Classifications

• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  • G06F21/55—Detecting local intrusion or implementing counter-measures
  • G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
  • G06F21/88—Detecting or preventing theft or loss
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
  • G06F2221/034—Test or assess a computer or a system

Definitions

• the field of the invention is that of electronic terminals, and in particular electronic terminals intended for handling sensitive data, for example electronic payment terminals or terminals intended to read and / or update electronic cards containing personal medical data (such as a vital card in France) and / or to declare medical acts with a health organization.
• electronic terminals and in particular electronic terminals intended for handling sensitive data, for example electronic payment terminals or terminals intended to read and / or update electronic cards containing personal medical data (such as a vital card in France) and / or to declare medical acts with a health organization.
• the field of the invention relates more particularly to the fight against theft or embezzlement for malicious purposes of such terminals.
• terminals handling sensitive data are preferred targets of computer attacks.
• such a component may be intended to limit the availability or operation of this terminal, or to use the information provided by a user and intercepted by the component, for example by conventional "sniffing” techniques.
• Data sniffing or “data sniffing” to perform fraudulent payment transactions.
• a support such as a base, a wall or a shelf
• payment terminals are often mobile. This is the case for example in restaurants to avoid a customer to move at the time of payment by credit card.
• the small size and the autonomy of such terminals make their monitoring difficult (by human means for example, or video surveillance means).
• a disadvantage of these mobile terminals is that they are thus highly exposed to theft.
• Logical protection means such as the implementation of countermeasures in a microprocessor of a payment terminal, have also been implemented.
• a disadvantage of these techniques of the prior art lies in the fact that such techniques are not always sufficient to detect an attempted theft or diversion of an electronic terminal or sometimes only detect them late, a moment after the attack.
• the invention particularly aims to overcome these disadvantages of the prior art.
• an object of the invention in at least one of its embodiments, is to provide an electronic terminal more robust to attacks, and in particular for detecting a theft or an attempt to divert the terminal more reliably. by highlighting symptoms still unknown.
• a non-objective of the invention is, at least one embodiment, to propose a discrete solution, not detectable by the third party responsible for the attack on the terminal, in particular to help the monitoring and surveillance services. / or the police to confuse it.
• a further object of the invention is, according to the invention, to provide a solution for immediate detection of the attack.
• Another object of the invention is, according to at least one embodiment, to provide an easy solution to implement payment system manufacturers.
• an attempt to attack an electronic terminal can be caused by the fact that there is a manipulation performed on the terminal.
• the terminals intended to handle sensitive data are often installed in closed places, such as medical offices, secretariats, shops, restaurants or bank branches, with predefined opening hours (typically 7am-9pm) or meetings. de sutu re definable in advance (weekends, holidays, holidays or works). Also, they are normally usable only during periods of accessibility of these closed places. As a result, an action on the terminal in a closing period of a store or a secretariat (for example in the middle of the night) can therefore be considered as suspicious.
• the invention relates to a method for protecting an electronic terminal, comprising the following steps:
• the ad ite stage reaction of said terminal comprising a step of updating an alert level representative of a probability of attempted fraudulent use of said terminal, and a step of implementing a reactive action function said alert level.
• the method of the invention makes it possible to detect fraudulent attempts to use which would not have been detected by the solutions of the prior art (detection of intrusion into the terminal, detection of the opening of the terminal, substitution of of the terminal %), for example because it is a discrete manipulation, classic for a payment terminal but unusual for the terminal concerned, because outside its usual hours of use ha or because the manipulation causes an unauthorized movement of the terminal, or not compatible with its installation.
• said activation step is implemented when the current value of at least one characterization information of a context of said terminal is in a predefined range of values of said characterization information.
• Such a model offers the possibility of guiding all the operations performed on the terminal only when such monitoring is useful (ie likely to lead to the confirmation of an attempt. fraudulent use), so as to save the resources of the terminal, and in particular, in the case of use of the method of the invention for a portable terminal, the terminal battery.
• the monitoring can be carried out in a non-automatic manner, particularly periodically, for example at the closing time of the store, the secretariat or the bank branch where the terminal is located.
• the characterization information is a time stamp type of information, making it possible to define time slots during which it is desired to detect manipulations of the terminal, it being sensible during these time slots not to be manipulated.
• time slots can in particular take into account closing days (weekends, holidays, holidays .%) or contrary to scheduled periods of maintenance of the terminal.
• said step of detecting a manipulation of said terminal comprises a substep of comparing the current value of at least one characterization information of a context of said terminal with a predefined range of values of said characterization information.
• One embodiment has the advantage of systematically detecting certain manipulations, then deciding whether they are unusual or not according to certain predefined parameters (for example, in the case of a terminal continuously fixed on a support, by comparing the orientation or location of the terminal, during a movement of the terminal, with a predefined value range, corresponding to the degree of freedom of the terminal on a support).
• said manipulation belongs to the group of events comprising:
• the invention makes it possible to detect an attempt at fraudulent use by detecting a key on the keyboard of the terminal, or simply handling of the terminal, exerting pressure on the housing, or a more frank manipulation of the terminal by a displacement, reversal or rotation thereof ...
• the invention makes it possible to detect an attempt to fraudulent use of the terminal only when one or more of the aforementioned events occur (for example, a flipping of the terminal and a pressure on the housing).
• said characterization information belongs to the group comprising:
• the method further comprises a step of deactivating said monitoring state.
• the monitoring of the terminal can be deactivated automatically, for example because the context characterization information is more in the range of predefined values, or by third parties (locally via means for controlling the interface of the component, either remotely, by means of communication means of the terminal, for example remote control taking or the reception of a particular code).
• said reactive action belongs to the group comprising:
• reaction of the terminal comprises the generation of falsified data
