Cyberattacks: myth or reality
— In early December last year, the Central Bank and law enforcement agencies warned of the risk of massive cyberattacks on the financial sector. Did it not take place?
— December was calm. The fact that we issued several warnings oriented the banks and deterred the active intruders.
— What was avoided?
— December traditionally sees the highest number of attempts to steal funds from individuals and legal entities. The reason: at the end of the year, account balances increase and large payments are made, including bonuses paid to individuals, which provokes fraud. In 2016, the December peak of fraud was avoided. This time we also did not observe information attacks, although usually, on the eve of the holidays, there is a stuffing of information about problems at banks that provokes an urgent withdrawal of money by customers. Remember, in 2014 there was a powerful attack on one bank, when citizens withdrew their money from it in large numbers. Now, through the joint efforts of law enforcement officers, us as the Central Bank, and the credit institutions themselves, such problems have been prevented.
— Who receives information about impending cyberattacks?
— Last year we combined several different sources, including law enforcement data. In fact, the Central Bank now acts as a centre for combating security problems in the financial sector. The work is based on an interdepartmental working group headed by First Deputy Chairman of the Central Bank Georgy Luntovsky. This working group includes representatives of the FSB, the MVD, the Prosecutor's Office, the Ministry of Communications and the Federal Service for Financial Monitoring. More information comes from the information exchange with the banks, which is provided by the Centre for Monitoring and Response to Computer Attacks in the Financial Sphere (FinCERT, a structural unit of the Main Directorate of Security and Information Protection of the Bank of Russia. —).
— Overall, did the number of cybercrimes of various types increase or decrease in 2016 compared with 2015?
— We saw an increase in the number of attempted thefts in the first half of the year. Then, after the arrest of a gang of card fraudsters, the number of crimes decreased. Over the past year, the number of participants in information exchange within the framework of FinCERT has more than doubled, to 330. As for DDoS attacks, their number grew during the second half of the year, and we experienced another small surge in January of this year. In the third area, the distribution of malicious software, we saw a spike in crime in the middle of the year and realised that by the end of the year their number would grow.
— The December statements were preceded by information about the use of the Internet of Things in November for DDoS attacks on financial institutions in order to block their normal functioning. How does that work?
— In November last year, the websites of eight organisations, including the Central Bank, were attacked. The aim of the attacks was to disrupt services and, consequently, to undermine confidence in these organisations. These attacks were notable for being the first large-scale use of the Internet of Things in Russia. The attack mainly involved online video cameras and home routers. Analysis of the malicious activity showed that, theoretically, the power of such attacks can be increased, and then a credit institution on its own may not be able to cope with it. That is why the Bank, together with the Ministry of Communications, held a separate meeting on this subject with the participation of credit institutions and the largest telecom operators, where steps to counter this threat were outlined.
— What is to be done?
— We agreed to exchange information with the Ministry of Communications and shared with them our experience of building a centre for monitoring and responding to computer attacks. Perhaps they will set up something similar; again, the information exchange was successful. Well, and we give advice to our players.
— How well is the banking sector able to withstand cyber threats?
— The level of security in the credit and financial sphere is adequate to the existing risks. In any case, even the DDoS attacks that took place in November, December and January did not cause any harm to credit institutions. There was no interruption of services, and financial and reputational losses were also avoided. From the problems we had at the beginning of last year with the misappropriation of funds on cards, many have drawn conclusions and upgraded their ABS. Over the past year, nine credit institutions were subject to serious theft attempts. The attackers tried to steal about 2.2 billion roubles. At the same time, thefts totalling RUB 1.4 bn were stopped and prosecuted.
Photo: Oleg Yakovlev /
— Are you planning to actively involve other financial institutions, apart from banks, in the fight against cyber threats?
— Yes, that is planned: all non-bank financial institutions. We need to approach insurance companies, microfinance organisations and professional participants in the securities market. Two standards have been prepared for the activities of financial organisations related to information security: one for large ones, the other for microfinance ones. I think these standards will be enacted in the first half of the year.
— Will these standards be similar to the bank ones?
— We proceed from the need to form protective measures; depending on the types of business risks, certain protective measures are formed. For example, we are worried about the situation with electronic sales of insurance policies on Internet resources that are not owned by actual insurance companies, which is fraud. Not long ago, the Bank of Russia was given powers that allow us to effectively counter phishing sites and can trigger their blocking. However, insurance companies must also be concerned about protecting their reputation, track the emergence of malicious resources and inform their customers, the Bank of Russia and law enforcement agencies.
— Cyberattacks are constantly being modified. In what way have they changed recently?
— In the last month, we can see that a fairly large number of strong regional banks have been subjected to cyber extortion. These banks began to receive messages from hackers who threaten to attack and extort money from credit institutions so as not to fight with them; as a rule, the amount does not exceed 15 thousand roubles. Similar threats to banks have been made in the European part of Russia, the North Caucasus and Siberia. We recommend ignoring such emails and informing the Central Bank about them.
The private interest
— Citizens are most concerned not about banks' losses but about their own, especially from card fraud. Do you have data on how much banks have compensated clients in connection with fraudulent transactions?
