KR101494838B1 - Account transfer method and system using transaction related otp - Google Patents

Abstract

The present invention relates to a method for making an account transfer using a transaction-interworked one time password (OTP). The method includes the steps of: transmitting an account transfer request and electronic signature information from a user device to a financial institution server; verifying the electronic signature information by the financial institution server; requesting, by the financial institution server, a transaction-interworked OTP to a user mobile terminal after the electronic signature information is verified; generating the transaction interworked OTP by using a trusted application which is driven in the mobile terminal; inputting the generated transaction-interworked OTP by using the user device and transmitting an verification request of the transaction-interworked OTP to the financial institution server; performing, by the financial institution server, transaction-interworked OTP verification in response to the verification request through an OTP verification server; and making a transfer in response to the account transfer request by the financial institution server if the transaction-interworked OTP verification is completed.

Description

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a transaction transfer method and system using transaction-

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method and system for transferring money using a One Time Password (OTP), and more particularly, And to a system and a system for performing account transfer.

With the increasing use of digital devices such as computers and smart phones, electronic commerce using such digital devices has been widely used in various fields. In particular, mobile terminals such as smart phones have advantages that users always carry around, and various financial related applications are released to facilitate users' convenience.

In financial transactions (for example, bank transfer) using such a smart phone, an OTP input method has been commercialized as a function of security and authentication in place of an existing security card. However, existing OTPs have the disadvantages of having a separate OTP generation terminal and there is a risk of loss of the OTP. In recent years, there is a risk of hacking.

Among these problems, an OTP generation / authentication system using a mobile phone having an OTP generation program is disclosed in Korean Patent Registration No. 10-0883154 in order to solve the inconvenience of owning an OTP generation terminal. However, the above-mentioned registered patent has a disadvantage in that it is easy to hack and poor security because the OTP generation program is built in the invisible chip.

In addition, OTP numbers are leaked or hacked at the input / output stage of the OTP number recently, and financial damage is continuing. Therefore, in the conventional method of generating an OTP using a random number, it is necessary to introduce a new method to prevent such a risk of hacking.

Korean Registered Patent No. 10-0883154 (registered on Feb. 4, 2009)

In order to solve the above problems, it is an object of the present invention to provide a method and system for transferring money using transaction-linked OTP.

According to a first aspect of the present invention, there is provided a bank transfer method using a transaction-based OTP (OTP), the method comprising: transmitting a bank transfer request and electronic signature information to a financial institution server; Verifying the electronic signature information at the financial institution server; Requesting a transaction-linked OTP from the financial institution server to the user portable terminal after completing verification of the digital signature information; Generating a transaction-linked OTP using a security application (Trusted Application) running on the portable terminal; Inputting the generated transaction-linked OTP using the user device, and transmitting a verification request of the transaction-linked OTP to the financial institution server; Performing transaction-based OTP verification of the verification request through the OTP verification server of the financial institution server; And when the transaction-linked OTP verification is completed, the financial institution server performs a transfer for the account transfer request.

According to a second aspect of the present invention, there is provided a bank transfer system using transaction-linked OTP, the system comprising: a user apparatus for transmitting a bank transfer request and electronic signature information and executing account transfer; A financial institution server for receiving the account transfer request and the digital signature information, verifying the digital signature information, and requesting a transaction-linked OTP to the user portable terminal; A user portable terminal which receives a request for the transaction-linked OTP from a financial institution server and generates a transaction-linked OTP by driving a security application; And an OTP verification server for receiving a verification request of the transaction-linked OTP from the financial institution server and performing an OTP verification based on the transaction, wherein the user apparatus receives the transaction-linked OTP generated in the user portable terminal, Requesting the server for verification, and the financial institution server processes the account transfer after completing the transaction-linked OTP verification through the OTP verification server.

