Flaws & Frauds Hindering Credit Cards Security

Transcription

1 Flaws & Frauds Hindering Credit Cards Security Abhishek Maheshwari #1, S.K. Saritha *2 # Department of Computer Science & Engineering, Maulana Azad National Institute of Technology Bhopal, Madhya Pradesh, India * Department of Computer Science & Engineering, Maulana Azad National Institute of Technology Bhopal, Madhya Pradesh, India Abstract - In today s world, people are mobilizing at a fast pace. No one has the time to draw cash from the bank or any other financial institution for the purpose of making transactions. To overcome this bank issues credit cards to fulfil the need of their customers. Due to this, a large collection of cards are being issued to the customers and simultaneously validating these cards is a necessary task. At Present, Verhoeff and Luhn algorithm are the two famous card validation algorithms exists. There are many instances reflecting limitations in these algorithms. With the advancement of technology today, an enhanced validation technique is required to use these cards safely in the evolving e-market. In this paper, an overview of these validating algorithms which was proposed w.r.t credit cards is enlightened. It also helps to overcome the limitations of existing algorithms stated above. In addition, the frauds associated with the payment industry hindering the security are also been highlighted here. MII (Major Industry Identifier): The first digit of Credit Card number is MII, which represents the category of entity as shown in Table 1 [4]. MII Digit Value 0 Table 1: MII digit values 1 Airlines Issuer Category ISO/TC 68 and other industry assignments Keywords- Credit card, Verhoeff Algorithm, Luhn Algorithm 2 Airlines and other industry assignments I. INTRODUCTION Credit cards [1] are the simplest mode of payment while doing any sort of transactions. It is issued by financial banks or organizations enabling its customer an alternative method to borrow funds, easy transactions and transfers. Credit card industry has evolved over a period of time. It charges various fees either quarterly, half yearly or sometimes annually for its services. It provides facilities to the customer for using this card anywhere, anytime round the globe. Credit card is small size plastic cards, having its details printed on the front and on magnetic stripe at the back. This helps in accessing their details on transaction. They can make online transactions too. The size of most credit cards is 3 3/8 2 1/8 in ( mm), compliant to the ISO/IEC 7810 ID-1 standard. Credit cards have a printed or embossed bank card number complying with the ISO/IEC 7812 numbering standard. The specifications for credit card numbering is been drawn by the International Organization for Standardization (ISO/IEC :1993) and the American National Standards Institute (ANSI X4.13) [2]. According to the standards, numbers in the Credit card is broadly classified [3] into four attributes, namely: 3 Travel and entertainment 4 Banking and financial 5 Banking and financial 6 Merchandizing and banking 7 Petroleum 8 Telecommunications and other industry assignments 9 National assignment IIN/BIN (Issuer Identification Number/ Bank Identification Number): The first six digits of credit card number (including the initial MII digit) form the issuer identifier is IIN/BIN. Account Identifier/Number: The digits from 7 to (n-1) of credit card number represent Account Identifier or Account Number. Checksum: The last digit of credit card number is a check digit. It is used to validate whether the card number is unique or not. ISSN: Page 26

2 Through this process the whole sequence is Using six digit numbers as stated in [6], Verhoeff analyzed for its uniqueness. reported the following classification of errors in Table 2: Table 2: Classification of Errors Figure 1: Different Attributes of Credit Card II. RELATED WORK Over a period of time several attempts have been made to provide a concrete algorithm to uniquely identify the sequencing number for the validation purpose. In those of many, only Verhoeff, Luhn validation algorithm suitably fit. They both work on a unique methodology to provide the checksum & then validating each of the sequencing numbers. A. ERROR DETECTING DECIMAL CODES Verhoeff Algorithm is a checksum formula [5] developed by the Dutch mathematician Jacobus Verhoeff for detecting errors and was published in Verhoeff had an aim of finding a decimal code, where the check digit is a simple decimal digit. It can detect all single-digit errors and all transpositions of adjacent digits. This algorithm was the first decimal check digit algorithm which identifies all transposition and single-digit errors involving two adjacent digits which at that time thought impossible to exists. He based the assessment of different codes on real time data from the Dutch postal system, using a weighted point system for different categories of errors. The study broke the errors down into a number of classifications. Verhoeff formulated his algorithm using the properties of the dihedral group of order 10 i.e., D 10 (a non-commutative system of operations on 10 elements, which corresponds to the rotation & reflection of a regular pentagon), combined with a permutation. The Verhoeff algorithm can be implemented [7] using three tables: a multiplication table d as shown in Table 3, an inverse table inv in Table 4, and a permutation table p in Table 5. Here, the multiplication table d is based on multiplication in the dihedral group D 5 [8] which represent the Cayley table of the non-commutative group i.e., for some value of j and k, d(j,k) d(k,j). The inverse table inv denotes multiplicative inverse of a digit i.e., d(j,inv(j)) = 0. And finally the permutation table p relates a permutation to each digit based on its position in the number. Here a single permutation ( )(3 6) is iteratively been used i.e., p(i+j,n) = p(i,p(j,n)). ISSN: Page 27

3 The Verhoeff checksum calculation follows the following steps: Step 1: Construct an array n from the individual digits of the number, taken in reverse order i.e., rightmost digit is n 0 then n 1 and so on. Step 2: Set the checksum c to zero. Step 3: For each index i of the array n, starting at zero, replace c with d(c, p (i mod 8, n i )). To generate a check digit, append a zero and then calculate, the check digit should be inv(c). The original number validates only when c is zero, else invalid. Considering an illustration of generating a check digit for a number say 236 and then validating it, is as shown in the Table 6 and Table 7. Here, in the Table 6, c is 2 so the check digit is inv (2) which is 3. And correspondingly in Table 7, c is zero, so the checksum is correct. Finally the correct validating sequence will be Despite of its unique nature of finding all transposition and single-digit errors involving in two adjacent digits at that time, it had some limitations like: Technology Limitations: The technology was in the initial stages that the time of development of algorithm. So it looks hard to generate and validate the check digit using the algorithm using device. High complexity: The whole mathematical evaluation process requires to uphold three matrix side by side. Therefore, the overall method seems highly complex. Feasibility Issues: Because of not having ample support of technology at time around 1969, feasibility of the whole process was in question. Storage Space: The process requires maintain the matrixes: Multiplication matrix (d), Inverse matrix (inv), and the Permutation matrix (p) together for the computations purpose. Hence each time, more storage space is required which is costly enough practically. B. LUHN ALGORITHM The process used to determine the check digit is the Luhn Algorithm (or mod 10), named after IBM scientist Hans Peter Luhn, patented [9] in the year The following are the steps carried out in the Luhn algorithm [10] [11]: Step 1: Starting from right hand side of the card number, skip the last digit i.e., Consider a 16 digit card number Here we skip the last digit 4. Step 2: Double every alternate number starting from n-1.i.e., in n-digit number, double the digits at (n-1), (n-3), (n-5) positon and so on. Step 3: Write down the rest of the number as it is i.e., write the digits at position (n), (n-2), (n-4), (n-6) and so on, as they are. Step 4: If the doubled number from step 2 have two digits, then add them together i.e., if number is 14, then 1+4=5. Step 5: Add together all the digits in the card i.e., adding digits, (n) + (n-1) + (n-2) Step 6: Calculate mod 10 of that number, if zero, then valid otherwise declare invalid i.e., if total sum of digit is divided by 10 completely, then valid, else invalid. At present, Luhn algorithm works behind the credit card validation. Due to its simplicity, it has some limitations, like: 1. It is not intended to be cryptographically secure hash function (not following One-way function) i.e. card numbers travels over a ISSN: Page 28

4 network in a readable form, which enables anyone to easily look into the network and illegally use the details of the customer. 2. It is not protected against malicious attacks. As the information flows in a readable form, so it is easy for an attacker to collect the information flowing through. 3. It cannot detect the transposition of the two digit sequence. i.e., <first-validcharacter><last-valid-character> to <lastvalid-character><first-valid-character> (or vice-versa). 4. It fails to distinguish credit cards from one another (i.e., Master Card, VISA, etc.) [12]. For example shown in the Figure 2, first two digit of Master Card number is been altered such that the overall checksum remains the same but it validates VISA card as shown in Figure 3. Figure 2: Master Card number Figure 3: After altering starting two digits of the card number 5. It fails to determine the length of the credit card number [12]. For example: as shown in Figure 4, 16-digit card validates Master Card, then after trimming the last three digits, it comes to 13-digit as shown in Figure 5. But it still validates without giving any error. Figure 4: Before trimming the card number Figure 5: After trimming the last three digit of card number C. TYPES OF CREDIT CARD FRAUDS Credit Card has become an important source of payment both online as well as for traditional payments. This increases the chance of occurrence of fraud [13]. Though the incidences reported are limited to only 0.1% of the total transactions which causes a big loss as fraudulent transactions have ISSN: Page 29

5 been bulky transaction values [14]. As the technology is advancing day by day, so is the level of fraudster s activities. Some of the commonly occurred frauds [15] that are reported [16] are: Application Fraud: When the users apply for the credit card, they present their personal credentials at the time of issuing card. This information may include details like landline number, communication address, address and etc. Using these details application fraud can be done. There are three common ways of committing application fraud: 1. Assumed Identity: In it, a fraud individual illegally obtains credentials of legitimate individual and enjoys services using partially legitimate information. 2. Financial Fraud: In it, an individual provides false information about his or her financial status to illegally acquire credit. 3. Postal Intercepts Fraud: In it, card is stolen from the postal service before it reaches its owner s destination place. Lost or Stolen Cards: In it, legitimate individual misplaces his or her card due to some absence of mind or someone steals it for criminal purpose. This type of fraud is the easiest to get hold of individual s credit card. Fake or Counterfeit Cards: The designing of counterfeit card, together with the lost/stolen poses the utmost threat in the credit card frauds. For designing false and counterfeit cards. A fraud person can tamper with the card by wiping out the metallic magnetic strip with the help of powerful electro-magnet. He then tampers with the details on the card so that details matches with the genuine card e.g., consider fraud person gives the credit card at the terminal, the cashier will swipe the card several times, before understanding that the magnetic strip does not work. The cashier will then manually input the details of the card into the system. But this is outmoded with the introduction of hologram and lot of other security feature in the card. Duplicate Site: Criminals are high-tech today. They are using technology merely for the purpose of destruction only. They design the duplicate site which has very close resemblance with the genuine site in order to get confidential data from the victim user. Genuine users buy products giving all the credit card information on the site and get trapped. The criminals get all the details for accessing the card, thus make them ready to do some criminal offence. Skimming: It is a theft of payment card information used in a legitimate transaction. Here the original data stored on the card s magnetic stripe is electronically transferred onto another. This makes criminals to read the details of the cardholder illegally and use further into some other transaction process. Skimming takes place without the consent of card holder and thus it is very difficult to trace back. The card holder is uninformed of the fraud until a statement arrives displaying the purchases they did not make. Merchant Collision: In this type of fraud, merchant and/or their associated employees leak out the details of their customer s account and/or personal information to the fraud person. Triangulation: In this type of fraud, someone operates from the website. Goods displayed are heavily discounted on the e- commerce site. The deal looks appealing to the customers. The customer place the order online by providing true details such as name, communication address, mobile number, valid credit card details. Once the fraud person has enough information, he purchases other goods using the credit card details of the customer. BIN Fraud: In it, credit cards are produced in the BIN ranges. Issuer authorities or institutions do not uses random generation of the card number. In this case attacker may obtain one genuine card number and generate several other valid card numbers simply by changing the last four numbers using a generator. The expiry date of these cards would be same as that of the acquired card. Thus attacker has several cards with sufficient information to make some criminal offense. Tele Phishing: In this, attacker attain the list of customers details, such as name, communication address, phone number so as to feel them that they are talking to some trusted organization or institution over some sensitive information such as credit card details, bank account number, etc. Once the trust is established in between, the customer spit out all the information to the attacker and becomes a victim himself. III. CONCLUSIONS Internet miscreants of all sorts have bundled together and form an explicit threat over the e-market. The existing Luhn validation algorithm despite of gaining popularity suffers from variety of weaknesses as discussed in section B, which hinders its functionality as well as the trust of its genuine users. In section C, some of the well identified frauds are also been discussed which obstructs the normal functioning of the system due to the mischievous or ISSN: Page 30

6 criminal offensive activities of the attacker targeting the genuine customer. Over a period of time, as the technology advances, in future, one cannot neglect the existence of other types of loopholes in these validating algorithms. Fraudster coming up with new enhanced techniques to breach the security. With government, different regulatory bodies should come up to perform risk assessments of credit card issuers on regular basis in order to avoid such type of frauds. Awareness, in both, the industry and the customer will always be an advantage. In this paper, an enriching light on various aspects of flaws and frauds which obstructed in the payment card security are identified from the previous existing instances. The available validation algorithms are discussed and existing limitations are explored in depth with the aim of highlighting loopholes present in the system.working on these boundaries helps to enhance the system and in future designing it to make more secure as well as trustworthy. We consider this study as an initial step towards the safer use of the credit cards. It also provides new directions and insight into the state of privacy and information security Numbers in IJCSMS, Vol.2, Issue.7, July 2013, pg , ISSN X [13] Credit Card Fraud ( [14] Hassibi PhD, Khosrow (2000). Chapter 9 on Detecting Payment Card Fraud with Neural Networks in book in Business Applications of Neural Networks, Singapore-New Jersey-London-Hong Kong: World Scientific ISBN [15] Eswari.M, Navaneetha Krishnan.M, Survey on Various Types of Credit Card Fraud and Security Measures, IJARCSSE, Vol. 1, Issue 4, January 2014, ISSN: X. [16] Tej Paul Bhatla, Vikram Prabhu,Amit Dua, Understanding Credit Card Frauds, Tata Consultancy Services Card, Business Review 2003#01 ( bhatla.pdf) REFERENCES [1] Credit Cards ( [2] [2] ISO/IEC :2006 Identification Card Identification of Issuer ( _detail.htm?csnumber=39698) [3] Credit Cards meaning ( [4] Bank Card Number ( [5] Verhoeff algorithm ( [6] J. Verhoeff, Error Detecting Decimal Codes. (Mathematical Centre Tracts, 29), ZAMM - Journal of Applied Mathematics and Mechanics, Volume 51, Issue 3, pages , 1971 [7] Salomon, David, Coding for Data and Computer Communications, Springer. p. 56. ISBN [8] Gallian, Joseph A. (2010). Contemporary Abstract Algebra (7th ed.). Brooks/Cole. p ISBN ( =PA111&lpg=PA111&dq=verhoeff+check+digit&source=bl &ots=nqn1lc4h3z&sig=4cwknr6vvesegprwuzeotpx ZfA8&hl=en&ei=WNpXTsXdHLPSiAKm_LimCQ&sa=X& oi=book_result&ct=result#v=onepage&q=verhoeff%20check %20digit&f=false) [9] U.S Patent 2, 950, 0450 ( Computer for Verifying Numbers, Hans P. Luhn, August [10] Luhn Algorithm ( [11] Anibrika, B. S. K. (2014). Validation of Credit Card Numbers Using the C# Programming Language. Africa Development and Resources Research Institute Journal, Ghana: Vol. 10, No. 10(2). [12] Khalid Waleed Hussein, Dr. Nor Fazlida Mohd. Sani, Professor Dr. Ramlan Mahmod, Dr. Mohd. Taufik Abdullah, Enhance Luhn Algorithm for Validation of Credit Cards ISSN: Page 31