JP6689917B2 - Personal authentication method at financial institutions - Google Patents

Description

  The present invention is a personal authentication method for a financial institution to determine the presence or absence of the independence of a trader in a specific transaction with a financial institution, and in particular, an unfair transaction without impairing the speed of the transaction. Regarding how to prevent.

  As for the recent transaction form with financial institutions, instead of window transactions, mechanical devices such as ATMs (Automatic Teller Machines) installed at financial institutions and other places are often selected, and IT such as the Internet is used. Along with the rapid spread of infrastructure and changes in the social and living environment, Internet banking, which does not require direct visits to financial institutions and ATM installation sites, is rapidly spreading and expanding. On the other hand, the crimes of illegally withdrawing deposits due to the forgery of cash cards used as personal authentication items to confirm the presence or absence of the trader's independence in these transactions and the stealing of IDs and passwords for Internet banking have been postponed. The methods are constantly becoming more complex and sophisticated.

  "Phishing fraud" and "illegal remittance virus" are known as typical methods of illegal remittance in Internet banking. For example, the phishing scam tricks fraudulent criminals by sending fraudulent emails masquerading to a financial institution to a contractor as a fraudulent criminal, pretending to be a financial institution listed in the fake email. You can access the "home page", enter information such as "ID / password, random number table data" according to the instructions, steal the information, access the "real home page" of the financial institution, and carry out illegal money transfer. is there.

  As a security measure against unauthorized remittances in Internet banking as described above, the "Phishing Countermeasures Council" said, "Watch out for suspicious emails." "Watch out for unusual login screens." "Always keep your OS and software up to date." The guidelines are established to keep users alert, such as: "Always update the virus definition database." "Check your account regularly." "Install software to prevent fraudulent money transfers." .

  According to a statement by the National Police Agency, the damage caused by illegal remittance in internet banking was 64 cases in 2012, which was about 48 million yen, and 1313 cases in 2013, about 1.4 billion 600 yen. The amount of damage was 10,000 yen, and by 2015, it was 1,495 cases, about 3,073 million yen, more than double the amount of the previous year's damage, which is a big threat to the existence of Internet banking. ing.

  On the other hand, the financial institution side can also send a one-time password to the user by e-mail or generate it using the smartphone application to confirm the transaction confirmation password when confirming the transfer to a place other than the registration destination. I am taking measures to use it. Furthermore, recently, a confirmation key for identity verification in a predetermined transaction request via the Internet is generated from transaction history information when the ATM is used and transmitted to the ATM, and the user receives the confirmation key via the ATM. Thus, there is also provided means for use as an auxiliary personal identification means in internet banking (Patent Document 1).

The damage caused by illegal transactions is not limited to Internet banking, and many cases have been reported in transactions involving more familiar cash cards. The typical method is as follows.
[Method 1: Method to attach skimming device to ATM card insertion slot]
A skimming device is attached to the ATM card insertion slot to skim data on magnetic stripes such as cash cards, and a small camera installed near the ATM illegally acquires the personal identification number entered by the depositor and forged the cash. Unauthorized withdrawal of deposits from overseas ATMs using cards.

[Method 2: Method of forging a cash card from a personal identification number type locker and forging it]
When a user of a security code locker or security box at a golf course or the like enters the security code, he / she can peek from behind or use the security code of a locker or the like obtained by peeping with a small camera. Unknowingly, open the locker and skim the data on the magnetic stripe of the cash card with the skimming device. Since the personal identification number of the cash card is often used also for the personal identification number of a locker or the like, the deposit is illegally withdrawn using the personal identification number.

[Method 3: vacant nest, vandalism on the car, holding, picking, picking, snatching]
At the time of the crime, steal the cash card, and withdraw the deposit from the ATM by guessing the personal identification number from the stolen article together with the cash card.

[Method 4: Method of making fraudulent transactions "pretending to be kind" to the elderly and care recipient]
Transactions other than the requested bank transaction after trusting the other person through the care of the elderly living alone and the person requiring nursing care, depositing the bankbook and seal or cash card on behalf of the person, and listening to the password Run to withdraw cash.

  On the other hand, financial institutions also add a skimming prevention function to the cash card reading part or write a special symbol on the magnetic stripe to take in the cash card to the ATM in order to prevent unauthorized withdrawal by the counterfeit cash card. In doing so, a special operation is implemented and a mechanism that makes skimming difficult is built into the ATM, or a different special symbol is written on the magnetic stripe of the cash card each time the transaction is completed, and whether it is traded with a valid cash card Measures are taken to enable the judgment of.

  Furthermore, in order to prevent unauthorized withdrawal by a stolen cash card, it is easy for a third party to guess the personal identification number, such as making it impossible to set a personal identification number that has a close relationship with the contractor such as the date of birth. It calls for cautions such as not using numbers.

  In counter transactions, which are the basics of transactions with financial institutions, in principle, passbooks and seals are used to perform personal authentication. The passbook and the seal are always exposed to the risk of theft or forgery, and as long as the passbook exists and the seal imprints match, there is no means to prevent this even if the transaction is substantially fraudulent. At best, it limits the withdrawal amount per day. That is, if the seal and the passbook are stolen, unfair transactions will be repeated within the limit amount unless the trader notifies the financial institution, and there is no means for preventing this.

JP, 2008-123461, A

  In order to carry out social life and carry out economic activities, transactions with financial institutions are indispensable, and are widely used for economic activities such as depositing, borrowing, and settlement of various payments, regardless of individuals, corporations, or groups. There is. Financial institutions are truly partners in social life and economic activities. In dealing with financial institutions, in order to establish the security of transactions, it is required to eliminate illegal transactions. For that purpose, various authentication items must ensure the security of the personal authentication system that prevents illegal transactions by confirming the presence or absence of the trader's independent ability on an account-by-account basis. At the same time, the effectiveness of transactions must not be impaired by measures to prevent illegal transactions. Therefore, in transactions, both security and promptness must be established at the same time.

  However, regarding measures to prevent illegal transactions in Internet banking and ATM transactions as described above, every time a financial institution develops a new authentication item and takes a new illegal transaction prevention measure, there is a new means of defeating the authentication item. The actual situation is provided by. For example, the provision of one-time passwords using e-mail etc., which is currently adopted by many financial institutions as a measure to prevent illegal transactions in Internet banking, means that the PC used by the user is infected with malware (malicious malicious software). If so, there is a risk of leakage to a third party, and it cannot be a complete safety measure. In fact, there is no way to prevent illegal transactions if you do not know that you have been stolen in window transactions using passbooks and seals.

