Updated on 20.02.2019, 16:12 (AST)

Head of the company ESET in Kazakhstan Zhanibek SHUTBAYEV:

There are specific unsafe areas in the world of internet banking, e-commerce and virtual currencies. The list of financial threats is long: banking Trojans and other malware, phishing and its telephone prototype, vishing, the hack of payment card data, usernames, passwords and other confidential information. If earlier fraudsters hunted for PC users, now they take an interest in users of smartphones and iPads, while banking Trojans are experiencing a rebirth thanks to Android devices. The domain of online payment threats in Kazakhstan doesn't differ from the global one. With the spread of internet banking, the entire list of financial cyber threats becomes relevant to us as well. Head of the antivirus firm ESET in Kazakhstan Zhanibek SHUTBAYEV talked in an interview with Interfax-Kazakhstan about the situation in the country and the protection of online payments.


- In your opinion how is the online payment market developed in Kazakhstan?

- The Kaznet audience has almost every technical possibility for online payments, nearly 10% of users in Kazakhstan already shop online. The only restriction with regard to supply is a small choice of internet stores. There are more restrictions regarding demand. Firstly, many users don't yet trust the internet and intentionally use cash. Secondly, the volume of unofficial salaries plays its part - they are given in pay envelopes and spent offline. I believe that security guarantees will provide the possibility for Kazakhstani citizens to buy goods more often on the Internet. ESET did research on this subject in Russia and found out that 67% of users would shop online more often if they were sure of payment security. IT companies, banks, payment systems and internet stores should speak more about security and devote special sections to it on their websites, and explain rules to clients.

- What are online payment prospects on the Kaznet?

- Our market is attractive to producers and internet stores. There are both the potential for demand and opportunities for rapid growth and vacant niches. The online payment volume in Kazakhstan will rise from 20% to 30% in the next couple of years. Growth will be underpinned partly by rising incomes and partly by payment shifts from offline to online. The digital banking model will become profitable for financial institutions without being divided into sections and with all services being provided remotely - this helps cut office rental costs. Bankers would promote remote services more actively, including mobile and mobile online banking. With their help people would get used to online payments.

Online payment risks are available everywhere, and the situation in Kazakhstan is quite normal. If we have a look at ESET antivirus laboratory data statistics [this] would show a similarity between Kazakhstan and Russia in terms of security and their break-off from such troubled countries in this regard as China and Bangladesh. The computer virus contamination ratio in Kazakhstan is slightly higher than in Russia and amounts to 5.2%.

- What way-out for banks, businesses and Kazakhstani residents themselves do you see as the security issue solution when making online payments?

- Our financial institutions have a good IT level and are equipped with the comprehensive protection from all malware types, fraud, confidential data hacking and so on. Here there is just advice to pay more attention to staff training and educational initiatives for client security.

I have more advice for businesses operating in the e-commerce field. Think the comprehensive protection over, provide the protection for all circuits, implement the cutting-edge authentication technology and strictly comply with all the bankers' security requirements.

My advice is simple for online banking users - observe basic security rules. What are they? Don't share usernames, passwords, card numbers with anyone, don't write them down on any hardware, particularly on the cards themselves and stickers. Don't browse suspicious links on the e-mail, messengers and social media, particularly if an unknown person sent them out. Give up paying online when you work with public Wi-Fi without a password. Arrange complex no-repeat passwords for e-mail and social media outlets and change them regularly. Install a licensed antivirus with functions of protecting online payments and a safe browser and supervise the renewal of its base. Make sure that your version of the browser's operating system and applications are updated. Apply two-phase authentication to all servers where it is installed. Pay on the Internet mainly with a credit card or have handy for shopping a special debit card and transfer limited amounts to it. Don't think that your data are not of interest to anyone else.

- How does a Kazakhstani user identify fraudulent and phishing websites?

- Phishing websites are intended for stealing usernames, passwords, bank card numbers and codes from them and other valuable data. The majority of such websites are disguised as official resources of banks, payment and services systems. As a rule they replicate exactly logotypes and other visual signage, replicate texts word-for-word.

In order to identify a phishing website have a look at the browser address line. Firstly, it's necessary to check whether the website address corresponds with the official address, whether it is not placed within some strange domain different from *kz or *ru and so on. The fake website may differ from the true one just by one entry. Secondly, it's necessary to check out the availability of the sign of a protected section - the lock in the address line. If the section is coded, the website address will start with https. If the page address, where you are requested to enter a username (password) or bank card data, looks somehow suspicious, find a couple of minutes and check it using the abovementioned parameters.

In addition to technical nuances there are things that should alert you. For example, bankers never mail out messages with a request to clients to enter their business card data somewhere. If any resource asks you to complete a questionnaire in detail, including dates of birth, names and surnames of your parents, nicknames for your pets and verification words, it might be worth your while to be on the alert. It's worth observing similar rules while dealing with e-payment systems, Internet store websites and chargeable personal user accounts.

