The Central Bank of Russia detected a new type of fraud during the transfer of funds through an ATM




According to the publication of the Center for monitoring and responding to computer attacks in the financial sphere of the General Directorate of protection and information security at Bank of Russia (FinCERT), the Central Bank reported a new type of fraud during the transfer of funds between cards through ATMs.
The document says, "previously expected  TRF-attacks (transaction reversal fraud) did not occur, but a new method of such an attack was recorded based on the imperfection of the scenarios for processing transfers from card to card using ATMs."
The fraud method is connected with the imperfection of the p2p-transfer scenario (transfer between individuals). In particular, when the transaction is cancelled, the fraudster has the opportunity to withdraw the transferred amount from another card and at the same time keep the money in his account.
The algorithm is quite simple. First, a transfer operation between individuals is selected and the card number of the beneficiary is indicated. The terminal sends two authorization messages to the beneficiary's Bank and to the sending Bank. After two approvals have arrived, the actual translation is performed.
However, the ATM then asks the sender for confirmation of the debit fee, but he does not agree, and a message about the return is sent to both Banks. As a result, the temporary holding of funds is removed from the sender's account, he saves all the money, but the beneficiary during this time withdraws the transfer from his card.
The Central Bank advises Banks to check the correctness of ATM scenarios. So, the approval for the cancellation of the operation to the sender should come only after the message about the successful return of the transferred funds from the beneficiary's Bank.
Another measure to combat this type of fraud is to obtain consent to charge a transfer fee before sending authorization messages for the operation.
The sender bank is responsible for the success of such attacks, said Alexei Golenishchev, the Director of e-business monitoring at Alfa-Bank.
In May, Ehackingnews described another type of fraud with Sberbank ATMs. The attacker did not insert a Bankcard into the machine, chose any operation and did not complete it. When the next customer came to the machine, he saw on the screen of ATM a proposal to insert the card and enter the pin code. When he did all, the operation of the attacker was automatically completed, after which the money was debited from the cardholder's account. Later, Sberbank said that Bank solved this problem and the attackers could not withdraw money anymore.

The National Payment Card System (NPCS) of Russia says the Fast Payment System is secure


According to Dmitry Kolesnikov, Director of the FPS project in the NPCS, the Fast Payments System is completely safe.

Earlier, the Head of Sberbank German Gref said that one of the reasons why Sberbank does not join the Fast Payment System is cybersecurity. So, according to Gref, the system is still unsafe.

"The system is safe, secure, fully complies with all standards. There were no incidents during the operation," said Kolesnikov at the International Forum "Remote Services, Mobile Solutions, Cards and Payments - 2019".

The Bank of Russia summed up the results of the first four months of the FPS. According to Maria Krasenkova, the Head of the Development and Regulation of the National Payment System of the Central Bank, from January 28 to May 28, 500 thousand transfers were made through the FPS for a total of 4.2 billion rubles ($ 64 million). Dmitry Kolesnikov noted that during the operation of the system, about 200 thousand people took advantage of it. According to NPCS, 40% of transfers are made between own accounts, 60% between accounts of different clients.

It is worth recalling that the Central Bank launched a competitor to the Sberbank transfer system, it's a money transfer system (FPS) by telephone number between accounts of different banks. First, only 11 financial institutions joined the FPS, including Alfa-Bank, Tinkoff Bank, Gazprombank, VTB and others. Another 100 banks expressed their desire to join the system. However, Sberbank has not yet expressed its desire to join the FPS. The largest Russian Bank was a monopolist in the market of money transfers between individuals. In 2018, Sberbank earned 47.2 billion rubles ($ 722 million) on transfers, and the launch of the Central Bank system has already hit its revenues. In the future, participation in the FPS is planned to be mandatory for all banks.

The Bank of Russia expects to connect important Banks to the FPS before September 1. However, according to Gref, the agreement with the Bank of Russia on the connection of Sberbank to the FPS has not yet been achieved.

Sberbank lists the major trends in cybercrime

Stanislav Kuznetsov, the Deputy Chairman of Sberbank, said that now there are three main trends in the field of cybercrime. The first trend is DDoS attacks, the number of which continues to increase. The second trend is data leakage. "The whole market is developing in this direction," Kuznetsov added.

According to the representative of Sberbank, the third trend called fraud associated with the methods of social engineering. Kuznetsov explained that criminals often play on the trust of citizens.

"Russia is a unique country, the level of public confidence is very high in everything that is done by state institutions, corporations. This is good, but the scammers use this uniqueness of the Russian population, especially the elderly," says Kuznetsov.

For example, a serious threat is phishing (theft of confidential data through e-mail on behalf of financial and government agencies). According to the Deputy Chairman, about 27-30% of office workers in Russia in different corporations can now safely open such phishing emails. And this is a great indicator.

The representative of Sberbank admitted that he does not see the factors that would help to stop the growth of crimes using the methods of social engineering. According to him, the situation can be changed only with the help of educational activities.

Kuznetsov said that the economic damage caused to the country by hackers in 2018 could reach 1.3 trillion rubles (20 million $). Since the beginning of 2019, Sberbank stopped more than 40 intense DDoS attacks, but the financial structure did not finish its activities for a second.

Thus, cybercriminals often use DDoS attacks, social engineering fraud and data leaks. According to Kuznetsov, information security specialists will try to prevent such violations.

It is important to note that from 2020 the Central Bank may begin to conduct stress tests of credit institutions for resistance to cyber threats.


Emotet trojan one of the biggest malware

Emotet is a banking Trojan that started out stealing information from individuals, like credit card details. It has been lurking around since 2014 and has evolved tremendously over the years, becoming major threat that infiltrates corporate networks and spreads other strains of malware.

