Secure Online Transaction Algorithm: Securing ... - ScienceDirect.com

Available online at www.sciencedirect.com

ScienceDirect

Available online at www.sciencedirect.com Procedia Computer Science 00 (2017) 000–000

ScienceDirect

www.elsevier.com/locate/procedia

Procedia Computer Science 114 (2017) 93–99

Complex Adaptive Systems Conference with Theme: Engineering Cyber Physical Systems, CAS October 30 – November 1, 2017, Chicago, Illinois, USA

Secure Online Transaction Algorithm: Securing Online Transaction Using Two-Factor Authentication Joseph Gualdoni, Andrew Kurtz, Ilva Myzyri, Megan Wheeler, and Syed Rizvi* Department of Imformation Sciences and Technology, Penn State University, Altoona PA, 16601, USA

Abstract Identity theft is a very scary and real threat to everyone. In an attempt to give people peace of mind a new algorithm of mitigating risk is presented, the Secure Online Transaction Algorithm (SOTA). The proposed SOTA seeks to use two-factor authentication with the random codes. This form of user authentication has become widely accepted and many companies have started to implement this security feature. This can be utilized to identify users and establish secure way of purchasing items online. The proposed SOTA uses mobile devices to log into card accounts via an application to view the randomly generated code. This is then inputted on an online retailer’s website when prompted in order to authenticate the individual making the purchase. This minimizes the possibility that an illegitimate user can use someone else’s information to make fraudulent purchases. Without a valid code, identity thieves cannot use the stolen card information to make purchases. This in turns protects both the consumer and the credit card companies, which could be harmed financially. In order to better understand how our model could protect someone from having a stolen credit card used, we provide one case study to showcase the security. © 2017 The Authors. Published by Elsevier B.V. Peer-review under responsibility of the scientific committee of the Complex Adaptive Systems Conference with Theme: Engineering Cyber Physical Systems. Keywords: Two-Factor Authentication; Secure Online Transaction Algorithm (SOTA); AES Encrpytion; SHA–256

1. Introduction Credit cards are a common method for payment both purchases in retailer stores and online purchases. However, while using credit cards for an online purchase there is more security in place to secure an e-mail account than a credit card. With the growing popularity of two-factor authentication many services have adopted it as the new security standard.

* Syed Rizvi. Tel.: +1-814-949-5292 E-mail address: [email protected] 1877-0509 © 2017 The Authors. Published by Elsevier B.V.

Peer-review under responsibility of the scientific committee of the Complex Adaptive Systems Conference with Theme: Engineering Cyber Physical Systems.

1877-0509 © 2017 The Authors. Published by Elsevier B.V. Peer-review under responsibility of the scientific committee of the Complex Adaptive Systems Conference with Theme: ­Engineering Cyber Physical Systems. 10.1016/j.procs.2017.09.016

94

Joseph Gualdoni et al. / Procedia Computer Science 114 (2017) 93–99 Rizvi / Procedia Computer Science 00 (2017) 000–000

