Preventing Credit Card Fraud in ECommerce Using the

Preventing Credit Card Fraud in E-Commerce Using the Geo-location, Credit Card Number and Type Validations and Address Verification Service Techniques

A Thesis submitted to King Abdul Aziz University, in partial fulfillment of the requirements for the degree of Master of science in Computer Science.

Agenda 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Introduction Objectives Geo-location Technique Credit Card Number Validation Credit Card Type Validation Address Verification Service (AVS) Implementation Model Conclusion Future Work Acknowledgement

Introduction n Since 1995, online credit card fraud has increased by 369%. In 2001, 61. 8$ billion were spent on online sales, 1. 4% of it (about 700, 000$) was lost to fraud. 1 History of Online Fraud o Use of Famous Names o Credit Card Generators o Order Hijacking o 1998 – Dummy Websites o Consumer Accounts o 2000 – Online Gangs and Fraud Rings 1 Credit Card Fraud Prevention using. NET Framework in C# or VB. NET, by Ivy Tang January 16, 2006

The True Cost of Fraud

Objectives n n 1 2 3 Understand the scope of e-commerce crime and security problems. Reduce online credit card fraud. Investigate and identify the techniques used for preventing online credit card fraud Design card fraud model 2. 1 Locating site (Detecting) 2. 2 Validate card number 2. 3 Validate card type 2. 4 AVS Implement card fraud model 3. 1 Locating site (Detecting) 3. 2 Validate card number 3. 3 Validate card type 3. 4 AVS

Geo-location Technique

Geo-location Technique n Introduction o According to Cyber Source, e-retail merchants have lost over 2. 6$ billion dollars to online payment fraud, and this loss will increase by 37% in the year 2007. o Geo-location Service was found in January 2000 by Quova, Inc. , which is a solution for online fraud.

Geo-location Technique n What is Geo-location ? A web geography technology that instantly determines an online customer’s geographic location- from country level down to city precision. n Geo-location Benefits 1 - Effectiveness 2 - Fraud Detection 3 - Digital Rights Management 4 - Regulatory Compliance

Geo-location Technique n Applications that uses Geo-location Technique: 1 - Financial Services 2 - E-Commerce 3 - Government 4 - Media Distribution a- Live Sports Web Casts b- Digital Movies c- Digital Music 5 - Online Gaming

Geo-location Technique n Geo-location Studies o The most recent study was done in 2004 by a leading provider of automated identity verification, called Lexis. Nexis Risk. Wise. o Lexis. Nexis Risk. Wise analyzed tens of thousands of online credit card purchase using the geo-location technology, and found that : o o o 75% of all fraudulent online orders originated outside the US. 97. 9% of all transactions originating in Africa were fraudulent. 74. 8% of all transactions originating in Asia (including Russia) were fraudulent.

Geo-location Technique n Geo-location Studies – (continued) o In over 85% of all fraudulent orders, the customer’s billing address did not match the state from which the order was actually placed, while only 28% of legitimate orders displayed a state-level mismatch. o Another study done by Experian have found that when the IP origination point of an online order is in a different state from the customer’s billing address, the transaction turns out to be fraudulent 68% of the time.

Geo-location Technique n Geo-location technique Types: 1 2 Quova Technique. IP 2 Location Technique.

Quova Technique n Quova’s Geo-location Architecture Overview 1 - Global Data Collection Network (DCN). 2 - Geo-Point Data Delivery Server (DDS). 3 - Closed Loop Methodolgy.

Quova Technique n Global Data Collection Network (DCN) o Largest IP geo-location data collection network in the world. Collects 1. 4 billion active IP addresses. There are 16 agents which are globally distributed around the world. o o

Quova Technique q Geo. Point Data Delivery Server (DDS) o Collected data are passed to the DDS, which allows integration of real-time geo-location information with any online web-based application. o Applications have access to the Geo. Point DDS geolocation information, to provide geo-location information about an IP address (Web visitor).

Quova Technique q Geo. Point Data Delivery Server (DDS)(Continued) o Each Geo. Point DDS contains a local copy of the IP geo-location data, which is automatically updated on a regular basis from the data center. o Geo. Point DDS automatically sends the received geol -location information back to Quova in order to improve the quality of Quova’s services and to enable additional research.

