ISBN: 378-26-138420-01
INTERNATIONAL CONFERENCE ON CURRENT TRENDS IN ENGINEERING RESEARCH, ICCTER - 2014
Vulnerabilities in Credit Card Security
S. Krishnakumar, Department of Computer Science and Engineering, MNM Jain Engineering College, Chennai
krishnakumar.srinivasan1@gmail.com, 9789091381

Abstract—This paper highlights vulnerabilities in the online payment gateways of e-commerce sites, the security of the customer credit card information stored in them, and how these weaknesses can be exploited. It also suggests mechanisms by which the vulnerabilities can be closed.

I. INTRODUCTION
The reach of the Internet is growing day by day, and this growth has led to a host of online services such as banking, online shopping and e-ticket booking. Almost all of these services involve a monetary transaction; the ones built most directly on online payments are banking and online shopping (e-commerce). These service providers collect and record a great deal of information about their customers, in particular financial information such as the credit card number and, in some cases, the PIN, in addition to name, address and preferences. It is therefore imperative that providers have a sound security mechanism to protect the customer data they store. Failing to do so exposes sensitive data to hackers and third parties who may misuse it for personal gain, which not only harms the customer but also erodes trust in the integrity of the provider. The problem is concentrated in poorly secured sites. This paper highlights some of the security loopholes found in payment gateways and in the way customer data is secured.

II. VULNERABILITIES
A. Storage of customer data
Almost all of the poorly protected e-commerce sites examined collect and store customer information such as name, address, password, preferences, purchase and transaction history, and in some cases even the credit card number and its CVV. They use this data to analyse customer trends and to customise the customer's online experience. It is therefore imperative that they either have a sound mechanism to protect this data or avoid collecting such sensitive data at all.

B. Access to customer data
The customer records stored by the website should be accessible only to authorised personnel of the service provider and the system administrator, and must be protected from unauthorised access by third parties and individuals. Above all, the database contents must be properly encrypted so that anyone who obtains a copy of the data cannot read it.

C. Vulnerability analysis tools
Many open source and free security and penetration-testing tools are available on the Internet. Their purpose is to detect and expose vulnerabilities and loopholes in a system, but hackers can equally use them to scan for systems and websites that are vulnerable and easily exploited. Service providers and e-commerce companies must therefore periodically test and analyse their websites and systems for security loopholes and fix them. The same tools can be used by hackers to commit card fraud by stealing customer data from websites they have found to be vulnerable in their own tests. Either the service provider runs the test, or a hacker will save them the trouble.

D. Authentication mechanisms
The authentication mechanisms that e-commerce sites apply to their customers also have loopholes that a hacker can exploit once they have obtained sensitive customer data from the site. Most prominent e-commerce sites do not check whether the shipping and billing addresses match when an order is placed. This gives a hacker impersonating a customer the leeway to get away with goods purchased with the customer's account and credit card. Proper layers of authentication are essential to prevent such fraud, in addition to securing the customer data itself.

III. EXPLOITING THE VULNERABILITIES
This section explains how a combined exploitation of the vulnerabilities above can be used to gain access to customer data stored on e-commerce sites, and how that data can then be exploited for the hacker's personal gain.
F. Scanning for vulnerabilities
● First the hacker scans for vulnerable e-commerce sites with a free security tool called Dork scanner. The tool is a simple Python script that returns websites whose URLs contain a specified keyword such as buy_now, add_to_cart or PayPal.
● The hacker gives Dork scanner payment-related keywords (add_to_cart, payment, PayPal, buy_now), which appear in the URLs of the payment pages of e-commerce websites.
● Dork scanner searches the web for sites containing those keywords and returns a list of them.
● From that list the hacker filters the sites that have a particular kind of vulnerability, such as SQL injection or XSS.
● After selecting a vulnerable site, the sqlmap Python tool is used to retrieve the tables of the website's database that store customer financial data.
● On poorly protected sites, tables whose names contain keywords such as "payment" are retrieved together with the data stored in them.
● Some of these tables expose only the last four digits of a credit card; on the least protected sites they expose the full number.

How the hacker extracts the data:
● After scanning, the poorly protected sites are targeted. The hacker attacks the website's database through SQL injection (XSS is flagged at the scanning stage, but it is SQL injection that reads the database), first working out the name of the database; in blind injection this starts with its length.
● After getting the database, the hacker enumerates its tables and then scans the columns of each table.
● On shopping websites, tables such as TOTAL_ORDERS, CUST_DETAILS, CUST_PAYMENTS and CUST_EMAILS are typical.
● If the site is poorly protected, the payment tables are readable and the hacker can retrieve the complete card details together with the cardholder's address.
● All of this applies only to poorly protected shopping sites; but at present many websites record everything, including the CVV, so those websites are always exposed.
● If full card information is needed, the hacker can upload a web shell to the site; if the hosting control panel (cPanel) is reached, the full card information is there. Many websites even display the full card number directly.
Encryption of stored data is therefore essential, and SQL databases should be tested for injection.

G. Exploiting the authentication mechanism
After obtaining customer financial data, including the login ID, password and credit card number, the hacker can impersonate the customer and place orders online. Since most websites do not check whether the billing and shipping addresses are the same, this is a loophole the hacker can exploit, and it applies even to well-known websites. Having extracted the customer data, the hacker knows where the customer is from and what their preferences are.
● The hacker then obtains a VPN connection or a remote desktop in that location and places orders on the website.
● The hacker matches the VPN location to the credit card's location so that the purchase goes through easily.
● The hacker clears all cookies and avoids blacklisted IP addresses, obtaining a fresh VPN exit that matches the card's location.
● This methodology gets past the checks on most websites, and many of them are unable to detect it.
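The database step described in F above, reduced to its essentials as an added example (this is illustrative code written for this edit, not code from the paper or from sqlmap): a constructed in-memory shop database with the CUST_DETAILS and CUST_PAYMENTS tables the paper names, an account lookup that concatenates user input into SQL, the two UNION payloads that enumerate the tables and then dump the card rows through it, and the parameterised lookup that the same payloads cannot get past. Table and column names, the sample rows and the test card numbers are all constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the CUST_DETAILS / CUST_PAYMENTS tables the
# paper describes. The card numbers are industry test numbers, not real cards.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.com", "12 Main St, New York"),
    (2, "bob", "bob@example.com", "9 High St, Chennai"),
]
SAMPLE_PAYMENTS = [
    (1, 1, "4111111111111111", "123", "12/26"),
    (2, 2, "5555555555554444", "456", "01/27"),
]


def build_db():
    """Create an in-memory shop database with the two tables used below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CUST_DETAILS (id INTEGER, username TEXT, email TEXT, address TEXT)")
    conn.execute("CREATE TABLE CUST_PAYMENTS (id INTEGER, cust_id INTEGER, "
                 "card_number TEXT, cvv TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO CUST_DETAILS VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.executemany("INSERT INTO CUST_PAYMENTS VALUES (?, ?, ?, ?, ?)", SAMPLE_PAYMENTS)
    conn.commit()
    return conn


def account_lookup_vulnerable(conn, username):
    """The injectable pattern: user input concatenated into the SQL text."""
    sql = ("SELECT username, email, address FROM CUST_DETAILS "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def account_lookup_safe(conn, username):
    """Same query with a bound parameter: the input is data, never SQL."""
    sql = "SELECT username, email, address FROM CUST_DETAILS WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Step 1 of the procedure: enumerate tables. SQLite keeps its catalogue in
# sqlite_master; on MySQL the equivalent target is information_schema.tables.
ENUMERATE_TABLES = "x' UNION SELECT name, type, sql FROM sqlite_master --"

# Step 2: with the table and column names known, pull the payment data through the
# same injectable parameter. The trailing "--" comments out the query's closing quote.
DUMP_CARDS = "x' UNION SELECT card_number, cvv, expiry FROM CUST_PAYMENTS --"


def dumped_tables(conn):
    """Table names an attacker learns through the vulnerable lookup."""
    return sorted(row[0] for row in account_lookup_vulnerable(conn, ENUMERATE_TABLES))


def dumped_cards(conn):
    """(card_number, cvv, expiry) rows leaked through the vulnerable lookup."""
    return sorted(account_lookup_vulnerable(conn, DUMP_CARDS))


def safe_lookup_leaks(conn):
    """Rows the same payload yields against the parameterised query (none)."""
    return account_lookup_safe(conn, DUMP_CARDS)


if __name__ == "__main__":
    db = build_db()
    print("tables:", dumped_tables(db))
    print("cards:", dumped_cards(db))
    print("safe:", safe_lookup_leaks(db))
```

Parameter binding is the fix for the query itself; the second control a practitioner would add is least privilege at the database layer, so that the storefront's database account has no SELECT right on CUST_PAYMENTS at all and a UNION from the order-lookup path has nothing to read.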
I. Avoid storing credit card information
This form of illegal access must be closed off. E-commerce websites must avoid retaining sensitive financial information about the customer. The website should never save CVV numbers, and once the customer is redirected to the payment gateway the CVV should be encrypted so that even the website cannot read it, and passed on for the bank's authentication.
Some common loopholes in storing the data:
● Well-secured websites do not store the customer's credit card information after the transaction, but vulnerable sites keep the card data even after the transaction has completed.
● The data stored on these sites is not secure, because most of it is not encrypted.

J. Authentication mechanism to fix loopholes in payment gateways
E-commerce websites must have a proper authentication mechanism to make sure that an order is placed by the genuine customer and not by an impersonator.

Loopholes in payment gateways:
● Even good shopping websites fail to detect unauthorised transactions. Payment gateways do not compare the IP address of the person placing the order with the location of the credit card, and lack the checks needed to recognise an illegitimate IP address.

Loopholes in payment gateway SSL:
● Hackers routinely use a VPN to get past the website's checks, and many websites do not recognise such untrusted connections. SSL verification on its own does not identify the client, so a VPN bypasses it. Every website should enforce proper SSL/TLS certificate verification, which protects the connection against man-in-the-middle attacks, and should treat IP-based checks for illegitimate access as a separate control.
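What "good SSL verification" means in practice for the merchant's own connection to its gateway or bank, as an added example (not code from the paper): a client TLS context with verification switched off, which is the configuration that lets a man-in-the-middle present any certificate, beside the corrected context, and a policy check a deployment can run at start-up. The weak settings here are constructed for contrast; the paper does not show any particular site's configuration.

```python
import ssl


def weak_context():
    """Accepts any certificate from any host: a man-in-the-middle can present their own."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Verifies the chain against the system CA store, checks that the certificate
    matches the hostname, and refuses protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_acceptable(ctx):
    """Start-up policy gate: refuse to talk to the bank over a context that would not
    detect an interposed server."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)
```

Note what this does and does not buy: the hardened context authenticates the server the merchant is talking to and keeps the card data confidential in transit. It says nothing about whether the buyer at the other end of the merchant's own HTTPS session is behind a VPN; that is the separate IP and location check discussed under J.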
IV. PREVENTIVE SECURITY MEASURES
These security loopholes can be plugged by several security mechanisms.

H. Encryption of user records
E-commerce websites that store customer data and financial records must encrypt all such data in their database to prevent unauthorised use of it. Several free and strong open source encryption tools are readily available. Encrypted data is hard to decrypt without the proper key and would require enormous computing resources to brute-force, so the data is rendered unusable even if it is retrieved without authorisation.

Basic algorithm:
● First the gateway checks whether the billing address matches the address on file for the credit card; if it does, it verifies the billing phone number against the bank's records.
● IP verification should be strong: the connection should be made over properly verified SSL/TLS, and then the gateway compares the IP location recorded when the card was first used with the IP of the user now placing the order. Dynamic IP addresses can be recorded and matched by range to identify illegitimate access.
● If the user is placing the order from some other location, the website issues an authentication code to the user, who must then contact the bank to have the order processed.
● Banking websites should maintain the IP from which each credit card was first used.
● Payment gateways should be built with open source code (for example Python) so that untrusted connections and the IPs behind them can be verified.

In outline: when a user reaches checkout and enters card information, the website's payment gateway first verifies that the connection is trusted, to detect illegitimate IP access. If it is, the website checks the IP location at which the credit card was first used (a dynamic IP range is acceptable) and confirms that it matches the location of the user now placing the order. This is the basic authentication step.
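The storage rule from section I and the "common loopholes in storing the data", with the record H asks to protect reduced to what should be persisted at all, as an added example (illustrative code for this edit, not the paper's): a checkout submission is validated, the CVV and full card number are dropped, only the masked number, last four digits, expiry and an opaque gateway token are kept, and a keyed hash of the card number lets the merchant recognise a returning card without holding it. The gateway token name, the index key and the sample submission are constructed for the example; a real deployment stores the key in a key store and rotates it.

```python
import hashlib
import hmac
import re

# Constructed server-side secret for the keyed index (assumption: held by the merchant,
# outside the database, and rotated). Not a value to reuse.
INDEX_KEY = b"example-only-index-key"

# Fields that must never reach the merchant's database. The CVV may not be kept after
# authorisation at all; the full card number is replaced by the gateway's token.
FORBIDDEN_AT_REST = {"cvv", "card_number", "pin"}


def luhn_valid(pan):
    """Mod-10 check every card number passes; rejects typos before anything is stored."""
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:        # double every second digit, counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Display form: first six and last four digits, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def card_index(pan):
    """Keyed hash of the card number. Lets the merchant recognise a returning card
    (velocity limits, fraud lists) without holding the number. An unkeyed hash would be
    reversible by brute force because the space of valid card numbers is small."""
    return hmac.new(INDEX_KEY, pan.encode(), hashlib.sha256).hexdigest()


def assert_storable(record):
    """Policy gate in front of every INSERT: refuse records carrying forbidden fields."""
    leaked = FORBIDDEN_AT_REST & set(record)
    if leaked:
        raise ValueError("refusing to store " + ", ".join(sorted(leaked)))
    return True


def record_for_storage(checkout, gateway_token):
    """Turn a raw checkout form into the only record the merchant should persist.

    checkout: dict with card_number, cvv, expiry, customer_id as submitted by the user
    gateway_token: opaque reference returned by the payment gateway (hypothetical name)
    """
    pan = re.sub(r"\D", "", checkout["card_number"])
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("invalid card number")
    record = {
        "customer_id": checkout["customer_id"],
        "gateway_token": gateway_token,
        "masked_pan": mask_pan(pan),
        "last4": pan[-4:],
        "expiry": checkout["expiry"],
        "card_index": card_index(pan),
    }
    assert_storable(record)
    return record


# Constructed checkout submission (industry test card number, not a real card).
SAMPLE_CHECKOUT = {
    "customer_id": 42,
    "card_number": "4111 1111 1111 1111",
    "cvv": "123",
    "expiry": "12/26",
}

# What the vulnerable sites in the paper write to CUST_PAYMENTS after the transaction.
VULNERABLE_ROW = {"customer_id": 42, "card_number": "4111111111111111",
                  "cvv": "123", "expiry": "12/26"}
```

If the card number itself genuinely has to be retained (recurring billing without a gateway token), it is encrypted under a key that lives outside the database, which is the point of section H; the record above shows that for most merchants the better answer is to hold no number at all.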
New solution: detecting high-encryption VPN and SOCKS5 connections
The paper's sketch of the check, rewritten here as runnable Python (the original is incomplete pseudocode; dynamic_socket_auth and card_location stand in for its undefined dynamic.socketsauth() and "credit card details" lookups):

    def ip_entered(dynamic_socket_auth, card_location):
        """Get the IP address of the user placing the order and decide whether to proceed."""
        ip = input("please enter the ip: ")
        if dynamic_socket_auth(ip):
            # illegal IP access: the connection is an untrusted (VPN / proxy) socket
            print("failed")
            return False
        # if the credit card is from New York, the user's IP should be near that state;
        # otherwise the transaction is declined, unless the user is abroad with their own
        # card, in which case the shop supplies an authentication code to the bank
        if card_location(ip):
            return True          # ip.success: the IP matches the credit card details
        print("payment failed")
        return False

● Every payment gateway should be tested, and all anonymous proxies verified; IPs used for illegitimate access should be blacklisted.
● All banking websites should maintain a database holding the IP address, matched as a dynamic range, from which each credit card was first used.
● If the user places an order from a different location, the website should issue an authentication code before the order is processed. Tor exit connections should be identified so that the browser's anonymity does not defeat the check. Most users use their credit cards from their own location, so this method is effective; issuing the authentication code to users in a different location should be automated.
● Python should be integrated with the database for easy access, and trusted, secured SSL/TLS should be used to avoid man-in-the-middle attacks.
● Every website's payments and the IP address of each order should be verified against the bank's database records. Even if the hacker uses a highly encrypted VPN, the exact location of the card will not be reproduced; and if it does match, the IP authentication against the bank's database can still detect the illegal access. Once the IP range has been verified against the bank's database, the order is fulfilled.
By contrast, the existing system uses plain PHP code to accept the card details, after which the payment is fulfilled.
This is not a complete implementation; it is a basic authentication step for payment gateways. If websites adopt some open source code to verify untrusted connections and match IPs, illegal access can be reduced.
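The basic algorithm of section IV and the sketch above, carried through as a working decision function (an added example written for this edit, not the paper's code): address verification against the card on file, the billing phone against the bank's record, a shipping-versus-billing comparison for the loophole noted under D, a known-anonymiser check, the "dynamic IP range" match against the IP the card was first used from, and geolocation against the card's home region, with a mismatch producing a step-up (authentication code via the bank) rather than a flat decline. The GeoIP table, the anonymiser range list, the card record and the orders are all constructed; they use documentation address ranges so nothing maps to a real network.

```python
import ipaddress

# Constructed GeoIP table (prefix -> country, region). Stands in for a GeoIP database.
GEOIP = {
    "203.0.113.0/24": ("US", "NY"),
    "198.51.100.0/24": ("IN", "TN"),
    "192.0.2.0/24": ("DE", "BE"),
}

# Constructed list of known VPN / SOCKS5 / Tor exit ranges (hypothetical).
ANONYMISER_RANGES = ["192.0.2.0/24"]


def geolocate(ip):
    """Country/region for an IP, or None when it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for cidr, location in GEOIP.items():
        if addr in ipaddress.ip_network(cidr):
            return location
    return None


def is_anonymiser(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in ANONYMISER_RANGES)


def same_dynamic_range(ip, first_seen_ip, prefix=24):
    """The paper's dynamic-range match: the /24 the card was first used from is home."""
    home = ipaddress.ip_network(f"{first_seen_ip}/{prefix}", strict=False)
    return ipaddress.ip_address(ip) in home


def authorize_order(order, card):
    """Return (decision, reasons).

    order: billing_address, shipping_address, phone, client_ip as submitted at checkout
    card : the bank's record: billing_address, phone, home (country, region), first_seen_ip
    decision: 'approve', 'step_up' (send the customer an authentication code and have the
    bank confirm the order) or 'decline'.
    """
    reasons = []
    # 1. Address verification: the billing address must match the card on file.
    if order["billing_address"] != card["billing_address"]:
        return "decline", ["billing address does not match card on file"]
    # 2. Billing phone against the bank's record.
    if order["phone"] != card["phone"]:
        reasons.append("billing phone does not match bank record")
    # 3. Goods going somewhere other than the billing address (section D).
    if order["shipping_address"] != order["billing_address"]:
        reasons.append("shipping address differs from billing address")
    # 4. Connection checks: known anonymiser first, then location against the card's home.
    ip = order["client_ip"]
    if is_anonymiser(ip):
        reasons.append("order placed through a known VPN/proxy range")
    elif not same_dynamic_range(ip, card["first_seen_ip"]):
        location = geolocate(ip)
        if location is None:
            reasons.append("client IP has no known location")
        elif location[0] != card["home"][0]:
            reasons.append("client IP is in another country")   # own card abroad: code via bank
        elif location[1] != card["home"][1]:
            reasons.append("client IP is outside the card's home region")
    return ("step_up" if reasons else "approve"), reasons


# Constructed bank record and a constructed order from the cardholder's own range.
CARD = {"billing_address": "12 Main St, New York", "phone": "+1-212-555-0100",
        "home": ("US", "NY"), "first_seen_ip": "203.0.113.10"}
SAMPLE_ORDER = {"billing_address": "12 Main St, New York",
                "shipping_address": "12 Main St, New York",
                "phone": "+1-212-555-0100", "client_ip": "203.0.113.77"}

if __name__ == "__main__":
    print(authorize_order(SAMPLE_ORDER, CARD))
    print(authorize_order(dict(SAMPLE_ORDER, client_ip="192.0.2.5"), CARD))
```

Two caveats a practitioner would attach. The step-up outcome, not a decline, is what keeps genuine travellers able to buy, and the anonymiser list and GeoIP data are only as good as their freshness, so both are inputs to be refreshed, not constants. The address and phone comparisons are also exact-match here; a real gateway normalises addresses before comparing them.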
Comparison with existing payment gateways:
● Existing systems mainly use PHP or ASP to build the payment gateway. Many such PHP sites are found to be vulnerable to cross-site scripting, and the server's reply is not fully secured.
● Existing systems do not have a good verification method for detecting illegitimate IPs.

Conclusion
If merchants maintain well-encrypted records and a well-built payment gateway over a trusted SSL/TLS connection, this kind of illegal access can be stopped.
INTERNATIONAL ASSOCIATION OF ENGINEERING & TECHNOLOGY FOR SKILL DEVELOPMENT
www.iaetsd.in