Two-factor authentication if implemented for online purchases that utilize a credit card could help reduce if not almost eliminate fraudulent purchases made with credit cards. Users of credit cards are the most susceptible to identity theft due to the complacency users have along with the lack of security already in use. Around 18 million adults in the United States, in 2014, were victims of Identity theft [2]. Of the total amount, 86% of identity theft victims were also victims of credit card and account theft [2]. It only makes sense to use the same if not more security to secure your assets as it is to secure your e-mail. There are many different types of threats to credit card holders. Credit cards have a majority of the information needed to make a purchase found directly on the card such as card number, security code, and expiration date. This information can be viewed and even copied by someone who you give the physical card and allow them to walk out of your sight with the card, such as a waiter or waitress [3]. Another security threat could simply be the lack of knowledge of scams to gain access to the information or being too trusting of individuals that pretend to be in a position of authority that they are not. For instance, phone call scams asking for money to provide a service that needs immediate attention. College students are at greater risk to these attacks because they are too gullible [6]. Many times, employees will be to blame for misusing or handling personal identifiable information. In turn credit card information, can then exploited by attackers [5]. Attacks on businesses databases can also be used to gain a vast amount of individual’s personal identifiable information. These attacks if successful could result in leaving those that are unknowingly victims of the attack vulnerable to future attacks with their stolen information. Social engineering is a very dangerous scam that can be used by anyone to gain information. Social engineering is manipulating an individual(s) to perform a task or provide sensitive information. This type of scam can be used to gain credit card information from one individual or even used on an individual at a company to gain access to their databases [7]. A professional penetration tester named Mati Aharoni was tasked to attempt to break into a company that had little to no presence online. He found a high ranking company official that used his corporate e-mail on a forum about collecting stamps and was interested in stamps from the 1950’s. Mati registered for a URL that was about a stamp collecting site and used Google to find images of old stamps from the 1950s. He then crafted an e-mail to the high ranking company official that said that he was selling stamps and provided a link to the website. He also left a message for the official saying that he recently took possession of some 1950’s and 1960’s stamps. However, Mati had embedded a malicious frame on the website link that he provided to the official. The official clicked the link and compromised the system [7]. This could have easily been a real attack that would have consequences for the company. An identity thief could easily gather the information needed to use a stolen credit card and make fraudulent purchases online. In order to counter credit card fraud, redundancies are set. Two-factor authentication (TFA) is now a widelyaccepted way to confirm user identity [1]. Random pin generators can be used in along with two-factor authentication. This code would be received by the individual that holds the account the credit card is registered to via a mobile application linked to the account. By using a random pin generator while attempting to use a credit card to purchase online goods, the identity of the individual using the credit card can be verified. A purchase could be attempted by an individual who has obtained stolen information, but without the randomly generated code, the purchase would not be approved. This provides yet another safeguard from possible credit card theft. Using two-factor authentication along with a random code generator could create a safe system that is also user friendly. The Secure Online Transaction Algorithm (SOTA) is the only type of credit card security that offers both unique authentication, and multi-layered security for the consumer. The SOTA provides security that would be able to stop a fraudulent transaction if it is attempted. The model utilizes an application provided by the credit card company. This application would be able to provide the random code for every credit card transaction. The combination of a code and registered application provides the perfect vetting of a consumer and their credit card account. 2. Related Work Everyone’s personal identifiable information is always in danger. As long as the information exists, it is susceptible to being stolen. As an example, an attack took place via Facebook in 2011 in which an individual who was a “friend” sent



Joseph Gualdoni et al. / Procedia Computer Science 114 (2017) 93–99 Rizvi / Procedia Computer Science 00 (2017) 000–000

