.

Credit card vulnerabilities and security measures

Sartaj Singh
*

Department of Computer Applications, Lovely Professional University Punjab (India)
Abstract
The usage of credit cards being in vogue all over the world, more and more people are using various types of Visa or Master
Card or Debit card because banks also encourage online money revolving through this system. The banks earn a lot through
credit card system and online transactions without the knowledge of the customer. With the advancement of technology, its
misuse has also been on the rise. The instances of tech-savvy swindlers, cloning credit cards and swipe machines to con
gullible customers, have been rampant. The credit card cloning machines can be easily obtained on the internet. The credit
card skimmer takes just two minutes to transfer all the vital data on to its computer along with specialized software. As
security measure the swipe machine is given UTId and UMId. However the clever con men go a step ahead and create a
machine using the unique pair of any merchants UTId and UMId. In order to stall credit card frauds RBI has already
suggested a number of steps to be implemented by the banks. They are asking the merchants to strictly verify the identity of
the card holder through photo identity proofs like PAN Cards, Passport or Voter ID cards.There is a dire need of some fool
proof device which may involve some system which may have a synchronized swipe machine attached with interface and a
smart card. There should be a provision of matching a photograph and finger prints of the credit card user with fresh finger
prints through virtual image to ensure authenticity of the card holder.
2013 Elsevier Science. All rights reserved.
Keywords:UTId (Unique Terminal Identification), UMId (Unique Merchant Identification), RBI (reserve Bank of India), PAN (Permanent
Account Number)Introduction
1. Introduction
The advantages of credit cards being safer than carrying cash are replacing fast the traditional way of banking.
The worldwide functionality due to Visa and Master Card merchant acceptance makes the system popular. One
doesnt have to worry about paying a credit card bill or going into debt. The usage of credit card being in vogue
all over the world, more and more people are coming forward to use various types of Visa or Master Card or
debit card. Even banks encourage this system because they earn a lot through this system of online transaction,
without the knowledge of the customer.At present there are three ways through which the debit card
transactions
[1]
are carried out: FTPOS (also known as online debit or PIN debit), offline debit (also known as
signature debit) and the Electronic Purse Card System. One physical card includes the functions of all three types,
and as such, it can be used in different circumstances.Although many debit cards are of the MasterCard or Visa
brand, there are many other types of this kind. These are accepted only within a particular country or region.For
example Laser in Ireland, Carte Bleue in France, UnionPay in China, EC electronic cash (formerly Eurocheque)
in Germany, Switch (now: Maestro) and Solo in the United Kingdom,RuPay in India and EFTPOS cards in New
Zealand and Australia
[2]
.
2. How the banks make money from credit cards?
When borrowers revolve credit, banks earn a high interest income. According to an RBI data, money revolving
in India was over 80% in 2009 which came down to 60% in 2012. According to an estimate HDFC bank earns
4% interest on the money it lends
[3]
. Ten banks account for 88% of credit cards issued in India. The four private
banks HDFC, ICICI Bank, AXIS Bank and Indusind Bank put together handle approximately 65% of the total
Proceedings of International Conference on Computing Sciences
WILKES100 ICCS 2013
ISBN: 978-93-5107-172-3
448 Elsevier Publications, 2013
Sartaj Singh
credit card outstanding balances in the banking system. When a customer opts for a 0% equated monthly
instalment of EMI option, a nominal transaction fee is charged by the bank
[4]
.
3. Existing security arrangements
It is a pity that banks in India are not taking credit card data security seriously. A survey of security in Indian
banks shows that most of the banks do not follow even the basic steps to ensure card security and to protect
personal data of the customer.The survey highlights that banks in India lag far behind in security of cards
[5]

