
Reverse token: Banks have started freezing transfers to virtual cards

Banks began to block transfers to virtual "plastic". We are talking about the recently released so-called tokenized cards on a smartphone (for example, in the Mir Pay application). Now they are used in one of the most common ways to withdraw stolen money: fraudsters issue a victim's virtual card on their smartphone and withdraw money from it through an ATM. To combat this scheme, the NSPK launched a service to freeze transfers to such new cards for two days. The cooling-off period will help the victim get out from under the influence of criminals, experts say. What operations are already being blocked by banks and how else the authorities are fighting fraud can be found in the Izvestia article.
Which operations are blocked by banks
To combat fraudsters, the National Payment Card System (NSPK, the Mir card operator) launched a service to freeze payments to tokenized cards, Georgy Dorofeev, deputy director of the organization's operations and technology department, told Izvestia.
We are talking about cards that are generated in a banking application or in a separate special utility (for example, Mir Pay) and stored on the mobile device where they are issued. It is possible to issue several tokens on different devices to one physical "plastic".
Banks can already connect to the NSPK service on a voluntary basis. It works as follows: top-ups of tokenized cards that were issued less than two days ago will be stopped. Moreover, this will affect all such transactions, not only suspicious ones, Georgy Dorofeev clarified.
He explained that such operations are considered risky from the outset: they are often carried out by people under the influence of fraudsters. Depositing money into a bank account using a tokenized card through ATMs and terminals is one of the channels for transferring funds to criminals, the Central Bank's press service confirmed.
The VTB press service gave an example of a similar scheme. Using social engineering techniques, the attackers convince the victim to activate a tokenized card under their control on his smartphone and transfer funds to it through an ATM. Thus, the victim transfers the money ostensibly to his own account, but in fact it goes to the fraudster.
According to estimates by Sber, at the beginning of the year about half of the stolen funds were withdrawn through a scheme in which criminals convince the victim to install a mobile payment system application on a smartphone and link a bank card belonging to the fraudsters to the device, Izvestia wrote.
After activation, the payment freezing service will be triggered automatically for all cash deposit operations during the first two days, and the bank will inform the client about the blocking, added Georgy Dorofeev from NSPK. At the same time, the funds themselves are not frozen: the operation will be declined, but it can be repeated after the cooling-off period has expired, said Dmitry Nikishov, vice president for information security at Dom.RF Bank.
The scammers' scenario provides for a short time of interaction with the victim. Therefore, the cooling-off period will be an effective tool to combat this type of deception, VTB explained.
Credit institutions have already begun to restrict deposits to tokenized cards. Dom.RF Bank stops operations if there are additional risk factors, Dmitry Nikishov said. VTB restricts the replenishment of tokenized cards for any transfer of 30 thousand rubles or more, the bank's press service noted. They stressed that they support the NSPK service.
The BBR Bank has also introduced measures to protect against fraud with tokenized cards. They make it difficult to conduct illegitimate transactions, while the cards remain convenient for bona fide clients to use, the press service added. Upon confirmation of a fraudulent transfer, the bank promptly and permanently blocks the cards and the tokens issued for them, the BBR Bank added. More than 200 numbers involved in the issuance of suspicious tokenized cards have already been identified there, and the data has been transferred to the Central Bank.
Novikom and Postbank also previously announced that they would consider connecting to the NSPK service to freeze payments to such cards.
How to protect yourself from cybercriminals
Starting from September 1, 2025, according to the law, all banks will have to limit the deposit of cash in excess of 50 thousand rubles to tokenized cards in the first 48 hours of their operation, Georgy Dorofeev from the NSPK recalled. Banks can do this on their own side. However, not all market participants have such a system, as its development requires significant investments. Credit institutions will also be able to stop transactions for new tokens using the NSPK system.
Roman Agabaev, deputy head of the anti-fraud department at Paygine fintech company, believes that fairly large banks with high transaction activity and constant work in mobile channels may show the greatest interest in connecting. According to him, using the ready-made NSPK service will allow credit institutions to significantly accelerate the implementation of necessary security measures and optimize development costs.
The massive introduction of measures to freeze transfers to new tokenized cards will lead to a reduction in fraudulent schemes involving their use, Dmitry Nikishov from Dom.RF Bank is confident.
Such restrictions can increase the security of funds, agreed Vladimir Ulyanov, head of the Zecurion analytical center. He explained that since the token is separate from the card itself and can be used independently (including on an attacker's device), this creates increased risks for the account holder.
At the same time, the only option available is to revoke previously issued tokens. But this is not enough, because the owner may simply not have time to do this before the money is stolen, Vladimir Ulyanov added.
In order not to be affected by the actions of scammers, the Bank of Russia recommends that you do not follow unknown links at the request of strangers, do not download any mobile applications and programs, and do not perform actions in applications on the advice of such persons.
In addition, it is forbidden to share personal and financial data with unauthorized persons, including codes from SMS messages and push notifications. If you receive a suspicious phone call (especially through messengers), you should immediately interrupt the conversation, and if you have doubts about the safety of money in your account, call the bank yourself using the phone number indicated on the back of the card or on the official website, the Central Bank added.
Measures to freeze transfers to such cards are part of a broader effort to strengthen customer protection in the digital environment, said Roman Agabaev from Paygine. According to him, there are dozens of attack scenarios in the arsenal of hackers today, ranging from traditional social engineering methods to complex data theft schemes and the use of fake digital identifiers.
Last year, fraudsters stole more than 27 billion rubles from citizens, said the head of the Central Bank, Elvira Nabiullina.
The authorities have now stepped up efforts to combat such crimes. In April, Vladimir Putin signed a large-scale law aimed at protecting citizens from telephone and Internet fraud — it contains many measures. Now people will be able to opt out of promotional calls and messages, and all calls from companies will be marked. The law also allows Russians to ban the issuance of a SIM card without personal presence. And banks will be required to check ATM withdrawals for signs of transactions without the customer's consent.