
Upload: jbashask

Post on 24-May-2015


Page 1: Experiment

Our Experiment Description

Index

Online Shopping Sites, their concern for Security.

Existing Security Measures in the Market.

Existing counter measures in Credit Card Transactions.

Ratio of Counterfeit Frauds.

Industry counter measures for Counterfeit Frauds.

Encryption/Decryption Techniques and their limitations.

What is lacking?

Existing Practices for Data Security.

Our Experiment.

Our Architecture Overview.

About Acunetix Tool.

Reports Generated by Acunetix Tool.

Online Shopping Sites, their concern for Security

Data security is the major concern for all online shopping sites, where each transaction happens online using credit cards or debit cards.

For all major banking sites and shopping cart sites, securing transactions is a major issue, as the credit card or debit card details must be kept confidential.

To address this concern, these merchants use various tools that provide security for the transactions.

Though there are many tools available in the market, the probability of fraud is still high, as these tools are not capable of securing the actual card data during the transaction.

For this reason we find a large number of fraudulent transactions happening throughout the world due to data theft and other hacking techniques.

The current approach in the market is to provide proper security for the data, on the basis that if data transmission is secure, there is minimal scope for fraud to happen.

Existing Security Measures in the Market

There are many tools in the market today that provide security for online card-based transactions.

Page 2: Experiment

Some tools like Vfraud, and sites like PayPal and Paisa Pay, are well known in the market.

Almost all existing security systems use the HTTPS protocol as well as various encryption/decryption techniques.

Digital certificates are another security measure used by sites throughout the internet.

Most merchants, such as eBay, Sify Shopping and India Times Shopping, rely on PayPal or Paisa Pay to secure their transactions.

Though so many methodologies are in use in the market, these practices are common to every product and every tool.

Existing counter measures in Credit Card Transactions

All the tools available in the market use the concept of filters.

These filters are different layers through which data flows during card transactions.

Various filters in the market filter the data based on geographical criteria as well as the number of transactions made on a particular card.

These layers can identify and filter transactions when duplicate cards or duplicate card data are used during a card transaction.

Many products being released in the market have more robust filters embedded, but these filters are still unable to identify fraud when genuine credit card details are provided. Such transactions are the root cause of counterfeit fraud, which is very high and is the major concern in the market.

What is a Counterfeit Fraud?

Duplicating credit/debit cards by stealing the card data from the magnetic stripe is called counterfeiting.

In counterfeiting, the fraudster either uses a counterfeit card made from the stolen data or uses the stolen card itself. The information travelling through the secure channels remains the same as that of a genuine card, even though all the filters are active.

Hence, as there are no products in the market that can identify counterfeit cards, the percentage of counterfeit fraud is higher than that of all other types of fraud.

Hence it is a high concern for merchants, banks and customers that counterfeit fraud be minimized.

Industry counter measures for Counterfeit Frauds

Some of the industry counter measures for counterfeit cards are:

Encryption/Decryption and Hash

Page 3: Experiment

Address Verification System

Geography profile of Billing Address and Shipping Address.

etc.

However, many of the techniques currently recommended or used by banks and other financial sectors are either outdated or, as the technical sophistication of fraudsters has evolved, vulnerable to being compromised.

For example, in recent years there have been successful attempts to break some of the very strong encryption techniques like DES. Hackers are also now maintaining private centralized databases containing large collections of hashes paired with the plaintext strings that produce them.

Hackers or fraudsters have also become so skilful that they can dynamically tamper with secure data in transit or compromise a user's system.

In offline cases where the card is physically present, fraudsters are coming up with efficient new techniques like magnetic card readers and postal tweaks, and sometimes even dare to phone the target, represent themselves as bank card officers and try to extract information from the target without their knowledge.


Some of the industry counter measures for counterfeit cards use different encryption/decryption techniques, or use data value pairs, in order to verify the genuineness of the card user.

Measures like verifying that the billing address and the shipping address are the same are also in practice.

Though these counter measures are in place, it is not always possible to verify the billing and shipping address, as many sites offer instant download, where there is no shipping address at all.

Even the data value pairs technique used by many banking sites is not so secure, as it could be captured by sniffing tools installed on the system.

Tamper Data is one such tool, which can tamper with the data being entered on even the most secure sites like Citibank, HDFC Bank, etc.

Hence the counter measures already in practice are also not completely successful in reducing counterfeit fraud.


Page 4: Experiment

[Screenshot] Sample using Tamper Data Tool on citibank site: Original Data Entered

© ADLUX CONSULTANCY SERVICES PVT. LTD.

Page 5: Experiment

Man in the Middle Attack (False Certificate)

[Screenshot] Sample using Tamper Data Tool on citibank site: Tampered Data

Page 6: Experiment

This diagram represents how a Man in the Middle attack happens using a false certificate to steal the user's credentials. (In our architecture, even if a Man in the Middle attack happens and the intruder steals the user data, the data remains useless, as it can only be decrypted by our server.)

Encryption/Decryption Techniques and their limitations

All the tools using encryption/decryption techniques use some of the common standard encryption algorithms that the industry has established over the years.

None of the latest tools or banking sites use any new encryption logic apart from the old standard ones, for which decryption tools are also available on the internet as freeware.

Any data encrypted using an encryption algorithm can be decrypted with the key. If this key is stolen, or if the data is captured on the internet, it could be decrypted and used to commit counterfeit fraud.

So, finally, what is lacking in the whole scenario is data security. For every transaction, data is the major input, and as long as the data is not secured, the scope for fraud remains open.

In our entire research we found that all the tools existing in the market concentrate only on filters. There is no tool in the existing market that mainly concentrates on how to secure the data throughout its transit.

Our Experiment

Looking at all the aforesaid scenarios and the causes of fraud, we have experimented with an architecture that mainly concentrates on data security.

Page 7: Experiment

Our main aim is to make the data tamper proof, so that even if the data transmitted by our architecture is captured, it makes no sense to the other party.

We mainly experimented with protecting data in transit through the internet by encrypting the whole page, so that even if a hacker tries to view the source, the page is totally encrypted; the source the hacker can view makes no sense and has no direct relationship with the actual data present in the page.

We are also experimenting with URL and session profiling in order to safeguard the data from external script or data injection.

With our experiment to make the data tamper proof, we ensured the security of the data to the maximum extent by creating various layers of wrappers around the data.

Our Architecture Overview

Sample using Tamper Data Tool on Our Architecture

Y is the encrypted data sent to the browser, and it is visible to the user as X using images. The value X is stored as Y on the server for each profile and each request; Y changes dynamically for each profile, and only the server can understand the meaning of Y.

[Diagram] Our Architecture Overview: the user enters data X (actual data) through the browser. Our architecture generates Y (encrypted data) from X as input, using one of N dynamic encryption algorithms (0 to N), each selected by one of N dynamic seeds* (0 to N); Y is what travels to and from the browser.

*A seed is a dynamic number based on which the encryption algorithm is chosen.
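As an added illustration (not the deck's own code, which it does not disclose), the following Python models the X/Y relationship described above as server-side tokenisation: the browser only ever sees a random per-request token Y, the server alone maps Y back to X, and a tampered, replayed or reused Y resolves to nothing. The class and function names (TokenVault, issue, redeem, demo) and the sample card value are assumptions made for this example.

```python
"""Per-request opaque tokens standing in for form values (illustrative model,
not ADLUX's implementation).  The server keeps the real value X and hands the
browser only a random token Y bound to one profile (session) and one request."""
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenVault:
    # (profile, request_id, token) -> actual value X; only the server holds this map
    _store: dict = field(default_factory=dict)

    def issue(self, profile: str, request_id: str, actual: str) -> str:
        """Return a fresh token Y for value X; a new Y is produced on every call,
        so the same X never reaches the browser under the same Y twice."""
        token = secrets.token_urlsafe(16)          # 128 bits of randomness
        self._store[(profile, request_id, token)] = actual
        return token

    def redeem(self, profile: str, request_id: str, token: str):
        """Translate Y back to X.  Tokens are single-use and bound to both the
        profile and the request, so a Y captured in transit is useless elsewhere."""
        return self._store.pop((profile, request_id, token), None)


def demo() -> dict:
    """Constructed walk-through with a card field; the card number is a test value."""
    vault = TokenVault()
    x = "4111 1111 1111 1111"                      # constructed sample, not real card data
    y_req1 = vault.issue("profile-A", "req-1", x)
    y_req2 = vault.issue("profile-A", "req-2", x)
    tampered = y_req2[:-1] + "!"                   # '!' never occurs in a urlsafe token
    return {
        "y_differs_per_request": y_req1 != y_req2,
        "server_recovers_x": vault.redeem("profile-A", "req-1", y_req1) == x,
        "tampered_y_is_useless": vault.redeem("profile-A", "req-2", tampered) is None,
        "other_profile_cannot_use_y": vault.redeem("profile-B", "req-2", y_req2) is None,
        "y_still_valid_for_owner": vault.redeem("profile-A", "req-2", y_req2) == x,
        "y_is_single_use": vault.redeem("profile-A", "req-2", y_req2) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

Note that in this model the security comes from Y being random and looked up only on the server, not from the choice of encryption algorithm; the deck's seed-selected algorithms are not reproduced here.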

Page 8: Experiment

[Screenshot] Sample using Tamper Data Tool on Our Architecture: Original Data Entered (Actual Architecture) and Encrypted Architecture

Page 9: Experiment

[Screenshot] Sample using Tamper Data Tool on Our Architecture: Tampered Data (Encrypted, meaningless)

Page 10: Experiment

Moreover, as an extra level of security, the whole page content is filled with numbers that follow no discernible logic or method; it is understandable only by the browser compiler.

Page 11: Experiment

About Acunetix Tool

Acunetix is a web site scanning tool that scans a given website for all types of possible vulnerabilities.

This tool scans and tests websites by sending a large number of different types of requests to verify the standards and the security of the wrappers around the site.

This tool also checks the security of the website using various hacking techniques available in the market and generates reports stating the strengths and weaknesses of the website.

This tool attacks websites using various techniques to verify the stability of the website or any other online tool.

The report generated by this tool describes the risks and categorizes them as high, medium, low and informational.

This tool scans for all vulnerabilities according to the existing industry standards. Though our main criterion was data security, we also hardened our architecture so that it satisfies the industry standards.

Page 12: Experiment

We have tested our architecture using this tool and found '0' vulnerabilities. (All the reports are attached in the next slide.)

We have also scanned some famous sites to check the standards of the tool and to compare them with our product.

Conclusion

Based on our architecture, all the data transmitted is always secure and remains useless even if an intruder gets it, as the encrypted data changes for every request and every profile, as explained in the architecture.

Based on the reports from the Acunetix tool, our testers, and also third-party people who worked on breaking our architecture, declared it to be tamper proof.

Furthermore, we are still carrying out R&D on enhancing this architecture and working towards building a robust solution.

Reports Generated by Acunetix Tool

IRCTC Report

Scotia Bank Report

eBay Report

Our Architecture Report (Secured Shopping Cart Application)