- Статьи
- Internet and technology
- Server of Changes: how the new anti-fraud package will change the lives of Russians
Server of Changes: how the new anti-fraud package will change the lives of Russians
In the second half of 2026, Russians will receive new measures to protect themselves from cyberbullying. In particular, a limit will be introduced on the number of bank cards that one person can own, a single database of IMEI numbers of mobile devices will appear, and a special "red button" will be launched on the Gosuslugi portal to promptly respond to fraudulent actions. In addition, citizens will be able to set a self-lock for international calls. Another important innovation will be the financial responsibility of banks and telecom operators in cases where their failure to comply with security requirements leads to damage to the customer. According to experts, some of the innovations will increase the level of protection of citizens, but some measures may create additional inconvenience for users. How the second package of measures to combat cyberbullying will affect the lives of Russians is described in the Izvestia article.
Authorization without foreign mail
On June 9, the State Duma adopted in the second and third readings a package of amendments to the legislation, known as "Antifraud 2.0", aimed at countering cyberbullying. Different terms of entry into force are provided for different provisions of the document: most of the innovations will become effective on September 1, 2026.
One of the most notable changes may be restrictions on the use of foreign mail services during registration and authorization on Russian digital platforms. According to experts interviewed by Izvestia, the new requirements will primarily affect government services, financial organizations and other resources working with personal data.In practice, this means phasing out authorization through foreign accounts, including Google. As an alternative, users will be offered domestic identification methods — a phone number, a verified account on the Gosuslugi portal, or Russian postal services. Experts note that the measure is related not only to combating fraud, but also to reducing the dependence of critical services on foreign platforms.
— It is necessary to clearly separate authorization through a Google account and regular login with a username and password. Nobody forbids using Gmail as an e—mail," said Igor Bederov, Chairman of the Coordinating Council of the non-governmental security sector of the Russian Federation, founder of the Internet Search company. — For users who previously logged into Gosuslugi or EMIAS using an account with the address gmail.com Everything will remain unchanged, except for new registrations, which are now banned.
At the same time, according to him, the ban on authorization through Google does not mean abandoning the use of Gmail. Users will still be able to specify an email address as a login on Gosuslugi, banks and other services.
—Switching to domestic authentication methods is a necessary measure to protect citizens' personal data and ensure the sustainability of digital infrastructure in the face of modern threats," explained Vadim Ivankov, Head of Product at Gazprom ID.
Mikhail Shurygin, Chairman of the ROCIT Commission on Cloud Technologies and Information Security, noted that in this case it is necessary to distinguish between existing and new legislative initiatives. According to him, restrictions on the use of certain foreign authorization services on Russian Internet resources were previously established by Law No. 406-FZ dated July 31, 2023. These rules regulate the ways users register and log in on certain categories of domestic platforms and do not relate directly to the package of measures commonly referred to as "Anti-fraud 2.0".
In his opinion, one of the key consequences will be the gradual reduction of the market for "gray" SIM cards, which are actively used by fraudsters and spammers. He admits that this may create certain inconveniences for users, but in the long run it can reduce the level of telephone fraud.
Bank cards and damage compensation mechanism
Major changes will also affect the banking sector. For citizens, a limit is imposed on the total number of payment cards — no more than 20 per person in all financial institutions. The new regulations also apply to credit and virtual cards. The new rules will come into force on September 1, 2027.
— The deputies ruled out the initial idea of setting an additional limit of five cards in one bank in the final version of the law, — said Vasily Kutyin, Director of analytics at Ingo Bank.
A unified card accounting system will be created to monitor compliance with the new rules. All credit institutions will transfer data on issued cards to it, and before issuing a new one, they will be able to check how many payment instruments have already been registered with the client. If the total limit exceeds 20 after the card is issued, the bank will be obliged to refuse to issue it.
The measure is primarily aimed at combating droppers, Vasily Kutyin explained. According to him, it is through such persons that fraudsters withdraw and cash out the stolen funds. In practice, there have been cases when hundreds and sometimes about a thousand bank cards were issued for one person, he added.
According to the financial advisor and founder of Rodin.According to Alexey Rodin, over the past two years alone, more than 10 million people may have been involved in various fraudulent schemes using droppers. That is why the authorities plan to limit the possibility of mass registration of cards for one person.
For most Russians, the innovation will not change much. Currently, there are about 525-530 million bank cards in circulation in the country, and taking into account the population, there are about 3.5 cards per person on average, he noted. This is confirmed by the survey results. About 45% of Russians use three to five cards, another 38% have two, and 11% manage with one, the expert added. Only about 5% of respondents have more than 10, and their number does not exceed 20. Less than 1% of survey participants reported having more than 20 payment instruments.
