In recent years, electronic attacks by hackers have become increasingly widely known to the public. This is a typical manifestation of cybercrime.
“White-collar” criminal activity causes significant losses to legal entities and individuals whose funds are stolen from their bank accounts, as well as to users of electronic payment systems. We will try to understand whether the Internet can become a safe transactional environment and, if so, what is needed for this.
What are the risks in the field of electronic payments?
In the known classifications, the risks of electronic payments include the risk of loss of liquidity (i.e. the risk that the issuer fails to fulfil its obligations because its assets are insufficient), credit risk (the risk of losses due to default by third parties – participating banks, settlement banks and others), legal risk (losses resulting from legal actions or events), operational risk (the risk of loss resulting from deficiencies in the organization of the system or abuse by persons having access to the system), and the risk of loss of control (losses resulting from losing control over the management of one of the risks above). Experts of the Bank for International Settlements also identify reputational, interest-rate and market risks.
However, increasingly (and not always justifiably), within the category of “operational risk” (sometimes as an independent category) specific risks are postulated that are of an independent nature and do not fit any of the categories above. These are, for example, the risk of loss of an electronic money user’s personal data, the risk of an electronic wallet being broken into, the risk of losing data or money due to a system failure, the risk of theft of customer data through hacker attacks on the customer, bank, store or servicing processing center, the risk of chargebacks (customer claims, including unfair ones, against the store for the return of funds paid through the servicing bank), etc.
It is time to talk about the emergence of a new, separate category of risks for electronic money and electronic payments: the risks associated with transaction security.
An effective electronic payment system (EPS), according to the classic definition of R. Siefers (1997), is one that can instantly confirm a transaction and allows counterparties to exchange information and value directly, without involving a third party, inside a secure transaction environment.
EPS security has six basic levels:
- identification – the representation of all participants in the transaction who have rights and obligations arising from it;
- authentication – the verification process ensuring that both parties to the transaction are who they claim to be;
- authorization – indication of the initiator of the transaction;
- trust – assurance that no one has access to data beyond what is functionally necessary;
- confidence in the integrity and completeness of the data transmitted during the transaction;
- a guarantee that the client cannot repudiate the payment, and of the client’s solvency.
Some experts highlight the group of requirements for privacy.
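The following is an added illustration of how several of these levels look in code; it is not code from the article or from any real payment system. A payment envelope carries the client identifier (identification), a timestamp and nonce (freshness and replay protection), and an HMAC-SHA256 tag over all fields (authentication and integrity). The verifier distinguishes an unknown client, a tampered document, a stale message and a replayed one. Note that a symmetric MAC cannot provide the last level in the list, non-repudiation: both sides hold the same key, so an asymmetric signature such as the EDS key discussed later in the article is needed for that. The client identifiers, secret and account number are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed demo secret: in a real EPS per-client keys are issued out of
# band and held in a protected keystore, never hard-coded.
CLIENT_SECRETS = {
    "client-1001": b"constructed-demo-secret-not-for-real-use",
}


def canonical(fields: dict) -> bytes:
    """Deterministic serialization so signer and verifier MAC identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_payment(client_id: str, amount: str, to_account: str,
                 now: Optional[float] = None) -> dict:
    """Build a payment envelope on the client side.

    Identifies the client, timestamps and nonces the message, and
    authenticates every field with HMAC-SHA256 under the client's key.
    """
    fields = {
        "client_id": client_id,           # identification
        "amount": amount,                 # decimal string, never a float
        "to_account": to_account,
        "ts": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(16),   # replay protection
    }
    tag = hmac.new(CLIENT_SECRETS[client_id], canonical(fields), hashlib.sha256)
    return {"fields": fields, "mac": tag.hexdigest()}


def verify_payment(envelope: dict, seen_nonces: set, now: Optional[float] = None,
                   max_age: int = 300) -> Tuple[bool, str]:
    """Verify an envelope on the EPS side. Returns (accepted, reason)."""
    fields = envelope.get("fields", {})
    key = CLIENT_SECRETS.get(fields.get("client_id"))
    if key is None:
        return False, "unknown_client"        # identification failed
    expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    # Constant-time comparison: timing differences must not leak the MAC.
    if not hmac.compare_digest(expected, envelope.get("mac", "")):
        return False, "bad_mac"               # authentication / integrity failed
    current = now if now is not None else time.time()
    if abs(current - fields["ts"]) > max_age:
        return False, "stale"                 # outside the freshness window
    if fields["nonce"] in seen_nonces:
        return False, "replay"                # same envelope submitted twice
    seen_nonces.add(fields["nonce"])
    return True, "ok"


def demo() -> dict:
    """Run the cases a verifier must tell apart; returns the reason per case."""
    seen = set()
    t0 = 1_700_000_000
    env = sign_payment("client-1001", "150.00", "ACC-DEMO-0002", now=t0)
    first = verify_payment(env, seen, now=t0 + 5)
    # Substitution of the document: the amount is altered after signing,
    # so the MAC no longer matches the fields.
    tampered = {"fields": dict(env["fields"], amount="9150.00"), "mac": env["mac"]}
    tampered_result = verify_payment(tampered, seen, now=t0 + 5)
    # The original, valid envelope is submitted a second time.
    replay = verify_payment(env, seen, now=t0 + 10)
    return {"first": first, "tampered": tampered_result, "replay": replay}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The order of checks matters: the MAC is verified before the timestamp and nonce are read, so an attacker cannot influence the freshness logic with unauthenticated fields, and the nonce is only recorded after every other check has passed.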
Let’s analyze whether there is currently adequate security for electronic transactions.
How the security risk of payments became their main problem
According to the VTsIOM poll (fall 2011), Internet users account for 49% of Russians, but only 29% of them have shopping experience on the Web. The most demanded goods are clothes and footwear (9% of those polled bought such goods). In the top five most popular online purchases were also items of electronics, books (along with magazines, video and audio discs, computer games), rail and air tickets and vouchers (7% each), as well as small household appliances (6%).
Meanwhile, according to a Symantec report (summer 2011), worldwide losses from cybercrime amount to $114 billion per year. In 2010, 431 million people suffered from the actions of hackers and Internet scammers. The number of victims of cybercriminals on the Internet was three times the number of victims of real-world criminals.
In the first half of 2011 alone, companies such as Google, Sony and EMC were attacked by hackers. In our country, the DDoS attack on the popular Internet resource “LiveJournal” attracted a lot of attention.
According to a Trusteer study (fall 2009), 0.47% of bank customers worldwide fall victim to phishing attacks every year, which amounts to $2.4 to 9.4 million in annual losses for every million online banking customers. In the author’s view, the percentage of cybercrime victims in our country is 4 to 5 times higher than this figure.
According to ESET, today 95% of Trojan programs are directed to bank accounts. And in 2010, cybercriminals earned about 2.5 billion euros in Russia, 36% of the world’s earnings of cyber-frauds for the year.
The scale of the phenomenon brings to the fore the problem of developing a risk management system for remote banking and electronic payments, including those carried out via the Internet.
Which “weak spots” cybercrime most often exploits
A typical problem with payment on the Internet is an attempt to intercept data during a transaction or to steal information from a database. At the same time, there have been practically no break-ins into the databases of processing companies. This is largely because all of these companies necessarily comply with one of the four PCI DSS levels. But DDoS attacks, and interruptions of service due to attacks on the networks of financial institutions and large corporations, have occurred repeatedly.
The most common form of fraud, phishing, is aimed at gaining access to confidential user data: logins and passwords. This is achieved through mass mailings of emails and personal messages on behalf of popular brands, banks or social networks. Phishers try to trick a user into visiting a fake site and entering their confidential data on it, which allows the fraudsters to access the user’s accounts. Vishing (voice phishing) is also practiced: instead of a fake site, a phone number allegedly belonging to the bank is used.
The term “phishing” itself has been known since 1996. The first known attempt to capture EPS accounts in order to gain access to customers’ financial data was the attack on the e-gold payment system in June 2001. By 2004, phishing had become the main cyber threat for legal entities. Today, the targets of phishers are the customers of banks and EPS. By 2008, the number of phishing victims in the US had grown to 5 million.
According to Group-IB statistics, the schemes used by Internet fraudsters come in several standard variants of attack on the user’s electronic digital signature key (hereinafter – the user’s EDS): copying the key from unprotected storage (flash drive, hard disk, etc.) – 70% (5%); attacking the cryptographic capabilities of the token – 15%; actions of an internal malefactor on the client’s side (an insider) – 10%; substitution of the document at the moment of EDS signing – less than 1% of thefts.
There is a serious risk in using bank cards on the Web, and it also exists in the offline world in the form of operations such as MOTO (mail order / telephone order). Anyone who has learned your card number can pay with your money in almost any Internet service. Your card details can be stolen anytime and anywhere. They are stolen directly from banks or shops (by hacking databases, by bribing a store or bank employee, or through their direct collusion with intruders). A waiter in a restaurant or bar who takes your card away for a couple of minutes can copy its details. Finally, to steal the details it is enough to spy on them while standing next to the card owner at an ATM or in a store.