WO2018121387A1 - Security verification method, platform, apparatus and system - Google Patents

Security verification method, platform, apparatus and system Download PDF

Info

Publication number
WO2018121387A1
WO2018121387A1 PCT/CN2017/117600 CN2017117600W WO2018121387A1 WO 2018121387 A1 WO2018121387 A1 WO 2018121387A1 CN 2017117600 W CN2017117600 W CN 2017117600W WO 2018121387 A1 WO2018121387 A1 WO 2018121387A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
fingerprint
security verification
user
device fingerprint
Prior art date
Application number
PCT/CN2017/117600
Other languages
French (fr)
Chinese (zh)
Inventor
童耀刚
郑建宾
周钰
张玉凤
Original Assignee
中国银联股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中国银联股份有限公司 filed Critical 中国银联股份有限公司
Publication of WO2018121387A1 publication Critical patent/WO2018121387A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Definitions

  • the present invention relates generally to the field of bank card security technologies and, in particular, to security authentication methods and systems related to applications such as cardless payment.
  • the banking system is also beginning to try more and more cardless payments.
  • no card payment there are typically two ways to place a bank card in a mobile phone: one is that in the absence of a physical card, the user applies to the bank for "air card issuance" through a specific mobile application.
  • the bank After the bank authenticates, all the information of a financial IC card will be loaded onto the SIM card or SD card of the user's mobile phone; the other is to apply for the virtual card of the physical card to the issuing bank in the case of an existing physical card.
  • the account, the issuing bank sends a virtual card to the user based on the token technology.
  • there is a problem of difficulty in authentication Generally, banks only issue cards to old customers.
  • the method of SMS authentication is also easy to have a great security risk due to the replacement of the mobile phone card or the direct stealing of the verification code.
  • some existing air card issuance methods include collecting biometric information of the user for user identity authentication, and successfully issuing the card through the authentication audit.
  • biometric information such as fingerprints and voiceprints are easily stolen and forged, and hardware devices are required to support the collection of biometric information, which requires high hardware;
  • users The biometric information is stolen or counterfeited and is not easily detected, resulting in theft or forgery being able to use this method for a large number of card applications, resulting in sustained loss of user property; (3) no mechanism to block illegal behavior.
  • the over-the-air approach also relies to a large extent on the devices used by the user, and it may often be necessary to bind the account information associated with the virtual card to a particular user device.
  • the present invention provides a security verification scheme that can improve the above problems.
  • the present invention provides a security verification method, including: receiving a service request from a user, the service request including user information and device information; creating a current device fingerprint based on the device information; acquiring a device fingerprint list, The device fingerprint list includes previously stored device fingerprints of all devices associated with the user; comparing the current device fingerprint with the device fingerprint list; and in the current device fingerprint and the device fingerprint list
  • the service request is determined to pass security verification in the case of at least one match, wherein the device information includes device hardware parameters and device usage data, and the device fingerprint is a device model constructed based on the device information.
  • the device usage data includes one or more of network information of the device, geographic location information, and user preference behavior information.
  • the network information of the device includes one or more of network connection information of the device, TCP packet attributes, connected router attributes, HTTP protocol attributes, and WiFi list.
  • the geographical location information of the device comprises one or more of a base station location location, a GPS location location, a time associated trajectory, and a common location.
  • the user preference behavior information of the device includes an operating system type, a version number, a preference setting, an application installation preference setting, an alarm time, an on/off time, an application frequency and time, and a screen operation contact.
  • comparing the current device fingerprint with the device fingerprint list comprises: item-by-item comparison according to all parameters included in the device model; assigning matching weights to each parameter; The comparison result of each parameter is weighted and averaged according to the matching weight; and it is determined according to the result of the weighted average whether the current device fingerprint matches an item in the device fingerprint list.
  • comparing the current device fingerprint with the device fingerprint list comprises: predicting, for each device fingerprint change in the device fingerprint list, according to the device historical usage situation; The current device fingerprint is compared to each of the predicted results.
  • the method further comprises performing the current device fingerprint and the device fingerprint blacklist library before comparing the current device fingerprint with the device fingerprint list.
  • the device fingerprint blacklist library saves the device fingerprint of the illegal device.
  • comparing with the device fingerprint blacklist library comprises comparing the current device fingerprint with the device fingerprint in the blacklist library step by step according to the priority of the key device parameter.
  • the key device parameters include a MAC address, an international mobile device identity IMEI, a device serial number, and a system identity.
  • the security verification method as described above further comprising periodically updating device fingerprint data in the device fingerprint list by receiving device usage data from all devices associated with the user.
  • the service request includes a card issuance request and a transaction request.
  • the user information includes a username and a password associated with the service.
  • the present invention further provides a security verification platform, including: a data receiving module, configured to receive a service request from a user, the service request including user information and device information; and a device fingerprint creation module, configured to The device information is used to create a current device fingerprint; the list obtaining module is configured to obtain a device fingerprint list, where the device fingerprint list includes previously stored device fingerprints of all devices associated with the user; and a comparison module, configured to: The current device fingerprint is compared with the device fingerprint list; and the determining module is configured to determine that the service request passes the security verification if the current device fingerprint matches at least one of the device fingerprint lists, where The device information includes device hardware parameters and device usage data, and the device fingerprint is a device model constructed based on the device information.
  • a security verification platform including: a data receiving module, configured to receive a service request from a user, the service request including user information and device information; and a device fingerprint creation module, configured to The device information is used to create a current device fingerprint; the list obtaining module is configured to obtain a
  • the present invention provides a security verification method, including: obtaining an authorization to collect device information from a user at a device; collecting device information from the device according to the authorization, the device information including device hardware Parameter and device usage data; and adding the device information to the service request when the user sends a service request to the secure authentication platform using the device.
  • the security verification method as described above further comprising: periodically transmitting the device usage data to the secure verification platform.
  • the present invention provides a security verification apparatus including: an authorization module for setting The device is configured to acquire the device information from the user, and the information collecting module is configured to collect device information from the device according to the authorization, where the device information includes device hardware parameters and device usage data, and an information adding module, configured to: The device information is added to the service request when the user sends a service request to the security verification platform by using the device.
  • the present invention provides a security verification system including a user device, a security verification platform as described above, and a device fingerprint library, wherein the user device includes the security verification device as described above, and wherein The device fingerprint library is configured to store the device fingerprint list.
  • FIG. 1 is a schematic application scenario of a security verification system according to an example of the present invention.
  • FIG. 2 is a schematic flow chart of a security verification method in accordance with an example of the present invention.
  • FIG. 3 is a schematic flow chart of a security verification method in accordance with another example of the present invention.
  • FIG. 4 is a schematic block diagram of a secure authentication platform in accordance with one example of the present invention.
  • Figure 5 is a schematic block diagram of a security verification device in accordance with another example of the present invention.
  • a secure authentication system in accordance with the present invention includes a secure authentication platform 101, a user device 102, and a device fingerprint library 103, wherein the secure authentication platform 101 is configured to communicate with a card issuer.
  • the scenario shown in FIG. 1 can be, for example, a card issuance process in a cardless payment process.
  • the issuing bank may rely on the secure authentication platform 101 provided by the present invention for secure verification of the card issuance request from the user device 102. That is to say, the issuing bank 104 can determine the user device 102 as a trusted device after the user device 102 passes the verification of the security verification platform, thereby performing a card issuing operation of the virtual card for the device.
  • the secure verification platform 101 can, for example, serve multiple issuers simultaneously.
  • the security verification platform 101 can also provide verification for the transaction link. For example, when the user equipment needs to use the virtual card bound to the device for payment, the payment request may also be first received by the security verification platform for device identity verification, and the payment confirmation party may determine whether the verification result is based on the verification result. Perform payment operations.
  • the secure verification platform can be implemented independently or integrated into any third party trusted service platform. The operation of the secure authentication platform 101 will be described in detail below in conjunction with FIG.
  • the user equipment 102 shown in FIG. 1 may be any device whose hardware condition meets the cardless payment conditions of each institution. Moreover, the user equipment 102 should have at least remote communication capabilities, such as by any wired or wireless means.
  • the device can be, for example, any smart device that is existing or to be developed, such as a cell phone, a computer, a laptop, a personal digital assistant (PDA), and the like.
  • PDA personal digital assistant
  • the device fingerprint library 103 can be any database device or data server or the like that has been or is to be developed. Those skilled in the art will appreciate that the device fingerprint library can be implemented independently as shown in FIG. 1, or integrated with a secure authentication platform, or with other additional data processing devices.
  • FIG. 2 is a schematic flow chart of a security verification method in accordance with an example of the present invention. The method can be performed, for example, in the secure authentication platform 101 shown in FIG. Each step will be described below in conjunction with the scenario shown in FIG.
  • the secure authentication platform 101 receives a service request from a user.
  • the service request can be, for example, issued by a user via a certain smart device it holds, such as user device 102.
  • the service request may be, for example, a virtual card application request sent to the bank.
  • the business request may also be a transaction request, such as a payment request.
  • the service request sent by the user through the smart device includes both user information and device information.
  • the user information may be, for example, a username and password, which may be set by the user for a virtual service of an institution.
  • a bank may provide users with remote customer services such as online banking or mobile banking, and users may need to register users on the local device for use of these services, usually in the form of a username and password.
  • the user information may also include any other information that uniquely identifies the identity of the user.
  • the device information needs to include at least device hardware parameters and device usage data.
  • the hardware parameters of the device include any basic hardware parameters and number of the device when the device is shipped from the factory, and any information that can uniquely identify the device.
  • the device hardware parameters may include, for example, an international mobile device identity IMEI, a factory serial number of the device, and the like.
  • Device usage data is information related to the way the user applies the device.
  • the device usage data includes one or more of network information of the device, geographic location information, and user preference behavior information.
  • the network information of the device may include one or more of network connection information of the device, TCP packet attributes, connected router attributes, HTTP protocol attributes, and WiFi list.
  • the geographic location information of the device may be, for example, one or more of a base station location location, a GPS location location, a time associated trajectory, and a common location.
  • the user preference behavior information of the device may be, for example, an operating system type, a version number, a preference setting, an application installation preference setting, an alarm time, an on/off time, an application frequency and time, a contact area when the screen is operated, a sliding direction, and a keyboard input.
  • the secure verification platform 101 will create a current device fingerprint for the device based on the device information contained in the service request.
  • a device fingerprint is a device model built on both device hardware parameters and device usage data.
  • Device usage data can be the result of long-term data collection and statistics for the device.
  • the device model constructed according to this has real-time and dynamic characteristics, and can more reliably identify each device, thereby eliminating important information leakage, for example, when the device is stolen or maliciously tampered. The risk of vicious state cards, account theft and so on.
  • the secure authentication platform 101 will also obtain a device fingerprint list that includes previously stored device fingerprints for all devices associated with the user.
  • the device fingerprint list is stored in device fingerprint library 103.
  • previously stored device fingerprints are generated based on device hardware parameters and historical device usage data.
  • the secure authentication platform 101 can receive device usage data from the device, for example, before the user sends a service request. These device usage data may, for example, be collected from the user's remote service for the user's organization on the local device and sent to the secure authentication platform along with the device hardware parameters and user information.
  • the security verification platform 101 can aggregate these hardware information and dynamic information into device fingerprints capable of characterizing the device using a pre-designed modeling algorithm, and send the generated device fingerprints to the device fingerprint library 103 along with corresponding user information.
  • the device fingerprint of each device of the user may be stored in the form of a list with the user information as an index. In practice, one A user can have one or more smart devices, so the same user information can correspond to one device fingerprint or multiple device fingerprints.
  • the secure authentication platform can also periodically update device fingerprints in the device fingerprint list by receiving device usage data from devices associated with the user. As the actual situation of the user may change, the device usage may change accordingly. For example, the user's geographic location information changes due to changes in the place of residence. By continuously receiving recent device usage, the timeliness of device fingerprints can be guaranteed to provide a better user experience.
  • the device fingerprint library can also be generated by the user directly going to the issuing bank to perform on-site filing of the device. This way of establishing the device fingerprint library is particularly suitable for the case where the user requires virtual card binding when creating an account for the card issuer through the device for the first time.
  • the secure authentication platform may also receive similar device information from a third party for device fingerprint construction. In either case, the one-way encrypted transmission is preferably used in the transmission of the device usage data to ensure the security of the user information and the device information.
  • step 27 the secure verification platform 101 compares the generated current device fingerprint with all device fingerprints in the device fingerprint list to determine the legitimacy of the device that sent the service request.
  • item-by-item comparisons can be made based on all parameters included in the device model represented by the device fingerprint.
  • This item-by-item comparison can be thought of as a static match.
  • the parameters may include device hardware parameters and device usage parameters such as network information, geographic location information, and user preference behavior information.
  • each parameter can be given a matching weight.
  • a device fingerprint is a dynamic device identification in which parameters related to device usage change as the user's state changes. There is a certain difference in timeliness between the device fingerprint stored in the device fingerprint database and the currently generated device fingerprint. Therefore, each parameter does not necessarily need to be completely consistent, but can be distinguished by weight.
  • the comparison result of the current device fingerprint and each parameter of each item in the list may be weighted and averaged according to a pre-assigned matching weight, and the multi-value matching degree is calculated.
  • the result of the weighted average that is, the multi-value matching degree, it is judged whether the current device fingerprint matches the item in the device fingerprint list.
  • the result of the weighted average can be compared to a predetermined threshold: if it is above the threshold, it is considered a match, otherwise it is considered a mismatch.
  • dynamic matching can also be employed.
  • Device fingerprinting is a dynamic device identification, especially where parameters related to device usage may change continuously. Therefore, when the device fingerprints match, in addition to the exact match between the current value and the stored value, the current value can be compared with the prediction based on the previous data.
  • the externally collected hardware information and device usage data are analyzed by a machine learning method using an external processing device integrated with the device fingerprint library or independent of the device fingerprint library, thereby predicting continuous device fingerprint changes, The predicted result is stored in the device fingerprint database as an updated device fingerprint for subsequent device fingerprint comparison.
  • the user experience can be greatly improved while ensuring security, and the convenience of the entire business process is increased.
  • dynamic or static contrast can be used simultaneously or alternately.
  • the security verification platform determines in step 29 that the received service request passes the security verification. Further, in the scenario shown in FIG. 1, the security verification platform 101 notifies the issuing bank to start a normal virtual card issuance or card binding operation.
  • the device fingerprint is constructed by combining the usage data of the device, which effectively solves the problem that the existing cardless payment issuance and the transaction link are based only on the card number information and the mobile phone code verification, thereby greatly reducing the malicious binding and The risk of stealing.
  • the user's smart device can be detected by the security verification platform in time after being stolen, so as to contact the verification platform or the issuing bank in time for the device fingerprint to freeze or update the information, and the one-way encryption is adopted. The protection measures will not lose personal information even if the smart device is stolen.
  • the solution provided by the present invention makes the verification condition requirement at the user end reduced by enhancing the authentication process on the server side.
  • the secure authentication platform 101 may be further configured to perform the current device fingerprint and the device fingerprint blacklist library before comparing the current device fingerprint with the device fingerprint list.
  • the device fingerprint blacklist library stores device fingerprints of illegal devices, and the information of these illegal devices can be collected from the outside or accumulated through the previous comparison process.
  • the comparison with the device fingerprint blacklist library can also use the static and dynamic methods described above for the device fingerprint list alignment.
  • comparing with the device fingerprint blacklist library may compare the current device fingerprint with the device fingerprint in the blacklist library step by step according to the priority of the key device parameter.
  • the key device parameters may be a MAC address, an International Mobile Equipment Identity IMEI, a device serial number, and a system identification, and the priority is from high to low in the order listed in each item. That is, In the blacklist comparison, the MAC address information included in the current device fingerprint is first compared with the MAC address information in each device fingerprint item in the blacklist library. If a match is found, the device fingerprint in the current request can be determined to be an audit failure. If no entry is found for the MAC address information, then the device serial number is compared, and so on.
  • the multi-factor separate authentication method is adopted, based on key device parameters such as MAC address, IMEI, serial number and Android ID as the blacklist device fingerprint factor, and according to The uniqueness of several device fingerprint factors and the strength priority of reliability, the device fingerprint blacklist factor level library is constructed.
  • the blacklist storage stage the uniqueness and reliability of the relevant fingerprint factor are detected, and a reliable factor is selected into the blacklist factor level library according to the detection result, thereby improving the effectiveness of the blacklist library. Accurate matching tracking of blacklisted devices can be achieved based on pre-set reliability priority levels.
  • the blacklist may be established according to the following principle: the device fingerprint information that failed in one audit enters the graylist list, and the blacklist that fails the audit multiple times.
  • other business systems of the organization can also include violating equipment in the device fingerprint blacklist according to business rules.
  • device fingerprints in the blacklist can also be recovered.
  • the user can submit the user profile to the security verification platform. After the audit is successful, the corresponding device of the user in the blacklist can be deleted.
  • the blacklist comparison Before the device fingerprint list is compared, the blacklist comparison directly rejects the illegal device, which improves the security of cardless payment issuing and the efficiency of illegal device audit in high-risk situations.
  • FIG. 3 is a schematic flow chart of a security verification method in accordance with another example of the present invention.
  • the security verification method shown in FIG. 3 can be generally implemented in the user equipment 102 shown in FIG. 1, and cooperates with the method shown in FIG. 2 to complete the security verification scheme provided by the present invention.
  • the authorization to collect device information is first obtained from the user at the device at step 31.
  • step 33 device information is collected from the user's device in accordance with the authorization.
  • the collected device information includes at least device hardware parameters and device usage data, wherein the device usage data may be, for example, network information of the device, geographic location information, and user preference behavior information.
  • the collected device information is added to the service request when the user sends the service request to the security verification platform by using the device.
  • the method illustrated in FIG. 3 may be implemented, for example, in an application (APP) installed on a user device, or as a software development kit SDK to embed an application provided by an organization to a user device.
  • APP application
  • the APP can request authorization from the user after the user creates an account (usually including a username and password) and logs in with the account, and collects device information after authorization.
  • the collected information can be sent to a secure authentication platform to create a device fingerprint for the device, regardless of whether the user makes any business requests.
  • the secure authentication platform can store all device fingerprint information from the same user account as a device fingerprint list, as described above.
  • the application on the user device may also periodically transmit device usage data to the secure authentication platform for the security verification platform to continually update the device fingerprint library to facilitate subsequent receipt of the service. The device information in the request is compared.
  • FIG. 3 is not necessarily implemented on the user's device, but may be implemented, for example, by an independent third party. Moreover, the method can also be implemented in any form of software or hardware.
  • the security verification scheme provided by the present invention has no additional functional requirements for the smart device used by the user, and generally only requires the user to authorize the authenticator or the organization to acquire the device right, which greatly improves the user experience. It also reduces the cost of equipment audits for all parties.
  • the security verification platform 400 includes a data receiving module 41, a device fingerprint creating module 43, a list obtaining module 45, a matching module 47, and a determining module.
  • the data receiving module 41 is configured to receive a service request from a user.
  • these service requests include both user information and device information, where the device information will include device hardware parameters and device usage data.
  • the device fingerprint creation module 43 is configured to create a current device fingerprint based on the device information.
  • a device fingerprint is a device model built based on device hardware parameters and device usage data.
  • the list obtaining module 45 is configured to obtain a device fingerprint list including previously stored device fingerprints of all devices associated with the user.
  • the comparison module 47 is configured to compare the current device fingerprint with each device fingerprint in the device fingerprint list.
  • the determining module 49 is configured to determine that the received service request passes the security verification if the current device fingerprint matches at least one of the device fingerprint lists.
  • the security verification platform 400 shown in Figure 4 can be configured to implement any of the operations described above in connection with the security verification process implemented at the secure authentication platform provided by the present invention.
  • Those skilled in the art will appreciate that the module partitioning shown in FIG. 4 is merely illustrative, and that these modules can be integrated or further divided according to a specific implementation and implemented in any software or hardware form.
  • FIG. 5 is a schematic block diagram of a security verification device in accordance with another example of the present invention.
  • the security verification apparatus 500 includes an authorization module 51, an information collection module 53, and an information addition module 55.
  • the security verification device 500 can be integrated or installed in a device that a user may use to send a service request to an organization.
  • the authorization module 51 is configured to acquire an authorization to collect device information from the user at the device.
  • the information collection module 53 is configured to collect device information from the user's device according to the obtained authorization.
  • the collected device information will include both device hardware parameters and device usage data.
  • the information adding module 55 is configured to add the collected device information to the service request when the user sends a service request to the security verification platform by using the device.
  • the security verification device 500 shown in FIG. 5 can be configured to implement any of the operations described above at the user device associated with the security verification process provided by the present invention.
  • Those skilled in the art can understand that the module division shown in FIG. 5 is only schematic, and the modules can be integrated or further divided according to a specific implementation, and implemented in any software or hardware form.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Power Engineering (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Collating Specific Patterns (AREA)
  • Telephone Function (AREA)
  • Lock And Its Accessories (AREA)

Abstract

Provided are a security verification method, comprising: receiving a service request from a user, wherein the service request comprises user information and device information; creating a current device fingerprint based on the device information; acquiring a device fingerprint list, wherein the device fingerprint list comprises pre-stored device fingerprints of all the devices associated with the user; comparing the current device fingerprint with the device fingerprint list; and determining that the service request passes security verification where the current device fingerprint matches at least one item in the device fingerprint list, wherein the device information comprises a device hardware parameter and device usage condition data, and the device fingerprint is a device model built based on the device hardware parameter and the device usage condition data. Further provided are a corresponding security verification platform, a corresponding security verification method implemented on a user equipment, a corresponding security verification apparatus, and a security verification system.

