Banks, Police and You: A New Formula for Financial Security

The Central Bank is updating the rules for the protection of banking information.

The Central Bank of Russia has published a draft regulation on mandatory requirements for the protection of information by Russian banks and branches of foreign credit institutions to counter transactions without the client's consent (OBS). This provision will replace the current 683-P.

One of the key innovations, according to experts, will be the ability for clients of systemically important banks and credit institutions to file complaints about crimes with the Ministry of Internal Affairs through the bank. Electronic document management between the Ministry of Internal Affairs, the Central Bank and credit institutions has already been established and is functioning, and now this process is planned to be expanded to customers. In the mobile applications of banks, there will be an option that allows you to send a crime report to the Ministry of Internal Affairs. This will create a chain of interaction between the client, the bank, the Central Bank and the Ministry of Internal Affairs.

It is also assumed that banks will be required to record the parameters and metadata of financial transactions with each application received from the client. Among such data will be accounts, details of electronic wallets and phone numbers. This approach not only saves the client's time, but also ensures that all necessary information is passed on to the police, eliminating the need for the victim to provide additional account statements. Local police often face difficulties in investigating such cases due to a lack of competence and problems with interacting with banks, which slows down the process.

One of the significant problems in fraud investigation is the loss of time, and the new approach will partially solve this problem, according to information security experts.

However, the point of the draft, which assumes that cryptographic keys can be produced not only by the client, but also by the bank on his behalf, remains controversial. This may lead to the risk of the client challenging transactions confirmed by such a key, which will require banks to implement additional mechanisms for protection and registration of transactions.

At the moment, most banks use SMS confirmation to authorize transactions. The SMS code is generated on the bank's side, delivered through the mobile operator and only then reaches the client. This scheme has long allowed customers to dispute money transfers.

The new version of the document introduces additional concepts aimed at eliminating vulnerabilities, including the mention of cryptographic keys. However, the current draft does not specify exactly where these keys should be stored or how they should be used. According to experts, the most secure option would be to explicitly require that cryptographic keys be stored on the client side. Otherwise, there will be a situation in which some credit institutions, interpreting the provisions of the document, implement protective mechanisms only on their side, leaving customers with only SMS or push codes, which creates additional risks.
