استخدام آلية التواجد الجغرافي في التجارة الإلكترونية لمنع الاحتيال في بطاقات الائتمان

Preventing Credit Card Fraud in E-Commerce Using the Geo-location, Credit Card Number and Type Validations and Address Verification Service Techniques By Rania Abdulrahman Molla

A Thesis submitted to King Abdul Aziz University, in partial fulfillment of the requirements for the degree of Master of science in Computer Science.

Agenda 1. Introduction 2. Objectives 3. Geo-location Technique 4. Credit Card Number Validation 5. Credit Card Type Validation 6. Address Verification Service (AVS) 7. Implementation Model 8. Conclusion 9. Future Work 10. Acknowledgment

Introduction Since 1995, online credit card fraud has increased by 369%. Since 1995, online credit card fraud has increased by 369%. In 2001, 61.8$ billion were spent on online sales, 1.4% of it (about 700,000,000$) was lost to fraud. 1 In 2001, 61.8$ billion were spent on online sales, 1.4% of it (about 700,000,000$) was lost to fraud. 1 History of Online Fraud History of Online Fraud o Use of Famous Names o Credit Card Generators o Order Hijacking o 1998 – Dummy Websites o Consumer Accounts o 2000 – Online Gangs and Fraud Rings 1 Credit Card Fraud Prevention using.NET Framework in C# or VB.NET, by Ivy Tang January 16,2006

The True Cost of Fraud

Objectives Reduce online credit card fraud. Reduce online credit card fraud. 1 Investigate and identify the techniques used for preventing online credit card fraud 2 Design card fraud model 2.1 Locating site (Detecting) 2.1 Locating site (Detecting) 2.2 Validate card number 2.2 Validate card number 2.3 Validate card type 2.3 Validate card type 2.4 AVS 2.4 AVS 3 Implement card fraud model 3.1 Locating site (Detecting) 3.1 Locating site (Detecting) 3.2 Validate card number 3.2 Validate card number 3.3 Validate card type 3.3 Validate card type 3.4 AVS 3.4 AVS

Geo-location Technique

Introduction Introduction o According to Cyber Source, e-retail merchants have lost over 2.6$ billion dollars to online payment fraud, and this loss will increase by 37% in the year o Geo-location Service was found in January 2000 by Quova, Inc., which is a solution for online fraud.

Geo-location Technique What is Geo-location ? What is Geo-location ? A web geography technology that instantly determines an online customers geographic location- from country level down to city precision. Geo-location Benefits Geo-location Benefits 1- Effectiveness 2- Fraud Detection 3- Digital Rights Management 4- Regulatory Compliance

Geo-location Technique Applications that uses Geo-location Technique: Applications that uses Geo-location Technique: 1- Financial Services 2- E-Commerce 3- Government 4- Media Distribution a- Live Sports Web Casts b- Digital Movies c- Digital Music 5- Online Gaming

Geo-location Technique Geo-location Studies Geo-location Studies o The most recent study was done in 2004 by a leading provider of automated identity verification, called LexisNexis RiskWise. o LexisNexis RiskWise analyzed tens of thousands of online credit card purchase using the geo-location technology, and found that : o 75% of all fraudulent online orders originated outside the US. o 97.9% of all transactions originating in Africa were fraudulent. o 74.8% of all transactions originating in Asia (including Russia) were fraudulent. o 64.4% of all transactions routed via satellite were fraudulent.

Geo-location Technique Geo-location Studies – (continued) Geo-location Studies – (continued) o In over 85% of all fraudulent orders, the customers billing address did not match the state from which the order was actually placed, while only 28% of legitimate orders displayed a state-level mismatch. o Another study done by Experian have found that when the IP origination point of an online order is in a different state from the customers billing address, the transaction turns out to be fraudulent 68% of the time.

Geo-location Technique Geo-location technique Types: Geo-location technique Types: 1 Quova Technique. 2 IP2Location Technique. 3 Other..

Quova Technique Quovas Geo-location Architecture Overview Quovas Geo-location Architecture Overview 1- Global Data Collection Network (DCN). 1- Global Data Collection Network (DCN). 2- Geo-Point Data Delivery Server (DDS). 3- Closed Loop Methodolgy.

Quova Technique Global Data Collection Network (DCN) Global Data Collection Network (DCN) o Largest IP geo-location data collection network in the world. o Collects 1.4 billion active IP addresses. o There are 16 agents which are globally distributed around the world.

Quova Technique GeoPoint Data Delivery Server (DDS) GeoPoint Data Delivery Server (DDS) o Collected data are passed to the DDS, which allows integration of real-time geo-location information with any online web-based application. o Applications have access to the GeoPoint DDS geo-location information, to provide geo-location information about an IP address (Web visitor).

Quova Technique GeoPoint Data Delivery Server (DDS)- (Continued) GeoPoint Data Delivery Server (DDS)- (Continued) o Each GeoPoint DDS contains a local copy of the IP geo- location data, which is automatically updated on a regular basis from the data center. o GeoPoint DDS automatically sends the received geol- location information back to Quova in order to improve the quality of Quovas services and to enable additional research.

