development of cybersecurity centers Security Operations Center (SOC), which are a response to the increasing requirements of banks for the operational efficiency of information security units, "says Dmitry Pudov, Deputy General Director for Technology and Development Angara Technologies Group.

According to Pyotr Filatov, commercial director of Oberon, the principle of choosing a "victim" bank is simple: the more business, the more attention and more serious the potential losses that can cost more. For example, user data leaks will cost a large bank many times more in money and reputation: according to Sberbank, losses from cyber attacks in our country are about 650 billion rubles. annually, while the number of incidents continues to increase.

Checks by the Central Bank of the Russian Federation show that not a single bank in Russia fully fulfills its requirements in the field of information security. In 2018, the Central Bank published a standard that regulates the interaction of banks with FINCERT. Studies show that only 25% of banks in Russia use digital innovation along with cybersecurity tools. 44% of banks are limited to infrastructure protections.

Participation in initiatives such as fast payment systems and a "digital citizen profile," as well as the creation of OpenAPI-based partner ecosystems, require banks to take new approaches to cybersecurity. Encryption, blockchain, machine learning and analytics are expected to be used to improve information security measures in the coming years. As a result, more than 50% of security alerts will be processed automatically and in real time based on artificial intelligence. If you look a little into the future, then behavioral biometrics and quantum information encryption technologies will be used to ensure cybersecurity, "says Alexander Rozhkov, sales director of the services department of Softline Group of Companies.

Bell Integrator believes that while the entire fight against cyber crimes is focused on the attacks themselves, it will be more or less parity: increasingly advanced security systems against increasingly advanced hacking and theft tools.

The turnaround is likely to come when the attention of the defending side finally shifts from the attacks themselves to dealing with their consequences. We mean the possibility of rolling back any fraudulent transactions, which will actually call into question the attacks themselves. After all, if the funds you stole can be seized back as easily as they got into your pocket, then the meaning of the theft operation itself becomes dubious. This will not happen tomorrow or even, perhaps, in the next ten years, but blockchain technology creates obvious prerequisites for this, so sooner or later it will definitely happen, "said Andrei Ezrokhi, director of strategic business development at Bell Integrator.

Positive Technologies: APT group technicians in attacks on credit and financial institutions

On October 10, 2019, the company Positive Technologies reported that its experts analyzed the tactics and techniques of ten APT groups that attacked financial companies over the past two years^[20]found out that each of them resorted to, and in to phishing search of bank systems on the network criminals use legitimate utilities for administration and compromised credentials. data More. here

Bank botnet Geost infected 800 thousand. Android devices in the Russian Federation

On October 3, 2019, researchers from Czech the University of Technology, the National Kuyo University Argentina , and the company Avast discovered one of the bank botnets called Geost. The harmful victims of Android RUSSIAN FEDERATION the campaign were at least 800 thousand owners of devices in, in particular, attackers gained access to their bank accounts, in which a total of several million euros were stored. More. here

Central Bank: the number of fraudulent calls with the substitution of bank numbers is growing sharply

On September 27, 2019, it became known about the frequency of fraudulent calls in Russia with the substitution of the bank number. According to the Central Bank, in June-August alone, fraudsters managed to replace about 200 bank numbers.

According to Kommersant, in the summer of 2019, the Central Bank sent information to telecom operators about more than 2.5 thousand numbers from which calls to Russian customers were received. At the request of the financial regulator, operators in 218 cases blocked the number, in 59 - imposed restrictions on the use of financial services, and in 198 - found a substitution of the bank number. However, in more than two thousand cases, no measures were taken due to the lack of legal grounds.

The share of calls with bank number substitution by mid-summer reached 35% of the total number of fraudulent calls, said Ilya Suloev, deputy director of the Otkritie information security department |. Rosbank faced a wave of calls from scammers in early July. Alfa-Bank also recorded the substitution of the number.

A new surge in fraudulent calls was recorded in September 2019, Artem Sychev, First Deputy Head of the Information Security Department of the Bank of Russia, told the publication. According to him, legislative amendments will also be required to implement technical protection measures.

Many of the Central Bank's appeals received in the summer were "technically incorrect," a representative of VimpelCom explained to the publication. According to him, sometimes the lists provided for blocking numbers indicated those that banks use for outgoing calls to customers. Blocking such numbers would lead to the fact that banks could not get through to customers, the operator noted.

The statistics of the Central Bank reflect only a small part of the problem, Vlad Wolfson, commercial director of MegaFon, told the publication.^[21]

Trend Micro: Banking Security in PSD2

On September 24, 2019, Trend Micro presented a study on the state of banking security within the framework of the payment directive of the European Parliament and the European Commission, PSD2. In a study by The Risks of Open Banking - Are Banks and their Customers Ready for PSD2? talks about the risks that financial structures will have to face, and about the possible methods of cybercriminals who want to take advantage of the vulnerabilities of the Open Banking system.

An updated version of European Union the PSD2 payment directive, also called Open Banking, entered into force on September 14, 2019. The purpose of the PSD2 was to provide users of bank services with additional opportunities and more control over their banking. data The directive also gives third-party companies that specialize in financial technology and provide their services to banks and customers, equivalent banks access to users' data for analyzing and providing financial recommendations.

The PSD2, which will replace the first version of the directive approved in 2007, more clearly describes specific data protection procedures, the rights and obligations of service providers and users, and the purpose of the updated directive is to stimulate innovation and competition in the financial sector. And while it is designed primarily for EU member states, the action and consequences of PSD2 adoption will extend far beyond the European Union. The directive is considered an important step for the entire industry, as it takes full control of customer data from banks and gives users the right to share this information with other financial service providers.

To comply with security PSD2 requirements, banks open their API fintech own companies (when these companies create the data necessary infrastructure for data security and customers agree to transfer this data). But there are a number of concerns about the real readiness of the banking sector and fintech companies to work in PSD2.

Customers who choose to use Open Banking system applications to store and manage their financial data are entering into a completely new relationship of trust: they previously disclosed this information to institutions with a long history and established reputation, and now the data will be transferred to much less well-known third-party service providers who do not have such experience in combating fraud. At the same time, bank protection systems will receive less data to train and identify cases of fraud in real time, as the financial information of their clients will begin to "spray" on several organizations.

Despite the fact that customers will be better aware of phishing and the methods that cybercriminals use to obtain their data, attackers will have new opportunities to deceive - for example, criminals can call themselves representatives of fintech companies working with banks. Also, the adoption of the directive will surely lead to the emergence of new phishing schemes.

Banks have more than once been noticed in the disclosure of personal data of their customers, which were contained in clear text in the URL of their systems and API. At the same time, some fintech companies use clearly insufficient security measures and risky methods of collecting data, for example, screen scanning (collection and analysis of screen data). Therefore, it is very possible that cybercriminals will be able to find vulnerable applications and functions that they will try to use immediately after starting the system.

For attackers, information about banking transactions is extremely valuable - it helps to identify the behavioral patterns of users, their habits, schedule and financial status. Therefore, agencies advertizing that distribute spam and advertise dubious content, as well as some state institutions related, for example, to security or intelligence, will be willing to pay for access to such data.

Over the year of operation, the cyber threat data exchange platform helped banks prevent damage of 8 billion rubles

On August 29, 2019, BI.ZONE, together with the Association of Russian Banks, announced the summary of the first year of operation of the cyber threat data exchange platform, which has already included about 70 financial organizations. During the year of operation, the platform helped banks prevent damage of 8 billion rubles. Read more here.

Amavaldo banking Trojan uses screenshots to steal information

On August 8, 2019, the international antivirus company ESET announced that it had studied a number of banking Trojans that attack Latin American users. Read more here.

Check Point: The number of attacks on mobile banking in the first half of the year increased 2 times

On August 1, 2019, Check Point Software Technologies released the Cyber Attack Tracks: 2019 Mid-Year Report. Hackers continue to develop new toolkits and methods that target corporate data stored in cloud infrastructure; personal mobile devices; various applications and even popular email platforms. None of the sectors are fully protected from cyber attacks, the researchers note. Read more here.

German banks refuse to support authorization using a one-time SMS code

Several German banks announced in July 2019 plans to abandon the use of one-time SMS passwords as a method of authorization and confirmation of the transaction. The reason for the rejection of one-time SMS passwords is the new EU legislation, which will enter into full force on September 14, 2019^[22].

Handelsblatt says Postbank will withdraw support for one-time SMS passwords in August, Raiffeisen Bank and Sberbank Europe (formerly Volksbank AG) in the fall, and Consorsbank will do so by the end of 2019. Deutsche Bank and Commerzbank also plan to withdraw support, but have not yet announced a timeline. Other banks, such as DKB and N26, have never used the technology, and ING has not yet made public statements about its plans.

In 2015, the EU revised the first 2007 directive on payment services (a set of rules governing online payments in the EU) and issued an updated version of PSD 2 requiring the implementation of robust customer authentication mechanisms.

Over the past few years, the number of attacks using the "SIM swapping" method has increased, thanks to which a fraudster can deceive a telecom operator and transfer the user's phone number to another SIM card, gaining access to the user's online accounts with banks and cryptocurrency exchanges.

Cybersecurity experts have been warning against using one-time SMS passwords for several years, but not because of SIM swapping attacks. The problem lies in the inherent and unrecoverable shortcomings of the OKS-7 protocol (SS7), which is used to configure most telephone exchanges around the world. Vulnerabilities in this protocol allow attackers to stealthily steal a user's phone number, even without the provider's knowledge, allowing them to track its owner, as well as authorize online payments or login requests.

Cybersecurity experts recommend using authentication applications or hardware tokens instead of SMS-based authentication.

97% of large banks are vulnerable to cyber attacks

On July 10, 2019, it became known that only three banks out of a hundred received the highest rating in terms of ensuring the security of their sites and implementation SSLenciphering-.

The vast majority of large financial institutions from S&P the Global rating are vulnerable to. hacker to the attacks This the Swiss conclusion was reached by ImmuniWeb specialists following a large-scale study, which examined 100 sites owned by large banks, 2,336, 102 subdomains banking applications, Internet 55 and 298 mobile banking applications API mobile banking applications.

Experts analyzed a number of criteria, including security measures, compliance with the requirements of the General Protection Regulation data EU (), GDPR compliance with standards (), PCI DSS the use of outdated and vulnerable, software the implementation of SSL/encryption, etc.TLS

On the sites of 31% of banks, vulnerabilities or incorrect configuration were found, and 5% of sites contained known vulnerabilities that were exploited, and 13% of resources lacked encryption or there were exploitable vulnerabilities. At the same time, only 4% of sites did not find any problems.

According to experts, 40% of Internet banking applications are vulnerable or contain problems related to incorrect configuration, 7% contained known vulnerabilities, and 2% of applications lacked encryption. Only 15% of the total number of applications studied turned out to be safe.

In terms of PCI DSS compliance, 62% of sites and 58% of internet banking applications performed well, while 38% of sites and 49% of applications failed verification. In the GDPR compliance category, the situation is much worse - only 39% of sites and 17% of Internet banking applications comply with the requirements of the regulations.

The study also found that 29% of sites contain at least one known and uncorrected medium or high-risk vulnerability. Among the most common vulnerabilities were XSS vulnerabilities, as well as problems related to the risk of data disclosure and incorrect settings.

55% of mobile banking applications studied contained vulnerabilities that revealed sensitive banking data, 100% of solutions - at least one minor vulnerability, 92% - at least one medium-risk vulnerability, and 20% of applications were exposed to at least one serious vulnerability^[23].

A resident of the Krasnoyarsk Territory stole funds from other people's accounts using malware

In May 2019, it became known that employees of the "K" department of the Ministry of Internal Affairs in the Chuvash Republic identified a cybercriminal who stole money from other people's bank accounts using a malicious program. The suspect turned out to be a 31-year-old resident of the Krasnoyarsk Territory, who had previously been prosecuted.

