Two-Factor Authentication and Evolving Fraud Targeting State Services
Reporters observed that even with the introduction of two-factor authentication, scammers found ways to pressure Russians and steal access to Government Services accounts. A notable account of this risk appeared in the publication Izvestia, which noted that criminals quickly adapted to the new security layer and continued to devise schemes to exploit users. (Izvestia reports, 2023)
Two-factor authentication for Civil Services was rolled out toward the end of October 2023. This addition created a stronger barrier against unauthorized access, making it harder for attackers to break into accounts. Yet, cybercriminals responded with fresh tactics designed to bypass the new protections and still seize control of user identities. (Ministry of Digital Development of the Russian Federation)
In the initial phase of these scams, a user might receive a notification claiming that their State Services account has been hacked or blocked. The alert could arrive via SMS, email, or instant messaging, and would include a phone number to call to regain access or to unblock the profile. (Public warnings from the Ministry)
When the target calls the number, criminals request information supposedly necessary to unlock the account. These requests sometimes include the short two-factor authentication code or other login details. In some cases, victims are asked to install a program that allegedly restores access. There are also malicious apps that pose as useful tools but, in reality, allow attackers to take remote control of the victim's device. (Security advisories, 2023)
The Ministry of Digital Development of the Russian Federation acknowledged that such fraud schemes are possible and issued clear guidance. Officials warned that State Services employees should never initiate contact with citizens by phone or SMS without a formal request from the user first. This policy helps reduce the chance that someone impersonates a government representative to harvest credentials. (Ministry of Digital Development of the Russian Federation)
Experts emphasize that an attacker can obtain access to a Government Services account only if the user willingly provides all required information to log in. This includes the username, password, details related to the second factor of protection, and any specifics about whether the data has been compromised. The reminder serves as a caution that the human factor remains the most common vulnerability in otherwise strong security systems. (Ministry of Digital Development of the Russian Federation)
Beyond the security specifics, industry observers note that the online advertising market in the Russian Federation had previously been valued at around 400 billion rubles, illustrating the scale of digital activity where such fraud can have broad consequences for individuals and institutions alike. This context underscores the importance of robust authentication practices and user education as part of a resilient digital economy. (Economic analyses, 2022)