Back to Home

Information security of bank cashless payments. Part 2 - Typical IT infrastructure of a bank

information security · banks · CIPF · cryptography · electronic signature · AWS KBR · UTA · Signature · infrastructure

Information security of bank cashless payments. Part 2 - Typical IT infrastructure of a bank



    Fig. 1.

    What is the study about

    In the first part of our study, we examined the operation of the system of bank cashless payments from an economic point of view. Now it’s time to look at the internal structure of the bank’s IT infrastructure, through which these payments are made.

    Disclaimer This
    article does not contain confidential information. All materials used are publicly available on the Internet, including on the Bank of Russia website.

    Chapter 1. General description of IT infrastructure


    Key Terms


    In the 90s of the last century, in the GOSTs and regulatory documents of the FSTEC of Russia (then the State Technical Commission under the President of the Russian Federation) the term is often used - an automated system . “GOST 34.003-90 Information Technology (IT). Set of standards for automated systems. Automated systems. Terms and definitions ” gives the following definition of this term:
    automated system ; AC: A system consisting of personnel and a set of automation tools for its activities that implements information technology for performing established functions.

    After some time, a new term came into use - an information system . In paragraph 3 of Art. 2 of the Federal Law of July 27, 2006 N 149-ФЗ “On Information, Information Technologies and Information Protection”, this term is defined as follows:
    information system - a set of information contained in databases and the information technology and technical means that ensure its processing;

    For the purposes of this study, both terms will be used synonymously.

    The validity of such an approach can be proved by the fact that in the Order of the FSTEC of Russia dated February 11, 2013 N 17 “On the Approval of the Requirements for the Protection of Information Not Composing State Secrets Contained in State Information Systems” for the protection of information systems, the state regulator orders to be guided by GOSTs for automated systems .

    In addition to information systems , one more type of elements can be distinguished in the bank’s IT infrastructure - information services , or, as they are often called, robots.

    Define the concept of information servicequite complicated, so just list its main differences from the information system :

    1. An information service is much simpler than an information system , but at the same time it cannot be called a component of the latter, since several information systems can use the results of its work simultaneously .
    2. Information services are designed to automate simple, routine tasks.
    3. Information services do not contain databases.
    4. Information services operate automatically without the participation (or with minimal participation) of a person.

    Automated banking system


    The core of the information infrastructure of any bank is an automated banking system or abbreviated as ABS .

    Bank of Russia Standard STO BR IBBS-1.0-2014 “Ensuring Information Security of Organizations of the Banking System of the Russian Federation. General Provisions ” defines ABS as follows:
    an automated system that implements a banking technological process.

    This definition allows you to summarize almost any IT system in a bank. At the same time, ordinary bank employees call the ABS the system that takes into account bank accounts, transactions between them (cash flow) and balances. The second definition does not contradict the first and details it more clearly, and we will use it further.

    In modern Russian banks, the most common are the following ABS :


    Some, especially large banks use not circulation, but specially designed for them ABS . But such cases are rare, in fact, as are especially large banks.

    Sometimes banks simultaneously use several ABS from different manufacturers. This often happens when a bank tries to switch from one ABS to another, but less trivial reasons are possible.

    Applied Information Systems


    Despite the fact that the ABS automates a fairly large number of tasks, it does not cover all the needs of the bank. There are tasks that the ABS does not do at all or does not do what the bank wants. Therefore, other information systems that automate individual business processes are connected (integrated) to the ABS . In the future, such information systems will be called applied information systems .

    Examples of applied information systems include:



    Depending on the size of the bank and the services it provides, the number of applied information systems can be measured in quantities from units to hundreds.

    Infrastructure Information Systems


    In addition to the ABS and applied information systems that automate the main business processes, banks also have a decent number of supporting infrastructure information systems . Examples of such systems can be:

    • Active Directory
    • Domain Name Service (DNS)
    • corporate email
    • Internet access services for employees;
    • access control and management systems (ACS) in the premises;
    • IP video surveillance;
    • IP telephony;
    • and much more.

    Information Services


    Banks use a huge number of different information services that perform simple, routine functions, for example, downloading BIK and FIAS directories , publishing currency rates on the official website, etc.

