JP2010244250A - Server system, authentication processing program, and authentication method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent spoofing and illegal use of a system. <P>SOLUTION: When transition request information is received form terminal equipment, registration information corresponding to terminal equipment is acquired. When predetermined conditions are satisfied by the registration information, predetermined stage screen information is transmitted to terminal equipment. When the predetermined conditions are not satisfied, address input screen information is transmitted to the terminal equipment. When a portable address is received from the terminal equipment, electronic mail including the location information of password screen information is transmitted to a portable address destination. When password screen information request information is received from portable communication terminal equipment, identification information uniquely assigned to the portable communication terminal equipment is acquired. When the identification information is not registered, the password display screen information is transmitted to the portable communication terminal equipment. When the identification information is registered, the transition is inhibited. When the same password as the password to be displayed based on the password display screen information is received from the terminal equipment, the transition is permitted. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a technical field of a server system, an authentication processing program, and an authentication method for transmitting screen information to a terminal device via a network and performing authentication related to a system used by a user through a screen displayed based on the screen information. .

  2. Description of the Related Art Conventionally, a system in which various services are provided through a Web page provided from a server device by connecting to a network such as the Internet using a terminal device such as a personal computer. In such a system, by performing user authentication, it is determined whether a person who can receive the service is a user who can use the system, and also identifies who the user is. Yes. This user authentication is generally performed by causing a user to input an ID (identification information) and a password.

  In addition, in order to strengthen this user authentication, after authenticating a certain terminal by ID and password, a one-time password is notified to a terminal different from this terminal, and this one-time password is sent to the user. There has been proposed a method for performing authentication by inputting (for example, Patent Documents 1 and 2).

JP 2004-240806 A JP 2007-328381 A

  By the way, in the net auction performed on the Internet, the user can be an exhibitor or a bidder. Further, in such an online auction, one user can acquire a plurality of IDs. Then, it is also possible for one user to sell a product using a certain ID and to use the other ID to impersonate the seller and bid the product illegally. . As a result, the bid price of the product is unreasonably raised.

  However, the techniques described in Patent Documents 1 and 2 described above cannot deal with such impersonation of others.

  The present invention has been made in view of the above points, and an object thereof is to provide a server system, an authentication processing program, and an authentication method that can prevent a user from impersonating another person and using the system.

  In order to solve the above-described problem, the invention according to claim 1 is directed to a case where when a transition request information indicating a transition request transmitted from the terminal device is received by an operation of shifting to a predetermined stage, the terminal Registration information acquisition means for acquiring registration information corresponding to the device, and whether or not the acquired registration information satisfies a predetermined condition, and if the predetermined condition is satisfied, the process proceeds to the predetermined stage When the predetermined stage screen information constituting the screen displayed by the transmission is transmitted to the terminal device and the predetermined condition is not satisfied, the mobile address that is the electronic mail address of the mobile communication terminal device is input. When the mobile address is received from the terminal device, the transition request control means for transmitting the address input screen information constituting the screen to the terminal device, and addressed to the mobile address A mail transmitting means for transmitting an e-mail in which location information indicating the location of password screen information constituting a screen for displaying a password is described, and a request for the password screen information corresponding to the location information from the portable communication terminal device When the password screen information request information shown is received, identification information acquisition means for acquiring identification information uniquely assigned to the mobile communication terminal device, and identification information identical to the acquired identification information is registered. If it is not registered, the password display screen information is transmitted to the portable communication terminal device, and if registered, the transition to the predetermined stage is permitted. Password screen information request control means, identification information registration means for registering the acquired identification information, and the transmitted password display screen information. Password and the same password to be displayed when received from the terminal device, characterized in that it comprises, a permitting means for permitting the shift to the predetermined stage based on.

  According to this invention, in order to shift to a predetermined stage, the password is displayed by the mobile communication terminal device. At that time, identification information of the mobile communication terminal device is acquired. Since the identification information is information uniquely assigned to the mobile communication terminal device, the user can be uniquely recognized by this identification information. The state that the identification information has already been registered means that the user has attempted to move to a predetermined stage using the same mobile communication terminal device in the past. Therefore, it can be determined that the user who has attempted to move to the predetermined stage in the past is impersonating another person and is about to move to the predetermined stage this time. In this case, since the transition to the predetermined stage is rejected, it is possible to prevent the user from impersonating another person and using the system.

  According to a second aspect of the present invention, in the server system according to the first aspect, the registration information is information registered by the server system on condition that the predetermined stage is completed, and the registration information is the terminal. The predetermined condition is that registration is performed in association with a device.

  According to the present invention, since the predetermined condition is satisfied when the predetermined stage is completed, it is possible to omit the authentication using the mobile communication terminal device for the user once permitted to move to the predetermined stage. And can smoothly shift to a predetermined stage.

  According to a third aspect of the present invention, in the server system according to the first or second aspect, the password screen information request control means includes the password screen information after a predetermined time has elapsed since the e-mail was transmitted. When request information is received, transmission of the password screen information is prohibited.

