
Implementing disposable credit card numbers by mobile phones

Journal: Electronic Commerce Research

Abstract

Disposable credit card numbers are a recent approach to tackling the severe and constantly growing problem of credit card fraud, especially in the context of e-commerce payments. Whenever we cannot rely on a secure communication channel between cardholder and issuer, one possibility is to generate new numbers on the basis of a common scheme, starting from shared secret information. However, for the approach to be meaningful from a practical point of view, the solution should guarantee backward compatibility with the current system, require no new investment in dedicated hardware, offer wide-spectrum usability, and provide an adequate security level. In this paper, we propose a solution based on the use of standard mobile phones that fully meets the above desiderata. Importantly, our solution does not require any cryptographic support and, as a consequence, does not require PDAs or smart phones, thus opening its usability to a wider potential market.
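To make the two design constraints in the abstract concrete, here is an added illustration of a counter-based disposable number scheme; it is not the authors' scheme and not code from the paper. The paper explicitly avoids cryptographic support, whereas this sketch assumes HMAC-SHA256 as the derivation function purely for clarity; the issuer prefix, the shared secret and the acceptance window are constructed values. What it shows is the backward-compatibility requirement (each generated number is a 16-digit, Luhn-valid number carrying the issuer's own prefix, so legacy merchant and network checks pass unchanged) and the single-use property (the issuer regenerates the expected numbers from the shared secret, accepts each one once, and rejects replays and out-of-window counters).

```python
"""Counter-based disposable card numbers derived from a shared secret.

Added example (not the paper's scheme): the cardholder's phone and the issuer
share a secret and a counter; each transaction uses a fresh, Luhn-valid
16-digit number derived from them. HMAC-SHA256 is an assumption made here
for clarity; the paper's own construction avoids cryptographic primitives.
"""
import hashlib
import hmac

ISSUER_PREFIX = "400000"  # constructed 6-digit issuer prefix, not a real BIN


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit that makes `partial + digit` valid.

    Counting from the right of the full number, every second digit is doubled;
    since the check digit will be appended, the rightmost digit of `partial`
    is the first one doubled.
    """
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Legacy check every merchant/network already performs on a card number."""
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def disposable_pan(shared_secret: bytes, counter: int,
                   prefix: str = ISSUER_PREFIX) -> str:
    """Derive the `counter`-th disposable number from the shared secret.

    Layout: prefix + derived body + Luhn check digit = 16 digits, so the
    result is indistinguishable from a conventional card number.
    """
    body_len = 15 - len(prefix)
    mac = hmac.new(shared_secret, counter.to_bytes(8, "big"),
                   hashlib.sha256).digest()
    # Take the low-order decimal digits of the MAC as the body (assumed mapping).
    body = str(int.from_bytes(mac, "big")).zfill(body_len)[-body_len:]
    partial = prefix + body
    return partial + luhn_check_digit(partial)


class Issuer:
    """Issuer-side verifier: regenerates expected numbers, enforces single use."""

    def __init__(self, shared_secret: bytes, window: int = 5):
        self.secret = shared_secret
        self.window = window        # tolerate a few unused/lost numbers
        self.next_counter = 0       # lowest counter value still acceptable
        self.used = set()           # numbers already spent (replay defence)

    def authorize(self, pan: str) -> bool:
        # Legacy checks first: a malformed number never reaches the scheme.
        if not luhn_valid(pan) or not pan.startswith(ISSUER_PREFIX):
            return False
        if pan in self.used:
            return False            # replay of a disposable number
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(disposable_pan(self.secret, c), pan):
                self.used.add(pan)
                self.next_counter = c + 1   # older counters are now dead
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # provisioned out of band
    issuer = Issuer(secret)
    first = disposable_pan(secret, 0)        # what the phone would display
    print(first, luhn_valid(first), issuer.authorize(first), issuer.authorize(first))
```

Skipping ahead in the counter is allowed only inside the window, and accepting a number moves the window past it, so an eavesdropped number is useless once spent and an older unused one expires as soon as a newer one is accepted.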


References

  1. Borisov, N., Goldberg, I., & Wagner, D. (2001). Intercepting mobile communications: the insecurity of 802.11. In MobiCom’01: Proceedings of the 7th annual international conference on Mobile computing and networking (pp. 180–189). New York: ACM.

  2. Buccafurri, F., & Lax, G. (2008). A light number-generation scheme for feasible and secure credit-card-payment solutions. In Proc. of the international conference on electronic commerce and web technologies (EC-Web 2008) (pp. 11–20).

  3. Buccafurri, F., & Lax, G. (2010). A lightweight authentication protocol for web applications in mobile environments. In Emergent web intelligence: advanced information retrieval (pp. 371–391). Berlin: Springer.

  4. Bundesamt für Sicherheit in der Informationstechnik, http://www.bsi.de/english/index.htm.

  5. Chen, R. C., Chen, T. S., & Lin, C. C. (2006). A new binary support vector system for increasing detection rate of credit card fraud. International Journal of Pattern Recognition and Artificial Intelligence (IJPRAI), 20(2), 227–239.

  6. Debbabi, M., Saleh, M., Talhi, C., & Zhioua, S. (2006). Security evaluation of J2ME CLDC embedded Java platform. Journal of Object Technology, 5.

  7. Dodge, Y. (1996). A natural random number generator. International Statistical Review, 64(3), 329–343.

  8. Dynamic passcode authentication, http://www.visaeurope.com.

  9. ECMA (1992). ECMA-182: data interchange on 12.7 mm 48-track magnetic tape cartridges—DLT1 format. http://www.ecma.ch/ecma1/STAND/ECMA-182.HTM.

  10. Estévez, P. A., Held, C. M., & Perez, C. A. (2006). Subscription fraud prevention in telecommunications using fuzzy rules and neural networks. Expert Systems With Applications, 31(2), 337–344.

  11. Functionality classes and evaluation methodology for deterministic random number generators (AIS 20, version 2.0, 2 December 1999). http://www.bsi.de/zertifiz/zert/interpr/ais20e.pdf.

  12. Gao, J., Fan, W., Han, J., & Yu, P. S. (2007). A general framework for mining concept-drifting data streams with skewed distributions. In Seventh SIAM international conference on data mining.

  13. González, C. M., Larrondo, H. A., & Rosso, O. A. (2005). Statistical complexity measure of pseudorandom bit generators. Physica A: Statistical Mechanics and Its Applications, 354, 281–300.

  14. Haller, N. (1994). The S/KEY one-time password system. In Proceedings of the ISOC symposium on network and distributed system security (pp. 151–157).

  15. Haller, N., Metz, C., Nesser, P., & Straw, M. (1998). A one-time password system. RFC 2289 (February 1998).

  16. Hand, D. J., Whitrow, C., Adams, N. M., Juszczak, P., & Weston, D. (2008). Performance criteria for plastic card fraud detection tools. The Journal of the Operational Research Society, 59, 956–962.

  17. Hill, J. R. (1979). A table driven approach to cyclic redundancy check calculations. SIGCOMM Computer Communication Review, 9(2), 40–60.

  18. ISO/IEC Standard 7811-6 (2001). Identification cards—recording technique—part 6: magnetic stripe—high coercivity. http://www.iso.org.

  19. Itani, W., & Kayssi, A. (2004). J2ME application-layer end-to-end security for m-commerce. Journal of Network and Computer Applications, 27(1), 13–32.

  20. Kahn, C. M., & Roberds, W. (2008). Credit and identity theft. Journal of Monetary Economics, 55(2), 251–264.

  21. Kou, Y., Lu, C. T., Sirwongwattana, S., & Huang, Y. P. (2004). Survey of fraud detection techniques. In 2004 IEEE international conference on networking, sensing and control (pp. 749–754).

  22. Koza, J. R. (1991). Evolving a computer program to generate random numbers using the genetic programming paradigm. In Proceedings of the fourth international conference on genetic algorithms (pp. 37–44).

  23. Lamport, L. (1981). Password authentication with insecure communication. Communications of the ACM, 24(11), 770–772.

  24. Li, Y., & Zhang, X. (2004). A security-enhanced one-time payment scheme for credit card. In RIDE’04: Proceedings of the 14th international workshop on research issues on data engineering: web services for e-commerce and e-government applications (pp. 40–47). Los Alamitos: IEEE Comput. Soc.

  25. Li, Y., & Zhang, X. (2005). Securing credit card transactions with one-time payment scheme. Electronic Commerce Research and Applications, 4, 413–426.

  26. Luhn, H. P. (1960). Computer for verifying numbers. US Patent 2,950,048 (August 23, 1960).

  27. Madhavapeddy, A., & Tse, A. (2005). A study of Bluetooth propagation using accurate indoor location mapping. In UbiComp 2005: Ubiquitous Computing (pp. 105–122).

  28. Maurer, U. M. (1991). A universal statistical test for random bit generators. In CRYPTO’90: proceedings of the 10th annual international cryptology conference on advances in cryptology (pp. 409–420). Berlin: Springer.

  29. Meacham, J. D. (2008). Credit card fraud: how big is the problem? Practical eCommerce.

  30. Nakanishi, Y., Kumazawa, S., Tsuji, T., & Hakozaki, K. (2003). iCAMS2: developing a mobile communication tool using location information and schedule information with J2ME. In Mobile HCI (pp. 400–404).

  31. National Institute of Standards and Technology (1999). Federal Information Processing Standards Publication, Washington.

  32. Park, N. J., & Song, Y. J. (2001). M-Commerce security platform based on WTLS and J2ME. In Industrial electronics, 2001. Proceedings. ISIE 2001. IEEE international symposium (pp. 1775–1780). Berlin: Springer.

  33. PayPal, http://www.paypal.com.

  34. Phua, C., Lee, V., Smith, K., & Gayler, R. (2005). A comprehensive survey of data mining-based fraud detection research. Artificial Intelligence Review.

  35. Private Payments, http://www10.americanexpress.com.

  36. Rubin, A., & Wright, N. (2001). Off-line generation of limited-use credit card numbers. In Proceedings of the fifth international conference on financial cryptography (pp. 165–175).

  37. Seredynski, F., Bouvry, P., & Zomaya, A. Y. (2004). Cellular automata computations and secret key cryptography. Parallel Computing, 30(5–6), 753–766. doi:10.1016/j.parco.2003.12.014.

  38. SET Secure Electronic Transaction LLC, http://www.setco.org.

  39. Shelfer, K. M., & Procaccino, J. D. (2002). Smart card evolution. Communications of the ACM, 45(7), 83–88.

  40. Singh, A., & dos Santos, A. L. M. (2002). Grammar based off line generation of disposable credit card numbers. In SAC’02: proceedings of the 2002 ACM symposium on applied computing (pp. 221–228).

  41. Singh, A., & dos Santos, A. L. M. (2004). Context free grammar for the generation of one time authentication identity. In FLAIRS conference.

  42. Stubblefield, A., Ioannidis, J., & Rubin, A. D. (2004). A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP). ACM Transactions on Information and System Security, 7(2), 319–332.

  43. Sullivan, R. J. (2008). Can smart cards reduce payments fraud and identity theft? Economic Review (Q III), 35–62. http://ideas.repec.org/a/fip/fedker/y2008iqiiip35-62nv.93no.3.html.

  44. Sun Java Wireless Toolkit for CLDC, http://java.sun.com/products/sjwtoolkit.

  45. Wang, A. I., Norum, M. S., & Lund, C. H. W. (2006). Issues related to development of wireless peer-to-peer games in J2ME. In AICT-ICIW’06: Proceedings of the advanced int’l conference on telecommunications and int’l conference on internet and web applications and services (p. 115). Los Alamitos: IEEE Comput. Soc.

  46. Xiao, H., Christianson, B., & Zhang, Y. (2008). A purchase protocol with live cardholder authentication for online credit card payment. In ISIAS’08. Fourth international conference on information assurance and security (pp. 15–20).

  47. Yalcin, M. E., Suykens, J. A. K., & Vandewalle, J. (2004). True random bit generation from a double scroll attractor. IEEE Transactions on Circuits and Systems, 51(7), 1395–1404.


Author information

Corresponding author

Correspondence to Francesco Buccafurri.

Additional information

A shorter abridged version of this paper appeared in Proceedings of the 9th International Conference on E-Commerce and Web Technologies, Giuseppe Psaila, Roland Wagner (Eds.): EC-Web 2008, Turin, Italy, September 3–4, 2008. Lecture Notes in Computer Science 5183, Springer, 2008 [2].


About this article

Cite this article

Buccafurri, F., Lax, G. Implementing disposable credit card numbers by mobile phones. Electron Commer Res 11, 271–296 (2011). https://doi.org/10.1007/s10660-011-9078-0
