Businesses in Tatarstan face a surge in thefts of digital signatures

I am not me, and the signature is not mine

Leonid Borisov, a businessman from Kazan, told Realnoe Vremya how he turned out to be among the victims of thieves of electronic digital signatures (EDS). He received an e-mail notification from the tax service about the issuance of a digital signature in his name.

“This coincided with the introduction of a number of changes to the constituent documents of my company, and I took this information as a nice bonus, I thought the Federal Tax Service took care of my convenience, and I, as soon as there was time, would go there and get a digital signature. I bought a token, but only the other day I went to my inspection with it. There I was stunned: it turns out that on January 21 a resident of Irkutsk received my signature, and they gave him the digital signature in the Interdistrict Federal Tax Service of Russia No. 24 in Sverdlovsk Oblast — in Yekaterinburg!”

When asked how this could have happened, the Federal Taxation Service (FTS) staff only shrugged their shoulders in surprise and said that, in fact, when issuing a digital signature they ask for a passport and check the photo on it with the original, and in general, the whole process of obtaining a digital signature is recorded on video.

The entrepreneur immediately withdrew the digital signature and wrote a statement to the police about the theft of the digital signature. He also started investigating and found out through online services that a 32-year-old entrepreneur from Irkutsk became the owner of the signature without his knowledge. Now this citizen will be dealt with by law enforcement agencies.

But the Kazan businessman will have even more hassle: who knows under what obligations have his company and him have become “thanks to” the clever Irkutsk citizen over six months of using his electronic digital signature?

A surge in thefts of digital signatures

The case of the Tatarstan citizen is far from unique. According to the Ministry of Internal Affairs of the Republic of Tatarstan, one of the problems over the past 3 years has been a surge in criminal cases initiated under the Article 173.1 of the Criminal Code of the Russian Federation “Illegal formation (creation, reorganisation) of a legal entity” and the Article 173.2 of the Criminal Code “Illegal use of documents for the formation (creation, reorganisation) of a legal entity”. At the same time, the main reason for the sharp increase in the number of crimes, according to law enforcement officers, was the illegal registration of legal entities for citizens using an electronic digital signature (EDS).

“This is not fraud, but another article," the Ministry of Internal Affairs of the Republic of Tatarstan clarified and added that now the negative trend has been reversed. “According to the results of the first half of 2022, 145 crimes were detected in Tatarstan under Article 173, notes 1, 2 of the Criminal Code of the Russian Federation. Including under Article 173.1 of the Criminal Code of the Russian Federation “Illegal formation (creation, reorganization) of a legal entity” — 125 crimes; under Article 173.2 of the Criminal Code “Illegal use of documents for the formation (creation, reorganisation) of a legal entity”) — 20 crimes. For the same period last year — 362, including under Article 173.1 of the Criminal Code of the Russian Federation — 341, under Article 173.2 of the Criminal Code of the Russian Federation — 21. Fifteen criminal cases on 42 crimes were forwarded to court. During the same period last year, 12 criminal cases on 25 crimes went to court.”

Police ask to tighten the law

Frauds involving the use of EDSs — electronic digital signatures — was expected to begin from the moment of their appearance. Back in 2018-2019, according to the Federal Tax Service, more than 43 thousand violations were committed in Russia using a digital signature, the most common of them — the receipt of EDS using forged documents.

The most notorious scandal about the theft of EDS at that time was the criminal case of the injured Muscovite Roman Saltovsky, on whose behalf in 2018 the scammers concluded an apartment donation agreement. The rightful owner of the property had to prove for a long time that he did not even receive a digital signature, and only a year later, by the decision of the Babushkinsky district Court of Moscow, he returned his living space.

The digital signature allows you to buy-sell-donate a citizen's property at a distance without his knowledge, open an IE or PLC in his name, take out a loan, conclude a bonded contract. The Federal Tax Service, informing a citizen about the issuance of an EDS in his name by e-mail, immediately warns: if you have not received a signature, immediately block its use. But someone does not have an e-mail, someone did not realise, like Leonid Borisov, that the EDS in his name was not just made, but also given to an outsider.

With the coronavirus pandemic and the switch to remote, scams of this kind have predictably become more frequent. And in May 2021, the Ministry of Internal Affairs of Russia took the initiative — proposed to introduce criminal liability for fraud with a digital signature. At an off-site meeting of the inter-factional working group of the State Duma, the head of the Contract and Legal Department of the Ministry of Internal Affairs of Russia, Alexander Avdeiko, said that in some cases an enhanced electronic signature is used to commit a crime and said that the agency is working on a bill aimed at toughening penalties for illegal possession of a digital signature key or a digital signature verification key certificate. The bill proposed to introduce liability in the form of a fine of 100 to 300 thousand rubles or imprisonment for up to 3 years, and for employees of certification centres who intentionally did not verify the authenticity of documents when issuing an enhanced electronic signature, to provide a fine of up to 300 thousand rubles or imprisonment for 3-4 years.