According to^[24] in May 2019, the press service of the Ministry of Internal Affairs in the Chuvash Republic, in the spring of last year, the police departments of the cities of Cheboksary, Novocheboksarsk and Kanash simultaneously received three statements from citizens about the theft of funds. An unknown person transferred money from their accounts, but the victims did not receive any SMS messages about the transactions carried out and learned about what had happened only by logging into the mobile application. The attacker stole 10 thousand rubles from two citizens, and a resident of Kanash lost 47 thousand rubles.

Specialists of the "K" department studied the mobile devices of the victims and found malware on them that blocks messages from the bank. The malware hit the phones along with popular instant messengers downloaded from unofficial sites.

A criminal case was initiated against a resident of the Krasnoyarsk Territory under Part 2 of Art. 273 of the Criminal Code of the Russian Federation "Creation, use and distribution of malicious computer programs." According to the Ministry of Internal Affairs, he had previously been prosecuted under Art. 138.1 of the Criminal Code of the Russian Federation "Illegal circulation of special technical means intended for secretly obtaining information."

The suspect is currently under recognizance not to leave. The damage caused to the victims was fully compensated.

TAdviser Card: Information Security Technology Providers for Banks

In April 2019, the TAdviser analytical center released the Information Technologies in the Bank card, which reflected the structure of key banking business processes and noted IT companies developing products and providing services for the digitalization of these processes. The card covered 270 market players - 230 suppliers of IT products used to digitalize the main banking processes, and 40 developers of information security solutions (more).

Positive Technologies: All online banks are exposed to the threat of unauthorized access to bank secrecy

On April 5, 2019, Positive Technologies reported that its experts assessed the level of security of online banks in 2018 and found that 54% of the examined systems allow attackers to steal money, and all online banks are subject to the threat of unauthorized access to personal data and bank secrecy. According to the analysis, most of the studied online banks contain critically dangerous vulnerabilities. As a result of work to assess the security of online banks in each investigated system, vulnerabilities were discovered that could lead to serious consequences.

The threat of unauthorized access to customer information and bank secrecy, for example, to bank statements or payment orders of other users, turned out to be relevant for each investigated online bank, and in some cases the vulnerabilities allowed developing an attack on the resources of the bank's corporate network. Research by Positive Technologies shows that the data is among the TOP most popular products for sale on the darkweb. At the same time, the share of credentials and bank card data directly accounts for more than 80% of the total amount of data sold. The average cost of data for one online bank user is $22. UNITED STATES.

During the analysis, 77% of the surveyed online banks found shortcomings in the implementation of two-factor authentication mechanisms. According to Positive Technologies analyst Yana Avezova, some online banks do not use one-time passwords for critical actions (for example, for authentication) or have too long a validity period. Experts attribute this to the fact that banks are striving to find a balance between safety and usability.

{{quote "Abandoning even some security measures in favor of convenience increases the risk of fraudulent transactions. If there is no need to confirm the operation using a one-time password, the attacker no longer needs access to the victim's mobile phone, and too long a password validity period increases the chance of its successful selection, since in the absence of restrictions on the selection, a one-time password of four characters can be selected in a matter of minutes, "said Yaroslav Babin, head of the Positive Technologies banking system security research group. }}

Comparative analysis showed that the studied ready-made solutions offered by vendors contain three times fewer vulnerabilities than systems developed by banks on their own. But the number of vulnerabilities in productive and test systems has equaled: according to statistics, in 2018, both of these types of systems in most cases contain at least one critically dangerous vulnerability. Experts attribute this to the fact that developers, having tested the system once for security, tend to postpone a repeated security analysis after making changes to the program code, which inevitably leads to an accumulation of vulnerabilities, and over time their number becomes comparable to that found during the initial check.

The main positive trend in the security of financial online applications in 2018 was a reduction in the share of high-risk vulnerabilities in the total number of all identified shortcomings. According to Positive Technologies experts, the share of critically dangerous vulnerabilities has halved compared to 2017. However, in general, the level of security of online banks remains low.

2018

75% of banks are vulnerable to social engineering attacks

On July 5, 2019, the company Positive Technologies presented a summary data of the main types computer attacks in the credit and financial sector for 2018. The document was prepared by specialists FinCERT Bank of Russia together with leading the Russian companies in the field of incident investigation. information security

Assessing the security of the industry, Positive Technologies experts noted that three quarters of banks are vulnerable to social engineering attacks. In 75% of banks, employees follow the links indicated phishing in the letters, in 25% - enter their credentials in a false form; authentications also in 25% of financial institutions, at least one employee launches computer harmful an investment on his work. At the same time, phishing at the penetration stage is used by nine out of ten APT groups.

The security of the internal network of banks is far from perfect. The most common problems in server configuration are untimely software updates (67% of banks) and storage of sensitive data in clear text (58% of banks). More than half of the banks surveyed use dictionary passwords. Positive Technologies specialists, when conducting penetration tests, managed to gain access to ATM management from the internal network in 25% of banks.

The level of security remains low: mobile applications high-risk vulnerabilities are found in 38% of applications for iOS and in 43% of applications for platforms under management. 76% Android of mobile applications have identified unsafe data storage, which can lead to leaks to passwords, financial information and personal data of users.

Positive Technologies experts emphasize the efficiency of APT groups, which quickly apply the opportunities that have appeared in their activities. Thus, the Cobalt group conducted a malicious newsletter 34 hours after the publication of information about the zero-day vulnerability of the CVE-2018-15982. In total, this group in 2018 completed 61 mailings to credit and financial institutions in Russia and the CIS countries.

Another APT group - RTM, which has 59 mailings in 2018 - used domains in the censorship-protected decentralized.bit zone as one of the control centers. However, the features of the blockchain architecture played against the attackers. PT Expert Security Center specialists have developed an algorithm for tracking the registration of RTM group domains (or changing their IP addresses), which allows you to notify banks about emerging control servers a few minutes after the start of their use by attackers (and sometimes before malicious mailing).

Despite the overall rise in attacks in 2018, the financial damage was significantly reduced from the previous year. This is largely facilitated by information exchange within the industry, in particular the launch of the FinCERT automated incident processing system (ACOI). According to FinCERT, the damage to Russian credit and financial institutions from attacks by the Cobalt group in 2018 amounted to at least 44 million rubles, and from attacks by the Silence group - at least 14.4 million rubles. In total, FinCERT received information about 590 attacks on credit and financial institutions, including 177 targeted attacks.

Despite the fact that the FinCERT information exchange system has reduced the amount of losses of banks, the danger of targeted attacks is still high. APT groups are constantly improving attack techniques, improving the quality of mailings, monitoring the publication of vulnerabilities, acquiring zero-day vulnerabilities and introducing them into their arsenal in a matter of hours. Credit and financial institutions can no longer prioritize the traditional construction of protective barriers. The situation has changed: criminals have learned to bypass antiviruses, sandboxes, IDS systems. Banks should assume that a hypothetical attacker is already inside their perimeter; the main task is to minimize the time of his presence in the IT infrastructure and deprive him of the opportunity to act,

Qrator Labs: More than 55% of banks noted an increase in their information security budget since 2016

On March 5, 2019, a company Qrator Labs specializing in countering - and DDoSto the attacks ensuring the availability Internet of - resources presented the results of the study in information security financial sector 2018. The survey was organized among banks and payment systems operating in. Russia The sample includes banks from the TOP 200 rating by assets.

Qrator Labs noted that the number of cyberattacks in the banking sector continues to grow both globally and in Russia, while the attacks themselves are becoming technically more and more complex. The largest players in the industry note an increase in the number of attempted incidents by 1.5-2 times compared to the indicators for the same period in 2017. Awareness of the scale of the problem and risks drives increased investment by most banks in security systems.

55.3% of respondents participating in the study for two years noted an increase in their information security budget since 2016. Also, 35.3% of respondents increased their budget in 2017, and 10.6% of respondents adapted their information security budget to growing threats continuously for two years (2016-2018).

More than half of the respondents note among the most significant consequences of information security incidents financial costs, another half - reputational. An increase in the risk of license revocation is recorded by a third of respondents (a year earlier - about a quarter).

The reaction of financial institutions to European data protection regulation is noteworthy. About a quarter of the banks surveyed note that in 2018 they have already brought their systems in line with the requirements of GDPR (General Data Protection Regulation), and about a third plan to implement this task in the coming year.

"Considering that the GDPR requirement is not presented by Russian legislation, that is, it does not imply the imposition of sanctions and the revocation of the Central Bank's license, the fact that already a quarter of banking systems comply with European regulation standards indicates a high prioritization of banks working with clients with European passports. Most importantly, we see that banks continue to take legally prescribed security seriously in any form. " Artem Gavrichenkov, CTO, Qrator Labs

Stimulates the replacement of previously introduced information security tools, their insufficient level of protection against the background of growing threats, which is confirmed by pentests or already recorded incidents (62% of respondents, 53% - a year earlier). 31% see such a need in the situation of switching to other infrastructures (clouds, etc.), where the solutions used cease to be effective (more than a quarter - a year earlier).

When choosing a WAF (web application firewall) solution, 68% of respondents are guided by solving real technological problems: from protection against zero-day attacks to monitoring the security of frequently updated code. At the same time, for a third of respondents, the key factor is formal compliance with the PCI DSS standard .

More than half of respondents from the financial sector note that in 2018 the level of DDoS threats increased (a similar result was recorded a year earlier). According to another quarter of the respondents, the number of attacks remained unchanged over the same period (more than a third - a year earlier).

More than half of respondents also indicate that they have faced DDoS attacks over the past year (last year there were 26%). In addition to DDoS, the most frequently surveyed companies from the financial sector still face phishing (46%). More than a third claim to have avoided information security incidents over the past year.

"Among the reasons that could provoke such an increase are a sharp drop in the rates of all cryptocurrencies. DDoS attacks remain one of the simplest methods of monetization and malware software, be it infected servers or botnets based on personal computers and phones. In 2017, attackers had the opportunity to use botnets and hacked servers to mine cryptocurrencies with some benefit. As you know, the main costs of mining are electricity, and if access to a computer is obtained in an illegitimate way, then the attacker does not have to pay for energy, and he receives cryptocurrency "out of thin air" regardless of its volumes. In 2018, not only due to the fall in exchange rates, but also the categorical instability of the cryptocurrency exchange rate for cybercriminals, the "good old" ways of making money on botnets have regained a certain attractiveness: conducting attacks for the purpose of extortion. " Artem Gavrichenkov, CTO, Qrator Labs

The majority of respondents (65%) consider hybrid solutions (on the client side with a carrier solution or a distributed network) to be the most effective means of countering DDoS.

As noted in Qrator Labs, the increase in the number of banks attracting external solutions to protect against attacks is also largely due to the increased level of threats in 2018 and the increase in the number of high-speed DDoS attacks using memcache-based amplification techniques, LDAP amplification, attacks using CoAP protocol (Constrained Application Protocol), etc.

Group-IB: more than 70% of banks are not ready to withstand cyber attacks

On February 19, 2019, Group-IB an international company specializing in prevention cyber attacks analyzed the high-tech crimes of 2018, to which its cyber crime experts were involved. According to to data the study, the bulk hacker of the attacks traditionally fell on the financial sector, while 74% of banks were not ready for cyber attacks, 29% were found to have active infections, and in malware 52% of cases there were traces of attacks in the past. Dangerous trends in 2018 include cross-border attacks triggering a "chain reaction," leading to multiple infestations of financial institutions. In 2018, the Group-IB response team recorded the use of this vector in both East and Russia East. To Europe

The total number of reactions (Incident Response) of the Group-IB Computer Forensics Laboratory has grown more than 2 times compared to 2017 year. The main threats faced by the affected companies are led by targeted attacks, competitive espionage, attacks using ransomware viruses, cryptomining. The main conclusion of Group-IB forensic experts is that the vast majority of Russian companies that became victims of hacker attacks in 2018 did not have a plan for responding to a cyber incident, were not ready to mobilize the work of specialized units in a short time and are not able to organizationally and technically resist the actions of attackers. Group-IB experts draw attention to the high probability of repeated incidents in such companies.

Risk group: banks are not ready to repel a cyber attack

According to a Group-IB study, banks accounted for about 70% of hacker activity in 2018. Schemes for cash out by hackers remained the same: through bank cards opened in advance, bank cards, accounts of one-day law firms, payment systems, ATMs and SIM cards. At the same time, the speed of cashing out in Russia increased several times: if 3 years ago the withdrawal of an amount of 200 million rubles, on average, took about 25-30 hours, then in 2018 the company faced a precedent when the same amount was cashed out in less than 15 minutes at a time, in different cities of Russia.

Analyzing the data obtained as part of responses to cyber incidents, experts concluded that 74% of banks attacked in 2018 were not ready for hacker attacks: 60% are no longer able to centrally manage their network, especially in a geographically distributed infrastructure, about 80% do not have sufficient depth of event logging for more than a month, more 65% spent more than 4 hours coordinating work between units. At the same time, the average number of hours spent on meetings, approving access, routine work within the framework of one response when an incident occurs was 12 hours.

Chain reaction

The Group-IB study reveals not only inconsistency in the work of internal divisions and a weak study of organizational procedures necessary to establish the source of infection, the scale of compromise and localization of the incident, but also insufficient technical training of bank personnel. According to the company, 70% of organizations lack or lack specialized skills in finding traces of infection and unauthorized activity on the network. The same number do not have clear procedures for independently identifying the compromise of hardware and software. High risks are borne by the unwillingness of technical specialists to promptly respond to the incident: more than 60% of the affected banks are not able to carry out a centralized one-time change of all passwords in a short time, which allows hackers to attack new targets from inside the hacked bank infrastructure.

A bank whose infrastructure has been compromised may not just lose cash, but also become a threat to other financial market players. By attacking the target, a financially motivated hacker group seeks to maximize the benefits: by gaining control over the bank's systems, it is interested not only in withdrawing money from it, but also in infecting the maximum number of victims. For this purpose, the "domino principle" is launched - malicious mailing from the compromised infrastructure is based on the lists of the bank's partner companies. Such a vector is dangerous, primarily because letters are sent from a real bank, that is, the sender is not forged, which increases the likelihood of opening them in a partner bank. This triggers a chain reaction that can lead to multiple infections of financial institutions. In 2018, we recorded the use of this vector both in Russia and in Eastern Europe.

"Double bottom" cyber attack

According to Group-IB, at least 17% of the companies in which the response was carried out were re-exploited by previously unresolved vulnerabilities within a year after the last infection. In the overwhelming majority of cases, this was the result of non-compliance with recommendations to eliminate the consequences of the cyber incident, as well as negligence on the part of bank personnel. In addition, during 2018, 29% of financial sector organizations were found by Group-IB experts to have active infections, the existence of which the internal information security service had not previously suspected. In 52% of cases, traces of attacks in the past were found.

In 2018, the Group-IB response team recorded cases when a cyber incident led to the creation of a sharply negative background around the bank, which provoked an information attack, reputational losses, and in some cases, withdrawal from the market.

A negative background is being created around the bank intentionally or in fact: assessments of potential damage, an unacceptably low level of protection, a probable revocation of the license. This leads to an outflow of customers and partners, the bank is faced with insufficient capitalization. The use of a cyber attack as a tool to damage reputation and drive a competitor out of the market is another dangerous vector that could potentially develop further, since the level of cybersecurity of small banks is still extremely low.

The situation in the information security market of banks in 2018

Automation of business processes in the banking sector has gone beyond the application of standard solutions familiar to banks, such as ABS or RBS - systems for automating banking operations or remote customer service. Information technologies are trusted by more and more tasks to optimize atypical processes using new mathematical models and algorithms - this is automation of management of various types of risks, claim and claim work, solutions to combat fraud, etc.

When implementing a digital transformation strategy, a high-tech bank becomes much more vulnerable to cyber threats, said Dmitry Livshits, CEO of Digital Design. Therefore, the goal of automation is not only to reduce operating costs by speeding up internal processes or providing new services to customers.

Information security comes first, and, I believe, in the next two years this direction will hold the lead among banking informatization trends, he notes.

Maxim Bolyshev, deputy director of the banking ON RS-Bank company's department, R-Style Softlab says CENTRAL BANK the banking sector is currently under scrutiny as cyber attacks become more frequent, targeted not only by bank customers but also by banks themselves. In this regard Bank of Russia , he develops requirements for (cyber security for example, 382-P or 552-P) and insists on their implementation. The Central Bank organizes the participation of information exchange of banks with to FinCERT collectively combat cyber threats.

Vladimir Volkov, senior vice president of Technoserv, believes that the financial sector is a trendsetter in information security, a benchmark for the rest of the market. Banks are the most tasty piece for cybercriminals of various degrees of preparation and the opportunity to quickly monetize their skills and skills.

A large number of regulatory requirements in the field of information security apply to the banking sector, from traditional international PCI DSS and SOX, to new mandatory requirements issued over the past year by the Central Bank of the Russian Federation and Swift in the field of information security. Let me remind you that FinCERT first began its work and only now all other industries are starting to connect to the state system for countering computer attacks of STATE SYSTEM OF DETECTION, PREVENTION AND ELIMINATION OF CONSEQUENCES OF COMPUTER ATTACKS. Sberbank is building perhaps the largest corporate Security Operations Center (SOC) in the world - the fight against cybercrime is carried out daily, as attackers constantly find new ways to attack banks, says Vladimir Volkov.

Another key segment for banks is the provision of so-called "real" security.

Banks' understanding of the problems in protecting their information systems, the presence of logical holes is the preservation of not only the bank's funds, but also its reputation. Technoserv can offer banks protection against cyber threats, including technologies such as sandboxes, protection against targeted attacks, building SOCs with a special emphasis on working out methodology, processes (for example, incident response, vulnerability management), he adds.

banks An interesting situation is developing: on the one hand, it is necessary to rapidly bring new online products to the market and constantly change IT infrastructure in order not to lag behind the market; on the other hand, to ensure a high level of security. The main call for information security services is to find and maintain this balance.

A common solution to this problem is the formation of typical information security services, which are convenient to use IT and business, as well as a strong involvement in information security issues of these blocks, - said Vadim Shustov, Deputy General Director of Jet Infosystems.

According to him, from the point of view of regulation in the field of information security, in Russia the pressure on the financial sector is one of the strongest, but the regulator itself is obviously the most advanced in this area.

His demands are not an empty formality - they are really dictated by the sad examples of hacked banks. As a result, the requirements are tightened every year and their implementation, especially for small financial and credit organizations, is becoming more and more an unbearable task, Shustov believes.

Anatoly Naboka, director of corporate customer relations at SysSoft, believes that EDR solutions are of greatest interest from a security point of view - incident detection systems at workplaces with the ability to quickly respond to them. New interesting players appear on the Russian market in this segment: for example, predictive Carbon Black information security systems are now entering the market, combining the functionality of EDR, antivirus, managed search and threat sorting systems, as well as security solutions at the data center level.

Banks are interested in such tools, since they take a proactive approach: EDRs collect and analyze large amounts of data and help prevent new types of attacks previously unused by attackers. For a financial organization, this means a level of cyber defense that provides an obvious competitive advantage, "notes Anatoly Naboka.

Russians were given large sentences for stealing money from Internet banks

In Moscow, the consideration of the case of a gang of cybercriminals who hacked into the personal accounts of citizens in banks ended, after which various amounts of money were withdrawn from there^[25].

In total, we are talking about 30 episodes that fall under several articles of the criminal code: the creation, use and distribution of malicious computer programs, illegal access to computer information, fraud in the field of computer information. The group consisted of two leaders and four of their accomplices, all of whom received different terms.

"Brothers Dmitry and Yevgeny Popelyshy were sentenced to eight years in prison with a fine of 900 thousand rubles each, three more received sentences from four and a half to six years in prison with fines of up to 700 thousand rubles. They will serve their sentences in a general regime colony. Another defendant was sentenced to three years probation, but amnestied, "said Maria Mikhailova, press secretary of the Savelovsky court.

Information security problems of banks

In the Russian banking sector, there is an increase in the level of information security. Due to the emergence of a large number of cyber threats, financial organizations are moving from "paper" security to a real layered approach that is based on risk assessment. So in 2017, the number of information security incidents in the financial sector more than doubled compared to the previous year. Attacks occur both on customers - individuals and legal entities, and on banks and payment systems.

Low level of IS culture

The high proportion of successful attacks is primarily associated with a low level of information security culture among both customers and bank employees.

Neglect of the basic rules of cyber hygiene entails risks, for example, social engineering - a tool for cyber fraud, which can also serve as the beginning of a large-scale cyber attack, - explains Maria Voronova, head of consulting at InfoWatch Group of Companies.

The solution of the voiced problem, in her opinion, contributes to the high-quality regulation of information security issues in the industry - on January 1, 2018, a new GOST for the protection of information of financial organizations came into force. The standard offers an integrated approach to planning, implementing, monitoring and improving the information protection process in financial institutions.

Andrey Gridin, Head of the Information Security Solutions Department at Force - Development Center (Force Group FORS Group), believes that it is necessary to inform employees about the importance of security, conduct briefings on the basics of information security with examples from practice, introduce personal responsibility of each employee, and, if necessary, involve administrative resources.

A similar opinion is shared by Sergey Sherstobitov, CEO of Angara Technologies Group. According to him, the loss of confidential data, as a rule, is not associated with "holes" in IT systems or imperfection of technical means of protection, but with the human factor, therefore, special attention should be paid to training personnel in the field of information security and raising awareness in information security.

Anton Golovaty, director of business development at Lanit-Integration, adds that financial institutions have more and more of our data. At the same time, with the growth of the number of joint platforms, the amount of personalized data from banks and their partners will only grow, and the information will be even more detailed. Therefore, the question of protecting personalized data in the future will be even more relevant, he is sure.

Alexey Trefilov, director of ELMA, talks about the danger that lies in wait for customers.

Convenient banking services have become familiar to everyone. Paradoxically, the convenience and availability of banking services make us more frivolous. If everyone around them constantly uses the phone to pay for services and receive information about the status of the account, then this seems absolutely safe to us. Therefore, it is very easy to lose vigilance and, for example, accidentally allow some game on the phone to read your SMS, including from the bank, - he explains.

Phishing and DDoS attacks

According to a study by Qrator Labs, the most common companies in the financial sector face phishing (30%) and DDoS attacks (26%). Read more here.

Weak interaction between information security and IT specialists

As a rule, when building new or modernizing existing systems, information security specialists do not participate in the design process, but only "agree on the documentation," and information protection is limited to placing equipment in a secure segment, providing network access and distinguishing user rights, and after entering the system, information protection tools are "hung" on it. As a result, performance problems begin, says Andrey Gridin, head of the information security solutions department at Force - Development Center (Force Group FORS Group).

According to him, to solve the problem, the requirements for integration/interaction with the components of the information security system must be clearly formulated. IT specialists should be regularly briefed on the application/implementation of these requirements. The mandatory inclusion of the information security specialist in the design team at the stage of system design or modernization should also be regulated.

Mobile Workplace Protection

According to experts, it is no longer enough to ensure security at the level of a mobile application. When a personal device becomes a full-fledged workplace for employees, a broader but equally reliable way of protecting data is needed.

Dmitry Livshits, CEO of Digital Design, says that to eliminate this problem, his company has developed a solution that allows an arbitrary corporate customer application to be immersed in a secure environment, the so-called secure container. In it, you can work with any application on a personal device without worrying that the information will leak into the outside.

The integration of the application into the "container" is implemented by "wrapping" - automatically replacing the standard libraries used in the application for working with files, a local database and a network with their encrypted counterparts, he explains.

Security of mobile and internet banks

Maxim Nikitin, Vice President of Maykor, CEO of BTE (BTE), notes that in the banking sector, the security problems of mobile and Internet banks continue to remain relevant due to insufficient data encryption and the ability to launch a mobile application in public Internet networks, where there is a high probability of interception of traffic.

The solution lies on the surface and consists in the development and implementation of improved encryption systems and testing applications for the possibility of attacks in a public place, he explains.

Information Security Not Certified

Banks are faced with the fact that in order to process huge amounts of data that grow on a daily basis, they cannot increase resources in the same way endlessly. It makes sense to transfer at least part of the data to the clouds, where not only centralized resources concentrated in the data center, but also end workstations rush.

Therefore, the relevance of the transition to the clouds is growing, but with the implementation of the standards of the Bank of Russia and other regulatory documents in terms of fulfilling the requirements for information protection, notes Mikhail Golovachev, General Director of Amtel-Service. At the same time, the problem, according to him, is that many modern information security tools are not certified for compliance with information protection requirements.

Big cybercrime finances

Cybercrime is a huge, well-organized business that operates billions of dollars worldwide every year. Antivirus programs or data protection technologies do not always protect against cyber attacks, because hacker technologies are as constantly improving as security tools.

The main problem is that the financing of cybercrime is an order of magnitude higher than the funding of companies that are fighting it. As a result, IT criminals continue to grow their capabilities and the growing need for new IT security technologies. In general, information security employees will still be valuable personnel for credit institutions for a long time, - said Alexey Kolesnikov, sales director of iSimpleLab.

Yuri Goltzer, Technical Director of the CRM Department of Navicon, adds that the mechanisms for protecting customer information are constantly being improved, including the development of the latest encryption algorithms.

In 2017, testing of quantum encryption tools began: the Russian Quantum Center (RCC) launched the first quantum protection communication line in Russia between two Sberbank offices. Now experiments in the use of quantum computers to ensure data security are closely monitored by developers of blockchain projects. In addition, banks see prospects for protection against cybercrime in creating universal mechanisms for working together with governments and law enforcement agencies. According to market participants, in order to make markets, tools and systems of cybercriminals ineffective, it is necessary, first of all, to establish communication between banking systems of various countries, "says the representative of Navicon.

He also recalls that at the beginning of the year, American banks and online lenders Citigroup, Kabbage, Depository Trust & Clearing Corporation, Hewlett Packard and the Swiss Zurich Insurance Group announced the creation of a consortium on cybersecurity in the field of fintech - it will be managed by the World Economic Forum.

We see similar initiatives around the world. For example, the UK offices of Lloyds joins Barclays, Deutsche Bank, Santander UK and Standard Chartered have merged into the Cyber ​ ​ Defense Alliance. The tendency to unite against the general threat will only grow, - Yuri Goltzer is sure.

The Ministry of Justice ordered banks to conduct pentests and cybersecurity audits

Banks will be obliged to comply with new cybersecurity measures, among which information security audits, various penetration tests (penetration tests), and mandatory certification of used software equipment are mandatory. The document was signed in the summer of 2018 by the Ministry of Justice of the Russian Federation. Of course, compliance with these requirements will fall on the financial burden not only on the shoulders of banks, but also on the shoulders of their customers. Thus, the amendments to the position of the Central Bank of 382-P finally acquired a completed form and were registered by the Ministry of Justice. On June 26, two days ago, the Central Bank sent this document to banks. Now credit institutions will have to use software certified by the FSTEC.

Experts believe that in some cases banks do not pay due attention to certification, which leads to the subsequent detection of vulnerabilities in programs. Only financial organizations with strong information security specialists can afford security analysis. Pentests will now be held annually, according to the document, and every two years credit institutions will have to carry out an external cybersecurity audit. The main concern in this situation is the increase in spending. The Central Bank believes that spending will not be excessive.

Banks of the Russian Federation have the opportunity to block operations to withdraw funds through RBS systems

On June 5, 2018, the State Duma of the Russian Federation approved in the third reading a government bill aimed at countering theft of funds when performing operations using remote banking systems (RBS).

The document establishes the procedure for banks to act when identifying signs of illegitimate transactions - that is, transfers of funds made without the knowledge and consent of the account holder. The bank or the money transfer operator is obliged to suspend the execution of the order for a period of no more than two working days, as well as block the electronic means of payment for the same period, if signs of a money transfer are found without the consent of the client.

These characteristics are determined by the Central Bank of the Russian Federation. Along with this, the bank is invited to provide the right to perform similar actions when identifying additional signs of money transfer without the consent of the payer - their banks will have the right to establish independently in accordance with the requirements of the Central Bank.

After the suspension of the transfer of funds and the blocking of the electronic means of payment, the bank will be obliged to immediately request confirmation from the client about the possibility of executing the payment order (resuming the use of the electronic means of payment). Upon receipt of the client's confirmation, the bank will be obliged to execute the order (resume the use of the electronic means of payment) immediately, if not received, to perform similar actions after two working days.

In addition, a special procedure is introduced for the bank's actions aimed at returning funds to the rightful owner in the event of an unauthorized debit from the client's account. This procedure is intended only to protect legal entities: for individuals, the refund procedure was enshrined in an earlier law.

The bill enshrines the powers of the Central Bank to form and maintain a database on cases of money transfer without the consent of the client and determine the procedure for sending and receiving information from the specified database by money transfer operators, payment systems operators and payment infrastructure operators.

The banking system around the world suffers colossal losses due to the actions of cyber fraudsters who steal funds from the accounts of individuals and organizations, - said Dmitry Gvozdev, General Director of Information Technologies of the Future. - Attackers are constantly improving their tools used for theft, but illegitimate transactions always have certain indicators by which they can be identified. The proposed bill regulates the procedures to be taken if a suspicious transaction occurs. The only question so far is how competently the lists of signs of such transactions will be compiled - at the level of the Central Bank and individual banks.

The document will enter into force 90 days after its official publication; apparently, in the fall of 2018, it will already be in effect.^[26]

ECB to bring in hackers to probe financial sector cyber security

The European Central Bank (ECB) announced in May 2018 the launch of a cybersecurity verification program for the banking system. According to Kommersant, citing a bank statement, the systems will be tested for strength by full-time employees, as well as specially hired teams of hackers who will try to detect shortcomings by modeling real hacking attempts.

The corresponding project is called the European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU). The program is advisory in nature - the ECB emphasizes that EU member states can decide for themselves when and how to conduct inspections of their financial institutions.

During the tests, it is proposed to use "a full range of techniques used by real hackers." In particular, the ECB proposes to subject critical systems of financial institutions to conditional cyber attacks.

Based on the results of the inspections , recommendations will be made to improve the specific security system of a particular financial institution, the ECB specified. At the same time, the explanations to the TIBER-EU program say that "the authorities will recognize the passage of tests only if not only internal specialists, but also external parties participate in them."

Positive Technologies: Banks' web applications are most vulnerable

Positive Technologies specialists prepared statistics on web application vulnerabilities, which were investigated as part of the work on automated security analysis using PT Application Inspector in 2017.

An automated analysis of the source code found that all web applications have vulnerabilities, with only 6% of the systems examined lacking high-risk vulnerabilities.

The financial sector is most at risk, as expected (its share is 46% of the total number of web applications investigated). High-risk vulnerabilities were found in all applications of banks and other financial institutions.

Financial, as well as government organizations, Positive Technologies experts say, are most interested in analyzing the source code, since their web resources are priority targets for cybercriminals, which is confirmed by the company's regular analytical reports.

Automated security analysis using PT AI showed that all tested web applications contain vulnerabilities of varying degrees of risk. When classifying vulnerabilities by risk, it was found that most of them (65%) belong to the average level of danger, 27% to the high level.

The most common vulnerability identified by automated analysis of application source code is "Cross-site scripting," with which an attacker can carry out phishing attacks on web application clients or infect their workstations with malicious software (found in 82% of tested systems).

Based on an analysis of the consequences of exploitation of vulnerabilities identified in web applications, Positive Technologies specialists compiled a rating of security threats. The most common threat is the ability to attack users of a web application (87% of banks and all government agencies are affected by it).

As emphasized in Positive Technologies, most users of such web resources are very poorly aware of information security issues and can easily become victims of cybercriminals. In addition, other critically dangerous vulnerabilities are common among the web resources of government agencies. For example, when examining the web application of the administration of one of the municipalities, a high-risk vulnerability "SQL Injection" was discovered, with the help of which it is possible to obtain sensitive information from the database.

Denial of service vulnerabilities pose the greatest problem for online retailers, since a web application for an e-commerce organization fails directly due to financial losses. In addition, the more popular the online store, the more customers visit it every day and the more likely it is that an attacker will try to exploit the vulnerabilities of this web resource to attack its users.

Web applications are one of the main targets for cybercriminals, because a large number of uncorrected vulnerabilities and their ease of exploitation help attackers successfully achieve their goals - from stealing sensitive information to accessing internal resources of the local area network, said Anastasia Grishina, analyst at Positive Technologies. - It is important to understand that most vulnerabilities can be identified long before the attack, and analysis of the source code of web applications allows you to detect several times more critical vulnerabilities than testing systems without code research.

FinCERT: the main facts about financial fraud in Russia

As it became known in February 2018, FINCERT [[Central Bank

= = = FinCERT: top facts about financial fraud in Russia

As it became known in February 2018 FINCERT CENTRAL BANK , he released an overview of fraudulent financial transactions Russia in 2017.

The first successful attack via SWIFT

According to the review, in 2017, hackers for the first time successfully attacked a Russian bank through the SWIFT system and stole 339.5 million rubles. According to Vedomosti and Kommersant, Globex Bank became the victim of the attack. President of the financial organization Valery Ovsyannikov confirmed that "there was an attempt to attack," but noted that customer funds were not affected. The bank disclosed the amount of theft at the end of December 2017: hackers were able to withdraw about $1 million, but most of the funds were blocked and returned.

In general, according to experts, the use of the SWIFT channel is unusual for Russia. As a rule, hackers use cards to withdraw funds. In world practice, this system is used much more often.

Fraud with accounts of legal entities

In 2017, companies tried to steal funds 841 times. At the same time, the volume of such operations in 2017 decreased by 17.4% to 1.57 billion rubles. We managed to return a little more than half of this amount.

The greatest interest for fraudsters is amounts from 100 thousand to 1 million rubles. This segment accounts for half of fraudulent transactions with company accounts. Just over a third - per segment from one to ten million.

The most popular way to steal money is to inject malicious code, since operations are mostly performed from desktop computers.

Attacks on cards

According to the FinCERT review, the average amount of card fraud in 2017 in Russia amounted to 3 thousand rubles. This figure has decreased, as has the volume of transactions of cybercriminals with cards issued in Russia, which in 2017 amounted to about 1 billion rubles.

Slightly less than half of the transactions on Russian bank cards take place outside of Russia. At the same time, the absolute leader in the number and volume of fraudulent transactions using bank cards in Russia is Moscow, the review notes.

A possible explanation for the decrease in interest in theft from bank cards, according to experts, could be the increasingly active development of cryptocurrencies and, as a result, the switching of the attention of fraudsters to them. However, this trend may be short-lived. Legislative regulation of the cryptocurrency market may lead to an increase in fraudulent transactions, according to FinCERT^[27].

Legislative regulation of the relevant market (cryptocurrencies - approx. TAdviser) can reduce its attractiveness for attackers, which may entail an increase in their activity in the field of remote payment services and, as a result, an increase in the number and volume of unauthorized transactions, the review says.

