JP2005339472A - Ic card system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an IC card system to prevent the unauthorized use of use terminals that are illegally acquired, such as stolen ones. <P>SOLUTION: A terminal management server 1a, a use terminal 3 and an IC card 4 share a terminal negation list, an operation stopped terminal list and an operation stopped terminal deletion list. The lists are always updated and managed so as to be the latest ones. The use terminal 3 determines whether or not its terminal identification information 3f is included in the received terminal negation list 3h. If included, the use terminal 3 abandons secret information 3g and stops its operations to prevent the following unauthorized use of the use terminal 3. Thereby, the leakage of secret information and the unauthorized use of IC cards can be prevented beforehand. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to an IC card system that enjoys various products and services using an IC card having an electronic value such as electronic money, electronic tickets, and the like, and more specifically, fraudulent use terminals used when using an IC card. The present invention relates to an IC card system provided with means for preventing use.

In recent years, IC cards whose security and information processing capabilities are much higher than conventional magnetic cards are in widespread use, and various IC card systems using these IC cards have been put into practical use.
This type of IC card system is constructed, for example, as a cashless system. Normally, a user terminal that exchanges information with an IC card issues an electronic value such as electronic money and writes it to the IC card (charge). Largely between charge terminals and payment terminals that make payments by sending and receiving various information including electronic value and user personal information in contact or non-contact with IC cards when purchasing goods and services. Separately, each special machine and those equipped with both functions are provided.

By the way, the charge terminal and the payment terminal are installed at a plurality of stores and system operation bases where an unspecified number of people come and go, and are constantly exposed to dangers such as theft of terminals and unauthorized issuance of IC cards.
Therefore, various conventional techniques have been proposed as measures for preventing these frauds. For example, in Patent Document 1 described later, an electronic value issuing device (charge terminal) is provided with electronic value information (electronic data) on a user's IC card. Issuance manager IC card ID and issuance serial number (electronic value issuance order information) are embedded in the IC card, and the issuance manager IC card ID and issuance serial number are sent to the electronic value management apparatus. In addition, when the electronic value issuing device is lost, stolen, etc., the electronic value management device retrieves the maximum value of the issuance manager IC card ID and the issuing serial number and manages it as a black list (negative list). When the card is used by the electronic value receiving device (payment terminal), the issue manager IC card ID embedded in the IC card is blacklisted. If the recorded serial number is greater than the maximum value, the IC card is determined to have been issued after the electronic value issuing device has been lost or stolen, and fraud is detected. A value distribution management system is disclosed.

Japanese Patent Laid-Open No. 2003-150886 (claims 1, 2, paragraph [0006], FIG. 1, etc.)

According to the prior art described in Patent Document 1, it is possible to detect an illegally issued electronic value or IC card, but the subsequent electronic value of the electronic value issuing device that has been stolen, lost, etc. Unauthorized issuance and unauthorized use cannot be stopped.
In addition, the electronic value receiving device and the electronic value management device must always hold a large amount of information as a black list, and there are problems such as insufficient memory capacity and a long search time when using an IC card. There was also a risk that time payment could not be made.

  Accordingly, the problem to be solved by the present invention is to stop unauthorized issuance and unauthorized use of electronic value by a user terminal that has been illegally acquired due to theft or the like, and further reduce the amount of stored information such as a blacklist to reduce memory capacity and search time. It is to provide an IC card system that enables the above.

In order to solve the above-described problem, an IC card system according to claim 1 transfers data between an electronic value management server that manages the distribution of electronic value and the management server, and between the IC card and the IC card. In an IC card system comprising a use terminal for sending and receiving electronic value and the IC card,
The electronic value management server includes a means for storing a terminal negative list including identification information of a use terminal in which unauthorized use is detected, and a means for distributing the terminal negative list to the use terminal.
The using terminal discards the confidential information held by itself when the terminal negative list includes the terminal negative list received from the electronic value management server and the terminal negative list includes its own terminal identification information, and stops its own operation. Means.

The IC card system according to claim 2 is an electronic value management server that manages the distribution of electronic value, and uses that exchanges data with the management server and also exchanges electronic value with the IC card. In an IC card system comprising a terminal and the IC card,
The IC card includes means for storing a terminal negative list including identification information of a use terminal in which unauthorized use is detected, and means for transmitting the terminal negative list to the use terminal.
Means for storing the terminal negative list received from the IC card, means for discarding confidential information held by the terminal when the terminal negative list includes its own terminal identification information, and stopping its own operation; , With.

  An IC card system according to a third aspect is the IC card system according to the second aspect, wherein when the terminal negative list received by the user terminal from the IC card is stored, the terminal negative list is newer than the terminal negative list held by the user terminal. The terminal negative list held by the using terminal is updated with the terminal negative list received from the card.

  The IC card system according to claim 4 is the IC card system according to claim 2, wherein the terminal negative list received by the using terminal from the IC card is compared with its own terminal negative list, and its own terminal negative list is newer than the terminal negative list received from the IC card. In this case, the terminal negative list is distributed to the IC card.

  The IC card system according to claim 5 is the IC card system according to any one of claims 1 to 4, wherein the use terminal stores an operation stop terminal list indicating operation stop of the use terminal including itself, and the self operation The electronic value management server includes means for notifying the electronic value management server of the stop information, and the electronic value management server includes means for storing the operation stop information of the use terminal as an operation stop terminal list.

