KR101195027B1 - System and method for service security - Google Patents

Abstract

A service security system and method thereof are disclosed. The service security system includes a terminal location determining module for determining a location of a service terminal requesting a specific service when a service terminal logged into a web service requests a specific service, and a position of a political user of an account logged in by the service terminal. A user location determining module for determining a value, and a first location determined by the terminal location determining module and a second location determined by the user location determining module, and controlling whether to use the specific service requested based on a comparison result It includes a control module for.

Description

System and method for service security

The present invention relates to a service security system and a method thereof. More specifically, when a user wants to use an important function or service in a web service, the present invention determines whether the user requesting the use is a legitimate user. It relates to a system and a method for making it available.

With the development of the Internet, many people have been provided with various services by accessing a web site or a predetermined application for a specific web service. At this time, the web site or web service performs a procedure called log-in to identify the user. In order to log in, a user must input identification information (eg, ID, password, or public certificate) that corresponds to an account assigned to each user. In addition, when a user wants to use an important function or service even after logging in, there may be a case where a user needs to pass through a certain security protocol (eg, an accredited certificate or one time password (OTP)). Of course, the same authentication procedure (eg, accredited certificate) can be used not only during the login procedure, but also when providing some security protocol after login.

However, the conventional security protocol is inconvenient to have a separate physical security device, such as a public certificate or OTP generator in order to use the security protocol. Therefore, a technical idea that can provide a separate security protocol by using a mobile terminal that is always (or likely to be) the user may be required.

In addition, a method using ID / PWD among conventional security protocols has a problem in that when the ID / PWD is accidentally leaked or leaked by a malicious attack, it can no longer function as a security protocol. A security protocol using an accredited certificate or OTP can also cause serious problems if the storage medium or OTP generator that stores the accredited certificate is lost, or if it is stolen by a legitimate user's acquaintance or coworker.

Therefore, the security protocol according to the technical idea of the present invention may be additionally used while using the conventional security protocol, or may be used instead of any of the conventional security protocols, and when the legitimate user possesses the mobile terminal, It can provide a technical idea that can solve the problem of the security protocol. In addition, the security protocol according to the technical concept of the present invention may be used as an authentication protocol for login as well as when using a specific service after login.

Accordingly, the technical problem to be achieved by the present invention is to provide a security protocol that can authenticate a user on a location basis in order not to allow unauthorized users to use the service.

In addition, in the case of providing a security protocol based on location, it is to provide a system and method for preventing a problem that may occur due to an error in location recognition, that is, illegal use that may occur by a person located near a party user. .

In addition, when a party user does not carry a mobile terminal, it provides a system and method that can solve the problem of not using a service despite being a party user.

The service security system according to an embodiment of the present invention for solving the technical problem is a terminal location determination module for determining the location of the service terminal requesting the specific service, when the service terminal logged in the web service requests a specific service, A user location determining module for determining a location of a political user of an account to which the service terminal is logged in, and a first location determined by the terminal location determining module and a second location determined by the user location determining module, and comparing And a control module for controlling whether to use the specific service requested based on the request.

The control module satisfies a predetermined condition as a result of the comparison, and the authentication information generated by the control module and transmitted to the service terminal or the mobile terminal is received from the mobile terminal of the party user, or identification information from the mobile terminal. When is received or the confirmation is performed from the mobile terminal, the use of the specific service can be allowed.

The control module satisfies a predetermined condition as a result of the comparison, and when the authentication information generated by the control module and transmitted to the mobile terminal is received from the service terminal or identity information is received from the service terminal, the specific service. Can be used.

The identity verification information includes at least one of predetermined identification information, public certificate information, or OTP (One Time Password) information to confirm that the user of the political party, wherein the verification is a predetermined key provided in the mobile terminal, It may include at least one action of selecting a button or a UI.

The predetermined condition may include at least one of a case where a distance difference between the first position and the second position is within a predetermined range or when there is an area where the first position and the second position overlap.

When the control module does not satisfy the predetermined condition as a result of the comparison, the control module may transmit notification information indicating that there is a request for using the specific service to the mobile terminal of the party user.

When the control module does not satisfy the predetermined condition as a result of the comparison, the identification information is received from the service terminal, the verification operation is performed from the mobile terminal, or the authentication information transmitted to the mobile terminal is received from the service terminal. Or when the authentication information transmitted to the service terminal is received from the mobile terminal, the use of the specific service may be allowed.

The terminal location determining module determines the location of the service terminal based on the IP address of the service terminal, or receives information corresponding to the location of the service terminal from at least one of a telecommunication company system or a location based service (LBS) system. The location of the service terminal may be determined based on the received information.

The user location determination module may receive information on the location of the mobile terminal of the party user from a communication company system or an LBS system.

The service security system for solving the technical problem is a terminal location determination module for determining the location of the service terminal to request a login to the web service, a user for determining the location of the party user of the account requested to log in from the service terminal And a position determination module, and a control module, wherein the control module satisfies a predetermined condition by comparing the first position determined by the terminal position determination module and the second position determined by the user position determination module, and by the control module. When the authentication information generated and transmitted to the service terminal or the mobile terminal is received from the mobile terminal of the political party user, identity information is received from the mobile terminal, or a verification operation is performed from the mobile terminal, or the control Module determines the terminal location Comparing the first position determined by the module with the second position determined by the user position determining module, satisfying a predetermined condition, and authentication information generated by the control module and transmitted to the mobile terminal is received from the service terminal, or When the identification information is received from the service terminal, it is determined that the login request of the service terminal is a political login request.

If the control module determines that the login request of the service terminal is not a legitimate login request, the control module does not allow login of the service terminal, restricts at least one of the types of services available to the service terminal, or logs in the service. You can log out of the terminal.

If the control module determines that the login request is not a legitimate login request, the identification information is received from the service terminal, a verification operation is performed from the mobile terminal, or the authentication information transmitted to the mobile terminal is received from the service terminal. When the authentication information transmitted to the service terminal is received from the mobile terminal, the login request may be determined as a political login request.

If the control module determines that the login request is not a valid login request, the control module may transmit information on the login request to the mobile terminal.

The service security method for solving the technical problem is that when a service terminal logged in a web service requests a specific service, the service security system is a party user of the location of the service terminal that requested the specific service and the account in which the service terminal logs in. Determining the location of the service terminal; and determining whether to allow the use of the specific service requested by the service security system based on the determined location of the service terminal and the location of the party user.

The service security method includes determining whether the location of the service terminal determined by the service security system and the location of the party user satisfy a predetermined condition, and performing a predetermined additional authentication process when the predetermined condition is satisfied. It further includes, and determines whether to use the specific service according to the result of the additional authentication process.

The performing of the additional authentication process includes receiving authentication information generated by the service security system and transmitted to the service terminal or the mobile terminal from the mobile terminal of the party user, and receiving identification information from the mobile terminal. And confirming that the verification is performed from the mobile terminal, receiving authentication information generated by the service security system and transmitted to the mobile terminal from the service terminal, or authenticating information from the service terminal. It may include at least one of the steps received.

The service security method for solving the technical problem is the location of the service terminal that the service security system has made the login request and the location of the party user of the account logged in the service terminal when the service terminal requests a login to the web service Determining whether the determined location of the service terminal and the location of the party user satisfy a predetermined condition, and when the determination result satisfies the predetermined condition, which of the mobile terminal or the service terminal of the party user is determined. And transmitting the authentication information as one, and determining the login request of the service terminal as a political login request when receiving the authentication information through a terminal corresponding to the terminal which transmitted the authentication information.

The service security method for solving the technical problem is the location of the service terminal that the service security system has made the login request and the location of the party user of the account logged in the service terminal when the service terminal requests a login to the web service Determining whether the determined location of the service terminal and the location of the party user satisfy a predetermined condition, and as a result of the determination, satisfying the predetermined condition and using either the mobile terminal of the party user or the service terminal. Transmitting authentication information, requesting identification information, or requesting verification, and the transmitted authentication information is received from a terminal corresponding to the terminal to which the authentication information is transmitted, or identification information from the service terminal or the mobile terminal. Is received or above If the above Moines, carried out through the mobile terminal, it is determined that the party login request a login request of the service terminal.

The service security method may be stored in a computer-readable recording medium recording a program.

The service security system and method according to the present invention can determine whether a user who wants to use the service is a legitimate user, based on the location of the legitimate user and the location of the current login request, and thus is unfair to a specific website or web service. Even if a user logs in in an illegal manner, there is an effect that the damage caused by login can be reduced even if the login information is leaked by restricting the use of a predetermined important service or function.

In addition, even if the authentication conditions are satisfied by location comparison, the mobile terminal of the party user is subjected to the authentication process once more, so that illegal use may occur due to an error that may occur when determining the location-that is, the error of the party user. There is an effect that can prevent fraudulent user use of illegal service within range.

In addition, even a legitimate user can recover the authentication failure based on location by using predetermined identification information that can prove that the user is a legitimate user to avoid the problem of not being able to use normal services due to leaving the mobile terminal elsewhere. This has the effect of ensuring the legitimate use of legitimate users.

In addition, when the service security system and the method according to the present invention are used for authenticating login, there may be a case where it is necessary to allow the login of another person even if the user is not a legitimate user. By doing so, legitimate users can operate a website or service autonomously according to their will and need.

BRIEF DESCRIPTION OF THE DRAWINGS In order to better understand the drawings cited in the detailed description of the invention, a brief description of each drawing is provided.
1 is a schematic diagram illustrating a function of a service security system according to an exemplary embodiment of the present invention.
2 shows a schematic configuration of a service security system according to another embodiment of the present invention.
3 is a view for explaining a method of determining whether a service security system is a service request from a party user by performing a location comparison according to an embodiment of the present invention.
4 illustrates an example of a screen displayed on a service terminal or a mobile terminal by a service security method according to an exemplary embodiment of the present invention.
5 shows an example of a screen displayed on the service terminal by the service security method according to an embodiment of the present invention.
6 illustrates an example of a screen displayed on a mobile terminal of a party user by a service security method according to an exemplary embodiment of the present invention.

In order to fully understand the present invention, operational advantages of the present invention, and objects achieved by the practice of the present invention, reference should be made to the accompanying drawings and the accompanying drawings which illustrate preferred embodiments of the present invention.

Also, in this specification, when any one element 'transmits' data to another element, the element may transmit the data directly to the other element, or may be transmitted through at least one other element And may transmit the data to the other component.

Conversely, when one element 'directly transmits' data to another element, it means that the data is transmitted to the other element without passing through another element in the element.

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, the present invention will be described in detail with reference to the preferred embodiments of the present invention with reference to the accompanying drawings. Like reference symbols in the drawings denote like elements.

1 is a schematic diagram illustrating a function of a service security system according to an exemplary embodiment of the present invention.

Referring to FIG. 1, the service security system 100 according to an embodiment of the present invention includes a control module 110, a terminal location determining module 120, and a user location determining module 130.

The service security system 100 is a predetermined information through the wired / wireless network and the service terminal (200, 210, etc.) requesting a specific service while logged in to a predetermined web service (for example, a website or a web application). Can transmit and receive. The service terminals 200 and 210 may log in to the web service using an ID and / or password, or may log in to the web service using a predetermined security or authentication protocol such as a public certificate. The service terminals 200 and 210 logged in to the web service may select a predetermined UI provided by the web service to use a specific service. By selecting the predetermined UI, the specific service may be requested to a system (eg, a web server) that provides the web service. Then, the service security system 100 may receive the specific service request. To this end, the service security system 100 may be included in a system (for example, a web server) for providing the web service or installed as a separate system.

In addition, the service security system 100 may be connected to the mobile terminal 300 and / or the carrier system 400 of the party user through a wired / wireless network, if necessary, to transmit and receive predetermined information.

The service security system 100 may include hardware resources and / or software necessary to implement the technical idea of the present invention, and necessarily means one physical component or one device. no. That is, the service security system 100 may mean a logical combination of hardware and / or software provided to implement the technical idea of the present invention. If necessary, the service security system 100 may be installed in devices spaced apart from each other. It may be implemented as a set of logical configurations for implementing the technical idea of the present invention by performing. In addition, the service security system 100 may refer to a set of components separately implemented for each function or role for implementing the technical idea of the present invention.

In addition, the term "module" in the present specification may mean a functional and structural combination of hardware for performing the technical idea of the present invention and software for driving the hardware. For example, the module may refer to a logical unit of a predetermined code and a hardware resource for executing the predetermined code, and does not necessarily mean a physically connected code or a kind of hardware. Can be easily deduced to the average expert in the field of the present invention.

The control module 110 may control other components (eg, the terminal position determining module 120 and / or the user position determining module 130, etc.) to implement the technical idea of the present invention.

The control module 110 receives a request for a specific service (eg, transfer, payment, item exchange, etc.) received from the service terminal 200, 210, and the service terminal 200, 210 receives the specific service. It can be controlled whether or not it is available. That is, the control module 110 may determine whether the service terminals 200 and 210 are to use or not to use the specific service.

