DE202007018769U1 - Fraud detection system for point-of-sale terminals - Google Patents

Abstract

A point-of-sale terminal for performing electronic payment transactions, wherein the terminal is associated with at least one terminal identifier and the terminal has a housing and a plurality of external interfaces, the terminal further comprising:
At least one detector adapted to detect an event taking place on the housing or at least one external interface of the terminal,
A processor adapted to generate, based on the detected event, an event message having an event code associated with the event, a time stamp indicating the time at which the event took place, and at least one terminal identifier of the terminal;
- A message interface that is set up to output the event message, where the message interface is one of the external interfaces.

Description

Field of the invention

The This invention relates generally to fraud detection techniques for systems, that handle secure electronic transactions, such as: B. a electronic payment system. The invention particularly relates to techniques to detect fraud by detecting tampering be done at a terminal that is in such a secure system is used, such as a cashier or service terminal.

Background of the invention

Sale (POS; Point-of-sale terminals are considered a convenient means to Processing of electronic payment transactions of companies of all Type and size, before all used by retail traders. To execute a Electronic payment transaction by means of a POS terminal is usually used a payment card. The payment card can be a credit card, a debit or debit card and the like. Be. Financial and / or personal Information is usually on the card in the form of a magnetic stripe, one embedded chips, an embossed digit string or a Combination of the above possibilities coded. The imprinted in the map number sequence can, for. B. give the account number of the legal cardholder; this number is almost always used for payment transactions.

With simplicity and comfort in the execution of payments by means of However, a card raises serious concerns about card fraud associated. Try using various illegal means cheat, the information encoded or embedded in the card and sometimes even the personal one Identification number (PIN) used by the Map is assigned to obtain. Enable such information the cheaters, a fake, to make copied or manipulated cards that are exactly the same financial and / or personal Carries information like the real card. The cheaters can then the fake one Card for all possible fraudulent activities like purchases, electronic Money transfer, identity feign etc. use. Sometimes you can Unbelievably high losses have accumulated before the actual Cardholder noticed the scam.

A Possibility, like cheaters To obtain information from payment cards is related to POS terminals. There daily a big number Payment cards can be used at a POS terminal, fraudsters could provide information steal from payment cards by using certain hardware and / or Software - im Following as "spyware" (spy: spy) - installed in the POS terminal. This spyware can be payment related information on the cards when used at the POS terminal.

Around Of course, the scammers need to install the spyware in the POS terminal manipulate physical components of the terminal in any way z. B. the housing of the terminal, disconnect the data interface, etc. A typical manipulation scenario is as follows: a cheater breaks at night, z. B. order 02:30, in a shop one that is closed. At 02:35, he disconnects the terminal from Network and opens the housing; at 02:37 clock is the case successfully opened Service. The cheater includes then turn the terminal back on to see if it's still normal can be. If so, it disconnects the terminal again from the network, for example at 02:38, and installs the spyware in the terminal. At 02:48 Clock is completed the installation and the cheater connects the terminal again. After that leads the cheater at 02:51 clock a test card in the card reader interface of the terminal to check whether the spyware installed reads information from the test card and record. Before this card reading test is performed, can the cheater disconnect the data interface of the terminal so that no payment transaction over the Transfer data interface to a payment service provider can be. When the test is completed, the fraudster takes the test card, includes the data interface again, closes the housing and leaves the Business. A few days later, After the spyware has collected enough data from a large number of payment cards has, the cheat seeks the business Recover and get the data collected by the spyware. The collected data is then used to make forged Cards.

Of course there it fraud detection techniques to identify counterfeit Cards. A general example is the analysis of card transaction records to suspicious events. However, these techniques are usually measures after the fraud, the fraud only after the production of a fake Card that is already in circulation.

However, this means that the data of the real card has already been stolen. Of course, this data loss represents a significant financial risk for the legal cardholder, the payment service provider and / or the issuing bank. Additionally, after determining that a fake card is in circulation, the card number must be blacklisted and the real card will be replaced; These measures will result in administrative burden for the issuer of the card as well as additional inconvenience to the legal cardholder.

It Consequently, it is important to provide new techniques for card fraud in connection with POS terminals as early as possible, preferably in front of one real loss of map information, to be able to recognize.

Outline of the invention

The present invention provides solutions card fraud related to POS or POS terminals in the early to be able to recognize. By the detection of events or occurrences, which at one POS terminal, in particular on the housing and external interfaces, it is possible to determine if a potential fraudulent Manipulation is done.

Of the Term "event" is within the scope of this invention to understand that he has any incident on a component of the terminal, says. The event may be physical or not physical, by an external force or by the terminal itself can be caused, manually or without intervention take place through people, run by hardware or software, through direct contact or contact from outside be effected, etc. Examples of Events are u. a. Events such as removing, attaching or refitting, disconnecting, connecting or reconnecting, opening or closing, etc. of the housing or one of the external interfaces of the terminal.

Of the Term "card" or "payment card" is under this Invention as a synonym for to understand every machine-readable part, device or object that of a card reading terminal as a means of authorizing the Cardholder and to verify his eligibility, electronic Make payments, is accepted. However, the invention can also on other secure systems than electric payment systems Applicable: Automatic Teller Machines (Automated Teller Machines; ATMs) are an example of building security systems like access / exit via door cards another. In short, the invention is applicable to any security system applicable, the use of a "card" - a machine-readable part, device or object that accepted by a card reader - as a means of authorization the cardholder and / or to verify his entitlement, to perform certain security-related actions.