IP2Location Technique

Current Study in Geo-location

IP2Location Algorithm

IP2Location Technique Algorithm Steps: Algorithm Steps: 1 Detect IP Address. 2 Convert IP Address to IP Number. 3 Search by IP Number 4 Credit Card Number validation. 5 Credit Card Type Validation. 6 AVS

IP2Location Database Format COULMN NUMBERCOULMN DESCRIPTION 1Beginning IP number 2Ending IP number 3Country Code (ISO 3166) (2 characters) 4Full Country name 5Region 6City 7Latitude 8Longitude 9Zip Code 10ISP 11Domain Name

IP2Location Database Example COULMN NUMBER COULMN DESCRIPTIONCOLUMN VALUES 1Beginning IP number Ending IP number Country Code (ISO 3166) (2 characters)US 4Full Country nameUNITED STATES 5RegionSOUTH CAROLINA 6CityGEORGETOWN 7Latitude Longitude Zip Code ISPCITY OF GEORGETOWN 11Domain NameCITYOFGEORGETO WN.COM

IP2Location Database Specification FIELD #FIELD NAMEDATA TYPEFIELD DESCRIPTION 1IP_FROMNUMERICAL (DOUBLE) Beginning of IP address range. The data is represented in IP number format 2IP_TONUMERICAL (DOUBLE) Ending of IP address range. The data is represented in IP number format. 3COUNTRY_CODECHAR(2)Two-character country code based on ISO COUNTRY_NAMEVARCHAR(64)Country name based on ISO REGIONVARCHAR(128)Region name 6CITYVARCHAR(128)City name

FIELD #FIELD NAMEDATA TYPEFIELD DESCRIPTION 7LATITUDENUMERICAL (DOUBLE) City latitude. Default to capital city latitude if city is unknown. 8LONGITUDENUMERICAL (DOUBLE) City longitude. Default to capital city longitude if city is unknown. 9ZIPCODECHAR(5)Five-digit ZIP codes for US cities only. 10ISP_NAMEVARCHAR(256)Internet Service Provider registered under the IP address range. 11DOMAIN_NAMEVARCHAR(128)Domain name assigned to Internet network. IP2Location Database Specification

Method of Converting IP Address into IP Number IP Number = (256) 3 * W + (256) 2 * X * Y + Z Where: W: the first block of numbers in the IP address. X: the second block of numbers in the IP address. Y: the third block of numbers in the IP address. Z: the forth block of numbers in the IP address.

IP Address = IP Number = (256) 3 * 4 + (256) 2 * * = Example of Converting IP Address into IP Number

Credit Card Number Validation

Validation Algorithm Validation Algorithm o In order to validate and verify the credit card number, a special algorithm called (MOD 10 Check) or (LUHN Formula) is used. o The MOD 10 Check takes the provided credit card number from the customer and validates that the number is in the correct range and format to be a credit card number and it is the type of credit card the customer says it is.

Credit Card Number Validation o MOD 10 Check does not tell if the credit card number is active or not, just that it is in the correct format. o This test is used on websites to validate that the credit card submitted is a recognizable credit card number. o It helps preventing processing credit card authorizations on numbers that could not possibly be credit cards.

Credit Card Number Validation Credit Card Number Validation Algorithm Credit Card Number Validation Algorithm Step 1. Double the value of alternating digits, starting from the second to last digit of the credit card number. Step 2. Add the separate digits of the product from the previous step. Step 3. Add the uneffected digits of the credit card number. Step 4. Add the results from step2 and step3 and divide the total by 10, if the remainder was zero, then its a valid number

Credit Card Number Validation o Example Step1: Starting with the second to last digit and moving left, Double the value of all alternating digits. For example: if we have a credit card with the following number we will do the following: x 2 = 14 5 x 2 = 10 3 x 2 = 6 1 x 2 = 2 7 x 2 = 14 5 x 2 = 10 3 x 2 = 6 1 x 2 = 2

Credit Card Number Validation Step2: Add the separate digits of the products from step1. (1+4) + (1+0) + (6) + (2) + (1+4) + (1+0) + (6) + (2) = 28 Step3: Add all the unaffected digits (the digits that we did not double) = 32 Step4: Add the results from step 2 and step3, and divide by = 60 If the result is divisible by 10, then the credit card number is valid.

Credit Card Number Validation Sequence Diagram Sequence Diagram

Credit Card Type Validation

o It verifies whether that the customer has provided the correct credit card type o All Credit Cards have specific number length and numerical prefix. Card TypePrefixNumber Length Master Card VISA413 or 16 American Express34 or 3715 Diners Club/Carte Blanche , 36, 3814 enRoute2014, Discover JCB316 JCB2131,

Credit Card Type Validation Credit Card Type Validation Algorithm Credit Card Type Validation Algorithm

Credit Card Type Validation Sequence Diagram Sequence Diagram

Credit Card Type and Number Validations Model Activity Diagram Model Activity Diagram