transactions. It was found that banks still follow highly risky practices such as storing and printing authorisation
information like CVV numbers and expiry dates, and non-masking of card numbers.Most of the banks have used
security provisions such as SMS alerts, a separate transaction password and a virtual keyboard for online
banking, however, this is not enough. The banks have still not adopted the features that make card transactions
secure such as identity grid, risk-based authentication and one-time-password
[6]
(a dynamic token).When we talk
of privacy of customer data, the present scenario is even worse. Although the IT (Amendment) Act,
2008
[7]
recommends provisions for privacy of data, fool-proof systems for consumers' data security and privacy
protection are yet to be adopted by many banks. Survey results reveal that banks are constantly exposed to
sophisticated, organised and financially motivated threats and customers are being targeted through phishing,
vishing and smishing attacks
[8]
. As such, banks don't have sufficient mechanisms in place to track and stall
frauds.They still depend largely on incidents being reported by customers and employees.
3.1. Modus operandi of fraudsters
Credit-card fraud is usually perpetrated by copying or stealing card-authorization forms from stores, hotels and
restaurants or even from a person's own trash. Clever conmen use profitable approach by hacking into a credit-
card processor's database. Skimmers fitting magnetic-stripe clandestinely
[10]
on ATM machines and petrol pumps
etc. has become every days talk. And the old standby of using phishing attacks over the phone or the
internetto con individuals into parting with their card's security detailsremains as widespread as ever.
Foreigners visiting America are taken aback by how careless local card holders are when using credit or debit
cards to make purchases. They are surprised to see people allowing a sales clerk to swipe a card at a check-out,
instead of doing it personally on a shielded terminal while keying in a PIN number[11]. They hand over a credit
card to a waiter in a hotel or restaurant, who disappears for five minutes before returning with a counterfoil for
signature verification. Yet, we all do it in India with only a little bit of reservations
With the rest of the developed world having adopted more secure smart cards, America remains the only major
country that still relies on old fashioned
[12]
payment cards that encode their sensitive data information in a
magnetic stripe on the card. So far as security is concerned, it is as safe as writing details of your account on a
post-card and mailing it
449 Elsevier Publications, 2013
Credit Card Vulnerabilities and Security Measures
4. How is the credit card cloned?
In the usage of Credit card or online transactions there have been inherent dangers of data theft and
swindling
[13]
. With the growing usage of credit cards and debit cards the incidents of fraud, related with them,
have also been on the increase throughout India. In the year 2009 there were an estimated five crore credit cards
and an average of more than 2000 frauds were reported every month. Besides there were about 30 crore debit
cards also.
A fraudster can easily get the credit card cloning machine on the Internet. The cloning kit carries instructions
with it. This credit card skimmer
[14]
takes just 2 minutes to transfer all the vital data on to its own personal
computer. The software is also provided by the company that includes the credit card skimmer. When the 'upload'
button is clicked complete detail of the credit card
[15]
, that the person swipes, comes onto the computer. The
machine has the capacity of storing details of more than 2500 credit cards in its database.
On order, the hacker receives the kit with a credit card writer. All a fraudster has to do is just to swipe a
blank credit card through this credit card writer and lo! the data stored on it is instantly transferred to the
fraudster's blank credit card. It is amazing that, these counterfeit cards are complete with security hologram
markings as well
[16]
. There is major spurt in the problem of credit card cloning in North America and Europe.
In India, with fast growing usage of plastic money, the problem has been even more magnified than it was
supposed to be.
With the technology advances, its misuse has also been on the increase. The tech-savvy fraudsters clone
credit cards as well as swipe machines tocon gullibe customers. A delhi based trio had become notorious first
swindlers in India to steal lacs of rupees by cloning swipe machine
[17]
. The police procured from them several
swipe machines and credit cards. Some bank employees also came in ambit of police suspicion. These three
young men stole crucial and vital data to make Iake credit cards and debit cards. there aIter they use these
cards at some saIe terminals. It is rightly apprehended that machine cloning might become the preIerred mode
oI swindling and hacking.
450
Elsevier Publications, 2013
Woiking of anti scheming Aleit system
4.1 Cloning of swipe machines
Sartaj Singh
5. Three Pronged Measures Suggested
From the above analysis, it emerges that more stringent measures are required to be taken. Three pronged
measures suggested below can go a long way in preventing such frauds:
a) Validation check.
b) Modified, safer personalized credit card (PCC)
c) Smarter Swipe Machine
5.1. Validation Check
It is suggested that technologies like adaptive authentication should be implemented at the banks, by the
merchants and at the swipe terminals. Verification of signatures, photograph, and fresh index finger print of the
card holder by matching the same to the ingrained signature, photograph and index finger print in the virtual
image produced by swiping the PCC
[22]
in the smarter modified swipe machine is sure to nullify the occurrence
of fraud incidents
5.2 Modified, safer personalized credit card (PCC)
Encrypted data related problems of computing have caused innumerable new attractive technologies. Various
security technologies have been in practice like Tokenization, Cornell Spider, SENF and EnCase Forensic[23].
As the technology has advanced, there has emerged another technology of RFID for contactless access control
which can access passport and credit cards etc.
Contactless skimming is carried out even without the card holders knowledge that it has happened. Your data
showing identity, financial status and other related information could be stolen by someone sitting behind you in
a train, a bus or standing in a queue.
Paratech, the inventor of and leader in Quantum Tunnelling Composite technology known as QTCTM materials
offers a solution to this problem[24]. A very thin but robust, pressure-sensitive material acts as a switch
embedded in the circuit of the credit card. Then it is laminated just as credit cards are produced. Only 70 microns
thick, the switch is thinner even than the chip and it is easily embedded into a credit card
451 Elsevier Publications, 2013
4.2 Existing protection measured emploved
n order to prevent online transactions conning and credit card frauds, the RBI announced new guidelines in this
regard. It has been suggested that funds be transferred via NEFT, RTGS and IMPS methods
[18]
. The banks have
been advised that they should capture Internet Protocol (IP) address as an additional validation check.
As precautionary measure it has also been suggested that international cards will have to be EMV Chip and PIN
enabled. In other words the consumer will have to enter a PIN for every card swipe for transaction. Whereas it
enhances security to prevent frauds, it might also cause inconvenience to users. Still, it is a common international
card practice.
ssuing banks should convert all existing MagStripe cards to EMV Chip card
[19]
for all customers who have used
their cards internationally at least once through e- commerce/ATM/POS. Banks should make sure that all the
requisite infrastructure that is currently operational on IP (Internet Protocol) based solutions be made compulsory
to go through PCI-DSS and PA-DSS certification
[20]
. This should be for all --large merchants, acquirers and
processors / aggregators.
The terminals installed at the merchants for card payments, including the double swipe terminals used, should
be mandatorily certified for PCI-DSS (Payment Card Industry- Data Security Standards) and PA-DSS (Payment
Applications -Data Security Standards)
[21]
.
A smart personilzed credit card is needed to be created using QTC material
|25|
. These electro-active
polymeric materials enable the action oI 'touch'. It is translated into an electricak reaction, which in turn
enables a vast array oI devices to incoorporate very thin and robust 'sensing' oI touch and pressure.
Importantly, QTC oIIers enormous Ilexibility in design, style, thickness and shape oI a switch and pressure
sensor.
Credit Card Vulnerabilities and Security Measures
5.3 Smarter Swipe Machine
A more effective system comprising really PCC with compatible, virtual-interface-equipped swipe-machine
[28]

