The rapid growth of the internet and the world wide web in recent years has created an interesting phenomenon in e-commerce: buyers gain the convenience of a ubiquitous marketplace and merchants are spared the cost of brick-and-mortar investment, but fraudsters gain an anonymous, low-risk avenue for theft and other crime on the internet.
Information security has become a critical requirement in e-commerce as the perception of risk and threat continues to strengthen. The requirement is not only to protect the confidentiality and integrity of sensitive information; authenticating the cardholder and verifying their identity during an internet card payment is also a crucial necessity, and a major problem, because the authentication that card issuers demand before authorising a card-not-present transaction is insufficient and flawed. On the positive side (from the customer's viewpoint), card issuers are generally good about responding to challenges and giving refunds, but it would be better for all concerned if the number of fraudulent card-not-present transactions could be reduced (Walton, 2005, p. 4).
An e-commerce transaction uses the internet as its corner-stone and source of strength, yet there is a perception that paying by card over the internet is risky and afflicted by information-security weaknesses that lead to loss of credibility, identity theft and impersonation. The basic requirement for a successful card payment over the internet is the submission of card and personal information, mainly static pass-codes and IDs, to the payment processor for authentication and authorisation. If the submitted card information is correct, authentication succeeds regardless of whether it was provided by the legitimate cardholder or not.
The introduction of Chip and PIN in the United Kingdom to secure card payment at the point of sale has been a major investment and a success story for retailers and the card industry, but its protection does not extend to payments where the card is not present at the point of sale. Fraud has consequently concentrated on this vacuum (Hunter, 2004, p. 4), exploiting the anonymity and flexibility of the channel to make fraudulent card payments on the internet with stolen card information.
Verifying that card information submitted over the internet comes from the legitimate cardholder remains the authentication goal, and a huge problem, for every merchant accepting card payments online. Such transactions rely on the card information alone, whereas a face-to-face payment combines the physical card (something you have) with the PIN (something you know) to authenticate the transaction.
Crime can never be defeated, only managed, and management can mean merely diverting criminal techniques from one channel to another for a variety of reasons, including flexibility, benefit and risk level (Hunter, 2006, p. 14).
Card-not-present fraud evolves with e-commerce. The flexibility and ubiquity that let buyers purchase remotely from anywhere also invite negligence, aided by simplified technologies that are in some cases turned against their purpose to facilitate card-not-present fraud in ways that were impossible or difficult in the early years of e-commerce; the result is that card-not-present fraud has become the largest category of fraud on UK-issued cards. As technology advances, almost every new technology brings benefits together with attached risks, and for every technology there is a counter-technology, making it a double-edged tool that solves one problem and creates another.
Academic research attributes card-not-present fraud to the static nature of the payment method: the same data is used over and over again, so it is vulnerable to phishing and other identity-theft techniques.
Some Vulnerabilities in Card-Not-Present Solutions
- Verified by Visa and MasterCard SecureCode (both built on the 3-D Secure protocol) promise an additional level of authentication using a personal code or password agreed with the card issuer. However, as with any static username and password, these can be compromised by fraudsters using phishing or other identity-theft techniques. Furthermore, 3-D Secure treats enrolment as optional: if the card processor or the cardholder is not enrolled in the programme, the 3-D Secure step simply does not occur in the transaction.
- Card Verification Value 2 (CVV2) and Address Verification Service (AVS): the card schemes introduced CVV2 and AVS as additional parameters to fortify cardholder verification. CVV2 checks the three-digit code printed on the signature strip of the card (four digits, printed on the front, for American Express); AVS checks the billing address of the card by extracting the numeric characters of the address and postcode and comparing them with the issuer's record. Both values are static and reused for every purchase. All the parameters of a card-not-present transaction, including the security code and the billing address, are transmitted to and handled by the merchant's or processor's server, and a vulnerability in that system can give fraudsters unauthorised access (PCI DSS forbids storing the security code after authorisation, a rule that breach investigations show is not always followed). Bogus merchants can also sell card information to fraudsters, or use phishing to have cardholders willingly submit their card details.
- Rule-based and neural-network solutions analyse transactions in real time against a rule set and produce a score estimating the level of risk associated with the transaction. The system looks at the history of the card, its spending pattern and the number of chargebacks associated with it, and compares the country of the IP address from which the order originated with the country of the billing address. A card with a United Kingdom billing address that is stolen and used by a fraudster in the USA will be reported as used outside its home country, a signal of possible fraud. On the other hand, stolen card information used within the cardholder's usual spending pattern will score well, and stolen information used from inside the same country will also score well because the IP address shows the home country. Matching the billing address to the delivery address does not work for digital goods delivered online by email or download link after the order. And legitimate cardholders may be unable to use their card abroad, or after their spending pattern changes because of a change in income.
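The AVS numeric comparison and the rule-based scoring described in the two items above, as an added example that is not code from the original article, from Paymenex or from any card scheme. Field names, rule weights, decision thresholds and the sample transactions are assumptions constructed for illustration; the scenarios reproduce the strengths and blind spots the text describes (a UK card used from a US address is flagged, the same details used domestically for a download are not, and a travelling cardholder looks identical to the first case).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed example (not Paymenex code or any scheme's reference rules):
# field names, weights and sample transactions below are assumptions.


def avs_digits(text: str) -> str:
    """AVS compares only the numeric characters of an address line or postcode."""
    return re.sub(r"\D", "", text)


def avs_match(on_file_address: str, on_file_postcode: str,
              given_address: str, given_postcode: str) -> bool:
    """True when the numeric parts of address and postcode agree, as AVS does.
    Note the weakness: '12 Low Road, SW1B 1AB' matches '12 High Street, SW1A 1AA'."""
    return (avs_digits(on_file_address) == avs_digits(given_address)
            and avs_digits(on_file_postcode) == avs_digits(given_postcode))


@dataclass
class CardHistory:
    avg_order: float      # assumed: mean value of previous orders on this card
    chargebacks: int      # assumed: chargebacks recorded against this card


@dataclass
class Transaction:
    amount: float
    billing_country: str
    ip_country: str
    billing_address: str      # issuer's record
    billing_postcode: str
    given_address: str        # what the buyer typed at checkout
    given_postcode: str
    cvv2_ok: bool             # result of the issuer's CVV2 check
    digital_goods: bool = False
    delivery_address: Optional[str] = None
    delivery_postcode: Optional[str] = None


# Assumed weights; a production system tunes these from chargeback data.
W_IP_COUNTRY = 40
W_AVS_FAIL = 30
W_CVV2_FAIL = 30
W_CHARGEBACK = 20
W_CHARGEBACK_CAP = 40
W_SPEND_SPIKE = 25
W_SHIP_ELSEWHERE = 15


def score_transaction(tx: Transaction, hist: CardHistory) -> tuple[int, list[str]]:
    """Return a 0-100 risk score and the list of rules that fired."""
    score, reasons = 0, []
    if tx.ip_country != tx.billing_country:
        score += W_IP_COUNTRY
        reasons.append(f"order IP in {tx.ip_country}, card billed in {tx.billing_country}")
    if not avs_match(tx.billing_address, tx.billing_postcode,
                     tx.given_address, tx.given_postcode):
        score += W_AVS_FAIL
        reasons.append("AVS mismatch")
    if not tx.cvv2_ok:
        score += W_CVV2_FAIL
        reasons.append("CVV2 mismatch")
    if hist.chargebacks:
        score += min(W_CHARGEBACK * hist.chargebacks, W_CHARGEBACK_CAP)
        reasons.append(f"{hist.chargebacks} prior chargeback(s)")
    if hist.avg_order and tx.amount > 3 * hist.avg_order:
        score += W_SPEND_SPIKE
        reasons.append(f"amount {tx.amount} exceeds 3x average order {hist.avg_order}")
    # Billing-vs-delivery comparison is meaningless for digital goods.
    if not tx.digital_goods and tx.delivery_address is not None:
        if not avs_match(tx.billing_address, tx.billing_postcode,
                         tx.delivery_address, tx.delivery_postcode or ""):
            score += W_SHIP_ELSEWHERE
            reasons.append("delivery address differs from billing address")
    return min(score, 100), reasons


def decision(score: int) -> str:
    return "decline" if score >= 60 else "review" if score >= 30 else "accept"


def demo() -> dict[str, tuple[int, str]]:
    """Constructed scenarios showing what the rules catch and what they miss."""
    hist = CardHistory(avg_order=60.0, chargebacks=0)
    base = dict(billing_country="GB", billing_address="12 High Street",
                billing_postcode="SW1A 1AA", given_address="12 High Street",
                given_postcode="SW1A 1AA", cvv2_ok=True)
    cases = {
        # Stolen UK card details used from a US IP address: the country rule fires.
        "stolen_abroad": (Transaction(amount=80, ip_country="US", **base), hist),
        # Same stolen details used from inside the UK for a download: nothing fires.
        "stolen_domestic_digital": (Transaction(amount=55, ip_country="GB",
                                                digital_goods=True, **base), hist),
        # Legitimate cardholder ordering while travelling: same signal as the
        # first case, so a false positive.
        "legit_travelling": (Transaction(amount=50, ip_country="FR", **base), hist),
        # Domestic misuse shipped elsewhere, large order, card with a chargeback.
        "stolen_domestic_reshipped": (
            Transaction(amount=300, ip_country="GB", delivery_address="7 Other Road",
                        delivery_postcode="E1 6AN", **base),
            CardHistory(avg_order=60.0, chargebacks=1)),
    }
    out = {}
    for name, (tx, h) in cases.items():
        s, _ = score_transaction(tx, h)
        out[name] = (s, decision(s))
    return out


if __name__ == "__main__":
    for name, (s, d) in demo().items():
        print(f"{name:28s} score={s:3d} -> {d}")
```

Running the block prints one line per scenario. The first and third scenarios receive the same score, which is the point the text makes about geography rules: the IP-country check cannot tell a stolen card used abroad from a genuine cardholder on holiday, while the second scenario shows a domestic fraudster with correct static data passing untouched.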
The need and justification for alternative solution
If e-commerce is to take off, merchants need reassurance that the people they do business with really are who they say they are; if consumers are to feel comfortable with e-commerce, they need reassurance that their card details are not being used by thieves to make purchases on the internet in their name; and card issuers need to know that they are not being trapped into carrying a new and growing burden of fraud losses (Card Technology Today, 2002, p. 11).
Paymenex: A Realistic Solution for Card-not-Present Fraud.
To cut off the influence of phishing on card-not-present transactions, the card schemes should rethink their approach. Introducing dynamism into authentication, so that each transaction is unique, would greatly reduce the fraud arising from card-not-present transactions. Review has shown that new solutions are starting to pave the way for dynamic online authentication during card-not-present transactions. One example is the 3W Sentry Card Security Solution introduced by Paymenex Inc., operator of the Paymenex™ TransNET, which its members use to deliver the Paymenex range of cards and D-Voucher to their customers. Paymenex TransNET is an all-in-one payment and financial transaction network with a three-tier card security scheme that provides a secure and reliable global network for processing financial transactions.
It offers a range of value-added services, which include:
- Credit Card, Debit Card, Store Value Card, MSB Card, DCA Card, D-Voucher.
- Solutions for acquirers, card issuers and payment service providers.
- Gift card, incentive, points and reward programme providers, money transmitters, bill-pay and debt collection providers.
- Store-value and e-voucher providers.
- Commercial and business customers who require an efficient and secure financial processing platform.
Paymenex is a product of academic research, following a professional doctoral research programme at two top UK universities. Paymenex Card Security applies dynamism to CNP transactions, making each transaction unique, and cardholders do not need to enter any personal information to pay online. These protections apply across the whole range of card products: credit and debit cards, D-Voucher, the MSB Card for money service businesses and the DCA Card for bill payment management.
Walton, R. (2005) ‘Low-cost assurance for B2C E-commerce’, Computer Fraud & Security, 2005 (10), pp. 4-6.
Card Technology Today. (2002) ‘Card not present fraud’, Card Technology Today, 14 (7-8), pp. 11-13.
Hunter, P. (2004) ‘Chip and PIN – biggest UK retail project since decimalisation, but not enough on its own to defeat card fraud’, Computer Fraud & Security, 2004 (5), pp. 4-5.
Hunter, P. (2006) ‘Relentless pace of Internet trade in stolen credit card details continues’, Computer Fraud & Security, 2006 (2), pp. 14-16.
Note for students: please reference this article appropriately; it is an academic research article.
Engr. Kingsley Chibuzor Aguoru BA(Hons) MSc FBCS CITP CEng MIET MIEEE CNP is a dynamic and highly accomplished UK Chartered Engineer of the Engineering Council UK, a Chartered IT Professional Fellow of the British Computer Society UK, and an IT leader with an outstanding record of success in providing information technology solution development and management to companies. He has expertise in developing and implementing information security solutions across a broad spectrum of industries: information technology, communications, manufacturing, engineering, healthcare, banking, retail and others. He has over 10 years of experience in the information technology industry, especially financial services IT infrastructure, with more than 8 years specialising in security solutions for payment cards. His areas of interest and responsibility focus on the authentication and authorisation facets of banking, e-commerce and e-business security technologies, including transactions involving Financial Electronic Data Interchange (FEDI) and other types of electronic payment (e-money, digital money, e-vouchers) and the management of the associated fraud techniques.
1. Doctor of Information Security (IP) – University of East London-UK.
2. MSc in Information Technology (Information Security Major)- University of Liverpool- UK
3. BA(Hons) Business Computing – University of Teesside- UK
Listed in Marquis World Who’s Who in Science & Engineering
Listed in Marquis World Who’s Who in America
Listed in Marquis World Who’s Who in the World.