95

a video link to an unsuspecting user. This link would take the user to a website that informed the user their computer was out of date and needed updated. It would then provide a download link which scans the user’s computer for their information [3]. Identity theft and phishing scams are the two most common types of fraud found within the online market. To mitigate both of these types of fraud, a method was proposed by V. Lokeswara Reddy Ph.D. and T. Anusha of KSRM College of Engineering that uses steganography and visual cryptography for an online payment system. This system works by only providing the minimum information that is needed to verify that the consumer has made a payment from their bank account. The coding used in this model utilizes characteristics of the English language. This increases the complexity and allows for freedom from the point of view of sentence construction within the code [5]. The way this model works in a transaction during online shopping is a customer selects the items they wish to purchase. The customer then inputs their credit or debit card detail such as the numbers and expiration date. Next, the customers submit their unique authentication password. The customer then authenticates their account number in connection to the online retailer and that is placed above the cover text. The next step is for an informal photograph of two texts is taken. Two portions are generated by utilizing cryptanalysis. One of the portions is kept by the customer and the other portion is kept in the Certified Authority’s database. When the customer is attempting to finalize their purchase they are directed by the online retailer to the Certified Authority’s imposing entrance. In the imposing entrance, the customer provides its records and then the Certified Authority provides their portion to create a master image. The online retailer then sends this to the customer bank and receives authentication [5]. Fraud is a real problem that is continuing to grow. Two types of fraud that have been prevalent recently are Nigerian e-mail scams and UK Lottery scams. The Nigerian e-mail scam ask the victim to send money so that they might unfreeze their assets and in return the scammer will grant the victim a large sum of money as a “thank-you” gift for their help, this is not what would actually happen. The scammer would receive from the victim’s personal identifiable information. The second type of fraudulent act that has been prevalent in recent years is the UK Lottery scams. This scam is very similar to the Nigerian e-mail scam and follows the same basic design in an attempt to gain personal identifiable information from the victim [6]. Cybercrimes have become a lucrative and safe alternative to tradition crimes such as armed robbery. Hacking into a company’s database or simply sending out a mass phasing e-mail while at a computer on your couch can be more successful financially and be safer than performing a bank robbery for the same amount of money or information. Another factor that needs to be considered is the geography of the attack. This is due the lack of cyber laws in some countries and also the victim’s law enforcement might not be able to prosecute the attacker due to the attacker residing in another nation [6]. Credit cards are a very common method of payment for most purchases. Credit cards can be used to make in-store purchases or online. The amount of credit cards that are used means that there is a lot of credit card information being sent over the internet at any given time. This creates a great opportunity for credit cards to be used in fraudulent purchases. The Hidden Markov Model (THMM) is one method that tries to counter these fraudulent purchases by running in the background (without having to interact with the user). THMM tries to monitor the buying habits and prices of the items bought by the card holder. THMM can prevent fraudulent credit card purchases, but there is still the opportunity for false positives (purchases that are believed to be fraudulent but aren’t). With 2FA there is no chance of a false positive because the user either confirms the purchase or doesn’t. The THMM has the potential to stop some fraudulent credit card purchases, however it is automated and allows a chance for an unnecessary error to occur [8]. 3. Proposed SOTA Framework The SOTA utilizes a smartphone application that is registered to a specific credit card. The application will be the transmission device used to provide a code to authenticate the purchase the consumer is attempting to make. If the consumer inputs the code, provided by the application, the purchase is verified and authenticated. If an unauthorized user, for example an identity thief, inputs an incorrect code the purchase is declined. The number of attempts to input the code would be left to the judgement of the credit card company. 3.1. The Smartphone Application For the proposed algorithm to function properly, the account holder, of the credit card, must to download an

96

Joseph Gualdoni et al. / Procedia Computer Science 114 (2017) 93–99 Rizvi / Procedia Computer Science 00 (2017) 000–000

application provided by the credit card company. This application will be how the one-time password will be received by the account holder. A possible addition to the proposed algorithm is to only allow one device to be linked to a credit card at one time. This is a possible option in an attempt to stop a fraudulent user from simply registering a device along with the credit card account holder. If the account holder wishes to link other devices to their account, they must authorize it using their device 3.2. Two-Factor Authentication and One Time Password Tokens We are proposing using Two-Factor Authentication (TFA) in along with One-Time Password (OTP). OTP is simply a password used for a specific time period or transaction then it becomes invalid after that transaction is completed or time period has elapsed. This is an example of a transaction attempt made by a legitimate Consumer. The Consumer attempts to make an online purchase with an Online Retailer. Once the Consumer has located the desired products, the Consumer proceeds to checkout. It is at this point in the process that the SOTA would start to provide the security. The Consumer proceeds to input their preferred method of payment. If the Consumer selects a credit card secured with SOTA, the Consumer inputs their credit card number and billing address. The Online Retailer transmits an inquiry to the data inputted by the Consumer to the Credit Card Company using Public Key Infrastructure Advanced Encryption Standard (PKI AES) Encryption. PKI allows for the information to securely be sent from the Online Retailer to the Credit Card Company. Once the information is confirmed the Credit Card Company then sends, using Secure Hash Algorithm (SHA-256 hash), a randomly generated eight-digit number to the Online Retailer, and using PKI the same eight digit OTP token to the Consumer's credit account smart phone application. The Consumer logs into their application, to view the eight-digit code, and inputs the code where prompted on the Online Retailer’s website. Next, the Online Retailer then hashes the inputted code using SHA-256. If the hashed code entered by the Consumer matches the hashed code provided to the Online Retailer from the Credit Card Company, the Online Retailer finalizes the purchase. In the case that a fraudulent purchase is attempted with a credit card that has the SOTA, the perpetrator would able to start to make a purchase, however would not have access to the OTP and without the OTP the perpetrator could not validate the purchase. Like with anything, there is always the possibility of “human error.” The Consumer might accidently enter the code wrong. However, if the code is input incorrectly to many times the proposed algorithm allows the Credit Card Company, can then react as they deem necessary in order to protect their cardholders. Implementing Two-Factor Authentication and One-Time Passwords together can allow for a credit card purchases receive the strong security measure. For a break down this method of security, please refer to Figure 1 and Figure 2 for visual guidance.