  The IC card system according to claim 6 is the IC card system according to any one of claims 1 to 5, wherein the use terminal stores an operation stop terminal list indicating operation stop of the use terminal including itself, and the self operation The IC card is provided with means for transmitting stop information to the IC card, and the IC card is provided with means for storing operation stop information of the use terminal as an operation stop terminal list.

  The IC card system according to claim 7 is characterized in that, in claim 6, the use terminal can transmit the operation stop terminal list to the IC card even after the operation stop of the use terminal.

  The IC card system according to claim 8 is the IC card system according to claim 6 or 7, wherein the use terminal has operation stop information that is not in the operation stop terminal list held by itself in the operation stop terminal list received from the IC card. In some cases, there is provided means for adding the operation stop information to the operation stop terminal list held by itself.

  The IC card system according to claim 9 is the IC card system according to claim 6, 7 or 8, wherein the use terminal is not in the operation stop terminal list received from the IC card, but is the operation stop terminal list held by itself. It is determined whether or not there is operation stop information in the case, and if there is, means for adding the operation stop information to the operation stop terminal list of the IC card is provided.

  The IC card system according to claim 10 is the IC card system according to claim 5, wherein the electronic value management server deletes information on the use terminal related to the operation stop terminal from the terminal negative list using the operation stop information received from the use terminal. Means are provided.

  The IC card system according to claim 11 is the IC card system according to any one of claims 5 to 10, wherein the electronic value management server includes means for distributing the operation stop terminal list to the use terminals.

The IC card system according to claim 12 is the IC card system according to any one of claims 5 to 11, wherein the electronic value management server deletes information related to the predetermined operation stop terminal from the operation stop terminal list collected from the use terminal. A means for distributing the operation suspension terminal deletion list to the use terminals,
The use terminal determines whether there is information related to the operation stop terminal in the operation stop terminal list held by itself in the received operation stop terminal deletion list and the received operation stop terminal deletion list, In some cases, there are provided means for deleting information related to the operation stop terminal from the operation stop terminal list held by itself and means for distributing the operation stop terminal deletion list of the self to the IC card.

The IC card system according to claim 13 is the IC card according to claim 12, wherein the IC card stores the operation stop terminal deletion list distributed from the use terminal and the operation stop terminal deletion list held by the IC card. And means for delivering to
When the received terminal deletion list is newer than the operation stop terminal deletion list held by the user terminal, a means for updating its own operation stop terminal deletion list, Means to distribute its own suspended terminal deletion list to the IC card when it is newer than the received suspended terminal deletion list, and to stop the suspended terminal list held by itself in the updated suspended terminal deletion list Means for determining whether or not there is information relating to the terminal, and in such a case, deleting the information relating to the operation stop terminal from the operation stop terminal list held by itself.

  The IC card system according to claim 14 is the IC card system according to any one of claims 1 to 13, wherein the electronic value management server detects an unauthorized use terminal based on information indicating that the use terminal has been stolen or lost. To do.

  The IC card system according to claim 15 is the IC card system according to any one of claims 1 to 13, wherein the electronic value management server has means for managing the charge and settlement status of the electronic value by the IC card and the use terminal as a detailed list. And detecting an unauthorized use terminal based on the specification list.

According to the present invention, since the terminal negative list indicating the user terminal illegally acquired due to theft, loss or the like is transmitted to the user terminal via the electronic value management server or the IC card, the user terminal identifies its own terminal. The information is compared with the terminal negative list to recognize that it is an unauthorized terminal. In this way, the use terminal that recognizes itself as an unauthorized use terminal discards the private secret information held by itself and stops its own operation, so that the IC card using the terminal thereafter is used. Unauthorized use can be prevented in advance.
Further, the use terminal can keep the operation stop information based on unauthorized use in the system always up-to-date by transmitting its own operation stop information to the electronic value management server and the IC card. At the same time, if the electronic value management server has a function of deleting information related to the suspended terminal from the terminal negative list using the suspended terminal list, the amount of stored information can be reduced to reduce the memory capacity, It is possible to shorten the processing time by shortening the search time at the time of settlement.
In addition, by distributing information such as terminal negative list, operation stop terminal list, operation stop terminal deletion list, etc. to the use terminal via the IC card, the stand-alone use terminal installed in an environment that cannot be connected to the network. Can also share the above various information.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
First, FIG. 1 is an overall configuration diagram of an IC card system according to this embodiment. This IC card system is configured across an electronic value management center 10 that manages the distribution of IC cards and a plurality of terminal installation bases 20 and 20 'such as stores where IC cards are used. The electronic value management server 1 installed in the network, the network 2, the use terminal 3 provided in the terminal installation bases 20 and 20 ', and the IC card 4 used by the user.
The terminal installation base 20 is a base where the use terminal 3 is connected to the network 2, and the terminal installation base 20 ′ is a stand-alone type base where the use terminal 3 is not connected to the network 2.

