The evolution of digital channel security, or why SMS and push notifications are dangerous
Posted on 29.04.2020 at 18:00
The security of remote banking systems (RBSs) remains a serious problem for the Russian market. According to FinCERT, the number of bank fraud attempts is growing each year. At the same time, banking systems continue to use confirmation methods that are inherently unsafe. SafeTech, a resident of the Skolkovo Foundation and winner of the Skolkovo Cybersecurity Challenge, an international competition for innovative projects, offered its solution for the industry: PayControl, a digital transaction authentication and confirmation platform.
Evolution of RBS security
Remote banking technologies developed quickly from the very beginning, and security methods such as digital signatures and USB tokens appeared specifically for those systems. However, as the security methods grew more complex, so did the mechanisms for bypassing them. In response to banking trojans and fraud attacks, security systems adopted the one-time password (OTP) as an additional factor. For individuals, distributing digital signature keys proved to be impossible, so banks turned to scratch cards. And then, for reasons of customer convenience, they moved to OTP delivered in SMS and push notifications.
Banks’ transition to SMS and push notifications, which began in the pursuit of a better user experience and a larger customer base, raises many questions. Some experts note that delivering one-time passwords via SMS and push and using them to confirm customer transactions was, of course, a step towards convenience and security for its time. Others argue that SMS and push are no longer able to protect against the most common attacks: social engineering and payment details spoofing, SMS interception, and modern malware. And the OTP usage scenarios themselves are no longer perceived as convenient: users want to authorize digital documents with one touch.
Now SMS and push notifications are being replaced by mobile authentication and digital signature technologies, which are integrated with various security systems, in particular with biometric authentication systems and anti-fraud systems.
In recent years, digital signatures have become the subject of interest and regular discussions among the expert community and ordinary users. According to the Federal Law of April 6, 2011 No. 63-FZ On Digital Signatures, a digital signature has full legal force, being a full replacement for a handwritten signature.
In the most general sense, a digital signature is the result of a cryptographic transformation of a digital document. Cryptographic algorithms and protocols, as well as software and hardware-software solutions based on them (experts call them “digital signature means”) provide the required properties of “signed” information: integrity, reliability, and authenticity. A service provider in digital service channels, having received a document signed with a digital signature from a user, checks its correctness, makes sure that the will of a particular customer has been received, and starts providing the requested service.
A signature that controls integrity and authorship and is produced by cryptographic transformations is the only correct, reliable, and economically viable approach.
In 2019, the Bank of Russia released Regulation No. 683-P On Requirements Mandatory for Credit Institutions to Ensure Information Protection in the Carrying out of Banking Activities in Order to Counteract Money Transfers without the Client’s Consent. The regulation contains two important points related to signing and confirming transactions in digital channels.
First, it is necessary to implement control over the integrity and authorship of documents. To fulfill this point via SMS and push notifications, it is necessary to confirm that an SMS has reached the end client, then to compute the transaction hash, and to derive a confirmation code from it. At the same time, a confirmation code linked to the transaction details with integrity control becomes much longer than the usual four digits. With push, control of authorship can also be implemented, but this is fraught with issues. Second, the client should confirm the completion of each banking operation and, in the case of a mass payment, all of its payment details. The client needs to confirm their desire to make a specific payment with specific details, in a specific way, with control of authorship and integrity, every single time.
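The difference between a bare one-time password and a confirmation code derived from the transaction hash, as the regulation requires, is easiest to see in code. The following is an added illustration, not SafeTech's or PayControl's code: it uses a shared-secret HMAC as the code-generating primitive (the production choice would be an asymmetric signature, as the article argues later), and the account numbers, amounts and counter value are constructed sample data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transaction:
    """Payment details the client sees on screen and must confirm."""
    payee_account: str
    amount: str      # decimal string such as "1500.00"; avoids float rounding
    currency: str
    reference: str


def transaction_hash(tx: Transaction) -> bytes:
    """SHA-256 over a canonical, unambiguous encoding of the transaction.

    Fixed field order plus a length prefix per field: without it, two different
    transactions could serialise to the same bytes and so share a code.
    """
    h = hashlib.sha256()
    for field in (tx.payee_account, tx.amount, tx.currency, tx.reference):
        data = field.encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.digest()


def _truncate(mac: bytes, digits: int) -> str:
    """Reduce a MAC to a zero-padded decimal code of the requested length."""
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


def unbound_otp(secret: bytes, counter: int, digits: int = 4) -> str:
    """SMS/push-style code: depends on the secret and a counter only.

    Nothing about the payment enters the computation, so the same code confirms
    whatever transaction the server happens to be holding at that moment.
    """
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return _truncate(mac, digits)


def bound_code(secret: bytes, counter: int, tx: Transaction, digits: int = 8) -> str:
    """Confirmation code linked to the transaction hash (the integrity control).

    The counter still prevents replay; the transaction hash ties the code to
    exactly the details the client saw. The code is longer than four digits,
    as the article notes, so that guessing it is impractical.
    """
    msg = counter.to_bytes(8, "big") + transaction_hash(tx)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


def bank_accepts(secret: bytes, counter: int, tx: Transaction, code: str, bound: bool) -> bool:
    """Server-side check; constant-time comparison avoids leaking the code byte by byte."""
    expected = bound_code(secret, counter, tx) if bound else unbound_otp(secret, counter)
    return hmac.compare_digest(expected, code)


def demo(secret: Optional[bytes] = None) -> dict:
    """Run a details-swap scenario against both schemes and return the outcomes."""
    secret = secret or secrets.token_bytes(32)
    counter = 7
    # Constructed sample data: what the client intended, and what malware
    # substituted on the server side after the client read the screen.
    intended = Transaction("40817810000000000001", "1500.00", "RUB", "rent")
    spoofed = Transaction("40817810999999999999", "150000.00", "RUB", "rent")

    otp = unbound_otp(secret, counter)            # the code the client typed in
    code = bound_code(secret, counter, intended)  # computed over the details the client saw

    return {
        "unbound_otp_accepts_spoofed": bank_accepts(secret, counter, spoofed, otp, bound=False),
        "bound_code_accepts_intended": bank_accepts(secret, counter, intended, code, bound=True),
        "bound_code_accepts_spoofed": bank_accepts(secret, counter, spoofed, code, bound=True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The unbound code is accepted for the swapped details because the payment never entered its computation; the bound code is rejected because its hash covers the payee and amount the client actually saw. Because the HMAC key here is shared between client and server, either side could have produced the code, which is exactly the dispute-analysis weakness the article raises for symmetric OTPs; signing the same canonical hash with a per-device asymmetric key is what removes it.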
In Europe, when the Revised Payment Services Directive (PSD2) came into force in September 2019, the financial sector began updating its solutions for transaction authentication and confirmation. Indeed, as early as June 2018 the European Payments Union concluded that SMS is not a suitable delivery method and that OTP should be replaced with safer methods.
Due to the high level of fraudulent attacks and social engineering, the regulator is tightening security measures. According to FinCERT, 97% of thefts are social engineering thefts. As an example, we can once again cite the call from an alleged bank security service in which the customer is asked to read out an SMS in order to prevent a withdrawal of funds. A frightened customer tries to shift responsibility for the money away from themselves and reads out what is required. This is a vicious practice, but unfortunately people are used to reacting like that.
We should say that cyber fraudsters adapt very quickly to changes in the external environment. As soon as the President gave an address to the people on the coronavirus and announced loan deferrals, the regulator was already reporting related fraud cases. The idea of social engineering is to obtain information by exploiting human weaknesses. And to find out a card number, all that is needed is a trained voice and acting skills; the attackers do not even need the CVV.
But there are even simpler ways. There are simple apps that run on the user’s phone in the background and are not detected by any scanner. A person opens any online store, P2P transfer, etc., tries to make a payment, and all codes from SMS and push are sent directly to the attacker’s server. While you sleep, your money slips away.
RTM Group’s Forensic Science Center performed a well-known analysis of “the possibility of sending one-time codes in mobile and online banking systems, as well as for informing about transactions” in Russia. Without going into detail (the report is available on the Internet), we can conclude that SMS can be used with a number of limitations, but push notifications cannot be used. And given the negative court practice regarding SMS, the increased cost of telecom services, and, most importantly, the wave of fraud using social engineering methods, it is necessary to abandon both SMS and push.
In 2016, SafeTech participated in the Skolkovo Cybersecurity Challenge and received a grant of 5 million rubles for technological development. Funding allowed them to start development, which had been talked about for a long time, but for which they did not have enough resources. The project was PayControl, a mobile authentication and digital signature platform.
PayControl is a digital signature solution for smartphones that allows customers to confirm their transactions in any digital channel (online banking, mobile banking, CNP operations, private banking, and others) with a high level of security and convenience. It can work as a standalone application for smartphones, or can be integrated directly into a mobile banking application.
There is also a dispute analysis workstation, so that it is possible to prove in court whether a signature is genuine or not. This is quite difficult to do with symmetric OTPs, which are sent via SMS or push. In the case of the PayControl solution, the mobile digital signature is a product of asymmetric cryptography: the digital signature key is “generated”, “stored” and “dies” in the phone, tied to the device’s fingerprint, so it cannot be cloned and transferred to any other device. The client’s smartphone becomes a full-fledged USB token on a mobile device. What is displayed on the screen is what gets signed. Consequently, we can comply with Regulation 683-P’s requirement for control of authorship and integrity.
PayControl completely blocks common attacks on RBS clients, such as SIM card reissue, phishing, document spoofing, etc.
The user can verify the correctness of the transaction data or electronic document and generate a signature regardless of the device used. No extra scratch cards or MAC tokens are needed. There is no dependence on mobile connectivity or SMS delivery speed. Using PayControl is as easy as calling from a mobile phone. Users of the PayControl solution (not only individuals, but also organizations) note the ease of use, a shorter customer journey, and a reduced level of fraud.
Implementing the PayControl solution lets financial and insurance institutions introduce new digital services: register a new business online, open an account remotely without visiting a bank office, and eventually, authorize payments and documents anywhere and at any time.
Published on April 29, 2020 on the vc.ru portal