KR101541298B1 - Online payment method using integrated token based on voiceprint and OTP - Google Patents

Abstract

The present invention relates to a method for processing online payment by using a coupling token based on voiceprint information and a one-time password (OTP). A terminal extracts first voiceprint information from the voice input from a user, encrypts and couples the first voiceprint information with a first OTP and purchase information to generate first payment authentication information, and transmits the first payment authentication information to a payment server through an item purchase server to request the payment. The payment server encrypts and couples the second voiceprint information of the user stored in advance, a second OTP, and the purchase information received from the item purchase server to generate second payment authentication information. The payment server also compares the second payment authentication information and the first payment authentication information received from the terminal through the item purchase server to authenticate the user.

Description

[0001] The present invention relates to an online payment method using an integrated token based on voiceprint and OTP,

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a technology for processing online payment through the Internet, and more particularly, to a device and a method for implementing secure settlement on-line utilizing a voice and a one-time password (OTP) And a recording medium on which a method is recorded.

The demand for a more convenient and secure online payment system has been increased as it is possible to deal with desired goods and services without being restricted by time and distance by using a communication technology through wired / wireless terminals. In addition, with the growth of the online payment market, the use of credit cards has increased, and interest in easier and safer payment has also increased.

Most online payment systems require consumers to make multiple payment steps to purchase goods and services, and many additional programs are required. In this process, the consumer is requested to input payment information represented by a card number, expiration date, or a password, and the inputted information is transmitted to an authentication server or a payment server (payment relay server) to authenticate the card holder, .

As described above, since the payment information is transmitted to the authentication server or the payment server through the communication network, the payment information may be exposed to a malicious third party. For this reason, in recent online payment systems, a method of processing payment by providing payment information in advance and providing only partial information such as ID and password is used for convenience. For example, there is a simple payment service called ISP and secure payment service offered by card companies in Korea. However, these methods used in Korea are not only problematic in terms of safety due to some weaknesses, but also disadvantageous to user convenience because additional program installation is required.

To reduce this risk, OTP (One Time Password) payment method attracted much attention. In the prior art cited below, a credit card payment system for a mobile terminal using Internet OTP security is presented as an example of such OTP technology.

However, although the method using OTP is more secure, there is a risk that OTP information is taken out when the OTP generation is performed in a portable terminal, and it is somewhat insufficient to prove that it is the purchase requester only with OTP alone. This is because anyone who can access the OTP can obtain and use the information. Therefore, for safer authentication, it is necessary to use information that is difficult to steal and easy to steal for the payment process.

Furthermore, as in the case of inputting credit card information every time a payment is made, there is a problem that the payment information is frequently exposed because the user must input the credit card information (even if encryption is performed) every time the user uses the OTP. Retention of such information on the seller's side or relaying the information as it is is also accompanied by the risk of information disclosure.

Korean Patent Laid-Open Publication No. 10-2012-0075588, 2012.07.09 Released

SUMMARY OF THE INVENTION The present invention has been made in view of the above problems, and it is an object of the present invention to provide a method and system for providing OTP information to a user terminal, (OTP) technology, it is still a problem that there is a possibility of illegal settlement through MITM (Man-in-the-Middle) attack or MITB (Man-in-the-Browser) attack. I want to overcome.

According to an aspect of the present invention, there is provided a method for processing an online settlement by a terminal having at least one processor according to an embodiment of the present invention includes: Receiving a purchase authentication request, and inducing a user's voice input by displaying text included in the authentication request to the user; Receiving a voice for the text from a user through the voice input means and extracting first voiceprint information from the voice input; Generating a first OTP (one time password) through synchronization with the payment server by the terminal, generating first payment authentication information by encrypting and combining the first statement information, the first OTP, and the purchase information; And a step in which the terminal transmits the first payment authentication information to the payment server through the article purchasing server to request payment, wherein the first payment authentication information includes a first payment authentication information included in the first payment authentication information And authenticates the user using second voucher information for the user stored in advance in the payment server without separating the first voucher information.

In a method of processing an online settlement according to an exemplary embodiment, a settlement request transmitted from the terminal may include reading second glossary information about the user stored in advance in the payment server, Generates second payment authentication information by encrypting and combining the second OTP generated through the synchronization with the terminal and the purchase information transmitted from the article purchase server, and then compares the second payment authentication information with the first payment authentication information received from the terminal It is determined that the payment authentication is successful only when the two are matched. In addition, the first grammar information may be included in the first payment authentication information, which is matched with the second grammar information for the user stored in advance in the payment server, so that the payment authentication process using the comparison with the second payment authentication information Lt; RTI ID = 0.0 > user. ≪ / RTI >

In a method of processing an online settlement according to an embodiment, the first payment authentication information may be generated by combining the first statement information, the first OTP, and the purchase information through a predetermined operation, Thereby preventing leakage of the user's written information. Further, the encryption technique may be implemented based on any one of the AES (Advanced Encryption Standard), the hash function, and the tokenization technique according to the ANSI X9 standard.

In a method for processing an online settlement according to an embodiment, the terminal generates the first statement information, the first OTP, and the purchase information on a volatile memory provided in the terminal, And delete the first statement information, the first OTP, and the purchase information from the memory after generating the first payment authentication information.

