CM50209 Coursework 2
1 February 2021
Updated 6 February 2021
The aim of this coursework, worth 50% of the total for CM50209, is to write
a report on the security of payment (credit and debit) card usage, ideally your
1 Key Dates
All timings UK time (UTC until 01:00 28 March, then UTC+1)
20:00 Friday 12 March 2021 Submit your raw data. ideally as three zip
files. It is possible that it will be too big for Moodle, in which case use
Dropbox or another repository, and submit a file for each site with the
links in it. each site should be in a separate archive. Also submit a
text file Pseudonym.txt with some pseudonym of your invention.
20:00 Friday 16 April Final Coursework report due (as a PDF, divided into
five chapters according to the five parts listed below). Also submit the
same text file Pseudonym.txt.
The purpose of Pseudonym.txtis to connect the two anonymous submis-
2 Phase 1: Data Gathering
I require each of you to make (or “pretend to make”, getting as far as sub-
mitting syntactically correct payment card data1) three online purchases from
different vendors, at least two of which must be commercial vendors (i.e. not
government/university websites). For these online purchases, you should collect:
• The web page (i.e. the actual HTML) you were entering the purchase
data (Primary Account Number, CVV etc.) into — note that you may
wish to save the web page before entering the data!;
1Note that if you just type in 16 digits as your card number, it is unlikely to
be syntactically correct: many sites do give correct card numbers for this purpose,
e.g. https://www.freeformatter.com/credit-card-number-generator-validator.html or
• A screen shot of the page (again, probably before data entry);
• The browser’s log (typically a HAR file) of the entire process, from your
starting to interact with the website to purchase accepted/declined;2
• The network trace (Wireshark or equivalent), of the purchase process.
I will demonstrate this process in the week 2 LOIL sessions.
3 Phase 2: Analysis
You should write a report with the following sections
1–3. Analysis (10 marks each) in detail of three of your online transactions
to three different merchants. This should include the following.
(a) With which websites does your browser communicate during the
transaction? Are there any that worry you, or whose function you
do not understand?
(b) Looking at the logs, to which sites does your payment card number
get sent, and how is it protected in transit? You should quote the
relevant part of the logs, but should replace the card number and
any other identifying/sensitive data, e.g. by NNNN NNNN NNNN NNNN,
etc. this calls3, do you feel confident you know what it is doing with
(d) How dependent is the HTML/JavaSscript. . . you have in your exam-
ples on the correct functioning of the DNS (Note that I am not asking
how the DNS might be hacked, but rather what if.)? In particular,
could bad DNS results result in a security problem?
(e) What makes you think that the sum of money displayed to you is
the sum that will be transmitted to your bank?
4. Comparison (10 marks) Having looked at these three sites: what are
their strengths and weaknesses from a security point of view. Is there any
site you would rather not use ( from a security point of view)?
5. Conclusions (10 marks).
(a) What have you learned about the security of your card data?
2There’s a FNU (Feature of Negative Utility) in Chrome (at least v84): if you are working
in one tab, with logging on, and get switched to a different tab, the different tab doesn’t
automatically get logged (whereas an iframe in the same tab should get logged). Beware that
this might mean you don’t log the critical part.
investigation might have to - see the BA hack).
(b) In particular, what did you learn from the logs/HTML/etc. that you
could not have reasonably deduced as a shopper with no access to
(c) How obvious is the security of the websites to the shopper?
(d) How might the system be more transparent to the shopper?
Q Debit cards?
A Same as credit cards for this purpose. Your contract with the issuer is
different, but the payment process doesn’t care.
Q Paypal accounts?
A I’m not sure: try it once and discuss the data with me.
Q I tried recording my network traffic, this time using Firefox4 but still my
debit card details are not present.
A The student was using first Chrome, and then Firefox, and connecting to
wizzair.com (an Eastern European airline - think Ryanair translated into
Hungarian). I repeated the experiments, first using GWR (Great West-
ern Railways) and the using Wizzair, with both browsers (it seems to be
browser-independent). The student is mostly correct - with GWR the
credit card number shows up in a POST command from the browser, but
with Wizzair it doesn’t. With wizzair, though, I can see my address re-
flected back, BUT only in a response field. This is in response to what
looks like a post of an encoded string. I haven’t yet worked out the precise
mechanism. But the lesson is clear: the address is in a response field, but
not visible in a sent packet, so it must be sent somehow, and the card
number presumably is as well, encoded somehow in this.
Q How much to anonymise?
A At least the credit card number (PAN) and the CVV should be anonymised:
names and addresses are optional.
Q What is the relationshop between 1(b) (or 2(b) or 3(b)) and 5(b)?
A So 1(b) (etc.) are about a specific site, while question 5 is your overall view
of the process (based on a sample of 3, obviously). So you might say “Site
2 was much more transparent than the others, and is a good example of
what can be achieved, because . . . ” (assuming that’s what you observed!).
4Because of the Chrome FNU 学霸联盟