There the determination of possible fraudulently Manipulations can take place as soon as the events take place have, d. H. does not need to wait until card data lost and fake Cards are already in circulation, the invention can be an early prevention to simplify data loss. If z. B. it is determined that the probability of manipulation is high, the function may be immediately be suspended from the POS terminal concerned it in the future does not make any payment transactions. Thus, a potential Information leakage of the card from this POS terminal effectively prevented become.

According to one The first aspect of the invention is a point of sale terminal for electronic Payment transactions provided. The terminal is one or assigned several identifiers that uniquely identify the terminal. The terminal has a housing and several external interfaces. The terminal also points at least one detector capable of detecting an event, that takes place at the terminal. Furthermore the terminal has a processor in response to the detected event generate or generate an event message can, which reports the occurred event. The event message has an event code associated with the event, a timestamp, indicating the time at which the event took place, and at least a terminal identifier. After generation, the event message is sent via a Message interface issued by the terminal. Alternatively, the Event message locally in the terminal for later output via the Message interface are saved. The message interface is one of the external interfaces of the terminal.

• – Detektieren eines an einem Gehäuse des Kassenterminals oder an mindestens einer von mehreren externen Schnittstellen des Kassenterminals stattfindenden Ereignisses,
• – Erzeugen und vorzugsweise Speichern einer Ereignismeldung auf Basis des detektierten Ereignisses, wobei eine Ereignismeldung einen dem Ereignis zugeordneten Ereigniscode, einen Zeitstempel, der die Uhrzeit angibt, zu der das Ereignis stattfand, und mindestens eine dem Kassenterminal zugeordnete Terminalkennung enthält, und
• – Ausgeben der Ereignismeldung über eine der externen Schnittstellen des Terminals.

According to a second aspect of the invention, there is provided a computer readable recording medium having stored thereon a computer program, the computer program containing program code which, upon execution of the computer program in a terminal computer, effects the following steps to detect hardware manipulation at the point of sale terminal:

• Detecting an event taking place on a housing of the point-of-sale terminal or on at least one of several external interfaces of the point-of-sale terminal,
• Generating and preferably storing an event message based on the detected event, wherein an event message includes an event code associated with the event, a timestamp indicating the time at which the event occurred, and at least one terminal identifier associated with the terminal;
• - Output of the event message via one of the external interfaces of the terminal.

According to one Third aspect of the invention is an apparatus for processing provided by event messages. The event message is one Message that has an event code associated with an event is that on the case or an external interface of a point-of-sale terminal has a timestamp indicating the time to which the event occurred took place, hereinafter referred to as event occurrence time, and at least one terminal identifier of a point-of-sale terminal. The device has a first interface that is used to receive one or more such event messages is set up. In addition, the device a processor that can perform the following activities: select one Set of event messages with the same terminal identifier; Organize the event codes in the set of event messages to a sequence in accordance with the timestamp in the event messages; Reading one or more Patterns, each pattern having a sequence of event codes; Determine if the ordered sequence of event codes is at least matches one of the patterns; and generating a notification message when a match is found becomes. The device also has a second interface, which is set up to output the notification message.

• – Empfangen einer oder mehrerer Ereignismeldungen,
• – Wählen eines Satzes von Ereignismeldungen mit derselben Terminalkennung,
• – Ordnen der Ereigniscodes in dem gewählten Satz von Ereignismeldungen zu einer Folge nach Maßgabe der Zeitstempel in dem gewählten Satz von Ereignismeldungen,
• – Lesen mindestens eines Musters, wobei das Muster eine Folge von Ereigniscodes aufweist,
• – Ermitteln, ob die geordnete Folge der Ereigniscodes mit dem mindestens einen Muster übereinstimmt, und
• – Erzeugen einer Benachrichtigungsmeldung, falls eine Übereinstimmung gefunden wird.

According to a fourth aspect of the invention, there is provided a computer readable recording medium having stored thereon a computer program, the computer program containing program code which, when the computer program is executed in a computer, effects the following steps for processing event messages, the event messages comprising an event code comprising a is assigned to an event occurring on an external interface or housing of a point-of-sale terminal, a timestamp indicating the time at which the event took place, and at least one terminal identifier:

• Receiving one or more event messages,
• Choosing a set of event messages with the same terminal identifier,
• Order the event codes in the selected set of event messages into a sequence according to the timestamps in the selected set of event messages;
• Reading at least one pattern, the pattern having a sequence of event codes,
• Determining whether the ordered sequence of the event codes matches the at least one pattern, and
• - Generate a notification message if a match is found.

Brief description of the drawings

following the invention will be described by means of exemplary embodiments, which are shown in the drawings. They show:

1 a schematic block diagram of an embodiment of a terminal according to the invention;

2 an example of event messages and examples of event code sequences according to the invention;

3 a flowchart of one embodiment of a first method for detecting hardware manipulation of a POS terminal according to the invention;

4 a schematic block diagram of an embodiment of an apparatus for processing event messages according to the invention;

5 two patterns according to the invention; and

6 a flowchart of an embodiment of a second method for processing event messages according to the invention.

Detailed description the drawings

In The following description is for the purpose of explanation and not the restriction Details given, such as specific step sequences, special Interfaces and configurations to get a thorough understanding of To ensure invention. For It is obvious to the person skilled in the art that the invention is different from others embodiments can be achieved by these specific details differ. The skilled person will further recognize that the invention though mainly however, it is described in the form of methods and devices also in computer program products as well as in systems that have a computer processor and a memory coupled to the processor can be, taking the memory with one or more programs is encoded when running by the processor can perform the functions contained herein.

