Abstract
Disposable credit card numbers are a recent approach to the problem of credit card fraud, which keeps growing, especially in e-commerce payments. When no secure communication channel between cardholder and issuer can be relied upon, one option is to have both parties generate fresh numbers from a shared secret according to a common scheme. For the approach to be meaningful in practice, however, the solution should guarantee backward compatibility with the current payment system, require no new investment in dedicated hardware, be usable across a wide spectrum of devices, and offer an adequate level of security. In this paper we propose a solution based on standard mobile phones that fully meets these desiderata. Importantly, our solution does not require any cryptographic support and therefore does not depend on PDAs or smart phones, which opens it to a wider potential market.
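The abstract fixes the shape of the problem without giving the paper's generator: cardholder and issuer share a secret, each presentation uses a fresh number derived from it, and the result must still look like a card number to the existing processing chain (issuer prefix preserved, Luhn check digit correct [30]). The following Python is an added worked example of that framing and is not the authors' scheme: it uses HMAC-SHA256 as a generic keyed stand-in for the number generator (the paper explicitly avoids cryptographic support, so this choice is an assumption of the example, not a claim about the paper), a counter as the per-transaction input, and an issuer-side look-ahead window so that a skipped or lost number does not desynchronise the two sides. The secret and BIN prefix are constructed sample values.

```python
"""Illustrative disposable-card-number derivation (added example, not the paper's scheme).

Both the cardholder's phone and the issuer hold the same secret and a counter;
each presentation uses a fresh counter value, so a derived number is valid once.
Backward compatibility with existing processing is kept by preserving the
issuer prefix (BIN) and appending a correct Luhn check digit.
"""
import hmac
import hashlib
from typing import Optional


def luhn_check_digit(payload: str) -> str:
    """Return the digit d such that payload + d passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Standard Luhn validation over the full number, check digit included."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def derive_disposable_number(secret: bytes, counter: int,
                             bin_prefix: str = "411111", length: int = 16) -> str:
    """Derive a one-time card number from (secret, counter).

    HMAC-SHA256 is an assumed stand-in keyed generator, not the paper's construction.
    The body digits are the MAC reduced modulo 10**n; with a 256-bit MAC the bias of
    that reduction is negligible.
    """
    n = length - len(bin_prefix) - 1  # digits between the BIN and the check digit
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    body = str(int.from_bytes(mac, "big") % 10 ** n).zfill(n)
    payload = bin_prefix + body
    return payload + luhn_check_digit(payload)


def issuer_verify(secret: bytes, presented: str, last_counter: int,
                  window: int = 5, **kw) -> Optional[int]:
    """Issuer-side check: recompute candidates for counters last_counter+1 .. last_counter+window.

    Returns the matched counter, which the issuer must store as the new last_counter
    (that update is what makes the number disposable), or None if nothing matches.
    Counters <= last_counter are never tried, so a replayed number is rejected.
    """
    if not luhn_valid(presented):
        return None
    for c in range(last_counter + 1, last_counter + window + 1):
        candidate = derive_disposable_number(secret, c, **kw)
        if hmac.compare_digest(candidate.encode(), presented.encode()):
            return c
    return None


if __name__ == "__main__":
    secret = b"constructed-demo-shared-secret"  # constructed sample value, not a real key
    last = 0
    for c in (1, 2, 3):
        num = derive_disposable_number(secret, c)
        matched = issuer_verify(secret, num, last)
        print(num, "accepted at counter", matched)
        last = matched
    # Presenting the number for counter 2 again must fail once the issuer is at 3.
    print("replay accepted?", issuer_verify(secret, derive_disposable_number(secret, 2), last))
```

Two points the example makes concrete: the security of the number rests entirely on the generator and the secret, since a merchant or eavesdropper who sees one number gains nothing usable if the next one is unpredictable; and the issuer's stored counter, not the number format, is what enforces single use, so the look-ahead window is a direct trade-off between tolerance for skipped numbers and the number of guesses an attacker gets per presentation.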
References
Borisov, N., Goldberg, I., & Wagner, D. (2001). Intercepting mobile communications: the insecurity of 802.11. In MobiCom’01: Proceedings of the 7th annual international conference on Mobile computing and networking (pp. 180–189). New York: ACM.
Buccafurri, F., & Lax, G. (2008). A light number-generation scheme for feasible and secure credit-card-payment solutions. In Proc. of the international conference on electronic commerce and web technologies (EC-Web 2008) (pp. 11–20).
Buccafurri, F., & Lax, G. (2010). A lightweight authentication protocol for web applications in mobile environments. In Emergent web intelligence: advanced information retrieval (pp. 371–391). Berlin: Springer.
Bundesamt für Sicherheit in der Informationstechnik, http://www.bsi.de/english/index.htm.
Chen, R. C., Chen, T. S., & Lin, C. C. (2006). A new binary support vector system for increasing detection rate of credit card fraud. International Journal of Pattern Recognition and Artificial Intelligence (IJPRAI), 20(2), 227–239.
Debbabi, M., Saleh, M., Talhi, C., & Zhioua, S. (2006). Security evaluation of J2ME CLDC embedded Java platform. Journal of Object Technology, 5.
Dodge, Y. (1996). A natural random number generator. International Statistical Review, 64(3), 329–343.
Dynamic passcode authentication, http://www.visaeurope.com.
ECMA (1992). ECMA-182: data interchange on 12.7 mm 48-track magnetic tape cartridges—DLT1 format. http://www.ecma.ch/ecma1/STAND/ECMA-182.HTM.
Estévez, P. A., Held, C. M., & Perez, C. A. (2006). Subscription fraud prevention in telecommunications using fuzzy rules and neural networks. Expert Systems With Applications, 31(2), 337–344.
Functionality classes and evaluation methodology for deterministic random number generators (AIS 20, version 2.0, 2 December 1999). http://www.bsi.de/zertifiz/zert/interpr/ais20e.pdf.
Gao, J., Fan, W., Han, J., & Yu, P. S. (2007). A general framework for mining concept-drifting data streams with skewed distributions. In Seventh SIAM international conference on data mining.
González, C. M., Larrondo, H. A., & Rosso, O. A. (2005). Statistical complexity measure of pseudorandom bit generators. Physica A: Statistical Mechanics and Its Applications, 354, 281–300.
Haller, N. (1994). The s/key one-time password system. In Proceedings of the ISOC symposium on network and distributed system security (pp. 151–157).
Haller, N., Metz, C., Nesser, P., & Straw, M. (1998). A one-time password system. RFC 2289 (February 1998).
Hand, D. J., Whitrow, C., Adams, N. M., Juszczak, P., & Weston, D. (2008). Performance criteria for plastic card fraud detection tools. The Journal of the Operational Research Society, 59, 956–962.
Hill, J. R. (1979). A table driven approach to cyclic redundancy check calculations. SIGCOMM Computer Communication Review, 9(2), 40–60.
ISO/IEC Standard 7811-6 (2001). Identification cards-recording technique-part 6: magnetic stripe-high coercivity. http://www.iso.org.
Itani, W., & Kayssi, A. (2004). J2ME application-layer end-to-end security for m-commerce. Journal of Network and Computer Applications, 27(1), 13–32.
Kahn, C. M., & Roberds, W. (2008). Credit and identity theft. Journal of Monetary Economics, 55(2), 251–264.
Kou, Y., Lu, C. T., Sirwongwattana, S., & Huang, Y. P. (2004). Survey of fraud detection techniques. In 2004 IEEE international conference on networking, sensing and control (pp. 749–754).
Koza, J. R. (1991). Evolving a computer program to generate random numbers using the genetic programming paradigm. In Proceedings of the fourth international conference on genetic algorithms (pp. 37–44).
Lamport, L. (1981). Password authentication with insecure communication. Communications of the ACM, 24(11), 770–772.
Li, Y., & Zhang, X. (2004). A security-enhanced one-time payment scheme for credit card. In RIDE’04: Proceedings of the 14th international workshop on research issues on data engineering: web services for e-commerce and e-government applications (RIDE’04) (pp. 40–47). Los Alamitos: IEEE Comput. Soc.
Li, Y., & Zhang, X. (2005). Securing credit card transactions with one-time payment scheme. Electronic Commerce Research and Applications, 4, 413–426.
Luhn, H. P. (1960). Computer for verifying numbers. US Patent 2,950,048 (August 23, 1960).
Madhavapeddy, A., & Tse, A. (2005). A study of bluetooth propagation using accurate indoor location mapping. UbiComp 2005: Ubiquitous Computing (pp. 105–122).
Maurer, U. M. (1991). A universal statistical test for random bit generators. In CRYPTO’90: proceedings of the 10th annual international cryptology conference on advances in cryptology (pp. 409–420). Berlin: Springer.
Meacham, J. D. (2008). Credit card fraud: how big is the problem? Practical eCommerce.
Nakanishi, Y., Kumazawa, S., Tsuji, T., & Hakozaki, K. (2003). iCAMS2: developing a mobile communication tool using location information and schedule information with J2ME. In Mobile HCI (pp. 400–404).
National Institute of Standards and Technology (1999). Federal Information Processing Standards Publication, Washington.
Park, N. J., & Song, Y. J. (2001). M-Commerce security platform based on WTLS and J2ME. In Industrial electronics, 2001. Proceedings. ISIE 2001. IEEE international symposium (pp. 1775–1780). Berlin: Springer.
Paypal, http://www.paypal.com.
Phua, C., Lee, V., Smith, K., & Gayler, R. (2005). A comprehensive survey of data mining-based fraud detection research. Artificial Intelligence Review.
Private Payments, http://www10.americanexpress.com.
Rubin, A., & Wright, N. (2001). Off-line generation of limited-use credit card numbers. In Proceedings of the fifth international conference on financial cryptography (pp. 165–175).
Seredynski, F., Bouvry, P., & Zomaya, A. Y. (2004). Cellular automata computations and secret key cryptography. Parallel Computing, 30(5–6), 753–766. doi:10.1016/j.parco.2003.12.014.
SET Secure Electronic Transaction LLC, http://www.setco.org.
Shelfer, K. M., & Procaccino, J. D. (2002). Smart card evolution. Communications of the ACM, 45(7), 83–88.
Singh, A., & dos Santos, A. L. M. (2002). Grammar based off line generation of disposable credit card numbers. In SAC’02: proceedings of the 2002 ACM symposium on applied computing (pp. 221–228).
Singh, A., & dos Santos, A. L. M. (2004). Context free grammar for the generation of one time authentication identity. In FLAIRS conference.
Stubblefield, A., Ioannidis, J., & Rubin, A. D. (2004). A key recovery attack on the 802.11b wired equivalent privacy protocol (wep). ACM Transactions on Information and System Security, 7(2), 319–332.
Sullivan, R. J. (2008). Can smart cards reduce payments fraud and identity theft? Economic Review (Q III), 35–62. http://ideas.repec.org/a/fip/fedker/y2008iqiiip35-62nv.93no.3.html.
Sun Java Wireless Toolkit for CLDC, http://java.sun.com/products/sjwtoolkit.
Wang, A. I., Norum, M. S., & Lund, C. H. W. (2006). Issues related to development of wireless peer-to-peer games in J2ME. In AICT-ICIW’06: Proceedings of the advanced int’l conference on telecommunications and int’l conference on internet and web applications and services (p. 115). Los Alamitos: IEEE Comput. Soc.
Xiao, H., Christianson, B., & Zhang, Y. (2008). A purchase protocol with live cardholder authentication for online credit card payment. In ISIAS’08. Fourth international conference on information assurance and security (pp. 15–20).
Yalcin, M. E., Suykens, J. A. K., & Vandewalle, J. (2004). True random bit generation from a double scroll attractor. IEEE Transactions on Circuits and Systems, 51(7), 1395–1404.
Additional information
A shorter abridged version of this paper appeared in Proceedings of the 9th International Conference on E-Commerce and Web Technologies, Giuseppe Psaila, Roland Wagner (Eds.): EC-Web 2008, Turin, Italy, September 3–4, 2008. Lecture Notes in Computer Science 5183, Springer, 2008 [2].
Cite this article
Buccafurri, F., Lax, G. Implementing disposable credit card numbers by mobile phones. Electron Commer Res 11, 271–296 (2011). https://doi.org/10.1007/s10660-011-9078-0