CN101448001B - System for realizing WAP mobile banking transaction security control and method thereof - Google Patents


Info

Publication number: CN101448001B
Authority: CN (China)
Prior art keywords: wap, phone number, client terminal, token, operator
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN2008102266822A
Other languages: Chinese (zh)
Other versions: CN101448001A
Inventors: 张军, 曾实, 王万芬, 曾凯
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Events: application filed by Industrial and Commercial Bank of China Ltd (ICBC); priority to CN2008102266822A; publication of CN101448001A; application granted; publication of CN101448001B; legal status Active; anticipated expiration

Landscapes

  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a system and method for realizing WAP mobile banking transaction security control. The system comprises a user terminal, a WEB server, a WAP portal server, a WAP transaction server and mobile communication operator system equipment. The WEB server provides the domain name address service and forwards transaction requests received from the user terminal to the WAP portal server; the WAP portal server obtains the mobile phone number of the user terminal, generates a handset token according to the operator's phone number binding relationship, and sends the handset token and the transaction request to the WAP transaction server; the WAP transaction server verifies the validity of the handset token and checks whether the user's operator binding information is consistent with the token information; the mobile communication operator system equipment provides an interface to the WAP portal server, and the WAP portal server obtains the phone number by communicating with it. By adopting the invention, users are prevented from accessing WAP mobile banking from the Internet, which effectively improves the security of mobile banking access.

Description

System and method for realizing WAP mobile banking transaction security control
Technical field
The present invention relates to the technical field of mobile banking, and in particular to a system and method for realizing security control of WAP mobile banking transactions.
Background art
Current WAP mobile banking generally works as follows: the bank publishes a WAP website access address, and the customer uses a mobile phone to connect to the WAP mobile banking website over GPRS or WAP at that address, browses the site or performs the related transactions.
WAP mobile banking websites in general do not strictly control whether the accessing party is a real mobile phone, and many browsers now let a user reach a WAP mobile banking website from the Internet, for example Opera.
The target customers of WAP mobile banking are mobile phone users. Limited by the diversity of handset manufacturers and models, the awkwardness of handset operation and the constraints of existing mobile networks, the security measures of existing WAP mobile banking websites are comparatively weak. For example, the password input box on the page applies no encryption control, and in the packet submitted by the page the password travels in plaintext.
If access from the Internet is not restricted, the ease of operating a computer and the reach of the Internet make it very likely that important security information of the WAP mobile banking website is stolen without authorization (for example by intercepting the packet the page sends).
There is therefore a pressing need for a security control method that blocks access to the WAP mobile banking website from the Internet and restricts customers to accessing WAP mobile banking from a mobile phone only, thereby safeguarding the security of customers' personal asset information.
Summary of the invention
(1) Technical problem to be solved
In view of this, the main purpose of the present invention is to provide a system and method for realizing WAP mobile banking transaction security control, so as to prevent customers from accessing WAP mobile banking from the Internet and effectively improve the security of mobile banking access.
(2) Technical solution
To achieve the above object, the present invention adopts the following technical solution:
A system for realizing WAP mobile banking transaction security control, comprising:
a client terminal;
a WEB server, which provides the domain name address service and forwards the transaction request received from the client terminal to the WAP portal server;
a WAP portal server, which, after receiving the transaction request forwarded by the WEB server, obtains the mobile phone number of the client terminal, generates a handset token according to the operator's phone number binding relationship, and sends the handset token together with the transaction request to the WAP transaction server;
a WAP transaction server, which, after receiving the handset token and the transaction request, verifies the legitimacy of the handset token, that is, verifies whether the verification string of the handset token is correct; if the verification string is correct, it checks whether the binding information between the customer and the operator is consistent with the token information, continuing the transaction if consistent and refusing it if inconsistent; if the verification string is incorrect, it refuses the transaction;
mobile communication operator system equipment, which provides an interface to the WAP portal server; the WAP portal server obtains the mobile phone number of the client terminal by communicating with the mobile communication operator system equipment.
In the above solution, the client terminal is the carrier through which the customer accesses WAP mobile banking, and that carrier is a mobile phone.
In the above solution, for a client terminal that accesses WAP mobile banking by directly entering the domain name, the WAP portal server presents the client terminal with an operator selection page; according to the operator's phone number binding relationship parameter, it obtains the client terminal's phone number from the mobile communication operator system equipment through the communication interface agreed with the operator, and then generates a handset token with the corresponding algorithm according to the binding relationship and whether the phone number was obtained. For a client terminal that accesses WAP mobile banking through a link on the operator's page, the WAP portal server obtains the phone number and operator information from the transaction request and generates a handset token according to the operator's phone number binding relationship parameter.
In the above solution, after verifying the legitimacy of the handset token, if the token is legitimate the WAP transaction server presents the client terminal with a different login page depending on whether the phone number is bound; after the client terminal logs in, it uses the phone number reserved when the customer registered to check whether the binding information between the customer and the operator is consistent with the token information. If the WAP transaction server finds the handset token illegitimate, it refuses the transaction.
In the above solution, when the WAP transaction server finds the binding information between the customer and the operator inconsistent with the token information, or finds the handset token illegitimate and refuses the transaction, the client terminal may browse simple information pages but cannot transact.
A method for realizing WAP mobile banking transaction security control, comprising:
the client terminal submits a transaction request to the WEB server, and the WEB server forwards the transaction request to the WAP portal server;
after receiving the transaction request forwarded by the WEB server, the WAP portal server obtains the phone number of the client terminal, generates a handset token according to the operator's phone number binding relationship, and sends the handset token together with the transaction request to the WAP transaction server;
after receiving the handset token and the transaction request, the WAP transaction server verifies the legitimacy of the handset token, that is, verifies whether the verification string of the handset token is correct; if the verification string is correct, it checks whether the binding information between the customer and the operator is consistent with the token information, continuing the transaction if consistent and refusing it if inconsistent; if the verification string is incorrect, it refuses the transaction.
In the above solution, the client terminal submits the transaction request to the WEB server in one of two ways:
Mode one: the client terminal reaches the WAP mobile banking service interface through a link on the mobile communication operator's service page and submits the transaction request to the WEB server;
Mode two: the client terminal directly enters the domain name to access WAP mobile banking and submits the transaction request to the WEB server.
In the above solution, when the client terminal accesses WAP mobile banking in the first way: if the operator requires phone number binding, the operator passes the phone number to the WAP portal server as a parameter when linking to WAP mobile banking; if the operator has no requirement on binding, or requires no binding, the operator is not required to supply the phone number when linking. Here, binding means that one phone number may access the WAP mobile banking of only one customer;
when the client terminal accesses WAP mobile banking in the second way: if the operator requires binding, the client terminal is presented with a mobile communication operator selection page when it accesses WAP mobile banking; after the selection, the phone number of the client terminal is obtained by background communication over the interface agreed between the bank and the mobile communication operator; if the phone number cannot be obtained, the client terminal's access rights are restricted so that it may only browse pages and cannot log in to WAP mobile banking. If binding is not required, the customer's phone number need not be obtained and the client terminal's access rights are not controlled. If there is no requirement on binding, an attempt is made to obtain the client terminal's phone number; if it is obtained, processing follows the normal flow for an obtained phone number, otherwise processing follows the no-binding case.
In the above solution, the WAP portal server, after receiving the transaction request forwarded by the WEB server, obtains the phone number of the client terminal, generates a handset token according to the operator's phone number binding relationship, and sends the handset token together with the transaction request to the WAP transaction server; specifically:
Step 1: after receiving the transaction request forwarded by the WEB server, the WAP portal server presents the client terminal with an operator selection page;
Step 2: the client terminal selects an operator;
Step 3: the WAP portal server checks the operator's phone number binding relationship; if binding is required or there is no requirement, it continues with step 4; if no binding is required, it jumps to step 6. Here, binding means that one phone number may access the WAP mobile banking of only one customer;
Step 4: the WAP portal server obtains the address of the mobile communication operator system equipment and sends a request for the client terminal's phone number. If the phone number is obtained normally, it continues with step 5; otherwise, if the operator has no requirement on phone number binding, it jumps to step 6; if the operator requires binding and the phone number cannot be obtained, it generates a phone-number-acquisition-exception token and jumps to step 7;
Step 5: the WAP portal server checks that the phone number is consistent with the operator information; if consistent, it generates a phone-number-obtained token; if inconsistent, it generates a phone-number-acquisition-exception token; then it jumps to step 7;
Step 6: where the operator requires no binding, or has no requirement on binding and the phone number could not be obtained, the WAP portal server generates a no-phone-number token;
Step 7: the WAP portal server forwards the transaction request and the handset token to the WAP transaction server.
In the above solution, after receiving the handset token and the transaction request, the WAP transaction server further obtains the customer information, specifically: if the token is a phone-number-obtained token, it presents the client terminal with a login password entry page and logs the customer in with the phone number and login password, obtaining the customer information; if the token is a phone-number-acquisition-exception token, it shows the client terminal the WAP bank information browsing page, prevents the client terminal from logging in to WAP mobile banking, and ends; if the token is a no-phone-number token, it presents the client terminal with a login page for entering the card number and login password, and logs the customer in with the card number and login password, obtaining the customer information.
In the above solution, the step of verifying the legitimacy of the handset token and checking whether the binding information between the customer and the operator is consistent with the token information comprises the following. Verifying the legitimacy of the handset token: the WAP portal server submits the token parameter to the WAP transaction server; the WAP transaction server, according to the agreed token format, extracts the phone number and the transaction time information and checks whether the time is still valid; matches the token type against whether a phone number was extracted; verifies the verification string with the agreed algorithm; and refuses the transaction if the token is illegitimate. Checking whether the binding information between the customer and the operator is consistent with the token information: the customer's operator information is checked according to the registered phone number; if inconsistent, an error is prompted and the customer's transaction request is refused; if consistent, the customer is allowed to continue the transaction.
(3) Beneficial effects
From the above technical solution it can be seen that the present invention has the following beneficial effects:
1. The system and method for realizing WAP mobile banking transaction security control provided by the invention can prevent customers from accessing WAP mobile banking from the Internet, effectively improving the security of mobile banking access.
2. The system and method provided by the invention effectively control the problem of Internet access to WAP mobile banking, reducing the possibility of brute-forcing WAP mobile banking, and in particular mobile banking passwords, from a computer and the Internet, which are far easier to operate for that purpose than a handset.
3. The system and method provided by the invention, through uniqueness control of the WAP mobile banking entry point combined with the phone number binding scheme, ensure that a customer can access WAP mobile banking only from his or her own mobile phone, greatly improving the security of WAP mobile banking.
4. The system and method provided by the invention are equally applicable to WAP mobile banking B2C shopping.
Description of the drawings
Fig. 1 is a structural schematic of the system for realizing WAP mobile banking transaction security control provided by the invention;
Fig. 2 is a flowchart of the method for realizing WAP mobile banking transaction security control provided by the invention;
Fig. 3 is a schematic of the realization of WAP mobile banking transaction security control according to an embodiment of the invention;
Fig. 4 is a flowchart of the method by which a handset token is generated when a client terminal of the invention accesses WAP mobile banking;
Fig. 5 is a flowchart of the method by which the invention verifies and processes the handset token.
Embodiments
To make the object, technical solution and advantages of the present invention clearer, the invention is further explained below through specific embodiments and with reference to the accompanying drawings.
To control and restrict customers from accessing WAP mobile banking from the Internet, the uniqueness of the WAP mobile banking access address must first be controlled. For mobile banking this means inspection control of WAP mobile banking access that guarantees every request reaches the WAP transaction server only through the WAP portal server, so that customers accessing from the Internet are refused.
To restrict customers to accessing WAP mobile banking from a mobile phone only, obtaining the customer's phone number is the key, because a customer who accesses WAP mobile banking from the Internet has no phone number that can be obtained. The customer's real phone number can only be obtained in cooperation with the mobile communication operator: when the customer accesses WAP mobile banking with a mobile phone, the operator passes the customer's information, such as the phone number, to the WAP mobile banking website.
Customers access WAP mobile banking mainly in two ways:
The first is through the mobile communication operator's service page, which links to the bank's WAP mobile banking service interface.
The second is the customer directly entering the domain name to access WAP mobile banking.
To obtain the customer's phone number, the bank and the mobile communication operator first reach an agreement that states whether WAP mobile banking requires the phone number binding restriction (that is, one phone number may access the WAP mobile banking of only one customer), and a security parameter recording whether the operator requires phone number binding is preset, with the values: bind, do not bind, no requirement.
When the customer accesses WAP mobile banking in the first way: if the operator requires phone number binding, the operator is required to pass the phone number to the WAP portal server as a parameter when linking to the WAP bank website; if the operator has no requirement on binding, or requires no binding, the operator is not required to supply the phone number when linking.
When the customer accesses WAP mobile banking in the second way: if the operator requires binding, the customer is presented with a mobile communication operator selection page on accessing WAP mobile banking; after the customer selects, the customer's phone number is obtained by background communication over the interface agreed between the bank and the mobile communication operator; if the phone number cannot be obtained, the customer's access rights are restricted (the customer may only browse pages and cannot log in to WAP mobile banking). If no binding is required, the customer's phone number need not be obtained and the customer's access rights are not controlled. If there is no requirement on binding, an attempt is made to obtain the customer's phone number; if it is obtained, processing follows the normal flow for an obtained phone number, otherwise processing follows the no-binding case.
At the same time, a WAP gateway IP address list and a table mapping phone number segments to operators are established in the bank's system.
Through the "WAP gateway IP address list", the bank can judge whether the address from which the customer's phone number was obtained from the operator is the address agreed with the operator, limiting the source addresses from which phone number information is accepted.
Through the "phone number segment to operator mapping table", the customer's operator can be determined from the phone number.
After the operator has returned the customer's phone number and other information, the "phone number segment to operator mapping table" is used to judge whether the customer's mobile communication operator is consistent with the operator selected on the page; if inconsistent, an error is reported. The address from which the information was returned is checked against the "WAP gateway IP address list"; if it does not match, an error is reported and the transaction is refused.
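The two bank-side checks described above, written out in Go as an added example; this is not code from the patent or from ICBC. The number segments, operator names and gateway addresses are constructed for illustration and are not real operator assignments. Longest-prefix matching of the segment table and stripping a +86 country code are assumptions, since the page does not say how the table is keyed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// Constructed lookup data standing in for the two bank-side tables the page requires.
// Prefixes, operator names and addresses are illustrative, not real assignments.
var (
	// "phone number segment to operator" table, keyed by leading digits.
	segmentToOperator = map[string]string{
		"134": "OperatorA", "135": "OperatorA", "139": "OperatorA",
		"130": "OperatorB", "131": "OperatorB", "132": "OperatorB",
		"133": "OperatorC", "189": "OperatorC",
		"1349": "OperatorD", // a 4-digit segment carved out of a 3-digit one
	}
	// "WAP gateway IP address list": per operator, the ranges agreed for returning numbers.
	gatewayAllowlist = map[string][]string{
		"OperatorA": {"10.0.0.172/32", "10.0.0.200/32"},
		"OperatorB": {"10.10.10.0/24"},
		"OperatorC": {"10.20.0.0/16"},
		"OperatorD": {"10.30.1.1/32"},
	}
)

var (
	ErrUnknownSegment   = errors.New("phone number segment not in operator table")
	ErrOperatorMismatch = errors.New("operator derived from number segment differs from operator selected on page")
	ErrUntrustedSource  = errors.New("phone number returned from an address outside the agreed WAP gateway list")
)

// OperatorOfNumber maps a phone number to its operator by the longest matching
// segment. Stripping a +86 country code is an assumption of this example.
func OperatorOfNumber(phone string) (string, error) {
	phone = strings.TrimPrefix(strings.TrimSpace(phone), "+86")
	if len(phone) != 11 || strings.Trim(phone, "0123456789") != "" {
		return "", errors.New("malformed phone number")
	}
	for l := len(phone); l > 0; l-- {
		if op, ok := segmentToOperator[phone[:l]]; ok {
			return op, nil
		}
	}
	return "", ErrUnknownSegment
}

// FromAgreedGateway reports whether remoteAddr lies in one of the CIDR ranges
// agreed with the given operator.
func FromAgreedGateway(operator, remoteAddr string) bool {
	ip := net.ParseIP(remoteAddr)
	if ip == nil {
		return false
	}
	for _, cidr := range gatewayAllowlist[operator] {
		if _, network, err := net.ParseCIDR(cidr); err == nil && network.Contains(ip) {
			return true
		}
	}
	return false
}

// CheckOperatorResponse applies the two checks the page performs once the operator
// has returned a number: the segment-derived operator must equal the operator the
// customer selected, and the response must come from an agreed gateway address.
func CheckOperatorResponse(selectedOperator, phone, remoteAddr string) error {
	derived, err := OperatorOfNumber(phone)
	if err != nil {
		return err
	}
	if derived != selectedOperator {
		return ErrOperatorMismatch
	}
	if !FromAgreedGateway(selectedOperator, remoteAddr) {
		return ErrUntrustedSource
	}
	return nil
}

func main() {
	cases := []struct{ op, phone, addr string }{
		{"OperatorA", "13912345678", "10.0.0.172"},  // consistent, trusted source
		{"OperatorB", "13912345678", "10.10.10.5"},  // wrong operator selected on page
		{"OperatorA", "13912345678", "203.0.113.9"}, // not an agreed gateway
		{"OperatorD", "13491234567", "10.30.1.1"},   // 4-digit segment wins over 134
	}
	for _, c := range cases {
		fmt.Printf("%s %s from %s: %v\n", c.op, c.phone, c.addr, CheckOperatorResponse(c.op, c.phone, c.addr))
	}
}
```

The order of the two checks matters little for the outcome, but the source-address check is the one that stops a party on the Internet from simply posting a well-formed number to the portal: a matching segment proves nothing about who sent it.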
The uniqueness control of the transaction entry point and the control of obtaining the customer's phone number described above are both carried out at the WAP mobile banking portal server. The WAP portal server mainly offers the customer the browsing of some static pages, while all WAP mobile banking transactions are completed at the WAP mobile banking transaction server. To ensure that every transaction is under the control of the security restrictions, it must be ensured that every transaction is forwarded to the WAP transaction server through the WAP portal server.
To this end, the present invention adds the design of a handset token. When a client terminal accesses WAP mobile banking, the WAP portal server, according to whether the customer's operator requires phone number binding and whether the customer's phone number was obtained, generates tokens of different types by a defined algorithm and forwards them to the WAP transaction server together with the customer's transaction request. On receiving the transaction request the WAP transaction server first checks the token information: if the check passes the transaction proceeds, if not the server directly refuses to continue the transaction.
The token is designed as follows:
The handset token format may be: token type | phone number | timestamp | verification string
Token type: two digit characters; 00 indicates that the token carries no phone number, 01 indicates that the token carries a phone number; 70 to 99 are used to indicate exceptions.
Phone number: when the token carries a phone number, the encrypted phone number is inserted. The encryption may take phone number + current server time as the subject string and apply an encryption algorithm (for example 3DES) with a key configured on both the WAP portal and the WAP transaction platform, yielding the encrypted string.
Timestamp: yyyyMMddHHmmss, the current server time at which the token is generated; the token is valid only within a specific time window.
Verification string: the preceding parameters are concatenated into one string and a cryptographic computation, for example MD5, is applied to it, the resulting digest serving as the verification string.
(Note: only when the phone number is obtained from the operator does the token contain phone number information; in all other cases only a token without a phone number can be generated.)
After the token verifies successfully, for an operator that requires phone number binding the phone number serves as the customer's login ID and the customer is required to enter the login password and a verification code (captcha) to complete login. For an operator that does not require binding, the customer is required to enter the login card number, password and verification code to complete login. After login to WAP mobile banking, the transaction server retrieves the phone number reserved when the customer opened mobile banking, determines from that number the operator information and whether binding is required, and checks whether these are consistent with the transaction information selected by the customer at the portal and with the token information; only after this verification succeeds does the customer enter the handset transaction functions. (Note: in general, binding the phone number is a security requirement from the bank side, but the communication operator may not require phone number binding; in that case users of that operator cannot be prevented from accessing the bank's WAP mobile banking from the Internet.)
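An added example, not code from the patent or from ICBC, of both ends of the handset token in Go: the portal issues a token in the page's format (token type | phone number | timestamp | verification string) for each combination of binding parameter and obtained number (steps 3 to 7 above), and the transaction server performs the checks the page lists: verification string, validity window, token type against the phone field, and decryption of the phone number. Two deliberate departures from the text, both marked in the code: the phone field is encrypted with 3DES in CTR mode from Go's standard library under a random IV, and the verification string is an HMAC-SHA256 under a key shared by the two servers rather than a bare MD5 digest, because a digest that contains no secret can be recomputed by anyone who knows the format, which defeats the token's purpose of proving that the request passed through the portal. The exception code 70, the five-minute window, the keys and the sample number are assumptions.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"strings"
	"time"
)

// Token type codes from the page: 00 no phone number, 01 phone number present, 70..99
// exceptions (using 70 for "number could not be obtained" is an assumption). The
// binding parameter values are the page's bind / do not bind / no requirement.
const (
	TypeNoPhone, TypeWithPhone, TypePhoneError = "00", "01", "70"
	Bind, NoBind, NoRequirement                = "bind", "nobind", "norequirement"
	tsLayout                                   = "20060102150405" // yyyyMMddHHmmss
)

// Secrets configured on both portal and transaction platform (constructed for this example).
var (
	encKey       = []byte("0123456789abcdef01234567") // 24-byte 3DES key
	macKey       = []byte("portal-transaction-shared-mac-key")
	ErrException = errors.New("exception token: browsing only, login refused")
)

// encryptPhone: 3DES-CTR over phone+timestamp (the page's "phone number + server current
// time" subject string) with a random IV prepended, hex encoded.
func encryptPhone(phone, ts string) (string, error) {
	blk, err := des.NewTripleDESCipher(encKey)
	if err != nil { return "", err }
	buf := make([]byte, des.BlockSize+len(phone)+len(ts))
	if _, err := rand.Read(buf[:des.BlockSize]); err != nil { return "", err }
	cipher.NewCTR(blk, buf[:des.BlockSize]).XORKeyStream(buf[des.BlockSize:], []byte(phone+ts))
	return hex.EncodeToString(buf), nil
}

// decryptPhone reverses encryptPhone; the timestamp inside the plaintext must equal the token's.
func decryptPhone(field, ts string) (string, error) {
	raw, err := hex.DecodeString(field)
	blk, err2 := des.NewTripleDESCipher(encKey)
	if err != nil || err2 != nil || len(raw) < des.BlockSize+len(ts) { return "", errors.New("bad phone field") }
	pt := make([]byte, len(raw)-des.BlockSize)
	cipher.NewCTR(blk, raw[:des.BlockSize]).XORKeyStream(pt, raw[des.BlockSize:])
	if !strings.HasSuffix(string(pt), ts) { return "", errors.New("phone field does not belong to this token") }
	return strings.TrimSuffix(string(pt), ts), nil
}

// mac is the verification string: HMAC-SHA256 under the shared key in place of the page's
// unkeyed MD5 digest, which anyone who knows the format could recompute.
func mac(body string) string {
	m := hmac.New(sha256.New, macKey)
	m.Write([]byte(body))
	return hex.EncodeToString(m.Sum(nil))
}

// IssueToken is the portal side (steps 3 to 7): the binding parameter and whether the
// operator returned a number decide the token type.
func IssueToken(binding, phone string, now time.Time) (string, error) {
	ts, typ, field := now.Format(tsLayout), TypeNoPhone, ""
	switch {
	case binding == NoBind: // step 3 -> step 6: operator does not bind, no lookup at all
	case phone != "": // step 5: number obtained and consistent with the operator
		enc, err := encryptPhone(phone, ts)
		if err != nil { return "", err }
		typ, field = TypeWithPhone, enc
	case binding == Bind: // step 4: binding required but the number could not be obtained
		typ = TypePhoneError
	} // NoRequirement without a number falls through to a no-phone token (step 6)
	body := typ + "|" + field + "|" + ts
	return body + "|" + mac(body), nil
}

// VerifyToken is the transaction server side: verification string, validity window, then
// token type against the phone field. Both servers must use the same time zone, since the
// page's timestamp format carries none.
func VerifyToken(token string, now time.Time, window time.Duration) (typ, phone string, err error) {
	p := strings.Split(token, "|")
	if len(p) != 4 { return "", "", errors.New("malformed token") }
	if !hmac.Equal([]byte(mac(p[0]+"|"+p[1]+"|"+p[2])), []byte(p[3])) {
		return "", "", errors.New("verification string incorrect")
	}
	issued, err := time.ParseInLocation(tsLayout, p[2], now.Location())
	if age := now.Sub(issued); err != nil || age < 0 || age > window {
		return "", "", errors.New("timestamp invalid or outside validity window")
	}
	code, cerr := strconv.Atoi(p[0])
	switch {
	case p[0] == TypeWithPhone && p[1] != "":
		phone, err = decryptPhone(p[1], p[2])
		return p[0], phone, err
	case p[0] == TypeNoPhone && p[1] == "":
		return p[0], "", nil
	case cerr == nil && len(p[0]) == 2 && code >= 70 && code <= 99 && p[1] == "":
		return p[0], "", ErrException
	}
	return "", "", errors.New("token type does not match phone field")
}
```

A caller on the transaction server maps the three outcomes of VerifyToken onto the three login pages the page describes: a type 01 result carries the decrypted number to use as login ID, a type 00 result leads to the card-number login page, and ErrException leaves the customer on the information browsing page. Checking the verification string before anything else means a token forged from the Internet is rejected without the server ever parsing attacker-controlled fields.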
Do further to specify below in conjunction with the accompanying drawing specific embodiments of the invention.
As shown in Figure 1, Fig. 1 is the structural representation of realization WAP mobile banking transaction safety control system provided by the invention, and this system comprises client terminal, WEB server, WAP portal server, WAP trading server and mobile communications operator's system equipment.Wherein, client terminal is the carrier of client access WAP Mobile banking, generally is meant mobile phone.The WEB server is used to provide the domain name addresses service, and the transaction request that is received from client terminal is forwarded to the WAP portal server.The WAP portal server; Be used for after the transaction request that receives the WEB server forwards, obtaining the phone number of client terminal; And, then this handset token and transaction request are sent to the WAP trading server according to operator's cell-phone number binding relationship generation handset token.The WAP trading server is used for after receiving handset token and transaction request, the legitimacy of checking handset token, and whether the inspection client is consistent with binding information and token information between the operator, unanimity is continuous business then; Inconsistent refusal transaction.Mobile communications operator's system equipment is used to provide interface to the WAP portal server, the WAP portal server through with the communication of mobile communications operator's system equipment, obtain the phone number of client terminal.
Client terminal for direct input domain name access WAP Mobile banking; Said WAP portal server offers client terminal and selects operator's page, according to operator's cell-phone number binding relationship parameter, through with the communication interface of operator's agreement; Obtain the phone number of client terminal from mobile communications operator's system equipment; According to binding relationship with whether obtain cell-phone number information,, generate handset token according to corresponding algorithm.
For the client terminal through page link visit WAP Mobile banking of operator, said WAP portal server obtains phone number and operator's informaiton from transaction request, and generates handset token according to operator's cell-phone number binding relationship parameter.
Said WAP trading server is after the legitimacy of checking handset token; If it is legal; Then whether basis is bound phone number and to client terminal different login pages is provided; After the client terminal login, the phone number information of reserving when register according to client terminal checks whether the client is consistent with binding information and token information between the operator; If WAP trading server checking handset token is illegal, then refusal transaction.Binding information between WAP trading server inspection client and operator is when token information is inconsistent or checking handset token illegal and refusal are concluded the business, and client terminal can be browsed simple information page, can't conclude the business.
Based on the system of the realization WAP mobile banking transaction security control shown in Fig. 1, Fig. 2 shows the method flow diagram of realization WAP mobile banking transaction provided by the invention security control, and this method may further comprise the steps:
Step 201: client terminal proposes transaction request to the WEB server, and the WEB server is forwarded to the WAP portal server with this transaction request;
Step 202:WAP portal server is after the transaction request that receives the WEB server forwards; Obtain the phone number of client terminal; And, then this handset token and transaction request are sent to the WAP trading server according to operator's cell-phone number binding relationship generation handset token;
Step 203:WAP trading server after receiving handset token and transaction request, the legitimacy of checking handset token, and whether the inspection client consistent with binding information and token information between the operator, if unanimity, then continuous business; If inconsistent, then refusal transaction.
Client terminal described in the step 201 proposes transaction request to the WEB server, realizes through following dual mode:
Mode one, client terminal are linked to WAP Mobile banking service interface through mobile communications operator's service page, propose transaction request to the WEB server;
Mode two, client terminal are directly imported domain name access WAP Mobile banking, propose transaction request to the WEB server.
The situation of visiting WAP Mobile banking through first kind of mode for client terminal, if Carrier Requirements is bound phone number, then operator passes to the WAP portal server with phone number with the form of parameter in the lump when being linked to WAP Mobile banking; Perhaps require not bind if bind no requirement (NR), do not require that then operator provides phone number when chain is taken over for cell-phone number; Wherein, said binding is meant that a phone number can only visit the WAP Mobile banking of a client terminal.
For the situation of client terminal through second way visit WAP Mobile banking, if the Carrier Requirements binding, then when client terminal visit WAP Mobile banking; Offer the client terminal mobile communications operator and select the page; Client terminal needs bank and mobile communications operator interface by appointment to carry out the backstage communication, to obtain the phone number information of client terminal after selecting; As can not obtain phone number; Then limit the access rights of client terminal, can only browsing page, can not login WAP Mobile banking; If do not require binding, then need not obtain client's phone number, the access rights of client terminal are not done control yet; If do not do requirement for whether binding, then attempt going to obtain the phone number of client terminal, can obtain then to go processing according to the flow process of normally obtaining phone number, can not obtain then and go processing according to the requirement of not binding.
In step 202, after receiving the transaction request forwarded by the WEB server, the WAP portal server obtains the client terminal's phone number, generates a handset token according to the operator's phone-number binding relationship, and sends the handset token and the transaction request to the WAP trading server. In detail:
Step 1: on receiving the transaction request forwarded by the WEB server, the WAP portal server shows the client terminal an operator selection page;
Step 2: the client terminal selects an operator;
Step 3: the WAP portal server checks the operator's phone-number binding information; if binding is required or no requirement is made, continue with step 4; if binding is not required, jump to step 6;
Step 4: the WAP portal server obtains the address of the mobile operator's system equipment and sends a request for the client terminal's phone number. If the phone number is obtained normally, continue with step 5. Otherwise, if the operator makes no requirement on binding, jump to step 6; if binding is required and the phone number cannot be obtained, generate a "phone number obtained abnormally" token and jump to step 7;
Step 5: the WAP portal server checks the phone number for consistency with the operator information; if consistent, it generates a "phone number obtained normally" token, if inconsistent, a "phone number obtained abnormally" token; then jump to step 7;
Step 6: when the operator does not bind phone numbers, or does not require binding and the phone number cannot be obtained, the WAP portal server generates a "no phone number" token;
Step 7: the WAP portal server forwards the transaction request and the handset token information to the WAP trading server.
In step 203, after receiving the handset token and the transaction request, the WAP trading server further obtains the customer information, as follows: if the token is a "phone number obtained normally" token, the trading server shows the client terminal a page for entering the login password, logs the client in on the phone number and login password, and obtains the customer information; if the token is a "phone number obtained abnormally" token, the trading server shows the client terminal the WAP bank information browsing page, the client terminal is prevented from logging in to WAP mobile banking, and processing ends; if the token is a "no phone number" token, the trading server shows a login page for entering the card number and login password, logs the client in on the card number and login password, and obtains the customer information.
Verifying the legitimacy of the handset token in step 203, and checking whether the binding information between the client and the operator is consistent with the token information, proceeds as follows: after obtaining the customer information, the WAP trading server looks up the phone number the client reserved when registering for mobile banking and checks whether the operator information and binding information corresponding to that phone number are consistent with the information in the token. If consistent, the client terminal's login succeeds and the transaction continues; if inconsistent, the client is told that login failed, the transaction is refused, and the client is restricted to browsing the WAP mobile banking information page.
Building on Fig. 1 and Fig. 2, the schematic of WAP mobile banking transaction security control according to an embodiment of the invention is now described in detail with reference to Fig. 3. The method comprises the following steps:
Step 1: the client enters the domain name on the mobile phone client terminal to access WAP mobile banking;
Step 2: the WAP mobile banking Web server forwards the transaction request to the WAP portal server;
Step 3: on receiving the transaction request forwarded by the WEB server, the WAP portal server shows the client terminal an operator selection page;
Step 4: the client terminal selects an operator;
Step 5: the WAP portal server checks the operator's phone-number binding information; if binding is required or no requirement is made, continue with step 6; if binding is not required, jump to step 8;
Step 6: the WAP portal server obtains the address of the mobile operator's system equipment and sends a request for the client terminal's phone number. If the phone number is obtained normally, continue with step 7. Otherwise, if the operator makes no requirement on binding, jump to step 8; if binding is required and the phone number cannot be obtained, generate a "phone number obtained abnormally" token and jump to step 9;
Step 7: the WAP portal server checks the phone number for consistency with the operator information; if consistent, it generates a "phone number obtained normally" token, if inconsistent, a "phone number obtained abnormally" token; then jump to step 9;
Step 8: when the operator does not bind phone numbers, or does not require binding and the phone number cannot be obtained, the WAP portal server generates a "no phone number" token;
Step 9: the WAP portal server forwards the transaction request and the handset token to the WAP trading server;
Step 10: after receiving the handset token and the transaction request, the WAP trading server proceeds by token type: for a "phone number obtained normally" token, it shows the client terminal a page for entering the login password, logs the client in on the phone number and login password, and obtains the customer information; for a "phone number obtained abnormally" token, it shows the client terminal the WAP bank information browsing page, the client terminal is prevented from logging in to WAP mobile banking, and processing ends; for a "no phone number" token, it shows a login page for entering the card number and login password, logs the client in on the card number and login password, and obtains the customer information;
Step 11: after obtaining the customer information, the WAP trading server looks up the phone number the client reserved when registering for mobile banking and checks whether the operator information and binding information corresponding to that phone number are consistent with the information in the token. If consistent, the client terminal's login succeeds and the transaction continues; if inconsistent, the client is told that login failed, the transaction is refused, the client is restricted to browsing the WAP mobile banking information page, and processing ends.
The generation and use of the handset token are now introduced with reference to Fig. 4 and Fig. 5.
With reference to Fig. 4, the method of generating the handset token when the client terminal accesses WAP mobile banking, taking direct entry of the domain name by the client as the example, comprises the following steps:
Step 401: the client enters the domain name directly on the mobile phone to access WAP mobile banking;
Step 402: the WAP portal server of WAP mobile banking prompts the client to select a mobile operator;
Step 403: the client selects a mobile operator; based on the client's selection, the WAP portal server checks the operator's mobile banking security parameter. If the operator requires that phone numbers not be bound, the portal server generates an "unbound phone number" token, forwards the request to the trading server, and the portal server flow ends; if the operator requires binding or makes no requirement either way, the portal server sends a request to the operator to obtain the client's phone number;
Step 404: the WAP portal server checks the security parameter; if it requires phone-number binding, go to step 405; otherwise (the operator makes no requirement on phone-number binding), go to step 406;
Step 405: the WAP portal server decides from the operator's reply. If the phone number was not successfully obtained from the operator, it generates a "phone number obtained abnormally" token and the client may only browse the WAP gateway information page. If the phone number was obtained normally, it checks the phone number for consistency with the operator (for example, by matching the "WAP gateway IP address list" and the "mapping of phone-number segments to operators"); if inconsistent, it generates a "phone number obtained abnormally" token and the client may only browse the WAP gateway information page; if the phone number is consistent with the operator, it generates a "bound phone number" token and the portal server flow ends;
Step 406: the WAP portal server decides from the operator's reply. If the phone number was not obtained from the operator, it generates a "no phone number" token. If the phone number was obtained normally, it checks the phone number for consistency with the operator (matching the "WAP gateway IP address list" and the "mapping of phone-number segments to operators"); if inconsistent, it generates a "no phone number" token; if the phone number is consistent with the operator, it generates a "phone number obtained" token.
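The portal-side decision of steps 403 to 406 (the same logic as step 202 and steps 5 to 8 of Fig. 3), written out as an added worked example; this is not code from the patent or from the applicant. The binding requirement, the token type names, the gateway network table and the phone-number-segment table are all assumed placeholders constructed for the example, and the patent does not say how the two lists are combined, so the consistency check here simply requires that both the gateway's owner and the number segment's owner equal the operator the client selected.

```python
import ipaddress
from enum import Enum
from typing import Optional


class Binding(Enum):
    """Operator's phone-number binding requirement (the 'security parameter' of step 404)."""
    REQUIRED = "required"
    NOT_REQUIRED = "not_required"
    NO_REQUIREMENT = "no_requirement"


class TokenType(Enum):
    UNBOUND = "unbound"                 # step 403: operator requires no binding, no lookup made
    BOUND_PHONE = "bound_phone"         # step 405: binding required, phone obtained and consistent
    PHONE_ABNORMAL = "phone_abnormal"   # step 405: binding required, phone missing or inconsistent
    NO_PHONE = "no_phone"               # step 406: no requirement, phone missing or inconsistent
    PHONE_OBTAINED = "phone_obtained"   # step 406: no requirement, phone obtained and consistent


# Constructed sample reference tables (assumed placeholders, not the bank's real lists):
# the "WAP gateway IP address list" and the "phone-number segment to operator" mapping.
GATEWAY_NETWORKS = {
    "OperatorA": [ipaddress.ip_network("10.1.0.0/16")],
    "OperatorB": [ipaddress.ip_network("10.2.0.0/16")],
}
PREFIX_TO_OPERATOR = {"138": "OperatorA", "139": "OperatorA", "130": "OperatorB"}


def operator_from_gateway(gateway_ip: str) -> Optional[str]:
    """Which operator owns the WAP gateway the request arrived through."""
    addr = ipaddress.ip_address(gateway_ip)
    for operator, networks in GATEWAY_NETWORKS.items():
        if any(addr in net for net in networks):
            return operator
    return None


def operator_from_phone(phone: str) -> Optional[str]:
    """Which operator the phone number's segment (first three digits) belongs to."""
    return PREFIX_TO_OPERATOR.get(phone[:3])


def phone_consistent(phone: str, gateway_ip: str, selected_operator: str) -> bool:
    """Consistency check of steps 405/406: the gateway and the number segment must both
    point at the operator the client selected (assumed way of combining the two lists)."""
    return (operator_from_gateway(gateway_ip) == selected_operator
            and operator_from_phone(phone) == selected_operator)


def choose_token_type(binding: Binding, selected_operator: str,
                      phone: Optional[str], gateway_ip: str) -> TokenType:
    """Portal decision of steps 403-406. `phone` is the operator's reply to the
    phone-number request; None means the number could not be obtained."""
    if binding is Binding.NOT_REQUIRED:          # step 403: unbound token, no lookup at all
        return TokenType.UNBOUND
    consistent = phone is not None and phone_consistent(phone, gateway_ip, selected_operator)
    if binding is Binding.REQUIRED:              # step 405
        return TokenType.BOUND_PHONE if consistent else TokenType.PHONE_ABNORMAL
    return TokenType.PHONE_OBTAINED if consistent else TokenType.NO_PHONE  # step 406


if __name__ == "__main__":
    # A client on OperatorA's gateway, with an OperatorA number, where binding is required.
    print(choose_token_type(Binding.REQUIRED, "OperatorA", "13800001234", "10.1.7.9"))
```

The two failure modes the text singles out, a number that could not be obtained and a number whose segment or gateway disagrees with the selected operator, both collapse to the restrictive token for the operator's binding mode, so the trading server never has to re-derive the portal's reasoning.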
With reference to Fig. 5, the method of verifying the handset token comprises the following steps:
Step 501: the WAP portal server submits the token parameter to the trading server. The trading server parses the token according to the pre-agreed format, extracts the phone number, the transaction time and the other fields, checks whether the time is still valid, matches the token type against whether a phone number was obtained, and verifies the checking string with the pre-agreed algorithm; if the token is illegal, the transaction is refused;
Step 502: the trading server shows a different login page according to the token type: for a "no phone number" or "unbound" token, a login page for entering the card number and login password; for a token that carries a phone number or is bound, a login page for entering the login password only;
Step 503: from the client's input, the trading server queries the customer information registered in advance and obtains the phone number the client registered for mobile banking;
Step 504: the client's operator information is checked against the registered phone number; if inconsistent, an error is shown and the client's transaction request is refused; if consistent, the client is allowed to continue the transaction.
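The trading-server side of Fig. 5, steps 501 to 504, as an added worked example that is not code from the patent or from the applicant. The patent only says that the token is parsed "according to a pre-agreed format" and that the checking string is verified by a "pre-agreed algorithm", so the pipe-separated format, the HMAC-SHA256 checking string, the shared key, the five-minute validity window and the rule that a phone-bearing token must name the registered number are all assumptions of this example; the token type names follow Fig. 4.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Token types that carry a phone number and those that do not (names follow Fig. 4).
PHONE_TYPES = {"bound_phone", "phone_obtained"}
NO_PHONE_TYPES = {"unbound", "no_phone"}
BROWSE_ONLY_TYPES = {"phone_abnormal"}


class TokenError(Exception):
    """Raised when the token is illegal; the trading server refuses the transaction."""


def _checking_string(key: bytes, fields: list) -> str:
    # Assumed "pre-agreed algorithm": HMAC-SHA256 over the pipe-joined fields.
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def make_token(key: bytes, token_type: str, phone: str, operator: str, issued_at: int) -> str:
    """Portal side: serialize type, phone, operator and transaction time (Unix seconds),
    then append the checking string. Assumed format: type|phone|operator|time|mac."""
    fields = [token_type, phone, operator, str(issued_at)]
    return "|".join(fields + [_checking_string(key, fields)])


@dataclass
class TokenInfo:
    token_type: str
    phone: str
    operator: str
    issued_at: int


def verify_token(key: bytes, token: str, now: int, max_age: int = 300) -> TokenInfo:
    """Step 501: parse by the agreed format, verify the checking string, check the time,
    and match the token type against phone presence. Any failure raises TokenError."""
    parts = token.split("|")
    if len(parts) != 5:
        raise TokenError("malformed token")
    token_type, phone, operator, ts, mac = parts
    # Verify the checking string before trusting any other field; constant-time compare.
    if not hmac.compare_digest(_checking_string(key, parts[:4]), mac):
        raise TokenError("checking string incorrect")
    try:
        issued_at = int(ts)
    except ValueError:
        raise TokenError("bad transaction time") from None
    if not 0 <= now - issued_at <= max_age:          # assumed five-minute validity window
        raise TokenError("token expired or from the future")
    if token_type in PHONE_TYPES and not phone:
        raise TokenError("phone-bearing token without a phone number")
    if token_type in NO_PHONE_TYPES and phone:
        raise TokenError("no-phone token carries a phone number")
    if token_type not in PHONE_TYPES | NO_PHONE_TYPES | BROWSE_ONLY_TYPES:
        raise TokenError("unknown token type")
    return TokenInfo(token_type, phone, operator, issued_at)


def login_page_for(token_type: str) -> str:
    """Step 502: which login page the trading server shows for a legal token."""
    if token_type in BROWSE_ONLY_TYPES:
        return "browse_only"                     # may not log in at all
    if token_type in NO_PHONE_TYPES:
        return "card_number_and_password"
    return "password_only"


def transaction_allowed(info: TokenInfo, registered_phone: str, prefix_to_operator: dict) -> bool:
    """Steps 503-504: compare the phone number reserved at registration, and the operator
    that number's segment belongs to, with the token. Inconsistent means refuse."""
    if info.token_type in BROWSE_ONLY_TYPES:
        return False
    if prefix_to_operator.get(registered_phone[:3]) != info.operator:
        return False
    if info.phone and info.phone != registered_phone:   # assumed: bound number must match
        return False
    return True


if __name__ == "__main__":
    key = b"constructed-shared-secret"             # placeholder shared between portal and trading server
    tok = make_token(key, "bound_phone", "13800001234", "OperatorA", 1_700_000_000)
    info = verify_token(key, tok, now=1_700_000_100)
    print(login_page_for(info.token_type),
          transaction_allowed(info, "13800001234", {"138": "OperatorA"}))
```

Verifying the checking string before reading the time or type means that a modified phone number, operator or timestamp is rejected as "illegal" in step 501 regardless of what it was changed to, which is the property the token relies on when it crosses from the portal server to the trading server.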
The specific embodiments described above further explain the objects, technical solution and advantages of the invention. It should be understood that they are merely specific embodiments of the invention and do not limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within its scope of protection.

Claims (14)

1. A system for realizing WAP mobile banking transaction security control, characterized in that the system comprises:
a client terminal;
a WEB server, used to provide the domain name address service and to forward the transaction request received from the client terminal to the WAP portal server;
a WAP portal server, used, after receiving the transaction request forwarded by the WEB server, to obtain the phone number of the client terminal, generate a handset token according to the operator's phone-number binding relationship, and send the handset token and the transaction request to the WAP trading server;
a WAP trading server, used, after receiving the handset token and the transaction request, to verify the legitimacy of the handset token, that is, to verify whether the checking string of the handset token is correct; if the checking string is correct, to check whether the binding information between the client and the operator is consistent with the token information, continuing the transaction if consistent and refusing it if inconsistent; and to refuse the transaction if the checking string is incorrect;
mobile communications operator system equipment, used to provide an interface to the WAP portal server, through which the WAP portal server communicates with the operator system equipment to obtain the phone number of the client terminal.
2. The system for realizing WAP mobile banking transaction security control according to claim 1, characterized in that the client terminal is the carrier through which the client accesses WAP mobile banking.
3. The system for realizing WAP mobile banking transaction security control according to claim 2, characterized in that the carrier through which the client accesses WAP mobile banking is a mobile phone.
4. The system for realizing WAP mobile banking transaction security control according to claim 1, characterized in that, for a client terminal that accesses WAP mobile banking by entering the domain name directly, the WAP portal server shows the client terminal an operator selection page; according to the operator's phone-number binding relationship parameter, it obtains the phone number of the client terminal from the mobile communications operator's system equipment through the communication interface agreed with the operator; and, according to the binding relationship and whether the phone number was obtained, it generates the handset token with the corresponding algorithm.
5. The system for realizing WAP mobile banking transaction security control according to claim 1, characterized in that, for a client terminal that accesses WAP mobile banking through a link on the operator's page, the WAP portal server obtains the phone number and the operator information from the transaction request and generates the handset token according to the operator's phone-number binding relationship parameter.
6. The system for realizing WAP mobile banking transaction security control according to claim 1, characterized in that, after verifying the legitimacy of the handset token, if the token is legal, the WAP trading server shows the client terminal a different login page according to whether the phone number is bound; after the client terminal logs in, the WAP trading server checks, according to the phone number reserved when the client terminal registered, whether the binding information between the client and the operator is consistent with the token information; if the WAP trading server finds the handset token illegal, it refuses the transaction.
7. The system for realizing WAP mobile banking transaction security control according to claim 6, characterized in that, when the WAP trading server finds that the binding information between the client and the operator is inconsistent with the token information, or finds the handset token illegal and refuses the transaction, the client terminal may browse simple information pages but cannot transact.
8. A method for realizing WAP mobile banking transaction security control, applied to the system of claim 1, characterized in that the method comprises:
the client terminal submits a transaction request to the WEB server, and the WEB server forwards the transaction request to the WAP portal server;
after receiving the transaction request forwarded by the WEB server, the WAP portal server obtains the phone number of the client terminal, generates a handset token according to the operator's phone-number binding relationship, and sends the handset token and the transaction request to the WAP trading server;
after receiving the handset token and the transaction request, the WAP trading server verifies the legitimacy of the handset token, that is, verifies whether the checking string of the handset token is correct; if the checking string is correct, it checks whether the binding information between the client and the operator is consistent with the token information, continuing the transaction if consistent and refusing it if inconsistent; if the checking string is incorrect, it refuses the transaction.
9. the method for realization WAP mobile banking transaction according to claim 8 security control is characterized in that said client terminal proposes transaction request to the WEB server, realizes through following dual mode:
Mode one, client terminal are linked to WAP Mobile banking service interface through mobile communications operator's service page, propose transaction request to the WEB server;
Mode two, client terminal are directly imported domain name access WAP Mobile banking, propose transaction request to the WEB server.
10. the method for realization WAP mobile banking transaction according to claim 9 security control; It is characterized in that; The situation of visiting WAP Mobile banking through first kind of mode for client terminal; If Carrier Requirements is bound phone number, then operator passes to the WAP portal server with phone number with the form of parameter in the lump when being linked to WAP Mobile banking; Perhaps require not bind if bind no requirement (NR), do not require that then operator provides phone number when chain is taken over for cell-phone number; Wherein, said binding is meant that a phone number can only visit the WAP Mobile banking of a client terminal;
For the situation of client terminal through second way visit WAP Mobile banking, if the Carrier Requirements binding, then when client terminal visit WAP Mobile banking; Offer the client terminal mobile communications operator and select the page; Client terminal needs bank and mobile communications operator interface by appointment to carry out the backstage communication, to obtain the phone number information of client terminal after selecting; As can not obtain phone number; Then limit the access rights of client terminal, can only browsing page, can not login WAP Mobile banking; If do not require binding, then need not obtain client's phone number, the access rights of client terminal are not done control yet; If do not do requirement for whether binding, then attempt going to obtain the phone number of client terminal, can obtain then to go processing according to the flow process of normally obtaining phone number, can not obtain then and go processing according to the requirement of not binding.
11. the method for realization WAP mobile banking transaction according to claim 8 security control; It is characterized in that; Said WAP portal server obtains the phone number of client terminal after the transaction request that receives the WEB server forwards, and generates handset token according to operator's cell-phone number binding relationship; Then this handset token and transaction request are sent to the WAP trading server, specifically comprise:
Step 1:WAP portal server offers client terminal operator and selects the page after the transaction request that receives the WEB server forwards;
Step 2: client terminal is selected operator;
Step 3:WAP portal server inspection operator cell-phone number binding relationship if require to bind or no requirement (NR) continuation execution in step 4, if require not bind, jumps to step 6; Wherein, said binding is meant that a phone number can only visit the WAP Mobile banking of a client terminal;
Step 4:WAP portal server is obtained mobile communications operator's system equipment address, sends the phone number of acquisition request client terminal, if normally obtain the phone number of client terminal; Then continue step 5; Otherwise, if binding no requirement (NR) to phone number, operator jumps to step 6, requirement is bound and can not be obtained phone number; The unusual token of phone number is obtained in generation, jumps to step 7;
The consistency of step 5:WAP portal server inspection phone number and operator's informaiton, the consistent generation normally obtained the phone number token, and the unusual token of phone number is obtained in inconsistent generation, jumps to step 7;
Step 6: do not bind cell-phone number for Carrier Requirements, and do not require the situation of binding cell-phone number and can't obtain cell-phone number, the WAP portal server generates no cell-phone number token;
Step 7:WAP portal server is forwarded to the WAP trading server with transaction request and handset token.
12. the method for realization WAP mobile banking transaction according to claim 8 security control is characterized in that said WAP trading server further comprises: the WAP trading server obtains customer information after receiving handset token and transaction request.
13. the method for realization WAP mobile banking transaction according to claim 12 security control is characterized in that said WAP trading server obtains customer information, specifically comprises:
The WAP trading server if normally obtain the phone number token, offers the client terminal input login password page after receiving handset token and transaction request, be the condition login with phone number and login password, obtains customer information; If obtain the unusual token of phone number, be shown to client terminal WAP bank information browsing pages, the restriction client terminal can not be logined WAP Mobile banking, finishes; If there is not the cell-phone number token, offer the login page of client terminal input card number, login password, login as condition with card number and login password and obtain customer information.
14. the method for realization WAP mobile banking transaction according to claim 8 security control is characterized in that,
The legitimacy of said checking handset token also checks that whether consistent the legitimacy of checking handset token in binding information and token information between client and the operator the step comprise: the WAP portal server is submitted the token parameter to the WAP trading server; WAP trading server token form according to a preconcerted arrangement; Get phone number, exchange hour information; Whether the review time is effective, and according to whether getting phone number coupling token type, whether proof of algorithm checking string according to a preconcerted arrangement is correct; If illegal, the refusal transaction;
Whether consistent the legitimacy of said checking handset token also check in binding information and token information between client and the operator the step binding information between the inspection client and operator and token information consistent comprising whether: check client's operator's informaiton according to the registration phone number; If it is inconsistent; The prompting mistake; The request of refusal client trading, unanimity then allows client's continuous business.
CN2008102266822A 2008-11-19 2008-11-19 System for realizing WAP mobile banking transaction security control and method thereof Active CN101448001B (en)

Publications (2)

Publication Number Publication Date
CN101448001A CN101448001A (en) 2009-06-03
CN101448001B true CN101448001B (en) 2012-03-21

Family

ID=40743398

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101860824B (en) * 2010-05-06 2013-06-12 上海海基业高科技有限公司 Digital signature authentication system based on short message and digital signature method
CN102404115A (en) * 2010-09-16 2012-04-04 林新格 Method for realizing bidirectional safety certification of mobile phone and server in WAP (Wireless Application Protocol) mobile phone banking system by using SD (Secure Digital Memory) card and system thereof
CN102457842B (en) * 2010-10-22 2015-08-19 中国移动通信集团宁夏有限公司 A kind of transaction by mobile phone, Apparatus and system
CN102118743A (en) * 2011-03-02 2011-07-06 中兴通讯股份有限公司 Method and system for logging onto online bank with mobile phone, and bank server
CN102215227A (en) * 2011-05-30 2011-10-12 中国联合网络通信集团有限公司 Method and system for authenticating electronic commerce identity of mobile communication network
CN103095659B (en) * 2011-11-03 2016-01-20 北京神州泰岳软件股份有限公司 Account logon method and system in a kind of the Internet
CN103237096B (en) * 2013-04-23 2017-08-29 长春吉联科技集团有限公司 A kind of method of use cell-phone number registration of website user
CN103457733B (en) * 2013-08-15 2016-12-07 中电长城网际系统应用有限公司 A kind of cloud computing environment data sharing method and system
EP3767877B1 (en) 2015-02-17 2022-05-11 Visa International Service Association Token and cryptogram using transaction specific information
CN107070909A (en) * 2017-04-01 2017-08-18 广东欧珀移动通信有限公司 Method for sending information, message receiving method, apparatus and system
CN107864475B (en) * 2017-12-20 2021-05-28 中电福富信息科技有限公司 WiFi (Wireless Fidelity) shortcut authentication method based on Portal + dynamic password
CN108737442B (en) * 2018-06-12 2019-05-10 北京多采多宜网络科技有限公司 A kind of cryptographic check processing method
CN112511510B (en) * 2020-11-18 2022-09-30 中国建设银行股份有限公司 Authorization authentication method, system, electronic equipment and readable storage medium
CN114390524B (en) * 2021-12-22 2024-04-23 支付宝(杭州)信息技术有限公司 Method and device for realizing one-key login service

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1588954A (en) * 2004-07-27 2005-03-02 中国工商银行 Intelligent terminal, system including said intelligent terminal and data exchanging method
CN1601960A (en) * 2004-10-26 2005-03-30 杭州恒生电子股份有限公司 Safety authentication method of cell phone bank system
CN1820280A (en) * 2004-02-26 2006-08-16 黄华龙 Mobile bank system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant