
SECURITY ENHANCEMENT OF

CREDIT CARD ONLINE PURCHASING SYSTEM

BY

ANAS S. HOUSAIN

INTERNATIONAL ISLAMIC UNIVERSITY MALAYSIA

2010

ABSTRACT

Credit Cards have become one of the most successful elements in the business world.

The low security of online purchasing systems using credit cards presents countless opportunities for fraud. The current online purchasing system using credit cards has some security drawbacks; therefore, its security needs to be enhanced while taking into account cost, time and user-friendliness. An integrated authentication model of online purchasing using credit cards is proposed. A security enhancement is suggested in this work by implementing a prototype which integrates the current credit card authentication system with fingerprint authentication. Moreover, it is complemented by new techniques for validating and transmitting the fingerprint template, whereby the customer submits his/her credit card information through the Internet together with a file containing the fingerprint template and a validation code. This technique makes the model more secure and, at the same time, makes credit card fraud more difficult.

Credit card information, FP-TAC (Fingerprint Transaction Authorization Code) and fingerprint template are the main components of the prototype. The FP-TAC ensures that a scanned fingerprint template can be used only once and prevents the submission of old and expired templates. In addition, the BAC (Biometric and Authorization Code) file is presented in this work to increase the fingerprint template’s security; it has its own structure for storing the FP-TAC and fingerprint template, which is unknown to the attacker and known only to the matching program. This technique ensures that only the matching program is able to load the BAC file and extract the FP-TAC and fingerprint template.

The model is fast and reliable in extracting and matching the FP-TAC and, at the same time, it validates the received fingerprint template efficiently. Fingerprint verification provides the desired processing time and accuracy rate in terms of capturing and matching the fingerprint templates. The average processing time consumed by the model to match the data is 2.47 seconds, while the overall accuracy rate is 99.48% with a 0.52% error rate. Combining both credit card information and fingerprint authentication leads to a user-friendly, stronger and more secure online purchasing system while the cost and processing time remain within reasonable limits.

Evaluating the performance of the prototype shows very good potential that encourages the continuance of the investigations in this field.
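The FP-TAC and BAC file handling described in the abstract, as an added example (not code from the dissertation or its prototype): the server issues a short-lived FP-TAC, strictly parses the uploaded BAC file, and consumes the code on first use, so a replayed or expired file is rejected. The BAC byte layout, the 300-second lifetime, the size limit and all names (`pack_bac`, `parse_bac`, `TacStore`) are assumptions made for illustration; the real BAC structure is not given on this page.

```python
import hmac
import secrets
import struct
import time

# Assumed layout for illustration only (the dissertation does not publish it):
#   4-byte magic | 1-byte FP-TAC length | 2-byte template length | FP-TAC | template
MAGIC = b"BAC1"
HEADER = struct.Struct(">4sBH")
TAC_TTL_SECONDS = 300        # assumed validity window for an issued FP-TAC
MAX_TEMPLATE_BYTES = 4096    # assumed upper bound on a fingerprint template


def pack_bac(tac: bytes, template: bytes) -> bytes:
    """What the capturing program would write: header, FP-TAC, template."""
    return HEADER.pack(MAGIC, len(tac), len(template)) + tac + template


def parse_bac(blob: bytes):
    """Strictly parse an uploaded BAC file; raise ValueError on any anomaly."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    magic, tac_len, tpl_len = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if not 0 < tpl_len <= MAX_TEMPLATE_BYTES:
        raise ValueError("template length out of range")
    # Exact-length check: no trailing bytes and no short reads are tolerated.
    if len(blob) != HEADER.size + tac_len + tpl_len:
        raise ValueError("length mismatch")
    body = blob[HEADER.size:]
    return body[:tac_len], body[tac_len:]


class TacStore:
    """Server-side record of the single pending FP-TAC per card."""

    def __init__(self, ttl=TAC_TTL_SECONDS):
        self._ttl = ttl
        self._pending = {}  # card_id -> (tac, expires_at)

    def issue(self, card_id, now=None):
        """Generate a fresh random FP-TAC; any earlier pending code is replaced."""
        now = time.time() if now is None else now
        tac = secrets.token_hex(4).upper().encode("ascii")
        self._pending[card_id] = (tac, now + self._ttl)
        return tac

    def redeem(self, card_id, blob, now=None):
        """Return (status, template); template is None unless accepted."""
        now = time.time() if now is None else now
        try:
            tac, template = parse_bac(blob)
        except ValueError as exc:
            return f"rejected: malformed BAC file ({exc})", None
        record = self._pending.get(card_id)
        if record is None:
            return "rejected: no pending FP-TAC", None
        expected, expires_at = record
        if now > expires_at:
            del self._pending[card_id]
            return "rejected: FP-TAC expired", None
        # Constant-time comparison; attempt limiting is omitted in this example.
        if not hmac.compare_digest(tac, expected):
            return "rejected: FP-TAC mismatch", None
        # Consume the code before fingerprint matching so the same file
        # cannot be submitted a second time.
        del self._pending[card_id]
        return "accepted", template


if __name__ == "__main__":
    store = TacStore()
    code = store.issue("card-1")
    bac = pack_bac(code, b"\x01\x02\x03\x04")  # constructed stand-in template
    print(store.redeem("card-1", bac)[0])      # first submission
    print(store.redeem("card-1", bac)[0])      # replay of the same file
```

Only after `redeem` returns `accepted` would the extracted template be handed to the fingerprint matcher.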


APPROVAL PAGE

I certify that I have supervised and read this study and that in my opinion it conforms to acceptable standards of scholarly presentation and is fully adequate, in scope and quality, as a dissertation for the degree of Master of Science in Computer and Information Engineering.

...

Ahmed Wathik Naji Supervisor

...

Shihab Ahmed Hameed Co-Supervisor

I certify that I have read this study and that in my opinion it conforms to acceptable standards of scholarly presentation and is fully adequate, in scope and quality, as a dissertation for the degree of Master of Science in Computer and Information Engineering.

...

Aisha Hassan Abdalla Internal Examiner

...

Azween Abdullah External Examiner

This dissertation was submitted to the Department of Electrical and Computer Engineering and is accepted as a partial fulfilment of the requirements for the degree of Master of Science in Computer and Information Engineering.

...

Othman O. Khalifa

Head, Department of Electrical and Computer Engineering

This dissertation was submitted to the Kulliyyah of Engineering and is accepted as a partial fulfilment of the requirements for the degree of Master of Science in Computer and Information Engineering.

...

Amir Akramin Shafie

Dean, Kulliyyah of Engineering


DECLARATION

I hereby declare that this dissertation is the result of my own investigations, except where otherwise stated. I also declare that it has not been previously or concurrently submitted as a whole for any other degrees at IIUM or other institutions.

Anas S. Housain

Signature ……… Date ………..


INTERNATIONAL ISLAMIC UNIVERSITY MALAYSIA

DECLARATION OF COPYRIGHT AND

AFFIRMATION OF FAIR USE OF UNPUBLISHED RESEARCH

Copyright © 2010 by Anas S Housain. All rights reserved.

SECURITY ENHANCEMENT OF CREDIT CARD ONLINE PURCHASING SYSTEM

No part of this unpublished research may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without prior written permission of the copyright holder except as provided below.

1. Any material contained in or derived from this unpublished research may only be used by others in their writing with due acknowledgement.

2. IIUM or its library will have the right to make and transmit copies (print or electronic) for institutional and academic purposes.

3. The IIUM library will have the right to make, store in retrieval system and supply copies of this unpublished research if requested by other universities and research libraries.

Affirmed by Anas S. Housain.

………. ………..

Signature Date


ACKNOWLEDGEMENTS

I would like to express my sincerest gratitude to my supervisor Dr. Ahmed Wathik Naji for giving me the opportunity to carry out this research work under his supervision, and would like to express my appreciation for his patience, support and guidance. I would also like to express my sincere thanks to my co-supervisor Dr. Shihab Ahmed Hameed for his support and valuable advice.

I would like to record my warmest appreciation to my parents; Prof. Sabah Al-Ajeeli and Prof. Hana’a Al-Fulfuli for their patience and continuous support throughout this time, their love and affection have made it possible for me to continue my studies up to this moment. Thanks are also due to siblings, family and friends for their support and love. I am very grateful to my friends Adham, Ahmed, Ammar A., Ammar S., Laith, Mazin, Rafal and Zaidoun who have accompanied me during this stage in my life and were more than brothers to me; their love and support has eased living and studying outside our beloved country Iraq. Special thanks go to Capt. Abbas Serhad for his encouragement and continuous support to complete my studies. Also thanks are due to my colleagues Bro. Mohammed Abdul Jawad and Bro. Waleed Dhman for the effective discussions we used to have throughout our studies.

Last but not least, I would like to thank ECE department, Faculty of Engineering and all IIUM staff whose direct and indirect support helped me to achieve my master’s degree. Special thanks go to the Malaysian people for their hospitality throughout my period of stay in their wonderful country.


To my beloved mother and father, for their love and support.

May Allah S.W.T shower His Mercy upon them always.

To my wonderful Moon, Sun and Sky

To my beloved friends and family.

TABLE OF CONTENTS

Abstract ... ii

Abstract in Arabic ... iii

Approval Page ... iv

Declaration Page ... v

Copyright Page ... vi

Acknowledgments ... vii

Dedication ... viii

List of Tables ... xii

List of Figures ... xiii

List of Abbreviations ... xv

CHAPTER 1: INTRODUCTION ... 1

1.1 Introduction ... 1

1.2 Background and Research Motivation ... 2

1.3 Problem Statement ... 5

1.4 Research Objectives ... 8

1.5 Research Methodology ... 9

1.6 Dissertation Outline ... 10

CHAPTER 2: LITERATURE REVIEW ... 11

2.1 Introduction ... 11

2.2 E-Payment and E-Shopping ... 11

2.3 Credit Card System ... 12

2.3.1 Card Specifications ... 12

2.3.1.1 Credit Card Numbers ... 13

2.3.1.2 Card Security Code ... 14

2.3.2 Credit Card Electronic Verification ... 15

2.3.3 Credit Card Security ... 15

2.4 Biometrics ... 16

2.4.1 Physiological Biometrics ... 16

2.4.1.1 Fingerprints ... 17

2.4.1.2 Iris ... 18

2.4.1.3 Facial Recognition ... 19

2.4.2 Behavioral Biometrics ... 20

2.4.2.1 Signature ... 21

2.4.2.2 Keystroke ... 21

2.4.2.3 Voice ... 22

2.4.3 Other Biometrics Areas ... 23

2.5 Fingerprints ... 25

2.5.1 Fingerprint Sensors ... 26

2.5.1.1 Optical Sensors ... 27

2.5.1.2 Capacitive Sensors ... 28


2.5.1.3 Ultra-Sound Sensors ... 29

2.5.1.4 Thermal Sensors ... 29

2.6 Questionnaire ... 30

2.7 Literature Review ... 35

2.7.1 Identification and Fraud Prevention ... 36

2.7.2 Protocols ... 41

2.7.3 Biometrics ... 42

2.8 Summary ... 46

CHAPTER 3: DESIGN OF THE INTEGRATED AUTHENTICATION MODEL ... 48

3.1 Introduction ... 48

3.2 Proposed Integrated Authentication Model ... 48

3.2.1 Model Components and Diagram ... 49

3.2.2 Model’s Security Elements ... 52

3.2.2.1 Fingerprint Transaction Authorization Code ... 52

3.2.2.2 Biometrics and Authorization Code File ... 53

3.2.3 Main Structure And Function ... 54

3.2.3.1 Registering the user (Registration Part) ... 54

3.2.3.2 Requesting and Generating the FP-TAC (Verification Part) ... 57

3.2.3.3 Filling the Form and Selecting the Finger (Verification Part) ... 58

3.2.3.4 Scanning the Fingerprint (Capturing Part) ... 58

3.2.3.5 Submitting and Uploading the Data (Verification Part) ... 59

3.2.3.6 Establishing a Connection with Database (Verification Part) .... 59

3.2.3.7 Matching Data (Verification Part) ... 59

3.2.4 Model Design ... 61

3.2.4.1 Registration ... 61

3.2.4.2 Capturing and Verification ... 64

3.3 Summary ... 65

CHAPTER 4: IMPLEMENTATION AND RESULT ... 66

4.1 Introduction ... 66

4.2 Prototype ... 67

4.2.1 Main Structure ... 67

4.2.2 Prototype Components ... 67

4.2.3 Prototype Design ... 68

4.3 Implementation Environment ... 69

4.4 Prototype Implementation ... 71

4.4.1 Fingerprint Programs ... 71

4.4.1.1 Enrollment Program ... 71

4.4.1.2 Capturing Program ... 73

4.4.1.3 Matching Program ... 75

4.4.2 Web Pages ... 75

4.4.2.1 Home Page ... 76


4.4.2.2 Processing Page ... 78

4.4.2.3 Transaction Status Page ... 79

4.4.2.4 Error Pages ... 80

4.4.3 Database ... 82

4.5 Model Testing ... 84

4.5.1 Registration and Enrollment ... 85

4.5.2 Correct Data ... 86

4.5.3 False Data ... 89

4.5.3.1 File Upload’s Error Experiment (Case One) ... 89

4.5.3.2 CC Information’s Error Experiment (Case Two) ... 90

4.5.3.3 FP-TAC’s Error Experiment (Case Three) ... 90

4.5.3.4 Fingerprint Matching’s Error Experiment (Case Four) ... 92

4.6 Result Analysis ... 92

4.6.1 Correct Data Results ... 93

4.6.2 False Data Results ... 94

4.6.2.1 File Upload’s Error Experiment Results ... 94

4.6.2.2 CC Information’s Error Experiment Results ... 94

4.6.2.3 FP-TAC’s Error Experiment Results ... 95

4.6.2.4 Fingerprint Matching’s Error Experiment Results ... 96

4.6.3 Processing Time ... 97

4.7 Result Discussion ... 97

4.8 Summary ... 100

CHAPTER 5: CONCLUSIONS AND FUTURE WORK ... 101

5.1 Conclusion ... 101

5.2 Limitations ... 104

5.3 Future Work ... 105

BIBLIOGRAPHY ... 107

APPENDIX I: Questionnaire Sample Paper ... 112


LIST OF TABLES

Table No. Page No.

1.1 Online credit card fraud losses ... 5

2.1 Advantages and disadvantages of several biometrics types ... 24

2.2 Questionnaire results ... 31

2.3 Critical review summary ... 45

4.1 Model’s results with correct data ... 93

4.2 File Upload’s Error results ... 94

4.3 Information’s Error Results ... 95

4.4 FP-TAC’s Error results ... 96

4.5 Fingerprint Matching’s Error results ... 96

4.6 Results analysis ... 98

4.7 Subjective comparison ... 99

4.8 Objective comparison ... 100


LIST OF FIGURES

Figure No. Page No.

1.1 Fingerprint image ... 4

1.2 Snap shot for the current credit card online payment page ... 6

1.3 Valuable information as available on credit card ... 7

1.4 Snap shot for how to find the security code link ... 7

2.1 Fingerprint categories ... 17

2.2 Iris scanner looking for unique identifiers ... 19

2.3 Facial features detection... 20

2.4 Assorted commercial live-scan fingerprint readers ... 27

2.5 General schematic for an FTIR based optical sensor ... 28

2.6 A capacitive sensor schematic ... 28

2.7 Thermal fingerprint sensor ... 30

2.8 Using the credit card in online purchasing ... 31

2.9 Losing money through credit card fraud ... 32

2.10 Satisfaction with security of online purchasing ... 33

2.11 The need for security enhancement ... 33

2.12 Biometrics types’ acceptance rates ... 34

2.13 Supporting the proposed model ... 35

3.1 Model’s diagram ... 50

3.2 Input components ... 50

3.3 The BAC file’s structure ... 54

3.4 The proposed scheme ... 55

3.5 Customer’s fingerprint enrollment ... 56


3.6 Verification Part ... 57

3.7 Part two of verification stage ... 61

3.8 Registration’s part flow chart ... 62

3.9 Capturing and verification flowchart ... 63

4.1 Prototype components ... 68

4.2 Implementation Prototype design ... 69

4.3 UPEK fingerprint reader ... 70

4.4 Fingerprint template quality check ... 72

4.5 FP-TAC entering ... 73

4.6 Capturing program ... 74

4.7 Home page ... 76

4.8 Transaction Status page ... 80

4.9 Database table ... 83

4.10 Enrollment program ... 85

4.11 Fingerprint templates are ready to be enrolled ... 86

4.12 Adding and enrolling the customer’s data into database ... 86

4.13 Home page is ready to be filled ... 87

4.14 User enters the right FP-TAC and scans the correct finger ... 88

4.15 Filled home page with selected BAC file ... 88

4.16 Model approves the transaction ... 89

4.17 Uploading Error page ... 90

4.18 Information error scenarios ... 91

4.19 Template Expiration Error page ... 92

4.20 Fingerprint matching error ... 93

LIST OF ABBREVIATIONS

ATM Automated Teller Machine
B2B Business to Business
B2C Business to Consumer
BAC Biometric and Authorization Code
BIR Biometric Identification Record
CC Credit Card
CCD Charge-Coupled Device
CCID Credit Card Identification
CCT Credit Card Transaction Number
CCV Card Code Verification
CID Card Identification
CSC Card Security Code
CVC Card Verification Code
CVV Card Verification Value
CVVC Card Verification Value Code
DES Data Encryption Standard
e-ID Electronic Identification
EISC Electronic Internet Shopping Card
FAR False Acceptance Rate
FP Fingerprint
FP-TAC Fingerprint Transaction Authorization Code
FRR False Rejection Rate
FTIR Frustrated Total Internal Reflection
IAM Integrated Authentication Model
ID Identification
IEC International Electrotechnical Commission
IIN Issuer Identification Number
ISO International Organization for Standardization
KB Kilobyte
MII Major Industry Identifier
NCCPS Notified Credit Card Payment System
PIN Personal Identification Number
PKI Public Key Infrastructure
POS Point of Sale
RFID Radio Frequency Identification
RSA Rivest-Shamir-Adleman
SDK Software Development Kit
S-HTTP Secure Hyper Text Transfer Protocol
SIM Subscriber Identification Module
SMS Short Message Services
SOM Self Organization Map
SQL Structured Query Language
SSL Secure Sockets Layer
S-TTD Semi Trusted protocol
USB Universal Serial Bus

CHAPTER ONE INTRODUCTION

1.1 INTRODUCTION

During the past two decades, the E-world has witnessed vast and tremendous improvements that have proved its crucial importance in making the world smaller and easier to live in. It is much easier and more convenient today to use E-mail instead of mail, E-business instead of business, E-forms instead of physical forms, and so on, hence the dramatic growth in the number of Internet users.

Nevertheless, E-piracy has accompanied this development and become the number one threat in E-technology: in any online E-shopping transaction, thieves try to fake other persons’ identities to gain illegal advantages. This creates an urgent need for better means of identity verification for safe transactions.

The current authentication system for online purchasing using the credit card is based on information located on the credit card (CC) (Sahut, 2008). That information provides a certain level of security, but not as high a level as is needed for this type of online money transaction. Also, that information is exposed to loss and theft. For those reasons, a strong authentication system is needed to enhance the security of online purchasing.

This chapter aims to present a briefing on credit card online purchasing and its security drawbacks. In addition, the chapter presents the research problem statement and how the lack of online credit card purchasing security is affecting E-commerce. Also in this chapter, the research objectives are listed and a research methodology to achieve those objectives is presented. Finally, to introduce the content of the next chapters, a dissertation outline is presented.

1.2 BACKGROUND AND RESEARCH MOTIVATION

Credit Cards have become one of the most successful elements in the business world.

There is no doubt that the credit card plays a big role in the rapid growth of E-commerce (Aldrich, 2008). Using a credit card in online purchasing means there is no physical paper in use, such as cash or cheques. Customers simply browse the merchant’s website and choose their preferred goods. After one click, they need to type their credit card number and other information on the payment form and wait for their purchase to be shipped to them. The only thing that needs to be passed between customer and merchant is the credit card number and other information such as the cardholder's name, credit card expiry date, etc. (Radu, 2003).

It is not as simple as it sounds, as many people have logical fears about passing their credit card information through the Internet. It is an open network and has limited security features built in; therefore, data travels between the customer and the other side insecurely (Sahut, 2008). Due to these fears, many techniques have been developed to make online purchasing more secure and trustworthy.

The customer identity is another crucial issue in online purchasing. This issue is important for both customers and merchants. Customers will ensure that no one else can use their credit card. On the other hand, merchants will ensure that the purchasing process was made by an authorized customer and it protects them from the customer’s denial of service. There are many authentication methods but all are based on information either found on customers’ credit cards or saved in their minds (Oppliger, 2003). Those methods are not safe enough, since so many people share their secret information with others such as a family member or a close friend. Also, this information is exposed to loss by losing the credit card or forgetting that information.

The online purchasing needs a strong authentication system to handle the security issues. The strongest authentication systems are based on biometrics (Woodward, Orlans, & Higgins, 2003). Biometric authentication is based on something you are. It can provide a high level of authentication and ensure the person’s identity. Integrating the credit card online purchasing system with biometrics will ensure that no one can use the credit card except the authorized customer. This will protect both customers and merchants from credit card fraud and denial of service.

Biometrics is a technology which identifies a person based on his/her physiological or behavioural characteristics. It relies on "something which you are" to make a personal identification, and therefore we can inherently differentiate between an authorized person and a fraudulent impostor (Biometrics, 2006). Recently, biometrics technology has received a great deal of attention. The main biometric identifiers currently available are fingerprint, iris, facial image, signature and voice (Jain, Flynn, & Ross, 2008). Among those types, the fingerprint is the widely used biometric, with low to medium cost and medium to high accuracy (Woodward et al., 2003).

Fingerprints are imprints or impressions of patterns formed by friction ridges of the skin in the fingers and thumbs, as shown in Figure 1.1. These friction ridges flow in a certain direction and form a unique pattern on a fingerprint, so that each human being can be positively identified through the comparison of fingerprints (Cowger, 1983). Fingerprinting also fulfils the permanence characteristic, where the pattern of a person’s print will not change as time goes by. A biometric system based on fingerprints generally performs the following three modes (operations) (Cappelli, 2000):

• Classification Mode.

• Identification Mode.

• Verification / Authentication Mode.

A classification mode automatically classifies the input fingerprint according to its pattern class (Zhang, 2002). The classification mode is very important because if the input fingerprint is misclassified, it will definitely not be identified (Meltem, 1997).

Figure 1.1: Fingerprint image.

An identification mode identifies the inputted fingerprint by searching the particular class (which has been selected by the classification mode) of the database for a match (Isenor, 1986). It is a one-to-many comparison which matches the inputted fingerprint of a person against a given database to establish the identity of the person. Its goal is to determine whether the person is present in the database or not and then establish the identity of the person according to retrieved results.

A verification mode authenticates a person's identity by comparing the captured fingerprint with his/her own fingerprint template stored in the system (Asker, 2000). It is a one-to-one comparison to determine whether the inputted fingerprint and stored fingerprint template are the same or not.

1.3 PROBLEM STATEMENT

The low security of online purchasing systems using credit cards presents countless opportunities for fraud. These opportunities have created a huge black market in stolen credit card numbers, which are generally used quickly before the cards are reported stolen. That is why credit card online purchasing losses have reached very high rates, as shown in Table 1.1, based on Javelin Strategy and Research financial statistics (Strategy). In 2009, the losses reached 1.83 billion US Dollars due to credit card online fraud around the world.

Table 1.1: Online credit card fraud losses

Year | 2006 | 2007 | 2008 | 2009
Losses in US Dollar | 0.99 billion | 1.03 billion | 1.35 billion | 1.83 billion

Most internet fraud is done through the use of stolen credit card information which is obtained in many ways, the simplest being copying information from retailers, either online or offline. To carry out credit card online purchasing, the customer is requested to submit some valuable information to approve the transaction.

As shown in Figure 1.2, the requested information are 1-CC type, 2-card number, 3- card security code, 4-expiry date, 5-cardholder’s name and 6-issuing bank’s name.


The problem is, all that valuable information is located on the physical credit card as shown in Figure 1.3. Added to that, the security code which the online authentication system is relying on is also located on the card. In addition, the payment page provides a link to explain how to find that security code on the credit card, so any amateur can perform online credit card payment easily and without any difficulties (Figure 1.4). In addition, so many people are sharing their valuable information with friends and family or saving them on personal computers or smart phones.

Consequently, the illegal use of credit card in online purchasing is increased since the verification process asks for that information only.

Figure 1.2: Snap shot for the current credit card online payment page ("Online-Papers,").

Figure 1.3: Valuable information as available on credit card ("Money and Matter,").

Figure 1.4: Snap shot for how to find the security code link ("Online-Papers,").

On the other hand, increasing the authentication components in any system may cause too much delay and increase the processing time. Moreover, more authentication components make the purchasing process more complicated and affect the user acceptability of the system. On 22nd of April 2010, AmBank launched 3D Secure, which is a security feature provided by VISA/MasterCard to enhance the security of online payment based on a fixed password ("AmBank Group," 2010). As mentioned before, it is not a good solution, since many people share their passwords with others or store them on their computers and smart phones. AmBank’s step proves that credit card online purchasing security is lagging behind and needs a lot of effort to improve and enhance it. Hence, including a biometric-based verification system could highly improve the level of security of online credit card purchasing.

The following points summarize the CC online purchasing problems:

• The current security algorithm of credit card online purchasing is not sufficient to deal with the wide fraud operations acting on credit cards.

• Adding any verification component makes online purchasing uncomfortable for the customer and increases the processing time.

• Transferring sensitive information through the Internet is vulnerable to attacks and hence, it needs a proper solution to overcome those attacks and limit their effects.

1.4 RESEARCH OBJECTIVES

This research aims to enhance the security of credit card online purchasing through incorporating fingerprint authentication with the current authentication scheme to achieve a foolproof authentication system. There are several goals that need to be achieved at the end of completion of this research:
