home / Reviews / Methods for protecting electronic payment systems. Information protection in electronic payment systems. Technical security of transactions
22.10.2021

Methods for protecting electronic payment systems. Information protection in electronic payment systems. Technical security of transactions

Today it is difficult to imagine a serious - and not necessarily large - business without Internet support in the form of its own resource, selling pages or online store. It allows you to turn an ordinary electronic catalog into a functioning virtual store with the ability to select a product on the seller's website and pay for it. It is not surprising that the issue of effective organization of the security of electronic payments is important for the owner of any Internet service specializing in financial settlements.

Information protection in electronic payment systems implies the fulfillment of the following conditions:

  • confidentiality - in the process of online settlements, the buyer's data (number of a plastic credit card or other payment means) should remain known only to institutions and structures that have a legal right to do so;
  • authentication - most often a PIN code or a message, thanks to which the client (or the seller) can make sure that the second party to the transaction is exactly who he claims to be;
  • authorization - makes it possible, before the start of the transfer of money, to determine whether the buyer has a sufficient amount in order to pay for the order.

All of this is aimed at providing a secure payment algorithm that can minimize the risks of electronic financial settlements for both the buyer and the seller.

Modern methods of protecting information of electronic payment systems

Today, the protection of information of electronic payment systems is carried out mainly with the help of:

  • instant authorization of the payer;
  • encryption of financial information on the Internet;
  • special certificates.

Providing for the simultaneous interaction with thousands of users, modern applications of a purely commercial nature cannot work with classical "unambiguous" systems - both with operating exclusively on public keys and with functioning only on private keys. Interception by malefactors of at least one key of a completely "closed" system automatically leads to a complete opening of its entire protection chain. In turn, encryption with only public keys requires significant computing resources.

In this regard, today the security of payment systems in e-commerce is ensured by the simultaneous use of protocols with private and public keys. Information that travels over networks is encrypted using a private key. In this case, its generation is carried out dynamically, and it is transferred to the second party to the transaction with a cipher based on the public key. As a rule, encryption is carried out using the Secure Sockets Layer (SSL) protocol, as well as Secure Electronic Transaction (SET) - it was developed by the financial giants MasterCard, VISA. The first protocol performs channel-level encryption, while the second encrypts financial data directly. In the process of using applications with the SET protocol, a double electronic signature algorithm is used.

One part of it is sent to the seller, and the other to the bank. Thanks to this scheme, the buyer has access to all data on orders, but he does not have access to the settlement details of the selling party, and the bank, in turn, has all the financial data of both parties to the transaction in the absence of information about the composition of the order. To improve the protection of virtual transactions, virtual certification authorities are also called upon to issue e-commerce representatives unique "certificates" in electronic format with a signed personal public key. An electronic certificate is issued by the center based on the identification documents of the parties to the transaction and is valid for a certain period of time. With such a certificate, a participant in a commercial transaction can perform financial transactions, checking the validity of the public keys of other participants.

Basic rules that the buyer should follow

  1. Never share your password with anyone, including employees of payment systems.
  2. Check that the connection is indeed in SSL secured mode - the closed padlock icon should be visible in the lower right corner of your browser;
  3. Check that the connection is established exactly with the address of the payment system or Internet bank;
  4. Never save your password information on any media, including a computer. If you suspect that someone has gained access to your personal account, change your password or block your account / account;
  5. After finishing work, be sure to press the Exit button;
  6. Make sure your computer is not infected with any viruses. Install and activate antivirus software. Try to keep them up to date, as the action of viruses can be aimed at transferring information about your password to third parties;
  7. Use software from trusted and trusted sources and update regularly.

Statistics
According to statistics, the following systems are most often attacked: terminals (32%), database servers (30%), application servers (12%), web servers (10%). Workstations, authentication servers, backup servers, file storages and so on account for only 10%. From these statistics, the relevance of security is clearly visible. sites and applications, since through their vulnerabilities it often becomes possible to gain access to data.

What ensures the security of payment systems

Secure / encrypted internet connections

  • Currently, the presence of an SSL certificate on the site is not a sufficient condition for the safe conduct of online payments. Only an integrated approach, certified according to modern international standards, allows us to say that the security of processing Internet payments is ensured at the highest level.

Client protection

  • Login / password for accessing the system, which is being tested for complexity;
  • A combination of bank card number, expiration date, cardholder name, CVV / CVC codes;
  • The ability to create a duplicate of the main one for making Internet payments;

Technical protection

  • Linking a payment service to a fixed IP address and customer phone number;
  • Implementation of client access to the system via the encrypted HTTPS / SSL protocol;
  • The ability to use a virtual keyboard for typing identification data (countering the interception of personal data);
  • Separation of the channels for generating transactions and the channel for authorizing transactions:
    • authorization of transactions is carried out through a special code, which, when making a payment, the client receives from the system to his mobile phone via SMS (a random combination of letters and numbers, valid only for several minutes).

Protection of plastic cards
Attackers most often try to get. The research reports of experts in the field of payment security - Verizon and Trustwave companies indicate statistics: in 85 and 98 cases out of 100, respectively, the target of the attack was exactly.

Payment systems certification
Certification of service providers and business owners (merchants) with more than 6 million transactions per year is subject to Qualified Security Assessor (QSA) certification, which are issued in Russia by IBM, NVision Group, Deiteriy, Digital Security, TrustWave, EVRAAS IT, Informzashita, Jet Infosystems, Croc Inc.

  1. Certificate of Compliance Payment Card Industry Data Security Standard(PCI DSS);
  2. Security certificate for compliance with international requirements for information security management in the development, implementation and maintenance of software ISO / IEC 27001: 2005;
  3. Use of an electronic digital signature (EDS);
  4. Licenses for the right to carry out activities for the provision, maintenance, distribution of encryption (cryptographic) means.

Starting July 1, 2012, the use of uncertified applications by companies subject to the PCI DSS standard will be prohibited.
PCI DSS information security standard in the payment card industry was developed by the international payment systems Visa and MasterCard and is a set of 12 detailed requirements for ensuring the security of data about payment cardholders that are transmitted, stored and processed in the information infrastructures of organizations. Taking appropriate measures to ensure compliance with the requirements of the standard implies an integrated approach to ensuring information security of payment card data.

Vulnerabilities and remedies
From the point of view of information security, the following vulnerabilities exist in electronic payment systems:

  1. Transfer of payment and other messages between the bank and the client and between banks;
  2. Information processing within the organizations of the sender and recipient of messages;
  3. Client access to funds accumulated on accounts.
  4. One of the most vulnerable places in the electronic payment system is the transfer of payment and other messages between banks, between a bank and an ATM, between a bank and a client.

Protection when forwarding payment messages:

  1. The internal systems of the sender and recipient organizations must be adapted for sending and receiving electronic documents and provide the necessary protection during their processing within the organization (protection of end systems);
  2. The interaction between the sender and the recipient of an electronic document is carried out indirectly - through a communication channel.

Problems to be solved when organizing payment protection:

  • mutual identification of subscribers (the problem of establishing mutual authentication when establishing a connection);
  • protection of electronic documents transmitted through communication channels (problems of ensuring the confidentiality and integrity of documents);
  • protection of the process of exchange of electronic documents (the problem of proof of departure and delivery of a document);
  • ensuring the execution of the document (the problem of mutual distrust between the sender and the recipient due to their belonging to different organizations and mutual independence).

Ensuring the security of payment systems
To ensure the functions of protecting information on individual nodes of the electronic payment system, the following protection mechanisms must be implemented:

  • endpoint access control;
  • control of message integrity;
  • ensuring the confidentiality of the message;
  • mutual authentication of subscribers;
  • the impossibility of rejecting the authorship of the message;
  • guarantees of message delivery;
  • impossibility of refusal to take action on the message;
  • registration of a sequence of messages;
  • monitoring the integrity of the message sequence.

The quality of the solution to the above problems is largely determined by the rational choice of cryptographic means when implementing protection mechanisms.

Payment system is a system of interaction between participants
From an organizational point of view, the core of the payment system is an association of banks, united by contractual obligations. In addition, the electronic payment system includes trade and service enterprises that form a network of service points. For the successful functioning of the payment system, specialized organizations are also needed that provide technical support for servicing cards: processing and communication centers, technical service centers, etc.

Chapter 4 examined the features of the approach to protecting electronic banking systems. A specific feature of these systems is a special form of electronic data exchange - electronic payments, without which no modern bank can exist.

