Mass registration of devices for online banking is canceled
After the publication of an article on registration of devices from which bank customers use online banking, the head of the information technology security department of SMP Bank JSC Golovlev Pavel Mikhailovich contacted me. He reads GeekTimes and he was annoyed that the journalists of Izvestia (whose material I wrote the article) distorted the meaning of what is happening.
Golovlyov hastens to reassure the public. According to him, the Central Bank does not oblige banks to forcibly register all customer devices. On the contrary, the client now has the right to request the bank to limit access to its online banking by certain devices. And already the bank is obliged, on the basis of the client’s application, to think about how he will do it.
Golovlev wrote that “the Central Bank requires banks to provide customers with the ability to manage their own risks and independently establish personally acceptable and reasonable restrictions on their own operations. Naturally, at the moment, each bank will offer those options for identifying devices that can be technically and economically feasible to implement on an existing platform.
And then the question arises of what will be offered on the market and what the consumer will choose, and whether he will demand it at all from banks. ”
The ip-address identification statement concerned only corporate customers using stationary equipment (not mobile devices) who wished to link their access to online banking to their permanent ip address. It already looks quite logical and even reasonable.
')
Golovlev noted that there are still questions about the obligation of banks to suspend sending SMS notifications when a SIM card is changed by a client, because the bank cannot find out about such a change. And the mobile operators of the Central Bank do not comply and notify banks of such operations. In this regard, the indication of the Central Bank so far looks pretty strange. But some critical problems from this direction are not expected.
Golovlyov hastens to reassure the public. According to him, the Central Bank does not oblige banks to forcibly register all customer devices. On the contrary, the client now has the right to request the bank to limit access to its online banking by certain devices. And already the bank is obliged, on the basis of the client’s application, to think about how he will do it.
Golovlev wrote that “the Central Bank requires banks to provide customers with the ability to manage their own risks and independently establish personally acceptable and reasonable restrictions on their own operations. Naturally, at the moment, each bank will offer those options for identifying devices that can be technically and economically feasible to implement on an existing platform.
And then the question arises of what will be offered on the market and what the consumer will choose, and whether he will demand it at all from banks. ”
The ip-address identification statement concerned only corporate customers using stationary equipment (not mobile devices) who wished to link their access to online banking to their permanent ip address. It already looks quite logical and even reasonable.
')
Golovlev noted that there are still questions about the obligation of banks to suspend sending SMS notifications when a SIM card is changed by a client, because the bank cannot find out about such a change. And the mobile operators of the Central Bank do not comply and notify banks of such operations. In this regard, the indication of the Central Bank so far looks pretty strange. But some critical problems from this direction are not expected.
Source: https://habr.com/ru/post/356694/
All Articles