1 shows a POS terminal 10 according to the invention. The POS terminal 10 consists of several internal modules or components: an application processor. 14 , a power supply module 16 , a communication module (modem) 18 , a card reading module 20 and a hardware security module (HSM) 22 , Other modules or components (in 1 not shown) such as a so-called PIN pad, a display and a printer - which are input / output devices to facilitate the human / Maschinenin The action between the terminal and the user - can also be included. For physical protection, these modules are housed in one housing 24 (or a cover, a frame, a shell, etc.) of the terminal. Some of these modules come with interfaces 26 . 28 . 30 coupled, interacting with the external environment. The housing normally has holes or openings for these external interfaces. For example, the power supply module 16 , which provides the power to the terminal, with a power supply interface 26 connected. The power supply interface may be a wire or cable for powering the terminal from an external power source (in 1 not shown). The communication module 18 is with a communication interface or a data interface 28 coupled via the data in connection with electronic payment between the terminal and the payment service provider. In an embodiment, the data interface may be a data cable or a data wire; a wireless data interface can also be used. The card reading module 20 is with a card reader interface 30 coupled, which is normally in the form of a narrow opening like a slot, and which comes into contact with the payment card when an electronic payment transaction is to be executed. The contact may be physical, electrical, magnetic and / or optical. Some of the internal modules of the terminal do not need to be interfaced with external interfaces. So z. B. the application processor 14 and the HSM 22 safe from the housing 24 are included and not in direct contact with an external interface. The HSM includes hardware and / or software components for performing authorization and encryption functions. The PIN pad is typically integral with the HSM. In some cases, the application processor is integrated with the HSM.

A payment transaction via the POS terminal typically begins with the entry of the payment amount, which is either manually or automatically from the electronic cash register. Thereafter, a payment card becomes fast through the card reading 30 pulled or inserted into the terminal. (In some cases, the payment card will be enforced before entering the payment amount). The card reading module 20 then reads or retrieves payment-related information from the card. The PIN pad of the terminal allows entry of the personal identification number (PIN) on a numeric keypad or keypad if required. Based on the payment-related data being read from the card, the PIN entered and perhaps additional relevant transaction information, the terminal processes the transaction online or offline.

In the online scenario, the terminal or, more precisely, the application processor, initiates 14 the transfer of an electronic payment transaction to a processing system, which is normally the payment processor of the payment service provider. The transmission of the payment transaction data is carried out by the communication module 18 and the data interface 28 executed. The payment processor receives the payment transaction, processes it, and eventually returns either a "Transaction OK" or "Transaction Not Executed" message to the terminal.

In the offline case, the terminal can locally authorize the transaction and later transfer the payment transaction data, e.g. At the end of the day, to the payment service provider. The transmission of the payment transaction data is carried out by the communication module 18 and the data interface 28 settled.

In addition to the above components and features is the POS terminal 10 associated with at least one identifier for identifying the terminal. The identifier may be of a physical nature, ie, a unique identifier for the terminal, such as a serial number or a running code. Another identifier type is a logical identifier that is normally assigned to the merchant who owns (or leases) the terminal and uses it to communicate with its payment service provider to perform electronic payment transactions. A payment service provider normally services a large number of merchants; to distinguish them from each other, the payment service provider generally assigns each merchant an identifier. This identifier is the so-called "logical identifier" for POS terminals. Of course, it is possible to use any other type of terminal identifier with which an active terminal can be clearly distinguished from another active terminal. In addition, any combination of the above terminal identifiers may be used.

The POS terminal 10 also has a message processor 32 which can generate an event message based on a detected event occurring at the POS terminal. Details of the event messages and the relevant operation of the message processor 32 are described below. The message processor 32 can be a special processor or with the application processor 14 be integrated.

The terminal 10 also has one or more detectors 36 . 38 . 40 . 42 . 44 on, the min at least one type of event on the case 24 or at least one of the external interfaces 26 . 28 . 30 . 34 of the terminal, can recognize.

Among the detectors may be a voltage detector 36 be the changes in the supply voltage at the power supply interface 26 can recognize. The detector 36 can z. B. detect whether a continuous supply voltage is suddenly interrupted, or in the opposite case, whether the power supply has started again. That is, the voltage detector can detect a change of the supply voltage from "on" to "off" as well as from "off" to "on". An example of a voltage detector may be an electronic circuit that triggers when the voltage of the power supply drops below a certain threshold. Other mechanisms are also possible. The voltage detector may also be configured to provide removal of the power supply interface 26 from the terminal and / or attaching (or reattaching) the power supply interface on the terminal. So z. B. a mechanical switching device to detect the removal of the power supply interface. With this capability, the voltage detector can respond to events such as disconnecting the power supply interface from an external power source, connecting the power interface to an external power source, cutting through, for example, the power supply interface. A wire or cable of the power supply interface, reconnecting the severed power supply interface, removing the power supply interface from the terminal, and attaching (or reattaching) the power supply interface to the terminal and the like. When a person, e.g. For example, if a fraudster manipulates the POS terminal by improperly engaging the power supply interface, such interference will be detected.

A data link detector 38 may be provided to detect events occurring at the data interface 28 occur. The data link detector 38 can the status of a data transfer via the data interface 28 recognize as follows: Is there a sudden end or an interruption in a current data transfer? Is there a start or a restart of a data transfer? Is the data interface 28 been removed from the terminal? Has the data interface been attached (or re-attached) to the terminal? The above detection functions may be accomplished by hardware (eg, electronic circuitry) and / or software implemented in the data link detector to detect the interruption of a lower level data communication protocol. Special techniques could include the detection of heartbeat signals, the control of current loops, or the detection of a particular voltage that must be applied to a stylus. In addition, the data link detector could also include a mechanical type switching device that can detect the removal of the data interface from the terminal. If the terminal 10 equipped with such a detection functionality, it can detect any manipulation of the terminal in the form of an improper engagement on the data interface.

Another detector 40 , a card reading detector, may be provided to detect whether information has been read from or retrieved from a payment card from the card reader interface or card reader module. For example, if cards with magnetic stripes are to be processed, the read head of the card reader interface can be set to a passive mode but remain on; as soon as a card is pulled through, the read head delivers the signals read out from the card. In the case of chip cards, the card reading interface may be provided with a microswitch that can detect the insertion of a card. The information retrieved from the card, such as the card number, is usually payment related.

When payment-related data is read from the card during normal online operation, the data is passed to the application processor 14 which causes a corresponding payment transaction to be transmitted to the payment service provider. The payment transaction data is transmitted via the data interface 28 output. However, if a person, for. For example, if a fraudster wishes to make a test reading of the cards on the terminal that is in online mode without causing a transfer of payment transaction data, he must perform the data transfer function of the data interface 28 disable before pulling the test card through the card reader interface. As a result, retrieving payment related data from a payment card can NOT result in the issuance of payment transaction data from the data interface 28 follows. The card reading detector 40 can work together with the data link detector 38 detect such "card test" events.

In another situation, ie in the offline scenario, in which the terminal itself does not have to initiate transmission of the payment transaction data after the payment transaction data has been read from the card, such "card check" events can be detected by the fact that the card reading activity and the absence of a card reader other normal activities are taken into account. These normal activities can be the input ei PIN code, entering a payment amount, confirming the payment amount entered by pressing the OK key, etc. For some terminals, POS transactions can be: B. only by entering a payment amount before reading a payment card are triggered. So if a "card reading" activity by the card reading detector 40 is detected, but no payment amount has been previously entered, this could be interpreted as a "Card Test" event by a fraudster.

The card reading detector 40 may also be configured to detect the removal and / or attachment (or reassembly) of the card reader interface from or to the terminal. To perform such a detection, a mechanical switching device may be suitable.

According to the invention, the POS terminal 10 except the power supply interface 26 , the data interface 28 and the card reader interface 30 yet another external interface 34 which is referred to as the message interface to that of the message processor 32 output generated event messages. The functionality of the message interface 34 is in many ways the data interface 28 similar. Although the message interface 34 It can also be a special interface with the data interface 28 be integrated.

Analog can be a message detector 42 provided to detect events occurring at the message interface 34 occur. These events are similar to those at the data interface 28 took place.

The terminal 10 may further include a housing detector 44 to any on the housing 24 detect events that occurred at the terminal. In particular, when the housing or a part thereof is opened or closed, or when a part of the housing is removed or attached (or reattached), this may be the housing detector 44 detect. In this way, any improper intervention on the housing can be detected. In addition, the terminal can be executed to store the secure information e.g. For example, cryptographic keys contained in the HSM are immediately cleared when the detector 44 detects an improper engagement with the housing.

Now the message processor 32 in detail by means of 2 describing an exemplary event message received from the message processor 32 can be generated.

After one of the detectors has detected a specific event, the message processor reacts according to the invention 32 to this detection by generating a corresponding event message to document the occurrence of this event. As examples, let's say a set of event messages 50 . 52 . 54 . 56 . 58 serve with the same structure that in 2 are shown. The basic structure of an event message has three fields 60 . 62 and 64 on. The first field 60 contains a terminal identifier, eg. Example, the serial number SN12345678 of the terminal as shown in the figure. Of course, the field can 60 contain another identifier associated with the terminal, such as the logical identifier, a combination of the serial number and the logical identifier, etc. The second field 62 The event message contains a timestamp indicating the time when the event occurred. The generation of time stamps is a known technology in the art. The third field 64 contains a so-called "event code". The event code is a code associated with the event and indicates which type of event it is. For example, in the event messages 50 and 54 the event code 1601, which can be used to specify the voltage off event. In the event messages 52 and 56 event code 1602 is what can mean "voltage on" and in the event message 58 it is 2001, which may indicate the retrieval of information from a card, but without subsequent issuance of payment transaction data via the data interface of a POS terminal. In short, each type of event that can be detected by the terminal (s) detectors is assigned a unique event code. If the message processor generates an event message based on a particular detected event, the associated event code is included in the message.

The Event notification may be additional Fields for documentation of other information related to the detected event and / or the terminal. For example can be the power consumption of the terminal, the duration of the dead Period etc. in the event message.

The event message may be issued as soon as it has been generated or in a memory or buffer 46 of the terminal for a predefined period of time before it is output. The memory or buffer 46 can also store a plurality of event messages coming from the message interface 34 can be issued.

As mentioned above, the message processor 32 a specific processor or with the application processor 14 be integrated. In the latter case, the processor 32 and an electronic payment transaction based on the payment related to the payment card Initiate data.

Now be on 3 referenced by which an embodiment of a first method 70 for a POS terminal. For a better understanding, the procedure 70 by way of example with reference to the POS terminal 10 from 1 and the event messages from 2 described. However, it should be noted that the procedure 70 in combination with a POS terminal with a different configuration than that of 1 as well as in combination with event messages with a different structure than that of 2 can be realized.

The procedure 70 aims to detect hardware manipulation at the POS terminal 10 with at least one terminal identifier assigned to the terminal and a housing 24 as well as several external interfaces 26 . 28 . 30 and 34 having.