As it turned out, many Russians and companies prefer not to contact law enforcement agencies in case of fraud with their bank card. So, in the case of 97% of unauthorized transactions using cards, it is either known for sure that there was no appeal to the law enforcement agencies, or there is no data on such an appeal. Only 20% of legal entities facing fraud appealed to law enforcement agencies.

Attacks on ATMs and terminals

According to statistics, the interest of fraudsters in them is decreasing. Thus, the volume of illegal operations with them decreased by a third to 230.7 million rubles. And the damage from the actions of fraudsters amounted to 42 million rubles.

According to FinCERT, several ways to hack ATMs are mainly used: connecting devices to devices that allow them to be controlled, remote control after infection with a virus and physical impact on them (for example, explosion).

The attention of the attackers switched to CNP-transactions (English Card not present transaction), in which the card holder may not be physically present during and at the place of payment. The volume of the latter is insignificant (by about 1.5%), but increased, amounting to 726.4 million rubles.

2017

TAdviser and VMware study

The company VMware presented in December 2017 the results of a study of the largest financial institutions conducted in conjunction with a think tank. TAdviser According to the report, more than half (52%) of banks insurance companies Russia and the CIS increased their budget for information security in 2016-17 due to growth cyber threats and activity. malware^[28]

The study once again confirmed that over the past year, the number of information security threats to the corporate sector has grown significantly - this is confirmed by 80% of the surveyed financial organizations. Only 16% recorded the preservation of the previous level of cybercrime. Reputational and financial losses (including lost profits) are the most critical consequences of information security incidents in financial institutions, according to about 50% of respondents. Therefore, amid the growth of cyber threats, more than half (52%) of companies have increased the budget for protective equipment.

Almost a third of respondents (28%) also fear measures by regulators (such as revoking licenses) as a result of a successful attack or data breach. However, whatever the consequences, no one has any doubt that they are inevitable.

Banks actively offer their customers the possibility of online interaction, for example, through online banking and mobile applications. Therefore, it is not surprising that DDoS attacks (28%) were noted among the most common threats to financial sector companies. The inaccessibility of a mobile or online bank, even within a few hours, can significantly spoil the bank's reputation or lead to direct financial losses. Among other threats, respondents noted phishing (26%) and ransomware attacks (10%).

The digital transformation of the banking business also involves moving computing to the cloud. For example, according to ^[29]the United States 81% of respondents from banks with assets of $100 billion or more and 68% of banks with assets of $15 billion to $100 billion ^[30] currently mastering cloud computing. However, financial companies in Russia have serious concerns about the cloud model. So, more than two-thirds (70%) consider losing or stealing data to be the main risks when migrating to the cloud. By a wide margin, respondents noted downtime due to the fault of the provider (26%).

The use of mobile devices to solve work problems is becoming the norm for the bank employees themselves. However, more than half of financial institutions (53%) do not use any mobile device management (MDM/EMM) solutions, which can lead to corporate data leakage as a result .

The danger to business is that it is not just the number and scale of attacks that are growing - increasingly attackers are using unknown malware. These are malware that a traditional antivirus cannot track, because data about them is not yet in the databases of information security companies. An effective response to this new threat is the "zero trust" model, which was made possible by the use of Software-Defined Networks (SDN) - it is implemented in VMware NSX. According to the survey, half of banks ( 50%) and insurance companies are guided by the "zero trust" model when building information security systems, but only 4% of respondents have already deployed software-defined networks. Fortunately, almost half of organizations (40%) confirm their plans to use SDN.

"In today's digital economy, data is a major asset of banks and insurance companies. Their leakage or unauthorized access to them can lead to critical consequences for the entire organization. SDN technologies (software-defined networks) are designed to help our customers respond to these information security challenges, "says Alexander Vasilenko, head of VMware in Russia and the CIS. - VMware's information security strategy, together with partner solutions, provides built-in protection across all levels of networks, clouds, and endpoints. For example, thanks to VMware NSX microsegmentation technology, if one network segment is hacked, you can stop the spread of the epidemic to other segments. This approach can significantly minimize damage, even if attackers have already managed to penetrate your network. "

Google Play booms Trojans masquerading as mobile bank apps

Group-IB at the end of November 2017 noted a wave of mass distribution of Trojans masquerading as mobile applications of the country's leading banks. Group-IB specialists block the resources from which these applications are distributed, but their volume is constantly growing.

Trojans designed for mobile devices under control OS Android are distributed not through the official store, but Google Play through advertisements in search engines. At the same time, Group-IB experts noted the high quality of fake programs, which confuses many users who do not pay attention to suspicious "little things." More. here

Qrator Labs and Valarm study

This study was conducted in a field survey format. Respondents were asked to answer the questions of the questionnaire. The survey was organized among banks and payment systems operating in Russia. The sample includes banks from the TOP 200 rating in terms of assets.

Information Security Budget

The information security industry naturally continues to grow. According to the survey, more than a third (32%) of respondents from the financial industry confirmed an increase in their information security budget in 2016, and another 39% noted the preservation of investments in security in the same volume.

It is noticeable that the growth of information security budgets becomes directly related to the practical component: financial organizations plan to increase security costs, facing a real threat. This is noteworthy for two reasons: while formal compliance with regulatory requirements ceases to be the main driver of growth, nevertheless, proactive security tactics and planning of an information security architecture based on at least penetration testing (or pentesting) is still not such a driver.

13% of respondents reported that the budget for information security in their organizations in 2016 decreased slightly. At the same time, the respondents generally note the lack of connection between budget cuts and the real level of threats - the reasons for the decrease in information security budgets mainly lie in a different plane and do not depend on the state and challenges of information security discipline. In fact, in 2016, a significant part of information security departments was tasked with optimizing costs while maintaining and even increasing the required level of protection from external unfavorable conditions, although in the industry as a whole, the trend towards budget growth remains at the moment.

Replacement of used protective equipment

Protection methods introduced earlier today provide an insufficient level of security: threats have grown in existing areas, and new risks have appeared.

In the vast majority of cases, the main incentive for updating the information security infrastructure is external activity: incidents related to the demonstration of insufficient protection and problems that are organized either by "black hats" - crackers, or "white" - testers. More than a quarter of respondents see the need to replace the security used when switching to new infrastructures (clouds, microservices, etc.), where the solutions used are no longer effective.

A significant role in making a decision to update the used protective equipment is played by the question of the origin of the purchased products: about 13% of respondents answered that they are primarily inclined to replace import solutions with Russian analogues.

Acquisition of WAF solution

As the main factor for buying a WAF solution, respondents noted protection against vulnerabilities for 0 days - 37%. Only new generation solutions that use a non-signal approach to detect attacks have this ability. Still, a significant part of companies use WAF to comply with the PCI DSS standard - 27%.

36% of respondents use WAF to ensure a high pace of development: 19% - to protect frequently updated code and 17% - to use virtual vulnerability patching. The increase in the number of companies using security solutions during the code writing phase indicates a general increase in awareness of standard information security practices and the formation of a qualitative approach to ensuring comprehensive protection of web applications.

Threat types

More than half of respondents from the financial sector (55%) note that over the past year, the level of DDoS threats has increased. As before, DDoS attacks on financial sector organizations are organized more often than on companies from other industries, for example, retail, and the media. However, now it is important not only that attackers have full knowledge of where exactly the funds of interest are stored, but also they understand with what methods this money can be obtained. By launching a DDoS attack as a distraction, malicious attackers can hijack the cashless payment management system and thus be able to transfer money between any accounts until they are discovered.

It follows that the security systems used in financial institutions are imperfect, and approaches to the development of IT infrastructure require revision and renewal.

The threat of denial of service attacks continues to grow, with nearly half of those surveyed experiencing at least one DDoS attack in 2016. Faced with the presence of measures to protect against attacks, attackers usually switch their attention to other targets. Including, probably, due to this, a number of companies in the financial sector faced DDoS attacks in 2016 for the first time. At the same time, however, about 20% of companies are in the focus of attackers and are forced to use advanced protection methods. Among the main reasons leading to the financial institution falling into the focus of the organizers of DDoS attacks are both the size of the organization and its popularity in the market, and the lack of adequate countermeasures introduced to combat DDoS attacks, as a result of which the organization can become easy prey for cybercriminals.

Thus, as various solutions are widely implemented to combat DDoS attacks, the market landscape may change. In particular, the expected complication of "trial" attacks will continue to lead to the evolution of defenses and to an increase in the threat to organizations and entrepreneurs that do not plan to adequately challenge investments in information security.

The most frequently surveyed companies from the financial sector face phishing (30%) and DDoS attacks (26%). Compared to the 2015 survey, the threat of DDoS attacks remained about the same (24% in 2015). The preservation of the number of DDoS attacks and attention to them by the banking sector at a fairly high level is due to the wave of massive DDoS attacks on a number of large Russian banks: in 2016, the websites of many well-known financial organizations from the top 10 were attacked.

The threat of phishing has grown significantly (from 21% in 2015 to 30% in 2016) due to companies entering the ICO. The relentless excitement around the ICO has led to a high risk of fraud, and average users have no exact idea how to provide their own protection and tend to overlook internet fraud. In ICO, phishing has become a serious problem, and this allows us to judge that in related industries, for example, in the financial sector, the focus of attackers is also shifting towards this method of gaining access to confidential user data.

The shift in focus towards phishing is one of the consequences of the development of tools available to cybercriminals. In particular, despite the fact that the number of hacks per unit of time in general has remained at the same level in recent years, at the moment financial institutions can no longer always detect and accurately record such incidents in a timely manner.

The average number of attacks on web applications in the financial sector, according to Valarm, is 1,500 per day. The main part of them are automated tools and scanners. This activity of automated tools creates a large information background and complicates the identification of real incidents. According to Valarm statistics, the main attack vectors on web applications are the implementation of SQLi operators - 26.8% and cross-site query spoofing (XSS) - 25.6%. Increased interest in these types of attacks is associated with the ability to obtain information about client databases and personal information of users. The third and fourth places are taken by going beyond the directory values ​ ​ - 25% and remote code execution - 19.5%. At the same time, the bulk of incidents - 60% - are associated with remote code execution.

Types of solutions used

The majority of respondents (68%) consider the most effective means of counteraction DDoS hybrid solutions (on the client side with the participation of an operator solution, or a distributed network).

Information security remains a significant priority for financial sector organisations, a priority that has grown steadily, the study found: the industry is in a wake-up phase. Market participants have so far inadvertently focused on information security threats, but to a certain extent we can already talk about the achievement by Russian financial institutions of a certain level of maturity in matters of risk protection and management. Rethinking security policies in the banking industry will continue to develop, as evidenced by the fact that spending on information security is not reduced, but, on the contrary, is mainly growing. In the near future, with the growth of the budget, we will see an increase in the level of security of companies.

Sberbank: Most of the embezzlement of money from customer accounts "occurs at the hands of customers themselves"

Much of the fraud involving embezzlement of money from customer accounts "occurs at the hands of customers themselves." This was announced by the head of the service to TAdviser in November 2017. cyber security Sberbank Sergei Lebed They themselves give their passwords, their cards, phones, transmit SMS confirmation codes. Such fraud is called social engineering, and within social engineering "self-translation," he says.

As part of social engineering, attackers find a reason why a person can commit actions leading to the loss of money. As a rule, selfish interest is involved - for example, buying something at a discount or an interesting commercial offer. An excuse is also used that an alleged relative of the client was in trouble, Lebed told TAdviser.

Elderly people who think about their grandchildren, children and, having received a request, immediately run to the ATM, do what the attackers tell them, he notes.

According to him, there are often cases when the bank's fraud prevention systems "see" that fraud is happening and why: when a client for no reason began to transfer money to a fraudster's card, and we know that this is a fraudster's card. In this case, we stop the transaction and call the client to warn and stop.