The specific service may mean a predetermined service or function set in advance according to the type of the web service. For example, when the web service means a web site of a financial institution or services provided by the web site, the specific service may be a predetermined service set in advance by determining that security or authentication is further required at the financial institution. For example, the specific service may be a service or function related to the disposal of financial assets (cash or stocks, futures, etc.) such as transfers, settlements, and currency exchange.

The control module 110 stores information about the location of the service terminals 200 and 210 determined by the terminal location determining module 120 and positions of political parties determined by the user location determining module 130. On the basis of the information on whether or not to use the specific service can be determined and controlled.

The terminal location determining module 120 may determine the location of the service terminals 200 and 210 based on the IP addresses of the service terminals 200 and 210. For example, when the service terminal 200 or 210 is a fixed data processing apparatus 200 or a portable terminal 210 such as a desktop computer, the terminal location determining module 120 may request a login request. 200 or an IP (Internet Protocol) address of the portable terminal 210, and the location of the data processing apparatus 200 may be known based on the obtained IP address.

An IP address may be matched with actual address information. In general, an IP address may be assigned, registered, and / or managed by an Internet service provider (ISP). Accordingly, the terminal location determining module 120 may obtain an IP address corresponding to the login terminals 200 and 210 and obtain actual address information corresponding to the IP address from the ISP system (not shown). . The service security system 100 previously stores information on an actual address corresponding to the IP address in a predetermined DB (not shown), or receives information on the actual address corresponding to the IP address periodically or in real time. You may.

When the service terminals 200 and 210 are portable terminals 210, the portable terminals 210 may access the wireless Internet through a wireless internet network. In this case, a communication company providing the wireless Internet service may be connected to the portable terminal. The IP address assigned to 210 and / or the location of the access point AP connected to the portable terminal 210 may be known. In this case, the terminal location determination module 120 may receive information on the location of the access point from a communication company system 400 that provides a wireless Internet service. In addition, the location of the portable terminal 210 may be grasped by various conventional location tracking methods (eg, triangulation, GPS, etc.), and the terminal location determining module 120 may transmit such information to the communication company system 400. Can also be received from. Of course, when the portable terminal 210 uses various location based services (LBS), information about the location of the portable terminal 210 may be received from an LBS system (not shown) that provides the LBS service. It may be. Alternatively, according to an embodiment, when the portable terminal 210 is equipped with a GPS module, the terminal position determining module 120 receives GPS information from the portable terminal 210 to determine the position of the portable terminal 210. You can also judge. In addition, the terminal location determining module 120 may determine the location of the service terminals 200 and 210 in various ways.

The user location determining module 130 may determine the location of the party user. To this end, the user location determination module 130 may determine the location of the mobile terminal 300 of the party user. That is, the user location determining module 130 may determine the location of the party user based on the location of the mobile terminal 300 of the party user. The method of determining the location of the mobile terminal 300 of the political party user is similar to the method of determining the location information of the mobile terminal 210 requesting a specific service by the terminal location determination module 120, and thus, a detailed description thereof is omitted. do. The mobile phone number of the party user may be stored in advance in the service security system 100 or a predetermined system connected to the service security system 100, and may correspond to the mobile phone number based on the stored mobile phone number. The mobile terminal 300 can be identified.

The control module 110 compares the positions of the service terminals 200 and 210 determined by the terminal position determining module 120 with the positions of the party users determined by the user position determining module 130, thereby providing the service terminal. It is possible to control whether to use a specific service from (200, 210).

If the first position determined by the terminal position determining module 120 and the second position determined by the user position determining module 130 satisfy certain conditions, the control module 110 requests the specific service. It can be judged as a legitimate request requested by the political party user and allowed to use the specific service. In this case, a method of determining that the control module 110 satisfies a predetermined condition is illustrated in FIG. 3.

3 is a view for explaining a method of determining whether a service security system is a service request from a party user by performing a location comparison according to an embodiment of the present invention.

3A to 3C, the control module 110 determines a distance between a first position determined by the terminal position determining module 120 and a second position determined by the user position determining module 130. It can be determined that the case where the specific service is requested by the party user is within a predetermined range. Even if the determined position is the same, it can be determined that the predetermined condition is satisfied. The location determination method performed by the terminal location determination module 120 and / or the user location determination module 130 may be different from each other, and thus the location information and / or the determined location information of the service terminals 200 and 210 may be different. This is because the position of the user may have a certain error.

That is, the first location and the second location may be represented by information indicating a specific location (eg, an actual address or coordinate information corresponding to an IP address). Alternatively, at least one of the first position or the second position may be expressed as information indicating a specific range, not information indicating a specific position. For example, the position of the portable terminal 210 or the mobile terminal 300 may be represented as a predetermined region as shown in FIG. 3B or 3C according to the estimated position according to the triangulation and the error range from the estimated position. Alternatively, the portable terminal 210 or the mobile terminal 300 may be represented by an area range of a specific access point.

Therefore, when the first position and the second position can be designated as a specific position as shown in FIG. 3A, the control module 110 provides the service terminal when the difference between the first position and the second position is within a predetermined range. It may be determined that the specific service request of 200 and 210 satisfies the predetermined condition. Then, the use of the specific service can be allowed. Of course, the range may include a case in which the same location, that is, the same address or coordinates.

In addition, as shown in FIG. 3B, when one of the first position and the second position is designated as a specific position, and the other is determined as a predetermined range, the control module (if the specific position is included in the predetermined range) 110 may determine that the specific service request satisfies a predetermined condition.

In addition, when both the first position and the second position are represented by a predetermined range as shown in FIG. 3C, when at least some regions of the range overlap, the control module 110 satisfies a certain condition of the specific service request. You might decide that.

Of course, in addition to the method illustrated in FIG. 3, the control module 110 may determine that a specific service request of the service terminal 200 or 210 satisfies a predetermined condition and is a legitimate request. In any case, the control module 110 may determine whether the request for the specific service is a legitimate request by comparing the first location with the second location.

As such, the control module 110 may determine whether a specific service request of the service terminal 200 or 210 is a legitimate request by comparing only the first position and the second position, but according to an embodiment of the present invention. The service security system 100 and the method may determine whether the request is more clearly legitimate by further passing an additional authentication process together with the authentication process of whether the request is a legitimate request as described above.

As shown in FIG. 3, the error of the location of the service terminals 200 and 210 and / or the location of the user determined by the terminal location determining module 120 and / or the user location determining module 130 may be constant. It is intended to eliminate the possibility of fraudulent use due to such errors.

