WO2015188718A1 - Mobile terminal-based payment method and apparatus, and mobile terminal - Google Patents

Mobile terminal-based payment method and apparatus, and mobile terminal Download PDF

Info

Publication number
WO2015188718A1
WO2015188718A1 PCT/CN2015/080711 CN2015080711W WO2015188718A1 WO 2015188718 A1 WO2015188718 A1 WO 2015188718A1 CN 2015080711 W CN2015080711 W CN 2015080711W WO 2015188718 A1 WO2015188718 A1 WO 2015188718A1
Authority
WO
WIPO (PCT)
Prior art keywords
payment
mobile terminal
transmission channel
network
virtual private
Prior art date
Application number
PCT/CN2015/080711
Other languages
French (fr)
Chinese (zh)
Inventor
孟齐源
高祎玮
Original Assignee
北京奇虎科技有限公司
奇智软件(北京)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from CN201410256922.9A external-priority patent/CN104008482B/en
Priority claimed from CN201410645534.XA external-priority patent/CN104463569A/en
Application filed by 北京奇虎科技有限公司, 奇智软件(北京)有限公司 filed Critical 北京奇虎科技有限公司
Publication of WO2015188718A1 publication Critical patent/WO2015188718A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/326Payment applications installed on the mobile devices

Definitions

  • the present invention relates to the field of mobile communications, and in particular, to a mobile terminal-based payment method, apparatus, and mobile terminal.
  • Mobile payment combines terminal equipment, the Internet, application providers, and financial institutions to provide users with financial services such as money payment and payment.
  • financial services such as money payment and payment.
  • Third-party payment banking and other companies are rushing to launch mobile payment clients.
  • Shopping clients such as shopping, wealth management and life services are also emerging, which greatly enriches the market application environment of mobile payment.
  • the mobile payment uses the user's mobile phone number or other identification as an associated payment account, and the payment transaction activity is performed through identity confirmation.
  • the mobile payment access method may include a short message, a voice, a network connection, and the like.
  • the network connection method is the most widely used, and the user sends a transaction request to a merchant that provides a certain commodity or service by using a mobile network, and transmits the transaction data and completes the transaction payment by using the wireless network.
  • the security of mobile payments is a key factor affecting the development of payment services.
  • the security of mobile payment involves the confidentiality of user information, the security of user funds and the security of payment information.
  • the security risks are mainly from two aspects: network and system security, and terminal security.
  • malware When mobile payment data is transmitted in a wireless network, there are security risks such as interception of signals. For example, some malware can be disguised as a public WiFi network without encryption, and after the user connects, intercept the user to transmit mobile data.
  • Some Trojans and phishing websites on the terminal and network side will pretend to be payment websites and payment clients, defrauding the user's account password or directly conducting financial fraud.
  • the present invention has been made in order to provide a mobile terminal-based payment method, apparatus, and mobile terminal that overcome the above problems or at least partially solve the above problems.
  • a mobile terminal-based payment method including: determining that a mobile terminal enters a payment scenario; detecting a network connection type of the mobile terminal; and establishing a secure network transmission channel of the mobile terminal to the payment server according to the network connection type. Transfer the payment data using the secure network transmission channel until the payment is completed.
  • a mobile terminal-based payment device comprising: a payment scenario determining module configured to determine that the mobile terminal enters a payment scenario; and a network connection detecting module configured to Detecting a network connection type of the mobile terminal; the transmission channel establishing module is configured to establish a secure network transmission channel of the mobile terminal to the payment server according to the network connection type; the payment data transmission module is configured to transmit the payment data by using the secure network transmission channel until the payment is withdrawn Scenes.
  • a mobile terminal is also provided.
  • the mobile terminal includes the mobile terminal based payment device described above.
  • the mobile terminal-based payment method and device of the present invention establishes a secure network connection channel according to the network connection condition after entering the payment scenario, thereby avoiding network interception of payment data, and eliminating the security risk of mobile payment from the aspect of network transmission.
  • the payment method of the present invention adopts the reconnection and prompting manner to ensure the working reliability of the network channel, reduce the operation of the user, and improve the user experience.
  • the present invention specifically identifies the payment scenario to its active interface, that is, corresponding to its active component, enhances the intelligence of the recognition, eliminates unnecessary frame harassment of the user operation, and makes the service function of the application more Humanized, both to meet security needs and to meet usage habits.
  • a computer program comprising computer readable code, when said computer readable code is run on a computing device, causing said computing device to perform a mobile based operation as described above The payment method of the terminal.
  • a computer readable medium storing the above computer program is provided.
  • FIG. 1 is a schematic diagram of a mobile terminal based payment device according to an embodiment of the present invention.
  • FIG. 2 is a schematic diagram of a mobile terminal based payment method according to an embodiment of the present invention.
  • FIG. 3 is a flowchart of determining a mobile terminal entering a payment scenario in a mobile terminal-based payment method according to an embodiment of the present invention
  • FIG. 4 is an optional detailed flowchart of a mobile terminal based payment method according to an embodiment of the present invention.
  • FIG. 5 schematically shows a block diagram of a computing device for performing a mobile terminal based payment method in accordance with the present invention
  • Fig. 6 schematically shows a storage unit for holding or carrying program code implementing a mobile terminal based payment method according to the present invention.
  • the payment device 100 of the mobile terminal may generally include a payment scenario determining module 110, a network connection detecting module 120, a transmission channel establishing module 130, a payment data transmission module 140, a transmission state monitoring module 150, a payment channel exit module 160, and the above module.
  • the configuration may be flexibly performed according to the functional requirements of the mobile terminal-based payment device 100 of the present embodiment. In some optional environments, all the above modules may not be configured.
  • the mobile terminal-based payment device 100 of the present embodiment can be installed in the mobile terminal or other mobile payment device of the embodiment, and runs in the process of the mobile terminal performing mobile payment to ensure the transmission security of the payment data of the mobile terminal.
  • the payment scenario determining module 110 is configured to determine that the mobile terminal enters a payment scenario.
  • the determination of the payment scenario may be determined according to the client initiated by the mobile terminal. When it is detected that the mobile terminal has a new client startup, it is determined whether the newly activated client is a mobile payment client, and if it is determined that the mobile terminal starts the payment client. And determining that the mobile terminal enters the payment scenario.
  • the process of determining whether the newly launched client is a mobile payment client can be implemented by local client list verification and client feature matching.
  • a specific structure of the payment scenario determining module 110 may be configured: a data comparison sub-module and a feature analysis sub-module.
  • the data comparison sub-module compares the client information with the client information of the preset payment client list. If there is a list item with the matching result, the comparison is successful, and the payment client list is pre-stored. Characteristic information of various payment class clients.
  • the feature analysis sub-module extracts the package name and the tag name in the client information, and queries whether the package name and the tag name include the feature keyword of the payment client, and if so, the comparison is successful.
  • the list of payment clients used by the data comparison sub-module can be dynamically adjusted according to the specific usage of the mobile terminal to record information of all installed payment clients.
  • the features used in the feature analysis sub-module generally include a package name and a tag name (lable), and may also include signatures, version numbers, and the like.
  • the feature analysis can be performed locally on the mobile terminal, or the feature information can be uploaded to the cloud, and the judgment result is returned to the mobile terminal after being judged by the cloud.
  • the network connection detecting module 120 detects the network connection type of the mobile terminal.
  • the general network connection type may include various network standard mobile communication networks provided by mobile operators (for example, mobile networks such as CDMA, GPRS, WCDMA, TD-CDMA, and LTE provided by various operators) and various wireless local area networks (for example, WIFI). .
  • mobile operators for example, mobile networks such as CDMA, GPRS, WCDMA, TD-CDMA, and LTE provided by various operators
  • WIFI wireless local area networks
  • wireless LANs they can be divided into public networks and encrypted networks.
  • users can use their wireless routers to set up their own WIFI networks, and in some public places, they also provide some public WIFI hotspots. Some malicious WIFIs pretend to be wireless hotspots.
  • intercept the communication data of the terminal thereby obtaining information such as the user name and password.
  • the network connection detecting module 120 can determine whether there is a hidden danger of information transmission leakage by detecting the type of network connection in which the mobile terminal is involved. For example, when the network accessed by the mobile terminal is a wireless network that is initially connected or has no encryption, the wireless network is considered to have a hidden danger of information transmission leakage.
  • the network connection detecting module 120 can detect the network connection of the mobile terminal by using a process similar to the WiFi physical check, for example, detecting the security of the management account of the wireless router (for example, using a default password), and whether the DNS of the router's WAN port is maliciously falsified. Whether the DNS of the router's DHCP service has been tampered with, whether the router is allowed to be remotely controlled, etc., when the above check items may have security risks, the user is reminded to use the secure network transmission channel for mobile payment.
  • the transmission channel establishing module 130 establishes a secure network transmission channel of the mobile terminal to the payment server according to the network connection type.
  • An optional structure of the transmission channel establishing module 130 may include: determining a submodule, prompting Submodule, execution submodule.
  • the determining sub-module determines whether the network connection type is a wireless transmission network with a risk of information leakage; for example, when the network accessed by the mobile terminal is a wireless network that is initially connected or has no encryption, the wireless network is considered to have a hidden danger of information transmission leakage.
  • the DNS of the router's WAN port is maliciously tampered with
  • the DNS of the router's DHCP service is tampered with, and the router is allowed to be remotely controlled, etc., it is also considered that there is a risk of information leakage on the current network.
  • the prompt sub-module prompts the payment risk of the network connection through the interface of the mobile terminal when the judgment result of the sub-module is YES, and provides an operation option for starting the preset virtual private network transmission.
  • the interface may prompt the risk of the current network connection through a pop-up window, prompt the user to use the network connection to transmit the hidden danger of the payment, and provide corresponding options, such as providing a preset virtual private network connection by means of a menu or a button. Operational entrance.
  • the execution sub-module After receiving the operation of the user, the execution sub-module connects to the corresponding virtual private network according to the operation of the operation option by the user. For example, the user selects a button or menu in the operation option to pay with a secure network, and the execution sub-module switches the network connection of the mobile terminal to a secure transmission state, for example, repackaging the data packet and then transmitting it through IP tunneling technology,
  • the method of selecting is to use a virtual private network (VPN) technology for data transmission, and pre-establish a virtual private network for processing data transmission of the mobile terminal.
  • VPN virtual private network
  • a workflow of the execution sub-module is: initiating a connection request to a preset virtual private network; determining whether the connection is successful within a predetermined time; if yes, transmitting the payment data by using the virtual private network, and transmitting the payment data by using the secure network transmission channel; If not, a reconnection request is initiated to the preset virtual private network until the connection is successful or the number of connections exceeds a preset threshold, for example, reconnection is more than 2 times or 3 times, and the connection is deemed unsuccessful.
  • the execution sub-module may also prompt the virtual private network connection to be unsuccessful through the mobile terminal after the connection number exceeds the preset threshold, and generate a prompt option for the next operation, and perform corresponding operation according to the user's selection of the prompt option.
  • the operation, prompt options include any one or more of the following: temporarily stop the payment, try to connect to other virtual private networks, ignore the risk to continue to pay.
  • the payment data transmission module 140 can transmit the payment data by using the secure network transmission channel until the payment is completed.
  • the payment data transmission module 140 can perform interactive data exchange between the mobile terminal and the payment server by means of transparent transmission, that is, the length and content of the data of the sender and the receiver are completely consistent, and the compatibility of data transmission is ensured.
  • the transmission status monitoring module 150 monitors the transmission status of the secure network transmission channel during the data transmission by the payment data transmission module 140, and retransmits the transmission channel to the secure network when an abnormality occurs in the transmission status, such as a disconnection or a data error. Initiate a connection request. Thereby ensuring the reliability of the network connection and improving the user experience.
  • the payment channel exit module 160 disconnects the secure network transmission channel after exiting the payment scenario. Release the link capability of the secure transmission channel, reduce the load pressure of the secure transmission channel, and ensure the normal operation of other functions of the mobile terminal.
  • the above secure transmission channel can implement transparent forwarding of payment data by using various IP tunnel technologies including VPN.
  • the secure network transmission channel established based on the virtual private network that is, the communication tunnel implemented based on the virtual private network protocol, specifically, any one of PPTP, L2TP, and IPSEC may be adopted.
  • the protocol is implemented, and the remote communication data involved in the mobile terminal payment scenario, particularly related to the active interface related to the payment, is encrypted and transmitted through the communication tunnel, thereby further ensuring the security of the related payment data, making it difficult to be stolen or cracked.
  • a service module may be registered in advance with the system, and the system operating environment is monitored by the service module to obtain control rights for establishing and maintaining the communication tunnel.
  • the service module is flexible in implementation form and can be integrated into the same program together with each module of the aforementioned device.
  • the service module after monitoring the incoming payment scenario, does not establish the communication tunnel, and then prompts the user interface to prompt the user whether to establish the communication tunnel, when the user selects to establish the communication tunnel.
  • the service module is responsible for invoking the system function and establishing a communication tunnel based on the virtual private network protocol; otherwise, the communication tunnel is not established. That is, the service module gives control of whether to establish a communication tunnel to the user for processing, and determines whether to establish the communication tunnel based on the user selection.
  • the communication tunnel no longer exists, which means that the service module fails to establish the communication tunnel successfully through multiple attempts, or although the communication tunnel is successfully established once, but after the subsequent disconnection, the communication tunnel cannot be established again. Or the user forcibly disconnects the communication tunnel through a third-party application. In this case, it means that the payment scenario will work in a public connection environment and cannot achieve the construction purpose of the secure payment environment to be achieved by the present invention. Therefore, the method of the present invention forcibly withdraws from the payment scenario and rejects the user's Subsequent payment operations.
  • the active interface for executing the payment instruction may be closed, and then the entire application is exited to complete the exit of the payment scenario.
  • the above embodiments of the present invention are capable of ensuring that the operation of the payment scenario and the remote transmission of the data are performed based on a secure communication tunnel, thereby ensuring the security of the payment operation of the mobile terminal.
  • the basis for performing the secure connection payment method is based on the identification of the payment scenario, and the identification of such a payment scenario is located at the level of the application package, that is, for a specific application. Identification and processing. For example, once a third-party payment application such as WeChat or Alipay is activated, it means that the payment scenario is activated, that is, the service module described in the present invention is triggered, and the service module will try to query the frame or directly establish the service module. Communication tunnels (implemented in some undescribed embodiments), and the purpose of the user's use of such applications is not to make online payments each time, such that frequent human interactions will cause the user to bother.