Electronic data exchange (EDI) is an intercomputer exchange of business, commercial, financial electronic documents. For example, orders, payment instructions, contract offers, invoices, receipts, etc.

EIA ensures the operational interaction of trading partners (customers, suppliers, resellers, etc.) at all stages of preparing a trade transaction, concluding a contract and implementing a delivery. At the stage of contract payment and transfer of funds, the EDI can lead to the electronic exchange of financial documents. This creates an effective environment for trade and payment transactions:

* It is possible to familiarize trading partners with offers of goods and services, select the required product / service, clarify commercial conditions (cost and delivery time, trade discounts, warranty and service obligations) in real time;

* Ordering goods / services or requesting a contract proposal in real time;

* Operational control of the delivery of goods, receipt by e-mail of accompanying documents (invoices, invoices, completing lists, etc.);

* Confirmation of completion of delivery of goods / services, billing and payment of invoices;

* Execution of bank credit and payment transactions. The advantages of the EOS include:

* Reducing the cost of operations due to the transition to paperless technology. Experts estimate the cost of processing and maintaining paper documentation at 3-8% of the total cost of commercial transactions and delivery of goods. The benefit from the use of the EIA is estimated, for example, in the US auto industry at more than $ 200 per vehicle manufactured;

* Increase the speed of calculation and money turnover;

* Improving the convenience of calculations.

There are two key strategies for the development of EIA:

1. EIA is used as an advantage in the competitive struggle, allowing for closer interaction with partners. This strategy is adopted in large organizations and is called the "Extended Enterprise Approach" (Extended Enterprise).

2. EIA is used in some specific industrial projects or in the initiatives of associations of commercial and other organizations to increase the efficiency of their interaction.

Banks in the United States and Western Europe have already recognized their key role in spreading EIA and the significant benefits of closer interaction with business and personal partners. CED assists banks in providing services to clients, especially small ones, those who previously could not afford to use them due to their high cost.

The main obstacle to the widespread use of EDL is the variety of document representations when exchanging them via communication channels. To overcome this obstacle, various organizations have developed standards for the presentation of documents in EIA systems for various industries:

QDTI - General Trade Interchange (Europe, international trade);

MDSND - National Automated Clearing House Association (USA, National Association of Automated Clearing House);

TDCC - Transportation Data Coordinating Committee;

VICS - Voluntary Interindustry Communication Standard (USA, Voluntary Interindustry Communication Standard);

WINS - Warehouse Information Network Standarts.

In October 1993, the international UN / ECE group published the first version of the EDIFACT standard. The developed set of syntax rules and commercial data elements was formalized in the form of two ISO standards:

ISO 7372 - Trade Data Element Directory

ISO 9735 - EDIFACT - Application level syntax rules.

A special case of EIA is electronic payments - the exchange of financial documents between clients and banks, between banks and other financial and commercial organizations.

The essence of the concept of electronic payments lies in the fact that messages sent through communication lines, properly executed and transmitted, are the basis for performing one or several banking operations. In principle, no paper documents are required to carry out these operations (although they can be issued). In other words, a message sent over communication lines carries information that the sender has performed some operations on his account, in particular, on the correspondent account of the receiving bank (which may be a clearing center), and that the recipient must perform the operations specified in the message. Based on such a message, you can send or receive money, open a loan, pay for a purchase or service, and perform any other banking operation. Such messages are called electronic money, and banking transactions based on the sending or receiving of such messages are called electronic payments. Naturally, the entire process of making electronic payments needs reliable protection. Otherwise, the bank and its clients will face serious troubles.

Electronic payments are used for interbank, trade and personal settlements.

Interbank and trade settlements are made between organizations (legal entities), therefore they are sometimes called corporate. Settlements with the participation of individual clients are called personal.

The majority of large thefts in banking systems are directly or indirectly related to electronic payment systems.

There are many obstacles to the creation of electronic payment systems, especially global ones, covering a large number of financial institutions and their clients in various countries. The main ones are:

1. Lack of uniform standards for operations and services, which significantly complicates the creation of unified banking systems. Each large bank strives to create its own EIA network, which increases the cost of its operation and maintenance. Duplicate systems make them difficult to use, interfering with each other and limiting customer options.

2. An increase in the mobility of the money supply, which leads to an increase in the possibility of financial speculation, expands the flows of "wandering capital". This money is capable of changing the situation on the market in a short time, destabilizing it.

3. Failures and failures of technical and software errors in the implementation of financial settlements, which can lead to serious complications for further settlements and loss of confidence in the bank on the part of clients, especially due to the close intertwining of banking ties (a kind of "multiplication of errors"). At the same time, the role and responsibility of the operators and the administration of the system, which directly control the processing of information, significantly increase.

Any organization that wants to become a client of any electronic payment system, or organize its own system, should be aware of this.

For reliable operation, the electronic payment system must be well protected.

Trade settlements are made between different trading organizations. Banks in these calculations participate as intermediaries when transferring money from the account of the paying organization to the account of the receiving organization.

Merchant settlement is extremely important to the overall success of an electronic payment program. The volume of financial transactions of various companies usually constitutes a significant part of the total volume of bank transactions.

The types of trade settlements vary greatly for different organizations, but always when they are carried out, two types of information are processed: payment messages and auxiliary (statistics, summaries, notifications). For financial institutions, of course, the information of payment messages is of the greatest interest - account numbers, amounts, balance, etc. For trade organizations, both types of information are equally important - the first provides a clue to the financial condition, the second helps in decision-making and policy making.

The most common trading calculations are of the following two types:

* Direct deposit.

The meaning of this type of payment is that the organization instructs the bank to make certain types of payments to its employees or customers automatically, using pre-prepared magnetic media or special messages. The conditions for making such calculations are negotiated in advance (source of funding, amount, etc.). They are used mainly for regular payments (payments of various kinds of insurance, loan repayments, salaries, etc.). Organizationally, direct deposit is more convenient than, for example, check payments.

Since 1989, the number of employees using direct deposit has doubled to 25% of the total. More than 7 million Americans today receive direct deposit wages. Direct deposit promises the following benefits for banks:

Reducing the volume of tasks associated with processing paper documents and, as a result, saving significant amounts;

Increase in the number of deposits, as 100% of the volume of payments must be made on the deposit.

In addition to the banks, both the owners and the employees are the winners; increased convenience and reduced costs.

* Calculations using the EOS.

The data here are invoices, invoices, component sheets, etc.

To implement EIA, it is necessary to implement the following set of basic services:

E-mail according to the X.400 standard;

File transfer;

Point-to-point communication;

Online access to databases;

Mailbox;

Conversion of presentation standards.

Examples of currently existing trade settlement systems using EIA are:

National Bank and Royal Bank (Canada) connect with their customers and partners through the IBM Information Network;

Bank of Scotland Transcontinental Automated Payment Service (TAPS), founded in 1986, connects Bank of Scotland with customers and partners in 15 countries through correspondent banks and automated clearinghouses.

Electronic interbank settlements are mainly of two types:

* Clearing settlements using a powerful computing system of an intermediary bank (clearing bank) and correspondent accounts of banks participating in settlements with this bank. The system is based on the offset of mutual monetary claims and liabilities of legal entities with the subsequent transfer of the balance. Clearing is also widely used on stock and commodity exchanges, where mutual claims of participants in transactions are offset through a clearing house or a special electronic clearing system.

Interbank clearing settlements are carried out through special clearing houses, commercial banks, between branches and branches of one bank - through the head office. In a number of countries, central banks act as clearing houses. Automated Clearing Houses (ACCs) provide services for the exchange of funds between financial institutions. Payment transactions are mainly limited to either debit or credit. The members of the AKP system are financial institutions that are members of the AKP association. The association is formed in order to develop rules, procedures and standards for the execution of electronic payments within a geographic region. It should be noted that the ACP is nothing more than a mechanism for the movement of funds and accompanying information. By themselves, they do not perform payment services. ACPs were created to complement paper-based financial document processing systems. The first automatic transmission appeared in California in 1972, at present there are 48 automatic transmissions in the USA. In 1978, the National Automated Clearing House Association (NACHA) was created, uniting all 48 AKP networks on a cooperative basis.

The volume and nature of transactions are constantly expanding. ACPs begin to carry out business settlements and electronic data exchange operations. After three years of efforts by various banks and companies, the CTP (Corporate Trade Payment) system was created to automate the processing of credits and debits. According to experts, in the near future, the trend of expanding the functions of the ACP will continue.