Meanwhile, the Minister of Internal Affairs of Tatarstan, Artem Khokhorin, proposed 2 years ago to introduce criminal liability for the illegal provision of an electronic digital signature if these actions were committed to enter information about front persons into the Unified State Register of Legal Entities. Is the year 2022 a turning point?

Everything became bad when the EDS “fell in price”

The Republican Ministry of Internal Affairs stressed that three years earlier a growth of crimes was restrained by the fact that the reception of documents was carried out only on paper (submission in person, through a proxy or by mail), and told how the floodgates “opened” for those wishing to sign documents on behalf of unsuspecting citizens:

“Since January 1, 2019, the state fee in the amount of 4,000 rubles for the registration of the company has been cancelled, in connection with which documents for a front person to the registering tax authority in 80 percent of cases began to be sent through electronic communication channels signed with an electronic digital signature.

Further, Tatarstan law enforcement officers explained, there was an increase in the number of legal entities that provide services for the production of EDS, and the procedure for obtaining a signature turned out to be so “digitised” that it became not just easy for fraudsters to get hold of it, but incredibly easy:

“These centres, in addition to independent activities, had the right to conclude agency agreements with any individual entrepreneurs or legal entities for the right to accept applications and issue electronic signatures on behalf of the licensee. The number of agents was unlimited and their activities were not controlled by anyone. To receive an EDS, documents were simply sent to the agency point by courier delivery (communication with the courier was maintained via e-mail, payment was made by cashless method with an impersonal wallet), or from an electronic mailbox with the extension *.gmail.com . After receiving the EDS, the documents were sent to the Federal Tax Service using programmes masking the sender's IP address (so-called “anonymisers”). And to receive ready-made documents, an electronic mailbox registered to a non-existent person was indicated. The subscriber number specified during the registration of this mailbox was registered either to a dummy person or to a legal entity.

The situation should have been changed by the amendments to the federal law “On Electronic Digital Signature” issued in December 2019, according to which, from 1 July, 2020, only tax authorities, the Central Bank of the Russian Federation and the Federal Treasury were authorised to issue electronic digital signatures for legal entities and individual entrepreneurs. The certifying centres authorised to issue an electronic digital signature to individuals had to have an authorised capital of at least 1 billion rubles or 500 million rubles if there were at least one or more branches or representative offices in at least three-quarters of the subjects of the Russian Federation, and it was necessary to confirm the identity upon receipt of the signature by visiting the certifying centre in person, or with the help of a valid EDS, or biometric data contained in the passport or in the Unified Biometric System (EBS).

But the coronavirus postponed the entry into force of two of the three amendments: the powers to issue an electronic digital signature were transferred to the tax authorities, the Central Bank of the Russian Federation and the Federal Treasury only from January 1, 2022, and the powers of existing certification centers to issue EDS were extended until December 31, 2021. Since July 1, 2020, only changes in the mandatory confirmation of identity upon receipt of EDS have entered into force. But this barrier, as confirmed by the case of Kazan businessman Leonid Borisov, scammers are able to bypass.

“These changes before January 1, 2022 did not affect the situation in any way," they say in the Ministry of Internal Affairs of the Republic of Tatarstan. “There were facts of illegal registration with the help of EDS received after 1 July, 2020, when the applicants explained that they had not personally applied for EDS. Only since January 1, 2022, after the entry into force of legislative changes in terms of granting powers to issue EDS to legal entities and individual entrepreneurs of tax authorities, the Central Bank of the Russian Federation and the Federal Treasury, as well as stricter requirements for commercial certification centres, the number of suspended crimes of this category has decreased significantly.

Now, they say in the Ministry of Internal Affairs of the Republic of Tatarstan, citizens are less likely to submit applications that someone used their passport data for the purpose of forming a legal entity:

“The main reason for the decrease was that the tax authority issues EDS only on condition of a personal visit to the person who applied for EDS. No warranty is accepted. The Federal Tax Service of Russia for the Republic of Tatarstan issues EDS only through territorial tax inspections and branches of Sberbank and VTB banks. Authorised Representative Office of Analytical Centre JSC (Moscow) has no branches in Tatarstan. In Russia, starting from 1 January, 2022 to 6 June, 2022 (according to the website of the Ministry of Finance of Russia), 42 commercial certification centres were accredited. There are no centres in Tatarstan.”

