Gosuslugi Account Hacks Continue for Microloan Fraud
Online scammers are still gaining access to citizens’ accounts on the Gosuslugi government services portal and using them to take out loans and microloans, according to experts interviewed by RBC. Vladimir Ulyanov, head of the Zecurion analytics center, commented: “This is already a serious problem, and it will only get worse in the near future. Many people will face attempts to perform actions on their behalf. Account hacking, password guessing, or data leaks can lead to criminals gaining access to a Gosuslugi account and, of course, trying to monetize that access.”
The increased risks are the flip side of the convenience offered by the service, which allows users to perform many operations. “I hope the portal will introduce the ability to limit account usage, so people can choose their own risk level and set of available options,” Ulyanov suggested.
Currently, according to the expert, users can improve their account security by enabling two-factor authentication for logging into their personal account and by setting a strong, unique password. However, these measures do not provide complete protection from fraudsters.
First Reports and Ongoing Incidents
The first reports of such hacks appeared in the spring of this year. Several users complained that unknown individuals had gained access to their accounts and allowed their data to be used in one of United Russia’s services. Around the same time, people began sharing stories of loans being taken out in their names by unknown parties.
Later, the Ministry of Digital Development confirmed the hacking incidents and also recommended using two-factor authentication. Rostelecom, in turn, emphasized the importance of using strong passwords.
However, account thefts have not stopped. Recently, director Ivan Tsybin reported that he became a victim of a hack on the Gosuslugi portal. According to him, scammers managed to change his phone number and email address, and submitted applications for “microloans at outrageous interest rates” in his name.
In early July, a blogger from St. Petersburg reported a similar incident, as did Nadezhda Knyazeva, who was hacked in May and is still dealing with the consequences.
Can a Bank Loan Be Taken Out Through a Hacked Gosuslugi Account?
BFM investigated whether it’s possible to get a bank loan by hacking a Gosuslugi account. Is there direct access to banks through this government service? A year ago, the Ministry of Digital Development and the Central Bank announced a new feature—applying for loans through Gosuslugi without visiting a bank. The project involved 20 banks and several insurance companies. In practice, however, this feature has mainly been used by microfinance organizations, which advertise loans through Gosuslugi online. When visiting their websites, users can log in via Gosuslugi, but aside from their full name, the company receives no other data and does not gain access to the user’s account.
This is similar to logging into any website using a Facebook or Google account, explains Luka Safonov, CEO of Cyberpolygon: “The Gosuslugi website has a unified authentication portal called ESIA, designed for convenience. It allows you to log in to trusted sites within the system using your verified account. If your Gosuslugi account is verified, you can log in to Sberbank (if you don’t already have an account there), to Moscow government sites under the mos.ru domain, and so on. But this is equivalent to logging in with Facebook or VKontakte: it’s just an authorization mechanism that passes a key and confirms that this person has a certain account in Facebook or a verified account in Gosuslugi, and your name and so on are automatically provided. But confirming your creditworthiness or other financial details is a very different matter.”
Biometric Security and Future Prospects
Dmitry Morozov, Director of Development at 3DiVi Inc, told RBC that he is not aware of any confirmed cases of Gosuslugi profile hacks, but he does not rule out the possibility. He hopes that biometric authentication, such as FaceID or retina scans, will help improve account security in the future.