The electronic value management server 1 includes a terminal management server 1a and a detail list management server 1b, and is connected to the network 2 respectively.
The terminal management server 1a is suspected of unauthorized use due to reasons such as inconsistency in increase / decrease in electronic value as a result of scrutinizing the usage list that has been confirmed to have been lost or stolen, and the detailed list. Terminal negative lists (blacklists) for terminals that have been determined to be present (hereinafter, these terminals are collectively referred to as unauthorized terminals) and operation stops for terminals that have been suspended and included in this terminal negative list A computer system for creating and managing a terminal list, and further, an operation terminal deletion list that lists the use terminals to be deleted from the operation terminal list, and includes a database for storing these lists. .
Here, as will be described later, the operation stop terminal deletion list is a list of user terminals to be deleted from the operation stop terminal list via the IC card 4 to the use terminal 3 of the stand-alone type terminal installation base 20 ′. Acts as a notification.
The detail list management server 1b is a computer system that manages the usage history (date and time, amount, etc.) of charging and settlement of electronic value as a detail list, and includes a database that stores the detail list. The detail list management server 1b can have a function of managing the account balance of the user.

The network 2 includes various communication lines such as a public line and a dedicated line, and the Internet, LAN, WAN, or the like can be used.
Note that data may be exchanged between the electronic value management center 10 and the user terminal 3 using various electronic recording media instead of the communication via the network 2. For example, a so-called rootman may exchange information between the electronic value management center 10 and the user terminal 3 using a PDA or the like. In the following, description will be given assuming communication using the network 2 according to the illustrated example.

The usage terminal 3 is a terminal having either or both of an electronic value charging function and a payment function. In the embodiment of FIG. 1, the usage terminal 3 has both a charging function by the charging means 3d and a payment function by the electronic value payment means 3c. It is represented as a terminal.
As will be described in detail later, the usage terminal 3 includes a center communication unit 3a, an unauthorized use detection unit 3b, an electronic value settlement unit 3c that settles electronic value, a charging unit 3d that charges the IC card 4 with electronic value, and an IC card. 4 is provided with a card communication means 3e for communicating with 4. Further, terminal identification information 3f, secret information 3g, terminal negative list 3h, operation stop terminal list 3i, detail list 3j, and operation stop terminal deletion list 3k are stored and stored in a memory (not shown).

  In the case where the use terminal 3 is a charge terminal, the electronic value settlement means 3c among the means shown in FIG. 1 is not necessary, and in the case where the use terminal 3 is a settlement terminal, FIG. Of each means, the charging means 3d becomes unnecessary.

  The IC card 4 includes a CPU, a memory, and the like in an IC chip, and includes a card communication unit 4a, an unauthorized use detection unit 4b, an electronic value settlement unit 4c, and a charging unit 4d that are controlled or executed by the CPU. Also issued to the memory from card identification information 4e such as user ID, secret information 4f such as account information, terminal negative list 4g, operation stop terminal list 4h, detail list 4i, operation stop terminal deletion list 4k, use terminal 3 The electronic value 4j for storing the electronic money and the electronic ticket that have been stored is stored.

Next, each means which comprises the utilization terminal 3 and the IC card 4 is demonstrated. 2A shows the hardware configuration of the user terminal 3 in the terminal installation base 20 connected to the network 2, and FIG. 2B is a block diagram showing the hardware configuration of the IC card 4. Hereinafter, in FIG. The functions of the user terminal 3 and the IC card 4 in the terminal installation base 20 will be described as compared with FIGS. 2A and 2B as needed.
First, in FIG. 1, the center communication means 3a in the use terminal 3 performs encrypted communication of various data between the use terminal 3 and the electronic value management center 10 (terminal management server 1a and detail list management server 1b). Used when.
The card communication unit 3e is used when various types of data are encrypted and communicated with the card communication unit 4a of the IC card 4 in a wireless format.
In FIG. 2A, the control unit 301 includes a CPU, an MPU, a memory, and the like. The control unit 301 controls the network communication unit 309 and the cryptographic processing unit 310 for realizing the center communication unit 3a, and An IC card R / W (read / write) unit 313 (consisting of an R / W control unit 314 and an RF (wireless communication) unit 315), an encryption processing unit 310, and an authentication processing unit 311 for realizing the card communication means 3e. Control etc.

The unauthorized use detection means 3b in the use terminal 3 in FIG. 1 has a tamper resistant function and an encryption function.
Here, the tamper resistant function is stored in such a way that information stored in the memory of the user terminal 3 is erased / invalidated or cannot be used even if physical tampering (memory modification or the like) is applied. This is a function that keeps confidentiality. The encryption function is a function for performing encrypted communication of all data between the electronic value management center 10 and the use terminal 3 and between the use terminal 3 and the IC card 4. The unauthorized use detection unit 3b is realized by the tamper resistance detection unit 312, the encryption processing unit 311 and the control unit 301 in FIG. 2A.
The unauthorized use detection means 4b in the IC card 4 shown in FIG. 1 also has the same tamper resistance function and encryption function as described above, and this unauthorized use detection means 4b has the tamper resistance function in the IC chip 401 in FIG. 2B. This is realized by the detection unit 404, the encryption processing unit 403, the CPU 402, and the like.