  In addition, biometric authentication using fingerprints, palm prints, voice prints, faces, irises, and other biometrics is beginning to spread as a personalized authentication item. If the theft is stolen, it may be analyzed, duplicated and breached. Furthermore, since biometric information cannot be arbitrarily updated like a password, there is a fatal problem that once it is broken through by copying, the safety cannot be restored for life. In addition, there are people who cannot use biometric authentication depending on the circumstances. Therefore, even though the current personal authentication system has dramatically improved safety due to the construction of various security measures, there is always the possibility that the security measures will be violated, and improper transactions will be completely eliminated. The reality is that it cannot be prevented and security cannot be guaranteed.

  Therefore, in order to enable anyone to smoothly and smoothly perform transactions with financial institutions without impairing the speed of transactions, the present invention provides a quick transaction from a viewpoint different from the security enhancement of the conventional identity authentication system. It is an object of the present invention to provide a new personal identification method in a financial institution that prevents illegal transactions in the financial institution and secures the security of transactions without impairing the security.

  As a result of earnest research on securing transaction security in financial institutions, the present inventor has stolen an authentication item as a protective measure in the conventional personal authentication system as a preventive measure against illegal transactions, no matter how the protective measure is taken. We have come up with new knowledge that it is necessary to prevent illegal transactions on the premise that there is a possibility of breakage, that is, on the premise that security measures will be broken. Based on this knowledge, it is possible to provide a new personal authentication method in a financial institution that ensures both transaction safety and promptness even if the personal identification system is broken through by an unauthorized means.

That is, the present invention is a personal authentication method for a financial institution to determine the presence or absence of the independence of a trader in a specific transaction with a financial institution, and an authentication item registered in advance in a server of the financial institution, This authentication is completed by the main authentication that the server of the financial institution collates and judges the contract with the authentication item presented by the trader to the financial institution and the contractor number of the trader detected from the authentication item of this authentication as a key. After pre-authentication is completed, it consists of pre-processing to obtain information on presence / absence, specific transaction details, and main authentication completion date and time, and additional authentication that is separate and independent of main authentication and sequentially performs steps 1 to 5 below. Basically, a personal authentication method in a financial institution, which is characterized by requiring additional authentication.
Procedure 1: A procedure in which a transactor calls a server of a financial institution from a mobile phone through a telephone network of a communication carrier and transmits a caller number.
Step 2: The procedure of financial institutions server collation and judgment of the engage of the transmitted caller ID registered in advance caller ID of the transaction who has registered with the server of the financial institutions in Step 1.
Step 3: A step in which the server of the financial institution acquires the contractor number of the trader using the registered caller number entered in step 2 as a key.
Step 4: The server of the financial institution collates the contractor number acquired in step 3 with the contractor number acquired in the preprocessing to verify whether the verification items 1 to 3 below are satisfied from the information acquired in the preprocessing. Procedure to judge.
Verification item 1: The transaction details are specified and confirmed.
Verification item 2: This authentication has been completed.
Matching item 3: Within the predetermined time from the completion of this authentication.
Step 5: A step of completing additional authentication when the server of the financial institution determines that the collation items 1 to 3 shown in step 4 are satisfied.

Then, the server of the financial institution collates / determines whether or not the incoming number dialed from the trader to the server of the financial institution matches the telephone number set in advance by the financial institution in addition to step 1, and the The server disconnects the line that was called after acquiring the caller number, and after a certain period of time has passed after the completion of additional authentication, discards the information acquired in the preprocessing and leaves the verification items 1 to 3 blank. At the same time, the additional authentication is not completed, and the main authentication and the additional authentication are always in the unauthenticated state.

In addition, a smartphone is used as a mobile phone to call the server of the financial institution via the additional authentication application on the Web, and the telephone number of the financial institution is displayed on the additional authentication application in a callable manner. . Further, the telephone number of the financial institution is randomly selected from a plurality of telephone numbers and displayed on the additional authentication application on the Web, and the transaction with the financial institution is an ATM transaction, an internet banking transaction, or a window transaction, and Transactions are withdrawals, deposits, inquiries, changes in personal matters, or changes in authentication means.

The first feature of the present invention described above is a conventional personal identification means as a personal identification method for a financial institution to determine whether or not a transactor has the independent ability in a specific transaction with a financial institution. In the method (the main authentication in the present invention) in which the server of the financial institution collates and judges the contract between the authentication item registered in advance in the server of the financial institution and the authentication item presented by the trader to the financial institution , It is separate and independent, combined with additional authentication using the sender number of the mobile phone, which is information that can be transmitted and cannot be counterfeited, and requires additional authentication after the completion of this authentication. . Therefore, even if the authentication item of the main authentication, which is the conventional personal authentication method, is stolen or forged, the existence of the additional authentication can surely prevent the illegal transaction, and the vulnerability of the conventional personal authentication system. Can be surely covered to ensure the security of transactions. In addition, since additional transaction requires the trader to call the server of the financial institution from the mobile phone through the telephone network of the telecommunications carrier, the speed of the transaction is not impaired, and anyone can feel secure and smoothly with the financial institution. It becomes possible to trade.

  The second feature of the present invention is that, by using the caller number of the mobile phone of the transactor, which is the information that can be transmitted and cannot be forged, as a key for determining whether or not additional authentication is possible, the conventional authentication item can be used. It is possible to eliminate the risk of being counterfeited, and to ensure double security from both aspects of things (mobile phone) and information (caller ID).

  The third feature of the present invention is that, in the additional authentication, in addition to the verification / judgment of the sender number, it is necessary to satisfy the three verification items as a condition for completing the additional authentication. As the verification item 1 requires that "the transaction details have been specified and confirmed.", It is performed on an account-by-account basis. Unlike the above, since only the specific transactions that have completed this authentication are targeted, it is possible to ensure the security of the transactions for each specific transaction.

  As the verification item 2 requires “The main authentication has been completed.” Therefore, the additional authentication is performed after the main authentication separately from the main authentication. Therefore, it is assumed that the main authentication is broken through by an unauthorized means. In addition, it is possible to prevent illegal transactions by additional authentication and realize fail-safe.