According to an aspect of the present invention, there is provided a method for processing an online payment by an article purchasing server that includes at least one processor according to an embodiment of the present invention and connects a user terminal to a payment server, Transmitting, to the terminal, a purchase authorization request including a text for inducing voice input of a user in response to an article purchase request input from the terminal; The article purchase server receiving first payment authentication information from the terminal; And adding the purchase information to the first payment authentication information received by the article purchasing server and sending the payment information to the payment server to request payment, wherein the first payment authentication information includes a first payment authentication information, And the first OTP and the purchase information generated by the terminal in synchronization with the payment server by encrypting and combining the first GTP and the purchase information, And authenticates the user using second voucher information for the user stored in advance in the payment server without separation of information.

In a method of processing an online settlement according to an embodiment of the present invention, a settlement request transmitted from the terminal to the settlement server through the article purchase server may include a second statement information And generates second payment authentication information by encrypting and combining the read second written information, the second OTP generated through synchronization with the terminal, and the purchase information added to the payment request, And determines that the payment authentication is successful only when the two are matched with each other. In addition, the first grammar information may be included in the first payment authentication information, which is matched with the second grammar information for the user stored in advance in the payment server, so that the payment authentication process using the comparison with the second payment authentication information Lt; RTI ID = 0.0 > user. ≪ / RTI >

In the method for processing an online payment by an article purchasing server according to an embodiment, the first payment authentication information may combine the first statement information, the first OTP, and the purchase information through a predetermined operation, Thereby making it possible to prevent the outflow of the user's written information.

In the method for processing an online payment by an article purchasing server according to an embodiment, the article purchasing server transmits a payment request generated by adding at least a user identifier and a purchase article identifier to the first payment authentication information to the payment server So that the payment server can induce user authentication required for online settlement.

According to an aspect of the present invention, there is provided a method for processing an online payment by a payment server having at least one processor according to an embodiment of the present invention includes: Receiving a payment request including first payment authentication information and purchase information added thereto from the first payment authentication information; Generating second payment authentication information by encrypting and combining the second gateways information about the user stored in advance in the payment server, the second OTP generated through the synchronization with the terminal, and the purchase information; Comparing the first payment authentication information extracted from the received payment request with the generated second payment authentication information; And determining that the settlement authentication is successful only if the settlement server and the settlement server match the two according to the comparison result, wherein the first settlement authentication information includes a first The first payment information is generated by encrypting the first OTP and the purchase information generated by the terminal in synchronization with the payment server, And authenticates the user using second gateways information for the user stored in advance.

In a method of processing an online payment by a payment server according to an embodiment, the first payment authentication information may include a first payment authentication information, a second payment authentication information, and a second payment authentication information, And generates the first grammar information, the first OTP generated through the synchronization with the payment server by the terminal, and the purchase information by encrypting and combining the first OTP and the purchase information.

In a method of processing an online payment by a payment server according to an embodiment, the second voucher information matches with the first voucher information extracted from a voice input from the user, The user can be authenticated through the payment authentication process using the comparison with the second payment authentication information by being included in the authentication information.

The second payment authentication information is generated in the same manner as the first payment authentication information, and the second payment information, the second OTP, and the second payment information are generated by the payment server according to an embodiment of the present invention, The purchasing information is combined through a predetermined operation and then generated using an encryption technique. Further, the encryption technique may be implemented based on any one of the AES (Advanced Encryption Standard), the hash function, and the tokenization technique according to the ANSI X9 standard.

In a method of processing an online payment by a payment server according to an exemplary embodiment, when the payment server determines that the payment authentication is successful, the payment server processes a payment based on the payment request to a financial institution, And transmitting to the terminal through the purchase server.

The present invention also provides a computer-readable recording medium having recorded thereon a program for causing a computer to execute the methods of processing online payment described above.

Embodiments of the present invention enable a user to securely transmit a payment token to a user without using a complicated additional program at the time of purchasing the product online by utilizing a payment token generated through encryption combining of the gateways information, And the payment authentication for the purchase of the goods can be performed.

1 is a block diagram illustrating a structure of an online secure settlement system according to an embodiment of the present invention.
FIG. 2 is a conceptual diagram for explaining a process of performing user authentication by using together gatekeeper information and OTP adopted in embodiments of the present invention. FIG.
FIG. 3 is a flowchart illustrating an online settlement processing process using an OTP together with the gatekeeper information adopted by the embodiments of the present invention.
4 and 5 are flowcharts illustrating a method and an apparatus for processing an online settlement by a terminal according to an embodiment of the present invention, respectively.
6 and 7 are flowcharts illustrating a method and apparatus for an online purchase processing by an article purchase server according to an embodiment of the present invention, respectively.
8 and 9 are flowcharts showing a method and an apparatus for processing an online settlement by a settlement server according to an embodiment of the present invention, respectively.

Before describing the embodiments of the present invention, a brief description will be given of a payment system using OTP and its problems, and then, in order to solve the above-mentioned problems, the technical means employed by the embodiments of the present invention are sequentially presented do.

As described above, the payment system using the OTP reduces the leakage of confidential information for payment by generating and using a new password through a dedicated device for issuing an OTP or an application of a smart phone at each payment. By using the OTP, there is no need to input the payment information every time, and a different value (newly created OTP information) is input at the time of payment, which is a more secure method. However, in the conventional payment method, OTP is mostly used for settlement. In this case, if a slight restriction is imposed, a man-in-the-middle (MITM) attack or a man-in-the- There is a risk of illegal settlement.