  According to the present invention, even if there is a request for password screen information after a predetermined time has elapsed since the e-mail containing the location information is transmitted, the password is not displayed by the mobile communication terminal device. Unauthorized use of the system can be prevented.

  According to a fourth aspect of the present invention, in the server system according to any one of the first to third aspects, the permission unit receives a password after a predetermined time has elapsed since the password screen information was transmitted. In such a case, the shift to the predetermined stage is permitted.

  According to the present invention, even if a password is input after a predetermined time has elapsed since the password screen information was transmitted, the transition to a predetermined stage is rejected, thereby preventing unauthorized use of the system by a third party. be able to.

  According to the fifth aspect of the present invention, the transition request transmitted from the terminal device by an operation of causing the computer to shift to a predetermined stage when a screen corresponding to the predetermined stage is displayed on the terminal device is received. Registration information acquisition means for acquiring registration information corresponding to the terminal device when determining that the acquired registration information satisfies a predetermined condition when the migration request information is received. When satisfying the above condition, the predetermined stage screen information constituting the screen displayed by the transition to the predetermined stage is transmitted to the terminal device, and when the predetermined condition is not satisfied, the mobile communication terminal device Transition request control means for transmitting address input screen information constituting a screen for inputting a mobile address, which is an e-mail address, to the terminal device; When an address is received, a mail transmitting means for transmitting an e-mail in which location information indicating the location of password screen information constituting a screen for displaying a password is addressed to the mobile address, from the mobile communication terminal device Identification information acquisition means for acquiring identification information uniquely assigned to the mobile communication terminal device when password screen information request information indicating a request for the password screen information corresponding to the location information is received; It is determined whether or not the same identification information as the acquired identification information is registered. If the identification information is not registered, the password display screen information is transmitted to the mobile communication terminal device and registered. Includes password screen information request control means for permitting the transition to the predetermined stage, identification information for registering the acquired identification information Function as a recording unit, and a permission unit that permits a transition to the predetermined stage when the same password as the password displayed based on the transmitted password display screen information is received from the terminal device It is characterized by making it.

  According to a sixth aspect of the present invention, a transition request indicating a transition request transmitted from the terminal device by an operation of shifting to a predetermined step when a screen corresponding to the predetermined step is displayed on the terminal device. When information is received, a registration information acquisition step of acquiring registration information corresponding to the terminal device, and determining whether or not the acquired registration information satisfies a predetermined condition, and satisfying the predetermined condition In such a case, predetermined stage screen information constituting a screen displayed by transitioning to the predetermined stage is transmitted to the terminal device, and if the predetermined condition is not satisfied, the e-mail of the mobile communication terminal device A transition request control step of transmitting address input screen information constituting a screen for inputting a mobile address as an address to the terminal device, and the mobile address from the terminal device. A mail transmission step of transmitting an e-mail in which location information indicating the location of password screen information constituting a screen for displaying a password is sent to the mobile address when the mobile communication terminal device receives the information from the mobile communication terminal device; An identification information acquisition step of acquiring identification information uniquely assigned to the mobile communication terminal device when password screen information request information indicating a request for the password screen information corresponding to the location information is received; It is determined whether or not the same identification information as the acquired identification information is registered. If the identification information is not registered, the password display screen information is transmitted to the mobile communication terminal device and registered. Includes a password screen information request control process for permitting the transition to the predetermined stage, and an identification information registration process for registering the acquired identification information. And a permission step for permitting the transition to the predetermined stage when the same password as the password displayed based on the transmitted password display screen information is received from the terminal device. Features.

  According to the present invention, the password is displayed by the mobile communication terminal device in order to shift to the predetermined stage. At that time, identification information of the mobile communication terminal device is acquired. Since the identification information is information uniquely assigned to the mobile communication terminal device, the user can be uniquely recognized by this identification information. The state that the identification information has already been registered means that the user has attempted to move to a predetermined stage using the same mobile communication terminal device in the past. Therefore, it can be determined that the user who has attempted to move to the predetermined stage in the past is impersonating another person and is about to move to the predetermined stage this time. In this case, since the transition to the predetermined stage is rejected, it is possible to prevent the user from impersonating another person and using the system.

It is a figure showing an example of outline composition of auction system S concerning one embodiment. It is a block diagram which shows an example of schematic structure of EC server 1 which concerns on one Embodiment. It is a figure which shows an example of the content of the information registered into member information DB101. It is a figure which shows an example of the content of the information registered into auction DB102. It is a flowchart which shows the process example of EC server 1 and PC terminal 2-i which concern on one Embodiment. It is a flowchart which shows the process example of EC server 1 and PC terminal 2-i which concern on one Embodiment. It is a flowchart which shows the process example of EC server 1, PC terminal 2-i, and mobile telephone 3-i which concerns on one Embodiment. It is a flowchart which shows the process example of EC server 1, PC terminal 2-i, and mobile telephone 3-i which concerns on one Embodiment. It is a flowchart which shows the process example of EC server 1 and PC terminal 2-i which concern on one Embodiment. It is a figure which shows the example of a screen display of a mobile mail address input page.