Description

安全验证方法、平台、装置和系统Security verification method, platform, device and system 技术领域Technical field
本发明一般地涉及银行卡安全技术领域,并且具体地,涉及与诸如无卡支付等应用相关的安全验证方法和系统。The present invention relates generally to the field of bank card security technologies and, in particular, to security authentication methods and systems related to applications such as cardless payment.
背景技术Background technique
随着虚拟化交易的普及,银行系统也开始越来越多地尝试无卡支付。在无卡支付的情况下,将银行卡放于手机中典型地可以有两种方式:一种是在无实体卡的情况下,用户通过特定的手机应用程序,向银行申请“空中发卡”,银行进行身份验证后,会将一张金融IC卡的全部信息加载到用户手机的SIM卡或者SD卡上;另一种是在已有实体卡的情况下,通过向发卡行申请实体卡的虚拟账户,发卡行基于令牌技术向用户发虚拟卡。这两种方式都存在认证难度大的问题,一般银行只会发卡给老客户。一般短信验证的方式也容易由于手机卡补办或者直接盗取验证码的原因而存在很大的安全隐患。With the popularity of virtualization transactions, the banking system is also beginning to try more and more cardless payments. In the case of no card payment, there are typically two ways to place a bank card in a mobile phone: one is that in the absence of a physical card, the user applies to the bank for "air card issuance" through a specific mobile application. After the bank authenticates, all the information of a financial IC card will be loaded onto the SIM card or SD card of the user's mobile phone; the other is to apply for the virtual card of the physical card to the issuing bank in the case of an existing physical card. The account, the issuing bank sends a virtual card to the user based on the token technology. In both cases, there is a problem of difficulty in authentication. Generally, banks only issue cards to old customers. Generally, the method of SMS authentication is also easy to have a great security risk due to the replacement of the mobile phone card or the direct stealing of the verification code.
目前现有的一些空中发卡方法包括采集用户的生物特征信息进行用户身份认证,通过认证审核成功进行发卡。此类方法具有如下几个缺点:(1)如指纹、声纹等生物特征信息容易被盗取伪造,并且还需要硬件设备支持生物特征信息的采集功能,对硬件要求较高;(2)用户的生物特征信息被盗取或者伪造不易被察觉,导致盗取或者伪造者可利用该方法进行大量卡片申请,造成用户财产的持续损失;(3)没有屏蔽非法行为的机制。At present, some existing air card issuance methods include collecting biometric information of the user for user identity authentication, and successfully issuing the card through the authentication audit. Such methods have the following disadvantages: (1) biometric information such as fingerprints and voiceprints are easily stolen and forged, and hardware devices are required to support the collection of biometric information, which requires high hardware; (2) users The biometric information is stolen or counterfeited and is not easily detected, resulting in theft or forgery being able to use this method for a large number of card applications, resulting in sustained loss of user property; (3) no mechanism to block illegal behavior.
空中方法在很大程度上也依赖于用户所使用的设备,通常可能需要将与虚拟卡关联的账户信息与特定的用户设备进行绑定。目前对于诸如手机这样的多厂商不可控设备,也没有有效的终端ID可用于设备识别。这对于无卡支付的发卡阶段以及后续的交易阶段都造成了很大的安全隐患。The over-the-air approach also relies to a large extent on the devices used by the user, and it may often be necessary to bind the account information associated with the virtual card to a particular user device. Currently, for multi-vendor uncontrollable devices such as mobile phones, there is no valid terminal ID available for device identification. This poses a great security risk for the card issuance phase and the subsequent transaction phase.
因此,所期望的是设计一种可靠的安全验证方案,以提高无卡支付系统的安全性并且促进无卡支付技术的推广。Therefore, it is desirable to design a reliable security verification scheme to improve the security of cardless payment systems and to promote the promotion of cardless payment technologies.
发明内容 Summary of the invention
有鉴于此,本发明提供了一种安全验证方案,可改善上述问题。In view of this, the present invention provides a security verification scheme that can improve the above problems.
一方面,本发明提供了一种安全验证方法,其包括:接收来自用户的业务请求,所述业务请求包括用户信息以及设备信息;基于所述设备信息创建当前设备指纹;获取设备指纹列表,所述设备指纹列表包括与所述用户关联的所有设备的先前存储的设备指纹;将所述当前设备指纹与所述设备指纹列表比对;以及在所述当前设备指纹与所述设备指纹列表中的至少一项匹配的情况下判定所述业务请求通过安全验证,其中所述设备信息包括设备硬件参数以及设备使用情况数据,并且所述设备指纹是基于所述设备信息构建的设备模型。In one aspect, the present invention provides a security verification method, including: receiving a service request from a user, the service request including user information and device information; creating a current device fingerprint based on the device information; acquiring a device fingerprint list, The device fingerprint list includes previously stored device fingerprints of all devices associated with the user; comparing the current device fingerprint with the device fingerprint list; and in the current device fingerprint and the device fingerprint list The service request is determined to pass security verification in the case of at least one match, wherein the device information includes device hardware parameters and device usage data, and the device fingerprint is a device model constructed based on the device information.
如上所述的安全验证方法,其中,所述设备使用情况数据包括设备的网络信息、地理位置信息以及用户偏好行为信息中的一个或多个。The security verification method as described above, wherein the device usage data includes one or more of network information of the device, geographic location information, and user preference behavior information.
如上所述的安全验证方法,其中,设备的网络信息包括设备的网络连接信息、TCP包属性、连接的路由器属性、HTTP协议属性、WiFi列表中的一个或多个。The security verification method as described above, wherein the network information of the device includes one or more of network connection information of the device, TCP packet attributes, connected router attributes, HTTP protocol attributes, and WiFi list.
如上所述的安全验证方法,其中,设备的地理位置信息包括基站定位地点、GPS定位地点、与时间相关联的轨迹及常用地中的一个或多个。The security verification method as described above, wherein the geographical location information of the device comprises one or more of a base station location location, a GPS location location, a time associated trajectory, and a common location.
如上所述的安全验证方法,其中,设备的用户偏好行为信息包括操作系统类型、版本号、偏好设置、应用安装偏好设置、闹钟时间、开关机时间、应用使用频率及时间、屏幕操作时的接触面积、滑动方向、键盘输入的时间间隔、按压力度、陀螺仪信息、加速度计信息中的一个或多个。The security verification method as described above, wherein the user preference behavior information of the device includes an operating system type, a version number, a preference setting, an application installation preference setting, an alarm time, an on/off time, an application frequency and time, and a screen operation contact. One or more of area, sliding direction, time interval for keyboard input, pressing force, gyroscope information, and accelerometer information.
如上所述的安全验证方法,其中,将所述当前设备指纹与所述设备指纹列表比对包括:根据所述设备模型所包含的所有参数进行逐项对比;为每个参数赋予匹配权重;将各个参数的对比结果按所述匹配权重进行加权平均;并且根据所述加权平均的结果来判断所述当前设备指纹是否与所述设备指纹列表中的项匹配。The security verification method as described above, wherein comparing the current device fingerprint with the device fingerprint list comprises: item-by-item comparison according to all parameters included in the device model; assigning matching weights to each parameter; The comparison result of each parameter is weighted and averaged according to the matching weight; and it is determined according to the result of the weighted average whether the current device fingerprint matches an item in the device fingerprint list.
如上所述的安全验证方法,其中,将所述当前设备指纹与所述设备指纹列表对比包括:依据所述设备历史使用情况对所述设备指纹列表中的每个设备指纹变化进行预测;并且将所述当前设备指纹与每个所述预测结果进行对比。The security verification method as described above, wherein comparing the current device fingerprint with the device fingerprint list comprises: predicting, for each device fingerprint change in the device fingerprint list, according to the device historical usage situation; The current device fingerprint is compared to each of the predicted results.
如上所述的安全验证方法,其中,所述方法还包括在将所述当前设备指纹与所述设备指纹列表比对之前,将所述当前设备指纹与设备指纹黑名单库进行 对比,其中所述设备指纹黑名单库保存非法设备的设备指纹。The security verification method as described above, wherein the method further comprises performing the current device fingerprint and the device fingerprint blacklist library before comparing the current device fingerprint with the device fingerprint list. In contrast, the device fingerprint blacklist library saves the device fingerprint of the illegal device.
如上所述的安全验证方法,其中,与设备指纹黑名单库进行对比包括按关键设备参数的优先级逐级将所述当前设备指纹与黑名单库中的设备指纹进行比对。The security verification method as described above, wherein comparing with the device fingerprint blacklist library comprises comparing the current device fingerprint with the device fingerprint in the blacklist library step by step according to the priority of the key device parameter.
如上所述的安全验证方法,其中,所述关键设备参数包括MAC地址、国际移动设备标识IMEI、设备序列号以及系统标识。The security verification method as described above, wherein the key device parameters include a MAC address, an international mobile device identity IMEI, a device serial number, and a system identity.
如上所述的安全验证方法,其中,所述先前存储的设备指纹基于设备硬件参数以及历史的设备使用情况数据生成。A security verification method as described above, wherein the previously stored device fingerprint is generated based on device hardware parameters and historical device usage data.
如上所述的安全验证方法,其还包括周期性地从与所述用户关联的所有设备接收设备使用情况数据来更新所述设备指纹列表中的设备指纹。The security verification method as described above, further comprising periodically updating device fingerprint data in the device fingerprint list by receiving device usage data from all devices associated with the user.
如上所述的安全验证方法,其中,所述业务请求包括发卡请求以及交易请求。The security verification method as described above, wherein the service request includes a card issuance request and a transaction request.
如上所述的安全验证方法,其中,所述用户信息包括与所述业务相关联的用户名和密码。The security verification method as described above, wherein the user information includes a username and a password associated with the service.
另一方面,本发明还提供了一种安全验证平台,其包括:数据接收模块,用于接收来自用户的业务请求,所述业务请求包括用户信息以及设备信息;设备指纹创建模块,用于基于所述设备信息创建当前设备指纹;列表获取模块,用于获取设备指纹列表,所述设备指纹列表包括与所述用户关联的所有设备的先前存储的设备指纹;比对模块,用于将所述当前设备指纹与所述设备指纹列表比对;以及判定模块,用于在所述当前设备指纹与所述设备指纹列表中的至少一项匹配的情况下判定所述业务请求通过安全验证,其中所述设备信息包括设备硬件参数以及设备使用情况数据,并且所述设备指纹是基于所述设备信息构建的设备模型。In another aspect, the present invention further provides a security verification platform, including: a data receiving module, configured to receive a service request from a user, the service request including user information and device information; and a device fingerprint creation module, configured to The device information is used to create a current device fingerprint; the list obtaining module is configured to obtain a device fingerprint list, where the device fingerprint list includes previously stored device fingerprints of all devices associated with the user; and a comparison module, configured to: The current device fingerprint is compared with the device fingerprint list; and the determining module is configured to determine that the service request passes the security verification if the current device fingerprint matches at least one of the device fingerprint lists, where The device information includes device hardware parameters and device usage data, and the device fingerprint is a device model constructed based on the device information.
还有另一方面,本发明提供了一种安全验证方法,其包括:在设备处从用户获取采集设备信息的授权;依据所述授权从所述设备采集设备信息,所述设备信息包括设备硬件参数和设备使用情况数据;以及在用户使用所述设备向安全验证平台发送业务请求时在所述业务请求中添加所述设备信息。In still another aspect, the present invention provides a security verification method, including: obtaining an authorization to collect device information from a user at a device; collecting device information from the device according to the authorization, the device information including device hardware Parameter and device usage data; and adding the device information to the service request when the user sends a service request to the secure authentication platform using the device.