As an example of the payment method using the conventional OTP, a payment system using a typical OTP that simultaneously provides authentication and settlement approval through ID, password, and OTP information at the time of on-line micropayment is widely used. This method has the advantage that the settlement phase is reduced and the card information is not exposed at the time of transaction. However, there is still insufficient evidence that users who view and enter OTP information on mobile phones are truly mobile phone owners and credit card holders. In addition, since OTP is used for authentication and payment, it is vulnerable to OTP attacks using MITM. In addition, there are settlement methods that can obtain convenience by directly using OTP for payment, but it is vulnerable to various OTP attacks by using OTP information for authentication and settlement as it is.

On the other hand, there is a method of using biometric information as a method for stronger authentication. Biometric information authentication is performed based on the fact that biological characteristics such as fingerprint, iris, voice, and vein are different from person to person. Among them, voiceprint information can be obtained relatively easily through a widely used smartphone microphone, and thus it can be seen that it is highly applicable to a payment system. According to a study on gating information, it is reported that individuals can be identified with an accuracy of 99% or more, and that individual identification results can be trusted even in a noisy environment. Using this information, it is possible to develop a payment system that provides stronger personal authentication.

Accordingly, it is an object of the present invention to provide a method and system for transmitting a buyer ' s GATE information and OTP information generated by a purchaser ' s mobile terminal to an authentication server at the time of payment for purchasing goods and services on the Internet (Credit card information, buyer information, and the like) for the article to be paid, as well as the payment information of the article to be paid, by using the changed value of the payment information, Thereby reducing the frequency of information disclosure and improving the reliability of settlement. This means that there are three factors that can be used for authentication: security that the user knows (eg password), what the user has (eg smart card) and the user himself (eg fingerprint) (Mobile) payment system that can be used in a mobile terminal.

Therefore, in the embodiments of the present invention described below, in order to avoid the threat described above, the buyer's gating information is added to the OTP information and the one-time payment token is generated and used through the encryption technique when the information is used for payment, We propose an online settlement system that can perform more authenticated buyer authentication and minimizes the problem of payment information leakage.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. The same reference numerals used in the drawings should be construed to mean the same configurations, and these drawings are merely illustrative and do not limit the configuration of the invention.

1 is a block diagram illustrating a structure of an online secure settlement system according to an embodiment of the present invention.

The proposed system extracts the vocabulary information from the vocabulary extracted from the product payer and uses it to authenticate the payer. In addition, it is designed not to directly transmit settlement information such as credit card information and password at the time of settlement, thereby minimizing the point where personal information is exposed to the outside.

To this end, the system shown in FIG. 1 satisfies the following requirements.

(1) Strengthen authentication of payer (cardholder)

- Uses user biometric information to perform trusted identity verification.

- Use biometric information that is relatively easy to acquire by using widely used devices such as smart phones.

(2) Minimization of personal information leakage point

- Payment information (card number, expiration date, CVC, card password, etc.) is not stored in the buyer's terminal or the seller's server.

- The processing of payment information is handled only by the payment server (the entity related to the actual settlement such as settlement agent) and the credit card company server.

In accordance with the above requirements, the gateways-to-OTP combined token payment system includes a purchaser's terminal 10, an article purchasing server 20 operated by the seller, a payment server 30 for making payment, and optionally a financial institution / And a credit card company server (40). Figure 1 shows the overall components of the proposed system.

The purchaser requests purchase of an item (or service) to be purchased through the PC or the portable terminal 10 and provides voice for extracting the voucher information. The terminal 10 receives the voice of the purchaser, extracts the voiceprint information, generates OTP, and combines it with the voiceprint information to generate the payment information by encrypting it. At this time, the device (terminal) utilized by the purchaser may physically be one or two or more. That is, the purchaser can perform both online settlement and voice input through one device, but can also process through two physically separated devices. For example, in the former case, it may be implemented as a PC or a mobile phone equipped with a microphone so that voice input is possible. In the latter case, an online PC is used for the online payment, A method of processing voice information in the mobile phone after generating the authentication information required for payment after the mobile phone is performed and inputting the authentication information to the online payment page of the PC may be utilized.

On the other hand, the goods purchasing server 20 plays a role of receiving information from the purchaser and proceeding with settlement, and the payment server 30 and the financial institution / credit card company server 40 process the charging request and the result.

FIG. 2 is a conceptual diagram for explaining a process of performing user authentication by using together the voiceprint information and the OTP adopted by the embodiments of the present invention, and shows a subject and an operation performed by the terminal 10 and the server 30 . Here, the server 30 collectively refers to a remote processing device other than the user terminal 10, and may form a series of payment processing server groups, but physically, one May be implemented as hardware. Therefore, it may be understood as a concept corresponding to the payment server 30 described above with reference to FIG.

The embodiments of the present invention utilize voice, which is unique biometric information of the user, in user authentication, and transmit the encrypted biometric information from the user terminal 10 to the server 30, To verify whether the user requesting authentication is a real user.