According to the method and system for transferring money using transaction-linked OTP of the present invention, it is not necessary to possess a hardware OTP device, and as the user uses the portable terminal, it is possible to promptly recognize and report the lost OTP. In addition, the hardware OTP device needs to be replaced and replaced at the expense of the battery, while the present invention is economical because the battery replacement cost can be reduced.

According to the bank transfer method and system using transaction-linked OTP of the present invention, OTP generation and financial transactions are performed using a separate security operating system on a user portable terminal, thereby improving safety and security, Even if the OTP number is leaked from the OTP server, it can be verified using the transaction information at the time of verification, and can be prevented from being used for other transactions or abused by others. In other words, in the past, the user checks the transfer history at the time of transfer of the account, but there is a problem that the account number or the like is changed by hacking at the time of actual transaction. However, the transaction-linked OTP proposed in the present invention is a transaction By creating an interworking OTP, it is possible to prevent damage due to data value change in the middle.

Furthermore, the transaction-linked OTP of the present invention can replace a security card or a public certificate (electronic signature), and further authentication is unnecessary, thereby facilitating the convenience of the user.

FIG. 1 illustrates a money transfer system 100 using a transaction-linked OTP according to an embodiment of the present invention.
FIG. 2 illustrates an operating system of a user portable terminal 20 used for creating a transaction-linked OTP according to an embodiment of the present invention.
FIG. 3 (a) shows a general operation of a user portable terminal according to an embodiment of the present invention, and FIG. 3 (b) It is.
FIG. 4 is a block diagram illustrating a TA registration and installation method for using transaction-linked OTP according to an embodiment of the present invention.
FIG. 5 is a flowchart illustrating a TA registration and installation method for using a transaction-linked OTP according to an embodiment of the present invention.
FIG. 6 illustrates a method of transferring money using transaction-linked OTP according to an embodiment of the present invention.
FIG. 7 illustrates a display screen on a user portable terminal when transferring money using a transaction-linked OTP according to an embodiment of the present invention.
In the various drawings, the same reference numerals and symbols denote the same elements.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. It should be noted that, in adding reference numerals to the constituent elements of the drawings, the same constituent elements are denoted by the same reference numerals even though they are shown in different drawings. In the following description of the embodiments of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the difference that the embodiments of the present invention are not conclusive. In this specification, when it is mentioned that a certain element includes an element, it means that it may further include other elements.

FIG. 1 illustrates a money transfer system 100 using a transaction-linked OTP according to an embodiment of the present invention. The system 100 includes a user device 10, a portable terminal 20, a financial institution server 30 and an OTP verification server 40. The components 10, 20, 30 and 40 are connected to a wired / 50). Although the components 30 and 40 are shown separately in this figure, the financial institution server 30 and the OTP verification server 40 may be partially or wholly combined with each other. Although the user device 10 and the portable terminal 20 are shown in FIG. 1, both the account transfer and transaction-linked OTP generation processes may be performed on the portable terminal 20 or the user device 10. [

The user device 10 may include a user computer, a cellular phone, a smart phone, or the like. For example, the user device 10 may include various digital computers such as laptops, desktops, workstations, or other suitable computers capable of performing the account transfer process proposed in the present invention, as well as IPTV ≪ / RTI > capable digital devices. On the other hand, the portable terminal 20 is a communication device that can be connected to the financial institution server 30 for online financial transaction, and is a computing device equipped with hardware and software capable of financial transactions and commerce. The user's portable terminal 20 may be a mobile device in various mobile forms, such as a computing device, such as a personal digital assistant (PDA), a cellular phone, a smart phone, and the like. In the description of the present invention, the portable terminal 20 is mainly composed of a smartphone having both performance and mobility comparable to those of a computer, but is not limited thereto.

