Anna Goldstein: Instant Payment System Secured at Different Levels

26 June 2019

The Instant Payment System (IPS) has an entire toolkit to ensure security of all its participants. The service is secured at different levels. This topic was covered by Anna Goldstein, a representative of National Payment Card System (NSPK) at the International Cybersecurity Congress (ICC). The Bank of Russia is the IPS operator and settlement center, while NSPK is the operations, payment and clearing center (OPCC).

“From the very beginning, when developing a payment processing technology, we adhered to the following principle: the more risks are covered from the very beginning, the more secure the service is. This is a general approach of the Bank of Russia to the national payment system: not only information security measures and anti-fraud measures should be taken for its protection, but technological security measures as well. These include digital signature, several control loops, additional data elements used to check the integrity of message details, control over duplicates, etc. Eventually, we implemented a lot of measures. Another challenge was the fact that the highest requirements for performance and reliability were imposed on IPS OPCC, which obviously must be followed by the implemented security methods. In terms of performance, architecture flexibility and reliability, it was decided to implement information security controls to sign and encrypt messages at the application layer. However, as at that time the market did not have best operating practices of a round-the-clock support for a transfer service that was previously used only by the Bank of Russia, it was necessary to arrange its support for the entire financial sector, because any technology in the payment terms must have a 24/7 support. In general, many issues had to be worked out to implement the required security level of IPS. This was made possible, first and foremost, due to the joint work of the Bank of Russia, NSPK and banks participating in the FinTech Association, which were the first to start testing IPS,” Goldstein shared her experience gained in NSPK.      

She noted that a number of issues related to the anti-fraud were successfully settled.

“Most of them were related to performance: the choice of points – where, in what message flow points data should be taken during the transfer in order to have time to process it and give answers within the proper time period, what measures to use for this purpose. Finally, we solved this problem in a hybrid way, i.e. using a proprietary module and practices of an external vendor,” noted Goldstein.       

According to her, security-wise, one of the main differences of interbank p2p transfers from intrabank transfers is that a payer’s bank even having the most advanced anti-fraud systems does not have information about a recipient of the transfer.

“This task is common for all interbank transfers, and one may cope with it only by combining anti-fraud information of both parties, i.e. a payer’s bank and a recipient’s bank. This requires a possibility to exchange information, and we technologically laid the basis for it when building the Instant Payment System. Protection of a particular bank customer is not a direct task for NSPK as an operations and clearing center: we are talking about a layered anti-fraud, when each participant of IPS covers its own set of risks at its level, while OPCC covers its own one. For example, a bank protects its customers, and this is its direct responsibility. For the bank to do this efficiently, we added a possibility to exchange information on risk assessment. This is an indirect participation of the Bank of Russia and NSPK in this process,” explained Goldstein.  

She also noted that the main task of general anti-fraud processes in IPS set by the Bank of Russia to National Payment Card System as OPCC was protection of banks participating in IPS, including countering of large withdrawals of funds and ensuring data security of their customers that used IPS.

In response to a question about potential risks associated with attacks aimed at obtaining information about customer accounts, Anna Goldstein noted: “Such attacks are not unique for interbank transfer services. Almost any retail bank that supports remote service facilities has a service that allows to send money to a phone number. Malicious attackers may try to use this facility to obtain information about a particular customer bank account with a given phone number. As a countermeasure, a layered mechanism was implemented in the Instant Payment System. This means that banks continue to detect attempts by their customers to scan information about other customers’ accounts within their proprietary anti-fraud processes regardless of the channel used: intrabank or interbank, including IPS. This is the first line of defense. The second line is OPCC, where on-line mechanisms revealing scanning attempts are used, i.e.   non-typical transactions whose purpose is not a money transfer, but an attempt to find out information about a customer’s account. Such transactions are suspended in accordance with the powers granted by the Bank of Russia to NSPK. In general, it appears that anti-fraud solutions of banks are effective, only isolated cases reach us.”