آلية آلية استخدام استخدامالجغرافي الجغرافي التواجد التواجد

التجارة التجارة في فيلمنع لمنع اإللكترونية اإللكترونية

في في االحتيال االحتيالاالئتمان االئتمان بطاقات بطاقات

Preventing Credit Card Preventing Credit Card Fraud in E-Commerce Fraud in E-Commerce

Using the Geo-location, Using the Geo-location, Credit Card Number and Credit Card Number and

Type Validations and Type Validations and Address Verification Service Address Verification Service

TechniquesTechniques

A Thesis submitted to King A Thesis submitted to King Abdul Aziz University, in partial Abdul Aziz University, in partial fulfillment of the requirements fulfillment of the requirements

for the degree of Master of for the degree of Master of science in Computer Science.science in Computer Science.

AgendaAgenda1.1. IntroductionIntroduction

2.2. ObjectivesObjectives

3.3. Geo-location TechniqueGeo-location Technique

4.4. Credit Card Number ValidationCredit Card Number Validation

5.5. Credit Card Type ValidationCredit Card Type Validation

6.6. Address Verification Service (AVS)Address Verification Service (AVS)

7.7. Implementation ModelImplementation Model

8.8. Conclusion Conclusion

9.9. Future WorkFuture Work

10.10. AcknowledgementAcknowledgement

IntroductionIntroduction Since 1995, online credit card fraud has Since 1995, online credit card fraud has

increased by 369%.increased by 369%. In 2001, 61.8$ billion were spent on online In 2001, 61.8$ billion were spent on online

sales, 1.4% of it (about 700,000,000$) was lost sales, 1.4% of it (about 700,000,000$) was lost to fraud.to fraud.11

History of Online FraudHistory of Online Fraudo Use of Famous NamesUse of Famous Nameso Credit Card GeneratorsCredit Card Generatorso Order HijackingOrder Hijackingo 1998 – Dummy Websites1998 – Dummy Websiteso Consumer AccountsConsumer Accountso 2000 – Online Gangs and Fraud Rings2000 – Online Gangs and Fraud Rings

1 1 Credit Card Fraud Prevention using .NET Framework in C# or VB.NET, Credit Card Fraud Prevention using .NET Framework in C# or VB.NET, by Ivy Tang January 16,2006by Ivy Tang January 16,2006

The True Cost of FraudThe True Cost of Fraud

ObjectivesObjectives Understand the scope of e-commerce crime Understand the scope of e-commerce crime

and security problems.and security problems. Reduce online credit card fraud.Reduce online credit card fraud.

1 Investigate and identify the techniques 1 Investigate and identify the techniques used for preventing online credit card used for preventing online credit card fraud fraud

2 Design card fraud model2 Design card fraud model 2.1 Locating site (Detecting)2.1 Locating site (Detecting) 2.2 Validate card number2.2 Validate card number 2.3 Validate card type2.3 Validate card type 2.4 AVS2.4 AVS3 Implement card fraud model 3 Implement card fraud model 3.1 Locating site (Detecting)3.1 Locating site (Detecting) 3.2 Validate card number3.2 Validate card number 3.3 Validate card type3.3 Validate card type 3.4 AVS3.4 AVS

Geo-location Geo-location TechniqueTechnique

Geo-location TechniqueGeo-location Technique

IntroductionIntroduction

o According to Cyber Source, e-retail merchants According to Cyber Source, e-retail merchants have lost over 2.6$ billion dollars to online have lost over 2.6$ billion dollars to online payment fraud, and this loss will increase by payment fraud, and this loss will increase by 37% in the year 2007.37% in the year 2007.

o Geo-location Service was found in January Geo-location Service was found in January 2000 by Quova, Inc., which is a solution for 2000 by Quova, Inc., which is a solution for online fraud.online fraud.

Geo-location TechniqueGeo-location Technique

What is Geo-location ?What is Geo-location ?A web geography technology that instantly A web geography technology that instantly

determines an online customer’s geographic determines an online customer’s geographic location- from country level down to city location- from country level down to city precision.precision.