  Since the verification item 3 requires "being within the predetermined time from the completion of main authentication.", The time for personal authentication can be set arbitrarily, and the main authentication and additional authentication work together to function as one unit. As a result, it is possible to add a security measure such as time setting to the additional authentication using the caller number, which is information that cannot be forged and can be transmitted.

The fourth feature of the present invention is that the caller number is used as a key to be transmitted to the server of the financial institution using the telephone network, and the transaction can be used anytime and anywhere, and a transaction requiring promptness is required. Does not impair the effectiveness of. Moreover, since the application on the Web is used, there is no need to install the application on a mobile phone such as a smartphone, and even if the mobile phone is replaced, the same phone number can be used as it is, and Communication charges are not incurred because both the trader and the financial institution need only receive the incoming call. Further, even if the mobile phone is lost, if the mobile phone itself is locked, security of transaction security can be maintained by additional authentication.

  Furthermore, even if the certified item of this certification is entrusted to a third party, the additional certification can be carried out by the trader himself. Even when requesting a financial transaction from a person, the safety of the transaction can be controlled by oneself or by the family.

The basic conceptual diagram of the personal authentication method in the financial institution concerning this invention. The basic block diagram of this invention. The basic block diagram of this invention. The basic block diagram of this authentication in this invention. The basic block diagram of the additional authentication in this invention. The detailed block diagram of the additional authentication of this invention. Basic configuration diagram of Internet banking transaction. Basic configuration diagram of ATM transaction. Basic configuration diagram of counter transaction. Explanatory drawing of the transmission method of a calling number. The conceptual diagram which shows the idea of this invention.

  An embodiment of a personal identification method in a financial institution according to the present invention will be described below with reference to the drawings. Transactions with a financial institution subject to the present invention include deposit business, loan business, foreign exchange business, securities business, insurance business, etc., in which the financial institution is required to confirm the presence or absence of the independence of the transactor in the transaction. This refers to financial transactions in general, and typical transactions are withdrawals, deposits, inquiries, changes in personal matters, changes in authentication methods, and others. Therefore, account transfers that automatically deduct utility charges, taxes, credit card usage charges, etc. are excluded. The transaction targeted by the present invention is not a comprehensive transaction between a financial institution and a trader, but is an individual transaction that is specifically executed. Therefore, the present invention does not confirm the independent ability of the trader on an account-by-account basis as in the past, but on a transaction-by-transaction basis.

  In addition, as financial institutions, not only credit unions, banks, agricultural cooperatives, securities companies, etc., but also non-banks such as credit companies, credit companies, leasing companies, etc. are widely covered by organizations that are engaged in the provision of financial services. I am trying. It should be noted that although the deposit does not currently require confirmation of the trader's independence, it can be included in the transaction subject to the present invention. Further, the transaction means is not limited, and may be ATM transaction, internet banking transaction, window transaction, or other transaction means.

  FIG. 11 is a conceptual diagram showing the idea of the present invention. In the past, strengthening measures to prevent illegal transactions in the main authentication R, which is the personal authentication method, is to prevent various kinds of authentication items such as "ID, password, cash card, PIN, passbook, seal" from being stolen. It is always trying to strengthen its defense measures, that is, how to prevent authentication items from being stolen. For example, "Countermeasure 1: How to deal with the system so that the ID / password for Internet banking cannot be stolen", "Countermeasure 2: How to deal with the forgery of cash card", and so on. Specific examples of the measures 1 and 2 are as described above as the conventional technique. However, even if Measure 1 and Measure 2 are newly constructed, a new method to break them is further developed, and the mechanism becomes more sophisticated and complicated, and eventually, the Certified R that built Measure 1 and Measure 2. Will also be torn. In this case, it becomes "playing pretend" between the defense method of the authentication item and the attack method for illegal transaction, and not only "the measures are inseparable" but also a drastic solution, and the rapid spread of the current IT infrastructure. It is impossible to establish the security of financial transactions in line with changes in the social and living environment. In other words, it is not guaranteed that anyone can safely deposit money in financial institutions and conduct transactions. Therefore, as shown by the statistics of illegal transactions, the damage caused by illegal transactions is rapidly increasing.

  Therefore, the present inventor changes the basic idea, and no matter how the defensive measures are taken, it is assumed that the defensive measures will be exceeded and various authentication items may be stolen. I got the idea that it is necessary to prevent it. Based on this idea, assuming that there is a case where unauthorized transactions may not be prevented with this authentication R, that is, "Assumption 1: Internet banking ID / password may be stolen" "Assumption 2: Cache To prevent unauthorized transactions, assuming that the security measures of this certification R are violated, such as "the card may be forged" "Premise 3: the personal identification number may be stolen" etc. As a result of various studies on this personal authentication method, the safety measures of this authentication R are strengthened and improved, and in addition to this authentication R, personal authentication by additional authentication A, which is separate and independent from this authentication R, is essential. The present inventors have conceived a personal authentication P according to the present invention in which the authentication R and the additional authentication A are associated with each other.

  1 is a basic conceptual diagram of a personal authentication method in a financial institution according to the present invention, FIGS. 2 and 3 are basic configuration diagrams thereof, FIG. 4 is a basic configuration diagram of main authentication, FIG. 5 is a basic configuration diagram of additional authentication, and FIG. 6 is a detailed configuration diagram of additional authentication. As shown in FIG. 1 and FIG. 3, the trader 1 makes a specific transaction application 65 such as withdrawal or transfer from the state before the specific transaction application 60, ATM transaction 66 (Automatic teller machine transaction), IB transaction 67. (Internet banking transaction), window transaction 68, etc. are performed to the financial institution U, and the authentication item 70 of the final authentication R is presented to the financial institution U, whereby the final authentication R is performed.

The authentication method of this authentication R is the same as the authentication method that has been conventionally performed. The authentication item registered by the trader 1 in advance at the financial institution U and the authentication item 70 presented by the trader 1 to the financial institution U 70 The server of the financial institution U collates and judges the contract with. The authentication item 70 is a conventionally used ID, password, cash card, passbook, seal, fingerprint or other living body. The server of the financial institution U performs the verification / judgment of the presented authentication item 70 and the authentication item registered in the server of the financial institution U as in the conventional case, and if they match, the main authentication R is completed. If they are different, a predetermined error process is performed, the main authentication R is not completed and the process ends, and the process of the applied transaction is disabled as in the conventional case.

  In the present invention, upon receipt of this main authentication completion 3, additional authentication A is further added to perform the authentication. Upon completion of the additional authentication 40, the personal authentication P (see FIG. 2) by both the main authentication R and the additional authentication A is completed, and the trader 1 is authenticated with the person and the specific transaction execution 200 becomes possible.

As described above, the personal authentication P in the present invention is performed by a combination of the same main authentication R as the conventional one and the additional authentication A newly added by the present invention, and the additional authentication A includes the pre-processing 10 and the additional authentication processing. It is carried out in two stages of 20. The server of the financial institution U stores various information regarding completion / non-completion of the main authentication R and additional authentication A in a predetermined storage device such as the user management database 100 (see FIG. 6), specifically, the authentication information 110, the contractor. The number information 120, the transaction information 130, the transaction setting date information 140, the transaction setting time information 150, and other necessary information are stored as additional authentication data C, and based on these various information, the completion / non-completion and identification of the additional authentication A are identified. Judgment as to whether or not the transaction can be executed.

  The authentication information 110 is information about completion / non-completion of each of the main authentication R and the additional authentication A, and is “uncompleted 115” indicating that both the main authentication R and the additional authentication A before the specific transaction application 60 are uncompleted. And information indicating one of “main authentication completion 3” indicating that the additional authentication A has not been completed and “additional authentication completion 40” indicating the completion of both the main authentication R and the additional authentication A after the completion of the main authentication R. Is.

  The contractor number information 120 is a contractor number 15 assigned and assigned to each contractor through all the stores, regardless of the actual store / branch of the actual store of the financial institution U or a branch on the Internet. Contractor number 15 = 1: 1]. In the present invention, the contractor number information 120 is used to identify the trader 1 who performs the personal authentication P including the main authentication R and the additional authentication A.

  The transaction information 130 is specific transaction information requested by the trader 1 by a predetermined procedure such as ATM transaction 66, IB transaction 67, window transaction 68, etc. Specifically, the application transmitted from the trader 1 to the financial institution U. The transaction content 131. The transaction setting date information 140 is information related to the date when the main authentication R is completed, and is the “today 141” or a specific date. The transaction setting time information 150 is information about the time when the main authentication R is completed, and is the “main authentication completion time 151”. The information displayed on the additional authentication data C can be appropriately selected by the financial institution U according to the content of the transaction.

As for the information of the additional authentication data C, before the completion of the main authentication R based on the collation / judgment of the authentication item 70, the authentication information 110 indicates that both the main authentication R and the additional authentication A are incomplete as shown below. In addition to 115, the other information is blank 125, 135, 145, 155, and no information is input.
Authentication information 110: Incomplete 115
Contractor number information 120: Blank 125
Transaction information 130: Blank 135
Transaction setting date information 140: Blank 145
Transaction set time information 150: Blank 155

The server of the financial institution U that has made the specific transaction application 65 and completed the main authentication R is linked to the authentication item 70 of the main authentication R such as the ID, password, cash card, and passbook presented by the trader 1. The contractor number 15 of the trader 1 is searched, and the preprocessing 10 necessary for acquiring various information in the additional authentication data C is performed. After the completion of the main authentication, the pre-processing 10 updates the data of the additional authentication data C before the additional authentication, and the authentication information 110 indicates that the main authentication R is completed and the additional authentication A is not completed as described below. The transaction information 130 is recorded as the final authentication completion 3, and the specific contractor number 15 as the contractor number information 120 and the application transaction content 131 transmitted to the server of the financial institution U as the transaction information 130 are the transaction setting date information 140. The current day 141 is recorded as, and the main authentication completion time 151 is recorded as the transaction setting time information 150. At the same time, the trader 1 is notified through the various means such as the Internet, ATM, window staff or the like corresponding to the trading means to carry out the additional authentication A.
Authentication information 110: Completed authentication 3
Contractor number information 120: Contractor number 15
Transaction information 130: Application transaction content 131
Transaction setting date information 140: Today's 141
Transaction setting time information 150: Time of completion of main authentication 151

Next, as shown in FIGS. 2 to 6, the server of the financial institution U performs the additional authentication process 20 by the method shown in the following procedures 1 to 5.

[Procedure 1: Procedure in which the transactor 1 calls the server of the financial institution U from the mobile phone 5 through the telephone network 77 of the communication carrier 75 and transmits the caller number 25. ]
Upon receipt of the notification of completion of the final authentication R and the notification of additional authentication A from the server of the financial institution U, the transactor 1 has the mobile phone 5 having the caller number 25 (telephone number) registered in the server of the financial institution U in advance. Then, through the telephone network 77 of the appropriate communication carrier 75, the call is sent to the server of the financial institution U to make a transaction, and the caller number 25 of the mobile phone 5 is transmitted to the server of the financial institution U as information.

At the time of calling, as shown in FIG. 10, the additional authentication application 6 on the Web is activated from the smartphone 5a, and the telephone number 7 randomly selected from the telephone number group of the financial institution U is displayed on the additional authentication application 6. Is displayed so that it can be called so that the trader 1 can call the server of the financial institution U by selecting it. In this way, the transactor 1 does not need to store or record the telephone number 7 of the financial institution U, and does not need to download the additional authentication application 6 to the smartphone 5a. Further, if the toll-free number is selected as the telephone number 7 of the financial institution U, it can be clearly indicated that the trader 1 does not have to bear the communication fee.

The telephone number 7 of the financial institution U displayed in the additional authentication application 6 on the Web is shuffled and displayed each time the additional authentication application 6 on the Web is activated from a plurality of telephone number groups. More secure. As the mobile phone 5 to be used, but the use of the mobile phone 5 of the Treasury is the basic, caller ID 25 (phone to the server of the pre-financial institutions U be a mobile phone 5 of the family name, such as another person name Any mobile phone 5 having a registered number can be used. The mobile phone 5 occupied by the trader 1 is preferable regardless of the name of the self or the name of another person. By occupying it, the key sender number 25 can be physically protected from a third party. In addition, since the mobile phone 5 is often carried at all times, even if it is lost or stolen, the mobile phone 5 itself can be locked. It is possible to secure double security from both sides of the person number 25). The fixed telephone can also notify the caller number like the mobile telephone 5, but it is not used in the present invention because it cannot be carried, occupied, or locked. It is convenient to use the smartphone 5a as the mobile phone 5.

