The homepage of Sberbank of Russia’s online banking service looks reassuring at first glance, although a warning in the bottom right-hand corner reads, “Safety rules: If you are asked to enter your Sberbank Online password to cancel a transaction, don’t do it. These are con men.” Screenshot by the Russian Reader
January 30, 2019
Watch for the sleight of hand.
1. On January 25, the long-forgotten and abandoned Registry of Information Distributors or the ORI, a list of websites obliged to supply information about the activities and correspondence of their users to the FSB via SORM, suddenly added a few sites. From the perspective of the laws governing the ORI, the new additions were odd, ranging from stihi.ru, a poetry website, to such major services as Sberbank Online.
2. On January 29, Kommersant newspaper published a story, corroborated by many other media outlets, about a new, large-scale cyber confidence scheme targeting Sberbank clients. The criminals telephone clients from what appears to be Sberbank’s number (an easy enough spoof). They mislead them by providing them with loads of detailed information about their accounts, including their correct current balance. This last bit would very much appear to be a leak from Sberbank Online or an intercept of the SMS messages the bank sends to its clients.
Is it a coincidence?
But it’s definitely a vital occasion to reflect on the actual consequences of all the laws on internet surveillance. Not about the virtual fight against virtual terrorism, but the very real transfer of huge amounts of sensitive data to the FSB, whose officers are corrupt and subject to absolutely no oversight.
Translated by the Russian Reader