The biggest feature of the smartphone is that it can install, add or delete hundreds of various applications (applications, applications) as user wants, unlike the existing mobile phones which were released as finished products and used only the functions . In addition, smartphone users can directly access the Internet using wireless Internet, and can access Internet contents in various ways using various browsing programs. Furthermore, smartphones are now being applied to real life applications, such as mobile internet banking, mobile credit card, mobile social networking, and mobile shopping. For this purpose, banks, securities companies, credit card companies, social commerce companies, Shopping mall companies develop their own smartphone applications for their smartphone operating systems and distribute them to users for a fee or free of charge. As described above, according to the emergence of a mobile communication terminal having strong performance comparable to a computer and mobility due to a network function, the present invention is centered on a case where the user portable terminal 20 is a smart phone.

For reference, an application is a kind of software operating on an operating system (OS), and is a program designed to directly perform a specific function with respect to a user or another application program. A security application used in a user portable terminal such as a smart phone according to an embodiment of the present invention may be a mobile application that is adapted to be applied to a mobile device. The mobile application may be a browser-based application that accesses the web, A native application manufactured in accordance with the present invention, or a hybrid application combining the applications. Application data, system data, and the like are recorded and stored in a predetermined programming language (for example, C language or Java (JAVA)) on a computer-readable recording medium. The application data is data having various program functions (for example, screen switching by recognizing a user's touch through a display screen) implemented so as to enable interaction with a user, and is also referred to as full mode data. System data refers to data including application management information, start-up information, and the like, and attribute and operation information for reproducing application data. And information for implementing other additional functions can be stored in the recording medium.

The portable terminal 20 according to the present invention includes hardware and software capable of operating various applications on a terminal. In particular, the present invention provides a security OS (hereinafter referred to as " An operating system).

The user portable terminal 20 of the present invention performs a financial transaction using a security OS that operates independently of a general OS used for executing general applications of the portable terminal 20 during a financial transaction. The environment in which the security OS and the security application operate in the portable terminal 20 is referred to as a trust zone. The present invention relates to a trust zone-based financial transaction. The operation of the trust zone based will be described in more detail with reference to FIGS. 2 and 3. FIG.

The user device 10 and the portable terminal 20 can be utilized in general financial transactions such as banking and commerce using a merchant site or an online shopping mall. The user device 10 and the portable terminal 20 access the financial institution server 30 via the network 50 and proceed with the transaction process according to the guidance. In the present embodiment, the user terminal 10 performs the account transfer and generates the transaction-linked OTP in the portable terminal 20. However, the present invention is not limited to this, and a security application may be installed on the user device 10 To perform account transfer and transaction-linked OTP generation, or to generate and use a transaction-linked OTP at the same time as proceeding the account transfer process in the portable terminal 10. [ At this time, the network 20 may be implemented as digital data communication (e.g., a communication network) of any form or medium. Examples of the communication network include a local area network (LAN), a wide area network (WAN) It can be used in various mobile networks including various forms of wireless communication such as 3G, WiFi, and LTE.

The financial institution server 30 may be a server operated by a bank or financial institution for financial transactions, or an online payment server for commerce transactions. After receiving the account transfer request and the digital signature information from the user device 10, the financial institution server 30 performs a procedure such as authentication and verification using the transaction-linked OTP, and then transmits the transfer result to the user device 10 To indicate whether the transaction is proceeding and / or terminated. At this time, the financial institution server 30 can perform verification in conjunction with the OTP verification server 40 when verifying the transaction-linked OTP. The OTP verification server 40 may be driven by the same entity as the financial institution server 30 operating entity and may be driven by a separate verification authority.

The present invention uses these components 10, 20, 30, 40, 50 to transmit a request for transfer of accounts to the user equipment 10 to the financial institution server 30 at the time of account transfer, 30) requests and receives a transaction-linked OTP to the portable terminal (20) and performs verification through the OTP verification server.

