Internet Virtual Credit Card Model
Anshul Jain, Tarun Sharma
Indian Institute of Information Technology, Allahabad, India
{ajain1_b04, tsharma_b04}@iiita.ac.in

Abstract: Credit cards have become ubiquitous. They are highly vulnerable because all the information needed for a transaction is on the card itself, which is why the security of transactions is a major issue for credit card companies. Online transactions have made credit cards even more exposed to fraud. Many techniques have been proposed to make credit card transactions more secure than they used to be; these techniques prevent data from being sniffed or eavesdropped while it travels over the Internet. But what if someone copies the credit card information out of the immediate view of the card owner? In this paper we discuss credit cards, credit card numbers, and the models, schemes and protocols currently available to customers for online transactions. We propose a possible solution, the Internet Virtual Credit Card model, to overcome the drawbacks of the models already in use.

Key words: Internet Virtual Credit Card Number, CVV2, expiry date, acquiring bank, issuing bank.

1. Introduction

A credit card is a small plastic card [1] issued to the customers of specified systems. In the case of credit cards, the issuer lends money to the customer (the user). A credit card allows the consumer to 'revolve' the balance, at the cost of having interest charged. Most credit cards are the same shape and size, as specified by the ISO 7810 standard. The information, or credentials, needed to make a transaction with a credit card is on the card itself, which makes the card vulnerable to attack. A magnetic stripe on the card stores account information and validation data used for face-to-face transactions.

2. Credit Card Numbers

Credit card numbering is specified by ISO 7812 [2]. The maximum length of such a number is 19 digits. The first digit is the major industry identifier (MII), assigned as follows:

0: ISO/TC 68 and other industry assignments
1: Airlines
2: Airlines and other industry assignments
3: Travel and entertainment
4: Banking and financial
5: Banking and financial
6: Merchandising and banking
7: Petroleum
8: Telecommunications and other industry assignments
9: National assignment

The first six digits, including the major industry identifier, form the issuer identifier number (IIN), which identifies the issuing organization. The American Bankers Association is the registration authority for IINs.

Digits 7 to (n - 1) of a credit card number are the individual account identifier. Since the first 6 digits are the issuer identifier and the final digit is the check digit, the maximum length of the account identifier field is 19 - 7, or 12 digits. The final digit is a check digit, calculated with Luhn's algorithm [12]; it detects most single-digit typing errors but offers no protection against a deliberately constructed number, since anyone can compute it.

In addition to the main number, credit cards also carry issue and expiry dates (given to the nearest month) as well as extra codes such as issue numbers and security codes. These numbers are used alongside the main number to provide extra evidence that the card is probably genuine. The card security code, or CVV2 (card verification value 2), is computed by the issuing bank from the card number and expiry date under a secret key that only the issuer holds, so it can be verified only by the issuer and cannot be derived from the rest of the card data.

3. Overview of credit card forgeries through the Internet and losses
Credit card fraud is a kind of fraud in which a merchant (business, service provider, seller, etc.) is "tricked" into releasing merchandise or rendering services in the belief that a credit card account will pay for them. The merchant later learns that it will not be paid, or that the payment it received will be reclaimed by the card's issuing bank. Typically the fraudster causes another person's credit card to be charged for a purchase. Today, half of all credit card fraud is conducted online, meaning that fraudsters make online purchases with other people's card details. Using a stolen credit card number, a thief orders merchandise from a website and has it shipped to a fake or forwarding address, takes the merchandise and disappears with it. When the real cardholder realizes that he or she did not make the purchase, the cardholder calls the card issuer and requests a chargeback. The merchant then loses the money from the transaction in addition to the merchandise, which is not recovered. This is the most common type of credit card fraud.

There are many types of Internet fraud; this paper addresses the following, in which the card details leave the owner's control:

When a cardholder loses the card or has it stolen, the thief can make unauthorized purchases on that card until it is cancelled.

Credit card information may be stolen by a dishonest employee of a legitimate merchant, by manually copying down the numbers or by swiping the card through a pocket-sized magnetic stripe reader. Common scenarios are restaurants or bars, where the fraudster has possession of the victim's card out of the victim's immediate view. The fraudster will typically use a small keypad to unobtrusively transcribe the 3- or 4-digit card security code, which is not present on the magnetic stripe.

Another very common type of credit card forgery uses social engineering: the customer receives a link to a site that looks the same as the authorized site and enters credit card information there. The customer is then shown a message saying that the transaction was incomplete for some reason, while the information entered is stored and later used for fraud.

The loss due to online fraud in the US was $1,611.39 M in 2005, according to Celent Communications, via Lafferty Publications.

4. Related work
The first attempt at making online credit card transactions secure was to take the transaction off-line. Many sites let the buyer phone the credit card number to a customer support person. This avoids passing the card number over the Internet, but removes the merchant's ability to automate the purchasing process. The next method, which is currently used by many sites, is to host the site on a secure server, that is, one that uses a protocol such as SSL or S-HTTP to transmit data between the browser and the server. These protocols encrypt the data in transit, so a credit card number submitted through a web form reaches the server encrypted; they do nothing, however, to stop someone who already holds the card details from using them.

This section describes the three best-known systems for secure credit card transactions, from which the Internet Virtual Credit Card model draws: First Virtual, CyberCash and SET (Secure Electronic Transaction).

First Virtual

First Virtual [5] was the first successfully used model that made Internet transactions secure. Instead of credit card numbers, transactions use a First Virtual PIN that references the buyer's First Virtual account. These PINs can be sent over the Internet because, even if they are intercepted, they cannot be used to charge purchases to the buyer's account: an account is never charged without an e-mail from the buyer accepting the charge.

The payment system is built on existing Internet protocols, with its backbone designed around Internet e-mail and the MIME (Multipurpose Internet Mail Extensions) standard [3]. First Virtual uses e-mail to communicate with a buyer to confirm charges against the account. Sellers use e-mail, Telnet, or automated programs based on First Virtual's Simple MIME Exchange Protocol (SMXP) [5] to verify accounts and initiate payment transactions. To use this scheme, both customer and merchant must hold an account on First Virtual's server. First Virtual's model was one of the most successfully used models, but it is no longer in use.

CyberCash

CyberCash [4] provides safe passage over the Internet for credit card transaction data. It takes the data sent to it by the merchant and passes it to the merchant's acquiring bank for processing. Apart from dealing with the merchant through CyberCash's server, the acquiring bank processes the transaction as it would process one received from a point-of-sale (POS) terminal in a retail store. The CyberCash payment system is centered on the CyberCash Wallet software [4], which buyers use when making a purchase; it passes payment information, encrypted, between the buyer and the merchant.

SET

MasterCard and Visa developed SET [6] as a license-free protocol for credit card transactions over the Internet. SET is based on two earlier protocols, STT (Secure Transaction Technology) [7] and SEPP (Secure Electronic Payment Protocol) [8]. Secure Electronic Transaction is a system for ensuring the security of financial transactions on the Internet; it was initially supported by MasterCard, Visa, Microsoft, Netscape and others.

With SET, a user is given an electronic wallet (a digital certificate), and a transaction is conducted and verified using a combination of digital certificates and digital signatures among the purchaser, the merchant and the purchaser's bank, in a way that ensures privacy and confidentiality.

SET is independent of the transport protocol: its messages can be carried over SSL [9] or S-HTTP [10], but its guarantees do not depend on them, because the payment messages themselves are protected by SET's certificates and signatures. SET uses some, but not all, aspects of a public key infrastructure (PKI) [6]. Many other systems are also in operation, such as PayPal [11] and DigiCash.

Disadvantages:

Research has concentrated on making the online transmission of credit card data more and more secure through encryption and cryptographic protocols, but very little attention has been paid to securing the credit card number itself. There are techniques that protect the data on the magnetic stripe so that it cannot be read by a simple magnetic card reader. The unavoidable weakness is that a customer can transact without having the card physically present: only the details printed on it are needed. However secure these models make the transaction, if the card details are stolen without the owner's knowledge (section 3) they cannot stop fraud, because the fraudster can comfortably use the details at merchants that do not use any of these systems. These systems are highly secure but rarely used by customers and merchants. They secure the transaction over the Internet but cannot stop fraud when the card data is copied from the physical card or when the customer hands the details to the wrong party. The Internet Virtual Credit Card model can be used together with any of these models (First Virtual, CyberCash, PayPal, SET, etc.), and even if the physical card details are stolen it can still stop fraud over the Internet.

5. Internet Virtual Credit Card Model
This model is proposed to remove the disadvantage of the models above: the online use of stolen card details. Under the Internet Virtual Credit Card model, the issuing bank issues a credit card that is valid only for face-to-face transactions. Along with the card, the bank issues a login id and a password for the bank's secure website.

The customer uses this login id and password to log in to the bank's website and activate the card for phone and online transactions. After logging in, the customer is asked for the details printed on the card, to make sure that whoever logs in also possesses the card; a leaked id and password alone are therefore useless, just as the card details alone are useless without the password. If the customer is authenticated, an internet virtual credit card number is issued. The customer chooses an expiry date for this number anywhere between the current date and the expiry date of the physical card. A new CVV2, derived from the virtual card number and the chosen expiry date, is issued with it. These numbers can then be used for transactions where the card is not physically present. The chosen expiry date also works as a timer: customers who transact often can activate the virtual number for only a few days at a time, limiting the window in which stolen virtual details could be abused.
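The following is an added example, not code from the paper or its authors. It serves two passages: the card-number structure of section 2 (MII, IIN, account identifier, Luhn check digit) and the issuer-side procedure of section 5 (login plus proof of card possession, a virtual number with a customer-chosen expiry, a CVV2 tied to that expiry, authorization only inside the active window, deactivation). Everything issuer-specific is assumed: the IIN 411111, the key `CVK`, the random nine-digit account identifier, and the CVV2 derivation, which is an HMAC-SHA256 truncated to three digits standing in for the card scheme's real algorithm; it only shares the property the paper relies on, that the CVV2 changes when the expiry date changes.

```python
"""Added example: card-number structure (section 2) and an issuer-side model
of the Internet Virtual Credit Card (section 5). Hypothetical, not the
authors' implementation; constants and the CVV2 derivation are assumptions."""
import hashlib
import hmac
import secrets
from datetime import date

ISSUER_IIN = "411111"                     # assumed issuer identifier (MII 4: banking)
CVK = b"hypothetical issuer verification key"  # assumed secret held only by the issuer


def luhn_checksum(digits: str) -> int:
    """Luhn (mod 10) sum of a digit string; 0 means the number is valid."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10


def with_check_digit(partial: str) -> str:
    """Append the Luhn check digit that makes the whole number valid."""
    return partial + str((10 - luhn_checksum(partial + "0")) % 10)


def parse_card_number(number: str) -> dict:
    """Split a card number as ISO 7812 lays it out (maximum 19 digits)."""
    digits = "".join(c for c in number if c.isdigit())
    if not 8 <= len(digits) <= 19:
        raise ValueError("card number must be 8-19 digits")
    return {"mii": digits[0], "iin": digits[:6], "account": digits[6:-1],
            "check_digit": int(digits[-1]), "luhn_valid": luhn_checksum(digits) == 0}


def cvv2(pan: str, expiry: date) -> str:
    """Stand-in CVV2: HMAC over the number and expiry under the issuer key,
    reduced to three digits. Not the real scheme algorithm (assumption)."""
    mac = hmac.new(CVK, f"{pan}|{expiry:%y%m%d}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


class Account:
    """One cardholder record at the issuing bank."""

    def __init__(self, pan: str, card_expiry: date, password: str):
        self.pan, self.card_expiry, self.password = pan, card_expiry, password
        # One virtual number per card; it stays fixed, only its expiry changes.
        account_id = "".join(secrets.choice("0123456789") for _ in range(9))
        self.virtual_pan = with_check_digit(ISSUER_IIN + account_id)
        self.virtual_expiry = None      # None: virtual number not active

    def activate(self, password: str, pan: str, card_expiry: date,
                 until: date, today: date):
        """Login (password) plus proof of possession (printed card details);
        the customer picks an expiry between today and the card's own expiry."""
        ok = hmac.compare_digest(password.encode(), self.password.encode())
        if not (ok and pan == self.pan and card_expiry == self.card_expiry):
            raise PermissionError("login or card details do not match")
        if not today <= until <= self.card_expiry:
            raise ValueError("virtual expiry must lie between today and the card expiry")
        self.virtual_expiry = until
        return self.virtual_pan, until, cvv2(self.virtual_pan, until)

    def deactivate(self) -> None:
        """Customer suspects leakage: retire the virtual number at once."""
        self.virtual_expiry = None

    def authorize_online(self, pan: str, expiry: date, code: str, today: date) -> bool:
        """Card-not-present authorization. The physical card number is refused;
        the virtual number works only while active, with its current expiry
        and the CVV2 derived for that expiry."""
        if pan != self.virtual_pan or self.virtual_expiry is None:
            return False
        if expiry != self.virtual_expiry or today > self.virtual_expiry:
            return False
        return hmac.compare_digest(code, cvv2(pan, expiry))
```

The check in `authorize_online` compares the presented expiry against the currently active one, so a (number, expiry, CVV2) triple captured during an earlier activation is rejected after re-activation even though the virtual number itself is unchanged, which is the behaviour the text describes.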
If the credit card information is stolen, it cannot be used for online transactions. Even if the internet virtual credit card number and its CVV2 are somehow stolen and the customer is unaware of it, the numbers automatically become ineffective after the chosen expiry date, which bounds the loss. The internet virtual card number stays the same for a given credit card, but the CVV2 changes whenever the expiry date changes. So even if the virtual card details are stolen, they change the next time the internet card is activated. This reduces the probability of fraud.

The internet virtual credit card is not required for face-to-face transactions, and it may be retrieved at any time before the selected expiry date by logging in to the bank's website and providing the card information. If the information printed on the credit card is stolen, the fraudster cannot make Internet transactions with it, because the login id and password are required to retrieve the internet virtual credit card number and the CVV2 needed for online transactions. If the customer suspects that the credit card information has been given to an unauthentic site, the internet virtual card number can be deactivated immediately through the website or by phone, preventing any fraud. This model therefore protects against fraud in the case where only the card information, and not the card itself, is stolen; misuse of an active virtual number within its window is limited by the chosen expiry rather than prevented outright.

6. Advantages

To make this model more secure, it can be integrated with any of the other models in use, since on the Internet the internet virtual card number is as good as the actual card number. The expiry date serves as a timer for customers who are particularly careful about Internet transactions.

References:

[1] ISO 7810, Identification cards - Physical characteristics. Documentation available on the World Wide Web.
[2] ISO 7812, Identification cards - Identification of issuers. Documentation available on the World Wide Web.
[3] N. Borenstein and N. Freed, RFC 1521, MIME (Multipurpose Internet Mail Extensions).
[4] D. Eastlake 3rd, B. Boesch, S. Crocker and M. Yesil, RFC 1898, CyberCash Credit Card Protocol Version 0.8.
[5] First Virtual's documentation, available on the World Wide Web.
[6] SET documentation by Visa and MasterCard, available on the World Wide Web.
[7] Secure Transaction Technology (STT) documentation, proposed by Visa and Microsoft, available on the World Wide Web.
[8] SEPP (Secure Electronic Payment Protocol) documentation, available on the World Wide Web.
[9] Netscape's Secure Socket Layer documentation, and T. Dierks and C. Allen, RFC 2246, The TLS Protocol Version 1.0.
[10] E. Rescorla and A. Schiffman, RFC 2660, The Secure HyperText Transfer Protocol.
[11] PayPal documentation, available on the World Wide Web.
[12] Hans Peter Luhn, IBM, modulus 10 ("Luhn") check-digit algorithm.