On unauthorised transactions implemented through mobile devices
The Bank of Russia is observing a growing number of remittances made through mobile devices (smartphones, mobile phones, tablets) without the consent of their owners (hereinafter, unauthorised transactions).
In particular, these unauthorised transactions include:
payments for goods and services, including with the use of payment card details, when the Internet is accessed through a mobile device;
transfers of funds paid to the service provider for communication services, including money transfers to short codes;
transactions carried out through remote banking applications provided by the credit institution (online banking) and installed by the client on the mobile device;
payments for goods and services through other applications installed on the mobile device.
Unauthorised transactions result from mobile devices being infected with malicious software (including viruses), either through spam messages (SMS, emails) containing links to external resources or through the mobile device user clicking on links to Internet resources. When the user clicks on such a link, the virus is installed on the mobile device.
Malicious software may perform different functions, including:
generating and sending remittance orders, including in the form of SMS to short codes, on the mobile device user’s behalf;
generating and sending remittance orders through remote banking or other applications for payments for goods and services;
intercepting one-time confirmation codes received on the mobile device for additional confirmation of a transaction.
The greatest risk of such transactions is that in some cases malicious software conceals the credit institution's write-off notifications from the customer. Unaware that his/her bank account has been debited without authorisation, the mobile device user is unable to inform the credit institution of the unauthorised remittances in a timely manner.
The Bank of Russia additionally notes that unauthorised transactions are also carried out by means of social engineering, when intruders fraudulently induce the customer to provide the data required to carry out a transaction, including passwords, identification codes, etc.
The Bank of Russia advises customers who make remittances through mobile devices to take the following measures to mitigate the risk of theft of funds:
installing regularly updated antivirus software on the mobile device;
avoiding clicking through links received from unreliable sources, including links to unknown websites;
informing the credit institution in a timely manner when changing the mobile number the customer provided to the credit institution for the mobile bank service, including the number to which notifications of customer account transactions are sent;
avoiding downloading applications from unreliable sources to the mobile device;
avoiding sharing the mobile device and the payment card with third parties, including relatives;
avoiding disclosing to third parties, including credit institution employees, the payment card PIN code and the control code indicated on the reverse side of the payment card (CVV/CVC code¹), online bank passwords and one-time confirmation codes; if this information is suspected to have become known to a third party, the customer shall inform the credit institution using the contacts indicated on its website.
If a write-off of funds is discovered, the customer shall inform the credit institution or the service provider (where the funds written off were paid to the service provider for communication services, including transfers of funds to short codes) within the terms stipulated by Russian legislation.
In the framework of implementation of Clause 2.12.3 of Bank of Russia Regulation No.
¹ Three-digit codes on the cardholder signature stripe used to verify the authenticity of Visa and MasterCard payment cards.
The reference to the Press Service is mandatory if you intend to use this material.
15.04.2015 00.00.00