Information security is important in many service applications, especially in the financial field, where payment security has always drawn a lot of attention. Currently, one payment method is to perform authentication via a communication terminal using short messages and then finish the payment. The method takes advantage of the great number of users of communication terminals (including cell phones, Personal Handy-phone System terminals and other devices capable of short message interaction) and the growing number of issued bank cards. By binding a bank account or a third-party virtual account to a communication terminal, SMS (Short Messaging Service) messages can be sent via the communication terminal to a particular service number for account transfer, product purchase, etc.
Now refer to FIG. 1, which illustrates the current method for authentication via a communication terminal using short messages. First, with the short message interaction function of a communication terminal 101, a user inputs important information such as payee's account, payment amount and payment password, which is sent in a particular format to a short message interaction system 102. The short message interaction system 102 extracts key information from the received short message, including the number of the communication terminal that sent the short message, payee's account identifier, payment amount and payment password, finds a payment account with which the communication terminal number has a binding relationship, and forwards information such as the payment account identifier, payee's account identifier, payment amount and payment password to a payment system 103. The payment system 103 receives the payment request, transfers the payment amount from the payment account of the user to the payee's account after it determines that the payment password inputted by the user is correct and returns operation information to the user.
During the above procedure, the biggest challenge for short message payment via communication terminals is security. Currently, the short message interaction system 102 is normally run by a proxy SP (Service Provider), and short message interactions are done in plaintext (unencrypted data format). Furthermore, the transfer information that the user inputs is sent as a plaintext short message, and the short messages sent by the user are stored in plaintext on the user's communication terminal. Therefore, the payment information of the user is at risk in the following two respects:
The first risk occurs when the proxy SP forwards the short message. Because the content of the short message is extracted at the proxy SP end, if the proxy SP leaks important information such as the payment account identifier, payment password, payee's account identifier and payment amount to other people, a lot of damage may be done to the user. For example, someone may change the payee's account and the payment amount to his own account and a greater amount, or take money directly from the payment account using the payment password. The second risk occurs when sent short messages stored in the user's communication terminal are viewed by other people. Important information such as the payment password, payee's account identifier and payment amount can then also easily be leaked and illegally used by other people.
In addition, current short message gateways have stability issues; the loss rate and delay rate of short messages are relatively high. If the short message indicating successful payment is not received in time, the user may initiate the transaction repeatedly; or, when the waiting time expires, the short message system resends the message. Either of these may lead to the user paying twice, or even three times, for one transaction.
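The following Python sketch, added here as an illustration and not part of the original text, models the FIG. 1 flow to make the risks above concrete: the proxy SP reads every field including the payment password, the terminal keeps the sent message in plaintext, and a resent message is paid twice. The message format `PAY <payee> <amount> <password>`, the account names, the terminal number and all class and function names are assumptions made for the example.

```python
# Added illustration, not from the original text. The message format
# "PAY <payee> <amount> <password>", the account names, the terminal number
# and all class/function names are constructed assumptions.
from dataclasses import dataclass, field


@dataclass
class PaymentSystem:  # payment system 103
    passwords: dict   # payment account -> payment password
    balances: dict    # account -> balance

    def pay(self, payer, payee, amount, password):
        if self.passwords.get(payer) != password:
            return "REJECTED"
        self.balances[payer] -= amount
        self.balances[payee] = self.balances.get(payee, 0) + amount
        return "OK"  # every accepted request moves money; nothing detects repeats


@dataclass
class SmsInteractionSystem:  # short message interaction system 102 (proxy SP)
    bindings: dict           # terminal number -> bound payment account
    payment: PaymentSystem
    visible_to_sp: list = field(default_factory=list)

    def handle(self, sender_number, text):
        _, payee, amount, password = text.split()   # plaintext fields
        payer = self.bindings[sender_number]
        # The SP has to read every field to forward it, password included.
        self.visible_to_sp.append((payer, payee, int(amount), password))
        return self.payment.pay(payer, payee, int(amount), password)


def run_demo():
    pay = PaymentSystem({"ACC-A": "4321"}, {"ACC-A": 500, "ACC-B": 0})
    sp = SmsInteractionSystem({"+10000000001": "ACC-A"}, pay)
    sent_folder = []  # terminal 101 stores sent messages in plaintext
    msg = "PAY ACC-B 100 4321"
    results = []
    # The success notification is lost or delayed, so the message goes out twice.
    for _ in range(2):
        sent_folder.append(msg)
        results.append(sp.handle("+10000000001", msg))
    return pay.balances, sp.visible_to_sp, sent_folder, results


if __name__ == "__main__":
    print(run_demo())
```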