The U.S. Department of Homeland Security published an alert on Emotet in July 2018, describing it as “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans,” and warning that it’s very difficult to combat, capable of evading typical signature-based detection, and determined to spread itself. The alert explains that “Emotet infections have cost SLTT (state, local, tribal, and territorial) governments up to $1 million per incident to remediate.”

Emotet poses a grave risk for individuals and businesses of all sizes. Here's a look at what you can do to safeguard your business against this pernicious Trojan malware.

Emotet infections typically start with a simple phishing email that contains an attachment or a link to download a file. The recipient is persuaded to click the link or open the file and they unwittingly set in motion a macro that downloads a malicious payload. As soon as the device is infected, Emotet starts trying to spread to other devices on the network.

The addition of new capabilities into Emotet, inspired by other successful malware such as WannaCry, has made it a much more potent threat capable of moving laterally and infecting entire networks alarmingly quickly. It’s a modular Trojan that’s often employed as the vanguard of a bigger attack, piercing the outer defenses and then downloading other banking Trojans and spreading them around.

As persistent and pernicious as Emotet is, you can take effective action to guard against it.

First, ensure that you don’t have unsecured devices on your network. Take steps to identify and secure unmanaged devices. Eradicate potential blind spots like internet of things devices. Even if Emotet appears to be confined to an unsecured machine, the threat has not been neutralized because it’s polymorphic, constantly updating itself and working towards spreading further. Given enough time, it has a good chance of finding a weakness in your defenses that can be exploited.

Hackers stole 150 thousand rubles from the accounts of Belarusian enterprises through the Client Bank

At the beginning of April 2019, the police received a statement from an employee of one of a metropolitan organization, who reported that an unknown person had made unauthorized access to the computer of the organization, which uses the Client Bank software.

As it became known, the hacker not only made unauthorized access to the organization's computer, but also infected it with malware, which allowed him to make illegal payments to a certain account.

It turned out that the scammer had used RTM malware (Redaman) and sent it by e-mail.

During the investigation, it was found that the attacker made three money transfers to the account of another Bank. The amount of damage was about 30 thousand rubles (470 $). The account to which the amounts were transferred was opened in the name of the foreigner.

The investigators found out that the hacker gained access to the Bank account via a USB key, which the chief accountant had left inside the computer after the end of the working day. This allowed remote access to the system and illegally transfer money.

It was established that such a malicious program was sent by e-mail to more than 90 business entities, the total damage amounted to more than 150 thousand rubles (2 350 $).




Half of the online Banks in Russia does not have enough security

More than half of the Internet applications of Russian Banks were not sufficiently protected. According to the research of Positive Technologies, attackers can view some programs and also edit the information in them.

Cybersecurity Experts analyzed dozens of applications. In their opinion, 61 percent of programs have extremely low or low levels of protection.

It turned out that every second online Bank (54 percent) allows attackers to make fraudulent transactions and theft of money. For example, scammers can spoil the number to which the auto payment is set up or steal the victim's card number.

In addition, according to researchers, almost 80 percent of Banks carry out many operations without additional protection. You can transfer funds or disable the sending of one-time passwords without confirmation by SMS.

Earlier it became known that 85 percent of all ATMs are vulnerable to attacks aimed at stealing money. It turned out that Banks prefer not to update the ATM software, as it requires additional costs.

Information security Experts note that radical measures are needed to correct the situation.

Are enough safeguards built within BHIM?

About BHIM:
BHIM (Bharat Interface for Money - Bhim App) is a Mobile App developed by National Payments Corporation of India (NPCI), based on the Unified Payment Interface (UPI). It was launched by Narendra Modi, the Prime Minister of India, at a Digi Dhan programme at Talkatora Stadium in New Delhi on 30 December 2016. (source:Wikipedia)

Issues:

The BHIM application has an option to create a payment address(Virtual ID). It auto suggests a persons name+(value) as a many of the typical Indian Names are already taken.


Example if a person called Vijay Kumar R is trying to create a personal payment address he will be suggested "vijaykumarr" . This is the primary identifier and during transfer it does not do any further checking. A simple mistake in the name might cause a catastrophe for the sender.

If a person by mistake types in "vijaykumart" (instead of "vijaykumarr") the application will show the proper full name as "Vijay Kumar" and it is highly probable that a person would send the money to the wrong person as the name is matching. Since the BHIM application is mostly targeted towards "New Adopters" mostly from rural locations they might not be able to find the difference or spot a mistake on what they are typing.

The application should ask for a secondary detail (Eg:Mobile Number,Bank Name etc) about a person and cross check it with the database and only process it if the details are matching.

When it comes to NEFT and IMPS it has multilayer verification , even if the user gives a wrong inputs it will not send the amount if any of the details are incorrect.


BHIMNEFT/IMPS
Checks Full NameNoYes
Checks Bank AddressNoYes
Checks Account NumberNoYes

There is an option to refund the money back to the senders only on the receivers end. It does not have any option to raise a complaint on the senders side. Many of the banks are unable to get the money back if it is wrongly sent to another person. There is no option in the UPI ecosystem for such cases. How can this be ? Why did they not think about this?

The same issue was faced by us when we sent about 9200 to the wrong ID.  The bank (Axis) that we used could not get our money back, even though we made a compliant within few minutes.  It was also not possible for us to track who it was sent to and request them to send it back.

We recommend that people stick to the traditional NEFT and IMPS for any high value transactions as there is no support in the UPI system for raising issues during transactions.