Experts have identified a flaw that allows criminals to steal money from accounts of clients of banks through the Faster Payments System (FPS),  which is often opposed to the idea of a crypto-ruble.

The experts found out that when the function of transfers via the FPS in the mobile bank was activated, one of the credit institutions was left vulnerable. Fraudsters were able to take advantage of this error and get customer account data.

Then the attackers launched the mobile bank in debug mode,  logged in as real clients, and sent a request to transfer funds to another bank, only instead of their account they indicated the account number of another client for debiting. Since the system does not verify the ownership of the account, it debited the money and transferred it to the fraudsters.

According to market participants, this is the first case of theft of funds using the FPS. The vulnerability could only be known by someone familiar with the application: an employee or developer.

The Central Bank noted that the problem was found in the mobile app of only one credit institution and promptly eliminated. 

Yaroslav Babin, head of web application security analysis at Positive Technologies, said that using the FPS is safe, but there may be problems in the applications of individual banks.

According to him, if hackers found a vulnerability in the application of a credit institution, the client will not be able to influence the safety of their funds in any way. All responsibility lies with the Bank that developed and released the app.

Babin recommends that banks pay more attention to system security analysis, implement secure development methods, and analyze the source code of all public applications or their updates before publishing them.

It is worth noting that the Faster Payments System is a service that allows individuals to instantly transfer money by mobile phone number to themselves or others. At the moment, all the largest credit organizations in Russia and more than 70 banks are connected to the FPS.



Source link