  Hereinafter, the best embodiment of the present invention will be described in detail with reference to the drawings. The embodiment described below is an embodiment when the present invention is applied to an auction system.

[1. Overview of auction system configuration and functions]
First, the configuration and outline function of the auction system S according to the present embodiment will be described with reference to FIG.

  FIG. 1 is a diagram illustrating an example of a schematic configuration of an auction system S according to the present embodiment.

  As shown in FIG. 1, an auction system S includes an EC (Electronic Commerce) server 1 as an example of a server system including a member information DB (Data Base) 101 and an auction DB 102, and a plurality of PC terminals as an example of a terminal device. 2-i (i = 1, 2,... N) and a plurality of mobile phones 3-i as an example of a mobile communication terminal device.

  The EC server 1, the PC terminal 2-i, and the mobile phone 3-i can exchange data with each other using, for example, TCP / IP as a communication protocol via the network NW. The network NW is constructed by, for example, the Internet, a dedicated communication line (for example, a CATV (Community Antenna Television) line), a mobile communication network (including a base station), a gateway, and the like.

  In the auction system S having such a configuration, the EC server 1 is a server device installed to provide an auction service by, for example, a service provider that provides various services through the network NW. In addition to auctions, service providers provide services such as online shopping, accommodation facility reservation, and golf course reservation.

  The user of the PC terminal 2-i performs a member registration procedure in order to use these services. (Hereinafter, users who can use the service are also referred to as “members”). A member ID is given to a user who becomes a member. The user can use various services including an auction using the member ID. Member information regarding the registered member is registered in the member information DB 101. In addition, information related to exhibition in the auction service, information related to bids, information related to successful bids, and the like are registered in the auction DB 102.

  Then, in response to a request from the PC terminal 2-i, the EC server 1 performs processing for establishing an auction between the users of the PC terminal 2-i while accessing the auction DB 102 and the member information database 101. It has become.

  The PC terminal 2-i accesses the EC server 1, acquires a Web page, and displays it on the screen. Thereby, the user can exhibit goods and bid for goods through the Web page. The personal computer is applied to the PC terminal 2-i in this embodiment, but it may be a terminal device other than a mobile phone such as a PDA (Personal Digital Assistant) or STB (Set Top Box).

  The mobile phone 3-i is a mobile phone owned by the user of the PC terminal 2-i. For example, a certain user owns the PC terminal 2-1 and the mobile phone 3-1, and a certain user owns the PC terminal 2-2 and the mobile phone 3-2. As described above, in the auction system S, the user can bid using the PC terminal 2-i. However, since the user can obtain a plurality of member IDs, the user can use a certain member ID to exhibit, and use a member ID different from this to pretend to be someone else. It is possible to do. Therefore, in the auction system S, the impersonation of this other person is prevented by performing authentication using the mobile phone 3-i when shifting to the bidding step.

  A predetermined operating system, a web browser application, an e-mail application, and the like are installed in the PC terminal 2-i and the mobile phone 3-i, respectively.

[2. Configuration and function of EC server]
Next, the configuration and function of the EC server 1 will be described with reference to FIGS.

  FIG. 2 is a block diagram illustrating an example of a schematic configuration of the EC server 1 according to the present embodiment. FIG. 3 is a diagram illustrating an example of the content of information registered in the member information DB 101. FIG. 4 is a diagram showing an example of the contents of information registered in the auction DB 102.

  As shown in FIG. 2, the EC server 1 includes an operation unit 11, a display unit 12, a communication unit 13, a drive unit 14, a storage unit 15, an input / output interface unit 16, a system control unit 20, It has. The system control unit 20 and the input / output interface unit 16 are connected via a system bus 21.

  The EC server 1 may be a server system including a plurality of server devices such as a server that manages a database and a WWW server that provides various types of information.

  The operation unit 11 includes, for example, a keyboard, a mouse, and the like. The operation unit 11 receives an operation instruction from an operator or the like, and outputs the instruction content to the system control unit 20 as an instruction signal. The display unit 12 includes, for example, a CRT (Cathode Ray Tube) display, a liquid crystal display, and the like, and displays information such as characters and images. The communication unit 13 is connected to a network NW or the like and controls the communication state with other server devices, the PC terminal 2-i, the mobile phone 3-i, and the like. For example, the drive unit 14 reads data from a disk DK such as a flexible disk, a CD (Compact Disc), a DVD (Digital Versatile Disc), and the like, and records data on the disk DK. The storage unit 15 is configured by, for example, a hard disk drive or the like, and stores various programs, data, and the like. The input / output interface unit 16 performs interface processing between the operation unit 11 to the storage unit 15 and the system control unit 20. The system control unit 20 includes a CPU (Central Processing Unit) 17, a ROM (Read Only Memory) 18, a RAM (Random Access Memory) 19, and the like.

