Directory of RSS feeds
Statistics

RSS feeds in the directory: 2819

Added today: 0

Added yesterday: 0

Business / Finance

The voice assistant of savings can prompt the crooks

Banki.ru: themes of the day 30.06.2019 at 21:01

Banking and financial news on the website Banki.ru

Information about the status of customer accounts can be obtained not only from the insider-banker who sells them on the black market. "Punch" the data, you can use useful services like voice assistant of the savings Bank.

To the editor Banks.ru turned employee of the operator and said that he had discovered a loophole that can be used by attackers. To check the card balance and recent transactions the victim, you can use the voice assistant of the savings Bank — just call the Bank on behalf of a potential client-target.

"Punch" without data "plum"

"Hello, Olga! Sberbank, I am your voice assistant. I can solve most of your problems. Just tell me how I can help," says helpful virtual employee of the savings Bank. I'm not Olga, but by saying the word "balance" and recognize that the map is stored more than 40 thousand rubles, and after the requirements of the "last operation" — the list of the last transaction of his cousin. Even though the call was not from the phone client, the amounts are called up to the penny and coincide with a fresh account statement. This demonstration part of the experiment ends, and my companion goes to the explanation how this is possible.

"We're investigating a suspicious incident on our network and found that people wanted through us to do it, stopped, and then thought," — says an employee of the company, which provides telephony services. According to him, the fraudsters often use the "cloud PBX", to replace the phone number and call their victims, posing as business partners, suppliers or employees of banks. Telephoning Bank customers are particularly popular in January, "Kommersant" reported the surge of cases of such fraud. Often the victims were clients of Sberbank, which is Russia's leader in number of issued cards. Recent stories about the hacking can be explained by including the vulnerabilities of remote services of Sberbank, says the source Banks.ru.

the Scammer with the help of special software can make a call to one of the rooms of the savings Bank — he will go with the phone of the attacker, but to the credit institution will act as the victim's room. In this case, it includes a voice assistant of Sberbank. The service calls the person by name and patronymic and promises to execute commands after logging in. For this purpose it is enough to call the last digits of the customer card. Pre - "punched" the end of the card number, the attacker using the voice assistant can check the card balance and last five transactions on the account of the person. The presence of these Luggage significantly simplifies "treatment" of the victim using social engineering methods. Latest fraud schemes described in the media just assumed that an attacker convincing tells the customer about the account status and transactions. In many cases, the man himself unknowingly transferred money to the fraudsters or compromised card.

IT-specialist showed how the circuit operates, for example, three cards of the savings Bank belonging to different clients. Only in one case, the voice assistant for authorization, asked to not call the last digits of the card, and code client — it was a snapshot of the map, released yesterday.

the Vulnerability or not?

Sberbank refused to comment on the situation. There also did not answer what percentage of cardholders may be identified in the voice assistant only in the personal code. Thus, it is impossible to accurately estimate how many clients of the credit institution can be considered more vulnerable to such fraud. Deputy Chairman of Sberbank, Stanislav Kuznetsov, said that specialists of the credit organizations know that the identity is the last four digits of the card may carry risks for the users of the service. "We are closely monitoring these risks and can see that there are certain kinds of risks is not something that the leakage of information and obtain information about the balance of the card. Currently, there is a deep analysis how to tighten up this situation in order to have more protection on the client side," Kuznetsov said at a press conference during the International Congress on cyber security, organized by Sberbank.

Identifying in the services RBS for the last four digits of the card are categorically unsafe, the head of a group of security analysis of Solar JSOC "Rostelecom-solar" Alexander Kolesov. According to him, the crooks have several ways to get this information. "The easiest way is to slip (proof of payment of the purchase with a Bank card), which is usually provided and the name of the owner, and the last digits of the card. People are rarely aware that these data can be valuable, and not to show any caution when handling them. The last digits of the card you can also learn by making the potential victim a penny to phone. Finally, the data cards and the associated phone numbers EN masse and fairly inexpensive sold on specialized forums on the Darknet" — lists the expert. He, however, believes that in the case of a voice assistant of Sberbank is not the identity for the remote banking service, and identification for a call to tech support.