• the reaction of the terminal comprises the generation of falsified data
• it may be to replace the sensitive data with particular data, making tampering obvious to a third party control, and thus improve the traceability of the operations carried out by the malicious third party after the attack.
• the issuing of an alert message can also be done discreetly, without attracting the attention of the malicious third party, while permitting a subsequent intervention, for example from the owner of the terminal or a service provider. monitoring ...
• said step of reacting said terminal comprises a step of updating an alert level representative of a probability of attempted fraudulent use of said terminal, and a step of implementing a reactive action. function of said alert level.
• Such a sol utio n offers the opportunity to allow a progressive reaction of the terminal to the detected manipulations.
• the terminal can simply issue a message to a monitoring center.
• a second level of alert it can also falsify part of the sensitive data it contains.
• the invention relates to a computer program product comprising program code instructions for implementing the aforesaid method (in any one of its various embodiments), when said program is executed on a computer.
• a computer-readable and non-transitory storage medium storing a computer program comprising a set of instructions executable by a computer for implementing the aforementioned method (in which any of its different embodiments).
• the invention also relates to an electronic terminal comprising:
• means for detecting a manipulation of said terminal in said monitoring state, means for detecting a manipulation of said terminal, generating the passage of said terminal in a so-called suspect state, representative of a risk of attempted fraudulent use of said terminal;
• means for triggering a reaction by said terminal means for triggering a terminal response comprising means for updating a warning level representative of a probability of attempt to fraudulently use said terminal, and
• the electronic terminal consists of a payment terminal.
• Figure 1 shows a functional block diagram of the invention in one embodiment
• FIG. 2 illustrates the dynamic operation of the principle of the invention, based on the static block diagram of FIG. 1;
• FIG. 3 illustrates the dynamic operation of a first particular embodiment of the invention;
• FIG. 4 illustrates the dynamic operation of a second particular embodiment of the invention
• FIG. 5 illustrates the structure of a terminal according to the invention.
• the main feature of the invention is to detect any abnormal manipulation of an electronic terminal for handling sensitive data, for example a payment terminal, or a reading terminal. / or update electronic cards containing personal medical data and / or declaration of medical acts with a health organization. Unlike solutions of the prior art, it may be a manipulation whose nature in itself is not characteristic of an attack (for example, because it involves a manipulation commonly performed on the terminal) but is considered suspect depending on the particular context of use specific to the terminal.
• a payment terminal 100 allows a user to make payments and transmits information relating to these payments to a remote management system 160, for example a terminal management system ( or TMS, for "Terminal Management System” according to English terminology).
• a remote management system 160 for example a terminal management system ( or TMS, for "Terminal Management System” according to English terminology).
• One such terminal is one of interface control components, allowing an exchange of information with a user of the terminal. It includes for example a screen 110 for the return of information or the interrogation of a user, and a keyboard 120, allowing the data is issy by a user. It may be a hardware keyboard 120 (as shown in FIG. 1) or a virtual keyboard, appearing for example on the screen 110.
• the terminal also comprises means for determining (130, 140) the value of a characterization information of a context of the terminal, for example by means of electronic components implanted on the motherboard of the terminal 100 .
• the terminal may comprise determination means 130 of a current time, for example a clock. It may also be provided with means for synchronizing this clock with at least one time reference.
• the terminal furthermore comprises means 140 for determining a position or a position variation of the terminal. It may for example be terminal location means l, for example by G PS, and / or means for determining a movement or orientation of the terminal. It can thus be at least one accelerometer, for measuring linear accelerations, and / or at least one gyrometer, for measuring angular velocities, and / or at least one inertial unit (or 1RS, for Inertial Reference System, according to English terminology), for measuring both several accelerations and / or angular velocities or at least one inclinometer, for measuring an orientation of the terminal.
• 1RS for Inertial Reference System
• the terminal comprises an inertial unit 140.
• the same inertial unit can be used at the same time. times for the definition of rendering information about the screen and for the implementation of the method of the invention.
• the terminal may comprise several inertial units, some being dedicated to the definition of a rendering and others to the method of the invention.
• the terminal may comprise other means for detecting a manipulation of the terminal, for example means for detecting a pressure applied to a portion of the terminal.
• the method of the invention thus comprises a step 200 of activating the monitoring state of the terminal.
• the method When the terminal is in a monitoring state, the method then comprises a step 210 for detecting a manipulation performed on the terminal.
• a manipulation performed on the terminal According to the embodiments of the invention, it may be a particular manipulation detected by a particular detection means (for example an inertial unit the in the case of a displacement, a reversal or a partial rotation of the terminal) or any manipulation detected by any of the means for detecting manipulation of the terminal.
• it may be the simple use of an interface component of the terminal or a pressure applied to a wall of the terminal box, for example when handling the terminal.
• the detection of such a manipulation generates the passage 220 of the terminal in a so-called suspect state, representative of a risk of attempted fraudulent use of the terminal and is followed by a triggering step 230 of a terminal reaction.
• this reaction may to be local. This may be, for example, at least partial blocking of the terminal, and / or erasure and / or falsification and / or corruption of at least a portion of the sensitive data of the terminal, and / or recording information representative of the manipulation (in particular the date, the time, the nature of the manipulation and / or an identification of at least one detection means having allowed the detection).
• the reaction step can implement means of communication to a rs habilitated, co mmeunp ro r of the te rminal, a telesurveillance a police service or a private company, or a remote operational service as part of a terminal management system (or TMS for "Terminal Management System" in English terminology).
• This may include an audio call, when the terminal has voice synthesis means for example or the generation of a text message, SMS or email for example, or when the terminal has means acquisition of images or video, the transmission of a relative multimedia stream at the moment of manipulation, allowing the authorized third party to easily check whether an attempt to hit the terminal actually takes place or if This is a false alarm (for example, a manipulation attributed to an animal or a fall of an object).