  In the storage unit 15, a member information DB 101 and an auction DB 102 are constructed.

  As shown in FIG. 3, member information relating to a member is registered in the member information DB 101 in association with a member ID for identifying the member. Specifically, the member information includes, for example, a member ID, a password for logging in, a member rank, a UID (user ID), a member name, a postal code, an address, a telephone number, an e-mail address, a date of birth, a gender, Membership points, credit card numbers and expiration dates are set.

  Here, there are four member ranks (an example of registration information): regular, silver, gold, and platinum. The lowest member rank is regular. The member rank increases in the order of silver and gold, and the highest member rank is platinum. This member rank is determined by the number of points acquired by the user, the number of acquisitions, etc., according to the monthly usage status of various services provided by the service provider. The user can receive more benefits as the member rank is higher.

  The UID is identification information of the mobile phone 3-i or identification information of a contractor of the mobile phone 3-i. This UID is uniquely assigned by the mobile carrier. For the member information, the UID of the mobile phone 3-i used by the user when the user is once permitted to move to the bidding step is registered. The UID is added to the request header when a request is made from the mobile phone 3-i to the EC server 1. The addition of the UID to the request header may be performed by, for example, the mobile phone 3-i itself, or may be performed when the gateway server of the mobile communication carrier relays a request from the mobile phone 3-i. . As the UID, for example, in addition to the subscriber ID given to the contractor, the phone number (subscriber number) of the mobile phone 3-i, the card number of the ID card attached to the mobile phone 3-i, the mobile phone The machine number of the telephone 3-i may be used.

  As shown in FIG. 4, information related to the auction is registered in the auction DB 102 in association with the member ID for each member. Specifically, a member ID, a member nickname, an exhibition history, a bid history (an example of registration information), a successful bid history, and the like are registered in the auction DB 102.

  Here, the bidding history is information relating to bidding by a member, and is registered in association with a member ID and an auction ID which is identification information of an auction for each bid item. Specifically, a member ID, an auction ID, a bid number given by bidding, a bid date and time, the number of bids, a bid price, etc. are set in the bid history.

  In addition, the storage unit 15 stores HTML data, image data, audio data, text data, and the like constituting the Web page.

  Furthermore, in addition to a predetermined operating system, the storage unit 15 stores the memory in response to a request transmitted from the PC terminal 2-i, the cellular phone 3-i, or the like using an HTTP (Hyper Text Transfer Protocol) protocol. A WWW (World Wide Web) server program for generating a Web page based on various data stored in the unit 15 and transmitting the Web page to the PC terminal 2-i, the mobile phone 3-i, etc., SMTP ( A simple mail transfer protocol (Simple Mail Transfer Protocol) protocol is used to receive e-mails sent from other mail servers, while sending mail created by the server itself to other mail servers. A database management program to be managed is stored.

  In addition, the storage unit 15 includes a member information management program for managing various information registered in the member information DB 101, an auction information management program for managing various information registered in the auction DB 102, and listing and bidding on an auction site. In addition, an auction processing program and the like for performing processing related to successful bids, communication between exhibitors and successful bidders, and the like are stored.

  Various programs may be acquired from, for example, another server device via the network NW, or may be recorded on a disk DK such as a CD-ROM and read via the drive unit 14. Anyway.

  The system control unit 20 constitutes an example of registration information acquisition means, migration request control means, mail transmission means, identification information acquisition means, password screen information request control means, identification information registration means, and permission means.

  The control unit 20 controls each unit of the shopping server 1-1 by the CPU 17 reading and executing various programs stored in the ROM 18 and the storage unit 15, and functions as the above-described units and the like. ing.

  For example, the system control unit 20 receives a bid request transmitted from the PC terminal 2-i when the user performs a bid operation. And the system control part 20 as a registration information acquisition means acquires the member rank and bid history corresponding to PC terminal 2-i which transmitted the bid request. The system control unit 20 identifies which member the user is based on prior user authentication using the member ID and password, and associates the PC terminal 2-i with the member ID by this user authentication. Therefore, the system control unit 20 can associate the PC terminal 2-i with the member rank and the bid history based on the member ID.

  The system control unit 20 as the migration request control unit determines whether or not a predetermined condition is satisfied. Specifically, the system control unit 20 determines whether or not a bid history corresponding to the PC terminal 2-i is registered. In addition, the system control unit 20 determines whether the member rank corresponding to the PC terminal 2-i is platinum, gold, or silver. Then, when the bid history is registered or when the member rank is platinum, gold or silver, the system control unit 20 permits the user to proceed to the bidding step, and the bidding page (predetermined stage) An example of screen information) is transmitted to the PC terminal 2-i. On the other hand, if the bid history is not registered and the member rank is regular, the system control unit 20 displays a mobile mail address input page (an example of address input screen information) for further authentication. Transmit to PC terminal 2-i.