  In the present invention, by using the caller number 25 of the mobile phone 5 of the trader 1, which is the information that can be transmitted and cannot be forged, as a key for determining whether the additional authentication A is possible, the conventional authentication item 70 can be obtained. That is, it is possible to eliminate the risk of being forged, and to double secure the information (the mobile phone 5) and the information (the sender number 25). The sender number 25 corresponds to an authentication item 70 such as a cash card, a personal identification number, an ID, a password, a living body, or a seal stamp, which is the authentication item 70 in the existing main authentication R. The limitation of this authentication R is that the authentication item 70 remains stolen, forged or copied, no matter how the security measure is strengthened. In order to prevent illegal transactions and ensure the security of transactions, it is required that counterfeiting and copying be impossible. In the present invention, forgery, duplication and concepts similar to these are called forgery. Further, in order to ensure the effectiveness of preventing illegal transactions without impairing the speed of transactions, it is required that information can be smoothly transmitted. Therefore, as a result of further research by focusing on things that the present invention cannot forge, can be transmitted as information, and that most of the traders possess, as a thing that satisfies the condition, the caller at the time of calling. As the number notification, attention was paid to the caller number 25 notified to the called party.

Caller number notification is a service that notifies the telephone line number (telephone number) of the caller (that is, the transactor 1) to the called party (that is, the server of the financial institution U) as the caller number 25 when calling. The called party can obtain the notified caller number 25 as information. This caller number 25 was also disguised before 2005, specifically before 2005, and if you answer the call because you think it is a genuine caller, you may suffer fraud and other social problems. Was becoming. Therefore, the "General Incorporated Association Telecommunications Carriers Association" established the "Caller ID camouflage display guidelines" in 2005, and the telecommunications carriers (that is, telecommunications carriers 75 ) Has taken the necessary measures, there is no risk of forgery now. In addition, since information is automatically transmitted by a call, it is available to all without the need for complicated procedures for information transmission. The penetration rate of the mobile phone 5 has already exceeded 120% with respect to the population, and the smartphone 5a has also been rapidly spread from 50%, so it has been established as an IT infrastructure. In particular, the smartphone 5a has become the most familiar information tool for users of Internet banking and the like.

  Therefore, in the present invention, the caller number 25 of the mobile phone 5, particularly the caller number 25 of the smartphone 5a, is used as the key for the additional authentication A as the information that can be transmitted and cannot be forged. The information is not limited to the sender number 25, and other information that can be transmitted and cannot be forged can be used.

The server of the financial institution U that has received the call from the trader 1 via the additional authentication application 6 on the Web disconnects the line 23 after confirming the incoming call 21 (after one call). Thereby, caller ID 25 smartphone 5a used trader 1 as information via the telephone network 77 of the communications carrier 75 is transmitted to the server of the financial institution U, financial institutions U server caller number and The incoming call number acquisition 22 can be performed.

Step 2: Firms procedure U server collates and judgment the transmitted engaged Caller ID 25 and advance financial institutions U registered caller ID 161 traders 1 registered in the server in Step 1. ]
The server of the financial institution U , which has acquired the caller number 25 transmitted from the trader 1 as information, makes a collation judgment 26 with the registered caller number 161 in the registered caller number management information 160 registered in the user management database 100. The caller number inquiry 24 is carried out. If the caller number 25 and the registered caller number 161 are different, the additional authentication A is not completed and the process ends 27, and the transaction shown in the application transaction content 131 is prohibited.

[Procedure 3: A procedure for the server of the financial institution U to acquire the contractor number 15 of the trader 1 using the registered caller number 161 signed in step 2 as a key. ]
When the caller number 25 and the registered caller number 161 match, the contractor number 15 in the contractor management information 170 registered in the user management database 100 is acquired using the registered caller number 161 as a key. Carry out 16.

Further, the called number in the called number management information 180 registered in the user management database 100 in order to collate and determine that the telephone number 7 used by the trader 1 to call the server of the financial institution U is an authentic number. A called number inquiry 28 is carried out for making a collation judgment 29 with 181. The server of the financial institution U prepares a plurality of incoming call numbers 181 from the second incoming call number 182 to the n-th incoming call number 183, and periodically changes them to enhance security. . Further, in the called number management information 180, other called number information 184 can be registered if necessary. When using the additional authentication application 6 on the Web, it is preferable to change the additional authentication application 6 periodically or each time. If the incoming call numbers 181 match, the collation items 1 to 3 shown in step 4 are collated. On the other hand, when the telephone number 7 which the trader 1 has called differs from the genuine incoming number 181, the additional authentication A is not completed and the processing ends 30, and the transaction based on the applied transaction content 131 is not executed. .

[Procedure 4: When the server of the financial institution U receives the contractor number 15 acquired in step 3 and the contractor number 15 acquired in preprocessing 10 from the information acquired in preprocessing 10, Procedure to check and determine whether or not there is satisfaction. ]
The server of the financial institution U uses the contractor number 15 obtained in step 3 as a key, and makes a collation determination 32 to determine whether or not the collation items 1 to 3 are satisfied with respect to the various information obtained in the preprocessing 10 31.

Verification item 1: The transaction details are specified and confirmed.
Verification item 2: This authentication has been completed.
Matching item 3: Within the predetermined time from the completion of this authentication.

  First, the application transaction content 131 as a specific transaction that is subject to additional authentication A is specified, and the items (contractor, account name, account number, etc.) required to specify the transaction are confirmed. As a collation item 1, the collation judgment 32 is performed with respect to the applied transaction content 131 recorded as the transaction information 130 in the additional authentication data C. Next, since it is premised that the additional authentication A has completed the main authentication R, the verification determination 32 is made with the completion / non-completion of the main authentication R as the verification item 2. Furthermore, the fact that it is within the predetermined time set from the main authentication completion 3 as the matching item 3, the current day 141 recorded in the transaction setting date information 140 and the transaction setting time information 150 of the additional authentication data C1, the main authentication completion time The collation judgment 32 is made for 151. Note that other items may be added to the collation items 1 to 3 as collation items.

