Promising Journey for Security of Smart POS
2017-10-27
October 24, 2017 was a dark day for the whole smart POS industry. At the GeekPwn 2017 international security contest in Shanghai, two hackers broke into a LANDI A8 smart POS in just 21 minutes, copied the bank card information and then successfully spent the money. For the smart POS industry this incident was like the explosion of the space shuttle “Challenger”: it dented the general public’s confidence in smart POS.
The demonstration shows that magnetic stripe cards were used in the transactions. Because magnetic stripe data has a fixed format, technical professionals familiar with the card production process can readily reproduce the stripe from the card number, expiry date and so on. Moreover, on June 13, 2016, the PBOC, China’s central bank, issued the Notice of the People’s Bank of China on Further Strengthening Bank Card Risk Management, stipulating that all magnetic stripe transactions on chip/magnetic composite cards were to be fully stopped from May 1, 2017.
However, even though magnetic stripe cards were used, the responsibility cannot be shrugged off. In this incident the LANDI A8 smart POS had vulnerabilities and was compromised because of them.
An incident befell the smart POS!
In this case, should smart POS not be used? Is it unsafe? Not necessarily.
The dream of smart POS
Foreign media recently reported that China’s mobile payment market has grown rapidly, reaching $9 trillion last year, nearly 90 times the size of the mobile payment market in the United States ($112 billion). China has deservedly become the global No. 1 in mobile payment.
However, QR-code-based mobile payment did not proceed smoothly in its early stage, because merchants’ traditional POS terminals could only support card swiping, not QR code scanning. The lack of POS support also meant that merchants had trouble reconciling their accounts, so many were reluctant to accept QR code payment. Smart POS emerged at this moment: it supports both card swiping and QR code scanning, as well as Internet applications, which makes it easier for merchants to handle take-out orders. Smart POS led merchants to adopt mobile payment and made QR code payment the national mode of payment in China within a short period of two or three years.
Compared with traditional POS, smart POS supports a variety of payment modes, including QR code scanning, magnetic stripe, chip and contactless, and some smart POS devices even support biometric recognition. In addition, with the development of the mobile Internet, smart POS has taken on another mission, namely commercial Internet applications such as take-out order processing, online queuing, merchant back-office management, SaaS systems, inventory management, staff management and so on, all of which are far beyond the capabilities of traditional POS. Smart POS, the merchant’s cutting-edge tool for the mobile Internet, opens the door to the big data era.
Regarding the development of smart POS, figures released by UnionPay in August 2017 showed that the share of certified smart terminals (i.e. smart POS) has grown significantly in recent years, with more than 1 million smart terminals shipped in 2016, nearly 10 times the 2015 figure. The number was expected to top 2 million in 2017. Smart terminals will gradually replace traditional ones and become the trend.
Furthermore, according to the Notice on Speeding up Key Food & Beverage Merchants to Accept Cloud Quick Pass within the Jurisdiction recently issued by UnionPay, smart POS will be deployed at UnionPay’s key F&B merchants, with subsidies of up to RMB 400 per set granted to each acquirer. This is of great benefit to the whole smart POS industry. It has become obvious that smart POS will replace traditional POS as the must-have payment terminal for businesses.
On the development of smart POS, Li Yan, founder and CEO of Beijing Wiseasy Technology Co., Ltd., said that smart POS has been applied in many scenarios and fields such as payment, e-commerce, banking services, logistics and warehousing, as evidenced by market performance, application expansion and overseas market demand. It has become an irreversible trend. At present the whole smart POS industry is booming. In the future, smart POS will be integrated into various scenarios and take various forms, but what will remain unchanged is its financial-grade security mechanism and financial-grade handling of sensitive data.
It is no exaggeration to say that there would be no present or future of mobile payment without smart POS. So, is smart POS really unsafe?
Journey of security for smart POS
“Smart POS, like a space shuttle in the payment industry, is likely to suffer a serious accident due to any security problem, either hardware or software. Meanwhile, it calls for real-time maintenance and mending of security bugs,” said Li Yan. Compared with traditional POS, smart POS is subject to much stricter security checks because it introduces an open Android system. Domestic UnionPay certification involves more than 8,000 tests. In terms of security, the production and maintenance of smart POS depends on the following five efforts.
1. Hardware security. The hardware of a smart POS must meet certification requirements so that it resists physical attacks.
2. OS security. With the adoption of Android, Internet apps can run on a smart POS. To meet security requirements, however, the OS must be functionally reduced and deeply customized: phone calls, SMS, the web browser, multimedia apps and other non-payment applications and system services are removed. External browsers in particular, through which arbitrary applications could be downloaded from the external network, amount to the largest back door and pose a serious risk to system protection and data security.
3. App security. Apps must undergo security testing and vetting, and app signing and authorization must be properly managed, since a smart POS is not a general-purpose device; otherwise it is liable to be abused by attackers.
4. Separation of privileges. Access to the terminal must be controlled according to the scenario; not every application, payment or non-payment, may access it at will.
5. Real-time maintenance. Terminal manufacturers, acquirers, clearing houses and others must work together in real time to fix the security holes that may appear from time to time in a smart POS, even one that was certified when it left the factory.
As for this incident, Li Yan, as a practitioner, believes it is an opportunity for the whole industry to calm down and think about the security of smart POS and its opportunities for future development. In terms of regulation, because smart POS crosses industry boundaries, being used by both payment and non-payment sectors, the competent regulators need to carry out more specific supervision. In terms of industry cooperation, the security mechanism should be improved through industry-wide cooperation to establish a security database and share vulnerability information. In addition, a reasonable and timely accountability mechanism should be put in place for those responsible for major security incidents.
There is no absolute security in the world; any security plan is a tradeoff between attack cost and benefit. Moreover, the operating system hacked in this incident was that of a smart POS. Any open system carries some security risk, and this is a major warning to the industry.
The journey of smart POS is promising. Without the failure of “Challenger”, there would have been no discovery of the “heart” of Pluto or of gravitational waves. For smart POS, the day it was hacked was perhaps its darkest day, but it also offers a beacon for a bright future. The prevailing trend of the mobile Internet creates limitless potential for the development of smart POS. At this moment of crisis, the question is not merely one of gain or loss for the enterprise involved in the incident. Rather, it poses a challenge to the whole industry, and it is the responsibility of the whole industry to reflect on and meet that challenge.