
Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?

Ali, Mohammed Aamir, Arief, Budi, Emms, Martin, van Moorsel, Aad (2017) Does The Online Card Payment Landscape Unwittingly Facilitate Fraud? IEEE Security & Privacy, 15 (2). pp. 78-86. ISSN 1540-7993. E-ISSN 1558-4046. (doi:10.1109/MSP.2017.27) (KAR id:58364)

PDF Author's Accepted Manuscript
Language: English


This article provides an extensive study of the current practice of online payment using credit and debit cards, and of the intrinsic security challenges caused by the differences in how payment sites operate. We investigated the Alexa top-400 online merchants' payment sites and realised that the current landscape facilitates a distributed guessing attack. This attack subverts the payment functionality from its intended purpose of validating card details into helping the attackers generate all the security data fields required to make online transactions. We will show that this attack would not be practical if all payment sites performed the same security checks. As part of our responsible disclosure measures, we notified a selection of payment sites about our findings, and we report on their responses. We will discuss potential solutions to the problem and the practical difficulty of implementing them, given the varying technical and business concerns of the parties involved.

Item Type: Article
DOI/Identification number: 10.1109/MSP.2017.27
Uncontrolled keywords: security; online payment; distributed attack; fraudulent transactions; survey; ethical disclosure.
Subjects: Q Science > QA Mathematics (inc Computing science) > QA 75 Electronic computers. Computer science
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
Depositing User: Budi Arief
Date Deposited: 03 Nov 2016 12:00 UTC
Last Modified: 16 Feb 2021 13:38 UTC