  The fact that the bid history is registered means that the user who is going to bid is a user who has already been permitted to bid. Therefore, once a bid is permitted, the user is permitted to bid without further authentication. In addition, a user whose member rank is platinum, gold, or silver is regarded as a reliable user who has a certain degree of use of the service provided by the service provider. Therefore, bidding is permitted for such users without further authentication. On the other hand, a user whose membership rank is regular is not regarded as a reliable user. Therefore, when such a user tries to bid for the first time, further authentication is performed. In addition, as a rank which permits the transfer to a bid step, for example, gold or higher may be used, or only platinum may be used.

  When the electronic mail address of the mobile phone 3-i (hereinafter referred to as “mobile mail address”) input by the user on the mobile mail address input page is transmitted from the PC terminal 2-i, the system control unit 20 Receive this. Then, the system control unit 20 generates a personal identification number as a one-time password, and stores it in the RAM 19 or the like in association with the member ID associated with the PC terminal 2-i. Further, the system control unit 20 as a mail transmission means transmits an e-mail (hereinafter referred to as “authentication mail”) in which an authentication URL (an example of location information) is described to the received mobile mail address. This authentication URL is a URL (Uniform Resource Locator) of a personal identification number display page (an example of password screen information) that displays the generated personal identification number. In this authentication URL, for example, the member ID associated with the PC terminal 2-i is encrypted and set. Further, the system control unit 20 transmits a personal identification number input page for inputting a personal identification number to the PC terminal 2-i.

  When the system control unit 20 as the identification information acquisition unit receives the password display page including the authentication URL from the mobile phone 3-i, the system control unit 20 acquires the UID from the header of the request.

  The system control unit 20 as the password screen information request control means determines whether or not the acquired UID has already been registered in any member information of the member information of all members. Then, when the acquired UID is already registered, the system control unit 20 transmits an error display page to the mobile phone 3-i. On the other hand, when the acquired UID is not registered, the system control unit 20 transmits a personal identification number display page to the mobile phone 3-i. At this time, the system control unit 20 restores the member ID from the authentication URL, and acquires the personal identification number corresponding to the member ID. And the system control part 20 produces | generates the PIN code display page which displays the acquired PIN code. Further, the system control unit 20 as the identification information registration unit registers the acquired UID in the member information corresponding to the restored member ID.

  The fact that the UID has already been registered means that the user has tried to bid with a different member ID in the past using the same mobile phone 3-i as the current authentication. In other words, the user is trying to bid this time using a member ID that is different from the member ID that attempted to bid in the past. In other words, the user is impersonating another person. Therefore, in this case, the transition to the bidding step is permitted and the personal identification number is not displayed on the mobile phone 3-i.

  The system control unit 20 receives the password entered by the user on the password entry page from the PC terminal 2-i. Then, the system control unit 20 as the permission means permits the user to proceed to the bidding step when the received personal identification number matches the personal identification number generated and stored, and displays the bidding page on the PC terminal. Send to 2-i.

[3. Operation of the auction system]
Next, the operation of the auction system S will be described with reference to FIGS.

  5 to 9 are flowcharts showing processing examples of the EC server 1, the PC terminal 2-i, and the mobile phone 3-i according to the present embodiment. FIG. 10 is a diagram showing a screen display example of the mobile mail address input page.

  As shown in FIG. 5, the PC terminal 2-i transmits a page request to the EC server 1 by a user operation in order to display an auction page (step S101). When receiving the page request (step S111), the system control unit 20 of the EC server 1 transmits a login page to the PC terminal 2-i (step S112). The PC terminal 2-i receives the login page and displays it on the screen (step S102).

  If the user is registered as a member, the user enters the member ID and password. If the user is not registered as a member, personal information (password, name, postal code, telephone number) Number, e-mail address, etc.) are input (step S103). Then, the PC terminal 2-i transmits the input member ID and password or personal information to the EC server 1 (step S104).

  When receiving the member ID and password or personal information (step S113), the system control unit 20 of the EC server 1 determines whether or not the received information is the member ID and password (step S114). At this time, if the received information is personal information (step S114: NO), the system control unit 20 issues a new member ID and associates the received personal information with the new member ID as member information. Register in the information DB 101 (step S115).

  On the other hand, when the received information is a member ID and a password, the system control unit 20 performs user authentication with the member ID and password, and determines whether the authentication is successful (step S116). At this time, if the user authentication is not successful (step S116: NO), the system control unit 20 transmits an error display page to the PC terminal 2-i (step S117), and ends the process.

  When the member information is registered (step S115) or when the user authentication is successful (step S116: YES), the system control unit 20 sends the issued or received member ID to the PC terminal 2-i by session management. The page after association and login is transmitted to the PC terminal 2-i for transmission (step S118). The PC terminal 2-i receives the page after login and displays it on the screen (step S105). The post-login page is, for example, the top page of an auction site.