• a multimedia stream can further help to determine the identity of malicious third parties.
• the actions performed locally by the terminal can in particular be controlled remotely by the authorized third party.
• the terminal response 230 may also include a step of updating an alert level representative of a probability of attempted fraudulent use of said terminal, and a step of implementing less a reactive action of the terminal, following the detected manipulation, depending on the level of alert.
• the alert level of the terminal may be set to its minimum value (value "0"). example) and each manipulation can cause the level of alert to be incremented.
• a first value (1" for example)
• a local reactive action of the terminal for example a local record at the terminal of information representative of the manipulation, or a request to enter a maintenance code on the terminal.
• a second level of alert (value "2" for example)
• to a third level of alert can correspond a falsification or corruption of sensitive data.
• Such a reaction mode provides a response proportional to the probability of the threat, so as not to interfere with the operational operation of the terminal for a false alarm for example.
• the method may also include a step of restoring to its minimum value of the alert level, following a decision of the authorized third party (concluding a false alarm for example).
• the method may further include a step of disabling the terminal monitoring state. This step may in particular be implemented during a maintenance operation of the terminal.
• a first particular embodiment of the invention is presented, adapted for example to a monitoring of a portable payment terminal placed in a restaurant.
• the activation step 200 of the terminal monitoring is implemented automatically by the terminal, when the current value of at least one terminal context characterization information (for example the time current) is in a predefined range of values (for example, a closing time slot of the restaurant).
• the current value of at least one terminal context characterization information for example the time current
• a predefined range of values for example, a closing time slot of the restaurant.
• the method thus comprises a step 300 of determining the value routine of the characterization information, then a step of comparing 310 of this current value with a predefined range of values.
• This value range can in particular be defined by a parameterization of the terminal, realisé locally by an operator (the restau rateu r or the instal lateur of the terminal) using the interface control components of the terminal, or performed remote from a server dedicated to the management of the terminal park to which the terminal belongs.
• This setting can take into account the time zone in which the terminal is located, days of closure of the establishment (weekends, holidays or holidays) or maintenance of the terminal. It can also be done automatically, thanks to a synchronization with data contained in an electronic calendar and / or calendar, stored locally on the terminal or on the remote server.
• the method may in particular comprise a step of deactivating the waking state of the terminus, for example when the terminal context characterization information is again in the predefined range of values. .
• the invention thus allows automatic protection of the terminal, without daily action of an operator, activated only during the closing ranges of the place where the terminal is located.
• FIG. 4 presents a second particular embodiment of the invention, suitable for example for monitoring an electronic terminal subject to a support, in a fixed manner or so as to limit its movements, for example by the through a wired link.
• a terminal may for example be located in a store.
• the detection step 210 of a manipulation comprises a sub-step 410 of determining the current value of a characterization information of a context of the terminal and a comparison sub-step 420 of this current value with a predefined range of values.
• This sub-step of determination 410 can in particular follow any detected manipulation 400.
• l iée a position and / or a movement (displacement, rotation, acceleration) of the terminal.
• any movement of the terminal impossible in practice due to the l iaison of the terminal with its support, may be considered suspicious, it occurs during the opening hours or closing of the store. It could for example be an attempt to turn the terminal over, to replace it with a corrupt terminal, or an attempt to steal the terminal.
• the activation of the state of monitoring of the terminal will be done automatically by comparison of the current time and date with a range of predefined time-stamped values.
• the detection stage 210 of a machine will comprise the determination of a terminal orientation and its comparison with a predefined angular range, or the determination of a typical location of the terminal. 1 and its method with a predetermined geographical zone or the determination of a current acceleration of the terminal and its comparison with a predefined maximum value, the detection a strong acceleration, not compatible with a current use, which can translate the occurrence of a flight to the snatch.
• Such embodiments are for example also suitable for monitoring a portable terminal fixed on a support during the closing hours of a restaurant or a secretariat, in particular to recharge the terminal battery. They allow to react systematically to any movement of the terminal but only during the closing hours of the restaurant or the secretariat.
• such a terminal comprises a memory 500 comprising a buffer memory, a processing unit 510, equipped for example with a microprocessor ⁇ , and driven by a computer program 520, whose implementation implements a method of protection, according to one of the particular embodiments of the invention.
• the code instructions of the computer program 520 are for example loaded into a RAM before being executed by the processor of the processing unit 510.
• the processing unit 510 receives as input a header of a data stream.
• the microprocessor of the processing unit 510 implements the steps of the protection method described above, according to the instructions of the computer program 520.
• the electronic terminal comprises, in addition to the buffer memory 500:
• means for triggering a reaction by the terminal comprising means for detecting a warning message, representative of a probability of attempted fraudulent use of the terminal, and means for implementing at least one reactive action according to said alert level.
• the invention is implemented by means of software and / or hardware components.
• the term "means" may correspond in this document as well to a software component, a hardware component or a set of hardware and software components.
• a software component corresponds to one or more computer programs, one or more subroutines of a program, or more generally to any element of a program or software capable of implementing a program. function or a set of functions, as described below for the means concerned.
• Such a software component is executed by a data processor of a physical entity (terminal, server, gateway, set-top-box, router, etc.) and is able to access the hardware resources of this entity. physical (memories, recording media, communication buses, electronic I / O boards, user interfaces, etc.).
• a hardware component corresponds to any element of a hardware set (or hardware) able to implement a function or a set of functions, as described below for the module concerned. It may be a programmable hardware component or an integrated processor for running software, for example an integrated circuit, a smart card, a memory card, an electronic card for executing a software. firmware, etc.
• the terminal according to the invention may in particular comprise software or hardware components illustrated in FIG.

