On November 15, the 2nd China Mobile Financial Security Conference held by Mobile Payment Network and Beijing Mobile Financial Industry Alliance was successfully held in Shenzhen. Weng Junfeng, head of the Security Technology Department of the Shenzhen Branch of the Bank Card Testing Center, delivered the keynote speech on "Common Security Issues and Design Requirements for Smart POS Terminals". For the common security problems of intelligent pos terminals, Weng Junfeng believes that to fundamentally prevent risks, it is necessary to work hard from standards and testing, and terminal equipment must meet different design requirements.
Status and safety assessment basis of intelligent terminals
With the development of the mobile Internet, mobile payment brings not only the mobilization of the consumer side, but also the shackles of the traditional terminal. Weng Junfeng believes that the future bank card acquiring service will develop in the direction of mobility, scene and intelligence. But how to make the terminal safe and open?
As an open source operating system, Android means that the risks it faces are ubiquitous, vulnerable to Trojans, viruses, malware, and exploits. In the past two years, the emergence of vulnerabilities in Android has exploded. The data shows that there were 125 vulnerabilities announced in cve in 2015, and reached 523 in 2016. By the end of this year, there have been 690.
Google is also aware of more and more security issues, so more or less security mechanisms have been added to each version. As the leading professional testing institution in China, the Bank Card Testing Center has corresponding requirements and specifications for the testing and certification of intelligent POS terminals.
mainly includes:
"Bank Card Acceptance Terminal Security Specification Part 1: Point of Sale (POS) Terminal"
"Civil Union Card Acceptance Terminal Security Specification - Volume 2: Product Volume - Part 6: Intelligent Point of Sale Terminal"
"China UnionPay Intelligent Point of Sale Terminal Technical Specification Safety Volume Part 1 Operating System Security Specification"
Common problems and design requirements of intelligent terminals
Common problems of intelligent POS terminals include physical hardware, logic design, and operating system. For the problem and design requirements, Weng Junfeng gave a detailed introduction.
The physical hardware includes touch screen + LCD. The specific requirements are as follows: 1. Since the intelligent terminal adopts the full touch screen solution and the protected lines are different, the hardware protection scheme of the traditional terminal cannot be simply adopted; 2. The architecture of the AP+SP dual chip is used. Both the security chip and the application processor need to be protected. The anti-attack score should be more than 26 points. 3. The display data line and the touch screen data line must have sufficient protection to prevent decoding of the PIN information. 4. The software virtual keyboard needs protection. The random number or implementation used in the random layout method cannot be vulnerable.
The logical design aspect includes the difference between transaction control and PIN input. Specifically, some intelligent terminals have both a software password keyboard and a physical password keyboard. There must be a default PIN input method. Switching from one mode to another requires display. Operation, after the transaction is completed, return to the default PIN input mode. Output no difference prompt characters such as * Intelligent terminal In order to increase the user experience, common instant highlights, bubbles and other friendly ways to feedback the user.
Operating system security specifications include system security, application security, communication security, key security, transaction security and many other aspects. The specific content involves the root trust chain, system partition self-test, security vulnerability check and update, mitigation buffer overflow, SElinux, unknown source, signature scheme, default public key private key, inter-process communication, communication security, transaction security, shift Machine and cutting machine and other aspects.
Finally, Weng Junfeng put forward suggestions for the use of mobile terminals and industry security: 1. Any security plan should not be modified, even if it is modified, it should undergo a systematic security assessment. 2. The application software download and installation is managed by the dedicated application management client, rejecting other application sources, and the legality verification scheme cannot be arbitrarily modified. 3, without leaving back door maintenance instructions and interfaces, creating opportunities for attackers.
Our Bakeware use high quality foreign specified cast iron materials, the raw materials are safe and health. Combination of traditional and modern technology, makes the products have many features like: heat transfer quickly, persistent heat resistance, sturdy and durable and so on. Cast iron products are very energy conservation and environmental protection. It can be quickly gathered all heat in a small amount of heat condition. At the same time it has excellent heat preservation ability.
From cornbread, to biscuits, bread loafs, scones and more, EF Homedeco`s cast iron bakeware produces crispy crusts in many fun shapes.
Cast Iron Bakeware,Cast Iron Bakeware Sets,Wax Finish Bakeware,Pre-Seasoned Bakeware
Shijiazhuang Ever Fresh Trading Co., Ltd. , https://www.efcookwares.com