  Thereafter, in response to a search operation or selection operation of a product by the user, the system control unit 20 of the EC server 1 transmits an auction product detail page of the selected product to the PC terminal 2-i as shown in FIG. Transmit (step S211). The PC terminal 2-i receives the auction product detail page and displays it on the screen (step S201). On the auction product detail page, the product name, detailed description, image and the like of the product selected by the user are displayed. In addition, a bid button for shifting to a bid for a product is displayed on the auction product detail page.

  When the user selects a bid button while the auction product detail page is displayed (step S202), the PC terminal 2-i transmits a bid request to the EC server 1 (step S203). When receiving a bid request (step S212), the system control unit 20 of the EC server 1 tries to obtain a bid history corresponding to the member ID associated with the PC terminal 2-i from the auction DB 102, and the bid history is It is determined whether it is registered (step S213). At this time, if a bid history is registered (step S213: YES), the system control unit 20 transmits a bid page to the PC terminal 2-i (step S214), which will be described later with reference to FIG. The process proceeds to step S514.

  On the other hand, when the bid history is not registered (step S213: NO), the system control unit 20 acquires the member rank from the member information corresponding to the member ID associated with the PC terminal 2-i, It is determined whether or not the member rank is platinum, gold or silver (step S215). At this time, if the member rank is platinum, gold, or silver (step S215: YES), the system control unit 20 transmits a bid page to the PC terminal 2-i (step S214).

  On the other hand, when the member ID is regular (step S215: NO), the system control unit 20 transmits a mobile mail address input page to the PC terminal 2-i (step S216). The PC terminal 2-i receives the mobile mail address input page and displays it on the screen (step 204).

  As shown in FIG. 10, an explanatory note 201, a user name input field 202, a domain selection menu 203, a next button 204, and the like are displayed on the mobile mail address input page. In the explanatory note 201, there is written an explanation such as the necessity of confirming the mobile phone 3-i owned by the user when bidding for the first time in an auction. The user name input field 202 is an input field for inputting the user name part of the mobile mail address. The domain selection menu 203 is a pull-down menu for selecting the domain name portion of the mobile mail address. Since the domain selection menu 203 exists, only the e-mail address assigned to the mobile phone 3-i can be input to the user.

  Here, when the user inputs the user name portion and selects the domain name portion to input the mobile mail address and selects the next button 204 (step S205), the PC terminal 2-i receives the input mobile phone. The mail address is transmitted to the EC server 1 (step S206).

  When the system control unit 20 of the EC server 1 receives the mobile mail address (step S217), as shown in FIG. 7, the system control unit 20 generates a personal identification number and assigns it to the member ID associated with the PC terminal 2-i. Corresponding data are stored in the RAM 19 (step S311). Next, the system control unit 20 generates an authentication URL (step S312). At this time, the system control unit 20 encrypts the member ID associated with the PC terminal 2-i, and includes the encrypted member ID in the authentication URL as a part of the character string of the authentication URL. Next, the system control unit 20 generates an authentication mail in which the generated authentication URL is embedded in the text, and transmits this authentication mail to the received mobile mail address (step S313). Next, the system control unit 20 transmits a password input page to the PC terminal 2-i (step S314).

  The PC terminal 2-i receives the password input page and displays it on the screen (step S301). On the other hand, the mobile phone 3-i receives an authentication mail from a predetermined server device based on a user operation (step S321). When the user selects the authentication URL described in the body of the authentication mail (step S322), the cellular phone 3-i sends a PIN number display page request including the selected authentication URL in the request header to the EC server 1. (Step S323).

  When receiving the password number display page request, the system control unit 20 of the EC server 1 restores the member ID from the authentication URL included therein, thereby specifying the transmission time of the authentication mail (step S316). Next, the system control unit 20 determines whether or not a personal identification number display page request has been received within a predetermined time from the transmission of the authentication mail (step S317). At this time, if the system control unit 20 receives a password number display page request after a predetermined time from the transmission of the authentication mail (step S317: NO), the system control unit 20 transmits an error display page to the mobile phone 3-i ( Step S318), the process is terminated. When a password display page is requested after a certain period of time, a third party may steal the authentication URL and use it. Therefore, in order to prevent unauthorized bidding by a third party, reception of the code number display page request is limited within a certain period of time.

  On the other hand, if the system control unit 20 receives a password number display page request within a certain time from the transmission of the authentication mail (step S317: YES), the request header of the password number display page request is shown in FIG. The UID of the mobile phone 3-i is acquired from (step S411). Next, the system control unit 20 determines whether or not the acquired UID is already registered in any member information of the member information of all members (step S412). At this time, if the acquired UID is already registered (step S412: YES), the system control unit 20 transmits an error display page to the mobile phone 3-i (step S413), and ends the process.