For example, when an unauthorized user who is not a political party user requests the specific service by logging in from a far distance from the political party user, the user cannot control the specific service by comparing the first location and the second location as described above. can do. For example, when the login information such as the ID and / or password (PWD) through the hacking in the other country to log in to the web service, the location of the service terminal (200, 210) and the party user located in the other country is shown in FIG. It may be determined that the service request is not a legitimate service because it does not satisfy the described condition. Therefore, there is an effect to prevent the use of a specific service by a fraudulent user. That is, according to the service security system 100 and the method according to an embodiment of the present invention, even if login information is leaked through hacking or invading a web service without a legitimate login procedure, each time a specific service is requested, By judging whether the request is a political party, it is possible not only to leak the login information but also to use the service through hacking. This is because the fraudster cannot know the location of the political user.

As such, when the location of the illegal user (or the service terminals 200 and 210) and the party user is relatively far, the specific service request of the illegal user may be rejected by the location comparison. However, fraudulent use may not only be so far, but also more likely to occur in the vicinity of a party user. For example, if a party user is acquainted with a party user, such as a co-worker, friend, or lover, they may have certain information (eg, ID, PWD, password of a public certificate, and / or) used in conventional security / authentication protocols. The location of the OTP generator, etc.) may be obtained easily or in a variety of ways and then attempt to use the particular service against the will of the party user. If a co-worker, for example, a co-worker located right next to a party user's position intends to use the device illegally, the use of the location comparison as described above may not prevent the illegal use. In other words, an illegal service request that is made in the vicinity of a location where a party user is actually located may not prevent the illegal use only by the location comparison as described above.

As such, the service security system 100 and the method according to an exemplary embodiment of the present invention provide a technical idea for blocking an illegal service request within an error range generated at the time of determining the location.

To this end, the control module 110 transmits predetermined authentication information to any one of the service terminal 200 or 210 or the mobile terminal 300 even when a certain condition is satisfied through the position comparison. The authentication may be determined to be successful only when the authentication information is received from the terminal corresponding to the transmitted terminal. The authentication information may be a number generated by the service security system 100 to confirm that the user is a political party.

Herein, the terminal corresponding to the terminal that transmits the authentication information means that when the authentication information is transmitted to the service terminals 200 and 210, the mobile terminal 300 becomes the corresponding terminal, and the authentication information is referred to as the terminal. In the case of transmission to the mobile terminal 300, the service terminals 200 and 210 become the corresponding terminals.

For example, the control module 110 may transmit predetermined authentication information to the mobile terminal 300. The authentication information may be composed of numbers, letters, and / or symbols. That is, the control module 110 may transmit the authentication information to the mobile terminal 300 to allow the use of the specific service only when the transmitted authentication information is received from the service terminals 200 and 210. have.

On the contrary, the control module 110 may transmit predetermined authentication information to the service terminals 200 and 210 even when a certain condition is satisfied through position comparison. Then, the control module 110 may allow the use of the specific service only when the transmitted authentication information is received from the mobile terminal 300. In this case, the control module 100 and / or the service security system 100 may be set to correspond to a specific mobile number. For example, the control module 100 and / or the service security system 100 may use a MO (Mobile Oriented) service, and when the user receives the authentication information to the service terminal (200, 210), The user may transmit the authentication information to the MO number set in the control module 110 and / or the service security system 100 using the mobile terminal 300. Alternatively, the mobile terminal 300 may be connected to the control module 110 and / or the service security system 100 through a wireless network, and may transmit the authentication information through the wireless network.

Of course, the control module 110 may transmit predetermined notification information together with the authentication information to the mobile terminal 300 to know that the specific service is requested. Alternatively, the control module 110 may transmit only predetermined notification information to the mobile terminal 300 to know that the specific service is requested.

That is, if at least the party user's mobile terminal 300 assumes that the party user possesses and the authentication information is transmitted to the mobile terminal 300, if there is an illegal service request in the vicinity of the party user, The party user can know that there is an illegal service request, and can not block the illegal use since the authenticated authentication information is not inputted through the service terminal 200 or 210 that has made the illegal authentication request.

Alternatively, if the party user's mobile terminal 300 is owned by the party user and the authentication information is transmitted to the service terminals 200 and 210, the illegal user transmits the authentication information transmitted through the mobile terminal 300. Since the user cannot input the data, the illegal user who attempts to use the service through the service terminals 200 and 210 may not use the specific service.

According to the embodiment, since the mobile terminal 300 is assumed to be owned by the political party user, the control module 110 uses the mobile terminal 300 again to transmit the authentication information transmitted to the mobile terminal 300. You can also send This is because if the political party user does not request a specific service using the service terminals 200 and 210, the authentication information will not be transmitted to the mobile terminal 300 again.

In addition, if the authentication information is transmitted to the mobile terminal 300, and if the information that the request for the use of the specific service has been transmitted to the mobile terminal 300 along with the authentication information, the political party user requests the specific service In case of notifying the service security system 100 or the system providing the web service that the service security system 100 is not provided, the location of the fraudulent user can be determined. This is because the unauthorized user has passed the authentication process through the location comparison as described above, at least confirm that the illegal user requested the service using the service terminals 200 and 210 within a predetermined condition used for the location comparison Because you can give.

As described above, in the case where an additional authentication process is performed along with the location comparison according to the technical idea of the present invention, it is possible to reject an unjust service request occurring in the vicinity of a party user, thereby preventing damage due to unfair service use, and also unfairly nearby. When attempting to use it, it is possible to specify the location where an attempt to use an illegal service exists, thereby preventing the use of an illegal service.

The additional authentication process used in conjunction with the location comparison is not only a case of transmitting authentication information to the mobile terminal 300 as described above, but also a predetermined confirmation to the mobile terminal 300 or the service terminal (200, 210). It may be implemented by requesting an action. For example, the control module 110 may inform the mobile terminal 300 or the service terminals 200 and 210 that the specific service is requested by the political user through the mobile terminal 300. By transmitting information or a message for performing, it can be confirmed that the request of the specific service was a request by a party user. For example, the control module 110 when the political user presses a predetermined button (eg, 'confirmation') through the call back URL (call back URL) to the mobile terminal 300, the pressed information is returned to the service security system. 100 or the system that provides the web service. Then, the control module 110 may allow the use of the specific service. The checking may include an operation of selecting a specific button, key, or UI using the mobile terminal 300, inputting specific information, or transmitting a specific message.