[Procedure 5: A procedure for completing the additional authentication A when the server of the financial institution U determines that the collation items 1 to 3 shown in Procedure 4 are satisfied. ]
Then, when all of the collation items 1 to 3 match, the additional authentication A is completed and the authentication information 110 is updated to the additional authentication completion 40 as shown in step 5. As a result, both the main authentication R and the additional authentication A are completed, and the specific transaction execution 200 is performed. When the specific transaction execution 200 is completed, the post-processing 50 is performed, the additional authentication data C is reset 210 to the state before the specific transaction application 60, the authentication information 110 is incomplete 115, the contractor number information 120, the transaction information 130. , The transaction set date information 140 and the transaction set time information 150 are updated to be blanks 125, 135, 145, 155, respectively. On the other hand, if any one of the collation items 1 to 3 is different, the additional authentication A is not completed and the process ends 33, and the transaction based on the applied transaction content 131 is prohibited. Moreover, when the monitoring timer is started 35 after the completion of the additional authentication 40, and the specific transaction execution 200 is not performed within the set fixed time from the state in which the specific transaction execution 200 is possible, and the processing ends 27, 30, and 33 described above. Even when it is performed, the post-processing 50 is performed, and the additional authentication data C is reset 210 to the state before the specific transaction application 60 and updated.

[IB transaction]
An IB transaction 67 (Internet banking transaction) using the personal authentication method in the financial institution having the above-described configuration will be described based on the basic configuration diagram shown in FIG. 7. Web browser trader 1 internet terminal 250, performs IB access 251 via the Internet 270, by performing the security communication is established 230 between the financial institution U servers, financial institutions U server login screen The acquisition 231 is performed and the login screen 252 is displayed on the Internet terminal 250. In response to the request on the login screen 252, the trader 1 inputs the authentication item 70 (ID 253, login password 254) and logs in 255.

The server of the financial institution U sends the authentication item inquiry 232 to the user management database 100 as the main authentication R, which is an authentication item inquiry 232 for collating and judging 233 the correctness of the input authentication item 70 (ID 253, login password 254). If the authentication item 70 matches the authentication item registered in the user management database 100, a predetermined login process is performed, the login completion screen 258 is displayed on the Internet terminal 250, and then the transaction screen is displayed. 259 is displayed. On the other hand, if the authentication items 70 are different, error processing 234 is performed to display the information on the Internet terminal 250 to prompt re-input, or predetermined processing such as ending the transaction is performed.

Next, the trader 1 inputs the transaction information 130 and the transaction confirmation number 260 from the transaction screen 259, and the server of the financial institution U makes a transaction confirmation number inquiry 235. Transaction information 130 information for traders 1 identifies a specific transaction requests to the server of the financial institution U, in particular in the application transaction details 131 transmitted to the server of the financial institution U from transactor 1 is there. The transaction confirmation number 260 is a password at the time of transaction and is given separately from the login password 254 used for login. The server of the financial institution U makes a collation determination 236 of the input transaction confirmation number 260 based on the transaction confirmation number inquiry 235, and if they match, makes the main authentication R the main authentication completion 3. On the other hand, if the transaction confirmation numbers 260 are different, error processing 237 is performed to display the information on the Internet terminal 250 to prompt re-input, or a predetermined processing such as ending the transaction is performed. The processing method of the main authentication R up to this point is the same as the conventional IB transaction.

The server of the financial institution U that has completed the final authentication 3 obtains the contractor number 15 of the trader 1 associated with the authentication item 70 of the main authentication R input from the trader 1 from the user management database 100. , And performs pre-processing 10 necessary for acquiring various information in the additional authentication data C. As described above, the contents are the authentication information 110, the contractor number information 120, the transaction information 130, the transaction setting date information 140, the transaction setting time information 150, and other necessary information.

The server of the financial institution U that has completed the preprocessing 10 displays the additional authentication request screen 262 on the Internet terminal 250 via the Internet 270 and requests the trader 1 for the additional authentication A. The trader 1 who has received the request for the additional authentication process 20 from the server of the financial institution U activates the additional authentication application 6 on the Web on the smartphone 5a and makes a call via the telephone network 77 of the communication carrier 75 according to the display. 8 and call the server of the financial institution U. The server of the financial institution U obtains the caller number 25 (telephone number) of the smartphone 5a of the transactor 1 as information by receiving 21 the call from the transactor 1 and then disconnecting 23. In the procedure, the additional authentication processing 20 is performed, and the additional authentication completion 40 completes the personal authentication P (see FIG. 2) by both the main authentication R and the additional authentication A. Therefore, the transaction processing 38 is performed and the accounting system 190 is used. Transaction execution 191 is performed.

  At the same time, the transaction completion screen 263 is displayed on the Internet terminal 250 via the Internet 270, and the monitoring timer is activated 35 as shown in FIG. C is reset 210 and updated to the state before the specific transaction application 60. When the main authentication R is not completed and the additional authentication A is not completed, the additional authentication data C is similarly updated to the state before the specific transaction application 60.

[ATM transaction]
An ATM transaction 66 (a transaction using a cash card or passbook and a personal identification number) using the personal authentication method in the financial institution according to the present invention having the above configuration will be described based on the basic configuration diagram shown in FIG. The trader 1 inserts the authentication item 70 (cash card 301 or passbook 302) from the ATM 300, and inputs the transaction information 303 and the authentication item 70 (personal identification number 304) from the closed network 320 of the financial institution U. The server of the financial institution U performs an input message check 310 input from the ATM 300, and at the same time as the main authentication R, an authentication that verifies 312 whether the input authentication item 70 (cash card 301 or passbook 302 and the personal identification number 304) is correct. When the item inquiry 311 is performed on the user management database 100 and the authentication item 70 matches the authentication item registered in the user management database 100, the main authentication R is set to the main authentication completion 3. The processing method of the main authentication R up to this point is the same as the conventional ATM transaction. On the other hand, if the authentication items 70 are different, error processing 313 is performed and the information is displayed on the ATM 300 via the closed network 320 to prompt re-input, or a predetermined processing such as ending the transaction is performed. .

The server of the financial institution U that has completed the final authentication 3 obtains the contractor number 15 of the trader 1 associated with the authentication item 70 of the main authentication R input from the trader 1 from the user management database 100. , And performs pre-processing 10 necessary for acquiring various information in the additional authentication data C. As described above, the contents are the authentication information 110, the contractor number information 120, the transaction information 130, the transaction setting date information 140, the transaction setting time information 150, and other necessary information.