anyway, the scheme allows you to learn sensitive information, and that is dangerous, says technical Director Qrator Labs Artem Gavrichenkov. "This is unacceptable, because the data about the transactions as well as information about the account balance — this information is highly confidential. In fact, anyone with access to a minimum and fairly simple instrumentation for the fake mobile phone numbers, has the ability to monitor the financial operations of those whose phone numbers are known to him. If there are no set restrictions on the frequency of calls, of course," — said the expert. He emphasizes that this method of collecting data about customers can apply widely — all the processes of this chain is easy avtomatiziruete.

the Numbers are not in favor of the customers

According to the study of Positive Technologies, in the first quarter of 2019, 54% of cyber attacks were committed with the purpose of obtaining information. Payment cards continue to preserve the value for hackers and fraudsters — they account for 16% of all stolen data. Earlier studies of the IT companies have shown serious vulnerabilities in the financial applications and services. So, in 2017, 56% of financial applications contain vulnerabilities of high risk level. For example, allows you to access the information constituting a banking secret customer. Then in 48% of mobile banking have been identified at least one critical vulnerability. More than half of the financial client applications (65%) had deficiencies related to unsafe storage of data, or inadequate protection of the user authentication process. The security of the services is growing, but still cannot be considered high enough to recognize IT-specialists. This is due to the ingenuity of fraudsters and concessions that are forced to go the banks.

"Banks are actively trying to meet users, to introduce new things, sometimes, unfortunately, they are not coordinated with the security Department. Sometimes this happens deliberately: in other words, the product development division and the additional services having been refused by the security Department three times, the fourth time I will try to get around them, explains Gavrichenkov. — We are not saying that it happened in a specific case, but quite often there are situations when the introduction of innovative technologies such as speech recognition, actively "cut corners", including safety suffers. A number of organizations, the introduction of such innovations should just have managers KPI".

the Risk of using Bank information for fraud is considered high. According to the savings Bank, social engineering remains the main method of stealing money from private individuals. In 2018 in Russia, 80% of attacks on clients of banks was done with it. In 79% of cases, victims fall for the trick and transferred money to the attackers, the report says Treat Zone'19.

Legal risks

the Fraud using social engineering techniques do not actually offer the customers the chance to return the money to your Bank account. If man commits the transaction, or discloses information that enables it to carry out, the card is considered compromised. In this case, the credit institution will not be responsible for loss of funds — similar item is considered to be the standard for Bank contracts.

According to the user agreement, the app "Sberbank Online" is available to clients as is ("as is"). The Bank is not responsible for almost any loss obtained with the use of the service, "even if Bank has been advised of the possibility of such damage."

This is a common formulation, said partner law office "Zamoskvorechye" Dmitry Shevchenko.

"Notifying that the voice assistant is a technical tool, do not have consciousness and mind, the Bank actually States that the concept of "guilt" to situations use this helper legally not applicable," — says the lawyer. He doubts that in such cases the injured client can prove that he received the damage because of the vulnerability of the voice assistant or cell.

Against hacking, only bad techniques

"If the Bank applies biometric identification by voice, such attack will be meaningless," — said Kolesov, answering the question of whether the scammers to use the vulnerabilities of the voice assistant of the savings Bank. While this service does not provide recognition of the client's voice. The savings Bank works in the other direction, said the Chairman of a credit institution Stanislav Kuznetsov.

"along with other methods, additional, on the side of voice recognition, study of attempts by fraudsters, we further set of measures adopted to hedge this risk at the level of our systems, when we realize that likely the scammer asks for the data," said a top Manager. He said that we are talking about collecting samples of voices of the attackers.

This approach can be used as one tool in the fight against repeat offenders, agrees Artem Gavrichenkov. The expert, however, doubts that this is easy to do. "I'm not sure it's such a simple story from the point of view of legislation, because it is also subject to the provisions about the storage and processing of personal data. The law, which would allow to collect biometric information on criminals without their knowledge and transfer them to commercial banks, I do not remember," says technical Director of Qrator Labs.

Reverse protection mechanism is to compare the voice of the customer previously delivered to the sample is also not perfect. There is a risk that under the guise of a telephone survey, the attacker will ask the person to name the correct set of phrases and numbers and then uses a voice print.

so far, the best that there is written from the point of view of safety, is a code — word, said Gavrichenkov. But the main drawback of this approach is the risk that the client will forget the code. Options with SMS confirmation or clarification of other data, information security experts also do not consider ideal. "There are generally good solutions there. There are bad and "so-so" — sums up one of the sides of the jar.ru.

Yulia KOSHKINA, Banki.ru

Article is for informational purposes only and is published with the purpose of fraud prevention in the financial sector.