    Client parts of third-party information systems


    Separate mention are the client parts of information systems external to the bank . As examples, I will cite:


    Typical ways to integrate information systems


    The following mechanisms are usually used to integrate information systems :

    1. Integration via API (for example, Web services).
    2. Integration through DBMS:
      • by providing access only to stored procedures;
      • by providing access to stored procedures and database tables.
    3. File Sharing:
      • through a computer network;
      • through alienated computer storage media (OMNI, for example, flash drives).
    4. Implement Service Oriented Architecture (SoA) .

    Integration modules


    By integration module, we mean the virtual element of the IT infrastructure that implements the integration of other elements of the IT infrastructure.

    We called this element virtual, because its functionality can be implemented both as a separate specialized element of IT infrastructure (for example, an information service ), and as components of integrated information systems . Moreover, even a person who “manually” transfers information between integrable information systems can act as an integration module .

    Bank IT infrastructure example


    In Fig. 1, you can see a fragment of a typical bank information infrastructure containing the types of elements discussed above.

    Chapter 2. The infrastructure of cashless payments


    If you look at this scheme ( Fig. 1 ) from the point of view of non-cash payments, you can see that the bank implements them using:

    • direct correspondent relations with a partner bank,
    • international payment system (MPS) (for example, VISA , MasterCard ).
    • correspondent relations with the Bank of Russia.

    Technically direct correspondent relations with partner banks can be organized using:

    • Conventional RBS ICB systems used by banks to service legal entities (in this example ( Fig. 1 ) this method is used);
    • interbank payment systems (for example, SWIFT );
    • specialized payment messaging systems (for example, REX400 , TELEX );
    • specialized software developed by one of the interacting banks.

    Connection to payment systems serving plastic cards is carried out through standard modules that are part of processing systems.

    For the successful functioning of the bank must ensure the information security of all of the above payment methods. It is very problematic to consider them in the framework of one, even a large study, and therefore we will concentrate on only one of the most critical, from the point of view of possible losses, direction - the payment interaction of the bank with the Bank of Russia.

    Infrastructure for ensuring payment interaction with the Bank of Russia




    Fig. 2.
    We will consider the IT infrastructure of the bank’s payment interaction with the Bank of Russia by the example of the execution of a payment sent to the client’s address of another bank.

    As we remember from the first part , first the client must transfer the payment order to the bank. He can do this in two ways:

    1. To appear in person at a bank branch and transmit the certified payment order in paper form.
    2. Send a payment order through the RB RBM system .

    It is important to note here that the RBS IKB systems are only systems that provide legally significant electronic document flow between a client and a bank; they do not make payments on their own. That is why, when a client opens a bank account, he usually concludes two contracts. The first is a bank account servicing agreement, the second is an agreement on the implementation of electronic document management using the RB RBM system . If the second contract is not concluded, the client will still be able to use his account, but only with a personal visit to the bank branch.

    If the client has transmitted the payment order on paper, then the bank employee based on it makes an electronic payment order in the ABS . If the order was submitted throughRBS IKB , then through the integration module it gets into the ABS automatically.

    The proof that it was the client who made the order on the transfer of funds, in the first case is a paper document personally signed by him, and in the second, an electronic document in the RB RB IKB certified in accordance with the contract.

    Usually, a cryptographic electronic signature is used to certify electronic documents of clients - legal entities in the RB ICB , and SMS confirmation codes are used for documents of clients - individuals. From a legal point of view, in both cases, banks usually apply the legal regime of a handwritten signature analogue (TSA) to certify electronic documents .

    Once in the ABS, a payment order in accordance with the bank’s internal regulations passes control and is transferred for execution to the Bank of Russia payment system.

    Technical means of interaction with the Bank of Russia payment system


    The hardware (software) used to interact with the Bank of Russia payment system may vary depending on the Bank of Russia regional branch serving the correspondent. bank account.

    For banks serviced in the Moscow region, the following software is used :

    • AWP KBR - an automated workplace of a client of the Bank of Russia;
    • UTA - special file interaction software for a Bank of Russia client (universal transport adapter);
    • SCAD Signature - means of cryptographic information protection (CIP): “Signature-client hardware and software complex” version 5, certificates of the Federal Security Service of Russia - SF / 114-2680 (level of cryptographic protection KS1), for level of cryptographic protection KC2 - SF / 124-2681 (level of cryptographic protection KC2). SCAD stands for cryptographic document authentication system.

