Security of transfers and payment for goods via SBP. Part 1

06.06.2022



Ruslan Rakhmetov, Security Vision


I gave a short commentary on QR-code payments for the 'Good Morning' programme on Channel One (https://www.1tv.ru/shows/dobroe-utro/pro-dengi/platim-po-qr-kodu-dobroe-utro-fragment-vypuska-ot-25-05-2022), and after that I decided to cover the topic of payments via SBP in more detail.


Today both the general public and even specialists have many questions about transfers and payments for goods via the Bank of Russia's Faster Payments System (SBP), both about the mechanics of the process and about its information security.


Initially, the SBP was announced as a means of money transfers between individuals who are clients of different banks, using only the recipient's phone number as the identifier. The service is positioned as an alternative to interbank transfers by card number, which were especially popular in the Russian Federation before the SBP was introduced. By 2020 the international card payment systems had recognised the threat to their business and began actively demanding that transfers by phone number within their own payment systems be introduced within a year. One can also recall a number of banks that concluded agreements among themselves, integrated their IT systems and offer transfers by phone number, but only to their own clients. Thus the Bank of Russia's system, to which connection is mandatory, has unconditional competitive advantages due to its scale and its coverage of all residents of the country.



Fig. 1. Volume of transfers through the SBP


Judging by the resistance of the largest banks and the subsequent changes to tariff policy, this system has hit hard the income of a number of banks with large customer bases. At the same time, the SBP has created a common competitive space, effectively reduced costs for the banks' customers and opened additional opportunities for smaller banks. Because transfers are carried out online between banks and the changes in their correspondent accounts are reflected instantly, the banks' cost of reserving funds for operations has decreased and transfers have become faster.



Fig. 2. Number of transactions and users of the SBP


Let us consider the basic process, namely a transfer between users of the SBP (a C2C transfer).


The SBP is a multilevel system:


  • Settlement Centre of the Bank of Russia Payment System

It acts as the custodian of the banks' money and carries out online settlements between banks when funds are transferred via the SBP. Each SBP participant bank is allocated a separate sub-account at the level of the Bank of Russia Payment System (PS BR) to provide liquidity for SBP transfers. The operating requirements are set out in subsections of Bank of Russia Regulation No. 732-P 'On the Bank of Russia Payment System' dated 24.09.2020. In practice, any transfer of 100 roubles by phone number via the SBP produces an instant decrease of 100 roubles in the correspondent account of the sender's bank and an increase by the same amount in the account of the recipient's bank. When executing an SBP transfer, the Settlement Centre interacts only with the OPCC. For SBP liquidity management, however, banks use the main infrastructure for interacting with the PS BR (receiving and sending messages via the ARM KBR-N client workstation software).


  • Operational Payment and Clearing Centre (OPCC)

It acts as an 'intermediary' between the banks and relieves the Central Bank of the work of interacting with banks and connecting them to the SBP (itself a separate, complex process in which technical support is set up, a connection to the exchange point is established and information security tasks are solved). It also accumulates information about the banks' clients and serves as the point at which that information is exchanged.


  • Banks and their clients

They are directly involved in the transfer and use the banks' existing reliable and secure remote banking (RBS) channels. For the OPCC-Banks-Users segment there is the so-called OPCC Standard, which sets requirements for interaction, cryptography, etc., down to requirements for the design of the bank's mobile application. For this segment there are also general information protection requirements defined by Bank of Russia Regulation No. 719-P dated 04.06.2020 'On Requirements for Information Protection in the Process of Money Transfers and on the Procedure for Bank of Russia Control over Compliance with Requirements for Information Protection in the Process of Money Transfers'.



Fig. 3. Simplified scheme of an SBP transfer between individuals.


A whole range of measures, including cryptography, risk assessment, etc., described in the detailed OPCC standards and in the requirements of Bank of Russia regulations, is used to protect SBP electronic messages in transit from the banks to the settlement centre of the Bank of Russia Payment System. The requirements of a number of regulations are limited to infrastructure security, the absence of vulnerabilities in application software, and the security of the technology. Let us consider the specifics of technology security, since the requirements for infrastructure and software analysis are essentially uniform (universal) and differ little from what banks already implement in their core activities. Building technology security is inseparable from the technology itself and from the implementation of the process.


All C2C transfers (transfers between individuals) can be conventionally divided into 3 types:

  • C2C push - a 'traditional' transfer between bank clients
  • Me2Me - a transfer to oneself, including between one's own accounts at different banks
  • C2C pull - essentially a request asking the sender to send money (currently it works only for one's own accounts and allows a client, from one bank, to collect funds from his or her accounts at other banks).

Separately, there is the process of a customer setting a bank as their default bank. When someone attempts to transfer funds to such a client, the OPCC immediately replies to the sender's bank with the beneficiary bank that is ready to accept the funds.


The mechanics are essentially the same for all three types; the detailed steps of the process are shown in Figure 4.



Figure 4. Steps of the C2C SBP transfer process.


Two stages can also be distinguished in the process: coordination of the transfer within steps 1-5 (obtaining identifiers, checking readiness for the transfer) and the transfer itself, with changes to the banks' correspondent accounts (steps 6-10).


We will not consider this process in detail and will only touch on the points that relate to the security of transfers, as well as questions that ordinary consumers of banking services often ask:

  • Spoofing or transfer of a phone number (e.g. a 'pretty' number was sold, or fraudsters had the SIM card reissued)
  • Finding a namesake in order to push a transfer (e.g. Me2Me push and pull) or changing the default bank
  • Change of details while a transfer is in progress within the SBP
  • Looking up which banks a phone-number holder has accounts with

Risk minimisation is ensured by:

  • Displaying a masked name (first name, patronymic and the first letter of the surname) of the recipient to the sender before the transfer is confirmed.
  • Strict identification of the recipient by his or her own bank: the bank verifies the customer's data and possession of the phone number before binding the number to an account.
  • Using the sender's and recipient's account numbers, rather than the phone number, for the transfer itself within the SBP. Even if fraudsters have a SIM card reissued, the money goes to the recipient's account that was registered with the bank at the time the number was legitimately held, and the fraudsters gain no access to that account.
  • Anti-fraud mechanisms, in particular the so-called scoring vectors of transaction evaluation, which are formed by the banks and the OPCC and shared among all participants of the transfer (e.g. the sender's geolocation, whether the amount is typical for the parties, etc.).
  • Multiple reconciliations at each step of the process: full names, account numbers, phone numbers, payment-session control, etc. are checked. Cryptographic protection is also applied at each step to ensure integrity and confidentiality of the data.
  • Controls against excessive requests: a sender who issues multiple requests (as few as 5-7) without completing the operation is blocked until the matter is investigated.
  • Notification of and confirmation by the user when the default bank is changed; these messages are sent directly by the OPCC.
  • Anomaly monitoring at the OPCC level, both at the infrastructure and at the business level, which allows early detection of malicious activity and atypical fraud attempts.

To summarise, the following mechanisms ensure information security of C2C transfers via the SBP:

  • Infrastructure security, ensured by using the banks' existing secure RBS channels and by fulfilling the Central Bank's requirements for the new interaction segments (Central Bank - NSPC - Banks). These include the requirements of GOST R 57580, the industry-specific STO BR standards and business requirements.
  • Application software security: assessment of application software for errors and vulnerabilities, as required by Bank of Russia regulations (including 747-P, 683-P and 719-P). Special attention is paid to the front end exposed to external attackers.
  • Security of the technology itself: anti-fraud mechanisms, the use of cryptography and the overall organisation of the transfer process.

The combination of these measures has made it possible to build a common secure transfer system across the country using simple, easy-to-use identifiers. On the basis of this C2C backbone process the Bank of Russia is developing other services: various combinations of transfers between C (individuals), B (business) and G (government).
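The two stages of the C2C flow (coordination in steps 1-5, settlement in steps 6-10) and several of the controls listed above can be illustrated with a small model. The following Python code is an added example and is not code from the article, from the Bank of Russia or from NSPK; the OPCC interface, the message fields, the `LOOKUP_LIMIT` threshold of 5 and the sample phone numbers, accounts and names are all assumptions constructed for illustration. It shows the sender being shown only a masked name, the settlement stage carrying account numbers rather than the phone number, a payment session that can be used exactly once, and a sender being blocked after too many lookups without a completed transfer.

```python
# Added example (not from the article, the Bank of Russia or NSPK): a toy model of the
# two stages of an SBP C2C transfer and of several of the listed controls. All names,
# structures and the LOOKUP_LIMIT value are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Optional
import itertools

LOOKUP_LIMIT = 5  # assumed: lookups a sender may issue without completing a transfer


@dataclass
class Recipient:
    bank: str
    account: str        # account the bank bound to the number when the client proved possession
    surname: str
    first_name: str
    patronymic: str

    def masked_name(self) -> str:
        """What the sender is shown: first name, patronymic, initial of the surname."""
        return f"{self.first_name} {self.patronymic} {self.surname[0]}."


@dataclass
class Opcc:
    """Toy stand-in for the OPCC directory, session control and clearing role."""
    directory: dict = field(default_factory=dict)  # phone -> Recipient at the default bank
    balances: dict = field(default_factory=dict)   # bank -> SBP correspondent sub-account
    lookups: dict = field(default_factory=dict)    # sender -> lookups not followed by a transfer
    blocked: set = field(default_factory=set)
    sessions: dict = field(default_factory=dict)   # session id -> (sender, Recipient snapshot)
    _ids: itertools.count = field(default_factory=itertools.count)

    def bind_number(self, bank: str, phone: str, rcpt: Recipient) -> None:
        """Only the recipient's bank, after identifying its client, may (re)bind a number."""
        assert rcpt.bank == bank, "a bank may only bind numbers to its own accounts"
        self.directory[phone] = rcpt

    def lookup(self, sender: str, phone: str) -> Optional[dict]:
        """Stage 1 (steps 1-5): resolve the number, return masked name and a session id."""
        if sender in self.blocked:
            raise PermissionError(f"{sender} is blocked pending investigation")
        self.lookups[sender] = self.lookups.get(sender, 0) + 1
        if self.lookups[sender] > LOOKUP_LIMIT:          # enumeration control
            self.blocked.add(sender)
            raise PermissionError(f"{sender} exceeded {LOOKUP_LIMIT} lookups without a transfer")
        rcpt = self.directory.get(phone)
        if rcpt is None:
            return None                                   # no default bank for this number
        sid = f"S{next(self._ids)}"
        self.sessions[sid] = (sender, rcpt)               # account fixed here, not the phone
        return {"session": sid, "bank": rcpt.bank, "name": rcpt.masked_name()}

    def settle(self, sender: str, sender_bank: str, session: str, amount: int) -> dict:
        """Stage 2 (steps 6-10): move funds between correspondent sub-accounts by account."""
        owner, rcpt = self.sessions.pop(session)          # a session is usable exactly once
        if owner != sender:
            raise PermissionError("session does not belong to this sender")
        if self.balances.get(sender_bank, 0) < amount:
            raise ValueError("sender bank has insufficient SBP liquidity")
        self.balances[sender_bank] -= amount              # instant, online, per transfer
        self.balances[rcpt.bank] = self.balances.get(rcpt.bank, 0) + amount
        self.lookups[sender] = 0                          # completed transfer resets the counter
        return {"to_bank": rcpt.bank, "to_account": rcpt.account, "amount": amount}


def sim_swap_scenario() -> dict:
    """Fraudster reissues the victim's SIM; the number still resolves to the victim's account."""
    opcc = Opcc(balances={"BankA": 1_000, "BankB": 0})
    opcc.bind_number("BankB", "+79990000001",
                     Recipient("BankB", "40817810000000000001", "Ivanov", "Ivan", "Ivanovich"))
    info = opcc.lookup("alice@BankA", "+79990000001")
    result = opcc.settle("alice@BankA", "BankA", info["session"], 100)
    # the attacker holds the SIM but is not identified by BankB, so cannot rebind the number;
    # the settlement message carried the account, not the phone, and liquidity moved between banks
    return {"shown": info["name"], "settled": result, "balances": opcc.balances}


def enumeration_scenario() -> str:
    """A sender probing many numbers without transferring gets blocked."""
    opcc = Opcc()
    opcc.bind_number("BankB", "+79990000002",
                     Recipient("BankB", "40817810000000000002", "Petrova", "Anna", "Sergeevna"))
    for n in range(LOOKUP_LIMIT):
        opcc.lookup("probe@BankC", f"+7999111{n:04d}")   # unknown numbers, no transfer follows
    try:
        opcc.lookup("probe@BankC", "+79990000002")
    except PermissionError as e:
        return str(e)
    return "not blocked"


if __name__ == "__main__":
    print(sim_swap_scenario())
    print(enumeration_scenario())
```

Running it prints the outcome of a SIM-swap scenario (the number still resolves to the account that the victim's bank bound while the number was legitimately held, because only that bank can rebind it, and the settlement message never contains the phone number) and of an enumeration attempt that is blocked on the sixth lookup. The real OPCC additionally applies the scoring vectors and per-step cryptographic checks described above, which this model omits.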
