
Fraudsters have begun defrauding Russians en masse using virtual, or tokenized, cards for smartphone payments, the Central Bank told Izvestia. Attackers persuade a client to link a particular card to an electronic wallet on his phone, for example Mir Pay, and then to deposit cash onto it through an ATM, supposedly to keep the money safe; the owner never sees it again. The person does not worry about security because he is using his own phone. The largest banks confirmed that this scenario is widely used, and the market is concerned about the problem. To protect Russians, the authorities propose prohibiting deposits to newly created virtual cards for two days, the Central Bank said.

How virtual cards work

The fraud scheme involving virtual (or tokenized) cards has been used increasingly in recent months, the Central Bank told Izvestia. It explained that such a card can be issued on a smartphone using a banking application or a separate dedicated app, such as the Pay services.

Google Pay and Apple Pay do not currently work in Russia, and Samsung Pay cannot be used to pay with Mir cards. However, Android users can still use Mir Pay and, for example, Sber Pay for one-touch payments.

A phone in a person's hands
Photo: Izvestia/Pavel Volkov

The spread of the tokenized-card fraud scheme also worries the largest credit institutions: they confirmed to Izvestia that it is now used on a mass scale in Russia. OTP Bank described in detail how the scenario works.

First, the victim receives a call, either an ordinary phone call or through a messenger. Posing as a law enforcement officer or a Central Bank employee and using various pretexts (for example, that the money must urgently be transferred to a "safe account"), the fraudsters convince the victim to perform a series of actions. First the victim has to withdraw all of his funds in cash, including credit funds, said Sergey Lapikhin, head of the banking security department at OTP Bank.

After that, if the person has an Android phone, he has to download Mir Pay from the app store. If the victim has an iPhone, he may even be persuaded to buy any inexpensive Android phone, Lapikhin said. The victim is then asked to add a fraudulent virtual card there, using details dictated by the criminal.

- Then the person is persuaded to go to an ATM of any credit organization that supports contactless service (in Russia these are now the majority). After that, he is to hold the phone to the NFC (Near Field Communication) tag and enter the PIN code dictated by the fraudster, and then top up the fraudulent card linked to Mir Pay with cash, - said Sergey Lapikhin.

An ATM
Photo: Izvestia/Andrei Ershtrem

Next, according to the expert, in most cases the criminal instructs the victim to delete the previously linked card from Mir Pay to cover the traces. In reality, it is the attackers who have access to the card, Sber emphasized. The criminals can withdraw these funds and use them.

This scheme lulls the person's vigilance, because he does not see any information about the recipient of the money, the Bank of Russia summarized. In such schemes the virtual card is most often issued immediately before the cash is deposited at an ATM, the Central Bank said.

How to fight phone scammers

To combat the tokenized-card scheme, the Bank of Russia proposes tightening the requirements for depositing cash onto such cards through ATMs, the regulator said. Credit organizations would be obliged to restrict account top-ups of more than 50 thousand rubles within 48 hours of the issuance of a virtual card. This measure, among others, is included in the bill on a "cooling-off period" for loans, which the State Duma may consider as early as January 15.

Izvestia Reference

The deputies' bill on a "cooling-off period" for loans was submitted to the State Duma at the end of December. Its main innovation is that citizens will not receive loan money immediately after the loan is arranged: the bank will be able to transfer funds to the borrower no sooner than four hours later for amounts from 50 thousand to 200 thousand rubles, and no sooner than 48 hours later for amounts over 200 thousand. This is needed to protect people from social engineering: they will have time to think. Russia already has a similar "cooling-off period" for suspicious transfers.

- Setting limits and a cooling-off period for crediting funds to tokenized cards is a measure that will help avoid situations in which a person, under the influence of a fraudster, takes out a cash loan at one bank and then deposits the money to a so-called safe account at another, - said Evgenia Lazareva, head of the People's Front project "For the Rights of Borrowers" and coordinator of the "Moshelovka" platform.

Ruble banknotes
Photo: Izvestia/Sergey Lantyukhov

VTB, Novikom, Dom.RF and Renaissance Credit also agree that the authorities' proposals will be effective in the fight against fraud with tokenized cards, they told Izvestia.

To make the fight against fraud more effective, starting in the spring of 2025 NSPC (the developer of Mir Pay and the operator of Mir cards) will send banks information on how many virtual cards have been issued for one account and how long ago they were issued, the company told Izvestia. Financial institutions, in turn, will be able to track and restrict cash deposits to the account through tokenized cards within 48 hours of their issuance.

In addition, NSPC plans to launch an optional service in the spring that will let the company, on the bank's behalf, restrict cash deposits to a tokenized card if it was issued less than two days earlier, the organization added.
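As an added illustration (not code from Izvestia, the Bank of Russia or NSPC), the sketch below shows how a bank could screen ATM cash deposits once it knows when each token was issued and for which account. The data layout, the decision labels and the reading of the 50 thousand ruble limit as cumulative per account are assumptions; the 48-hour window and the threshold come from the article.

```python
from datetime import datetime, timedelta

COOLING_WINDOW = timedelta(hours=48)  # window named in the article
LIMIT_RUB = 50_000                    # threshold named in the article

def screen_deposits(tokens, deposits):
    """tokens: {token_id: (account_id, issued_at)}; deposits: [(token_id, rub, when)].
    Returns [(token_id, rub, decision)] in time order."""
    fresh_total = {}  # account_id -> rubles accepted via tokens younger than 48 h
    out = []
    for token_id, rub, when in sorted(deposits, key=lambda d: d[2]):
        if token_id not in tokens:
            # No issuance data for this token: its age is unknown, so route to review.
            out.append((token_id, rub, "review"))
            continue
        account, issued_at = tokens[token_id]
        if when - issued_at >= COOLING_WINDOW:
            out.append((token_id, rub, "allow"))
            continue
        # Assumption: the limit is cumulative per account, so several fresh
        # tokens on one account share a single 50,000-ruble budget.
        total = fresh_total.get(account, 0) + rub
        if total > LIMIT_RUB:
            out.append((token_id, rub, "block"))
        else:
            fresh_total[account] = total
            out.append((token_id, rub, "allow"))
    return out

# Constructed sample data (not real tokens, accounts or transactions).
t0 = datetime(2025, 3, 1, 10, 0)
TOKENS = {
    "tok-1": ("acct-A", t0),
    "tok-2": ("acct-A", t0 + timedelta(minutes=30)),
    "tok-3": ("acct-B", t0 - timedelta(days=9)),
}
DEPOSITS = [
    ("tok-1", 30_000, t0 + timedelta(hours=1)),
    ("tok-2", 30_000, t0 + timedelta(hours=1, minutes=20)),
    ("tok-2", 20_000, t0 + timedelta(hours=1, minutes=30)),
    ("tok-3", 200_000, t0 + timedelta(hours=2)),
    ("tok-9", 10_000, t0 + timedelta(hours=2, minutes=5)),
    ("tok-1", 10_000, t0 + timedelta(hours=48)),
]

if __name__ == "__main__":
    for row in screen_deposits(TOKENS, DEPOSITS):
        print(row)
```

Counting the total per account rather than per token is what makes the number of tokens issued for one account, which NSPC plans to report, relevant to the decision.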

A hacker
Photo: Izvestia/Anna Selina

In the meantime, to avoid falling victim to attackers, the Bank of Russia recommends that citizens not download any mobile applications or programs, not perform any actions in banking or other applications, and not follow unknown links at the request of strangers, the Central Bank reminded. Personal and financial data should not be disclosed to strangers, whatever the pretext or method they use to try to obtain it.