Here, the 'transaction-linked OTP' is an OTP generated using transaction information. The transaction-linked OTP prevents the OTP number from being used for other transactions because it can be verified using the transaction information at the time of verification even if the OTP number is leaked at the input / output stage of the OTP number, and has an advantage of improved security. The transaction-linked OTP proposed in the present invention is implemented to include transaction information of a bank identification code, an account number, and a transfer amount in a financial transaction. The input values (transaction information) for generating transaction-linked OTPs can be input as numeric or character data, and can be generated from 6 to 8 digits through a hash algorithm. In the present exemplary embodiment, the transaction information to be set to be unchangeable at the time of transaction is selectively selected as the input value. However, the present invention is not limited thereto, and additional transaction information may be further input to generate the transaction-linked OTP.

In addition, since the transaction-linked OTP is generated on a trusted application (hereinafter referred to as 'TA') using a security OS independently operated on a user portable terminal, security and security are ensured, It is possible to replace the certificate, and further authentication is unnecessary, so that the convenience of the user can be achieved. In addition, although the user checks the transfer details and the like at the time of financial transaction in the past, there has been a problem that the account number or the like is changed by hacking in the actual transaction. However, the OTP transaction- By creating an interworking OTP, it is possible to prevent damage due to data value change in the middle.

Specifically, the transaction-based OTP generation method of the present invention is based on a time-based OTP generation algorithm based on time and an OTP key (for example, an OTP generation algorithm based on the RFC 6238 standard), an internal counter value and time, Challenge-Response OTP Generation Algorithm Based on Event-based OTP Generation Algorithm (OTP Generation Algorithm Based on RFC 4226 and RFC 6238 Standard) or Time-to-Client / Server Random Value and OTP Key (An OTP generation algorithm according to the RFC 6287 standard) can be used.

FIG. 2 illustrates an operating system of a user portable terminal 20 used for creating a transaction-linked OTP according to an embodiment of the present invention. The portable terminal 20 of the present invention includes a normal environment 110 for driving the general OS 114 and the general application 112 and a security zone 130 operating independently of the normal environment 110 do. The Trust OS 134 and the Trusted App 132 operate independently of the normal OS 114 and the general application 112 in the Trust Zone 130 which is a security environment, May share some or all of the user interface 120, as shown. The user portable terminal 20 also includes an ARM processor 150 based on a trust zone technology capable of selectively operating the trust zone 130 and the general environment 110. [

The trust zone 130 includes a secure OS 134 supporting a secure environment and a secure application 132 operated by a secure OS. The trust zone 130 is logically separated from the general environment 110 and is implemented so as to be inaccessible to each other except for the interface 120 and the shared memory defined for communication.

In one embodiment, data stored using the secure application 132 in the trust zone 130 may be stored in the general environment 110 as an encrypted form, but it is not decryptable in a normal environment, It is implemented so that decoding is not possible in the application. As another embodiment, even if an application of the same kind as that of the security application 132 is used, it can not be decrypted by another device.

As such, since the trust zone 130 is completely logically separated and driven independently, it is possible to safely store and process information related to financial transactions using the user portable terminal 20 and financial information in commercial transactions. The trust zone-based security application 132 implements security authentication and secure login, generates a transaction-linked OTP proposed in the present invention, and can encrypt and store information requiring security such as a public certificate.

The security application 132 of the present invention can perform not only financial transactions but also login or authentication processing that requires security in general commercial transactions. Furthermore, the security application 132 of the present invention can generate a transaction-linked OTP using transaction information, and OTP can replace a security card, a general OTP, or an authorized certificate, thereby enabling a simple and safe transaction.

3 (a) shows a general operation in the user portable terminal 20 according to an embodiment of the present invention, and FIG. 3 (b) shows an operation in the trust zone 130 according to another embodiment of the present invention Are compared with each other.

2, the general environment 110 and the trust zone 130 are logically separated, and when the general application 112 is executed, the general OS 114 supports the operation, and the display unit 170 displays, (UI) 116 (FIG. 3 (a)).