In other words, the confirmation may include not only selecting a specific button but also various actions that may be performed by a party user. In this case, the mobile terminal 300 transmits information indicating that the verification is performed by using a wireless application protocol (WAP), or the service security system indicates that the verification is performed by using a callback UL as described above. 100).

Under the premise that the mobile terminal 300 has a party user, if such confirmation is received, even if the requester who requested the specific service using the service terminal 200 or 210 is not the party user, the user can allow the use of the specific service. This is because the party user confirmed the use of the specific service requested through the mobile terminal 300. In other words, when a party user allows a user to use a specific service, the user may allow the use of the specific service through this confirmation.

That is, an additional authentication process performed along with the location comparison is performed when the predetermined authentication information required for authentication is transmitted to the mobile terminal 300 or the service terminal 200, 210, to a terminal corresponding to the terminal where the authentication information is transmitted. If the authentication information is input, authentication can be successful. Alternatively, authentication may be successful when the authentication information is transmitted to the mobile terminal 300 and the transmitted authentication information is transmitted back to the mobile terminal 300.

Alternatively, when at least one of the service terminal 200 or 210 or the mobile terminal 300 has a predetermined confirmation request, and the requested confirmation is performed by the mobile terminal 300, authentication may be successful. .

In addition, the additional authentication process used together with the position comparison may be possible not only when the authentication information or the verification is performed as described above, but also when inputting certain identification information.

The identity verification information may refer to predetermined information that can identify the identity. For example, information unique to each user in advance (eg, social security number or unique information automatically assigned to each user) to the service security system 100 or predetermined information input by the user in advance (for example, a song of his / her favorite) Na city, etc.) may be stored. Such information may be stored in advance encrypted in the service security system 100 or a predetermined web service system connected to the service security system 100. In addition, the service security system 100 may request the mobile terminal 300 or the service terminals 200 and 210 for at least some of the predetermined information in an additional authentication process. Then, the control module 110 may go through an additional authentication process by checking whether the information transmitted from the mobile terminal 300 or the service terminals 200 and 210 matches the previously stored information.

The identity verification information may include predetermined authentication information that has been used for identity verification in addition to the predetermined information. For example, official authentication information (certified certificate and password) or OTP may be included in the identity verification information. Therefore, through such identity verification information, even if the primary authentication through the position comparison can be performed more reliable authentication. That is, even if the user near the party user who knows the login information by any means, the user may not know the information previously set by the political party user, the authentication information, or the OTP information, so that the secondary authentication can be performed through the identity verification information. .

4 illustrates an example of a screen displayed on a service terminal or a mobile terminal by a service security method according to an exemplary embodiment of the present invention.

First, referring to FIG. 4A, the service terminals 200 and 210 may be logged in to a predetermined web service (for example, a web site of a financial institution). Some of the web services may require a relatively low security level, and other services may require a relatively high security level. In this case, the service security method according to an embodiment of the present invention may be applied to a specific service requiring a high security level (eg, a transfer service). Of course, depending on the implementation, the service security method according to an embodiment of the present invention may be applied to a specific service requiring a low security level.

For example, when the service terminals 200 and 210 want to search for a specific financial account, the predetermined UI 10 may be selected. At this time, the service security method according to an embodiment of the present invention may not be applied and the service may be immediately available. If the service terminals 200 and 210 want to transfer financial assets existing in a specific financial account, the predetermined UI 20 may be selected. In this case, a service security method according to an embodiment of the present invention may be applied. When the service security method according to an embodiment of the present invention is applied to perform authentication through location comparison, and as a result, the authentication is not successful, as shown in FIG. 4A, the transfer service is not used together with the information that the authentication failed. Information indicating the inability to do so may be displayed on the service terminals 200 and 210.

According to an embodiment of the present invention, when the authentication fails through the position comparison, the control module 110 inputs predetermined identification information or receives authentication again through the predetermined authentication information, or confirms the action with the mobile terminal 300. If performed, it may be possible to recover from the authentication failure.

Or information about a request for the specific service (for example, a site for which a specific service is requested, information about a specific service or application, information about a time when a specific service is requested, or a specific service request) to the mobile terminal 300 of the political party user. Information about a given location (or IP address), etc.). The information on the specific service request may be transmitted to the mobile terminal 300 through a messaging service such as SMS or MMS, but is not limited thereto.

In addition, even a party user may not necessarily have his mobile terminal 300. In this case, the control module 110 may input predetermined identification information to confirm that the user who requested the transfer service is a legitimate user, and then control to use the transfer service. As described above, the identification information may be information that can be known only by the political party user (for example, the digit after the social security number, information on the taste of the political party user, etc.). Such identity verification information may be stored in the service security system 100 or the system providing the web service encrypted in a predetermined manner. In addition, as described above, the identification information may include predetermined identification information provided by a conventional security protocol (for example, a public certificate and a password of the public certificate, or an OTP) to be used for recovering an authentication failure through location comparison. It may be. Such identity verification information can be used to recover authentication failure through location comparison, assuming that only the party user knows.

Alternatively, the authentication information may be transmitted to any one of the mobile terminal 300 or the service terminals 200 and 210, and the authentication failure may be recovered when the transmitted authentication information is received from the corresponding terminal. This may indicate that a specific service requester and a party user are located at a location apart from each other when the party user is carrying the mobile terminal 300. This may be the case where a fraudulent user requests a specific service or a user authorized by a political user requests a specific service. In the latter case, the authentication failure may be recovered through such authentication information.

4B illustrates a process of undergoing an authentication process through additional authentication information when authentication is successful through location comparison. When a predetermined UI 20 is selected by the service terminals 200 and 210, the control module 110 is illustrated. Performs authentication process through location comparison. Even if the result of the authentication is successful, the control module 110 generates predetermined authentication information to prevent the unauthorized use that may occur in the vicinity of the party user as described above, so that the service terminal 200 or 210 or the It may be transmitted to the mobile terminal 300. 4b illustrates a case in which authentication information is transmitted to the mobile terminal 300, but vice versa may be easily deduced by an average expert in the art. Then, the political party user may input the transmitted authentication information into the predetermined input UI 30 using the corresponding terminal (eg, the service terminals 200 and 210), and select the UI 40. Then, the information input to the input UI 30 may be transmitted to the control module 110, and the additional authentication process may be performed by comparing the transmitted information with the generated authentication information. If the additional authentication process is successful, the control module 110 may allow the service terminals 200 and 210 to use the transfer service.

