Flaws & Frauds Hindering Credit Cards Security

Similar documents
Enhance Luhn Algorithm for Validation of Credit Cards Numbers

Credit Card Fraud Detection using Hidden Morkov Model and Neural Networks

Understanding Credit Card Frauds

Anatomy of Credit card Numbers

Check Digit Schemes and Error Detecting Codes. By Breanne Oldham Union University

Identification Numbers and Check Digits 1

Merchant Guide to the Visa Address Verification Service

THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP

Guide to credit card security

How To Spot & Prevent Fraudulent Credit Card Activity

Fraud Minimisation Guide ANZ Merchant Business Solutions

How To Process Credit Card Receipts

Market Intelligence Cell. Fighting Financial Crime

Merchant Best Practices & Guidelines

EMV and Restaurants: What you need to know. Mike English. October Executive Director, Product Development Heartland Payment Systems

EMV and Small Merchants:

BWA Merchant Services. Credit Card Fraud Protection User Guide

The need for a secure & trusted payment instrument in e-commerce. Ali AlMeshal

WHITEPAPER. V12 Group West Front Street, Suite 410 Red Bank, NJ

A Secured Approach to Credit Card Fraud Detection Using Hidden Markov Model

TOP TRUMPS Comparisons of how to pay for goods and services online

Steps for staying PCI DSS compliant Visa Account Information Security Guide October 2009

Langara College PCI Awareness Training

ONLINE CREDIT CARD FRAUD PREVENTION SYSTEM FOR DEVELOPING COUNTRIES

Figure 1: Attacker home-made terminal can read some data from your payment card in your pocket

Mitigating Fraud Risk Through Card Data Verification

Payment systems. Tuomas Aura T Information security technology

Sending money abroad. Plain text guide

Beyond passwords: Protect the mobile enterprise with smarter security solutions

Protecting the POS Answers to Your Frequently Asked Questions

AIB Merchant Services AIB Merchant Services Quick Reference Guide Ingenico

Payment Systems Department

MARYLAND IDENTITY THEFT RANKING BY STATE: Rank 10, 85.8 Complaints Per 100,000 Population, 4821 Complaints (2007) Updated January 29, 2009

Avoiding Fraud. Learn to recognize the warning signs for fraud and follow these card acceptance guidelines to reduce your risk.

Yes, your card will expire at a given date, which is printed on the front of your card.

Credit Card PIN & PAY Frequently Asked Questions (FAQ)

Actorcard Prepaid Visa Card Terms & Conditions

The Merchant. Skimming is No Laughing Matter. A hand held skimming device. These devices can easily be purchased online.

Payment Fraud Statistics

White paper. Biometrics and the mitigation of card-related fraud

Securing the Payments System. The facts about fraud prevention

Payment Card Industry Data Security Standard PCI DSS

IDENTITY THEFT WHAT YOU NEED TO KNOW. Created by GL 04/09

An Introduction to Cryptography and Digital Signatures

Payments Fraud Best Practices

Electronic Commerce and E-wallet

A multi-layered approach to payment card security.

INTERNET SECURITY SEMINAR

MISSISSIPPI IDENTITY THEFT RANKING BY STATE: Rank 32, 57.3 Complaints Per 100,000 Population, 1673 Complaints (2007) Updated December 21, 2008

Helping you to protect yourself against fraud and financial crime

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Payments Transformation - EMV comes to the US

VISA. Classic. Credit Card. Agreement and Disclosure Statement. Classic. Federally insured by NCUA

Statistics in Retail Finance. Chapter 7: Fraud Detection in Retail Credit

Whitepaper on AuthShield Two Factor Authentication with ERP Applications

EMV EMV TABLE OF CONTENTS

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

Merchant Business Solutions. Protecting business against credit card fraud.

ISO27001 Controls and Objectives

Enhancing Payment Card Security New Measures to be Phased in from 2 nd Quarter 2010 to 1 st Quarter 2011

Financial Transactions and Fraud Schemes

Fraud Management in the Credit Card Industry 1

Prevention Is Better Than Cure EMV and PCI

Fraud Prevention Issuer s Best Practice Guide

AUSTRALIAN PAYMENTS FRAUD DETAILS AND DATA

Research Article. Research of network payment system based on multi-factor authentication

TERMS AND CONDITIONS FOR THE ICICI BANK INDIAN RUPEE TRAVEL CARD

Check Digits for Detecting Recording Errors in Horticultural Research: Theory and Examples

STATE BANK OF INDIA. Rules and Regulations of Internet Banking. General Information:

University of York Policy on the Management of Debit/ Credit Card Data

Cumberland Business Debit Card. Terms & Conditions

With the Target breach on everyone s mind, you may find these Customer Service Q & A s helpful.

