Information security of electronic payment systems
Securing electronic payment systems is a challenge for both the financial sector and regulators. There are two serious problems: unauthorized debiting of funds from bank cards or from the accounts of legal entities, and a general guarantee of the safety of payments made through non-bank payment transfer systems. Measures taken in recent years have made wire transfers more secure.
How an EPS works
The term "electronic payment system" (EPS) is understood as a settlement system in which payments are made via Internet channels and there is no traditional processing of payment orders.
This definition includes:
- payments by bank cards of the traditional systems Visa, MasterCard and Mir. Here, even though the transaction itself is fully protected, the problem of unauthorized write-offs arises when traffic is intercepted or card numbers are obtained;
- programs for interbank settlements via electronic communication channels, including fast payments made by banks by phone numbers;
- payments via electronic wallets (Yandex.Money and others);
- settlements through the infrastructure of mobile operators and other modern solutions.
The Bank of Russia operates several models of electronic payments: a program for intraregional electronic settlements (VER) and one for interregional electronic settlements (MED). For large urgent payments, the system of bank urgent payments (BESP) was created in Russia in 2007; it is analogous to European RTGS (real-time gross settlement) systems. Banks connected to it transfer large sums to each other for onward transfer to their clients within one operating day.
Information security of electronic payment systems is ensured by the requirements for participating banks:
- availability of a correspondent account with the Central Bank of the Russian Federation;
- a valid banking license;
- no overdue debts to the Central Bank of the Russian Federation;
- exchange of messages using the established communication mechanism with the Bank of Russia on the basis of an agreement;
- compliance of the bank's information systems with the technical and information security requirements for credit institutions set by the Central Bank of the Russian Federation.
The requirements are formulated in the Regulations of the Bank of Russia and are binding. Refusal to comply with the requirements may lead to complete or partial disconnection of the bank from the BESP technology.
General information security principles of remote transfer mechanisms
As for protection against unauthorized transfers in EPS generally, uniform requirements apply regardless of the level of each specific model.
Among the most vulnerable spots:
- Internet traffic between participants in the exchange of electronic messages about financial transactions (banks, operators of payment wallets, ATMs, customers);
- processing information within a bank or operator (for example, Yandex.Money), when the data may be available to employees;
- the need for constant availability of payment systems to customers, without disruptions in their operation or on the communication line.
The presence of these vulnerabilities forces banks and operators to ensure the protection of traffic when it is sent using available methods (transmission over secure channels, encryption) and to develop models for authenticating the sender and recipient of funds.
At the same time, a bank or payment operator must solve the following problems:
- determination of the mutual authenticity of the participants in the transaction when establishing the connection;
- ensuring the confidentiality and authenticity of payment orders sent over the Internet and other documents;
- protection of the sending process, formation of evidence of sending and receiving documents;
- ensuring that the document can be executed (for example, that the bank's correspondent account always holds a balance sufficient to make the payment).
The bank and the EPS operator are obliged to implement mechanisms to protect customers from unauthorized write-offs of funds, the specific requirements for which are determined by the policies of the operators and the regulations of the Central Bank of the Russian Federation:
- access control for the client and for the operator's and recipient's employees, with an authentication mechanism;
- control over the authenticity and integrity of information in a message;
- ensuring the confidentiality of information during the transfer;
- non-repudiation: the sender cannot deny authorship of the order to send funds or of other messages;
- guaranteed access to resources and guaranteed delivery of messages without loss in transit;
- the inability of the operator or the bank to refuse to execute the order for the transfer or payment;
- retention of data on orders and messages.
For card payments, the international payment systems apply their own information security measures to card-to-card transfers, and these conform to the requirements of the Bank of Russia. For other operators of paperless payments making more than 6 million transfers per year, there is a certification program conducted by a Qualified Security Assessor (QSA).
In Russia, several organizations entitled to issue such a certificate have representative offices; the certificate is granted if the operator meets the following requirements:
- its activities comply with the international standard Payment Card Industry Data Security Standard (PCI DSS);
- the payment service operator holds a certificate of compliance with ISO/IEC 27001:2005, the international standard for information security management in credit institutions, covering the development, implementation and maintenance of software;
- the operator works using an electronic digital signature (ES);
- encryption is carried out with authorized means of cryptographic protection developed by organizations licensed to provide and maintain cryptographic means.
The PCI DSS payment card industry information security standard was developed by the international payment card operators Visa and MasterCard. It includes 12 detailed requirements that payment systems must meet.
Recommendations of the Central Bank of the Russian Federation
In recent years, the Central Bank of the Russian Federation has moved from making recommendations to financial sector organizations on protecting the monetary system to indisputable requirements that are mandatory and accompanied by amendments to laws and by-laws. It must now receive information about each recorded hacker attack, or about one being prepared, within three hours.
The information must be submitted to FinCERT (the Center for Monitoring and Responding to Computer Attacks in the Financial Sector, a division of the Central Bank of Russia). All data related to an attempt to make an unauthorized transfer of funds from the accounts of companies and individuals is transmitted. Most banks and financial sector organizations are already connected to the FinCERT rapid response system; where this has not happened, information is sent by e-mail, with no guarantee that it will be read and registered in time. There is a further difficulty: such a message must be signed with an electronic signature, but if cybercriminals have managed to destroy an important layer of the bank's multi-layered defense, it will be difficult to verify the message with an electronic signature.
In the standard for ensuring information security of electronic payment systems, the Central Bank of the Russian Federation has enshrined several mandatory requirements:
- the computer connected to the system must not be accessible from the local network of the bank (clause 5 of the Resolution of the Central Bank of the Russian Federation No. 672-P);
- the computer sending payments to the correspondent account of the Central Bank of the Russian Federation for processing must be constantly monitored in order to detect unauthorized interference with the software or connection to third-party servers.
Interestingly, the regulator does not oblige banks to report DDoS attacks and other situations affecting the protection of the financial institution's own payment processing system. But all recommendations on protection against unauthorized transfers and interference in the operation of an EPS of any level, national or international, must be strictly followed. After the release of the recommendations, which fundamentally changed the rules of the game, banks admitted that they had previously not reported hacker attacks for two reasons:
- for fear of reputational risks;
- for fear of being fined for non-compliance with information security requirements and corporate conduct rules.
Now the measures of influence on banks for refusing to comply with the requirements of the regulator are more severe than just fines. One of them is the disconnection of the offending financial organization from the system of bank urgent payments (BESP). The amount of the fine, according to Art. 74 of the Law "On the Central Bank", can be up to 1% of the authorized capital of the bank. For example, the size of the fine for a financial institution like Sberbank could be 670 million rubles.
As part of regulating banks' activities to ensure security for customers of electronic payment systems, the Bank of Russia in April 2019 issued Regulation No. 672-P “On Requirements for Information Protection in the Bank of Russia Payment System”. Its main point was the obligation of banks to fully comply with GOST R 57580.1-2017 "Security of financial (banking) transactions" by mid-2021. Compliance with this Regulation and with the previous Regulation No. 552-P is verified during the CBR's annual audits and inspections, and an additional guarantee of compliance is the inclusion of these requirements as obligations of the credit institution in its agreement with the Bank of Russia.
In addition to the requirements for ensuring the information security of electronic payment systems, the Standard contains requirements for ensuring the protection of data sent as part of the financial messaging program (FMS).
GOST requirements relate to the protection of two payment mechanisms:
- the urgent transfer service and the non-urgent transfer service (SSNP);
- fast payment service (FPS).
Requirements have been formulated for the placement of information infrastructure objects used in money transfers. Different network segments and automated workstations (AWPs) must be used for generating electronic messages about the transfer of funds and for controlling the details of those messages. In addition, the following is required:
- ensure the use of high-level cryptographic means of protecting information;
- provide two-way authentication of information at the level required by GOST R ISO/IEC 7498-1-99;
- organize the registration of data on all actions of clients with their funds in order to timely inform the Bank of Russia about cases of unauthorized write-offs;
- to exchange information with the Bank of Russia on payments, it is necessary to use a separate workstation equipped in accordance with the requirements of the Standard.
In order to ensure the protection of electronic payment systems, each participant in the transfer system is obliged to adopt a package of internal organizational and administrative documents describing:
- data protection process while managing access to them;
- the procedure for ensuring physical and software protection of information systems of any level;
- control of the integrity and security of the infrastructure, the network of the organization carrying out the transfers;
- the use of antivirus tools and methods of protection against the injection of malicious code;
- protection against data leaks;
- information security incident management;
- protection of the virtualization environment;
- information protection during remote logical access using mobile (portable) devices.
The provisions of the Regulation oblige banks to pay more attention to gaps in their own protection systems, abandon independently developed software and switch to a unified, system-wide concept of payment security.
Yandex.Money and other payment systems
Russian users of the Yandex.Money electronic wallet are often interested in how the payment protection measures are arranged in it. The payment service uses the following protection algorithms:
- encryption of transmitted data using the RSA algorithm combined with hashing. Encryption takes place on the side of the sender of funds, and the key length is 1024 bits. The same method is used by WebMoney and PayPal. For comparison, the less well-known Russian E-Port program encrypts via SSL protocol version 3.0, which leaves room for vulnerabilities even with a 128-bit key (SSL 3.0 has since been formally deprecated);
- certification of transactions with the signature of the processing center;
- a multi-step authentication mechanism: first the user enters a password, which the wallet program verifies; one-time SMS passwords can then be used to confirm payments;
- the connection is made over HTTPS using an SSL/TLS certificate;
- storage of all information is organized on secure servers;
- the data is write-protected by special software solutions;
- the program "Yandex.Wallet" is used, which increases the protection of transactions.
As an additional measure, a protection code has been introduced: the recipient can collect a transfer made through the operator only if they know this code. This avoids the risk of phishing and of sending payments to unverified recipients.
A separate issue in the security of electronic payment systems is the protection of payment applications such as Apple Pay and Samsung Pay. When introducing regulatory rules for foreign operators, the Central Bank of the Russian Federation often comes into conflict with already developed and established security standards, which can make it difficult for Russian citizens to access these services. But a timely response from the professional community helped to amend the new regulatory requirements, and the services remained accessible to Russian citizens.
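The integrity, authenticity and non-repudiation requirements listed earlier for payment orders, and the hash-then-sign RSA scheme described for Yandex.Money, can be illustrated with a signed payment order. This is an added example, not code from the page or from any operator it mentions: it uses textbook RSA (no padding) with a toy 512-bit key generated in place, smaller than the 1024 bits the page cites, and a constructed order whose field names are assumptions.

```python
import hashlib
import json
import random
from math import gcd
def is_probable_prime(n, rounds=20):  # Miller-Rabin, adequate for a demo key
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):  # random odd candidate with the top bit set, until prime
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def generate_keypair(bits=512):
    """Toy RSA key pair ((e, n), (d, n)): textbook RSA, no padding, demo only."""
    e, p, q = 65537, random_prime(bits // 2), random_prime(bits // 2)
    while p == q or gcd(e, (p - 1) * (q - 1)) != 1:
        q = random_prime(bits // 2)
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)

def order_digest(order):
    """Canonical JSON then SHA-256, so sender and verifier hash identical bytes."""
    raw = json.dumps(order, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")

def sign_order(order, priv):  # hash-then-sign with the sender's private key
    return pow(order_digest(order), priv[0], priv[1])
def verify_order(order, sig, pub):  # anyone holding the public key can check it
    return pow(sig, pub[0], pub[1]) == order_digest(order)

def demo():  # sign a constructed order; a copy with a changed amount must fail
    pub, priv = generate_keypair()
    order = {"id": "ORD-0001", "payer": "ACC-1", "payee": "ACC-2", "amount": "1500.00"}
    sig = sign_order(order, priv)
    return verify_order(order, sig, pub), verify_order(dict(order, amount="15000.00"), sig, pub)
```

The digest is always smaller than the 510-bit-plus modulus, so raw exponentiation works here; a production signer uses a padded scheme such as RSA-PSS and a key of at least the length the regulator requires.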
The fast payment system (FPS, known in Russia as the SBP), which began operating on January 28, 2019 and allows money to be sent to a phone number, also has its own security rules approved by the regulator. To connect a credit or financial institution to the SBP, it is necessary to:
- install software with the maximum degree of protection recommended by the regulator, or modify your own software in accordance with the requirements and technical specifications;
- test the interaction.
More than 30 participants have now registered in the SBP, including the 10 largest banks in the country. For delaying its connection to the SBP, Sberbank was fined 1 million rubles, which became an important signal for other market participants. The Central Bank has warned payment operators that attacks exist whose aim is to collect customers' personal data. In a letter sent to banks, it reported that the main focus of the attack was “an automated or manual process of collecting information about clients of banks that are members of the SBP. An attacker who already has the client's identifier (his mobile phone number) can now obtain additional information about this person, for example first name, patronymic and the first letter of the last name, as well as the names of several banks where he has open accounts.” Attackers can use the collected phone numbers to organize mass calls to bank customers in order to obtain passwords for personal accounts and other data.
The Central Bank offers the following mechanism to combat the threat: the National Payment Card System (NSPK), which is the operational and clearing center of the SBP, monitors operations around the clock and blocks in the system the suspicious phone numbers from which mass enumeration (brute-force lookup) is carried out. In addition to blocking numbers, the Central Bank will inform banks of the IP addresses from which the bulk lookups were attempted.
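The monitoring described above, as an added example that is not the page's or NSPK's code: detection logic that flags source addresses resolving many distinct phone numbers within a short window, run over constructed sample log lines (the log format, field names and thresholds are assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lookups against a recipient-resolution endpoint, one per line:
# "<timestamp> <source IP> <phone number queried> <result>". One source walks
# through consecutive numbers; the other repeats a known contact a few times.
SAMPLE_LOG = """\
2021-03-01T10:00:00Z 203.0.113.5 +79990000001 not_found
2021-03-01T10:00:02Z 203.0.113.5 +79990000002 found
2021-03-01T10:00:04Z 203.0.113.5 +79990000003 not_found
2021-03-01T10:00:06Z 203.0.113.5 +79990000004 found
2021-03-01T10:00:08Z 203.0.113.5 +79990000005 not_found
2021-03-01T10:00:10Z 203.0.113.5 +79990000006 found
2021-03-01T10:00:12Z 203.0.113.5 +79990000007 not_found
2021-03-01T10:00:14Z 203.0.113.5 +79990000008 found
2021-03-01T10:00:03Z 198.51.100.7 +79990000042 found
2021-03-01T10:05:03Z 198.51.100.7 +79990000042 found
2021-03-01T10:06:03Z 198.51.100.7 +79990000043 found
"""

def parse_line(line):
    ts, ip, phone, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, phone, result

def find_enumerators(lines, window=timedelta(seconds=60), max_distinct=5):
    """Map source IP -> peak count of distinct phone numbers it resolved inside
    any `window`; only sources whose peak exceeds `max_distinct` are returned."""
    events = defaultdict(list)
    for line in lines:
        ts, ip, phone, _ = parse_line(line)
        events[ip].append((ts, phone))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        peak = start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward past old events
            peak = max(peak, len({p for _, p in evs[start:end + 1]}))
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged
```

A legitimate client repeating a lookup of the same contact never raises the distinct count, so the rule keys on breadth of enumeration rather than raw request volume.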
The methods of protection depend on the principle of operation of the payment system and the threat model. The implementation of the security measures recommended by the regulator should lead to an increase in the security of electronic payments, a decrease in the number of unauthorized financial transactions and debits from bank cards. The safety of citizens' funds entirely depends on the willingness of banks and operators to comply with the requirements of regulators.