Figure 1. Break Down of Packet Messaging Scheme



Joseph Gualdoni et al. / Procedia Computer Science 114 (2017) 93–99 Rizvi / Procedia Computer Science 00 (2017) 000–000

97

Figure 2. Pass or Fail Verification of Random Number

In order to guarantee the safety of individuals who are looking to make a purchase online, it is imperative to secure the lines of communication between the Consumer, Online Retailer, and the Credit Card Company. This is especially true when transmitting banking information, or credit card information. If you transmit these in plain text, then anyone who wishes to see your data can easily do so with free software. If it is hashed, then individuals attempting to view your data cannot. Now, the method of making online purchases provides no way for consumer authentication. Without securing communication, authentication would be rendered obsolete. There are a variety of different ways to achieve secure messages. Public Key Infrastructure AES encrypts data using two keys, a secret key and a public key. Both parties must have individual private and public keys. Another method that could be utilized to secure information is Hash Algorithm. Hash Algorithms are different from standard encryption. Unlike encryption, you cannot revert the hashed message back to its original text form. When a piece of data is hashed, an algorithm is used to hash it. The form of hashing we plan on utilizing is SHA-256. This means that the algorithm used would turn the message into a 256-bit hash. To use SHA-256 one could hash their data, and match the hashes to make sure it is the same piece of data. This is so that the code would never be seen and the chance of an attacker viewing it in time to be virtually nonexistent. With our proposed algorithm, we hope to provide confidentiality, integrity and availability. The proposed methodology utilizes Public Key Infrastructure AES along with SHA-256 to communicate between the Consumer, Credit Card Company, and Online Retailer. The setup between the three is the most secure method of communication. The proposed method would provide a balance between security, and convenience. SHA-256 can provide a secure method for transmitting the random code to the Consumer, and to the Online Retailer from the Credit Card Company. Refer to Figure 3 for a visual breakdown of the encryption method used in the proposed method. Using SHA-256 is an effective way to concealing information, while providing integrity to the information. If one bit is changed while in transit, then the hashed data would not match the other hashed data. Thus, making it unable to authenticate the user and not allow the purchase to be successful. 4. Types of Attacks The most common form of attack used to gain personal information is social engineering [2]. A waiter or waitress stealing credit card information is one way an identity thief can use social engineering to gain access to your credit card information. Skimming credit cards is another form of attack that can be used by identity thieves.

98

Joseph Gualdoni et al. / Procedia Computer Science 114 (2017) 93–99 Rizvi / Procedia Computer Science 00 (2017) 000–000