To this end, the terminal 10 receives the user voice (S201) and extracts the first sentence information (S202). In addition, the terminal 10 generates a first OTP through synchronization with the server (S203) (S204). Then, the terminal 10 generates the first payment authentication information by encrypting the first statement information, the first OTP, and the purchase information (S205). At this time, the purchase information may be included in the online payment page received from the purchase server, and it may be a key value for identifying a specific details of the payment to be currently authenticated. That is, in the first payment authentication information, the OTP information and the purchase information together with the user's voiceprint information are included while maintaining the respective information characteristics, and at the same time, the respective pieces of information are prevented from being leaked. Therefore, the encrypted first payment authentication information can protect the authenticity of the user's voucher information even if another malicious user intercepts it, and can perform not only the function of the OTP having the authentication time limit but also the malicious The attacker has the advantage that the attacker can not change / modify the purchase details with the desired goods.

The generated first payment authentication information is included in the authentication request and is transmitted from the terminal 10 to the server 30 (more precisely, the payment server) 30 via a separate article purchase server (not shown) S206).

On the other hand, if the server 30 receives and stores the second statement information in advance for the same user and receives the authentication request from the terminal 10, the server 30 reads the second statement information of the corresponding user from the server's own database (S207). In addition, the server 30 generates a second OTP by synchronizing with the terminal (S208) (S209). In addition, the server 30 extracts the first payment authentication information and the purchase information added thereto from the payment request (S206) transmitted from the terminal 10 via a separate article purchasing server (not shown).

Then, the server 30 encrypts the second statement information, the second OTP, and the extracted purchase information to generate second payment authentication information (S210). Now, the server 30 performs authentication by comparing the first payment authentication information transmitted from the terminal 10 with the second payment authentication information generated by the server itself. If both are the same, it means that both the user authentication using the gate information and the authentication using OTP are successful. On the other hand, if they do not match, it means that there is a problem in at least one of the three element information (gating information, OTP, and purchase information) constituting the payment authentication information.

Therefore, the authentication structure of the present invention proposed in FIG. 2 has the effect of preventing leakage of individual authentication information while having the attribute unique to each authentication information, not the replacement of the written information and the OTP. Also, the purchasing information complements the uniqueness of the settlement, thereby preventing illegal use of the settlement authentication information.

FIG. 3 is a flowchart showing an online settlement processing process, which is adopted by embodiments of the present invention, in which online transaction processing using an OTP together with gatekeeper information is performed separately for each performer and includes a user terminal 10, an article purchase server 20 ), A payment server 30 and a credit card company server 40 are illustrated.

As described above with reference to FIG. 2, the purchaser using the payment system according to the embodiment of the present invention registers the personal information including his / her written information and payment information in the payment server 30 through a suitable process in advance, Assume that you are ready to receive. It is also assumed that the portable terminal 10 is provided with a program capable of generating information necessary for receiving the service and does not store the payment information in the devices excluding the payment server 30 and the credit card company server 40. [ Lastly, it is assumed that the payment server 30 and the credit card company server 40 are connected to a closed network managed by a financial institution, thereby enabling secure communication.

Also, the user terminal 10 may be physically implemented as one or two devices. As illustrated above, both online purchase processing and voice processing may be performed within a single device, or online purchase processing and voice processing may be handled by two separate devices.

The entire process as the purchaser proceeds through the purchase is shown in FIG.

First, in step S301, the payment server 30 stores the gender information for each user.

In step S302, the purchaser selects a commodity using the terminal 10 such as a PC, a smart phone, or a tablet, and transmits a commodity purchase request to the commodity purchasing server 20 by pressing a payment button. The purchase request includes purchase information and customer information for the purchased product.

In step S303, the article purchasing server 20 transmits a purchase request response for moving the purchaser to the payment progress page to request purchase authentication. At this time, the received purchase certification may include article information, and the article information serves to help the article purchasing server to identify what is the target article in the online settlement process.

In step S304, the purchaser automatically moves to the page for payment authentication through the user terminal 10 and provides the first payment authentication information. The first payment authentication information is generated from the mobile terminal 10 of the purchaser through the following process.

If the specific text included in the purchase authentication request received by the goods purchasing server 20 is extracted and displayed to the purchaser in step S304, the purchaser provides the voice by reading the text, and the terminal 10 And extracts first sentence information from the input voice.

In step S305, the mobile terminal 10 generates a first OTP in the same manner as the payment server 30 that is synchronized.

In step S306, the portable terminal 10 combines the first voucher information, the first OTP, and the purchase information, and generates the first payment authentication information by changing the information so that the information is not exposed using the encryption technology.

In step S307, the purchaser transmits the first payment authentication information to the goods purchasing server 20 through the terminal 10. Such a payment authentication request may include a customer ID, a purchase ID, and first payment authentication information. On the other hand, in terms of implementation, it has been outlined that the terminal 10 can be implemented as one or two devices.

As a first example, if the terminal 10 is implemented as a single device, the generated first payment authentication information may be implemented in a simple manner as it is transmitted to the article purchase server 20 as it is.