It happens that even the employees of Sberbank themselves fall for the bait of social engineers, it follows from the words of Sergei Lebed.

Technical ways to protect Sberbank's customers are quite effective, but countering social engineers poses a rather large problem. The bank sees its decision in increasing the financial and computer literacy of the population. According to Sergei Lebed, the bank is doing a lot of work in this area: explanatory work both at Sberbank sites and on federal channels.

The representative of Sberbank added that one of the tasks of the cybersecurity service, in addition to preventing theft of funds, is to ensure the stability and continuity of the bank's business processes and customer service. Sergei Lebed told TAdviser that there were zero minutes from computer attacks of Sberbank's downtime in 2017: "that is, we did not interrupt the bank's activities for a second due to various attacks."

Silence virus attack

On October 31, 2017, Kaspersky Lab announced a new cyber attack on banks. Hackers send infected emails to financial institutions that disguise themselves as messages from real people.

Attackers use a Trojan called Silence, which is attached to phishing emails. Often the text of letters looks like a standard request to open an account, Kaspersky Lab warns.

Attackers use legitimate administrative tools to go unnoticed. This complicates both the detection of an attack and attribution, "said Sergey Lozhkin, senior antivirus expert at Kaspersky Lab.

The emails contain infected.chm attachments (help file Microsoft). When an attachment is opened, the attached html file containing the malicious javascript code is automatically launched. The script loads and activates the dropper, and it already loads Silence Trojan modules that operate as services: Windows a control and monitoring module, a screen activity recording module, a communication module with control servers and a program for remotely executing console commands.

Thus, hackers seize control of an infected computer and can send letters with a malicious attachment on behalf of real bank partners.

Attackers gain access to the internal banking network, for some time study its internal infrastructure and record video from the computer screens of bank employees. After analyzing how banking software is used, attackers transfer funds.

The first attacks using the Silence Trojan were recorded in July 2017. The spread of the virus continues by the time of writing the article (October 31). Hacker attacks using this virus have been seen in Russia, as well as in Armenia and Malaysia.^[31]

Banks will have the right to block customer accounts when conducting dubious transactions

The Government of the Russian Federation submitted to the State Duma a bill developed by the Ministry of Finance of the Russian Federation, which gives banks the right to block cards and customer accounts if their financial transactions appear suspicious to credit institutions. If theft is suspected, the bank must immediately contact an individual by phone or e-mail, with a legal entity - in the manner prescribed by the agreement on the use of an electronic means of payment. The legislative initiative of the authorities led to a surge in activity on social networks: users fear a possible mass blocking of personal accounts of citizens in banks without good reason, and also express concern whether credit organizations will abuse their right.

The criteria by which financial transactions can be classified as doubtful have not yet been determined.

Comment by CERIH Capital Management IC expert: It is immediately worth emphasizing that the prepared document is called "On Amendments to Certain Legislative Acts of the Russian Federation (in terms of countering theft of funds)." Thus, the law is initially aimed at protecting respectable citizens and complicating the life of exclusively fraudsters trying to steal money from the accounts of legal entities and individuals.

To do this, the Ministry of Finance proposes to give banks the right to suspend the transfer of money for up to two working days when identifying signs of such a transfer without the consent of the payer. In case of suspected embezzlement of money, the bank must immediately contact the client to receive confirmation that it is necessary to check the payment.

How the newly adopted law will work largely depends on the by-laws supplementing it. In this case, we mean the development of criteria by which financial transactions conducted by customers can be classified as suspicious. This work will be entrusted to the Central Bank, and the accuracy of the wording of the regulator depends on whether law-abiding citizens will have problems. Therefore, we propose to wait for the publication of this document and only after that draw conclusions about how accurately it reflects the current economic realities.

Another underwater stone will be the right of credit institutions themselves to supplement or change the list of signs established by the Central Bank of the Russian Federation in accordance with the peculiarities of their activities. It is important to understand whether in this case the right of legislative initiative is meant or whether credit organizations, without waiting for a response from a higher authority, will build relationships with clients based on their own criteria and assessments. If the situation develops according to the second option, it is impossible to exclude the occurrence of confusion in the banking sector as a whole, since each bank will have its own criteria for blocking accounts. Moreover, customers will have problems not because of the abuse of banks by their powers, but because of their desire to play it safe.

It is important how, in the light of the new law, interaction between a credit institution and its client will be built in the event of a controversial situation. Today, when blocking an account (for example, in the case of making or withdrawing large amounts on a card, with large transfers to a client's bank account or when transferring large amounts to a third party), the bank asks for explanations and copies of documents confirming the source of funds. At the same time, after consideration, the bank may refuse to unblock the client's account with the wording "Documents do not explain the economic meaning of operations."

Today, already at the first refusal of the bank to conduct the operation as dubious (regardless of whether there was a violation in reality or not), customers are blacklisted by refuseniks. It is formed by Rosfinmonitoring and the Central Bank and, starting in June of this year, is provided to banks. And although the list itself is informative in nature, it is often the inclusion in the list that serves as the basis for the bank's refusal to serve the client. At the same time, today there is no mechanism for the rehabilitation of clients who were included in this list by mistake. And such, according to a number of experts, can be up to 10 percent.

Today, the opinion is expressed that after the entry into force of the new law, banks should expect a massive outflow of personal funds from banks and, as a result, a decrease in transaction volumes. Allegedly, this process has already been actively underway over the past six months. We believe such concerns are exaggerated, for at least two reasons.

• Firstly, a client who takes his funds from the bank on the grounds that the bank allegedly can freeze his account at any time should have an alternative mechanism for settlements with counterparties. At the moment, there is no such reliable and effective mechanism outside the banking system.

• Secondly, commissions for settlement and cash service of clients, the use of money transfer systems and various payment services make up a significant share in the income of credit and financial institutions. Reducing the number of their customers will automatically lead to lower profits.

Payment terminals in Russia under attack by Trojan

In early July 2017, Kaspersky (formerly Kaspersky Lab) announced that a modification of the Neutrino Trojan, which attacks POS terminals and steals bank card data, was actively spreading in Russia. According to company statistics, the country accounted for a quarter of all attempts to penetrate this malware into corporate systems. Algeria, Kazakhstan, Ukraine and Egypt also fell into the zone of interests of Neutrino. Small businesses account for approximately 10% of all infection attempts.

The Neutrino modification for POS terminals is not quite a typical version of this malware, which has long been known to researchers and has repeatedly changed its functions and distribution methods. This time, the Trojan is hunting for bank card data that passes through infected payment terminals. At the same time, Neutrino does not immediately start activity and starts collecting information - once in the operating system of the POS terminal, the Trojan waits for some time. Experts believe that in this way it is most likely trying to bypass security technologies that run suspicious code in an isolated virtual environment, the so-called "sandboxes," with a short period of work.

"Neutrino once again serves as confirmation that cyber threats are constantly evolving. New versions of well-known malware are becoming more complex, their functionality is expanding, and appetites are growing. And as the number of different digital devices increases, areas of malware spread are also widening. In such conditions, proactive protection against all the diversity of cyber threats is needed more than ever before, "said Sergey Yunakovsky, antivirus analyst at Kaspersky Lab.

Kaspersky Lab security solutions recognize the new Neutrino modification as Trojan-Banker.Win32.NeutrinoPOS and block its activity.

Petya ransomware virus attack

The regulator reported on June 29, 2017 that the Petya virus attack began by sending emails with the virus attached. "In the text of the messages, attackers convinced the user to open a malicious file, after which the malware was activated. Presumably, the infection occurred by exploiting the CVE-2017-0199 vulnerability (execution of arbitrary code from Microsoft Office and WordPad applications), "the Central Bank explained.

Malware introduced as Pokemon Go

In Russia, there are massive cases of illegal withdrawal of funds from credit cards using malware, which is distributed under the guise of the Pokemon Go game. The program intercepts SMS sent by the bank, and also provides access to Internet banking. For the widest possible distribution of software, criminals took advantage of the popularity of the Pokemon Go game, the official release of which has not yet taken place in Russia^[32].

The news was reported at a press conference on combating cybercrime by Denis Durov, head of the "K" department of the Ministry of Internal Affairs of the Russian Federation for the Yaroslavl Region, and Yevgeny Efremov, deputy manager of the Yaroslavl Region Department of the Central Bank of the Russian Federation for the Central Federal District.

Durov said that in 2016, 200 criminal cases related to fraud and 92 cases related to the illegal withdrawal of funds from credit cards were opened in the Yaroslavl region. According to him, the main ways to steal funds are connecting special devices to ATMs, phishing and using malware, and the latter method is becoming more and more common.

However, phishing remains the most common way to steal funds from cards. During a phishing action, criminals call victims, introduce themselves to bank employees and request credit card data, Durov notes. As of October 1, 2016, 2.1 million credit cards were issued in the region. Many cardholders are not sufficiently informed about security measures when working with them and consider it normal to report card data to a bank employee by phone.

Browser plugins - a means to steal funds from maps

On January 27, 2017, the company Yandex reported in the media: confidential data about users' bank cards are stolen through extensions for. browsers Cybercriminals have learned to steal data by distributing malicious plugins from more than 80 thousand sites on the network. Internet

This refers to infected software extensions that provide users with useful information without going to special sites - currency rates or weather forecasts. Such programs are distributed through an extension store or from unverified sources, and can be executed in both stationary and mobile versions of browsers^[33]

By installing unverified malicious plugins, the user gives cyber fraudsters access to, to passwords logins and bank card data. According to the statement of Yandex representatives, 1.24 million users face such problems every month.

To protect against this type of threat, in addition to general recommendations, it is necessary to use only legal extensions from official stores. At the same time, these threats are divided into two types: the threat of infection of a personal computer with malicious software that steals payment card data when paying on the Internet, as well as the threat of infection of the device from which the online management of a bank account (Internet bank, mobile bank) is carried out. Nikolay Pyatizbyantsev, head of the incident management department of the information protection department of Gazprombank

The first type of threats, according to the expert, can be neutralized using 3D-Secure technology.

A fraudster, having stolen all card details and a one-time password, will not be able to use them for the next operation. Some banks grant cardholders the right to prohibit transactions without this technology. It should be borne in mind that an infected computer and a mobile device to which a disposable device comes are SMSpassword different devices. Nikolay Pyatizbyantsev

The second type of threat is much more serious and difficult to protect against it.

In this case, the following can be recommended: a mobile phone on which disposable ones come - SMSpasswords should not be used for online banking (mobile bank) - it is necessary to allocate a separate device (computer, smartphone, tablet) from which access and management of a bank account is carried out, this device should not be used for any other purposes other than online banking, including it cannot be used to view Internet pages, social networks, email, special software should be installed on the device that implements the function "default ban" or "white lists" (everything that is not allowed is prohibited). Nikolay Pyatizbyantsev

Gref: 98.5% of cybercrimes occur in the financial sector

The share of cybercrimes in the financial sector in 2016 amounted to 98.5%. This was announced in January by the head of Sberbank of Russia German Gref. At the same time, Gref stressed that despite the fact that the number of crimes committed in the cyber environment is in the millions, the number of people convicted of committing them does not exceed several dozen people.

"If you look at the allocation of specialists who are involved in cybercrime investigations, the proportion will be almost the opposite: most investigative officers are investigating traditional crimes. Or they are trying to investigate cybercrime in traditional ways, and so it (cybercrime) is absolutely not sought, it is a waste of time and money, "Gref quotes TASS

.

The head of Sberbank believes that in order to solve the problem, it is necessary to radically revise the training programs for training law enforcement specialists, including taking into account the planned amendments to the Criminal Code of the Russian Federation.

