October 18, 2006 Green Team 3
This family received food stamps
www.co.kern.ca.us/dhs/images/0987.jpg
October 18, 2006 Green Team 4
This family received money from FEMA
www.katrinapictures.blogspot.com/
October 18, 2006 Green Team 5
This family received both
http://www.spasearch.org/admin/images/fld_main_photo/fld_main_photo_38.jpg
October 18, 2006 Green Team 6
What do these families have in common?
• All these families received Government money
• The first two used the money as intended
• The third is guilty of spending government money on things other than the intended purpose
October 18, 2006 Green Team 7
FEMA Fraud
• Hurricane Katrina victims – 900,000 of 2.5 million aid applicants were fraudulent*
* http://www.msnbc.msn.com/id/11326973/
[Pie chart legend: Obtained funds through fraud; Obtained funds legally]
October 18, 2006 Green Team 8
Problem Statement
Government organizations and private businesses have inadequate protection
against unauthorized purchases by authorized cardholders, which results in a
loss of funds.
October 18, 2006 Green Team 9
Problem Analysis
• Out of a $2.5 trillion government budget**
– $14 billion was spent on private purchases by employees
– $2 billion was spent on unauthorized purchases by employees*
* Foiling credit card fraud by Jenny C. McCune • Bankrate.com
** http://www.gpoaccess.gov/usbudget/
October 18, 2006 Green Team 10
Problem Characteristics
• Tracking physical receipts
– Archaic
– Inaccurate
– Unreliable
– Easy to lose
• Employees produced 20% of all transaction receipts*
• Cards can be stolen
• Organization loses money
– Money spent unwisely by an authorized user of the card is not covered under fraud protection
* http://www.dallasnews.com
October 18, 2006 Green Team 11
Solution Characteristics
• Prevention of lost corporate funds
– Reduces personal, unwarranted spending
• Biometrics
– Prevents unauthorized use
• Uses customizable database
– Allows different businesses to have different options
October 18, 2006 Green Team 12
C3 Protection Card
•So what is C3P? – Customizable Credit Card Protection
October 18, 2006 Green Team 13
Objectives
• Develop a customizable credit card system to prevent unauthorized purchases by employees
– Customizable database to hold prohibited purchases
• GUI to allow customization of database
– Uses Merchant Commercial Codes (MCCs)
– Uses Universal Product Codes (UPCs)
• Implement latest security technology for card protection
October 18, 2006 Green Team 14
Features
•Secure Credit card
–128-bit DES encryption
–Biometrics
•Fingerprint
•Photo ID
–Allows customizable control over card’s use
–Controlled by a user interface to each business’ personal database
October 18, 2006 Green Team 15
Customers
•Hard Customers
-Visa
-MasterCard
-Discover
-American Express
•Soft Customers
-Every business that holds a business credit card
-Caring and concerned parents who issue credit cards to their children
October 18, 2006 Green Team 16
Customer Characteristics
•Credit Card Companies
-Spend millions each year on securing their credit cards*
-Minors are Credit Card Company’s new target consumer**
•Credit Card Company’s Consumers
-Small businesses report billions of dollars in losses through embezzlement each year***
-Parents are concerned with giving children control of a credit card yet are even more concerned about giving a child real cash**
* http://news.com.com/Retailers+feel+security+heat/2100-7349_3-5680788.html
** http://www.bankrate.com/fox/news/cc/20000508.asp
*** http://www.fbi.gov/publications/financial/fcs_report052005/fcs_report052005.htm
October 18, 2006 Green Team 17
Why does the customer need this?
•Soft customer
–Secure and efficient control of company funds
–Reduced costs to prevent and lessen the effects of fraud
–Parental control of children's spending
•Hard Customer
–Offer safer card services to credit users
–Larger customer base
•Increase of large, reliable customers
October 18, 2006 Green Team 19
RFID Card Specifications
• An embedded antenna that is attached to the chip is used to transfer information stored in the chip's memory
• The range of operation is 2.5" to 3.9"
• Information can be written to the card the same way it is read.
• The fingerprint scanner can be added
October 18, 2006 Green Team 20
Software Features
• Intuitive web-based GUI Interface
– Able to customize MCCs and/or UPCs by creating an ‘acceptance’ list
– Able to analyze and graph employee spending habits
• Incoming UPCs and MCCs are compared with an ‘acceptable’ database of allowed codes
October 18, 2006 Green Team 21
Receipt Tracking
• For each business, all employee purchases are tracked and listed by employee
• Receipts will list accepted and rejected purchases
• Receipts can be grouped by purchaser, date, and/or MCC
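The acceptance-list comparison and receipt tracking described on the two slides above, as an added Python example (not code from the original slides or from the C3P project). The `Policy` structure, the function names and the sample codes are assumptions; a policy with no UPC list decides on the MCC alone, and any code not on the list is rejected.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    """One business's acceptance list (hypothetical structure)."""
    allowed_mccs: frozenset
    allowed_upcs: Optional[frozenset] = None  # None: no UPC data, decide on MCC alone

def authorize(policy, purchaser, date, mcc, items):
    """Check each (upc, amount) item; codes not on the list are rejected."""
    receipt = []
    for upc, amount in items:
        if mcc not in policy.allowed_mccs:
            verdict, reason = "rejected", "MCC not on acceptance list"
        elif policy.allowed_upcs is not None and upc not in policy.allowed_upcs:
            verdict, reason = "rejected", "UPC not on acceptance list"
        else:
            verdict, reason = "accepted", ""
        receipt.append({"purchaser": purchaser, "date": date, "mcc": mcc, "upc": upc,
                        "amount": amount, "verdict": verdict, "reason": reason})
    return receipt

def sale_completes(receipt):
    """A sale goes through only if it has items and every one was accepted."""
    return bool(receipt) and all(line["verdict"] == "accepted" for line in receipt)

def group_receipts(lines, key):
    """Group receipt lines by purchaser, date or MCC for review."""
    if key not in ("purchaser", "date", "mcc"):
        raise ValueError(f"cannot group by {key!r}")
    groups = defaultdict(list)
    for line in lines:
        groups[line[key]].append(line)
    return dict(groups)

# Constructed sample data: the MCC strings and UPCs below are illustrative values.
OFFICE_ONLY = Policy(frozenset({"5943"}), frozenset({"012345678905"}))
MCC_ONLY = Policy(frozenset({"5943"}))  # launch mode without a UPC database

LOG = (authorize(OFFICE_ONLY, "alice", "2006-10-18", "5943",
                 [("012345678905", 12.50), ("099999999990", 40.00)])
       + authorize(OFFICE_ONLY, "bob", "2006-10-18", "5813", [("012345678905", 30.00)]))

if __name__ == "__main__":
    for who, lines in group_receipts(LOG, "purchaser").items():
        for line in lines:
            print(who, line["mcc"], line["upc"], line["verdict"], line["reason"])
```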
October 18, 2006 Green Team 22
Smart Card Setup
• User account access information added to smart card memory by C3P
• 1st user finger scan saves a three-dimensional electrical image of the fingerprint's unique pattern using small variations in finger surface capacitance.
October 18, 2006 Green Team 23
Authentication Process
Current Process
• Vendor must take the credit card and ID from customer
• Then vendor must authenticate the customer by judgment alone.
• If the customer matches the identification, the transaction is made.
NEW Process
• Hold your thumb over the fingerprint scanner to prove your identity.
• If your fingerprint matches, the Smart Card & RFID chip will be activated
• Touch the card to the card reader and the transaction will be processed.
October 18, 2006 Green Team 24
Payment Process
Current Process
• Vendor swipes your card at the point-of-sale register.
• The data is sent to a computer to verify your credit.
• If you have the funds, your purchase is allowed.
NEW Process
• You swipe your card at the point-of-sale register.
• Your data is sent to our servers for verification.
• Your data is then sent to the credit servers to verify.
• If your card is accepted and your purchases are valid, sale is complete.
October 18, 2006 Green Team 25
What’s in the Box?
Loading Station
What’s In The Box What’s Not In The Box
IF REQUESTED:
•Authentication code for website
•Website URL (holds database)
•Requirements for submission of pictures and info
Credit card customer information
Computer with Internet connection
Businesses
Credit Card Companies
October 18, 2006 Green Team 26
Flow of Information/Hardware
[Diagram; arrow labels in order:]
a. Request CC w/C3P
b1. Camera? How many cards?
b2. Reply
c. Send notification of request
d. Sell camera (opt.) & authentication code
e. Send camera (opt.) & authentication code
f. Send photos
g. Sell cards with C3P (RFID chip/C3P logo/biometrics)
h. Send cards with CC logo & photo ID
[Diagram captions:]
Business accesses C3P database online
C3P makes RFID smart cards w/ biometrics
October 18, 2006 Green Team 27
What this product does not do
• Provide point-of-sale RFID readers
• Protect against blocking of authorized purchases
– Will mostly be a result of human error
– Will decrease in occurrence as more businesses use product
• Provide credit for businesses
October 18, 2006 Green Team 28
Competition Matrix
Column headers: Uses existing card readers; Tracks purchases and patterns; Uses existing card readers; Customizable purchase restrictions; Can set Spending Limits; Blacks-out MCC codes; Blacks out UPC codes; Biometric ID (photo and fingerprint); Prevents Duplication; For Government Use; For Personal Use; For Business Use
MTU Purchasing X X X X X
Government Credit X X X
Food Stamps X X X X X X
Worldwide Purchasing X X X X X X
LeCarte Purchase X X X X X
NASA SmartPay X X X
Smart Cards X
C3P X X X X X X X X X X X X
October 18, 2006 Green Team 29
Cost (Soft Customer)
Components | Number Required | Price | Cost
Camera (optional) | 1 | $110.00 | $110.00
Access to website | 1 | FREE | FREE
Authentication code (convenience fee) | 1 | $10.00 | $10.00
RFID smart card w/biometrics* | 1 per member | $20.00 | $20.00/member
Total Cost (Max) | | | $120.00 + $20.00/member
Total Cost (Min) | | | $10.00 + $20.00/member
* http://www.processor.com/editorial/article.asp?article=articles/P2716/30p16.asp&guid=
October 18, 2006 Green Team 30
Cost (Hard Customer)
Components | Number Required | Price | Cost
Initial Training | 1 day per store | $3,000.00 | $3,000.00 per day per company
Server* (incl. add’l features) | 1 (for C3P use only) | $8,162.00 | $8,162
RFID smart card printer | 1 (for C3P use only) | $4,000.00 | $4,000.00
RFID smart cards | 1 per member (for C3P manufacturing) | $15.00 | $15.00/card
Total Cost for C3P | | | $12,162.00 + 3,000/day of training + $15.00/card
* http://configure.us.dell.com/dellstore/config.aspx?c=us&cs=04&kc=6W300&l=en&oc=pe1950-max&s=bsd
October 18, 2006 Green Team 31
Pros
• Smart Card Technology
– Quick
– Uses Biometrics
• Safe and Secure
• Customizable
– Spending limits
– Tracks Items Bought
– Tracks Vendors Bought From
• More Efficient
– Saves Time Spent On Accounting
• Saves money
• Keeps better records
– Automatic record of exact item bought and vendor shopped at
– Better information for routine audits
October 18, 2006 Green Team 32
Cons
• Uses fingerprints
– People are afraid of giving up such information
• Solved with encryption and marketing
• Vendors need RFID readers
– Requires New Technology
• Many vendors are getting scanners
– 7-11 is adding 5,600 RFID scanners this year*
• Accidental blocking of necessary purchases
– Solved with training and research
• 24/7 Server/Website Maintenance
* mastercard.com
October 18, 2006 Green Team 33
Risk Probability/Impact Matrix
Probability 81-100%:
Probability 61-80%:
Probability 41-60%:
Probability 21-40%: 7 4 1, 2
Probability 1-20%: 6 5 3
Impact axis: 1 2 3 4 5
Impact: 1 (Low) - 5 (High)
1 Access to credit card info
2 Hardware malfunction
3 Cards are not delivered
4 Software Malfunction
5 Insulting to Employee
6 Employees won't give up finger prints
7 UPC database is unavailable
October 18, 2006 Green Team 34
Risks
Risk# | Risk Description | Mitigation Actions
1 | Access to Personal Info from Credit Card Companies | Encryption, policy of not reading the information
2 | Hardware Malfunction or Viruses | Out of our control
3 | Cards are not delivered by contracted company | Out of our control
4 | Software Malfunction | Thorough testing and 24/7 support
October 18, 2006 Green Team 35
Risks
Risk# | Risk Description | Mitigation Actions
5 | Insults Employee (can not be trusted) | Marketing plan and training to avoid insulting employees
6 | Employees are reluctant to give up fingerprints due to privacy issues and fear of ‘Big Brother’ | 128-bit DES encryption, need of access to the money by user
7 | UPC Database is unavailable | Drop UPC solution from initial launch and use only MCCs
October 18, 2006 Green Team 36
Return on Investment
• Improves reputation of credit card company
• Reduces loss of money due to unscrupulous purchases
• Saves time used to perform manual audits
• Reduces fraud
• Reduces the number of investigations required
October 18, 2006 Green Team 37
Conclusion
• Regulates how funds are spent
• Uses biometrics
–Prevents the use or selling of stolen cards
•Vendors, credit customers, and card companies will benefit
–Vendors will get higher quantity and more efficient business
–Credit customers are protected and have less wait-time in line
–Card companies get to sell cards and RFID sensors to vendors while increasing their number of users
•C3P will revolutionize the credit system worldwide
October 18, 2006 Green Team 39
References
• DISD credit card oversight lax: http://www.dallasnews.com
• Picture 1: www.co.kern.ca.us/dhs/images/0987.jpg
• Picture 2: www.katrinapictures.blogspot.com/
• Picture 3: http://www.spasearch.org/admin/images/fld_main_photo/fld_main_photo_38.jpg
• FEMA Fraud: http://www.msnbc.msn.com/id/11326973/
• IEEE Feasibility Study on biometric credit cards: http://www.ee.ucla.edu/faculty/papers/ingridv_TransCE_nov04.pdf#search=%22Portable%20Biometrics%22
• Smart Card technology with localized, portable biometrics: http://www.biometricassociates.com/smartcard.php
• Open source smart card technology, both software and hardware: http://www.smartcardalliance.org/industry_news/industry_news_item.cfm?itemID=1596
October 18, 2006 Green Team 40
References
• Food stamp fraud: http://www.frac.org/html/federal_food_programs/programs/fsp_faq.html#4
• Food stamp info: http://www.fns.usda.gov/fsp/faqs.htm#9
• Data on food stamp fraud:
– http://www.eweek.com/article2/0,1895,1972079,00.asp
– http://www.foodstampfraud.org/
– http://www.cioinsight.com/article2/0,1540,1850300,00.asp
• FEMA Fraud data:
– http://www.cnn.com/2006/US/09/13/katrina.fraud/index.html?section=cnn_topstories
– http://www.msnbc.msn.com/id/11326973/
• Lockout codes: http://www.admin.mtu.edu/acct/dept/pur/purchcard/lockout.htm
• Info on why this is a problem:
– http://www.dallasnews.com/sharedcontent/dws/news/localnews/stories/070206dnmetpcards.192c71f.html
– http://financialplan.about.com/od/studentsandmoney/a/TeenCreditCards.htm
• Info on current program in place: http://arc.publicdebt.treas.gov/DWP/fs/fscredcard.htm#1
• Data and why this is needed – EPA’s complaint paper on current system: http://www.epa.gov/oig/reports/1995/bankrep.htm#CHAPTER%204
• How credit cards work: http://money.howstuffworks.com/credit-card2.htm
October 18, 2006 Green Team 42
Expert Testimony – Current Problems
• Navy sailors are given credit cards for travel because they do not have enough personal cash
– Spending money in “Girly Bars”
– Tabs in excess of $15,000
• Private Business
– Employee used company credit card to put $14,000 down payment on a house
– Employee bought several $1,500 airline tickets, and canceled the flight to collect the cash refund, which he used to finance his private company
– Employee bought $1,500 in thongs at Victoria Secret
October 18, 2006 Green Team 43
Expert Testimony - Current Solutions
• Only activating the credit card for the duration of the travel
• Background credit checks on employees to be entrusted with company funds
October 18, 2006 Green Team 44
Expert Testimony – Loose ends left by current solution
• Can’t regulate purchases
• Company liable for purchases
– Employees can’t pay the company back
• Must be taken to court
October 18, 2006 Green Team 45
Expert testimony – Time and Money spent on problem
• ~$25,000 per division per year
• 20 Divisions
• ~$250,000 per year for this company
• Credit card companies dropped the Navy as a customer because of fraud problems
October 18, 2006 Green Team 46
Expert Testimony - Data
• 2002: 1.4 million Government Travel Cards in use
– $3.4 billion spent on purchases with these cards
• One man made $262,800 in charges on 13 Government Credit Cards
October 18, 2006 Green Team 47
Expert Testimony – On C3P
• Target “high risk” employees
– In the 18-25 year-old bracket
• Don’t know how to use credit
– Employees with bad credit
October 18, 2006 Green Team 48
Authentication Methods
[Comparison chart. Criteria: Secure; Inexpensive; No Memorization Required; High degree of fraud protection; No Human Verification Required; Ease of use; Ease of Implementation]
[Methods compared: Fingerprint, Photo ID, PIN, Password, Retinal Scan, Signature]
October 18, 2006 Green Team 49
Fingerprints
Advantages:
• Relatively Mature Technology
• Low Cost
• Highly Portable Technology
Distinctiveness: High
Permanence: High
Collectibility: Medium
Performance: High
Acceptability: Medium
Potential for Circumvention: Low
October 18, 2006 Green Team 50
Biometric Fingerprints
• Finger Print Characteristics
– Genetic and environmental factors
– Never the same
– Biometric image cannot be reproduced
• Finger Print Scanner
– Capacitive Scanner
– Electric Current
October 18, 2006 Green Team 51
Appendix B
Merchant Commercial Code (MCC) – A specialized code that categorizes a store based on what it sells (e.g. Target and Wal-Mart have the same MCC)
Universal Product Code (UPC) – A code that designates a specific product, different for every brand and variation of a product (Lay’s and Pringle’s potato chips still have different UPCs)