devang_ashar
New member
You can find information on this website cardbhai.com
Warm Rgds,
Devang.
Warm Rgds,
Devang.
Project/Reports on Credit Card Industry In India
- Thread starter bhansali.ritu
- Start date
-
- Tags
- analysis report atm card bank credit card credit credit analysis credit bank credit card credit india credit project credit report credit sector debit card financial card financial report india industry plastic card project on credit project on credit sector project or reports strategic analysis strategic report
sunny.bhalla24
New member
hey thanx a lot ........................................................................................................................................................................................................................................................................................................................................................................................................
hey,.........................................................................................................................................................................................
pratikmalde
Pratik Malde
Thanks Really helpful. This will help in strategies adopted by CC companies in current scnario
shetalkale
Shetal Kale
Range Estimation Trainer
Luther George Simjian was a lifelong innovator whose inventions include the self-focusing camera, a flight speed indicator for airplanes, an automatic postage metering machine, teleprompter, Range Estimation Trainer and contributions to the evolution of the Bankmatic automatic teller machine (ATM).
Simjian was born in Turkey on January 28, 1905. As a young child he developed a keen interest in optics and photography. After World War I he was separated from his family. He fled to Beirut, then on to Marseille, and eventually to the United States. At age 15 he arrived in the U.S. alone, and went to New Haven, Connecticut, where he stayed with relatives and found self-sufficiency through a job with a photographer. Simjian originally intended to study medicine, but changed his mind after the medical school at Yale gave him a job in its photographic laboratory. In 1928 he was named director of the photography department at the medical school, and he soon developed a way of projecting microscopic images and photographing specimens under water.
In 1934 Simjian moved to New York, where he developed a color X-ray machine and a self-posing portrait camera, allowing the subject to look into a mirror and see exactly the picture that was about to be taken. Soon after, Simjian established a company to license and manufacture the camera for use in department store studios. He eventually sold the camera and rights to the Photoreflex name. However, he renamed the company he had started to Reflectone and continued to explore developments in optics, electro-mechanical devices, and the new field of electronics. When Simjian initially came up with the idea of creating a hole-in-the-wall machine that would allow customers to make financial transactions, the idea was met with a great deal of skepticism. Starting in 1939, Simjian registered 20 patents related to the device and persuaded what is now Citicorp to give it a trial. After six months, the bank reported that there was little demand.
"It seems the only people using the machines were a small number of prostitutes and gamblers who didn't want to deal with tellers face to face," wrote Simjian.
Later, of course, the idea caught on, and today, modern versions of the automatic teller machine stand on nearly every street corner. Despite the notoriety that came with his ATM concept, Simjian's most important invention of the era during World War II was his Range Estimation Trainer, designed to improve the methods used to train Allied pilots. Using a miniature airplane, synchronized moving mirrors, and controlled lighting, he built a device that would allow an instructor to remotely vary speed, lighting, and angles. This simulator could be used to train aviators in identifying types of aircraft and determining their distance and speed. The U.S. Navy was very interested in these devices; Reflectone sold more than 2000 trainers, which were used all over the country.
Simjian remained President and Chairman of Reflectone for 22 years, until the company merged with Universal Match Corp. in 1961. It was sold again in 1996 to British Aerospace. Meanwhile Simjian formed two other companies, General Research and Command Automation, to help to capitalize on his other inventions, which included a remote-controlled postage meter, a meat tenderizer and an ultrasound device for use in hospitals. He also patented an indoor golf practice range, using an analog computer to project the "flight" of the ball. Toward the end of his life Simjian built a small research and development lab in Fort Lauderdale, Florida, and continued inventing until his death on October 23, 1997. Simjian was issued his last patent recently -- in March of 2000 he received a patent for a process to improve the resonance of wood used for musical instruments.
History
An old Nixdorf ATM
British actor Reg Varney using the world's first ATM in 1967, located at a branch of Barclays Bank, Enfield. The system was developed by De La Rue
.
The first mechanical cash dispenser was developed and built by Luther George Simjian and installed in 1939 in New York City by the City Bank of New York,[citation needed] but removed after 6 months due to the lack of customer acceptance.[2]
Thereafter, the history of ATMs paused for over 25 years, until De La Rue developed the first electronic ATM, which was installed first in Enfield Town in North London, United Kingdom[3] on 27 June 1967 by Barclays Bank.[4] This instance of the invention is credited to John Shepherd-Barron, although various other engineers were awarded patents for related technologies at the time.[5] Shepherd-Barron was awarded an OBE in the 2005 New Year's Honours List.[6] The first person to use the machine was the British variety artist and actor Reg Varney.[7][8] The first ATMs accepted only a single-use token or voucher, which was retained by the machine. These worked on various principles including radiation and low-coercivity magnetism that was wiped by the card reader to make fraud more difficult.[5] The machine dispensed pre-packaged envelopes containing ten pounds sterling. The idea of a PIN stored on the card was developed by the British engineer James Goodfellow in 1965.[5]
In 1968 the networked ATM was pioneered in Dallas, Texas, by Donald Wetzel who was a department head at an automated baggage-handling company called Docutel. In 1995 the Smithsonian's National Museum of American History recognised Docutel and Wetzel as the inventors of the networked ATM. [9]
ATMs first came into wide UK use in 1973; the IBM 2984 was designed at the request of Lloyds Bank. The 2984 CIT (Cash Issuing Terminal) was the first true Cashpoint, similar in function to today's machines; Cashpoint is still a registered trademark of Lloyds TSB in the U.K. All were online and issued a variable amount which was immediately deducted from the account. A small number of 2984s were supplied to a US bank. Notable historical models of ATMs include the IBM 3624 and 473x series, Diebold 10xx and TABS 9000 series, and NCR 5xxx series.
[edit] Location
An ATM Encrypting PIN Pad (EPP) with German markings
ATMs are placed not only near or inside the premises of banks, but also in locations such as shopping centers/malls, airports, grocery stores, petrol/gas stations, restaurants, or any place large numbers of people may gather. These represent two types of ATM installations: on and off premise. On premise ATMs are typically more advanced, multi-function machines that complement an actual bank branch's capabilities and thus more expensive. Off premise machines are deployed by financial institutions and also ISOs (or Independent Sales Organizations) where there is usually just a straight need for cash, so they typically are the cheaper mono-function devices. In Canada, when an ATM is not operated by a financial institution it is known as a "White Label ATM".
In North America, banks often have drive-thru lanes providing access to ATMs.
Many ATMs have a sign above them indicating the name of the bank or organization owning the ATM, and possibly including the list of ATM networks to which that machine is connected. This type of sign is called a topper.
[edit] Financial networks
An ATM in the Netherlands. The logos of a number of interbank networks this ATM is connected to are shown.
Most ATMs are connected to interbank networks, enabling people to withdraw and deposit money from machines not belonging to the bank where they have their account or in the country where their accounts are held (enabling cash withdrawals in local currency). Some examples of interbank networks include PULSE, PLUS, Cirrus, Interac, Interswitch, STAR, and LINK.
ATMs rely on authorization of a financial transaction by the card issuer or other authorizing institution via the communications network. This is often performed through an ISO 8583 messaging system.
Many banks charge ATM usage fees. In some cases, these fees are charged solely to users who are not customers of the bank where the ATM is installed; in other cases, they apply to all users. Where machines make a charge some people will not use them, but go to a system without fees.
In order to allow a more diverse range of devices to attach to their networks, some interbank networks have passed rules expanding the definition of an ATM to be a terminal that either has the vault within its footprint or utilizes the vault or cash drawer within the merchant establishment, which allows for the use of a scrip cash dispenser.
A Diebold 1063ix with a dial-up modem visible at the base
ATMs typically connect directly to their ATM Controller via either a dial-up modem over a telephone line or directly via a leased line. Leased lines are preferable to POTS lines because they require less time to establish a connection. Leased lines may be comparatively expensive to operate versus a POTS line, meaning less-trafficked machines will usually rely on a dial-up modem. That dilemma may be solved as high-speed Internet VPN connections become more ubiquitous. Common lower-level layer communication protocols used by ATMs to communicate back to the bank include SNA over SDLC, TC500 over Async, X.25, and TCP/IP over Ethernet.
In addition to methods employed for transaction security and secrecy, all communications traffic between the ATM and the Transaction Processor may also be encrypted via methods such as SSL.[10]
[edit] Global use
An ATM in the Tokyo subway
There are no hard international or government-compiled numbers totaling the complete number of ATMs in use worldwide. Estimates developed by ATMIA place the number of ATMs in use at over 1.5 million as of August 2006.[11]
For the purpose of analyzing ATM usage around the world, financial institutions generally divide the world into seven regions, due to the penetration rates, usage statistics, and features deployed. Four regions (USA, Canada, Europe, and Japan) have high numbers of ATMs per million people[12] and generally slowing growth rates.[13] Despite the large number of ATMs,[14] there is additional demand for machines in the Asia/Pacific area as well as in Latin America.[15] ATMs have yet to reach high numbers in the Near East/Africa.[16]
The world's most northerly installed ATM is located at Longyearbyen, Svalbard, Norway.[17]
The world's most southerly installed ATM is located at McMurdo Station, Antarctica.[18]
The world's highest installed ATM is located at Nathu La Pass, India installed by the Union Bank of India [19]
While ATMs are ubiquitous on modern cruise ships, ATMs can also be found on some US Navy ships.[20]
In the United Kingdom, an ATM may be colloqually referred to as a "Cashpoint", named after the Lloyds Bank ATM brand, or "hole-in-the-wall", an expression[21] after which the equivalent Barclays brand was later named. In Scotland the term Cashline has become a generic term for an ATM, based on the branding from the Royal Bank of Scotland.
In the Republic of Ireland, ATM's are also commonly referred to as a "Banklink", named after the Allied Irish Bank brand of machines.
[edit] Hardware
A block diagram of an ATM
An ATM is typically made up of the following devices:
• CPU (to control the user interface and transaction devices)
• Magnetic and/or Chip card reader (to identify the customer)
• PIN Pad (similar in layout to a Touch tone or Calculator keypad), often manufactured as part of a secure enclosure.
• Secure cryptoprocessor, generally within a secure enclosure.
• Display (used by the customer for performing the transaction)
• Function key buttons (usually close to the display) or a Touchscreen (used to select the various aspects of the transaction)
• Record Printer (to provide the customer with a record of their transaction)
• Vault (to store the parts of the machinery requiring restricted access)
• Housing (for aesthetics and to attach signage to)
Recently, due to heavier computing demands and the falling price of computer-like architectures, ATMs have moved away from custom hardware architectures using microcontrollers and/or application-specific integrated circuits to adopting a hardware architecture that is very similar to a personal computer. Many ATMs are now able to use operating systems such as Microsoft Windows and Linux. Although it is undoubtedly cheaper to use commercial off-the-shelf hardware, it does make ATMs vulnerable to the same sort of problems exhibited by conventional computers.
Business owners often lease ATM terminals from ATM service providers.
Two Loomis employees refilling an ATM at the Downtown Seattle REI.
The vault of an ATM is within the footprint of the device itself and is where items of value are kept. Scrip cash dispensers do not incorporate a vault.
Mechanisms found inside the vault may include:
• Dispensing mechanism (to provide cash or other items of value)
• Deposit mechanism, including a Cheque Processing Module and Batch Note Acceptor (to allow the customer to make deposits)
• Security sensors (Magnetic, Thermal, Seismic)
• Locks: (to ensure controlled access to the contents of the vault)
• Journaling systems; some are electronic (a sealed flash memory device based on proprietary standards) or a solid-state device (an actual printer) which accrues all records of activity, including access timestamps, number of bills dispensed, etc. - This is considered sensitive data and is secured in similar fashion to the cash as it is a similar liability.
ATM vaults are supplied by manufacturers in several grades. Factors influencing vault grade selection include cost, weight, regulatory requirements, ATM type, operator risk avoidance practices, and internal volume requirements.[22]
Industry standard vault configurations include Underwriters Laboratories UL-291 "Business Hours" and Level 1 Safes,[23] RAL TL-30 derivatives,[24] and CEN EN 1143-1:2005 - CEN III/VdS and CEN IV/LGAI/VdS.[25][26]
ATM manufacturers recommend that vaults be attached to the floor to prevent theft.[27]
[edit] Software
A Wincor Nixdorf ATM running Windows 2000
With the migration to commodity PC hardware, standard commercial "off-the-shelf" operating systems and programming environments can be used inside of ATMs. Typical platforms used in ATM development include RMX, OS/2, and Microsoft operating systems (such as MS-DOS, PC-DOS, Windows NT, Windows 2000, Windows XP Professional, or Windows XP Embedded). Java, Linux and Unix may also be used in these environments.
Linux is also finding some reception in the ATM marketplace. An example of this is Banrisul, the largest bank in the south of Brazil, which has replaced the MS-DOS operating systems in its ATMs with Linux. Banco do Brasil is also migrating ATMs to Linux.
Common application layer transaction protocols, such as Diebold 911 or 912, IBM PBM, and NCR NDC or NDC+ provide emulation of older generations of hardware on newer platforms with incremental extensions made over time to address new capabilities, although companies like NCR continuously improve these protocols issuing newer versions (latest NCR Aptra Advance NDC Version 3.x.y (Where x.y are subversions). Most major ATM manufacturers provide software packages that implement these protocols. Newer protocols such as IFX have yet to find wide acceptance by transaction processors.[28]
With the move to a more standardized software base, financial institutions have been increasingly interested in the ability to pick and choose the application programs that drive their equipment. WOSA/XFS, now known as CEN XFS (or simply XFS), provides a common API for accessing and manipulating the various devices of an ATM.
J/XFS is a Java implementation of the CEN XFS API.[29]
A Suncorp Metway ATM running OS/2
While the perceived benefit of XFS is similar to the Java's "Write once, run anywhere" mantra, often different ATM hardware vendors have different interpretations of the XFS standard. The result of these differences in interpretation means that ATM applications typically use a middleware to even out the differences between various platforms.
With the onset of Windows operating systems and XFS on ATM's, the software applications have the ability to become more intelligent. This has created a new breed of ATM applications commonly referred to as programmable applications. These types of applications allows for an entirely new host of applications in which the ATM terminal can do more than only communicate with the ATM switch. It is now empowered to connected to other content servers and video banking systems.
Notable ATM software that operates on XFS platforms include Triton PRISM, Diebold Agilis, CR2 BankWorld, KAL Kalignite, NCR Corporation Aptra Edge, Phoenix Interactive VISTAatm, and Wincor Nixdorf Protopas.
With the move of ATMs to industry-standard computing environments, concern has risen about the integrity of the ATM's software stack.[30]
[edit] Security
A Triton brand ATM with a dip style card reader and a triple DES keypad
Security, as it relates to ATMs, has several dimensions. ATMs also provide a practical demonstration of a number of security systems and concepts operating together and how various security concerns are dealt with.
[edit] Physical
A Wincor Nixdorf Procash 2100xe Frontload that was opened with an angle grinder
Early ATM security focused on making the ATMs invulnerable to physical attack; they were effectively safes with dispenser mechanisms. A number of attacks on ATMs resulted, with thieves attempting to steal entire ATMs by ram-raiding.[31] Since late 1990s, criminal groups operating in Japan improved ram-raiding by stealing and using a truck loaded with a heavy construction machinery to effectively demolish or uproot an entire ATM and any housing to steal its cash.[32]
Another attack method, plofkraak, is to seal all openings of the ATM with silicone and fill the vault with a combustible gas or to place an explosive inside, attached, or near the ATM.[33] This gas or explosive is ignited and the vault is opened or distorted by the force of the resulting explosion and the criminals can break in.
Modern ATM physical security, per other modern money-handling security, concentrates on denying the use of the money inside the machine to a thief, by means of techniques such as dye markers and smoke canisters.[34]
A common method is to simply rob the staff filling the machine with money. To avoid this, the schedule for filling them is kept secret, varying and random. The money is often kept in cassettes, which will dye the money if incorrectly opened.
[edit] Transactional secrecy and integrity
The security of ATM transactions relies mostly on the integrity of the secure cryptoprocessor: the ATM often uses commodity components that are not considered to be "trusted systems".
Encryption of personal information, required by law in many jurisdictions, is used to prevent fraud. Sensitive data in ATM transactions are usually encrypted with DES, but transaction processors now usually require the use of Triple DES.[35] Remote Key Loading techniques may be used to ensure the secrecy of the initialization of the encryption keys in the ATM. Message Authentication Code (MAC) or Partial MAC may also be used to ensure messages have not been tampered with while in transit between the ATM and the financial network.
[edit] Customer identity integrity
A BTMU ATM with a palm scanner (to the right of the screen)
There have also been a number of incidents of fraud by Man-in-the-middle attacks, where criminals have attached fake keypads or card readers to existing machines. These have then been used to record customers' PINs and bank card information in order to gain unauthorized access to their accounts. Various ATM manufacturers have put in place countermeasures to protect the equipment they manufacture from these threats.[36][37]
Alternate methods to verify cardholder identities have been tested and deployed in some countries, such as finger and palm vein patterns,[38] iris, and facial recognition technologies. However, recently, cheaper mass production equipment has been developed and being installed in machines globally that detect the presence of foreign objects on the front of ATMs, current tests have shown 99% detection success for all types of skimming devices.[39]
[edit] Device operation integrity
ATMs that are exposed to the outside must be vandal and weather resistant.