The electronic value settlement means 3c in the use terminal 3 in FIG. 1 has a function of performing settlement of purchased products, services, etc. for the electronic value 4j in the IC card 4 and updating the history of the detail list 3j. The electronic value settlement means 4c in the card 4 has a function of rewriting the electronic value 4j or updating the history of the detail list 4i according to the amount paid.
Here, the electronic value settlement means 3c in the use terminal 3 also has a function of transmitting the updated detail list 3j to the detail list management server 1b of the electronic value management center 10 via the center communication means 3a at the time of settlement. Yes.
The settlement means 3c is realized by the control unit 301 and the IC card R / W unit 313 in FIG. 2A, and the settlement means 4c is realized by the RF unit 406, the CPU 402, the memory 405, etc. in FIG. 2B. .

The charging means 3d of the user terminal 3 in FIG. 1 operates to charge the user's desired amount to the electronic value 4j of the IC card 4 via the card communication means 3e. The charging means 4d of the IC card 4 is means for rewriting the electronic value 4j according to the amount charged from the use terminal 3.
That is, when the user instructs the electronic value to be charged by setting the IC card 4 in the use terminal 3 installed in the store or the like, the charging means 3d of the use terminal 3 receives the detailed list via the center communication means 3a. The management server 1b is requested to charge a predetermined electronic value, and the electronic value issued by the detailed list management server 1b is charged as the electronic value 4j of the IC card 4 via the card communication means 3e, 4a and the charging means 4d. .

The charging means 3d is realized by the deposit / withdrawal processing unit 303, the control unit 301, the IC card R / W unit 313, etc. in FIG. 2A, and the deposit / withdrawal processing unit 303 includes the banknote deposit / withdrawal port 304, the banknote withdrawal / withdrawal. A mouth 305, a bill discriminating unit 306, a bill safe 307, and a control unit 308 are provided. The deposit / withdrawal processing unit 303 is used when charging the IC card 4 using cash (banknotes), and is not necessary when charging the IC card 4 via the network 2. .
The charging unit 4d is realized by the RF unit 406, the CPU 402, the memory 405, and the like in FIG. 2B.
In FIG. 2A, reference numeral 302 denotes a display operation unit for performing various input operations when the IC card 4 is used or charged, a keyboard KB, a switch SW, and a liquid crystal display LCD, 316 is input / output data, etc. Data management unit 317 for printing a receipt / transaction statement 318 issued to the user, 319 for a maintenance unit for self-diagnosis for the purpose of maintenance of the user terminal 3, and 320 for each unit It is a power supply part which supplies.

Next, each information held in the use terminal 3 and the IC card 4 in FIG. 1 will be described with reference to the format examples in FIGS. 3A to 3H.
The terminal identification information 3f (FIG. 3A) of the use terminal 3 includes a terminal ID (terminal serial number, production date and time, manufacturer code) for identifying the use terminal 3, an operator code, a district code, a store code, and an in-store number The card identification information 4e (FIG. 3F) of the IC card 4 includes a card ID (card serial number, issue date / time, issuer code), manufacturing date / time for specifying the IC card 4. This is unique identification information consisting of a manufacturer code.
The secret information 3g, 4f of the use terminal 3 and the IC card 4 is non-public information for performing communication between the use terminal 3 and the IC card 4 at the time of charge or settlement, and the secret of the use terminal 3 The information 3g (FIG. 3B) includes a card access memory code indicating a memory to be accessed during communication with the IC card 4, an authentication key, and the number of blocks in the memory, and the secret information 4f (FIG. 3G) of the IC card 4 is In addition to the card access memory code, authentication key, and number of blocks, it consists of data such as account number and address, name, gender, age, and contact information, which are personal information of the user.

The terminal negative lists 3h and 4g (FIG. 3C) of the use terminal 3 and the IC card 4 store the illegal use terminals distributed from the terminal management server 1a of the electronic value management center 10 as a list. It consists of an ID and a negative list addition date. The operation stop terminal lists 3i and 4h (FIG. 3D) store operation stop terminals distributed from the terminal management server 1a as a list, and are composed of a terminal ID, a negative list addition date and time, and an operation stop date and time.
The detailed lists 3j and 4i (FIG. 3E) of the use terminal 3 and the IC card 4 are lists in which details of electronic value charging and settlement are recorded. For example, in the case of an electronic money system, terminal transactions It consists of serial number, type (increase: charge and subtraction: payment), transaction amount, usage date, card ID, card transaction serial number, pre-transaction card balance, and post-transaction card balance.
The use terminal 3 and IC card 4 operation stop terminal deletion lists 3k and 4k (FIG. 3H) are used from the operation stop terminal list by the terminal management server 1a among the use terminals managed as operation stop terminals by the terminal management server 1a. This is a list of terminals that are determined to be deleted. These operation stop terminal deletion lists 3k and 4k are composed of a deletion list version, a terminal ID, and a list addition date and time.