  • a third-party payment application such as WeChat or Alipay
  • the following manner is also provided to determine that the mobile terminal enters a payment scenario, or determines that a payment scenario is initiated.
  • the determination of the payment scenario in this embodiment is specific to the level of the active interface of the third-party payment application.
  • the present invention can identify an active interface in a payment scenario by:
  • each active interface corresponds to an active component, that is, Activity, and Activity is one of the executable components of Android.
  • payment applications often include multiple activity interfaces, including an activity interface for performing payment operations (instructions), and an activity interface for presenting information.
  • the call between the various activities implemented by means of Intent technology, through HOOK (hook)
  • the technology intercepts the Intent to know the calling intention of the active component corresponding to the current active interface, thereby determining whether the user has the real activity intention of performing the payment operation, and determining that the user has the intention of the real activity,
  • the determination that the payment scenario is initiated that is, the concept of the payment scenario in the previous embodiment is narrowly understood, and only a series of active interfaces for performing payment operations in the payment application are regarded as payment scenarios, and key features are identified. After one or more of the active interfaces are invoked, it is determined whether the payment application has entered the payment scenario.
  • One or more referred to herein may inevitably be determined to be in a payment scenario; when calling for a selected bank card, for querying a bill, etc.
  • the active interface is different, but the active interfaces related to the payment are successively called, the user is deemed to be interested in entering the payment scenario. Therefore, by identifying the calling relationship of the active interface, it is sufficient to determine whether the current process starts the payment scenario.
  • the so-called key feature recognition activity interface involves the acquisition of process information in the HOOK technology, and the keyword of the class name related to the activity interface, as a basis for logical judgment, etc., which are known to those skilled in the art, and will not be described .
  • the determination of the payment scenario is performed before the active interface is invoked, and the active interface is not yet activated.
  • the present invention can establish a communication tunnel first, and the response is timely and the identification is efficient.
  • the method of the present invention can obtain the active interface that has been activated from the message queue through the service module provided by the method, and the key feature information of the current active interface can be used as a basis for determining whether to start the payment scenario. Determine if the communication tunnel needs to be established.
  • the logic analysis of the key feature information of the active interface can be utilized to realize the judgment of the behavior track of the user's operating habit. For example, when the WeChat is running, entering the "wallet” activity interface, and then clicking the "transfer” page, it can be determined that the payment operation needs to be performed, and then the payment scenario is deemed to be initiated, and as a technical basis for establishing the communication tunnel. .
  • the active interface is already in an active state at the top of the stack before establishing the communication tunnel; if the Intent is used to obtain the Calling the relevant active interface key feature information, before the communication tunnel is established, the active interface may be in an inactive state, including a pause, stop, end, etc., until the communication tunnel is successfully established, and then the related activity is activated. This shows the active interface.
  • the role of the communication tunnel is mainly for transmitting data related to payment, and does not care whether the data involved in the active component corresponding to the other payment-independent active interface of the current payment application needs to be performed through the communication tunnel. transmission.
  • the communication tunnel is mainly used to transmit an active interface for executing the payment instruction included in the payment scenario.
  • the data in theory, understood in the broad sense of data transmission, is only used to transmit the data used by such active interfaces. In fact, these data include not only the payment-related passwords, amounts, and instructions involved, but also related data that determines the correct transmission of such data. However, for the purposes of the present invention, the focus is on these various types of data related to payment, ensuring that it is securely transmitted through the communication tunnel.
  • the above determines the manner in which the payment scenario is initiated, further ensuring the implementation of secure communication, and improving the user experience of human-computer interaction.
  • the embodiment of the present invention further provides a mobile terminal-based payment method, which can be executed by the mobile terminal-based payment device of the above embodiment to eliminate the security risk of the mobile payment and ensure the security of the user's property information.
  • Step S202 determining that the mobile terminal enters a payment scenario
  • Step S204 detecting a network connection type of the mobile terminal
  • Step S206 establishing a secure network transmission channel of the mobile terminal to the payment server according to the network connection type
  • Step S208 the payment data is transmitted by using the secure network transmission channel until the payment is completed.
  • the determining of the payment scenario in step S202 may be determined according to the client initiated by the mobile terminal.
  • the payment client determines that the mobile terminal enters the payment scenario.
  • the process of determining whether the newly launched client is a mobile payment client can be implemented by local client list verification and client feature matching.
  • FIG. 3 is a flowchart of determining a mobile terminal entering a payment scenario in a mobile terminal-based payment method according to an embodiment of the present invention, where the process includes:
  • Step S302 monitoring whether a new client is started in the mobile terminal
  • Step S304 determining whether the newly started client is a client recorded in the local payment client list, and if yes, determining to enter the payment scenario, and if not, performing step S306 to determine that the payment scenario is not entered;
  • Step S306 determining whether the feature of the newly activated client matches the payment type client feature keyword, if yes, determining to enter the payment scenario, and if not, determining not to enter the payment scenario;
  • the mobile terminal may pre-store a payment client list for recording the payment client information installed by the mobile terminal.
  • the cloud query may be further used. It is determined that, for example, the characteristics such as the package name, the tag name, and the version information of the client are matched with the feature keywords of the payment type client saved in the cloud. Therefore, after determining to open the payment type client, the mobile terminal can be considered to enter the payment scenario.
  • the above payment client list can be dynamically adjusted according to the usage of the mobile terminal to record information of all installed payment clients.
  • the key features of the active interface of the third-party payment application mentioned above may be determined to determine whether the payment scenario has been entered, and details are not described herein again.
  • the payment client may also be first verified by the version, and the payment is cleared, that is, the process unrelated to the payment is closed.
  • An optional process of step S204 is: determining whether the network connection type is a wireless transmission network with a risk of information leakage; if yes, prompting the payment risk of the network connection through the interface of the mobile terminal, and providing the preset virtual private network transmission Operation options; connect the corresponding virtual private network according to the user's operation on the operation options.
  • the wireless network accessed by the mobile terminal is a wireless network that is initially connected or has no encryption
  • the wireless network is considered to have a hidden danger of information transmission leakage
  • the DNS of the router's WAN port is maliciously tampered with
  • the router's DHCP service is In the case where the DNS is tampered with, the router is allowed to be remotely controlled, etc., the current network is also considered to be at risk of information leakage.
  • an optional process of step S206 is: initiating a connection request to the preset virtual private network; Whether the connection is successful within a certain time; if yes, the virtual private network is used to transmit the payment data; if not, the reconnection request is initiated to the preset virtual private network until the connection is successful or the number of connections exceeds a preset threshold.
  • the reconnection threshold can be configured according to the actual situation, for example, configured as 2 or 3 times.
  • the mobile terminal may also prompt the virtual private network connection to be unsuccessful, and generate a prompt option for the next operation, and the prompt option includes any of the following options. Or multiple: temporarily stop the payment, try to connect to other virtual private networks, ignore the risk to continue to pay; follow the user's choice of prompt options to perform the corresponding operations.
  • step S206 can implement transparent transmission of the interaction data between the mobile terminal and the payment server through the secure network transmission channel.
  • the transmission status of the secure network transmission channel can also be monitored, and when the transmission status is abnormal, the connection request is re-initiated to the virtual private network.
  • the method further includes: disconnecting the secure network transmission channel and exiting the payment scenario, thereby releasing the load of the virtual private network, and restoring the operation of other processes.
  • the above security service channel can be implemented by using VPN technology or other IP tunneling technology.
  • the VPN can utilize the bearer function of IP and other networks, and combine the corresponding authentication and authorization mechanisms to establish a secure virtual private network.
  • the executor of the mobile terminal-based payment method of this embodiment can access its internal network to the internet through a dedicated line, and the user can use the VPN channel service to enter the virtual private network anywhere in the country, and securely access the network. The information resources needed.
  • a wireless VPN network can be used.
  • the VPN network can be located in the wireless data network of the operator and is isolated from the Internet.
  • the mobile terminal is connected to the wireless VPN network, and firstly, the network of the access point name carried by the wireless VPN is connected. (Access Point Name, APN for short) network, users of other APN networks or networked channels cannot access the VPN network.
  • APN Access Point Name
  • the wireless VPN network can adopt a virtual private network built on the APN network.
  • the connection process of the wireless VPN network is to first connect the APN channel carrying the VPN network, and then establish a VPN network.
  • the networking parameters of the VPN network include the networking parameters of the carried APN network and the networking parameters of the VPN.
  • the mobile terminal can only connect to the VPN network, which is a limitation of the system implementation of the route management in the network management. Therefore, you need to exit the VPN network after completing the payment.
  • FIG. 4 is an optional detailed flowchart of a mobile terminal-based payment method according to an embodiment of the present invention. As shown in the figure, after determining that a mobile terminal enters a payment scenario and closes an unrelated process to complete the clearing, the following steps are performed:
  • step S402 it is determined that the network accessed by the mobile terminal is a public WiFi. If yes, step S404 is performed, and if no, step S416 is performed; in addition to determining the public WiFi, the network judgment may be further performed in a manner similar to the WiFi physical check, for example, detecting the wireless router. Security of the management account (for example, using the default password), whether the DNS of the router's WAN port has been maliciously tampered, whether the DNS of the router's DHCP service has been tampered with, whether the router is allowed to be remotely controlled, etc., when the above check items may appear safe In case of hidden danger, step S404 is performed;
  • Step S404 popping up the risk prompt interface, suggesting to use a secure payment VPN, and providing a user selection button or a selection menu;
  • Step S406 detecting whether the user chooses to use the secure payment VPN, and if so, executing step S408, and if not, executing step S424;
  • Step S408 attempting to connect to a secure payment VPN
  • step S410 it is determined whether the secure payment VPN is successfully connected within 5 seconds. If yes, step S412 is performed. If no step S418 is performed, the threshold of 5 seconds may be modified according to the actual use situation, which is merely an example, not the embodiment. limits;
  • Step S412 performing a subsequent payment operation using a secure payment VPN
  • Step S414 the VPN is interrupted during the subsequent operation, and if so, returning to step S408 to perform reconnection, if not, executing step S416;
  • step S4108 it is determined whether the number of connections has exceeded the threshold, for example, the connection has failed twice. If the step S420 is performed, if the step S422 is performed, the threshold of the number of reconnections can be modified according to the actual usage, and the two times here are only examples. It is not a limitation of this embodiment;
  • Step S420 prompting that the VPN is temporarily unavailable, suggesting that the user temporarily not perform the payment operation, and providing an option to withdraw the payment and continue to pay;
  • Step S422 if the option of receiving the user to try to connect again is returned to step S408, if not step S424;
  • Step S424 completing a subsequent payment operation by using the currently connected public WiFi network
  • Step S426 determining whether the user selects the option of "temporarily not performing the payment operation", if not, returning to step S424, if yes, executing step S428;
  • step S430 it is determined whether the secure payment VPN is still connected. If the secure payment VPN is disconnected, the process ends. If it is disconnected, the process is directly terminated, and the state of the mobile terminal before entering the payment scenario is restored.
  • the threshold of the number of reconnection times and the setting of the connection time are not limited to two times and five seconds, and can be flexibly adjusted according to the application environment, and the VPN can also adopt various other IP tunnel technologies that implement data transparent forwarding. .
  • multiple VPNs can be provided for users to choose, further improving the reliability of network connections.
  • the mobile terminal-based payment method and apparatus of the present embodiment and the mobile terminal for mobile payment use the VPN or other IP tunnel transmission technology to perform mobile payment by switching the networking channel, and satisfy the security switching requirements of the network service and the secure payment for different applications.
  • the mobile terminal only has a unique networked dedicated mobile secure payment data network, which eliminates the security risks of the transmission channel to mobile payment, and combines other measures and means to ensure the security of the mobile payment system.
  • the payment method of the present invention adopts the reconnection and prompting manner to ensure the working reliability of the network channel, reduce the operation of the user, and improve the user experience.
  • the present invention specifically identifies the payment scenario to its active interface, that is, corresponding to its active component, enhances the intelligence of the recognition, eliminates unnecessary frame harassment of the user operation, and makes the service function of the application more Humanized, both to meet security needs and to meet usage habits.
  • modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from the embodiment.
  • the modules or units or components of the embodiments may be combined into one module or unit or component, and further they may be divided into a plurality of sub-modules or sub-units or sub-components.
  • any combination of the features disclosed in the specification, including the accompanying claims, the abstract and the drawings, and any methods so disclosed, or All processes or units of the device are combined.
  • Each feature disclosed in this specification (including the accompanying claims, the abstract and the drawings) may be replaced by alternative features that provide the same, equivalent or similar purpose.
  • the various component embodiments of the present invention may be implemented in hardware, or in a software module running on one or more processors, or in a combination thereof. It should be understood by those skilled in the art that a mobile terminal or a digital signal processor (DSP) can be implemented in practice to implement a mobile terminal-based payment device and mobile terminal according to an embodiment of the present invention, and a device for protecting payment security of a mobile terminal. And some or all of the functions of some or all of the components of the mobile terminal.
  • the invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein. Such a program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • Figure 5 illustrates a computing device that can implement a method of transferring data between smart terminals.
  • the computing device conventionally includes a processor 510 and a computer program product or computer readable medium in the form of a memory 520.
  • the memory 520 may be an electronic memory such as a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), an EPROM, a hard disk, or a ROM.
  • Memory 520 has a memory space 530 for program code 531 for performing any of the method steps described above.
  • storage space 530 for program code may include various program code 531 for implementing various steps in the above methods, respectively.
  • the program code can be read from or written to one or more computer program products.
  • These computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks.
  • Such computer program products are typically portable or fixed storage units as described with reference to FIG.
  • the storage unit may have storage segments, storage spaces, and the like that are similarly arranged to memory 520 in the computing device of FIG.
  • the program code can be compressed, for example, in an appropriate form.
  • the storage unit includes computer readable code 531', code that can be read by a processor such as 510, such generations
  • the code when run by the computing device, causes the computing device to perform various steps in the methods described above.

