TWI789972B - Transaction verification system and method capable of suspending connection - Google Patents
- Publication number
- TWI789972B
- Authority
- TW
- Taiwan
- Prior art keywords
- verification
- transaction
- bank server
- message
- mobile device
Landscapes
- Mobile Radio Communication Systems (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
- Telephonic Communication Services (AREA)
- Computer And Data Communications (AREA)
Description
The present invention relates to a transaction verification system and method capable of suspending connection, and in particular to such a system and method in which a mobile device and a bank server can verify each other's legitimacy.
To give users a convenient and secure online transaction mechanism, many banks currently send a verification password by SMS. The user needs no additional hardware: using only the mobile phone number registered with the bank, the user receives the verification password promptly when requesting a transaction or identity verification, and uses it to complete that transaction or verification.
However, a verification password sent by SMS only lets the bank server judge the legitimacy of the mobile device; the mobile device cannot judge the legitimacy of the bank server. Moreover, if a man-in-the-middle (MITM) attack is launched while a message travels between the mobile device and the bank server, neither the mobile device nor the bank server can detect it in time, which increases the risk that a user who receives the message mistakenly enters the verification message into a phishing website.
In view of the above, the present invention provides a transaction verification system and method capable of suspending connection that meets the above needs.
A transaction verification system capable of suspending connection according to an embodiment of the present invention includes: a bank server, configured to randomly generate and output a coded message upon receiving a transaction request; and a mobile device connected to the bank server. The mobile device has a user interface for receiving a transaction instruction and, upon receiving the transaction instruction, outputs the transaction request to the bank server. The mobile device receives the coded message and generates a verification message from it, and further enters the verification message into a verification field of the user interface, so that the verification message is output to the bank server through the user interface. After receiving the verification message, the bank server executes a verification procedure based on it, and executes the transaction request when the verification message passes the verification procedure. The coded message contains a keyword associated with the transaction request and a verification code, and the keyword contains a transfer-out account, a transaction amount and a transaction type. The mobile device further determines whether the keyword is part of the transaction request. When it determines that the keyword is part of the transaction request, it decodes the verification code into a verification string and uses the verification string as the verification message; when it determines that the keyword is not part of the transaction request, it interrupts the connection between the user interface and the bank server.
A transaction verification method capable of suspending connection according to an embodiment of the present invention includes: receiving a transaction instruction through a user interface of a mobile device; outputting, by the mobile device, a transaction request to a bank server upon receiving the transaction instruction; randomly generating, by the bank server, a coded message upon receiving the transaction request and outputting it to the mobile device; generating, by the mobile device, a verification message from the coded message; entering, by the mobile device, the verification message into a verification field of the user interface, so that the verification message is output to the bank server through the user interface; executing, by the bank server, a verification procedure based on the verification message; and executing, by the bank server, the transaction request when the verification message passes the verification procedure. The coded message contains a keyword associated with the transaction request and a verification code, and the keyword contains a transfer-out account, a transaction amount and a transaction type. Generating the verification message from the coded message by the mobile device comprises: determining, by the mobile device, whether the keyword is part of the transaction request; when the mobile device determines that the keyword is part of the transaction request, decoding the verification code into a verification string and using the verification string as the verification message; and when the mobile device determines that the keyword is not part of the transaction request, interrupting, by the mobile device, the connection between the user interface and the bank server.
In summary, the transaction verification system and method capable of suspending connection according to one or more embodiments of the present invention let the mobile device and the bank server judge each other's legitimacy, so as to avoid information-security holes. In addition, the system and method let the mobile device and the bank server discover in time whether a message was intercepted or subjected to a man-in-the-middle attack during transmission and respond accordingly, and they also avoid the risk that a user who receives a message mistakenly enters the verification message into a phishing website.
The above description of this disclosure and the following description of the embodiments are intended to demonstrate and explain the spirit and principle of the present invention, and to provide further explanation of the scope of the patent claims.
The detailed features and advantages of the present invention are described in the embodiments below in enough detail for anyone skilled in the relevant art to understand the technical content of the invention and implement it accordingly. From the content disclosed in this specification, the claims and the drawings, anyone skilled in the relevant art can readily understand the related objects and advantages of the invention. The following embodiments further illustrate aspects of the invention in detail, but do not limit its scope in any respect.
Please refer to FIG. 1, which is a block diagram of a transaction verification system capable of suspending connection according to an embodiment of the present invention. The system preferably includes a mobile device 10 and a bank server 20, and the mobile device 10 is communicatively connected to the bank server 20.
The mobile device 10 is, for example, a mobile phone, a notebook computer or a tablet computer; the bank server 20 is preferably a server inside the bank, or another computing device inside the bank that has computing and signal-transmission capability. In addition, the mobile device 10 preferably presents a user interface, and the user interface is connected to the bank server 20 through the mobile device 10, to transmit data to the bank server 20 or receive data from the bank server 20.
To explain the disclosed system and method in more detail, please refer to FIG. 1 and FIG. 2 together; FIG. 2 is a flowchart of a transaction verification method capable of suspending connection according to an embodiment of the present invention.
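Step S10: Receive a transaction instruction.
The mobile device 10 can present the user interface described above to receive a transaction instruction. For example, the user interface presented by the mobile device 10 may have an instruction input field in which the user enters the transaction instruction. The instruction input field may be a blank field in which the user types the transaction instruction, or it may consist of one or more instruction keys, one of which the user selects as the transaction instruction.
Step S20: Output the transaction request to the bank server.
After receiving the transaction instruction, the user interface of the mobile device 10 converts it into a transaction request and outputs the transaction request to the bank server 20. In detail, because the transaction instruction is entered by the user, the user interface of the mobile device 10 preferably converts the transaction instruction into the corresponding transaction request before outputting it to the bank server 20.
For example, the transaction instruction received by the mobile device 10 through the user interface may be "transfer 5000 yuan from account A at this bank to account B". After receiving it, the user interface converts "transfer 5000 yuan from account A at this bank to account B" into the corresponding transaction request, which contains "the account number of account A", "the account number of account B" and "transfer 5000 yuan", and outputs the transaction request to the bank server 20 through the mobile device 10.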
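Step S30: Output the coded message to the mobile device.
After receiving the transaction request, the bank server 20 outputs a corresponding coded message to the mobile device 10 based on the transaction request. That is, the memory of the bank server 20 may pre-store a correspondence table that records the coded message corresponding to each transaction request. Alternatively, the bank server 20 may randomly generate the coded message after receiving the transaction request, and then store the generated coded message and the corresponding transaction request in memory for later access. In other words, the content of the coded message may be any one or a combination of English letters, digits, Chinese characters, symbols and the like; the present invention does not limit the content of the coded message.
For example, the coded message generated by the bank server 20 is a message containing a verification code. While outputting the coded message containing the verification code to the mobile device 10, the bank server 20 may also store the verification code, the transaction request and basic data of the mobile device 10 (for example, its telephone number, its location, and the account and password used to enter the user interface) in memory. How the bank server 20 generates a coded message containing a verification code is detailed with FIG. 3 below.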
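Step S40: Generate a verification message from the coded message.
After receiving the coded message, the mobile device 10 generates the corresponding verification message from it. The coded message received by the mobile device 10 may contain only the verification code described above, or the verification code together with a textual description of the transaction request. When the coded message contains only the verification code, the verification message may be that verification code; when the coded message contains the verification code and a textual description of the transaction request, the verification message may contain the verification code and keywords of the transaction request. For the detailed flow of step S40, see the description of FIG. 3 below.
Continuing first with step S50: Enter the verification message into the verification field of the user interface.
The mobile device 10 enters the verification message it generated into the verification field of the user interface, so that the user, after confirming that the verification message has been filled into the verification field, can enter a confirmation instruction (for example, a confirm key) on the user interface. When the mobile device 10 receives the confirmation instruction through the user interface, it outputs the verification message to the bank server 20 through the user interface.
Step S60: Execute a verification procedure based on the verification message.
The bank server 20 can execute a verification procedure based on the received verification message, using the verification message to determine whether the mobile device 10 is a verified device. The verification procedure is described in detail with FIG. 4 and FIG. 5 below.
Step S70: Execute the transaction request.
When the bank server 20 determines that the verification message passes the verification procedure, the mobile device 10 is a verified device. The bank server 20 can therefore execute the transaction request it received upon determining that the verification message passes the verification procedure. Taking the above transaction request containing "the account number of account A", "the account number of account B" and "transfer 5000 yuan" as an example, the bank server 20 can, upon determining that the verification message passes the verification procedure, execute the transfer procedure to transfer 5000 yuan from account A to account B.
Accordingly, when the user enters a transaction instruction, the bank server 20 can execute the transaction request corresponding to that instruction upon confirming that the mobile device 10 is a verified device, so as to avoid a security hole arising if the verification message is intercepted by a malicious party while the bank server 20 is outputting it to the mobile device 10.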
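Please refer to FIG. 1 and FIG. 3 together; FIG. 3 is a detailed flowchart of step S40 shown in FIG. 2. After the bank server 20 outputs the coded message to the mobile device 10 in step S20, the mobile device 10 can generate the verification message from the coded message in step S40.
Refer first to step S401 of FIG. 3: Determine whether the keyword is part of the transaction request.
Specifically, the coded message received by the mobile device 10 may contain a keyword associated with the transaction request and the verification code described above. When the mobile device 10 determines that the keyword contained in the coded message is part of the transaction request, it concludes that the bank server 20 received the correct transaction request, and so it can perform step S403 below.
Taking the above transaction request containing "the account number of account A", "the account number of account B" and "transfer 5000 yuan" as an example, when the coded message received by the mobile device 10 contains keywords such as "transfer" and/or "5000 yuan", the mobile device 10 can determine whether the transaction request containing "the account number of account A", "the account number of account B" and "transfer 5000 yuan" contains the keywords "transfer" and/or "5000 yuan". Note that the keywords "transfer" and/or "5000 yuan" are only examples; the keyword may also be "the account number of account A" and/or "the account number of account B", and the present invention does not limit the type of keyword.
When the mobile device 10 determines that the transaction request does not contain the keyword, it can perform step S402: Control the user interface to interrupt the connection with the bank server.
That is, the mobile device 10 can control the user interface to log out, interrupting the connection with the bank server 20. When the mobile device 10 determines that the transaction request does not contain the keyword, either the transaction request it output to the bank server 20 in step S20 may have been intercepted and tampered with, or the coded message it received from the bank server 20 in step S30 may have been intercepted and tampered with. The mobile device 10 can therefore control the user interface to interrupt the connection with the bank server 20, so that subsequent messages or signals passed between the mobile device 10 and the bank server 20 are not intercepted and tampered with again.
In addition, when the mobile device 10 determines that the transaction request does not contain the keyword, it may also have the user interface present the instruction input field again, so that the user can enter the transaction instruction on the user interface again.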
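Returning to step S401: when the mobile device 10 determines that the keyword is part of the transaction request, it can perform step S403: Decode the verification code into a verification string.
In detail, the verification code generated by the bank server 20 is, for example, a one-time password (OTP). Each one-time password is deleted after one verification ends, and the bank server 20 generates another one-time password for the next verification. This not only saves memory space on the bank server 20 but also avoids the security holes caused by reusing a one-time password.
For example, a verification code in the form of a one-time password may be randomly generated by the bank server 20, and may be composed of one or more of English letters, digits, symbols and the like; the present invention does not limit the form of the verification code.
In addition, the mobile device 10 may decode the verification code into the verification string according to a pre-stored decoding rule. For example, under the pre-stored decoding rule "0" corresponds to the letter "A", "1" to the letter "B", "2" to the letter "C", "25" to the letter "Z", and so on. Therefore, when the verification code is "2.14.3.4", the mobile device 10 decodes it into the verification string "CODE". Alternatively, when the verification code is "13.0.12.4", the mobile device 10 decodes it into "NAME" and uses "NAME" as the verification string; the mobile device 10 may also determine from "NAME" that the bank server 20 is requesting the user's name as the verification string, in which case the verification string produced by decoding the verification code is, for example, the user's name "王小明" (Wang Xiaoming).
The pre-stored decoding rule above is only an example. The mapping from numbers to letters may also be "25" for the letter "A", "24" for the letter "B", "23" for the letter "C", "0" for the letter "Z", and so on; or the verification code may be presented in English letters and the verification string in digits.
After generating the verification string, the mobile device 10 performs step S405: Use the verification string as the verification message.
Taking the verification strings above as an example, the mobile device 10 can use a verification string such as "CODE" or "王小明" as the verification message, or, when the mobile device 10 determines that the verification code came from the bank server 20, use the verification code "2.14.3.4" directly as the verification message.
Accordingly, the mobile device 10 can enter the verification message into the verification field of the user interface in step S50, to output the verification message to the bank server 20.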
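Please refer to FIG. 1 and FIG. 4 together; FIG. 4 is a flowchart of a verification procedure according to an embodiment of the present invention.
After the bank server 20 receives the verification message from the mobile device 10 (step S50), the bank server 20 can execute the verification procedure based on the verification message.
Step S601a: Determine whether the verification string corresponds to the verification code.
Taking the verification strings above as an example, the bank server 20 can determine whether the verification string "CODE" corresponds to the verification code "2.14.3.4", whether the verification string "NAME" corresponds to the verification code "13.0.12.4", whether the verification string "王小明" corresponds to the verification code "13.0.12.4", and so on, to determine whether the verification string corresponds to the verification code.
When the bank server 20 determines that the verification string does not correspond to the verification code, the bank server 20 performs step S602a: Generate an anomaly record associated with the mobile device.
That is, when the bank server 20 determines that the verification string does not correspond to the verification code, the message may have been subjected to a man-in-the-middle (MITM) attack while the bank server 20 was outputting the coded message to the mobile device 10 and/or while the mobile device 10 was outputting the verification message to the bank server 20; for example, the message was intercepted in transit or tampered with in transit. The bank server 20 can therefore generate an anomaly record associated with the mobile device 10 and store it in the bank database. The anomaly record contains, for example, the time at which the verification message was received from the mobile device 10 and the account and password, obtained from the mobile device 10, that were used for receiving the transaction request. In addition, the bank server 20 may also interrupt the connection between the bank server 20 and the mobile device 10 when it determines that the verification string does not correspond to the verification code.
Before performing step S601a, the bank server 20 may first determine whether the verification message was received within a preset time. The preset time is, for example, 5 minutes, although the present invention does not limit its actual length. When the bank server 20 determines that the verification message was not received within the preset time, it performs step S602a, or interrupts the connection between the bank server 20 and the mobile device 10, to prevent messages from being intercepted again; when the bank server 20 determines that the verification message was received within the preset time, it goes on to perform step S601a and determine whether the verification string corresponds to the verification code.
Returning to step S601a: when the bank server 20 determines that the verification string corresponds to the verification code, the bank server 20 can perform step S603a: Determine that the verification message passes the verification procedure. That is, when the bank server 20 determines that the verification string corresponds to the verification code, the bank server 20 judges the mobile device 10 to be an authenticated device and the transaction request from the mobile device 10 to be an executable transaction request, so the bank server 20 can perform step S70 shown in FIG. 2: Execute the transaction request.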
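Please refer to FIG. 1 and FIG. 5 together; FIG. 5 is a flowchart of a verification procedure according to another embodiment of the present invention.
Step S601b: Determine whether the verification message matches the coded message and whether the transaction amount is below the abnormal amount.
The bank server 20 may determine whether the verification message matches the coded message in the same way as in step S601a of FIG. 4. When the bank server 20 determines that the verification message does not match the coded message, it can perform step S602b: Generate an anomaly record associated with the mobile device. This anomaly record may be the same as the anomaly record of step S602a in FIG. 4, so the way the verification message is judged and the step S602a performed when the result is "no" are not repeated here.
The abnormal amount is a normal transaction amount plus an abnormal allowance. The normal transaction amount is, for example, the range formed by the amounts the user ordinarily uses when performing this kind of transaction, and the abnormal allowance is, for example, 50% of the upper limit of the normal transaction amount range; the present invention does not limit how the abnormal allowance is set.
For example, suppose that when the user enters a transfer instruction, the user usually requests a transfer of 3000 yuan from account A at this bank to account B, and the abnormal allowance is, for example, 1500 yuan, so that the abnormal amount is 4500 yuan. Then when the transaction instruction is, for example, "transfer 5000 yuan from account A at this bank to account B", the bank server 20 can determine whether the transaction amount of 5000 yuan exceeds the abnormal amount of 4500 yuan.
When the bank server 20 determines that the transaction amount reaches the abnormal amount, the bank server 20 can perform step S602b: Generate an anomaly record associated with the mobile device. This anomaly record may further contain a record of this transaction, for example the transaction amount and the time at which the transaction request was received from the mobile device 10. Accordingly, if the transaction request received by the bank server 20 was submitted by a malicious party through misuse, the bank server 20 can retain the anomaly record for later access; the bank server 20 can also output the anomaly record to a terminal device of the bank to notify bank staff, or output the anomaly record to the investigating authorities for their review.
Returning to step S601b: when the bank server 20 determines that the verification message matches the coded message and the transaction amount is below the abnormal amount, the bank server 20 performs step S603b: Determine that the verification message and the transaction amount pass the verification procedure.
That is, when the verification message matches the coded message and the transaction amount is below the abnormal amount, the bank server 20 judges the transaction request it received to be an executable transaction request, so the bank server 20 can perform step S70 shown in FIG. 2.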
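The device-side keyword check of FIG. 3 and the server-side checks of FIG. 4 and FIG. 5 can be simulated together in one exchange, as in the following added example, which is not code from the patent. The class and field names, the dictionary layout of the coded message, the four-number code length and the exact-match keyword comparison are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # pre-stored rule from the text: 0->A ... 25->Z
PRESET_TIME_S = 5 * 60                    # the text's example preset time (5 minutes)
KEYWORD_FIELDS = ("from_account", "amount", "tx_type")  # keyword contents per the summary

@dataclass(frozen=True)
class Request:                            # hypothetical layout of a transaction request
    from_account: str
    to_account: str
    amount: int
    tx_type: str

def decode(code: str) -> str:
    """S403: '2.14.3.4' -> 'CODE' under the pre-stored rule."""
    return "".join(ALPHABET[int(n)] for n in code.split("."))

class BankServer:
    def __init__(self, normal_upper: int, abnormal_allowance: int):
        self.abnormal_amount = normal_upper + abnormal_allowance
        self.pending = {}                 # device id -> (code, request, issue time)
        self.anomalies = []               # S602a / S602b records

    def issue(self, device_id: str, request: Request, now: float) -> dict:
        """S30: random one-time code plus a keyword taken from the request as received."""
        code = ".".join(str(secrets.randbelow(26)) for _ in range(4))
        self.pending[device_id] = (code, request, now)
        keyword = {f: getattr(request, f) for f in KEYWORD_FIELDS}
        return {"keyword": keyword, "code": code}

    def verify(self, device_id: str, verification: str, now: float) -> bool:
        """S60: time window, code correspondence, then the abnormal-amount check."""
        code, request, issued = self.pending.pop(device_id)  # one-time: deleted on use
        if now - issued > PRESET_TIME_S:
            reason = "late"
        elif not secrets.compare_digest(verification, decode(code)):
            reason = "mismatch"
        elif request.amount >= self.abnormal_amount:
            reason = "abnormal amount"
        else:
            return True                   # S603: the server may execute the request (S70)
        self.anomalies.append({"device": device_id, "time": now,
                               "reason": reason, "amount": request.amount})
        return False

class MobileDevice:
    def __init__(self, device_id: str):
        self.device_id = device_id
        self.connected = True

    def respond(self, sent: Request, coded: dict):
        """S401-S405: compare the echoed keyword with the request this device sent."""
        expected = {f: getattr(sent, f) for f in KEYWORD_FIELDS}
        if coded["keyword"] != expected:
            self.connected = False        # S402: interrupt the connection
            return None
        return decode(coded["code"])

def exchange(server, device, sent, received, delay_s=10.0):
    """One round; `received` differs from `sent` when the request was altered in transit."""
    coded = server.issue(device.device_id, received, now=0.0)
    verification = device.respond(sent, coded)
    if verification is None:
        return "device disconnected"
    ok = server.verify(device.device_id, verification, now=delay_s)
    return "executed" if ok else "refused: " + server.anomalies[-1]["reason"]
```

The substitution rule is the description's own example and is trivially reversible, so in this sketch the tamper detection comes from the keyword comparison and the single-use, time-limited code, not from the encoding.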
In summary, the transaction verification system and method capable of suspending connection according to one or more embodiments of the present invention let the mobile device and the bank server judge each other's legitimacy, so as to avoid information-security holes. In addition, the system and method let the mobile device and the bank server discover in time whether a message was intercepted or subjected to a man-in-the-middle attack during transmission and respond accordingly, and they also avoid the risk that a user who receives a message mistakenly enters the verification message into a phishing website.
Although the present invention is disclosed above by the foregoing embodiments, they are not intended to limit it. Changes and refinements made without departing from the spirit and scope of the present invention fall within its scope of patent protection. For the scope of protection defined by the present invention, please refer to the appended claims.
10: mobile device; 20: bank server
FIG. 1 is a block diagram of a transaction verification system capable of suspending connection according to an embodiment of the present invention. FIG. 2 is a flowchart of a transaction verification method capable of suspending connection according to an embodiment of the present invention. FIG. 3 is a detailed flowchart of step S40 shown in FIG. 2. FIG. 4 is a flowchart of a verification procedure according to an embodiment of the present invention. FIG. 5 is a flowchart of a verification procedure according to another embodiment of the present invention.
Claims (8)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW110140904A TWI789972B (en) | 2020-05-15 | 2020-05-15 | Transaction verification system and method capable of suspending connection |
Publications (2)
Publication Number | Publication Date |
---|---|
TW202209228A TW202209228A (en) | 2022-03-01 |
TWI789972B true TWI789972B (en) | 2023-01-11 |
Family
ID=81747145
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW110140904A TWI789972B (en) | 2020-05-15 | 2020-05-15 | Transaction verification system and method capable of suspending connection |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI789972B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI832344B (en) * | 2022-07-20 | 2024-02-11 | 第一商業銀行股份有限公司 | Review trading system |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103765861A (en) * | 2011-06-27 | 2014-04-30 | 亚马逊技术股份有限公司 | Payment selection and authorization by a mobile device |
WO2015101273A1 (en) * | 2013-12-30 | 2015-07-09 | 腾讯科技(深圳)有限公司 | Security verification method, and related device and system |
US20150254662A1 (en) * | 2014-03-05 | 2015-09-10 | Mastercard International Incorporated | Verifying transaction context data at wallet service provider |
CN107851254A (en) * | 2015-07-20 | 2018-03-27 | 维萨国际服务协会 | At utmost reduce the seamless transaction of user's input |
TW201812666A (en) * | 2016-09-26 | 2018-04-01 | 李謙牧 | Commercial communication method and integrated platform thereof using real experience of members to facilitate commercial exchanges |
TWI633507B (en) * | 2017-06-13 | 2018-08-21 | 財金資訊股份有限公司 | System for mobile payment, payment method thereof, computer program product |
CN109949111A (en) * | 2019-03-06 | 2019-06-28 | 深圳市智税链科技有限公司 | Electronic bill mark distributing method, electronic bill generation method, apparatus and system |
-
2020
- 2020-05-15 TW TW110140904A patent/TWI789972B/en active
Also Published As
Publication number | Publication date |
---|---|
TW202209228A (en) | 2022-03-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10187211B2 (en) | Verification of password using a keyboard with a secure password entry mode | |
EP1946514B1 (en) | System and method for conducting secure transactions | |
TWI522836B (en) | Network authentication method and system for secure electronic transaction | |
CN109922035B (en) | Password resetting method, request terminal and verification terminal | |
CN112425114B (en) | Password manager protected by public key-private key pair | |
JP6804696B1 (en) | User selection key authentication | |
US10063538B2 (en) | System for secure login, and method and apparatus for same | |
JP6034995B2 (en) | Method and system for authenticating services | |
US20190377863A1 (en) | Password input method, computer device and storage medium | |
CN111783049A (en) | User information processing method and system based on block chain | |
JP6378870B2 (en) | Authentication system, authentication method, and authentication program | |
TWI789972B (en) | Transaction verification system and method capable of suspending connection | |
TWM602250U (en) | Transaction certification system | |
WO2024044045A1 (en) | Passkey integration techniques for identity management | |
JP2010237741A (en) | Authentication system and authentication method | |
KR101537564B1 (en) | Biometrics used relay authorization system and its method | |
TWI789971B (en) | Transaction verification system and method for cross validation | |
WO2019114784A1 (en) | Method for resetting password, request terminal and check terminal | |
TWI747287B (en) | Transaction verification system and method | |
KR101308152B1 (en) | Registration method for mobile otp device by smart device | |
KR20150133938A (en) | One click log-in method using anonymous ID and system thereof | |
TWM599939U (en) | System for identity verification | |
KR20150104667A (en) | Authentication method | |
KR102281580B1 (en) | Authentication system and method of performing authentication in authentication system | |
JP2014164672A (en) | Authentication device and authentication method |