Siri, the voice assistant installed on Apple devices, can be used for fraud, bankers have acknowledged. It can be used to withdraw funds from an account even when the screen is locked.
Siri, the program that lets users control some iPhone models by voice, can also serve as an assistant for fraud. It allows messages to be sent from the lock screen, and therefore transfers to be made if the user's bank lets customers make them by SMS to a phone number. An employee of Sberbank, where such transfers are available via SMS in the mobile bank, told RBC about this.
If the phone falls into the hands of a fraudster, a sequence of commands is enough to transfer money from the account tied to the phone number. RBC tested this possibility and found that it works. “Siri, send a message to the number nine, zero, zero” is how the sequence of voice commands begins. 900 is the number of Sberbank's mobile bank. In the message, the word “transfer” and the recipient’s phone number must be dictated to the assistant, also one digit at a time.
Sberbank requires confirmation of a transfer by SMS message. After the bank sends the code, it is necessary to ask Siri to read the last message and to send the five-digit code to the number 900, also using Siri. The transfer went through; the whole operation took about two minutes.
For the attacker, several factors must coincide for such an operation: they need access to someone else's Apple device with the Siri voice assistant installed, whose owner is able to make transfers by phone number via SMS messages. Sberbank does not comment on possible cases of theft of its clients' money using Siri, although it knows about the problem. “We are working with Apple so that, at the operating system level, manipulation of the device through Siri functionality and SMS-banking functionality is not possible,” Sberbank's press service told RBC.
The bank also added that it tracks all client transactions and that suspicious ones are blocked automatically. “The security system stops transactions if they are abnormal, for example by time or amount, or if a payment goes to a number on the blacklist,” said an official representative of the credit institution.
Sberbank is not the only credit institution that lets customers transfer money or pay for other services by SMS. A similar mobile-bank service is offered, in particular, by Alfa-Bank: the SMS bank “Alfa-Check”. The credit institutions say they do not know of cases where this type of fraud has hurt their clients. “It is unlikely that they will become widespread; we do not leave our phones unattended that often,” said Vladimir Bakulin, head of the electronic business monitoring department at Alfa-Bank.
At the same time, he admitted that customer accounts may be vulnerable to fraud through voice commands. “We at the bank have tested the possibility of dialogue with Siri. In our opinion, the only limitation for fraud may be the complexity of the text that you want to send,” says Bakulin. He did not manage to send money to another mobile phone, although he admits that the assistant carries out short commands.
To reduce the risk of fraud, Alfa-Bank has introduced a limit on the maximum amount of transfers via SMS of 500 RUB per day. “To make a transfer via SMS for a large sum, the client must create a template in the Internet bank, but transfers are still limited to no more than 25 thousand rubles,” said a representative of Alfa-Bank. He also added that for any non-standard transactions a monitoring service steps in and calls the customer.
At Sberbank, according to the current tariffs, the limit is 8 thousand rubles for a transfer to a bank account; when paying for their own mobile phone a client cannot spend more than 3 thousand rubles per day, and no more than 1.5 thousand rubles a day can be transferred to a third-party phone. Services for instant transfer of funds using SMS messages are also offered by Gazprombank and “AK BARS” (they did not respond to RBC's request).
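The controls the banks describe above (a daily cap on SMS transfers, a recipient blacklist, and a hold with a call to the customer for transactions at abnormal times) can be combined into one server-side check. This is an added example, not code from any bank named in the article; the 1,500 RUB cap is the Sberbank third-party-phone figure quoted above, while the night-hours window, the class name and the phone numbers are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Daily cap for SMS transfers to a third-party phone, as quoted in the article.
DAILY_CAP_RUB = 1500
# Assumption: hours treated as "abnormal by time"; the article gives no window.
NIGHT_HOURS = range(1, 6)


@dataclass
class SmsTransferMonitor:
    """Hypothetical server-side gate for SMS-initiated transfers."""
    blacklist: set
    # (sender, calendar date) -> RUB already allowed that day
    spent: dict = field(default_factory=lambda: defaultdict(int))

    def check(self, sender, recipient, amount, when):
        """Return (decision, reason) for one SMS transfer request."""
        if recipient in self.blacklist:
            return "block", "recipient on blacklist"
        key = (sender, when.date())
        if self.spent[key] + amount > DAILY_CAP_RUB:
            return "block", "daily SMS cap exceeded"
        if when.hour in NIGHT_HOURS:
            # Abnormal time: do not execute, hand over to the monitoring
            # service that calls the customer.
            return "hold", "unusual hour, call customer"
        self.spent[key] += amount  # only executed transfers count to the cap
        return "allow", "within limits"


def demo():
    """Run the gate over constructed sample requests (not real data)."""
    victim, mule, listed = "+70000000100", "+70000000200", "+70000000001"
    m = SmsTransferMonitor(blacklist={listed})
    day = datetime(2016, 10, 1, 14, 0)
    return [
        m.check(victim, mule, 1000, day),                      # first transfer
        m.check(victim, mule, 600, day),                       # would reach 1600
        m.check(victim, listed, 100, day),                     # blacklisted
        m.check(victim, mule, 400, day.replace(hour=3)),       # night-time
        m.check(victim, mule, 500, day.replace(hour=15)),      # exactly at cap
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The cap bounds the loss from a phone left unattended, but it does not stop the first small transfer; that is why the banks pair it with the lock-screen setting described later in the article.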
Tinkoff Bank offers customer service via SMS, but these services are only notificational and advisory in nature. For example, by SMS you can query the card balance or block the card, and get information about the client's accounts and deposits. To manage accounts, however, “Tinkoff” offers a Telegram bot. “Instant messengers do not interact with Siri directly, i.e., giving a command to the messenger through Siri without unlocking the device will not work,” says Daria Ermolina, a representative of TCS Bank.
In addition, Tinkoff Bank said, in some cases the bank may require customer verification. “We can send an SMS code, ask the client to log in to the personal account, or even call for voice verification,” said Ermolina. According to her, the bank has a system for recognizing clients' voiceprints, which records several dozen voice parameters that are unique to each person.
Despite the security measures taken by banks, the most effective protection against scammers is a ban on mobile-banking transactions through voice assistants. “At present a ban on this kind of manipulation is set at the level of the operating system settings: in the Siri settings you can disallow access to Siri when the screen is locked,” Sberbank advises. Alfa-Bank gives the same advice. If control over the phone is lost, bankers advise immediately contacting the operator to block the phone number, and also the bank to block payment instruments.
“If an iPhone is stolen or lost, you should in any case force it to be blocked through the site; this will cut off access to Siri. And the most important guideline is to decide whether you need this application and how often you use its services. If the answer is ‘not very’, then it is better not to use it,” said Andrei Bryzgin, head of “audit and consulting” at Group-IB.
He warns of a possible upsurge in cases of fraud using Siri. In the latest version of its operating system, Apple gave the voice assistant access to mobile applications, he explains, and developers of mobile banking apps will probably use this opportunity to allow payments to be sent through the voice assistant.
As RBC previously wrote, the number of crimes involving theft of funds via mobile devices has been growing at a record pace in recent years. According to Group-IB's estimates, the total amount of funds stolen by hackers from Russian banks from July 2015 to July 2016 amounted to RUB 5.5 billion. Bankers are also seeing an increase in the number of cyber crimes and in the cost of information security. As Stanislav Kuznetsov, Deputy Chairman of Sberbank, said previously, the number of information security incidents has increased 12-fold over the past two years. In 2015, the country’s largest bank spent about 1.5 billion rubles on information security, or 0.7% of net profit under IFRS.