CN101448001A - System for realizing WAP mobile banking transaction security control and method thereof - Google Patents


Info

Publication number: CN101448001A
Authority: CN (China)
Prior art keywords: wap, phone number, client terminal, operator, mobile banking
Legal status: Granted; currently active (Google notes that the listed status is an assumption, not a legal conclusion)
Application number: CNA2008102266822A
Other languages: Chinese (zh)
Other versions: CN101448001B (granted publication)
Inventors: 张军, 曾实, 王万芬, 曾凯
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC) (Google notes that the listed assignees may be inaccurate)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Events: application filed by Industrial and Commercial Bank of China Ltd (ICBC); priority to CN2008102266822A; publication of CN101448001A; application granted; publication of CN101448001B; anticipated expiration
Abstract

The invention discloses a system and method for realizing security control of WAP mobile banking transactions. The system comprises a client terminal, a web server, a WAP portal server, a WAP transaction server and mobile communication operator system equipment. The web server provides the domain name address service and forwards the transaction request received from the client terminal to the WAP portal server. The WAP portal server obtains the phone number of the client terminal, generates a handset token according to the operator's phone number binding relationship, and sends the handset token and the transaction request to the WAP transaction server. The WAP transaction server verifies the legitimacy of the handset token and checks whether the customer's operator binding information is consistent with the token information. The mobile communication operator system equipment provides an interface to the WAP portal server, through which the WAP portal server obtains the phone number. By adopting the invention, a user is prevented from reaching WAP mobile banking over the internet, which effectively improves the security of access to mobile banking.

Description

A system and method for realizing security control of WAP mobile banking transactions
Technical field
The present invention relates to the technical field of mobile banking, and in particular to a system and method for realizing security control of WAP mobile banking transactions.
Background art
Current WAP mobile banking is generally implemented as follows: the bank publishes the access address of a WAP website, and the customer's mobile phone connects to the WAP mobile ban king website at that address over GPRS or WAP to browse the site's information or carry out related transactions.
Existing WAP mobile banking websites generally do not check strictly whether the accessing party really is a mobile phone, and many browsers now exist, Opera for example, that let a user reach a WAP mobile banking website from the internet.
The target customers of WAP mobile banking are mobile phone users. Because of the diversity of handset manufacturers and models, the awkwardness of operating a handset and the limitations of existing mobile networks, the security measures required of existing WAP mobile banking websites are modest. For example, the password input box on the page is not protected by an encrypting control, so the password travels in plaintext in the packet the page submits.
If access from the internet is not restricted, the convenience of a computer and the reach of the internet make it very likely that important security information on the WAP mobile banking website is stolen without authorization, for example by intercepting the packet the page sends.
A security control method is therefore urgently needed that blocks access to the WAP mobile banking website from the internet and restricts customers to accessing WAP mobile banking only from a mobile phone, so as to protect the customer's personal asset information.
Summary of the invention
(1) Technical problem to be solved
In view of this, the main purpose of the present invention is to provide a system and method for realizing security control of WAP mobile banking transactions that prevent customers from accessing WAP mobile banking via the internet and effectively improve the security of access to mobile banking.
(2) Technical solution
To achieve the above object, the technical solution adopted by the present invention is as follows:
A system for realizing security control of WAP mobile banking transactions, the system comprising:
a client terminal;
a web server, used to provide the domain name address service and to forward the transaction request received from the client terminal to the WAP portal server;
a WAP portal server, used, after receiving the transaction request forwarded by the web server, to obtain the phone number of the client terminal, to generate a handset token according to the operator's phone number binding relationship, and then to send the handset token and the transaction request to the WAP transaction server;
a WAP transaction server, used, after receiving the handset token and the transaction request, to verify the legitimacy of the handset token and to check whether the customer's operator binding information is consistent with the token information; if consistent, the transaction continues, if inconsistent, the transaction is refused;
mobile communication operator system equipment, used to provide an interface to the WAP portal server, through which the WAP portal server obtains the client terminal's phone number.
In the above scheme, the client terminal is the carrier through which the customer accesses WAP mobile banking, namely a mobile phone.
In the above scheme, for a client terminal that accesses WAP mobile banking by entering the domain name directly, the WAP portal server presents the client terminal with an operator selection page, obtains the client terminal's phone number from the mobile communication operator system equipment over the communication interface agreed with the operator, according to the operator's phone number binding relationship parameter, and generates a handset token by the corresponding algorithm according to that binding relationship and whether the phone number was obtained. For a client terminal that accesses WAP mobile banking through a link on the operator's page, the WAP portal server takes the phone number and operator information from the transaction request and generates the handset token according to the operator's phone number binding relationship parameter.
In the above scheme, after verifying the legitimacy of the handset token, if it is legitimate the WAP transaction server presents the client terminal with one of two login pages depending on whether the phone number is bound; after the client terminal has logged in, it uses the phone number reserved when the client terminal registered to check whether the customer's operator binding information is consistent with the token information. If the WAP transaction server finds the handset token illegitimate, the transaction is refused.
In the above scheme, when the WAP transaction server refuses the transaction because the customer's operator binding information is inconsistent with the token information or because the handset token is illegitimate, the client terminal can still browse simple information pages but cannot transact.
A method for realizing security control of WAP mobile banking transactions, the method comprising:
the client terminal submits a transaction request to the web server, and the web server forwards the transaction request to the WAP portal server;
after receiving the transaction request forwarded by the web server, the WAP portal server obtains the phone number of the client terminal, generates a handset token according to the operator's phone number binding relationship, and then sends the handset token and the transaction request to the WAP transaction server;
after receiving the handset token and the transaction request, the WAP transaction server verifies the legitimacy of the handset token and checks whether the customer's operator binding information is consistent with the token information; if consistent, the transaction continues; if inconsistent, the transaction is refused.
In the above scheme, the client terminal submits the transaction request to the web server in one of two ways:
Way one: the client terminal follows a link on the mobile communication operator's service page to the WAP mobile banking service entry and submits the transaction request to the web server;
Way two: the client terminal enters the domain name directly to access WAP mobile banking and submits the transaction request to the web server.
In the above scheme, when the client terminal accesses WAP mobile banking in the first way: if the operator requires phone number binding, the operator passes the phone number as a parameter to the WAP mobile banking portal server when linking to WAP mobile banking; if the operator has no requirement on phone number binding, or requires no binding, the operator need not supply the phone number when linking. Here, binding means that one phone number may access the WAP mobile banking of only one client terminal.
When the client terminal accesses WAP mobile banking in the second way: if the operator requires binding, the client terminal is presented with a mobile communication operator selection page on accessing WAP mobile banking; after the client terminal has selected, the bank communicates in the background with the mobile communication operator over the agreed interface to obtain the client terminal's phone number; if the phone number cannot be obtained, the client terminal's access rights are restricted so that it can only browse pages and cannot log in to WAP mobile banking. If the operator requires no binding, the customer's phone number is not obtained and the client terminal's access rights are not controlled. If the operator has no requirement either way, an attempt is made to obtain the client terminal's phone number; if it is obtained, processing follows the normal phone-number-obtained flow, otherwise it follows the no-binding case.
In the above scheme, the WAP portal server obtaining the client terminal's phone number after receiving the transaction request forwarded by the web server, generating a handset token according to the operator's phone number binding relationship, and sending the handset token and the transaction request to the WAP transaction server, specifically comprises:
Step 1: on receiving the transaction request forwarded by the web server, the WAP portal server presents the client terminal with an operator selection page;
Step 2: the client terminal selects the operator;
Step 3: the WAP portal server checks the operator's phone number binding setting; if binding is required or there is no requirement, continue with step 4; if no binding, jump to step 6;
Step 4: the WAP portal server obtains the address of the mobile communication operator system equipment and sends a request for the client terminal's phone number; if the phone number is obtained normally, continue with step 5; otherwise, if the operator has no requirement on phone number binding, jump to step 6, and if the operator requires binding but the phone number could not be obtained, generate a phone-number-fetch-abnormal token and jump to step 7;
Step 5: the WAP portal server checks that the phone number is consistent with the operator information; if consistent, generate a normal phone-number-obtained token, if inconsistent, generate a phone-number-fetch-abnormal token; jump to step 7;
Step 6: where the operator does not bind phone numbers, or has no requirement on binding and the phone number could not be obtained, the WAP portal server generates a no-phone-number token;
Step 7: the WAP portal server forwards the transaction request and the handset token information to the WAP transaction server.
In the above scheme, after receiving the handset token and the transaction request, the WAP transaction server further obtains the customer information, specifically as follows. If the handset token indicates that the phone number was obtained normally, the WAP transaction server presents the client terminal with a page for entering the login password, logs the customer in with the phone number and login password as the credentials, and obtains the customer information. If the token is a phone-number-fetch-abnormal token, it shows the client terminal the WAP bank information browsing page, bars the client terminal from logging in to WAP mobile banking, and ends. If the token is a no-phone-number token, it presents the client terminal with a login page for entering the card number and login password, logs the customer in with the card number and login password as the credentials, and obtains the customer information.
In the above scheme, verifying the legitimacy of the handset token and checking whether the customer's operator binding information is consistent with the token information specifically comprises: after obtaining the customer information, the WAP transaction server looks up the phone number reserved when the customer registered for mobile banking, determines the operator information and binding setting corresponding to that phone number, and checks whether they are consistent with the information in the token; if consistent, the client terminal is logged in successfully and the transaction continues; if inconsistent, the customer is told that login failed, the transaction is refused, and the customer is restricted to the WAP mobile banking information browsing pages.
(3) Beneficial effects
From the above technical solution it can be seen that the present invention has the following beneficial effects:
1. The system and method for realizing security control of WAP mobile banking transactions provided by the invention prevent customers from accessing WAP mobile banking via the internet and effectively improve the security of access to mobile banking.
2. They effectively control the problem of access to WAP mobile banking from the internet, and so reduce the possibility of brute-forcing WAP mobile banking, and mobile banking passwords in particular, from a computer and the internet, which are much easier to operate than a handset.
3. By enforcing a single entry point for WAP mobile banking and by the phone number binding scheme, they ensure that a customer can only access WAP mobile banking from his or her own mobile phone, which greatly improves the security of WAP mobile banking.
4. They apply equally to B2C shopping through WAP mobile banking.
Description of the drawings
Fig. 1 is a schematic structural diagram of the system for realizing security control of WAP mobile banking transactions provided by the invention;
Fig. 2 is a flow chart of the method for realizing security control of WAP mobile banking transactions provided by the invention;
Fig. 3 is a schematic diagram of the realization of security control of WAP mobile banking transactions according to an embodiment of the invention;
Fig. 4 is a flow chart of the client terminal accessing WAP mobile banking and the generation of the handset token according to the invention;
Fig. 5 is a flow chart of the verification of the handset token according to the invention.
Embodiments
To make the purpose, technical solution and advantages of the present invention clearer, the invention is described in more detail below with reference to specific embodiments and the accompanying drawings.
To control and restrict customers accessing WAP mobile banking via the internet, the uniqueness of the WAP mobile banking access address must first be controlled: by checking and controlling the WAP mobile banking entry, it is guaranteed that every request must reach the WAP transaction server by way of the WAP portal server, so that customers coming in via the internet are refused.
To restrict customers to accessing WAP mobile banking only from a mobile phone, obtaining the customer's phone number is the key, because the customer's phone number cannot be obtained when WAP mobile banking is accessed via the internet. The customer's real phone number can only be obtained in cooperation with the mobile communication operator: when the customer accesses WAP mobile banking from a mobile phone, the operator passes the customer's information, such as the phone number, to the WAP mobile banking website.
Customers access WAP mobile banking mainly in two ways:
the first is by following a link on the mobile communication operator's service page to the bank's WAP mobile banking service entry;
the second is by the customer entering the domain name directly to access WAP mobile banking.
To obtain the customer's phone number, the bank and the mobile communication operator first reach an agreement that makes clear whether WAP mobile banking needs the phone number binding restriction (that is, one phone number may access only one customer's WAP mobile banking), and a security parameter is preset that records whether the operator requires phone number binding; its values are: bind, no bind, no requirement.
When the customer accesses WAP mobile banking in the first way: if the operator requires phone number binding, the operator is required to pass the phone number as a parameter to the WAP mobile banking portal server when linking to the WAP bank website; if the operator has no requirement on phone number binding, or requires no binding, the operator need not supply the phone number when linking.
When the customer accesses WAP mobile banking in the second way: if the operator requires binding, the customer is presented with a mobile communication operator selection page on accessing WAP mobile banking; after the customer has selected, the bank communicates in the background with the mobile communication operator over the agreed interface to obtain the customer's phone number; if the number cannot be obtained, the customer's access rights are restricted (pages may be browsed, but login to WAP mobile banking is not possible). If the operator requires no binding, the customer's phone number is not obtained and the customer's access rights are not controlled. If the operator has no requirement either way, an attempt is made to obtain the customer's phone number; if it is obtained, processing follows the normal phone-number-obtained flow, otherwise it follows the no-binding case.
At the same time, a WAP gateway IP address list and a table mapping phone number segments to operators are set up in the banking system.
With the WAP gateway IP address list it can be judged whether the address from which the customer's phone number was obtained from the operator is one agreed with that operator, which limits the source addresses from which phone number information is accepted.
With the table mapping phone number segments to operators, the customer's operator can be determined from the phone number.
After the operator has returned the customer's information, such as the phone number, the segment-to-operator table is used to judge whether the customer's mobile communication operator matches the operator selected on the page; if not, an error is reported. The return address of the information is then checked against the WAP gateway IP address list; if it does not match, an error is reported and the transaction is refused.
The entry uniqueness control and the phone number acquisition control described above are all performed at the WAP mobile banking portal server; the WAP portal server mainly serves customers some static pages for browsing, while all WAP mobile banking transactions are performed at the WAP mobile banking transaction server. To ensure that every transaction is subject to these security restrictions, it must be guaranteed that every transaction reaches the WAP transaction server only by being forwarded through the WAP portal server.
To this end, the invention adds the design of a handset token. When the client terminal accesses WAP mobile banking, the WAP portal server generates tokens of different types, by a fixed algorithm, according to whether the customer's operator requires phone number binding and whether the customer's phone number was obtained, and forwards the token together with the customer's transaction request to the WAP transaction server. After receiving the transaction request, the WAP transaction server first checks the token information; if the check passes, the transaction proceeds, otherwise further transaction is refused outright.
The token is designed as follows:
The handset token format may be: token type | phone number | timestamp | verification string
Token type: two digit characters; 00 means the token contains no phone number, 01 means the token contains a phone number; 70 to 99 are used to denote abnormal cases.
Phone number: when the token carries a phone number, the encrypted phone number is inserted here. One way to encrypt it is to take phone number + current server time as the subject string and encrypt it with an encryption algorithm (for example 3DES) under a key configured on both the WAP portal and the WAP transaction platform, giving the encrypted string.
Timestamp: yyyyMMddHHmmss, the current server time at which the token was produced; the token is valid only within a specific time range.
Verification string: the preceding parameters are concatenated into one string and run through a cryptographic operation to produce the verification string, for example an MD5 operation whose digest is used as the verification string.
(Note: only when the phone number was obtained from the operator does the token carry phone number information; in every other case only a token without a phone number can be generated.)
After the token has been verified, for an operator that requires phone number binding the customer is asked to enter the login password and a verification code, with the phone number as the customer's login ID, to complete login; for an operator that does not require binding the customer is asked to enter the login card number, password and verification code to complete login. After login to WAP mobile banking, the transaction server looks up the phone number reserved when the customer opened mobile banking, determines from that number its operator information and whether binding is required, and verifies that these are consistent with what the customer selected at the portal and with the token information; once verification succeeds, the customer enters the mobile phone transaction functions. (Note: in general, binding the phone number is a requirement the bank makes for security reasons, but a communication operator may decline to require binding; in that case, users of that operator cannot be prevented from accessing the bank's WAP mobile banking via the internet.)
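The token design above, worked through in Go as an added example; this is the editor's code, not the patent's or ICBC's implementation. It builds and verifies the handset token as type|phone|timestamp|check, seals phone number + server time with 3DES under a key shared by the WAP portal and the WAP transaction platform, and computes the verification string two ways: keyed=false is the scheme as the text describes it, an MD5 digest over the preceding fields, and keyed=true is an HMAC under the shared key, which is added here. The difference is the first check a practitioner would run against this design: if the verification string is an unkeyed digest over fields every client can see, anyone who knows the format can mint a type-00 token that the transaction server accepts, so the digest alone does not prove that the request passed through the portal; the HMAC variant closes that gap. The key value, CBC mode with a random IV, PKCS#5 padding, the sample number 13800138000 and the abnormal type value 70 are all assumptions of this example; the patent fixes only the field layout, 3DES and MD5.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Token types from the patent's design: 00 no phone number, 01 phone number present,
// 70..99 abnormal (70 is an assumed value in that range). tsLayout is yyyyMMddHHmmss.
const (
	TypeNoPhone, TypeWithPhone, TypeAbnormal = "00", "01", "70"
	tsLayout                                 = "20060102150405"
)

// sharedKey stands for the 3DES key configured on both the WAP portal and the WAP
// transaction platform (assumed value; a real deployment provisions it out of band).
var sharedKey = []byte("0123456789abcdef01234567")

// sealPhone encrypts phone+timestamp with 3DES-CBC (random IV prepended, PKCS#5
// padding) and hex-encodes it. CBC and PKCS#5 are assumptions; the patent names only 3DES.
func sealPhone(key []byte, phone, ts string) (string, error) {
	block, err := des.NewTripleDESCipher(key)
	iv := make([]byte, des.BlockSize)
	if _, rerr := rand.Read(iv); err != nil || rerr != nil {
		return "", errors.New("bad key or no randomness")
	}
	pt := []byte(phone + ts)
	n := des.BlockSize - len(pt)%des.BlockSize
	pt = append(pt, bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return hex.EncodeToString(append(iv, ct...)), nil
}

// openPhone reverses sealPhone and requires the sealed timestamp to equal the clear
// timestamp field, so an old ciphertext cannot be paired with a fresh timestamp.
func openPhone(key []byte, encHex, ts string) (string, error) {
	raw, err := hex.DecodeString(encHex)
	block, kerr := des.NewTripleDESCipher(key)
	if err != nil || kerr != nil || len(raw) < 2*des.BlockSize || len(raw)%des.BlockSize != 0 {
		return "", errors.New("bad key or ciphertext")
	}
	pt := make([]byte, len(raw)-des.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:des.BlockSize]).CryptBlocks(pt, raw[des.BlockSize:])
	n := int(pt[len(pt)-1])
	if n < 1 || n > des.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad padding")
	}
	if s := string(pt[:len(pt)-n]); strings.HasSuffix(s, ts) {
		return strings.TrimSuffix(s, ts), nil
	}
	return "", errors.New("sealed timestamp differs from token timestamp")
}

// check computes the verification string over the preceding fields. keyed=false is the
// patent's scheme, an unkeyed MD5 digest; keyed=true is the HMAC variant added here.
func check(key []byte, keyed bool, typ, enc, ts string) string {
	msg := []byte(typ + "|" + enc + "|" + ts)
	if !keyed {
		sum := md5.Sum(msg)
		return hex.EncodeToString(sum[:])
	}
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return hex.EncodeToString(m.Sum(nil))
}

// Issue builds "type|phone|timestamp|check" on the portal side.
func Issue(key []byte, typ, phone string, now time.Time, keyed bool) (string, error) {
	ts, enc, err := now.Format(tsLayout), "", error(nil)
	if typ == TypeWithPhone {
		enc, err = sealPhone(key, phone, ts)
	}
	if err != nil {
		return "", err
	}
	return strings.Join([]string{typ, enc, ts, check(key, keyed, typ, enc, ts)}, "|"), nil
}

// Verify is the transaction-server side: verification string, validity window and
// token type; for type 01 it also returns the decrypted phone number.
func Verify(key []byte, token string, now time.Time, maxAge time.Duration, keyed bool) (string, string, error) {
	f := strings.Split(token, "|")
	if len(f) != 4 {
		return "", "", errors.New("malformed token")
	}
	typ, enc, ts := f[0], f[1], f[2]
	if !hmac.Equal([]byte(check(key, keyed, typ, enc, ts)), []byte(f[3])) {
		return typ, "", errors.New("verification string mismatch")
	}
	issued, err := time.ParseInLocation(tsLayout, ts, now.Location())
	if err != nil || now.Before(issued) || now.Sub(issued) > maxAge {
		return typ, "", errors.New("token outside its validity window")
	}
	switch typ {
	case TypeWithPhone:
		phone, err := openPhone(key, enc, ts)
		return typ, phone, err
	case TypeNoPhone:
		return typ, "", nil
	}
	return typ, "", errors.New("abnormal or unknown token type " + typ)
}

func main() {
	tok, _ := Issue(sharedKey, TypeWithPhone, "13800138000", time.Now(), true) // constructed sample number
	fmt.Println(Verify(sharedKey, tok, time.Now(), 5*time.Minute, true))
}
```

Verify rejects a token whose timestamp falls outside maxAge, whose type field has been altered, or whose check was computed under a different key, and returns an error rather than a phone number for the abnormal types, which is what lets the transaction server route those sessions to the browse-only page. Keeping a copy of the timestamp inside the ciphertext is also an addition: it stops an encrypted phone number captured from an old token from being spliced into a token with a fresh timestamp.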
Below in conjunction with accompanying drawing the specific embodiment of the present invention is described in further detail.
As shown in Figure 1, Fig. 1 is the structural representation of realization WAP mobile banking transaction safety control system provided by the invention, and this system comprises client terminal, WEB server, WAP portal server, WAP trading server and mobile communications operator's system equipment.Wherein, client terminal is the carrier of client access WAP Mobile banking, generally is meant mobile phone.The WEB server is used to provide the domain name addresses service, and the transaction request that is received from client terminal is forwarded to the WAP portal server.The WAP portal server, be used for after the transaction request that receives the WEB server forwards, obtaining the phone number of client terminal, and, then this handset token and transaction request are sent to the WAP trading server according to operator's cell-phone number binding relationship generation handset token.The WAP trading server is used for after receiving handset token and transaction request, the legitimacy of checking handset token, and check whether the binding information of client operator is consistent with token information, and unanimity is continuous business then; Inconsistent refusal transaction.Mobile communications operator's system equipment is used to provide interface to the WAP portal server, the WAP portal server by with the communication of mobile communications operator's system equipment, obtain client terminal phone number.
Client terminal for direct input domain name access WAP Mobile banking, described WAP portal server offers client terminal and selects operator's page, according to operator's cell-phone number binding relationship parameter, by with the communication interface of operator agreement, obtain the phone number of client terminal from mobile communications operator's system equipment, according to binding relationship with whether obtain cell-phone number information,, generate handset token according to corresponding algorithm.
For the client terminal by page link visit WAP Mobile banking of operator, described WAP portal server obtains phone number and operator's informaiton from transaction request, and generates handset token according to operator's cell-phone number binding relationship parameter.
Described WAP trading server is after the legitimacy of checking handset token, if it is legal, then whether basis is bound phone number and is provided different login pages to client terminal, after the client terminal login, the phone number information of reserving when registering according to client terminal checks whether the binding information of client operator is consistent with token information; If WAP trading server checking handset token is illegal, then refusal transaction.The binding information of checking client operator at the WAP trading server is when token information is inconsistent or checking handset token illegal and refusal are concluded the business, and client terminal can be browsed simple information page, can't conclude the business.
Based on the system of the realization WAP mobile banking transaction security control shown in Fig. 1, Fig. 2 shows the method flow diagram of realization WAP mobile banking transaction provided by the invention security control, and this method may further comprise the steps:
Step 201: client terminal proposes transaction request to the WEB server, and the WEB server is forwarded to the WAP portal server with this transaction request;
Step 202:WAP portal server is after the transaction request that receives the WEB server forwards, obtain the phone number of client terminal, and, then this handset token and transaction request are sent to the WAP trading server according to operator's cell-phone number binding relationship generation handset token;
Step 203:WAP trading server is verified the legitimacy of handset token after receiving handset token and transaction request, and checks whether the binding information of client operator is consistent with token information, if consistent, then continuous business; If inconsistent, then refusal transaction.
Client terminal described in the step 201 proposes transaction request to the WEB server, realizes by following dual mode:
Mode one, client terminal are linked to WAP Mobile banking service interface by mobile communications operator's service page, propose transaction request to the WEB server;
Mode two, client terminal are directly imported domain name access WAP Mobile banking, propose transaction request to the WEB server.
The situation of visiting WAP Mobile banking by first kind of mode for client terminal, if Carrier Requirements binding phone number, then operator is when being linked to WAP Mobile banking, and phone number is passed to WAP Mobile banking portal server in the lump with the form of parameter; If do not bind for cell-phone number binding no requirement (NR) or requirement, do not require that then operator provides phone number when chain is taken over; Wherein, described binding is meant that a phone number can only visit the WAP Mobile banking of a client terminal.
For the situation of client terminal by second way visit WAP Mobile banking, if Carrier Requirements binding, then when client terminal visit WAP Mobile banking, offer the client terminal mobile communications operator and select the page, after client terminal is selected, need bank and mobile communications operator interface by appointment to carry out the backstage communication, to obtain the phone number information of client terminal, as not obtaining phone number, then limit the access rights of client terminal, can only browsing page, can not login WAP Mobile banking; If do not require binding, then need not obtain client's phone number, the access rights of client terminal are not done control yet; If do not do requirement for whether binding, then attempt going to obtain the phone number of client terminal, can obtain then to go processing according to the flow process of normally obtaining phone number, can not obtain then and go processing according to the requirement of not binding.
The WAP portal server of step 202, after receiving the transaction request forwarded by the WEB server, obtains the phone number of the client terminal, generates a handset token according to the operator phone number binding relationship, and then sends the handset token and the transaction request to the WAP transaction server. Specifically, this comprises:
Step 1: on receiving the transaction request forwarded by the WEB server, the WAP portal server presents the operator selection page to the client terminal;
Step 2: the client terminal selects an operator;
Step 3: the WAP portal server checks the operator's phone number binding setting; if binding is required or no requirement is set, it continues with step 4; if binding is not required, it jumps to step 6;
Step 4: the WAP portal server obtains the address of the mobile communications operator's system equipment and sends a request for the client terminal's phone number. If the phone number is obtained normally, it continues with step 5. Otherwise, if the operator sets no requirement on binding, it jumps to step 6; if the operator requires binding and the phone number cannot be obtained, it generates an "abnormal phone number acquisition" token and jumps to step 7;
Step 5: the WAP portal server checks the consistency of the phone number with the operator information; if consistent, it generates a "phone number obtained normally" token, otherwise an "abnormal phone number acquisition" token, and jumps to step 7;
Step 6: where the operator does not require a bound phone number, or sets no requirement and the phone number cannot be obtained, the WAP portal server generates a "no phone number" token;
Step 7: the WAP portal server forwards the transaction request and the handset token to the WAP transaction server.
The WAP transaction server of step 203, after receiving the handset token and the transaction request, further obtains customer information. Specifically: if the token indicates that the phone number was obtained normally, it presents the client terminal with a page for entering the login password, logs the client in using the phone number and login password as the login condition, and obtains the customer information; if the token indicates abnormal phone number acquisition, it shows the client terminal the WAP bank information browsing page, restricts the client terminal from logging in to WAP mobile banking, and ends; if the token indicates no phone number, it presents a login page for entering the card number and login password, logs in with the card number and login password as the condition, and obtains the customer information.
Verifying the legitimacy of the handset token in step 203, and checking whether the client's operator binding information is consistent with the token information, specifically comprises: after obtaining the customer information, the WAP transaction server looks up the phone number the client reserved when registering for mobile banking and checks whether the operator information and binding information corresponding to that phone number are consistent with the information in the token. If consistent, the client terminal is logged in successfully and may continue with the transaction; if inconsistent, the client is told the login failed, the transaction is refused, and the client is restricted to the WAP mobile banking information browsing page.
Based on Fig. 1 and Fig. 2, the method of realizing WAP mobile banking transaction security control provided by the embodiment of the invention is now described in detail with reference to the schematic diagram of Fig. 3. The method comprises the following steps:
Step 1: the client enters the domain name on the mobile phone client terminal to access WAP mobile banking;
Step 2: the WAP mobile banking WEB server forwards the transaction request to the WAP portal server;
Step 3: on receiving the transaction request forwarded by the WEB server, the WAP portal server presents the operator selection page to the client terminal;
Step 4: the client terminal selects an operator;
Step 5: the WAP portal server checks the operator's phone number binding setting; if binding is required or no requirement is set, it continues with step 6; if binding is not required, it jumps to step 8;
Step 6: the WAP portal server obtains the address of the mobile communications operator's system equipment and sends a request for the client terminal's phone number. If the phone number is obtained normally, it continues with step 7. Otherwise, if the operator sets no requirement on binding, it jumps to step 8; if the operator requires binding and the phone number cannot be obtained, it generates an "abnormal phone number acquisition" token and jumps to step 9;
Step 7: the WAP portal server checks the consistency of the phone number with the operator information; if consistent, it generates a "phone number obtained normally" token, otherwise an "abnormal phone number acquisition" token, and jumps to step 9;
Step 8: where the operator does not require a bound phone number, or sets no requirement and the phone number cannot be obtained, the WAP portal server generates a "no phone number" token;
Step 9: the WAP portal server forwards the transaction request and the handset token to the WAP transaction server;
Step 10: after receiving the handset token and the transaction request, the WAP transaction server proceeds according to the token: if the phone number was obtained normally, it presents the client terminal with a page for entering the login password, logs in with the phone number and login password as the condition, and obtains the customer information; if the token indicates abnormal phone number acquisition, it shows the client terminal the WAP bank information browsing page, restricts the client terminal from logging in to WAP mobile banking, and ends; if the token indicates no phone number, it presents a login page for entering the card number and login password, logs in with those as the condition, and obtains the customer information;
Step 11: after obtaining the customer information, the WAP transaction server looks up the phone number the client reserved when registering for mobile banking and checks whether the operator information and binding information corresponding to that phone number are consistent with the information in the token. If consistent, the client terminal is logged in successfully and may continue with the transaction; if inconsistent, the client is told the login failed, the transaction is refused, the client is restricted to the WAP mobile banking information browsing page, and the flow ends.
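The decision logic of steps 3 to 11 above (the same logic as steps 1 to 7 of step 202 and the checks of step 203), written out as an added Python illustration. This is not ICBC's code: the policy names, the operator lookup tables standing in for the "WAP gateway IP address list" and the "phone number segment to operator correspondence list", the registration records and the sample inputs are all constructed for the example, and the no-requirement branch follows the finer split of Fig. 4 (step 406), where an inconsistent number yields a "no phone number" token rather than an abnormal one.

```python
"""Portal-side token-type decision and transaction-server binding check for the
WAP mobile banking flow (steps 3 to 11 of Fig. 3).

Added illustration, not ICBC's code. All names, tables and records below are
constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Operator binding policy ("operator phone number binding information", step 5).
BIND_REQUIRED, BIND_NOT_REQUIRED, BIND_NO_REQUIREMENT = "bind", "no_bind", "no_requirement"

# Token types the portal can issue (steps 6 to 8).
TOKEN_NORMAL = "phone_obtained"    # number obtained and consistent with the selected operator
TOKEN_ABNORMAL = "phone_abnormal"  # binding required, but number missing or inconsistent
TOKEN_NO_PHONE = "no_phone"        # no usable number and binding not required

# Constructed lookup tables standing in for the gateway IP list and the number-segment list (step 405).
GATEWAY_NETS = {"OperatorA": [ip_network("10.0.0.0/24")],
                "OperatorB": [ip_network("10.0.1.0/24")]}
NUMBER_SEGMENTS = {"OperatorA": ("1390", "1391"), "OperatorB": ("1300", "1310")}

# Constructed registration records: phone reserved at enrollment -> card and operator (step 11).
REGISTERED = {"13900000001": {"card": "6222000000000001", "operator": "OperatorA"},
              "13000000002": {"card": "6222000000000002", "operator": "OperatorB"}}


@dataclass
class HandsetToken:
    token_type: str
    operator: str
    phone: Optional[str]


def phone_matches_operator(phone: str, operator: str, gateway_ip: str) -> bool:
    """Step 7: both the number segment and the source WAP gateway must belong to the
    operator the client selected. A request arriving from an Internet address rather
    than the operator's WAP gateway fails the second test."""
    segment_ok = any(phone.startswith(p) for p in NUMBER_SEGMENTS.get(operator, ()))
    gateway_ok = any(ip_address(gateway_ip) in net for net in GATEWAY_NETS.get(operator, []))
    return segment_ok and gateway_ok


def build_token(operator: str, policy: str, phone: Optional[str], gateway_ip: str) -> HandsetToken:
    """Steps 5 to 8: derive the token type from the operator's policy and the result of
    the phone-number lookup (`phone` is None when the operator interface returned nothing)."""
    if policy == BIND_NOT_REQUIRED:                            # step 5 -> step 8
        return HandsetToken(TOKEN_NO_PHONE, operator, None)
    if phone is None:                                          # step 6, lookup failed
        if policy == BIND_NO_REQUIREMENT:
            return HandsetToken(TOKEN_NO_PHONE, operator, None)
        return HandsetToken(TOKEN_ABNORMAL, operator, None)
    if phone_matches_operator(phone, operator, gateway_ip):    # step 7
        return HandsetToken(TOKEN_NORMAL, operator, phone)
    if policy == BIND_NO_REQUIREMENT:                          # step 406 of Fig. 4
        return HandsetToken(TOKEN_NO_PHONE, operator, None)
    return HandsetToken(TOKEN_ABNORMAL, operator, None)


def login_mode(token: HandsetToken) -> str:
    """Step 10: which login page the token entitles the client terminal to."""
    return {TOKEN_NORMAL: "password_only",          # phone number + login password
            TOKEN_NO_PHONE: "card_and_password",    # card number + login password
            TOKEN_ABNORMAL: "browse_only"}[token.token_type]


def check_binding(token: HandsetToken, login_id: str) -> bool:
    """Step 11: find the phone reserved at enrollment (by phone or by card number) and require
    that its operator, and the number itself when the token carries one, match the token."""
    for phone, rec in REGISTERED.items():
        if login_id == phone or login_id == rec["card"]:
            if token.phone is not None and token.phone != phone:
                return False
            return rec["operator"] == token.operator
    return False


def process_login(token: HandsetToken, login_id: str) -> str:
    """Steps 10 and 11 together: 'browse_only', 'login_failed' or 'transaction_allowed'."""
    if login_mode(token) == "browse_only":
        return "browse_only"
    return "transaction_allowed" if check_binding(token, login_id) else "login_failed"
```

The gateway test in `phone_matches_operator` is what blocks the case the abstract is concerned with: a request that carries a valid-looking number but arrives from the public Internet instead of the operator's WAP gateway is downgraded to an abnormal token and can only browse.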
The generation and use of the handset token are described below with reference to Fig. 4 and Fig. 5.
With reference to Fig. 4, the method of generating the handset token when the client terminal accesses WAP mobile banking of the invention, taking direct entry of the domain name by the client as the example, comprises the following steps:
Step 401: the client accesses WAP mobile banking by entering the domain name directly on the mobile phone;
Step 402: the WAP portal server of WAP mobile banking prompts the client to select a mobile phone operator;
Step 403: the client selects a mobile phone operator, and the WAP portal server checks that operator's mobile banking security parameters according to the client's selection. If the operator does not require a bound phone number, the portal generates an "unbound phone number" token, forwards the request to the transaction server, and the WAP portal server flow ends. If the operator requires binding, or sets no requirement on binding, the portal sends a request to the operator to obtain the client's phone number;
Step 404: the WAP portal server checks the security parameter: if it requires a bound phone number, go to step 405; otherwise (the operator sets no requirement on binding), go to step 406;
Step 405: the WAP portal server judges from the operator's response. If the phone number was not obtained successfully from the operator, it generates an "abnormal phone number acquisition" token and the client may only browse the WAP gateway information page. If the phone number was obtained normally, it checks the consistency of the phone number with the operator (for example by matching against the "WAP gateway IP address list" and the "phone number segment to operator correspondence list"); if inconsistent, it generates an "abnormal phone number acquisition" token and the client may only browse the WAP gateway information page; if the phone number is consistent with the operator, it generates a "bound phone number" token, and the WAP portal server flow ends;
Step 406: the WAP portal server judges from the operator's response. If the phone number was not obtained from the operator, it generates a "no phone number" token. If the phone number was obtained normally, it checks the consistency of the phone number with the operator (matching against the "WAP gateway IP address list" and the "phone number segment to operator correspondence list"); if inconsistent, it generates a "no phone number" token; if the phone number is consistent with the operator, it generates a "phone number obtained" token.
With reference to Fig. 5, the method of authenticating the handset token of the invention comprises the following steps:
Step 501: the WAP portal server submits the token parameter to the transaction server. The transaction server parses the token according to the pre-agreed format, extracting the phone number, transaction time and similar fields; checks whether the time is still valid; checks that the token type matches whether a phone number was obtained; and verifies the check string with the pre-agreed algorithm. If the token is illegal, the transaction is refused;
Step 502: the transaction server shows a different login page depending on the token type: for a "no phone number" or "unbound" token, the login page for entering the card number and login password; for a token carrying a phone number or a "bound" token, the login page for entering only the login password;
Step 503: according to the client's input, the transaction server queries the customer information registered in advance at enrollment and obtains the phone number the client registered for mobile banking;
Step 504: the transaction server checks the client's operator information against the registered phone number; if inconsistent, it prompts an error and refuses the client's transaction request; if consistent, it allows the client to continue with the transaction.
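Step 501 describes the token's integrity check but leaves the format and the check-string algorithm as something the two servers agree in advance. The following added Python example (not the patent's own token) instantiates one such agreement: '|'-separated fields carrying the token type, operator, phone number and issue time, and an HMAC-SHA256 check string computed with a key shared by the portal and the transaction server. The key, the validity window and the sample values are constructed for the example.

```python
"""Handset token encoding on the portal and verification on the transaction server
(Fig. 5, step 501). Added illustration; the format, check-string algorithm, key and
validity window are assumptions, not the patent's."""
import hashlib
import hmac

SHARED_KEY = b"constructed-portal-transaction-shared-key"  # assumed; provisioned out of band in practice
TOKEN_TTL_SECONDS = 120                                      # assumed validity window for the transaction time
TOKEN_TYPES = ("phone_obtained", "no_phone", "phone_abnormal")


def make_token(token_type: str, operator: str, phone: str, issued_at: int, key: bytes = SHARED_KEY) -> str:
    """Portal side: serialise the fields and append the check string. `phone` is '' when no number was obtained."""
    body = f"{token_type}|{operator}|{phone}|{issued_at}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def verify_token(token: str, now: int, key: bytes = SHARED_KEY, ttl: int = TOKEN_TTL_SECONDS):
    """Transaction-server side. Returns (ok, reason, fields) after the step-501 checks:
    check string first (constant-time compare, so nothing is trusted before it), then
    time validity, known type, and consistency of the type with the presence of a number."""
    parts = token.split("|")
    if len(parts) != 5:
        return False, "malformed", None
    token_type, operator, phone, issued_at, mac = parts
    expected = hmac.new(key, "|".join(parts[:4]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad_check_string", None        # forged or tampered token
    if not issued_at.isdigit() or not 0 <= now - int(issued_at) <= ttl:
        return False, "expired", None                 # replayed outside the validity window
    if token_type not in TOKEN_TYPES:
        return False, "unknown_type", None
    if (token_type == "phone_obtained") != (phone != ""):
        return False, "type_mismatch", None           # e.g. a no_phone token that carries a number
    return True, "ok", {"type": token_type, "operator": operator,
                        "phone": phone or None, "issued_at": int(issued_at)}


if __name__ == "__main__":
    t = make_token("phone_obtained", "OperatorA", "13900000001", 1000)
    print(verify_token(t, 1050))   # accepted inside the window
    print(verify_token(t, 5000))   # rejected as expired
```

Because the check string covers the token type, a client that reaches the transaction server directly cannot promote a "no phone number" token to a "phone number obtained" one without the shared key, and the type-versus-number test catches a portal bug that stamps a number onto the wrong type.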
The specific embodiments described above further explain the purpose, technical solution and beneficial effects of the invention. It should be understood that they are only specific embodiments of the invention and do not limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within its scope of protection.

Claims (14)

1. A system for realizing WAP mobile banking transaction security control, characterized in that the system comprises:
a client terminal;
a WEB server, used to provide the domain name address service and to forward the transaction request received from the client terminal to the WAP portal server;
a WAP portal server, used, after receiving the transaction request forwarded by the WEB server, to obtain the phone number of the client terminal, generate a handset token according to the operator phone number binding relationship, and then send the handset token and the transaction request to the WAP transaction server;
a WAP transaction server, used, after receiving the handset token and the transaction request, to verify the legitimacy of the handset token and to check whether the client's operator binding information is consistent with the token information, continuing the transaction if consistent and refusing it if inconsistent;
mobile communications operator system equipment, used to provide an interface to the WAP portal server, through which the WAP portal server communicates with the operator system equipment to obtain the client terminal's phone number.
2. The system for realizing WAP mobile banking transaction security control according to claim 1, characterized in that the client terminal is the carrier through which the client accesses WAP mobile banking.
3. The system for realizing WAP mobile banking transaction security control according to claim 2, characterized in that the carrier through which the client accesses WAP mobile banking is a mobile phone.
4. The system for realizing WAP mobile banking transaction security control according to claim 1, characterized in that, for a client terminal that accesses WAP mobile banking by entering the domain name directly, the WAP portal server presents an operator selection page to the client terminal, obtains the client terminal's phone number from the mobile communications operator system equipment over the communication interface agreed with the operator according to the operator phone number binding relationship parameter, and generates the handset token with the corresponding algorithm according to the binding relationship and whether the phone number was obtained.
5. The system for realizing WAP mobile banking transaction security control according to claim 1, characterized in that, for a client terminal that accesses WAP mobile banking through a link on the operator's page, the WAP portal server obtains the phone number and operator information from the transaction request and generates the handset token according to the operator phone number binding relationship parameter.
6. The system for realizing WAP mobile banking transaction security control according to claim 1, characterized in that the WAP transaction server, after verifying the legitimacy of the handset token, if the token is legal, presents a different login page to the client terminal depending on whether a phone number is bound, and after the client terminal logs in checks, according to the phone number reserved when the client terminal registered, whether the client's operator binding information is consistent with the token information; if the WAP transaction server finds the handset token illegal, it refuses the transaction.
7. The system for realizing WAP mobile banking transaction security control according to claim 6, characterized in that when the WAP transaction server finds the client's operator binding information inconsistent with the token information, or finds the handset token illegal and refuses the transaction, the client terminal can browse a simple information page but cannot transact.
8. A method for realizing WAP mobile banking transaction security control, applied to the system of claim 1, characterized in that the method comprises:
the client terminal submits a transaction request to the WEB server, and the WEB server forwards the transaction request to the WAP portal server;
the WAP portal server, after receiving the transaction request forwarded by the WEB server, obtains the phone number of the client terminal, generates a handset token according to the operator phone number binding relationship, and then sends the handset token and the transaction request to the WAP transaction server;
the WAP transaction server, after receiving the handset token and the transaction request, verifies the legitimacy of the handset token and checks whether the client's operator binding information is consistent with the token information; if consistent, the transaction continues; if inconsistent, the transaction is refused.
9. The method for realizing WAP mobile banking transaction security control according to claim 8, characterized in that the client terminal submits the transaction request to the WEB server in one of the following two ways:
way one: the client terminal links to the WAP mobile banking service interface from the mobile communications operator's service page and submits the transaction request to the WEB server;
way two: the client terminal accesses WAP mobile banking by entering the domain name directly and submits the transaction request to the WEB server.
10. The method for realizing WAP mobile banking transaction security control according to claim 9, characterized in that, for a client terminal accessing WAP mobile banking in the first way, if the operator requires a bound phone number, the operator passes the phone number to the WAP mobile banking portal server as a parameter when linking to WAP mobile banking; if the operator sets no requirement on binding or does not require binding, the operator need not supply the phone number when linking; where binding means that a phone number may be used to access WAP mobile banking from only one client terminal;
for a client terminal accessing WAP mobile banking in the second way, if the operator requires binding, the client terminal is shown a mobile communications operator selection page when it accesses WAP mobile banking; after the client terminal selects an operator, the bank communicates in the background with the operator over the agreed interface to obtain the client terminal's phone number; if the phone number cannot be obtained, the client terminal's access rights are restricted so that it may only browse pages and cannot log in to WAP mobile banking; if the operator does not require binding, the client's phone number need not be obtained and the client terminal's access rights are not restricted; if the operator sets no requirement on binding, an attempt is made to obtain the client terminal's phone number, and if it is obtained processing follows the normal flow for an obtained phone number, otherwise processing follows the no-binding rule.
11. The method for realizing WAP mobile banking transaction security control according to claim 8, characterized in that the WAP portal server, after receiving the transaction request forwarded by the WEB server, obtaining the phone number of the client terminal, generating a handset token according to the operator phone number binding relationship, and then sending the handset token and the transaction request to the WAP transaction server, specifically comprises:
Step 1: on receiving the transaction request forwarded by the WEB server, the WAP portal server presents the operator selection page to the client terminal;
Step 2: the client terminal selects an operator;
Step 3: the WAP portal server checks the operator's phone number binding setting; if binding is required or no requirement is set, it continues with step 4; if binding is not required, it jumps to step 6;
Step 4: the WAP portal server obtains the address of the mobile communications operator's system equipment and sends a request for the client terminal's phone number; if the phone number is obtained normally, it continues with step 5; otherwise, if the operator sets no requirement on binding, it jumps to step 6, and if the operator requires binding and the phone number cannot be obtained, it generates an "abnormal phone number acquisition" token and jumps to step 7;
Step 5: the WAP portal server checks the consistency of the phone number with the operator information; if consistent, it generates a "phone number obtained normally" token, otherwise an "abnormal phone number acquisition" token, and jumps to step 7;
Step 6: where the operator does not require a bound phone number, or sets no requirement and the phone number cannot be obtained, the WAP portal server generates a "no phone number" token;
Step 7: the WAP portal server forwards the transaction request and the handset token to the WAP transaction server.
12. The method for realizing WAP mobile banking transaction security control according to claim 8, characterized in that the WAP transaction server further obtains customer information after receiving the handset token and the transaction request.
13. The method for realizing WAP mobile banking transaction security control according to claim 12, characterized in that the WAP transaction server obtaining customer information specifically comprises:
after receiving the handset token and the transaction request, if the token indicates that the phone number was obtained normally, the WAP transaction server presents the client terminal with a page for entering the login password, logs in with the phone number and login password as the condition, and obtains the customer information; if the token indicates abnormal phone number acquisition, it shows the client terminal the WAP bank information browsing page, restricts the client terminal from logging in to WAP mobile banking, and ends; if the token indicates no phone number, it presents a login page for entering the card number and login password, logs in with the card number and login password as the condition, and obtains the customer information.
14. The method for realizing WAP mobile banking transaction security control according to claim 8, characterized in that verifying the legitimacy of the handset token and checking whether the client's operator binding information is consistent with the token information specifically comprises:
after obtaining the customer information, the WAP transaction server looks up the phone number the client reserved when registering for mobile banking and checks whether the operator information and binding information corresponding to that phone number are consistent with the information in the token; if consistent, the client terminal is logged in successfully and may continue with the transaction; if inconsistent, the client is told the login failed, the transaction is refused, and the client is restricted to the WAP mobile banking information browsing page.
CN2008102266822A 2008-11-19 2008-11-19 System for realizing WAP mobile banking transaction security control and method thereof Active CN101448001B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008102266822A CN101448001B (en) 2008-11-19 2008-11-19 System for realizing WAP mobile banking transaction security control and method thereof

Publications (2)

Publication Number Publication Date
CN101448001A true CN101448001A (en) 2009-06-03
CN101448001B CN101448001B (en) 2012-03-21

Family

ID=40743398

Country Status (1)

Country Link
CN (1) CN101448001B (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101860824A (en) * 2010-05-06 2010-10-13 上海海基业高科技有限公司 Digital signature authentication system based on short message and digital signature method
CN102118743A (en) * 2011-03-02 2011-07-06 中兴通讯股份有限公司 Method and system for logging onto online bank with mobile phone, and bank server
CN102215227A (en) * 2011-05-30 2011-10-12 中国联合网络通信集团有限公司 Method and system for authenticating electronic commerce identity of mobile communication network
CN102404115A (en) * 2010-09-16 2012-04-04 林新格 Method for realizing bidirectional safety certification of mobile phone and server in WAP (Wireless Application Protocol) mobile phone banking system by using SD (Secure Digital Memory) card and system thereof
CN102457842A (en) * 2010-10-22 2012-05-16 中国移动通信集团宁夏有限公司 Method, device and system for transaction by mobile phone
CN103095659A (en) * 2011-11-03 2013-05-08 北京神州泰岳软件股份有限公司 Account login method and system in internet
CN103237096A (en) * 2013-04-23 2013-08-07 长春吉联科技集团有限公司 Method for registering website user name by using mobile phone number
CN103457733A (en) * 2013-08-15 2013-12-18 中电长城网际系统应用有限公司 Data sharing method and system under cloud computing environment
CN107070909A (en) * 2017-04-01 2017-08-18 广东欧珀移动通信有限公司 Method for sending information, message receiving method, apparatus and system
CN107210918A (en) * 2015-02-17 2017-09-26 维萨国际服务协会 Use the token and password of transaction-specific information
CN107864475A (en) * 2017-12-20 2018-03-30 中电福富信息科技有限公司 The quick authentication methods of WiFi based on Portal+ dynamic passwords
CN108737442A (en) * 2018-06-12 2018-11-02 北京多采多宜网络科技有限公司 A kind of cryptographic check processing method
CN112511510A (en) * 2020-11-18 2021-03-16 建信金融科技有限责任公司 Authorization authentication method, system, electronic equipment and readable storage medium
CN114390524A (en) * 2021-12-22 2022-04-22 支付宝(杭州)信息技术有限公司 Method and device for realizing one-key login service

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1661605A (en) * 2004-02-26 2005-08-31 刘�英 Mobile bank
CN1588954A (en) * 2004-07-27 2005-03-02 中国工商银行 Intelligent terminal, system including said intelligent terminal and data exchanging method
CN100382486C (en) * 2004-10-26 2008-04-16 恒生电子股份有限公司 Safety authentication method of cell phone bank system




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant