“A novel approach for ATM Users Security”
Khan Asif Ahmed 1, Prof. D. N. Besekar 2, Dr. Mohammed Atique 3
1, 2 Department of Computer Science & IT,
Shri Shivaji College of Arts Commerce & Science, Akola
aasifnasim@gmail.com, dnbesekar@gmail.com
3 P.G. Department of Computer Science,
SGB Amravati University, Amravati
atique_shaikh@rediffmail.com
ABSTRACT:
ATM has made banking more
convenient than ever before. With the touch of a few buttons you can withdraw
cash. ATM bank cash machines have
been incorporated in our way of life. They offer a real convenience to those on
the run, but at the same time offer an element of risk. Using a bank ATM
machine safely requires awareness and a little planning. Just because a bank
ATM machine is open and available 24-hours a day doesn't mean it is always safe
to use it.
Security is provided by the customer entering a personal
identification number (PIN). A PIN (the user's security code, or password, of
only 4 digits) is not sufficient. PIN security can be broken easily.
Also, an ATM card can be cloned.
ATM machines, cards and users are at risk because the fraud rate is
increasing day by day. This can be prevented with the help of
biometrics, where authorization of transactions is based on the scanning of a
customer's signature, fingerprints, iris and face, etc.
Biometrics refers to authentication
techniques that rely on measurable physical characteristics that can be
automatically checked.
There are several types of biometric identification schemes:
- Face: the analysis of facial characteristics
- Fingerprint: the analysis of an individual’s unique fingerprints
- Hand geometry: the analysis of the shape of the hand and the length of the fingers
- Retina: the analysis of the capillary vessels located at the back of the eye
- Iris: the analysis of the colored ring that surrounds the eye’s pupil
- Signature: the analysis of the way a person signs his name
- Vein: the analysis of the pattern of veins in the back of the hand and the wrist
- Voice: the analysis of the tone, pitch, cadence and frequency of a person’s voice
INTRODUCTION:
An automated teller machine (ATM)
is a computerized telecommunications device that provides the customers of a
financial institution with access to financial transactions in a public space
without the need for a human clerk or bank teller. On most modern ATMs, the
customer is identified by inserting a plastic ATM card with a magnetic stripe
or a plastic smartcard with a chip that contains a unique card number and some
security information, such as an expiry date or CVC (CVV). Security is provided
by the customer entering a personal identification number (PIN).
The Card Security Code (CSC),
sometimes called Card Verification Value (CVV or CV2), Card
Verification Value Code (CVVC), Card Verification Code (CVC), Verification
Code (V-Code or V Code), or Card Code Verification (CCV) is a
security feature for credit or debit card transactions, giving increased
protection against credit card fraud.
SECURITY:
Security, as it relates to ATMs, has several dimensions. ATMs also provide a practical demonstration of a number of security systems and concepts operating together and how various security concerns are dealt with.
1.0 Transactional secrecy and integrity:
The security of ATM
transactions relies mostly on the integrity of the secure cryptoprocessor: the
ATM often uses commodity components that are not considered to be "trusted
systems".
Encryption of personal
information, required by law in many jurisdictions, is used to prevent fraud.
Sensitive data in ATM transactions are usually encrypted with DES, but
transaction processors now usually require the use of Triple DES. [1]
Remote Key Loading techniques may be used to ensure the secrecy of the
initialization of the encryption keys in the ATM. Message Authentication Code
(MAC) or Partial MAC may also be used to ensure messages have not been tampered
with while in transit between the ATM and the financial network.
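An added example (not part of the original paper) of how a full MAC and a partial MAC react when a message is altered between the ATM and the network. It uses HMAC-SHA-256 from the Python standard library as a stand-in for the DES/Triple DES based MACs used on ATM networks, and assumes that a partial MAC covers only a chosen subset of fields; the key, field names and message are constructed.

```python
import hashlib
import hmac

# Constructed demo key; on a real ATM the MAC key lives in the cryptoprocessor.
MAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Hypothetical subset of fields covered by the partial MAC.
PARTIAL_FIELDS = ("pan", "amount", "stan")


def _encode(msg, fields):
    """Length-prefix every field so values cannot run into each other."""
    out = bytearray()
    for name in fields:
        value = msg[name].encode("ascii")
        out += name.encode("ascii") + b"=" + len(value).to_bytes(2, "big") + value
    return bytes(out)


def compute_mac(key, msg, fields=None):
    """MAC over all fields (fields=None) or only over the listed ones."""
    covered = sorted(msg) if fields is None else fields
    return hmac.new(key, _encode(msg, covered), hashlib.sha256).digest()[:8]


def verify_mac(key, msg, tag, fields=None):
    """Constant-time comparison of the received tag with a freshly computed one."""
    return hmac.compare_digest(compute_mac(key, msg, fields), tag)


def tamper_report(key, original, altered):
    """Return (full_ok, partial_ok) for a message altered in transit."""
    full_tag = compute_mac(key, original)
    partial_tag = compute_mac(key, original, PARTIAL_FIELDS)
    return (verify_mac(key, altered, full_tag),
            verify_mac(key, altered, partial_tag, PARTIAL_FIELDS))


# Constructed withdrawal request (not a real card or terminal).
REQUEST = {"pan": "4000001234567899", "amount": "000000010000",
           "stan": "000123", "terminal_id": "ATM00042"}

if __name__ == "__main__":
    print(tamper_report(MAC_KEY, REQUEST, REQUEST))
    print(tamper_report(MAC_KEY, REQUEST, {**REQUEST, "amount": "000000990000"}))
    print(tamper_report(MAC_KEY, REQUEST, {**REQUEST, "terminal_id": "ATM00099"}))
```

A change to a field outside the partial MAC's coverage passes verification, so the covered field list has to include every value the receiving side acts on.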
1.1 Customer identity integrity:
There have also been a
number of incidents of fraud where criminals have attached fake keypads or card
readers to existing machines. These have then been used to record customers'
PINs and bank card information in order to gain unauthorized access to their
accounts. Various ATM manufacturers have put in place countermeasures to
protect the equipment they manufacture from these threats. [2][3]
RELIABILITY:
Before an ATM is placed in
a public place, it typically has undergone extensive testing with both test
money and the backend computer systems that allow it to perform transactions.
Banking customers also have come to expect high reliability in their ATMs, which
provides incentives to ATM providers to minimize machine and network failures.
Financial consequences of incorrect machine operation also provide high degrees
of incentive to minimize malfunctions. [4]
Of course, not all errors
are to the detriment of customers; there have been cases of machines giving out
money without debiting the account, or giving out higher value notes as a
result of incorrect denomination of banknote being loaded in the money
cassettes. Errors that can occur may be mechanical (such as card transport
mechanisms; keypads; hard disk failures); software (such as operating system;
device driver; application); communications; or purely down to operator error.
To aid in reliability,
some ATMs print each transaction to a roll paper journal that is stored inside
the ATM, which allows both the users of the ATMs and the related financial
institutions to settle things based on the records in the journal in case there
is a dispute. In some cases, transactions are posted to an electronic journal
to remove the cost of supplying journal paper to the ATM and for more
convenient searching of data.
FRAUD:
As with any device
containing objects of value, ATMs and the systems they depend on to function
are the targets of fraud. Fraud against ATMs and people's attempts to use them
takes several forms.
The first known instance
of a fake ATM was installed at a shopping mall in Manchester, Connecticut
in 1993. By modifying the inner workings of a Fujitsu model 7020 ATM, a
criminal gang known as The Bucklands Boys was able to steal information from
cards inserted into the machine by customers. [6]
In some cases, bank fraud
could occur at ATMs whereby the bank accidentally stocks the ATM with bills in
the wrong denomination, therefore giving the customer more money than should be
dispensed.[7] The result of receiving too much money may be
influenced by the cardholder agreement in place between the customer and the
bank.[8][9]
ATM behavior can change
during what is called "stand-in" time, where the bank's cash
dispensing network is unable to access databases that contain account
information (possibly for database maintenance). In order to give customers
access to cash, customers may be allowed to withdraw cash up to a certain
amount that may be less than their usual daily withdrawal limit, but may still
exceed the amount of available money in their account, which could result in
fraud.[10]
CARD FRAUD:
In an attempt to prevent
criminals from shoulder surfing the customer's PINs, some banks draw privacy
areas on the floor.
For a low-tech form of
fraud, the easiest is to simply steal a customer's card. A later variant of
this approach is to trap the card inside of the ATM's card reader with a device
often referred to as a Lebanese loop. When the customer gets frustrated by not
getting the card back and walks away from the machine, the criminal is able to
remove the card and withdraw cash from the customer's account.
Another simple form of
fraud involves attempting to get the customer's bank to issue a new card and
stealing it from their mail. [11]
Some ATMs may put up
warning messages telling customers not to use them when they detect possible
tampering.
The concept and various methods of
copying the contents of an ATM card's magnetic stripe on to a duplicate card to
access other people's financial information was well known in the hacking communities
by late 1990.[12]
By contrast, a newer
high-tech modus operandi involves the installation of a magnetic card
reader over the real ATM's card slot and the use of a wireless surveillance
camera or a modified digital camera to observe the user's PIN. Card data is
then cloned onto a second card and the criminal attempts a standard cash
withdrawal. The availability of low-cost commodity wireless cameras and card
readers has made it a relatively simple form of fraud, with comparatively low
risk to the fraudsters. [13]
In an attempt to stop
these practices, countermeasures against card cloning have been developed by
the banking industry, in particular by the use of smart cards which cannot
easily be copied or spoofed by un-authenticated devices, and by attempting to
make the outside of their ATMs tamper evident. Older chip-card security systems
include the French Carte Bleue, Visa Cash, Mondex, Blue from American Express
[14] and EMV '96 or EMV 3.11. The most actively developed form of smart
card security in the industry today is known as EMV 2000 or EMV 4.x.
EMV is widely used in the UK (Chip and PIN) and other parts of Europe, but when it is not available in a specific area,
ATMs must fall back to using the easy-to-copy magnetic stripe to perform
transactions. This fallback behaviour can be exploited. [15] However,
the fallback option has been removed by several UK banks, meaning that if the chip is
not read, the transaction will be declined.
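An added example (not part of the original paper) of the check behind the no-fallback policy: the magnetic stripe's Track 2 carries a three-digit service code whose first digit (2 or 6) marks a chip-bearing card, so stripe data from such a card can be declined. The entry-mode labels, decision strings and card data below are hypothetical and constructed.

```python
import re

# Track 2 layout: start sentinel ';', PAN, '=', expiry YYMM, 3-digit service
# code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r"^;?(\d{12,19})=(\d{4})(\d{3})(\d*)\??$")


def parse_track2(raw):
    """Split a Track 2 string into its fields; raise ValueError if malformed."""
    match = TRACK2_RE.match(raw.strip())
    if match is None:
        raise ValueError("not a valid Track 2 string")
    pan, expiry, service_code, discretionary = match.groups()
    return {"pan": pan, "expiry_yymm": expiry,
            "service_code": service_code, "discretionary": discretionary}


def stripe_says_chip(service_code):
    """First service-code digit 2 or 6 marks a card that carries a chip."""
    return service_code[0] in "26"


def entry_decision(track2, entry_mode, allow_fallback):
    """entry_mode is 'chip', 'magstripe' or 'fallback' (labels are hypothetical)."""
    if entry_mode not in ("chip", "magstripe", "fallback"):
        raise ValueError("unknown entry mode")
    card = parse_track2(track2)
    if entry_mode == "chip" or not stripe_says_chip(card["service_code"]):
        return "continue"
    # A chip card arrived as stripe data: a declared fallback or a cloned stripe.
    if entry_mode == "fallback" and allow_fallback:
        return "continue-flagged"
    return "decline"


# Constructed Track 2 samples (not real cards).
CHIP_CARD = ";4000001234567899=30122010000000000?"
STRIPE_ONLY_CARD = ";4000009876543210=30121010000000000?"

if __name__ == "__main__":
    for mode, policy in (("magstripe", True), ("fallback", True), ("fallback", False)):
        print(mode, policy, entry_decision(CHIP_CARD, mode, policy))
    print("magstripe", False, entry_decision(STRIPE_ONLY_CARD, "magstripe", False))
```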
In February 2009, a group
of criminals used counterfeit ATM cards to steal $9 million from 130 ATMs in 49
cities around the world all within a time period of 30 minutes. [16]
Card cloning and skimming
can be detected by the implementation of magnetic card reader heads and
firmware that can read a signature embedded in all magnetic stripes during the
card production process. This signature known as a "MagnePrint" or
"BluPrint" can be used in conjunction with common two factor
authentication schemes utilized in ATM, debit/retail point-of-sale and prepaid
card applications.
PROPOSED SECURITY SYSTEMS:
Alternate methods to verify
cardholder identities have been tested and deployed in some countries, such as
finger and palm vein patterns,[17] iris, and facial recognition
technologies. However, recently, cheaper mass production equipment has been
developed and is being installed in machines globally that detects the presence of
foreign objects on the front of ATMs; current tests have shown 99% detection
success for all types of skimming device.[18]
Manufacturers have
demonstrated and deployed several different technologies on ATMs that have
not yet reached worldwide acceptance, such as:
- Biometrics, where authorization of transactions is based on the scanning of a customer's fingerprint, iris, face, etc.
- Co-ordination of ATMs with mobile phones[19]
Note that an IC Cash Card is the Japanese term for a
SmartCard-based ATM card. This definition excludes, I believe, credit cards
with Chip and Pin functionality, and is sometimes associated with extra
biometrics information - a good number of the ATMs in Japan are fitted out with
fingerprint or vein scanners.
There are several types of biometric identification schemes:
- Face: the analysis of facial characteristics
- Fingerprint: the analysis of an individual’s unique fingerprints
- Hand geometry: the analysis of the shape of the hand and the length of the fingers
- Retina: the analysis of the capillary vessels located at the back of the eye
- Iris: the analysis of the colored ring that surrounds the eye’s pupil
- Signature: the analysis of the way a person signs his name.
CONCLUSION:
ATM machines, cards and users are at
risk because the fraud rate is increasing day by day. This can be prevented
with the help of biometrics, where authorization of transactions is based on
the scanning of a customer's fingerprint, iris, face, etc.
In particular:
- An ATM machine with a biometric scanning support system
- The existing ATM card can be modified with individual photos, fingerprints, iris, etc.
- An ATM card can also be modified as a cell phone SIM card (for wireless networking)
- An ATM card can be replaced by fingerprints, hand, iris, and face.
REFERENCES:
[2] "The No. 1 ATM security concern" www.atmmarketplace.com
[3] "ATM Fraud and Security White Paper" a Diebold report via Credit Union National Association http://buy.cuna.org/download/diebold_fraudpaper.pdf
[4] "ATM gives out free cash and lands family in court" Guardian Unlimited http://www.guardian.co.uk/uk_news/story/0,3604,875749,00.html
[5] "Uptime in Real Time" PDF NCR publication http://www.ncr.com/en/self-service/services_v_1.pdf
[6] The Bucklands Boys and Other Tales of the ATM http://www.wired.com/wired/archive/1.05/atm_pr.htm
[7] Double money in cash point error BBC http://news.bbc.co.uk/1/hi/england/tyne/3667279.stm
[8] Client Agreement – Client Card and Personal Identification Number Royal Bank of Canada Client Card Cardholder Agreement http://www.rbcroyalbank.com/cards/documentation/ch_agreements/ch_agree_client.html
[9] "Mad rush to faulty ATM in France" BBC report about a cash machine not being stocked correctly http://news.bbc.co.uk/1/hi/world/europe/4552288.stm
[10] HCA 4; (1986) 160 CLR 129 (20 February 1986) Australasian Legal Information Institute http://en.wikipedia.org/wiki/AustLII
[11] Fun with Automatic Tellers Phrack Magazine Volume One, Issue Eight http://venus.soci.niu.edu/~cudigest/phracks/phrack-08
[12] Phrack Magazine, Phrack Classic Volume Three, Issue 32
[13] Snopes.com Snopes
[14] What the Hell Do Smart Cards Do? Fast Company http://www.fastcompany.com/magazine/56/wth.html
[15] Four more held in fake credit card racket case The Hindu
[16] Debit Card Cloning Ring Nets $9 Million in ATM Heist, ABC News, February 5, 2009
[17] "Japan Seeks To Standardize Biometric ID Method for ATMs" International Biometric Industry Association http://en.wikipedia.org/w/index.php?title=IBIA&action=edit&redlink=1
[18] "Cards: Biometrics Stalled Amid The Hype" International Biometric Industry Association http://www.ibia.org/biometrics/industrynews_view.asp?id=103
[19] Japanese bank to allow cell phone ATM access Engadget http://www.engadget.com/2006/01/27/japanese-bank-to-allow-cellphone-atm-access/