Next, an outline of a method for using the IC card system according to this embodiment will be described.
First, when the user sets the IC card 4 in the usage terminal 3 and performs a charging operation, the charging means 3d and 4d of the usage terminal 3 and the IC card 4 give a predetermined amount of electronic value to the electronic value 4j of the IC card 4. Issued against.
The electronic value charge history described above is recorded by updating the detail lists 3j and 4i in the use terminal 3 and the IC card 4.
Further, since the updated detail list 3j of the use terminal 3 is sent to the detail list management server 1b via the network 2 and stored in the database, the electronic value management center 10 charges the electronic value of the user. The situation can be grasped.
Note that the communication operations between the user terminal 3 and the IC card 4 and between the user terminal 3 and the electronic value management center 10 are mainly performed by the control unit 301, the IC card R / R in FIG. The W unit 313, the encryption processing unit 310, the authentication processing unit 311, the network communication unit 309, the RF unit 406, the CPU 402, the encryption processing unit 403, etc. in FIG. 2B are used. Further, a receipt / transaction statement 318 is issued to the user by the printing unit 317 of FIG.

Next, when a user purchases a product or service, the user terminal 3 having a settlement function is operated to input an amount equivalent to the price, and when the user holds the IC card 4 over the terminal 3, the equivalent amount is IC It is deducted from the electronic value 4j of the card 4, and the remaining amount is newly written in the electronic value 4j.
The payment history of the electronic value at that time is stored in the detail lists 3j and 4i of the use terminal 3 and the IC card 4, respectively, and the detail list 3j is sent to the detail list management server 1b via the network 2 and stored in the database. Since it is stored, the electronic value management center 10 can also grasp the payment status of the user's electronic value.
Further, a receipt / transaction statement 318 is issued to the user by the printing unit 317 of FIG.

  When charging or settlement is performed as described above, the detail list management server 1b checks whether there is a mismatch by examining the increase / decrease in electronic value from the information in the detail list 3j of the use terminal 3. At that time, as a general fraud detection, for example, an IC card 4 whose balance of electronic value does not match the contents of the database of the detail list management server 1b is detected, but the terminal management server 1a further detects fraudulent use described below. Perform terminal detection processing.

In this case, the unauthorized use terminal is the use terminal 3 that has been stolen or lost, as described above, even if the terminal has been reported to the electronic value management center 10, and even if the terminal has not been stolen or lost. 3 includes the use terminal 3 in which inconsistency is generated between the information managed by the detail list management server 1b and the information in the detail list 3j of the use terminal 3 by performing some fraud.
When it is determined that a certain use terminal 3 is an unauthorized use terminal, the terminal management server 1a of the electronic value management server 1 additionally updates the terminal identification information of the terminal 3 in its own terminal negative list. Since the terminal identification information itself requires a small amount of data, the storage capacity of the terminal negative list in the terminal management server 1a may be small.
Then, the terminal negative list is distributed to all the use terminals 3 via the network 2 and the network communication unit 309, and the use terminal 3 that has received the list updates its own terminal negative list 3h by the operation of the control unit 301.

  The control unit 301 of each user terminal 3 determines whether or not the terminal negative list 3h includes its own terminal identification information 3f. When the terminal identification information 3f is not included, that is, the terminal 3 that has not been stolen and is being used normally, the terminal negative list of the terminal is used when communicating with the IC card 4 at the time of charging or settlement. 3h is read and distributed to the IC card 4 via the IC card R / W unit 313. In this way, a terminal negative list listing unauthorized terminals is transmitted to the IC card 4, and the IC card 4 stores it in its own memory 405. Then, when this IC card 4 is used in another use terminal 3, a terminal negative list is transmitted and stored in the use terminal 3 via the RF unit 406 and the IC card R / W unit 313, so that the entire system can be stored. The latest terminal negative list is always distributed and updated.

  As described above, by providing the terminal negative lists 3h and 4g with version information, when the user terminal 3 receives the terminal negative list 4g from the IC card 4 when using the IC card 4, the user terminal 3 receives the terminal negative list. 3h and 4g are compared, and as a result, if the terminal negative list 4g of the IC card 4 is newer, the terminal negative list 3h is updated, or conversely, if the terminal negative list 3h is newer, the IC card 4 terminal negative lists 4g can be updated.

On the other hand, for example, when the control unit 301 of the usage terminal 3 illegally used due to theft confirms that the terminal negative list 3h transmitted from the terminal management server 1a or the IC card 4 includes the terminal identification information 3f of its own. By the operation of the control unit 301, the unauthorized use detecting means 3b discards the secret information 3g designated in advance, deletes its own terminal identification information 3f from the terminal negative list 3h, and at the same time the own operation stop information (self The information indicating that the terminal is a user terminal whose charge or settlement function has been stopped) is saved in the operation stop terminal list 3i, and its own operation is stopped. Further, at the time of charging or settlement, the operation stop information is transmitted in addition to the operation stop terminal list 3i by communication with the IC card 4 via the IC card R / W unit 313. The use terminal 3 whose operation has been stopped can operate the IC card R / W unit 313 and the network communication unit 309 even after the operation is stopped, and transmits the operation stop terminal list 3i to the IC card 4 and the terminal management server 1a. Is held.
As a result, since the unauthorized use terminal 3 stops operation thereafter, unauthorized use such as subsequent charging and settlement by the use terminal 3 is avoided. At the same time, since the secret information 3g that is not disclosed is discarded, there is no fear that the authentication key or the like will be leaked, and there is no fear that data will be tampered with the use terminal 3.