The procedure 70 starts with step 72 in which the POS terminal is on the housing 24 or one of the external interfaces 26 . 28 . 30 and 34 of the terminal by means of one or more of the detectors 36 . 38 . 40 . 42 or 44 recognizes. As described above, the event may include any of the following: removal of one of the external interfaces or part of the housing from the terminal; Attaching (or reattaching) one of the external interfaces or part of the housing to the terminal; Change of the supply voltage via the power supply interface 26 from on to off, ie an event "tension off"; Change of the supply voltage via the power supply interface 26 from off to on, ie an event "tension on"; Termination or interruption of data transmission via the data interface 28 ; Start (or restart) of the data transfer via the data interface 28 ; Termination or interruption of the message transmission via the message interface 34 ; Start (or restart) of the message transmission via the message interface 34 ; Retrieve payment-related data from a payment card through the card-reading interface 30 or the card reading module 20 but without subsequent issuance of the payment transaction data via the data interface 28 ; Opening a part of the housing 24 ; Close part of the housing 24 ; Increase in power consumption of the terminal by a first predetermined amount (eg 500 mW); Decreasing the power consumption of the terminal by a second predetermined amount (eg, 300 mW), wherein the first and second predefined amounts may be the same or different. It should be emphasized in this regard that fluctuations in the terminal's power consumption can be an indication that additional hardware / software, eg. Spyware is running.

In the next step 74 the terminal generates an event message 50 according to or based on the detected event. The event message 50 contains an event code 1601 associated with the event, ie the event code identifies or designates the type, nature or nature of the event; the event message 50 also contains a timestamp of 02:35 indicating the time when the event took place. Furthermore, the event message indicates 50 at least one terminal ID SN12345678. The event message defines the event code, the timestamp, and the terminal identifier 50 the event unique.

Finally, in step 76 the generated event message is output via one of the external interfaces of the terminal. This interface can be the specific interface 34 which is specifically for the transmission of event messages, but also the data interface 28 that the POS terminal uses to issue payment transaction data to the payment service provider.

Although the event message can be issued once it has been generated, the procedure may 70 include a step of storing or caching the event message for a predetermined amount of time before it is output from the terminal. In addition, a plurality of stored or cached event messages can be issued either serially or simultaneously.

The procedure 70 can be done in hardware, software or a combination of hardware and software. The software aspect provides a computer program product. The computer program product includes program code sections for carrying out the steps of the method 70 when the computer program product runs on one or more computing devices. Preferably, the computer program product runs on the message processor 32 of the terminal 10 from. The computer program product may be from a remote device such. From a payment processing server of a payment service provider via one of the external interfaces of the terminal, e.g. B. the data interface 28 or the message interface 34 to be downloaded. Especially if a terminal does not work with the message processor 32 equipped, it is helpful that the computer program product on the application processor 14 downloaded and run there. With such a download function, conventional terminals for carrying out the method 70 without any replacement, upgrade or reconfiguration of the terminal, especially the processor 14 , be enabled.

The description of the POS terminal 10 and the corresponding procedure 70 In summary, it can be concluded that the detection and documentation of the events taking place on the housing and the several external interfaces of the terminal, any possible manipulation, which almost always means an improper intervention on the housing and / or one of the external interfaces recognized can be. The POS terminal 10 as well as the procedure 70 Thus, according to the invention, early detection can facilitate potential hardware manipulation of the terminal.

4 shows an embodiment of a device 80 for processing event messages according to the invention. One from the device 80 Processible event message contains information pertaining to an event that has occurred at a POS terminal, in particular at one of the external interfaces or the housing of the terminal. The information includes at least the following: an event code associated with the event, the event code indicating the type, type and nature of the event; a timestamp indicating the time at which the event took place, hereinafter referred to as event occurrence time; and at least one terminal identifier associated with the terminal. The above information uniquely identifies an event. Of course, further information concerning the event and / or terminal where the event occurred may also be included in the event message.

The device 80 has a first interface 82 which is set up to receive event messages. The event messages may come from one or more POS terminals 84 and 86 or come from other event reporting sources. The device also has a processor 88 on which is set up to process the received event messages. Furthermore, the device has a second interface 90 for issuing a notification message generated according to the result of processing the event message.

In one embodiment, the notification message is output as an audible and / or visual alert to alert a person. In another embodiment, the device 80 a memory arrangement 92 which are those of the first interface 82 can save received event messages. In a further embodiment, the device can be a computing device z. A computer; in a specific embodiment, the device is 80 a server.

The details of the processor 88 executed processing will now be with reference to 2 described that shows a set of event messages, and 5 , which shows a so-called "pattern" according to the invention.

The processor 88 receives event messages generated by one or more POS terminals. The processor selects from the received messages 88 a set of event messages 50 . 52 . 54 . 56 and 58 ( 2 ), all of which have the same terminal ID SN12345678. The number of event messages to be selected can be predefined. Alternatively, the choice may be based on a predefined time frame, ie only the event messages whose event occurrence time is within the predefined time frame are selected.

The processor 88 then assigns the event messages in the sentence 50 . 52 . 54 . 56 and 58 contained event codes corresponding to the timestamps in the event messages to a sequence. This means that the event codes are extracted from the event messages and ordered according to their event occurrence time. The order result is an ordered sequence 66 as in 2 shown; the arrow in the direction from top to bottom indicates the order. In particular, the event code of an event message having an earlier event occurrence time in the sequence is positioned before the event code of another event message having a later event occurrence time. Subsequently 66 heard z. For example, the first event code in the order from top to bottom of the event message 50 which contains a timestamp with the event occurrence time 02:35. All other event codes correspond to event messages with timestamps indicating event occurrence times after 02:35; thus the event code becomes the event message 50 positioned at the first (top) position in the sequence.