As a second example, if the terminal 10 is implemented with two devices, step S302 is implemented in a normal PC that can not process speech, and in step S303, a response to the purchase request is received by the PC The purchase authentication request is received in the cellular phone capable of voice processing in step S303, and the remaining steps S304 to S306 may be implemented in the cellular phone capable of voice processing. That is, if the purchase authentication request is received by the mobile phone through step S303, the user inputs voice through the mobile phone to process the steps after step S304, extracts the first voucher information, generates the first OPT, The first billing information, the first OTP, and the purchase information are encrypted and combined to generate first payment authentication information in a text form. Now, the user can enter the first payment authentication information generated through the mobile phone into the user PC waiting for purchase of goods, and proceed with the payment authentication request (S307).

In step S308, the article purchasing server 20 adds the purchase information stored in the article purchasing server 20 itself (including information on purchase requested by the user, such as a purchase amount) to the first payment authentication information And transmits a payment authentication request to the payment server 30. Therefore, it is impossible to separate the purchase information from the first payment authentication information included in the payment authentication request (S307) received from the terminal 10, while it is impossible to separate the purchase information from the goods payment server 30 The purchase information added in the request (S308) is separable. It goes without saying that they both include the same information for authentication processing (S310) in the payment server 30 thereafter.

In step S309, the payment server 30 extracts the second voucher information of the buyer from the prebuilt database, and synchronizes with the buyer's portable terminal 10 to create the second OTP and the article purchase server 20, And then generates second payment authentication information using the encryption method.

In step S310, the payment server 30 compares the second payment authentication information generated by the server itself with the first payment authentication information received via the article purchasing server 20 from the terminal 10, And performs verification.

If the authentication result of the first payment authentication information is successful, the payment server 30 transmits the payment request including the actual payment information (the name of the payer, the card number, etc.) corresponding to the first payment authentication information to the credit card company To the server (40).

In step S312, the credit card company server 40 performs billing using the payment information included in the payment request received from the payment server 30, and responds to the payment server 30 with the payment result including the result.

In step S313, the payment server 30 receiving the settlement result generates a settlement result response to which the corresponding buyer information is added, and transmits the settlement result response to the goods purchasing server 20.

Finally, in step S314, the article purchasing server 20 extracts the buyer information from the settlement result response and combines the purchase information (article ID, purchase quantity, price, etc.) To inform them that the purchase procedure has been completed.

In the above, the billing system proposed in FIG. 3 does not directly use the settlement information in the settlement process, but reduces the risk of exposing the settlement information by minimizing the portion of storing and maintaining the settlement information. First, by checking the contents of the messages exchanged in the payment system, it can be confirmed that the payment information is not exposed during the communication. The types of messages that occur during the settlement process and the minimum contents to include are as follows.

Messages marked with an asterisk (*) in the message items above are configured as follows.

As can be seen from the contents of each message, since the payment information is transmitted in the form of a one-time token in the communication between the purchaser and the purchase server, even if the message is exposed, damage to subsequent fraudulent use of the payment information can be prevented. Since the communication between the payment server and the credit card company server is composed of a closed network, the messages generated in this section are secure.

In addition, since it is stipulated that the card number, the expiration date, and the like, which are actual payment information used for settlement, are not stored in devices not related to actual settlement such as the purchaser system, the portable terminal, and the goods purchase server, . This minimizes the exposure point of the payment information and allows the management point of such information to be concentrated on relatively secure financial related servers.

Hereinafter, operations performed on physically separated hardware to be an object of an individual transaction will be sequentially described with reference to FIG. 3, which is an embodiment of the present invention.

4 and 5 are flowcharts illustrating a method and an apparatus for processing an online settlement by a terminal according to an embodiment of the present invention, respectively. The terminal is preferably provided with a voice input means and at least one processor. However, if the terminal is implemented by two physically separated devices, voice input means is provided only to the device which is responsible for voice processing .

First, the operation of the terminal will be described with reference to FIG.

In step S410, the terminal receives the purchase authentication request from the article purchasing server connecting the terminal and the payment server, and displays the text included in the authentication request to the user, thereby guiding the user's voice input.

In step S420, the terminal receives a voice for the text from a user and extracts first voiceprint information from the voice input.

In step S430, the terminal generates a first OTP (one time password) through synchronization with the payment server, generates first payment authentication information by encrypting and combining the first message information, the first OTP, and the purchase information do. Here, the first payment authentication information is used to authenticate the user using second voucher information for the user stored in the payment server without separation of the first voucher information included in the first payment authentication information.

In step S440, the terminal transmits the generated first payment authentication information to the payment server through the article purchasing server to request payment. In more detail, the payment request transmitted from the terminal may include: reading second voucher information about the user stored in advance in the payment server; and transmitting the second voucher information, the second voucher information, OTP and purchase authentication information received from the goods purchasing server to generate second payment authentication information by encrypting and combining purchase information obtained in the first payment authentication information, It is determined that the payment authentication is successful only when the two are matched. Therefore, the first statement information matches the second statement information about the user stored in advance in the payment server, and is included in the first payment authentication information, so that the payment authentication process using the comparison with the second payment authentication information To authenticate the user.

In particular, the first payment authentication information may be obtained by combining the first statement information, the first OTP, and the purchase information through a specific operation (for example, addition, subtraction or connection operation) So that the outflow of the user's written information can be prevented. As an example, the encryption technique may be implemented based on any of the tokenization techniques according to the Advanced Encryption Standard (AES), the hash function and the ANSI X9 standard.

