Bankers will hand over digital fingerprints – Newspaper Kommersant No. 63 (7508) dated 04/12/2023

The published standard of the Central Bank for ensuring the security of financial services using digital fingerprints of devices can turn into difficulties and additional expenses for banks. According to experts, the effectiveness of the developed rules also raises doubts. However, banks are determined to implement the standard to attract new customers, despite its advisory nature.

The Bank of Russia has published a standard for ensuring the security of financial services using digital fingerprint technology. It establishes for banks uniform rules for the formation, storage and use of unique digital fingerprints of devices – a set of parameters that allow you to uniquely identify a user’s device with which banking and other financial transactions are performed, the Central Bank explained. By standardizing the algorithm for collecting digital fingerprints of devices, financial institutions will be able to more effectively counteract transactions without the consent of customers, the regulator believes. However, the standard is advisory in nature.

It is assumed that the digital fingerprint of the device is formed from hardware identifiers, OS version, version of the browser installed on the device, and “other system and hardware parameters of the device,” follows from the document. The Central Bank recommends that credit institutions maintain a database of reference digital fingerprints of the device along with the initial values ​​of the device parameters, as well as digital fingerprints obtained when the user performs financial transactions along with data on these transactions.

According to the leading information security consultant at Aktiv.Consulting Alexander Moiseev, the standard has several goals: to use “fingerprints” as an additional authentication factor, as an artifact in investigating incidents and tracking transactions, and also as a conditional indicator of compromise, that is, a device from which computer attacks have been attempted.

VTB calls the decision of the Central Bank to publish the standard timely and promises to follow it. Alfa-Bank agrees that a single digital fingerprint standard will benefit the market. At the same time, Vyacheslav Kasimov, director of the information security department of the MKB, notes that the bank will use the standard, “but after the necessary discussions and understanding that honest customers will not be affected in any way and will not cause them any inconvenience.”

Experts openly doubt the effectiveness of the standard. The bulk of attackers use social engineering, that is, in fact, through the device of the victim. There may be an indirect benefit from accounting for droppers (“cashers”), but it will affect the costs of fraudsters rather than the safety of citizens, explains Fedor Muzalevsky, director of the RTM Group technical department.

Using such a standard, it will be impossible to protect yourself and recognize fraudulent activities in the event of the theft of the device itself or using it remotely by obtaining direct access to it remotely with administrator rights, said Alexei Voylukov, vice president of the Association of Banks of Russia. Also, attackers often use targeted disguise – now stolen “digital identities” are being sold on marketplaces on the dark web, adds Mr. Moiseev.

At the same time, banks may experience difficulties in meeting the requirements of the standard. According to Alexei Voylukov, it is difficult to obtain a full-fledged fingerprint on the device according to the proposed parameters, since, for example, the automatic installation of any updates to the system, browser and other modules will immediately lead to the need to adjust or change this profile. And updates on phones come out regularly and quite often.

Costs may add to implementation difficulties, experts warn. According to Fedor Muzalevsky, the implementation costs, depending on the bank, can amount to tens and even hundreds of millions of rubles. However, this will not significantly affect the cost of services, since this expense will be “smeared” evenly across all customers, as is done in such cases, and the increase will be in fractions of a percent, he notes.

Julia Poslavskaya