The amendments developed with the participation of Sberbank and submitted to the State Duma provide for the withdrawal of cybercrimes from Article 159 of the Criminal Code of the Russian Federation "Fraud" and its inclusion in Article 158 of the Criminal Code of the Russian Federation "Theft" simultaneously with tougher punishment - up to 10 years in prison.

"Dr.Web": an increase in the number of attacks on Android systems is expected

On January 20, 2017, Doctor Web analysts announced the likelihood of a significant increase in the number of banking Trojans on the Android platform (Android bankers) and an increase in the number of attacks made through them.

Modern banking Trojans for Android OS are created by virus writers and sold as commercial products through underground Internet sites. On the hacker forum, the source code of one of the malicious applications appeared in the public domain with instructions for using it. Doctor Web virus analysts believe this could lead to an increase in the number of Android bankers and an increase in the number of attacks made with them^[34]

The creators of the viruses published the source code of the malicious application in December 2016, and Doctor Web specialists discovered an Android banker created on the basis of information provided by cyber criminals.

This Trojan under the name Android.BankBot.149.origin is distributed under the guise of harmless programs. After downloading to a smartphone, tablet and installation, the banker requests access to the functions of the administrator of the mobile device in order to complicate its removal. Then hides from the user, removing his icon from the main screen. Then the virus connects to the control server and waits for commands.

The Trojan can perform the following actions:

• Send SMS messages

• intercept SMS messages;

• request administrator rights;

• Execute USSD requests

• Get a list of the numbers of all available contacts from the phone book.

• send SMS with the text received in the command to all numbers from the phone book;

• track the location of the device through GPS satellites;

• request additional permission to send SMS messages on devices with modern versions of Android OS,

• making calls,

• access to the phone book

• work with a GPS receiver;

• obtaining a configuration file with a list of attacked banking applications;

• Show phishing windows.

The Trojan steals confidential information from users by tracking the launch of bank-client applications and software for working with payment systems. The sample examined by viral analysts "Dr.Web" controls the launch of more than three dozen such programs. As soon as the virus detects that one of them has started working, it downloads from the control server the corresponding phishing form for entering a login and password to access the bank account and shows it on top of the attacked application.

In addition to stealing logins and passwords, the Trojan is trying to steal information about the bank card of the owner of the infected mobile device. To do this, the virus monitors the launch of popular applications such as Facebook, Viber, Youtube, Messenger, WhatsApp, Uber, Snapchat, WeChat, imo, Instagram, Twitter, Play Market and shows on top of them a phishing window for the settings of the Google Play catalog payment service. When SMS arrives, the Trojan turns off all sound and vibration signals, sends the contents of messages to attackers, and tries to remove intercepted SMS from the incoming list. As a result, the user may not only not receive notifications from credit institutions with information about unplanned transactions with money, but also will not see other messages that come to his number.

The stolen data is uploaded to the management server and is available in the administration panel. With its help, cyber criminals receive information, control a malicious application. The capabilities of this Trojan are quite standard for modern Android bankers. However, since cyber criminals created it using the information available to everyone, many similar Trojans can be expected to appear.

The main security problems of mobile and Internet banks

The security problems of mobile and Internet banks have been known for a long time, and the new vulnerabilities that are being discovered, as a rule, do not significantly change the current threat models.

Experts are confident that the main problems over the past 3-5 years have remained: a priori untrusted environment (mobile device), the danger of infecting a mobile device and computer via the Internet, the lack of built-in security tools in software products by developers of RBS and Internet banking systems, as well as failure to fulfill elementary security requirements by users.

Alexey Sabanov, Deputy General Director of Aladdin R.D., believes that the task has a solution only in those banks where the losses are able to count and qualify the composition of IT, information security and business divisions at their best. Professionals, when it is one team, always find a solution, it does not matter, purely organizational or organizational and technical means, he is sure.

Alexey Sizov, head of the fraud prevention department of the Information Security Center of Jet Infosystems, calls the client's vulnerability a key problem in using RBS services.

Any protection scheme is directly related to the actions or knowledge of the client. And, it means that whatever means of protection or confirmation of operations we provide to the client, it can be compromised both from the outside and by the user himself, - Sizov is sure. - It is the relative ease of influence on the client, his credulity, ignorance, negligence in handling information security means that allows attackers to bypass the most advanced means of protection.

At the same time, the use of mobile platforms only reduces the resistance of products and service channels to fraud. If using a PC and a mobile phone for operations (formally, these are two independent channels), some degree of information security is provided, then combining the program, authentication methods, and payment confirmation into one point, this threshold decreases.

Someone solves this problem by reducing the types of permissible transactions, setting limits on such platforms, but most do not distinguish between classic web banking and mobile in terms of risks. Unfortunately, this leads to the fact that today the greatest growth is recorded among attacks in the segment of mobile platforms, the expert notes.

Another of the problems is the increase in the share of the use of social engineering by cybercriminals in attack schemes on customers. On the one hand, this indicates an increase in the security of the technical aspects of banking services, but on the other hand, it shows the simplicity and vulnerability of the client side.

If yesterday the "social network" was used exclusively to obtain part of the client's data, and the attack was carried out in the "no clients" mode, and the user himself did not contribute to the commission of an illegal operation, today there are more and more phrases from clients "what have I done." Today, social engineering is not only an opportunity to conduct one illegitimate operation, but also a way to get full access to an account or payment instrument that "negates" many technical aspects of protection against intruders, says Alexey Sizov.

Maykor-BTE Managing Partner Maxim Nikitin, among the typical problems in the field of security of mobile and Internet banks, attributes the insufficient level of data encryption and the ability to launch a mobile application in public Internet networks, where traffic interception is likely.

The solution lies on the surface and consists in the development and implementation of improved encryption systems and testing applications for the possibility of attacks in a public place, he believes.

Dmitry Demidov, head of the CRM department at Norbit (part of the LANIT group of companies), sees a big problem in authorization tools from a security point of view. In particular, he notes that simple authorization through the code received in an SMS message is easily hacked. However, the use of other authorizations greatly complicates the activation of mobile and Internet banks.

Banks solve this problem in different ways - through activation using ATMs or through branches. Now several projects are underway to create such tools - both using the hardware component and using only software. I really hope that this problem will be resolved, "he says.

In addition, the development of mobile applications is often carried out in a very short time. Perhaps few others have seriously studied the hacking resistance of mobile applications, Demidov said.

I believe that the speed of implementation of functions can be put at the head, to the detriment of working out security issues. It is possible that we still have to hear in the news about hacks of mobile applications, the expert notes.

At the same time, Vitaly Pateshman, Sales Director of BSS, speaking about the increasing relevance of RBS security issues, notes that an expert in the field of preventing and investigating cybercrime and high-tech fraud, the company Group-IB conducted an audit of the security of the DBO BSS platform, which showed that these solutions today have a high degree of security.

In addition, we have implemented new capabilities through integration with the Group-IB solution and with SafeTech solutions, "says a BSS representative.

Maxim Bolyshev, Deputy Director of the RS-Bank Banking Software Department of R-Style Softlab, identifies three main security problems. So, in his opinion, the security of Internet banks is contrary to the convenience of use, so banks are forced to look for a compromise between convenience and security. The second problem is the high cost of an electronic signature for individuals, as a result of which it is not widespread among this group of users. And the third is a large number of diverse malware for mobile devices and the absence of a universal solution that guarantees 100% security for the bank and the client.

Yuri Terekhin, director of financial institutions at FORCE-Center for Development, calls the increase in the volume of hacker attacks while reducing their professional level the main problem.

According to him, this is due to the fact that highly professional groups of hackers have shifted to a more marginal sector compared to retail, and began to carry out attacks on the banks themselves and payment systems (SWIFT). At the same time, the high availability of vulnerability hacking tools allows attacks on retail clients by non-professionals or novice hackers. But, since this is a passed stage for banking information security, the losses of banks in this direction, presumably, are not growing.

Well-known protection methods for mobile and Internet banks will continue to be improved in order to increase the security of client funds, Terekhin said. - Multifactor authorization using biometric data (fingerprint, iris, voice recognition, etc.) will be more widely used.

Mikhail Domalevsky, manager of the development department of the information security department of the Softline group of companies, offers a look at the security problem of the Russian banking system as a whole. According to him, 2016 turned out to be a turning point for information security in the banking sector. It was this year that they openly started talking about the actions of hackers, scammers and cybercriminals in general, about the scale of harm they cause to banks.

Previously, banks and their clients rarely suffered large financial losses directly from hacker attacks, trying first of all to protect themselves from "leaks" of the client base through insiders and prevent such information from trickling into the media. Now, due to hacker attacks, the bank may actually lose its license, "the expert says. - In response to this challenge, financial institutions are combining resources and efforts to create their own monitoring and response centers for information security incidents, to develop interbank exchange to combat the withdrawal of stolen funds.

According to Domalevsky, the regulator also does a lot to protect against hacker attacks. Thus, the Central Bank issued a number of additional regulatory documents in the field of information security, in particular, the provision "On requirements for the protection of information in the payment system of the Bank of Russia." This document obliges banks to report cyber incidents in a tight time frame.

The creation by the regulator of its own Center for Monitoring and Response to Computer Attacks in the Financial Sphere (FinCERT), its integration with existing commercial and banking information security monitoring centers, a clear regulation of interaction between all participants in the process should in the future reduce the number of targeted attacks of organized cybercrime and reduce losses from cyber attacks on banks to permissible, - said the representative of Softline.

2016

Russia is the leader in the number of mobile banking Trojans

In 2016, the number of malicious installation programs on mobile devices around the world tripled compared to 2015, to 8.5 million, according to a report by Kaspersky Lab. We are talking about programs containing viruses that the user installs on the device both deliberately (for example, by purchasing a dubious application in the store) and unknowingly (an already infected device acquires and installs the application itself^[35].

At the same time, Russia turned out to be the leader in the number of mobile banking Trojans, that is, programs designed to steal users' financial information. This type of threat was encountered by 4% of mobile users. Australia follows with a 2.26% share. "The most popular mobile banking Trojan Svpeng was distributed mainly in Russia," the company said in a statement. Last year, South Korea took the lead in this specialized ranking with a share of 13.8% of all attacked users. Russia was third with 5.1%.

In terms of the share of users attacked by mobile malware of all varieties, Bangladesh was the leader, where 50.09% of owners smartphones or tablets faced viruses and malware. The top three also (Iran 46.87%) and Nepal (43.21%). Then China comes (held the first position last year; in the top three there were also Nigeria and). Syria

In Kaspersky Lab, such results were explained by the fact that in these countries the so-called advertising Trojans are very common, which gain access to the system settings of the smartphone for displaying ads. These programs can also steal financial information or install third-party applications without the user's knowledge.

Positive Technologies: How money is stolen from the bank

On December 16, 2016, Positive Technologies presented a detailed report on the investigation of one of the incidents in the banking sector, during which several million rubles (equivalent in local currency) were stolen from six ATMs of a financial institution overnight.

The case helped avoid larger losses: attack tools clashed with NCR ATM software, which prevented attackers from fully completing their money withdrawal tasks.

Positive Technologies experts noted a number of details characteristic of modern cyber attacks on financial institutions:

• Attackers are increasingly using well-known tools and built-in functionality of operating systems. In a particular case, the commercial Cobalt Strike software was used, including the Beacon multifunctional Trojan of the RAT (Remote Access Trojan) class, which has the ability to remotely control systems. Used: Ammyy Admin, Mimikatz, PsExec, SoftPerfect Network Scanner and Team Viewer.

• The use of phishing mailings remains one of the successful vectors of the attack due to the insufficient level of awareness of employees in information security issues. The vector of infection of the bank's infrastructure is based on the launch of the documents.exe file from the RAR archive sent by e-mail to one of the employees and containing malware. Targeted sending of emails imitating financial correspondence and messages from the information security service was carried out for a month. Several employees launched the file from phishing emails at different times, and the infection occurred due to a disabled (or using outdated databases) antivirus on the workstation of one of them.