Also, the terminal generates the first statement information, the first OTP, and the purchase information on a volatile memory provided in the terminal to improve settlement / authentication security, encrypts each of the information, It is preferable to delete the first statement information, the first OTP, and the purchase information from the memory after generating one payment authentication information.

5, the terminal 10 may include a voice input unit 11, a processing unit 12, a communication unit 13, and a display unit 14. The voice input unit 11 is means for processing voice input by a user who recognizes a specific text displayed on the display unit 14. [ The communication unit 13 may be implemented as a network interface card or any equivalent technical means responsible for all communications with the goods purchasing server or the payment server via the network. The processing unit 12 processes data obtained through input / output with these devices and controls and executes the series of operations shown in FIG. Accordingly, the processing unit 12 can be implemented as a data processor capable of processing such a series of operations, and a memory for storing and processing temporary data can be added as needed.

6 and 7 are flowcharts illustrating a method and apparatus for an online purchase processing by an article purchase server according to an embodiment of the present invention, respectively. The article purchase server may include at least one processor for performing a series of operations by its nature, and may naturally include a communication means for exchanging data.

First, the operation of the article purchase server will be described with reference to FIG.

In step S610, the article purchasing server transmits to the terminal a purchase authorization request including a text for inducing voice input of the user in response to the article purchase request input from the terminal.

In step S620, the article purchasing server receives the first payment authentication information from the terminal. Here, the first payment authentication information is generated by encrypting the first sentence information extracted from the voice of the user input through the terminal, the first OTP and the purchase information generated by the terminal in synchronization with the payment server And authenticates the user using the second voucher information for the user stored in advance in the payment server without separating the first voucher information included in the first payment authentication information. The first settlement authentication information may be generated by combining the first statement information, the first OTP, and the purchase information through a specific operation and then using an encryption technique to prevent leakage of the user's statement information.

In step S630, the article purchasing server adds purchase information to the received first payment authentication information, transmits the purchase information to the payment server, and requests payment. More specifically, a payment request transmitted from the terminal to the payment server via the article purchasing server may include reading out the second statement information about the user stored in advance in the payment server, A second OTP generated through synchronization with the terminal and purchase information added to the payment request received by the payment server to generate second payment authentication information, It is determined that the payment authentication is successful only when the two are matched. Accordingly, the first grammar information is identical to the second grammar information for the user stored in advance in the payment server, and is included in the first payment authentication information, so that the payment authentication process using the comparison with the second payment authentication information To authenticate the user.

In addition, the article purchasing server transmits the payment request generated by adding at least the user identifier and the purchase article identifier to the first payment authentication information to the payment server, thereby causing the payment server to induce user authentication required for online payment .

7, the article purchasing server 20 may be implemented by including a processing unit 21, a communication unit 22, and an article purchase database 23. As shown in FIG. The communication unit 22 may be implemented as a network interface card or a technical means equivalent to all communications with a terminal or a payment server via a network. The article purchase database 23 stores information (article information) about the user's purchase of the article based on the user identifier and the purchased article identifier. That is, the article purchasing server 20 inquires the article purchase database 23 to identify the user, reads the information about the article that the user currently wants to purchase, and obtains the first payment authentication information in the authentication request transmitted from the user terminal (Goods information) about the purchase of the goods to the payment server. In addition, the processing unit 21 processes data obtained through input / output with these devices, and controls and executes the series of operations shown in FIG. Thus, the processing unit 21 can be implemented as a data processor capable of processing such a series of operations, and if necessary, a memory for storing and processing temporary data can be added.

8 and 9 are flowcharts showing a method and an apparatus for processing an online settlement by a settlement server according to an embodiment of the present invention, respectively. The payment server has at least one processor for performing a series of operations by its nature and may naturally include communication means for exchanging data.

First, the operation of the payment server will be described with reference to FIG.

In step S810, the payment server receives the payment request including the first payment authentication information and the purchase information added thereto from the article purchasing server that connects the user terminal and the payment server. Here, the first payment authentication information is generated by encrypting the first sentence information extracted from the voice of the user input through the terminal, the first OTP and the purchase information generated by the terminal in synchronization with the payment server And authenticates the user using the second voucher information for the user stored in advance in the payment server without separating the first voucher information included in the first payment authentication information.

In particular, the first payment authentication information extracts first voucher information from a voice input from a user with respect to text included in a purchase authentication request transmitted from the article purchasing server to the terminal, Generating a first OTP through synchronization, and encrypting and combining the first statement information, the first OTP, and the purchase information.

In step S820, the payment server stores the second statement information about the user stored in advance in the payment server, the second OTP generated through synchronization with the terminal, and purchase information added in the payment request received from the article purchase server To generate second payment authentication information.

In step S830, the payment server compares the first payment authentication information extracted from the received payment request with the generated second payment authentication information. Herein, the second grammar information is identical to the first grammar information extracted from the voice input from the user, and the first grammar information is included in the first payment verification information, so that comparison with the second payment verification information It is preferable that the user is authenticated through a payment authentication process using the service.

Therefore, the second payment authentication information is generated in the same manner as the first payment authentication information, and after combining the second voucher information, the second OTP, and the purchase information through a specific operation, Can be generated. In particular, the encryption technique may be implemented based on any of the AES, the hash function and the tokenization technique according to the ANSI X9 standard.

In step S840, the payment server determines that payment authentication is successful only when the two match according to the comparison result. If it is determined that the settlement authentication is successful, the payment server processes the settlement according to the settlement request to the financial institution, and then transmits the settlement request result to the terminal through the article purchase server.

9, the payment server 30 may include a processing unit 31, a communication unit 32, and a grammar information database 33. The communication unit 32 may be implemented as a network interface card or any other equivalent technical means that is responsible for all communications with the terminal or the article purchasing server via the network. The grammar information database 33 receives grammar information for each user and stores the grammar information in advance. That is, the payment server 30 utilizes the voucher information as means for verifying the voice of the user inputted through the terminal in response to the authentication request transmitted from the user terminal through the article purchasing server, It is necessary to store the user's written information. In addition, the processing unit 31 processes the data obtained through input / output with these devices and controls and executes the series of operations shown in FIG. 8 previously. Thus, the processing unit 31 can be implemented as a data processor capable of processing such a series of operations, and if necessary, a memory for storing and processing temporary data can be added.

The embodiments of the present invention described above can securely transmit a payment token generated through encrypted combination of gateways information, OTP, and purchase information, which are user's own biometric information, It is possible to perform the payment authentication for the purchase of the goods together with the authentication for the user himself / herself. In other words, the embodiments of the present invention enable the user to easily perform settlement using his / her voice simply without having to input payment-sensitive information at each time of payment after first joining the service proposed by the embodiments of the present invention have. In particular, in the embodiments of the present invention, the risk of leakage of sensitive payment information such as a card number, a CVC, and a card password is reduced by reducing the frequency with which an original message is exposed through an original message modulation technique such as encryption of information exchanged for settlement .

That is, since the settlement authentication information can not separate the gating information, the OTP, and the purchase information constituting the settlement authentication information from the point in time at which the payment authentication information is generated, the attacker needs to additionally obtain the gatekeeper information and the OTP Lt; / RTI > The situation in which the elements of the gate information, the OTP, and the purchase information are all acquired at once is a considerable burden on the attacker, and the attacker needs a greater effort to succeed in the attack. . Most of all, the proposed system does not use the unencrypted OTP directly, so it is not exposed to the outside. As a result, the attacker has to physically obtain the buyer's terminal to obtain the OTP. In summary, in the system proposed by the embodiments of the present invention, in order for an attacker to make a fraudulent settlement, the buyer's voice, OTP generating terminal, and purchase information must be obtained.

In addition, in embodiments of the present invention, in the process of extracting the grammar information from the voice information, the portable terminal does not store the voiceprint information in the portable terminal but also stores the encrypted payment authentication information without storing the OTP information generated in the portable terminal The range of sensitive personal information that the portable terminal should protect is reduced. Similarly, the article purchasing server receives from the buyer the payment information and the payment authentication information generated by the OTP without the need to directly store the information such as the purchaser's credit card number, card password, etc., and transmits it to the payment server. It can be freed from the obligation of information security.

In this paper, we propose a system that provides stronger identity authentication and secure payment by using payment tokens that combine gateways, OTPs, and purchase information for online credit card payments. Since the proposed system uses voice, it can be implemented by using a microphone device of a smart phone, which is currently used by a majority of users, without the need for additional equipment. In the payment process, payment information including card information is modified, The privacy of information is minimized.

Meanwhile, the embodiments of the present invention can be embodied as computer readable codes on a computer readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored.

Examples of the computer-readable recording medium include a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device and the like, and also a carrier wave (for example, transmission via the Internet) . In addition, the computer-readable recording medium may be distributed over network-connected computer systems so that computer readable codes can be stored and executed in a distributed manner. In addition, functional programs, codes, and code segments for implementing the present invention can be easily deduced by programmers skilled in the art to which the present invention belongs.

The present invention has been described above with reference to various embodiments. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the disclosed embodiments should be considered in an illustrative rather than a restrictive sense. The scope of the present invention is defined by the appended claims rather than by the foregoing description, and all differences within the scope of equivalents thereof should be construed as being included in the present invention.

10: Terminal
11: voice input unit 12:
13: communication unit 14: display unit
20: goods purchase server
21: processing section 22: communication section
23: goods purchase database
30: Payment server
31: processing section 32: communication section
33: Gate information database
40: Financial institution / credit card company server

Claims (18)