* Direct settlement, in which two banks communicate directly with each other using loro-nostro accounts, possibly with the participation of a third party playing an organizational or supporting role. Naturally, the volume of mutual transactions should be large enough to justify the costs of organizing such a settlement system. Typically, such a system unites several banks, while each pair can communicate directly with each other, bypassing intermediaries. However, in this case, there is a need for a management center that deals with the protection of interacting banks (distribution of keys, management, control of functioning and registration of events).

There are many such systems in the world - from small ones that connect several banks or branches to giant international ones that connect thousands of participants. The most famous system of this class is SWIFT.

Recently, a third type of electronic payments has appeared - electronic check truncation, the essence of which is to stop the way of sending a paper check in the financial institution in which it was presented. If necessary, its electronic analogue "travels" further in the form of a special message. Sending and redemption of an electronic check is carried out using the ACP.

In 1990, NACHA announced the first round of testing of the Electronic Check Truncation, a national experimental program. Its goal is to reduce the cost of processing the vast amount of paper checks.

Sending money using an electronic payment system includes the following steps (depending on the specific conditions and the system itself, the procedure may vary):

1. A certain account in the system of the first bank is reduced by the required amount.

2. The correspondent account of the second bank in the first is increased by the same amount.

3. A message is sent from the first bank to the second, containing information about the actions performed (account identifiers, amount, date, conditions, etc.); in this case, the forwarded message must be appropriately protected against forgery: encrypted, provided with a digital signature and control fields, etc.

4. The required amount is debited from the correspondent account of the first bank in the second.

5. The specified account in the second bank is increased by the required amount.

6. The second bank sends the first one a notification about the made adjustments to the account; this message must also be protected against counterfeiting in a manner similar to that of a payment message.

7. The exchange protocol is fixed at both subscribers and, possibly, at a third party (in the network control center) to prevent conflicts.

On the way of transmission of messages there may be intermediaries - clearing centers, intermediary banks in the transmission of information, etc. The main difficulty of such calculations is confidence in their partner, that is, each of the subscribers must be sure that his correspondent will perform all the necessary actions.

To expand the use of electronic payments, the standardization of the electronic submission of financial documents is being carried out. It was started in the 70s under two organizations:

1) ANSI (American National Standart Institute) has published ANSI X9.2-1080, (Interchange Message Specification for Debit and Credit Card Message Exchange Among Financial Institute). In 1988, a similar standard was adopted by ISO and was named ISO 8583 (Bank Card Originated Messages Interchange Message Specifications - Content for Financial Transactions);

2) SWIFT (Society for Worldwide Interbank Financial Telecommunications) has developed a series of standards for interbank communications.

In accordance with the ISO 8583 standard, a financial document contains a number of data elements (details) located in specific fields of a message or electronic document (electronic credit card, X.400 message or document in EDIFACT syntax). Each data element (ED) is assigned a unique number. The data element can be either required (that is, included in every message of this type), or optional (in some messages, it may be absent).

The bit scale determines the composition of the message (those EDs that are present in it). If some bit of the bit scale is set to one, it means that the corresponding DE is present in the message. Thanks to this method of encoding messages, the total length of a message is reduced, flexibility is achieved in the presentation of messages with many EDs, and it is possible to include new EDs and message types in an electronic document of a standard structure.

There are several ways of electronic interbank payments. Let's consider two of them: payment by check (payment after service) and payment by letter of credit (payment for the expected service). Other methods, such as payment by means of payment slips or payment orders, have a similar organization.

Payment by check is based on paper or other document containing the identification of the bearer. This document is the basis for transferring the amount specified in the check from the owner's account to the payee's account. Payment by check includes the following steps:

Receiving a check;

Submission of a check to the bank;

Request for transfer from the account of the owner of the check to the account of the bearer;

Money transfer;

Payment notification.

The main disadvantages of such payments are the necessity of the existence of an auxiliary document (check), which is easy to forge, as well as the significant time required to complete the payment (up to several days).

Therefore, recently such type of payments as payment by letter of credit has become more common. It includes the following steps:

Notification of the bank by the client about the provision of a loan;

Notifying the beneficiary's bank of a loan and transferring money;

Notifying the recipient of the loan.

This system allows you to make payments in a very short time. Credit notification can be sent by (e-mail), on floppy disks, magnetic tapes.

Each of the types of payments discussed above has its own advantages and disadvantages. Checks are most convenient for small payments and irregular payments. In these cases, the delay in payment is not very significant, and the use of the loan is impractical. Settlement by letter of credit is usually used for regular payments and for significant amounts. In these cases, the absence of a clearing delay allows you to save a lot of time and money by reducing the money turnover period. The common disadvantage of these two methods is the need for the costs of organizing a reliable electronic payment system.

It is difficult to surprise someone with the presence of electronic savings, because they have long entered the everyday life of every person and are used to make purchases on the Web, carry out transfers and convert funds. The popularity of such a currency is explained by the convenience of its use, as well as the minimum commission. The issue of money safety deserves special attention. Ensuring the proper functioning of standards and mechanisms for storing virtual assets, as a rule, is provided by payment services, but users are also required to observe elementary precautions when manipulating the latter.

With the advent of internet banking, there are even more opportunities. People gained access to make purchases or conduct other transactions from the comfort of their homes. To carry out any operation, a computer, smartphone or other device is enough, as well as a stable connection to the Network.

Despite a number of advantages, electronic money needs additional protection on the part of the user. This is due to the emergence of a large number of scammers who know how to hack personal accounts and obtain the necessary passwords. This is why it is important to take some steps to ensure the security of any transaction on the Web. After all, schemes of unauthorized access to other people's virtual savings are progressing, and very often online fraudsters are one step ahead of the developers of protective mechanisms.

Existing risks and main methods of protection

There are many types of fraud on the Internet that allow attackers to deftly deceive people, steal personal data, and subsequently money. The most popular varieties include:

  • Phishing is a sophisticated method of fraud, which involves the theft of personal data, namely passwords, bank accounts, logins, and plastic card numbers. The essence of the method is to send a letter by e-mail on behalf of any reputable organization, for example, a banking institution. In the text, employees of the pseudo-organization recommend updating or transmitting any information under various pretexts. The peculiarity of phishing lies in the detailed elaboration of a fraudulent scheme. For greater reliability, attackers create sites that exactly copy the Internet resource of the front organization. Consequently, a person is unaware of deception, gets hooked and loses money. To avoid such troubles, it is important to exercise the utmost vigilance and learn how to detect fake sites.
  • Skimming is a direction that implies the use of special devices that allow reading the necessary information from the magnetic tape of a plastic card. The algorithm of actions is as follows. First, the attacker fixes the skimmer on the ATM receiver. The peculiarity of this device is that it hardly differs from the factory connector. The device is based on a special circuit that provides data reading. At the same time, a video camera is attached to the ATM, the purpose of which is to fix the PIN code. At the last stage, the fraudster makes a copy of the card and uses the stolen code to withdraw all funds.

One of the advantages of electronic money is the impossibility of counterfeiting (in the classical sense). They cannot be printed, and then purchased with counterfeit banknotes. Virtual currency is in digital form and is used only on the Web, but even this guarantees one hundred percent protection. As noted above, many fraud options have been developed to trick gullible people.

But there are several main ways to protect money, allowing you to protect electronic savings from intruders:

  • Passwords. Almost every user of the global network is faced with the need to enter special codes to enter the personal account of a site on a daily basis. A similar system is implemented in electronic payment services, many of which use this method as the main method of ensuring security. In practice, not one, but several passwords can be used at once, which can be stationary or changing. In the latter case, the code is updated every time you visit the resource. The new combination is sent to your e-mail or mobile phone. The control password, as a rule, is entered during any financial transaction on the Internet. This measure allows you to additionally protect the user who made the transaction and temporarily left the computer. Another person, without specifying the control code, will not be able to carry out any financial manipulation and use other people's money. The considered system is in wide demand in many payment systems, including Yandex.Money, Qiwi and others (called "Payment Password"). The issue of money security is well thought out in another service - WebMoney. Here, one password to enter the wallet is not enough - you need a key file. The use of a PIN code as protection is also typical for bank cards, which were mentioned at the beginning of the article. As a rule, it consists of four digits that each user sets individually. As practice has shown, this method of protecting electronic money is not very reliable, and the security system itself is susceptible to hacking. If the attacker stole the card and tries to guess the password, the "plastic" is blocked after three consecutive mistakes. From the above, we can conclude that the password is a popular way to ensure the security of electronic currency, and it is present in almost all modern payment systems. The only drawback is the insufficient level of reliability, so it is recommended to combine it with other protection methods.
  • Key files. The considered method is used in WebMoney and provides additional reliability. Its essence is that after registration, the client is issued a special file containing the keys to the repository. To gain access to savings, the user must have a password at hand, as well as the document mentioned above. In addition, the wallet file has its own protection to ensure the safety of money. Here you also need to enter a specific combination of letters, numbers and symbols. For additional protection of personal savings, it is recommended to store the above file outside the computer's hard drive, for example, on a USB flash drive. In a different situation, after penetrating a PC, an attacker receives all the necessary data to hack a wallet. In case of loss of this file, it is advisable to make a copy of it and save it on a removable medium.
  • The set of symbols on the display. One of the ways to protect against various worms, trojans and viruses is the on-screen keyboard. This technique is used in one of the most popular EasyPay systems. Unlike other EPS, the required characters are entered not from a regular keyboard, but through a special image on the monitor screen. This protection technique has two sides. In the case of typing a password, another person can spy on the information, and then use it to hack. If you carefully approach this point and make a set when there are no strangers, you can protect almost all types of electronic money from keyloggers. The latter are programs that penetrate the user's computer and read a special log file (it is in it that information about the characters entered through the keyboard is stored). But there are other programs that record and subsequently reproduce any user actions, including moving with the mouse. Therefore, it is necessary to make a decision on the relevance of using a conventional or display keyboard individually, taking into account the current situation.
  • Special phrase. To increase the level of protection of their funds, each user must come up with one or more words. The use of this technique allows you to protect yourself from phishing, which was mentioned at the beginning of our story. After opening the operating page of the service, the person should see the set passphrase. If it does not match the original, or it does not exist at all, we can confidently speak of an attempted fraud.
  • Account blocking. You have to resort to this step in a situation when the methods discussed above did not work or cannot provide the required level of protection. This is possible when a person accidentally lost his password, became a victim of data theft from a PC, or cannot find a plastic card. So, if the main protection methods did not work, the user sends an SMS to a specific number or makes a call with the command to block the electronic account. This measure is suitable for extreme cases, but it is precisely this measure that provides the best protection for electronic money in an emergency.

The above methods individually do not guarantee complete safety and should be used exclusively in combination. The “weakest link” in this matter is the presence of the human factor, which makes even a reliable system vulnerable.

Simple Defense Techniques are a Powerful Complement to Basic Techniques

Each person should understand that the safety of electronic money directly depends on his attention and following some recommendations:

  • Never share passwords with other people, regardless of the explanation. The PIN-code of the card or the set of characters for entering the wallet of the electronic payment system is personal information that cannot be trusted by anyone. Any attempt to find out these facts should be alarming, even if a customer service representative asks for personal information. Ignoring this recommendation, you level out the main protection methods, which simply become ineffective. Efforts to defraud personal data via e-mail should be particularly suspicious. In this case, it is highly likely that we can talk about Internet fraud.
  • If online purchases are commonplace, it is advisable to issue a separate bank card and use it as a payment instrument to pay for services or goods on the Internet. You should not pay with different cards, because in this case their degree of confidentiality is reduced. In addition, it is advisable to set a limit in order to avoid losing a large amount in case of hacking "plastic" by an attacker.
  • Before withdrawing money from an ATM, it is advisable to carefully examine the device for the fact that there are no special devices for skimming. If you notice poorly attached elements, you should inform the bank representatives about the problem, and you yourself should look for another device for cashing out funds.
  • Do not use electronic payment system wallets through public computers in Internet cafes or other similar establishments. In this case, attackers can easily intercept confidential information, after which the main methods of protecting money are useless. The administrator of such an establishment can easily check the history of each user and remove the information he needs.
  • Do not follow the links that come to your e-mail if you are not sure about the accuracy of the data and you are not familiar with the sender. If you ignore the recommendations, you can "pick up" a virus or Trojan that will collect confidential information and send it to the creator. In addition, you should not 100% trust the users you know, because the mailbox could have been hacked. If the link is suspicious, it is better to separately find out its relevance.
  • When paying with a bank card in any institution, always keep the "plastic" in sight. If the waiter passes the magnetic tape through a separate reader, all the necessary data will be transferred to him.
  • Never use the same password on different services, because in the event of a hack, an attacker gains access to all the money. In addition, it is advisable to use a complex combination of symbols to make matching impossible.
  • When purchasing goods using EPS or a card on the Web, it is advisable to work only with reputable online stores. You should not transfer money to dubious persons, regardless of the benefits offered.
  • Periodically check the account of the card or payment system in order to quickly detect the loss and use the lock.
  • Install a reliable antivirus on your PC and update it regularly. In addition, enable a firewall, which will provide additional protection against intruders.

Any type of electronic money requires attention. It depends only on the user whether he will be able to keep the money he earned, or whether it will go to scammers.

Send your good work in the knowledge base is simple. Use the form below

Students, graduate students, young scientists who use the knowledge base in their studies and work will be very grateful to you.

Posted on http://www.allbest.ru/

electronic plastic card payment algorithm

List of abbreviations

Introduction

1. Statement of the problem

2. Implementation

3. Principles of functioning of electronic payment systems

4. Electronic plastic cards

5. Personal identification number

6. Securing POS Systems

7. Ensuring the security of electronic payments

8. Federal Law "On the National Payment System"

Conclusion

List of used literature

List of abbreviations

COS (Cards Operation System) - card operating system

DES (Data Encryption Standard) - the old American encryption standard, replaced in 2002 by the AES standard

ISO (International Organization for Standardization) - international organization for standardization

PIN (Personal Identification Number) - personal identification number

POS-terminals (Point-Of-Sale) - payment at the point of sale

SET (Secure Electronic Transactions) - Secure Electronic Transactions Protocol

SSL (Secure Socket Layer) - a protocol for securing transactions on the Internet

NSPK - national payment card system "Russian Payment Card"

RAM - random access memory

ROM - Read Only Memory

CPU - Central Processing Unit

Computer - electronic computing machine

EEPROM - Electrically Erasable Programmable ROM

Introduction

Simultaneously with the invention of money as an abstract representation of value, various payment systems were formed. However, over time, the number of ways to abstractly represent value has grown, and each round of economic development has brought new elements to this area, thereby ensuring the development of payment systems. Starting with barter, society went through the introduction of banknotes, payment orders, checks, and more recently credit cards, and finally entered the era of electronic payment systems. The rapid development of e-commerce has led to the development of many different electronic payment systems, the functionality of which is constantly expanding and becoming more complex. Experts predict that until the market stabilizes and obvious leaders are established on it, the trend of growth in the number of offers will continue.

Electronic payment systems present on the market today can be divided into a number of categories - both by suppliers and according to the specifics of implementation. Each category has its own leaders and outsiders, but it is still clear that there are no companies that dominate the entire market as a whole, and cash, checks and real credit cards are widely used alongside their electronic counterparts. Banks, on the other hand, are traditionally cautious about experimenting with various new solutions. However, financial institutions are expected to play a decisive role in the acceptance of these solutions by the electronic payment system market. In addition, for all these proposals, a rigid system of standards has not yet been developed that would also affect the development and adoption of electronic payment systems. While the organizational part of this industry is in its infancy, and its areas still need serious protection.

1. Formulation of the problem

To study the basic concepts, algorithms, methods of protecting information in electronic payment systems. Implement a method for generating a PIN code from a client's account number.

2. Implementation

The general process for generating an assigned PIN from a bank account number is shown in Fig. 3. First, the customer's account number is padded with zeros to 16 hexadecimal digits (8 bytes). Then a pseudo-random number is generated, which is also padded with zeros to 16 hexadecimal digits (8 bytes). The resulting numbers are converted into a binary number system and added modulo 2. From the received number of 8 bytes in length, 4-bit blocks are alternately selected, starting with the least significant byte. If the number formed by these bits is less than 10, then the resulting digit is included in the PIN, otherwise this value is not used. In this way, all 64 bits (8 bytes) are processed. If as a result of processing it was not possible to immediately obtain the required number of decimal digits, then they refer to the unused 4-bit blocks, from which the remainder of division by 10 is taken. The implementation of the algorithm can be seen in Appendix 6. For the functioning of the program is sufficient for the software to include the operating system. The program interface is easy to use (see fig. 6). The user must enter the bank card number and select the length of the PIN-code, and at the exit he will receive the PIN-code of the selected length.

3. Principles of functioning of electronic payment systems

An electronic payment system is a set of methods and subjects implementing them that ensure the use of bank plastic cards as a means of payment within the system.