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Accounting & Taxation (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A mobile terminal-based payment method and apparatus, and mobile terminal. The mobile terminal-based payment method comprises: determining a mobile terminal has entered a payment scenario (S202); detecting the network connection type of the mobile terminal (S204); on the basis of the network connection type, establishing a secure network transmission channel from the mobile terminal to a payment server (S206); and using the secure network transmission channel to transmit payment data until the payment is complete (S208). Using a VPN or other tunnelling transmission technology to implement a secure network transmission channel for implementing mobile payment fulfils the secure switching requirements of different network service and secure payment applications, ensuring that during the process of a payment operation, the mobile terminal only connects to a dedicated mobile secure payment data network, eliminating the security risks of mobile payment caused by the transmission channel.

Description

基于移动终端的支付方法、装置及移动终端Mobile terminal based payment method, device and mobile terminal 技术领域Technical field
本发明涉及移动通信领域,特别是涉及一种基于移动终端的支付方法、装置及移动终端。The present invention relates to the field of mobile communications, and in particular, to a mobile terminal-based payment method, apparatus, and mobile terminal.
背景技术Background technique
移动支付将终端设备、互联网、应用提供商以及金融机构相融合,为用户提供货币支付、缴费等金融业务。随着移动电子商务迅速发展,第三方支付、银行等争相推出移动支付客户端,购物、理财、生活服务等交易类客户端也在不断出现,大大丰富了移动支付的市场应用环境。Mobile payment combines terminal equipment, the Internet, application providers, and financial institutions to provide users with financial services such as money payment and payment. With the rapid development of mobile e-commerce, third-party payment, banking and other companies are rushing to launch mobile payment clients. Shopping clients such as shopping, wealth management and life services are also emerging, which greatly enriches the market application environment of mobile payment.
移动支付使用用户的手机号或其他标识作为关联支付账户,通过身份确认来进行支付交易活动。移动支付接入方式可以包括短信、语音、网络连接等方式。目前在远程移动支付领域,网络连接方式应用最为广泛,用户通过移动向提供某种商品或服务的商家发出交易申请,利用无线网络传输交易数据并完成交易支付。The mobile payment uses the user's mobile phone number or other identification as an associated payment account, and the payment transaction activity is performed through identity confirmation. The mobile payment access method may include a short message, a voice, a network connection, and the like. At present, in the field of remote mobile payment, the network connection method is the most widely used, and the user sends a transaction request to a merchant that provides a certain commodity or service by using a mobile network, and transmits the transaction data and completes the transaction payment by using the wireless network.
移动支付的安全性是影响支付业务能否发展的关键因素。移动支付的安全性涉及用户信息的保密、用户资金和支付信息的安全等问题,其面临的安全风险主要来自于两个方面:网络和系统的安全性,终端的安全性。The security of mobile payments is a key factor affecting the development of payment services. The security of mobile payment involves the confidentiality of user information, the security of user funds and the security of payment information. The security risks are mainly from two aspects: network and system security, and terminal security.
移动支付数据在无线网络中进行传输时,存在信号被截获等安全隐患,例如一些恶意软件可以伪装成无加密的公共WiFi网络,在用户连接后,截取用户传输移动数据。When mobile payment data is transmitted in a wireless network, there are security risks such as interception of signals. For example, some malware can be disguised as a public WiFi network without encryption, and after the user connects, intercept the user to transmit mobile data.
在终端和网络侧一些木马程序和钓鱼网站会伪装成支付网站和支付客户端,骗取用户的账号密码或者直接进行金融诈骗。Some Trojans and phishing websites on the terminal and network side will pretend to be payment websites and payment clients, defrauding the user's account password or directly conducting financial fraud.
因此移动支付的安全问题是移动支付推广的主要瓶颈和隐患。Therefore, the security issue of mobile payment is the main bottleneck and hidden danger of mobile payment promotion.
发明内容Summary of the invention
鉴于上述问题,提出了本发明以便提供一种克服上述问题或者至少部分地解决上述问题的基于移动终端的支付方法、装置及移动终端。In view of the above problems, the present invention has been made in order to provide a mobile terminal-based payment method, apparatus, and mobile terminal that overcome the above problems or at least partially solve the above problems.
根据本发明的一方面,提供了一种基于移动终端的支付方法,包括:确定移动终端进入支付场景;检测移动终端的网络连接类型;根据网络连接类型建立移动终端至支付服务器的安全网络传输通道;利用安全网络传输通道传输支付数据,直至支付完成。According to an aspect of the present invention, a mobile terminal-based payment method is provided, including: determining that a mobile terminal enters a payment scenario; detecting a network connection type of the mobile terminal; and establishing a secure network transmission channel of the mobile terminal to the payment server according to the network connection type. Transfer the payment data using the secure network transmission channel until the payment is completed.
根据本发明的另一方面,还提供了一种基于移动终端的支付装置,该基于移动终端的支付装置包括:支付场景确定模块,配置为确定移动终端进入支付场景;网络连接检测模块,配置为检测移动终端的网络连接类型;传输通道建立模块,配置为根据网络连接类型建立移动终端至支付服务器的安全网络传输通道;支付数据传输模块,配置为利用安全网络传输通道传输支付数据,直至退出支付场景。 According to another aspect of the present invention, a mobile terminal-based payment device is further provided, the mobile terminal-based payment device comprising: a payment scenario determining module configured to determine that the mobile terminal enters a payment scenario; and a network connection detecting module configured to Detecting a network connection type of the mobile terminal; the transmission channel establishing module is configured to establish a secure network transmission channel of the mobile terminal to the payment server according to the network connection type; the payment data transmission module is configured to transmit the payment data by using the secure network transmission channel until the payment is withdrawn Scenes.
根据本发明的另一方面,还提供了一种移动终端。该移动终端包括了以上介绍的基于移动终端的支付装置。According to another aspect of the present invention, a mobile terminal is also provided. The mobile terminal includes the mobile terminal based payment device described above.
本发明的有益效果为:The beneficial effects of the invention are:
本发明的基于移动终端的支付方法和装置在进入支付场景后根据网络连接情况,建立安全的网络连接通道,避免网络截取支付数据,从网络传输的方面消除了移动支付的安全隐患。The mobile terminal-based payment method and device of the present invention establishes a secure network connection channel according to the network connection condition after entering the payment scenario, thereby avoiding network interception of payment data, and eliminating the security risk of mobile payment from the aspect of network transmission.
进一步地,本发明的支付方法在连接安全网络传输通道和数据传输过程中,采取重连和提示的方式保证网络通道的工作可靠性,减少用户的操作,提高用户体验。Further, in the connection method of the secure network transmission channel and the data transmission process, the payment method of the present invention adopts the reconnection and prompting manner to ensure the working reliability of the network channel, reduce the operation of the user, and improve the user experience.
此外,本发明将支付场景的识别具体到其活动界面,也即对应到其活动组件,增强识别的智能化程度,免除对用户操作的不必要的弹框骚扰,使应用程序的服务功能更为人性化,既满足安全需求,又符合使用习惯。In addition, the present invention specifically identifies the payment scenario to its active interface, that is, corresponding to its active component, enhances the intelligence of the recognition, eliminates unnecessary frame harassment of the user operation, and makes the service function of the application more Humanized, both to meet security needs and to meet usage habits.
根据本发明的又一方面,提供了一种计算机程序,其包括计算机可读代码,当所述计算机可读代码在计算设备上运行时,导致所述计算设备执行根据上文所述的基于移动终端的支付方法。According to still another aspect of the present invention, a computer program is provided, comprising computer readable code, when said computer readable code is run on a computing device, causing said computing device to perform a mobile based operation as described above The payment method of the terminal.
根据本发明的再一方面,提供了一种计算机可读介质,其中存储了上述的计算机程序。According to still another aspect of the present invention, a computer readable medium storing the above computer program is provided.
上述说明仅是本发明技术方案的概述,为了能够更清楚了解本发明的技术手段,而可依照说明书的内容予以实施,并且为了让本发明的上述和其它目的、特征和优点能够更明显易懂,以下特举本发明的具体实施方式。The above description is only an overview of the technical solutions of the present invention, and the above-described and other objects, features and advantages of the present invention can be more clearly understood. Specific embodiments of the invention are set forth below.
附图说明DRAWINGS
通过阅读下文优选实施方式的详细描述,各种其他的优点和益处对于本领域普通技术人员将变得清楚明了。附图仅用于示出优选实施方式的目的,而并不认为是对本发明的限制。而且在整个附图中,用相同的参考符号表示相同的部件。在附图中:Various other advantages and benefits will become apparent to those skilled in the art from a The drawings are only for the purpose of illustrating the preferred embodiments and are not to be construed as limiting. Throughout the drawings, the same reference numerals are used to refer to the same parts. In the drawing:
图1是根据本发明实施例的基于移动终端的支付装置的示意图;1 is a schematic diagram of a mobile terminal based payment device according to an embodiment of the present invention;
图2是根据本发明实施例的基于移动终端的支付方法的示意图;2 is a schematic diagram of a mobile terminal based payment method according to an embodiment of the present invention;
图3是根据本发明实施例的基于移动终端的支付方法中确定移动终端进入支付场景的流程图;3 is a flowchart of determining a mobile terminal entering a payment scenario in a mobile terminal-based payment method according to an embodiment of the present invention;
图4是根据本发明实施例的基于移动终端的支付方法的一种可选详细流程图;4 is an optional detailed flowchart of a mobile terminal based payment method according to an embodiment of the present invention;
图5示意性地示出了用于执行根据本发明的基于移动终端的支付方法的计算设备的框图;以及FIG. 5 schematically shows a block diagram of a computing device for performing a mobile terminal based payment method in accordance with the present invention;
图6示意性地示出了用于保持或者携带实现根据本发明的基于移动终端的支付方法的程序代码的存储单元。Fig. 6 schematically shows a storage unit for holding or carrying program code implementing a mobile terminal based payment method according to the present invention.
具体实施方式detailed description
下面结合附图和具体的实施方式对本发明作进一步的描述。The invention is further described below in conjunction with the drawings and specific embodiments.
图1是根据本发明一个实施例的基于移动终端的支付装置100的示意图,该基 于移动终端的支付装置100一般性地可以包括支付场景确定模块110、网络连接检测模块120、传输通道建立模块130、支付数据传输模块140、传输状态监控模块150、支付通道退出模块160,以上模块可以根据本实施例的基于移动终端的支付装置100的功能需求,灵活进行配置,在一些可选环境下,可以不配置以上所有模块。1 is a schematic diagram of a mobile terminal-based payment device 100, which is based on an embodiment of the present invention. The payment device 100 of the mobile terminal may generally include a payment scenario determining module 110, a network connection detecting module 120, a transmission channel establishing module 130, a payment data transmission module 140, a transmission state monitoring module 150, a payment channel exit module 160, and the above module. The configuration may be flexibly performed according to the functional requirements of the mobile terminal-based payment device 100 of the present embodiment. In some optional environments, all the above modules may not be configured.
本实施例的基于移动终端的支付装置100可以安装于本实施例的移动终端或其他移动支付设备中,并在移动终端进行移动支付的过程中运行,保证移动终端的支付数据的传输安全。The mobile terminal-based payment device 100 of the present embodiment can be installed in the mobile terminal or other mobile payment device of the embodiment, and runs in the process of the mobile terminal performing mobile payment to ensure the transmission security of the payment data of the mobile terminal.
在本实施例的基于移动终端的支付装置100的各部件中,支付场景确定模块110用于确定移动终端进入支付场景。支付场景的确定可以根据移动终端启动的客户端来判断,当检测到移动终端有新的客户端启动后,判断新启动的客户端是否为移动支付客户端,如果确定移动终端启动了支付客户端,则确定移动终端进入支付场景。判断新启动的客户端是否为移动支付客户端的过程可以通过本地的客户端列表验证以及客户端特征匹配来实现。In each component of the mobile terminal-based payment device 100 of the present embodiment, the payment scenario determining module 110 is configured to determine that the mobile terminal enters a payment scenario. The determination of the payment scenario may be determined according to the client initiated by the mobile terminal. When it is detected that the mobile terminal has a new client startup, it is determined whether the newly activated client is a mobile payment client, and if it is determined that the mobile terminal starts the payment client. And determining that the mobile terminal enters the payment scenario. The process of determining whether the newly launched client is a mobile payment client can be implemented by local client list verification and client feature matching.
支付场景确定模块110的一种具体结构可以设置:数据比对子模块和特征分析子模块。其中,数据比对子模块将客户端信息与预置的支付客户端列表的客户端信息进行比对,如果存在比对结果一致的列表项,则比对成功,支付客户端列表中预先保存有多种支付类客户端的特征信息。特征分析子模块提取客户端信息中的包名和标签名,查询包名和标签名中是否包含支付类客户端的特征关键字,若是则比对成功。数据比对子模块使用的支付客户端列表可以根据移动终端的具体使用情况进行动态调整,以记录所有已安装支付客户端的信息。特征分析子模块中使用的特征一般包括包名和标签名(lable),此外还可以包括签名、版本号等特征。特征分析可以在移动终端本地进行,也可以将特征信息上传至云端,由云端进行判断后,将判断结果返回给移动终端。A specific structure of the payment scenario determining module 110 may be configured: a data comparison sub-module and a feature analysis sub-module. The data comparison sub-module compares the client information with the client information of the preset payment client list. If there is a list item with the matching result, the comparison is successful, and the payment client list is pre-stored. Characteristic information of various payment class clients. The feature analysis sub-module extracts the package name and the tag name in the client information, and queries whether the package name and the tag name include the feature keyword of the payment client, and if so, the comparison is successful. The list of payment clients used by the data comparison sub-module can be dynamically adjusted according to the specific usage of the mobile terminal to record information of all installed payment clients. The features used in the feature analysis sub-module generally include a package name and a tag name (lable), and may also include signatures, version numbers, and the like. The feature analysis can be performed locally on the mobile terminal, or the feature information can be uploaded to the cloud, and the judgment result is returned to the mobile terminal after being judged by the cloud.