4C illustrates a case where an additional authentication process is performed through a mobile terminal. The control module 110 shows information on a specific service requested by the mobile terminal 300 even when authentication is successful through location comparison. It can transmit as shown in 4c. In addition, in order to confirm whether the request of the specific service is a request by a party user, the party user may be requested to perform a predetermined verification. The control module 110 may request the confirmation action to the mobile terminal 300, but as described above, the confirmation action transmitted by transmitting the confirmation action to the service terminals 200 and 210 is determined by the mobile terminal ( 300 may be required to be performed. In FIG. 4C, the control module 110 shows a case where the request for the confirmation action is made to the mobile terminal 300. The control module 110 confirms that a user of a political party selects a predetermined confirmation UI 50. In the case of acting, it can be judged that the additional authentication process is successful. If the party user selects the cancellation UI 60, the specific user (eg, transfer service) may be controlled to prevent the user from using the specific service. In addition, as described above, the confirming action may be used as a meaning including not only the selection of a specific UI, but also all kinds of actions that can confirm that the user is a party user through the mobile terminal 300.

In FIG. 4, the service security method according to an embodiment of the present invention is applied to a specific service (for example, a transfer service) of a financial institution as an example. However, all web services (eg, public institutions, The service security method may be applied to at least some of the various services provided in the electronic commerce, game service, etc. (eg, certificate application, payment, disposal of game money or items, etc.).

On the other hand, the service security system 100 and the method according to an embodiment of the present invention is the same or not only when a particular service terminal 200, 210 requests a login as well as selecting a specific service in the logged-in state. Similarly it can be applied.

That is, when there is a login request from the service terminals 200 and 210, the control module 110 may determine whether the login request is a legitimate login request through location comparison. In addition, it may be determined whether the login request is legitimate only if the additional authentication process is performed.

A login request may mean a predetermined action for a user to authenticate that he or she is a legitimate user to use a particular website or application, wherein the login request may be performed by entering an ID and / or password and selecting a login button. Can be. Alternatively, a login request may be performed by selecting specific authentication information that can identify a user, such as an authorized certificate, and inputting a password corresponding to the authentication information.

In addition, a party login request refers to a login request when there is no need to restrict access and / or use of a web site or application, such as a login request by a party user or a user's login request permitted by the party user. Can mean.

Accordingly, the control module 110 determines whether the login request performed by the service terminals 200 and 210 is a political login request. This may mean determining whether to allow login or limiting at least some of the services that can be used even if the login is allowed. According to the exemplary embodiment, when the login request is temporarily permitted to log in the service terminals 200 and 210 that have requested the login, the user is forced to log out of the service terminals 200 and 210 when it is determined that the login request is not a political login. You can also log out. If it takes some time to determine the party login request, if only the identification information of the existing user such as ID or password is corrected once, and then it is determined that it is not a party login request according to an embodiment of the present invention. The service terminals 200 and 210 may be forcibly logged out. Of course, the type of service to be restricted may be determined or the allowed services may be determined in advance.

For example, when the service terminal 200 or 210 wants to access a specific web site, the login information (eg, an ID and a password, etc.) used by the service terminal 200 or 210 in the login request is stored in the web site. It can match all of the information registered in. In this case, the service security system 100 according to an embodiment of the present invention may not determine that the login request is a political login request based on whether ID and password match. If it is determined that the request is not a political login request, the control module 110 may not allow the service terminal 200 or 210 to log in or may provide only a limited service even if the login is allowed. Alternatively, as described above, after allowing the login, it may be forcibly logged out when it is determined that it is not a political login request. For example, if the ID and password match but it is determined by the control module 110 that it is not a legitimate login request, various services provided by the web site (eg, viewing of information, generating of information, changing of information, etc.). Only some of them can be controlled. Of course, if it is determined that the login request is a political party, it is possible to use all services that match the usage rights granted to the ID and password.

The control module 110 stores information about the location of the service terminals 200 and 210 determined by the terminal location determining module 120 and positions of political parties determined by the user location determining module 130. As described above, it is possible to perform authentication through location comparison based on the information on the information, and as a result, it is possible to determine whether the login request is a political login request.

5 is a diagram illustrating a process of authenticating a login request by the service security system 100 and a method thereof.

5 shows an example of a screen displayed on the service terminal by the service security method according to an embodiment of the present invention.

Referring to FIG. 5, a user may try to log in to a specific web site or web application through the service terminals 200 and 210. The user can then enter a predetermined ID and password, and perform the login request by selecting the login button 1. Alternatively, you can try logging in by selecting a certificate and choosing a password for the certificate.

If the ID and password match the pre-registered information, or if the official certificate and password are correct, the control module 110 may determine whether the login request is a political login request through location comparison as described above. . It may be determined whether or not it is a party login request only through location comparison. However, as described above, it may be determined that the login request is a party login request only after further authentication.

For example, even if authentication is successful through location comparison, after transmitting predetermined authentication information to the mobile terminal 300, when the authentication information transmitted from the service terminals 200 and 210 is input, the mobile terminal ( 300 or when the authentication information is transmitted to the service terminals 200 and 210 and the authentication information is input from the mobile terminal 300, the control module 110 may determine that the login request is a political login request. have. Or, even if authentication is successful through the location comparison, after the request for a predetermined confirmation to the mobile terminal 300 or the service terminal (200, 210), if the confirmation is performed by the mobile terminal 300 The control module 110 may determine that the login request is a political login request. Alternatively, when the identification information is input from the service terminal 200 or 210 or the mobile terminal 300, the login request may be determined as a political login request.

In addition, if it is determined that it is not a political login request through the position comparison, the control module 110 may be to recover the authentication failure through the position comparison by going through a separate process. This is because even as a party user, even if the party does not have the mobile terminal 300, or a person who is allowed to use the party user may request a login. In this case, even if the authentication fails through the location comparison, if the predetermined authentication process is again performed, the login request may be determined as a political login request again. To this end, the control module 110 may request the service terminal 200 or 210 to input predetermined identification information. Alternatively, when a predetermined confirmation action is input through the mobile terminal 300, it may be determined as a political login request again. Alternatively, the authentication information may be transmitted, and if the authentication information is received from the corresponding terminal, the authentication information may be determined as a political login request.

For example, as illustrated in FIG. 5A, the control module 110 may request the service terminals 200 and 210 to input information that only a political party user can know, such as a resident number of a political party user.

The service terminals 200 and 210 that have been requested to input the identification information may input the requested information through a predetermined UI 2. Thereafter, when the user selects a predetermined button 3, the information input through the UI 2 may be transmitted to the control module 110. The control module 110 may check whether the received information is correct information by comparing it with previously stored information. If the previously stored information is encrypted, a separate decryption process may be performed. When the inputted information matches the requested identity information, the control module 110 may determine the login request as a political login request again.