On the other hand, when the security application 132 is executed, the security OS 134 supports the operation thereof and displays the security UI 136 through the display unit 170 (FIG. 3 (b)). Since the security UI 136 is displayed at a higher level than the general UI, the security UI 136 can not be accessed in the general environment 110 and the screen touch coordinates and the like can be realized in the general environment 110, The safety of financial transactions or commercial transactions can be promoted.

4 is a block diagram illustrating a TA installation method for using a transaction-linked OTP according to an embodiment of the present invention. In order to use the account transfer system using transaction-linked OTP proposed in the present invention, the TA must be installed in the portable terminal 20 first.

In order to install the TA, the portable terminal 20 can install an OTP client for TA operation in a store (for example, an Android market, an app store, etc.) providing an application. When the portable terminal 20 makes a request to install the OTP client in the application store 60, the application store 60 transmits the installation data to install the OTP client.

Next, the portable terminal 20 determines whether a TA container exists and sends a TA container installation request to the TEE directory 70 (step 42). The Trusted Execution Environment (TEE) directory 70 is a server that supports TA container installation for devices that can use the trust zone service. The TEE directory supports installing the TA container, which is an isolation area inside the security OS when TA is executed, and can be implemented to be linked with a financial institution server or a communication company server.

After the TA container is installed from the TEE directory 70 for the TA installation at the request of the portable terminal 20, the OTP TA is installed through the TSM (Trusted Service Manager) server (step 43). If the TA container is already installed, step 42 can be omitted and the OTP TA can be installed. The TSM server 80 is a server that installs, removes and updates an OTP TA, and may be linked with a communication company, or the TSM server 30 may be a communication company.

5 is a flowchart illustrating a TA installation method for using a transaction-linked OTP according to an embodiment of the present invention. The TA for creating the OTP can be installed using the portable terminal 20, the application store 60, the TEE directory 70, and the TSM server 80 as described in FIG.

First, the portable terminal 20 requests the application store 60 to install the OTP client, receives the installation data, and installs the OTP client on the portable terminal 20 (step 510). Thereafter, installation of an application TA ('OTP TA') for generating a transaction-linked OTP according to the present invention is performed (operation 520).

The portable terminal 20 determines whether the TA container is already installed (step 530). If the TA container is not installed, the install request is transmitted to the TEE directory (step 540). The TEE directory receiving the TA container installation request transmits data for the TA container installation to the portable terminal 20, and the portable terminal 20 receiving the TA container installation can install the TA container (operation 550).

If it is determined in step 530 that the TA container is installed, the portable terminal 20 requests the TSM server 80 to install the OTP TA in step 560. The TSM server receiving the installation request transmits the OTP TA data to the portable terminal 20, and the portable terminal 20 installing the OTP TA installs the OTP TA in step 570. The OTP TA can then be reinstalled, deleted, or updated via the TSM server.

4 and 5, in order to implement the transaction-linked OTP account transfer method of the present invention, the installation of the OTP TA that can be driven in the trust zone must be completed preferentially, and the application store 60, the TEE directory 70 ), The installation of the OTP TA through the TSM server 80 may be supported. In the above installation method, the OTP client, the TA container, and the OTP TA are installed through the application store 60, the TEE directory 70, and the TSM server 80, respectively. However, the present invention is not limited to this. Or at least one of an OTP client, a TA container and an OTP TA in a form in which two or more servers are integrated.

FIG. 6 illustrates a method of transferring money using transaction-linked OTP according to an embodiment of the present invention. 4 and 5, the TA is driven on the assumption that the TA is installed in the portable terminal 20, thereby carrying out the account transfer method of the present invention.

First, the user can start the account transfer process via the user device 10. It is generally possible to transfer money through online sites operated by financial institutions. When the user device 10 performs the account transfer, the information related to the transfer details is input from the user and the account transfer request is transmitted to the financial institution server 30 in step 610. At this time, the account transfer request may include at least one of a withdrawal account number, an account password, a transfer password, a deposit bank, and a deposit account number, and may further include a deposit message, a CMS code, and the like. On the other hand, an electronic signature such as a public certificate is used for identity confirmation at the time of online account transfer, and in step 610, the electronic signature information may be transmitted together with the account transfer request.