网络连接检测模块120检测移动终端的网络连接类型。一般网络连接类型可以包括移动运行商提供的各种网络制式的移动通信网络(例如各运营商提供的CDMA、GPRS、WCDMA、TD-CDMA、LTE等移动网络)、各种无线局域网(例如WIFI)。而对于无线局域网而言,又可以分为公共网络和加密网络,例如,用户可以利用无线路由器搭设自己的WIFI网络,而在一些公众场合下也提供了一些公共WIFI热点。有些恶意的WIFI伪装成无线热点,当有移动终端连接时,截取终端的通信数据,从而获取相关的用户名密码等信息。网络连接检测模块120可以通过检测移动终端介入的网络连接类型,确定是否存在信息传输泄露的隐患。例如,当移动终端接入的网络是初次连接的或者无加密措施的无线网络,则认为无线网络存在信息传输泄露的隐患。网络连接检测模块120可以采用类似于WiFi体检的流程检测移动终端的网络连接的情况,例如检测无线路由器的管理账号的安全性(例如采用默认密码)、路由器的WAN口的DNS是否被恶意篡改,路由器的DHCP服务的DNS是否被篡改,路由器是否允许被远程控制等项目,当以上检查项目可能出现安全隐患时,则提醒用户使用安全网络传输通道进行移动支付。The network connection detecting module 120 detects the network connection type of the mobile terminal. The general network connection type may include various network standard mobile communication networks provided by mobile operators (for example, mobile networks such as CDMA, GPRS, WCDMA, TD-CDMA, and LTE provided by various operators) and various wireless local area networks (for example, WIFI). . For wireless LANs, they can be divided into public networks and encrypted networks. For example, users can use their wireless routers to set up their own WIFI networks, and in some public places, they also provide some public WIFI hotspots. Some malicious WIFIs pretend to be wireless hotspots. When there is a mobile terminal connection, intercept the communication data of the terminal, thereby obtaining information such as the user name and password. The network connection detecting module 120 can determine whether there is a hidden danger of information transmission leakage by detecting the type of network connection in which the mobile terminal is involved. For example, when the network accessed by the mobile terminal is a wireless network that is initially connected or has no encryption, the wireless network is considered to have a hidden danger of information transmission leakage. The network connection detecting module 120 can detect the network connection of the mobile terminal by using a process similar to the WiFi physical check, for example, detecting the security of the management account of the wireless router (for example, using a default password), and whether the DNS of the router's WAN port is maliciously falsified. Whether the DNS of the router's DHCP service has been tampered with, whether the router is allowed to be remotely controlled, etc., when the above check items may have security risks, the user is reminded to use the secure network transmission channel for mobile payment.
传输通道建立模块130根据网络连接类型建立移动终端至支付服务器的安全网络传输通道。传输通道建立模块130的一种可选结构可以包括:判断子模块、提示 子模块、执行子模块。The transmission channel establishing module 130 establishes a secure network transmission channel of the mobile terminal to the payment server according to the network connection type. An optional structure of the transmission channel establishing module 130 may include: determining a submodule, prompting Submodule, execution submodule.
判断子模块判断网络连接类型是否为存在信息泄漏风险的无线传输网络;例如,当移动终端接入的网络是初次连接的或者无加密措施的无线网络,则认为无线网络存在信息传输泄露的隐患,另外当出现路由器的WAN口的DNS被恶意篡改,路由器的DHCP服务的DNS被篡改,路由器允许被远程控制等的情况下,也同样认为当前网络存在信息泄露风险。The determining sub-module determines whether the network connection type is a wireless transmission network with a risk of information leakage; for example, when the network accessed by the mobile terminal is a wireless network that is initially connected or has no encryption, the wireless network is considered to have a hidden danger of information transmission leakage. In addition, when the DNS of the router's WAN port is maliciously tampered with, the DNS of the router's DHCP service is tampered with, and the router is allowed to be remotely controlled, etc., it is also considered that there is a risk of information leakage on the current network.
提示子模块在判断子模块的判断结果为是的情况下,通过移动终端的界面提示网络连接的支付风险,并提供开启预设的虚拟专用网络传输的操作选项。例如界面上可以通过弹窗等方式提示当前网络连接的风险,提示用户使用该网络连接传送支付的隐患,并提供相应的选项,例如以菜单、按钮的方式提供开启预设的虚拟专用网络连接的操作入口。The prompt sub-module prompts the payment risk of the network connection through the interface of the mobile terminal when the judgment result of the sub-module is YES, and provides an operation option for starting the preset virtual private network transmission. For example, the interface may prompt the risk of the current network connection through a pop-up window, prompt the user to use the network connection to transmit the hidden danger of the payment, and provide corresponding options, such as providing a preset virtual private network connection by means of a menu or a button. Operational entrance.
执行子模块在接收到用户的操作后,根据用户对操作选项的操作连接对应的虚拟专用网络。例如,用户选择操作选项中以安全网络进行支付的按钮或菜单,执行子模块将移动终端的网络连接切换至安全传输状态,例如,将数据包重新封装然后通过IP隧道技术进行发送,一种可选的方式是采用虚拟专用网络(Virtual Private Network,简称VPN)技术进行数据传输,预先建立虚拟专用网络,用于处理移动终端的数据传输。执行子模块的一种工作流程为:向预设的虚拟专用网络发起连接请求;判断在预定时间内是否连接成功;若是,利用虚拟专用网络传输支付数据,并利用安全网络传输通道传输支付数据;若否,向预设的虚拟专用网络发起重连请求,直至连接成功或连接次数超过预设阈值,例如重连超过2次或3次,则认定连接不成功。如果出现连接VPN不成功,执行子模块还可以在连接次数超过预设阈值之后,通过移动终端提示虚拟专用网络连接不成功,并生成下一步操作的提示选项,按照用户对提示选项的选择执行对应的操作,提示选项包括以下任意一项或多项:暂时停止进行支付,尝试连接其他虚拟专用网络,忽略风险继续支付。After receiving the operation of the user, the execution sub-module connects to the corresponding virtual private network according to the operation of the operation option by the user. For example, the user selects a button or menu in the operation option to pay with a secure network, and the execution sub-module switches the network connection of the mobile terminal to a secure transmission state, for example, repackaging the data packet and then transmitting it through IP tunneling technology, The method of selecting is to use a virtual private network (VPN) technology for data transmission, and pre-establish a virtual private network for processing data transmission of the mobile terminal. A workflow of the execution sub-module is: initiating a connection request to a preset virtual private network; determining whether the connection is successful within a predetermined time; if yes, transmitting the payment data by using the virtual private network, and transmitting the payment data by using the secure network transmission channel; If not, a reconnection request is initiated to the preset virtual private network until the connection is successful or the number of connections exceeds a preset threshold, for example, reconnection is more than 2 times or 3 times, and the connection is deemed unsuccessful. If the connection VPN is unsuccessful, the execution sub-module may also prompt the virtual private network connection to be unsuccessful through the mobile terminal after the connection number exceeds the preset threshold, and generate a prompt option for the next operation, and perform corresponding operation according to the user's selection of the prompt option. The operation, prompt options include any one or more of the following: temporarily stop the payment, try to connect to other virtual private networks, ignore the risk to continue to pay.
支付数据传输模块140在传输通道建立模块130完成传输通道建立后,可以利用安全网络传输通道传输支付数据,直至支付完成。在传输过程中,支付数据传输模块140可以采用透明传输的方式在移动终端与支付服务器之间进行交互数据,即保证发送方和接收方数据的长度和内容完全一致,保证数据传输的兼容性。After the transmission channel establishing module 130 completes the transmission channel establishment, the payment data transmission module 140 can transmit the payment data by using the secure network transmission channel until the payment is completed. During the transmission process, the payment data transmission module 140 can perform interactive data exchange between the mobile terminal and the payment server by means of transparent transmission, that is, the length and content of the data of the sender and the receiver are completely consistent, and the compatibility of data transmission is ensured.
传输状态监控模块150在支付数据传输模块140进行数据传输的过程中,监控安全网络传输通道的传输状态,并在传输状态出现异常时,例如连接断开或者数据错误等,向安全网络传输通道重新发起连接请求。从而保证网络连接的可靠性,提高用户体验。The transmission status monitoring module 150 monitors the transmission status of the secure network transmission channel during the data transmission by the payment data transmission module 140, and retransmits the transmission channel to the secure network when an abnormality occurs in the transmission status, such as a disconnection or a data error. Initiate a connection request. Thereby ensuring the reliability of the network connection and improving the user experience.
支付通道退出模块160退出支付场景之后断开安全网络传输通道。释放安全传输通道的链接能力,减少安全传输通道的负载压力,并保证移动终端其他功能的正常运行。The payment channel exit module 160 disconnects the secure network transmission channel after exiting the payment scenario. Release the link capability of the secure transmission channel, reduce the load pressure of the secure transmission channel, and ensure the normal operation of other functions of the mobile terminal.
以上安全传输通道可以使用包括VPN的各种IP隧道技术实现支付数据的透明转发。The above secure transmission channel can implement transparent forwarding of payment data by using various IP tunnel technologies including VPN.
在本发明一实施例中,基于虚拟专用网络建立的安全网络传输通道,即基于虚拟专网协议实现的通信隧道,具体而言,可以采用PPTP、L2TP、IPSEC中任意一种 协议实现,通过该通信隧道,对移动终端支付场景下特别是涉及支付的活动界面相关组件所涉的远程通信数据进行加密传输,可以进一步确保相关支付数据的安全,使其不易被窃取或破解。In an embodiment of the present invention, the secure network transmission channel established based on the virtual private network, that is, the communication tunnel implemented based on the virtual private network protocol, specifically, any one of PPTP, L2TP, and IPSEC may be adopted. The protocol is implemented, and the remote communication data involved in the mobile terminal payment scenario, particularly related to the active interface related to the payment, is encrypted and transmitted through the communication tunnel, thereby further ensuring the security of the related payment data, making it difficult to be stolen or cracked.
为了实现对通信隧道的建立和维护,本发明的方法中,可以预先向系统注册一服务模块,通过该服务模块对系统运行环境实施监控,以取得建立和维护所述通信隧道的控制权。该服务模块,在实现形式上较为灵活,可以与前述的装置的各个模块一并集成在同一程序中。In order to implement the establishment and maintenance of the communication tunnel, in the method of the present invention, a service module may be registered in advance with the system, and the system operating environment is monitored by the service module to obtain control rights for establishing and maintaining the communication tunnel. The service module is flexible in implementation form and can be integrated into the same program together with each module of the aforementioned device.
所述的服务模块,在监控到进入支付场景之后,未建立所述的通信隧道之前,先向用户界面弹框,以提示用户是否建立所述的通信隧道,当用户选择建立所述通信隧道时,由该服务模块负责调用系统功能,建立基于虚拟专网协议的通信隧道;否则,则不建立该通信隧道。也即,服务模块将是否建立通信隧道的控制权交给用户处理,以用户选定为依据决定是否建立所述通信隧道。The service module, after monitoring the incoming payment scenario, does not establish the communication tunnel, and then prompts the user interface to prompt the user whether to establish the communication tunnel, when the user selects to establish the communication tunnel. The service module is responsible for invoking the system function and establishing a communication tunnel based on the virtual private network protocol; otherwise, the communication tunnel is not established. That is, the service module gives control of whether to establish a communication tunnel to the user for processing, and determines whether to establish the communication tunnel based on the user selection.
进一步,当所述通信隧道不复存在时,退出所述的支付场景。Further, when the communication tunnel no longer exists, the payment scenario is exited.
通信隧道不复存在,是指所述的服务模块通过多次尝试均未能成功建立所述通信隧道,或者虽然一度成功建立该通信隧道,但后续断开后,未能再次建立所述通信隧道,又或者用户通过第三方应用强制断开所述通信隧道等情况。在这种情况下,意味着支付场景将工作在公共连接环境下,无法达到本发明所要达到的安全支付环境的构建目的,因此,本发明的方法,便会强制退出该支付场景,拒绝用户的后续支付操作。The communication tunnel no longer exists, which means that the service module fails to establish the communication tunnel successfully through multiple attempts, or although the communication tunnel is successfully established once, but after the subsequent disconnection, the communication tunnel cannot be established again. Or the user forcibly disconnects the communication tunnel through a third-party application. In this case, it means that the payment scenario will work in a public connection environment and cannot achieve the construction purpose of the secure payment environment to be achieved by the present invention. Therefore, the method of the present invention forcibly withdraws from the payment scenario and rejects the user's Subsequent payment operations.
退出所述支付场景之前,可以先关闭用于执行支付指令的活动界面,然后再退出整个应用,完成支付场景的退出。在支付场景的最终退出前,可以进一步查看通信隧道是否依然存在,将其彻底关断后再行退出,以免影响系统的后续操作。Before exiting the payment scenario, the active interface for executing the payment instruction may be closed, and then the entire application is exited to complete the exit of the payment scenario. Before the final exit of the payment scenario, you can further check whether the communication tunnel still exists, and then completely shut it down before exiting, so as not to affect the subsequent operation of the system.
以上的本发明的实施例,能够确保支付场景的运行及其数据的远程传输,均基于安全的通信隧道而进行,从而确保移动终端的支付操作的安全。The above embodiments of the present invention are capable of ensuring that the operation of the payment scenario and the remote transmission of the data are performed based on a secure communication tunnel, thereby ensuring the security of the payment operation of the mobile terminal.
然而,由于上例中,执行安全连接支付方法的基础,是基于对支付场景的识别而进行,这样的支付场景的识别,被定位到应用程序包的层面,也即针对具体某个应用程序进行识别和处理。例如,一旦微信、支付宝之类的第三方支付应用被启动,即意味着启动了所述的支付场景,即触发本发明所述的服务模块,服务模块便会尝试弹框询问,或者直接去建立通信隧道(在某些未详述的实施例中实现),而用户使用这类应用的目的,并非每次均是要进行在线支付,这样,频繁地人机交互将使用户不厌其烦。However, in the above example, the basis for performing the secure connection payment method is based on the identification of the payment scenario, and the identification of such a payment scenario is located at the level of the application package, that is, for a specific application. Identification and processing. For example, once a third-party payment application such as WeChat or Alipay is activated, it means that the payment scenario is activated, that is, the service module described in the present invention is triggered, and the service module will try to query the frame or directly establish the service module. Communication tunnels (implemented in some undescribed embodiments), and the purpose of the user's use of such applications is not to make online payments each time, such that frequent human interactions will cause the user to bother.
为此,根据本发明的实施例,还提供了以下方式来确定移动终端进入支付场景,或者说确定支付场景被启动。To this end, according to an embodiment of the present invention, the following manner is also provided to determine that the mobile terminal enters a payment scenario, or determines that a payment scenario is initiated.
首先,本实施例对所述支付场景的确定,具体到第三方支付应用的活动界面的层面。具体而言,本发明可以通过如下方式识别到支付场景中的活动界面:First, the determination of the payment scenario in this embodiment is specific to the level of the active interface of the third-party payment application. Specifically, the present invention can identify an active interface in a payment scenario by:
以Android系统为例,其应用程序中,每一活动界面即对应一个活动组件,即Activity,Activity即为Android的可执行组件之一。从功能的角度看,支付应用往往包括多种活动界面,包括用于执行支付操作(指令)的活动界面,和用于展示信息的活动界面等。各个Activity之间的调用,借助Intent技术实现,通过HOOK(钩子) 技术截获Intent(意图)便可知晓当前活动界面所对应的活动组件的调用意图,从而判断出用户是否存在进行支付操作的真实活动意图,在确定用户存在该真实活动意图的前提下,才视为支付场景被启动的确定,也就是说,将前一实施例中的支付场景的概念狭义理解,仅将支付应用中一系列用于执行支付操作的活动界面视为支付场景,在通过关键特征识别该些活动界面中的一个或多个被调用之后,来确定支付应用是否已经进入所述支付场景。这里所称的一个或多个,例如,当调用用于确定是否立即支付的活动界面时,这时必然可以判定为处于支付场景中;当调用用于选定银行卡、用于查询账单之类的活动界面时,可以将这些内容不同但却与支付实际相关的活动界面陆续被调用时,视为用户有意进入支付场景。因此,通过对活动界面调用关系的识别,足可确定当前进程是否启动支付场景。所谓通过关键特征识别活动界面,例如涉及HOOK技术中对进程信息的获取,获知活动界面相关的类名之类的关键词,作为逻辑判断的基础等,为本领域技术人员所知晓,恕不赘述。本例中,对支付场景的确定,在活动界面被调用之前,此时活动界面尚未处于激活状态,本发明即可先行建立通信隧道,响应及时,识别高效。Take the Android system as an example. In the application, each active interface corresponds to an active component, that is, Activity, and Activity is one of the executable components of Android. From a functional point of view, payment applications often include multiple activity interfaces, including an activity interface for performing payment operations (instructions), and an activity interface for presenting information. The call between the various activities, implemented by means of Intent technology, through HOOK (hook) The technology intercepts the Intent to know the calling intention of the active component corresponding to the current active interface, thereby determining whether the user has the real activity intention of performing the payment operation, and determining that the user has the intention of the real activity, The determination that the payment scenario is initiated, that is, the concept of the payment scenario in the previous embodiment is narrowly understood, and only a series of active interfaces for performing payment operations in the payment application are regarded as payment scenarios, and key features are identified. After one or more of the active interfaces are invoked, it is determined whether the payment application has entered the payment scenario. One or more referred to herein, for example, when invoking an active interface for determining whether to pay immediately, may inevitably be determined to be in a payment scenario; when calling for a selected bank card, for querying a bill, etc. When the active interface is different, but the active interfaces related to the payment are successively called, the user is deemed to be interested in entering the payment scenario. Therefore, by identifying the calling relationship of the active interface, it is sufficient to determine whether the current process starts the payment scenario. The so-called key feature recognition activity interface, for example, involves the acquisition of process information in the HOOK technology, and the keyword of the class name related to the activity interface, as a basis for logical judgment, etc., which are known to those skilled in the art, and will not be described . In this example, the determination of the payment scenario is performed before the active interface is invoked, and the active interface is not yet activated. The present invention can establish a communication tunnel first, and the response is timely and the identification is efficient.
同样以Android为例,借助Android的广播消息机制。本发明的方法,通过其提供的服务模块,可以从消息队列中,获得当前已经被激活的活动界面,通过当前活动界面的关键特征信息,便可以作为确定是否启动所述支付场景的基础,进而确定是否需要建立所述通信隧道。Also take Android as an example, with the help of Android's broadcast messaging mechanism. The method of the present invention can obtain the active interface that has been activated from the message queue through the service module provided by the method, and the key feature information of the current active interface can be used as a basis for determining whether to start the payment scenario. Determine if the communication tunnel needs to be established.
本发明中,无论是通过Intent还是广播消息,均可以利用对活动界面的关键特征信息的逻辑分析,来实现用户操作习惯的行为轨迹的判断。例如,当微信运行后,进入“钱包”活动界面,继而点击“转账”页面,即可判定为需要进行支付操作,继而视为启动了所述支付场景,而作为建立所述通信隧道的技术依据。In the present invention, whether through the Intent or the broadcast message, the logic analysis of the key feature information of the active interface can be utilized to realize the judgment of the behavior track of the user's operating habit. For example, when the WeChat is running, entering the "wallet" activity interface, and then clicking the "transfer" page, it can be determined that the payment operation needs to be performed, and then the payment scenario is deemed to be initiated, and as a technical basis for establishing the communication tunnel. .
可以看出,如果利用广播消息来实现活动界面关键特征信息的识别,则在建立所述通信隧道之前,所述活动界面已经处于激活状态,位于堆栈的顶部;如果利用Intent隔离的方式来获得与调用有关的活动界面关键特征信息,则建立所述通信隧道之前,所述活动界面可能处于非激活状态,包括暂停、停止、结束等状态,直到成功建立所述通信隧道后,才激活相关Activity,从而显示活动界面。It can be seen that if the broadcast message is used to realize the identification of the key feature information of the active interface, the active interface is already in an active state at the top of the stack before establishing the communication tunnel; if the Intent is used to obtain the Calling the relevant active interface key feature information, before the communication tunnel is established, the active interface may be in an inactive state, including a pause, stop, end, etc., until the communication tunnel is successfully established, and then the related activity is activated. This shows the active interface.
其次,本实施例中,通信隧道的作用主要用于传输与支付有关的数据,而不关心当前支付应用的其它与支付无关的活动界面所对应的活动组件所涉的数据是否需要通过通信隧道进行传输。Secondly, in this embodiment, the role of the communication tunnel is mainly for transmitting data related to payment, and does not care whether the data involved in the active component corresponding to the other payment-independent active interface of the current payment application needs to be performed through the communication tunnel. transmission.
当将支付场景是否启动的判定基础具体到应用程序的活动界面继而才建立所述的通信隧道时,所述通信隧道便主要用于传输所述支付场景所包含的用于执行支付指令的活动界面的数据,理论上,在数据传输的广义角度来理解,则是仅用于传输这种活动界面所使用的数据。实际上,这些数据不仅包括涉及的支付相关的密码、金额以及指令,还包括与确定这些数据正确传输的相关数据。但对于本发明而言,重点便是关注这些与支付有关的各种类型的数据,确保其通过所述通信隧道进行安全传输。When the determination basis of whether the payment scenario is initiated is specific to the active interface of the application, and then the communication tunnel is established, the communication tunnel is mainly used to transmit an active interface for executing the payment instruction included in the payment scenario. The data, in theory, understood in the broad sense of data transmission, is only used to transmit the data used by such active interfaces. In fact, these data include not only the payment-related passwords, amounts, and instructions involved, but also related data that determines the correct transmission of such data. However, for the purposes of the present invention, the focus is on these various types of data related to payment, ensuring that it is securely transmitted through the communication tunnel.
以上确定支付场景被启动的方式,进一步确保安全通信的实现,并且改善了人机交互的用户体验。 The above determines the manner in which the payment scenario is initiated, further ensuring the implementation of secure communication, and improving the user experience of human-computer interaction.
本发明实施例还提供了一种基于移动终端的支付方法,该支付方法可以由以上实施例的基于移动终端的支付装置执行,以消除移动支付的安全隐患,保证用户的财产信息安全,图2是根据本发明实施例的基于移动终端的支付方法的示意图,如图所示,该基于移动终端的支付方法包括:The embodiment of the present invention further provides a mobile terminal-based payment method, which can be executed by the mobile terminal-based payment device of the above embodiment to eliminate the security risk of the mobile payment and ensure the security of the user's property information. A mobile terminal-based payment method according to an embodiment of the present invention. As shown in the figure, the mobile terminal-based payment method includes:
步骤S202,确定移动终端进入支付场景;Step S202, determining that the mobile terminal enters a payment scenario;
步骤S204,检测移动终端的网络连接类型;Step S204, detecting a network connection type of the mobile terminal;
步骤S206,根据网络连接类型建立移动终端至支付服务器的安全网络传输通道;Step S206, establishing a secure network transmission channel of the mobile terminal to the payment server according to the network connection type;
步骤S208,利用安全网络传输通道传输支付数据,直至支付完成。Step S208, the payment data is transmitted by using the secure network transmission channel until the payment is completed.
步骤S202中支付场景的确定可以根据移动终端启动的客户端来判断,当检测到移动终端有新的客户端启动后,判断新启动的客户端是否为移动支付客户端,如果确定移动终端启动了支付客户端,则确定移动终端进入支付场景。判断新启动的客户端是否为移动支付客户端的过程可以通过本地的客户端列表验证以及客户端特征匹配来实现。图3是根据本发明实施例的基于移动终端的支付方法中确定移动终端进入支付场景的流程图,该流程包括:The determining of the payment scenario in step S202 may be determined according to the client initiated by the mobile terminal. When it is detected that the mobile terminal has a new client, it is determined whether the newly activated client is a mobile payment client, and if it is determined that the mobile terminal is activated. The payment client determines that the mobile terminal enters the payment scenario. The process of determining whether the newly launched client is a mobile payment client can be implemented by local client list verification and client feature matching. FIG. 3 is a flowchart of determining a mobile terminal entering a payment scenario in a mobile terminal-based payment method according to an embodiment of the present invention, where the process includes:
步骤S302,监控移动终端中是否有新的客户端启动;Step S302, monitoring whether a new client is started in the mobile terminal;
步骤S304,判断新启动的客户端是否是本地支付客户端列表中记录的客户端,若是,确定进入支付场景,若否,可以进一步执行步骤S306确定未进入支付场景;Step S304, determining whether the newly started client is a client recorded in the local payment client list, and if yes, determining to enter the payment scenario, and if not, performing step S306 to determine that the payment scenario is not entered;
步骤S306,判断新启动的客户端的特征是否与支付类客户端特征关键字匹配若是,确定进入支付场景,若否,确定未进入支付场景;Step S306, determining whether the feature of the newly activated client matches the payment type client feature keyword, if yes, determining to enter the payment scenario, and if not, determining not to enter the payment scenario;
在步骤S304中,移动终端在本地中可以预先保存一个支付客户端列表,用于记录移动终端安装的支付类客户端信息,当新启动的客户端不在列表中时,可以利用云查询的方法进一步确定,例如对客户端的包名、标签名、版本信息等特征与云端保存的支付类客户端的特征关键字进行匹配。从而在确定打开支付类客户端后,就可以认为移动终端进入支付场景。以上支付客户端列表可以根据移动终端的使用情况进行动态调整,以记录所有已安装支付客户端的信息。In step S304, the mobile terminal may pre-store a payment client list for recording the payment client information installed by the mobile terminal. When the newly launched client is not in the list, the cloud query may be further used. It is determined that, for example, the characteristics such as the package name, the tag name, and the version information of the client are matched with the feature keywords of the payment type client saved in the cloud. Therefore, after determining to open the payment type client, the mobile terminal can be considered to enter the payment scenario. The above payment client list can be dynamically adjusted according to the usage of the mobile terminal to record information of all installed payment clients.
在本发明的另一实施例中,还可以通过上文提及的对第三方支付应用的活动界面的关键特征进行判断,确定是否已进入支付场景,此处不再赘述。In another embodiment of the present invention, the key features of the active interface of the third-party payment application mentioned above may be determined to determine whether the payment scenario has been entered, and details are not described herein again.
在步骤S202之后,还可以首先对支付客户端进行版本校验,并进行支付清场,即关闭与支付无关的进程。After step S202, the payment client may also be first verified by the version, and the payment is cleared, that is, the process unrelated to the payment is closed.
步骤S204的一种可选流程为:判断网络连接类型是否为存在信息泄漏风险的无线传输网络;若是,通过移动终端的界面提示网络连接的支付风险,并提供开启预设的虚拟专用网络传输的操作选项;根据用户对操作选项的操作连接对应的虚拟专用网络。例如,当移动终端接入的网络是初次连接的或者无加密措施的无线网络,则认为无线网络存在信息传输泄露的隐患,另外当出现路由器的WAN口的DNS被恶意篡改,路由器的DHCP服务的DNS被篡改,路由器允许被远程控制等的情况下,也同样认为当前网络存在信息泄露风险。An optional process of step S204 is: determining whether the network connection type is a wireless transmission network with a risk of information leakage; if yes, prompting the payment risk of the network connection through the interface of the mobile terminal, and providing the preset virtual private network transmission Operation options; connect the corresponding virtual private network according to the user's operation on the operation options. For example, when the network accessed by the mobile terminal is a wireless network that is initially connected or has no encryption, the wireless network is considered to have a hidden danger of information transmission leakage, and when the DNS of the router's WAN port is maliciously tampered with, the router's DHCP service is In the case where the DNS is tampered with, the router is allowed to be remotely controlled, etc., the current network is also considered to be at risk of information leakage.
在用户选择使用本实施例的基于移动终端的支付方法提供的安全网络传输通道时,步骤S206的一种可选流程为:向预设的虚拟专用网络发起连接请求;判断在预 定时间内是否连接成功;若是,利用虚拟专用网络传输支付数据;若否,向预设的虚拟专用网络发起重连请求,直至连接成功或连接次数超过预设阈值。重连次数阈值可以根据实际情况进行配置,例如配置为2次或3次。When the user selects to use the secure network transmission channel provided by the mobile terminal-based payment method of the embodiment, an optional process of step S206 is: initiating a connection request to the preset virtual private network; Whether the connection is successful within a certain time; if yes, the virtual private network is used to transmit the payment data; if not, the reconnection request is initiated to the preset virtual private network until the connection is successful or the number of connections exceeds a preset threshold. The reconnection threshold can be configured according to the actual situation, for example, configured as 2 or 3 times.
如果出现在连接次数超过预设阈值的情况,也就是虚拟专用网络无法成功连接:还可以通过移动终端提示虚拟专用网络连接不成功,并生成下一步操作的提示选项,提示选项包括以下任意一项或多项:暂时停止进行支付,尝试连接其他虚拟专用网络,忽略风险继续支付;按照用户对提示选项的选择执行对应的操作。If the number of connections exceeds the preset threshold, that is, the virtual private network cannot be successfully connected: the mobile terminal may also prompt the virtual private network connection to be unsuccessful, and generate a prompt option for the next operation, and the prompt option includes any of the following options. Or multiple: temporarily stop the payment, try to connect to other virtual private networks, ignore the risk to continue to pay; follow the user's choice of prompt options to perform the corresponding operations.
如果虚拟专用网络组成的安全网络传输通道成功建立,步骤S206可以通过安全网络传输通道实现移动终端与支付服务器之间的交互数据的透明传输。在传输过程中,还可以监控安全网络传输通道的传输状态,并在传输状态出现异常时,向虚拟专用网络重新发起连接请求。If the secure network transmission channel formed by the virtual private network is successfully established, step S206 can implement transparent transmission of the interaction data between the mobile terminal and the payment server through the secure network transmission channel. During the transmission process, the transmission status of the secure network transmission channel can also be monitored, and when the transmission status is abnormal, the connection request is re-initiated to the virtual private network.
在步骤S208完成支付之后还包括:断开安全网络传输通道并退出支付场景,从而释放虚拟专用网络的负载,并且恢复其他进程的运行。After completing the payment in step S208, the method further includes: disconnecting the secure network transmission channel and exiting the payment scenario, thereby releasing the load of the virtual private network, and restoring the operation of other processes.
以上安全服务通道可以利用VPN技术或其他IP隧道技术实现,VPN可以利用IP和其他网络的承载功能,结合相应的认证和授权机制,可以建立安全的虚拟专用网络。本实施例的基于移动终端的支付方法的执行方可以将其内部网通过一条专线接入到互联网络,用户即可在国内任何地方使用VPN通道业务进入到该虚拟专用网中,安全地访问自己所需要的信息资源。The above security service channel can be implemented by using VPN technology or other IP tunneling technology. The VPN can utilize the bearer function of IP and other networks, and combine the corresponding authentication and authorization mechanisms to establish a secure virtual private network. The executor of the mobile terminal-based payment method of this embodiment can access its internal network to the internet through a dedicated line, and the user can use the VPN channel service to enter the virtual private network anywhere in the country, and securely access the network. The information resources needed.
本实施例可以使用无线VPN网络,VPN网络可以设在运营商的无线数据网内,与互联网是隔离的,移动终端连接无线VPN网络,首先要连接该无线VPN所承载的接入点名称的网络(Access Point Name,简称APN)网络,其他APN网络或联网通道的用户无法访问该VPN网络。In this embodiment, a wireless VPN network can be used. The VPN network can be located in the wireless data network of the operator and is isolated from the Internet. The mobile terminal is connected to the wireless VPN network, and firstly, the network of the access point name carried by the wireless VPN is connected. (Access Point Name, APN for short) network, users of other APN networks or networked channels cannot access the VPN network.
无线VPN网络可以采用构建在APN网络之上的虚拟专用网络,无线VPN网络的连接流程是,先连接承载VPN网络的APN通道,再建立VPN网络。VPN网络的联网参数包括承载的APN网络的联网参数和VPN的联网参数。VPN连接后,移动终端只能连接VPN网络,这是系统在网络管理中路由管理实现的一种限制。所以在完成支付后需要退出VPN网络。The wireless VPN network can adopt a virtual private network built on the APN network. The connection process of the wireless VPN network is to first connect the APN channel carrying the VPN network, and then establish a VPN network. The networking parameters of the VPN network include the networking parameters of the carried APN network and the networking parameters of the VPN. After the VPN connection, the mobile terminal can only connect to the VPN network, which is a limitation of the system implementation of the route management in the network management. Therefore, you need to exit the VPN network after completing the payment.
图4是根据本发明实施例的基于移动终端的支付方法的一种可选详细流程图,如图,在确定移动终端进入支付场景且关闭无关进程完成清场后,执行以下步骤:4 is an optional detailed flowchart of a mobile terminal-based payment method according to an embodiment of the present invention. As shown in the figure, after determining that a mobile terminal enters a payment scenario and closes an unrelated process to complete the clearing, the following steps are performed:
步骤S402,判断移动终端接入的网络为公共WiFi,若是,执行步骤S404,若否执行步骤S416;除了判断公共WiFi外,还可以进一步采用类似与WiFi体检的方式进行网络判断,例如检测无线路由器的管理账号的安全性(例如采用默认密码)、路由器的WAN口的DNS是否被恶意篡改,路由器的DHCP服务的DNS是否被篡改,路由器是否允许被远程控制等项目,当以上检查项目可能出现安全隐患时,则执行步骤S404;In step S402, it is determined that the network accessed by the mobile terminal is a public WiFi. If yes, step S404 is performed, and if no, step S416 is performed; in addition to determining the public WiFi, the network judgment may be further performed in a manner similar to the WiFi physical check, for example, detecting the wireless router. Security of the management account (for example, using the default password), whether the DNS of the router's WAN port has been maliciously tampered, whether the DNS of the router's DHCP service has been tampered with, whether the router is allowed to be remotely controlled, etc., when the above check items may appear safe In case of hidden danger, step S404 is performed;
步骤S404,弹出风险提示界面,建议使用安全支付VPN,并提供用户选择按钮或选择菜单;Step S404, popping up the risk prompt interface, suggesting to use a secure payment VPN, and providing a user selection button or a selection menu;
步骤S406,检测用户是否选择使用安全支付VPN,若是,执行步骤S408,若否执行步骤S424; Step S406, detecting whether the user chooses to use the secure payment VPN, and if so, executing step S408, and if not, executing step S424;
步骤S408,尝试连接安全支付VPN;Step S408, attempting to connect to a secure payment VPN;
步骤S410,判断安全支付VPN在5秒内是否连接成功,若是,执行步骤S412,若否执行步骤S418,5秒的阈值可以根据实际使用情况进行修改,此处仅为例举,并非对本实施例的限制;In step S410, it is determined whether the secure payment VPN is successfully connected within 5 seconds. If yes, step S412 is performed. If no step S418 is performed, the threshold of 5 seconds may be modified according to the actual use situation, which is merely an example, not the embodiment. limits;
步骤S412,使用安全支付VPN进行后继支付操作;Step S412, performing a subsequent payment operation using a secure payment VPN;
步骤S414,在后继操作过程中VPN中断,若是,返回执行步骤S408进行重连,若否执行步骤S416;Step S414, the VPN is interrupted during the subsequent operation, and if so, returning to step S408 to perform reconnection, if not, executing step S416;
步骤S416,完成移动支付操作;Step S416, completing the mobile payment operation;
步骤S418,判断连接次数是否已经超过阈值,例如已经连接2次失败,若是执行步骤S420,若否执行步骤S422,重连次数的阈值可以根据实际使用情况进行修改,此处的2次仅为例举,并非对本实施例的限制;In step S418, it is determined whether the number of connections has exceeded the threshold, for example, the connection has failed twice. If the step S420 is performed, if the step S422 is performed, the threshold of the number of reconnections can be modified according to the actual usage, and the two times here are only examples. It is not a limitation of this embodiment;
步骤S420,提示VPN暂时不可用,建议用户暂时不进行支付操作,并提供退出支付和继续支付的选项;Step S420, prompting that the VPN is temporarily unavailable, suggesting that the user temporarily not perform the payment operation, and providing an option to withdraw the payment and continue to pay;
步骤S422,接收用户是否尝试再次连接的选项若是返回执行步骤S408,若否执行步骤S424;Step S422, if the option of receiving the user to try to connect again is returned to step S408, if not step S424;
步骤S424,使用当前连接的公共WiFi网络完成后继支付操作;Step S424, completing a subsequent payment operation by using the currently connected public WiFi network;
步骤S426,判断用户是否选择“暂时不进行支付操作”的选项,若否返回执行步骤S424,若是执行步骤S428;Step S426, determining whether the user selects the option of "temporarily not performing the payment operation", if not, returning to step S424, if yes, executing step S428;
步骤S428,退出支付客户端,从而退出支付场景;Step S428, exiting the payment client, thereby exiting the payment scenario;
步骤S430,判断安全支付VPN是否仍然继续连接,若是断开安全支付VPN后结束流程,若已断开,直接结束流程,恢复进入支付场景前的移动终端状态。In step S430, it is determined whether the secure payment VPN is still connected. If the secure payment VPN is disconnected, the process ends. If it is disconnected, the process is directly terminated, and the state of the mobile terminal before entering the payment scenario is restored.
需要说明的是,以上重连次数的阈值以及连接时间的设定并不局限于2次和5秒,可以根据应用环境灵活进行调整,VPN也可以采用其他各种实现数据透明转发的IP隧道技术。另外,还可以提供多个VPN供用户选择,进一步提高网络连接的可靠性。It should be noted that the threshold of the number of reconnection times and the setting of the connection time are not limited to two times and five seconds, and can be flexibly adjusted according to the application environment, and the VPN can also adopt various other IP tunnel technologies that implement data transparent forwarding. . In addition, multiple VPNs can be provided for users to choose, further improving the reliability of network connections.
本实施例的基于移动终端的支付方法和装置与移动终端针对移动支付,通过切换联网通道的方法,利用VPN或其他IP隧道传输技术进行移动支付,满足网络业务与安全支付不同应用的安全切换需求,保障在支付操作过程中,移动终端唯一联网专用移动安全支付数据网络,杜绝传输通道给移动支付的安全隐患,结合其他措施和手段确保移动支付系统的安全。进一步,本发明的支付方法在连接安全网络传输通道和数据传输过程中,采取重连和提示的方式保证网络通道的工作可靠性,减少用户的操作,提高用户体验。The mobile terminal-based payment method and apparatus of the present embodiment and the mobile terminal for mobile payment, use the VPN or other IP tunnel transmission technology to perform mobile payment by switching the networking channel, and satisfy the security switching requirements of the network service and the secure payment for different applications. In the process of payment operation, the mobile terminal only has a unique networked dedicated mobile secure payment data network, which eliminates the security risks of the transmission channel to mobile payment, and combines other measures and means to ensure the security of the mobile payment system. Further, in the connection method of the secure network transmission channel and the data transmission process, the payment method of the present invention adopts the reconnection and prompting manner to ensure the working reliability of the network channel, reduce the operation of the user, and improve the user experience.
此外,本发明将支付场景的识别具体到其活动界面,也即对应到其活动组件,增强识别的智能化程度,免除对用户操作的不必要的弹框骚扰,使应用程序的服务功能更为人性化,既满足安全需求,又符合使用习惯。In addition, the present invention specifically identifies the payment scenario to its active interface, that is, corresponding to its active component, enhances the intelligence of the recognition, eliminates unnecessary frame harassment of the user operation, and makes the service function of the application more Humanized, both to meet security needs and to meet usage habits.
在此处所提供的说明书中,说明了大量具体细节。然而,能够理解,本发明的实施例可以在没有这些具体细节的情况下实践。在一些实例中,并未详细示出公知的方法、结构和技术,以便不模糊对本说明书的理解。In the description provided herein, numerous specific details are set forth. However, it is understood that the embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures, and techniques are not shown in detail so as not to obscure the understanding of the description.
类似地,应当理解,为了精简本公开并帮助理解各个发明方面中的一个或多个, 在上面对本发明的示例性实施例的描述中,本发明的各个特征有时被一起分组到单个实施例、图、或者对其的描述中。然而,并不应将该公开的方法解释成反映如下意图:即所要求保护的本发明要求比在每个权利要求中所明确记载的特征更多的特征。更确切地说,如下面的权利要求书所反映的那样,发明方面在于少于前面公开的单个实施例的所有特征。因此,遵循具体实施方式的权利要求书由此明确地并入该具体实施方式,其中每个权利要求本身都作为本发明的单独实施例。Similarly, it should be understood that in order to streamline the present disclosure and to help understand one or more of the various inventive aspects, In the above description of the exemplary embodiments of the present invention, various features of the present invention are sometimes grouped together in a single embodiment, figure, or description. However, the method disclosed is not to be interpreted as reflecting the intention that the claimed invention requires more features than those recited in the claims. Rather, as the following claims reflect, inventive aspects reside in less than all features of the single embodiments disclosed herein. Therefore, the claims following the specific embodiments are hereby explicitly incorporated into the embodiments, and each of the claims as a separate embodiment of the invention.
本领域那些技术人员可以理解,可以对实施例中的设备中的模块进行自适应性地改变并且把它们设置在与该实施例不同的一个或多个设备中。可以把实施例中的模块或单元或组件组合成一个模块或单元或组件,以及此外可以把它们分成多个子模块或子单元或子组件。除了这样的特征和/或过程或者单元中的至少一些是相互排斥之外,可以采用任何组合对本说明书(包括伴随的权利要求、摘要和附图)中公开的所有特征以及如此公开的任何方法或者设备的所有过程或单元进行组合。除非另外明确陈述,本说明书(包括伴随的权利要求、摘要和附图)中公开的每个特征可以由提供相同、等同或相似目的的替代特征来代替。Those skilled in the art will appreciate that the modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and further they may be divided into a plurality of sub-modules or sub-units or sub-components. In addition to such features and/or at least some of the processes or units being mutually exclusive, any combination of the features disclosed in the specification, including the accompanying claims, the abstract and the drawings, and any methods so disclosed, or All processes or units of the device are combined. Each feature disclosed in this specification (including the accompanying claims, the abstract and the drawings) may be replaced by alternative features that provide the same, equivalent or similar purpose.
此外,本领域的技术人员能够理解,尽管在此所述的一些实施例包括其它实施例中所包括的某些特征而不是其它特征,但是不同实施例的特征的组合意味着处于本发明的范围之内并且形成不同的实施例。例如,在下面的权利要求书中,所要求保护的实施例的任意之一都可以以任意的组合方式来使用。In addition, those skilled in the art will appreciate that, although some embodiments described herein include certain features that are included in other embodiments and not in other features, combinations of features of different embodiments are intended to be within the scope of the present invention. Different embodiments are formed and formed. For example, in the following claims, any one of the claimed embodiments can be used in any combination.
本发明的各个部件实施例可以以硬件实现,或者以在一个或者多个处理器上运行的软件模块实现,或者以它们的组合实现。本领域的技术人员应当理解,可以在实践中使用微处理器或者数字信号处理器(DSP)来实现根据本发明实施例的基于移动终端的支付装置及移动终端,以及保护移动终端支付安全的装置及移动终端中的一些或者全部部件的一些或者全部功能。本发明还可以实现为用于执行这里所描述的方法的一部分或者全部的设备或者装置程序(例如,计算机程序和计算机程序产品)。这样的实现本发明的程序可以存储在计算机可读介质上,或者可以具有一个或者多个信号的形式。这样的信号可以从因特网网站上下载得到,或者在载体信号上提供,或者以任何其他形式提供。The various component embodiments of the present invention may be implemented in hardware, or in a software module running on one or more processors, or in a combination thereof. It should be understood by those skilled in the art that a mobile terminal or a digital signal processor (DSP) can be implemented in practice to implement a mobile terminal-based payment device and mobile terminal according to an embodiment of the present invention, and a device for protecting payment security of a mobile terminal. And some or all of the functions of some or all of the components of the mobile terminal. The invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein. Such a program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
例如,图5示出了可以实现在智能终端之间传输数据的方法的计算设备。该计算设备传统上包括处理器510和以存储器520形式的计算机程序产品或者计算机可读介质。存储器520可以是诸如闪存、EEPROM(电可擦除可编程只读存储器)、EPROM、硬盘或者ROM之类的电子存储器。存储器520具有用于执行上述方法中的任何方法步骤的程序代码531的存储空间530。例如,用于程序代码的存储空间530可以包括分别用于实现上面的方法中的各种步骤的各个程序代码531。这些程序代码可以从一个或者多个计算机程序产品中读出或者写入到这一个或者多个计算机程序产品中。这些计算机程序产品包括诸如硬盘,紧致盘(CD)、存储卡或者软盘之类的程序代码载体。这样的计算机程序产品通常为如参考图6所述的便携式或者固定存储单元。该存储单元可以具有与图5的计算设备中的存储器520类似布置的存储段、存储空间等。程序代码可以例如以适当形式进行压缩。通常,存储单元包括计算机可读代码531’,即可以由例如诸如510之类的处理器读取的代码,这些代 码当由计算设备运行时,导致该计算设备执行上面所描述的方法中的各个步骤。For example, Figure 5 illustrates a computing device that can implement a method of transferring data between smart terminals. The computing device conventionally includes a processor 510 and a computer program product or computer readable medium in the form of a memory 520. The memory 520 may be an electronic memory such as a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), an EPROM, a hard disk, or a ROM. Memory 520 has a memory space 530 for program code 531 for performing any of the method steps described above. For example, storage space 530 for program code may include various program code 531 for implementing various steps in the above methods, respectively. The program code can be read from or written to one or more computer program products. These computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks. Such computer program products are typically portable or fixed storage units as described with reference to FIG. The storage unit may have storage segments, storage spaces, and the like that are similarly arranged to memory 520 in the computing device of FIG. The program code can be compressed, for example, in an appropriate form. Typically, the storage unit includes computer readable code 531', code that can be read by a processor such as 510, such generations The code, when run by the computing device, causes the computing device to perform various steps in the methods described above.
本文中所称的“一个实施例”、“实施例”或者“一个或者多个实施例”意味着,结合实施例描述的特定特征、结构或者特性包括在本发明的至少一个实施例中。此外,请注意,这里“在一个实施例中”的词语例子不一定全指同一个实施例。"an embodiment," or "an embodiment," or "an embodiment," In addition, it is noted that the phrase "in one embodiment" is not necessarily referring to the same embodiment.
应该注意的是上述实施例对本发明进行说明而不是对本发明进行限制,并且本领域技术人员在不脱离所附权利要求的范围的情况下可设计出替换实施例。在权利要求中,不应将位于括号之间的任何参考符号构造成对权利要求的限制。单词“包含”不排除存在未列在权利要求中的元件或步骤。位于元件之前的单词“一”或“一个”不排除存在多个这样的元件。本发明可以借助于包括有若干不同元件的硬件以及借助于适当编程的计算机来实现。在列举了若干装置的单元权利要求中,这些装置中的若干个可以是通过同一个硬件项来具体体现。单词第一、第二、以及第三等的使用不表示任何顺序。可将这些单词解释为名称。It is to be noted that the above-described embodiments are illustrative of the invention and are not intended to be limiting, and that the invention may be devised without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as a limitation. The word "comprising" does not exclude the presence of the elements or steps that are not recited in the claims. The word "a" or "an" The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means can be embodied by the same hardware item. The use of the words first, second, and third does not indicate any order. These words can be interpreted as names.
此外,还应当注意,本说明书中使用的语言主要是为了可读性和教导的目的而选择的,而不是为了解释或者限定本发明的主题而选择的。因此,在不偏离所附权利要求书的范围和精神的情况下,对于本技术领域的普通技术人员来说许多修改和变更都是显而易见的。对于本发明的范围,对本发明所做的公开是说明性的,而非限制性的,本发明的范围由所附权利要求书限定。 In addition, it should be noted that the language used in the specification has been selected for the purpose of readability and teaching, and is not intended to be construed or limited. Therefore, many modifications and changes will be apparent to those skilled in the art without departing from the scope of the invention. The disclosure of the present invention is intended to be illustrative, and not restrictive, and the scope of the invention is defined by the appended claims.