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

Unauthorized Use of the GPC Page 1 of 29 Welcome to Unauthorized Use of the GPC

Ti ps. Merchant. for Credit Card Transactions. Processing Tips CARD ONE INTERNATIONAL INC

Payment systems. Tuomas Aura T Information security technology. Aalto University, autumn 2012

Data Mining Application for Cyber Credit-card Fraud Detection System

Chargeback Reason Code List - U.S.

SMARTCARD FRAUD DETECTION USING SECURE ONETIME RANDOM MOBILE PASSWORD

Where every interaction matters.

Monitoring Data Integrity while using TPA in Cloud Environment

Integrated EFTPOS User Guide

Prepared testimony of W. Joseph Majka Head of Fraud Control and Investigations Visa Inc.

Merchant Services. How to help protect your business

Protect Your Personal Information. Tips and tools to help safeguard you against identity theft

Advanced Authentication

Recurrent Patterns Detection Technology. White Paper

Transcription:

Flaws & Frauds Hindering Credit Cards Security Abhishek Maheshwari #1, S.K. Saritha *2 # Department of Computer Science & Engineering, Maulana Azad National Institute of Technology Bhopal, Madhya Pradesh, India * Department of Computer Science & Engineering, Maulana Azad National Institute of Technology Bhopal, Madhya Pradesh, India Abstract - In today s world, people are mobilizing at a fast pace. No one has the time to draw cash from the bank or any other financial institution for the purpose of making transactions. To overcome this bank issues credit cards to fulfil the need of their customers. Due to this, a large collection of cards are being issued to the customers and simultaneously validating these cards is a necessary task. At Present, Verhoeff and Luhn algorithm are the two famous card validation algorithms exists. There are many instances reflecting limitations in these algorithms. With the advancement of technology today, an enhanced validation technique is required to use these cards safely in the evolving e-market. In this paper, an overview of these validating algorithms which was proposed w.r.t credit cards is enlightened. It also helps to overcome the limitations of existing algorithms stated above. In addition, the frauds associated with the payment industry hindering the security are also been highlighted here. MII (Major Industry Identifier): The first digit of Credit Card number is MII, which represents the category of entity as shown in Table 1 [4]. MII Digit Value 0 Table 1: MII digit values 1 Airlines Issuer Category ISO/TC 68 and other industry assignments Keywords- Credit card, Verhoeff Algorithm, Luhn Algorithm 2 Airlines and other industry assignments I. INTRODUCTION Credit cards [1] are the simplest mode of payment while doing any sort of transactions. It is issued by financial banks or organizations enabling its customer an alternative method to borrow funds, easy transactions and transfers. Credit card industry has evolved over a period of time. It charges various fees either quarterly, half yearly or sometimes annually for its services. It provides facilities to the customer for using this card anywhere, anytime round the globe. Credit card is small size plastic cards, having its details printed on the front and on magnetic stripe at the back. This helps in accessing their details on transaction. They can make online transactions too. The size of most credit cards is 3 3/8 2 1/8 in (85.60 53.98 mm), compliant to the ISO/IEC 7810 ID-1 standard. Credit cards have a printed or embossed bank card number complying with the ISO/IEC 7812 numbering standard. The specifications for credit card numbering is been drawn by the International Organization for Standardization (ISO/IEC 7812-1:1993) and the American National Standards Institute (ANSI X4.13) [2]. According to the standards, numbers in the Credit card is broadly classified [3] into four attributes, namely: 3 Travel and entertainment 4 Banking and financial 5 Banking and financial 6 Merchandizing and banking 7 Petroleum 8 Telecommunications and other industry assignments 9 National assignment IIN/BIN (Issuer Identification Number/ Bank Identification Number): The first six digits of credit card number (including the initial MII digit) form the issuer identifier is IIN/BIN. Account Identifier/Number: The digits from 7 to (n-1) of credit card number represent Account Identifier or Account Number. Checksum: The last digit of credit card number is a check digit. It is used to validate whether the card number is unique or not. ISSN: 2231-5381 http://www.ijettjournal.org Page 26

Through this process the whole sequence is Using six digit numbers as stated in [6], Verhoeff analyzed for its uniqueness. reported the following classification of errors in Table 2: Table 2: Classification of Errors Figure 1: Different Attributes of Credit Card II. RELATED WORK Over a period of time several attempts have been made to provide a concrete algorithm to uniquely identify the sequencing number for the validation purpose. In those of many, only Verhoeff, Luhn validation algorithm suitably fit. They both work on a unique methodology to provide the checksum & then validating each of the sequencing numbers. A. ERROR DETECTING DECIMAL CODES Verhoeff Algorithm is a checksum formula [5] developed by the Dutch mathematician Jacobus Verhoeff for detecting errors and was published in 1969. Verhoeff had an aim of finding a decimal code, where the check digit is a simple decimal digit. It can detect all single-digit errors and all transpositions of adjacent digits. This algorithm was the first decimal check digit algorithm which identifies all transposition and single-digit errors involving two adjacent digits which at that time thought impossible to exists. He based the assessment of different codes on real time data from the Dutch postal system, using a weighted point system for different categories of errors. The study broke the errors down into a number of classifications. Verhoeff formulated his algorithm using the properties of the dihedral group of order 10 i.e., D 10 (a non-commutative system of operations on 10 elements, which corresponds to the rotation & reflection of a regular pentagon), combined with a permutation. The Verhoeff algorithm can be implemented [7] using three tables: a multiplication table d as shown in Table 3, an inverse table inv in Table 4, and a permutation table p in Table 5. Here, the multiplication table d is based on multiplication in the dihedral group D 5 [8] which represent the Cayley table of the non-commutative group i.e., for some value of j and k, d(j,k) d(k,j). The inverse table inv denotes multiplicative inverse of a digit i.e., d(j,inv(j)) = 0. And finally the permutation table p relates a permutation to each digit based on its position in the number. Here a single permutation (1 5 8 9 4 2 7 0)(3 6) is iteratively been used i.e., p(i+j,n) = p(i,p(j,n)). ISSN: 2231-5381 http://www.ijettjournal.org Page 27

The Verhoeff checksum calculation follows the following steps: Step 1: Construct an array n from the individual digits of the number, taken in reverse order i.e., rightmost digit is n 0 then n 1 and so on. Step 2: Set the checksum c to zero. Step 3: For each index i of the array n, starting at zero, replace c with d(c, p (i mod 8, n i )). To generate a check digit, append a zero and then calculate, the check digit should be inv(c). The original number validates only when c is zero, else invalid. Considering an illustration of generating a check digit for a number say 236 and then validating it, is as shown in the Table 6 and Table 7. Here, in the Table 6, c is 2 so the check digit is inv (2) which is 3. And correspondingly in Table 7, c is zero, so the checksum is correct. Finally the correct validating sequence will be 2363. Despite of its unique nature of finding all transposition and single-digit errors involving in two adjacent digits at that time, it had some limitations like: Technology Limitations: The technology was in the initial stages that the time of development of algorithm. So it looks hard to generate and validate the check digit using the algorithm using device. High complexity: The whole mathematical evaluation process requires to uphold three matrix side by side. Therefore, the overall method seems highly complex. Feasibility Issues: Because of not having ample support of technology at time around 1969, feasibility of the whole process was in question. Storage Space: The process requires maintain the matrixes: Multiplication matrix (d), Inverse matrix (inv), and the Permutation matrix (p) together for the computations purpose. Hence each time, more storage space is required which is costly enough practically. B. LUHN ALGORITHM The process used to determine the check digit is the Luhn Algorithm (or mod 10), named after IBM scientist Hans Peter Luhn, patented [9] in the year 1954. The following are the steps carried out in the Luhn algorithm [10] [11]: Step 1: Starting from right hand side of the card number, skip the last digit i.e., Consider a 16 digit card number 5397373822153004. Here we skip the last digit 4. Step 2: Double every alternate number starting from n-1.i.e., in n-digit number, double the digits at (n-1), (n-3), (n-5) positon and so on. Step 3: Write down the rest of the number as it is i.e., write the digits at position (n), (n-2), (n-4), (n-6) and so on, as they are. Step 4: If the doubled number from step 2 have two digits, then add them together i.e., if number is 14, then 1+4=5. Step 5: Add together all the digits in the card i.e., adding digits, (n) + (n-1) + (n-2) +. + 2 + 1. Step 6: Calculate mod 10 of that number, if zero, then valid otherwise declare invalid i.e., if total sum of digit is divided by 10 completely, then valid, else invalid. At present, Luhn algorithm works behind the credit card validation. Due to its simplicity, it has some limitations, like: 1. It is not intended to be cryptographically secure hash function (not following One-way function) i.e. card numbers travels over a ISSN: 2231-5381 http://www.ijettjournal.org Page 28

network in a readable form, which enables anyone to easily look into the network and illegally use the details of the customer. 2. It is not protected against malicious attacks. As the information flows in a readable form, so it is easy for an attacker to collect the information flowing through. 3. It cannot detect the transposition of the two digit sequence. i.e., <first-validcharacter><last-valid-character> to <lastvalid-character><first-valid-character> (or vice-versa). 4. It fails to distinguish credit cards from one another (i.e., Master Card, VISA, etc.) [12]. For example shown in the Figure 2, first two digit of Master Card number is been altered such that the overall checksum remains the same but it validates VISA card as shown in Figure 3. Figure 2: Master Card number Figure 3: After altering starting two digits of the card number 5. It fails to determine the length of the credit card number [12]. For example: as shown in Figure 4, 16-digit card validates Master Card, then after trimming the last three digits, it comes to 13-digit as shown in Figure 5. But it still validates without giving any error. Figure 4: Before trimming the card number Figure 5: After trimming the last three digit of card number C. TYPES OF CREDIT CARD FRAUDS Credit Card has become an important source of payment both online as well as for traditional payments. This increases the chance of occurrence of fraud [13]. Though the incidences reported are limited to only 0.1% of the total transactions which causes a big loss as fraudulent transactions have ISSN: 2231-5381 http://www.ijettjournal.org Page 29

been bulky transaction values [14]. As the technology is advancing day by day, so is the level of fraudster s activities. Some of the commonly occurred frauds [15] that are reported [16] are: Application Fraud: When the users apply for the credit card, they present their personal credentials at the time of issuing card. This information may include details like landline number, communication address, email address and etc. Using these details application fraud can be done. There are three common ways of committing application fraud: 1. Assumed Identity: In it, a fraud individual illegally obtains credentials of legitimate individual and enjoys services using partially legitimate information. 2. Financial Fraud: In it, an individual provides false information about his or her financial status to illegally acquire credit. 3. Postal Intercepts Fraud: In it, card is stolen from the postal service before it reaches its owner s destination place. Lost or Stolen Cards: In it, legitimate individual misplaces his or her card due to some absence of mind or someone steals it for criminal purpose. This type of fraud is the easiest to get hold of individual s credit card. Fake or Counterfeit Cards: The designing of counterfeit card, together with the lost/stolen poses the utmost threat in the credit card frauds. For designing false and counterfeit cards. A fraud person can tamper with the card by wiping out the metallic magnetic strip with the help of powerful electro-magnet. He then tampers with the details on the card so that details matches with the genuine card e.g., consider fraud person gives the credit card at the terminal, the cashier will swipe the card several times, before understanding that the magnetic strip does not work. The cashier will then manually input the details of the card into the system. But this is outmoded with the introduction of hologram and lot of other security feature in the card. Duplicate Site: Criminals are high-tech today. They are using technology merely for the purpose of destruction only. They design the duplicate site which has very close resemblance with the genuine site in order to get confidential data from the victim user. Genuine users buy products giving all the credit card information on the site and get trapped. The criminals get all the details for accessing the card, thus make them ready to do some criminal offence. Skimming: It is a theft of payment card information used in a legitimate transaction. Here the original data stored on the card s magnetic stripe is electronically transferred onto another. This makes criminals to read the details of the cardholder illegally and use further into some other transaction process. Skimming takes place without the consent of card holder and thus it is very difficult to trace back. The card holder is uninformed of the fraud until a statement arrives displaying the purchases they did not make. Merchant Collision: In this type of fraud, merchant and/or their associated employees leak out the details of their customer s account and/or personal information to the fraud person. Triangulation: In this type of fraud, someone operates from the website. Goods displayed are heavily discounted on the e- commerce site. The deal looks appealing to the customers. The customer place the order online by providing true details such as name, communication address, mobile number, valid credit card details. Once the fraud person has enough information, he purchases other goods using the credit card details of the customer. BIN Fraud: In it, credit cards are produced in the BIN ranges. Issuer authorities or institutions do not uses random generation of the card number. In this case attacker may obtain one genuine card number and generate several other valid card numbers simply by changing the last four numbers using a generator. The expiry date of these cards would be same as that of the acquired card. Thus attacker has several cards with sufficient information to make some criminal offense. Tele Phishing: In this, attacker attain the list of customers details, such as name, communication address, phone number so as to feel them that they are talking to some trusted organization or institution over some sensitive information such as credit card details, bank account number, etc. Once the trust is established in between, the customer spit out all the information to the attacker and becomes a victim himself. III. CONCLUSIONS Internet miscreants of all sorts have bundled together and form an explicit threat over the e-market. The existing Luhn validation algorithm despite of gaining popularity suffers from variety of weaknesses as discussed in section B, which hinders its functionality as well as the trust of its genuine users. In section C, some of the well identified frauds are also been discussed which obstructs the normal functioning of the system due to the mischievous or ISSN: 2231-5381 http://www.ijettjournal.org Page 30

