Predator or prey? Who will protect certification centers

What's happening?

The topic of fraud committed with the help of an electronic signature certificate has received wide public attention recently. The federal media have made it a habit to periodically tell scary stories about the misuse of electronic signatures. The most common crime in this area is the registration of a legal entity or individual entrepreneur in the name of an unsuspecting citizen of the Russian Federation. Another popular scheme is a transaction changing the ownership of real estate (this is when someone sells your apartment on your behalf to someone else, and you know nothing about it).

But let's not get carried away describing possible illegal actions with electronic signatures, so as not to give scammers creative ideas. Let's instead try to figure out why this problem has become so widespread and what really needs to be done to eradicate it. For that, we need to clearly understand what certification centers are, how exactly they work, and whether they are as scary as the media and statements of interested parties paint them.

Where do signatures come from?


So you are a user. You need an electronic signature certificate. It does not matter what tasks you need it for or in what status you apply (company, individual, individual entrepreneur): the procedure for obtaining a certificate is standard. You apply to a certification center in order to purchase an ES certificate.

A certification center is a company to which Russian legislation imposes a number of strict requirements.

In order to have the right to issue an enhanced qualified electronic signature, the certification center must undergo a special accreditation procedure with the Ministry of Communications. Accreditation requires compliance with a number of strict rules that not every company is able to meet.

In particular, the CA is required to hold a license giving it the right to develop, manufacture and distribute encryption (cryptographic) means and information and telecommunication systems. This license is issued by the FSB after the applicant has passed a series of stringent checks.

CA employees must have a higher professional education in the field of information technology or information security.

The law also obliges the CA to insure its liability for "losses caused to third parties as a result of their trust in the information specified in the certificate of the electronic signature verification key issued by such CA, or the information contained in the register of certificates maintained by such CA" in the amount of at least 30 million rubles.

As you can see, not everything is so simple.

In total, there are currently about 500 CAs in the country that have the right to issue enhanced qualified electronic signature (UKEP) certificates. These include not only private certification centers but also CAs at various government agencies (including the Federal Tax Service, the Pension Fund (PFR), etc.), banks, and trading platforms, including state-owned ones.

An electronic signature certificate is created using encryption algorithms certified by the Federal Security Service of the Russian Federation. It allows legal entities and individuals to exchange legally significant documents electronically. According to official CA data, most (95%) qualified ES certificates are issued to legal entities, the rest to individuals.

After you contact the CA, the following happens:

  1. The CA verifies the identity of the person who applied for the electronic signature certificate. Only after confirming the identity and checking all documents does the CA produce and issue a certificate, which includes data on the certificate owner and the owner's public verification key.
  2. The CA manages the life cycle of the certificate: it ensures issuance, suspension (including at the request of the owner), renewal and expiration.
  3. Another function of the CA is service. It is not enough just to issue a certificate. Users regularly need consultations on the procedure for issuing and using a signature, and on choosing the right type of certificate. Large CAs, such as the CAs of the Delovaya Set company, provide technical support, create various software, improve business processes, monitor changes in the areas where certificates are used, and so on. Competing with each other, CAs work on the quality of IT services and develop this area.
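The life cycle described in the list above (issue a certificate that binds the verified applicant's data to their public verification key; suspend or revoke it; let it expire; and let a relying party check all of that) can be shown end to end with Go's standard `crypto/x509` package. This is an added example, not code from the article or from any CA it names: the CA name, the subject "Ivan Ivanov" / "Constructed Example LLC", the serial numbers and the fixed clock are constructed, and it uses ECDSA P-256 where a Russian accredited CA would use FSB-certified GOST algorithms.

```go
// Added example (Go standard library only): the certificate life cycle a CA
// manages, and the check a relying party runs. All names and values are constructed.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Status is the outcome of checking a certificate against the CA and its CRL.
type Status string

const (
	StatusValid     Status = "valid"
	StatusExpired   Status = "expired"
	StatusRevoked   Status = "revoked"
	StatusUntrusted Status = "untrusted" // not issued by this CA, or no usable CRL
)

// IssueTime is a fixed clock so runs are reproducible (constructed value).
var IssueTime = time.Date(2019, 11, 7, 12, 0, 0, 0, time.UTC)

// HoursLater returns the clock h hours after IssueTime.
func HoursLater(h int) time.Time { return IssueTime.Add(time.Duration(h) * time.Hour) }

// NewKey makes an ECDSA P-256 key pair (stand-in for GOST keys; the life cycle logic is the same).
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

func parse(der []byte, err error) (*x509.Certificate, error) {
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed root that may sign certificates and CRLs (valid five years).
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := NewKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             IssueTime,
		NotAfter:              IssueTime.AddDate(5, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := parse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return cert, key, err
}

// Issue is the output of step 1: the applicant's verified identity data bound to
// their public key and signed by the CA. The identity check itself happens before this call.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn, org string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:    IssueTime,
		NotAfter:     IssueTime.AddDate(1, 0, 0), // one-year validity
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}
	return parse(x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey))
}

// Revoke publishes a CRL listing the serials the CA has withdrawn (suspension at the
// owner's request and revocation after a fraud investigation both end up here).
func Revoke(ca *x509.Certificate, caKey *ecdsa.PrivateKey, crlNumber int64, serials []int64, now time.Time) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(crlNumber), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// CheckStatus is what a relying party does before trusting a signature: chain the
// certificate to the CA, check the validity dates, then consult a fresh, CA-signed CRL.
func CheckStatus(cert, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) Status {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		var inv x509.CertificateInvalidError
		if errors.As(err, &inv) && inv.Reason == x509.Expired {
			return StatusExpired
		}
		return StatusUntrusted // signed by some other issuer, or otherwise not chaining to this CA
	}
	if crl == nil || crl.CheckSignatureFrom(ca) != nil || now.After(crl.NextUpdate) {
		return StatusUntrusted // missing, forged or stale CRL: revocation cannot be checked
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked
		}
	}
	return StatusValid
}

func main() {
	ca, caKey, _ := NewCA("Example CA")
	userKey, _ := NewKey()
	cert, _ := Issue(ca, caKey, 1001, "Ivan Ivanov", "Constructed Example LLC", &userKey.PublicKey)
	empty, _ := Revoke(ca, caKey, 1, nil, HoursLater(1))
	crl, _ := Revoke(ca, caKey, 2, []int64{1001}, HoursLater(3))
	fmt.Println("after issue:     ", CheckStatus(cert, ca, empty, HoursLater(2)))
	fmt.Println("after revocation:", CheckStatus(cert, ca, crl, HoursLater(4)))
	fmt.Println("a year later:    ", CheckStatus(cert, ca, crl, HoursLater(400*24)))
}
```

CheckStatus deliberately answers "untrusted" rather than "valid" when no CRL is available or the CRL is stale: a relying party that cannot check revocation has no basis to accept the signature, and that is precisely what makes the CA's revocation of a fraudulently obtained certificate effective in practice.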

There's a mole among us!


Consider item 1 of the above procedure for obtaining an ES. What does it mean to "verify the identity" of the person who applied for the certificate? It means that the person in whose name the certificate is issued must appear in person either at the CA's office or at an issuance point that has a partnership agreement with the CA, and present the originals of their documents there, in particular the passport of a citizen of the Russian Federation. In some cases, when it comes to signatures for legal entities and individual entrepreneurs, the verification procedure is even more complicated and requires additional documents.

It is at this stage, at the very beginning, before a signing certificate has even been issued, that the main problem lies. And the key word here is "passport".

The leakage of personal data in the country has reached a truly industrial scale. There are Internet resources where scanned copies of valid passports of citizens of the Russian Federation can be obtained for little money or for free. Passport scans in our country, weighed down by the post-Soviet "show your documents" heritage, are collected from citizens everywhere: not only in banks and other financial institutions, but also in hotels, schools, universities, air and railway ticket offices, children's centers and service points of mobile operators, wherever a passport must be presented to receive a service, that is, almost everywhere. With the development of digital technologies, this wide channel of access to personal data has been put to use by criminals.

"Services" for stealing the personal data of specific people are also very common.

In addition, there is a whole army of so-called "nominees": people who are, as a rule, very young, very poor and poorly educated, or simply down on their luck, to whom the attackers promise a modest reward so that they come with their passport to the CA or to an issuance point and order a signature in their own name as the director of a company. Needless to say, such a person then has nothing to do with the activities of the company and cannot provide any real help to the investigation when the scam is revealed.

So, a scan of the passport is not a problem. But the original passport is needed for the certificate, the attentive reader will ask, so how does this work? To get around this problem, unscrupulous issuance points exist. Despite the strict selection procedure, the status of an issuance point is periodically obtained by criminal characters, who then begin to commit illegal actions with the personal data of citizens.

These two factors combined give us all the problems with the criminalization of the use of electronic signatures that we now have.

There is safety in numbers?


This entire army of scammers, without exaggeration, is currently filtered only by certification centers. Each CA has its own security service. Everyone who applies for a signature is carefully checked at the identification stage. Everyone who wants to cooperate with a particular CA as an issuance point is also carefully checked, both when the partnership agreement is concluded and afterwards, in the course of business interaction.

It cannot be otherwise, because unscrupulous verification threatens the CA with closure; the legislation in this area is tough.

But no one can embrace the boundless, and some unscrupulous issuance points still "leak" into the CA's partner network. And a "nominee" may give the CA no reason at all to refuse to issue a certificate, since he applies to the CA completely legally.

Also, if a scam with a signature in the name of a specific person is revealed, only a certification center can help solve the problem. The certification center in this case revokes the signature certificate, conducts an internal investigation tracing the entire certificate issuance chain, and can provide the court with the necessary documents about fraudulent actions during the issuance of the electronic signature key. Only materials from the certification center will help decide the case in court in favor of the truly injured party: the person in whose name the signature was fraudulently issued.

However, general digital illiteracy does not work in the victims' favor here. Not everyone sees the defense of their interests through to the end. But illegal actions with electronic signatures must be challenged in court, and in this certification centers are the main help.

Kill all CAs?


So, in our country, it was decided to change the procedure for the work of CAs and the requirements for them. A group of deputies and senators developed a corresponding bill, which was adopted by the State Duma in the first reading on November 7, 2019.

The document provides for a large-scale reform of the electronic signature certificate system. In particular, it stipulates that legal entities and individual entrepreneurs (IP) will be able to receive an enhanced qualified electronic signature (UKEP) only from the Federal Tax Service, and financial organizations only from the Central Bank. The certification centers (CAs) accredited by the Ministry of Telecom and Mass Communications that issue ES now will be able to issue them only to individuals.

At the same time, the requirements for such CAs are to be greatly tightened. The minimum net assets of an accredited certification center are to be increased from 7 million rubles to 1 billion rubles, and the minimum financial security from 30 million rubles to 200 million rubles. If the certification authority has branches in at least two-thirds of the Russian regions, the minimum net assets can be reduced to 500 million rubles.

The accreditation term for certification centers is reduced from five to three years. Administrative liability is introduced for technical violations in the work of certification centers.

All this should reduce the amount of electronic signature fraud, the authors of the bill believe.

What's the result?


As you can easily see, the new bill in no way addresses the problem of the criminal use of citizens' documents and the theft of personal data. It does not matter whether a CA or the Federal Tax Service issues the signature: the identity of the signature holder will still have to be verified, and the bill provides no innovations on this point. If an unscrupulous issuance point ran criminal schemes for an ordinary CA, what will prevent it from doing the same for a state one?

The current version of the bill does not specify who will be responsible, and for what, for issuing a UKEP if that signature was used in fraudulent activities. Moreover, even the Criminal Code has no suitable article that would allow criminal liability for issuing an electronic signature certificate on the basis of stolen personal data.

A separate problem is the overload of state CAs, which will certainly arise under the new rules and will make the provision of services to citizens and legal entities very slow and difficult.

The service function of CAs is not considered in the bill at all. Whether customer service departments will be created at the proposed large state CAs, how long that will take and what investment it will require, and who will handle customer service while such an infrastructure is being built, is not clear. Obviously, the disappearance of competition in this area can easily lead to stagnation in the industry.

That is, as a result, we get monopolization of the CA market by government agencies, an overload of these structures with a slowdown of all electronic document interchange (EDI), a lack of end-user support in case of fraud, and the complete destruction of the current CA market along with its existing infrastructure (about 15 jobs nationwide).

Who will suffer? Those who suffer now, that is, end users and certification centers, will suffer as a result of the adoption of such a bill.

And the business that thrives on identity theft will continue to thrive. Isn't it time for law enforcement agencies and legislators to turn their attention to this problem and respond seriously to the challenges of the digital age? Opportunities for identity theft and its subsequent criminal use have increased many times over the past 10-15 years. The level of training of criminals has also increased. The response must be strict liability for any illegal actions with other people's personal data, for companies and their employees as well as for individuals. And to really solve the problem of the criminal use of electronic signature certificates, what is needed is a bill that provides for liability, including criminal liability, for such actions. Not a bill that simply redistributes financial flows, complicates the procedure for the end user, and in the end gives no one any protection.

Source: habr.com