A plastic card is a personalized payment instrument that provides the person using this card with the possibility of non-cash payment for goods and services, as well as receiving cash from ATMs and bank branches. Trade and service enterprises and bank branches that accept the card as a payment instrument form a receiving network of card service points.

When creating a payment system, one of the main tasks to be solved is the development and observance of general rules for servicing cards issued by issuers included in the payment system, for carrying out mutual settlements and payments. These rules cover both purely technical aspects of transactions with cards - data standards, authorization procedures, specifications for the equipment used and others, and financial aspects of servicing cards - procedures for settlements with trade and service enterprises that are part of the receiving network, rules for mutual settlements between banks and etc.

From an organizational point of view, the core of the payment system is an association of banks, united by contractual obligations. In addition, the electronic payment system includes trade and service enterprises that form a network of service points. For the successful functioning of the payment system, specialized organizations are also needed that provide technical support for servicing cards: processing and communication centers, technical service centers, etc.

The generalized scheme of the functioning of the electronic payment system is shown in Fig. 1. A bank that has entered into an agreement with a payment system and received a corresponding license can act in two capacities - as an issuing bank and as an acquiring bank. The issuing bank issues plastic cards and guarantees the fulfillment of financial obligations associated with the use of these cards as means of payment. The acquiring bank serves trade and service enterprises that accept cards for payment as means of payment, and also accepts these means of payment for cash in its branches and through its ATMs. The main inalienable functions of the acquiring bank are financial transactions related to settlements and payments by service points. The technical attributes of the acquiring bank's activities (processing authorization requests; transferring funds to the settlement accounts of points of funds for goods and services provided by cards; receiving, sorting and forwarding documents that record transactions using cards, etc.) can be delegated by the acquirer processing centers.

The non-automated procedure for accepting a payment with a card is relatively simple. First of all, the cashier of the company must make sure of the authenticity of the plastic card. When paying, the company must transfer the details of the client's plastic card to a special check using an imprinting copier, enter the amount for which the purchase or service was made, and receive the client's signature. A check drawn up in this way is called a slip.

In order to ensure the security of the payment system operations, it is recommended not to exceed the lower limits on the amounts for different regions and types of business, for which you can make settlements without authorization. If the limit is exceeded or if there is any doubt about the identity of the client, the company must conduct an authorization procedure. Upon authorization, the company actually gets access to information about the state of the client's account and can establish the card's ownership and payment capacity in the amount of the transaction. One copy of the slip remains at the enterprise, the second is handed over to the client, the third is delivered to the acquiring bank and serves as the basis for refunding the amount of the payment to the enterprise from the client's account.

In recent years, automated POS terminals (Point-Of-Sale) and ATMs have gained widespread popularity. When using POS terminals, there is no need to fill in the slips. The details of the j plastic card are read from its magnetic stripe on the reader built into the POS terminal. The client enters into the terminal his PIN-code (Personal Identification Number), known only to him. The elements of the PIN-code are included in the general encryption algorithm of the magnetic stripe record and serve as the electronic signature of the cardholder. The transaction amount is entered on the POS terminal keyboard.

If the transaction is carried out at a bank branch and in its process cash is issued to the client, in addition to bank POS terminals, an electronic cashier-ATM can be used. Structurally, it represents an automated safe with a built-in POS terminal. The terminal uses the built-in modem for authorization to the appropriate payment system. In this case, the capacities of the processing center are used, the services of which are provided to the merchant by the acquiring bank.

A processing center is a specialized service organization that processes incoming requests from acquiring banks or directly from service points for authorization requests and transaction protocols - recorded data on payments made by plastic cards and cash withdrawals. For this, the processing center maintains a database, which, in particular, contains data on member banks of the payment system and plastic card holders. The processing center stores information about the limits of cardholders and executes requests for authorization in the event that the issuing bank does not maintain its own database (off-line bank). Otherwise (on-line bank) the Processing Center forwards the received request to the issuing bank of the authorized card. It is obvious that the Processing Center also ensures that the response is sent to the acquiring bank.

The execution of its functions by the acquiring bank entails settlements with issuing banks. Each acquiring bank transfers funds to service points for payments of cardholders of issuing banks included in this payment system. Therefore, the respective funds must then be transferred to the acquiring bank by the issuing banks. Prompt settlement of settlements between acquirers and issuers is ensured by the presence in the payment system of a settlement bank (one or more), in which the member banks of the system open correspondent accounts. Based on the transaction protocols accumulated during the operating day, the processing center prepares and sends out final data for settlements between banks participating in the payment system, and also generates and sends to acquiring banks and directly to service points stop lists (lists of cards, transactions on which in different reasons suspended). The processing center can also meet the needs of issuing banks for new cards, carrying out their order at factories and subsequent personalization.

The peculiarity of sales and cash withdrawals by plastic cards is that these operations are carried out by shops and banks "on credit", i.e. goods and cash are provided to customers immediately, and funds for their reimbursement are credited to the accounts of service companies after a while (no more than a few days). The issuing bank that issued them is the guarantor of the fulfillment of payment obligations arising in the process of servicing plastic cards. The nature of the guarantees of the issuing bank depends on the payment authority provided to the client and fixed by the type of card.

By the type of calculations performed using plastic cards, credit and debit cards are distinguished.

Credit cards are the most common type of plastic cards. These include cards of the national systems of the USA Visa and MasterCard, American Express and a number of others. These cards are presented at trade and service enterprises to pay for goods and services. When paying with credit cards, the buyer's bank opens a loan for the purchase amount, and then after a while (usually 25 days) sends the invoice by mail. The buyer must return the paid check (invoice) back to the bank. Naturally, a bank can offer such a scheme only to the most wealthy and proven of its clients who have a good credit history with the bank or solid investments in the bank in the form of deposits, valuables or real estate.

The debit card holder must deposit a certain amount into his account with the issuing bank in advance. The amount of this amount determines the limit of available funds. When making payments using this card, the limit is reduced accordingly. Limit control is performed during authorization, which is mandatory when using a debit card. To renew or increase the limit, the cardholder must re-deposit funds into his account. To insure a temporary gap between the moment the payment is made and the moment the bank receives the relevant information, a minimum balance must be maintained on the client's account.

Both credit and debit cards can be personal as well as corporate. Corporate cards are provided by the company to its employees to pay for travel or other business expenses. The company's corporate cards are linked to one of its accounts. These cards can have split or non-split limits. In the first case, an individual limit is set for each of the corporate cardholders. The second option is more suitable for small companies and does not imply a delineation of the limit.

In recent years, more and more attention has been attracted to electronic payment systems using microprocessor cards. The fundamental difference between microprocessor cards from all of the above is that they directly carry information about the state of the client's account, since they are, in essence, a transit account. All transactions are made off-line in the process of the card-terminal dialogue or the client's card - the merchant's card. Such a system is almost completely secure due to the high degree of security of the chip with a microprocessor and a full debit settlement scheme. In addition, although a card with a microprocessor is more expensive than a conventional card, the payment system turns out to be cheaper to operate due to the fact that there is no load on telecommunications in the off-line mode.

To ensure reliable operation, an electronic payment system must be reliably protected. From the point of view of information security, the following vulnerabilities exist in electronic payment systems:

* transfer of payment and other messages between the bank and the client and between banks;

* processing of information within the organizations of the sender and recipient of messages;

* access of clients to funds accumulated on accounts.

One of the most vulnerable places in the electronic payment system is the transfer of payment and other messages between banks, between a bank and an ATM, between a bank and a client. The forwarding of payment and other messages is associated with the following features:

* the internal systems of the sender and recipient organizations must be adapted for sending and receiving electronic documents and provide the necessary protection during their processing within the organization (protection of end systems);

* the interaction between the sender and the recipient of an electronic document is carried out indirectly - through a communication channel. These features give rise to the following problems:

* mutual identification of subscribers (the problem of establishing mutual authenticity):

* protection of electronic documents transmitted through communication channels (problems of ensuring the confidentiality and integrity of documents);

* protection of the process of exchange of electronic documents (the problem of proof of departure and delivery of the document);

* Enforcement of the document (the problem of mutual distrust between the sender and the recipient due to their belonging to different organizations and mutual independence).

To ensure the functions of protecting information on individual nodes of the electronic payment system, the following protection mechanisms must be implemented:

* access control on end systems;

* control of the integrity of the message;

* ensuring the confidentiality of the message;

* mutual authentication of subscribers;

* guarantees of message delivery;

* impossibility of refusal to take action on the message;

* registration of a sequence of messages,

* control of the integrity of the sequence of messages.