The financial institution server 30 receives the account transfer request and the digital signature information from the user device 10 and verifies whether the digital signature is true or false (step 620). When the electronic signature verification is completed, the financial institution server 30 transmits a transaction-linked OTP request to the portable terminal 20 of the user (step 630). The user of the portable terminal 20 is the same user as the user of the user terminal 10. The portable terminal information of the user is registered in advance in the financial institution server 30 or can be registered through the input procedure. For example, the user can register the mobile phone number assigned to his or her portable terminal 20 in advance in the financial institution server 30, and request a transaction interworking OTP from the mobile phone number registered in advance when requesting the account transfer from the user .

The portable terminal 20 receives the transaction-linked OTP request, and drives the TA to generate the transaction-linked OTP (operation 640). At this time, the user can confirm the transfer information (for example, withdrawal account information and deposit account information) through the portable terminal 20. When the user confirms the transfer information, the transaction-linked OTP is generated based on the transfer information. The transaction-linked OTP generation method of the present invention includes a time-based OTP generation algorithm based on time and an OTP key (for example, an OTP generation algorithm according to the RFC 6238 standard), an internal counter value and time, an OTP key Based OTP generation algorithm (OTP generation algorithm based on RFC 4226 and RFC 6238 standard), or challenge-response OTP based on time, client / server random value, and OTP key Algorithm (an OTP generation algorithm according to the RFC 6287 standard) may be used. By using such an algorithm and generating transaction-linked OTP based on transaction information (i.e., transfer information), it has an advantage that security is improved unlike the existing OTP random number.

When the portable terminal 20 generates a transaction-linked OTP, the user inputs a transaction-linked OTP value in the user device 10 (operation 650). In another embodiment, when the account transfer process is performed using the portable terminal 20, the transaction-linked OTP can be generated and confirmed on the portable terminal 20, and the created transaction-linked OTP can be transferred to the portable terminal 20 Can be input.

When the user device 10 receives the transaction-linked OTP, it transmits the transaction-linked OTP to the financial institution server 30 and requests verification of the transaction-linked OTP in operation 660. In step 670, the financial institution server 30 receives the verification request of the transaction-linked OTP and transmits it to the OTP verification server. The OTP verification server 40 generates a second transaction interlocked OTP using the same algorithm based on the transaction information (that is, the algorithm used when generating the transaction interlocked OTP in the portable terminal 20) And performs verification by comparing the self-generated second transaction-linked OTP. When the verification is completed, the OTP verification server 40 transmits the verification result to the financial institution server 30 (step 680).

If the verification is successful, the financial institution server 30 proceeds with the transfer process and transfers the transfer result to the user device 10 (steps 690 and 695). For example, when the verification fails, the financial institution server 30 can transmit a verification failure message to the user device 10 or the portable terminal 20, regenerate and revalidate the same through the portable terminal 20, Termination.

According to the transaction-linked OTP account transfer method of the present invention, there is no need to possess a hardware OTP device, and the use of the user portable terminal carried by the user has an advantage in that it can be quickly recognized and reported upon loss . In addition, the hardware OTP device needs to be replaced at an additional cost when the battery is exhausted, whereas the transaction-based OTP generation system according to the present invention has a cost saving effect in this respect.

In addition, OTP creation and account transfer transactions are performed using a separate security operating system on the user portable terminal, so that not only safety and security are secured, but even if an OTP number is leaked during input / output of the OTP number, verification using the transfer information And can be prevented from being abused by others. Furthermore, the transaction-linked OTP of the present invention can replace the security card or the public certificate, and the additional authentication is unnecessary, so that the convenience of the user can be improved, and the expansion is possible in various financial transaction fields including the account transfer.

FIG. 7 illustrates a display screen on a user portable terminal when transferring money using a transaction-linked OTP according to an embodiment of the present invention.