According to Yulia Suvorova, Director of Legal Affairs and compliance at the Compare financial marketplace, cases where a bona fide client uses more than 20 cards from different banks remain rather an exception. These are usually users who actively participate in cashback programs, as well as those who hold separate cards for subscriptions, family expenses, or business activities.
At the same time, citizens who have already issued more than 20 cards at the time of the law's entry into force will not need to close some of them. As Vasily Kutyin explained, the restrictions apply only to the issuance of new cards in excess of the established limit. To verify compliance with the new requirements, credit institutions will turn to the Unified Payment Card Accounting System, which will be operated by the National Payment Card System (NSPK), Ingo Bank said.
However, some changes may also affect existing maps. According to economist Andrey Barkhota, if the established limit is exceeded, there is a possibility that banks will begin to review the functionality of some unused products. For example, cards with a zero balance that a customer does not use for a long time can theoretically be blocked on the initiative of the credit institution itself.
In addition, banks will be required to take additional measures to protect themselves from fraud and, in criminal cases, compensate for funds lost by customers if credit institutions fail to fulfill these obligations. However, the compensation mechanism is already working, said Andrey Emelin, head of the National Financial Market Council (NSFM). According to him, in about 10% of fraud cases, banks return lost funds to customers.
As the expert explained, when large sums of money are stolen, it is often necessary to establish whether the bank has followed the procedure for checking and suspending suspicious transactions. If the credit institution is not convinced that the client understands the consequences of the transfer and acts voluntarily, and the money was eventually sent to fraudsters, the victim can expect compensation. That is why banks carefully analyze questionable transactions and, if necessary, temporarily block their execution.
In general, experts believe that the law is able to strengthen the protection of citizens from fraud, but its full implementation will require serious technical training of the banking system. According to Vasily Kutin, the almost two-year transition period (until September 1, 2027) should give all market participants enough time to create the necessary infrastructure and set up the new accounting system.
International calls and "baby" SIM cards
Another change affects international calls: instead of completely banning incoming traffic from abroad, citizens will be able to independently connect protection against such calls. At the same time, it will be possible to remove the restriction later only by contacting the MFC in person.
A rapid response service to fraud will appear on the Gosuslugi portal — the so-called red button, through which users will be able to quickly report illegal actions and initiate a procedure to protect their data and funds.
Another important innovation is the appearance of "children's" SIM cards. Parents will be able to notify the telecom operator that the purchased SIM card is intended for use by minors. At the same time, the list of restrictions and additional features that will be applied to such SIM cards will have to be defined in subordinate regulations that will be developed later, said Karen Ghazaryan, Director of Analytics at ANO Digital Economy.
In addition, a database of unique IMEI mobile device identifiers will appear, which are necessary to identify a smartphone on the network and are stored in the firmware of the device. This tool has several application vectors, first of all, the fight against fraud: a unique mobile device number allows you to identify an attacker, for example, when swapping a SIM card and quickly lock his gadget. You can also use IMEI to identify SIM boxes, special servers for SIM cards that cybercriminals send out from, the expert said.
— The second vector is the identification of devices imported into the Russian Federation in violation of customs legislation. Illegally imported devices that are not included in the IMEI database simply will not work in Russian networks, this practice is already used, for example, in Turkey and Uzbekistan, another possibility is to block stolen gadgets,— explained Karen Ghazaryan.
The new rules will make the use of mobile communications and digital services more transparent, Igor Bederov believes. According to him, the state is actually building a system in which the phone number will be tightly linked to the owner and the device through reconciliation of passport data, SIM card and IMEI.
— The situation for the average person will change towards greater transparency, but also greater bureaucratization. The familiar model, when it was possible to use a lot of "gray" SIM cards, is becoming a thing of the past. When entering data, a triad will be compared: passport data, phone number, and device IMEI. If the phone is stolen or imported illegally, the system will see it," the expert explained.
Denis Kuskov, CEO of TelecomDaily, also considers the IMEI database to be an important innovation that will strengthen the fight against fraud.
— Legislative innovations once again raise the issue of developing a fundamentally new law on Communications. The document was adopted more than 20 years ago, and since then it has been repeatedly supplemented, new provisions and requirements have been introduced into it. The law, which was adopted in the technological era, certainly needs to be updated, brought to the current realities of the telecom market," Denis Kuskov believes.
Izvestia sent inquiries to the Ministry of Finance and to the largest Russian communications companies. According to the editorial staff, work on the next package of measures is already underway. More than 60 initiatives have been prepared for Antifraud 3.0, which may affect the turnover of personal data, the regulation of messengers and the mechanisms of digital identification of citizens.
"The main objective of the new measures is not to create additional restrictions for citizens, but to make fraud more costly, complex and risky for the attackers themselves. In my opinion, it is by this criterion that the effectiveness of Antifraud 2.0 should be evaluated in the future," Mikhail Shurygin added.
Переведено сервисом «Яндекс Переводчик»