  On the other hand, if the acquired UID is not registered (step S412: NO), the system control unit 20 registers this UID in the member information corresponding to the restored member ID (step S414). Next, the system control unit 20 obtains a personal identification number corresponding to the restored member ID from the RAM 19, generates a personal identification number display page for displaying the personal identification number, and transmits it to the mobile phone 3-i (step S415). ). Note that the code number may be generated at this point. The cellular phone 3-i receives the password display page and displays it on the screen (step 421). Since the personal identification number input page is displayed on the screen of the PC terminal 2-i, when the user inputs the personal identification number displayed on the screen of the mobile phone 3-i into the personal identification number input page (step S401). The PC terminal 2-i transmits the input personal identification number to the EC server 1 (step S402).

  The system control unit 20 of the EC server 1 that has received the personal identification number determines whether or not the personal identification number has been received within a predetermined time from the transmission of the personal identification number display page (step S417). At this time, the system control unit 20 transmits an error display page to the PC terminal 2-i (step S417: NO) when the password is received over a predetermined time from the transmission of the password display page (step S417: NO). S418), the process is terminated. If the password is input after a certain period of time, a third party may steal the password and use it. Therefore, in order to prevent unauthorized bidding by a third party, the reception of the personal identification number is limited within a certain time.

  On the other hand, when the security code is received within a certain time from the transmission of the security code display page (step S417: YES), the system controller 20 receives the correct security code as shown in FIG. It is determined whether or not there is (step S511). That is, the system control unit 20 specifies the personal identification number stored in the RAM 19 based on the member ID associated with the PC terminal 2-i, and whether the received personal identification number matches the personal identification number stored. Determine whether or not. At this time, if the password is not correct (step S511: NO), the system control unit 20 transmits an error display page to the PC terminal 2-i (step S512), and ends the process.

  On the other hand, when the personal identification number is correct (step S512: YES), the system control unit 20 transmits a bid page to the PC terminal 2-i (step S513). The PC terminal 2-i receives the bid page and displays it on the screen (step S501). On the bid page, the current maximum bid amount, an input field for inputting the bid amount, a bid button, and the like are displayed.

  When the user inputs a bid amount and selects a bid button (step S502), the PC terminal 2-i transmits the input bid amount to the EC server 1 (step S503). When the system control unit 20 of the EC server 1 receives the bid price (step S514), the bid price, the member ID associated with the PC terminal 2-i, information such as the auction ID of the product selected by the user Based on the above, a bid history is generated, and this bid history is registered in the auction DB 102 (step S515). This completes the bidding step. The UID registration may be performed at this time.

  As described above, according to the present embodiment, when the system control unit 20 of the EC server 1 receives a bid request transmitted from the PC terminal 2-i due to selection of a bid button by the user. The member rank and the bid history associated with the PC terminal 2-i are acquired, and when the member rank or the bid history satisfies a predetermined condition, a bid page is transmitted to the PC terminal 2-i, When the predetermined condition is not satisfied, the mobile mail address input page is transmitted to the PC terminal 2-i, and when the mobile mail address is received from the PC terminal 2-i, the authentication is sent to the mobile mail address. When an authentication mail containing a URL is transmitted and a personal identification number display page request including an authentication URL is received from the mobile phone 3-i, the mobile phone 3-i When the assigned UID is acquired and the UID is not registered, the personal identification number display page is transmitted to the mobile phone 3-i. When the UID is registered, the error display page is displayed on the mobile phone. 3-i is transmitted, the acquired UID is registered, and when the same password as the generated password is received from the PC terminal 2-i, a bid page is transmitted to the PC terminal 2-i.

  Accordingly, since the user can be uniquely identified by the UID of the mobile phone 3-i, the user who has attempted to move to the bidding step in the past is impersonating another person and is about to move to the bidding step this time. Can be judged. Therefore, it is possible to prevent the user from bidding while impersonating the seller.

  Further, since the system control unit 20 of the EC server 1 permits a user who has already registered a bid history to proceed to the bidding step, authentication using the mobile phone 3-i is omitted. And can move smoothly to the bidding step.

  Further, even if the system control unit 20 of the EC server 1 receives the password number display page request after a predetermined time has passed since the authentication mail is transmitted, the password number display page request is not transmitted. Unauthorized bidding can be prevented.

  Further, even if a password is input after a certain period of time has passed since the system control unit 20 of the EC server 1 transmits the password display page, the bid page is not transmitted, thus preventing unauthorized bidding by a third party. can do.

  In the above embodiment, the present invention is applied when shifting to a bidding step in an online auction. However, the application of the present invention is not limited to this case. The present invention can be applied to various cases in which a user can impersonate another person and use the system.

