At first, after reading in Kommersant this morning about a new kind of fraud at Sberbank ATMs, very wild in how easily it fools people and how hard it makes it to keep your money, I thought the article was a hit job by competitors aimed at undermining Gref.
But it really is a new danger, one that in recent days has been claiming more and more victims, and for round sums.
You want to withdraw, deposit, transfer or pay money through an ATM, and instead you not only get nothing at all, but the account behind your card is emptied.
Now this is a reality, after you yourself press just a couple of buttons.
As soon as you insert your card and enter your PIN, the money suddenly floats away from under your nose to pay for some phone number that is not yours.
Next, you get your card back with a receipt carrying unwelcome information.
A particular case is described on Banks.ru, but it is not isolated: six months ago such cases were rare, and by May they had become a pattern.
An expert explains the scheme.
ATM screens show advertising for contactless cards, and that is the crux of it.
An attacker, using such a card, gets access to the main ATM menu.
Further manipulation starts the desired operation without carrying it through to completion, and he steps away from the ATM, for example around a corner.
Meanwhile, the next person inserts their card, enters the PIN, and then the operation completes and the money is gone, that is, debited from the account.
What can be done in advance to avoid this?
Look at what state the ATM is in.
Press "Reset" (it is often highlighted in red).
Then start your operation from scratch.
With a tightness in the chest..
Complaints by Sberbank customers about theft of funds through payment terminals have become frequent. The fraud algorithm is simple: the attacker starts an operation on the terminal without inserting a card, does not complete it and walks away. The terminal allows 90 seconds to complete the transaction, and if during that period the next customer inserts their card, it is debited for the previous request. Security experts see a serious error in the operating scenarios of Sberbank's self-service devices, while the bank merely urges customers to be careful.
Last week, reports began to appear on the Internet of funds being stolen from citizens through Sberbank's information-and-payment terminals (IPTs). One victim said that he came to a bank branch, put his card into the terminal, entered his PIN code, and 11 thousand rubles were immediately written off from his account to someone else's MTS account. Another customer of the bank told Kommersant that he had lost an even larger sum by the same pattern: "I wanted to use a Sberbank terminal. Before me a girl in a veil was entering something for an endlessly long time. When she left, I see the normal 'insert card, enter PIN code...' and 15 thousand flew off to pay for someone else's phone." The victim contacted Sberbank.
There it was explained to him that the bank's IPTs are configured so that you first choose the purpose of the payment and the amount, and only at the very end the method of payment, card or cash. And if the previous customer selected "pay by card" and did not complete the operation, then the next one, inserting a card, completes it.
As it turns out, the theft requires neither special knowledge nor malware. Kommersant conducted an experiment: one reporter entered the room, chose payment for a mobile phone by card and walked away. A moment later a colleague inserted her card, the terminal asked her to enter her PIN code, and the other phone's balance was successfully topped up.
On re-checking, the timeout (the time after which the terminal aborts the transaction) turned out to be a minute and a half.
A Kommersant source close to law enforcement agencies reported that isolated cases of such theft appeared six months ago, but in the last two weeks the number of citizens going to the police over this has risen sharply. In all cases the theft took place when there was a queue at the terminal, he added.
Experts polled by Kommersant noted that in this case the problem is on the credit institution's side, in the terminal's operating scenario. For example, the device can be configured so that the payment method (card or cash) is selected first and the details only afterwards; such a scenario is implemented in the IPTs of many banks.
Thus, Gazprombank reported that in its terminals the PIN code is entered at the beginning of the operation, and in PSB's terminals the client first selects the means of payment. At FC Otkritie, Kommersant was told that the scenarios of the devices inherited from the former B&N Bank do offer a choice of payment followed by insertion of the card, but the amount, telephone number and payment confirmation disappear after the card is inserted and the PIN code entered, which also rules out such errors. The terminal model does not matter, only the settings.
The second problem, experts say, is too long a timeout. The banks polled by Kommersant called a 30-second timeout the "basic" one. "The software that banks use for IPTs and ATMs lets them independently adjust the length of the timeout and the client-side scenario," Post Bank noted. "An error in the scenario can be fixed by quickly updating the software on the IPTs. Additional time is needed for testing and rolling it out across the network."
According to RTM Group expert Eugene Tsarev, a fifteen-minute timeout is a serious vulnerability, and not a technical but a social one: an inexperienced user may insert their card without looking at the screen. The payment device must be reconfigured to shorten the session, Mr. Tsarev believes.
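The flaw and the three fixes the article lists (short timeout, payment method chosen first, entered details discarded when a card is inserted) are easiest to see as a session state machine. The model below is an added illustration, not Sberbank's, Kommersant's or any vendor's terminal code; the `Terminal` class, its settings, the phone number, card id and timings are constructed sample values, and the 90-second default only mirrors the figure the article quotes.

```python
"""Model of the self-service terminal flow described in the article.

Added illustration, not real terminal software. All identifiers and values are
constructed; the 90 s default mirrors the timeout quoted in the article.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class PendingPayment:
    phone: str                   # destination entered by whoever started the session
    amount: int                  # rubles
    started_at: float            # session clock (seconds) when the details were entered
    card: Optional[str] = None   # card the session is bound to, if the flow binds one


@dataclass
class Terminal:
    timeout_s: float = 90.0          # seconds before unfinished details are dropped
    card_first: bool = False         # mitigation: authenticate before entering details
    discard_on_insert: bool = False  # mitigation: inserting a card clears stale details
    pending: Optional[PendingPayment] = None
    debits: list = field(default_factory=list)  # (card, phone, amount) for each charge

    def enter_details(self, phone: str, amount: int, now: float,
                      card: Optional[str] = None) -> None:
        """Step 1 of the flawed flow: purpose and amount with no card present."""
        if self.card_first and card is None:
            raise PermissionError("insert card and enter PIN before choosing a payment")
        self.pending = PendingPayment(phone, amount, now, card)

    def _expire(self, now: float) -> None:
        if self.pending and now - self.pending.started_at > self.timeout_s:
            self.pending = None          # session timed out, details dropped

    def insert_card_and_pin(self, card: str, now: float) -> Optional[Tuple[str, int]]:
        """Step 2: card and PIN. Returns the debit made, or None for a fresh session."""
        self._expire(now)
        if self.discard_on_insert and self.pending and self.pending.card != card:
            self.pending = None          # someone else's details are thrown away
        if self.pending is None:
            return None                  # user lands on the main menu, nothing charged
        if self.pending.card is not None and self.pending.card != card:
            self.pending = None          # session bound to a different card
            return None
        p, self.pending = self.pending, None
        self.debits.append((card, p.phone, p.amount))
        return (p.phone, p.amount)


OTHER_PHONE = "+7-900-000-00-00"   # constructed: number the first user typed in
NEXT_CARD = "card-next-customer"   # constructed: card of the person behind them


def flawed_flow():
    """Defaults: details first, 90 s timeout, nothing cleared on card insertion."""
    t = Terminal()
    t.enter_details(OTHER_PHONE, 15_000, now=0.0)      # first person walks away
    return t.insert_card_and_pin(NEXT_CARD, now=20.0)  # next customer is charged


def discard_on_insert_flow():
    """Otkritie-style setting: entered details vanish once a card goes in."""
    t = Terminal(discard_on_insert=True)
    t.enter_details(OTHER_PHONE, 15_000, now=0.0)
    return t.insert_card_and_pin(NEXT_CARD, now=20.0)  # None: fresh session


def short_timeout_flow():
    """A 30 s timeout only narrows the window; inside it the flaw still fires."""
    inside = Terminal(timeout_s=30.0)
    inside.enter_details(OTHER_PHONE, 15_000, now=0.0)
    after = Terminal(timeout_s=30.0)
    after.enter_details(OTHER_PHONE, 15_000, now=0.0)
    return (inside.insert_card_and_pin(NEXT_CARD, now=20.0),
            after.insert_card_and_pin(NEXT_CARD, now=45.0))


def card_first_flow():
    """Gazprombank/PSB-style ordering: no details can be queued without a card."""
    t = Terminal(card_first=True)
    try:
        t.enter_details(OTHER_PHONE, 15_000, now=0.0)
    except PermissionError:
        return None                      # nothing is left behind for the next person
    return t.insert_card_and_pin(NEXT_CARD, now=20.0)


if __name__ == "__main__":
    print("flawed:", flawed_flow())
    print("discard on insert:", discard_on_insert_flow())
    print("30 s timeout (inside, after):", short_timeout_flow())
    print("card first:", card_first_flow())
```

The point the model makes is the one the experts make: shortening the timeout alone still leaves a window in which a queued customer pays someone else's bill, whereas binding the session to the card (card first) or discarding stale details on insertion closes it regardless of how long the timeout is.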
German Gref, President of Sberbank, July 6, 2018:
So, are the customers of Sberbank protected, as we are? The honest answer is that our customers are not protected.
In 2016 Sberbank announced the introduction of unified management of its network of ATMs and payment terminals, so the experts concluded that correcting the scenario and reducing the timeout would not be difficult.
However, the credit institution does not see a problem. "All self-service devices of our bank are well protected. For security purposes we recommend that our customers carefully read the information on the ATM screen and also pay attention to the presence of suspicious-looking persons nearby. In case of doubt it is better to abandon the operation and inform the bank by telephone at 900." Kommersant's questions about how many terminals operate under the threatening scenario, the number of customers who have fallen victim to these attacks, the reasons for such a long timeout and plans to close the vulnerability went unanswered by Sberbank. In total, the bank had 77 thousand ATMs at the end of 2018.
Veronica Goryacheva, Vadim Arapov