Claims (27)

  1. 一种基于移动终端的支付方法,包括:A payment method based on a mobile terminal, comprising:
    确定移动终端进入支付场景;Determining that the mobile terminal enters a payment scenario;
    检测所述移动终端的网络连接类型;Detecting a network connection type of the mobile terminal;
    根据所述网络连接类型建立所述移动终端至支付服务器的安全网络传输通道;Establishing a secure network transmission channel of the mobile terminal to the payment server according to the network connection type;
    利用所述安全网络传输通道传输支付数据,直至退出所述支付场景。The payment data is transmitted using the secure network transmission channel until the payment scenario is exited.
  2. 根据权利要求1所述的方法,其中,根据所述网络连接类型建立所述移动终端至支付服务器的安全网络传输通道包括:The method of claim 1, wherein establishing the secure network transmission channel of the mobile terminal to the payment server according to the network connection type comprises:
    判断所述网络连接类型是否为存在信息泄漏风险的无线传输网络;Determining whether the network connection type is a wireless transmission network with a risk of information leakage;
    若是,通过所述移动终端的界面提示所述网络连接的支付风险,并提供开启预设的虚拟专用网络传输的操作选项;If yes, prompting the payment risk of the network connection through the interface of the mobile terminal, and providing an operation option for starting a preset virtual private network transmission;
    根据用户对所述操作选项的操作通过所述虚拟专用网络建立所述安全网络传输通道。The secure network transmission channel is established over the virtual private network in accordance with user operations on the operational options.
  3. 根据权利要求2所述的方法,其中,根据用户对所述操作选项的操作通过虚拟专用网络建立所述安全网络传输通道包括:The method according to claim 2, wherein the establishing the secure network transmission channel through the virtual private network according to the operation of the operation option by the user comprises:
    向所述虚拟专用网络发起连接请求;Initiating a connection request to the virtual private network;
    判断在预定时间内是否连接成功;Determine whether the connection is successful within the predetermined time;
    若是,利用所述虚拟专用网络传输支付数据;If yes, transmitting the payment data by using the virtual private network;
    若否,向所述虚拟专用网络发起重连请求,直至连接成功或连接次数超过预设阈值。If not, a reconnection request is initiated to the virtual private network until the connection is successful or the number of connections exceeds a preset threshold.
  4. 根据权利要求3所述的方法,其中,在连接次数超过预设阈值之后还包括:The method according to claim 3, wherein after the number of connections exceeds a preset threshold, the method further comprises:
    通过所述移动终端提示所述虚拟专用网络连接不成功,并生成下一步操作的提示选项,所述提示选项包括以下任意一项或多项:暂时停止进行支付,尝试连接其他虚拟专用网络,忽略风险继续支付;The mobile terminal prompts that the virtual private network connection is unsuccessful, and generates a prompt option for the next operation, where the prompting option includes any one or more of the following: temporarily stopping the payment, attempting to connect to other virtual private networks, and ignoring The risk continues to be paid;
    按照用户对所述提示选项的选择执行对应的操作。The corresponding operation is performed according to the user's selection of the prompt option.
  5. 根据权利要求3或4所述的方法,其中,利用所述虚拟专用网络传输支付数据包括:The method of claim 3 or 4, wherein transmitting the payment data using the virtual private network comprises:
    通过所述虚拟专用网络完成所述移动终端与所述支付服务器之间的交互数据的透明传输。Transparent transmission of interaction data between the mobile terminal and the payment server is completed by the virtual private network.
  6. 根据权利要求1至5中任一项所述的方法,其中,在利用所述安全网络传输通道传输支付数据的过程中还包括:The method according to any one of claims 1 to 5, wherein, in the process of transmitting the payment data by using the secure network transmission channel, the method further comprises:
    监控所述安全网络传输通道的传输状态,并在所述传输状态出现异常时,向所述安全网络传输通道重新发起连接请求。Monitoring a transmission status of the secure network transmission channel, and re-initiating a connection request to the secure network transmission channel when the transmission status is abnormal.
  7. 根据权利要求1至6中任一项所述的方法,其中,在退出支付场景之后还包括:The method according to any one of claims 1 to 6, further comprising: after exiting the payment scenario, further comprising:
    断开所述安全网络传输通道。Disconnect the secure network transmission channel.
  8. 根据权利要求2所述的方法,其中,通过确定所述支付场景的活动界面被调 用而确定移动终端进入该支付场景。The method of claim 2 wherein the active interface of the payment scenario is adjusted It is determined that the mobile terminal enters the payment scenario.
  9. 根据权利要求8所述的方法,其中,所述支付场景包括一个或多个活动界面,通过对所述活动界面的关键特征进行判断,确定是否已进入所述支付场景。The method of claim 8, wherein the payment scenario comprises one or more activity interfaces that determine whether a payment scenario has been entered by determining a key feature of the active interface.
  10. 根据权利要求8或9所述的方法,其中,所述虚拟专用网络建立的所述安全网络传输通道仅用于传输所述支付场景所包含的用于执行支付指令的活动界面的数据。The method of claim 8 or 9, wherein the secure network transmission channel established by the virtual private network is only used to transmit data of an active interface for executing payment instructions included in the payment scenario.
  11. 根据权利要求8或9所述的方法,其中,所述每个活动界面,对应一个可执行的活动组件。The method of claim 8 or 9, wherein each of the active interfaces corresponds to an executable activity component.
  12. 根据权利要求8或9所述的方法,其中,建立所述安全网络传输通道之前,所述活动界面已经处于激活状态。The method of claim 8 or 9, wherein the active interface is already in an active state prior to establishing the secure network transmission channel.
  13. 根据权利要求8或9所述的方法,其中,建立所述安全网络传输通道之前,所述活动界面处于非激活状态,建立所述安全网络传输通道之后,所述活动界面处于激活状态。The method according to claim 8 or 9, wherein the active interface is in an inactive state before the secure network transmission channel is established, and the active interface is in an active state after the secure network transmission channel is established.
  14. 根据权利要求2所述的方法,其中,建立所述安全网络传输通道之前,弹框询问是否建立该安全网络传输通道,以用户选定为依据决定是否建立所述安全网络传输通道。The method according to claim 2, wherein before the secure network transmission channel is established, the bullet box queries whether to establish the secure network transmission channel, and determines whether to establish the secure network transmission channel based on the user selection.
  15. 根据权利要求2所述的方法,其中,所述安全网络传输通道采用PPTP、L2TP、IPSEC中任意一种协议实现。The method according to claim 2, wherein the secure network transmission channel is implemented by any one of PPTP, L2TP, and IPSEC.
  16. 根据权利要求8或9所述的方法,其中,当所述安全网络传输通道中断时,先退出已经激活的用于执行支付指令的活动界面,再退出所述支付场景。The method according to claim 8 or 9, wherein when the secure network transmission channel is interrupted, the active interface for executing the payment instruction is exited first, and then the payment scenario is exited.
  17. 根据权利要求2所述的方法,其中,仅对被判定为公共网络接入点的当前连接建立所述的安全网络传输通道。The method of claim 2 wherein said secure network transmission channel is established only for a current connection determined to be a public network access point.
  18. 一种基于移动终端的支付装置,包括:A payment device based on a mobile terminal, comprising:
    支付场景确定模块,配置为确定移动终端进入支付场景;a payment scenario determining module, configured to determine that the mobile terminal enters a payment scenario;
    网络连接检测模块,配置为检测所述移动终端的网络连接类型;a network connection detecting module configured to detect a network connection type of the mobile terminal;
    传输通道建立模块,配置为根据所述网络连接类型建立所述移动终端至支付服务器的安全网络传输通道;a transmission channel establishing module, configured to establish a secure network transmission channel of the mobile terminal to the payment server according to the network connection type;
    支付数据传输模块,配置为利用所述安全网络传输通道传输支付数据,直至退出所述支付场景。A payment data transmission module is configured to transmit payment data using the secure network transmission channel until exiting the payment scenario.
  19. 根据权利要求18所述的装置,其中,所述传输通道建立模块包括:The apparatus of claim 18, wherein the transmission channel establishing module comprises:
    判断子模块,配置为判断所述网络连接类型是否为存在信息泄漏风险的无线传输网络;a determining submodule configured to determine whether the network connection type is a wireless transmission network with a risk of information leakage;
    提示子模块,配置为在所述判断子模块的判断结果为是的情况下,通过所述移动终端的界面提示所述网络连接的支付风险,并提供开启预设的虚拟专用网络传输的操作选项;a prompting sub-module configured to prompt the payment risk of the network connection by using an interface of the mobile terminal, and provide an operation option for starting a preset virtual private network transmission, if the determination result of the determining sub-module is YES ;
    执行子模块,配置为根据用户对所述操作选项的操作通过所述虚拟专用网络建立所述安全网络传输通道。The execution sub-module is configured to establish the secure network transmission channel through the virtual private network according to a user operation of the operation option.
  20. 根据权利要求19所述的装置,其中,所述执行子模块还配置为:The apparatus of claim 19, wherein the execution sub-module is further configured to:
    向预设的虚拟专用网络发起连接请求; Initiating a connection request to a preset virtual private network;
    判断在预定时间内是否连接成功;Determine whether the connection is successful within the predetermined time;
    若是,利用所述虚拟专用网络传输支付数据;If yes, transmitting the payment data by using the virtual private network;
    若否,向所述虚拟专用网络发起重连请求,直至连接成功或连接次数超过预设阈值。If not, a reconnection request is initiated to the virtual private network until the connection is successful or the number of connections exceeds a preset threshold.
  21. 根据权利要求20所述的装置,其中,所述执行子模块还配置为:The apparatus of claim 20, wherein the execution sub-module is further configured to:
    在连接次数超过预设阈值之后,通过所述移动终端提示所述虚拟专用网络连接不成功,并生成下一步操作的提示选项,按照用户对所述提示选项的选择执行对应的操作,所述提示选项包括以下任意一项或多项:暂时停止进行支付,尝试连接其他虚拟专用网络,忽略风险继续支付。After the number of connections exceeds the preset threshold, the mobile terminal prompts that the virtual private network connection is unsuccessful, and generates a prompt option for the next operation, and performs a corresponding operation according to the user's selection of the prompt option, the prompt Options include any one or more of the following: Temporarily stop paying, try to connect to other virtual private networks, and ignore the risk to continue paying.
  22. 根据权利要求20或21所述的装置,其中,所述支付数据传输模块还配置为:The apparatus according to claim 20 or 21, wherein the payment data transmission module is further configured to:
    通过所述虚拟专用网络完成实现所述移动终端与所述支付服务器之间的交互数据的透明传输。Transparent transmission of interaction data between the mobile terminal and the payment server is implemented through the virtual private network.
  23. 根据权利要求20至22中任一项所述的装置,其中,还包括:The apparatus according to any one of claims 20 to 22, further comprising:
    传输状态监控模块,配置为监控所述安全网络传输通道的传输状态,并在所述传输状态出现异常时,向所述安全网络传输通道重新发起连接请求。The transmission status monitoring module is configured to monitor a transmission status of the secure network transmission channel, and re-initiate a connection request to the secure network transmission channel when the transmission status is abnormal.
  24. 根据权利要求18至23中任一项所述的装置,其中,还包括:The apparatus according to any one of claims 18 to 23, further comprising:
    支付通道退出模块,配置为在退出支付场景之后断开所述安全网络传输通道。The payment channel exit module is configured to disconnect the secure network transmission channel after exiting the payment scenario.
  25. 一种移动终端,包括:A mobile terminal includes:
    权利要求18至24中任一项所述的基于移动终端的支付装置。A mobile terminal-based payment device according to any one of claims 18 to 24.
  26. 一种计算机程序,包括计算机可读代码,当所述计算机可读代码在计算设备上运行时,导致所述计算设备执行根据权利要求1至17中任一项所述的方法。A computer program comprising computer readable code that, when executed on a computing device, causes the computing device to perform the method of any one of claims 1-17.
  27. 一种计算机可读介质,其中存储了如权利要求26所述的计算机程序。 A computer readable medium storing the computer program of claim 26.
PCT/CN2015/080711 2014-06-10 2015-06-03 Mobile terminal-based payment method and apparatus, and mobile terminal WO2015188718A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201410256922.9A CN104008482B (en) 2014-06-10 Method of payment based on mobile terminal and device and mobile terminal
CN201410256922.9 2014-06-10
CN201410645534.XA CN104463569A (en) 2014-11-11 2014-11-11 Secure connection payment method and device
CN201410645534.X 2014-11-11

