Central Bank changes the approach to making payments to combat hackers


According to “Kommersant”, the Central Bank sent the heads of IT-departments of banks the letter in which asked to 10 February to assess in terms of what they can implement encryption of payments sent to the payment system controller, at the level of the automated banking system (ABS).

ABS Bank, says the newspaper, is a hardware and software complex, which consists of many computers United in a single protected circuit that processes the payment order and formed register of payments. Formed in the ABS registries are doing in the CBD arm (automated work place of the client of the Bank of Russia) — a special computer in the Bank in a separate protected circuit, which takes payments in the CBA.

Implementation of encryption systems in ABS of the Bank, said in a press-service of the Central Bank, the newspaper will protect the data at an earlier stage, “difficult for attackers the conditions of attacks and reduce the level of theft”. The measure, as noted in the controller is proposed based on the analysis of the facts of thefts from commercial banks and takes into account international experience and current trends. “This was the practice in almost all major payment systems,” — said the press service of the Bank of Russia.

The measure of the Central Bank is to introduce encryption of payments at an earlier stage. As explained by an analyst of the center for monitoring and combating cyber attacks, Solar JSOC Alexey Pavlov, banks violate the recommendations of the Central Bank relating to the complete isolation arm to the CBD from the rest of the Bank’s network and transfers data using a secure removable media. When sending rosters often used the staging folder on a file server on the corporate network of the Bank, and in this place hackers replace the file with the registries, resulting in arm CBD come fully or partially fictitious data that are encrypted and go to the Bank. The bogus payment is encrypted can not be detected, however, if you encrypt registers at once in your ABS, then replace them on the way to the arm of the CBD will be impossible.

In banks, “Kommersant” said that appreciate the time and possible cost of introducing innovations. Pavlov announced that the Bank will have to conduct a massive upgrade in the technical sense. Turnkey solutions do not meet all the requirements of the legislation on encryption, you need to connect professionals with a special license from the FSB and at least a year of implementation, noted expert on the encryption of one of the big firms. As a result, the innovation will cost the Bank several million rubles. CB is discussing with market participants the terms of implementation of encryption systems “to determine a comfortable transition period,” said the regulator.

According to the newspaper, the bankers have a negative attitude to the idea of the Central Bank and officially comment on its not want. ABS — hundreds of computers that need more protection, says the head of the IT Department of the Bank from the top 100. The IT specialist from the Bank of the top 50 adds that will be lost the possibility of additional controls: now the Bank can verify the registries are uploaded to the ABS, hit the arm of the CBD and to identify a bogus, and when the encryption in ABS this would not be possible. A representative from a major Bank said that the Central Bank has already asked banks to 30 June of the current year to strengthen security measures at the site arm of the CBD that has a cost, but now changes the approach.

Unapproved, ABS banks, but to make it easy. As noted by Pavlov to crack the ABS need a specialist who is familiar with the system instance of a particular Bank. “Access to the ABS from the outside — this is largely a problem of the used means of protection. To attacks from outside the first barrier is just the specialized system of protection, plus the ABS has built-in mechanisms of protection”, — said the Director of operations and technology Department Absolut Bank Barbara Dobrojan.

Source