How to protect your Sberbank card from fraudsters. Owners of a mobile bank on Android may have caught a virus from an advertisement

Sberbank really did choose the developers of its mobile client well. However, either the programmers got carried away or Sberbank's requirements were that perverse, but one day the once good application also fell victim to endless feature creep. As a result I had to remove the Sberbank Online application from most of my devices and, on the remaining ones, use special techniques to keep its harmful effect on the system to a minimum.

What is the problem with the Sberbank online application?

The first problem with mobile Sberbank is its size. The APK file of the application weighs no less than 41 MB. For comparison: the Smash Hit game with excellent 3D graphics weighs 80 MB, the Geometry Dash game with a bunch of levels and music tracks weighs 48 MB, and Google Chrome weighs the same 41 MB. Note that here we are comparing complex software with a client application whose sole task is to receive data from the server and send data back in response to user actions.

$ ls -lh *.apk

OK, I agree that with current amounts of internal memory and Internet speeds the size of the application does not really matter, but its weight also affects the amount of RAM the application consumes. On different devices with different amounts of RAM and different Low Memory Killer settings, the size of the application in RAM varies from 40 to 80 MB. Again, for comparison: Google Chrome, one of the most RAM-hungry applications, consumes ~90 MB with one open tab. And the saddest thing is that, unlike Chrome, which is forced out of memory some time after closing, Sberbank remains in it as a service for the entire time the smartphone is running. If you kill it, it restarts; if you reboot your smartphone, it starts at boot; if you use a task killer, you get a game of ping-pong called “Goodbye Battery”: the task killer kills the service, the system starts it, and so on endlessly.

In twelve hours, Sberbank woke up the smartphone 27 times. If the power saving mode in Android 6.0 had not interfered with it, it would have done this even more often

Well, okay, it hangs and hangs, maybe this is some kind of optimization to speed up launch or something else; on modern smartphones with three gigs of memory, 80 MB is nothing. But no, the service doesn’t just hang in memory, it regularly wakes up the smartphone to update information about the device’s location and perform some other business. Once again: the application that you use once a week to top up your phone or check your balance constantly hangs in the background and regularly wakes up your smartphone! If you think this is strange, then read on and you will find out what truly “weird” is.

“THE BANK CARES ABOUT YOUR FINANCIAL SECURITY”

This is exactly the response I received from @sberbank on Twitter when I showed them the screenshot below. What is it? This is a message from the Kaspersky antivirus built into Sberbank. Yes, dear reader, Sberbank not only hangs in the background and constantly wakes up your smartphone, it also wakes up every time you install a new application, and it also has a specific checking routine. You are sitting, reading a book - and suddenly Sberbank wakes up and starts scanning the system. I think there is no need to explain how this affects the battery.

The most paradoxical feature of Sberbank is that, while blaming other applications for the ability to send SMS (as in the above screenshot), Sberbank itself can not only send them, but also read and even change them. It can also read contacts, take pictures, control Bluetooth, make calls, change smartphone settings and Wi-Fi settings, find out the location, kill background processes, read and change browser history, change APN settings, monitor running applications, track installation and removal of applications, and read and write call logs.

This is only part of the powers that the Sberbank online application requests

Not bad, isn't it? Not every Trojan has such an impressive list of powers. And don’t say that the antivirus needs all this: it’s hard for me to think of why it might need the ability to make calls, manage Wi-Fi, or read call logs. I don’t even mention contact lists; Sberbank uses access to them to make quick money transfers. You don’t mind your contact book being handed over to Sberbank, do you?

WHAT TO DO?

Sberbank is not the only application that has fallen victim to the desire to cram everything possible into the application. There are a huge number of them on the market, and the methods of “fighting” them are almost always the same. The first thing you need to do is revoke the app's permissions. If you have Android 6.0, then you can do this by opening “Sberbank Application Settings” and disabling everything except “Memory” in the “Permissions” menu. The next time you launch the application, you will be asked for permissions again, and they must be denied.

If you don’t have Android 6.0 but have CyanogenMod, the same can be done in the “Settings - Privacy - Protected Mode - Sberbank” menu (however, in this case the application may crash). If you have neither Android 6.0 nor CyanogenMod, there is Greenify. Install the application, agree to grant it root rights, press the + button in the toolbar and see a list of applications that wake up the smartphone. Sberbank will surely be somewhere near the top. Tap on it and press the round button at the bottom of the screen. Now the application will be frozen immediately after the screen turns off and will no longer start on its own.
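The same revocation from the command line, as an added example (not Sberbank's or Greenify's code): the script reads `adb shell dumpsys package` output, lists which granted runtime permissions fall into the risky set the article complains about, and prints the `pm revoke` commands that leave only storage. The package name and the dumpsys excerpt embedded for the offline run are constructed placeholders, not the real app's identifiers.

```python
"""Audit which risky runtime permissions an Android app holds and print the
adb commands that revoke them, leaving only storage (the article keeps only
"Memory"). Added example, not Sberbank's or Greenify's code.

Real use (Android 6.0+, USB debugging on):
    adb shell dumpsys package <package> > dump.txt
    python3 audit_perms.py <package> < dump.txt
Below, a constructed dumpsys excerpt is embedded so the script runs offline.
"""
import re
import sys

# Runtime permissions the article calls excessive for a banking client.
RISKY = {
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
    "android.permission.CAMERA", "android.permission.CALL_PHONE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
}

# One dumpsys line per permission: "<name>: granted=true|false, flags=[...]"
PERM_RE = re.compile(r"^\s*([\w.]+):\s*granted=(true|false)")


def parse_runtime_permissions(dump):
    """Map permission -> granted flag, taking only the 'runtime permissions:'
    section (install-time permissions such as INTERNET cannot be revoked)."""
    perms, in_runtime = {}, False
    for line in dump.splitlines():
        stripped = line.strip()
        m = PERM_RE.match(line)
        if m and in_runtime:
            perms.setdefault(m.group(1), m.group(2) == "true")  # first user wins
        elif stripped.endswith(":"):          # any other heading ends the section
            in_runtime = stripped == "runtime permissions:"
    return perms


def revoke_commands(package, perms):
    """adb commands for every granted risky permission, in stable order."""
    return [f"adb shell pm revoke {package} {p}"
            for p in sorted(perms) if perms[p] and p in RISKY]


def kept_permissions(perms):
    """Granted permissions that stay (storage and anything else not flagged)."""
    return sorted(p for p, g in perms.items() if g and p not in RISKY)


# Constructed excerpt in the shape of `dumpsys package` output; the package
# name is a placeholder, not the real app's identifier.
SAMPLE_DUMP = """\
Packages:
  Package [ru.example.bankapp] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    User 0: ceDataInode=1 installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.SEND_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    package = sys.argv[1] if len(sys.argv) > 1 else "ru.example.bankapp"
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    perms = parse_runtime_permissions(dump)
    print("kept:", ", ".join(kept_permissions(perms)) or "(none)")
    print("\n".join(revoke_commands(package, perms)) or "nothing to revoke")
```

Permissions that were never granted (CAMERA in the sample) produce no command, and the app will simply ask again on next launch, which is the moment to deny them as the article says.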

INSTEAD OF CONCLUSIONS

In fact, I, of course, understand where such functionality in the Sberbank client came from. Whatever one may say, it’s easier to build an antivirus into an application than to deal with thousands of users who have had their money stolen. And many users love hyperfunctional applications that can make coffee. ES File Explorer, for instance, is very popular despite its fantastic overload with all sorts of functions. But as an argument in the heated debate “applications vs bots”, I increasingly hear the words: “Bots are simple, fast and do not require installation, but modern applications are cumbersome and drain the battery.” That's all, good luck.

Using bank cards is safe, but only on the condition that the user himself takes a number of measures to protect his funds, since there are currently several fraudulent schemes that allow funds to be withdrawn from a bank card without the consent or direct participation of its owner. But the user can protect the funds stored on the card; to do this, he just needs to know what methods the scammers use. Let's look at how to protect a bank card from scammers.

Skimming

This scheme has long been known to criminals, law enforcement officers, and cardholders. However, it still works to this day. The scheme involves fraudsters equipping self-service devices with an overhead keyboard and a reading device that is installed in the ATM card reader. Thus, when trying to withdraw funds from the card, fraudsters receive the PIN code of the card and its information, which is read from the magnetic strip of the plastic. With this data you can withdraw other people's money.

How to protect a Sberbank card from fraudsters in this case? Here you need to remember basic security measures - withdraw money only from ATMs installed in bank branches or in places that are guarded or equipped with a video surveillance system.

Calls and SMS from bank employees

This is the most primitive method of fraud, which, oddly enough, works flawlessly. What is the essence of the method? An SMS message about the card being blocked is sent to the victim’s phone number, or the attacker calls the mobile phone and introduces himself as a bank employee. Actually, it doesn’t really matter how the fraudster contacts the cardholder; by the way, in most cases the fraudster doesn’t even know whether you have a card or which bank you use. The attacker’s goal is to find out the plastic card details and withdraw cash.

Example of an overlay keyboard

For example, you receive an SMS from an unknown number saying that your card is blocked or that funds were debited from it, and you are asked to call back the specified number. In such a situation the user begins to panic and fulfills all the requests of the “bank employee,” who in turn tries to find out information about your card, including its number, balance, CVC2/CVV2 code, and other details.

The protection of funds on a bank card depends largely on how carefully you keep all of its data secret and never, under any circumstances, disclose that secret data to anyone. In addition, bank employees inform their clients about card blocking via SMS only from official numbers; Sberbank, in particular, sends messages only from number 900. The same applies to calls.

Please note that bank employees do not ask the client for a PIN code or other secret data; they identify the client by the last digits of the card number and the code word or passport data.

Internet banking

Most of the bank's card clients use remote access to their account through their personal account in Internet banking. This is not only a convenient way to send payments and transfers, as well as track your balance and use other bank services, but also a huge risk.

How the fraudulent scheme works: you go not to the official resource, but to a copy of the site created by scammers to gain access to the personal account of the bank card owner. The design of the trap site differs little from the original, but differences can still be found, although not all users are attentive enough to suspect a trap. Typically, the user reaches these sites from third-party resources via the links provided there. Next, he tries to enter his personal account, enters his login and password, then the code from the SMS message, and thus the attacker gains access to his personal account.

This method of fraud is called “phishing”; in most cases, scammers send emails to potential victims on behalf of the bank, asking them to follow a link to carry out some transaction.

How to protect yourself in this case: log into your personal account only from the bank’s official website. Then pay attention to the site design, down to every little detail. If you are not sure that you have visited the bank’s website, and you suspect that third parties may have access to your account, dial the hotline number and block your card, then change the credentials used to access your personal account.

How money is stolen through Sberbank mobile banking

Another way to steal money from a card is through Sberbank’s mobile banking, which almost all of the bank’s clients use. In fact, Sberbank card protection from fraud is at quite a high level; here the bank has taken care of its customers. However, attackers are inventing quite sophisticated methods of theft.

How money is stolen from cards using SMS messages. There are not many options here; the first of them is changing your mobile phone number. If you change your phone number, it is not enough to simply link the service to the new number, because notifications are sent to both numbers. Mobile operators resell disconnected numbers to new customers. Thus, the information can end up with a fraudster, who, with its help, can easily withdraw all the money from the card, or rather, transfer it to his account. Another method is mobile phone theft: here the scammer simply steals the phone, sends a balance request to number 900, then makes a transfer.

How to protect your funds. Firstly, if you change your phone number, then immediately contact the bank to not only link the new number, but also disconnect the old one. Secondly, do not leave your mobile phone unattended; if the device’s functions allow it, set a password to lock it, that is, without entering the code, a third party cannot remove the lock. And if you discover that your phone has been stolen, immediately call the operator and block the card.

Instructions for working with Internet banking on Sberbank Online

Payments on the Internet

Many active Internet users prefer to make purchases in online stores and, accordingly, pay for them immediately. You can make a payment directly from a bank card, which is convenient for both the seller and the buyer. For scammers, this is another reason to profit from inattentive buyers.

The fraudulent scheme is quite sophisticated: they create a copy of an online store’s website and take full prepayment for the order. It is quite difficult to distinguish such a resource, especially for those who have never used the store's services before. However, it is worth paying attention first of all to the resource's pricing policy: if the prices seem unrealistically low to you, then this is the first reason to suspect fraud. As a rule, links to such third-party online stores can be found on forums, social networks and many other sources.

The protection of bank cards, or more precisely of the funds on them, depends only on the owner, because in this case it will be impossible to return the funds, for the reason that the owner himself voluntarily transferred them to the attackers. Therefore, be careful when shopping online, and try to stick to resources you already know. If possible, do not pay 100% in advance; order goods by cash on delivery or courier delivery so that you have the opportunity to look at the product on the spot, evaluate its quality, and only then pay for it.

Please note that to pay for purchases in the online store you will only need the card number, CVC2/CVV2 code, owner's name, expiration date, other information will not be required.

Protecting cards with NFC chip

Today, banks often offer clients cards with PayWave and PayPass contactless payment technology. These cards are equipped with an NFC chip, thanks to which the card can transfer data to POS terminals with one touch. In simple words, if your card supports such instant payment technology, then you can pay for goods and services in one touch, and if the transaction amount does not exceed 1000 rubles, then you will not need to enter a PIN code.

Today, a new fraudulent scheme is successfully operating, and it looks like this: attackers in public places, using a POS terminal, look for cards with an NFC chip. For example, such a scheme can be carried out in the subway. An attacker just needs to take the device and enter the crowd; the device looks for a card with an NFC chip, and when it gives a characteristic signal, the fraudster enters an amount of up to 1000 rubles and presses the payment button. Finding the attacker in the crowd will be extremely difficult.

In this case, it makes sense for owners to purchase a protective bank card case. Thanks to RFID-shielding, the case completely blocks the card, that is, it becomes impossible to read information from it, and you won’t even be able to pay with the card in a store until you remove it from the case.

The cost of such a protective case with RFID technology starts from 100 rubles.

General methods of protection

Indeed, it is almost impossible to describe all scams, because attackers keep improving and honing their skills. It is quite easy to fall into the attackers' net, and none of us is immune from this. For example, a fraudster can disable an ATM by simply covering the cash dispensing slot with tape; when trying to withdraw cash, the user does not receive the money and walks away from the ATM trying to find someone to help, and the fraudster peels off the tape and leaves the crime scene. There are many similar ways to take possession of other people’s funds.

However, the user must be extremely vigilant, because these are his own funds. Firstly, use ATMs that are located in protected areas or directly in banks. Secondly, if your card gets stuck in an ATM, block it immediately. Thirdly, never share your PIN with anyone, do not write it down on paper, and do not store it in your wallet next to your cards.

Be careful when making online payments, and do not send anyone information about your card, its details, or the secret code from SMS messages. If possible, log into your personal online banking account only from your own computer, because some browsers save passwords.

What to do if funds are missing from your card

To begin with, it must be said that you should not skimp on SMS messages; SMS notifications are usually a paid service. Some people don't think it's necessary to pay to be informed about every transaction; in fact, it is necessary. For example, if you received an SMS about funds being written off from your card, you can get them back and identify the attacker “hot on their heels.”

Protective case for Sberbank card

So, your money has been debited and you have received an SMS notification: immediately block the card and contact the bank to dispute the last transaction. Then ask for a report indicating the recipient's account number, and then file a statement with the police; law enforcement officials should open a criminal case for fraud.

By the way, you should think seriously about how to protect your credit card, because in this case you will have to repay the loan to the bank in full, since it was you who entered into the agreement with it. The investigation and trial may drag on for a long time, during which you will have to pay interest and principal. Only afterwards will you be able to recover the entire amount from the scammer.

Thus, you can protect your money yourself if you follow basic security measures. If you suspect any fraudulent activity, block the card; by the way, if you use mobile banking, this can be done in a few seconds with an SMS command. And never hand your plastic to people you don’t know, and don’t give out your details.

Imagine the situation: you left your phone unattended for 5 minutes (for example, on a charger). You come back and see an SMS about a transfer of a large amount of money to a third party. Can you picture it? But this could easily be reality... This article talks about the not very secure login system of the Sberbank mobile application, in order to warn users about the possibility of financial losses.

After my phone started acting up, I had to reset it to factory settings. Having installed the Sberbank Online application from the Play Store and waited a considerable time while the application scanned the phone for viruses, you get the full impression that everything is fine with security. But imagine my surprise when, after entering my login and being ready to enter my password, I was instead asked to enter an SMS code, which was immediately sent to the same phone!

At first I thought that perhaps some kind of session identifier was saved somewhere on the memory card, because of which there is no need to go through the password entry procedure, but just go through a simplified confirmation procedure via SMS. But that was not the case.

Then my colleague and I decided to check on his phone whether I could log into his application. We take his phone, open the application, select “Change user” in the menu, enter his login (which is not secret and is used by him on different services). And, bingo, we enter the SMS code again and find ourselves inside the application with full access to all finances! The whole thing took a couple of minutes.

What about locking your phone with a password/pattern/fingerprint, you ask? Well, first of all, what matters is not the device but the SIM card. And a full factory reset can also negate all protection; it will just take a little longer.

In addition, there are a lot of applications in the OS that ask for permission to read SMS. I wouldn’t be surprised if a virus appears that can simulate logging into an application by reading the code from an SMS and then entering it.

What about Sberbank?

Through the feedback form I wrote twice about this problem to Sberbank and left a review on banki.ru. But Sberbank apparently does not consider this a problem. In addition, the following clause was found in the terms of use:

Do not combine devices for accessing the Sberbank Online system with devices for receiving SMS messages containing the confirming one-time password (for example, a mobile phone, smartphone or tablet). Specialized versions of the system have been created for mobile devices.
If you lose the mobile phone on which you receive messages with an SMS password, immediately contact your cellular operator and block the SIM card.

That is, in fact, the application must not be installed on the same phone that receives the SMS messages.

Conclusions

The only conclusions that can be drawn are: keep your phone with you at all times, even when you decide to go to the toilet for 5 minutes. Do not install applications with access to SMS. Better yet, receive SMS with codes on your push-button phone without applications.

The rapidly growing popularity of online and mobile banking has a downside. As experts note, skimming, the installation of reading devices on ATMs, has recently become less and less common. But attempts to hack into remote banking systems, steal passwords in mobile banking applications, and various “social deception” schemes have increased significantly.

According to statistics from the Bank of Russia, the number of unauthorized transactions carried out through ATMs or payment terminals in 2014 decreased by half compared to the previous year. Skimmers attacked ATMs in 21% of cases, while the share of illegal transactions on the Internet reached 65.8%. In total, the Central Bank recorded almost 5 thousand attempts to withdraw or transfer other people's money via the Internet last year, and the total value of these transactions was 1.64 billion rubles. However, the vast majority of scammers' attempts were successful.

“The increase in the number of crimes in the field of online banking is primarily associated with the degree of penetration of remote banking systems: for example, now 40% of our bank’s clients are users of mobile and Internet banking, and this figure is growing every month,” says Head of the Mobile Services Development Department at MDM Bank Pavel Mikhalev.

In addition, the expert associates the decrease in the level of skimming attacks with the recent introduction of criminal liability for such crimes. “In June of this year, amendments to the Criminal Code of the Russian Federation came into force, providing for up to 6 years of liability for skimming, while criminals who steal money from bank clients via digital channels often receive a suspended sentence,” notes Pavel Mikhalev.

Experts and law enforcement officials attribute this to several other factors. Firstly, the level of security of bank cards has increased: from July 1 of this year, banks are required to equip all issued cards with a chip. Unlike “simple” cards equipped with a magnetic stripe, cards with chips require entering a PIN code for each payment transaction. And this has made life more difficult for skimmers who, in addition to intercepting card data at ATMs, now need to obtain a PIN code.

Calculating weak points

Keeping up with modern banking technologies, fraudsters are inventing new ways of deception.

“Fraudsters use various technical tricks, and most of them boil down to defrauding the user of the personal information needed to carry out transactions on his accounts,” says Elena Degteva, Head of the Remote Banking Department at VTB24. “The calculation is made on inattention and gullibility: in particular, this is phishing (a link to a fake bank page that asks for the login and password for the Internet bank, one-time codes, bank card details, etc.) or a Trojan horse that plants a fake Internet page and sends the data entered by the client to attackers.”

The analytical agency Markswebb Rank & Report conducted a study of the security of Internet and mobile banks. The study examined the reliability of the protection of the remote banking systems of the 20 banks with the largest number of online banking users. In every bank, agency employees first acted as clients and then as fraudsters. That is, they first opened debit cards, registered in the corresponding online banks and tried to make purchases. Then they tried to guess the password, re-issue the SIM card linked to the account, and so on.

As the study showed, Russian banks in general do not have very strict security requirements. For example, five banks do not use one-time passwords at all to authenticate the user (log in to the Internet bank), in two banks the SMS password from one operation can be used to confirm another, and only four banks require confirmation of the phone number after the SIM card is re-issued; the rest continue to send passwords to the new number, says Alexey Skobelev, CEO of Markswebb Rank & Report.
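The two findings above, a code from one operation confirming another and codes still flowing to a number after a SIM re-issue (the same number-change problem raised in the mobile banking section earlier), as server-side confirmation logic written here as an added example, not any bank's code. The operation fields, the phone number and the operator's "SIM re-issued" signal are constructed assumptions; single use and expiry of the code are added as the defaults a practitioner would expect.

```python
"""One-time SMS password handling that closes the gaps the Markswebb study
found: a code issued for one operation must not confirm another, a code must
work once and only briefly, and no code may go to a number whose SIM was
re-issued until the client re-confirms it out of band.
Added example, not any bank's code; operation fields, phone number and the
operator's re-issue signal are constructed assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class Challenge:
    code: str
    op_digest: str        # ties the code to one exact operation
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class Account:
    phone: str
    phone_verified: bool = True           # False after a SIM re-issue report
    challenges: dict = field(default_factory=dict)


def operation_digest(op):
    """Canonical hash of the operation (type, payee, amount...) the code confirms."""
    canon = "|".join(f"{k}={op[k]}" for k in sorted(op))
    return hashlib.sha256(canon.encode()).hexdigest()


def issue_otp(acct, op, now=None):
    """Create a 6-digit code for this exact operation. Returns (challenge_id, code);
    in production the code would go to acct.phone through the SMS gateway."""
    if not acct.phone_verified:
        raise PermissionError("phone number must be re-confirmed after SIM re-issue")
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    cid = secrets.token_hex(8)
    acct.challenges[cid] = Challenge(code, operation_digest(op), now + OTP_TTL_SECONDS)
    return cid, code


def confirm(acct, cid, code, op, now=None):
    """True only if the code is unused, unexpired, within the attempt limit,
    matches, and was issued for exactly this operation."""
    now = time.time() if now is None else now
    ch = acct.challenges.get(cid)
    if ch is None or ch.used or now > ch.expires_at or not acct.phone_verified:
        return False
    ch.attempts += 1
    if ch.attempts > MAX_ATTEMPTS:
        ch.used = True                  # burn the code after too many guesses
        return False
    if ch.op_digest != operation_digest(op):
        return False                    # right code, wrong operation
    if not hmac.compare_digest(ch.code, code):
        return False
    ch.used = True                      # single use
    return True


def report_sim_reissued(acct):
    """Operator signal that the SIM behind acct.phone was replaced: stop sending
    codes and void anything pending until the client re-confirms the number."""
    acct.phone_verified = False
    for ch in acct.challenges.values():
        ch.used = True


def reconfirm_phone(acct, new_phone=None):
    """Called only after identity was checked out of band (branch visit,
    call-center code word); optionally records a new number at the same time."""
    if new_phone:
        acct.phone = new_phone
    acct.phone_verified = True


if __name__ == "__main__":
    acct = Account(phone="+7-000-000-00-00")                     # constructed
    pay_a = {"type": "transfer", "to": "ACCOUNT-A", "amount": 5000}
    pay_b = {"type": "transfer", "to": "ACCOUNT-B", "amount": 5000}
    cid, code = issue_otp(acct, pay_a)
    print("code reused for another payee:", confirm(acct, cid, code, pay_b))
    print("code used for its own payment:", confirm(acct, cid, code, pay_a))
    print("same code a second time:      ", confirm(acct, cid, code, pay_a))
```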

The highest number of points was received by Citibank, Alfa-Bank, Tinkoff Bank, VTB24 and Russian Standard. The last places in the ranking went to Raiffeisenbank, MTS Bank and B&N Bank.

Meanwhile, as Evgeniy Loktev, Head of the Internet Banking Development Department for Individuals at B&N Bank, said, the protection system of the Binbank online bank is thought out to the smallest detail. “To log in to the system, a username and password are used; for quick login (when the application is already installed and the first login has been made) a code or fingerprint is used (on some phone models that support this function); when logging into the system, the client receives a message about the login at the mobile phone number registered by the client; when performing critical financial transactions, one-time passwords are used, which are also sent to the mobile phone number registered by the client,” he listed.

Experts agree: the most vulnerable part of a mobile bank is the user himself. “An attacker can simply spy on the login and password to enter a mobile bank - for example, in a cafe or transport,” says Pavel Mikhalev. “Often, users are also subject to attacks through so-called social engineering, when attackers, under the guise of friends or relatives, trick gullible people into giving them personal data.”

“Fraudsters are amazingly inventive and excellent at ingratiating themselves with trust,” agrees Evgeniy Loktev, and therefore recommends that under no circumstances should anyone give information about themselves that can be used to log into an online or mobile bank. “And this is not always directly the username and password, but also personal data, knowledge of which can be used by fraudsters to change the password through the bank’s call center.”

And in order to make the task of hacking a mobile bank as difficult as possible in the event of a lost or stolen smartphone or tablet, banking security experts recommend thinking carefully about your password. “If we talk about technical methods of penetrating a system, the main one is “brute force” - a simple search of combinations of logins and passwords. We use a special method to protect against such attacks,” says Pavel Mikhalev. “Even with the login and password to the “victim’s” mobile bank, the attacker will not be able to carry out unauthorized transactions, because the transactions are confirmed by one-time SMS passwords.”

An obvious rule: the password must consist of different kinds of characters: upper and lowercase letters, numbers, symbols (for example, % or $). You should avoid obvious numeric (12345) and alphabetic (qwerty, “password”) combinations. Passwords that are easily associated with you, such as your last name, date of birth or city, are also unsafe. Pavel Mikhalev also recommends using biometric authentication in mobile banking with Touch ID technology on iPhone and a pattern key on Android smartphones.

And for those who carry out transactions for large amounts in online and mobile banking, and also want to ensure maximum security for payments, Elena Degteva recommends using a password generator. “It can be used for several years, which will allow you to visit the bank office less often,” she reminds.

“Fraudsters can call or send SMS messages on behalf of the bank to obtain confidential data: login, password, one-time payment confirmation code, credit card data,” warns Vadim Budaev, Head of the Economic Security Department of Raiffeisenbank JSC.

As a rule, a bank client receives an SMS on his mobile phone stating that his bank card is allegedly blocked or that suspicious transactions are being carried out on it. The message urges him to contact “bank security” or the “Visa security department.” A telephone number for contact is also given, usually a mobile one, but with an area code. When the number is called, the scam develops according to several scenarios: most often, a fraudster posing as a “bank security officer” pressures the gullible client into providing his passport data and bank card details, after which he withdraws money from the account. Sometimes the card is used to pay a mobile phone bill directly, after which the money is cashed out through the telecom operator. In another case, following the instructions of the “bank employee”, the client links his online bank to the fraudster's mobile phone number, and the fraudster empties his account. Another option: the victim, at the direction of the fraudster, inserts his card into an ATM and enters a series of commands “to unlock the card.” In reality, these commands transfer money from the victim’s account to the fraudster’s account. Sometimes, but much less frequently, notes Vadim Budaev, attackers use a less “technological” method of fraud, which consists of obtaining, under a forged power of attorney, a SIM card linked to the victim’s mobile phone number.

Experts warn: not a single Russian bank, much less the Visa and MasterCard payment systems, ever sends out SMS messages about a card being blocked, let alone about “suspicious transactions.” Therefore, on receiving a suspicious message, the owner of a bank card should under no circumstances call the phone number given in it, but should immediately contact the bank using the phone number printed on the bank card itself.

It is extremely difficult to return money stolen by scammers. First of all, the victim will have to prove that he himself did not “help” the scammers gain access to his account. “Unfortunately, Russian legislation in this area is imperfect, but every case of fraud is investigated,” says Pavel Mikhalev. “In cases where the client has not violated the terms of the banking agreement, we always meet halfway.”

So, no matter how advanced the security technologies used by the bank are, they are meaningless if you neglect basic Internet security rules.

How to protect online banking:
– never download the bank’s mobile application from unofficial resources or third-party sites, as they may be infected with viruses; install programs only through the official stores: Google Play, Apple Store, Windows Store;
– for owners of Android-based mobile devices, we recommend unchecking “Unknown sources” in the “Settings” - “Security” section; this protects the gadget from installing applications from third-party sites;
– install an antivirus and scan your gadget regularly; in the antivirus settings, enable scanning of applications during installation;
– do not defeat the device’s security system with Root (on the Android platform) or Jailbreak (on the iOS platform); this significantly increases the smartphone's vulnerability to malware;
– enable the auto-lock function on your device and protect it with a password;
– do not store logins and passwords, card numbers, passport data and other confidential information on the device, so that it does not become available to strangers if the gadget is lost;
– do not open suspicious links received by mail, by message or from social networks;
– be careful, and in case of non-standard device behavior when using the mobile bank, a request to provide additional information about payment cards, or a refusal to register the device in the operator’s network (the SIM card is invalid), contact the bank to block the system.

There is a downside to the rapidly growing popularity of online and mobile banking. As experts note, recently it has become less and less common to encounter skimming – the installation of reading devices on ATMs. But attempts to hack into remote banking systems, steal passwords in mobile banking applications, and various “social deception” schemes have increased significantly.

According to statistics from the Bank of Russia, the number of unauthorized transactions carried out through ATMs or payment terminals in 2014 decreased by half compared to the previous year. Skimmers attacked ATMs in 21% of cases, and the share of illegal transactions on the Internet reached 65.8%. In total, the Central Bank recorded almost 5 thousand attempts to withdraw or transfer other people’s money via the Internet last year, and the total cost of operations was 1.64 billion rubles. However, the vast majority of scammers' attempts were successful.

“The increase in the number of crimes in the field of online banking is primarily associated with the degree of penetration of remote banking systems: for example, now 40% of our bank’s clients are users of mobile and Internet banking, and this figure is growing every month,” says Pavel Mikhalev, Head of the Mobile Services Development Department at MDM Bank.

In addition, the expert associates the decrease in the level of skimming attacks with the recent introduction of criminal liability for such crimes. “In June of this year, amendments to the Criminal Code of the Russian Federation came into force, providing for up to 6 years of liability for skimming, while criminals who steal money from bank clients via digital channels often receive a suspended sentence,” notes Pavel Mikhalev.

Experts and law enforcement officials attribute this to several other factors. Firstly, the level of security of bank cards has increased: from July 1 of this year, banks are required to equip all issued cards with a chip. Unlike “simple” cards equipped with a magnetic stripe, cards with chips require entering a PIN code for each payment transaction. And this has made life more difficult for skimmers who, in addition to intercepting card data at ATMs, now need to obtain a PIN code.

Having identified the weaknesses of modern banking technologies, fraudsters are inventing new ways of deception.

“Fraudsters use various technical tricks, and most of them boil down to defrauding the user of personal information necessary to carry out transactions with his accounts,” says Elena Degteva, Head of the Remote Banking Department at VTB24. “The calculation is made on inattention and gullibility - in particular, this is phishing (a link to a fake bank page that asks for a login and password to enter the Internet bank, one-time codes, bank card details, etc.) or a Trojan program that plants a fake Internet page and directs the data entered by the client to attackers.”

The analytical agency Markswebb Rank & Report conducted a study on the security of Internet and mobile banks. The study examined the reliability of the protection of remote banking systems of 20 banks with the largest number of users of the bank’s online version. In all banks, agency employees first acted as clients and then as fraudsters. That is, first they created debit cards, registered in the appropriate online banks and tried to make purchases. And then they tried to guess the password, reissued the SIM card linked to the account, and so on.

As the study showed, in general, Russian banks do not have very strict security requirements. For example, five banks do not use one-time passwords at all to authenticate (log in to the Internet bank) the user, in two banks the SMS password from one operation can be used to confirm another, and only four banks require confirmation of the phone number after re-issuing the SIM card, the rest continue to send passwords to the new number, says Alexey Skobelev, CEO of Markswebb Rank & Report.
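The two weak points the study names, a one-time SMS password that can confirm an operation other than the one it was issued for, and passwords that keep being sent to a number whose SIM has just been re-issued, come down to server-side bookkeeping. The following constructed model (added here as an example, not any bank's code) binds each code to a digest of the exact operation, consumes it on first use, and stops issuing codes after a SIM reissue until the number is confirmed through another channel; the 300-second lifetime is an assumed value.

```python
import hashlib
import hmac
import secrets
import time

# Constructed model (not any bank's code) of the two weak points the study
# names: an SMS code that is valid for any operation, and codes that keep
# flowing to a phone number after the SIM behind it has been re-issued.
CODE_TTL = 300  # seconds a code stays valid (assumed value)


class OtpService:
    def __init__(self):
        self.pending = {}      # code -> (operation digest, expiry time)
        self.phone_ok = True   # False after a SIM reissue until re-confirmed

    @staticmethod
    def _digest(op):
        # Bind the code to the exact operation: source, payee and amount.
        canon = f"{op['from']}|{op['to']}|{op['amount']}"
        return hashlib.sha256(canon.encode()).hexdigest()

    def sim_reissued(self):
        """Operator reports that the client's SIM card was re-issued."""
        self.phone_ok = False
        self.pending.clear()   # outstanding codes can no longer be trusted

    def confirm_phone(self, verified_by_other_channel):
        """Client re-confirms the number in a branch or via the call centre."""
        if verified_by_other_channel:
            self.phone_ok = True

    def issue(self, op):
        """Generate a code for one operation; None means: do not send."""
        if not self.phone_ok:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[code] = (self._digest(op), time.time() + CODE_TTL)
        return code  # here it would go out by SMS, not back to the caller

    def confirm(self, op, code):
        """True only if the code is unexpired, unused and issued for `op`."""
        entry = self.pending.pop(code, None)   # pop: a code is single-use,
        if entry is None:                      # even when presented wrongly
            return False
        op_digest, expiry = entry
        if time.time() > expiry:
            return False
        return hmac.compare_digest(op_digest, self._digest(op))
```

A code presented for a different operation is discarded rather than left pending, so an attacker who lures the client into reading out a code cannot replay it against a payment of their own.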

The highest number of points was received by Citibank, Alfa-Bank, Tinkoff Bank, VTB24 and Russian Standard. The last places in the ranking went to Raiffeisenbank, MTS Bank and B&N Bank.

Meanwhile, as Evgeniy Loktev, Head of the Internet Banking Development Department for Individuals at Binbank, said, the protection system of the Binbank online bank is thought out to the smallest detail. “To log in to the system, a username and password are used; for quick login (when the application is already installed and the first login has been made) a code or fingerprint is used (for some phone models that support this function); when logging into the system, the client receives a message about the login to the mobile phone number registered by the client; when performing critical financial transactions, one-time passwords are used, which are also sent to the mobile phone number registered by the client,” he listed.

Experts agree: the most vulnerable part of a mobile bank is the user himself. “An attacker can simply spy on the login and password to enter a mobile bank - for example, in a cafe or transport,” says Pavel Mikhalev. “Often, users are also subject to attacks through so-called social engineering, when attackers, under the guise of friends or relatives, trick gullible people into giving them personal data.”

“Fraudsters are amazingly inventive and excellent at winning trust,” agrees Evgeniy Loktev, and therefore recommends that under no circumstances should anyone give information about themselves that can be used to log into an online or mobile bank. “And this is not always directly the username and password, but also personal data, knowledge of which can be used by fraudsters to change the password through the bank’s call center.”

And in order to make the task of hacking a mobile bank as difficult as possible in the event of a lost or stolen smartphone or tablet, banking security experts recommend thinking carefully about your password. “If we talk about technical methods of penetrating a system, the main one is “brute force” - a simple search of combinations of logins and passwords. We use a special method to protect against such attacks,” says Pavel Mikhalev. “Even with the login and password to the “victim’s” mobile bank, the attacker will not be able to carry out unauthorized transactions, because the transactions are confirmed by one-time SMS passwords.”

An obvious rule: the password must consist of different kinds of characters - upper and lowercase letters, numbers, symbols (for example, % or $). You should avoid obvious numeric (12345) and alphabetic (qwerty, “password”) combinations. Passwords that are easily associated with you (last name, date of birth or city) are also unsafe. Pavel Mikhalev also recommends using biometric authentication in mobile banking: Touch ID technology on iPhone and a pattern lock on Android smartphones.
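The password rules above can be enforced at registration time. The checker below is an added example (not any bank's code) that implements exactly those rules: character-class mix, the obvious sequences named in the text, and details tied to the user such as last name, birth date and city, the last of which it also checks in the digit-only and year-only forms in which dates usually leak into passwords; the 8-character minimum and the `personal` parameter are assumptions.

```python
import re

# Sequences the text names; a real deployment would extend this with a
# breached-password list (assumption, not part of the article).
WEAK_PATTERNS = ["12345", "qwerty", "password"]

CHARACTER_CLASSES = {
    "lowercase letter": r"[a-z]",
    "uppercase letter": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol (e.g. % or $)": r"[^A-Za-z0-9]",
}


def _variants(item):
    """Forms in which a personal detail commonly ends up in a password."""
    s = str(item).lower()
    out = {s, s.replace(" ", "")}
    digits = re.sub(r"\D", "", s)
    if len(digits) >= 4:
        out.add(digits)                             # 12.03.1985 -> 12031985
        out.update(re.findall(r"\d{4}", digits))    # any 4-digit run: 1985
    return sorted(v for v in out if len(v) >= 4)    # sorted: stable output


def password_problems(password, personal=()):
    """Return the list of rule violations; an empty list means it passes.
    `personal` holds strings tied to the user: last name, birth date, city."""
    problems = []
    if len(password) < 8:                 # minimum length: assumed value
        problems.append("shorter than 8 characters")
    for name, pattern in CHARACTER_CLASSES.items():
        if not re.search(pattern, password):
            problems.append(f"missing a {name}")
    low = password.lower()
    for weak in WEAK_PATTERNS:
        if weak in low:
            problems.append(f"contains obvious sequence '{weak}'")
    for item in personal:
        for variant in _variants(item):
            if variant in low:
                problems.append(f"contains personal detail '{variant}'")
    return problems
```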

And for those who carry out transactions for large amounts in online and mobile banking, and also want to ensure maximum security for payments, Elena Degteva recommends using a password generator. “It can be used for several years, which will allow you to visit the bank office less often,” she reminds.

“Fraudsters can call or send SMS messages on behalf of the bank to obtain confidential data: login, password, one-time payment confirmation code, credit card data,” warns Vadim Budaev, Head of the Economic Security Department of Raiffeisenbank JSC.

As a rule, a bank client receives an SMS on his mobile phone stating that his bank card is allegedly blocked or suspicious transactions are being carried out on it. The message urges you to contact “bank security” or “Visa security department.” A telephone number for communication is also indicated here - usually a mobile one, but with an area code. When calling such a number, the scam develops according to several scenarios: most often, a fraudster posing as a “bank security officer” forces a gullible client to provide his passport data and bank card details, after which he withdraws money from his account. Sometimes the card is used to directly pay a mobile phone bill, after which the money is cashed out through the telecom operator. In another case, following the instructions of the “bank employee,” the client links his online bank to the fraudster’s mobile phone, and the fraudster empties his account. Another option: the victim, at the direction of the fraudster, inserts his card into the ATM and enters a series of commands “to unlock the card.” In reality, these commands ensure the transfer of money from the victim’s account to the fraudster’s account. Sometimes, but much less frequently, notes Vadim Budaev, attackers use a less “technological” method of fraud, the essence of which is to obtain, under a fake power of attorney, a SIM card linked to the victim’s mobile phone number.

Experts warn: not a single Russian bank, much less the Visa and MasterCard payment systems, ever sends out SMS messages about blocking a card, much less about “suspicious transactions.” Therefore, when receiving a suspicious message, the owner of a bank card should under no circumstances call the specified phone number, but should immediately contact the bank using the phone number that is on the bank card itself.