Landscapes

• Engineering & Computer Science (AREA)
• Theoretical Computer Science (AREA)
• Computer Hardware Design (AREA)
• Computer Security & Cryptography (AREA)
• Software Systems (AREA)
• Physics & Mathematics (AREA)
• General Engineering & Computer Science (AREA)
• General Physics & Mathematics (AREA)
• Burglar Alarm Systems (AREA)
• Alarm Systems (AREA)
• Storage Device Security (AREA)

Applications Claiming Priority (2)

Publications (1)

Family

ID=48468400

Family Applications (1)

Country Status (6)

Families Citing this family (3)

Citations (2)

Family Cites Families (2)

• 2012
  • 2012-12-14 FR FR1262038A patent/FR2999751B1/fr active Active
• 2013
  • 2013-12-10 BR BR112015013843-8A patent/BR112015013843B1/pt active IP Right Grant
  • 2013-12-10 CA CA2898364A patent/CA2898364C/en active Active
  • 2013-12-10 EP EP13818697.8A patent/EP2932432A1/de not_active Ceased
  • 2013-12-10 US US14/652,330 patent/US9805191B2/en active Active
  • 2013-12-10 WO PCT/EP2013/076137 patent/WO2014090829A1/fr active Application Filing

Patent Citations (2)

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events