ایمن سازی معاملات کارت اعتباری با طرح پرداخت یک زمان

Traditional credit card payment is not secure against credit card frauds because an attacker can easily know a semi-secret credit card number that is repetitively used. Recently one-time transaction number has been proposed by some researchers and credit card companies to enhance the security in credit card payment. Following this idea, we present a practical security enhancement scheme for one-time credit card payment. In our scheme, a hash function is used in generation of one-time credit card numbers with a secret only known to the card holder and issuer. Compared with related work, our scheme places less burden on credit card issuers, and can be easily deployed in on-line or off-line payment scenarios. Analysis and simulation show that the time and space complexity is affordable to the card issuer with desired security features

Credit card frauds have caused millions of dollars loss each year and exposed the security weaknesses in traditional credit card processing system [2]. In such system, a customer (i.e., credit card holder) repetitively uses a fixed credit card number as well as personal identifying information in all transactions. Because this credit card number is “sticky”, it is relatively easy for an attacker to steal it with intention to commit illegal activities. Some common ways to commit credit card fraud include: • Shoulder surfing: An attacker watches a customer from a nearby location as the customer punches in his credit card number. If the customer is giving his credit card number over the phone (e.g., to a hotel or car rental company), the attacker may listen to the conversation so as to get credit card information. • Dumpster diving: An attacker goes through a customer’s garbage cans or trash bins to obtain copies of credit card statements. • Packet intercepting: An attacker sniffs some e-commerce packets during on-line credit card payment. In some cases, the attacker does not need to break down the possibly encrypted packets (e.g., over Secure Socket Layer), but fools the customer into thinking that he or she is visiting an intended site but actually the attacker’s spoofing one. • Database stealing: To encourage purchasing, many merchants (who provide services to customers) choose to store their customers’ credit card information in online databases. Recent news reported that attackers could break into merchants’ web sites and steal millions of credit card numbers [1]. Not only does the credit card fraud cause millions of dollars loss each year, but also causes significant worry among customers. According to a recent study conducted by Opinion Research Corporation, it causes more worry than the war in Iraq in terms its impacts on customers’ awareness of security issues [5].

We have presented a security enhancement scheme for one-time credit card payment. In this scheme, one-time transaction numbers are generated by hashing their previous transaction numbers and a shared secret between card holder and issuer. The scheme is applicable in both on-line and off-line payment scenarios. Analysis and simulation show that the complexity of our scheme is comparable to that of traditional credit card payment and that the security of scheme is much stronger. We have also discussed several implementation options and compared our scheme with PKI-based approach. We concluded that our scheme is practical for thwarting credit card frauds with a good balance of ease of deployment for credit card companies and ease of use for individual customers.