"Attack on the client-bank...": a view from a bank employee

I was very interested in the article "Attack on a client-bank, or the hunt for a million", because I am a direct participant, from the bank's side, in the process of remote banking services (hereinafter RBS). A little later the article "Who needs me?" appeared, so a lot of thoughts on this topic have accumulated and I want to share them with everyone (I had also wanted to register for a long time, but there was no suitable moment). Where possible I will be brief and will not pile on scientific terms.


Types of client banks

Let's first separate the flies from the cutlets.

There are two main areas of remote (and not only remote) banking services (RBS): services to individuals (Internet banking, hereinafter IB) and services to legal entities (systems such as the Internet client-bank, hereinafter ICB). The article "Attack on a client-bank, or the hunt for a million" deals with servicing legal entities, and the article "Who needs me?", written under the influence of the first one and the comments on it, relates to RBS systems for individuals.

What's the difference? In volume and in turnover! The daily turnover of a medium-sized enterprise sending payments to a bank is roughly equal to the sum of an ordinary individual's operations over six months to a year. Hence the need for completely different systems to perform operations in the two cases.

I don't think I will be mistaken if I say that 99% of IB systems are built in Java. They are required to perform a small number of operations per second... excuse me, per day. The second requirement is not to blow the mind of the client, who is a potential buyer of the bank's other products in the future (who will give a loan to someone with a hole in his head!?). Hence the ready-made payment forms for various services, a plain and simple interface, and transactions without separate cryptographic software: all a client needs is a browser that supports SSL and JavaScript, and Java RE installed on the PC. Additional authentication factors can be used as security tools, such as a mobile phone, PIN code entry and one-time analogs of a handwritten signature (HSA codes).

There are, I think, a couple of dozen client-bank programs on the market, in our case Internet client-bank (ICB) systems. Some of them are software installed on the client's PC, some are web clients; the latter are the future and the former are obsolete, since using and maintaining them is terribly inconvenient and slow (installing the software on site, configuring it, and so on). If you want to connect about 100-200 clients per month, and your staff for this consists of as many as 1 person (as in my case), then you cannot do without a web client.

The main difference between ICB and IB systems is the use of encryption systems (necessarily FSB-certified!), for example the paid CryptoPro or the free and open IPRIV. I haven't encountered others, I won't lie.
The second nuance: several types of payment transactions in various currencies, file and message exchange with the bank, interaction with accounting programs, the possibility of multi-level signing of documents, and an interface that is not for blondes.

The basics of banking and hacking, or rather theft

As you can see, the differences between the RBS systems are fundamental, and therefore the methods of unauthorized access to customer accounts differ for each system. They are briefly and clearly described in the articles mentioned above, for which many thanks to the authors.

Getting access to an account is half the battle. Getting the money is the attackers' goal. Let's not call them hackers and other "beautiful" words. In Russian there are simple words for such people: thief and swindler. Unsightly, but true.

So, the thief has gained access to the client's account. When stealing individuals' data he can go one of two ways: use the credit card data to buy in online stores (pay for services), or transfer money to another card (or account). When buying in a store, funds are not debited from the account immediately. They are reserved for subsequent transfer to the recipient. They can hang in this state for up to 30 days; if payment has not occurred and the funds have not been requested, they are returned from the reserve to the available balance on the account (they have been on the account all this time!). Therefore SMS notification, which some short-sighted comrades neglect, can save you here. The first step is to call your bank and block the card. In parallel with the first step, you must write a statement to the bank that you dispute the transaction; in most IB systems you can do this directly on the site. If understanding, law-abiding and responsible employees work in your bank (starting with the management!), the transaction will be canceled and your money returned.

When funds are transferred to another account (card), not everything is bad either. Funds do not leave instantly in this case either. First, the payment must be checked by the operating employee (plus or minus 15-30 minutes). Then the money goes to the cash settlement center (RCC) of the Central Bank of the Russian Federation. From there it arrives at the recipient's bank, where most likely someone is already waiting for it, standing next to an ATM to withdraw it immediately. The owner of the card will then declare that he lost the card and has no idea who is using it. SMS notification can save you in this case as well. Do not begrudge 50 rubles a month; let yourself receive those SMSs that one day will throw you into a cold sweat and then allow you to relax in the evening with a cold beer.

Another way to get funds back is to insure your card. The cost of insurance in my bank, for example, is 300 to 500 rubles per year (the refund amount is up to 30 thousand rubles). For transactions over the Internet and in ordinary stores this is a very simple way to get rid of a headache. In addition to returning funds to the account, the insurance company will pay up to 2000 rubles to restore documents in case of loss. So ask your bank about this service. You know yourself who cares.

This is where I end the story about systems for individuals. I deliberately do not consider ways to protect your information, because it is described in detail on every bank's website, and Sberbank employees have written about it in detail here too.

After reading some comments about the banking system in our country, I would like to clarify a few points. Our banks, fortunately, are not Swiss banks (which are also not what they used to be). The banking system in Russia is transparent. Everyone knows everything and sees everything: where funds come from and where they go. At the request of the internal affairs bodies, all information about the operations of a person or organization is handed over. Nobody destroys payment documents in the RCC either. Attackers do not need to destroy the traces of their nasty activity, and they do not and will not do so. The theft scheme works simply. Funds are transferred to the card accounts of individuals; after withdrawal, the card is either "lost" or the money is simply withdrawn and not returned. You can force someone to return the money if his guilt is proven. If a person is innocent, it is considered that he was simply "lucky" when manna from heaven fell onto his account. Proving guilt is very difficult. Draw your own conclusions. Why this is so, read a little below in the discussion of legal entities. In any case, if a bank client finds himself in a strange situation, where someone else's money arrives in his account, the bank will no longer want to work with such a client. The second time, the attackers will not transfer money to this account themselves: in the eyes of the Ministry of Internal Affairs they would no longer look like simply "lucky ones". Therefore, theft of funds in IB systems for individuals is not widespread: a lot of trouble, but little money. In my memory there was only one case, when a client suddenly, for no reason, requested a four-digit PIN-1 (for authentication in IB systems a 16-digit PIN-2 is used).

"Attack"

And now back to our sheep, or rather to legal entities. How does a computer get infected? To the great disappointment of fans of the detective genre, no insiders are needed. Why share with someone when 90% of users sitting at a computer are no different from felt boots, except that boots cannot press the keys themselves? Links to third-party sites, e-mails, the lack of a normal antivirus and firewall, the carelessness of administrators who are too lazy to configure even a proxy, and in some cases the absence of such employees on the staff at all, do their dirty work. And it is hard to imagine how a person sitting in Ryazan, Saratov or Moscow could have insiders in dozens of organizations throughout Russia.

Active attacks on our system and our clients began in late 2009. During this time no more than 10 cases of infection were recorded in our region; unfortunately 3 of them were fatal, the funds being irretrievably lost, and 2 cases had a happy ending: the funds were not debited due to an error in the payment order, or did not reach the recipient bank and came back from the RCC of the Central Bank of the Russian Federation. The remaining cases of infection were identified at an early stage, and the customers were presented with the "good" news that their computer was a mess and their admin a sucker.

“Where is the bank looking!? Don't they see that my money is being pi...!?”

The total damage did not exceed 900 thousand rubles (100 + 300 + 2x500, of which they managed to return one payment).
As you can see, the amounts are not astronomical. What is one hundred thousand rubles to an organization for which 90% of payments are of that size, and through which the bank passes payments 10 and 100 times larger? Banks are not even obliged to control such amounts! Control begins with amounts in excess of 600 thousand rubles.

Therefore, the probability of success with payments like these is much higher than with the 1 and 6 million mentioned in the first article. In general, I do not understand how the control and execution of a bank payment for such an amount went through. In this case the controller is obliged to contact the organization, and not just ask by phone whether they sent it, but demand documents confirming that the funds were sent legitimately. These are the requirements of the law on combating the laundering of criminal proceeds.

In our case, the trojan only sent the "master" the secret key and the password for entering the system. The attacker himself logged into the system, checked the account balance and, if it was enough for him, filled out a payment order and sent the funds to an account (not his own!) but to dummies, who naturally had never seen him, but on receiving such a nice gift withdrew the funds from the account. Here many will tell me: "Well, there you go! All clear! Here they are, the villains and thieves! Catch them!" To which I, comrades, will calmly reply: "Thermorectal cryptanalysis is not a legal method of obtaining evidence for the internal affairs bodies of the Russian Federation, so it cannot be used, and no evidence of a crime has been found in the actions of citizens transacting with their own bank accounts."

That is, in principle everything is clear: who transferred the money, where and to whom; no one hides it, everyone knows everything, but nobody can do anything, because when the money is credited to the account and withdrawn, the account holder bears no responsibility. Only conscience can make a citizen return the amount; otherwise there is no reason to, the guilt has not been proven. It is impossible to prove his involvement by asking and pleading, he is no fool :) Nor is it possible to track down an attacker by IP address: they work away from home and use the hacked computers of unsuspecting users, on which a virtual machine is already running and already logged in, and so on. In two years nobody has been dragged to court, and nobody will be. Therefore, we move on to the third part of our story...

Rescue of the drowning ...

In 99.99% of banks, RBS clients are given valuable instructions on how and what to do to avoid such situations... As you know, 99.99% of customers couldn't care less about the banks' valuable instructions.
And the ways to counter it are actually simple and very cheap:
  1. Work from one workstation. It is advisable not to use that workstation for browsing the Internet, shopping and visiting girlfriends on social networks. The ideal option: one shortcut on the desktop, and that is your client-bank. :) Expensive? Losing 100 thousand is more expensive.
  2. Work from one IP address. If the client-bank settings allow it, firmly bind this IP to the system so that it is impossible to log in from other addresses. Do you like to travel? Then go to the next item.
  3. Be sure to purchase a Rutoken or eToken EDS device. Better still, a Rutoken EDS or eToken GOST. This is a personal device for forming an electronic digital signature with a non-extractable private key, i.e. a new digital signature is formed inside the token for each successive operation. With such a key it will no longer be possible to extract the key information. The cost of one key is about 1 thousand rubles.
  4. Antiviruses, firewalls, security... In general, the classics of the genre. But if you do not follow points 1-3, it will not help you.
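As an added illustration of what the bank's side of these measures can look like (this is example code written for this page, not code from the post or from any bank's ICB system), the following screening logic expresses three of the controls discussed above as server-side rules: a session from an address other than the one the client has bound (item 2) is refused even if the key and password are valid; a payment above the 600 thousand ruble control threshold quoted earlier is held for the controller; and a corporate payment to an individual's card account is held for review, since that is the cash-out pattern described in the post. The client identifiers, IP addresses (RFC 5737 documentation ranges), account numbers and field names are constructed for the example; the only real values are the Bank of Russia chart-of-accounts prefixes 40702 (commercial organisations) and 40817 (individuals), used to classify the recipient.

```python
"""Server-side screening of corporate client-bank (ICB) payment orders.

Added example, not code from the post or from any real bank system.
All identifiers, addresses and account numbers below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List

# The post: "Control begins with amounts in excess of 600 thousand rubles."
MANDATORY_CONTROL_THRESHOLD_RUB = 600_000

# Bank of Russia chart-of-accounts prefixes: 40702 = commercial organisations,
# 40817 = individuals. Used only to tell an individual's account from a company's.
INDIVIDUAL_ACCOUNT_PREFIX = "40817"


@dataclass
class ClientProfile:
    client_id: str
    bound_networks: List[str]   # CIDR strings the client has bound (item 2 above)


@dataclass
class PaymentOrder:
    client_id: str
    source_ip: str              # address the signing session came from
    amount_rub: int
    recipient_account: str      # 20-digit account number (constructed)


@dataclass
class ScreeningResult:
    decision: str               # "pass", "hold" (manual control) or "reject"
    reasons: List[str] = field(default_factory=list)


def session_ip_allowed(profile: ClientProfile, source_ip: str) -> bool:
    """True if the session address lies inside one of the client's bound networks."""
    addr = ip_address(source_ip)
    return any(addr in ip_network(net, strict=False) for net in profile.bound_networks)


def screen_payment(profile: ClientProfile, order: PaymentOrder) -> ScreeningResult:
    """Apply the IP binding first, then the rules that route an order to the controller."""
    if order.client_id != profile.client_id:
        return ScreeningResult("reject", ["order does not belong to this client"])
    if not session_ip_allowed(profile, order.source_ip):
        # Hard IP binding: a valid key and password from the wrong address is refused outright.
        return ScreeningResult("reject", [f"source IP {order.source_ip} is not bound to the client"])
    reasons = []
    if order.amount_rub > MANDATORY_CONTROL_THRESHOLD_RUB:
        reasons.append("amount exceeds the mandatory control threshold")
    if order.recipient_account.startswith(INDIVIDUAL_ACCOUNT_PREFIX):
        reasons.append("corporate payment to an individual's account")
    return ScreeningResult("hold" if reasons else "pass", reasons)


# Constructed sample data: one corporate client bound to a single address.
SAMPLE_PROFILE = ClientProfile("client-0001", ["203.0.113.10/32"])
SAMPLE_ORDERS = [
    PaymentOrder("client-0001", "203.0.113.10", 150_000, "40702810900000001234"),  # ordinary supplier
    PaymentOrder("client-0001", "203.0.113.10", 750_000, "40702810900000001234"),  # above threshold
    PaymentOrder("client-0001", "203.0.113.10", 300_000, "40817810500000009876"),  # to an individual
    PaymentOrder("client-0001", "198.51.100.7", 100_000, "40702810900000001234"),  # wrong address
]


def screen_sample_orders() -> List[str]:
    """Return the decision for each sample order, in order."""
    return [screen_payment(SAMPLE_PROFILE, o).decision for o in SAMPLE_ORDERS]


if __name__ == "__main__":
    for order, decision in zip(SAMPLE_ORDERS, screen_sample_orders()):
        print(f"{order.amount_rub:>9} RUB from {order.source_ip:<13} -> {decision}")
```

The IP check is deliberately applied before any amount rule: in the incident the post describes, the stolen key and password were valid, and the only thing that distinguished the attacker's session was where it came from. The two "hold" outcomes do not block the payment; they route it to the operating employee whose 15-30 minute check the post mentions, which is the window in which a client with SMS notification can still call the bank.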

Conclusion

I would like most customers to stop hoping for luck and assuming that if the money is in the bank, nothing will happen to it, and if something does happen, the bank will return everything. In terms of RBS, banks fully fulfill their part of the contract: they provide the tools and ways for the client to solve his problems quickly, take care of his security, and advise him on how to behave on the Internet. Unfortunately, many customers do not know that the responsibility for keeping keys safe and disks clean lies primarily with them, not with the bank. The presence of signs of infection on the hard drive automatically makes the client the guilty party (and he really is), and the further struggle for his hard-earned money in court (if it comes to that) will not succeed. And is it worth blaming someone else if you left the door wide open and went to work?