The identity verification information may be information used in a conventional security protocol, such as a public certificate and a password of the public certificate. For example, if authentication fails as a result of the location comparison, the user may select the UI 70 and attempt to log in with an authorized certificate.

That is, even when the login control system 100 determines that the login request is not a political login request through location comparison, the login control system 100 may provide a protocol that may modify or reverse the determination again with the political login request by going through a separate authentication process. Can be. This is because even though the user performing the login request is a party user, it may be determined that the user is not a party login request through location comparison. For example, this may be the case when a political party user does not have his or her portable terminal. Or it may be the case that the login request is made by an authorized user who is away from the party user. Alternatively, as described above, authentication failure may be recovered through location comparison using the authentication information. Of course, if the authentication fails through the location comparison and / or additional authentication process may not be determined as a political login request.

Meanwhile, referring to FIG. 5B, as described above, the control module 110 may allow the login even when it is determined that the request is not a political login request. In this case, the currently logged-in user may be restricted from using at least one of the services available to the party user. In this case, the type of the service whose use is restricted may be determined in advance or in real time, and the type of the service whose use is restricted may be displayed on the service terminals 200 and 210 as illustrated in FIG. 4B. Of course, at this time as well, as described in FIG. 4A, if the user passes through the authentication process, the user may be restored to use all the services by being recognized as a login of the political party user.

6 illustrates an example of a screen displayed on a mobile terminal of a party user by a service security method according to an exemplary embodiment of the present invention.

First, referring to FIG. 6A, if the service security system 100 determines that the login request is not a party login request, the service security system 100 may notify the party user that the login request has been made. To this end, when the control module 110 determines that the login request is not a political login request, the control module 110 sends the information about the login request to the mobile terminal 300 of the political party user (for example, information about a login request site or application, Information about the time of login request, information about the location (or IP address) requested for login, etc. may be transmitted. Information about the login request may be transmitted to the mobile terminal 300 through a messaging service such as SMS or MMS, but is not limited thereto.

In addition, the party user may recover the login request back to the party login request by performing a predetermined verification using his mobile terminal 300. For example, even when a political party user determines that the user is not a party login request through location comparison, such as when a user allows login of another user, the party user permits a login request from the service terminal 200 or 210 as a party login request. There may be a case. Then, the control module 110 may transmit a method for requesting a confirmation action to allow the login request as a political login request to the mobile terminal 300. For example, as shown in FIG. 6A, when a specific button of the mobile terminal 300 is input, the user may inform the political party that a login permission request may be transmitted to the service security system 100. In this case, a callback URL may be used, but is not limited thereto.

When the party user performs the verification, the service security system 100 may determine the login request from the service terminals 200 and 210 as the party login request again.

Meanwhile, as shown in FIG. 6B, the control module 110 may transmit predetermined authentication information to the mobile terminal 300 of the party user. Then, the political party user may inform the authentication information to the person who logs in to the service terminal 200 or 210. The authentication information may be input through the service terminals 200 and 210, and in this case, the control module 110 may determine the login request as a political login request. In some cases, even when a political party user attempts to log in using the service terminals 200 and 210 while directly possessing his mobile terminal 300, the political party login request is performed due to the case where the location comparison is not performed correctly. May not be determined. In this case, the login request may be restored to a political login request using the authentication information. The authentication information may be information consisting of numbers and / or letters.

The service security system 100 may be installed and implemented in a web service system to use the service security method according to an embodiment of the present invention as shown in FIG.

Alternatively, the service security system 100 may be implemented as a system separate from a system for providing a web service, which is illustrated in FIG. 2.

2 shows a schematic configuration of a service security system according to another embodiment of the present invention.

Referring to FIG. 2, the service security system 100 may be connected to a predetermined web system 500 through a wired / wireless network to transmit and receive predetermined information for implementing the technical idea of the present invention. The web system 500 may be a system for providing a specific web service.

The web system 500 may receive a specific service request or a login request from the service terminals 200 and 210. Then, the web system 500 may transmit predetermined information (for example, an IP address) to determine the location of the service terminals 200 and 210 to the service security system 100. In addition, predetermined information (eg, identification information and / or a mobile phone number of a party user) for identifying a party user's location may be transmitted to the service security system 100. Then, the service security system 100 determines the location of the service terminals 200 and 210 and the location of the party user based on the transmitted information, and accordingly, whether the specific service request is a legitimate request or the login request. You can determine if this is a legitimate login request. In addition, it may be determined that the additional authentication process together with the location comparison result is a valid service request or a political login request. Then, the service security system 100 may transmit the determination result to the web system 500.

In addition, the information as shown in FIG. 5 may be transmitted directly from the service security system 100 to the service terminals 200 and 210 or to the service terminals 200 and 210 through the web system 500. Can be. Therefore, in the present specification, that the service security system 100 requests specific information to the service terminals 200 and 210 means that the web system 500 requests the specific information to the service terminals 200 and 210. The service security system 100 may be used to mean that the service system 100 controls the web system 500.

In addition, the fact that the service security system 100 receives specific information from the service terminals 200 and 210 is not only when receiving the specific information directly from the service terminals 200 and 210, but also by the web system ( 500 may be used as a meaning including the case of receiving the specific information.

The service security method according to an embodiment of the present invention is particularly useful for web services that can be seriously damaged when the ID and password are leaked or the authentication information and password of the authentication method that can prove the identity such as a public certificate or OTP are leaked. Can be applied. In addition, the conventional security / authentication protocol is a pure information based authentication protocol (e.g., ID / PWD, etc.) or a hardware dependent authentication protocol (e.g., public certificate or OTP generator, etc.) Since the service security method according to the embodiment is a location-based authentication method, it may be used or replaced with a conventional protocol. For example, even if a public certificate (or a medium storing the public certificate) or an OTP generator is lost or stolen, a security mechanism may be provided using a service security method according to an embodiment of the present invention.

The service security method according to an embodiment of the present invention may be applied to a web site of a financial institution, a public institution, or various service companies, or a web service provided by them.

The service security method according to an embodiment of the present invention can be embodied as computer readable codes on a computer readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. Examples of computer-readable recording media include ROM, RAM, CD-ROM, magnetic tape, hard disk, floppy disk, optical data storage, and the like, and also in the form of carrier waves (e.g., transmission over the Internet). It also includes implementations. The computer readable recording medium may also be distributed over a networked computer system so that computer readable code can be stored and executed in a distributed manner. And functional programs, codes, and code segments for implementing the present invention can be easily inferred by programmers skilled in the art to which the present invention pertains.