4. Electronic plastic cards

The use of POS terminals and ATMs is possible using some kind of storage medium that could identify the user and store certain credentials. Plastic cards are used as such information carriers.

The plastic card is a plate of standard dimensions (85.6x53.9x0.76 mm) made of special plastic, resistant to mechanical and thermal effects. One of the main functions of a plastic card is to ensure the identification of the person using it as a subject of the payment system. To do this, the logos of the issuing bank and the payment system serving this card, the name of the cardholder, his account number, the expiration date of the card, etc. are applied to the plastic card. In addition, the card may contain photographs of the holder and his signature. Alphanumeric data - name, account number, etc. - can be embossed, i.e. applied in embossed type. This makes it possible to quickly transfer the data to a check during manual processing of cards accepted for payment using a special device - an imprinter that "rolls" the card (similar to obtaining a second copy when using carbon paper).

According to the principle of operation, passive and active plastic cards are distinguished. Passive plastic cards only store information on a particular medium. These include plastic cards with a magnetic stripe.

Magnetic stripe cards are by far the most common, with over two billion cards of this type in circulation. The magnetic stripe is located on the back of the card and, in accordance with the ISO 7811 standard, consists of three tracks. Of these, the first two are for storing identification data, and the third track can be used to write information (for example, the current value of the debit card limit).

However, due to the low reliability of the repetitively repeated recording and reading process, writing to a magnetic stripe is usually not practiced, and such cards are used only in the information reading mode.

Magnetic stripe cards are relatively vulnerable to fraud. To increase the security of their cards, the Visa and MasterCard / Europay systems use additional graphic means of protection: holograms and non-standard fonts for embossing. Payment systems with such cards require on-line authorization in retail outlets and, as a result, the presence of branched, high-quality communication means (telephone lines). Therefore, from a technical point of view, such systems have serious restrictions on their use in countries with poorly developed communication systems.

A distinctive feature of active plastic cards is the presence of an electronic microcircuit built into it. The principle of a plastic card with an electronic microcircuit was patented in 1974 by the Frenchman Roland Moreno. The ISO 7816 standard defines the basic requirements for IC cards or Chep cards. In the not too distant future, IC cards will replace magnetic stripe cards. Therefore, let's dwell in more detail on the main types of cards with a microcircuit.

Chip cards can be classified according to several criteria. The first sign is the functionality of the card.

The following main types of cards can be distinguished here:

* card counters;

* cards with memory;

* cards with a microprocessor.

The second sign is the type of exchange with the reader:

* cards with induction reading.

Counter cards are used, as a rule, in cases where a particular payment operation requires a decrease in the balance on the cardholder's account by a certain fixed amount. Such cards are used in specialized prepaid applications (pay for using a pay phone, paying for parking, etc.) It is obvious that the use of cards with a counter is limited and does not have much prospects.

Memory cards are transitional between counter and processor cards. A memory card is essentially a rewritable counter card that has been designed to be more secure against malicious attacks. The simplest existing memory cards have a memory capacity of 32 bytes to 16 kilobytes. This memory can be implemented either as a programmable read-only memory (EPROM) that is write-once and read-many, or as an electrically erasable programmable read-only memory (EEPROM) that is write-and-read many times.

Memory cards can be categorized into two types, with unprotected (full access) and protected memory.

In cards of the first type, there are no restrictions on reading and writing data. They cannot be used as payment cards, since an average specialist can simply "hack" them.

The second type of cards have an identity area and one or more application areas. The identification area of ​​the cards can only be written once during personalization and is subsequently only readable. Access to application areas is regulated and is carried out only when performing certain operations, in particular when entering a secret PIN.

Memory cards are more secure than magnetic cards and can be used in applications where the financial risks associated with fraud are relatively low. As a means of payment, memory cards are used to pay for public payphones, travel in transport, in local payment systems (club cards). Memory cards are also used in systems for accessing premises and accessing resources of computer networks (identification cards). Memory cards are cheaper than microprocessor cards. Microprocessor cards are also called smart cards or smart cards. Microprocessor cards are essentially microcomputers and contain all of the underlying hardware components of a central processing unit (CPU), random access memory (RAM), read only memory (ROM), and electrically erasable programmable ROM (EEPROM) (Figure 2).

Currently, smart cards are installed:

* microprocessors with a text frequency of 5 MHz;

* operational memory with a capacity of up to 256 bytes,

* permanent memory with a capacity of up to 10 Kbytes;

* non-volatile memory with a capacity of up to 8 Kbytes.

The ROM contains a special set of programs called the Cards Operation System (COS). The operating system supports an EEPROM-based file system (the capacity of which is usually in the range of 1 ... 8 Kbytes, but can reach 64 Kbytes) and provides data access regulation. In this case, part of the data can only be accessed by the internal programs of the card.

The smart card provides a wide range of functions:

* differentiation of access rights to internal resources (thanks to work with a protected file system);

* data encryption using various algorithms;

* formation of an electronic digital signature;

* maintaining a key system;

* execution of all operations of interaction between the cardholder, the bank and the merchant.

Some cards provide a "self-locking" mode when attempting unauthorized access. Smart cards can significantly simplify the customer identification procedure. An algorithm implemented by a microprocessor on the card is used to check the PIN code. This eliminates the need for real-time POS and ATM operation and centralized PIN verification. The above-mentioned features make the smart card a highly secure payment tool that can be used in financial applications with increased requirements for information security. That is why microprocessor smart cards are currently considered the most promising type of plastic cards.

According to the principle of interaction with the reader, cards of two types are distinguished:

* cards with contact reading;

* cards with contactless reading.

A card with a contact reading has 8 ... 10 contact plates on its surface. The location of the contact plates, their number and the purpose of the pins are different for different manufacturers and it is natural that readers for cards of this type differ from each other.

In recent years, contactless cards have been widely used. In them, the exchange of data between the card and the reader is carried out inductively. Obviously, such cards are more reliable and durable.

Personalization of the card is carried out when the card is issued to the client. At the same time, data is entered on the card, which allows identifying the card and its holder, as well as checking the solvency of the card when accepting it for payment or issuing cash.

Authorization refers to the process of approving a sale or dispensing cash by card. For authorization, the service point makes a request to the payment system to confirm the powers of the card bearer and his financial capabilities. The authorization technology depends on the type of card, payment system scheme and technical equipment of the service point. Historically, the original way to personalize cards was through embossing.

Embossing is the process of embossing data on the plastic backing of a card. As a rule, the following data are embossed on the cards of issuing banks: card number; start and end dates of its validity; surname and name of the owner. Some payment systems, such as Visa, require embossing two special characters that uniquely identify the issuing bank to the payment system. Embossers (devices for embossing relief on the map) are produced by a limited number of manufacturers. In a number of Western countries, the free sale of embossers is prohibited by law. Special symbols confirming that the card belongs to a particular payment system are supplied to the owner of the Embossers only with the permission of the governing body of the payment system. An embossed card can serve as a means of payment when using an imprinter - a device for rolling a slip (check) confirming a completed payment transaction.

Card personalization also includes magnetic stripe coding or microchip programming.

As a rule, magnetic stripe coding is performed using the same equipment as embossing. In this case, part of the information about the card, containing the card number and the period of its validity, is the same both on the magnetic stripe and on the relief. However, there are situations when, after the primary encoding, it is required to additionally enter information on the magnetic track. In this case, special devices with the "read-write" function are used. This is possible, in particular, when the PIN-code for using the card is not generated by a special program, but can be chosen by the client at his own discretion.

Programming a microcircuit does not require special technological methods, but it has some organizational features. In particular, to improve security and eliminate possible abuse, programming operations in various areas of the microcircuit are geographically separated and delimited according to the rights of various employees participating in this process.

This procedure is usually broken down into three stages:

* at the first workplace, the card is activated (put into operation);

* at the second workplace, operations related to safety are performed;

* at the third workstation, the actual personalization of the card is performed.

Traditionally, the authorization process is carried out either "manually", when the seller or the cashier sends a request by phone to the operator (voice authorization), or automatically, when the card is placed in the POS terminal, the data is read from the card, the cashier enters the payment amount, and the cardholder from a special keyboard - secret PIN-code. After that, the terminal performs authorization, either by establishing connection with the payment system database (on-line mode), or by implementing additional data exchange with the card itself (off-line authorization). In the case of cash withdrawal, the process is similar, with the only peculiarity that money is automatically issued by a special device - an ATM, which performs authorization. Various methods and techniques are used to protect cards from counterfeiting and subsequent unauthorized use. For example, to personalize cards, a black-and-white or color photograph of the cardholder can be printed onto a plastic base using thermal printing. On any card there is always a special strip with a sample of the cardholder's signature. To protect the card as such, various payment communities use special three-dimensional images on the front and back of the card (holograms).

