
The Central Bank's new requirements for banks, aimed at combating fraud, entered into force on March 16, 2015.
The full text of Directive No. 3361-U of the Central Bank of Russia is available to everyone, but we are interested in one specific paragraph from clause 2.8.3:
The money transfer operator, on the basis of a client application submitted in the manner agreed between the money transfer operator and the client, determines the parameters of the operations that the client may perform using the Internet banking system, including:
...
the list of devices from which the Internet banking system may be accessed for the purpose of making money transfers, based on the identifiers of those devices;
Naturally, the text does not specify what this “device identifier” is or how it can be obtained. As a result, the procedure depends entirely on the adequacy of each specific bank.
What can serve as an identifier for the device from which you logged in to the Internet bank? MAC address? IP? IMEI, in the case of a mobile device? A set of parameters compiled from PC components?
SMP Bank specialist Pavel Golovlyov told Izvestia that they use the IP address as an identifier:
- In order to register the device through which the client plans to log in to the Internet bank, he needs to come to the bank office and submit a corresponding application. If the client changes the device, he needs to contact the bank and update the device identifier information. If the device is lost, the procedure should be the same as for the loss of a bank card: inform the bank about the loss of the device and about blocking operations that would be performed from this IP address. The bank, of course, will take identifiers into account, since without this it is impossible to implement blocking on this basis.
Alexander Novikov from Binbank announced the replacement of SMS notifications with push notifications:
- These notifications are sent by the bank to the client directly, unlike SMS, which increases security. All mobile devices (phones, tablets) to which push notifications are connected are displayed in the browser version of the Internet bank. If the mobile device is lost, the client can quickly access the Internet bank through any computer and remove it from the list. Accordingly, fraudsters will not be able to use it to get a password.
Elena Degteva from VTB24:
- The best way to identify the client device when working via the Internet is to determine the system footprint, a set of parameters that is unique to a particular device. If the footprint does not match, the bank may request additional confirmation of the transaction, for example by contacting the customer by phone, or refuse to carry it out if the additional identification was not successful. In the same way, the device database can be updated if the client's device is changed.
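The approach Degteva describes, as an added example (not code from any of the banks quoted or from the original article): a per-client device list keyed by a hashed footprint, where an unknown device is sent to additional confirmation, a device reported lost is refused, and a confirmed new device is added to the list. The footprint fields, the key and the sample device parameters are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
# Constructed demo key; a real deployment keeps it in the bank's key store.
FOOTPRINT_KEY = b"constructed-demo-key"
# Parameters assumed here to make up the "system footprint" (an assumption of this example).
FOOTPRINT_FIELDS = ("platform", "user_agent", "screen", "timezone", "languages")

def footprint(params: dict) -> str:
    """Keyed hash over the footprint fields in a fixed order: the stored identifier is opaque."""
    canonical = "\x1f".join(f"{k}={params.get(k, '')}" for k in FOOTPRINT_FIELDS)
    return hmac.new(FOOTPRINT_KEY, canonical.encode(), hashlib.sha256).hexdigest()

@dataclass
class ClientDevices:
    """Per-client device list: registered identifiers and identifiers reported lost."""
    registered: dict = field(default_factory=dict)  # identifier -> label
    blocked: set = field(default_factory=set)

    def register(self, params: dict, label: str) -> str:
        fp = footprint(params)
        self.registered[fp] = label
        return fp

    def report_lost(self, params: dict) -> None:
        # Treated like a lost bank card: drop the device and block its identifier.
        fp = footprint(params)
        self.registered.pop(fp, None)
        self.blocked.add(fp)

def decide(devices: ClientDevices, params: dict) -> str:
    """Decision for a transfer request: ALLOW, STEP_UP (extra confirmation) or DENY."""
    fp = footprint(params)
    if fp in devices.blocked:
        return "DENY"      # device reported lost: refuse outright
    if fp in devices.registered:
        return "ALLOW"     # footprint matches a registered device
    return "STEP_UP"       # unknown footprint: confirm out of band, e.g. by phone

def complete_step_up(devices: ClientDevices, params: dict, confirmed: bool) -> str:
    """After the extra check: register the new device on success, refuse otherwise."""
    if not confirmed:
        return "DENY"
    devices.register(params, "added after additional identification")
    return "ALLOW"

# Constructed sample: a client's home PC and a new laptop.
HOME_PC = {"platform": "Win32", "user_agent": "Mozilla/5.0 (demo)", "screen": "1920x1080",
           "timezone": "Europe/Moscow", "languages": "ru-RU,ru"}
NEW_LAPTOP = dict(HOME_PC, platform="MacIntel", screen="1440x900")
```

Because the IP address is not among the footprint fields, a registered device keeps working when its address changes, which is the practical difference from the IP-based registration described above.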
The text of the Directive also mentions the need to suspend the sending of notifications upon receiving information “on the replacement of a customer’s SIM card, termination of service or a change of the phone number specified in the agreement with the customer”.
In pursuit of greater security for bank clients, the Central Bank took measures that the clients themselves might not be especially happy about. Now another criterion will be added to the criteria for choosing a suitable bank: the adequacy of its approach to servicing online banking. Who would want, while on vacation abroad, to lose their smartphone and be left without the ability to access the Internet bank from another device?
Update: a refutation of the material has been received; details at the link.