如上所述的安全验证方法,其还包括:周期性地向所述安全验证平台传送所述设备使用情况数据。The security verification method as described above, further comprising: periodically transmitting the device usage data to the secure verification platform.
又一方面,本发明提供了安全验证装置,其包括:授权模块,用于在设 备处从用户获取采集设备信息的授权;信息采集模块,用于依据所述授权从所述设备采集设备信息,所述设备信息包括设备硬件参数和设备使用情况数据;以及信息添加模块,用于在用户使用所述设备向安全验证平台发送业务请求时在所述业务请求中添加所述设备信息。In still another aspect, the present invention provides a security verification apparatus including: an authorization module for setting The device is configured to acquire the device information from the user, and the information collecting module is configured to collect device information from the device according to the authorization, where the device information includes device hardware parameters and device usage data, and an information adding module, configured to: The device information is added to the service request when the user sends a service request to the security verification platform by using the device.
还有另一方面,本发明提供了安全验证系统,其包括用户设备、如上所述的安全验证平台以及设备指纹库,其中所述用户设备包括如上所述的安全验证装置,并且其中,所述设备指纹库被配置为存储所述设备指纹列表。In still another aspect, the present invention provides a security verification system including a user device, a security verification platform as described above, and a device fingerprint library, wherein the user device includes the security verification device as described above, and wherein The device fingerprint library is configured to store the device fingerprint list.
附图说明DRAWINGS
本发明的前述和其他目标、特征和优点根据下面对本发明的实施例的更具体的说明将是显而易见的,这些实施例在附图中被示意。The foregoing and other objects, features, and advantages of the invention will be apparent from
图1是根据本发明一个示例的安全验证系统的示意应用场景。1 is a schematic application scenario of a security verification system according to an example of the present invention.
图2是根据本发明一个示例的安全验证方法的示意流程图。2 is a schematic flow chart of a security verification method in accordance with an example of the present invention.
图3是根据本发明另一示例的安全验证方法的示意流程图。3 is a schematic flow chart of a security verification method in accordance with another example of the present invention.
图4是根据本发明一个示例的安全验证平台的示意框图。4 is a schematic block diagram of a secure authentication platform in accordance with one example of the present invention.
图5是根据本发明另一示例的安全验证装置的示意框图。Figure 5 is a schematic block diagram of a security verification device in accordance with another example of the present invention.
具体实施方式detailed description
现在参照附图描述本发明的示意性示例,相同的附图标号表示相同的元件。下文描述的各示例有助于本领域技术人员透彻理解本发明,且各示例意在示例而非限制。图中各元件、部件、模块、装置及设备本体的图示仅示意性表明存在这些元件、部件、模块、装置及设备本体同时亦表明它们之间的相对关系,但并不用以限定它们的具体形状;流程图中各步骤的关系也不以所给出的顺序为限,可根据实际应用进行调整但不脱离本申请的保护范围。BRIEF DESCRIPTION OF THE DRAWINGS Exemplary embodiments of the present invention will now be described with reference to the drawings, wherein like reference numerals refer to the like. The examples described below are provided to enable those skilled in the art to understand the invention, and the examples are intended to be illustrative and not limiting. The illustrations of the various elements, components, modules, devices and device bodies in the figures are only illustrative of the existence of such elements, components, modules, devices, and device bodies, and also indicate the relative relationship between them, but are not intended to limit their specificity. Shape; the relationship of the steps in the flowchart is not limited to the order given, and can be adjusted according to the actual application without departing from the scope of protection of the present application.
图1是根据本发明一个示例的安全验证系统的示意框图。如图1所示,根据本发明的安全验证系统包括安全验证平台101、用户设备102以及设备指纹库103,其中安全验证平台101被配置为与发卡行通信。图1所示的场景可以例如是无卡支付过程中的发卡环节。发卡行可以依赖于本发明所提供的安全验证平台101对来自用户设备102的发卡请求进行安全验证。也就是说,发卡行104可以在用户设备102通过安全验证平台的验证之后将用户设备102确定为可信设备,从而对该设备进行虚拟卡的发卡操作。 1 is a schematic block diagram of a security verification system in accordance with one example of the present invention. As shown in FIG. 1, a secure authentication system in accordance with the present invention includes a secure authentication platform 101, a user device 102, and a device fingerprint library 103, wherein the secure authentication platform 101 is configured to communicate with a card issuer. The scenario shown in FIG. 1 can be, for example, a card issuance process in a cardless payment process. The issuing bank may rely on the secure authentication platform 101 provided by the present invention for secure verification of the card issuance request from the user device 102. That is to say, the issuing bank 104 can determine the user device 102 as a trusted device after the user device 102 passes the verification of the security verification platform, thereby performing a card issuing operation of the virtual card for the device.
该安全验证平台101可以例如同时为多个发卡行进行服务。除图1所示的发卡环节应用之外,该安全验证平台101还可以为交易环节提供验证。例如,当用户设备需要利用与该设备绑定的虚拟卡进行支付时,支付请求同样可以首先由该安全验证平台来接收,以进行设备身份验证,并且支付确认方可以依据该验证结果来判断是否执行支付操作。在实践中,该安全验证平台可以独立地实现或者被集成在任何第三方的可信服务平台中。将在下文中结合图2来详细描述安全验证平台101的操作。The secure verification platform 101 can, for example, serve multiple issuers simultaneously. In addition to the card issue application shown in FIG. 1, the security verification platform 101 can also provide verification for the transaction link. For example, when the user equipment needs to use the virtual card bound to the device for payment, the payment request may also be first received by the security verification platform for device identity verification, and the payment confirmation party may determine whether the verification result is based on the verification result. Perform payment operations. In practice, the secure verification platform can be implemented independently or integrated into any third party trusted service platform. The operation of the secure authentication platform 101 will be described in detail below in conjunction with FIG.
图1所示的用户设备102可以是任何硬件条件符合各机构的无卡支付条件的设备。此外,该用户设备102至少应具有远程通信能力,例如通过任何有线或无线的方式。举例来说,该设备可以例如是已有的或待开发的任何智能设备,例如手机、计算机、膝上型笔记本、个人数字助理(PDA)等等。The user equipment 102 shown in FIG. 1 may be any device whose hardware condition meets the cardless payment conditions of each institution. Moreover, the user equipment 102 should have at least remote communication capabilities, such as by any wired or wireless means. For example, the device can be, for example, any smart device that is existing or to be developed, such as a cell phone, a computer, a laptop, a personal digital assistant (PDA), and the like.
设备指纹库103可以是任何已有或待开发的数据库设备或数据服务器等。本领域技术人员能够理解该设备指纹库能够如图1所示的那样独立地实现,也可以与安全验证平台集成,或者与其他另外的数据处理设备集成。The device fingerprint library 103 can be any database device or data server or the like that has been or is to be developed. Those skilled in the art will appreciate that the device fingerprint library can be implemented independently as shown in FIG. 1, or integrated with a secure authentication platform, or with other additional data processing devices.
图2是根据本发明一个示例的安全验证方法的示意流程图。该方法可以例如在图1所示的安全验证平台101中执行。以下结合图1所示的场景来对各步骤进行描述。2 is a schematic flow chart of a security verification method in accordance with an example of the present invention. The method can be performed, for example, in the secure authentication platform 101 shown in FIG. Each step will be described below in conjunction with the scenario shown in FIG.
[038]首先,在步骤21中,安全验证平台101接收来自用户的业务请求。该业务请求可以例如是用户通过其所持有的某一智能设备,例如用户设备102所发出的。该业务请求可以例如是向银行端发送的虚拟卡申请请求。在其他一些示例中,该业务请求也可以是交易请求,例如支付请求。[038] First, in step 21, the secure authentication platform 101 receives a service request from a user. The service request can be, for example, issued by a user via a certain smart device it holds, such as user device 102. The service request may be, for example, a virtual card application request sent to the bank. In other examples, the business request may also be a transaction request, such as a payment request.
在本发明的一些示例中,用户通过智能设备所发出的业务请求均包含用户信息以及设备信息两部分。用户信息可以例如是用户名和密码,该用户名和密码可以是由用户针对某个机构的虚拟业务所设置的。举例来说,银行可能向用户提供诸如网上银行或手机银行之类的远程客户服务,用户可能需要为使用这些服务而在本地设备上进行用户注册,这通常以用户名和密码的形式来实现。本领域技术人员能够理解用户信息还可以包括其他任何能够唯一地标识用户身份的信息。In some examples of the present invention, the service request sent by the user through the smart device includes both user information and device information. The user information may be, for example, a username and password, which may be set by the user for a virtual service of an institution. For example, a bank may provide users with remote customer services such as online banking or mobile banking, and users may need to register users on the local device for use of these services, usually in the form of a username and password. Those skilled in the art will appreciate that the user information may also include any other information that uniquely identifies the identity of the user.
进一步地,设备信息至少需要包括设备硬件参数以及设备使用情况数据。 设备硬件参数包括设备本身出厂时的设备硬件基本参数及编号等任何能够唯一识别该设备的信息。在一些示例中,设备硬件参数可以例如包括国际移动设备标识IMEI、设备的出厂序列号等等。Further, the device information needs to include at least device hardware parameters and device usage data. The hardware parameters of the device include any basic hardware parameters and number of the device when the device is shipped from the factory, and any information that can uniquely identify the device. In some examples, the device hardware parameters may include, for example, an international mobile device identity IMEI, a factory serial number of the device, and the like.
设备使用情况数据是与用户应用设备的方式相关的信息。在一些示例中,设备使用情况数据包括设备的网络信息、地理位置信息以及用户偏好行为信息中的一个或多个。举例来说,设备的网络信息可以包括设备的网络连接信息、TCP包属性、连接的路由器属性、HTTP协议属性、WiFi列表中的一个或多个。设备的地理位置信息可以例如是基站定位地点、GPS定位地点、与时间相关联的轨迹及常用地中的一个或多个。设备的用户偏好行为信息可以例如是操作系统类型、版本号、偏好设置、应用安装偏好设置、闹钟时间、开关机时间、应用使用频率及时间、屏幕操作时的接触面积、滑动方向、键盘输入的时间间隔、按压力度、陀螺仪信息、加速度计信息中的一个或多个。Device usage data is information related to the way the user applies the device. In some examples, the device usage data includes one or more of network information of the device, geographic location information, and user preference behavior information. For example, the network information of the device may include one or more of network connection information of the device, TCP packet attributes, connected router attributes, HTTP protocol attributes, and WiFi list. The geographic location information of the device may be, for example, one or more of a base station location location, a GPS location location, a time associated trajectory, and a common location. The user preference behavior information of the device may be, for example, an operating system type, a version number, a preference setting, an application installation preference setting, an alarm time, an on/off time, an application frequency and time, a contact area when the screen is operated, a sliding direction, and a keyboard input. One or more of time interval, pressing force, gyroscope information, and accelerometer information.
