
"Attack on the client bank...": a view from a bank employee

I was very interested in the article "Attack on the client bank, or Hunting for a million", because I am a direct participant in the remote banking service (hereinafter RBS) process on the bank's side. A little later the article "Who needs me?" appeared, so I have a lot of thoughts on this topic and want to share them with everyone (I had long wanted to register here, but there was no right moment). If possible, I will be brief and will not pour out scientific terms.


Types of client banks

To start, let's separate the flies from the cutlets.

There are two main directions of remote (and not only remote) banking services (hereinafter RBS): servicing individuals (Internet banking, hereinafter IB) and servicing legal entities (Internet client-bank systems, hereinafter ICB). The article "Attack on the client bank, or Hunting for a million" deals with legal entities, and the article "Who needs me?", written under the influence of the first one and the comments to it, concerns RBS systems for individuals.

What is the difference? In turnover and in products! The daily turnover of an average company sending payments to a bank is roughly equal to the sum of an ordinary individual's transactions over half a year to a year. Hence the need for completely different systems for performing operations on each side.

I do not think I will be mistaken if I say that 99% of IB systems are built in Java. They are required to perform a small number of operations per second... sorry, per day. The second requirement is not to blow up the brain of the client, who is a potential buyer of other bank products in the future (who would give him a loan with a hole in his head!?). Hence the ready-made payment forms for various services, a plain and simple interface, and operations without encryption on the client side: all the client needs is a browser with SSL support, JavaScript, and Java RE installed on the PC. Additional authentication factors, such as a mobile phone, a PIN code, or one-time analogues of a handwritten signature (HSA codes), can be used as security measures.

There are a couple of dozen "Client-Bank" programs on the market, I think, and in our case Internet Client-Bank (hereinafter ICB). Some of them are software installed on the client's PC, others are web clients; the latter are the future, and the former are on their way out, because using and maintaining them is terribly inconvenient and slow (I am talking about installing the software on site, configuring it, and so on). If you want to connect about 100-200 clients per month and you have as many as one employee for it (as in my case), then you cannot do without a web client.

The main difference between ICB systems and IB is the use of encryption systems (necessarily certified by the FSB!), for example the paid CryptoPro or the free and open IPRIV. I have not come across others, I will not lie.
The second nuance is several types of payment transactions in various currencies, exchange of files and messages with the bank, interaction with accounting programs, the possibility of multi-level document signing, and an interface that is not for blondes.

The basics of banking and of hacking skills, or rather of theft

As we can see, the differences between RBS systems are fundamental, so the methods of unauthorized access to customer accounts differ for each system. They are described briefly and clearly in the articles mentioned above, for which many thanks to the authors.

Access to the account is half the battle. Getting the money is the intruders' goal. Let's not call them hackers and other "beautiful" words. In Russian there are simple words for such people: a thief and a crook. Unsightly, but true.

So, the thief has gained access to the client's account. When stealing an individual's data, he can go one of two ways: use the bank card details to buy in online stores (pay for services) or transfer money to another card (or account). When buying in a store, funds are not deducted from the account immediately. They are reserved for onward transfer to the recipient. They can hang in this state for up to 30 days; if payment has not taken place and the funds have not been requested, they are returned from the reserve to the available balance on the account (they were on the account all that time!). This is where SMS notification, which some short-sighted comrades neglect, can save you. The first step is to call your bank and block the card. In parallel, you need to submit a statement to the bank disputing the transaction; in most IB systems this can be done directly on the site. If understanding, law-abiding and responsible employees work in your bank (starting with the management!), the transaction will be cancelled and the money refunded.

When the funds are transferred to another account (card), not all is lost either. The funds do not go away instantly here as well. First, the payment must be checked by the operating officer (give or take 15-30 minutes). Then the money goes to the settlement and cash center (RCC) of the Central Bank of the Russian Federation. From there it arrives at the recipient's bank, where, most likely, someone is already waiting by the ATM to withdraw it immediately. The card owner will then declare that he lost the card and does not know who took it. In this case SMS can save you as well. Pay 50 rubles a month and let those SMS messages come to you: one day they will throw you into a cold sweat, and then they will let you relax in the evening with a cold beer.

Another way to get your money back is to insure your card. The cost of insurance, for example, in my bank is 300 to 500 rubles per year (the refund amount is up to 30 thousand rubles). For transactions over the Internet and in ordinary stores this is a very simple way to get rid of a headache. In addition to returning funds to the account, the insurance company will pay up to 2,000 rubles for the restoration of documents if they are lost. So ask your bank about this service. Be careful; as the saying goes, God looks after the careful.

At this point I finish the story about systems for individuals. I deliberately do not consider ways to protect your information from theft, because this is described in detail on every bank's website, and Sberbank employees here have also written about it in detail.

After reading some comments about the banking system in our country, I would like to clarify a few things. Our banks, fortunately, are not Swiss banks (which are also not what they used to be). The banking system in Russia is transparent. Everybody knows everything and everyone sees everything: where the funds come from and where they go. At the request of the internal affairs bodies, all information about the operations of a person or organization is handed over. Nobody destroys payments in the RCC either. The attackers do not need to destroy the traces of their disgusting activity, and they do not and will not do so. The theft scheme works simply. The funds are transferred to the card accounts of individuals; after the withdrawal their card is either "lost" or retained and not returned. Someone can be forced to return the money only if his guilt is proved. If a person is innocent, then he is considered to have simply been "lucky" when manna from heaven fell into his account. Proving guilt is very difficult. Draw your own conclusions. Why this is so: read a little below, in the discussion of legal entities.

In any case, if a bank client finds himself in a strange situation, with someone else's money arriving on his account, the bank will no longer want to work with such a client. The attackers will not transfer money to the same account a second time either: in the eyes of the Ministry of Internal Affairs they would no longer look like "lucky ones". Therefore, theft of funds in IB systems for individuals is not very common: a lot of trouble and little money. In my memory there was only one case, when a client suddenly, for no reason, was asked for a four-digit PIN-1 (IB systems use a 16-digit PIN-2 for authentication).

"Attack"

And now back to our sheep, or rather to legal entities. How does a computer get infected? To the dismay of detective-story lovers, no insiders are needed. Why share with someone when 90% of users sitting at a computer are no different from felt boots, except that the boots themselves cannot press the keys? Links to third-party sites, e-mails, the absence of a normal antivirus and firewall, the carelessness of administrators who are too lazy to set up at least a proxy, and in some cases the absence of such employees on the staff altogether, do their dirty work. And it is hard to imagine how a person sitting in Ryazan, Saratov or Moscow could have insiders in several dozen organizations across Russia.

Active attacks on our system and customers began in late 2009. During this time no more than 10 cases of infection were recorded in our region; unfortunately, 3 of them were fatal (the funds were irretrievably lost) and 2 had a happy ending (the funds were not written off because of an error in the payment order, or did not reach the recipient bank and returned from the RCC of the Central Bank). The remaining cases of infection were identified at an early stage, and the customers were presented with the "good news" that their computer was crap and their admin was a sucker.

"Where is the bank looking!? Don't they see that my money is being pi...!?" (Mine)

The total damage did not exceed 900 thousand rubles (100 + 300 + 2500, with one payment successfully returned).
As you can see, the amounts are not astronomical. What is a hundred thousand rubles to an organization for which 90% of its payments are of that size, while the bank handles payments 10 and 100 times larger? Banks are not even obliged to control such amounts! Control starts with amounts exceeding 600 thousand rubles.

Therefore, the probability that such payments go through is much higher than for the 1 and 6 million mentioned in the article. In general, I do not understand how the bank could control and execute a payment of that size. In such a case the controller is obliged to contact the organization, and not just ask by phone whether they sent it, but request documents confirming that the transfer of funds is legitimate. These are the requirements of the law on combating money laundering and the legalization of funds.

In our case, the Trojan only sent the "master" the secret key and the password for logging in to the system. The attacker then logged in to the system himself, checked the account balance and, if there was enough, filled out a payment order and sent the funds to an account (not his own!) belonging to nominees who, of course, had never seen him, but on receiving such a nice gift withdrew these funds from the account. Here many will tell me: "Well, there it is! All clear! There they are, the scoundrels and thieves! Catch them!" To which I, comrades, calmly answer: "Thermorectal cryptanalysis is not a legitimate way of obtaining evidence in the internal affairs bodies of the Russian Federation, so it cannot be used, and no crime has been found in the actions of citizens performing operations on their own bank account."

That is, in principle, everything is clear: who transferred the money, where and to whom; no one hides it, everyone knows everything, but nobody can do anything, since the recipients bear no responsibility for receiving money on their account and withdrawing it. Only conscience can force a citizen to return the amount; otherwise there is no ground for it, since guilt is not proven. Proving his involvement with questions and pleas is impossible; he is no fool :) Tracking the intruder by IP address is not possible either: they do not work from home, and use unwitting users, who already have a virtual machine logged in, and so on, for their dirty work. In two years nobody has been dragged to court anywhere, and nobody will be. So we move on to the third part of our narrative...

Saving the drowning...

In 99.99% of banks, RBS clients are given valuable instructions on how and what to do to avoid such situations... As you understand, 99.99% of clients could not care less about the banks' valuable instructions.
And the ways to counter this are really simple and very cheap:
  1. Work from one workstation. It is advisable not to use this workstation for surfing the Internet, shopping, or visiting girlfriends on social networks. The ideal option is a single desktop shortcut: your Client-Bank. :) Expensive? 100 thousand is more expensive.
  2. Work from a single IP address. If the Client-Bank settings allow it, tightly bind this IP to the system so that it is impossible to log in from other addresses. Do you like to travel? Then go to the next item.
  3. Be sure to purchase an electronic identifier, Rutoken or eToken. Better still, purchase a Rutoken EDS or eToken GOST. This is a personal EDS-generation device with a non-extractable private key, i.e. a new EDS is generated for each subsequent operation. It is impossible to extract the key information from such a device. The cost of one key is about 1 thousand rubles.
  4. Antivirus, firewalls, security... In general, the classics of the genre. But if you do not comply with items 1-3, it will not help you.
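As an added example (not code from the original post, nor from any bank's RBS software), here is what the bank-side counterpart of item 2 and of the control-threshold discussion above could look like: a screening step run over ICB payment orders before the operating officer's check. It encodes three observations from the text: the stolen amounts stay below the 600 thousand ruble mandatory-control threshold, the stolen key is used from an address other than the client's bound workplace IP, and the money goes to a nominee account the client has never paid before. The threshold value is the one stated in the article; the client identifiers, networks, account numbers and orders are constructed sample data, and the "first payment to a new beneficiary" rule is my own generalization of the nominee pattern rather than anything the article prescribes.

```python
# Added example: bank-side screening of ICB payment orders.
# Not the original post's code; all client data below is constructed.
from dataclasses import dataclass, field
import ipaddress

MANDATORY_CONTROL_RUB = 600_000  # threshold stated in the article


@dataclass
class ClientProfile:
    client_id: str
    bound_networks: list[str]                      # CIDR strings; empty = no IP binding
    known_beneficiaries: set[str] = field(default_factory=set)


@dataclass
class PaymentOrder:
    client_id: str
    amount_rub: int
    beneficiary_account: str
    source_ip: str


def ip_is_bound(source_ip: str, bound_networks: list[str]) -> bool:
    """True if the client has no IP binding, or the source IP lies in a bound network."""
    if not bound_networks:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in bound_networks)


def screen_order(order: PaymentOrder, profile: ClientProfile) -> list[str]:
    """Return the reasons to hold this order for manual verification (empty = pass)."""
    reasons = []
    if order.amount_rub > MANDATORY_CONTROL_RUB:
        reasons.append("amount above mandatory control threshold")
    if not ip_is_bound(order.source_ip, profile.bound_networks):
        reasons.append(f"submitted from {order.source_ip}, outside the bound address range")
    if order.beneficiary_account not in profile.known_beneficiaries:
        reasons.append("first payment to this beneficiary account")
    return reasons


def screen_batch(orders: list[PaymentOrder], profiles: dict) -> dict:
    """Map order index -> hold reasons; orders that pass cleanly are omitted."""
    held = {}
    for i, order in enumerate(orders):
        reasons = screen_order(order, profiles[order.client_id])
        if reasons:
            held[i] = reasons
    return held


# Constructed sample data (documentation-range IPs, made-up account numbers).
PROFILES = {
    "ooo-romashka": ClientProfile("ooo-romashka", ["203.0.113.0/24"], {"40702810900000000001"}),
    "ip-ivanov": ClientProfile("ip-ivanov", [], {"40702810900000000002"}),
}
ORDERS = [
    PaymentOrder("ooo-romashka", 150_000, "40702810900000000001", "203.0.113.17"),  # routine payment
    PaymentOrder("ooo-romashka", 300_000, "40817810000000000099", "198.51.100.5"),  # the article's pattern
    PaymentOrder("ip-ivanov", 750_000, "40702810900000000002", "192.0.2.9"),        # above the threshold
]

if __name__ == "__main__":
    for idx, reasons in screen_batch(ORDERS, PROFILES).items():
        print(idx, ORDERS[idx].amount_rub, reasons)
```

The second order is the case the article describes: 300 thousand rubles, well under the threshold, so an amount-only control never looks at it, yet it is submitted from an address outside the client's bound range and goes to a card account the client has never paid. The IP-binding rule does nothing for a client who left `bound_networks` empty, which is exactly why item 2 asks the client to set it.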

Conclusion

I would like most customers to stop hoping for "maybe" and assuming that if the money is in the bank, nothing will happen to it, and if anything does, the bank will return everything. Within RBS, banks fully fulfill their part of the contract: they provide the means and ways for the client to solve their problems quickly, take care of their security, and advise how to behave in the Internet society. Unfortunately, many customers do not know that the responsibility for the safety of keys and the cleanliness of their disks lies primarily with them, and not with the bank. The presence of signs of infection on the hard drive automatically makes the client the guilty party (which he in fact is), and the further struggle for his hard-earned money in court (if it gets that far) will not be crowned with success. And is it worth blaming someone else if you left the door wide open and went to work?

Source: https://habr.com/ru/post/113836/