How to bypass session antifraud and why protection should be comprehensive

Teacher

An improvised CTF from BSS showed how easy it is to "crack" one security factor.

Cyber fraud remains one of the most painful topics for the banking sector, and stealing funds through the remote banking services (RBS) channel is a favorite method of cybercriminals. Banks and vendors make every effort to counter it, including by implementing and improving anti-fraud systems.

In his talk, Viktor Gulevich, Director of the Security Systems Department at BSS, described modern means of protecting RBS applications from cybercriminals. To show how easily the imperfections of anti-fraud can be exploited, the speaker offered the session participants a small improvised Capture the Flag (CTF): an account-interception game.

The expert explained how session anti-fraud systems that analyze patterns of user behavior work. They track all of the account owner's actions and record their characteristics. If a fraudster then tries to use the account to withdraw funds, the system detects the deviation from the owner's usual behavior and blocks the transaction.

Viktor Gulevich stressed that attackers can easily deceive the application if only one identification factor is used — and for clarity, he suggested that the audience "hack" their own bank account.

One of the participants managed to trick the session anti-fraud with a photo. To confirm the transaction, all they had to do was show the account owner's photo from a second phone, and the transaction was approved. This clearly demonstrates how easy it is to bypass a single enabled factor.

"But in reality, there are a lot of behavioral factors. Where you are, how you hold your phone, which hand you use, and how you navigate the app. All the patterns of the owner, as well as the characteristic patterns of fraudsters, are recorded, and this allows you to resist crimes," said Viktor Gulevich. "With this in mind, we provide comprehensive information security services, including a layered fraud protection system, both external and internal."

The solution is built on BSS's own anti-fraud platform, "FRAUD-Analysis", in which technical and biometric methods of identifying the payer and their device can additionally be implemented. This makes it possible not only to protect customers from fraudsters with high probability, but also to provide easy user authentication in the RBS application, even without entering a password, fingerprint, or Face ID (so-called frictionless authentication), which greatly increases how often customers use the bank's RBS application to obtain additional services.
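To make the difference between a single-factor check and the layered session anti-fraud described above concrete, here is an added illustration that is not code from BSS or from the talk. It scores a session against a recorded owner baseline; the factors, weights, thresholds and sessions are all constructed assumptions, and it also shows the frictionless case where a session matching the owner's behavior is approved without the biometric factor.

```python
# Session anti-fraud scoring: the single-factor check from the CTF next to a
# layered behavioral check. Baselines, weights and sessions are constructed
# sample data for this illustration, not any real product's logic.

# Behavioral traits recorded for the legitimate owner in past sessions
# (constructed). A set per factor allows several "normal" values.
OWNER_BASELINE = {
    "device_id": {"phone-A"},
    "geo_region": {"home-city"},
    "holding_hand": {"right"},
    "nav_path": {"home>accounts>transfer", "home>cards"},
}

# Risk contributed by a deviation on each factor (constructed weights).
FACTOR_WEIGHTS = {
    "device_id": 0.35, "geo_region": 0.25, "holding_hand": 0.2, "nav_path": 0.2,
}
FACE_MISMATCH_RISK = 0.4   # a failed face check adds risk but is not decisive
BLOCK_THRESHOLD = 0.5


def single_factor_decision(session):
    """The weak scheme: one biometric factor decides the whole transaction."""
    return "approve" if session.get("face_match") else "block"


def deviating_factors(session, baseline=OWNER_BASELINE):
    """List the behavioral factors where this session departs from the
    owner's recorded patterns (a missing value counts as a deviation)."""
    return [f for f, normal in baseline.items() if session.get(f) not in normal]


def layered_decision(session, baseline=OWNER_BASELINE, weights=FACTOR_WEIGHTS,
                     threshold=BLOCK_THRESHOLD):
    """Combine the face factor with behavioral deviations into one risk score,
    so a spoofed photo alone cannot approve a session whose behavior is off."""
    risk = 0.0 if session.get("face_match") else FACE_MISMATCH_RISK
    deviations = deviating_factors(session, baseline)
    risk += sum(weights[f] for f in deviations)
    return ("block" if risk >= threshold else "approve", round(risk, 2), deviations)


# Constructed session: the attacker presents the owner's photo (face passes) but
# from a different phone, another region, the other hand and an unfamiliar path.
SPOOFED_SESSION = {"face_match": True, "device_id": "phone-B",
                   "geo_region": "other-city", "holding_hand": "left",
                   "nav_path": "home>transfer"}

if __name__ == "__main__":
    print(single_factor_decision(SPOOFED_SESSION))   # approve: the CTF bypass
    print(layered_decision(SPOOFED_SESSION))         # block, risk 1.0
```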

To see how it all happened, watch the video of Viktor Gulevich's speech: