A Safeguard against ATM Fraud - IEEE Xplore

2016 IEEE 6th International Conference on Advanced Computing (IACC)

A SAFEGUARD AGAINST ATM FRAUD

Shweta Sankhwar
Department of Information Technology, Babasaheb Bhimrao Ambedkar University, Lucknow, India, [email protected]

Dhirendra Pandey
Department of Information Technology, Babasaheb Bhimrao Ambedkar University, Lucknow, India, [email protected]

Abstract. Electronic transaction security is becoming more important in every aspect of Automated Teller Machine (ATM) operation. As the number of ATM users grows, ATMs become more attractive targets for attack. These attacks present security risks such as card cloning or PIN disclosure. Secure electronic transactions have therefore become a top priority for avoiding ATM fraud. This article surveys the tools and techniques of ATM fraud and develops a secure-layer electronic transaction mechanism for ATMs to prevent it. Through this mechanism cardholder identification, authentication, authorization and security clearance are strengthened. Against shoulder surfing (a fraud technique), two technical security controls are proposed to enhance ATM transaction security.

Keywords — ATM, ATM Fraud, Insecure Transaction in Electronic Banking, OTP (One Time Password).

978-1-4673-8286-1/16 $31.00 © 2016 IEEE. DOI 10.1109/IACC.2016.135

I. INTRODUCTION

A cardholder is identified by inserting a credit/debit card, whose magnetic stripe holds a unique card number and some security information, into the ATM. Security is compromised when the Personal Identification Number (PIN) or the card details are obtained by trickery. Card cloning is a major problem: criminals create a duplicate of a credit/debit card carrying the cardholder's details [1]. PIN capture is an equally serious problem. The PIN is a 4-digit security number; fraudsters capture cardholders' PINs to access bank accounts, withdraw money or make purchases. High standards of protection against security risk and fraud are therefore required to maintain secure, reliable and trustworthy electronic transactions.

To maintain users' trust and confidence in ATM security it is necessary to develop a secure layer of electronic transaction security. Towards this purpose, this paper develops a secure-layer electronic transaction mechanism for ATMs. The mechanism is proposed to reduce anonymity and to increase authenticity, confidentiality and users' trust in ATM electronic transaction security.

This paper is organized as follows: Section I is the Introduction, Section II briefly describes ATM fraud, Section III describes the techniques and tools used in ATM fraud, Section IV discusses the existing safeguards of the ATM, Section V proposes the enhanced safeguard, Section VI lists its advantages, Section VII states its limitations and future work, and Section VIII concludes the paper.

II. ATM FRAUD

As the number of persons using ATMs grows, ATMs become more attractive targets for attack. These attacks present security risks such as card cloning or PIN disclosure, and those risks broadly lead to violations of privacy and direct financial loss through ATM fraud. It is generally believed that high-quality security raises the trust and confidence of end users, yet the so-called high-quality security of ATMs is observed to be eroding day by day.

III. TECHNIQUES/TOOLS USED IN ATM FRAUD

ATMs provide several services, e.g., cash withdrawal and fund transfer. The ATM, also called a cash machine, is one of the leading technological innovations of the twentieth century. An ATM card is a plastic card with a magnetic stripe containing the relevant details of the cardholder [2]. Some techniques and tools used in ATM card-present transaction fraud are discussed below.

A. Shoulder surfing

PIN capture is a crucial problem. Shoulder surfing means watching someone enter their PIN at the ATM. It is most effective in crowded places, where the fraudster stands close enough to the genuine cardholder that both can see the card details, i.e., PIN, card number, expiry date and CVV number. Nowadays more than two ATMs are often installed in a single ATM room, which invites shoulder surfing. Related tactics include distracting people at the ATM and stealing their cards unnoticed, or simply tricking them into handing over their cards and PINs on their own doorstep [3].

B. Hidden camera

PIN capture can be done with various imaging devices such as a camera or camera lens. Cameras are hidden so as to record the user's PIN as it is entered on the ATM keypad. It is observed that most fraud takes place because the credit/debit card PIN is disclosed. A concealed camera is also used together with a skimming device: the skimmer copies the card while the camera captures the PIN being typed on the keypad [4]. The camera is usually hidden somewhere that gives it a view of the ATM keypad, as shown in Fig.1.

Fig.1 Techniques/Tools used in ATM fraud

C. Skimmer

Skimming is a technique used by fraudsters to capture the confidential data stored on the magnetic stripe of an ATM card. An "ATM skimmer" is a malicious device that criminals attach to an ATM to copy credit/debit cards and capture users' PINs [3,4].

D. Keypad overlays

This is a newer technique, designed to go unnoticed and blend in with the standard ATM keypad. The overlay lets the keypad underneath function normally, so the person uses the ATM without noticing anything [4]. The overlay records every keystroke, i.e., it steals the customer's PIN as it is punched into the dummy keypad placed over the real one. At the same time a card-slot overlay copies the confidential data from the magnetic stripe. The fraudsters assemble the captured information on their computer and clone the card onto blank card stock [5]. It is a serious threat and needs a proper approach to overcome.

E. Mid-night ATM fraud

This is a real fraudulent activity that takes place in practice. Using advanced, persistent fraud techniques that keep pace with new security trends, fraudsters manage to purge the logs from the targeted ATM, leaving no evidence. If fraudsters obtain the ATM PIN and skim the credit/debit card, they try to take out the maximum amount in the shortest possible time.

For instance, having stolen the PIN and the card, or cloned the card, the fraudsters withdraw the maximum limit amount at 11:55 pm and withdraw the maximum limit amount again at 12:05 am, ten minutes later. Because the withdrawal limit is counted per calendar day, the two withdrawals fall on different days and the fraudster obtains twice the daily maximum within a few minutes.

IV. EXISTING SAFEGUARD

For the last few years banks have introduced strict checks into the authentication procedure for electronic transactions. One Time Password (OTP) based authentication is now common across internet banking, but it is new for ATM withdrawals, which is why that concept is proposed here. Electronic transaction security is potentially a massive problem, so it is essential to develop a mechanism that is reliable and secure. Over the last few years the need for a secure electronic transaction mechanism has become increasingly evident. Lack of control over the confidentiality of credit/debit card data leads to fraud by unscrupulous elements; inadequate control over card security data is the single largest factor that widens the scope for fraud.

Since the data is usually stored on magnetic media without adequate controls, tampering with it cannot be detected easily, and unauthorized changes and modifications to the ATM can lead directly to fraud. An effective control mechanism is required for successful management of the risks associated with the alternate delivery channels (ADC) of banking. A successful attack penetrates the protection layer and exploits the vulnerable design; successive layers of protection defeat some of the attacker's actions. The regulatory framework must also take into account related issues such as card cloning and the user's right to privacy of their information.

A. Credit/Debit/ATM card

Cashless transactions are carried out with these credit/debit cards. The user's authentication process starts by swiping the card in the ATM; the card carries the authentication of the user through the ATM to the user's account at the bank [4]. Some security risk still remains, namely the possibility of losing the card details and suffering financial loss. The entities involved in the card system are:

• Cardholder
• Card issuing bank
• ATM
• Card association
• Bank database server

A magnetic stripe is fixed on the back of the card. It holds certain information about the user, such as the account/card number, expiry date and a card verification value; the PIN itself is not stored on the stripe but is verified against data held by the bank. After the card is inserted into the slot, the ATM reads the account number from the stripe and checks it against the information stored in the bank database, which it reaches through the attached host computer. Once the card is found valid the ATM prompts the cardholder for his/her PIN, then checks whether it is correct. Once the PIN matches the one held by the server, the cardholder is allowed to proceed with the transaction [6].

B. Personal Identification Number (PIN)

A PIN is a 4-digit security password that the cardholder has to give whenever he/she wants to use the card. Unfortunately, at an ATM the password can only be a combination of numerical digits, because the machine has a limited number of keys [6].

Pseudo code for the current ATM transaction pattern:
1. Insert card into the ATM.
2. Pop up an input field to check whether a human being is present.
3. Select language.
4. Input PIN.
5. Prompt to choose the account type.
6. Select the activity (transaction type).
7. Input the transaction amount.
8. Receive the transaction amount.

Fig. 3. Secure layer Electronic Transaction Model of ATM (entities: User, ATM Machine, Bank Database Server, Card Association, Issuing Bank; the arrows are numbered 1-14 as in the steps that follow, the OTP round trip reusing arrows 11(i)-13(ii))

V. PROPOSED SAFEGUARD

A. Secure layer electronic transaction mechanism of ATM: One Time Password (OTP)

Fig 2: Secure layer Electronic Transaction Mechanism of ATM (card and PIN no. provide user verification and user authentication; the OTP adds a secure layer of authentication)

A One Time Password (OTP) is a secure layer for ATM electronic transactions that enhances security in terms of both authorization and authentication. The OTP is received on the mobile number (SIM card) registered against the user's bank account; the SIM is a smart card that identifies the subscriber on the mobile network over which the OTP is delivered. This secure-layer mechanism strengthens confidentiality and stands against security risks such as card cloning or card skimming, as shown in Fig.2. If a fraudster tries to use a cloned credit/debit card, he cannot withdraw money or make a purchase without also receiving the OTP [8][9].

This research paper proposes a secure layer of authentication, the One Time Password (OTP), for protection from advanced persistent threats and fraud. A simple ATM card plus PIN is not sufficient against the kind of advanced persistent threats and fraud seen today [7]. It is necessary to include an OTP, since it represents a distinct way of thinking about secure ATM electronic transactions and builds users' trust and confidence in the ADC of banking [8].

Figure 3, "Secure layer Electronic Transaction Model of ATM", is explained below step by step:

1. The cardholder uses a credit/debit card as the payment mode.
2. After the card is swiped and the PIN is entered manually, the ATM sends the transaction information to the bank database server.
3. The bank database server transmits the transaction details to the card association.
4. The card association transmits the transaction details to the issuing bank for authorization.
5. The issuing bank validates the cardholder details and returns the result to the card association network.
6. The card association passes the validation to the bank database server, which forwards it to the ATM.
7. The ATM instructs the cardholder to collect the withdrawal amount.
8. If the conditions to generate an OTP are met, then:
9. The issuing bank generates an OTP and sends it to the cardholder.
10. The cardholder manually enters the OTP at the ATM.
11. The ATM sends the OTP transaction information to the bank database server.
12. The bank database server sends the transaction information to the issuing bank via the card association for OTP validation.
13. The issuing bank validates the OTP to the card association, which in turn validates it to the bank database server, and the result is finally transmitted to the ATM.
14. The withdrawal transaction is completed.

To implement the OTP, a mobile number must be registered with the bank, and the bank must ask the cardholder for an OTP threshold limit. Suppose the cardholder declares a threshold limit for OTP = Rs.10,000. Two cases then arise, explained in detail below. In both cases, if the card details, PIN and other conditions for withdrawing the amount are satisfied, the ATM transaction process begins and the OTP threshold limit is checked to decide whether an OTP is transmitted.

Case I. OTP for the first transaction of an amount

1. Transaction = TRUE; Withdrawal Amount = 10,000; no OTP is required. In the first condition the withdrawal amount, 10,000, equals the threshold limit of 10,000, so no OTP is transmitted and the cardholder can withdraw the amount without an OTP.
2. Transaction = TRUE; Withdrawal Amount = 5,000; no OTP is required. In the second condition the withdrawal amount is less than the threshold limit, so no OTP is transmitted and the cardholder can withdraw the amount without an OTP.
3. Transaction = TRUE; Withdrawal Amount = 20,000; OTP is required. In the third condition the withdrawal amount is greater than the threshold limit, so an OTP is transmitted for the transaction; without the OTP the cardholder cannot withdraw the amount.

Case II. OTP for a second (or later) transaction of an amount

1. Transaction = TRUE; Withdrawal Amount = 10,000; no OTP is required. As in Case I, the first withdrawal of 10,000 equals the threshold limit of 10,000, so no OTP is transmitted and the cardholder can withdraw the amount without an OTP.
2. Transaction = TRUE; Withdrawal Amount = 10,000; OTP is required. If the cardholder needs to withdraw more after the first transaction and makes a second one, the amount of 10,000 seems equal to the threshold limit, but added to the first withdrawal it exceeds the limit by 10,000 (10,000 + 10,000 = 20,000). The total withdrawal is now greater than the threshold limit of 10,000, so an OTP is transmitted; without the OTP the cardholder cannot withdraw the amount.
3. Transaction = TRUE; Withdrawal Amount = 5,000; OTP is required. If the cardholder makes a third transaction, the amount seems less than the threshold limit, but the running total exceeds it by 5,000 or 15,000 once the earlier withdrawals are added (10,000 + 5,000 = 15,000, or 10,000 + 10,000 + 5,000 = 25,000). Hence the total is greater than the threshold limit, an OTP is transmitted, and without it the cardholder cannot withdraw the amount.
4. Transaction = TRUE; Withdrawal Amount = 20,000; OTP is required. If the cardholder makes a fourth transaction of 20,000, the amount is directly greater than the threshold limit, so an OTP is transmitted and without it the cardholder cannot withdraw the amount.
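The threshold rule of Cases I and II, together with the issuing-bank side of steps 8-14, can be written down as a small piece of bank-side logic. The following Python is an added example written for this page; it is not code from the paper or from any bank or ATM vendor. It assumes a 24-hour rolling window for the running total, a six-digit OTP valid for two minutes and a constructed SMS outbox standing in for the mobile network, none of which the paper specifies; Account, request_withdrawal and complete_withdrawal are hypothetical names.

```python
"""Added example: OTP-gated withdrawal policy and message flow of Section V.A."""
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumed design parameters; the paper fixes none of them.
WINDOW_SECONDS = 24 * 3600   # rolling window for the running total (not a calendar day)
OTP_DIGITS = 6
OTP_TTL_SECONDS = 120


@dataclass
class Account:
    balance: int
    otp_threshold: int          # limit declared by the cardholder, e.g. Rs.10,000
    mobile: str                 # registered mobile number (constructed value in any test)
    withdrawals: list = field(default_factory=list)  # (timestamp, amount) of completed withdrawals
    pending: dict = field(default_factory=dict)      # txn_id -> (amount, otp, expiry)


sms_outbox = []  # stands in for the mobile network: (mobile, message) pairs


def withdrawn_in_window(acct, now):
    """Running total of withdrawals completed inside the rolling window."""
    return sum(amount for ts, amount in acct.withdrawals if now - ts < WINDOW_SECONDS)


def otp_required(acct, amount, now):
    """The paper's rule. Case I: the amount itself exceeds the threshold.
    Case II: the running total including this amount exceeds the threshold.
    An amount exactly equal to the threshold needs no OTP."""
    return (amount > acct.otp_threshold
            or withdrawn_in_window(acct, now) + amount > acct.otp_threshold)


def request_withdrawal(acct, amount, now=None):
    """Issuing-bank side of steps 1-9: approve outright, or create an OTP challenge
    and 'send' it to the registered mobile. Returns (status, txn_id)."""
    now = time.time() if now is None else now
    if amount <= 0 or amount > acct.balance:
        return "declined", None
    if not otp_required(acct, amount, now):
        acct.balance -= amount
        acct.withdrawals.append((now, amount))
        return "approved", None
    txn_id = secrets.token_hex(8)
    otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
    acct.pending[txn_id] = (amount, otp, now + OTP_TTL_SECONDS)
    sms_outbox.append((acct.mobile, f"OTP {otp} for withdrawal of {amount}"))
    return "otp_required", txn_id


def complete_withdrawal(acct, txn_id, otp_entered, now=None):
    """Steps 10-14: check the OTP the cardholder typed at the ATM and pay out.
    The OTP is single-use (popped on the first attempt), time-limited, and compared
    in constant time so a wrong guess leaks nothing about the right digits."""
    now = time.time() if now is None else now
    entry = acct.pending.pop(txn_id, None)
    if entry is None:
        return "declined"
    amount, otp, expiry = entry
    if now > expiry or not hmac.compare_digest(otp, str(otp_entered)):
        return "declined"
    if amount > acct.balance:
        return "declined"
    acct.balance -= amount
    acct.withdrawals.append((now, amount))
    return "approved"
```

Keeping the running total over a rolling window rather than a calendar day is what closes the mid-night trick of Section III.E: a maximum withdrawal at 11:55 pm and another at 12:05 am are ten minutes apart, so they are summed and the second one triggers the OTP. A failed or expired OTP attempt leaves the balance untouched and cannot be retried against the same challenge; the cardholder has to start a new request, which issues a fresh OTP.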

B. ATM/EDC Digital Swapping Keypad

As an addition to credit/debit card PIN security, a Digital Swapping Keypad (DSK) is proposed for ATMs and for the Electronic Data Capture (EDC) machines installed at points of sale (POS). The Digital Swapping Keypad could overcome shoulder surfing and keypad overlay fraud [10]. The numeric digits of the keypad are swapped as soon as the credit/debit card is slid or swiped on the machine: every digit is replaced by another, so each digit takes a new position. Presenting the keypad in this way removes the risk that the PIN is shoulder-surfed and remembered by someone who tries to identify the digits of the PIN from their positions on the keypad.
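The swapped keypad is a per-session permutation of the ten digits: what a shoulder surfer or an overlay records is a sequence of key positions, which only the ATM can map back to digits because only it knows the layout. The following Python is an added example for this page, not the authors' design or any vendor's keypad firmware; the function names and the fixed layouts used in its test are illustrative.

```python
"""Added example: the Digital Swapping Keypad of Section V.B as a position-to-digit mapping."""
import secrets

DIGITS = "0123456789"
STANDARD_LAYOUT = "1234567890"   # digit shown at key positions 0..9 on an ordinary keypad


def new_layout(rng=None):
    """Fresh random permutation of the ten digits, drawn when the card is swiped.
    layout[position] is the digit displayed at that key position. A CSPRNG is used
    so that one session's layout cannot be predicted from earlier ones."""
    rng = rng if rng is not None else secrets.SystemRandom()
    digits = list(DIGITS)
    rng.shuffle(digits)
    return "".join(digits)


def positions_for_pin(layout, pin):
    """What an observer sees: the key positions the cardholder presses."""
    return [layout.index(d) for d in pin]


def pin_from_positions(layout, positions):
    """What the ATM does with the presses, using the layout only it knows."""
    return "".join(layout[p] for p in positions)


def overlay_guess(positions):
    """A keypad overlay or shoulder surfer who assumes the standard layout
    recovers this string, which is wrong whenever the layout was swapped."""
    return pin_from_positions(STANDARD_LAYOUT, positions)


def repeat_pattern(positions):
    """What still leaks: equal digits land on equal positions, so the pattern of
    repeats (e.g. ABBA) is visible even though the digits themselves are hidden."""
    labels, seen = [], {}
    for p in positions:
        seen.setdefault(p, chr(ord("A") + len(seen)))
        labels.append(seen[p])
    return "".join(labels)
```

Two points a deployment has to get right: the layout must be drawn with a cryptographic generator for every card insertion and shown on a display that a physical overlay cannot read, so that an overlay which only logs positions recovers a wrong PIN (overlay_guess); and the permutation hides which digits were pressed but not the pattern of repeated digits, nor anything from a camera that can see the screen as well as the keys, which is why the paper pairs the DSK with the shield cover of Section V.C.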

C. ATM/EDC Censored keypad shield cover

As an addition to credit/debit card PIN security, a Censored Flap Cover is proposed to reduce shoulder surfing and hidden camera fraud [10]. It has been noticed that cardholders are watched or tricked while entering the PIN; at present the cardholder uses his/her hand to hide the keystrokes on the ATM/EDC keypad while entering the PIN. The censored flap cover will cover the keypad automatically, just after the credit/debit card is slid or swiped. Presenting the keypad in this way removes the risk that the PIN is easily captured by someone's eyes or by a camera.

VI. ADVANTAGE

These security controls enable banks to reduce fraudulent transactions, reduce legal risk, achieve regulatory compliance and gain cardholder trust and confidence. They could provide better risk and fraud management, and the increased trust and confidence could result in greater usability of the ATM.

VII. LIMITATION

The approach made in this paper depends on the time taken to deliver the OTP and on the availability of the cardholder's particular mobile network, which limits its feasibility. As future work, the network complexity could be reduced and a more user-friendly environment developed. A security layer could also be developed at the network layer.

VIII. CONCLUSION

ATM electronic transactions play a persistent and pervasive role. Conventionally, authentication and authorization are based on possession of the credit/debit card details and a security number, the PIN, which is not reliable on its own. This paper considers the growing demand for fast and accurate user identification, authentication and authorization, and therefore proposes a secure-layer electronic transaction mechanism to strengthen cardholder identification, authentication, authorization and security clearance. It recommends security controls including the ATM/EDC Digital Swapping Keypad and the ATM/EDC Censored Keypad Shield Cover. Hence, there will be a greater level of trust and confidence in ATM electronic transactions.

REFERENCES

1. Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei Skorobogatov, and Ross Anderson, "Chip and Skim: cloning EMV cards with the pre-play attack," in 2014 IEEE Symposium on Security and Privacy (SP), pp. 49-64, IEEE, 2014.
2. Ross Anderson, "Banking and Bookkeeping," in Security Engineering: A Guide to Building Dependable Distributed Systems.
3. Card skimming theft [online]. Available: http://www.identitytheft.info/credit-card-skimmerpictures.aspx
4. Crime Prevention Section Awareness Alert, "Skimming at ATM Machines" [online]. Available: http://www.nyc.gov/html/nypd/downloads/pdf/crime_prevention/ATMskimmingtip.pdf
5. ATM card skimmers, debit card skimmers and credit card skimmers (images) [online]. Available: http://www.banking.org.za/consumerinformation/bank-crime/card-skimming-theft
6. Indian Institute of Banking and Finance, Principles and Practices of Banking, Macmillan, 2012.
7. Katherine J. Barker, Jackie D'Amato, and Paul Sheridon, "Credit card fraud: awareness and prevention," Journal of Financial Crime, vol. 15, no. 4, pp. 398-410, 2008.
8. Eric Chun Wah Law and Lap Yam, "Single one-time password token with single PIN for access to multiple providers," U.S. Patent Application 11/376,771, filed March 15, 2006.
9. Alexander De Luca, Marc Langheinrich, and Heinrich Hussmann, "Towards understanding ATM security: a field study of real world ATM use," in Proceedings of the Sixth Symposium on Usable Privacy and Security (SOUPS), p. 16, ACM, 2010.
10. Steven Hinde, "Banking on security and control: UK companies face overhaul of controls," Computer Fraud & Security, vol. 2004, no. 8, pp. 4-6, 2004.