Geo-location BenefitsGeo-location Benefits1- Effectiveness1- Effectiveness

2- Fraud Detection2- Fraud Detection

3- Digital Rights Management3- Digital Rights Management

4- Regulatory Compliance4- Regulatory Compliance

Geo-location TechniqueGeo-location Technique

Applications that uses Geo-location Applications that uses Geo-location Technique:Technique:1- Financial Services1- Financial Services

2- E-Commerce2- E-Commerce

3- Government3- Government

4- Media Distribution4- Media Distributiona- Live Sports Web Castsa- Live Sports Web Casts

b- Digital Moviesb- Digital Movies

c- Digital Musicc- Digital Music

5- Online Gaming5- Online Gaming

Geo-location TechniqueGeo-location Technique

Geo-location StudiesGeo-location Studieso The most recent study was done in 2004 by a The most recent study was done in 2004 by a

leading provider of automated identity verification, leading provider of automated identity verification, called LexisNexis RiskWise.called LexisNexis RiskWise.

o LexisNexis RiskWise analyzed tens of thousands of LexisNexis RiskWise analyzed tens of thousands of online credit card purchase using the geo-location online credit card purchase using the geo-location technology, and found that :technology, and found that :o 75% of all fraudulent online orders originated outside the 75% of all fraudulent online orders originated outside the

US.US.o 97.9% of all transactions originating in Africa were 97.9% of all transactions originating in Africa were

fraudulent.fraudulent.o 74.8% of all transactions originating in Asia (including 74.8% of all transactions originating in Asia (including

Russia) were fraudulent.Russia) were fraudulent.o 64.4% of all transactions routed via satellite were 64.4% of all transactions routed via satellite were

fraudulent.fraudulent.

Geo-location TechniqueGeo-location Technique

Geo-location Studies – (continued)Geo-location Studies – (continued)o In over 85% of all fraudulent orders, the In over 85% of all fraudulent orders, the

customer’s billing address did not match the customer’s billing address did not match the state from which the order was actually state from which the order was actually placed, while only 28% of legitimate orders placed, while only 28% of legitimate orders displayed a state-level mismatch.displayed a state-level mismatch.

o Another study done by Experian have found Another study done by Experian have found that when the IP origination point of an that when the IP origination point of an online order is in a different state from the online order is in a different state from the customer’s billing address, the transaction customer’s billing address, the transaction turns out to be fraudulent 68% of the time.turns out to be fraudulent 68% of the time.

Geo-location TechniqueGeo-location Technique

Geo-location technique Types:Geo-location technique Types:1 Quova Technique.1 Quova Technique.

2 IP2Location Technique.2 IP2Location Technique.

Quova TechniqueQuova Technique

Quova’s Geo-location Quova’s Geo-location Architecture OverviewArchitecture Overview

1- Global Data Collection Network (DCN).1- Global Data Collection Network (DCN).

2- Geo-Point Data Delivery Server (DDS).2- Geo-Point Data Delivery Server (DDS).

3- Closed Loop Methodolgy.3- Closed Loop Methodolgy.

Quova TechniqueQuova Technique

Global Data Collection Network Global Data Collection Network (DCN)(DCN)

o Largest IP geo-location data collection Largest IP geo-location data collection network in the world.network in the world.

o Collects 1.4 billion active IP addresses.Collects 1.4 billion active IP addresses.o There are 16 agents which are globally There are 16 agents which are globally

distributed around the world.distributed around the world.

Quova TechniqueQuova Technique

GeoPoint Data Delivery Server GeoPoint Data Delivery Server (DDS)(DDS)

o Collected data are passed to the DDS, which Collected data are passed to the DDS, which allows integration of real-time geo-location allows integration of real-time geo-location information with any online web-based information with any online web-based application.application.

o Applications have access to the GeoPoint DDS Applications have access to the GeoPoint DDS geo-location information, to provide geo-geo-location information, to provide geo-location information about an IP address location information about an IP address (Web visitor).(Web visitor).

Quova TechniqueQuova Technique

GeoPoint Data Delivery Server GeoPoint Data Delivery Server (DDS)-(Continued)(DDS)-(Continued)

o Each GeoPoint DDS contains a local copy of the Each GeoPoint DDS contains a local copy of the IP geo-location data, which is automatically IP geo-location data, which is automatically updated on a regular basis from the data updated on a regular basis from the data center.center.

o GeoPoint DDS automatically sends the received GeoPoint DDS automatically sends the received geol-location information back to Quova in geol-location information back to Quova in order to improve the quality of Quova’s services order to improve the quality of Quova’s services and to enable additional research.and to enable additional research.

IP2Location TechniqueIP2Location Technique

Current StudyCurrent Studyinin

Geo-location Geo-location

IP2Location AlgorithmIP2Location Algorithm

IP2Location TechniqueIP2Location Technique

Algorithm Steps:Algorithm Steps:

11 Detect IP Address.Detect IP Address.

22 Convert IP Address to IP Number.Convert IP Address to IP Number.

33 Search by IP NumberSearch by IP Number

44 Credit Card Number validation.Credit Card Number validation.

55 Credit Card Type Validation.Credit Card Type Validation.

66 AVSAVS

IP2Location Database IP2Location Database FormatFormat

COULMN NUMBER COULMN DESCRIPTION

1 Beginning IP number

2 Ending IP number

3 Country Code (ISO 3166) (2 characters)

4 Full Country name

5 Region

6 City

7 Latitude

8 Longitude

9 Zip Code

10 ISP

11 Domain Name

IP2Location Database IP2Location Database ExampleExample

COULMN NUMBER

COULMN DESCRIPTION COLUMN VALUES

1 Beginning IP number 67297944

2 Ending IP number 67297951

3 Country Code (ISO 3166) (2 characters) US

4 Full Country name UNITED STATES

5 Region SOUTH CAROLINA

6 City GEORGETOWN

7 Latitude 33.4905

8 Longitude 79.2882

9 Zip Code 29440

10 ISP CITY OF GEORGETOWN

11 Domain Name CITYOFGEORGETOWN.COM

IP2Location Database IP2Location Database SpecificationSpecification

FIELD # FIELD NAME DATA TYPE FIELD DESCRIPTION

1 IP_FROM NUMERICAL(DOUBLE)

Beginning of IP address range. The data is represented in IP number format

2 IP_TO NUMERICAL(DOUBLE)

Ending of IP address range. The data is represented in IP number format.

3 COUNTRY_CODE CHAR(2) Two-character country code based on ISO 3166.

4 COUNTRY_NAME VARCHAR(64) Country name based on ISO 3166

5 REGION VARCHAR(128) Region name

6 CITY VARCHAR(128) City name

FIELD # FIELD NAME DATA TYPE FIELD DESCRIPTION

7 LATITUDE NUMERICAL(DOUBLE)

City latitude. Default to capital city latitude if city is unknown.

8 LONGITUDE NUMERICAL(DOUBLE)

City longitude. Default to capital city longitude if city is unknown.

9 ZIPCODE CHAR(5) Five-digit ZIP codes for US cities only.

10 ISP_NAME VARCHAR(256) Internet Service Provider registered under the IP address range.

11 DOMAIN_NAME VARCHAR(128) Domain name assigned to Internet network.

IP2Location Database IP2Location Database SpecificationSpecification

Method of Converting IP Method of Converting IP Address into IP NumberAddress into IP Number

IP Number = (256)IP Number = (256)3 3 * W + (256)* W + (256)22 * X + 256 * Y + Z * X + 256 * Y + Z

Where: Where:

W: the first block of numbers in the IP address.W: the first block of numbers in the IP address.

X: the second block of numbers in the IP address.X: the second block of numbers in the IP address.

Y: the third block of numbers in the IP address.Y: the third block of numbers in the IP address.

Z: the forth block of numbers in the IP address.Z: the forth block of numbers in the IP address.

IP Address = 4.2.226.135IP Address = 4.2.226.135

IP Number = (256)IP Number = (256)3 3 * 4 + (256)* 4 + (256)22 * 2 + 256 * 226 * 2 + 256 * 226

+ 135 = 67297927+ 135 = 67297927

Example of Converting IP Example of Converting IP Address into IP NumberAddress into IP Number

Credit Card Credit Card Number Number

ValidationValidation

Credit Card Number Credit Card Number ValidationValidation

Validation AlgorithmValidation Algorithmo In order to validate and verify the credit In order to validate and verify the credit

card number, a special algorithm called card number, a special algorithm called (MOD 10 Check) or (LUHN Formula) is used.(MOD 10 Check) or (LUHN Formula) is used.

o The MOD 10 Check takes the provided The MOD 10 Check takes the provided credit card number from the customer and credit card number from the customer and validates that the number is in the correct validates that the number is in the correct range and format to be a credit card number range and format to be a credit card number and it is the type of credit card the customer and it is the type of credit card the customer says it is.says it is.

