
The present system is very useful to bank customers and bankers in the following ways.

1. Customers can pay for purchases using a credit card. This spares them the stress and lost time of queuing up in the bank to withdraw cash.

2. The existing system verifies the credit card details and the user's password before transactions can be carried out. This reduces the chances of fraudulent transactions using credit cards.

3. The workload on bankers is seriously reduced, as transactions with credit cards limit the number of customers they attend to on a daily basis.

[Figure: flowchart of the present system. Labels: Credit card transactions; Credit card fraud detection system using HMM algorithm; Incoming set of transactions and amount; Decision making to check if transaction is fraud or not (Yes / No); Fraudulent transaction; Genuine transaction; Raise alarm.]

3.2.1.2 Disadvantages of the Present System

The current credit card protocol has several aspects which render it dangerous. Sensitive data is transmitted; it can be re-used by malicious parties. Proximity is used as an indicator of intent, requiring a card holder to maintain constant vigilance on the surroundings of their credit cards.

These aspects invite a number of security attacks on the protocol.

1. Eavesdropping fraud: The goal of an eavesdropper is to gain the victim's credit card information such as the credit card number and expiration date. Eavesdropping is a passive attack, where the eavesdropper hears all communication between the Point-of-Sale and the credit card (Kortvedt, 2009). Communication between the bank and the Point-of-Sale is assumed to be secure. An outline of this attack is shown in Fig. 3.3.

Fig. 3.3: Eavesdropping (Kortvedt, 2009)

The feasibility of this attack has been demonstrated by building a very low form-factor antenna capable of eavesdropping on communications. In the current implementation of the CC Protocol, an eavesdropper acquires the credit card number, expiration date and the issuing bank name.

2. Skimming fraud: The goal of a skimmer is to perform a purchase on behalf of the victim, without the victim's knowledge or consent. First, the skimmer masquerades as a Point-of-Sale to the victim's credit card, acquiring the credit card number, expiration date, issuing bank name, and the iCVV. Subsequently, the skimmer masquerades as a credit card to a legitimate Point-of-Sale, making a purchase on behalf of the victim by replaying the skimmed credit card information and the iCVV. An outline of this attack is shown in Fig. 3.4.

Fig. 3.4: Skimming

3. Compromised Point-of-Sale fraud: Any protocol in which the Point-of-Sale learns information capable of permitting multiple charges is vulnerable to Compromised Point-of-Sale attacks. We use this term to refer to any attack which involves the Point-of-Sale or merchant performing (possibly unintentional) actions leading to credit card theft (Eun, 2013). For example, a Point-of-Sale might be compromised and re-programmed to transmit credit card information to an attacker after every successful purchase. An outline of this attack is shown in Fig. 3.5.

Fig. 3.5: Compromised Point-of-Sale (Robin, 2014)

3.2.2 Analysis of the New System

This dissertation focuses on a credit card application that detects fraudulent credit card activity in credit transactions. In this approach, the pattern of current fraudulent usage of the credit card is analyzed against the previous transactions by using multi-agents in a data mining algorithm. Fig. 3.6 shows the data flow diagram of the new system model. The system has three data mining engines: customer/bank database and fraud detection database.

The customer/bank database holds the following: account opening operations, withdrawal and deposit transactions, and account statements. The fraud techniques database gives details of attack attempts on a customer's credit card (such as date, time, amount and action taken). The New Credit Card Fraud Multi-Agents Model (CCFMAM) detects credit card fraud by analyzing the spending patterns on every card and identifying any inconsistency with respect to the usual spending patterns. The multi-agents use these inputs (user transaction input and past recorded credit fraud detection input) to watch an ongoing transaction and check whether it is fraudulent or not, beginning from the most recent attack methods of fraudsters and concentrating on the most recent spending pattern of the transaction.

In the new system, when a credit card transaction is initiated, the system verifies the user's PIN code and username by validating them against the bank database. If the PIN fails to validate after three consecutive attempts, the account is blocked and a fraud alert is sent to the fraud database.

But if the PIN verification is successful, the system captures the credit card transaction details and verifies the credit card information (such as name of the bank that issued the card, CCN, expiration date and iCVV) before passing the information to the data monitoring agent.

The monitoring agent uses the last ten credit card transactions to build a transaction pattern for the customer and forwards the pattern to the collating agent. The monitoring agent uses a machine learning technique to retrieve previous credit card fraud patterns from the credit card database and also retrieves the customer details from the bank database. Within the monitoring agent, each agent focuses on a particular type of credit card fraud, in parallel, and reports any suspicious attack to the collating agent. The collating agent is responsible for communication with the diagnosing agent, which includes sending the task to be performed as input and providing the required data. The diagnosing agent matches the existing pattern of credit card transactions against the new transaction to check whether there are variations in the pattern.

If the transaction pattern does not match, the system requests a secret question and answer from the user for further authentication. If the user fails the question, a fraud alert is sent to the reporting agent. The reporting agent then forwards the extracted credit card transaction status to the database of the bank and the customer's phone, and the transaction is blocked. But where the credit card profile matches the existing customer profile, the transaction is allowed to go through and the customer's account is updated. The transaction is then recorded on the credit card database and the amount transferred is deducted from the customer's account balance. Fig. 3.7 shows the Enterprise Architecture of the New System.
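The decision flow described above (three-strike PIN lockout, a pattern built from the last ten transactions, secret-question step-up, fraud alert) can be sketched as follows. This is an added example, not code from the dissertation: the `Account` class, the `process` and `deviates` functions, the median/MAD deviation test with its 3.5 threshold, and the rule that a correct secret answer lets the transaction through are assumptions, and card-detail verification (issuer, CCN, expiry, iCVV) is left out.

```python
import hmac
from dataclasses import dataclass, field
from statistics import median

MAX_PIN_ATTEMPTS = 3   # from the text: block after three consecutive failures
WINDOW = 10            # from the text: pattern built from the last ten transactions
MAD_THRESHOLD = 3.5    # assumption: robust z-score cut-off, not from the dissertation

@dataclass
class Account:
    pin: str                                      # plaintext only in this constructed sample
    secret_answer: str
    history: list = field(default_factory=list)   # amounts of approved transactions
    failed_pins: int = 0
    blocked: bool = False
    alerts: list = field(default_factory=list)    # stands in for the fraud database

def deviates(history, amount):
    """Diagnosing step: does `amount` break the pattern of the last WINDOW amounts?"""
    recent = history[-WINDOW:]
    if len(recent) < 3:                 # too little data to call anything unusual
        return False
    med = median(recent)
    mad = median(abs(x - med) for x in recent) or 1e-9   # avoid division by zero
    return 0.6745 * abs(amount - med) / mad > MAD_THRESHOLD

def process(acct, pin, amount, answer=None):
    """Return 'blocked', 'pin_failed', 'challenge', 'fraud_alert' or 'approved'."""
    if acct.blocked:
        return "blocked"
    if not hmac.compare_digest(pin, acct.pin):    # constant-time comparison
        acct.failed_pins += 1
        if acct.failed_pins >= MAX_PIN_ATTEMPTS:
            acct.blocked = True
            acct.alerts.append(("pin_lockout", amount))
            return "blocked"
        return "pin_failed"
    acct.failed_pins = 0                # only consecutive failures count
    if deviates(acct.history, amount):
        if answer is None:
            return "challenge"          # caller must ask the secret question
        if not hmac.compare_digest(answer, acct.secret_answer):
            acct.alerts.append(("pattern_mismatch", amount))
            return "fraud_alert"        # reporting agent: transaction blocked
    acct.history.append(amount)         # approved: record and update the profile
    return "approved"
```

Because an approved transaction is appended to `history`, an out-of-pattern amount that passes the secret question shifts the baseline for later checks; a deployment would want to decide whether step-up approvals should feed the profile at all.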

Fig. 3.6: Data Flow Diagram of the New System

[Figure labels: User/customer; Login; Verification pin & Acct. No.; Customer Database; Bank database; Generate Token; Account No.; Monitoring Agents (Spending pattern); Collating Agents; Diagnosing Agent (Expert driven approach); Reporting Agent; Fraud Alert; Fraud database.]

Enterprise Architecture of the New System

The Enterprise Architecture of the New System is shown in Fig. 3.7.

Fig. 3.7: Enterprise Architecture (EA) of the New System