5. Personal identification number.

A proven method of identifying a bank card holder is to use a secret personal identification number (PIN). The PIN value should only be known to the cardholder. The length of the PIN must be large enough so that the probability of an attacker guessing the correct value using a brute-force attack is reasonably small. On the other hand, the length of the PIN should be short enough to enable cardholders to remember its meaning. The recommended PIN length is 4 ... 8 decimal digits, but can be up to 12.

Suppose that the PIN has a length of four digits, then the adversary, trying to pick the PIN value for the bank card, is faced with the problem of choosing one of ten thousand possibilities. If the number of attempts to enter an incorrect PIN value is limited to five per card per day, this opponent has a chance of success less than 1 in 2000. But the next day the opponent can try again, and his chances increase to 1: 1000. Each next day increases the enemy's chance of success. Therefore, many banks impose an absolute limit on the number of incorrect attempts to enter a PIN on the card in order to exclude this kind of attack. If the limit is exceeded, the card is considered to be incorrect and is taken away.

The PIN value is unambiguously associated with the corresponding attributes of the bank card; therefore, the PIN can be interpreted as the cardholder's signature. To initiate a transaction, the cardholder who uses the POS terminal inserts his card into the special Reader Slot and enters his PIN using the special keyboard of the terminal. If the entered PIN value and the customer's account number recorded on the magnetic stripe of the card agree with each other, then a transaction is initiated.

The protection of a personal identification number PIN for a bank card is critical to the security of the entire payment system. Bank cards can be lost, stolen, or tampered with. In such cases, the only countermeasure against unauthorized access remains the secret PIN value. This is why the open PIN form should only be known to the legitimate cardholder. It is never stored or transmitted within the framework of an electronic payment system. Obviously, the PIN value must be kept secret during the entire validity period of the card.

The method for generating the PIN value has a significant impact on the security of an electronic payment system. In general, personal identification numbers can be generated either by the bank or by cardholders. In particular, the client distinguishes between two types of PIN:

* PIN assigned to him by the bank that issued the card;

* PIN chosen by the cardholder himself.

If a PIN is assigned by a bank, the bank usually uses one of two options for generating a PIN.

In the first variant, the PIN is generated cryptographically from the cardholder's account number. The process of generating the assigned PIN from the account number is shown in Fig. 3. First, the customer's account number is padded with zeros or another constant to 16 hexadecimal digits (8 bytes). The resulting 8 bytes are then DES encrypted using a secret key. From the received ciphertext with a length of 8 bytes, 4-bit blocks are alternately allocated, starting with the least significant byte. If the number formed by these bits is less than 10, then the resulting digit is included in the PIN, otherwise this value is not used. All 64 bits (8 bytes) are processed in this way.

The obvious advantage of this procedure is that the PIN value does not need to be stored inside the electronic payment system. The disadvantage of this approach is that if a PIN change is required, either a new customer account or a new cryptographic key must be selected. Banks prefer that the customer's account number remains fixed. On the other hand, since all PINs are calculated using the same cryptographic key, changing one PIN while maintaining the customer's account inevitably entails changing all personal identification numbers. In the second option, the bank selects the PIN value at random, storing the value of this PIN in the form of a corresponding cryptogram. The bank transfers the selected PIN values ​​to the cardholders using a secure channel.

Using the PIN assigned by the bank is inconvenient for the client, even if its length is small.Such PIN is difficult to keep in memory, and therefore the card holder can write it somewhere The main thing is not to write the PIN directly to the card or some other prominent place. Otherwise, it is the attacker's task will be greatly facilitated.

For greater convenience of the client, use the PIN value chosen by the client himself. This way of determining the PIN value allows the client to:

* use the same PIN for different purposes;

* set PIN as a combination of letters and numbers (for ease of memorization).

Once the PIN has been selected by the customer, it must be communicated to the bank. The PIN can be sent to the bank by registered mail or sent through a secure terminal located at the bank office, which immediately encrypts it. If the bank needs to use the PIN chosen by the client, then proceed as follows. Each digit of the PIN chosen by the client is added modulo 10 (excluding transfers) with the corresponding digit of the PIN, withdrawn by the bank from the client's account. The resulting decimal number is called the "offset." This offset is stored on the customer card. Since the displayed PIN is random, the PIN chosen by the client cannot be determined by its "offset".

The main security requirement is that the PIN value should be remembered by the cardholder and should never be stored in any readable form. But people are imperfect and very often forget their PIN values. Therefore, banks should prepare in advance special procedures for such cases. The bank can implement one of the following approaches. The first is based on restoring the PIN value forgotten by the client and sending it back to the cardholder. The second approach simply generates a new PIN value.

When identifying a client by the PIN value and the presented card, two main ways of checking the PIN are used. non-algorithmic and algorithmic. The non-algorithmic method of PIN verification does not require the use of special algorithms. PIN verification is performed by directly comparing the PIN entered by the customer with the values ​​stored in the database. Typically, the client PIN database is transparently encrypted to increase its security without complicating the comparison process. The algorithmic method for verifying PIN is that the PIN entered by the client is converted according to a certain algorithm using a secret key and then compared with the PIN value stored in a certain form on the card. Advantages of this verification method:

* the absence of a PIN copy on the main computer excludes its disclosure by the bank personnel;

* the absence of PIN transfer between the ATM or POS-terminal and the main computer of the bank excludes its interception by an intruder or the imposition of comparison results;

* simplification of the work on the creation of system software, since there is no longer the need for action in real time.

6. Securitysystems securityPOS

POS (Point-Of-Sale) systems, which provide settlements between the seller and the buyer at the point of sale, have become widespread in developed countries and, in particular, in the United States. POS systems verify and service customer debit and credit cards directly at the point of sale of goods and services within the framework of the electronic payment system. POS-terminals included in these systems are located at various trade enterprises - in supermarkets, at gas stations, etc.

POS terminals are designed to process transactions in financial settlements using plastic cards with a magnetic stripe and smart cards. The use of POS-terminals allows you to automate the operations of servicing these cards and significantly reduce the service time. The capabilities and equipment of POS terminals vary widely, but a typical modern POS terminal is equipped with readers for both magnetic stripe cards and smart cards; non-volatile memory; ports for connecting a PIN-keyboard (keyboard for a client to dial a PIN-code); printer; connections with a personal computer or electronic cash register.

Usually, a POS terminal is also equipped with a modem with auto-dialing capability. The POS terminal has "smart" capabilities - it can be programmed. Assembly language, as well as dialects of C and BASIC languages ​​are used as programming languages. All this makes it possible to authorize cards with a magnetic stripe in real time (on-line) and to use an offline mode (off-line) with the accumulation of transaction protocols when working with smart cards. These transaction protocols are transmitted to the processing center during communication sessions. During these sessions, the POS terminal can also receive and store information transmitted by the processing center's computer. Basically, these are stop lists.

A diagram of the POS system is shown in Fig. 4. To pay for the purchase, the buyer presents his debit or credit card and enters the PIN value to confirm his identity. The seller, in turn, enters the amount of money to be paid for the purchase or service. Then a money transfer request is sent to the acquiring bank (the seller's bank). The acquiring bank forwards this request to the issuing bank to verify the authenticity of the card presented by the buyer. If this card is genuine and the buyer has the right to use it to pay for products and services, the issuing bank transfers the money to the acquiring bank to the merchant's account. After the money is transferred to the merchant's account, the acquiring bank sends a notification to the POS terminal informing about the completion of the transaction. After that, the seller issues the goods and a notice to the buyer.

You should pay attention to the difficult path that the purchase information must go through before the transaction is carried out. During the passage of this path, distortion and loss of messages are possible. To protect the POS system, the following requirements must be met:

* Verification of the PIN entered by the customer must be done by the system of the issuing bank. When sent over communication channels, the PIN value must be encrypted.

* Messages containing a request for a money transfer (or confirmation of a transfer) must be authenticated to protect against substitution and alteration while passing through the communication lines and processing processors.

The most vulnerable point of a POS system is its POS terminals. Unlike ATMs, in this case, it is initially assumed that the POS terminal is not protected from external influences. Threats to the POS terminal are associated with the possibility of disclosing the secret key, which is located in the POS terminal and serves to encrypt information transmitted by this terminal to the acquiring bank. The threat of disclosing the terminal key is quite real, since these terminals are installed in such unguarded places as shops, gas stations, etc. Potential threats due to the disclosure of the key have received such names.

