Checks of the security of Internet, mobile and other remote banking services will begin in 2017. Banks' payment services will be assessed for their protection against cyber threats, according to the “Financial Stability Review” published by the Central Bank on 2 December. Although branchless banking has long existed in Russia, this area is still not controlled by government agencies. Each bank has provided (or not provided) security for client operations over remote channels as it saw fit.
As the review shows, the regulator does not intend to limit itself to security checks of online banking and remote payment services for corporate clients (“client–bank” systems, etc.). The Central Bank also promises to introduce certification of such remote services “for compliance with the requirements of information security”. That is, in effect, to introduce regulation in this area by fixing the requirements that e-banking services must meet. In the future, these will be issued as national standards. The requirements are to be developed by a specially formed interdepartmental working group, which, in addition to Central Bank staff, includes representatives of the Ministry of Finance, the Ministry of Internal Affairs of Russia, the Ministry of Communications and FSTEC.
These are not just words. The Central Bank intends to back them with action. The regulator's capital adequacy requirements for credit institutions will depend on how well their remote banking services comply with the security standards. That is, the greater the risks in a bank's online banking systems, the higher the capital adequacy requirements for that bank and the fewer its opportunities to increase lending and invest in other assets.
The Central Bank has already carried out the relevant work itself. “All of our [Bank of Russia] security systems have passed certification and periodically undergo load testing to ensure security in the event of an emergency,” said the Chairman of the Central Bank Olga Skorobogatova in the State Duma on 2 December. According to her, as a result the Bank of Russia is protected from cyber attacks, while for the financial system as a whole “the work has only just begun”.
The Central Bank's desire to take control of remote banking services was prompted by a sharp increase in the number of incidents in which customers' funds are debited through remote channels as a result of fraud. At the same time, as Central Bank statistics show, banks' effectiveness against the growing number of such frauds is low. In January–September 2016 alone, hackers attempted 102.7 thousand unauthorized transactions on the accounts of individuals using payment services, whereas over the same period in 2015 only 16 million such attempts were recorded. While the damage to private customers from fraudulent activity in the first three quarters of this year amounted to about 1.25 billion rubles, according to Central Bank statistics, banks and the regulator this year managed to prevent the theft of no more than 2-3% of the funds.
The situation with protecting the funds of banks' corporate clients looks somewhat better. Since the beginning of the year, the Central Bank has recorded a total of 365 unauthorized withdrawals of funds through e-banking services; in the first three quarters of 2015 there were 840 such attempts. The amount of legal entities' funds stolen in cyber attacks is also significantly lower. In January–September 2016, hackers tried to withdraw about 1.1 billion rubles from company accounts, but the banks and the Central Bank managed to save almost a third of the money.
This year also saw cases in which hackers tried to steal banks' own money held in correspondent accounts at the Central Bank. Of 2.87 billion rubles, slightly more than half was protected from the hackers: the banks themselves blocked operations worth 1.1 billion rubles, and the Central Bank saved another 570 million rubles by suspending transfers from the accounts.
For and against
Bankers' official comments are traditionally positive (this is how banks typically greet new regulatory initiatives). Sberbank hopes the innovations will reduce risks throughout the system, said the Chairman of the Board of Sberbank Stanislav Kuznetsov. “In the market today, banks' requirements for the quality of payment applications vary widely,” he confirmed.
“The need to establish common quality standards for payment applications is long overdue. Scammers are increasingly using remote banking services for their attacks, and the accounts of legal entities are becoming targets of their attacks,” says Alexei Golenishchev, Director of e-business monitoring at Alfa Bank.
Standardization of payment applications by the Central Bank will have a beneficial impact on all banks and will help reduce operational risk (which is taken into account together with credit and market risk when calculating banks' capital adequacy, according to Basel Committee requirements), adds Ivan Glazachev, Executive Director of the acquiring and transaction business at the bank “Russian Standard”.
However, financial experts are not so optimistic about the regulator's plans. As Pavel Krylov, head of the online payment protection department at Group-IB, noted in an interview, security certification of payment services will reduce the risk of defective new payment applications being released. “If the bank client's device is already infected with malicious code and payment confirmation is done entirely on it, the money is stolen. Given that this is exactly how fraudsters operate, certification of payment applications and systems alone will not change the situation fundamentally,” said the expert.
The Central Bank intends to resolve this issue as well. The proposal is to introduce mandatory double confirmation of transactions performed over remote channels. Today, most credit institutions identify the client by sending a one-time password by SMS or by using special electronic USB keys and smart cards (eToken). “It is standard practice for the banking market, but many players are working on additional security measures because the situation is critical,” admits, on condition of anonymity, the head of information security at a top-10 bank. According to him, because of the rapid development of mobile banking, many customers use the phone as their sole payment device. “A Trojan can easily intercept the password and user ID, and then the one-time code for the transaction received by SMS. Therefore, it is a creative task for the Central Bank: how to protect these services,” said the banker.
However, according to IT experts, double identification can be avoided. “For example, transaction security can be achieved through additional inspection of the device on which it is performed,” said Sergey Golovanov, a leading anti-virus expert at Kaspersky Lab. “In some banks, the system already checks when updates were last installed on the client device, when the antivirus was last updated and what malware it found, and, in the case of smartphones, additionally checks whether they prorecovery. All this is passed as part of the payment order and analyzed by the banks' “anti-fraud” systems. The system then decides on the operation,” said the expert.
The banks themselves are also working on more thorough identification of customers using remote channels. A top manager of a large private bank said that some credit organizations are developing mechanisms to identify the customer, such as biometrics or simply photos. But, according to him, it is mainly the big banks that are ready to bear the additional cost. “Small and medium-sized players are less concerned about cyber security problems, so they are more vulnerable to hacker attacks,” adds the banker.
With the participation of Catherine Markhulia