Openings on the customer-side of ATMs are often covered by mechanical shutters to prevent tampering with the mechanisms when they are not in use. Alarm sensors are placed inside the ATM and in ATM servicing areas to alert their operators when doors have been opened by unauthorized personnel.
This article may be confusing or unclear to readers. Please help clarify the article; suggestions may be found on the talk page. (February 2009)
Rules are usually set by the government or ATM operating body that dictate what happens when integrity systems fail. Depending on the jurisdiction, a bank may or may not be liable when an attempt is made to dispense a customer's money from an ATM and the money either gets outside of the ATM's vault, or was exposed in a non-secure fashion, or they are unable to determine the state of the money after a failed transaction.[40] Bank customers often complain that banks have made it difficult to recover money lost in this way, but this is often complicated by the bank's own internal policies regarding suspicious activities typical of the criminal element.[41]
[edit] Customer security
Dunbar Armored ATM Techs watching over ATMs that have been installed in a van.
In some countries, multiple security cameras and security guards are a common feature.[42] In the United States, The NY State Comptroller's Office has criticized the NY State Department of Banking for not following through on safety inspections of ATMs in high crime areas.[43]
Critics of ATM operators assert that the issue of customer security appears to have been abandoned by the banking industry;[44] it has been suggested that efforts are now more concentrated on deterrent legislation than on solving the problem of forced withdrawals.[45]
At least as far back as July 30, 1986, critics of the industry have called for the adoption of an emergency PIN system for ATMs, where the user is able to send a silent alarm in response to a threat.[46] Legislative efforts to require an emergency PIN system have appeared in Illinois,[47] Kansas[48] and Georgia,[49] but none have succeeded as of yet. In January 2009, Senate Bill 1355 was proposed in the Illinois Senate that revisits the issue of the reverse emergency PIN system. [50] The bill is again resisted by the banking lobby and supported by the police. [51]
[edit] Alternative uses
Two NCR Personas 84 ATMs at a bank in Jersey dispensing two types of pound sterling banknotes: Bank of England notes, and States of Jersey notes
Although ATMs were originally developed as just cash dispensers, they have evolved to include many other bank-related functions. In some countries, especially those which benefit from a fully integrated cross-bank ATM network (e.g.: Multibanco in Portugal), ATMs include many functions which are not directly related to the management of one's own bank account, such as:
• Deposit currency recognition, acceptance, and recycling[52][53]
• Paying routine bills, fees, and taxes (utilities, phone bills, social security, legal fees, taxes, etc.)
• Printing bank statements
• Updating passbooks
• Loading monetary value into stored value cards
• Purchasing
o Postage stamps.
o Lottery tickets
o Train tickets
o Concert tickets
o Movie tickets
o Shopping mall gift certificates.
• Games and promotional features[54]
• Donating to charities[55]
• Cheque Processing Module
• Adding pre-paid cell phone credit.
Increasingly banks are seeking to use the ATM as a sales device to deliver pre approved loans and targeted advertising using products such as ITM (the Intelligent Teller Machine) from CR2 or Aptra Relate from NCR. ATMs can also act as an advertising channel for companies to advertise their own products or third-party products and services.[56]
In Canada, ATMs are called guichets automatiques in French and sometimes "Bank Machines" in English. The Interac shared cash network does not allow for the selling of goods from ATMs due to specific security requirements for PIN entry when buying goods.[57] CIBC machines in Canada, are able to top-up the minutes on certain pay as you go phones.
A South Korean ATM with mobile bank port and bar code reader
Manufacturers have demonstrated and have deployed several different technologies on ATMs that have not yet reached worldwide acceptance, such as:
• Biometrics, where authorization of transactions is based on the scanning of a customer's fingerprint, iris, face, etc. Biometrics on ATMs can be found in Asia.[58][59][60]
• Cheque/Cash Acceptance, where the ATM accepts and recognise cheques and/or currency without using envelopes[61] Expected to grow in importance in the US through Check 21 legislation.
• Bar code scanning[62]
• On-demand printing of "items of value" (such as movie tickets, traveler's cheques, etc.)