criminal offensive activities of the attacker targeting the genuine customer. Over a period of time, as the technology advances, in future, one cannot neglect the existence of other types of loopholes in these validating algorithms. Fraudster coming up with new enhanced techniques to breach the security. With government, different regulatory bodies should come up to perform risk assessments of credit card issuers on regular basis in order to avoid such type of frauds. Awareness, in both, the industry and the customer will always be an advantage. In this paper, an enriching light on various aspects of flaws and frauds which obstructed in the payment card security are identified from the previous existing instances. The available validation algorithms are discussed and existing limitations are explored in depth with the aim of highlighting loopholes present in the system.working on these boundaries helps to enhance the system and in future designing it to make more secure as well as trustworthy. We consider this study as an initial step towards the safer use of the credit cards. It also provides new directions and insight into the state of privacy and information security Numbers in IJCSMS, Vol.2, Issue.7, July 2013, pg. 262-272, ISSN2320-088X [13] Credit Card Fraud (http://en.wikipedia.org/wiki/credit_card_fraud) [14] Hassibi PhD, Khosrow (2000). Chapter 9 on Detecting Payment Card Fraud with Neural Networks in book in Business Applications of Neural Networks, Singapore-New Jersey-London-Hong Kong: World Scientific ISBN 978-9810240899 [15] Eswari.M, Navaneetha Krishnan.M, Survey on Various Types of Credit Card Fraud and Security Measures, IJARCSSE, Vol. 1, Issue 4, January 2014, ISSN: 2277 128X. [16] Tej Paul Bhatla, Vikram Prabhu,Amit Dua, Understanding Credit Card Frauds, Tata Consultancy Services Card, Business Review 2003#01 (http://www.popcenter.org/problems/credit_card_fraud/pdfs/ bhatla.pdf) REFERENCES [1] Credit Cards (http://en.wikipedia.org/wiki/credit_card) [2] [2] ISO/IEC 7812-1:2006 Identification Card Identification of Issuer (http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue _detail.htm?csnumber=39698) [3] Credit Cards meaning (http://www.computersolving.com/computer-tipstricks/what-your-credit-card-numbers-mean/) [4] Bank Card Number (http://en.wikipedia.org/wiki/bank_card_number) [5] Verhoeff algorithm (http://en.wikipedia.org/wiki/verhoeff_algorithm) [6] J. Verhoeff, Error Detecting Decimal Codes. (Mathematical Centre Tracts, 29), ZAMM - Journal of Applied Mathematics and Mechanics, Volume 51, Issue 3, pages 240 241, 1971 [7] Salomon, David, Coding for Data and Computer Communications, Springer. p. 56. ISBN 0-387-21245-0. [8] Gallian, Joseph A. (2010). Contemporary Abstract Algebra (7th ed.). Brooks/Cole. p. 111. ISBN 978-0-547-16509-7 (https://books.google.co.in/books?id=cnh3mlokpsmc&pg =PA111&lpg=PA111&dq=verhoeff+check+digit&source=bl &ots=nqn1lc4h3z&sig=4cwknr6vvesegprwuzeotpx ZfA8&hl=en&ei=WNpXTsXdHLPSiAKm_LimCQ&sa=X& oi=book_result&ct=result#v=onepage&q=verhoeff%20check %20digit&f=false) [9] U.S Patent 2, 950, 0450 (http://www.google.com/patents/us2950048), Computer for Verifying Numbers, Hans P. Luhn, August 23 1960 [10] Luhn Algorithm (http://en.wikipedia.org/wiki/luhn_algorithm) [11] Anibrika, B. S. K. (2014). Validation of Credit Card Numbers Using the C# Programming Language. Africa Development and Resources Research Institute Journal, Ghana: Vol. 10, No. 10(2). [12] Khalid Waleed Hussein, Dr. Nor Fazlida Mohd. Sani, Professor Dr. Ramlan Mahmod, Dr. Mohd. Taufik Abdullah, Enhance Luhn Algorithm for Validation of Credit Cards ISSN: 2231-5381 http://www.ijettjournal.org Page 31

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information