A method for processing an online settlement by a terminal having at least one processor,
Receiving a purchase authentication request from an article purchase server connecting the terminal and the payment server, and displaying a text included in the authentication request to the user, thereby inducing voice input of the user;
Receiving a voice for the text from a user through the voice input means and extracting first voiceprint information from the voice input;
Generating a first OTP (one time password) through synchronization with the payment server by the terminal, generating first payment authentication information by encrypting and combining the first statement information, the first OTP, and the purchase information; And
And transmitting the generated first payment authentication information to the payment server through the article purchasing server to request payment,
Wherein the first payment authentication information includes:
The first OTP and the purchase information are combined through a predetermined operation and then generated using an encryption technique to prevent tampering or fraudulent use of the outflow and purchasing history of the user's gating information,
The payment server transmits the same encryption combination method as the first payment authentication information using the second statement information for the user stored in advance in the payment server without separating the first statement information included in the first payment information And authenticates the user by comparing the second payment authentication information generated through the second payment authentication information with the first payment authentication information. The method according to claim 1,
The payment request transmitted from the terminal,
A second OTP generated through synchronization with the terminal, and purchasing information transmitted from the article purchasing server are encrypted by encrypting the second recorded message information stored in the payment server, And generates second payment authentication information, and compares the first payment authentication information with the first payment authentication information received from the terminal, and determines that the payment authentication is successful only when the two are identical. 3. The method of claim 2,
The first grammar information may include:
And a second gateways information for the user stored in advance in the payment server,
Wherein the user is authenticated through a payment authentication process using a comparison with the second payment authentication information by being included in the first payment authentication information. delete The method according to claim 1,
Wherein the encryption technique is one of an AES (Advanced Encryption Standard), a hash function, and a tokenization technique according to the ANSI X9 standard. The method according to claim 1,
The terminal comprises:
Generating the first payment information by generating the first payment information, the first payment information, the first OTP, and the purchase information on a volatile memory provided in the terminal, encrypting the first payment information, The first OTP and the purchase information are deleted from the memory. A method of processing an online payment by an article purchasing server having at least one processor and connecting a user terminal to a payment server,
Transmitting, to the terminal, a purchase authorization request including text for inducing voice input of a user in response to an article purchase request input from the terminal;
The article purchase server receiving first payment authentication information from the terminal; And
Adding the purchase information to the first payment authentication information received by the article purchasing server, and transmitting the payment information to the payment server to request payment;
Wherein the first payment authentication information includes:
The first message information extracted from the voice of the user input through the terminal, the first OTP and the purchase information generated by the terminal in synchronization with the payment server through a predetermined operation, and then generated using an encryption technique , Preventing tampering or fraudulent use of the outflow and purchasing history of the user's voucher information,
The payment server transmits the same encryption combination method as the first payment authentication information using the second statement information for the user stored in advance in the payment server without separating the first statement information included in the first payment information And authenticates the user by comparing the second payment authentication information generated through the second payment authentication information with the first payment authentication information. 8. The method of claim 7,
Wherein the payment request transmitted from the terminal to the payment server through the article purchasing server comprises:
Reading out the second grammar information for the user stored in advance in the payment server, encrypting the read second grammar information, the second OTP generated through synchronization with the terminal, and the purchase information added in the payment request, And generates second payment authentication information, and compares the first payment authentication information with the first payment authentication information received from the terminal, and determines that the payment authentication is successful only when the two are identical. 9. The method of claim 8,
The first grammar information may include:
And a second gateways information for the user stored in advance in the payment server,
Wherein the user is authenticated through a payment authentication process using a comparison with the second payment authentication information by being included in the first payment authentication information. delete 8. The method of claim 7,
The article purchase server comprises:
Wherein the settlement server transmits the settlement request generated by adding at least the user identifier and the purchased article identifier to the first settlement authentication information, thereby inducing the settlement server to authenticate the user required for the online settlement, Lt; / RTI > A method of processing an online settlement by a payment server having at least one processor,
Receiving a payment request including a first payment authentication information and purchase information added thereto from an article purchasing server connecting the user terminal and the payment server;
Generating second payment authentication information by encrypting and combining the second gateways information about the user stored in advance in the payment server, the second OTP generated through the synchronization with the terminal, and the purchase information;
Comparing the first payment authentication information extracted from the received payment request with the generated second payment authentication information; And
And determining that the settlement authentication is successful only when the payment server matches the two based on the comparison result,
Wherein the first payment authentication information includes:
The terminal generates encrypted first OTP and purchase information through synchronization with the payment server by encrypting and combining the user's voiceprint information extracted from the voice of the user input through the terminal, And prevent tampering or fraudulent use of the purchase history,
The payment server transmits the same encryption combination method as the first payment authentication information using the second statement information for the user stored in advance in the payment server without separating the first statement information included in the first payment information And authenticates the user by comparing the second payment authentication information generated through the second payment authentication information with the first payment authentication information. 13. The method of claim 12,
Wherein the first payment authentication information includes:
The method of claim 1, further comprising: extracting first voucher information from a voice input from a user with respect to text included in a purchase authorization request transmitted from the article purchasing server to the terminal; generating the first voucher information by synchronizing with the payment server And the first OTP and the purchase information are encrypted and combined. 13. The method of claim 12,
Wherein the second grammar information matches the first grammar information extracted from the voice input from the user,
Wherein the first authentication information is included in the first payment authentication information to authenticate the user through a payment authentication process using comparison with the second payment authentication information. 13. The method of claim 12,
Wherein the second payment authentication information includes:
The second OTP, and the purchase information are combined through a predetermined operation, and then generated using an encryption technique. 16. The method of claim 15,
Wherein the encryption technique is one of an AES (Advanced Encryption Standard), a hash function, and a tokenization technique according to the ANSI X9 standard. 13. The method of claim 12,
If it is determined that the payment authentication has succeeded,
And transmitting the payment request result to the terminal through the article purchasing server after the payment server processes payment according to the payment request to the financial institution. A computer-readable recording medium storing a program for causing a computer to execute the method of any one of claims 1 to 3, 5 to 9, and 11 to 17.

Images