All modern solutions for PC and mobile device protection have modules for protection from phishing. I believe that the availability of this function is particularly relevant if older members of your family use the computer. It's more difficult for elderly people to identify fraud and so the technical measure to protect from phishing would be appropriate.

- Break down the online payment security payments for safeguarding monies.

- Let's examine separately an internet banking transaction and an online store payment. If you enter internet banking not from your computer, especially if you are abroad, then use the virtual keyboard for entering the username (password) whenever possible. Confirm transfers, payments and other transactions with SMS messages but not with codes from cards with access codes. When you receive SMS messages from the bank, note from which number they come in. Before you finish work check the transaction status and always press the Exit key. Just in case, run through transaction notices which come into your inbox or through SMS.

There are similar rules for Internet store payments: to check the page address, be attentive when receiving SMS confirmations, look through all notifications about the conducted transaction. Most importantly, resolve the main security issues before you make up your mind to shop online. For example, it's necessary to read feedback carefully about the internet store in Russian and if possible in English, to check whether phone numbers are available for communication and the postal address, but not only an e-mail address or a feedback link, if this sounds suspicious then check how long the website has been operating on the platforms such as reg.ru, ps.kz.

And a couple of words about buying from individuals using Avito, Vkontakte or Instagram with the relevant payment form. If you cannot but make a deal then you should make an appointment beforehand in person, ask for back-up contact details and check whether the seller's name attracts complaints on the Internet.

- How to get back monies if you realized that you made a payment through a fake internet resource?

- If you realized that you paid the fraudulent internet store or entered your data onto the phishing website, immediately call the bank and block the card through which you paid or transferred the data. Then check out the status in Internet banking. If the payment is made, call the bank and find out how to cancel it. Many banks allow clients to annul payments upon request.

- The e-digital signature used from the mobile phone SIM-card is introduced in Kazakhstan. In your opinion, how safe is it?

- The confirmation of action with the help of the e-digital signature is safe and reliable technology. It's widely used both in the banking and state services sector. But the devil, as ever, is in the details. Let's examine thoroughly the e-digital signature technology created with the help of the SIM card. Let's say, someone bought a SIM card with an e-digital signature app, installed it in his smartphone and began using it for obtaining state services and for internet banking. When may problems arise? Firstly, the mobile device may be lost or stolen together with the SIM card and access details. Secondly, a malicious code may intervene in the functioning of the e-digital signature transferred to the smartphone from the Internet through user's carelessness - he/she installed the wrong app, opened a malicious script, browsed through the malicious link. It's not difficult to notice that these problems are mainly linked to the human factor rather than to this technology's unprotectedness.

In any case, the transfer of the e-digital signature under the malefactor's control will cause problems for its user but not for the bank or the state service portal. Legally all actions taken by the malefactor on behalf of the e-digital signature user will be deemed legally binding. So, undoubtedly internet service owners would profit from the introduction of e-digital signature.

- How can Kazakhstani citizens safeguard themselves when paying with the e-digital signature?

- The e-digital signature is a replica of the human signature on a paper contract or bank transfer order so the complications of its use by a malefactor could be very grave. Naturally, the e-digital signature on the mobile device requires protection. What kind of protection?

Firstly, anti-virus software should be installed on an Android-based mobile phone. For example - ESET NOD32 Mobile Security. This protection [software] will stop malware from affecting the e-digital signature.

Secondly, the e-digital signature itself and signed data must be protected for sure by encryption solutions.

Thirdly, users' actions must be supervised via portal. Let me give an example. You transferred a big amount through Internet banking. Your transaction is classified by the bank as unusual and suspicious so a bank employee calls you straight away and asks whether you made a transfer or not. If you don't acknowledge the transaction by phone, the bank will suspend processing it.

Fourthly, it's important to eliminate the human factor and to explain how to correctly handle the e-digital signature and how to act in the event of losing a mobile phone.

- What is the current share of ESET products in Kazakhstan's market?

- In 2015 ESET occupied 30% of the antivirus software market for IC users working at home. This acknowledges the ESET position in the major retail networks, where the ESET NOD32 software box versions make up from 20% to 30% of antivirus sales depending on stores. The ESET personal solution sales rose by 15% compared to 2014. This is due to the fact that new products were launched on the market, the product line of the ESET NOD32 box versions is now better represented in the retail business. ESET is also within the top business antivirus software players in the market. ESET NOD32 is being used by Kazakhstan's every second bank and we also remain the second most popular antivirus software vendor for small and medium sized businesses.

- Thank you for the interview!


August, 2016
© 2019 Interfax-Kazakhstan news agency
Copying and use of these materials without reference to the source is prohibited