They can withdraw money, hang a loan or ruin a reputation

Realnoe Vremya sent a request to the press service of the Federal Tax Service of Russia with a request in which it asked to explain how, when issuing an EDS by the employees of the Federal Tax Service, the identity of the recipient is verified, the authenticity of the power of attorney and how the true owner of the EDS is guaranteed the impossibility of issuing it to a fraudster, what illegal actions can be committed by fraudsters, having received an EDS of an entrepreneur or an individual, what measures should be taken take a citizen who found out that his EDS was received by an unknown person. We also asked what measures the Federal Tax Service takes to prevent such illegal actions and how many cases of issuing EDS to entrepreneurs and individuals to third parties without the knowledge of the EDS holders themselves were revealed in 2021 and since the beginning of 2022. However, the Federal Tax Service did not respond to the publication's request.

On the website of the certification centre “SKB Kontur” there is a detailed description of the consequences of such a “theft” of a digital signature: “With such a signature, attackers can open fictitious firms or sole proprietors, issue a loan and sign any documents instead of the owner. Most often, fraudsters are interested in the EP of a manager, accountant or employee with a general power of attorney — they can be manipulated for large amounts: withdraw money from the company's account or sell its property, illegally refund VAT, issue a micro-loan to the company and withdraw this money, win the auction, but not conclude a contract and ruin the reputation, change the head of the company or add a new founder.”

“It is impossible to pull this off without help on the ground”

“In one case, during an on-site tax audit, someone filed “zero' clarified declarations for the taxpayer. The latter, of course, came to his senses in time. I wrote a letter to the inspection, filed declarations again. At the same time, he made a request to the inspectorate — he asked for information (documents) on the receipt of tax reports from an unauthorized person by the inspectorate: TIN, full name, information about the operator, IP address, and so on). But the tax authority turned on the “tax secrecy” mode and refused to disclose such information," the expert said.

We are talking, Valeeva explained, about Vladivostok PLC “Ipon-Logistics” — the Arbitration Court of the Far Eastern District put an end to the case of this company on June 29, recognising that the tax authorities are not obliged to provide such information.

“You can see which EDS are issued in your name on the public services website in the appropriate section," says Valeeva. “If you did not receive an EDS, but it was issued, you need to contact law enforcement agencies with a statement about fraudulent actions. Such an appeal will help in the future if illegal transactions and operations come to light.

“The owner is responsible for the safety of the signature”

“There is another way to verify an identity in order to obtain an electronic signature verification key certificate — using a valid CEP certificate, a new generation passport or a Unified biometric System, in accordance with articles 13 and 18 of the Federal Law “On Electronic Signature," the expert added.

Kazakov added that from January 1, 2022, the heads of legal entities and sole proprietors can issue signature certificates only in state certification centres — the Federal Tax Service, Treasury and the Central Bank, and stressed:

“If the applicant receives the CEP certificate for the first time, then a visit to the organisation that issues certificates is mandatory.

In response to the question of Realnoe Vremya, how can the owner of the EDS find out whether the scammers have concluded, having stolen a signature on behalf of the company or on his behalf, a loan agreement with a bank, or a delivery agreement with penalties for non-delivery within a specified time, or a guarantee agreement, Kazakov recalled that information about all issued CEP certificates can be found on the Public Services portal, and the certificate holder receives a notification on Public Services, where it says, which certificate, when and which organisation issued it.

“To find out about the loans issued, you can send a request to the Credit History Bureau," he said. “And we must remember that, according to Article 10 of the law 'On Electronic Signature', he himself is responsible for maintaining the confidentiality of electronic signature keys, including preventing the use of signatures without the consent of the owner. Therefore, if there is a suspicion that another person has taken possession of the signature, the certificate must be urgently revoked.

“Digitalisation cannot be stopped, it is necessary to increase responsibility”

Farrakhov recalled the wave of fraud associated with the appearance of bank cards, the surge of fraud caused by the appearance of online accounts, and noted that now “it's all gradually subsided.”

“We need to increase the responsibility for cyber fraud even more," he said. “We are still doomed to further digitalisation, to the fact that a digital signature will be required more and more often — when registering pensions, benefits, and so on. And it is necessary that the temptation of scammers does not arise.

However, as it turned out, the head of the Duma committee... knows nothing about the bill that the Russian Interior Ministry started promoting a year ago:

“As far as I know, such a draft bill has not been submitted to the State Duma yet. And I myself would like to see the dynamics in this area. I personally have not received appeals from victims of crimes with a digital signature, but if these offenses are massive in nature, and the dynamics of them increases, I will definitely support such law, because their activities discredit the entire work of the state, undermines its credibility.”