In addition, the use terminal 3 that has been illegally used and stopped operation also transmits the operation stop terminal list 3 i to the terminal management server 1 a via the control unit 301 and the network communication unit 309.
The terminal management server 1a updates its own terminal negative list and operation stop terminal list based on the operation stop information. That is, the terminal identification information related to the unauthorized use terminal whose operation has been stopped is deleted from its own terminal negative list, and the terminal identification information related to the unauthorized use terminal whose operation has been stopped is added to the operation stop terminal list. Then, the terminal management server 1a transmits the latest terminal negative list and operation stop terminal list to the using terminal 3 via the network 2 and the network communication unit 309.

The control unit 301 of all the use terminals 3 receives the terminal negative list and the operation stop terminal list from the terminal management server 1a via the network communication unit 309, updates its own terminal negative list 3h and the operation stop terminal list 3i, These terminal negative list and operation stop terminal list are transmitted to the IC card 4 via the IC card R / W unit 313 at the time of charging or settlement.
The IC card 4 set in the use terminal 3 at the time of charging or settlement receives the terminal negative list and the operation stop terminal list from the use terminal 3 via the RF unit 406, and the CPU 402 executes the own terminal negative list 4 g and the operation in the memory 405. The stop terminal list 4h is updated.

When the IC card 4 in which the operation stop terminal list 4h is updated is used in another use terminal 3, the operation stop information in the operation stop terminal list 4h is stored in the IC card R / W unit 313 of the use terminal 3 and the control. Is transmitted to the terminal management server 1a via the unit 301, the network communication unit 309, and the network 2, the terminal management server 1a can sequentially update the terminal negative list and the operation stop terminal list based on the received operation stop information. it can.
Here, when exchanging the operation stop terminal list between the use terminal 3 and the IC card 4, the use terminal 3 compares its own operation stop terminal list 3i with the operation stop terminal list 4h of the IC card 4, A use terminal that has operation stop information in its own operation stop terminal list 3i and does not exist in the operation stop terminal list 4h of the IC card 4 is added to the operation stop terminal list 4h of the IC card 4, or conversely, the IC card 4 It is also possible to adopt a method of adding a use terminal that is present in the operation stop terminal list 4h and that does not exist in the self operation stop terminal list 3i to the self operation stop terminal list 3i.

Further, between the use terminal 3 and the IC card 4, an operation stop terminal deletion list is also exchanged when the IC card 4 is used. As described above, this list is a list of use terminals that are determined to be deleted from the operation stop terminal list by the terminal management server 1a.
The use terminal 3 of the terminal installation base 20 connected to the network 2 can always keep the operation stop terminal list 3i up to date by transmitting and receiving the operation stop terminal list to and from the terminal management server 1a. However, this is not possible with the use terminal 3 of the stand-alone terminal installation base 20 ′.
The operation stop terminal list 3i possessed by the stand-alone type use terminal 3 can be updated to the latest when the IC card 4 having the latest operation stop terminal list 4h is used in the use terminal 3. However, information regarding a terminal that has been determined to be deleted from the operation stop terminal list by the terminal management server 1a (a terminal that can be used again as a result of canceling the operation stop) is used as a stand-alone user terminal 3 Will not be transmitted to. Therefore, the use terminals determined to be deleted from the operation stop terminal list are managed as the operation stop terminal deletion lists 3k and 4k by the use terminal 3 and the IC card 4 connected to the network 2, and the IC card 4 Is used in the stand-alone type user terminal 3, the information of the user terminal whose operation stop has been canceled is transmitted to the user terminal 3 by transmission and reception between the two.

  The use terminal 3 updates its own operation stop terminal deletion list when the operation stop terminal deletion list 4k received from the IC card 4 is newer than the operation stop terminal deletion list 3k held by itself. When the operation stop terminal deletion list 3k to be updated is newer than the operation stop terminal deletion list 4k received from the IC card 4, the self operation stop terminal deletion list 3k is distributed to the IC card 4, and the updated self operation stop It is determined whether or not the terminal deletion list 3k has information related to the operation stop terminal in the operation stop terminal list 3i held by the terminal deletion list 3k. Is deleted.

Next, FIG. 4 is a flowchart showing a series of processes when the terminal 3 receives the terminal negative list and the operation stop terminal deletion list from the terminal management server 1a. Here, only processing related to unauthorized use prevention is shown, and portions related to settlement processing and charge processing are excluded.
As described above, the user terminal 3 always updates its own terminal negative list 3h and operation stop terminal deletion list 3k to the latest by the terminal negative list and operation stop terminal deletion list received from the terminal management server 1a in step S1 of FIG. (Steps S1, S2). Then, when there is information in the suspended terminal list 3i held by itself in the updated suspended terminal deletion list 3k (that is, when there is used terminal information listed in common in both lists 3k and 3i) Since the terminal to be used is to be deleted from the operation stop terminal list 3i, this deletion process is performed to update its own operation stop terminal list 3i (S3 YES, S4). When that is not right (S3 NO), it transfers to step S5.

  When the terminal identification information 3f of its own is included in the terminal negative list 3h (S5 YES), the confidential information 3g is discarded, the process of adding its own operation stop information to the operation stop terminal list 3i, and the operation stop process The operation stop terminal list 3i is transmitted to the terminal management server 1a of the value management server 1 (S6, S7). Thereby, in the terminal management server 1a, the process which deletes the utilization terminal listed by the received operation stop terminal list from a terminal negative list will be performed. If not included (S5 NO), the operation stop terminal list 3i is transmitted to the terminal management server 1a without performing the process of step S6 (S7).

