
Bank of Russia records first case of funds theft via the Faster Payments System

The Center for Monitoring and Responding to Cyber Attacks in the Banking and Financial Sector (FinCERT) of the Bank of Russia has identified a new method of funds theft via the Faster Payments System (SBP). This is the first known theft of funds using the system, according to Kommersant.

Attackers exploited a vulnerability in one of the bank’s systems, the name of which is not disclosed. They managed to obtain client account data by brute-force enumeration, using undocumented API capabilities.

Having authenticated as clients, the attackers launched the bank’s app in debug mode and sent a request to transfer funds to an account at another bank.

Before executing the transfer, instead of the sender’s account, they specified the account number of another customer of that bank. The system did not verify who owned the account and issued the SBP instruction to transfer funds.
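The missing ownership check described above, as an added example that is not from the article or the affected bank: a hypothetical transfer handler that trusts the sender account in the request, next to one that binds it to the authenticated session. All function names, client ids and account numbers are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample ledger: account number -> owning client id (hypothetical).
ACCOUNT_OWNERS = {"ACC-1001": "client-a", "ACC-2002": "client-b"}


class TransferRejected(Exception):
    """Raised when a transfer request fails server-side validation."""


@dataclass(frozen=True)
class TransferRequest:
    sender_account: str   # arrives in the request body, so it is untrusted
    recipient_bank: str
    recipient_account: str
    amount_minor: int     # amount in minor currency units


def _instruction(req: TransferRequest) -> dict:
    # Stand-in for the payment instruction handed to the payment rail.
    return {"debit": req.sender_account, "credit_bank": req.recipient_bank,
            "credit": req.recipient_account, "amount_minor": req.amount_minor}


def build_instruction_unchecked(session_client: str, req: TransferRequest) -> dict:
    """Flawed pattern: the session is authenticated, but the debited account
    is taken from the request without checking who owns it."""
    return _instruction(req)


def build_instruction_checked(session_client: str, req: TransferRequest) -> dict:
    """Hardened pattern: the debited account must belong to the session's client."""
    owner = ACCOUNT_OWNERS.get(req.sender_account)
    # Same error for "unknown" and "someone else's" account, so responses
    # cannot be used to enumerate which account numbers exist.
    if owner is None or owner != session_client:
        raise TransferRejected("sender account not available to this client")
    if req.amount_minor <= 0:
        raise TransferRejected("invalid amount")
    return _instruction(req)
```

The check has to run on the server at the point where the instruction is built, since anything the client app sends, including the sender account field, can be altered before it arrives.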

The Bank of Russia confirmed the existence of the problem and said that the vulnerability has been fixed. Official representatives stressed that it did not affect the system software and that the SBP itself remains reliable.

The central bank remains confident that the SBP will meet the demand for fast payments.

Bank of Russia head Elvira Nabiullina has cited precisely the ability to make fast payments as the explanation for the popularity and growth of cryptocurrencies.

According to some experts interviewed by ForkLog, SBP and digital assets are intended for entirely different purposes and therefore cannot compete with each other.