It can be seen that the ordered sequence of event codes "tells" the events that took place at the relevant POS terminal in chronological order. For example, there is the episode 66 in 2 that the following events occurred at the POS terminal SN12345678: an event "voltage off" indicated with the event code 1601, followed by an event "voltage on" with the event code 1602, followed by another event "voltage off", indicated by the event code 1601, followed by another event "power-on" with the event code 1602, which is eventually followed by an event indicated by the event code 2001, which retrieves information from a card without subsequently issuing payment transaction data via a data interface of the card POS terminals SN12345678 means.

The processor 88 the device 80 is able to read one or more "patterns". The term "pattern" here means a predefined data structure which has a sequence of event codes with possibly some additional information. Patterns may be in the memory array 92 the device 80 be stored and the processor 88 to be provided. The memory arrangement 92 can be a memory, a database, etc. Patterns can be the processor 88 also from other sources (in 4 not shown). In 5 are two exemplary patterns 100 and 102 shown. The pattern 100 has the basic structure of a pattern and points in the arrow 104 a sequence of event codes 1601, 1602, 1601, 1602 and 2001. The pattern 100 Thus, specifies the following event sequence that may have occurred at a POS terminal: a Voltage Off event, followed by a Voltage On event followed by a second Voltage event followed by a second Voltage event followed by an event in which payment related data is retrieved from a payment card but no subsequent transfer of payment transaction data is detected via a data interface for transmitting payment transaction data. The pattern 100 So corresponds to the typical manipulation scenario described above under "Background of the Invention". Various patterns may be predefined that correspond to various hardware manipulation procedures that target POS terminals, e.g. For example, a significant increase in power consumption of the terminal, multiple consecutive events of voltage off, loss of data connectivity at the data interface along with event voltage, etc.

After reading the pattern 100 (and maybe more patterns) the processor compares 88 the ordered sequence 66 the event codes with the pattern 100 to determine whether the two match, that is, whether the ordered sequence is equal to or nearly equal to the pattern. If a match is detected, the processor generates 88 a notification message indicating the result of "match detected," informing a human administrator to delve deeper into the matter. The processor 88 can also be configured to generate a score (eg 0 to 100%) that indicates how well or how well the ordered sequence matches the pattern. The evaluation alternative helps to ensure that pattern matching is tolerant of small deviations in fraudulent manipulation. Since the notification message can be generated within a short time after the occurrence of an actual manipulation, the fraud can be identified immediately, ie with sufficient time interval before the loss of map information. Such rapid fraud detection can effectively prevent data loss due to manipulation of POS terminals.

Pattern with more information than the pattern 100 can be provided. The pattern 102 in 5 is an example. When comparing the patterns 100 and 102 shows that the two patterns have the same sequence of event codes 1601-1602-1601-1602-2001, the pattern 102 but additionally has a sequence of so-called "time duration codes" t1, t2, t3 and t4. As the term suggests, the time duration codes indicate time periods. In the specific example of the pattern 102 the time duration code t1 has a value of 2 minutes, the time duration code t2 has a value of 1 minute, etc. Each two consecutive event codes in the pattern belong to one time duration code. In the example of the figure, the first event code 1601 and the second event code 1602 belong to the time duration code t1; the second event code 1602 and the third event code 1601 belong to the time code t2; the third event code 1601 and the fourth event code 1602 belong to the time duration code t3; and the fourth event code 1602 and the fifth event code 2001 belong to the time duration code t4. The methods and ways of establishing a relationship between two consecutive event codes in a pattern and a time duration code are numerous and known in the data processing art.

In itself, the pattern represents 102 or one of its equivalents, a sequence of events with defined time periods between the events. Specifically, the pattern gives 102 an event "voltage off" followed by an event "voltage on" after two minutes; This is followed, after one minute, by a second "power off" event, followed by a second "power on" event after ten minutes, followed finally by a payment card retrieval after three minutes from a payment card, but without subsequent issuance of the payment transaction data via a data interface a POS terminal.

While a pattern like 102 may specify a refined indication of hardware manipulation procedures, the processor may 88 the device 80 on the other hand, be further configured to generate sequences of event codes to which further information is attached. Accordingly, the processor 88 when organizing the selected sentence event messages 50 . 52 . 54 . 56 and 58 to a sequence 68 (in the lower part of 2 shown) assign the orderly event codes so-called "time difference codes" d1, d2, d3 and d4, which indicate the time difference between the event occurrence times of the corresponding events. It It can be seen immediately that the values of the time difference codes are readily apparent from the timestamps in the event messages.

After generating the sequence 68 the processor determines from event codes with the associated time difference codes d1 to d4 88 whether the episode 68 matches an event code sequence of one of the provided patterns. Assuming that there is a match, the processor then determines whether the time difference codes d1 to d4 correspond to the consecutive event codes in the sequence 68 also with the time duration codes t1 to t4 corresponding to the corresponding consecutive event codes in the pattern 102 belong, agree. If this second-level compliance is confirmed, the processor generates 88 a second notification message.

The patterns of the invention are preferably adaptable in many ways. For the processor 88 new patterns can be provided and existing patterns can be deleted or changed. The change can be made in one of the following ways: First, the predefined sequence of event codes can be adjusted in a particular pattern, ie existing event codes can be removed from the sequence or replaced with other values; new event codes can be added to the sequence and the sequence of event codes can be changed. Secondly, the additional information attached to the sequence of the event code can also be adjusted. For example, the values of the time duration codes described above may be variable; a time duration code may have a defined value e.g. B. 2 minutes or a "vague" or "fuzzy" (fuzzy) value assume what a range of time periods z. For example, 2 to 5 minutes indicates what makes matches more flexible. Third, the event codes in the pattern may be associated with additional additional information. It can be seen that the patterns can be adapted in countless ways.

