Gray morning of sanctions

Gray morning of sanctions



Sberbank, which lost the ability to renew certificates for Internet encryption due to sanctions, on December 30 transferred the payment gateway (responsible for the form and page of payment by card in online stores) to Mintsifra certificates. The bank has been convincing users for many months to install certificates on their own PCs and phones, otherwise sites using the solution from the Ministry of Digital Development will give an error.

Customers of online stores that have not installed certificates will see the bank's payment page on one of the five "alternative domains", where the connection to it will be established using foreign certificates. The domains do not mention Sberbank, and they look so impersonal - securecardpayment.ru, secure-payment-way.ru, etc., that out of context they could easily pass for fraudulent ones. The documentation for the payment gateway of Alfa-Bank, which also fell under sanctions, does not describe such schemes; Multicard, after the withdrawal of the sub-sanctioned VTB from the T1 Group, managed to renew the foreign certificate.

The appearance of such domains in an official connection with Sberbank not only risks becoming a reason for a new surge of fraudulent schemes, but also violates the main rule of digital hygiene: “Check that you are entering card details on a genuine page.” But under the pressure of sanctions, this is not the first time the bank has taken steps that raise questions among cybersecurity specialists. For example, its mobile application (positioned as a third-party development) is put on the iPhone, in fact, by hacking.

All modern digital infrastructure is somehow built on the trust of the parties. For example, when I download an app from the Play Store, I assume that Google has verified its safety and compatibility with my phone. It is the same with encrypted connections on the Internet: I assume that the developer of the OS or browser has checked the certification authority, and that one has checked the clients to whom it issues certificates.

Sanctions and other restrictions are increasingly destroying this system in Russia. Networks of formally unrelated services are deployed around the blacklisted banks and companies, trust in which seems to be implied, but cannot be declared and officially confirmed, which means it creates risks.

From a practical point of view, this is probably better than just a complete loss of service performance. The problem with payment pages from Sberbank, for example, could affect such major retail players as Detsky Mir, Svyaznoy, Leroy Merlin (see Kommersant dated December 15, 2022). But the more such schemes around the sanctioned players, the stronger, apparently, will be the desire of their partners and clients to work with more transparent organizations.



Source link