Online payment security and Keypasco cloud identity authentication


Objectively speaking, the Keypasco online payment authentication solution raises a question that deserves careful thought: do we need to keep upgrading and investing in hardware for the sake of security, or can online identity authentication be achieved at low cost through the new approach of cloud services?

Online payment security has received a lot of attention. In brief, the following three trends suggest that it may become an increasingly serious headache over the next few years.

First, the number of online payment users keeps growing. CNNIC's 30th China Internet Development Statistics report shows that by the end of June 2012 the number of Chinese Internet users had reached 538 million and mobile phone users 388 million, of whom online shopping users numbered 210 million, a usage rate of 39%. About four in every ten Internet users have used online shopping and electronic payment, and computers, smartphones, pads and other network terminals have become popular and important tools for daily life and for shopping and payment. With so many users, there is no guarantee that everyone will use a secure payment tool, have strong enough security awareness, and pay in a secure environment.

Second, the migration to chip cards is accelerating. Apart from the United States, chip migration has become the basic consensus and course of action of the global payment card industry. In China, in March 2011, the People's Bank issued Document No. 64, which set out a timetable for financial IC card migration: open the way in 2011, expand application in 2012, reach scale in 2013 and achieve full implementation in 2015. This officially launched the chip migration. In the future, once chip cards make card-present transactions basically secure, the fraud and risk traditionally associated with magnetic stripe cards will shift directly to the network as online payment develops. The migration to financial IC cards therefore also means a migration of risk.

Third, online payment fraud techniques are hard to guard against and are constantly being renewed. The virtual, indirect, universal and rapid nature of cyberspace makes fraud difficult to detect on the one hand; on the other hand, even when it is detected, the cost of investigation is very high and timeliness is poor. Moreover, many fraudsters, once they succeed, simply switch to a new identity and reappear, like cockroaches that cannot be killed off.

According to statistics, over the past year 31.8% of Internet users with online shopping experience directly encountered fraudulent websites, and the number of Internet users exposed to online shopping fraud reached 61.69 million. By a conservative estimate, fraudulent websites cause Internet users losses of no less than 30.8 billion yuan a year. Compared with China's 2011 online shopping market turnover of 756.6 billion yuan, that is an online payment fraud loss rate of 4.07%. In the traditional offline magnetic stripe payment card industry, an overall risk at that level is the threshold for a high-risk merchant (4%).

All sorts of tricks, but the essence stays the same

We also hear daily of payment cases that have had a large impact on online payment businesses and individual users. Online payment takes many forms and involves many links, including the client, the e-commerce site, the electronic payment platform and the bank. At present, security problems are concentrated mostly at the customer level or the transaction interface, resulting in users' payment information being leaked and used for fraud. Common fraudulent practices currently include:

1. Building phishing websites or fake e-commerce websites and luring customers to them through prize-winning e-mails, redirects, sexual lures and other means, in order to steal customer information and then use the user name and password at the real bank to make transfers or payments.

2. Using Trojans and viruses to steal file certificates or online banking accounts and passwords, in order to make fraudulent transfers, clone cards or otherwise misappropriate customer funds.

3. Cracking users' "weak passwords" to steal funds. Some users set a weak password for convenience; fraudsters exploit this loophole by sweeping accounts at random, and accounts with simple passwords are stolen.

4. Targeting acquaintances ("killing the familiar"). After learning someone's card number, birthday, mobile phone number and other information, an impostor attempts to log in.

In addition, there are other types of fraud whose purpose is not to obtain card numbers, passwords and other payment information. According to CNNIC's "China Network Payment Security Status Report 2012", the proportion of online payment users who have suffered payment security incidents is 3.2%, which is not very different from the 4% online fraud loss rate above. Among these incidents, phishing scams rank first. 3.2% of online payment users said they had encountered a payment security incident in the last six months. The most common problem users encounter is being defrauded by a fake website after paying hastily, which accounts for 64.4%; the second is theft of the payment account or password, which accounts for 19.2%. 40% of the users who experienced a payment security incident suffered actual financial losses.

To guard against online payment risk, in June 2011 Alipay teamed up with hundreds of companies to set up a security payment alliance to protect the rights of users. Alliance members span the industry chain horizontally and include banks, security companies, browsers, third-party payment providers and e-commerce companies. The purpose of the alliance is to achieve closer cooperation by sharing technology, data and intelligence among members, to protect payment security at every link of the industry chain, to reassure the public and to help push forward the development of China's e-commerce industry. However, while a loose alliance of this kind can achieve a certain degree of risk control through two-by-two or one-to-many cooperation, from the industry's point of view it offers no substantial risk prevention measures or technological innovation.

Identity authentication remains the key

To be truly secure, whether online or offline, two core issues must be addressed.

First, identification of the party to the transaction. Here there is a fundamental difference from offline transactions. Offline transactions are based on the card: whether the transaction is completed by password or by signature, the cardholder presents the card, and the password or signature stands for the cardholder in person, so defining security responsibility is not a problem. Of course, because the information on a magnetic stripe card can be copied, identity authentication faces a greater threat, which is why chip cards will strengthen identity authentication in offline transactions. In contrast, online transactions involve no card, no magnetic stripe and no chip, so identity authentication is even more important. The most traditional authentication methods, including bank counter contract plus password payment and single password verification payment, have become more vulnerable means of verification.

Second, confirmation of the parties to the transaction, from the merchant to the terminal: ensuring the integrity, confidentiality and non-repudiation of transaction information, so that the information is not tampered with, is not leaked, and comes from a legitimate source. In this regard, the payment card industry has developed sound encryption standards and practices: layered key systems, SSL encryption, 3DES encryption, PCI certification and the UnionPay account information security standard. Online payment achieves this confirmation mainly through digital certificates, issued either by banks and payment institutions or by an authoritative third-party certification authority. Encryption technology based on digital certificates can encrypt and decrypt information transmitted over the network, create and verify digital signatures, and ensure the confidentiality and integrity of information transmitted on the Internet. In practice, there has not been a large-scale disclosure of cardholder transaction information caused by the payment mechanism.

At present, the basic approach to improving online payment security and strengthening identity authentication is to establish the identity of the party to the transaction and to protect the transaction information. The two multi-factor authentication methods most commonly used in China are dynamic passwords and digital certificates. Dynamic passwords can be provided via tokens (mostly banks) or mobile phones (such as Alipay's "phone me order" and the UnionPay online mobile phone short message dynamic code). At present they are still relatively safe, the main risk being a lost mobile phone. A digital certificate gives the user a unique certificate as a credential, and is basically implemented as a mobile digital certificate (USB Key, U shield, etc.). The inconvenience of this method is that the device must be carried, the certificate must be installed on the terminal in use, and there is a certain cost. The U shield itself is not invulnerable either, and needs to be upgraded constantly. With a large number of users, replacing U shields could become a costly bottomless pit.

Keypasco, a cloud-based multi-factor mechanism

Internet services today and in the future need to solve user identity authentication, that is, the key question of who you are. Without a good online security solution, the user security problems of the cloud computing era remain unsolved, and cloud computing, known as the third transformation of the Internet, cannot really take off. Without a good online security solution, users remain worried about using the Internet, while the demands of network real-name systems and of personal privacy protection both continue to grow.

The Keypasco security authentication solution was created by Lin Mao-cong, founder of Todos, a well-known online banking security authentication company. In his words, he is carrying out a revolution against his own past: where he once used hardware tokens for identity authentication, he now uses a pure cloud architecture, with service as the theme, to achieve the same goal. He believes that only now, with the concept of cloud services having taken shape in recent years and mobile devices having matured, could this kind of business model appear. It gets rid of some of the past problems of Todos, such as high cost, difficulty of popularization and the need to replace equipment quickly once it is cracked. More importantly, the concept of hardware identity authentication will be difficult to use in a cloud environment.

Briefly, the problems Keypasco wants to solve are simple. The first is to ensure that a user's payment card can be used only in the place where the user is, so that there is no possibility of a stolen credit card being used. The second is to ensure that only the user can log in to their own account, and only on their own terminals. This means that of the world's 7 billion people, including the user himself, no one can log in to the user's account from any of the world's more than 10 billion devices, except from the user's own terminal equipment.

Accordingly, the authentication method Keypasco provides is this: on top of the two factors of user name and password, it adds the bound personal terminal device ID, the geographical location and even the online time, coupled with a risk assessment mechanism based on consumer behaviour analysis (which may analyze attempts by other users to access the user's account through other terminals). Multiple authentication factors are combined to enhance security.

To protect customer privacy, Keypasco uses cloud resources to store user registration information in encrypted, decentralized storage. Users can log in as themselves only from one or more bound terminals, within the geographical area they have set in advance. All access and attempt logs remain in the system, where users can conveniently query them. Because this authentication approach is implemented in software and cloud services, its cost is very low, and it can raise the security level of the entire industry without a large increase in cost.

User operation is also convenient. On first use, the user simply registers by logging in from a terminal. The user is given a unique Keypasco ID and the login device is given a unique device ID; the two IDs and the device itself are associated in future logins. After entering the system, the user can bind other devices, set usage areas, and so on. The payment institution or network service provider offering the service can set its own risk rules to determine the risk thresholds and usage requirements for particular cases. It should be said that Keypasco authenticates a single sign-on in the cloud and ensures the legitimacy of the user's identity without changing the user's existing habits very much.
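One way to express the decision logic described above (a bound device ID as a hard requirement, with location, login time and recent attempts from other devices feeding a provider-configured risk score), as an added example that is not Keypasco's code or API. The names `Binding`, `RiskRules` and `assess`, the weights and thresholds, and the sample binding are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from math import asin, cos, radians, sin, sqrt

@dataclass
class Binding:                      # hypothetical record of what the user bound
    device_ids: set                 # device IDs issued at registration
    area: tuple                     # user-chosen area: (lat, lon, radius_km)
    hours: tuple                    # (earliest, latest) allowed login time

@dataclass
class RiskRules:                    # provider-set weights and thresholds (constructed)
    outside_area: int = 40
    outside_hours: int = 20
    per_foreign_attempt: int = 15   # recent tries from unbound devices
    step_up_at: int = 30
    deny_at: int = 60

AUDIT_LOG = []                      # every attempt is kept for the user to review
SAMPLE = Binding({"dev-phone-1"}, (25.03, 121.56, 50.0), (time(7), time(23)))  # constructed

def km_between(a, b):               # haversine distance between (lat, lon) pairs
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def assess(b, rules, password_ok, device_id, location, at, foreign_attempts=0):
    """Return (decision, score, reasons) for one login attempt and log it."""
    score, reasons = 0, []
    if not password_ok:
        decision, reasons = "deny", ["bad credentials"]
    elif device_id not in b.device_ids:      # hard rule: only bound terminals
        decision, reasons = "deny", ["unbound device"]
    else:
        if km_between(b.area[:2], location) > b.area[2]:
            score += rules.outside_area
            reasons.append("outside bound area")
        start, end = b.hours                 # window may wrap past midnight
        inside = start <= at <= end if start <= end else (at >= start or at <= end)
        if not inside:
            score += rules.outside_hours
            reasons.append("outside usual hours")
        if foreign_attempts:
            score += rules.per_foreign_attempt * min(foreign_attempts, 3)
            reasons.append("recent attempts from other devices")
        decision = ("deny" if score >= rules.deny_at
                    else "step_up" if score >= rules.step_up_at else "allow")
    AUDIT_LOG.append((device_id, location, at, decision, score))
    return decision, score, reasons
```

A correct password from an unbound device is refused outright, while a bound device outside its area or hours is scored against the provider's thresholds, so the same request can be allowed, challenged or denied depending on the rules each service sets.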

Besides electronic payment, e-commerce companies, online games, online banking, e-government and other operators can use this identity authentication method to establish and manage their customers' identities. A game company in Taiwan is using this solution, with good results. Objectively speaking, this solution raises a question that deserves careful thought: do we need to keep upgrading and investing in hardware in order to be safe, or can online identity authentication be achieved at low cost through the new approach of cloud services?