    AWP CBD


    AWP KBR is a software with the help of which authorized bank employees encrypt and electronically sign outgoing payment documents, as well as decrypt and verify the electronic signature of payment documents received from the Bank of Russia. But, to be more precise, the AWS of the CBD in its work does not operate with payment documents, but with electronic messages (ES), which are of two types:

    • electronic payment messages (EPS), for example, ED101 “Payment order”;
    • electronic service information messages (ESIS), for example, ED201 "Notification of the results of ES control".

    The list and formats of electronic messages is established by the Bank of Russia by issuing the Album of Unified Formats of Electronic Bank Messages (UFEBS) .

    In order for AWS of the CBD to process the payment, it must be converted into a file containing an electronic payment message in UFEBS format. For such a transformation, the ABS integration module with the Bank of Russia payment system is responsible . From a technical point of view, such transformations are quite simple, since the UFBS format is based on XML .

    Electronic message files leave the ABS integration module in clear form and are placed in a special file system folder (usually a network folder), which is configured inWorkstation of the CBD for electronic messages with the status “Entered”. In the previously presented diagram ( Fig. 2. ), this folder is designated as “Folder 1”.

    Then, in the process of processing, electronic messages change their statuses to “Controlled”, “Sent”, etc., which is technically implemented by moving the file with the electronic message to the appropriate folders that are configured in the KBR workstation . In the diagram ( Fig. 2. ), these folders are designated as “Folder 2”.

    At a certain point in the technological processing (established by the bank’s internal regulations) of outgoing electronic messages, they are encrypted and signed by electronic signature using the SCAD Signature and private cryptographic keys of responsible employees.

    SCAD Signature


    SCAD The signature is a cryptographic information protection tool developed by Validata LLC by order of the Bank of Russia and designed to protect information in the Bank of Russia payment system. This CIPF is not publicly available (except for the documentation posted on the CBR website), and it is distributed by the Bank of Russia only among participants in its payment system. The distinctive features of this cryptographic information protection system include:

    1. This cryptographic information protection system, unlike other cryptographic information protection systems common in Russian business circles (for example, like Crypto-PRO CSP , VIPNET CSP , etc.), implements its own public key infrastructure (PKI) isolated from the operating system. This is manifested in the fact that the public key directory containing certificates, a list of trusted certificates, a list of revoked certificates, etc. is cryptographically protected on the user's private key, which does not allow an attacker to make changes to it, for example, install a trusted certificate without the user's knowledge .
      Note. SKZI Verba-OW implements a similar key model.
    2. The next feature follows from the previous one. In CIPF, in order to make working keys, you must first create a directory of certificates using special registration keys. After the expiration of the validity of the working keys, new ones are generated, but in order to generate them, you must have valid previous working keys. Keys are created according to a decentralized scheme with the participation of the Bank of Russia as a Certification Center .
    3. CIPF supports working with functionally-key carriers ( vdToken ) that perform electronic signature and encryption functions on board, without transferring private keys to the computer's memory.
    4. Cryptographic keys used to interact with the Bank of Russia payment system are of two types:
      • "Only encryption" - allow you to encrypt / decrypt electronic messages.
      • “Encryption and signature” - do the same as in the first case, and also allow you to sign electronic messages.

    UTA


    Encrypted and signed e-mail messages are placed in a special folder, in the diagram ( Fig. 2. ) this is “Folder 3”. UTA continuously monitors this folder and, if it sees new files there, transfers them to the Central Bank of the Russian Federation in one of the following ways:

    • "On the Internet", although in reality this is not entirely true. Instead of the Internet, a specialized communication operator is used , which provides dedicated communication channels to the Central Bank of the Russian Federation, but since the IP-addressable network, they say that sending is via the Internet.
    • «По модему». На случай аварии первого вида связи есть резерв в виде модемного соединения по телефонной сети общего пользования.
    • На случай выхода из строя всех каналов связи предусмотрена доставка электронных сообщений на ОМНИ (отчуждаемый машинный носитель информации) с помощью курьера. Кстати говоря, это один из способов, с помощью которого банки с отозванной лицензией проводят платежи во время своей ликвидации.