* "Back tracing". The essence of this threat is that if an attacker obtains the encryption key, then he can try to recover the PIN values ​​used in previous transactions.

* "Direct tracing". The essence of this threat is that if an attacker obtains the encryption key, he will try to recover the PIN values ​​that will be used in subsequent transactions.

Three methods are proposed to protect against backtracking and forward tracing threats:

Derived key method;

Transaction Key Method;

Public key method.

The essence of the first two methods is that they provide a modification of the encryption key of the transmitted data for each transaction. The derived key method ensures that the key is changed with each transaction, regardless of its content. To generate an encryption key, a one-way function is used from the current key value and some random value. The process of obtaining (outputting) a key for encrypting the next transaction is a well-known "wandering" through the tree. The top of the fig tree. 5 is some initial value of the key I. To get the key with the number S, the number S is represented in binary form. Then, when calculating the value of the key, the structure of the binary representation of the number S is taken into account, starting with the most significant bit. If the L-th binary digit of the number S is equal to 1, then the unidirectional function FL (K) is applied to the current value of the key K, where L is the number of the binary digit in question. Otherwise, proceed to the consideration of the next digit of the number S, without applying the unidirectional function. The latter is implemented on the basis of the DES algorithm. To obtain sufficient performance, the number of ones in the binary representation of the number S is usually limited - there should be no more than 10. This method provides protection only against the threat of "backtracking".

The transaction key method allows you to encrypt information transmitted between POS terminals and the acquiring bank on a unique key that can vary from transaction to transaction. The following components are used to generate a new transaction key:

* one-way function from the value of the previous key;

* information received from the card.

This assumes that the previous transaction completed successfully. The transaction key method provides protection against both "backtrace" and "forward tracing". Disclosure of one key prevents an attacker from opening all previous and all subsequent transactions. The disadvantage of this scheme is the complexity of its implementation. The public key method allows you to reliably protect yourself from any kind of tracing and provide reliable encryption of the transmitted information. In this case, the POS terminal is supplied with a secret key to decrypt messages from the acquiring bank. This key is generated when the terminal is initialized. After generating the private key, the terminal sends the associated public key to the acquiring bank's computer. The exchange between the participants in the interaction is performed using the public key of each of them. Authentication of participants is carried out by a special key registration center using their own pair of public and private keys. The disadvantage of this method is its relatively low performance.

7. Ensuring the security of electronic paymentsvia the Internet

Electronic commerce is gaining in importance. The number of card purchases will grow as online ordering systems are built on the Internet. Today, the Internet can be seen as a huge market that can cover almost the entire population of the planet Earth.

The term "electronic commerce" refers to the provision of goods and paid services through global information networks. types of e-commerce:

* sale of information, for example, subscription to databases operating on-line.

* an electronic store, which is a Web-site.

* electronic banks.

Basic methods of information protection

The traditional and proven method of e-commerce, which dates back to conventional directory trading, is to pay for goods and services by credit card over the phone. In this case, the customer orders on the Web server a list of the items they would like to buy, and then calls their credit card number to the merchant of the commercial firm. Then the usual authorization of the card takes place, and the money is debited from the buyer's account only at the time of sending the goods by mail or by courier.

In order for the buyer - the owner of the credit card - to safely pay for the purchase through the network, it is necessary to have a more reliable, well-developed mechanism for protecting the transmission of electronic payments. This fundamentally new approach consists in immediate authorization and encryption of financial Information on the Internet using SSL and SET schemes.

SSL (Secure Socket Layer) protocol assumes data encryption at the data link layer.

Secure Electronic Transactions (SET), developed by Visa and MasterCard, encrypts financial information only.

Features of the SET protocol functioning

In order to ensure complete security and confidentiality of transactions, the SET protocol must ensure that the following conditions are met.

1. Absolute confidentiality of information. Cardholders must be sure that their payment information is reliably protected and available only to the specified addressee. This is a sine qua non for the development of e-commerce.

2. Complete safety of data. Participants in electronic commerce must ensure that the content of the message remains unchanged as it travels from sender to addressee. "Messages sent by cardholders to merchants contain order information, personal data and payment instructions. If at least one of the components changes during the transfer, the transaction will not be processed properly. Therefore, in order to avoid errors, the SET protocol must provide a means of guaranteeing safety and invariability of sent messages One of such means is the use of digital signatures.

3. Authentication (authentication) of the cardholder's account. The use of digital signatures and certificates of the cardholder guarantees the authentication of the cardholder's account and confirmation that the cardholder is the legal user of the given account number.

4. The cardholder must be sure that the merchant really has the right to conduct financial transactions with a financial institution. The use of digital signatures and merchant certificates assures the cardholder that it is safe to conduct electronic commerce.

Settlement system participants and cryptographic means of protecting transactions. The SET protocol changes the way the settlement system participants interact. In this case, the electronic transaction begins with the cardholder and not with the merchant or acquirer.

A merchant offers goods for sale or provides services for a fee. The SET protocol allows a merchant to offer electronic interactions that cardholders can safely use.

An acquirer (recipient) is a financial institution that opens an account for a merchant and processes authorizations and credit card payments. The acquirer processes payment messages transferred to the merchant through the payment gateway. At the same time, the SET protocol ensures that the information on the credit card account will remain confidential during the interactions between the cardholder and the merchant.

Credit card systems have established themselves in large part as a means of payment for purchasing goods directly from a merchant. The main difference between the use of credit cards on the Internet is that in accordance with the SET standard, encryption and digital signature procedures are used to protect e-commerce transactions.

The Internet is designed for the simultaneous operation of millions of users, so it is impossible to use only symmetric cryptosystems with secret keys in commercial Internet applications. In this regard, asymmetric public-key cryptosystems are also used. Encryption using public keys assumes that the merchant and the buyer each have two keys - one public, which can be known to third parties, and the other private (secret), known only to the recipient of the information.

SET rules provide for the initial encryption of the message using a randomly generated symmetric key, which, in turn, is encrypted with the public key of the recipient of the message. The result is a so-called electronic envelope. The recipient of the message decrypts the electronic envelope using his private (secret) key to obtain the sender's symmetric key. Next, the sender's symmetric key is used to decrypt the sent message.

Similar documents

    Principles of functioning of electronic payment systems. Basic concepts, algorithms and methods of information protection in electronic payment systems. Personal identification number. Implementation of the method for generating a PIN code from the client's account number.

    term paper, added 07/13/2012

    Security principles for electronic and personal payments of individuals in banks. Implementation of information transmission and protection technologies; a systematic approach to the development of a software and hardware environment: coding information and access; encryption, cryptography.

    abstract added on 05/18/2013

    The value and problems of protecting banking information. Methods for ensuring the security of automated systems for processing bank information. Advantages and methods of cryptographic protection of electronic payments. Personal identification means in banking.

    abstract, added 06/08/2013

    Ways of unauthorized access, classification of methods and means of protecting information. Analysis of methods for protecting information in a LAN. Identification and authentication, logging and auditing, access control. Security concepts of computer systems.

    thesis, added 04/19/2011

    The concept and essence of traditional and e-commerce, legal issues. Conditions for making payments via the Internet and the stages of their implementation. Security infrastructure and technological methods to reduce the risks of transactions in e-commerce systems.

    term paper, added 11/10/2011

    Information security problems in information and telecommunication networks. Study of information threats and ways of their impact on information protection objects. Enterprise information security concept. Cryptographic methods of information protection.

    thesis, added 03/08/2013

    Consideration of the basic concepts of information security in networks. Study of the types of existing threats, some of the security features of computer networks in the implementation of software abuse. Analysis of means and methods of software protection of information.

    thesis, added 06/19/2015

    Aspects of the application of modern information technologies in education. A systematic approach to the creation of electronic manuals. Tools and technology for designing an electronic textbook. Methods for protecting information and computer systems.

    thesis, added 04/15/2012

    Formation of a system of electronic libraries and relevant information infrastructures in modern Russia. Problems of creating electronic catalogs. Organization of the data array and development of the program code of the search engine in JavaScript.

    term paper added 09/03/2012

    The history of the emergence of electronic books, their types, characteristics. The use of e-books in libraries, their advantages and disadvantages. Formation of electronic libraries and collections. Criteria for the provision of e-books to users, storage of the fund.

Popular
Categories

2021
maccase.ru - Android. Brands. Iron. news