A short story about how to lose an account on gosuslugi.ru if you do not use the second factor.
The story is not mine, but I took part in it and talked with gosuslugi.ru tech support. And now I use the gosuslugi.ru site only with the second factor.

I volunteered to help a good person, who is retired and has been away from computers for more than a year, sort out arrears of taxes and other payments to the state.
It seemed that registering on gosuslugi.ru and then visiting the Multifunctional Center (MFC) to confirm the account was the simplest solution, and that is what was advised.
Then a mailbox was created, the account was registered with this mailbox on the public services website, and the good person confirmed the account by visiting the MFC in person. The debts were paid; there were not many. It turned out that the tax inspectorate needs up to 14 days to record that there is no debt.
I wanted to check on the payments a week later. But it was not possible to log in to the public services website: “there is no record”, technical support answered, and offered to file an appeal. I filed one. At the same time I checked the mailbox created earlier specially for this (and therefore rarely checked): it turned out that on the day the account was deleted two emails had arrived 25 minutes apart. The first had the subject “Restore Account Access” and matching content. The second had the subject “Account deleted” and read:
Hello, XXXXXXX XXXXXXXXXXXXXXXXXX!
Your account in the Unified System for Identification and Authentication of the E-Government Infrastructure has been deleted.
If you have not initiated the process of deleting your account, your account may have been hacked.
Please contact the support service of the Unified Identification and Authentication System.
I very much doubt that the attacker could have known the username and password. Guessing the password for the site (and it looked like this: 71fge6HaRNP3ng) is unlikely. The login/password pair was written on a piece of paper in "square" letters. The login/password pair for the site does not match the login/password pair for the mail (also written down on a piece of paper). Logging in was done in "Incognito" mode without any plug-ins, under the supervision of the good person; he does not really understand what I am doing, but it keeps things disciplined.
I cannot imagine who could need to delete an account on the public services website.
When I contacted the support service, as already mentioned, it turned out that the record had been deleted. Two days later they called about the appeal and, citing FZ-152 on personal data (PD), said:
- the record has been deleted
- it cannot be restored
- no details about the deletion (who, from where, how, etc.) can be obtained; they do not store this information, in accordance with FZ-152 on PD
- all that is needed for deletion is the mail address and password, i.e. access to the mailbox itself is not necessary: no confirmation email is sent and access to the mailbox is not checked
- the question of why access to the e-mail address the record is registered to is not checked remained unanswered; technical support is not supposed to know this.
The record is being created anew; later it will be confirmed by a visit to the MFC, after which it will be possible to find out what happened to the payments.
I drew these conclusions for myself:
- to delete an account, it is enough to know the login/password, although how the attacker knew the password remains a mystery;
- on the public services website it is necessary to use the second factor without fail, since the first is not checked;
- something is unfinished in terms of security on the public services website.
I use the public services site as needed; my impressions up to this point were purely positive.
Update: mailbox content at the time of 'now' (image not preserved).
Update 2: mail account log on yandex.ru (image not preserved).
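
The conclusions above come down to account deletion being possible with the login/password alone, with no check that the requester controls the registered mailbox. As an added illustration (not gosuslugi.ru's code and not part of the original post), here is a two-step deletion flow in which the password only triggers an email and the account is removed only when a time-limited token read from that mailbox is presented. The Accounts class, its method names, the key and the 15-minute lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret key
TOKEN_TTL = 15 * 60                   # assumption: token valid for 15 minutes

class Accounts:
    """Toy in-memory account store, constructed for this example."""

    def __init__(self):
        self.users = {}   # login -> {"salt": bytes, "pw": bytes, "email": str}
        self.outbox = []  # (email, token) pairs that would be mailed out

    def register(self, login, password, email):
        salt = secrets.token_bytes(16)
        self.users[login] = {"salt": salt, "pw": self._kdf(password, salt), "email": email}

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _password_ok(self, login, password):
        u = self.users.get(login)
        return u is not None and hmac.compare_digest(u["pw"], self._kdf(password, u["salt"]))

    def _mac(self, login, expires):
        return hmac.new(SERVER_KEY, f"delete|{login}|{expires}".encode(), hashlib.sha256).hexdigest()

    def request_deletion(self, login, password, now=None):
        """Step 1: a correct password only sends a token; nothing is deleted."""
        if not self._password_ok(login, password):
            return False
        expires = int(time.time() if now is None else now) + TOKEN_TTL
        token = f"{expires}.{self._mac(login, expires)}"
        self.outbox.append((self.users[login]["email"], token))
        return True

    def confirm_deletion(self, login, token, now=None):
        """Step 2: delete only with an unexpired, untampered token from the mailbox."""
        expires_s, _, mac = token.partition(".")
        if login not in self.users or not (expires_s.isascii() and expires_s.isdigit()):
            return False
        expires = int(expires_s)
        fresh = (time.time() if now is None else now) <= expires
        if not (fresh and hmac.compare_digest(mac.encode(), self._mac(login, expires).encode())):
            return False
        del self.users[login]
        return True
```

With this flow, someone who knows only the login/password pair can cause an email to be sent but cannot complete the deletion without reading the registered mailbox.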