    Having reached the Central Bank (the first or second way), UTA transmits electronic messages through the API published by the Central Bank. During communication sessions, UTA also receives input electronic messages from the Central Bank .

    It should be noted that all electronic messages with which UTA works are encrypted and signed with an electronic signature.

    Upon receiving an encrypted email, UTA transfers it to the folder with incoming encrypted messages. An authorized employee with the help of his crypto keys and AWP KBR checks the electronic signature and decrypts the message.

    Further processing is carried out depending on the type of electronic message. If this is a payment message, then it is transmitted through the integration module to the ABS , where it is used to generate accounting entries that change account balances. It is important to note that the interaction of the ABS (integration module) and the AWS of the CBD uses standard format files in open form.

    In the process of functioning, the KBR AWS maintains a journal of its work, which can be implemented in the form of text files or with the help of databases operating under the control of a DBMS.

    Alternative processing schemes


    We examined the "classic" scheme of the system. In reality, there are many of its varieties. Let's consider some of them.

    Variety 1. Separation of the circuits for sending and receiving messages.
    A circuit is being implemented with two AWS KBR . The first one works with human participation and only sends messages, the second one works in automatic mode and only receives messages.

    Variety 2. A fully
    automated AWS KBR machine is configured to work fully automatically without human intervention.

    Variety 3. Isolated AWS KBR
    AWS KBR functions as a dedicated computer that is not connected to the bank network. Electronic messages are transmitted to him by a human operator using OMNI.

    Transfer of electronic signature from AWS of CBD to ABS


    The Bank of Russia plans to switch to a new technological scheme for processing payments, in which electronic messages will not be subscribed to AWP KBR , as it was before, but to ABS (more precisely, in the ABS integration module - AWP KBR ).

    To implement this approach, a new version of AWS KBR was released , which became known as AWS KBR-N (new). All the main changes can be seen if we compare the schemes of information flows passing through the workstation of the CBD old and new versions.

    Consider the flow of information in the classic AWS KBR. The source of the scheme is the official documentation on AWS of the CBD “AUTOMATED WORKPLACE OF THE CUSTOMER OF THE BANK OF RUSSIA. Programmer's Guide. CBRF.61209-04 33 01. "


    Fig. 3.
    Notes.

    • The designation “AS KBR” (an automated system of the Bank of Russia client) corresponds to the designation ABS on the previous diagrams.
    • The designation “SVO SVK” corresponds to the designation UTA in the previous diagrams.
    • KA - authentication code (electronic signature) of the electronic message.
    • ЗК – защитный код еще один вид электронной подписи, но в отличии от КА, который формируется исходным сообщением без изменений, ЗК формируется только под значащими данными без учета разметки. Более подробно о технических нюансах КА и ЗК можно почитать в документации УФЭБС «Защита электронных сообщений (Пакетов ЭС)». С юридической точки зрения ЗК – технологическая мера защиты информации, в то время как КА, согласно договорам и правилам платежной системы Банка России, признается электронной подписью.

    Now let's look at a similar scheme for the new AWB KBR-N. Source “AUTOMATED WORKPLACE OF THE CUSTOMER OF THE BANK OF RUSSIA NEW. Programmer's Guide. CBRF.61289-01 33 01 "


    Fig. 4.

    From the point of view of cryptography AWP KBR-N is responsible for encryption / decryption of electronic messages, as well as for verification of electronic signatures on them. The generation of electronic signatures has been transferred to the ABS integration module .

    It is logical to assume that this module will also have to check signatures for messages received from the KBR-N AWP . From a technical point of view, this is not mandatory, but from a security point of view, it is critical because it ensures the integrity of messages transmitted betweenABS and AWS KBR-N .

    In addition to the file interface for the interaction between ABS , AWS KBR-N and UTA , the IBM WebSphere MQ interface has been added , which allows you to build a service-oriented IT infrastructure of the bank and solve the problem of the old scheme with the organization of the simultaneous operation of several operators responsible for sending payments.

    Conclusion


    We examined the internal structure of the bank’s IT payment infrastructure. In the following parts, we consider the threats to information security that arise here.

    Read Next