
Software Engineering Experience-Fraud Detection

The document discusses a student project to design a credit card fraud detection system. The system would learn user spending patterns and automatically notify users or lock accounts for unusual transactions based on a risk score. The goal is to increase security by detecting unauthorized credit card use based on factors like location, time, amount, and differences from normal spending habits.

Uploaded by

Darshil Shah

Int'l Conf. Software Eng. Research and Practice | SERP'17 | 131

Software Engineering Experience- Fraud Detection


Suhair Amer and Zirou Qiu
Department of Computer Science,
Southeast Missouri State University, One University Plaza, Cape Girardeau, MO, USA 63701

Abstract – An undergraduate student produced the documentation and implemented a preliminary system as part of the requirements of a software engineering course. The developed system is a credit card fraud detection system. The G score was the key element that the system used to determine whether a transaction is a fraud action.

Keywords: G score, fraud detection, software engineering.

1 Introduction

Credit card fraud is defined as “unauthorized use of a credit/debit card, or card number, to fraudulently obtain money or property” (Brody et al, 2014), which is an increasing issue in every country. Around ten percent of Americans were victims of credit card fraud and $5.55 billion in credit card fraud was reported in 2012 worldwide (Brody et al, 2014). In terms of the number of people who own a credit card, in 2012, 60% of college seniors owned a credit card and 27% of people over the age of 50 had four or more credit cards (Arora et al. 2015). Because of the huge number of credit card users and the use of technology, having a functional and effective credit card fraud detection system has become necessary for everyone. Currently, there are several methods used by big companies to prevent illegal actions from happening, such as Card Verification Value Plus (CVVPlus). On the back of almost every major credit card there is a Card Verification Value (CVV) to verify payments when people shop online. But that CVV code is static and is not considered private once someone else knows it. The CVVPlus system provides consumers with a code that is updated daily (Kerner 2015). This is a good idea when it comes to fraud detection system design. Some scientists have also worked on developing a new binary support vector system to increase the detection rate of card fraud. This involves an artificial intelligence design that learns the spending pattern of users (Chen and Chen, 2006). This design is very classic and could effectively detect suspicious activities. Currently in the U.S., the most common type of card fraud is card-present fraud, where a user physically swipes the card using the card reader. EMV chip technology, which embeds a smart chip in the card, provides an extra shield of protection to a credit card (Marshall and Lattin, 2015). Major banks are now updating their cards with this new technology. There are many other ways to help users detect unrecognized behavior, such as distributed anomaly detection using cooperative learners and association rule analysis (Deshmeh and Rahmati, 2008).

The student in the Software Engineering course was required to use a software process to complete documentation related to analysis, design, object design, implementation and testing. To relate these steps to a real time project, the student chose to develop a credit card fraud detection system that uses user spending patterns and location to check for unusual patterns. The system stores previous transaction patterns for each user. Based on the user’s spending ability and country, it calculates the user's characteristics. If more than 20-30% deviation in the user's transaction (spending history and operating country) is detected, it will be considered an invalid attempt and the system takes action (requiring the user to log in again or even blocking the user for more than 3 invalid attempts).

2 Analysis

The purpose of the fraud detection system is to protect users’ data and increase the security level of credit cards. It learns users’ spending patterns, configures users’ information and automatically notifies users or locks the account when unidentified actions happen.

The target customers are banks and their clients who have credit cards. The number of users we are expecting is 1000. The geographic region the system is going to cover is our county.

The objective and success criterion of the project is that the system will formulize the user’s dynamic spending pattern based on the first N purchases, compare each purchase with the pattern and update the pattern gradually. Many factors are considered while building the pattern database, which include: the user’s approximate annual income; gender; address; when and where most of the transactions had taken place; the average amount per transaction; the frequency of using the ATM; the user’s tipping habits; categories of items that had been bought; and so on. In terms of comparing the most recent purchase P1 with the pattern P, the system will analyze a set of figures G, which includes the distance between P1 and P, the amount of transaction between P1 and P, the time of P1 and P (for example, attempting to use the card at 2 am when the user never used it after 1 pm before) and many other factors, to come up with a numeric value Gs. Based on the value of Gs, the system will determine the suspicious level S of P1 on a grade of 1 (least) to 5 (most) and take the corresponding action (whether it should let it go through without notifying users, let it go through with notifying users, or block the transaction while it is pending and lock the card).

The goal of this project is to design a credit card fraud detection system which could potentially learn users’ spending patterns, configure users’ information and automatically notify users or lock the account when unidentified actions happen, depending on a set of figures G.

The Functional Requirements are:

1. The system will formulize the user’s dynamic spending pattern based on the first N purchases, compare each purchase with the pattern and update the pattern gradually.

2. Many factors are considered in building the pattern, including the user’s approximate annual income; gender; address; when and where most of the transactions had taken place; the average amount per transaction; the frequency of using the ATM; the user’s tipping habits; categories of items that had been bought; and so on.

3. In terms of comparing the most recent purchase P1 with the pattern P, the system will analyse a set of figures G, which includes the distance between P1 and P, the amount of transaction between P1 and P, the time of P1 and P and many other factors, used to come up with a numeric value Gs.

4. Based on the value of Gs, the system will determine the suspicious level S of P1 on a grade of 1 (least) to 5 (most) and take the corresponding action (whether it should let it go through without notifying users, let it go through with notifying users, or block the transaction while it is pending and lock the card).

Table 1 explains what happens when someone uses a card.

Table 1: Scenario regarding checking who used the card

| Scenario name | WhoUsedMyCard |
| --- | --- |
| Participating actor instances | Alex: card owner. Ben: bad guy. |
| Flow of events | 1. Ben hacked into Alex’s computer, got his card information at 1 am and bought a lot of food online. 2. After comparing with the user’s spending pattern, the system found that the location where the transaction happened and the time don’t match, and the suspicious level is really high. The system immediately locks Alex’s account and sends a message to Alex, notifying him of this unrecognized action. 3. Alex receives the acknowledgment; after realizing the card has been used by someone else, he calls the card company for further processing. |

For the use case model, the following were identified:

• Client: the card owner
• Card: the credit card issued by the card company
• Previous record: the previous fraud record of this card
• No fraud action: the transaction suspicious level is 1, no action should be taken
• Suspicious level 2: the system changes the suspicious class of the transaction to level 2
• Suspicious level 3: the system changes the suspicious class of the transaction to level 3
• Suspicious level 4: the system changes the suspicious class of the transaction to level 4
• Suspicious level 5: the system changes the suspicious class of the transaction to level 5
• System manager: the system manager gets notified if the transaction level is higher than 2
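Functional requirements 1, 3 and 4 can be sketched in PHP, the language the project uses to calculate the G score. This is an added example, not the student's code: the paper gives no formula for Gs, so the function names, the normalization scales, the weights, the level cut-offs and the mapping of levels 2 to 5 onto the three actions are all assumptions, and the usual-hours window assumes the user's habits do not span midnight.

```php
<?php
declare(strict_types=1);
// PHP 8+. The scales, weights and level cut-offs below are illustrative assumptions.
/** Pattern P from the first N purchases: mean amount and location, usual hours. */
function buildPattern(array $purchases, int $n): array
{
    $first = array_slice($purchases, 0, $n);
    $mean = fn(string $k): float => array_sum(array_column($first, $k)) / count($first);
    $hours = array_column($first, 'hour');
    return ['amount' => $mean('amount'), 'lat' => $mean('lat'), 'lon' => $mean('lon'),
            'minHour' => min($hours), 'maxHour' => max($hours)];
}

/** Great-circle (haversine) distance in kilometres. */
function distanceKm(float $lat1, float $lon1, float $lat2, float $lon2): float
{
    $a = sin(deg2rad($lat2 - $lat1) / 2) ** 2
       + cos(deg2rad($lat1)) * cos(deg2rad($lat2)) * sin(deg2rad($lon2 - $lon1) / 2) ** 2;
    return 2 * 6371.0 * asin(min(1.0, sqrt($a)));
}

/** Figures G for purchase P1 against pattern P, each clamped to [0, 1]. */
function figuresG(array $p1, array $p): array
{
    $h = $p1['hour'];
    // Hours outside the usual window, measured around the 24-hour clock.
    $outside = ($h >= $p['minHour'] && $h <= $p['maxHour']) ? 0
        : min(($h - $p['maxHour'] + 24) % 24, ($p['minHour'] - $h + 24) % 24);
    return [
        'distance' => min(1.0, distanceKm($p1['lat'], $p1['lon'], $p['lat'], $p['lon']) / 500),
        'amount'   => min(1.0, abs($p1['amount'] - $p['amount']) / (3 * $p['amount'])),
        'time'     => min(1.0, $outside / 6),
    ];
}

/** Combine G into Gs, map Gs to suspicious level S (1..5) and choose the action. */
function assess(array $p1, array $p): array
{
    $g = figuresG($p1, $p);
    $gs = 0.4 * $g['distance'] + 0.4 * $g['amount'] + 0.2 * $g['time'];
    $s = min(5, 1 + (int) floor($gs * 5));
    $action = match (true) {
        $s === 1 => 'allow',
        $s <= 3  => 'allow_and_notify_user',
        default  => 'block_pending_transaction_and_lock_card',
    };
    return ['Gs' => round($gs, 2), 'S' => $s, 'action' => $action, 'notifyManager' => $s > 2];
}

// Constructed sample data: daytime purchases in one town, then two new purchases.
$history = [
    ['amount' => 42.0, 'hour' => 9,  'lat' => 37.31, 'lon' => -89.55],
    ['amount' => 18.5, 'hour' => 12, 'lat' => 37.30, 'lon' => -89.52],
    ['amount' => 63.0, 'hour' => 13, 'lat' => 37.32, 'lon' => -89.56],
];
$p = buildPattern($history, 3);
$usual = ['amount' => 30.0,  'hour' => 12, 'lat' => 37.31, 'lon' => -89.54];
$odd   = ['amount' => 480.0, 'hour' => 2,  'lat' => 40.71, 'lon' => -74.01];
echo json_encode(['usual' => assess($usual, $p), 'odd' => assess($odd, $p)], JSON_PRETTY_PRINT), "\n";
```

The `notifyManager` flag follows the use case model, where the system manager is notified when the level is higher than 2.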

ISBN: 1-60132-468-5, CSREA Press ©



3 Design

The goal of this project is to design a credit card fraud detection system which could potentially learn users’ spending patterns, configure users’ information and automatically notify users or lock the account when unidentified actions happen, depending on a set of figures G.

Table 2 lists an example of an entity-objects table. Table 3 lists an example of a boundary-objects table.

Table 2: Entity-objects table for ReportUndetected

| Entity Object | Attributes & Associations | Definition |
| --- | --- | --- |
| Account | 1. balance 2. history of fraud action 3. credit history 4. history of transaction | A bank account owned by clients who are currently using our fraud detection system. |
| Customer | 1. name 2. account 3. address 4. type | Customers are clients who own credit cards and use our fraud detection system. |
| Card reader | 1. sequence number 2. Company | Card reader is the machine which the user uses to make a transaction happen. |

Table 3: Boundary objects table for ReportUndetected

| Boundary Object | Definition |
| --- | --- |
| Login form | The interface where the user can log in with their account and password |
| Report Submit Button | The button used by a customer to initialize the ReportUndetected use case. |
| Report form | The interface where the user can report a suspicious transaction which the system didn’t detect |
| Report reply | The interface through which the system replies to the user’s report |
| Workstation | The station the system uses to analyze user data |

An example of a control object is Report-Undetected-Control, which manages the reporting form and reporting reply function. This object is created when the report form is filled and submitted. Then it collects the data from the account and the form that is analyzed by the workstation and then sent to the user through report reply. Also, it will record the sequence number of the card reader the user used.

With regard to persistent data management, the persistent data include a user’s password, history of transactions, card information, etc. They will all be stored in a MySQL database.

With regard to access control and security, code was added to prevent SQL injection into the MySQL database and JavaScript injection. All the passwords in the database are hashed using PHP password hashing. Specific users have access to a particular database and the system only grants them the least privileges.

With regard to boundary conditions and the start-up condition, it generally takes 5 seconds for the system to start up. It generally takes 10 seconds for the system to shut down completely.

Different design patterns have been checked to identify what works and what does not work with the system.

• Pattern 1: The Bridge design pattern would work with the system because the system needs to decouple the interface of the user class from its implementation and the developer should not be constrained by the existing component.
• Pattern 2: The Adapter design pattern would work with the system because some PHP code needs to be encapsulated since it was not designed to work with the system.
• Pattern 3: The Strategy design pattern would work with the system because so many algorithms need to be decoupled from their implementations. For example, the hash function used MD5.
• Pattern 4: The Abstract Factory design pattern would not work with the system because the system doesn’t need to encapsulate the creation of families of related objects since there are no related objects.
• Pattern 5: The Command design pattern would not work because the system doesn’t have any object responsible for command processing.
• Pattern 6: The Composite design pattern would not work because there are no hierarchies or superclasses in the system.


4 Implementation and results

The system was implemented as a client-server model, using HTML, JavaScript and PHP. For the client component, HTML and JavaScript are used for the GUI and client-side validation. PHP is used to perform server-side data validation, establish the connection to the database, store and retrieve data from the database, and calculate the G score.

Forms are implemented with HTML. After clicking each input field, a corresponding JavaScript function is called to check if the data is valid. After the data is submitted through the POST method, PHP will first check again that the data is valid to protect against web proxy attack. Then, if valid, it will connect to the database and store the data. After logging in, the user’s transaction history will be retrieved and output to the browser.

The user can successfully register, log in, process transactions, view history and detect fraud actions.

In the main page [Figure 1] the user is required to enter his/her email address, provide his/her password and then click on the “Log in” button. Users have the option to retrieve their passwords if they forgot them by clicking on the “Forgot Password?” link. If this is a first time user, he/she can register by clicking on the “Sign Up” link.

Figure 1: Main page

If this is a first time user, he/she will click on the “Sign Up” link, which will direct the user to a new form [Figure 2] that asks for information such as name, birth date, password, security question, etc.

Figure 2: Sign up page

The system requires the user to enter the password in a specific format. If this format is not met, the system will produce an error and ask the user to enter a new password [Figure 3]. The entry box of the password will be colored red if there is an error.

Figure 3: Error when the password is not in the correct format (in red)

The system also checks and produces an error if the two provided passwords do not match [Figure 4]. The entry box of the password will be colored red if there is an error and colored green if it is correct.

Figure 4: Error when the re-entered password does not match (in red).

Once both passwords match and are in the correct format, the password is accepted and the box is colored green [Figure 5].


Figure 5: Password re-entry accepted (in green).

Once the user has finished entering all required information [Figure 6], they can click on the “Get Started” button. The user has the option to cancel creating a new account by clicking on the “Already have an account” link.

Figure 6: Form is completed and ready to click “Get Started”.

Once the user has successfully created an account, they are required to log in through the main form [Figure 1]. The user will enter his/her email address and password, then click the “Log in” button. If the email address and password do not match, an error message will be displayed [Figure 7]. The user’s account will be blocked after 4 failed attempts.

Figure 7: Error message after entering the wrong user name or password.

Once the user accesses the system, he/she can choose one of the following items appearing on the top part of the New Transaction menu [Figure 8]:

• “New Transaction” where a new transaction is occurring and an amount is being withdrawn.
• “Transaction History” which displays a log of all transactions related to this account [Figure 9].
• “Fraud History” which displays a log of all transactions that are thought to be fraud.
• “About” which describes the project.
• “Logout” to log out of the system or this form.

Figure 8: Want to start a new transaction. Choose the “New Transaction” option.

Figure 9: List of transactions.
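The server-side controls named in the design and implementation sections (parameterized queries against injection, PHP password hashing, re-validation of posted data, escaping on output, and blocking after 4 failed attempts) fit together as in the following PHP sketch. It is an added example, not the student's code: the table layout, function names, password format and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
declare(strict_types=1);
// PHP 8+ with pdo_sqlite. Assumption: in-memory SQLite stands in for MySQL (runs offline).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, name TEXT NOT NULL,
           pw_hash TEXT NOT NULL, failed INTEGER NOT NULL DEFAULT 0)');

/** Server-side re-check of posted fields; the browser's JavaScript checks can be bypassed. */
function signupErrors(array $post): array
{
    $pw = $post['password'] ?? '';
    return array_keys(array_filter([
        'email'     => filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false,
        // Hypothetical password format: at least 10 characters with a letter and a digit.
        'password'  => preg_match('/^(?=.*[A-Za-z])(?=.*\d).{10,}$/', $pw) !== 1,
        'password2' => $pw !== ($post['password2'] ?? ''),
    ]));
}

function register(PDO $db, array $post): array
{
    $errors = signupErrors($post);
    if ($errors === []) {
        // Placeholders keep input out of the SQL text. password_hash() (bcrypt by
        // default) is salted and deliberately slow, unlike a fast digest such as MD5.
        $db->prepare('INSERT INTO users (email, name, pw_hash) VALUES (?, ?, ?)')->execute(
            [$post['email'], $post['name'] ?? '', password_hash($post['password'], PASSWORD_DEFAULT)]
        );
    }
    return $errors;
}

/** Returns 'ok', 'invalid' or 'blocked'; the account is blocked after 4 failed attempts. */
function login(PDO $db, string $email, string $password): string
{
    $stmt = $db->prepare('SELECT pw_hash, failed FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'invalid';
    }
    $failed = (int) $row['failed'];
    if ($failed >= 4) {
        return 'blocked';
    }
    $ok = password_verify($password, $row['pw_hash']);
    $failed = $ok ? 0 : $failed + 1;
    $db->prepare('UPDATE users SET failed = ? WHERE email = ?')->execute([$failed, $email]);
    return $ok ? 'ok' : ($failed >= 4 ? 'blocked' : 'invalid');
}

// Constructed inputs: one valid sign-up, then wrong passwords until the account is blocked.
register($db, ['email' => 'alex@example.com', 'name' => '<b>Alex</b>',
               'password' => 'correct-horse-42', 'password2' => 'correct-horse-42']);
for ($i = 1; $i <= 5; $i++) {
    echo "attempt $i: ", login($db, 'alex@example.com', "wrong-guess-$i"), "\n";
}
// Escape stored values on output so markup in a name is displayed as text, not run.
$name = $db->query('SELECT name FROM users')->fetchColumn();
echo 'Hello, ', htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "\n";
```

An unknown email and a wrong password both return `invalid`, so the login response does not reveal which accounts exist.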


5 Conclusion

This paper described the process of developing a system as part of the requirements of an undergraduate Software Engineering course. The student was required to apply the concepts studied in the course to develop a system that detects credit card fraud and to produce all necessary documents and graphs for the analysis, design, object design, implementation and testing stages.

The main objective of the course is not to develop a system but to apply concepts in developing a simple system to give students an idea about the process. In addition, the student had less than a month to implement and test the system. Therefore, this is not, by any means, a fully functioning system. The student was able to provide a working prototype of the interface that would be used if a user would use his/her card and receive feedback on whether this was actually the user or a fraud action. The G score was the key element that the system used to determine if the transaction is a fraud action.

The student successfully completed the requirements of the course and, after doing this project, the student indicated that he had a deeper understanding of PHP and web security.

6 References

Arora, R., Gupta, D., & Pahwa, P. (2015). Fraud Detection Life Cycle Model: A Systematic Fuzzy Approach to Fraud Management. International Journal of Computational Intelligence & Applications, 14(2).
Berghel, H. (2007). Credit Card Forensics. Communications of the ACM, 50(12), 11-14.
Brody, R. G., Brown, D. M., Chettry, A., & White, W. I. (2014). Proliferation of Credit Card Fraud with Current Technological Advances. Insights to A Changing World Journal, 2014(2), 92-107.
Chen, R., Chen, T., & Lin, C. (2006). A new binary support vector system for increasing detection rate of credit card fraud. International Journal of Pattern Recognition & Artificial Intelligence, 20(2).
Davis, K. (1998). The Bonnie and Clyde of credit card fraud. (Cover story). Kiplinger's Personal Finance Magazine, 52(7), 65.
Deshmeh, G., & Rahmati, M. (2008). Distributed anomaly detection, using cooperative learners and association rule analysis. Intelligent Data Analysis, 12(4), 339-357.
Kerner, S. M. (2015). Tender Armor Adding New Layer of Security to Credit Card Transactions. Eweek,
Marshall, E. A., & Lattin, M. (2015). Understanding the Payment Card Fraud Liability Shift. Commercial & Business Litigation, 17(1), 15-18.
Porkess, R., & Mason, S. (2012). Looking at debit and credit card fraud. Teaching Statistics, 34(3), 87-91.
