International Journal of Engineering Trends and Technology (IJETT) – Volume 24 Number 1 - June 2015
ISSN: 2231-5381

Flaws & Frauds Hindering Credit Cards Security

Abhishek Maheshwari #1, S.K. Saritha *2
#1 Department of Computer Science & Engineering, Maulana Azad National Institute of Technology, Bhopal, Madhya Pradesh, India
*2 Department of Computer Science & Engineering, Maulana Azad National Institute of Technology, Bhopal, Madhya Pradesh, India

Abstract - In today's world people are moving at a fast pace, and no one has the time to withdraw cash from a bank or other financial institution in order to make transactions. To overcome this, banks issue credit cards to meet the needs of their customers. As a result a large number of cards are issued, and validating these cards is a necessary task. At present, the Verhoeff and Luhn algorithms are the two well-known card validation algorithms. There are many instances reflecting the limitations of these algorithms. With the advancement of technology today, an enhanced validation technique is required to use these cards safely in the evolving e-market. This paper gives an overview of the validation algorithms that have been proposed for credit cards, and it also aims to help overcome the limitations of the existing algorithms stated above. In addition, the frauds associated with the payment industry that hinder its security are highlighted.

Keywords - Credit card, Verhoeff Algorithm, Luhn Algorithm

I. INTRODUCTION

Credit cards [1] are the simplest mode of payment for any sort of transaction. They are issued by banks or financial organizations, giving their customers an alternative way to borrow funds and an easy means of making transactions and transfers. The credit card industry has evolved over a period of time. It charges various fees, quarterly, half-yearly or sometimes annually, for its services, and it lets the customer use the card anywhere, at any time, around the globe. A credit card is a small plastic card with its details printed on the front and encoded on a magnetic stripe on the back; this allows the details to be accessed during a transaction, and the card can also be used for online transactions. The size of most credit cards is 3 3/8 × 2 1/8 in (85.60 × 53.98 mm), in compliance with the ISO/IEC 7810 ID-1 standard. Credit cards carry a printed or embossed bank card number complying with the ISO/IEC 7812 numbering standard. The specifications for credit card numbering have been drawn up by the International Organization for Standardization (ISO/IEC 7812-1:1993) and the American National Standards Institute (ANSI X4.13) [2]. According to these standards, the digits of a credit card number are broadly classified [3] into four attributes, namely:

MII (Major Industry Identifier): The first digit of the credit card number is the MII, which represents the category of the issuing entity, as shown in Table 1 [4].

Table 1: MII digit values
MII Digit Value   Issuer Category
0                 ISO/TC 68 and other industry assignments
1                 Airlines
2                 Airlines and other industry assignments
3                 Travel and entertainment
4                 Banking and financial
5                 Banking and financial
6                 Merchandizing and banking
7                 Petroleum
8                 Telecommunications and other industry assignments
9                 National assignment

IIN/BIN (Issuer Identification Number / Bank Identification Number): The first six digits of the credit card number (including the initial MII digit) form the issuer identifier, the IIN/BIN.

Account Identifier/Number: Digits 7 to (n-1) of the credit card number represent the account identifier or account number.

Checksum: The last digit of the credit card number is a check digit. It is used to validate whether the card number is unique or not.
http://www.ijettjournal.org

Through this process the whole sequence is analyzed for its uniqueness.

Figure 1: Different Attributes of Credit Card

II. RELATED WORK

Over a period of time several attempts have been made to provide a concrete algorithm that uniquely identifies the sequence number for validation purposes. Among them, only the Verhoeff and Luhn validation algorithms fit suitably. Both work on a unique methodology: they provide a checksum and then validate each sequence number.

A. ERROR DETECTING DECIMAL CODES

The Verhoeff algorithm is a checksum formula [5] for detecting errors, developed by the Dutch mathematician Jacobus Verhoeff and published in 1969. Verhoeff's aim was to find a decimal code whose check digit is a single decimal digit. The algorithm detects all single-digit errors and all transpositions of adjacent digits. It was the first decimal check digit algorithm to identify all transposition and single-digit errors involving two adjacent digits, something that at the time was thought impossible. He based his assessment of different codes on real data from the Dutch postal system, using a weighted point system for different categories of errors. The study broke the errors down into a number of classifications. Using six-digit numbers, as stated in [6], Verhoeff reported the classification of errors given in Table 2.

Table 2: Classification of Errors

The multiplication table d used by the algorithm is based on multiplication in the dihedral group D5 [8]; it is the Cayley table of a non-commutative group, i.e., for some values of j and k, d(j,k) ≠ d(k,j).

Verhoeff formulated his algorithm using the properties of the dihedral group of order 10, D10 (a non-commutative system of operations on 10 elements, corresponding to the rotations and reflections of a regular pentagon), combined with a permutation. The Verhoeff algorithm can be implemented [7] using three tables: a multiplication table d, shown in Table 3; an inverse table inv, in Table 4; and a permutation table p, in Table 5. The inverse table inv gives the multiplicative inverse of a digit, i.e., d(j, inv(j)) = 0. Finally, the permutation table p assigns a permutation to each digit based on its position in the number. A single permutation, (1 5 8 9 4 2 7 0)(3 6), is applied iteratively, i.e., p(i+j, n) = p(i, p(j, n)).

The Verhoeff checksum calculation follows these steps:

Step 1: Construct an array n from the individual digits of the number, taken in reverse order, i.e., the rightmost digit is n0, then n1, and so on.
Step 2: Set the checksum c to zero.
Step 3: For each index i of the array n, starting at zero, replace c with d(c, p(i mod 8, ni)).

In the illustration of Tables 6 and 7 (the number 236), c is 2 after the generation pass of Table 6, so the check digit is inv(2), which is 3; in the validation pass of Table 7, c is zero, so the checksum is correct. The correctly validating sequence is therefore 2363.

Despite its unique ability, at that time, to find all transposition and single-digit errors involving two adjacent digits, the algorithm had some limitations:

Technology Limitations: Technology was in its initial stages at the time the algorithm was developed, so generating and validating the check digit with a device looked hard.

High complexity: The whole mathematical evaluation requires keeping three matrices side by side, so the overall method appears highly complex.
Feasibility Issues: Because of the lack of adequate technological support around 1969, the feasibility of the whole process was in question.

Storage Space: The process requires maintaining the three matrices together for the computations: the multiplication matrix (d), the inverse matrix (inv) and the permutation matrix (p). Hence more storage space is required each time, which in practice is costly.

To generate a check digit, append a zero and then run the calculation; the check digit is inv(c). An original number validates only when c is zero; otherwise it is invalid. Tables 6 and 7 illustrate generating a check digit for the number 236 and then validating the result.

B. LUHN ALGORITHM

The process used to determine the check digit is the Luhn algorithm (or mod 10), named after the IBM scientist Hans Peter Luhn and patented [9] in 1954. The Luhn algorithm [10] [11] carries out the following steps:

Step 1: Starting from the right-hand side of the card number, skip the last digit. For example, in the 16-digit card number 5397373822153004, skip the last digit, 4.
Step 2: Double every alternate digit starting from n-1, i.e., in an n-digit number, double the digits at positions (n-1), (n-3), (n-5), and so on.
Step 3: Write down the rest of the digits as they are, i.e., the digits at positions (n), (n-2), (n-4), (n-6), and so on.
Step 4: If a doubled number from Step 2 has two digits, add them together, e.g., if the number is 14, then 1 + 4 = 5.
Step 5: Add together all the digits of the card, i.e., (n) + (n-1) + (n-2) + ... + 2 + 1.
Step 6: Take the sum mod 10: if it is zero the number is valid, otherwise it is invalid; i.e., if the total sum of digits is exactly divisible by 10, the number is valid, else invalid.

At present, the Luhn algorithm is what works behind credit card validation. Because of its simplicity, it has some limitations, which are listed below.
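As an added example, not code from the paper, the Verhoeff procedure of Section A and the Luhn procedure of Section B are implemented side by side with the standard d, inv and p tables: the block reproduces the 236 → 2363 illustration, checks the card number 5397373822153004 from the Luhn steps, and uses a constructed payload 7809 to show an adjacent 09/90 transposition that the Luhn mod-10 check accepts but the Verhoeff tables reject. The payloads 7809, 4697373822153004 and 539737382215 are constructed for this demonstration and are not from the paper.

```python
"""Verhoeff (three-table) and Luhn (mod 10) check digits side by side.
Added example, not the paper's code; 7809, 4697373822153004 and
539737382215 are payloads constructed here for illustration."""

# Verhoeff multiplication table d: the Cayley table of the dihedral group D5.
D = [[0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
     [2, 3, 4, 0, 1, 7, 8, 9, 5, 6], [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
     [4, 0, 1, 2, 3, 9, 5, 6, 7, 8], [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
     [6, 5, 9, 8, 7, 1, 0, 4, 3, 2], [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
     [8, 7, 6, 5, 9, 3, 2, 1, 0, 4], [9, 8, 7, 6, 5, 4, 3, 2, 1, 0]]
# Inverse table inv: D[j][INV[j]] == 0 for every digit j.
INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9]
# Permutation table p: row i is (1 5 8 9 4 2 7 0)(3 6) applied i times, i = 0..7.
P = [[0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
     [5, 8, 0, 3, 7, 9, 6, 1, 4, 2], [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
     [9, 4, 5, 3, 1, 2, 6, 8, 7, 0], [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
     [2, 7, 9, 3, 8, 0, 6, 4, 1, 5], [7, 0, 4, 6, 9, 1, 3, 2, 5, 8]]

def verhoeff_checksum(number: str) -> int:
    """Steps 1-3: c = d(c, p(i mod 8, n_i)) over the digits read right to left."""
    c = 0
    for i, ch in enumerate(reversed(number)):
        c = D[c][P[i % 8][int(ch)]]
    return c

def verhoeff_check_digit(payload: str) -> int:
    """Append a zero, run the checksum and take inv(c) as the check digit."""
    return INV[verhoeff_checksum(payload + "0")]

def verhoeff_valid(number: str) -> bool:
    return verhoeff_checksum(number) == 0

def luhn_sum(number: str) -> int:
    """Steps 2-5: double every second digit from the right, fold 14 -> 1 + 4, add up."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        n = int(ch)
        if i % 2 == 1:                  # positions n-1, n-3, ... (rightmost digit is n)
            n = n * 2 - 9 if n > 4 else n * 2   # 2n - 9 equals the digit sum of 2n
        total += n
    return total

def luhn_valid(number: str) -> bool:
    return luhn_sum(number) % 10 == 0

def luhn_check_digit(payload: str) -> int:
    return (10 - luhn_sum(payload + "0") % 10) % 10

def swap_adjacent(number: str, i: int) -> str:
    """Transpose the digits at positions i and i+1, the error class both codes target."""
    return number[:i] + number[i + 1] + number[i] + number[i + 2:]

if __name__ == "__main__":
    print(verhoeff_check_digit("236"), verhoeff_valid("2363"), luhn_valid("5397373822153004"))
    # Constructed payload 7809: Luhn accepts the 09 <-> 90 transposition, Verhoeff rejects it.
    v, l = "7809" + str(verhoeff_check_digit("7809")), "7809" + str(luhn_check_digit("7809"))
    print(verhoeff_valid(swap_adjacent(v, 2)), luhn_valid(swap_adjacent(l, 2)))
    # Limitations 4 and 5: Luhn still accepts the number after its first two digits change
    # (MII 5 -> 4) and after it is cut to 13 digits with a fresh check digit.
    print(luhn_valid("4697373822153004"), luhn_valid("539737382215" + str(luhn_check_digit("539737382215"))))
```

The last print line exercises the two issuer-related weaknesses of the mod-10 check: it cannot tell the MII-5 number from its MII-4 variant, nor a 16-digit number from a 13-digit one carrying its own check digit.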
1. It is not intended to be a cryptographically secure hash function (it is not a one-way function): card numbers travel over a network in readable form, which enables anyone to look into the network and illegally use the customer's details.
2. It is not protected against malicious attacks. As the information flows in readable form, it is easy for an attacker to collect the information passing through.
3. It cannot detect the transposition of a particular two-digit sequence, i.e., <first-valid-character><last-valid-character> to <last-valid-character><first-valid-character> (or vice versa).
4. It fails to distinguish credit cards from one another (i.e., Master Card, VISA, etc.) [12]. For example, as shown in Figure 2, the first two digits of a Master Card number are altered such that the overall checksum remains the same, but the result validates as a VISA card, as shown in Figure 3.

Figure 2: Master Card number
Figure 3: After altering the first two digits of the card number

5. It fails to determine the length of the credit card number [12]. For example, as shown in Figure 4, a 16-digit card number validates as a Master Card; after trimming the last three digits it becomes a 13-digit number, as shown in Figure 5, but it still validates without any error.

Figure 4: Before trimming the card number
Figure 5: After trimming the last three digits of the card number

C. TYPES OF CREDIT CARD FRAUDS

Credit cards have become an important means of payment, both online and for traditional payments. This increases the chance of fraud occurring [13]. Though the reported incidents are limited to only 0.1% of all transactions, they cause a big loss, as fraudulent transactions have tended to be of large value [14]. As technology advances day by day, so does the level of fraudsters' activity. Some of the commonly occurring frauds [15] that have been reported [16] are:

Application Fraud: When users apply for a credit card, they present their personal credentials at the time the card is issued. This information may include details such as landline number, communication address and email address. Application fraud can be committed using these details. There are three common ways of committing application fraud:
1. Assumed Identity: A fraudster illegally obtains the credentials of a legitimate individual and enjoys services using partially legitimate information.
2. Financial Fraud: An individual provides false information about his or her financial status in order to illegally acquire credit.
3. Postal Intercept Fraud: The card is stolen from the postal service before it reaches its owner's address.

Lost or Stolen Cards: A legitimate individual misplaces his or her card through absent-mindedness, or someone steals it for criminal purposes. This is the easiest way of getting hold of an individual's credit card.

Fake or Counterfeit Cards: The design of counterfeit cards, together with lost or stolen cards, poses the greatest threat among credit card frauds. To design a false or counterfeit card, a fraudster can tamper with the card by wiping the metallic magnetic stripe with a powerful electromagnet. He then tampers with the details on the card so that they match those of a genuine card: for example, when the fraudster presents the card at a terminal, the cashier swipes it several times before realising that the magnetic stripe does not work, and then enters the card details into the system manually. This technique is outmoded since the introduction of holograms and many other security features on the card.

Duplicate Site: Criminals are high-tech today, and they use technology purely for destructive purposes. They design a duplicate site that closely resembles the genuine site in order to obtain confidential data from the victim. Genuine users buy products, entering all their credit card information on the site, and are trapped; the criminals obtain all the details needed to access the card and are then ready to commit a criminal offence.

Skimming: Skimming is the theft of payment card information used in a legitimate transaction. The original data stored on the card's magnetic stripe is electronically transferred onto another card, which lets criminals read the cardholder's details illegally and use them in some other transaction. Skimming takes place without the consent of the cardholder and is thus very difficult to trace. The cardholder is unaware of the fraud until a statement arrives showing purchases they did not make.

Merchant Collusion: The merchant and/or their associated employees leak their customers' account details and/or personal information to the fraudster.

Triangulation: Someone operates from a website on which goods are displayed at heavy discounts. The deal looks appealing to customers, who place orders online providing true details such as name, communication address, mobile number and valid credit card details. Once the fraudster has enough information, he purchases other goods using the customer's credit card details.

BIN Fraud: Credit cards are produced within BIN ranges; issuing authorities or institutions do not generate card numbers randomly. In this case an attacker may obtain one genuine card number and generate several other valid card numbers simply by changing the last four digits using a generator. The expiry date of these cards would be the same as that of the acquired card. Thus the attacker has several cards with sufficient information to commit a criminal offence.

Tele Phishing: The attacker obtains a list of customer details, such as name, communication address and phone number, so as to make the customers feel they are talking to a trusted organization or institution about sensitive information such as credit card details or bank account numbers. Once trust is established, the customer gives all the information to the attacker and becomes a victim.

III. CONCLUSIONS

Internet miscreants of all sorts have banded together and form an explicit threat to the e-market. The existing Luhn validation algorithm, despite its popularity, suffers from a variety of weaknesses, as discussed in Section B, which hinder its functionality as well as the trust of its genuine users. Section C discussed some well-identified frauds that obstruct the normal functioning of the system through the mischievous or criminal activities of attackers targeting genuine customers. As technology advances, one cannot rule out the existence of other kinds of loopholes in these validation algorithms in future, with fraudsters coming up with new, enhanced techniques to breach security.
Governments and the different regulatory bodies should come together to perform risk assessments of credit card issuers on a regular basis in order to avoid such frauds. Awareness, in both the industry and the customer, will always be an advantage. This paper has shed light on various aspects of the flaws and frauds that obstruct payment card security, identified from previously existing instances. The available validation algorithms were discussed and their existing limitations explored in depth, with the aim of highlighting loopholes present in the system. Working on these boundaries helps to enhance the system and, in future, to design it to be more secure as well as trustworthy. We consider this study an initial step towards the safer use of credit cards. It also provides new directions and insight into the state of privacy and information security.

REFERENCES

[1] Credit Cards (http://en.wikipedia.org/wiki/Credit_card)
[2] ISO/IEC 7812-1:2006 Identification Card – Identification of Issuer (http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=39698)
[3] Credit Cards meaning (http://www.computersolving.com/computer-tipstricks/what-your-credit-card-numbers-mean/)
[4] Bank Card Number (http://en.wikipedia.org/wiki/Bank_card_number)
[5] Verhoeff algorithm (http://en.wikipedia.org/wiki/Verhoeff_algorithm)
[6] J. Verhoeff, Error Detecting Decimal Codes (Mathematical Centre Tracts, 29), ZAMM - Journal of Applied Mathematics and Mechanics, Volume 51, Issue 3, pages 240–241, 1971
[7] Salomon, David, Coding for Data and Computer Communications, Springer, p. 56, ISBN 0-387-21245-0
[8] Gallian, Joseph A. (2010), Contemporary Abstract Algebra (7th ed.), Brooks/Cole, p. 111, ISBN 978-0-547-16509-7 (https://books.google.co.in/books?id=CnH3mlOKpsMC&pg=PA111&lpg=PA111&dq=verhoeff+check+digit&source=bl&ots=nqn1LC4H3Z&sig=4CWKNR6vvesEGPRWUzeotpXZfA8&hl=en&ei=WNpXTsXdHLPSiAKm_LimCQ&sa=X&oi=book_result&ct=result#v=onepage&q=verhoeff%20check%20digit&f=false)
[9] U.S. Patent 2,950,048 (http://www.google.com/patents/US2950048), Computer for Verifying Numbers, Hans P. Luhn, August 23, 1960
[10] Luhn Algorithm (http://en.wikipedia.org/wiki/Luhn_algorithm)
[11] Anibrika, B. S. K. (2014), Validation of Credit Card Numbers Using the C# Programming Language, Africa Development and Resources Research Institute Journal, Ghana: Vol. 10, No. 10(2)
[12] Khalid Waleed Hussein, Nor Fazlida Mohd. Sani, Ramlan Mahmod, Mohd. Taufik Abdullah, Enhance Luhn Algorithm for Validation of Credit Card Numbers, IJCSMS, Vol. 2, Issue 7, July 2013, pp. 262-272, ISSN 2320-088X
[13] Credit Card Fraud (http://en.wikipedia.org/wiki/Credit_card_fraud)
[14] Hassibi, Khosrow (2000), Chapter 9, Detecting Payment Card Fraud with Neural Networks, in Business Applications of Neural Networks, Singapore-New Jersey-London-Hong Kong: World Scientific, ISBN 9789810240899
[15] Eswari, M., Navaneetha Krishnan, M., Survey on Various Types of Credit Card Fraud and Security Measures, IJARCSSE, Vol. 1, Issue 4, January 2014, ISSN: 2277 128X
[16] Tej Paul Bhatla, Vikram Prabhu, Amit Dua, Understanding Credit Card Frauds, Tata Consultancy Services Card Business Review 2003#01 (http://www.popcenter.org/problems/credit_card_fraud/pdfs/bhatla.pdf)