According to the publication of the Center for monitoring and responding to computer attacks in the financial sphere of the General Directorate of protection and information security at Bank of Russia (FinCERT), the Central Bank reported a new type of fraud during the transfer of funds between cards through ATMs.
The document says, "previously expected TRF-attacks (transaction reversal fraud) did not occur, but a new method of such an attack was recorded based on the imperfection of the scenarios for processing transfers from card to card using ATMs."
The fraud method is connected with the imperfection of the p2p-transfer scenario (transfer between individuals). In particular, when the transaction is cancelled, the fraudster has the opportunity to withdraw the transferred amount from another card and at the same time keep the money in his account.
The algorithm is quite simple. First, a transfer operation between individuals is selected and the card number of the beneficiary is indicated. The terminal sends two authorization messages to the beneficiary's Bank and to the sending Bank. After two approvals have arrived, the actual translation is performed.
However, the ATM then asks the sender for confirmation of the debit fee, but he does not agree, and a message about the return is sent to both Banks. As a result, the temporary holding of funds is removed from the sender's account, he saves all the money, but the beneficiary during this time withdraws the transfer from his card.
The Central Bank advises Banks to check the correctness of ATM scenarios. So, the approval for the cancellation of the operation to the sender should come only after the message about the successful return of the transferred funds from the beneficiary's Bank.
Another measure to combat this type of fraud is to obtain consent to charge a transfer fee before sending authorization messages for the operation.
The sender bank is responsible for the success of such attacks, said Alexei Golenishchev, the Director of e-business monitoring at Alfa-Bank.
In May, Ehackingnews described another type of fraud with Sberbank ATMs. The attacker did not insert a Bankcard into the machine, chose any operation and did not complete it. When the next customer came to the machine, he saw on the screen of ATM a proposal to insert the card and enter the pin code. When he did all, the operation of the attacker was automatically completed, after which the money was debited from the cardholder's account. Later, Sberbank said that Bank solved this problem and the attackers could not withdraw money anymore.