has to be contrived which may testify the true identity of a genuine card holder by displaying his/her image,
signature
[29]
and index finger print on the interface created by the swipe machine. If the fresh index finger print,
signatures and the image are Okayed only then the transaction should further proceed
[30]
. It will be the first step
towards forestalling sneaking of database at the back end
6. Conclusion
The data protection and security measures discussed above are bound to curtail the fraud occurrences, card
cloning and data theft to a large extent. Of course, the proposed method being a bit lengthy may cause annoyance
on the part of card users, bankers and merchants. May be, it would appear to them cumbersome and a tedious
process; and in the present time cut-throat competition banks cant afford to lose their customers. However the
suggested security measures are essential to be put into practice and both the ends- front end and back end. The
usage of contactless card in the UK is a good move. Such cards known as Oyster Visa wave and O
2
Wallet
[31]
,
now on trial in the UK are hoped to show good results. So far as online shopping or e-shopping is concerned, a
separate research is required to be conducted to forestall data leakage and sneaking incidents. It is true that
carelessness and security cannot go together. Therefore, more vigil on the part of card holders is a must.
References
[1] http://www.ocregister.com/articles/cards-522127-spalding-investigators.html
[2] http://krebsonsecurity.com/category/all-about-skimmers/
[3] http://ewh.ieee.org/r10/bombay/news5/SmartCards.htm
[4] http://news.yahoo.com/data-brokers-d-b-lexisnexis-altegrity-report-cyber-020617370--sector.html
[5] http://in.finance.yahoo.com/news/how-banks-make-money-of-your-credit-cards-041430667.html
[6] http://www.smartcardbasics.com/smart-card-security.html
[7] http://en.wikipedia.org/wiki/Smart_card
[8] http://in.finance.yahoo.com/news/not-credit-card-103934914.html
[9] http://www.smartcardbasics.com/smart-card-security_2.html
[10] https://blogs.oracle.com/irm/entry/taking_the_pain_out_of_pki_a_m
[11] http://www.nodus.com/credit_card_encryption.html
[12] http://in.specials.yahoo.com/news/fraud-proof-credit-card-180902540.html
[13] http://docs.oracle.com/cd/E16216_01/crm91pbr0/eng/psbooks/ccrm/chapter.htm?File=ccrm/htm/ccrm11.htm
[14] http://www.embedded.com/design/safety-and-security/4369714/Enhance-system-security-with-better-data-at-rest-encryption
[15] http://www-03.ibm.com/press/us/en/pressrelease/38090.wss
[16] http://docs.oracle.com/cd/E39583_01/fscm92pbr0/eng/fscm/fexp/task_EnablingCreditCardEncryption-9f5a4d.html
[17] http://www.slashgear.com/credit-card-skimmers-now-more-sophisticated-than-ever-30292155/
[18] http://www.slashgear.com/credit-card-skimmers-now-more-sophisticated-than-ever-30292155/
[19] http://www.youtube.com/watch?v=xPpaXEJ Z7W8
[20] http://krebsonsecurity.com/tag/atm-skimmer/
[21] http://www.informationweek.com/security/vulnerabilities/ipad-credit-card-reader-hacked-as-skimme/231300283
[22] http://security.stackexchange.com/questions/36135/detecting-skimmers-and-other-atm-traps
[23] http://www.ask.com/question/how-do-you-clone-credit-cards
[24] http://www.lovemoney.com/news/scams-and-rip-offs/scams/15992/credit-card-cloning-fraudsters-spent-2000-on-my-husbands-credit-
card-without-stealing-it
[25] http://uk.finance.yahoo.com/news/how-credit-card-cloning-works.html
[26] http://www.makeuseof.com/tag/fraudsters-still-clone-credit-cards-keep-plastic-in-your-pocket/
[27] http://www.scamwatch.gov.au/content/index.phtml/tag/CardSkimming
[28] http://www.bankrate.com/brm/news/cc/20020524a.asp
[29]http://money.aol.co.uk/2012/06/19/how-credit-card-cloning-works/
[30]http://blog.unibulmerchantservices.com/skimming-cloning-and-credit-card-fraud/
[31] http://www.creditcardchaser.com/what-is-credit-card-skimming-or-cloning/
452 Elsevier Publications, 2013
A solution to the security problems regarding outsourced databases are likely to be solved iI the data are properly
encrypted on both ends- Iront end and back end. At this stage, Homomorphic and holographic encryption seems to
oIIer a viable and dependable solution to the problem at hand. From the above discussion it is established|26|,
without an iota oI doubt that so Iar no hunky-dory protection/security oI database inIormation has been
achieved|27|. The personalized credit card should carry a photograph, Iore Iinger print and signature oI the card
holder to be displayed in the virtual image, created by the swipe machine. The machine should ensure that the card
holder`s Iace, Iresh index Iinger print and Iresh signatures tally and only then Iurther transaction should be allowed.
Index

C
Cross-layer protocols, 445446

W
Wireless sensor network (WSN), 443
cross layer issues in, 444