
The Central Bank went over suspicious numbers – Newspaper Kommersant No. 32 (6753) dated 02.21.2020

The Central Bank has acknowledged the problem of phone number enumeration in the Faster Payments System (SBP). The system is designed in a way that makes it possible to obtain the first name and patronymic of the client who linked a number to a card or account, as well as the names of the banks where those accounts are held. This is the starting information for fraudsters who specialize in social engineering. In total, as part of the fight against such enumeration, the Central Bank has blocked more than 23 thousand numbers. But a block of this kind is only a temporary measure: in another bank’s system the blocked phone number is treated as “clean”, and the enumeration can be started again.

Artem Sychev, who oversees FinCERT (a division of the Central Bank), said on February 20 at the Ural Forum on Information Security that the SBP had made it possible to block 23.3 thousand operations on suspicion of attempts to enumerate numbers.

As the Central Bank explained, 23 thousand telephone numbers were blocked from use in the SBP. Of these, 169 blocks correspond to bank-confirmed attempts to transfer money without the client’s consent. “It is important to emphasize that client data are not stored in the SBP,” the Central Bank noted. “At the same time, the anti-fraud system blocks numbers from which repeated requests are sent to banks participating in the SBP in order to find out whether a transfer to one or another client of these banks is possible.” “The SBP can be used as a mechanism for obtaining information,” notes Maya Glotova, general director of KartStandart.

The Bank of Russia’s Faster Payments System has been operating since the end of January 2019. According to the Central Bank, about 9 million operations worth 80 billion rubles were carried out in it over the course of the year. Currently, 42 banks are connected to it, and another 160 credit organizations have submitted applications for connection. The system allows citizens to transfer money by mobile phone number to a client of any bank connected to the SBP. Attackers use this to enumerate numbers, figuring out where a particular person holds accounts, and then, using social engineering methods, get the client to transfer funds to their accounts or to accounts held by front persons.

In informal conversations, bankers emphasize that the number blocking system used in the SBP is not a very effective measure. It works like this: after five unsuccessful attempts to determine the bank in which a potential victim keeps an account, the phone number from which the lookups are made is blocked for a day. But the counter is kept per bank: if fewer than five failed attempts are made against any one bank, no block occurs. Given the number of SBP participants, social engineers have up to 200 attempts to identify banks.

23.3 thousand phone numbers were blocked by the Central Bank from use in the SBP.

When the National Payment Card System (NSPK, the SBP operator) identifies such cases, it informs the banks. But banks whose internal anti-fraud systems apply stricter cut-off conditions (for example, three unsuccessful attempts) do not pass that data back. As a result, a significant part of the information simply never reaches the NSPK, which significantly reduces the apparent scale of the problem, market participants say.
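To make the difference between per-bank and operator-level counting concrete, here is an added illustration written for this page; it is not code from Kommersant, the Central Bank, the NSPK or any SBP participant. It models the arrangement the two paragraphs above describe: a counter of failed “is this number your client?” lookups that is either kept separately by each bank or shared across all participants, with a one-day block once the threshold is reached. The bank count (40), the threshold (five), the requester number and the lookup outcomes are constructed assumptions.

```python
from collections import defaultdict

DAY_SECONDS = 24 * 60 * 60   # the article says a blocked number is locked out for a day


class LookupLimiter:
    """Limits failed "does this phone number belong to your client?" lookups.

    mode="per_bank": every bank keeps its own counter for a requesting number
                     (the arrangement the article describes).
    mode="shared":   one counter per requesting number across all participant
                     banks, i.e. a counter kept at the operator level.
    threshold:       failed lookups allowed before the requesting number is blocked.
    """

    def __init__(self, threshold: int, mode: str, block_seconds: int = DAY_SECONDS):
        if mode not in ("per_bank", "shared"):
            raise ValueError("mode must be 'per_bank' or 'shared'")
        self.threshold = threshold
        self.mode = mode
        self.block_seconds = block_seconds
        self.failed = defaultdict(int)      # scope key -> failed lookups so far
        self.blocked_until = {}             # scope key -> unix time the block expires

    def _key(self, requester: str, bank: str):
        # Per-bank scope is (requester, bank); shared scope is the requester alone.
        return (requester, bank) if self.mode == "per_bank" else (requester,)

    def allow(self, requester: str, bank: str, now: float) -> bool:
        """True if the bank should answer this lookup at time `now`."""
        key = self._key(requester, bank)
        until = self.blocked_until.get(key)
        if until is not None:
            if now < until:
                return False
            # Block expired: clear it and start counting again.
            del self.blocked_until[key]
            self.failed[key] = 0
        return True

    def record(self, requester: str, bank: str, found: bool, now: float) -> None:
        """Record the outcome of a lookup the bank actually answered."""
        key = self._key(requester, bank)
        if found:
            self.failed[key] = 0
            return
        self.failed[key] += 1
        if self.failed[key] >= self.threshold:
            self.blocked_until[key] = now + self.block_seconds


def lookups_answered(mode: str, banks: list, threshold: int, now: float = 0.0) -> int:
    """Simulate one requesting number probing a phone number that is a client of
    none of the banks, trying each bank in turn until every bank refuses to answer.
    Returns how many lookups were answered before the requester was shut out everywhere."""
    limiter = LookupLimiter(threshold, mode)
    requester = "+7-000-000-0000"   # constructed requester number, not a real one
    answered = 0
    for bank in banks:
        while limiter.allow(requester, bank, now):
            limiter.record(requester, bank, found=False, now=now)
            answered += 1
    return answered


if __name__ == "__main__":
    # Constructed assumptions: 40 participant banks, five failed lookups per block.
    banks = [f"bank-{i:02d}" for i in range(40)]
    print("per-bank counters:", lookups_answered("per_bank", banks, 5))   # 200
    print("shared counter:  ", lookups_answered("shared", banks, 5))     # 5
```

With per-bank counters the requester gets the threshold times the number of participants before being shut out, which is the “up to 200 attempts” figure quoted by the bankers; with a single counter kept at the operator level the budget is the threshold itself, and a bank that applies a stricter internal cut-off would contribute its failures to the same counter instead of silently absorbing them.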

Therefore, banks prefer to protect themselves. According to Ivan Pyatkov, a member of the board of Alfa Bank, the bank monitors operations through the SBP using its internal anti-fraud systems. Russian Standard Bank reported that protection against the enumeration of payee banks by requests made without the intent to carry out a transfer now operates at all levels of the SBP, which allows such actions to be blocked in a timely manner. VTB Bank said it had taken organizational and technical measures that prevent criminals from spoofing bank phone numbers when calling customers.

However, in the fight against number enumeration it is worth weighing the pros and cons, experts point out. Vyacheslav Kasimov, director of the information security department at ICD, notes that enumerating numbers within the SBP cannot yield significant results: the most that can be found out is five to ten phone numbers with first names, which social engineers can then use. “If you block the possibility of enumerating numbers completely, the SBP will not work, so here we must minimize the risks,” he explains.

Ksenia Dementieva
