April 19, 2025

Banks may be obliged to return money stolen using viruses

The Bank of Russia proposes making credit institutions responsible for refunding funds stolen through customers’ banking applications if the money was stolen using a virus. However, experts point out that in such cases the bank’s application is not hacked; it is opened with a password obtained through links sent in phishing emails or SMS. Modern antivirus products are ineffective against such malware.

At a meeting of Russian President Vladimir Putin with the government, the head of the Bank of Russia, Elvira Nabiullina, drew attention to one “alarming trend”: the spread of viruses with which scammers first covertly gain control of the victim’s phone, see all the passwords on it, and then gain control of the banking application. According to her, with the client’s consent, the bank must take on and provide antivirus protection for its application. “If the client agreed, and the bank was not able to protect its application from hacking, it must compensate for what was stolen,” says Elvira Nabiullina.

In February, at the Urals cybersecurity forum, the head of the Central Bank noted that scammers are actively distributing SpyNote-type malware, with which they open banking applications and steal money from Russians’ accounts.

According to the Central Bank, over the past six months about 40-50% of thefts from citizens' accounts have been committed in exactly this way.

Lawyers believe that regulatory documents are sufficient to introduce such financial liability for banks. According to Ilya Pasenko, senior lawyer at Atlegal, amendments to the Law “On the National Payment System”, which entered into force in mid-2024, made banks liable for carrying out operations with customer funds without verifying that the operations are performed by the client and not by fraudsters.

Thus, in his opinion, the Bank of Russia can establish by its own order the criteria for fraudulent transfers made using virus programs, and banks’ liability, including the return of the client’s funds, will then arise under the current law.

27.5 billion rubles

Stolen by attackers from bank customers in 2024, according to the Central Bank

At the same time, lawyers note that fraudsters can use phishing emails or SMS to send links for downloading a virus disguised as a legitimate application. In this case, the download does not come from official app stores. Alina Laktionova, director of the St. Petersburg office of the law firm “Mitra”, notes: “Such an action can be challenged by banks as unreasonable if it is proved that the client showed gross negligence, for example, by downloading the application from an unofficial store or by clicking on a phishing link.” In her opinion, banks will most likely stipulate, as one of the conditions for exemption from liability in their relations with clients in such situations, downloading only from official app stores.

Experts believe that when a citizen has downloaded a virus onto a smartphone that gives the attacker control over the device and reads the user’s passwords and SMS codes, it is incorrect to speak of the bank’s application being hacked.

Aleksey Voylukov, MBA professor of business practice in digital finance at RANEPA, notes that in this case the bank’s application itself was not hacked, so it would be incorrect to punish the bank and there is nothing to punish it for. “Perhaps it is worth requiring that the bank’s mobile application work only alongside a running antivirus from a manufacturer approved by the Central Bank, and if it works with the antivirus turned off, the bank’s liability may arise here,” he says. But if the money is stolen while an antivirus is running, then, in his opinion, liability should fall on the antivirus developer and not the bank.

At the same time, Safetech Technical Director Pavel Melnichenko notes that “antiviruses are useful as a means of digital hygiene, but are ineffective against modern viruses for mobile platforms, and a mobile money management application should not rely on them alone.” In particular, two types of viruses are currently dangerous for banking applications: remote-control viruses (such as SpyNote) and those that intercept SMS/push messages. As Mr. Melnichenko explains, SpyNote allows the phone to be controlled remotely, and any service whose login or confirmation of operations is based on SMS/push messages can be hacked with its help: “State Services”, mobile banking or investment applications. Therefore, scammers do not need to break into the banking application itself.

In any case, the regulator’s possible requirements will demand serious improvements to banks’ mobile applications, the costs of which will be passed on to customers. At the same time, according to Aleksey Voylukov, small and medium-sized banks may find it easier to give up mobile applications altogether, but then it is not clear how to ensure that “all Russian banks in the future work with a digital ruble”.

Maxim Builov


