As the Internet has grown, Internet-based applications such as online banking, online shopping, social media, e-commerce and instant messaging offer users an ever wider range of services. To manage users and for security reasons, most Internet applications require the user to log in before using the service. For example, the user enters an account name and the corresponding password (also called a passcode) on the login screen of a PC or mobile device, and is admitted to the services provided by the application only after the server has verified the user's identity.
The "account + password" authentication method is easy to use, but theft of an account and password causes inconvenience and even financial loss to the user. To prevent this, mobile Internet services have begun to adopt new security measures such as bonding (binding) an authorized mobile device to the account. For example, before a mobile application permits certain sensitive operations (account login, password change, making a payment, viewing account information, and so on), the user must bond the application account with an authorized mobile device that the user uses to log on to and use that account. The user can then perform sensitive operations only from the bound, authorized mobile communications device. This measure adds a layer of protection to user accounts and prevents a stolen account and password from being used on their own. If the user replaces the mobile device, a procedure is used to change or update the bonding relationship between the account and the mobile communications device.
Under traditional technical conditions, both the bonding authorization process and the bonding change process rely solely on SMS verification codes. The process typically comprises the following steps:
1) the user submits a bonding request or a bonding change request on a mobile device through the user interface provided by the mobile application;
2) the mobile application provider sends the user an SMS message containing a dynamic (one-time) verification code;
3) the user enters the dynamic verification code as instructed in the mobile application's user interface; and
4) the system completes the bonding authorization after the mobile application provider has verified the code successfully.
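The four steps above, as an added simulation that is not part of the original text and not any provider's real code: a server that issues and checks a dynamic SMS code with the usual server-side hygiene (random code, expiry, attempt limit, constant-time comparison), followed by a run in which a thief who holds the stolen password and can read the victim's SMS (simulated by reading the gateway queue, standing in for SMS diversion or a Trojan) completes a bonding change from his own device. All class and function names, the 300-second code lifetime and the 3-attempt limit are assumptions made for this example.

```python
"""Constructed simulation of the SMS-code bonding flow (steps 1-4).

Every name here is an assumption for this example, not a real provider's API.
"""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # code lifetime (assumed)
MAX_ATTEMPTS = 3       # wrong-code limit per challenge (assumed)
PBKDF2_ROUNDS = 100_000


class BondingServer:
    """Application provider: checks passwords, issues SMS codes, records bindings."""

    def __init__(self):
        self.accounts = {}      # account -> {salt, pw_hash, phone, bound_device}
        self.pending = {}       # account -> {code_hash, device_id, expires, attempts}
        self.sms_gateway = []   # constructed stand-in for the carrier: (phone, text)

    def register(self, account, password, phone):
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.accounts[account] = {"salt": salt, "pw_hash": pw_hash,
                                  "phone": phone, "bound_device": None}

    def _password_ok(self, account, password):
        acct = self.accounts.get(account)
        if acct is None:
            return False
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(cand, acct["pw_hash"])

    def request_bonding(self, account, password, device_id, now=None):
        """Steps 1 and 2: a (re)bonding request from device_id; server texts a code."""
        if not self._password_ok(account, password):
            return False
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        # Only a hash of the live code is stored; the attempt limit, not the hash,
        # is what protects the tiny 6-digit space.
        self.pending[account] = {"code_hash": hashlib.sha256(code.encode()).digest(),
                                 "device_id": device_id,
                                 "expires": now + OTP_TTL_SECONDS, "attempts": 0}
        # The code goes to the phone number on file, not to the requesting device.
        self.sms_gateway.append((self.accounts[account]["phone"], code))
        return True

    def confirm_bonding(self, account, device_id, code, now=None):
        """Steps 3 and 4: whoever presents a valid code gets device_id bound.

        Checked here: freshness, attempt count, code value. Nothing in this
        check can tell whether device_id belongs to the account holder.
        """
        ch = self.pending.get(account)
        now = time.time() if now is None else now
        if ch is None or ch["device_id"] != device_id:
            return False
        if now > ch["expires"] or ch["attempts"] >= MAX_ATTEMPTS:
            del self.pending[account]
            return False
        ch["attempts"] += 1
        presented = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(presented, ch["code_hash"]):
            return False
        self.accounts[account]["bound_device"] = device_id
        del self.pending[account]
        return True

    def authorized_device(self, account):
        return self.accounts[account]["bound_device"]


def demonstrate():
    """Legitimate bonding, then a bonding change by a thief who has the password
    and can read the victim's SMS (simulated by reading the gateway queue)."""
    srv = BondingServer()
    pw = "correct horse battery staple"          # constructed credentials
    srv.register("alice", pw, "+15550100")

    srv.request_bonding("alice", pw, "alice-phone")
    _, code = srv.sms_gateway[-1]
    legit = srv.confirm_bonding("alice", "alice-phone", code)

    # Thief uses the stolen password to request a change from his own device.
    srv.request_bonding("alice", pw, "thief-phone")
    _, leaked = srv.sms_gateway[-1]              # obtained via diversion / Trojan
    guess = "000000" if leaked != "000000" else "000001"
    wrong = srv.confirm_bonding("alice", "thief-phone", guess)   # hygiene works ...
    takeover = srv.confirm_bonding("alice", "thief-phone", leaked)  # ... but so does this

    return {"legit_bound": legit, "wrong_code_rejected": not wrong,
            "takeover_succeeded": takeover,
            "device_now_authorized": srv.authorized_device("alice")}


def expired_code_is_rejected():
    """A stale code is refused even when correct; the TTL path is exercised."""
    srv = BondingServer()
    srv.register("bob", "pw", "+15550101")
    srv.request_bonding("bob", "pw", "bob-phone", now=1000.0)
    _, code = srv.sms_gateway[-1]
    return not srv.confirm_bonding("bob", "bob-phone", code, now=1000.0 + OTP_TTL_SECONDS + 1)


if __name__ == "__main__":
    print(demonstrate(), expired_code_is_rejected())
```

The point of the run is in the last two calls of demonstrate(): the server rejects a wrong guess and would reject an expired code, yet it accepts the intercepted code from "thief-phone" and rebinds the account to it, because the only evidence it ever checks is possession of the code, which says nothing about who owns the device presenting it.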
In practice, this bonding authorization process poses serious security risks. First, a thief who has stolen the user's account and password can perform the initial bonding using the thief's own mobile device. Second, in the current network environment, leakage of SMS verification codes is a serious problem. Even when the account is already bound to an authorized mobile device, a thief who has stolen the account and password may still be able to change the bonding, either by diverting the SMS through deception or by using a Trojan installed on the user's mobile device to capture the SMS verification code. By such fraudulent means, the thief can replace the user's already-authorized mobile device with the thief's own.
Because existing techniques cannot determine whether a client device really belongs to the account owner, and can perform bonding authorization only by means of an SMS verification code, an application provider cannot tell whether the client device about to be bound to an account actually belongs to the account holder. The application provider is therefore unable to eliminate these security risks and may end up binding a thief's device to a user account, giving the thief an illegitimate opportunity while causing unnecessary trouble and financial loss to the legitimate user.