How one flaw in the IT system led to the disclosure of bank secrets at Sberbank

We analyze the facts of the disclosure of bank secrets at Sberbank caused by mistakes made in the design of its information security system.



Sberbank today is one of the most frequently mentioned brands in connection with the fashionable "transformation": digital, banking, universal. I remember how ten years ago the company began to lure a huge number of highly qualified IT specialists onto its staff. Much has changed since then, and IT specialists have become more selective in choosing an employer. New services come out of Sberbank's laboratories one after another. And in the pursuit of user "convenience", what often lies hidden is not just pitfalls but icebergs, which at a certain moment can legally sink any company. Especially one that keeps your money.



Today we will analyze three examples of fatal IT errors that seem to lie on the surface and simply could not have been made. But Sberbank managed to make them, stumbling on level ground.



Example 1. Email banking notifications



Many of us have a mailbox that we use for miscellaneous registrations and other spam. I usually look into such a box every 2-3 months (the box itself has existed since 1999), clean it out and close it until better times. But one day I noticed letters in the spam folder sent on behalf of Sberbank. The subject line read a meaningful "Report on Visa card * 0612 for the period from xx.xx.xx to yy.yy.yy". It is clear that lately there have been a lot of scammers (we will talk about this in a separate article a little later) profiting from the name of a large bank. But this letter interested me.



The sender was Sberbank of Russia, newreport_card@sberbank.ru. After examining the headers, I realized that the letter was not phishing: the sender really was Sberbank. Since I never had a * 0612 card, I wanted to see what kind of report Sberbank had sent me.



Return-path: <newreport_card@sberbank.ru>
Received-SPF: pass (mx268.i.mail.ru: domain of sberbank.ru designates 194.186.207.37 as permitted sender) client-ip=194.186.207.37; envelope-from=newreport_card@sberbank.ru; helo=email1.sberbank.ru;
Received: from email1.sberbank.ru ([194.186.207.37]:59268)
	by mx268.i.mail.ru with esmtp (envelope-from <newreport_card@sberbank.ru>)
	id 1jlnqp-0002hE-LG
	for @MAIL.RU; Thu, 18 Jun 2020 09:16:40 +0300
Received: from ceroklis8.smtp.sbrf.ru (10.34.224.1) by
 CAB-VSP-EDG1002.sigma.sbrf.ru (10.44.254.2) with Microsoft SMTP Server id
 15.0.1497.2; Thu, 18 Jun 2020 09:16:39 +0300
Received: from smtp.sberbank.ru (localhost [127.0.0.1])
	by ceroklis8.smtp.sbrf.ru (Postfix) with ESMTP id 40501480
	for <@MAIL.RU>; Thu, 18 Jun 2020 09:16:39 +0300 (MSK)
Received: from ceroklis8.smtp.sbrf.ru
    by 127.0.0.1
    for <@MAIL.RU>;
    Thu Jun 18 09:16:39 2020
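As an added example (not code from the original post), the following Python reads the headers quoted above and cross-checks the SPF verdict, the envelope sender and the IP of the hop that delivered the message to the recipient's MX, which is the kind of consistency check the author describes. The header sample is reproduced from the article (recipient redacted as there); the function names are mine.

```python
import re

# Sample reproduced from the article; only the hop that delivered to the recipient's MX is kept.
RAW_HEADERS = (
    "Return-path: <newreport_card@sberbank.ru>\n"
    "Received-SPF: pass (mx268.i.mail.ru: domain of sberbank.ru designates "
    "194.186.207.37 as permitted sender) client-ip=194.186.207.37; "
    "envelope-from=newreport_card@sberbank.ru; helo=email1.sberbank.ru;\n"
    "Received: from email1.sberbank.ru ([194.186.207.37]:59268)\n"
    "\tby mx268.i.mail.ru with esmtp (envelope-from <newreport_card@sberbank.ru>)\n"
)

def unfold(raw):
    """Join RFC 5322 folded continuation lines onto their header line."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def domain_of(addr):
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""

def check_sender(raw):
    """Cross-check SPF result, envelope sender and the first external hop."""
    lines = unfold(raw)

    def first(name):  # value of the first header with this name
        return next((l.split(":", 1)[1].strip() for l in lines
                     if l.lower().startswith(name.lower() + ":")), "")

    spf = first("Received-SPF")
    spf_result = spf.split(None, 1)[0].lower() if spf else "none"
    fields = dict(re.findall(r"(client-ip|envelope-from|helo)=([^;\s]+)", spf))
    hop = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", first("Received"))
    hop_ip = hop.group(1) if hop else ""
    envelope_domain = domain_of(fields.get("envelope-from", ""))
    return {
        "spf_result": spf_result,
        "client_ip": fields.get("client-ip", ""),
        "hop_ip": hop_ip,
        "envelope_domain": envelope_domain,
        # SPF 'pass' only means this relay is authorised for the envelope domain;
        # it proves nothing about the body, so this is a consistency check, not proof.
        "consistent": spf_result == "pass"
        and hop_ip == fields.get("client-ip")
        and envelope_domain == domain_of(first("Return-path")),
    }
```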


To say that I was surprised by what I saw would be an understatement. I was o*****l. Sberbank, in all seriousness, had sent me a report on someone else's bank card, giving the first name, patronymic and first letter of the surname, with all debit and credit transactions, their amounts, balances at the beginning and end of the period, a split into cash and non-cash, and other statistics.



In short, Sberbank sent me information constituting banking secrecy. Article 26 of Federal Law No. 395-1 of 02.12.1990 (as amended on 27.12.2019) "On Banks and Banking Activity" states:




(I will say nothing about the spelling of "operational and investigative" activities in the text of the Federal Law; those who wish can find the full text of the law and see for themselves.)



For the last two years we have been doing telecom audits for various companies: identifying strengths and weaknesses within the business, checking the correctness of relationships with counterparties, finding and eliminating various violations. So we have a fairly strong staff of lawyers who understand the intricacies of IT and telecom relations, in particular the boundaries of legal responsibility in the field of information security. The first thing I did was go to them for clarification.



We began to analyze why and how this could have happened and whether the bank is to blame for the situation. First of all, we paid attention to the first name and patronymic of the account holder (Sberbank itself discloses this information in the report). And we discovered a possible similarity between the name of my email account and the email of the real owner of the bank account. The difference is one letter: r versus n. They really are similar when handwritten.



We assume two ways this could have happened:



  • the account owner filled out some kind of electronic form and himself made a mistake when entering his name;
  • the account owner filled out some kind of paper form, wrote his email address illegibly, and the bank employee entered the data into the system with an error.


And here we see a weakness in how Sberbank's information systems were designed. When it comes to an area as sensitive as money, the bank should be doubly careful. When designing most authorization and notification systems, the developer proceeds from the assumption that the user will make a mistake. So Sberbank, in my opinion, was obliged to verify the entered email (even if the client entered it himself) by sending a notification to that address asking the client to confirm it. This is common practice not only with email but also with phone numbers. Moreover, the confirmation must be tied to the account, so that no one else could accidentally carry out this activation.
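One way to implement the verification the author describes, as an added example that is not Sberbank's code: a confirmation token bound to both the account and the exact address entered, which can only be redeemed from that account's own logged-in session, so a stranger who receives the mail by mistake cannot activate it, and no report is sent until the address is confirmed. The secret, TTL and names are assumptions of this example.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; in production it comes from a key store, never from code.
SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL = 24 * 3600  # a confirmation link should not live forever

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SECRET, payload, hashlib.sha256).digest())

def issue_verification_token(account_id, email, now=None):
    """Token for the confirmation link, bound to the account AND the exact
    address entered, so it cannot confirm another address or another account."""
    exp = int(time.time() if now is None else now) + TOKEN_TTL
    payload = json.dumps({"a": account_id, "e": email.strip().lower(), "x": exp}).encode()
    return f"{_b64(payload)}.{_sign(payload)}"

def confirm_email(token, session_account_id, now=None):
    """session_account_id comes from the logged-in session, not from the link:
    whoever got the mail by mistake has the link but not the session."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    data = json.loads(payload)
    if data["a"] != session_account_id or data["x"] < int(time.time() if now is None else now):
        return None
    return data["e"]

class ContactStore:
    """Reports are sent only to a verified address; a pending one receives nothing."""
    def __init__(self):
        self.pending, self.verified = {}, {}
    def set_email(self, account_id, email, now=None):
        self.pending[account_id] = email.strip().lower()  # unverified until confirmed
        return issue_verification_token(account_id, email, now)
    def activate(self, session_account_id, token, now=None):
        email = confirm_email(token, session_account_id, now)
        if email is None or email != self.pending.get(session_account_id):
            return False
        self.verified[session_account_id] = self.pending.pop(session_account_id)
        return True
    def report_recipient(self, account_id):
        return self.verified.get(account_id)  # None until the client confirmed
```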



And if in the first case, where the user himself made a mistake entering his email, Sberbank can only be blamed for a flaw in the system, then in the second case everything that happened should be thoroughly investigated. After all, the bank as a credit organization in this situation bears not only administrative but also criminal responsibility.



But the fact remains: Sberbank regularly sends me other people's data, protected by bank secrecy... Someone may say that now I myself will be held accountable (as has often happened in such situations with "high-profile" investigations in the banking sector). But I hasten to reassure everyone: nothing was done on my part that led to the disclosure of banking secrets. The bank itself voluntarily sends me such reports. I think it is rather Sberbank that should be getting questions from the supervisory authorities, if such a problem turns out to be widespread. Unfortunately, we are unlikely to find out about this.



The main conclusion from this case:



As a client of Sberbank, you may not even be aware that your banking information is "leaking" outward if someone among Sberbank's employees happened to make a mistake when manually entering your contact information.



If someone thinks that after this material the Sberbank security service will rush to check everything, eliminate all the shortcomings, find the culprit (maybe even punish them), I must disappoint the readers. With a high degree of probability, none of this will happen, because from personal experience I have found that Sberbank simply does not keep logs of changes to the state of your data.



And here we come to the second case.



Example 2. Someone else's phone number without your knowledge



Many people know that at Sberbank almost everything is built around an ecosystem centred on the mobile phone number. I have been working in telecom for almost 20 years. And since 2007, when we actively began to introduce VoIP communications, we have warned all customers about telephone security and the need for protection when authorizing by phone number. All these games with caller ID recognition and tight integration with CRM and ERP systems led to what I talked about many years ago: the wave of telephone fraud. In particular, it was on the pages of Habr that I was able to draw the attention of the community of telecom specialists and telecom operators to the fraud involving the "draining" of 8-800 traffic.



But today we will talk about the fact that in October 2019, while looking at the personal data settings after another update of the Sberbank mobile application, I found an additional phone number in my contact information. It obviously had nothing to do with me: I had never entered it. Recently many in the press have drawn attention to this, but I can say that this whole story with the addition of "foreign" numbers has been going on since 2019, and maybe even earlier.



Let's go back to the account. Essentially, someone added someone else's phone number to my credentials without my knowledge. I had long since withdrawn all my savings from Sberbank (partly for security reasons and because of so many IT failures), so I was not particularly worried about the safety of my finances. But it became important for me to get to the bottom of this situation.



Spoiler: Sberbank did not admit the error and said that it does not store any logs of changes in customer credentials.



So. I call my personal manager at Sberbank Premier with a notification about the presence of a vulnerability in my account. The manager completely ignored my message (so much for the "premium" service) and recommended making a written request.



On November 10, 2019, I write an appeal to Sberbank support:




I repeat once again: I demand clarification of who, when, under what circumstances, entered the "someone else's" number in my contact details.




Please note that in my appeal, I prohibit Sberbank employees from making any changes to my account.



On November 27, 2019, that is, 17 (!) days after an appeal concerning the SECURITY of the account, this answer arrives. And the appeal is closed.







That is, until 2019 I did not see this number in any settings, but it turns out it had been there since 2012. Amazing. And the cherry on top: despite my prohibition on changing my data in Sberbank without my knowledge, Sberbank REMOVES the "controversial" number from my account without any notification or approval. Although for this very operation I had been advised to come to a branch with my passport.



Once again I repeat: Sberbank employees simply EDIT your contact information related to the security of your account (the login for managing all your finances), WITHOUT any NOTIFICATION to the client.



In response to these actions, I compose another request:







The answer is simply spectacular:



... your appeal No. xxx-yyy-zzz dated 11/27/2019 has been reviewed. You previously left an appeal No. xxx-yyy-zzz through Sberbank online regarding the reflection of the phone number +7 ********** in the Sberbank online mobile application. In the appeal, you indicated that this number does not belong to you. The bank took measures to exclude this number from your contact information. The answer to the appeal No. xxx-yyy-zzz has been sent to your email address ****@***.*** or contact the bank's office for a response. You can add a phone number in the Sberbank mobile application online. Sberbank.




The takeaway from this example is very simple:



Sberbank can unilaterally not only change the terms of banking services (reduce the interest rate on a deposit, raise the interest rate on a loan, but never the other way around), but also unilaterally change the means of access to your money, add or remove mobile numbers for managing the account, and keep no logs of it. Accordingly, it bears no responsibility for your finances. Or at least it is not shy about telling clients so.



What all this leads to we will discuss in the next article, where we will analyze cases of telephone fraud. Why this has hit Sberbank especially hard should, I think, already be clear to many from the current material. Among other things, we will talk about Fraud 2.0, a new variant that no one has yet written about in the media. There will be a lot of interesting things.



Example 3. The user changed the phone number



As a consequence of the first two cases, a situation arises that thousands of Sberbank clients face. As mentioned above, the mobile number is the central part of the entire connection between Sberbank and the client. Formally, the client is responsible for which phone number he indicated. But here is what happens in practice.



The telephone number, as many people know, belongs to neither the subscriber nor the telecom operator. Yes, it is a common myth that if you have a number and a contract for it, then you are its owner. This is not true. A phone number is a limited resource owned by the state, which instructs telecom operators to service this resource. Subscribers (users) receive a set of numbers at their temporary disposal for the duration of the contract. No more than that. At the same time, by virtue of the Federal Law "On Communications", this set of numbers can be unilaterally replaced for a subscriber with one stroke of the pen of the head of the Federal Communications Agency. Such stories happen less and less now, but in my practice there have been several campaigns to renumber existing subscribers, including mobile ones. And the subscriber is not immune from these changes: his number is simply changed, with a notification. A mobile number that is the central core of many digital systems, including the mobile bank.



And recently just such a situation arose. We audited one company that uses about 2,000 numbers for its employees: we reconciled expenses, carried out cost reduction and optimization, and recovered money for "paid subscriptions" and other services imposed by mobile operators. At some point we discovered that some of the numbers were linked to the mobile banks of individuals. That is, employees had used these numbers earlier and then quit, and now other employees were using them. We phoned the former employees. It turned out that after their dismissal they had supposedly changed the phone number used to log in to Sberbank Online. And they were surprised that access to their finances was still possible through the "old numbers". It turned out that when they went through the procedure of "changing" the number, the new number did not replace the old one but was merely added. The old one was still active in Sberbank Online.



Sberbank has now changed the procedure, but for old users everything remains the same. And there are at least several tens of thousands of citizens (maybe more) who do not even know that information about their finances is available to third parties. Having linked a phone number once, the bank expects it to stay forever. Alas, practice shows that this is not the case.
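The three failures the article has shown so far (a number edited by staff without notification, no log of who changed it, and a "change" that only added a second number) are all design choices. As an added example that is not Sberbank's code, here is a minimal phone-binding model with the opposite choices: one login number per account that is replaced rather than appended, an append-only audit trail for every change, a notification to both the old and the new number, and a client-set freeze that rejects staff-side edits. The class, field names and the constructed account and phone values are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    actor: str        # "client:<id>" or "employee:<id>", taken from the session
    account_id: str
    action: str       # "phone_add", "phone_replace" or "phone_remove"
    old: Optional[str]
    new: Optional[str]
    channel: str      # where the request came in: "mobile_app", "branch", "support"

class PhoneBinding:
    """One login number per account, an append-only audit trail for every change,
    and a notification to both the old and the new number on each change."""
    def __init__(self):
        self.numbers = {}        # account_id -> current login number
        self.frozen = set()      # accounts whose owner forbade staff-side changes
        self.audit: List[AuditEntry] = []
        self.outbox = []         # (phone, text) notifications queued for sending

    def _apply(self, actor, account_id, new, channel, now):
        if actor.startswith("employee:") and account_id in self.frozen:
            return False         # respect the client's written prohibition
        old = self.numbers.get(account_id)
        if old == new:
            return False
        if new is None:
            del self.numbers[account_id]
        else:
            self.numbers[account_id] = new   # replace, never add a second number
        action = "phone_remove" if new is None else ("phone_replace" if old else "phone_add")
        when = now or datetime.now(timezone.utc)
        self.audit.append(AuditEntry(when, actor, account_id, action, old, new, channel))
        for phone in {old, new} - {None}:
            self.outbox.append((phone, f"{account_id}: {action} by {actor} via {channel}"))
        return True

    def change_phone(self, actor, account_id, new_phone, channel, now=None):
        return self._apply(actor, account_id, new_phone, channel, now)
    def remove_phone(self, actor, account_id, channel, now=None):
        return self._apply(actor, account_id, None, channel, now)
    def can_login(self, account_id, phone):
        return self.numbers.get(account_id) == phone   # the old number no longer works
    def history(self, account_id):
        """Who, when, from where: the answer the article's appeal never received."""
        return [e for e in self.audit if e.account_id == account_id]
```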



It can, of course, be argued that this is the people's own problem. But look at how people relate to digital products now, especially the older generation: for them it all becomes incomprehensible and unobvious. If earlier there were system administrators who helped set up a computer, now there may be a rebirth of this profession as a configurer of programs for smartphones. These are all jokes, but the problem is really important, because it affects a huge number of users. It is already impossible not to use these products. But there is also no proper description or delivery of information on how to use them.



I believe that some regulations should rather be introduced here that define the procedure for using mobile numbers in banking products. No, I am not a supporter of universal regulation. But there are points that need to be studied very carefully. And here there should be joint work by banks, telecom operators and supervisory authorities. But the solution should be convenient, functional and understandable for all participants. Otherwise we will keep observing the costs of the "convenience" of banking products in the growing number of fraudulent schemes and computer crimes.



UPD (16 July 13:20):

Sberbank decided to go even further. Just yesterday it sent me "congratulations" on my birthday. That is, it was not enough for it to violate bank secrecy; Sberbank also decided to violate Federal Law No. 152-FZ of July 27, 2006 "On Personal Data". How far will Sberbank go?