Credit Card Number Credit Card Number ValidationValidation

o MOD 10 Check does not tell if the credit MOD 10 Check does not tell if the credit card number is active or not, just that it is card number is active or not, just that it is in the correct format.in the correct format.

o This test is used on websites to validate This test is used on websites to validate that the credit card submitted is a that the credit card submitted is a recognizable credit card number.recognizable credit card number.

o It helps preventing processing credit card It helps preventing processing credit card authorizations on numbers that could not authorizations on numbers that could not possibly be credit cards.possibly be credit cards.

Credit Card Number Credit Card Number ValidationValidation

Credit Card Number Validation AlgorithmCredit Card Number Validation AlgorithmStep 1.Step 1. Double the value of alternating digits, Double the value of alternating digits,

starting from the second to last digit of the starting from the second to last digit of the credit card number.credit card number.

Step 2.Step 2. Add the separate digits of the product from Add the separate digits of the product from the previous step.the previous step.

Step 3.Step 3. Add the uneffected digits of the credit card Add the uneffected digits of the credit card number.number.

Step 4.Step 4. Add the results from step2 and step3 and Add the results from step2 and step3 and divide the total by 10, if the remainder was zero, divide the total by 10, if the remainder was zero, then it’s a valid number then it’s a valid number

Credit Card Number Credit Card Number ValidationValidation

o ExampleExampleStep1:Step1: Starting with the second to last digit Starting with the second to last digit

and moving left, Double the value of all and moving left, Double the value of all alternating digits.alternating digits.

For example: if we have a credit card with For example: if we have a credit card with the following number 1234 5678 1234 the following number 1234 5678 1234 5670. we will do the following:5670. we will do the following:

1234 5678 1234 56701234 5678 1234 56707 x 2 = 147 x 2 = 145 x 2 = 105 x 2 = 103 x 2 = 63 x 2 = 61 x 2 = 21 x 2 = 27 x 2 = 147 x 2 = 145 x 2 = 105 x 2 = 103 x 2 = 63 x 2 = 61 x 2 = 21 x 2 = 2

Credit Card Number Credit Card Number ValidationValidation

Step2:Step2: Add the separate digits of the products Add the separate digits of the products from step1.from step1.

(1+4) + (1+0) + (6) + (2) + (1+4) + (1+0) + (6) + (1+4) + (1+0) + (6) + (2) + (1+4) + (1+0) + (6) + (2) = 28 (2) = 28

Step3:Step3: Add all the unaffected digits (the digits Add all the unaffected digits (the digits that we did not double).that we did not double).

1234 5678 1234 56701234 5678 1234 5670

0 + 6 + 4 + 2 + 8 + 6 + 4 + 2 = 320 + 6 + 4 + 2 + 8 + 6 + 4 + 2 = 32

Step4:Step4: Add the results from step 2 and step3, and Add the results from step 2 and step3, and divide by 10.divide by 10.

28 + 32 = 6028 + 32 = 60

If the result is divisible by 10, then the credit card If the result is divisible by 10, then the credit card number is valid.number is valid.

Credit Card Number Credit Card Number ValidationValidation

Sequence DiagramSequence Diagram

Credit Card Credit Card Type Type

ValidationValidation

Credit Card Type Credit Card Type ValidationValidation

o It verifies whether that the customer has It verifies whether that the customer has provided the correct credit card typeprovided the correct credit card type

o All Credit Cards have specific number length All Credit Cards have specific number length and numerical prefix.and numerical prefix.

Card Type Prefix Number Length

Master Card 51-55 16

VISA 4 13 or 16

American Express 34 or 37 15

Diners Club/Carte Blanche 300-305, 36, 38 14

enRoute 2014, 2149 15

Discover 6011 16

JCB 3 16

JCB 2131, 1800 15

Credit Card Type Credit Card Type ValidationValidation

Credit Card Type Validation AlgorithmCredit Card Type Validation Algorithm

Credit Card Type Credit Card Type ValidationValidation

Sequence DiagramSequence Diagram

Credit Card Type and Credit Card Type and Number ValidationsNumber Validations

Model Activity DiagramModel Activity Diagram