在步骤23中,安全验证平台101将基于业务请求中所包含的设备信息为该设备创建当前设备指纹。设备指纹是基于设备硬件参数以及设备使用情况数据两者所构建的设备模型。设备使用情况数据可以是对该设备进行长期数据采集和统计的结果。由于加入了设备使用情况数据,依此构建的设备模型具有实时性和动态性,能够更可靠地对各个设备进行标识,消除了例如在设备被盗、遭到恶意篡改等情况下重要信息泄露、恶性邦卡、账户盗刷等的风险。In step 23, the secure verification platform 101 will create a current device fingerprint for the device based on the device information contained in the service request. A device fingerprint is a device model built on both device hardware parameters and device usage data. Device usage data can be the result of long-term data collection and statistics for the device. By adding device usage data, the device model constructed according to this has real-time and dynamic characteristics, and can more reliably identify each device, thereby eliminating important information leakage, for example, when the device is stolen or maliciously tampered. The risk of vicious state cards, account theft and so on.
在步骤25中,安全验证平台101还将获取设备指纹列表,该设备指纹列表包括与用户关联的所有设备的、先前存储的设备指纹。在一些示例中,该设备指纹列表被存储在设备指纹库103中。In step 25, the secure authentication platform 101 will also obtain a device fingerprint list that includes previously stored device fingerprints for all devices associated with the user. In some examples, the device fingerprint list is stored in device fingerprint library 103.
在一些示例中,先前存储的设备指纹基于设备硬件参数以及历史的设备使用情况数据生成。安全验证平台101可以例如在用户发送业务请求之前就从该设备接收设备使用情况数据。这些设备使用情况数据可以例如从用户为使用机构的远程服务在本地设备上进行用户注册时开始被收集并且与设备硬件参数和用户信息一起向安全验证平台发送。安全验证平台101可以利用预先设计的建模算法将这些硬件信息和动态信息汇总为能够表征设备的设备指纹,并且将所生成的设备指纹与相应的用户信息一起发送至设备指纹库103。在设备指纹库中,可以以用户信息为索引以列表的形式存储用户的每个设备的设备指纹。在实践中,一 个用户可以有一台或者多台智能设备,因此同一用户信息可以对应一个设备指纹,也可以对应多个设备指纹。In some examples, previously stored device fingerprints are generated based on device hardware parameters and historical device usage data. The secure authentication platform 101 can receive device usage data from the device, for example, before the user sends a service request. These device usage data may, for example, be collected from the user's remote service for the user's organization on the local device and sent to the secure authentication platform along with the device hardware parameters and user information. The security verification platform 101 can aggregate these hardware information and dynamic information into device fingerprints capable of characterizing the device using a pre-designed modeling algorithm, and send the generated device fingerprints to the device fingerprint library 103 along with corresponding user information. In the device fingerprint database, the device fingerprint of each device of the user may be stored in the form of a list with the user information as an index. In practice, one A user can have one or more smart devices, so the same user information can correspond to one device fingerprint or multiple device fingerprints.
在一些示例中,安全验证平台还可以周期性地从与用户关联的设备接收设备使用情况数据来更新所述设备指纹列表中的设备指纹。由于用户的实际情况可能发生变化,设备使用情况也可能相应地发生变化。例如用户由于居住地变化而导致设备的地理位置信息改变。通过不断接收最近的设备使用情况可以保证设备指纹的时效性,从而提供更好的用户体验。In some examples, the secure authentication platform can also periodically update device fingerprints in the device fingerprint list by receiving device usage data from devices associated with the user. As the actual situation of the user may change, the device usage may change accordingly. For example, the user's geographic location information changes due to changes in the place of residence. By continuously receiving recent device usage, the timeliness of device fingerprints can be guaranteed to provide a better user experience.
此外,设备指纹库还可以通过由用户直接去发卡行对设备进行现场备案来生成。设备指纹库的这种建立方式尤其适合用户在首次通过该设备针对发卡机构创建账户时要求虚拟卡绑定的情况。在另外一些示例中,安全验证平台还可以从第三方接收类似的设备信息来进行设备指纹的构建。无论在哪种情况下,在设备使用情况数据的传输过程中优选地采用单向加密传输的方式,以确保用户信息及设备信息的安全性。In addition, the device fingerprint library can also be generated by the user directly going to the issuing bank to perform on-site filing of the device. This way of establishing the device fingerprint library is particularly suitable for the case where the user requires virtual card binding when creating an account for the card issuer through the device for the first time. In still other examples, the secure authentication platform may also receive similar device information from a third party for device fingerprint construction. In either case, the one-way encrypted transmission is preferably used in the transmission of the device usage data to ensure the security of the user information and the device information.
在步骤27中,安全验证平台101将所生成的当前设备指纹与设备指纹列表中的所有设备指纹进行比对,以确定发送业务请求的设备的正当性。In step 27, the secure verification platform 101 compares the generated current device fingerprint with all device fingerprints in the device fingerprint list to determine the legitimacy of the device that sent the service request.
在一些示例中,可以根据设备指纹所代表的设备模型中包含的所有参数进行逐项对比。这种逐项对比可以被认为是一种静态匹配。其中,参数可以包括设备硬件参数以及诸如网络信息、地理位置信息以及用户偏好行为信息的设备使用情况参数。在按各个参数进行精确匹配的过程中,可以为每个参数赋予匹配权重。如在上文中所提及的,设备指纹是一种具有动态性的设备标识,其中与设备使用情况相关的参数会随着用户状态的改变而发生变化。设备指纹库中所存储的设备指纹与当前生成的设备指纹之间在时效性上存在一定的差异,因此不一定需要每个参数都完全一致,而是可以通过权重来加以区别。进一步地,可以将当前设备指纹与列表中的每一项的各个参数的对比结果按预先分配的匹配权重进行加权平均,计算多值匹配度。最后,根据加权平均的结果,即多值匹配度来判断当前设备指纹是否与设备指纹列表中的项匹配。在一些示例中,例如可以将加权平均的结果与预先确定的阈值进行比较:如高于阈值则认为是匹配,否则认为是不匹配。In some examples, item-by-item comparisons can be made based on all parameters included in the device model represented by the device fingerprint. This item-by-item comparison can be thought of as a static match. The parameters may include device hardware parameters and device usage parameters such as network information, geographic location information, and user preference behavior information. In the process of exact matching by each parameter, each parameter can be given a matching weight. As mentioned above, a device fingerprint is a dynamic device identification in which parameters related to device usage change as the user's state changes. There is a certain difference in timeliness between the device fingerprint stored in the device fingerprint database and the currently generated device fingerprint. Therefore, each parameter does not necessarily need to be completely consistent, but can be distinguished by weight. Further, the comparison result of the current device fingerprint and each parameter of each item in the list may be weighted and averaged according to a pre-assigned matching weight, and the multi-value matching degree is calculated. Finally, according to the result of the weighted average, that is, the multi-value matching degree, it is judged whether the current device fingerprint matches the item in the device fingerprint list. In some examples, for example, the result of the weighted average can be compared to a predetermined threshold: if it is above the threshold, it is considered a match, otherwise it is considered a mismatch.
在另外一些示例中,还可以采用动态匹配的方式。如在上文中所提及的, 设备指纹是一种具有动态性的设备标识,尤其是其中与设备使用情况相关的参数可能不断发生变化。因此,在设备指纹匹配时,除了当前值与存储值的精确匹配之外,还可以将当前值与基于以往数据的预测进行比较。在一些示例中,利用与设备指纹库集成的或独立于该设备指纹库的外部处理设备通过机器学习的方法,分析前期采集的硬件信息和设备使用情况数据,由此预测持续的设备指纹变化,并将该预测结果作为更新的设备指纹存储在设备指纹库中,用于后续的设备指纹比对。通过动态方法进行比对,可以在保证安全性的同时,大大改善用户体验,为整个业务处理过程增加便利性。此外,还可以同时地或交替地采用动态或静态的对比方式。In other examples, dynamic matching can also be employed. As mentioned above, Device fingerprinting is a dynamic device identification, especially where parameters related to device usage may change continuously. Therefore, when the device fingerprints match, in addition to the exact match between the current value and the stored value, the current value can be compared with the prediction based on the previous data. In some examples, the externally collected hardware information and device usage data are analyzed by a machine learning method using an external processing device integrated with the device fingerprint library or independent of the device fingerprint library, thereby predicting continuous device fingerprint changes, The predicted result is stored in the device fingerprint database as an updated device fingerprint for subsequent device fingerprint comparison. By comparing the dynamic methods, the user experience can be greatly improved while ensuring security, and the convenience of the entire business process is increased. In addition, dynamic or static contrast can be used simultaneously or alternately.
在将当前设备指纹与设备指纹列表中的各项进行比对,并且确定至少有一项匹配的情况下,安全验证平台在步骤29中判定所收到的业务请求通过安全验证。进一步地,在图1所示的场景中,安全验证平台101会通知发卡行可以开始正常的虚拟卡发卡或绑卡操作。In the case where the current device fingerprint is compared with the items in the device fingerprint list, and it is determined that there is at least one match, the security verification platform determines in step 29 that the received service request passes the security verification. Further, in the scenario shown in FIG. 1, the security verification platform 101 notifies the issuing bank to start a normal virtual card issuance or card binding operation.
在本发明中,通过结合设备的使用情况数据来构建设备指纹,有效地解决了现有无卡支付发卡和交易环节仅基于卡号信息及手机码验证等方式的不足,大大降低了恶意绑卡及盗刷的风险。相比于生物特征信息,用户的智能设备在被盗取后可以及时由安全验证平台发觉,从而及时联系验证平台或者发卡行进行设备指纹的报失冻结或者信息的更新,并且由于采取了单向加密的保护措施,即使智能设备被盗取也不会丢失个人信息。此外,本发明所提供的方案通过加强服务器端的验证处理,使得在用户端的验证条件要求被降低。In the present invention, the device fingerprint is constructed by combining the usage data of the device, which effectively solves the problem that the existing cardless payment issuance and the transaction link are based only on the card number information and the mobile phone code verification, thereby greatly reducing the malicious binding and The risk of stealing. Compared with the biometric information, the user's smart device can be detected by the security verification platform in time after being stolen, so as to contact the verification platform or the issuing bank in time for the device fingerprint to freeze or update the information, and the one-way encryption is adopted. The protection measures will not lose personal information even if the smart device is stolen. In addition, the solution provided by the present invention makes the verification condition requirement at the user end reduced by enhancing the authentication process on the server side.
在一些优选示例中,除图2所示的步骤之外,安全验证平台101还可以被配置为在将当前设备指纹与设备指纹列表比对之前,将该当前设备指纹与设备指纹黑名单库进行对比。一般地,设备指纹黑名单库保存非法设备的设备指纹,这些非法设备的信息可以从外部收集也可以通过在之前的比对过程中不断积累。In some preferred examples, in addition to the steps shown in FIG. 2, the secure authentication platform 101 may be further configured to perform the current device fingerprint and the device fingerprint blacklist library before comparing the current device fingerprint with the device fingerprint list. Compared. Generally, the device fingerprint blacklist library stores device fingerprints of illegal devices, and the information of these illegal devices can be collected from the outside or accumulated through the previous comparison process.
与设备指纹黑名单库的比对同样可以采用上文中就设备指纹列表比对所描述的静态和动态方法。在另外一些示例中,与设备指纹黑名单库进行对比可以是按关键设备参数的优先级逐级将所述当前设备指纹与黑名单库中的设备指纹进行比对。举例来说,关键设备参数可以是MAC地址、国际移动设备标识IMEI、设备序列号以及系统标识,优先级按各项所列出的顺序为从高到低。也就是说, 在黑名单比对中,首先将当前设备指纹包含的MAC地址信息与黑名单库中的每个设备指纹项中的MAC地址信息比对。如果找到匹配,则可以将当前请求中的设备指纹判定为审核失败。如果没有找到MAC地址信息匹配的项,则接着比对设备序列号,以此类推。The comparison with the device fingerprint blacklist library can also use the static and dynamic methods described above for the device fingerprint list alignment. In other examples, comparing with the device fingerprint blacklist library may compare the current device fingerprint with the device fingerprint in the blacklist library step by step according to the priority of the key device parameter. For example, the key device parameters may be a MAC address, an International Mobile Equipment Identity IMEI, a device serial number, and a system identification, and the priority is from high to low in the order listed in each item. That is, In the blacklist comparison, the MAC address information included in the current device fingerprint is first compared with the MAC address information in each device fingerprint item in the blacklist library. If a match is found, the device fingerprint in the current request can be determined to be an audit failure. If no entry is found for the MAC address information, then the device serial number is compared, and so on.
