
Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?

NU author(s): Mohammed Ali, Dr Leonardus Arief, Dr Martin Emms, Professor Aad van Moorsel



This is the authors' accepted manuscript of an article that has been published in its final definitive form by Institute of Electrical and Electronics Engineers, 2017.

For re-use rights please refer to the publisher's terms and conditions.


This article provides an extensive study of the current practice of online payment using credit and debit cards, and the intrinsic security challenges caused by the differences in how payment sites operate. We investigated the Alexa top-400 online merchants' payment sites, and realised that the current landscape facilitates a distributed guessing attack. This attack subverts the payment functionality from its intended purpose of validating card details into helping the attackers generate all the security data fields required to make online transactions. We will show that this attack would not be practical if all payment sites performed the same security checks. As part of our responsible disclosure measure, we notified a selection of payment sites about our findings, and we report on their responses. We will discuss potential solutions to the problem and the practical difficulty of implementing them, given the varying technical and business concerns of the involved parties.

Publication metadata

Author(s): Ali MA, Arief B, Emms M, van Moorsel A

Publication type: Article

Publication status: Published

Journal: IEEE Security & Privacy

Year: 2017

Volume: 15

Issue: 2

Pages: 78-86

Online publication date: 03/04/2017

Acceptance date: 01/11/2016

Date deposited: 01/12/2016

ISSN (print): 1540-7993

ISSN (electronic): 1558-4046

Publisher: Institute of Electrical and Electronics Engineers


DOI: 10.1109/MSP.2017.27