Publications (1)

Publication Number Publication Date
WO2015188718A1 true WO2015188718A1 (en) 2015-12-17

Family

ID=54832899

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/080711 WO2015188718A1 (en) 2014-06-10 2015-06-03 Mobile terminal-based payment method and apparatus, and mobile terminal

Country Status (1)

Country Link
WO (1) WO2015188718A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3500925A4 (en) * 2016-08-18 2020-01-22 Alibaba Group Holding Limited System and method for wireless network security
CN112036883A (en) * 2020-08-31 2020-12-04 深圳市兆珑科技有限公司 Safety device
CN113438215A (en) * 2021-06-11 2021-09-24 郑州阿帕斯数云信息科技有限公司 Data transmission method, device, equipment and storage medium
CN114189460A (en) * 2021-09-17 2022-03-15 惠州高盛达智显科技有限公司 Cash register quick and stable networking method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120054837A1 (en) * 2010-09-01 2012-03-01 Electronics And Telecommunications Research Institute Network control method for controlling client-and-server based high reliability session for secure payment using multi interface user terminal in wired of wireless internet
CN103619020A (en) * 2013-12-09 2014-03-05 成都达信通通讯设备有限公司 Mobile payment security system for wireless data private network physical isolation internet
CN104008482A (en) * 2014-06-10 2014-08-27 北京奇虎科技有限公司 Mobile terminal and payment method and device based on mobile terminal
CN104463569A (en) * 2014-11-11 2015-03-25 北京奇虎科技有限公司 Secure connection payment method and device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120054837A1 (en) * 2010-09-01 2012-03-01 Electronics And Telecommunications Research Institute Network control method for controlling client-and-server based high reliability session for secure payment using multi interface user terminal in wired of wireless internet
CN103619020A (en) * 2013-12-09 2014-03-05 成都达信通通讯设备有限公司 Mobile payment security system for wireless data private network physical isolation internet
CN104008482A (en) * 2014-06-10 2014-08-27 北京奇虎科技有限公司 Mobile terminal and payment method and device based on mobile terminal
CN104463569A (en) * 2014-11-11 2015-03-25 北京奇虎科技有限公司 Secure connection payment method and device

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3500925A4 (en) * 2016-08-18 2020-01-22 Alibaba Group Holding Limited System and method for wireless network security
US10951587B2 (en) 2016-08-18 2021-03-16 Alibaba Group Holding Limited System and method for wireless network security
TWI789350B (en) * 2016-08-18 2023-01-11 香港商阿里巴巴集團服務有限公司 WIFI security protection system, wireless network protection method, device and electronic equipment
CN112036883A (en) * 2020-08-31 2020-12-04 深圳市兆珑科技有限公司 Safety device
CN113438215A (en) * 2021-06-11 2021-09-24 郑州阿帕斯数云信息科技有限公司 Data transmission method, device, equipment and storage medium
CN114189460A (en) * 2021-09-17 2022-03-15 惠州高盛达智显科技有限公司 Cash register quick and stable networking method and system

Similar Documents

Publication Publication Date Title
JP7403020B2 (en) System and method for second factor authentication of customer support calls
WO2015188788A1 (en) Method and apparatus for protecting mobile terminal payment security, and mobile terminal
US8990912B2 (en) Authentication of data communications
WO2015169158A1 (en) Information protection method and system
CN105446713B (en) Method for secure storing and equipment
US20160149937A1 (en) Systems and methods for malicious code detection
US11978053B2 (en) Systems and methods for estimating authenticity of local network of device initiating remote transaction
US20180295514A1 (en) Method and apparatus for facilitating persistent authentication
CN104463569A (en) Secure connection payment method and device
US9485606B1 (en) Systems and methods for detecting near field communication risks
US9300674B2 (en) System and methods for authorizing operations on a service using trusted devices
WO2016188335A1 (en) Access control method, apparatus and system for user data
US11887124B2 (en) Systems, methods and computer program products for securing electronic transactions
US20160142398A1 (en) Method of network identity authentication by using an identification code of a communication device and a network operating password
JP2022525840A (en) Systems and methods for pre-authentication of customer support calls
WO2015188718A1 (en) Mobile terminal-based payment method and apparatus, and mobile terminal
US10826901B2 (en) Systems and method for cross-channel device binding
WO2017190436A1 (en) Data processing method and apparatus
US20190281053A1 (en) Method and apparatus for facilitating frictionless two-factor authentication
WO2017129008A1 (en) Application authentication method and apparatus for linux system based financial self-service device
US9235832B1 (en) Systems and methods for detecting transactions originating from an unauthenticated ATM device
US20230418923A1 (en) Techniques to perform dynamic call center authentication utilizing a contactless card
WO2019056343A1 (en) System and method for avoiding internet and mobile payment fraud
US20210211876A1 (en) Method and system for generating a secure one-time passcode using strong authentication
CN105592032B (en) Safety information interaction method Internet-based

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15806489

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15806489

Country of ref document: EP

Kind code of ref document: A1