How to bypass session antifraud and why protection should be comprehensive
Cyber fraud continues to be one of the most sensitive topics for the banking sector. Using the RBS channel to steal money is a favorite area for cybercriminals. Banks and vendors are making every effort to combat fraud, including the introduction and improvement of antifraud systems.
Viktor Gulevich, director of the security systems department, BSS, speaks about modern means of protecting the RBS applications from cybercriminals in his speech. The speaker offered the participants of the session a small impromptu Capture the flag (CTF) — a game to intercept an account — to show how easy the imperfection of antifraud for fraudulent purposes can be used.
The expert explained how session antifraud programs analyzing user action patterns work. They track all the actions of the owner and remember their characteristics and features. If a fraudster tries to use the owner’s bank account to take possession of money, antifraud will determine this and block the transaction.
Victor Gulevich stressed that attackers can easily trick the application if only one identification factor is used, and for clarity suggested the audience to "hack" their own bank account.
It was possible to deceive the session antifraud using a photograph. This was done by one of the event participants. To confirm the transaction, it was only necessary to show a photo of the account owner from the second phone, and the transaction was approved. This demonstrates how easy it is to bypass one enabled factor.
"But in fact, there are a lot of behavioral factors. Where you are, how you hold the phone, which hand, and how you navigate the application. All owner’s patterns, as well as characteristic patterns of fraudsters, are recorded and this makes it possible to resist crimes," Victor Gulevich said. "Given this, we provide comprehensive information security services, including a defense-in-depth fraud protection system, both external and internal."
The complex is based on in-house anti-fraud platform "FRAUD-Analysis", where additional technical and biometric methods for identifying the payer and his/her device can be introduced. This makes it possible not only to protect yourself from frauds with high probability, but also to provide easy user authentication in the RBS application, even without entering a password, fingerprint, or Face ID (the so-called frictionless authentication), which greatly increases the frequency of using the bank’s RBS application to receive additional services.
How it all happened — watch the video of Victor Gulevich’s speech.