IP 2 Location Technique

Current Study in Geo-location

IP 2 Location Algorithm

IP 2 Location Technique n Algorithm Steps: 1 Detect IP Address. Convert IP Address to IP Number. Search by IP Number Credit Card Number validation. Credit Card Type Validation. AVS 2 3 4 5 6

IP 2 Location Database Format COULMN NUMBER COULMN DESCRIPTION 1 Beginning IP number 2 Ending IP number 3 Country Code (ISO 3166) (2 characters) 4 Full Country name 5 Region 6 City 7 Latitude 8 Longitude 9 Zip Code 10 ISP 11 Domain Name

IP 2 Location Database Example COULMN NUMBER COULMN DESCRIPTION COLUMN VALUES 1 Beginning IP number 67297944 2 Ending IP number 67297951 3 Country Code (ISO 3166) (2 characters) 4 Full Country name 5 Region 6 City 7 Latitude 33. 4905 8 Longitude 79. 2882 9 Zip Code 29440 10 ISP 11 Domain Name US UNITED STATES SOUTH CAROLINA GEORGETOWN CITY OF GEORGETOWN CITYOFGEORGETO WN. COM

IP 2 Location Database Specification FIELD # FIELD NAME DATA TYPE FIELD DESCRIPTION 1 IP_FROM NUMERICAL (DOUBLE) Beginning of IP address range. The data is represented in IP number format 2 IP_TO NUMERICAL (DOUBLE) Ending of IP address range. The data is represented in IP number format. 3 COUNTRY_CODE CHAR(2) Two-character country code based on ISO 3166. 4 COUNTRY_NAME VARCHAR(64) Country name based on ISO 3166 5 REGION VARCHAR(128) Region name 6 CITY VARCHAR(128) City name

IP 2 Location Database Specification FIELD # FIELD NAME DATA TYPE FIELD DESCRIPTION 7 LATITUDE NUMERICAL (DOUBLE) City latitude. Default to capital city latitude if city is unknown. 8 LONGITUDE NUMERICAL (DOUBLE) City longitude. Default to capital city longitude if city is unknown. 9 ZIPCODE CHAR(5) Five-digit ZIP codes for US cities only. 10 ISP_NAME VARCHAR(256) Internet Service Provider registered under the IP address range. 11 DOMAIN_NAME VARCHAR(128) Domain name assigned to Internet network.

Method of Converting IP Address into IP Number = (256)3 * W + (256)2 * X + 256 * Y + Z Where: W: the first block of numbers in the IP address. X: the second block of numbers in the IP address. Y: the third block of numbers in the IP address. Z: the forth block of numbers in the IP address.

Example of Converting IP Address into IP Number IP Address = 4. 2. 226. 135 IP Number = (256)3 * 4 + (256)2 * 2 + 256 * 226 + 135 = 67297927

Credit Card Number Validation

Credit Card Number Validation n Validation Algorithm o In order to validate and verify the credit card number, a special algorithm called (MOD 10 Check) or (LUHN Formula) is used. o The MOD 10 Check takes the provided credit card number from the customer and validates that the number is in the correct range and format to be a credit card number and it is the type of credit card the customer says it is.

Credit Card Number Validation o MOD 10 Check does not tell if the credit card number is active or not, just that it is in the correct format. o This test is used on websites to validate that the credit card submitted is a recognizable credit card number. o It helps preventing processing credit card authorizations on numbers that could not possibly be credit cards.

Credit Card Number Validation n Credit Card Number Validation Algorithm Step 1. Double the value of alternating digits, starting from the second to last digit of the credit card number. Step 2. Add the separate digits of the product from the previous step. Step 3. Add the uneffected digits of the credit card number. Step 4. Add the results from step 2 and step 3 and divide the total by 10, if the remainder was zero, then it’s a valid number

Credit Card Number Validation o Example Step 1: Starting with the second to last digit and moving left, Double the value of all alternating digits. For example: if we have a credit card with the following number 1234 5678 1234 5670. we will do the following: 1234 5678 1234 5670 7 x 2 = 14 5 x 2 = 10 3 x 2= 6 1 x 2= 2 7 x 2 = 14 5 x 2 = 10 3 x 2=6 1 x 2=2

Credit Card Number Validation Step 2: Add the separate digits of the products from step 1. (1+4) + (1+0) + (6) + (2) + (1+4) + (1+0) + (6) + (2) = 28 Step 3: Add all the unaffected digits (the digits that we did not double). 1234 5678 1234 5670 0 + 6 + 4 + 2 + 8 + 6 + 4 + 2 = 32 Step 4: Add the results from step 2 and step 3, and divide by 10. 28 + 32 = 60 If the result is divisible by 10, then the credit card number is valid.

Credit Card Number Validation n Sequence Diagram

Credit Card Type Validation

Credit Card Type Validation o o It verifies whether that the customer has provided the correct credit card type All Credit Cards have specific number length and numerical prefix. Card Type Prefix Number Length Master Card 51 -55 16 4 13 or 16 34 or 37 15 300 -305, 36, 38 14 en. Route 2014, 2149 15 Discover 6011 16 JCB 3 16 JCB 2131, 1800 15 VISA American Express Diners Club/Carte Blanche

Credit Card Type Validation n Credit Card Type Validation Algorithm

Credit Card Type Validation n Sequence Diagram

Credit Card Type and Number Validations n Model Activity Diagram