相比于传统的单因子体系和设备信息字符串体系的不足,采用多因子分离式认证方式,基于诸如MAC地址、IMEI、序列号和安卓ID等关键设备参数作为黑名单设备指纹因子,并根据几个设备指纹因子的唯一性和可靠性的强度优先级,构建设备指纹黑名单因子层级库。在黑名单入库阶段,会对相关指纹因子的唯一性和可靠性进行检测,并依据检测结果选择可靠的因子入黑名单因子层级库,从而提高了黑名单库的有效性。依据预先设定的可靠度优先级逐级比较,可以实现对黑名单设备的精确匹配追踪。Compared with the traditional single factor system and equipment information string system, the multi-factor separate authentication method is adopted, based on key device parameters such as MAC address, IMEI, serial number and Android ID as the blacklist device fingerprint factor, and according to The uniqueness of several device fingerprint factors and the strength priority of reliability, the device fingerprint blacklist factor level library is constructed. In the blacklist storage stage, the uniqueness and reliability of the relevant fingerprint factor are detected, and a reliable factor is selected into the blacklist factor level library according to the detection result, thereby improving the effectiveness of the blacklist library. Accurate matching tracking of blacklisted devices can be achieved based on pre-set reliability priority levels.
在一些示例中,黑名单的建立可以按照以下原则:一次审核失败的设备指纹信息进入灰名单列表,多次审核失败的进入黑名单。此外,机构的其他业务系统也可以按照业务规则将违规的设备列入设备指纹黑名单。In some examples, the blacklist may be established according to the following principle: the device fingerprint information that failed in one audit enters the graylist list, and the blacklist that fails the audit multiple times. In addition, other business systems of the organization can also include violating equipment in the device fingerprint blacklist according to business rules.
此外,黑名单列表中的设备指纹也可以进行恢复。例如,用户可以向安全验证平台提交用户资料,经过审核成功则可删除黑名单列表中用户的对应设备。In addition, device fingerprints in the blacklist can also be recovered. For example, the user can submit the user profile to the security verification platform. After the audit is successful, the corresponding device of the user in the blacklist can be deleted.
在设备指纹列表比对之前,通过黑名单比对直接对于非法设备拒绝审核,这提高了无卡支付发卡的安全性以及高危情况下非法设备审核的效率。Before the device fingerprint list is compared, the blacklist comparison directly rejects the illegal device, which improves the security of cardless payment issuing and the efficiency of illegal device audit in high-risk situations.
图3是根据本发明另一示例的安全验证方法的示意流程图。图3所示的安全验证方法通常可以在图1所示的用户设备102中实现,与图2所示的方法共同来完成本发明所提供的安全验证方案。3 is a schematic flow chart of a security verification method in accordance with another example of the present invention. The security verification method shown in FIG. 3 can be generally implemented in the user equipment 102 shown in FIG. 1, and cooperates with the method shown in FIG. 2 to complete the security verification scheme provided by the present invention.
如图3所示,首先在步骤31在设备处从用户获取采集设备信息的授权。接着,在步骤33中,依据该授权从用户的设备采集设备信息。在本发明中,所采集的设备信息至少包括设备硬件参数和设备使用情况数据两者,其中设备使用情况数据例如可以是设备的网络信息、地理位置信息以及用户偏好行为信息等等。进一步地,在步骤35中,当用户使用该设备向安全验证平台发送业务请求时在该业务请求中添加所采集的设备信息。As shown in FIG. 3, the authorization to collect device information is first obtained from the user at the device at step 31. Next, in step 33, device information is collected from the user's device in accordance with the authorization. In the present invention, the collected device information includes at least device hardware parameters and device usage data, wherein the device usage data may be, for example, network information of the device, geographic location information, and user preference behavior information. Further, in step 35, the collected device information is added to the service request when the user sends the service request to the security verification platform by using the device.
图3所示的方法可以例如在用户设备上安装的应用程序(APP)中实现,或者被实现为软件开发工具包SDK以嵌入机构向用户设备所提供的应用程序中。举 例来说,用户为使用机构所提供的手机银行服务可能需要在手机设备上安装相应的APP。该APP可以在用户创建帐户(通常包括用户名和密码)并用该帐户登录之后向用户请求授权,并在获得授权之后对设备信息进行采集。所采集的信息可以被发送至安全验证平台以为该设备创建设备指纹,无论用户是否进行任何业务请求。安全验证平台可以将所有来自同一用户账户的设备指纹信息存储为设备指纹列表,如在上文中所描述的那样。在一些示例中,用户设备上的应用程序还可以周期性地向安全验证平台传送设备使用情况数据,以供安全验证平台不断地对设备指纹库进行更新,从而有助于与之后收到的业务请求中的设备信息进行比对。The method illustrated in FIG. 3 may be implemented, for example, in an application (APP) installed on a user device, or as a software development kit SDK to embed an application provided by an organization to a user device. Lift For example, the mobile banking service provided by the user for the use of the institution may require the installation of the corresponding APP on the mobile device. The APP can request authorization from the user after the user creates an account (usually including a username and password) and logs in with the account, and collects device information after authorization. The collected information can be sent to a secure authentication platform to create a device fingerprint for the device, regardless of whether the user makes any business requests. The secure authentication platform can store all device fingerprint information from the same user account as a device fingerprint list, as described above. In some examples, the application on the user device may also periodically transmit device usage data to the secure authentication platform for the security verification platform to continually update the device fingerprint library to facilitate subsequent receipt of the service. The device information in the request is compared.
本领域技术人员能够理解图3所示的方法不必须实现在用户的设备上,而可以例如由独立的第三方来实现。此外,该方法也可以任何软件或硬件的形式来实现。Those skilled in the art will appreciate that the method illustrated in FIG. 3 is not necessarily implemented on the user's device, but may be implemented, for example, by an independent third party. Moreover, the method can also be implemented in any form of software or hardware.
[062]总的来说,采用本发明所提供的安全验证方案对于用户使用的智能设备没有附加的功能要求,通常只需要用户授权验证方或机构方获取设备的权利,这大大提高了用户体验并且降低了各方用于设备审核的成本。[062] In general, the security verification scheme provided by the present invention has no additional functional requirements for the smart device used by the user, and generally only requires the user to authorize the authenticator or the organization to acquire the device right, which greatly improves the user experience. It also reduces the cost of equipment audits for all parties.
图4是根据本发明一个示例的安全验证平台的示意框图。如图4所示,安全验证平台400包括数据接收模块41,设备指纹创建模块43、列表获取模块45、比对模块47以及判定模块。具体地,数据接收模块41用于接收来自用户的业务请求。在本发明中,这些业务请求就包括用户信息和设备信息两者,其中设备信息将包括设备硬件参数以及设备使用情况数据。设备指纹创建模块43用于基于设备信息创建当前设备指纹。在本发明中,设备指纹是基于设备硬件参数以及设备使用情况数据构建的设备模型。列表获取模块45用于获取设备指纹列表,该设备指纹列表包括与该用户关联的所有设备的先前存储的设备指纹。比对模块47用于将当前设备指纹与设备指纹列表中的各个设备指纹进行比对。判定模块49用于在当前设备指纹与设备指纹列表中的至少一项匹配的情况下判定所接收的业务请求通过安全验证。4 is a schematic block diagram of a secure authentication platform in accordance with one example of the present invention. As shown in FIG. 4, the security verification platform 400 includes a data receiving module 41, a device fingerprint creating module 43, a list obtaining module 45, a matching module 47, and a determining module. Specifically, the data receiving module 41 is configured to receive a service request from a user. In the present invention, these service requests include both user information and device information, where the device information will include device hardware parameters and device usage data. The device fingerprint creation module 43 is configured to create a current device fingerprint based on the device information. In the present invention, a device fingerprint is a device model built based on device hardware parameters and device usage data. The list obtaining module 45 is configured to obtain a device fingerprint list including previously stored device fingerprints of all devices associated with the user. The comparison module 47 is configured to compare the current device fingerprint with each device fingerprint in the device fingerprint list. The determining module 49 is configured to determine that the received service request passes the security verification if the current device fingerprint matches at least one of the device fingerprint lists.
图4所示的安全验证平台400能够被配置为实现上文所描述的任何与本发明所提供的、在安全验证平台处实现的安全验证过程相关的操作。本领域技术人员能够理解,图4所示的模块划分仅是示意性的,这些模块能够按照具体实现来集成或进一步划分,并且以任何软件或硬件的形式来实现。 The security verification platform 400 shown in Figure 4 can be configured to implement any of the operations described above in connection with the security verification process implemented at the secure authentication platform provided by the present invention. Those skilled in the art will appreciate that the module partitioning shown in FIG. 4 is merely illustrative, and that these modules can be integrated or further divided according to a specific implementation and implemented in any software or hardware form.
图5是根据本发明另一示例的安全验证装置的示意框图。如图5所示,安全验证装置500包括授权模块51、信息采集模块53以及信息添加模块55。在实践中,该安全验证装置500可以被集成或安装在用户可能用来向机构发送业务请求的设备中。具体地,授权模块51用于在设备处从用户获取采集设备信息的授权。信息采集模块53用于依据所获得的授权从用户的设备采集设备信息。在本发明中,所采集的设备信息将包括设备硬件参数和设备使用情况数据两者。信息添加模块55用于在用户使用其设备向安全验证平台发送业务请求时在该业务请求中添加所采集的设备信息。Figure 5 is a schematic block diagram of a security verification device in accordance with another example of the present invention. As shown in FIG. 5, the security verification apparatus 500 includes an authorization module 51, an information collection module 53, and an information addition module 55. In practice, the security verification device 500 can be integrated or installed in a device that a user may use to send a service request to an organization. Specifically, the authorization module 51 is configured to acquire an authorization to collect device information from the user at the device. The information collection module 53 is configured to collect device information from the user's device according to the obtained authorization. In the present invention, the collected device information will include both device hardware parameters and device usage data. The information adding module 55 is configured to add the collected device information to the service request when the user sends a service request to the security verification platform by using the device.
图5所示的安全验证装置500能够被配置为实现上文所描述的任何与本发明所提供的安全验证过程相关的、在用户设备处实现的操作。本领域技术人员能够理解,图5所示的模块划分仅是示意性的,这些模块能够按照具体实现来集成或进一步划分,并且以任何软件或硬件的形式来实现。The security verification device 500 shown in FIG. 5 can be configured to implement any of the operations described above at the user device associated with the security verification process provided by the present invention. Those skilled in the art can understand that the module division shown in FIG. 5 is only schematic, and the modules can be integrated or further divided according to a specific implementation, and implemented in any software or hardware form.
应当说明的是,以上具体实施方式仅用以说明本发明的技术方案而非对其进行限制。尽管参照上述具体实施方式对本发明进行了详细的说明,本领域的普通技术人员应当理解,依然可以对本发明的具体实施方式进行修改或对部分技术特征进行等同替换而不脱离本发明的实质,其均涵盖在本发明请求保护的范围中。 It should be noted that the above specific embodiments are merely illustrative of the technical solutions of the present invention and are not limited thereto. While the invention has been described in detail herein with reference to the preferred embodiments of the embodiments of the invention All are covered by the scope of the claimed invention.