1 EC server 2-i PC terminal 3-i mobile phone 11 operation unit 12 display unit 13 communication unit 14 drive unit 15 storage unit 16 input / output interface unit 17 CPU
18 ROM
19 RAM
20 System control unit 21 System bus 101 Member information DB
102 Auction DB
NW Network S Auction System

Claims (6)

Registration information acquisition means for acquiring registration information corresponding to the terminal device when the transfer request information indicating the transfer request transmitted from the terminal device is received by the operation of shifting to a predetermined stage;
It is determined whether or not the acquired registration information satisfies a predetermined condition. If the predetermined condition is satisfied, predetermined stage screen information constituting a screen displayed by shifting to the predetermined stage is displayed. When the predetermined condition is not satisfied, the address input screen information constituting the screen for inputting the mobile address, which is the e-mail address of the mobile communication terminal device, is transmitted to the terminal device. A transition request control means;
A mail transmitting means for transmitting, when the mobile address is received from the terminal device, an e-mail in which location information indicating a location of password screen information constituting a screen for displaying a password is written to the mobile address; ,
When password screen information request information indicating a request for the password screen information corresponding to the location information is received from the mobile communication terminal device, identification information uniquely assigned to the mobile communication terminal device is acquired. Identification information acquisition means;
When it is determined whether or not the same identification information as the acquired identification information is registered, and if it is not registered, the password display screen information is transmitted to the mobile communication terminal device and is registered Includes password screen information request control means for allowing or disallowing transition to the predetermined stage;
Identification information registration means for registering the acquired identification information;
Permission means for permitting the transition to the predetermined stage when the same password as the password displayed based on the transmitted password display screen information is received from the terminal device;
A server system comprising: The server system according to claim 1,
The registration information is information registered by the server system on condition that the predetermined stage is completed,
The server system characterized in that the predetermined condition is that the registration information is registered in association with the terminal device. In the server system according to claim 1 or 2,
The password screen information request control means prohibits transmission of the password screen information when the password screen information request information is received after a predetermined time has elapsed since the e-mail was transmitted. Server system. The server system according to any one of claims 1 to 3,
The server system according to claim 1, wherein when the password is received after a predetermined time has elapsed since the password screen information was transmitted, the permission unit permits or rejects the transition to the predetermined stage. Computer
In a state where a screen corresponding to a predetermined stage is being displayed by the terminal device, when transition request information indicating a transition request transmitted from the terminal device is received by an operation of shifting to a predetermined stage, Registration information acquisition means for acquiring registration information corresponding to the terminal device;
It is determined whether or not the acquired registration information satisfies a predetermined condition. If the predetermined condition is satisfied, predetermined stage screen information constituting a screen displayed by shifting to the predetermined stage is displayed. When the predetermined condition is not satisfied, the address input screen information constituting the screen for inputting the mobile address, which is the e-mail address of the mobile communication terminal device, is transmitted to the terminal device. Transition request control means,
When the mobile address is received from the terminal device, a mail transmission means for transmitting an e-mail in which location information indicating the location of password screen information constituting a screen for displaying a password is described to the mobile address;
When password screen information request information indicating a request for the password screen information corresponding to the location information is received from the mobile communication terminal device, identification information uniquely assigned to the mobile communication terminal device is acquired. Identification information acquisition means,
When it is determined whether or not the same identification information as the acquired identification information is registered, and if it is not registered, the password display screen information is transmitted to the mobile communication terminal device and is registered Includes password screen information request control means for allowing or disallowing the transition to the predetermined stage,
Identification information registration means for registering the acquired identification information; and
Permission means for permitting the transition to the predetermined stage when the same password as the password displayed based on the transmitted password display screen information is received from the terminal device;
An authentication processing program characterized by functioning as In a state where a screen corresponding to a predetermined stage is being displayed by the terminal device, when transition request information indicating a transition request transmitted from the terminal device is received by an operation of shifting to a predetermined stage, A registration information acquisition step of acquiring registration information corresponding to the terminal device;
It is determined whether or not the acquired registration information satisfies a predetermined condition. If the predetermined condition is satisfied, predetermined stage screen information constituting a screen displayed by shifting to the predetermined stage is displayed. When the predetermined condition is not satisfied, the address input screen information constituting the screen for inputting the mobile address, which is the e-mail address of the mobile communication terminal device, is transmitted to the terminal device. A transition request control process;
A mail transmission step of transmitting an e-mail in which location information indicating a location of password screen information constituting a screen for displaying a password is described to the mobile address when the mobile address is received from the terminal device; ,
When password screen information request information indicating a request for the password screen information corresponding to the location information is received from the mobile communication terminal device, identification information uniquely assigned to the mobile communication terminal device is acquired. An identification information acquisition step;
When it is determined whether or not the same identification information as the acquired identification information is registered, and if it is not registered, the password display screen information is transmitted to the mobile communication terminal device and is registered Includes a password screen information request control step for permitting the transition to the predetermined stage, and
An identification information registration step of registering the acquired identification information;
A permission step of permitting the transition to the predetermined stage when the same password as the password displayed based on the transmitted password display screen information is received from the terminal device;
An authentication method characterized by comprising:

Images