In addition to determining by means of patterns, the processor 88 also access other information before the notification message is generated. The processor 88 can z. For example, check whether an event has occurred either at a certain actual time (preferably after the normal 24-hour clock system) or between a first actual and a second actual time. In 2 contains z. For example, the event message 50 the timestamp 02:35 and the event code 1601, indicating that an event voltage was off at 02:35. As a result, the processor checks 88 whether the event occurrence time, ie 02:35, is between 10:00 pm, the typical close of business hours, and 9:00 am, the typical opening time of a store. The comparison of an event occurrence time with one or more actual times may increase the accuracy of the detection of a hardware manipulation. For example, a sudden voltage-off event at 5:00 pm, usually during a busy business, is unlikely to indicate a fraudulent intrusion into the power supply interface by a fraudster, but rather a malfunction caused by the POS terminal user (e.g. B. accidental unplugging the power cord). In contrast, an event "Tension off" at 02:35 is likely to be the result of fraudulent manipulation. In short, evaluating further information prior to generating the notification message may increase the accuracy of fraud detection.

In some cases can in the control of event messages regarding a POS terminal for Determine if hardware manipulation may have occurred at this particular terminal Information from other POS terminals was helpful. For example could one while the night event "Tension off" followed immediately by an event "Tension On" as a hardware manipulation at the power supply interface of the terminal in question be interpreted, but this incident could also be the simple result a general power failure in the area in which the POS terminal is located, be. In such a case, a counter-check, whether in others POS terminals in the same area at the same time the same interruption the power supply occurred, make sense. If all POS terminals in the area the same episode "tension off - tension one at the same time Reporting time can be sure of a general power failure this area and not on a hardware manipulation on one certain POS terminal to be closed.

In order to benefit from the information from and / or to other POS terminals, certain information about these other POS terminals must be provided to the processor 88 to provide. If it is z. For example, if it is necessary to control all terminals in a geographic area, the identifiers of these terminals and their location information should be sent to the processor 88 to provide. The location information can z. For example, the physical addresses and / or postal codes of the physical location of the terminals may be included. User information of the terminals may also be useful. For each terminal, the user information includes an identifier of the user, a first actual time such as the usual business close of the user and / or a second actual time, which is generally the opening time of the business.

The above information concerning POS terminals may be provided to the processor 88 be provided in various ways. The information may be in the memory array 92 the device 80 stored, the processor 88 can access the contents of the memory array; or the information can be sent to an external source 94 delivered and then via a third interface 96 the device 80 to the processor 88 be handed over. A good candidate for this external source 94 is a POS terminal administration system that can be managed by the payment service provider serving a plurality of POS terminals.

A specific example will now be described of how information from a second POS terminal can be used while processing event messages of a first POS terminal. After determining a match with a particular pattern for the first terminal, the processor processes 88 a second set of event messages generated by the second POS terminal to check whether a match with the same pattern can be detected for the second terminal as well. In detail, the processor selects 88 a second set of event messages with a second terminal identifier; the event codes in the second set associate event messages corresponding to the timestamps in the second set with event messages to a second sequence; the second sequence compares event codes to this particular pattern to determine if there is also a match; if it is determined that the second sequence of event codes also matches the pattern, a second notification message is generated. Of course, the processor can 88 also be adapted to check event messages from a third, fourth, etc. terminal.

Furthermore, even additional techniques such as artificial intelligence, fuzzy algorithms and the like of the device 80 be used to increase the accuracy of fraud detection. As an example, as mentioned above, in addition to simply generating a binary type match result, ie, either match found or no match found, the processor may be configured to generate a score (FIG. eg 0 to 100%), which indicates how well or how exactly the ordered sequence corresponds to the pattern. The evaluation alternative helps to ensure that pattern matching is tolerant of small deviations in fraudulent manipulation.

Now, referring to 6 an embodiment of a second method 110 for an event message processing apparatus according to the invention. For a better understanding, the procedure 110 by way of example with reference to the device 80 from 4 , the event messages from 2 and the patterns of 5 described. However, it should be noted that the procedure 110 also in combination with a device with a different configuration than that of 4 , with event messages with a different structure than that of 1 and with patterns with a different structure than that of 5 can be realized.

The procedure 110 is used to process event messages, each of which contains an event code associated with an event occurring on the chassis or external interface of a POS terminal, a timestamp indicating the time the event took place, and at least one terminal ID. The procedure 110 begins receiving or capturing one or more such event messages as in step 112 shown. Then in step 114 from the received event messages a set of event messages with the same terminal identifier selected. Subsequently, in step 116 the event codes in the selected set event messages according to the timestamps in the selected set of event messages arranged in a sequence. At least one pattern having a sequence of event codes is provided or read; this is in step 118 shown. After that, in step 120 comparing the ordered sequence of event codes with the at least one pattern to determine if a match exists. If there is a match, a notification message is finally generated.

Even though embodiments the invention are illustrated in the accompanying drawings and in explained the above description It should be understood that the invention is not limited to those disclosed herein embodiments limited is. In particular, you can made to the invention numerous changes, modifications and replacement measures become.

