Beware, SMS: a hole in the law threatens to minimize the amount of return of stolen funds to Russians

Scammers do not disdain much less significant amounts. What the official data of the Bank of Russia tells us: in 2023, the “average bill” for so-called transactions without the client’s consent was about 14–15 thousand rubles. In total, in the first 6 months of 2023, fraudsters stole money from bank cards, accounts, and deposits of citizens about 250 thousand times, totaling more than 3.5 billion rubles. The victims managed to return only a small part of the stolen money – 7.2% of the amounts stolen by the attackers – 252 million rubles.

Obviously, in such a situation, a law is vitally needed to protect citizens from cyber fraud, obliging banks to reimburse clients for stolen funds in transactions “without voluntary consent.” And now the long-awaited document was adopted by the State Duma and will come into force in the summer of 2024.

Hooray?! Unfortunately no. Legislators forgot to clarify an important detail in the law – how exactly the bank should obtain the client’s “voluntary consent” to carry out the operation. This small omission may ultimately lead to the fact that the percentage of return of stolen money for transactions without the client’s consent will be as meager after the law comes into force as it is now.

The law stipulates that the bank must check all money transfers of citizens and suspend suspicious transactions for two days. During this time, the credit institution must contact the client and make sure that he really wants to transfer money.

Can a bank refuse to make a transfer even after receiving confirmation? Of course, if the money is transferred to the accounts of so-called droppers, that is, those who have already been detected in receiving funds through fraudulent and other illegal transactions. Maintains a “black list” of Central Bank droppers.

At the same time, in any case, the bank is not relieved of the obligation to verify all transfers, regardless of who the recipient is – a dropper, an ordinary person or a company. And credit institutions will process suspicious payments in full, so as not to be found guilty when the money goes to scammers outside the “black lists.”

Are the amendments to the document a benefit for citizens – clients of credit institutions? At first glance, it is clear: the banks publicly supported the document. But in fact, what is a plus for banks is not always good for ordinary citizens. Credit institutions are quite happy that their liability is limited by law to the Central Bank’s “black list”. That is, if a person’s money was stolen, then essentially the Bank of Russia will be to blame for not adding the fraudster – the recipient of the funds – to the “black list”. And no one will return money lost to scammers outside the list.

Another unresolved issue: the law requires obtaining confirmation from the client that he is transferring money voluntarily and consciously. But the document does not say exactly how this “voluntary consent” should be obtained, and this is a dangerous point. Before the law was adopted, banks sometimes called customers in case of suspicious transactions, but this method is expensive for the bank. When such calls are rare, banks can still afford to spend money on cellular communications and on paying for additional work of a call center employee. When it is necessary to check each transfer, it is unlikely that banks will want to use this method of obtaining “voluntary consent”.

An alternative is calls from a robotic assistant. Here the bank spends money on paying for cellular communications, but saves on the operator’s salary. It turns out to be a little cheaper, but most people do not like to communicate with robots, and therefore this method is also unlikely to work.

Therefore, SMS, which is cheaper and more common, will most likely be used to confirm transactions. And this is precisely a very dangerous aspect of the law, which significantly reduces the “protective functions” of an overall positive and correct document.

To many, SMS messages still seem to be a very reliable payment confirmation tool. But actually it is not. Problem number one is that the number of printed characters in an SMS message is limited. Therefore, it is impossible to cram all the information about a payment transaction into one message. Credit institutions will not send 3-4 SMS to a client, since it is very expensive: an SMS to a bank costs up to 4 rubles per message (the cost depends on the size of the bank). Can a message that contains no information about the transaction, when the client, in principle, does not see what he is signing, be considered sufficient confirmation of the client’s voluntary consent to make a payment? In my opinion, the answer here is clear: no.

Problem number two: SMS is quite easy to intercept – such attacks have existed for several years and are successfully implemented. Thus, back in 2019, six of the largest German banks refused to use SMS to confirm transactions due to their vulnerability (it has not yet been fixed), which allows cyber fraudsters to create a virtual SIM card and redirect all transactions from the client’s real SIM card to it. One can only guess what “voluntary consents” the attackers will give to banks using this vulnerability and acting on behalf of the client.

There is a third problem. According to the Bank of Russia, now about half of all cyber attacks on citizens are carried out using social engineering. That is, scammers, posing as employees of banks, law enforcement agencies, government services and other competent organizations, call citizens and fraudulently lure them out of SMS codes. At the same time, scammers often explain to their victims that their funds are transferred to a “safe account” in the bank itself just to protect them from scammers. As a result, a person led by “social engineers” can confirm an operation that is completely different from the one he actually wanted to carry out, and the funds go to a stranger’s bank card. I am sure that half of all thefts from citizens using social engineering are committed precisely because they do not understand the confirmation code for which operation they call the “bank security service.”

Is there an alternative to SMS that is safe and clearly confirms that the person really wanted to transfer money? Yes, there are solutions, including Russian ones, that allow you to confirm payments and transfers, providing all the information about the operation being carried out without the possibility of it being intercepted by hackers. One option (but not the only one) is a mobile electronic signature. When used in remote banking channels, unlike SMS, the client has all the information about the operation on the smartphone screen – to whom, how much and to which bank the money goes, and the credit institution has concrete confirmation that voluntary consent has been received. That is, when using it, situations where a client transfers funds to a certain “Mikhail L.”, thinking that the funds are sent to a “safe account” in the credit institution itself, are simply impossible.

Some Russian banks have already abandoned SMS and are using alternative solutions that allow customers to clearly see what transaction they are agreeing to. Some, but, alas, not all.

And since in the law the deputies forgot or did not consider it necessary to clarify the procedure for confirming receipt of the client’s “voluntary consent,” there is a risk that the most conservative players in the financial market will continue to use outdated SMS, endangering clients’ funds. And therefore, citizens have only one way to protect themselves – to vote with rubles, that is, to keep money in those banks that have abandoned obsolete and unsafe SMS in favor of more advanced technologies.