Banks do not want to implement multi-factor authentication and end fraud

CarderPlanet

The number of fraud cases is simply off the charts. Articles about new instances of fraud appear almost every day. This happens with the full connivance of the state and the police, who are busy with the opposition instead. And it is likely that keeping the population mired in loans is profitable for the mafia.

Banks have realized that in most cases this is the client's problem, and they profit from the interest on stolen loans, so they have no interest in actually stopping this chaos; under the guise of protection, they only want to dig deeper into their clients' pockets. Banks make it easy to steal money, yet they refuse to close an account even when the client has stated in court, many times over, that he wants it closed.

The banks' two-factor protection is in fact one-factor, since fraudsters manage to change a customer's phone number and then hijack access to the bank's app and the customer's personal account.

Let's try to figure out whether the state, the police, the banks and the public really are so powerless against swindlers. In the European Union there is almost nothing like this, at least not on the scale seen in Russia, so the problem has been solved there. Below are the schemes used to hijack user accounts and the possible protection options.

How scammers steal money

Many articles of the "N ways fraudsters steal money from bank cards" kind describe the various phone-call scripts as if they were different schemes. In fact, they are all one and the same scheme, which is called "social engineering" or, more simply, a telephone scam.

If you get a call from a bank, the State Services portal, a security service, the investigative committee, the prosecutor's office, the police, the FSB or a court, the most correct thing to do is to hang up immediately and add the number to the black list. Ideally, do not answer calls from unfamiliar numbers at all. Whatever the authorities need, they will issue a summons and take you in for questioning, and there it is best to invoke Article 51 and never talk to the security forces at all. The bank will tell you everything it needs to in writing, in its app or in your personal account. It is important to remember that you cannot trust any incoming call or SMS. The sender's number is easy to fake; see how Navalny tricked his poisoner.

It will not be superfluous to repeat that you should not:
  • open emails with all their content loaded, since that lets the sender know the message has been opened;
  • open attached files you were not expecting to receive;
  • follow links in emails, SMS, social networks or on dubious sites, unless you were expecting that link from the bank, for example after registering or requesting a password reset;
  • install unnecessary software.

There are also more mundane ways to lose money: losing control over your
  • telephone number;
  • email address;
  • State Services account;
  • smartphone or computer.
Now let's look at all of this from a different angle.

Keys and protection algorithms

Logging in to an information system is like entering a house or unlocking a car. It's good if you have one key. Better if you have two. Very good when, after opening the door, you still need to know where to switch off the alarm, which otherwise summons the guard. For cars people simply fit a hidden toggle switch: the car will not start until that circuit is closed.



Let's list what types of keys we have at our disposal:
  1. Login is usually: email or phone number or card number.
  2. Password.
  3. The second password is a code word.
  4. One-time password table, data on the last operation, personal data.
  5. An e-mail account, State Service or whatever.
  6. SMS, phone call.
  7. Smartphone application, one-time password generator, Yandex-Google authentication, blocking amount of the current operation.
  8. Hardware one-time password generator, hardware token.
  9. Static IP address, subnet, geolocation.
  10. Communication in Telegram, WhatsApp.
  11. Toggle switch allowing operations in excess of the specified limit. It can be a sequence of certain actions.
I have arranged the types of keys in order of increasing difficulty to break.

You can lose your password, it can be stolen by malware, or you can type it into a phishing site. Clients often say their code word and passport details out loud when they call the bank, and recordings of phone conversations are kept not only by the bank but also by the telecom operators. Account transaction data can be obtained through social engineering, through police insiders on the darknet, or simply by observing that the customer has just filled up at a petrol station. The other types require taking possession of the smartphone, either physically or by infecting it with malware. A hardware code generator can only be taken physically; malware cannot touch it. A static IP address can be obtained by hacking the client's WiFi network, but that leaves many traces: you have to approach the home and you get caught on cameras. And if you use a VPN to log in to the bank, even hacking the WiFi will not help.

The security algorithms also include the order of authentication. The information system can let the user choose how to confirm a payment, and only the user knows that on Mondays he confirms with a Yandex authenticator code, on Tuesdays with Google, on Wednesdays with a hardware token, and so on. To transfer a large amount, there can be a required sequence of actions, such as moving the sum to a newly opened account, a virtual card or a deposit first, and only from there does the transfer continue. A second person may be designated, who has to enter a code in the personal account of his own bank to confirm the payment. Thus, even if the bandits gain physical access to all of the client's devices and keys, and to the client himself, force him to enter all the codes and even call the bank by voice and confirm that he is who he says he is, then at the level of not even a bank operator,

The main reason for the success of scammers is one-factor authentication

- Give me the meter of the state border for rent.
- Why meter?
- For the suitcase to pass.


Many keys are pointless if there is a single superkey, or if taking possession of one key lets you reissue or change all the others.

Banking information systems should use multi-factor authentication based on independent access keys. In reality they have one superkey: the phone's SIM card, or the client's personal data. There is a steady stream of complaints about Tinkoff Bank, Alfa-Bank and other banks in which fraudsters change the client's phone number, then install the app, receive all the required SMS codes, steal the money that is there, open additional loans and steal more money that is not there.
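The "superkey" problem above, and the over-limit toggle switch from the list of keys, can be checked mechanically. The following is an added example, not code from the original post or from any bank: each factor is tagged with the trust root that produces it (SIM, enrolled device, hardware token, branch visit) and with the roots that can remotely reissue it, and a transfer above the limit is only confirmed when no single root breaks every factor. The root names and the two bank configurations are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Factor:
    name: str
    delivered_by: str                  # root that produces the factor itself
    reset_by: frozenset = frozenset()  # roots that can reissue it remotely (transitively)

    def compromise_roots(self) -> frozenset:
        """Taking over any one of these roots yields this factor."""
        return frozenset({self.delivered_by}) | self.reset_by

def superkeys(factors: list[Factor]) -> list[str]:
    """Roots that alone break every factor: the post's 'superkey'."""
    common = set.intersection(*(set(f.compromise_roots()) for f in factors))
    return sorted(common)

def min_roots_to_break(factors: list[Factor]) -> int:
    """Smallest number of roots whose takeover satisfies all factors
    (a minimum hitting set; brute force is fine for a handful of roots)."""
    universe = sorted(set().union(*(f.compromise_roots() for f in factors)))
    for k in range(1, len(universe) + 1):
        for combo in combinations(universe, k):
            if all(f.compromise_roots() & set(combo) for f in factors):
                return k
    return 0

def confirm_transfer(amount: int, limit: int, factors: list[Factor],
                     required_independent: int = 2) -> bool:
    """The 'toggle switch': above the limit, demand truly independent factors."""
    if amount <= limit:
        return True
    return min_roots_to_break(factors) >= required_independent

def weak_bank_factors() -> list[Factor]:
    # Constructed: password reset by SMS, phone number changed remotely with
    # passport data, app re-enrolled on a new device via SMS.
    return [Factor("password", "password", frozenset({"sim", "personal_data"})),
            Factor("sms_code", "sim", frozenset({"personal_data"})),
            Factor("app_push", "device", frozenset({"sim", "personal_data"}))]

def hardened_factors() -> list[Factor]:
    # Constructed: no remote phone change; password and token reissued only in branch.
    return [Factor("password", "password", frozenset({"branch"})),
            Factor("sms_code", "sim"),
            Factor("hw_token", "hw_token", frozenset({"branch"}))]

if __name__ == "__main__":
    print("weak superkeys:", superkeys(weak_bank_factors()))        # ['personal_data', 'sim']
    print("hardened roots to break:", min_roots_to_break(hardened_factors()))  # 2
```

In the weak configuration three "factors" collapse to one root, which is exactly the SIM-swap story in the complaints above; in the hardened one an attacker needs both the SIM and a branch visit.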

None of the data that banks ask for over the phone is a customer authentication factor. Fraudsters can call on behalf of the bank and ask for it, and the recording of the conversation can leak.

There have also been stories of SIM cards being forged in some Mukhosransk.

What should the state do

RosKomPozor should stop blocking opposition sites and take up its actual duties: dealing with telecom operators who sell telephone services to fraudsters without proper identification and even let them change a phone number.

Track scam call centers. They are also identified by keywords. Voice recognition works well.

The courts should punish banks in cases where fraudsters obtained loans on fake documents and bank employees failed to exercise due diligence. After all, the tax authorities charge wild taxes and penalties for failing to exercise due diligence when choosing service providers.

The Criminal Code of the Russian Federation has Article 293, Negligence. It fits exactly: "Negligence, that is, failure or improper performance by an official of his duties as a result of an unfair or negligent attitude towards service or duties in office, if this entailed causing major damage or a significant violation of the rights and legitimate interests of citizens."

What banks should do

  1. Implement as many options for customer authentication and payment confirmation as possible. If the client wants to have 10 independent keys, let him have them. If he loses even one, he goes to the bank in person. Shame on banks that let fraudsters, who have previously changed the client's phone number at the bank, install the app and get access to the money.
  2. Make the keys really independent, or at least some of them. There must be at least three independent keys at the client's request. Lose any of the three and you go to the bank.
  3. Prohibit remotely changing the phone number or authorizing a reissued SIM card. Not everyone will want this, but at least offer customers this increased-security option.
  4. Implement notifications not only via SMS but also as HTTP notifications and emails, which can be forwarded even to a smart speaker. If the SIM card or smartphone is taken away, the client otherwise stops receiving notifications altogether.
In the meantime, in every article on VC.ru and banki.ru, the banks' PR departments, in the best traditions of Dr. Goebbels' students, lie about how much they care about security.

What should bank customers do

  1. Listen to recordings of scam calls on YouTube. After a few such conversations you will recognise a scam yourself.
  2. Better still, do not talk on incoming calls at all. Hang up as if the connection dropped and call the bank yourself at the number on its website. Ideally, do not use the telephone at all but have your own manager in Telegram, WhatsApp or the bank's app, constantly delete the correspondence in the messengers, and do not write in the manager's contact name that this is such-and-such a bank.
  3. Even better, create a separate secret telephone number for each bank, used nowhere else. Some operators offer virtual (additional) mobile numbers. The main thing is not to lose control over such a number.
  4. Create a separate email address for each bank, one that appears nowhere else. In Google this is done like this: [email protected]. But it is still essentially one mailbox and the protection is so-so. You can rent a VDS, buy your own domain and register any addresses and aliases on it. An alias like [email protected] is much safer. And if a personalised advertising offer arrives at such an address, you will know with high probability where your personal data leaked from. That is a reason to change your email and phone number at the bank.
  5. Send a link to this article to your bank's support and demand additional types of protection and a ban on remotely changing the number or authorizing a new SIM card.
  6. Do not install third-party software or games on your smartphone and computer. If they are vital to you, do not put banking apps there. Rent a VDS and log in to the banks' personal accounts from a clean operating system with nothing extraneous on it. Malware can gain access to your VDS too, but that is somewhat harder, especially if you configure a firewall with two-factor authentication.
  7. Do not open links and files you did not ask for. Looking at an email's headers often reveals that it is fake, although some headers can be forged.
  8. Do not give any app access to your contacts.
  9. Write to your deputies demanding a legislative initiative obliging banks to offer a hardware token at the client's request and banning remote phone-number changes. This is most likely a useless measure, but who knows.
  10. If you rent or host a server for your accounting and banking, here is a short list of basics that will help you sleep better:
    • The operating system and software need regular updates; updates often close vulnerabilities that scammers already know about.
    • Be sure to configure the firewall and allow only a limited range of IP addresses.
    • Install an antivirus and make sure its databases are up to date.
    • Install the fail2ban utility to deal with password brute-forcing.
    • Set up or order monitoring; it helps you respond in time when problems arise.
    • Even if you have a system administrator, order minimal administration from the hoster as well. As they say, one head is good, but two are better!
    • If your website collects personal data, order an audit, contact support and make sure everything complies with 152-FZ, because you can also lose money to a fine from the state.

Conclusion

The article was supposed to include a table of the protection mechanisms supported by each bank, but the banks' PR departments stonewalled twice. First they asked for the requests to be sent by mail, and then, seeing that there was nothing to fill the table with, they simply sent boorish replies. If you know a bank that uses additional levels of protection, write about it in the comments, preferably with a link to the bank's page where this information is stated.