Claims (22)

A checkout terminal for performing electronic payment transactions, wherein the terminal is associated with at least one terminal identifier and the terminal comprises a housing and a plurality of external interfaces, the terminal further comprising: - at least one detector adapted thereto it is to detect an event taking place on the housing or at least one external interface of the terminal, - a processor, which is set up, on the basis of the detected event, an event message with an event code associated with the event, a time stamp indicating the time of day the event took place, and to generate at least one terminal identifier of the terminal, and - a message interface adapted to output the event message, the message interface being one of the external interfaces. The terminal of claim 1, wherein the event of a the following is: - one Remove one of the external interfaces or part of the housing from the terminal and - the Attach or reinstall one of the external interfaces or part of the housing at the terminal. Terminal according to one of the preceding claims, wherein the external interfaces an energy supply interface include, about the terminal is supplied with electrical energy, and the Event of one of the following further events is: - a change the power supply switched from on to off, - a change the power supply is switched from off to on. Terminal according to one of the preceding claims, wherein the external interfaces further comprise a data interface over which the terminal issues payment transaction data, and where the event one of the following events is: - a termination a data transmission via the data interface, - a start or restart a data transfer over the Data interface. Terminal according to one of the preceding claims, wherein the terminal further comprises a card reading interface adapted thereto is set up, payment related data from a payment card to read, and where the event is one of the following Events is: - one Reading payment-related data from the card without a subsequent issue from payment transaction data via a data interface over which the terminal issues payment transaction data. Terminal according to one of the preceding claims, wherein the event of any of the following events is: - opening one Part of the housing the terminal, - one Shut down a part of the housing the terminal, - one Increase of the energy consumption of the terminal by a first predefined Amount and - one Decrease of the energy consumption of the terminal by a second predefined Amount. Terminal according to one of the preceding claims, wherein the terminal further comprises a memory for storing a plurality Event messages and wherein the message interface further is set up to issue a plurality of event messages. Terminal according to one of the preceding claims, wherein the terminal identifier is one of the following identifiers or a combination the same is: - one Identifier assigned to the user of the terminal - a physical one Identification of the terminal. Terminal according to one of the preceding claims, wherein the physical identifier is a serial number or a serial code. Terminal according to one of the preceding claims, wherein the terminal further comprises a card reader interface having thereto is set up, payment related data from a payment card and the processor is further adapted to an electronic payment transaction based on the card to arrange for the payment data to be read. Computer-readable recording medium on which a Computer program is stored, wherein the computer program is program code contains which one at execution the computer program in a computer of a POS terminal the following steps to detect hardware manipulation the POS terminal causes: - Detecting one at one casing the POS terminal or at least one of several external ones Interfaces of the POS terminal event, - Produce and preferably storing an event message based on the detected one Event, with an event message associated with the event Event code, a timestamp that indicates the time to which the event took place and at least one terminal identifier associated with the POS terminal contains and - Output the event message over one of the external interfaces of the terminal. The recording medium of claim 11, wherein the Program code further causes the step of outputting Issue a plurality of stored event messages. Device for processing event messages, the event message indicating an event a time stamp indicating the time at which the event took place, hereinafter referred to as event occurrence time, and containing at least one terminal identifier, the apparatus comprising: - a first interface adapted to receive one or more of these event messages, - a processor adapted to: - select a first set of event messages with a first terminal identifier, - the event codes of the first set of event messages in accordance with the timestamps in the first set of event messages order a first sequence, - read at least one pattern, the pattern having a sequence of event codes, - determine if the first sequence of event codes matches the at least one pattern, and - generate a notification message, if an over instimmung is found, and - a second interface, which is set up to output the notification message. The device of claim 13, wherein the pattern is further contains a plurality of duration codes that indicate durations of time wherein each two consecutive event codes in the pattern associated with one of the time duration codes. The apparatus of claim 14, wherein the processor is further set up, each two consecutive Assign event codes to a time difference code in the first sequence, wherein the time difference code is the time difference between the event occurrence times indicates the respective two events. The device of claim 15, wherein the processor is also set up upon detection of a match the first sequence of event codes with at least one of the patterns to determine if the two consecutive event codes corresponding time difference code in the first sequence matches the time duration code, the the corresponding two consecutive event codes in the at least one pattern is assigned. Device according to one of claims 13 to 16, wherein the Processor is further configured to determine whether at least one of the timestamps in the selected one Set of event messages an event occurrence time between indicating a first actual time and a second actual time. Apparatus according to any one of claims 13 to 17, further comprising a third interface for additional information to receive a plurality of point-of-sale terminals, the additional ones Information contains at least one of the following information: - Location information at least one of the plurality of terminals, the location information a physical address and / or postal code of the terminal contain, - one Serial number or a serial code of the terminal, - a one Terminal assigned to terminal users and - User information of the terminal, wherein the user information is an identifier of a User of the terminal, a first actual time and / or a second Actual time, the are assigned to the user. Apparatus according to any of claims 13 to 18, wherein the processor is also set up to - a second set of event messages select with a second terminal identifier, - the event codes in the second Set of event messages according to the timestamp in the second set of event messages to arrange a second sequence - in the case the determination of a match determine the first sequence of event codes with the pattern whether the second sequence of event codes also matches the pattern, and - one generate second notification message if it is determined that the second sequence of event codes also matches the pattern. Apparatus according to any one of claims 13 to 19, further comprising a storage means for storing the one or more event messages that received from the first interface, and / or one or the multiple patterns. Apparatus according to any one of claims 18 to 20, further comprising a storage means for storing at least the additional ones information received from the third interface. A computer readable recording medium storing a computer program, the computer program containing program code which, when the computer program is executed in a computer, effects the following steps for processing event messages, the event messages comprising an event code resembling an external interface or housing of a point of sale terminal a timestamp indicating the time at which the event occurred and containing at least one terminal identifier: receiving one or more event messages - selecting a set of event messages with the same terminal identifier, - ordering the event codes in the selected set of event messages into a sequence according to the timestamps in the selected set of event messages, - reading at least one pattern, the pattern having a sequence of event codes Determining whether the ordered sequence of the event codes matches the at least one pattern, and generating a notification message if a match is found.