What affected customers say
RBC spoke with customers who reported the thefts. Money was withdrawn from their accounts without their knowledge between late March and early June. Most of the affected accounts were tied to credit cards, but there were also cases of withdrawals from debit cards and savings accounts. In total, 11 customers spoke to RBC; by their account, more than 1.8 million rubles were stolen from them.
According to MTS-Bank customers, most of the thefts followed the same scheme: the scammers had the customer's mobile number blocked (most of the affected customers were MTS subscribers, but there were also cases of blocked MegaFon, Beeline and Tele2 numbers), then changed the phone number linked to the bank account, gained access to the account and online banking, and transferred the money out. “Looking at the history in my MTS and MTS Bank personal accounts, I found out that the ‘Voluntary number block’ service was activated on my number on 4.06.2020 at 22:55. And all the fraudulent transactions were carried out on 5.06.2020 between 02:20 and 02:50,” says one of the victims, Yuri, who asked that his full name not be given.
A representative of MTS said that complaints about the service have been received from customers over the past month (affected customers told RBC that they had contacted MTS). Representatives of VimpelCom (the Beeline brand) and MegaFon said their companies had not recorded any customer complaints about similar situations. Tele2 did not respond to RBC's request.
How the fraudsters could have stolen the money
- In schemes like this, the attackers can first call the mobile operator's call centre and ask to temporarily block the number (any operator allows this, for instance if the phone has been stolen); to do so they need to know the victim's passport details, says an employee of one of the operators. Then, knowing the passport data, the scammer can call the bank's call centre and ask to link a different phone number to the account instead. This gives him full access to the one-time SMS passwords sent to the linked number to confirm transactions.
- RBC asked the MTS-Bank call centre how to change the number linked to an account. The call centre operator said that this can now only be done in person at a branch, although a couple of days earlier it had been possible to change the number through the call centre knowing only the passport data and a code word. The bank's press service said the number can only be changed at an MTS store, a bank branch or an ATM.
- If the scammers were able to gain access to the phone number and then the bank account by knowing the passport data and the code word, this could mean MTS-Bank customers' personal data has leaked, says DeviceLock founder and CTO Oganesyan: “The fraudsters could have obtained either a complete database with passport data and code words, or just one with customers' names and account balances. In the second case, the attackers could pick the customers with the largest balances and order an illicit lookup (‘probiv’) of their data from the operator and the bank. Such services at banks can cost up to 15 thousand rubles; at mobile operators a number lookup costs from 800 rubles to 4.5 thousand rubles, and blocking a number from 3.5 thousand rubles and up (according to ads posted on the darknet. — RBC).”
- Only bank employees with a certain level of access can obtain the code word, continues Ilya Tikhonov, head of the Compliance and Audit practices in the security department of the Softline group. “I can assume that this situation arose either from inside (specific people at the bank provide the ‘lookup’ service. — RBC) or from a well-organised targeted attack on the bank's servers.” A mere leak of personal data would not have given the criminals the opportunity to organise such a theft scheme, since passport details and the code word are not usually stored in the same database, Tikhonov said. In the expert's view, blocking the phone number in this case was needed mainly to ensure that potential victims did not receive the notification about the change of data linked to the account.
- A forced password change by the bank (MTS Bank carried one out at the end of May) may indicate a tightening of security measures in response to a suspected compromise of customer credentials, so that attackers cannot use them, for example to log in to a user's personal account, says Yaroslav Babin, head of web application security analysis at Positive Technologies.
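The scheme described in this list works because the SMS one-time password stops being an independent factor the moment the linked number has been changed through the same weak channel (passport data plus a code word). As an added illustration of the defensive point, and not code from RBC, MTS-Bank or any of the quoted experts, the following Python sketch applies a cooling-off rule to outgoing transfers that follow a change of the linked number. The event layout, the channel names, the 72-hour and 24-hour windows and the sample timeline are all assumptions; the sample events are constructed and only loosely follow the times quoted by the victim above.

```python
# Added illustration (not RBC's or MTS-Bank's code): a cooling-off rule for
# transfers that follow a change of the phone number linked to an account.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Event:
    ts: datetime
    kind: str            # "phone_change" or "transfer"
    customer: str
    channel: str = ""    # phone_change only: "call_center", "branch", "atm"
    amount: int = 0      # transfer only, in rubles


# Hypothetical policy: after the linked number is changed through a remote
# channel, treat SMS one-time passwords as a weak factor for 72 hours; after an
# in-person change (passport shown at a branch, card and PIN at an ATM), 24 hours.
COOLING_OFF = {
    "call_center": timedelta(hours=72),
    "branch": timedelta(hours=24),
    "atm": timedelta(hours=24),
}


@dataclass
class Decision:
    event: Event
    action: str          # "allow" or "hold"
    reason: str = ""


def evaluate(events: List[Event]) -> List[Decision]:
    """Replay events in time order and decide each outgoing transfer.

    A transfer is held for out-of-band confirmation (for example a call back to
    the previously linked number, or an in-branch check) when it falls inside
    the cooling-off window opened by the customer's most recent number change.
    """
    last_change: Dict[str, Event] = {}
    decisions: List[Decision] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "phone_change":
            last_change[ev.customer] = ev
            continue
        if ev.kind != "transfer":
            raise ValueError(f"unknown event kind {ev.kind!r}")
        change = last_change.get(ev.customer)
        if change is None:
            decisions.append(Decision(ev, "allow"))
            continue
        # An unrecognised change channel is treated like a remote one.
        window = COOLING_OFF.get(change.channel, timedelta(hours=72))
        elapsed = ev.ts - change.ts
        if elapsed < window:
            decisions.append(Decision(
                ev, "hold",
                f"{ev.amount} RUB transfer {elapsed} after number change via {change.channel}"))
        else:
            decisions.append(Decision(ev, "allow"))
    return decisions


def sample_events() -> List[Event]:
    """Constructed events: the bank-side change time and the amounts are invented,
    the transfer times follow the 02:20-02:50 window the victim describes."""
    return [
        Event(datetime(2020, 6, 5, 1, 50), "phone_change", "yuri", channel="call_center"),
        Event(datetime(2020, 6, 5, 2, 20), "transfer", "yuri", amount=120_000),
        Event(datetime(2020, 6, 5, 2, 50), "transfer", "yuri", amount=95_000),
        # a legitimate transfer a week later, well outside the window
        Event(datetime(2020, 6, 12, 10, 0), "transfer", "yuri", amount=5_000),
        # a customer who never changed their number
        Event(datetime(2020, 6, 5, 2, 30), "transfer", "olga", amount=30_000),
        # an in-person change followed two days later by a transfer: allowed
        Event(datetime(2020, 6, 1, 12, 0), "phone_change", "pavel", channel="branch"),
        Event(datetime(2020, 6, 3, 12, 0), "transfer", "pavel", amount=50_000),
    ]


def held_transfers(events: List[Event] = None) -> List[Decision]:
    """Convenience wrapper returning only the transfers placed on hold."""
    src = events if events is not None else sample_events()
    return [d for d in evaluate(src) if d.action == "hold"]


if __name__ == "__main__":
    for d in evaluate(sample_events()):
        print(d.event.ts, d.event.customer, d.action, d.reason)
```

Run as a script, the two night-time transfers on the account whose number was changed through the call centre are held, while the later transfer, the untouched account and the in-person change are allowed. The window is deliberately long compared with the roughly four hours between the block and the transfers quoted above; the point is that the confirmation has to reach the customer by a channel the attacker does not control.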
In some cases the bank must return the money
The victims contacted MTS-Bank and went to law enforcement and Rospotrebnadzor. The bank told them that reviewing the incident would take 60 days, several of RBC's interlocutors said. One of the victims, Mr Zonov, discovered the theft on 31 March and filed a statement with the bank the next day, but has received no response even though the review period has already expired. The period for handling such complaints is set by the law “On the National Payment System” and is 30 days for transactions made within the country and 60 days for cross-border transactions: if the bank has set a period of 60 days, the transaction may have been carried out abroad, explains Anatoly Loginov, partner at the Pen & Paper bar association.
Another victim, Valery Kokorin, contacted the bank in early April. The bank's reply (RBC has seen it) came in early June; it says that the money was transferred from his card to the card of an individual at another bank through a third-party acquiring network using the 3D Secure online transaction protocol (an SMS code is sent to the phone number registered with the bank). The bank refused to return the money, since the transaction was confirmed by entering the one-time verification code sent to the phone number registered with the bank (the customer says that this was the scammers' number).
The bank's reply looks questionable, says Loginov: “The bank refers to the provision of the Federal law ‘On the National Payment System’ under which it is obliged either to return the money or to prove that the customer violated the procedure for using the electronic means of payment and that this violation led to the disputed transaction. That is, in this case the bank should return the money, but it nevertheless writes that there are no grounds for doing so.”
According to the lawyer, in this case the fraudsters gained access to the customers' means of payment and money without the customers' involvement, and unless the bank can prove otherwise, its refusal to return the funds is unlawful.
“Analysis of incoming requests shows that users themselves often give out their card details to fraudsters, which in turn excludes the bank's liability,” Rospotrebnadzor noted. At the same time, the agency believes that “the bank is obliged to prove that, for its part, it took appropriate measures when providing the service to ensure its security and to prevent access to, for example, the one-time password by unauthorised persons, and that the disputed transaction was carried out solely because the consumer violated the safety rules for using the card”.