Does the Online Card Payment Landscape Unwittingly Facilitate Fraud?

“…Such an unusual design for a payment protocols offers at least two opportunities for an attacker to obtain payment card details. Firstly, it is well-known for a contactless card that card number and expiry date could be skimmed from a distance with any NFC enabled device [24] [41] and in fact, in a single google play search, we located 38 freely available Android apps which could be used by an attacker to read the contactless payment cards. Another channel that an adversary can follow to obtain the card number details is from the merchants sales receipt from reader Point of Sale (POS) terminal.…”

“…It can be learned from a card number that customer account number fills nine spaces and therefore, the maximum number of possible active card numbers for a bank would be one less to 109 (a billion). An attacker starts after selecting target banks BIN (bank with a high number of customers would give high positives), randomly generates thousands of accounts number using Luhn's check algorithm [44] (or with automated bots as demonstrated in [41]) and makes transactions using the generated card numbers on online payment websites. When a transaction is made, a transaction authorization request is sent by the merchant to the card issuing bank.…”

“…Educating a user/attacker about the incorrect card data element. Having known that the VISA authorization network does not detect multiple invalid attempts when distributed across multiple payment gateways [41], attacker has countless attempts to guess expiry date and all the other card data required to make an online payment [41]. Using the AuthRes codes an attacker could easily be able to obtain card data fields for all Visa cards [41].…”

Consumer-facing technology fraud: Economics, attack methods and potential solutions

“…Such an unusual design for a payment protocols offers at least two opportunities for an attacker to obtain payment card details. Firstly, it is well-known for a contactless card that card number and expiry date could be skimmed from a distance with any NFC enabled device [24] [41] and in fact, in a single google play search, we located 38 freely available Android apps which could be used by an attacker to read the contactless payment cards. Another channel that an adversary can follow to obtain the card number details is from the merchants sales receipt from reader Point of Sale (POS) terminal.…”

“…It can be learned from a card number that customer account number fills nine spaces and therefore, the maximum number of possible active card numbers for a bank would be one less to 109 (a billion). An attacker starts after selecting target banks BIN (bank with a high number of customers would give high positives), randomly generates thousands of accounts number using Luhn's check algorithm [44] (or with automated bots as demonstrated in [41]) and makes transactions using the generated card numbers on online payment websites. When a transaction is made, a transaction authorization request is sent by the merchant to the card issuing bank.…”

“…Educating a user/attacker about the incorrect card data element. Having known that the VISA authorization network does not detect multiple invalid attempts when distributed across multiple payment gateways [41], attacker has countless attempts to guess expiry date and all the other card data required to make an online payment [41]. Using the AuthRes codes an attacker could easily be able to obtain card data fields for all Visa cards [41].…”

Consumer-facing technology fraud: Economics, attack methods and potential solutions

“…-4th Attack: in the case of small merchants, the mobile PoS is less secure than the professional PoS, because during a contact or an NFC purchase transaction, the merchant's smartphone receives the banking data from the mobile PoS without encryption: android's attackers can then retrieve the banking data [29] [30]. -5th Attack: recently, authors in [31] show an attack by brute force where it is possible to easily and quickly obtain the ExpDate and the security code using only the PAN. They carried out this attack first to obtain the ExpDate from the PAN as follows: by using a website that does not ask for the security code and does not block this type of brute force attack, they tested all possible combinations month/year taking into account 5 years as a maximum duration of validity (12 months * 5 years = 60 tests).…”

The EMV Payment System: Is It Reliable?

“…The increased convenience, though, comes with inherent security risks [1]. The cybercrime involving online payment services often has the characteristics of diversification, specialization, industrialization, concealment, scenario, and cross-region, which makes the security prevention and control of online payment extremely challenging [2]. There is an urgent need for realizing effective and comprehensive online payment fraud detection.…”

Representing Fine-Grained Co-Occurrences for Behavior-Based Fraud Detection in Online Payment Services