Claims (19)

  1. 一种安全验证方法,其包括:A security verification method comprising:
    接收来自用户的业务请求,所述业务请求包括用户信息以及设备信息;Receiving a service request from a user, the service request including user information and device information;
    基于所述设备信息创建当前设备指纹;Creating a current device fingerprint based on the device information;
    获取设备指纹列表,所述设备指纹列表包括与所述用户关联的所有设备的先前存储的设备指纹;Obtaining a device fingerprint list, the device fingerprint list including previously stored device fingerprints of all devices associated with the user;
    将所述当前设备指纹与所述设备指纹列表比对;以及Comparing the current device fingerprint with the device fingerprint list;
    在所述当前设备指纹与所述设备指纹列表中的至少一项匹配的情况下判定所述业务请求通过安全验证,Determining that the service request passes security verification if the current device fingerprint matches at least one of the device fingerprint lists,
    其中所述设备信息包括设备硬件参数以及设备使用情况数据,并且所述设备指纹是基于设备硬件参数以及设备使用情况数据构建的设备模型。The device information includes device hardware parameters and device usage data, and the device fingerprint is a device model constructed based on device hardware parameters and device usage data.
  2. 如权利要求1所述的安全验证方法,其中,所述设备使用情况数据包括设备的网络信息、地理位置信息以及用户偏好行为信息中的一个或多个。The secure authentication method of claim 1, wherein the device usage data comprises one or more of network information of the device, geographic location information, and user preference behavior information.
  3. 如权利要求2所述的安全验证方法,其中,设备的网络信息包括设备的网络连接信息、TCP包属性、连接的路由器属性、HTTP协议属性、WiFi列表中的一个或多个。The security verification method according to claim 2, wherein the network information of the device comprises one or more of network connection information of the device, TCP packet attributes, connected router attributes, HTTP protocol attributes, and WiFi list.
  4. 如权利要求2所述的安全验证方法,其中,设备的地理位置信息包括基站定位地点、GPS定位地点、与时间相关联的轨迹及常用地中的一个或多个。The security verification method of claim 2, wherein the geographic location information of the device comprises one or more of a base station location location, a GPS location location, a time associated trajectory, and a common location.
  5. 如权利要求2所述的安全验证方法,其中,设备的用户偏好行为信息包括操作系统类型、版本号、偏好设置、应用安装偏好设置、闹钟时间、开关机时间、应用使用频率及时间、屏幕操作时的接触面积、滑动方向、键盘输入的时间间隔、按压力度、陀螺仪信息、加速度计信息中的一个或多个。The security verification method according to claim 2, wherein the user preference behavior information of the device includes an operating system type, a version number, a preference setting, an application installation preference setting, an alarm time, an on/off time, an application frequency and time, and a screen operation. One or more of the contact area, the sliding direction, the time interval of keyboard input, the pressing force, the gyroscope information, and the accelerometer information.
  6. 如权利要求1所述的安全验证方法,其中,将所述当前设备指纹与所述设备指纹列表比对包括:The security verification method according to claim 1, wherein comparing the current device fingerprint with the device fingerprint list comprises:
    根据所述设备模型所包含的所有参数进行逐项对比;Perform item-by-item comparison based on all parameters included in the device model;
    为每个参数赋予匹配权重;Give each parameter a matching weight;
    将各个参数的对比结果按所述匹配权重进行加权平均;并且Comparing the comparison results of the respective parameters by the matching weights; and
    根据所述加权平均的结果来判断所述当前设备指纹是否与所述设备指纹列表中 的项匹配。Determining, according to the result of the weighted averaging, whether the current device fingerprint is in the device fingerprint list The item matches.
  7. 如权利要求1所述的安全验证方法,其中,将所述当前设备指纹与所述设备指纹列表对比包括:The security verification method according to claim 1, wherein comparing the current device fingerprint with the device fingerprint list comprises:
    依据所述设备历史使用情况对所述设备指纹列表中的每个设备指纹变化进行预测;并且Predicting each device fingerprint change in the device fingerprint list according to the device history usage; and
    将所述当前设备指纹与每个所述预测结果进行对比。The current device fingerprint is compared to each of the predicted results.
  8. 如权利要求1所述的安全验证方法,其中,所述方法还包括在将所述当前设备指纹与所述设备指纹列表比对之前,将所述当前设备指纹与设备指纹黑名单库进行对比,其中所述设备指纹黑名单库保存非法设备的设备指纹。The security verification method according to claim 1, wherein the method further comprises comparing the current device fingerprint with the device fingerprint blacklist library before comparing the current device fingerprint with the device fingerprint list, The device fingerprint blacklist library saves the device fingerprint of the illegal device.
  9. 如权利要求8所述的安全验证方法,其中,与设备指纹黑名单库进行对比包括按关键设备参数的优先级逐级将所述当前设备指纹与黑名单库中的设备指纹进行比对。The security verification method according to claim 8, wherein comparing with the device fingerprint blacklist library comprises comparing the current device fingerprint with the device fingerprint in the blacklist library step by step according to the priority of the key device parameter.
  10. 如权利要求9所述的安全验证方法,其中,所述关键设备参数包括MAC地址、国际移动设备标识IMEI、设备序列号以及系统标识。The secure authentication method of claim 9, wherein the key device parameters comprise a MAC address, an international mobile device identity IMEI, a device serial number, and a system identity.
  11. 如权利要求1所述的安全验证方法,其中,所述先前存储的设备指纹基于设备硬件参数以及历史的设备使用情况数据生成。The secure authentication method of claim 1, wherein the previously stored device fingerprint is generated based on device hardware parameters and historical device usage data.
  12. 如权利要求1所述的安全验证方法,其还包括周期性地从与所述用户关联的所有设备接收设备使用情况数据来更新所述设备指纹列表中的设备指纹。The secure authentication method of claim 1 further comprising periodically updating device fingerprint data in said device fingerprint list by receiving device usage data from all devices associated with said user.
  13. 如权利要求1所述的安全验证方法,其中,所述业务请求包括发卡请求以及交易请求。The secure authentication method of claim 1, wherein the service request comprises a card issuance request and a transaction request.
  14. 如权利要求1所述的安全验证方法,其中,所述用户信息包括与所述业务相关联的用户名和密码。The secure authentication method of claim 1 wherein said user information comprises a username and password associated with said service.
  15. 一种安全验证平台,其包括:A security verification platform that includes:
    数据接收模块,用于接收来自用户的业务请求,所述业务请求包括用户信息以及设备信息;a data receiving module, configured to receive a service request from a user, where the service request includes user information and device information;
    设备指纹创建模块,用于基于所述设备信息创建当前设备指纹;a device fingerprint creation module, configured to create a current device fingerprint based on the device information;
    列表获取模块,用于获取设备指纹列表,所述设备指纹列表包括与所述用户关联的所有设备的先前存储的设备指纹;a list obtaining module, configured to acquire a device fingerprint list, where the device fingerprint list includes previously stored device fingerprints of all devices associated with the user;
    比对模块,用于将所述当前设备指纹与所述设备指纹列表比对;以及 判定模块,用于在所述当前设备指纹与所述设备指纹列表中的至少一项匹配的情况下判定所述业务请求通过安全验证,a comparison module, configured to compare the current device fingerprint with the device fingerprint list; a determining module, configured to determine that the service request passes security verification if the current device fingerprint matches at least one of the device fingerprint lists,
    其中所述设备信息包括设备硬件参数以及设备使用情况数据,并且所述设备指纹是基于设备硬件参数以及设备使用情况数据构建的设备模型。The device information includes device hardware parameters and device usage data, and the device fingerprint is a device model constructed based on device hardware parameters and device usage data.
  16. 一种安全验证方法,其包括:A security verification method comprising:
    在设备处从用户获取采集设备信息的授权;Obtaining authorization to collect device information from the user at the device;
    依据所述授权从所述设备采集设备信息,所述设备信息包括设备硬件参数和设备使用情况数据;以及Collecting device information from the device according to the authorization, the device information including device hardware parameters and device usage data;
    在用户使用所述设备向安全验证平台发送业务请求时在所述业务请求中添加所述设备信息。The device information is added to the service request when the user sends a service request to the security verification platform by using the device.
  17. 如权利要求16所述的安全验证方法,其还包括:周期性地向所述安全验证平台传送所述设备使用情况数据。The security verification method of claim 16 further comprising: periodically transmitting said device usage data to said secure authentication platform.
  18. 一种安全验证装置,其包括:A security verification device comprising:
    授权模块,用于在设备处从用户获取采集设备信息的授权;An authorization module for obtaining authorization to collect device information from a user at the device;
    信息采集模块,用于依据所述授权从所述设备采集设备信息,所述设备信息包括设备硬件参数和设备使用情况数据;以及An information collecting module, configured to collect device information from the device according to the authorization, where the device information includes device hardware parameters and device usage data;
    信息添加模块,用于在用户使用所述设备向安全验证平台发送业务请求时在所述业务请求中添加所述设备信息。The information adding module is configured to add the device information to the service request when the user sends a service request to the security verification platform by using the device.
  19. 一种安全验证系统,其包括用户设备、如权利要求15所述的安全验证平台以及设备指纹库,其中所述用户设备包括如权利要求18所述的安全验证装置,并且其中,所述设备指纹库被配置为存储所述设备指纹列表。 A security verification system comprising a user equipment, the security verification platform of claim 15, and a device fingerprint library, wherein the user equipment comprises the security verification device of claim 18, and wherein the device fingerprint The library is configured to store the device fingerprint list.
PCT/CN2017/117600 2016-12-30 2017-12-21 Security verification method, platform, apparatus and system WO2018121387A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201611259993.XA CN106991317B (en) 2016-12-30 2016-12-30 Security verification method, platform, device and system
CN201611259993.X 2016-12-30