Figure 3. Encryption and Hashing Algorithm Used

Card information can be digitally copied using a device, a credit card skimmer, used to cover the original swiping device on a point of sale [6]. These devices store the credit card information so an attacker can retrieve the information after a transaction has occurred. A social engineering attack can be used along with phishing to call a consumer’s phone to ask questions about personal information pretending to be a company that needs it. The individual simply trusts the attacker and provides the information they request. 4.1. Attack Model The SOTA could defend against multiple different types of common attacks as well as multi-stage attacks. The SOTA contributes to all of the CIA (Confidentiality, Integrity, and Availability) aspects needed to secure a system of networks. The PKI AES encryption, keeps data secure by contributing to both confidentiality, and the integrity of the data which is being transmitted. Giving the consumer a way to log into the smartphone application gives users availability to utilize the proposed algorithm all while keeping the sensitive information encrypted. Attackers could attempt to probe and eavesdrop the model, but in every case, either be blocked by encryption, Secure Hash Algorithm (SHA-256), or need for authentication by the card account holder. 4.2. Parallel Multiple Attacks This scenario, Figure 4, assumes an attacker already has gained the Consumer’s username and password to the smartphone application. The attacker then tries to register as the Consumer on his or her own smartphone. The countermeasure in this scenario is when an application is registered to a smartphone, personal information needs to be given in order to register it. If the individual registering the application already has an account registered to a smartphone, another level of clearance needs to be provided. A call will be made to the already registered account number and verbal permission will be required in order to register the application to a different smartphone. Only one device can have the registered account. This countermeasure is important for a variety of reasons; keeping track of the account and the device that the application is registered with is paramount. The Financial Credit Company shall have a sufficient policy to enforce this. The ability to prevent others from registering the application on different devices for the same user will prevent attackers from being able to access the smartphone application and retrieving the secure code to facilitate purchases on the Consumer’s credit card. This scenario protects Consumers who may have their username and password intercepted through social engineering means. If the credentials are compromised, then the attacker would need to steal the Consumer’s smartphone to access the registered application. This layer of security makes it more difficult for an attacker to recover authentication credentials to complete fraudulent charges on a stolen credit card account.



Joseph Gualdoni et al. / Procedia Computer Science 114 (2017) 93–99 Rizvi / Procedia Computer Science 00 (2017) 000–000

99

Figure 4. Secondary authentication attack

5. Conclusion The Secure Online Transaction Algorithm (SOTA) would benefit not only the account holders but also the credit card companies. Our model works by using two-factor authentications and a random code that the consumer would be generated and supplied on an application. Credit card companies, users, and providers would need to be utilizing our scheme to so that the scheme to work properly. Our proposed algorithm creates an extra layer of security that would prevent hackers from possibly destroying someone both financially and mentally. The model itself would cost credit card companies some money in order to implement it. However, would be worth it to the credit card companies to save both time and possibly money in the long run. This process can be used by anyone who has a device that can use an application. The Secure Online Transaction Algorithm creates a new level of security that has not been implemented into credit cards yet. This algorithm could instrumental in reducing the number of fraudulent purchases made with stolen credit cards. References 1. A. Yadva, “Design and Analysis of Digital True Random Number Generator,” in Background of Random Number Generator, Virginia: Richmond, 2013. 2. E. Harrell, “Victims of Identity Theft 2014,” U.S. Department of Justice, Office of Justice Programs, North Carolina, 2015, pp.1-25. 3. G.C. Anup, “Credit Card Security,” Finland: Rovaniemen University, 2013. 4. A. Hedayati, "An Analysis of Identity Theft: Motives, Related Frauds, Techniques and Prevention." Journal of Law and Conflict Resolution Vol. 4(1), pp. 1-12, January 2012. 5. V. L. Reddy and T. Anusha. Combine use of steganography and visual cryptography for online payment system. International Journal of Computer Applications 124(6), 2015. 6. B. R. Williams, A. A. Chuvakin, and D. Milroy, PCI compliance: understand and implement effective PCI data security standard compliance, third edition. Waltham: Syngress, 2012. 7. C. Hadnagy and P. Wilson, Social engineering: the art of human hacking. Hoboken, N.J: Wiley, 2011. 8. Bhusari, V., and S. Patil. "Study of Hidden Markov Model in Credit Card Fraudulent Detection." International Journal of Computer Applications, (0975 –8887), Volume 20–No.5, April 2011.