Solar Group experts have discovered critical vulnerabilities in every second banking application. More than half of the services have vulnerabilities of high or medium criticality, that is, they allow hackers to cause significant damage to the company's information assets in a successful attack. Izvestia investigated whether banks' liability for a bad anti-fraud system could be tightened and what rules should be followed to avoid becoming a victim of fraud.

Mutual work

There is a clear tendency in the regulatory environment to tighten requirements in the field of financial transactions and personal data protection, Alexey Kolodka, head of RAMAX Group's information security practice, noted in an interview with Izvestia.

— The regulator is actively promoting legislative initiatives aimed at expanding the responsibility of both banking organizations and telecom operators for the consequences of cybercrimes. Mobile operators are forced to implement advanced artificial intelligence-based technologies to identify potentially fraudulent calls, — he said. — This is due to new requirements, according to which operators can be financially responsible for customer losses resulting from telephone fraud.

A phone in a pensioner's hands
Photo: TASS/IMAGO/Fleig/Eibner-Pressefoto

The banking sector, he said, is also facing increased demands on fraud control and prevention systems. In particular, strict procedures are being introduced for large-scale monetary transactions. Banks are required to conduct additional customer verification before issuing significant amounts of cash in order to avoid the risk of money transfer to intruders. In case of subsequent detection of fraud, the bank may be involved in compensation for damages to the client.

— To protect yourself from fraudsters, it is necessary to enable two-factor authentication in all critical services, especially in online banking. Use antivirus software and caller ID from telecom operators or banks. Block unfamiliar incoming numbers, — the expert reminded.

He also noted that other security rules should be followed: never follow links from unverified sources, be suspicious of messages from long-inactive contacts, and never tell anyone one-time codes from SMS and push notifications.

Laptop
Photo: IZVESTIA/Mikhail Tereshchenko

There are other precautions as well. In particular, Maxim Bolshakov, Director of Cybersecurity Development at Edgecenter, advised Izvestia to avoid public Wi-Fi networks and to connect to banking applications only through secure networks. In addition, for security reasons, the expert recommends disabling automatic password filling in browsers and applications.

Work on ensuring the secure use of applications should be mutual, on the part of both the bank and the client, Arsen Hakobyan, founder of the Piera anti-fraud call center project, told Izvestia.

— It should be understood that the share of hacking banking applications among other fraud cases is not so high, as it requires serious resources and the intellectual costs of highly qualified specialists. Banks' security systems can handle most attacks. But gaps are the focus of attention in the case of data leaks, — he explained.

Legislative framework

Responsibility for non-compliance with information protection requirements for financial organizations is already provided, Alexey Lukatsky, a business consultant on information security at Positive Technologies, told Izvestia.

— This is a requirement of the law on Critical Information Infrastructure and, accordingly, Article 13.12 of the Administrative Code for failure to comply with mandatory information protection requirements; the elimination of vulnerabilities is included in the mandatory requirements established by regulators. There is also a rule on the part of the Central Bank: if a client loses money due to poor anti-fraud work, when the bank did not track in time the appearance of new information about a particular fraudulent scheme or a particular fraudster and still gave money to this fraudster, the bank is obliged to compensate the client for all losses, — the expert reminded.

Bank
Photo: IZVESTIA/Eduard Kornienko

This in itself, in his opinion, should motivate banks to better deal with fraud.

— Therefore, the question today is not to strengthen any responsibility of banks, but simply in the normal enforcement of existing norms, — Alexey Lukatsky believes.

The cause of the problems

The requirements for the security of information systems, both general, established by the Federal Service for Technical and Export Control (FSTEC) of Russia, and special, prescribed for credit institutions by the Bank of Russia, are generally quite effective, provided they are followed, Alexey Yefremov, a leading researcher at the Center for Public Administration Technologies at the Presidential Academy, told Izvestia.

— Most of the problems occur on the user's side of the banking application. The fate of his financial assets often depends on his level of understanding of information security, — the expert noted. — This applies to basic things, such as opening messages from strangers in instant messengers or clicking on questionable links in such messages or emails. It also applies to the common habit of storing bank card data in the applications of various services, such as marketplaces, delivery services, ticket and hotel booking, or in browsers on a smartphone or other computer.

Fraudsters
Photo: IZVESTIA/Dmitry Korotaev

The solution to this problem, according to him, is to increase the financial and information literacy of the population, including through appropriate information materials and instructions in the applications themselves, which the user should carefully study before installing or activating the corresponding application.

— In 2024, administrative and criminal liability for illegal processing of personal data was significantly tightened, and the State Duma is considering a draft federal law on criminal liability for the use of deepfake technologies to commit fraud, — Alexey Yefremov recalled.

Court gavel
Photo: IZVESTIA/Anna Selina

However, in his opinion, measures of responsibility alone are not enough without effective law enforcement and, most importantly, improving the level of financial and information literacy of a significant part of the population.

Highlights

The discovered weaknesses in the protection of banking applications, especially the critical ones, underline the importance of strengthening banks' control over and responsibility for cybersecurity, Mikhail Polyakov, Associate Professor of the Department of State and Municipal Administration at the State University of Economics, noted in an interview with Izvestia. With cybercrime on the rise and data leaks becoming more frequent, especially in the financial sector, the Central Bank is likely to tighten requirements for credit institutions.

— This may result in stricter information security standards, mandatory penetration testing, regular application security audits, as well as financial penalties for non-compliance with established standards, especially in terms of access control and protection against attacks aimed at hacking employee accounts, — the expert noted.

Hacker
Photo: IZVESTIA/Sergey Lantyukhov

Vigilance and awareness are the key to protecting against fraud, as cybercriminals are constantly improving their methods. It is important to recall that from March 1, 2025, the law on self-imposed bans on loan issuance comes into force, allowing bank customers to protect themselves from loans taken out in their name by intruders, the expert recalled.

Izvestia sent requests to the Central Bank and the Ministry of Finance, but no responses had been received at the time of publication.

Translated by the Yandex Translate service