Publications (1)

Publication Number Publication Date
WO2018121387A1 true WO2018121387A1 (en) 2018-07-05

Family

ID=59414363

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/117600 WO2018121387A1 (en) 2016-12-30 2017-12-21 Security verification method, platform, apparatus and system

Country Status (3)

Country Link
CN (1) CN106991317B (en)
TW (1) TWI718354B (en)
WO (1) WO2018121387A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110427785A (en) * 2019-07-23 2019-11-08 腾讯科技(深圳)有限公司 Acquisition methods and device, the storage medium and electronic device of device-fingerprint
CN111193714A (en) * 2019-12-06 2020-05-22 武汉极意网络科技有限公司 Automatic tracking method and system for verification code printing platform
CN112765587A (en) * 2021-01-20 2021-05-07 Oppo广东移动通信有限公司 Service operation verification method and device, control method and device, and server
CN113191892A (en) * 2021-05-27 2021-07-30 中国工商银行股份有限公司 Account risk prevention and control method, device, system and medium based on equipment fingerprint
CN113572773A (en) * 2021-07-27 2021-10-29 迈普通信技术股份有限公司 Access equipment and terminal access control method
CN113643042A (en) * 2021-08-20 2021-11-12 武汉极意网络科技有限公司 Safety verification system based on online business safety
CN114499994A (en) * 2021-12-30 2022-05-13 科大讯飞股份有限公司 Device fingerprint identification method and device, electronic device and medium

Families Citing this family (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106991317B (en) * 2016-12-30 2020-01-21 中国银联股份有限公司 Security verification method, platform, device and system
CN107404491B (en) * 2017-08-14 2018-06-22 腾讯科技(深圳)有限公司 Terminal environments method for detecting abnormality, detection device and computer readable storage medium
CN110737881B (en) * 2018-07-18 2021-01-26 马上消费金融股份有限公司 Fingerprint verification method and device for intelligent equipment
CN109255623A (en) * 2018-07-27 2019-01-22 重庆小雨点小额贷款有限公司 A kind of business approval method, server, client and storage medium
CN109146616A (en) * 2018-07-27 2019-01-04 重庆小雨点小额贷款有限公司 A kind of business approval method, apparatus, server and storage medium
CN109120605A (en) 2018-07-27 2019-01-01 阿里巴巴集团控股有限公司 Authentication and account information variation and device
CN109889487B (en) * 2018-12-29 2021-11-12 奇安信科技集团股份有限公司 Processing method and device for external equipment access terminal
US20210264299A1 (en) * 2019-06-26 2021-08-26 Rakuten, Inc. Fraud estimation system, fraud estimation method and program
US11251963B2 (en) 2019-07-31 2022-02-15 Advanced New Technologies Co., Ltd. Blockchain-based data authorization method and apparatus
US11252166B2 (en) 2019-07-31 2022-02-15 Advanced New Technologies Co., Ltd. Providing data authorization based on blockchain
CN110473096A (en) * 2019-07-31 2019-11-19 阿里巴巴集团控股有限公司 Data grant method and device based on intelligent contract
US11057189B2 (en) 2019-07-31 2021-07-06 Advanced New Technologies Co., Ltd. Providing data authorization based on blockchain
CN110543506B (en) * 2019-09-10 2022-09-09 百度在线网络技术(北京)有限公司 Data analysis method and device, electronic equipment and storage medium
CN112491776B (en) * 2019-09-11 2022-10-18 华为云计算技术有限公司 Security authentication method and related equipment
CN110557829B (en) * 2019-09-17 2020-12-11 北京东方国信科技股份有限公司 Positioning method and positioning device for fusing fingerprint database
CN110689019B (en) * 2019-09-27 2022-05-24 中国银行股份有限公司 OCR recognition model determining method and device
CN112948771B (en) * 2019-12-11 2023-04-18 浙江宇视科技有限公司 Authority verification method and device, readable storage medium and electronic equipment
TWI727566B (en) * 2019-12-26 2021-05-11 玉山商業銀行股份有限公司 Method and system for authentication with device binding
US11310051B2 (en) 2020-01-15 2022-04-19 Advanced New Technologies Co., Ltd. Blockchain-based data authorization method and apparatus
CN111291356B (en) * 2020-03-03 2023-01-24 Oppo广东移动通信有限公司 Security risk control method and related product
CN112073375B (en) * 2020-08-07 2023-09-26 中国电力科学研究院有限公司 Isolation device and isolation method suitable for client side of electric power Internet of things
CN112581123B (en) * 2020-12-08 2024-02-23 中国银联股份有限公司 Card management method, user terminal, server, system and storage medium
CN113037736B (en) * 2021-03-02 2023-07-14 四川九州电子科技股份有限公司 Authentication method, device, system and computer storage medium
CN113468495A (en) * 2021-06-30 2021-10-01 上海和数软件有限公司 Method for realizing block chain fingerprint identification and authentication of personal assets
CN113901417B (en) * 2021-10-09 2024-01-30 中原银行股份有限公司 Mobile device fingerprint generation method and readable storage medium
TWI813326B (en) * 2022-06-08 2023-08-21 英屬開曼群島商網際威信股份有限公司 Method and system for inferring apparatus fingerprint
CN116975831B (en) * 2023-09-25 2023-12-05 国网山东省电力公司日照供电公司 Security authentication method and system based on fingerprint identification technology

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103186851A (en) * 2011-12-30 2013-07-03 上海博泰悦臻电子设备制造有限公司 Electronic payment system based on cloud data processing technology
CN104867011A (en) * 2014-02-21 2015-08-26 中国电信股份有限公司 Method and device for carrying out safety control on mobile payment
CN105144216A (en) * 2013-03-15 2015-12-09 维萨国际服务协会 Snap mobile security apparatuses, methods and systems
CN105989079A (en) * 2015-02-11 2016-10-05 阿里巴巴集团控股有限公司 Method and apparatus for obtaining device fingerprint
CN106991317A (en) * 2016-12-30 2017-07-28 中国银联股份有限公司 Safe verification method, platform, device and system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102710770A (en) * 2012-06-01 2012-10-03 汪德嘉 Identification method for network access equipment and implementation system for identification method
CN105989373B (en) * 2015-02-15 2019-07-23 阿里巴巴集团控股有限公司 The acquisition device-fingerprint method and device realized using training pattern
CN105933266B (en) * 2015-08-20 2019-07-12 中国银联股份有限公司 A kind of verification method and server

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103186851A (en) * 2011-12-30 2013-07-03 上海博泰悦臻电子设备制造有限公司 Electronic payment system based on cloud data processing technology
CN105144216A (en) * 2013-03-15 2015-12-09 维萨国际服务协会 Snap mobile security apparatuses, methods and systems
CN104867011A (en) * 2014-02-21 2015-08-26 中国电信股份有限公司 Method and device for carrying out safety control on mobile payment
CN105989079A (en) * 2015-02-11 2016-10-05 阿里巴巴集团控股有限公司 Method and apparatus for obtaining device fingerprint
CN106991317A (en) * 2016-12-30 2017-07-28 中国银联股份有限公司 Safe verification method, platform, device and system

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110427785A (en) * 2019-07-23 2019-11-08 腾讯科技(深圳)有限公司 Acquisition methods and device, the storage medium and electronic device of device-fingerprint
CN110427785B (en) * 2019-07-23 2023-07-14 腾讯科技(深圳)有限公司 Equipment fingerprint acquisition method and device, storage medium and electronic device
CN111193714A (en) * 2019-12-06 2020-05-22 武汉极意网络科技有限公司 Automatic tracking method and system for verification code printing platform
CN112765587A (en) * 2021-01-20 2021-05-07 Oppo广东移动通信有限公司 Service operation verification method and device, control method and device, and server
CN113191892A (en) * 2021-05-27 2021-07-30 中国工商银行股份有限公司 Account risk prevention and control method, device, system and medium based on equipment fingerprint
CN113572773A (en) * 2021-07-27 2021-10-29 迈普通信技术股份有限公司 Access equipment and terminal access control method
CN113643042A (en) * 2021-08-20 2021-11-12 武汉极意网络科技有限公司 Safety verification system based on online business safety
CN113643042B (en) * 2021-08-20 2024-04-05 武汉极意网络科技有限公司 Security verification system based on online business security
CN114499994A (en) * 2021-12-30 2022-05-13 科大讯飞股份有限公司 Device fingerprint identification method and device, electronic device and medium
CN114499994B (en) * 2021-12-30 2024-06-04 科大讯飞股份有限公司 Equipment fingerprint identification method and device, electronic equipment and medium

Also Published As

Publication number Publication date
CN106991317A (en) 2017-07-28
TW201824108A (en) 2018-07-01
TWI718354B (en) 2021-02-11
CN106991317B (en) 2020-01-21

Similar Documents

Publication Publication Date Title
WO2018121387A1 (en) Security verification method, platform, apparatus and system
US11763311B2 (en) Multi-device transaction verification
JP6803935B2 (en) Logical validation of the device against fraud and tampering
EP1922632B1 (en) Extended one-time password method and apparatus
CN108804906B (en) System and method for application login
CN101751629B (en) Method and system for authenticating multifactor with changing unique values
RU2742910C1 (en) Encoded information processing
US11240220B2 (en) Systems and methods for user authentication based on multiple devices
KR20170039672A (en) System and method for authenticating a client to a device
US12112315B2 (en) Multi-device authentication process and system utilizing cryptographic techniques
US12081544B2 (en) Systems and methods for preventing unauthorized network access
EP3602995B1 (en) Fraudulent wireless network detection through proximate network data
CN114245889A (en) Systems, methods, and computer program products for authenticating transactions based on behavioral biometric data
CN117857071A (en) Password authentication using wallet card
KR101195027B1 (en) System and method for service security
KR101700833B1 (en) Card User Authentication System and Authentication Server and Portable Device for the same
KR101682678B1 (en) Card Transaction System and Encryption/Decryption Server for the same
KR20170072654A (en) Smart banking apparatus and method for enhanced security
KR20160014865A (en) User authentication method, server performing the same and system performing the same
KR20160033863A (en) Method of preventing illicit use of digital cerificate and server performing the same and method of loading digital cerificate and user terminal performing the same

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17886458

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17886458

Country of ref document: EP

Kind code of ref document: A1