MOSCOW, March 9 – RIA Novosti. Fraudsters in Russia have learned to penetrate the mobile applications of bank customers by finding vulnerabilities in the software of credit institutions, but such cases are not common: it is easier for attackers to steal funds from citizens using social engineering, information security experts told RIA Novosti.
In February, Artem Sychev, the first deputy head of the information security department of the Central Bank of the Russian Federation, said in an interview with RIA Novosti that last year the regulator recorded cases in which attackers probed for weaknesses in the software “located between the bank and the client.”
According to Sergey Golovanov, a leading expert at Kaspersky Lab, this refers to applications or personal accounts on Internet banking sites, as well as services for transferring funds from card to card. Vulnerabilities can be very diverse, but the most dangerous are those associated with insufficient authorization or authentication, the expert said.
Yaroslav Babin, Head of Web Applications Security Analysis Department, agreed with his colleague. This vulnerability allows attackers to easily find out some information from personal accounts in online banking: the amount of deposits, spending, passport data, he said.
“The second most popular problem is the possibility of attacks on clients (36%), which can allow you to gain access to your personal account, and with a combination of different vulnerabilities, even withdraw money,” the expert said.
The reasons such vulnerabilities emerge are haste, a lack of secure development principles, and a lack of professional, high-quality audits of applications and communication protocols before they are put into operation, says Sergey Nikitin, Deputy Head of the Group-IB Computer Forensics Laboratory.
At the same time, Golovanov from Kaspersky Lab added that there are few real incidents in which cybercriminals exploited such “weaknesses” in software. “It is often easier for cybercriminals to lure out the information necessary for a transfer using social engineering,” the expert concluded.