Internet banks in the hacking era: Dozens of questions with a single answer

By Anatoly Klepov

According to press reports, an Israeli IT company has developed a device that can hack any smartphone. At first sight there is nothing special about the news. In recent years start-ups have produced, one after another, all kinds of software or devices to collect and process Internet users’ information, along with the information in their mobile gadgets and computers. This time the “new development”, according to the announced specs, can get access to all electronic media contents: e-mail, SMS, social networks, contacts, IMEI device identifiers, MAC addresses, photos stored in the memory of a mobile phone, PIN codes, account numbers, financial statements, etc.

There’s also nothing unusual about that. More than a dozen electronic spying tools with similar functions are used both by government agencies and by hackers. Another fact is far more interesting in this respect. The authors of the article state that the Israeli development leaves no traces of its activity on the user’s device, and that it is impossible to detect that the data has been read (read: stolen). This nuance requires a closer look at the new development and at the possible consequences of using such software.

Although the start-up worked for Israeli state organizations, designing software and devices to fight criminals, such tools may soon be available to hackers as well.

In fact, it is already very difficult to detect hackers committing crimes in the digital world. Does this mean they will become absolutely invincible once such new technologies are put into practice?! Moreover, the potential users of such software or devices will be able to do anything and go unpunished! The entire information world of mobile phones will be virtually defenseless against them. We can say without exaggeration that such software will turn into a weapon of mass destruction for information in the hands of criminals.

Google analysts say that more than 90% of mobile phone users keep PIN codes, safe combinations, credit card and bank account numbers, and other confidential personal and financial information in their mobile phones. Do you know how many transactions go through Visa and MasterCard? According to Network Computing, around 200 billion transactions worth tens of trillions of dollars are processed every year, including payments over smartphones and tablets. According to Criteo’s Q1 State of Mobile Commerce Report 2015, 1.6 billion mobile transactions are made every year, totaling $160 billion. And every year the number of mobile payments around the world increases significantly.

What security measures do ordinary mobile device users have when making mobile payments? Almost none. 99% of it is software protection, which is open to hacking.

It’s a well-known fact that, using the data theft tools available around the world, hackers can easily breach any existing mobile phone security software. By the way, the President of Google confirmed this fact and warned users not to keep PIN codes in their mobile phones.

Another question is how much hackers earn by stealing users’ money and exploiting the rapidly developing e-commerce services. In the expert opinion of John MacGregor, one of the OSCE leaders, cybercrime is the most urgent problem of our time; and the information security company Symantec estimates the annual cost of cybercrime to the global economy at $400 billion. You must agree, it’s a huge amount, comparable to a state budget (for example, Russia's budget for 2016 is US$247.4 billion). Besides, criminals do not have to allocate funds for social spending, health care and education...

All in all, hackers, criminals and terrorists today command the second largest military budget in the world. Let me remind you that, as of year-end 2014, the largest expenditures on armaments were those of the United States - $610 bn, China - $216 bn, Russia - $85 bn, Saudi Arabia - $80 bn, France - $62 bn, etc.

According to Sberbank, Russia’s losses from cyber scammers were estimated at $70 billion rubles in 2015. However, as Lev Khasis, First Deputy Chairman of Sberbank, stated at the press conference on the year’s results in the cyber world, there are no grounds to expect the impact of such crimes to decrease in future.

Eugene Kaspersky, the founder of Kaspersky Lab, stated that the annual cost of cyber fraud in Russia was even higher - nearly $100 billion.

Whether we like it or not, there is a clear sign of an as yet unnamed phenomenon that may be called “a financial anti-pyramid”, and, unfortunately, banks are involved in it today. Its purpose is not to bring profit to the participants of the structure by constantly attracting new investors, but rather to attract investments in order to “patch” the holes left by ever-growing electronic thefts.

As we know - and financial experts agree - the number and scale of thefts grow rapidly every year, but few name the cause of the process. The volume of losses depends directly on the fact that payments over standard, insecure cell phones are being made more and more frequently. The more actively banks implement public (in every sense of the word) mobile banking, the more money hackers steal. So isn’t it a financial anti-pyramid? Naturally, hackers gain fantastic profits and won’t stop. Internet connections expand and their incomes keep growing fast.

Thus, according to the forecasts of Gartner, the leading international marketing company, 80 percent (!) of all existing smartphones will be connected to the Internet in 2016. Taking into consideration that 99 percent of mobile payments are secured by software means alone, the world is facing a global catastrophe.

Who compensates all thefts committed by hackers around the world?

Reports appear in the media now and then about a gang or a lone hacker engaged in cyber fraud and caught somewhere. However, I don’t recall any report saying that cybercriminals returned all the stolen money to its owners. Sometimes only small sums are returned. Most of the stolen money is most likely transferred out of the country immediately, hidden in secret offshore accounts or cashed out in different countries through figureheads.

Why don’t states and banks spread this news far and wide? Why don’t the cybercriminals’ victims - banks and credit companies - go bankrupt despite the miserly compensation they recover? Why does it seem at first glance that there is peace and quiet in the field of financial data security worldwide? Banks take the simplest way: they hedge their losses and sometimes return part of the money to users through insurance companies. In other words, banks book their fantastic financial losses from cyber attacks as inevitable costs! Naturally, financial institutions then raise the fees for credit card servicing and mobile banking to cover the shortfall. Clients don’t notice it at first, but the obligatory recurring charges add up to huge amounts. There is another problem: while Internet banking is developing through Internet applications for mobile phones, no one cares about their security level. Wholesale cost-cutting on information security is obvious.

Despite security experts’ warnings, banks seek super profits and press simple but poorly protected software solutions on users. The point is that, according to marketing services, users prefer simple and, most importantly, convenient payment solutions, and they don’t care much about the security of the procedure. They think the bank will reimburse the losses anyway.

It’s a vicious circle: banks follow the users’ lead, providing them with convenient payments and, of course, voluntarily or not, reducing the security level. But because of the growing number of cyber attacks they raise the cost of financial payment services, forcing users to pay a huge annual tribute to the underworld.

It turns out that all Internet banking systems are built on standard cell phones primarily to please customers, but they don’t protect their money from hackers. The solution is very convenient for customers and at the same time cheap: they download the software and manage payments from their accounts over a mobile phone any time, anywhere in the world. A few megabytes of software weigh nothing compared with a bank safe or a cash-in-transit vehicle. Those cannot be carried around, but they are necessary to protect money from criminals, and the use of such security measures surprises no one in everyday life. Yet money is stored in our phones without any protection, because competition among banks in the electronic services market sets lower security standards from the outset. For example, if one company’s application provides a higher security level but is more difficult to use than the competitor’s application, that company has fewer chances of mass adoption of its product.

The paradox is that sophisticated financial protection is less competitive than simpler but ineffectively protected applications. You may agree that already at this stage, when the tools for working with clients are being selected, the wrong foundation is laid for the whole concept and structure of Internet banking data security. The next question follows: how many trillions of dollars must hackers steal to ruin banks and make them realize the risk of bankruptcy threatening them and their customers?

Such an outcome is logical given the current data security trends in mobile payments. It will be similar to the 1992 crisis, when 3 trillion rubles were stolen from the Central Bank of the Russian Federation with the help of fake letters of advice. The Central Bank completely revised its information security methods after the incident.

Apparently, few financiers today remember the consequences of that massive information attack on a powerful financial institution, or how the financial crisis affected ordinary people. Here is an example from my own life. I had 12,000 rubles on my savings book in 1991. It was the price of a good two-bedroom apartment in Moscow in those days. An apartment like this costs more than one million dollars. At the end of 2015 Sberbank returned my deposit to me as 24,000 rubles – slightly more than $300 at today’s exchange rate! Those were the results of the largest robbery of the state bank.

Is there a way out of this situation? Of course there is. Recall history. When financial payments over the Internet were only beginning, special electronic USB keys and smart cards, such as Rutoken and eToken, were created. The devices operated independently of the computer, were connected to it via USB and encrypted the financial information; the computer served only as a means of data transmission. Hackers had no chance to steal information that was encrypted outside the computer.

Then, in order to reduce the cost of the additional hardware, customers made a serious mistake and again took the simplest way. The eToken had no keyboard for confirming an operation on the device itself, and later this opened the way for fraud. The devices are very cheap, and the low price had to be paid for somehow.

When the new technology was only starting to be implemented in information security products, for cost reasons no keyboard for entering a confirmation code was built into the otherwise reliable Rutokens, which coped with their main task very well. As a result there were many cases of fraud related to their use.

I am asking once again – and the question has become rhetorical: why doesn’t the financial world use its accumulated experience when promoting mobile banking? After all, it’s clear that there should be a secure payment scheme in which the encryption device operates independently of the mobile phone.

The company I lead demonstrated an example of this approach in the early 2000s. We were the first in the world to design a crypto smartphone in Russia and, some time later, a completely new information security system – a mobile hardware encoder. By the level of technology used in them, we were ahead of all the IT giants - Apple, Samsung and Microsoft... Even now there are no competitors to Russian cryptographic products.

Indeed, any cryptotelephone that hackers can’t break, like any professional security system, costs more than software solutions. But as a person who created the world's first cryptosmartphone, I can confidently say that making a financial tool out of an ordinary smartphone is the road to nowhere.

In the Russian cryptosmartphone, for the first time ever, the security of financial information was provided separately by hardware and software means. It operated as a standard mobile phone for receiving and transmitting information, but the information was encrypted in a special, separate part of the device. The main point was that the encryption keys were absolutely out of reach for hackers and lay beyond the smartphone operating system.
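The design the article argues for (keys held in a device the phone OS cannot read, with the eToken lesson from above that the device must also let the user confirm what is being signed) is modelled here as an added illustration; it is not code from the article, MTT or any token vendor, and the transaction format, HMAC-based authorisation and sample payee/amount values are assumptions of the example.

```python
import hashlib, hmac, secrets

def encode(tx):
    """Canonical bytes of a transaction: what the signer MACs and the bank checks."""
    return f"{tx['payee']}|{tx['amount']}".encode()

class SoftwareWallet:
    """Software-only app: the key sits in phone memory, usable by any code in the OS."""
    def __init__(self, key):
        self.key = key
    def sign(self, tx):
        return hmac.new(self.key, encode(tx), hashlib.sha256).digest()

class HardwareToken:
    """Separate device: the key never leaves it; the phone only gets sign().
    confirm=None models the early eToken (nothing to confirm on the device, so it signs
    whatever the phone sends); a callback models a token with its own display and button."""
    def __init__(self, key, confirm=None):
        self._key = key          # private: no method ever returns it
        self._confirm = confirm
    def sign(self, tx):
        if self._confirm is not None and not self._confirm(tx["payee"], tx["amount"]):
            raise PermissionError("transaction rejected on the token's display")
        return hmac.new(self._key, encode(tx), hashlib.sha256).digest()

def bank_accepts(bank_key, tx, mac):
    """The bank holds the same key (provisioned with the token) and verifies the MAC."""
    expected = hmac.new(bank_key, encode(tx), hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)

def phone_trojan(sign):
    """Trojan in the phone OS swaps in its own transaction; returns (tx, MAC or None)."""
    fraud = {"payee": "MULE-ACCOUNT", "amount": 9800}   # constructed sample values
    try:
        return fraud, sign(fraud)
    except PermissionError:
        return fraud, None

def run():
    """For each design: does the Trojan obtain a MAC that the bank would accept?"""
    key = secrets.token_bytes(32)
    intended = {"payee": "ELECTRIC-CO", "amount": 45}   # what the user meant to pay
    def user_checks_display(payee, amount):   # user compares token screen with intent
        return (payee, amount) == (intended["payee"], intended["amount"])
    designs = {
        "software_wallet": SoftwareWallet(key).sign,
        "token_no_confirm": HardwareToken(key).sign,
        "token_with_confirm": HardwareToken(key, user_checks_display).sign,
    }
    outcome = {}
    for name, sign in designs.items():
        fraud, mac = phone_trojan(sign)
        outcome[name] = mac is not None and bank_accepts(key, fraud, mac)
    return outcome
```

Only the third design defeats the substituted transaction: isolating the key stops it from being copied, but without on-device confirmation a compromised phone can still get any transaction it likes authorised.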

Hardware security is the only way out of the impasse for e-banking. Here’s an example that will make the explanation easier for an average user. It’s impossible to make a tank out of a passenger car, no matter what armor is installed on it. Even a “Mercedes” with a presidential security system won’t turn into an infantry fighting vehicle, let alone a tank. Naturally, a tank cannot be as convenient for a driver or passenger as a luxury car. A tank is used for other purposes, so not only armor but also missiles protect it against enemy attacks. Likewise, no matter what software is added to a standard mobile phone designed primarily for talking and browsing information on the network, it cannot be converted into a hardware encoder and made to protect users from hackers.

Any standard operating system has dozens, if not hundreds, of different “doors” that cannot be closed. Even if computer experts polish it up, hackers will still manage to break it and find the keys to the encryption systems, for example using Trojans. And banks contradict themselves by creating software for mobile phones while advising clients never to keep their bank cards and the passwords to them in the same place.

What happens in e-banking services? Having gained access to any mobile phone, a hacker can see not only the user’s credit card but also its PIN code in the installed e-banking software... In other words, the Internet economy is impossible without information security, and information security is impossible without the mass production of special equipment for secure mobile financial payments. Unfortunately, it’s not used today.

By expanding the Internet economy on software security systems, we make hackers’ annual revenues grow fast.

The burden of all thefts, worth hundreds of billions of dollars, falls on the users’ shoulders. At some point this artificially created financial bubble may burst, because hackers keep improving their technical capabilities to multiply their criminal proceeds. At some point banks won’t be able to cover their losses at the clients’ expense. Bank customers will finally come to their senses and ask a simple question: why should we pay so much for the maintenance of our electronic payments?

Unfortunately, all attempts to restrict hackers’ activities so far remain at the level of declarations. In fact, major companies, dazzled by the profits that financial mobile technology can bring in the near future, are playing an all-or-nothing game.

Sometimes the sums at stake exceed even the revenues from the sales of their main products. So, for example, one of the leading smartphone manufacturers, a company that has never produced data encryption devices, decided to add a credit card function to its gadgets and compete for the billions of transactions processed by credit card companies around the world…

Financial losses are growing all over the world, but, as we can see, we are forced to rely on software security. Russian citizens have already paid a huge price for it. If nothing changes, the same fate may very soon befall other countries, leading to global financial collapses, which will inevitably provoke armed conflicts.

Today we merely state the fact: hackers are stealing hundreds of billions of dollars. But can declarations help avoid global financial losses worth trillions of dollars in the near future? Or maybe it’s time to ask: are the losses “scheduled”? Maybe a great international cash system is hiding behind the hackers. Such a possibility cannot be excluded either. Yet no prohibitive measures are applied to security software. It seems everything is quiet in the world, but average Internet banking users cannot feel secure. They should know: their money is at risk.

© 2011 All rights reserved. Klepov A.V.