Fund e-commerce hit by a new type of crime


By reporters Xu Hao and Lu Hui Jing, from Shanghai

Recently, several fund companies have quietly upgraded their systems and raised their security standards. Some have suspended the ability to move funds in and out across different cards, and some have switched off additional service scenarios. "The company has recently been grappling with network system security issues," one fund company told the Daily Economic News reporter.

It is reported that Beijing and Shanghai have recently seen several cases of a new type of financial crime in which money is stolen from other people's bank cards by routing it through fund direct-sales accounts. The loopholes the suspects exploited are features that fund companies added in recent years to improve the experience of direct-sales customers. This has prompted fund companies, which have long emphasized "user experience first", to reflect on whether simplified fund account registration and bank account linking are really safe enough.

On the other hand, as fund websites keep adding applications beyond fund trading and all kinds of mobile applications go online, the number of exposed risk points in their network systems is also growing.

At the same time, there is considerable disagreement within fund companies about how to strike a balance between "attracting customers" and "protecting customers". The e-commerce department and the audit department, because of their different positions, find it hard to agree on this question.

Case: easy account opening and cross-card redemption exploited as "loopholes"

Recently, a criminal case in Beijing, in which a suspect stole money from other people's bank cards using fund direct-sales accounts as a "bridge", has drawn the attention of fund industry insiders.

According to a bulletin from the Beijing Haidian Procuratorate, on December 5 last year the victim, Ms. Zhang, reported that 130,800 yuan had been transferred out of her son Mr. Chen's bank card. On inquiry, Mr. Chen learned that the 130,887 yuan originally on the card had been transferred to a fund account in two transactions. After Mr. Chen contacted the bank and the fund company, both customer service desks confirmed the two transactions. The fund company told Mr. Chen that a fund account had previously been opened in his name, that the fund had been bought twice, and that the shares had finally been redeemed to an Agricultural Bank of China (ABC) card tied to the fund account and opened in Mr. Chen's name.

After their arrest, the four suspects, including Zhu, confessed to the entire crime. First, Zhu and the others bought card-holder information in a QQ group: the card owner's name, reserved phone number, ID card number, bank card number and bank card password. Next, they had someone look up the front photo of the victim's ID card from the ID number, had someone make a temporary ID card from the scanned photo, and went to the Agricultural Bank of China to open a new card in Mr. Chen's name. Third, they used the money on Mr. Chen's original bank card to buy fund shares, repeatedly redeemed those shares to the newly opened ABC card, and finally withdrew the cash.

Simple fund account opening, and the ability to add a card in the same name under the account, are among the reasons the criminals chose this method. In addition, the fund company's verification method is online-banking verification: entering the name, ID number, bank card number and online-banking login password is enough to open an account, with no U Shield or mobile phone verification code required. Furthermore, another card in the holder's own name can be added to the fund account simply by entering the other card number, name, ID number and withdrawal password; once bound, money can be transferred out to that same-name card.

"This is a relatively new modus operandi," Procurator Li Hui said in an interview with the Daily Economic News reporter. Coincidentally, Shanghai has recently seen several similar cases in the industry. In fact, this method of crime is already fairly mature in the suspects' circles, and they often exchange information in QQ groups. The four suspects in this case had a division of labour: whenever they needed someone to provide information or help with cards, they simply posted in the QQ group, someone responded, and with money it could be bought.

Prosecutors believe there are loopholes in fund companies' online trading processes. From the suspects' confessions, they mainly exploited the convenience of account opening and card redemption, both features that fund companies added in recent years to improve the direct-sales customer experience.

Root cause: the quick online fund account-opening mode

In this "fund-share theft" case, the suspects broke through multiple links one by one, from account opening to share redemption, and this has led the industry to review the safety of online fund transactions.

It is understood that fund companies' official websites currently use three main account-opening modes: quick account, gateway mode and U Shield account.

A quick account means buying funds directly in the online trading system without the bank card needing online banking, payment or similar functions enabled. To apply for a fund account the investor simply provides their debit card number, customer name, ID type, ID number, the mobile phone number reserved with the bank and other information; the fund company verifies this information through the bank against the investor's records in the banking system, and if the information matches, the agreement with the fund company can be signed and the fund account opened.

Gateway mode requires a jump to the bank's gateway, where the bank card password is entered and sent to the bank's back end for verification; the U Shield account is the earliest mode and the most stringent.

"The fund account opening process has been criticized for a long time. After opening the fund account through gateway mode, 30% to 60% of customers fail for various reasons such as communication signals, which affects some customers' account opening. Therefore some fund companies later introduced quick accounts, moving risk appetite and other aspects of account opening to after the account is opened." The general manager of the Internet finance department of a fund company in South China pointed out that "the more convenient it is, the higher the security vulnerability will be."

It should also be noted that a fund company's direct-sales account rules are not decided unilaterally by the fund company; they are the result of agreements negotiated with the banks, and bank requirements vary.

A Daily Economic News reporter randomly selected banks to try the process and found that when opening an account with China Fund and choosing an Industrial and Commercial Bank of China card, the second step, identity verification, immediately asked for the phone number pre-stored with the bank. Opening with a Shanghai Pudong Development Bank card used the gateway-jump mode, and the whole process involved no U Shield or SMS verification code prompt.

In the fund industry's view, however, account opening is not the most important link in the risk-control chain.

"In fact, opening fund accounts is not a big problem, and opening an account without a U Shield is not the first priority. The key is actually the latter part, which comes down to the general principle that money should go back to where it came from," the chief inspector of a fund company in Shenzhen pointed out.

The "money goes back to where it came from" rule the chief inspector refers to is what is usually called the closed-loop funds business rule.

However, fund companies apply different standards to what counts as a safe closed loop, and the industry is not uniform on whether fund shares may be redeemed across different cards belonging to the same user.

Huaxia Fund stresses on its official website "real-name account authentication, same-name access to the capital account, and digital-certificate encryption." According to Huaxia Fund customer service, apart from ICBC, China Construction Bank and Huaxia Bank, fund shares subscribed with other banks' cards can be redeemed across cards, although the amount limits vary from bank to bank. Huaxia Fund therefore understands "safe closed loop" as access to bank cards belonging to the same customer.

Huitianfu Fund and Wanhua Fund have business rules similar to Huaxia Fund's. Huitianfu Fund said its Huitianfu Cash Treasure has always run on the "closed-loop funds" principle: users can only bind bank cards in their own name and cannot transfer or make payments, but among several cards in the same name they can redeem to a different card. Boshi Fund, China Merchants Fund and GF Fund are explicit that a customer's subscription and redemption money goes in and out only through the same card.

"We understand closed loop as funds going out only through the card they came in on," a fund manager in South China said. "Redeeming shares to a different bank card under the same user could also be called 'closed loop', but going out through the same card has a very high safety factor," the Internet finance manager of the South China fund company said.

In the case above, the second card bound in the same person's name was effectively out of the card owner's control and in the hands of the suspects, creating a loophole through which the money could be diverted.

Dispute: sacrifice user experience, or security?

Fund companies cannot do without innovation, but innovation carries risk, and how to balance user experience against risk control has become a problem for them.

"The Internet security problem this case reflects is the inability to verify a customer's identity. E-commerce has also had problems with theft of goods, but the combination of the Internet and finance has to take into account the particularities of the financial industry: large amounts of intangible goods, and therefore more need for attention," said a fund company audit department.

This represents the view of most audit and oversight units: safety is the top priority.

"If you cannot manage the risk, you should not develop it," the inspector general of a South China fund company said frankly. "Now it is just a few scattered cases. If the risk explodes, then even if the fund does not sell, you cannot provide such a service. There is a responsibility to keep the risks under control."

However, there are disagreements within fund companies. Business units generally believe that over-emphasis on risk control should not be allowed to go too far and burden users.

"I do not think these cases are a small-probability event, and we cannot lose the convenience of most people because of this," said a director of e-commerce at a fund company in Shanghai. "Users need to have the most basic awareness of information security, and hope to rely on institutions to isolate it completely. For example, in this case, where even the most crucial information has been stolen, how can we expect the fund company to identify whether the account was opened by the person himself?"

Yu'e Bao (Balance Treasure) swept the market precisely because it streamlined the user's operating process, and this greatly shook the fund companies. Since then, fund companies' e-commerce businesses have had to talk about "user experience".

In fact, even where fund companies stipulate that fund shares only go in and out through the same card, the other value-added innovative features they offer, such as free transfers, credit card repayment and shopping, remain potential risk points.

"The risk exposure of free transfers and cross-bank redemption is similar; there is no particularly big difference in essence," a fund manager in Beijing said, adding that the same goes for credit card payments.

Bank card replacement is also seen by the industry as a possible way of breaking through the same-card-out rule. "For example, when a customer moves to a different place, there is a genuine need to change cards, and fund shares can then also be redeemed across cards," the inspector of the Shenzhen fund company above disclosed.

At present, fund companies generally apply two standards to the card-change process: if the card is empty, the user can replace it by themselves; if the card still holds fund shares, the user must submit a variety of documents, and the replacement can only be carried out within the same bank.

"After controlling same-card in and out, the card-change process also needs a rigorous review so that a higher safety factor can be guaranteed," the inspector general said.
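The closed-loop rule and the card-change rule described above, as an added example (not code from any fund company named in the article): a small model in which every share lot remembers the card that paid for it, so the strict "same card out" policy can be checked against the looser "same name" policy, and a card holding shares cannot be swapped out without verified documents and the same bank. All card numbers, IDs and bank names are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Card:
    number: str
    holder_id: str   # ID card number of the card holder
    bank: str

@dataclass
class Lot:
    shares: float
    funding_card: str  # card number that paid for these shares

@dataclass
class FundAccount:
    holder_id: str
    cards: dict = field(default_factory=dict)   # card number -> Card
    lots: list = field(default_factory=list)

    def bind_card(self, card: Card) -> bool:
        """Only a card in the account holder's own name may be bound."""
        if card.holder_id != self.holder_id:
            return False
        self.cards[card.number] = card
        return True

    def subscribe(self, card_number: str, shares: float) -> None:
        if card_number not in self.cards:
            raise ValueError("funding card is not bound to this account")
        self.lots.append(Lot(shares, card_number))

    def redeem(self, dest_card: str, shares: float, policy: str) -> bool:
        """Check only (does not debit). policy is 'same_card' (strict closed
        loop: shares leave only via the card that funded them) or 'same_name'
        (any bound same-name card may receive the redemption)."""
        if dest_card not in self.cards:
            return False
        if policy == "same_name":
            allowed = sum(lot.shares for lot in self.lots)
        elif policy == "same_card":
            allowed = sum(lot.shares for lot in self.lots if lot.funding_card == dest_card)
        else:
            raise ValueError("unknown policy")
        return shares <= allowed

def can_replace_card(acct: FundAccount, old: str, new: str, docs_verified: bool) -> bool:
    """Card-change rule: an empty card may be replaced by the user alone; a card
    still holding shares needs verified documents and a new card at the same bank."""
    holds_shares = any(lot.funding_card == old for lot in acct.lots)
    if not holds_shares:
        return True
    return docs_verified and acct.cards[old].bank == acct.cards[new].bank

def article_scenario(policy: str) -> bool:
    """Replays the case: shares bought with the holder's original card, then a
    redemption requested to a newly bound second card in the same name."""
    acct = FundAccount(holder_id="ID-SAMPLE-0001")
    original = Card("6228-ORIG-0001", "ID-SAMPLE-0001", "ABC")
    new_card = Card("6228-NEW-0002", "ID-SAMPLE-0001", "ABC")
    acct.bind_card(original)
    acct.bind_card(new_card)   # same name, so binding succeeds under both policies
    acct.subscribe(original.number, 130887.0)
    return acct.redeem(new_card.number, 130887.0, policy)
```

Under the strict policy the redemption to the newly bound card is refused; under the same-name policy it goes through, which is exactly the gap the article describes.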

Industry: high-risk loopholes in Internet finance systems recur

Besides process loopholes there may be system loopholes, and the losses caused by system vulnerabilities are harder to measure. With the deep integration of the financial industry and the Internet, the number of direct-sales website customers of fund companies has grown by leaps and bounds. Last year, fund direct-sales platforms surpassed the banking channel for the first time to become the largest channel for fund purchases, with turnover of up to 2.33 trillion yuan. As a result, the network security of online fund transactions has attracted more and more attention from all parties.

According to statistics from the National Internet Emergency Response Center (CNCERT), government and financial industry websites have always been the key targets of criminals attacking security vulnerabilities, and this is the main cause of attacks on important networked information systems.

Fan Zhenhua, general manager of the Innovation Support Department of Celestica Fund, believes the overall security-level protection requirements for fund company websites are relatively high. "The regulators' protection requirements are graded. Fund companies generally comply with this code, and the regulators also conduct inspections."

However, on the privately founded vulnerability reporting platform "cloud network" (WooYun), the reporter found many vulnerability reports on fund company website systems, many of them concerning large Internet finance companies in recent years, with vulnerability levels ranging from medium to high.

For example, some high-risk vulnerabilities include "multiple serious loopholes in XX Cash Treasure (which can take over other accounts)", "XX Fund user account security risks allowing sensitive information such as fund transactions to be obtained", and "XX Fund account management system command execution and XSS loopholes".

Some of these have been confirmed and repaired by the fund companies, but others have not yet been confirmed. However, one fund company concerned responded to the Daily Economic News reporter that it had already upgraded its system long before the post was published and that the loopholes mentioned in the post do not exist.

The latest issue of CNCERT's Internet Security Threat Report shows that most security incidents involve vulnerabilities in web applications such as SQL injection, weak passwords and permission bypass. Some are vulnerabilities in the application software used by information systems and may lead to hazards such as gaining administrative back-end privileges, information disclosure and malicious file upload, and may even put the host at risk of remote control by criminals.

Such Internet companies operating online trading information systems hold a large amount of information on users' funds, real identities, economic conditions and spending habits; when a system security problem occurs, the risk spreads to associated banks, securities firms, e-commerce and other industries, producing a chain reaction.

In addition, the Internet and mobile technologies have lowered the threshold for use, bringing new security risks along with convenience. In December 2013, the iOS Alipay Wallet client was disclosed to have a password vulnerability: entering the password five times in a row caused the password to expire, allowing an attacker to enter the mobile Alipay account without any password.
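The failure mode just described is a lockout that fails open. The following is an added, hypothetical model (not Alipay's code, and it assumes nothing about how the real client was implemented) showing a flawed policy that "expires" the password after too many attempts and then waves later logins through, beside the corrected policy that locks the account and only reopens it after an out-of-band reset.

```python
import hmac

MAX_ATTEMPTS = 5

class FailOpenLogin:
    """Flawed policy (model of the bug in the article): after MAX_ATTEMPTS
    the password 'expires' and later logins are accepted with no password."""
    def __init__(self, password: str):
        self._password = password
        self.failures = 0
        self.expired = False

    def login(self, attempt: str) -> bool:
        if self.expired:
            return True          # fail-open: the gate is removed, not closed
        if hmac.compare_digest(attempt, self._password):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.expired = True  # bug: lapsing the password instead of locking
        return False

class FailClosedLogin:
    """Corrected policy: too many failures locks the account; the password never
    lapses, and only a verified out-of-band reset (unlock) reopens the gate."""
    def __init__(self, password: str):
        self._password = password
        self.failures = 0
        self.locked = False

    def login(self, attempt: str) -> bool:
        if self.locked:
            return False         # fail-closed: nothing gets in while locked
        if hmac.compare_digest(attempt, self._password):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
        return False

    def unlock(self) -> None:
        """Assumed to be called only after an out-of-band identity check."""
        self.locked = False
        self.failures = 0

def five_wrong_then_empty(gate) -> bool:
    """Drives a gate through five wrong passwords and then an empty one,
    returning whether the empty attempt was let in."""
    for _ in range(MAX_ATTEMPTS):
        gate.login("wrong-guess")
    return gate.login("")
```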

Fan Zhenhua, general manager of the Innovation Support Department of Celestica Fund, said: "Yu'e Bao's user entry and exit are mainly on the Alipay side, and our side is mainly responsible for back-end functions such as clearing, settlement and distribution. I think Alipay's online security measures should be considered first-class among domestic websites, and our own security measures are also in place: all core business systems are entirely in an isolated network segment, which can be understood as not exposed to the outside. There are also regular vulnerability scanning and other security measures. So far we have not seen any user information leaked or stolen."

An e-commerce department at a fund company said that in 2007 and 2008 fund companies' network systems were more fragile and there were some problems. In recent years, fund companies have generally invested heavily in IT, and system security has improved greatly compared with before.

Compared with fund companies, whose internal controls are relatively standardized, some P2P and third-party wealth-management websites are even weaker in system construction and more likely to become targets of hacker attacks.

Insiders said that the threshold for doing Internet finance is now very low: ready-made templates exist for building the websites, and for just a few thousand dollars one can buy a set of templates on Taobao and set up a P2P site, with hidden risks that are self-evident.

In March this year, several P2P industry portals and forums, represented by "Home Loans and Loans", once again became targets of hackers and were maliciously attacked for many days. Earlier, some platforms had their systems paralysed by hacker attacks and then absconded.

Trend: fund mobile clients become the new "hardest-hit area"

It is noteworthy that fund companies' mobile clients have also become one of the hardest-hit areas for vulnerability exposure. Sample images provided by a "cloud network" white hat (a white hat is someone who identifies a security vulnerability in a computer system or network but, rather than exploiting it maliciously, discloses it) show that in the Apple iOS client of one fund company, once the user's ID number is known, the user's fund account password can be reset by certain means. For professional hackers, obtaining user ID numbers with attack scripts is no problem.

An e-commerce executive at a major fund company also told the Daily Economic News reporter that in recent years fund companies have vigorously developed e-commerce; besides basic transaction and enquiry functions, they have added online shopping payment and transfer functions, and there have been some risk events.

Besides system security issues, "phishing attacks" are also increasingly moving to mobile phones.

Phishing websites are a form of online fraud in which criminals use various means to counterfeit the URL and page content of a real website, or exploit loopholes in the real site's server programs to insert dangerous HTML code into some of its pages, in order to defraud users of bank or credit card account numbers, passwords and other private data.

According to the phishing website cases handled in May this year by the Anti-Phishing Alliance of China, under the China Internet Network Information Center (CNNIC), the top three industries targeted by phishing websites were payment transactions, financial securities and media, together accounting for 99.41% of the total handled. Among them, payment-transaction phishing websites accounted for the largest share, 81.34% of the total handled in May.

In 2013, in addition to traditional phishing websites on the Internet, hackers also used a combination of mobile Internet means such as phishing mobile applications, mobile malware and pseudo base stations to carry out cross-platform phishing attacks, endangering users' economic interests.

In 2013, hackers used a high-risk Android "signature verification" bypass vulnerability to produce and spread large numbers of mobile applications impersonating financial institutions such as mainstream domestic banks, inducing users to install them and stealing their bank account information. Some phishing websites steal users' bank account numbers, passwords and other information, and also massively spread malicious programs that impersonate the corresponding mobile banking security plug-in and hijack the SMS verification codes the user receives, so that the hacker can go on to complete operations such as online banking payments and transfers.

An e-commerce executive at a fund company said that with the popularity of mobile applications and payments, fake apps, fake WeChat public accounts and the like are flooding the mobile Internet in an endless stream, and investors should raise their awareness of prevention.