The server of the financial institution U that has completed the preprocessing 10 displays the additional authentication request screen 305 on the ATM 300 and requests the trader 1 for the additional authentication A. The trader 1 who has received the request for the additional authentication process 20 from the server of the financial institution U activates the additional authentication application 6 on the Web on the smartphone 5a and, according to the display, makes a call via the telephone network 77 of the communication carrier 75. 8 and call the server of the financial institution U. The server of the financial institution U obtains the caller number 25 (telephone number) of the smartphone 5a of the transactor 1 as information by receiving 21 the call from the transactor 1 and then disconnecting 23. In the procedure, the additional authentication processing 20 is performed, and the additional authentication completion 40 completes the personal authentication P (see FIG. 2) by both the main authentication R and the additional authentication A. Therefore, the transaction processing 38 is performed and the accounting system 190 is used. Transaction execution 191 is performed.

  At the same time, the transaction completion screen 306 is displayed on the ATM 300 via the closed network 320, the monitoring timer is started 35 as shown in FIG. 6, and the post-processing 50 is performed after a predetermined time has elapsed, and the additional authentication data C Is reset 210 to update the state before the specific transaction application 60. When the main authentication R is not completed and the additional authentication A is not completed, the additional authentication data C is similarly updated to the state before the specific transaction application 60.

[Counter transaction]
The counter transaction 68 using the personal authentication method in the financial institution having the above-described configuration will be described based on the basic configuration diagram shown in FIG. The transactor 1 submits the transaction slip 351 in which the transaction content is described at the window 350 and the passbook 352 and the imprint 353 as the authentication item 70 to the window staff of the financial institution U. The window staff member of the financial institution U receives these, performs the input message check 370, and as the main authentication R, the authentication item inquiry 371 that collates and determines 372 the correctness of the input authentication item 70 (passbook 352, seal 353). If the authentication item 70 matches with the authentication item registered in the user management database 100, the main authentication R is set to the main authentication completion 3. The processing method of the main authentication R up to this point is the same as the conventional counter transaction. On the other hand, when the authentication items 70 are different, an error process 373 is performed, and the information is transmitted from the window staff to the trader 1 to prompt re-submit, or a predetermined process such as ending the transaction is performed.

The server of the financial institution U that has completed the final authentication 3 obtains the contractor number 15 of the trader 1 associated with the authentication item 70 of the main authentication R input from the trader 1 from the user management database 100. , And performs pre-processing 10 necessary for acquiring various information in the additional authentication data C. As described above, the contents are the authentication information 110, the contractor number information 120, the transaction information 130, the transaction setting date information 140, the transaction setting time information 150, and other necessary information.

The server of the financial institution U that has completed the pre-processing 10 requests the trader 1 to perform the additional authentication 355, and requests the trader 1 to perform the additional authentication 20. The trader 1 who has received the request for the additional authentication process 20 from the server of the financial institution U activates the additional authentication application 6 on the Web on the smartphone 5a and makes a call via the telephone network 77 of the communication carrier 75 according to the display. 8 and call the server of the financial institution U. The server of the financial institution U obtains the caller number 25 (telephone number) of the smartphone 5a of the transactor 1 as information by receiving 21 the call from the transactor 1 and then disconnecting 23. In the procedure, the additional authentication processing 20 is performed, and the additional authentication completion 40 completes the personal authentication P (see FIG. 2) by both the main authentication R and the additional authentication A. Therefore, the transaction processing 38 is performed and the accounting system 190 is used. Transaction execution 191 is performed.

  At the same time, the window staff member transmits the transaction completion report 356 to the trader 1, activates the monitoring timer 35 as shown in FIG. 6, and performs post-processing 50 after a lapse of a predetermined time to obtain additional authentication data C. Reset 210 and update to the state before the specific transaction application 60. When the main authentication R is not completed and the additional authentication A is not completed, the additional authentication data C is similarly updated to the state before the specific transaction application 60.

The first feature of the present invention described above is a conventional personal identification means as a personal identification method for a financial institution to determine whether or not a transactor has the independent ability in a specific transaction with a financial institution. In the method (the main authentication in the present invention) in which the server of the financial institution collates and judges the contract between the authentication item registered in advance in the server of the financial institution and the authentication item presented by the trader to the financial institution , It is separate and independent, combined with additional authentication using the sender number of the mobile phone, which is information that can be transmitted and cannot be counterfeited, and requires additional authentication after the completion of this authentication. . Therefore, even if the authentication item of the main authentication, which is the conventional personal authentication method, is stolen or forged, the existence of the additional authentication can surely prevent the illegal transaction, and the vulnerability of the conventional personal authentication system. Can be surely covered to ensure the security of transactions. In addition, since additional transaction requires the trader to call the server of the financial institution from the mobile phone through the telephone network of the telecommunications carrier, the speed of the transaction is not impaired, and anyone can feel secure and smoothly with the financial institution. It becomes possible to trade.

  The second feature of the present invention is that, by using the caller number of the mobile phone of the transactor, which is the information that can be transmitted and cannot be forged, as a key for determining whether or not additional authentication is possible, the conventional authentication item can be used. It is possible to eliminate the risk of being counterfeited, and to ensure double security from both aspects of things (mobile phone) and information (caller ID).

  The third feature of the present invention is that, in the additional authentication, in addition to the verification / judgment of the sender number, it is necessary to satisfy the three verification items as a condition for completing the additional authentication. As the verification item 1 requires that "the transaction details have been specified and confirmed.", It is performed on an account-by-account basis. Unlike the above, since only the specific transactions that have completed this authentication are targeted, it is possible to ensure the security of the transactions for each specific transaction.

  As the verification item 2 requires “The main authentication has been completed.” Therefore, the additional authentication is performed after the main authentication separately from the main authentication. Therefore, it is assumed that the main authentication is broken through by an unauthorized means. In addition, it is possible to prevent illegal transactions by additional authentication and realize fail-safe.

  Since the verification item 3 requires "being within the predetermined time from the completion of main authentication.", The time for personal authentication can be set arbitrarily, and the main authentication and additional authentication work together to function as one unit. As a result, it is possible to add a security measure such as time setting to the additional authentication using the caller number, which is information that cannot be forged and can be transmitted.

The fourth feature of the present invention is that the caller number is used as a key to be transmitted to the server of the financial institution using the telephone network, and the transaction can be used anytime and anywhere, and a transaction requiring promptness is required. Does not impair the effectiveness of. Moreover, since the application on the Web is used, there is no need to install the application on a mobile phone such as a smartphone, and even if the mobile phone is replaced, the same phone number can be used as it is, and Communication charges are not incurred because both the trader and the financial institution need only receive the incoming call. Further, even if the mobile phone is lost, if the mobile phone itself is locked, security of transaction security can be maintained by additional authentication.

  Furthermore, even if the certified item of this certification is entrusted to a third party, the additional certification can be carried out by the trader himself. Even when requesting a financial transaction from a person, the safety of the transaction can be controlled by oneself or by the family.

U ... Financial institution P ... Authentication R ... Authentication A ... Additional authentication 10 ... Pre-processing 20 ... Additional authentication processing 50 ... Post-processing 1 ... Trader 3 ... Complete authentication 5 ... Mobile phone 5a ... Smartphone 6 ... Additional authentication application 7 ... Telephone number 8 ... Calling 15 ... Contractor number 16 ... Contractor number acquisition 21 ... Incoming call 23 ... Line disconnection 24 ... Caller number inquiry 25 ... Caller number 26,29,32,233,236,312,372 ... Matching judgment 27, 30, 33 ... Processing end 28 ... Called number inquiry 31 ... Matching item inquiry 35 ... Monitoring timer start 38 ... Transaction processing 40 ... Additional authentication completion 60 ... Before specific transaction application 65 ... Specific transaction application 66 ... ATM Transaction 67 ... IB transaction 68 ... Window transaction 70 ... Authentication item 75 ... Communication carrier 77 ... Telephone network 100 ... User management database 110 ... Authentication information 120 ... Contract Person number information 130, 303 ... Transaction information 131 ... Application transaction content 140 ... Transaction setting date information 141 ... Today's day 150 ... Transaction setting time information 151 ... Main authentication completion time 125, 135, 145, 155 ... Blank 160 ... Registration sender number Management information 161 ... Registered sender number 170 ... Contractor management information 180 ... Incoming number management information 181 ... Incoming number 190 ... Accounting system 191 ... Transaction execution 200 ... Specific transaction execution 210 ... Reset 230 ... Security communication establishment 231 ... Login Screen acquisition 232, 311, 371 ... Authentication item inquiry 235 ... Transaction confirmation number inquiry 234, 237, 313, 373 ... Error handling 250 ... Internet terminal 251, IB access 252 ... Login screen 253 ... ID
254 ... Login password 255 ... Login 258 ... Login completion screen 260 ... Transaction confirmation number 262, 305 ... Additional authentication request screen 263, 306 ... Transaction completion screen 300 ... ATM
301 ... Cash card 302 ... Passbook 304 ... PIN number 310, 370 ... Input message check 320 ... Closed network 350 ... Window 351 ... Transaction slip 352 ... Passbook 353 ... Imprint 355 ... Additional authentication request 356 ... Transaction completion report

Claims (11)

In a specific transaction with a financial institution, a personal authentication method for the financial institution to judge whether the trader has the independent ability,
A main authentication in which the server of the financial institution collates and judges the agreement between the authentication item registered in advance in the server of the financial institution and the authentication item presented by the trader to the financial institution,
Using the contractor number of the trader detected from the certified item of this certification as a key, the pre-processing to acquire the information of the completion of this certification, the content of the specific transaction, the date and time of this certification completion,
A personal authentication method in a financial institution, which is independent of the main authentication and comprises additional authentication in which the following steps 1 to 5 are sequentially performed, and authentication by the additional authentication is required after the completion of the main authentication.
Procedure 1: A procedure in which a transactor calls a server of a financial institution from a mobile phone through a telephone network of a communication carrier and transmits a caller number.
Step 2: The procedure of financial institutions server collation and judgment of the engage of the transmitted caller ID registered in advance caller ID of the transaction who has registered with the server of the financial institutions in Step 1.
Step 3: A step in which the server of the financial institution acquires the contractor number of the trader using the registered caller number entered in step 2 as a key.
Step 4: The server of the financial institution collates the contractor number acquired in step 3 with the contractor number acquired in the preprocessing to verify whether the verification items 1 to 3 below are satisfied from the information acquired in the preprocessing. Procedure to judge.
Verification item 1: The transaction details are specified and confirmed.
Verification item 2: This authentication has been completed.
Matching item 3: Within the predetermined time from the completion of this authentication.
Step 5: A step of completing additional authentication when the server of the financial institution determines that the collation items 1 to 3 shown in step 4 are satisfied. 2. The financial system according to claim 1, wherein the server of the financial institution , in addition to step 1, verifies / determines whether or not the incoming call number called from the trader to the server of the financial institution matches the telephone number previously determined by the financial institution. Personal authentication method at the institution. The personal authentication method in a financial institution according to claim 1 or 2, wherein the server of the financial institution disconnects the line that was called after acquiring the caller number.   The financial institution according to claim 1, 2 or 3, wherein after a certain period of time has passed after completion of the additional authentication, the information acquired in the preprocessing is discarded, the verification items 1 to 3 are blank, and the additional authentication is not completed. Authentication method in.   The personal authentication method in a financial institution according to claim 1, 2, 3 or 4, wherein the main authentication and the additional authentication are always in a non-authenticated state.   The personal authentication method in a financial institution according to claim 1, 2, 3, 4 or 5, wherein a smartphone is used as a mobile phone. The personal authentication method in a financial institution according to claim 1, 2, 3, 4, 5 or 6, wherein the call to the server of the financial institution is made via an additional authentication application on the Web. The call-in to a server of a financial institution, via an additional authentication application on the Web, according to claim 1, 2, 3, 4, carried out on the additional authentication application displays the telephone number of the financial institution call receiver to be able to Or the personal identification method in the financial institution described in 6.   9. The personal identification method in a financial institution according to claim 8, wherein the telephone number of the financial institution is randomly selected from a plurality of telephone numbers and displayed in the additional authentication application on the Web.   The personal authentication method in a financial institution according to claim 1, 2, 3, 4, 5, 6, 7, 8 or 9, wherein the transaction with the financial institution is an ATM transaction, an internet banking transaction or a window transaction.   The financial institution according to claim 1, 2, 3, 4, 5, 6, 7, 8, 9, or 10, wherein the transaction with the financial institution is withdrawal, deposit, inquiry, change of personal matters or change of authentication means. Personal authentication method.

Images