Next, FIG. 5 is a flowchart showing processing of the use terminal 3 that communicates with the IC card 4 when the IC card 4 is used.
First, the user terminal 3 receives a terminal negative list, an operation stop terminal list, and an operation stop terminal deletion list from the IC card 4 (S11). Next, it is determined whether or not there is information on a use terminal that is not in the operation stop terminal list 3i held by itself in the received operation stop terminal list, and if there is, this information is added to the operation stop terminal list 3i. (S12 YES, S13). If not, the process proceeds to step S14 without performing the process of step S13 (NO in S12).
Next, the operation stop terminal deletion list 4k received from the IC card 4 is compared with the operation stop terminal deletion list 3k held by itself. The operation stop terminal deletion list 3k is distributed (S14 NO, S15). Otherwise, the own operation stop terminal deletion list 3k is updated with the operation stop terminal deletion list 4k of the IC card 4 (S14 YES, S16). ).

Furthermore, when there is information in the operation stop terminal list 3i held by itself in the operation stop terminal deletion list 4k received from the IC card 4 (that is, use terminal information listed in common in both lists 4k and 3i) In the case where there is a terminal, the use terminal is to be deleted from the operation stop terminal list 3i. Therefore, this deletion process is performed to update the own operation stop terminal list 3i (S17 YES, S18). Otherwise (NO at S17), the process proceeds to step S19.
Next, the terminal negative list 4g received from the IC card 4 is compared with the terminal negative list 3h held by itself, and if its own terminal negative list 3h is newer, its own terminal negative list 3h is distributed to the IC card 4 (S19). NO, S20), otherwise, its own terminal negative list 3h is updated by the terminal negative list 4g of the IC card 4 (S19 YES, S21).

  If the terminal identification information 3f is included in the terminal negative list 3h (YES in S22), the process of discarding the secret information 3g, adding the own operation stop information to the operation stop terminal list 3i, and the operation stop process are performed. Then, the operation stop terminal list 3i is transmitted to the IC card 4 (S23, S24). If not included (NO in S22), the operation stop terminal list 3i is transmitted to the IC card 4 without performing the process of step S23, and the process is terminated (S24).

As described above, according to the IC card system according to the present embodiment, when a use terminal becomes an unauthorized use terminal due to theft or loss, the terminal management server 1a is used as a terminal negative list or operation stop terminal list (operation stop information). Since it is distributed between the use terminal 3 and the IC card 4 and the confidential information is discarded, it is possible to prevent unauthorized use such as charging or settlement to the IC card using the unauthorized use terminal thereafter. is there.
In addition, by making it possible to exchange use terminal information whose operation suspension has been canceled among the terminal management server 1a, the utilization terminal 3 and the IC card 4 with the operation suspension terminal deletion list, Also, the latest terminal information can be provided appropriately.
Further, each of the terminal management server 1a, the use terminal 3 and the IC card 4 has a function of deleting the identification information of the use terminal whose operation has been stopped from the terminal negative list. The search time during use can be shortened, which can contribute to speeding up the settlement.
In the above embodiment, the case where electronic money is exclusively used by an IC card has been described. However, the present invention can also be applied to the case where an electronic ticket is used. For the issue of a ticket, the purchase of a product or the like by electronic money may be applied in correspondence with the entrance by electronic ticket.

1 is an overall configuration diagram of an IC card system according to an embodiment of the present invention. It is a figure which shows the hardware constitutions of the utilization terminal in FIG. It is a figure which shows the hardware constitutions of the IC card in FIG. It is a figure which shows the example of a format of terminal identification information. It is a figure which shows the example of a format of the confidential information of a utilization terminal. It is a figure which shows the example of a format of a terminal negative list. It is a figure which shows the example of a format of an operation stop terminal list. It is a figure which shows the example of a format of a detailed list. It is a figure which shows the example of a format of card identification information. It is a figure which shows the example of a format of the confidential information of an IC card. It is a figure which shows the example of a format of an operation stop terminal deletion list. It is a flowchart which shows the process of a utilization terminal at the time of receiving a terminal negative list and an operation stop terminal deletion list from an electronic value management server. It is a flowchart which shows the process of a utilization terminal at the time of communication with an IC card.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10: Electronic value management center 20, 20 ': Terminal installation base 1: Electronic value management server 1a: Terminal management server 1b: Detail list management server 2: Network 3: Use terminal 3a: Center communication means 3b, 4b: Unauthorized use detection Means 3c, 4c: Electronic value settlement means 3d, 4d: Charging means 3e, 4a: Card communication means 3f: Terminal identification information 3g, 4f: Secret information 3h, 4g: Terminal negative list 3i, 4h: Stopped terminal list 3j, 4i : Detail list 3k, 4k: Operation stop terminal deletion list 4: IC card 4e: Card identification information 4j: Electronic value 301: Control unit 302: Display operation unit 303: Deposit / withdrawal processing unit 304: Bill deposit / payout 305: Bill withdrawal / payment Mouth 306: Banknote discrimination unit 307: Banknote safe 308: Control unit 309: Network communication unit 310: Cryptographic processing unit 311: Authentication processing unit 312: Tamper resistant detection unit 313: IC card R / W unit 314: R / W control unit 315: RF unit 316: Data management unit 317: Printing unit 318: Receipt / transaction Description 319: Maintenance unit 320: Power supply unit 401: IC chip 402: CPU
403: Encryption processing unit 404: Tamper resistant detection unit 405: Memory 406: RF unit