Although the present invention has been described with reference to one embodiment shown in the drawings, this is merely exemplary, and those skilled in the art will understand that various modifications and equivalent other embodiments are possible therefrom. Therefore, the true technical protection scope of the present invention will be defined by the technical spirit of the appended claims.

Claims (19)

A terminal location determining module for determining a location of a service terminal requesting a specific service when a service terminal logged in to a web service requests a specific service;
A user location determining module for determining a location of a party user of an account to which the service terminal is logged in; And
And a control module for comparing a first position determined by the terminal position determining module with a second position determined by the user position determining module, and controlling whether to use the requested specific service based on a comparison result.
The control module includes:
As a result of the comparison, certain conditions are satisfied,
Authentication information generated by the control module and transmitted to the service terminal or the mobile terminal of the party user is received from the mobile terminal,
Identity identification information including at least one of predetermined identification information, public certificate information, or OTP (One Time Password) information that can confirm that the party user is received from the mobile terminal,
When the information is received from the mobile terminal to confirm that the confirmation including at least one of the action of selecting a predetermined key, button, or UI provided on the mobile terminal has been performed,
A service security system allowing use of the specific service. delete A terminal location determining module for determining a location of a service terminal requesting a specific service when a service terminal logged in to a web service requests a specific service;
A user location determining module for determining a location of a party user of an account to which the service terminal is logged in; And
And a control module for comparing a first position determined by the terminal position determining module with a second position determined by the user position determining module, and controlling whether to use the requested specific service based on a comparison result.
The control module includes:
As a result of the comparison, certain conditions are satisfied,
The authentication information generated by the control module and transmitted to the mobile terminal of the party user is received from the service terminal,
When the identification information including at least one of predetermined identification information, public certificate information, or OTP (One Time Password) information that can confirm that the party user is received from the service terminal,
A service security system allowing use of the specific service. delete The method according to claim 1 or 3, wherein the predetermined condition is
And at least one of a case where a distance difference between the first position and the second position is within a predetermined range or when there is an area where the first position and the second position overlap. A terminal location determining module for determining a location of a service terminal requesting a specific service when a service terminal logged in a web service requests a specific service;
A user location determining module for determining a location of a party user of an account to which the service terminal is logged in; And
And a control module for comparing a first position determined by the terminal position determining module with a second position determined by the user position determining module, and controlling whether to use the requested specific service based on a comparison result.
The control module includes:
If the comparison result does not satisfy certain conditions,
Identity verification information is received from the service terminal,
A confirmation operation including at least one of selecting a predetermined key, button, or UI provided in the mobile terminal from the mobile terminal of the political party user is performed, or
When the authentication information sent to the mobile terminal is received from the service terminal or the authentication information sent to the service terminal is received from the mobile terminal,
Service security system, characterized in that to allow the use of the particular service. The method of claim 6, wherein the control module,
If the comparison does not meet the above conditions,
Service security system for transmitting the notification information to know that the request to use the specific service to the mobile terminal of the party user.
The terminal position determining module of claim 1, wherein the terminal position determining module comprises:
Determine the location of the service terminal based on the IP address of the service terminal, receive information corresponding to the location of the service terminal from at least one of a communication company system or a location based service (LBS) system, and based on the received information Service security system for determining the location of the service terminal. The method of claim 1, wherein the user position determination module,
And a service security system for receiving information on the location of the mobile terminal of the party user from a communication company system or an LBS system. A terminal location determining module for determining a location of a service terminal requesting a login to a web service;
A user location determining module for determining a location of a party user of an account for which login is requested from the service terminal; And
It includes a control module,
The control module satisfies a predetermined condition by comparing the first position determined by the terminal position determining module with the second position determined by the user position determining module, and is generated by the control module and generated by the service terminal or a party user. At least one of receiving authentication information transmitted from the mobile terminal, receiving identification information from the mobile terminal, or selecting a predetermined key, button, or UI provided in the mobile terminal from the mobile terminal. A confirming act involving an act is performed, or
The control module satisfies a predetermined condition by comparing the first position determined by the terminal position determining module with the second position determined by the user position determining module, and the authentication information generated by the control module and transmitted to the mobile terminal is When received from the service terminal, or when the identification information is received from the service terminal,
A service security system for determining the login request of the service terminal as a political login request. The method of claim 10, wherein the control module,
If it is determined that the login request of the service terminal is not a political login request,
A service security system that does not allow a login of the service terminal, restricts at least one of the types of services available to the service terminal, or logs out the logged-in service terminal. A terminal location determining module for determining a location of a service terminal requesting a login to a web service;
A user location determining module for determining a location of a party user of an account for which login is requested from the service terminal; And
It includes a control module,
The control module includes:
If it is determined that the login request is not a political login request,
Identity verification information is received from the service terminal,
A confirmation operation including at least one of selecting a predetermined key, button, or UI provided in the mobile terminal from the mobile terminal of the political party user is performed, or
When the authentication information sent to the mobile terminal is received from the service terminal or the authentication information sent to the service terminal is received from the mobile terminal,
And determining the login request as a political login request. The method of claim 12, wherein the control module,
If it is determined that the login request is not a political login request,
Service security system for transmitting the information on the login request to the mobile terminal. When the service terminal logged into the web service requests a specific service, determining, by the service security system, the location of the service terminal requesting the specific service and the location of a political user of an account to which the service terminal logs in;
And determining, by the service security system, whether to use the requested specific service based on the determined location of the service terminal and the location of the party user.
Determining whether the service security system permits the use of the specific service requested based on the determined location of the service terminal and the location of the party user,
Determining, by the service security system, whether the location of the service terminal and the location of the party user satisfy a predetermined condition;
Performing a predetermined additional authentication process when the predetermined condition is satisfied; And
And determining whether to allow the use of the specific service according to a result of the additional authentication process. delete The method of claim 14, wherein performing the additional authentication process comprises:
Receiving authentication information generated by the service security system and transmitted to the service terminal or the mobile terminal of the party user, from the mobile terminal of the party user;
Receiving identification information from the mobile terminal;
Confirming, from the mobile terminal, a confirmation action including at least one of selecting a predetermined key, button, or UI provided in the mobile terminal;
Receiving authentication information generated by the service security system and transmitted to the mobile terminal, from the service terminal; or
Service security method comprising at least one of the steps of receiving the identity information from the service terminal. delete delete A computer-readable recording medium having recorded thereon a program for performing the method of claim 14.

Images