The user can transfer the money through the banking website or the bank-dedicated application through the portable terminal 20 or the user device 10. [ When the account transfer proceeds, the user inputs the transfer details (51). The transfer details may include at least one of a withdrawal account number, an account password, a transfer password, a transfer amount, a deposit bank, a deposit account number, a deposit message, and a CMS code. When such transfer information is input, the transfer request is transmitted to the financial institution server 30. When requesting the transfer, the pages are switched and the transfer information can be confirmed (52).

When the user confirms the transfer information and presses the OK button, the TA of the present invention is automatically driven by the push system on the portable terminal 20 (53). At this time, the portable telephone number of the portable terminal 20 can be known to the financial institution server 30 by the user's input, or can be called from the USIM information in advance. In order to prevent theft by another person, it is possible to input a separately set OTP password. When inputting the OTP password, the OTP can be generated by pressing the OK button (54). When the OTP number for transfer (i.e. transaction-linked OTP) is created, the user can confirm the transfer details together with the OTP number for transfer once again (54a).

The user can confirm the generated OTP number and transfer details for transfer and input the OTP number for transfer to the user apparatus 10 that is in the process of transferring money. The user device 10 transmits the OTP number for transfer to the financial institution server 30 and performs verification through the OTP verification server 40. [ Since the verification method has been described with reference to FIG. 6, it is omitted in the description of this drawing.

After inputting the OTP number for transfer, press the OK or Transfer button to proceed to the authorized authentication step for electronic signature (55, 56). When an authorized certificate selection and an authorized certificate password are entered for digital signature, the password is transmitted to the financial institution server 30 for verification. As another example, the digital signature may be performed before OTP generation.

If such OTP verification for the transfer and verification of the digital signature are successful, the account transfer is performed and the transaction is completed (57).

While the present invention has been described in detail in the foregoing for the purpose of illustration, it is to be understood that the components, their connections and relationships, and their functions are merely exemplary. In the present invention, each component may be implemented as a physically separated form or as an integrated form of one or more components as needed.

The present invention is not necessarily limited to these embodiments, as all the constituent elements constituting the embodiment of the present invention are described as being combined or operated in one operation. That is, within the scope of the present invention, all of the components may be selectively coupled to one or more of them.

Furthermore, the terms "comprises", "comprising", or "having" described above mean that a component can be implanted unless otherwise specifically stated, But should be construed as including other elements. All terms, including technical and scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs, unless otherwise defined. Commonly used terms, such as predefined terms, should be interpreted to be consistent with the contextual meanings of the related art, and are not to be construed as ideal or overly formal, unless expressly defined to the contrary.

The foregoing description is merely illustrative of the technical idea of the present invention, and various changes and modifications may be made by those skilled in the art without departing from the essential characteristics of the present invention. Therefore, the embodiments disclosed in the present invention are intended to illustrate rather than limit the scope of the present invention, and the scope of the technical idea of the present invention is not limited by these embodiments. The scope of protection of the present invention should be construed according to the following claims, and all technical ideas within the scope of equivalents should be construed as falling within the scope of the present invention.

10: User device
20: Portable terminal
30: financial institution server
40: OTP verification server
50: Network

Claims (16)

