Payment licence issuance: the call for a unified standard in financial information security


With payment licences now issued, every party has its own theory of security technology, so a unified security standard for financial information remains to be seen.

Our correspondent

Sun Jiankun

CSDN's password leak is causing waves in the industry, and every site that holds passwords and large amounts of data is being questioned. Although the clean remain clean and the turbid remain turbid, the leak has made the public doubt the security of the Internet industry, and many sites have suffered unjust suspicion. But the ones that really need to focus on security are the banks, which are ever more deeply involved in the Internet sector and should pay the security issue more attention.

A third batch of payment licences has been issued, and the operators have joined the field alongside the original third-party payment providers. With all walks of life now involved, security in the information field still needs a unified standard, to avoid the current uncoordinated state that gives lawbreakers their opportunity.

The spy image of Internet security

A Mr. Tang from Jiading, Shanghai, wrote in an Internet post that at the end of 2011 he found his ICBC Peony smart card was 8300 yuan short. When he inquired at the local ICBC branch, he learned that the money had gone in two transactions paid to Jingdong Mall through the Guangzhou Silver Network. Because Tang's card had not been stolen and he had never enabled online payment, he asked ICBC to return the money. The police, when consulted, also considered it to be the bank's problem. His complaint to ICBC received no reply.

Although e-commerce has spread rapidly into public life, the security problem in electronic payment has not been fully solved; it is the most difficult problem in the informatization of the banking industry. The major banks have struggled with it for a long time and can build on years of security work, but for consumers security is the key to their choice. In fact, before it connected fully to the Internet, the banking industry, as a foundation of the nation's livelihood, was fully prepared in information security. After connecting to external networks, however, the banks' internal networks, once small castles, have had to face the impact of the outside world. How to meet the security challenge of the Internet age is an unavoidable problem for the banking industry.

As the financial industry goes ever further into Internet business, security problems have deterred many enterprises and individuals from taking part. However, as data-processing-intensive information technology develops, a more reliable guarantee must be provided for the banking industry's information security, and problems are best solved when security has become the object of public concern.

Mr. Zhangxing, general manager of the Application Development Department of the China Financial Certification Center (CFCA), told reporters that the financial industry faces four main information security problems. The first is account theft, the most common security problem: once an account is stolen by lawbreakers, the resulting unexplained transactions and loss of funds have a significant impact on users' interests and on the bank's reputation. The second is the destruction of data integrity: transaction information must be protected from tampering, for example paying three times the money for one item, which is often unbearable. The third is the breach of the confidentiality of financial data: sensitive data must be prevented from leaking, otherwise it will be to the user. The fourth is repudiation of transactions, for example a transaction authorized through online banking being maliciously denied. These four types of problem are the ones the financial industry must resolve in information security. In actual transactions, however, fraud has become the security problem users encounter most often.

Take the case of a Trojan horse on the user's machine. For the sake of convenience, banks step back from a certain degree of security for small payments, such as transactions of a few hundred yuan, and no longer require strict identity authentication, which gives account thieves their opportunity. The rule that petty fraud is not opened as a case gives lawbreakers a further chance to get rich. Such a sum is a drop in the bucket for any rich and powerful bank, but for most ordinary users it is a noteworthy loss, and this serious asymmetry of capital is the root of the great conflict between banks and users. After all, if a user mistakenly withdraws a few hundred yuan too much from an ATM, the bank will still treat it as theft. This serious imbalance is the root cause of the banks' loss of reputation.

Large companies and governments, especially those with large financial flows, have become favourite targets of hackers. Foreign media recently reported that Japanese government departments had been attacked. Even if the attacks caused no serious problems for day-to-day office work, such attacks on financial institutions would be unthinkable.

Who's going to protect network security?

Faced with the problems that Internet intrusion causes in electronic payment, payment providers and regulators have met each threat as it comes, adopting measures in policy, technology, banking and other areas. Each has shown its own skills and come up with its own scheme, and the schemes are of uneven quality.

First, at the policy level, there are mainly the administrative orders on security issued by the People's Bank and other financial regulatory agencies, the most important of which give legal protection to confidentiality. For example, every bank has an obligation to protect its users' information, which is also every bank's right. An administrative order is binding and can strictly delimit rights and obligations, but its very strictness brings some inconvenience in practice. Because the People's Bank gives data confidentiality legal protection, criminal investigations by the public security departments and by the banks themselves often stall at layer after layer of protection and can only be completed with the assistance of the administrative organ at the top level. In this connection, Mr. Zhangxing introduced an alliance-like organization between banks, which enables cross-border data transfer through legal agreements, opening the door to collaborative investigation of financial crime.

Second, technology. This is where the security sector, the banks and every part of the industry can do the most and be the most proactive. According to Mr Zhangxing, the payment business is dominated by the acceptance companies, and the banks put more of their effort into technical security support.

The banking sector has always given the most weight to security protection. Finance bears on the livelihood of the nation, and if security is not guaranteed the impact on the country and society is very large. After entering Internet business, the banks have each adopted the approach they are good at.

Bank of China (601988) uses dynamic passwords: a special algorithm combines random numbers so that each generated password can be used only once. Both parties can then be more certain of each other's existence, which avoids the user's tragedy described at the beginning of the article, where the bank could not determine whether the user was genuine.

ICBC (601398), China Merchants Bank (600036) and most other banks mainly use USB devices to protect their users' legitimate transactions; the two USB producers are professional manufacturers Czech Republic. This use of technical means to solve technical risks can play an important role in guaranteeing the security of the client's funds, but it does not remove the risk of hackers tampering with the client's name or information. For risk at the business level, especially the client's business risk, these tools are of no help.

The China Financial Certification Center, a security solutions provider, has developed a transaction monitoring and anti-fraud system that addresses business risks through technical means. The system monitors transactions and collects the characteristic information of each one in real time. It matches that information against the user's own custom transaction characteristics, the group transaction characteristics of ordinary users and the fraud characteristics of fraudulent transactions, then uses a risk evaluation model to determine the risk level of the current transaction. Depending on the risk level, the transaction is released, subjected to stronger SMS authentication or outbound voice-call authentication, or blocked, which effectively prevents fraudulent transactions. The system is an advanced intelligent decision-making system that combines data collection, machine self-learning, data mining, transaction risk assessment and intelligent control. It has been launched successfully at Beijing Bank (601169) and Shanghai Nong Shang Bank, where it has achieved good monitoring results, effectively reducing users' transaction risk and improving user satisfaction. Hangzhou Bank, Huizhou Merchants Bank, Hebei Bank and others have signed cooperation agreements with CFCA to implement the system. Abnormal transactions that are discovered are reported to the user, which raises customer confidence.

Third-party payment providers and security software manufacturers, both born in the data field, can find business opportunities in the financial industry's Internet business.

360, as the representative of free security software, holds a large part of the market in China, a country that does not attach much importance to intellectual property. Following a partnership with China's anti-phishing alliance, Qihoo 360 signed a strategic cooperation agreement with Yeepay to establish deep cooperation between third-party payment and security software. By connecting 360's "cloud security" malicious-website data with Yeepay payment, the two can watch websites in real time and give users a security warning at any moment, which greatly improves users' ability to avoid fraud traps and control risk.

Kaspersky has also signed a technical cooperation agreement with Corero Network Security, using anti-malware data stream scanning technology to build a constantly updated malware feature library that further helps it respond rapidly for its customers. Its new enterprise-class security protection products also offer enterprises in the payment area a solution to difficult security problems and protect business users from the latest threats. The new products tightly integrate feature-based anti-virus technology, active defense technology and cloud protection technology to provide near real-time composite defenses.

At the same time, the development of cloud computing has given great impetus to information security in the financial field. Apart from the central data server, it is hard to know where user data is stored, so identifying a target for theft itself becomes a problem. With cloud computing, data processing is concentrated in the hands of more professional people, and cloud service providers can make more professional and larger investments in the security of physical servers, managed servers and virtual servers. A professional cloud service provider's security technology will be more professional, more extensive and better able to cope with disasters, which offers a greater safety margin than an internal data center, especially for small and medium-sized enterprises with less money. Because it is a professional provider, the division of labor in its security system will also be finer, which strengthens its ability to deal with vulnerabilities and problems. Cloud service providers can also create more efficient systems for identity management and login procedures.

As for the banks themselves, their confidentiality measures are mostly on the server side. Server certificates, firewalls, network security and other network measures, including the enrolment of online banking customers, extend from basic security to service security. Server-side monitoring is deployed to identify each transaction and provide one-to-one service: anomalies in a customer's usual login locations or usual payee accounts are detected and reported, to keep customer accounts secure.
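The tiered handling described for the anti-fraud system above (release, SMS authentication, voice-call authentication, block) and the server-side checks on usual login locations and usual payee accounts can be sketched as follows. This is an added example, not CFCA's or any bank's code; every name, weight, threshold and sample record is a constructed assumption. It applies no exemption for small amounts, the gap the article attributes to relaxed small-payment checks.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    RELEASE = "release"
    SMS_AUTH = "sms_authentication"
    VOICE_CALLBACK = "voice_call_authentication"
    BLOCK = "block"

@dataclass(frozen=True)
class Profile:  # one user's own transaction characteristics (hypothetical fields)
    usual_cities: frozenset
    usual_payees: frozenset
    typical_max: float  # largest amount this user normally sends

@dataclass(frozen=True)
class Txn:
    user: str
    amount: float
    city: str
    payee: str

# Constructed values and sample data: weights and thresholds are assumptions.
GROUP_MAX = 5000.0                       # group characteristic: usual ceiling
FRAUD_PAYEES = frozenset({"acct-9001"})  # fraud characteristic: payee seen in fraud
THRESHOLDS = [(80, Action.BLOCK), (50, Action.VOICE_CALLBACK), (30, Action.SMS_AUTH)]

def risk_score(txn, profile):
    """Add the weight of every characteristic the transaction deviates from."""
    checks = [
        (60, txn.payee in FRAUD_PAYEES),
        (20, txn.payee not in profile.usual_payees),
        (20, txn.city not in profile.usual_cities),
        (15, txn.amount > profile.typical_max),
        (15, txn.amount > GROUP_MAX),
    ]
    return sum(weight for weight, hit in checks if hit)

def decide(txn, profiles):
    """Map the risk level to a treatment; the amount alone never waives checks."""
    profile = profiles.get(txn.user)
    if profile is None:  # no history to match against: require the strong step-up
        return Action.VOICE_CALLBACK
    score = risk_score(txn, profile)
    return next((a for floor, a in THRESHOLDS if score >= floor), Action.RELEASE)

PROFILES = {"u1": Profile(frozenset({"Shanghai"}), frozenset({"acct-1001"}), 2000.0)}
SAMPLE = [
    Txn("u1", 200.0, "Shanghai", "acct-1001"),    # habitual payment
    Txn("u1", 300.0, "Guangzhou", "acct-7777"),   # small, but new city and payee
    Txn("u1", 8300.0, "Guangzhou", "acct-7777"),  # large, new city and payee
    Txn("u1", 100.0, "Shanghai", "acct-9001"),    # payee on the fraud list
]
RESULTS = [decide(t, PROFILES) for t in SAMPLE]
```

The second sample transaction is the case to watch: a few hundred yuan to an unfamiliar payee from an unfamiliar city still triggers SMS authentication instead of passing on amount alone.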

Leader in the field of security

The payment enterprises' security measures are varied and each has its own characteristics, but it is this very diversity that makes security standards for electronic banking hard to unify.

For a unified security standard, the potential leader should be a third-party institution detached from the major banks.

First, consider the banks themselves. CMB began to expand its Internet business in the payment area in 2006, but because of the barriers created by competition between banks, a bank's own payment business is hard to expand, and its payment system can hardly establish a position across the whole financial industry. By the same token, security standards introduced by one bank will hardly be accepted by other banks unless they have very obvious advantages. Mr Zhangxing holds that supervision by the banks themselves is unfair, and that there should be third-party oversight bodies.

At present, many commercial banks pay more attention to performance and neglect security. Eager for quick success, they only want to enlarge their business volume and feel that the less spent on security the better, which brings security flaws into their systems. This means more professional security services are needed to focus on security issues, which can also make up for the business side's lack of expertise.

It can be seen that website password leaks often come from the same cause: the sites pursue performance and neglect security. Eager for quick success, they only want to do business, and as long as traffic grows fast they feel that the less spent on security the better, which brings security flaws into the site. This means more professional security services are needed to focus on security issues, which can also make up for the business side's lack of expertise.

The bank is a business unit. Given the importance of financial security it must pay attention to security solutions, but it is not, after all, a specialized data-processing organization. An overall solution covering the network from client to server needs a third party during implementation to provide online banking security assessments, to carry out security checks regularly or on commission, and to provide solutions from the host and system perspective. All of these are very necessary. In this regard the China Financial Certification Center, which has over ten years of experience, has done a lot of work in its transition from third-party certification agency to security solution provider. As the financial industry's certification body, it is naturally one of the units with the potential to lead.

Third-party payment providers have already carved out their own world on the network, and the newly arrived operators have a deep foundation in data business and their own theory of security technology. Security software vendors such as Qihoo 360, Jinshan and Kaspersky naturally will not give up their identity as security experts, and hope to establish a leading position in payment security. So in financial information security the unified security standard has still not emerged, and it remains a matter of wait and see.

Security software manufacturers, as professional manufacturers in the security field, are also potential regulators of security standards. Like the third-party payment platforms, they may find a point of check and balance in the game among the senior banks and build a security platform between banks, so as to unify the financial industry's information security standard.

Render unto God what is God's, and unto Caesar what is Caesar's.