Claims (15)

An electronic value management server that manages the distribution of electronic value, a user terminal that exchanges data with the management server, and exchanges electronic value with an IC card, and the IC card. In IC card system,
Electronic value management server
Means for storing a terminal negative list including identification information of a use terminal in which unauthorized use has been detected, and means for distributing the terminal negative list to the use terminal,
The terminal used is
Means for storing the terminal negative list received from the electronic value management server; and means for discarding confidential information held by the terminal negative list when the terminal negative list includes its own terminal identification information and stopping its own operation. An IC card system characterized by comprising. An electronic value management server that manages the distribution of electronic value, a user terminal that exchanges data with the management server, and exchanges electronic value with an IC card, and the IC card. In IC card system,
IC card
Means for storing a terminal negative list including identification information of a user terminal in which unauthorized use has been detected, and means for transmitting the terminal negative list to the user terminal,
The terminal used is
Means for storing the terminal negative list received from the IC card, and means for discarding confidential information held by the terminal negative list when the terminal negative list includes its own terminal identification information and stopping its own operation. An IC card system characterized by that. In the IC card system according to claim 2,
When the terminal negative list received from the IC card is stored by the user terminal, if the terminal negative list is newer than the terminal negative list held by the user terminal, the terminal negative list held by the user terminal is updated with the terminal negative list received from the IC card. An IC card system characterized by: In the IC card system according to claim 2,
The terminal is compared with the terminal negative list received from the IC card by the user terminal, and when the terminal negative list is newer than the terminal negative list received from the IC card, the terminal negative list is distributed to the IC card. IC card system. In the IC card system according to any one of claims 1 to 4,
The user terminal includes a means for storing an operation stop terminal list indicating operation stop of the user terminal including itself, and notifying the electronic value management server of its own operation stop information,
The electronic value management server comprises an IC card system comprising means for storing operation stop information of a use terminal as an operation stop terminal list. In the IC card system according to any one of claims 1 to 5,
The user terminal is provided with means for storing an operation stop terminal list indicating operation stop of the user terminal including itself, and transmitting the operation stop information of the user to the IC card.
An IC card system comprising means for storing operation stop information of a use terminal as an operation stop terminal list. In the IC card system according to claim 6,
The IC card system characterized in that the user terminal can transmit the operation stop terminal list to the IC card even after its own operation stop. In the IC card system according to claim 6 or 7,
The user terminal determines whether there is operation stop information that is not in the operation stop terminal list held by itself in the operation stop terminal list received from the IC card, and if so, the operation terminal holds the operation stop information. An IC card system comprising means for adding to an operation stop terminal list to be operated. In the IC card system according to claim 6, 7 or 8,
The user terminal determines whether there is operation stop information in the operation stop terminal list held by itself but not in the operation stop terminal list received from the IC card. If there is, the operation stop information is stored in the IC card. An IC card system comprising means for adding to an operation stop terminal list. In the IC card system according to claim 5,
The electronic value management server is provided with means for deleting information on a use terminal related to an operation stop terminal from a terminal negative list using operation stop information received from the use terminal. In the IC card system according to any one of claims 5 to 10,
The electronic value management server comprises an IC card system comprising means for distributing an operation stop terminal list to a use terminal. In the IC card system according to any one of claims 5 to 11,
The electronic value management server includes means for distributing an operation stop terminal deletion list obtained by deleting information related to a predetermined operation stop terminal from the operation stop terminal list collected from the use terminal to the use terminal,
The use terminal determines whether there is information related to the operation stop terminal in the operation stop terminal list held by itself in the received operation stop terminal deletion list and the received operation stop terminal deletion list, In some cases, there is provided means for deleting information related to the operation stop terminal from the operation stop terminal list held by itself, and means for distributing the self operation stop terminal deletion list to the IC card. IC card system. In the IC card system according to claim 12,
The IC card comprises means for storing the operation stop terminal deletion list distributed from the use terminal, and means for distributing the operation stop terminal deletion list held by itself to the use terminal,
When the received terminal deletion list is newer than the operation stop terminal deletion list held by the user terminal, a means for updating its own operation stop terminal deletion list, Means to distribute its own suspended terminal deletion list to the IC card when it is newer than the received suspended terminal deletion list, and to stop the suspended terminal list held by itself in the updated suspended terminal deletion list An IC card system comprising: means for determining whether or not there is information relating to a terminal, and in such a case, deleting information relating to the operation stop terminal from the operation stop terminal list held by itself . In the IC card system according to any one of claims 1 to 13,
An IC card system, wherein the electronic value management server detects an unauthorized use terminal based on information indicating that the use terminal has been stolen or lost. In the IC card system according to any one of claims 1 to 13,
The electronic value management server includes means for managing electronic value charging and settlement status as a detailed list by an IC card and a use terminal,
An IC card system, wherein an unauthorized use terminal is detected based on the detailed list.

Images