As a method of transferring money using OTP (OTP: One Time Password)
Transmitting a request for account transfer and electronic signature information from the user device to a financial institution server;
Verifying the electronic signature information at the financial institution server;
Requesting a transaction-linked OTP from the financial institution server to the user portable terminal after completing verification of the digital signature information;
Generating a transaction-linked OTP using a security application (Trusted Application) running on the portable terminal;
The generated transaction interlocked OTP is input to the user device and the verification request of the transaction interworking OTP is transmitted to the financial institution server;
Performing transaction-based OTP verification of the verification request through the OTP verification server of the financial institution server; And
When the transaction-linked OTP verification is completed, performing a transfer for the account transfer request by the financial institution server,
Wherein the security application is operated by a security operating system (Trust OS) independently operated from a general operating system running on the user portable terminal,
Wherein the security operating system is driven by an optional operation among the general operating system and the secure operating system using the ARM processor included in the user portable terminal and is displayed at a higher level than a user interface (UI) by the general operating system, However,
The data using the security application is stored in an encrypted form so that it can not be decrypted by the general operating system, another security application of the same terminal, or the same security application of another terminal,
The transaction-linked OTP is an OTP value generated by including transaction details as part or all of the input value,
Wherein the OTP verification server receives the transaction details information from the financial institution server and generates a second transaction interworking OTP based on the transaction detail information using the same algorithm as the algorithm for generating the transaction interworking OTP, Wherein the OTP value received from the user portable terminal is compared with a second OTP value generated by the OTP verification server and is verified and verified. The method according to claim 1,
The security application may be configured such that the algorithm for generating the transaction interworking OTP comprises a time-based OTP generation algorithm based on time and an OTP key, an internal counter value and time, an event-based OTP generation algorithm based on an OTP key, A client-server random value, and a challenge-response OTP generation algorithm based on the OTP key. The method according to claim 1,
Wherein the transaction details include a transfer amount and a deposit account. The method of claim 3,
Wherein the transaction details further include a withdrawal account, a deposit bank, and a payee name. The method according to claim 1,
Wherein the transaction-linked OTP is generated in a 6-digit to 8-digit value according to a predetermined algorithm. delete delete The method according to claim 1,
Wherein the user equipment comprises a user computer, a mobile phone or a smart phone. As an account transfer system using transaction-linked OTP,
A user apparatus that transmits a request for account transfer and electronic signature information and executes account transfer;
A financial institution server for receiving the account transfer request and the digital signature information, verifying the digital signature information, and requesting a transaction-linked OTP to the user portable terminal;
Receiving the request of the transaction-linked OTP from the financial institution server, and driving the security application to generate the transaction-linked OTP; And
And an OTP verification server for receiving a verification request of the transaction-linked OTP from the financial institution server and performing transaction-linked OTP verification,
The user device receives the transaction interworking OTP generated in the user portable terminal and requests verification from the financial institution server. The financial institution server completes the transaction interworking OTP verification through the OTP verification server, Processing the transfer,
Wherein the security application is operated by a security operating system (Trust OS) independently operated from a general operating system running on the user portable terminal,
Wherein the secure operating system is driven by an optional operation among the general operating system and the secure operating system using the ARM processor included in the user device and is displayed on a higher level than the user interface by the general operating system, Not available,
The data using the security application is stored in an encrypted form so that it can not be decrypted by the general operating system, another security application of the same terminal, or the same security application of another terminal,
The transaction-linked OTP is an OTP value generated by including transaction details as part or all of the input value,
Wherein the OTP verification server receives the transaction details information from the financial institution server and generates a second transaction interworking OTP based on the transaction detail information using the same algorithm as the algorithm for generating the transaction interworking OTP, Wherein the OTP value received from the user portable terminal is compared with a second OTP value generated by the OTP verification server and is verified by the OTP verification server. 10. The method of claim 9,
The algorithm for generating the transaction-linked OTP is a time-based OTP generation algorithm based on time and an OTP key, an internal counter value and time, an event-based OTP generation algorithm based on an OTP key, A challenge-response OTP generation algorithm based on a random value, an OTP key, and the like. 10. The method of claim 9,
Wherein the transaction details include a transfer amount and a deposit account. 12. The method of claim 11,
Wherein the transaction details further include a withdrawal account, a deposit bank, and a payee name. 10. The method of claim 9,
Wherein the transaction-linked OTP is generated as a 6-digit to 8-digit value according to a predetermined algorithm. delete delete 10. The method of claim 9,
Wherein the user equipment comprises a user computer, a mobile phone or a smart phone.

Images