— There are no such estimates. We plan to oblige banks to disclose information about such operations, including various items, such as compensation in connection with attacks and technical failures. We are now discussing the details of this innovation with banks. I think that this year we will release a new reporting form for banks, and they will need to fill it in from the following year. We need this reporting in order to talk with the MIA about the scale of the problems, prompting them to take greater interest in this type of case. Do you know anyone who has suffered damage from the SMS mailing "your card is blocked, call back"?
— No, but do you?
— So far, we only know the approximate scale of the problem. Per day we receive three to four complaints from citizens on this topic. Banks also send a few such requests every day. If we extrapolate this to the number of incidents we are not notified of, the scale is really big. I would say that thousands of these SMS messages are sent a year, so this is a very serious problem. How many of these attempts were successful, we don't know. At the end of last year, the Bank of Russia launched an information campaign, including in regional media, to alert people to this type of fraud.
— Would increasing the liability for carrying out fraudulent transactions on cards help in this case? Do you support the upcoming bill?
— Yes. It envisages toughening the criminal penalties for such operations to up to eight years. Now the punishment for such crimes is very mild: two years' probation for the embezzlement of several hundred million. It turns out that one can, conditionally speaking, live a quiet life with the money.
— The problem of theft of money from citizens concerns not only fraudulent transactions on cards. Risks arise when insufficiently protected online banking systems are used. Do you plan to bring these systems under control, and when?
— This year, in February, we began for the first time to conduct inspections of remote banking service systems. The objective is to study the state of protection of information when payment transactions are made. This year we plan to conduct more than a hundred such checks.
— What will the Central Bank check?
— The aim is to examine the actual state of information security technologies in payment transactions. This means that attention will be paid to the entire technical process connected with payments.
Photo: Oleg Yakovlev /
— Do you plan to establish any special requirements or recommendations for banks based on the results of those checks?
— In the middle of the year, additions to an existing standard should be issued (on capital adequacy, taking into account also operational risk, which includes fraud. —). There is also the option of creating a separate standard that would increase banks' attention to operational risk. This issue is under discussion, but in simpler words there are two choices: requirements to increase banks' capital, or the accrual of additional reserves for the magnitude of the existing risk. As a rule, the risk in such cases can be estimated by the amount of the average daily balance on the bank's correspondent account. So consider what is more profitable for the bank: either to freeze the money, or to direct a more reasonable amount after all into increasing the protection of clients' money.
— How will banks be selected for audits?
— That is the prerogative of supervision. We will participate in such inspections.
— Do the banks have the resources to meet all these innovations? How relevant is the issue of transferring security matters, at least partially, to outsourcing?
— We believe that for many organisations this will be the way out. Indeed, in addition to insufficient resources there may be a lack of personnel. In general, for a number of organisations these issues can be addressed through outsourcing services. For this we are preparing some recommendations, on outsourcing specifically. Frankly, this document is much debated and difficult to push through: it is very difficult to formalise recommendations for quality requirements and other characteristics of outsourcing.
— Do you plan to establish minimum qualification requirements for banking specialists in the field of cyber security?
— The problem of training such specialists is quite acute, especially for high-tech and rapidly developing banks. Soon there will be a second round of discussions on recommendations on the qualification requirements for security experts. I really hope that we will release them in the middle of the year. After that we will move in the direction of forming an educational standard.
— Against the background of sanctions, the use of Russian versus foreign software to combat cyber threats raises a lot of questions. Which is safer?
— If we speak about security in the financial sector, 80% of what is used is domestic developments: automated banking systems, means of remote service. The problem is that it all eventually runs on database management systems and operating systems that are not of Russian production. We do not plan to issue documents on import substitution. However, we cooperate on this matter with the Ministry of Communications.
How hacking is judged
Article 272 of the Criminal Code, under which hacking falls, provides up to seven years of imprisonment for "illegal access to legally protected computer information." The norm is applied relatively rarely: during the first half of 2016, 57 people were convicted, including 24 for whom it was the main charge, according to data from the Judicial Department of the Supreme Court. Cases against 18 people concerning hacking were discontinued by the court for various reasons, for example in connection with repentance or the application of an amnesty.
For the full year 2015, the courts sentenced 207 people on hacking charges; imprisonment in a colony was the penalty received by one of them. Four were acquitted, and in respect of 67 the cases were terminated.
Most of the sentences each year are for hacking for selfish motives or causing major damage (part 2, Article 272). Somewhat fewer are punished for hacking in a group or with the use of official position.
Only a handful behind bars
Hackers end up in a colony in only a few cases. Most often, violators of the Criminal Code articles on computer security (which, in addition to illegal access to information, include the spread of viruses and the violation of rules for storing information that caused major damage) were sentenced to restriction of freedom, a suspended sentence or a fine, according to data from the Judicial Department. Only one Russian at the beginning of 2016 received real prison time under one of these articles, and it was a term of up to a year. A total of 20 persons were released from punishment under the amnesty.
In the vast majority of cases, break-ins, viruses or leaks from organisations were heard in a special procedure. It implies a plea of guilt, in exchange for which the case is expedited and a relatively mild penalty of not more than two thirds of the maximum term, or a fine, is imposed.
A response to a request to the Interior Ministry on the number of criminal cases initiated under the article on illegal access to computer information is still awaited.