• Targeted attacks are becoming more organized and distributed over time. The investigation showed that the start of the attack came in the first week of August. In early September (after consolidation in the infrastructure), attacks began to identify the workstations of employees responsible for the operation of ATMs and the use of payment cards. And only in early October, attackers downloaded malware to ATMs and stole money: the operator sent a command to ATMs, and dummies (drops) took the money at the agreed moment.

Attacks on bank customers are fading into the background today, giving way to attacks on bank network infrastructure. The attackers realized that not all financial institutions invest enough in their security, and some do it only "for show," in order to meet the required standards. Maxim Filippov, Business Development Director of Positive Technologies in Russia

Positive Technologies. November 2016

During the investigation of the incident, Positive Technologies experts collected many host and network indicators of compromise, they were sent to FinCERTB Bank of Russia in order to disseminate information among financial institutions and prevent such attacks in the future.

"During the reporting period, FinCERT recorded a significant number of attacks related to the substitution of input data for the CBD AWS (changing the content of the XML document used to form an electronic message sent to the Bank of Russia). The attack was carried out according to the following scheme: In most cases, an email was sent to a credit institution by cybercriminals containing malware that was not detected by antivirus tools... "

Banking Trojan Tordow 2.0 tries to gain root privileges on smartphones

Comodo researchers have identified a new version of the Tordow banking malware that attacks users in Russia. The Trojan is trying to gain root privileges on the device, which makes fighting it extremely problematic.

Tordow 2.0 is capable of performing ransomware functions, as well as intercepting phone calls, SMS messages, downloading and installing applications without the user's knowledge, stealing login passwords, rebooting devices, and, most dangerous, manipulating bank data and destroying mobile antiviruses. Read more here.

SWIFT warns banks of growing threat of cyber attacks

SWIFT management sent a letter to client banks in December warning of the growing threat of cyber attacks. A similar document was at the disposal of Reuters^[36] of ^[37].

SWIFT's letter also states that hackers have improved their methods of cyber attacks on local banking systems. One new tactic involves using software that allows hackers to access technical support computers.

"Threats

are persistent, sophisticated and have a good degree of adaptability - and have already returned to normal," SWIFT said in the letter. "Unfortunately, we continue to observe cases in which some of our customers are currently compromised by thieves, who then send fraudulent payment instructions through SWIFT - a similar type of message used to steal Bank of Bangladesh funds."

6-fold increase in the number of cyber attacks on Russian banks

In December 2016, the Central Bank of Russia published a review of financial stability, in which it reported more than a sixfold increase in the number of cyber attacks on credit institutions.

According to the Central Bank, from January to September 2016, the number of unauthorized transactions on accounts of individuals and legal entities using remote banking systems amounted to 103.1 thousand against 16.9 thousand for the same period in 2015.

At the same time, the volume of successful hacker attacks decreased by 25%: if in the first three quarters of 2015, criminals managed to steal about 2.16 billion rubles from banks, then after a year - 1.62 billion rubles. Individuals stole 1.2 billion rubles in January-September 2016, legal entities - about 387 million rubles.

The Bank of Russia believes that financial institutions incur losses from the activities of cyber fraudsters for the following main reasons:

• vulnerabilities in IT systems and payment applications;

• deficiencies in information security and lack of proper compliance with the requirements established by regulations and industry standards;

• lack of the necessary coordination of banks' activities in the field of countering mass and typical cyber attacks.

To check online banking systems for vulnerability to cyber attacks, the Central Bank intends to create an interdepartmental working group, which, in addition to representatives of the regulator, will include employees of the Ministry of Internal Affairs, the Ministry of Communications, FSTEC and the Ministry of Finance. By 2018, it is planned to create a system of standardization, certification and control of online services of banks and make appropriate changes to the legislation.

In addition, the Central Bank is going to introduce a mandatory double confirmation of transactions going through remote channels. By the beginning of December 2016, most credit institutions in the Russian Federation use one-time passwords or special electronic USB keys and smart cards to identify a client via SMS.^[38]

FSB warned of impending cyber attacks on Russian banks

On December 2, 2016, the Federal Security Service (FSB) of the Russian Federation announced the upcoming cyber attacks on Russian banks in order to destabilize the national financial system.

The FSB of Russia received information about the preparation by foreign special services in the period from December 5, 2016 of large-scale cyber attacks in order to destabilize the financial system of the Russian Federation, including the activities of a number of major Russian banks, the Russian special services said in a statement.

According to her, server power and command centers for cyber attacks are located in the Netherlands and belong to the Ukrainian hosting company BlazingFast.

The siloviki found that hacker attacks will be accompanied by mass sending of SMS messages and publications on social networks and blogs of a provocative nature regarding the crisis of the credit and financial system of Russia, bankruptcy and revocation of licenses from a number of leading banks of federal and regional significance.

The attack is designed for several dozen cities in Russia, the security service said, adding that measures are being taken to neutralize threats to economic and information security.^[39]

The Central Bank reported that the regulator is aware of the upcoming cyber attacks on banks and is working with special services to suppress them.^[40]

BlazingFast, which the FSB considers involved in the plans of cyber attacks on the Russian Federation from the Netherlands, has confirmed information about customers there and will check their possible illegal activities. This was reported to RIA Novosti in BlazingFast.^[41]

We have mostly foreign clients. We have few Russian or Ukrainian clients... Yes, we have in the Netherlands. Since you called, and this information has already appeared somewhere, then we will now quickly begin to check this whole thing, - a representative of the company told the agency.

Trend Micro: Trojans are the main threat to the financial industry

On September 22, 2016, Trend Micro Incorporated published a report on information security for the first half of 2016, The Reign of Ransomware, according to which banking Trojans remain one of the most significant threats in the financial industry.

In the reporting period, there was an increase in the activity of the QAKBOT Trojan - a multi-component threat, the purpose of which is: bank data, information about the usual user actions, other confidential information. The main difficulty in combating Trojans of such a type as QAKBOT is their continuous evolution and the emergence of modifications.

Trojans attack banks, their corporate customers, whose employees perform banking transactions using devices operating on the corporate network. Stolen bank information is used by attackers to conduct fraudulent transactions or sold on underground sites for profit. From the actions of banking Trojans, financial organizations suffer losses to compensate for losses incurred by their clients as a result of cyber attacks.

The technology that can protect the user's system must be comprehensive, the research company noted in the report. The system must block threats from, Internet from malicious files and email. In addition to protecting endpoints, banks should use protocols on their sites two-factor authentications and motivate customers to be extremely careful when opening email messages, visiting sites and downloading files.

A group of 50 hackers detained for embezzlement of 1.7 billion rubles

In June 2016, the media, citing law enforcement agencies, reported^[42]hackers stole more than 1.7 billion rubles from Russian bank accounts using malware. 50 cybercriminals who were active across the country were detained. As part of the operation to detain hackers, more than 80 searches were carried out in 15 regions of the country.

The Ministry of Internal Affairs of Russia, together with the FSB of Russia, detained 50 suspects of committing numerous embezzlement of funds from the settlement accounts of legal entities, as well as from correspondent accounts of credit and financial institutions using malicious software, - said the official representative of the Ministry of Internal Affairs of Russia Irina Volk.

She added that as a result of operational measures, fictitious payment orders for 2.2 billion rubles were blocked.

The FSB Public Relations Center told Interfax that as a result of the searches, computer equipment, communications, bank cards issued on dummies, as well as financial documents and significant amounts of cash were seized.

A criminal case was initiated under the articles "Organization of a criminal community and participation in it" and "Fraud in the field of computer information."

2015

Banks in the EU obliged to share information about cyber attacks

On December 8, 2015, it became known that European officials supported the first law for the EU on the regulation of cybersecurity. It obliges companies to share data on attacks on their services. In case of refusal, sanctions may be imposed on them, reports Reuters news agency.

Representatives of the European Commission, the European Parliament and the countries of the European Union after a five-hour discussion agreed on the adoption of the cybersecurity bill. One requirement is that companies will have to disclose incidents related to hacker attacks on their computer systems to the authorities. Otherwise, they will face large fines.

This applies to organizations and enterprises representing areas of critical human activity, including the transport industry, power, the financial sector and health care. The requirements also apply to internet companies such as Google, Amazon and eBay, but do not apply to social networks.

In addition to the need to notify about cyber attacks, European businesses will be required to ensure a high level of information security of their infrastructures.

According to Andrus Ansip, Vice President of the European Commission for the EU Single Digital Market, the new legislative directive is aimed at increasing consumer confidence in online services, especially international ones.

"The internet knows no boundaries: the problem in one country can easily spread to the rest of Europe. That is why the EU needs global cybersecurity solutions. The adopted agreement is an important step in this direction, "Ansip said

.

He also noted that in this case we are talking about the first law ever adopted regulating cybersecurity issues throughout Europe. It is not specified when the new requirements will come into force.^[43]

Positive Technologies: Top Trends in Bank Cyber Attacks in 2015

On October 15, 2015, representatives of Positive Technologies (Positive Technologies) spoke at the conference "Trends in the development of high-tech crimes - 2015."

Among the main trends in the banking sector, experts noted an increase in cases of fraud in cashless transactions (purchases in online stores, etc.) and attacks on processing with cashing out stolen funds through ATMs (losses in each of the known cases range from $3 million to $14 million). The number of physical attacks on ATMs has also grown: from traditional tricks such as the "Lebanese loop" to GreenDispenser viruses, which allow hackers to extract banknotes from ATM cassettes.

According to Positive Technologies experts, the global loss in 2014 for plastic card fraud alone amounted to about $16 billion. At the end of 2015, this figure is expected to increase by 25% and approach 20 billion. This is due to an increase in the volume of banking operations, and not good preparation of criminals. At the same time, over the past 20 years of observation, the share of fraud cases in the total volume of operations has practically not changed: fraudsters earn about 6 cents from every 100 dollars passing through, and banks this figure changes from year to year by only plus or minus half a cent, while maintaining the average value.

Since 2006, since the introduction of the international standard for bank card transactions with an EMV chip, the volume of losses associated with skimming (theft of card data using a special reader - skimmer) has been steadily decreasing. And although the level of losses is still high, experts expect a significant decrease next year. This is due to the fact that in October 2015 the United States joined the global practice, which accounts for about two-thirds of global losses.

2011: Carberp Trojan attacks

Main article: Carberp (Trojan)

What information security standards affect financial sector companies in the Russian Federation?

• STO BR IBBS-1.0-2014
• Bank of Russia Letter No. 49-T, dated 24 March 2014, "On Recommendations for Organizing the Use of Malicious Code Protection Tools in Banking Activities"
• Bank of Russia Regulation No. 382-P, dated 9 June 2012, "On Requirements for Ensuring Information Protection when Making Money Transfers..."
• GOST R 57580.1-2017 "Security of Financial (Banking) Transactions. Information protection of financial institutions. Basic set of organizational and technical measures. "
• Critical Information Infrastructure Act
• 152-FZ "About Personal Data"

• PCI DSS

• PP No. 1119 "On Approval of Requirements for the Protection of Personal Data during its Processing in Personal Data Information Systems"
• Bank of Russia Regulation No. 552-P, dated 24 August 2016, "On Requirements for the Protection of Information in the Bank of Russia Payment System"

And also

• Requirements FSB (for cryptographic license holders)
• 149-FZ ON INFORMATION, INFORMATION TECHNOLOGIES AND INFORMATION PROTECTION
• 63-FZ "On Electronic Digital Signature"
• TRADE SECRET 98-FZ
• Civil Code
• Criminal Code
• Administrative Code of the Russian Federation

Unified Biometric System (UBS)

Main articleUnified biometric identification system

Cyber Risk Insurance

Core ArticleCyber Risk Insurance

Notes