• Dispensing additional media (such as phone cards)
• Co-ordination of ATMs with mobile phones[63]
• Customer-specific advertising[64]
• Integration with non-banking equipment[65][66]
[edit] Reliability
An ATM running Microsoft Windows that has crashed
Before an ATM is placed in a public place, it typically has undergone extensive testing with both test money and the backend computer systems that allow it to perform transactions. Banking customers also have come to expect high reliability in their ATMs,[67] which provides incentives to ATM providers to minimize machine and network failures. Financial consequences of incorrect machine operation also provide high degrees of incentive to minimize malfunctions.[68]
ATMs and the supporting electronic financial networks are generally very reliable, with industry benchmarks typically producing 98.25% customer availability for ATMs[69] and up to 99.999% availability for host systems. If ATMs do go out of service, customers could be left without the ability to make transactions until the beginning of their bank's next time of opening hours.
This said, not all errors are to the detriment of customers; there have been cases of machines giving out money without debiting the account, or giving out higher value notes as a result of incorrect denomination of banknote being loaded in the money cassettes. Errors that can occur may be mechanical (such as card transport mechanisms; keypads; hard disk failures); software (such as operating system; device driver; application); communications; or purely down to operator error.
An ATM running OS/2 that has crashed
To aid in reliability, some ATMs print each transaction to a roll paper journal that is stored inside the ATM, which allows both the users of the ATMs and the related financial institutions to settle things based on the records in the journal in case there is a dispute. In some cases, transactions are posted to an electronic journal to remove the cost of supplying journal paper to the ATM and for more convenient searching of data.
Improper money checking can cause the possibility of a customer receiving counterfeit banknotes from an ATM. While bank personnel are generally trained better at spotting and removing counterfeit cash,[70][71] the resulting ATM money supplies used by banks provide no absolute guarantee for proper banknotes, as the Federal Criminal Police Office of Germany has confirmed that there are regularly incidents of false banknotes having been dispensed through bank ATMs.[72] Some ATMs may be stocked and wholly owned by outside companies, which can further complicate this problem. Bill validation technology can be used by ATM providers to help ensure the authenticity of the cash before it is stocked in an ATM; ATMs that have cash recycling capabilities include this capability.[73]
[edit] Fraud
As with any device containing objects of value, ATMs and the systems they depend on to function are the targets of fraud. Fraud against ATMs and people's attempts to use them takes several forms.
The first known instance of a fake ATM was installed at a shopping mall in Manchester, Connecticut in 1993. By modifying the inner workings of a Fujitsu model 7020 ATM, a criminal gang known as The Bucklands Boys were able to steal information from cards inserted into the machine by customers.[74]
In some cases, bank fraud could occur at ATMs whereby the bank accidentally stocks the ATM with bills in the wrong denomination, therefore giving the customer more money than should be dispensed.[75] The result of receiving too much money may be influenced on the card holder agreement in place between the customer and the bank.[76][77]
In a variation of this, WAVY-TV reported an incident in Virginia Beach of September 2006 where a hacker who had probably obtained a factory-default admin password for a gas station's white label ATM caused the unit to assume it was loaded with $5 USD bills instead of $20s, enabling himself—and many subsequent customers—to walk away with four times the money they said they wanted to withdraw.[78][79] This type of scam was featured on the TV series The Real Hustle.
ATM behavior can change during what is called "stand-in" time, where the bank's cash dispensing network is unable to access databases that contain account information (possibly for database maintenance). In order to give customers access to cash, customers may be allowed to withdraw cash up to a certain amount that may be less than their usual daily withdrawal limit, but may still exceed the amount of available money in their account, which could result in fraud.[80]
[edit] Card fraud
ATM lineup
The big queue at an ATM in Masalli, Azerbaijan.
In an attempt to prevent criminals from shoulder surfing the customer's PINs, some banks draw privacy areas on the floor.
For a low-tech form of fraud, the easiest is to simply steal a customer's card. A later variant of this approach is to trap the card inside of the ATM's card reader with a device often referred to as a Lebanese loop. When the customer gets frustrated by not getting the card back and walks away from the machine, the criminal is able to remove the card and withdraw cash from the customer's account.
Another simple form of fraud involves attempting to get the customer's bank to issue a new card and stealing it from their mail.[81]
Some ATMs may put up warning messages to customers to not use them when it detects possible tampering
The concept and various methods of copying the contents of an ATM card's magnetic stripe on to a duplicate card to access other people's financial information was well known in the hacking communities by late 1990.[82]
In 1996 Andrew Stone, a computer security consultant from Hampshire in the UK, was convicted of stealing more than £1 million (at the time equivalent to US$1.6 million) by pointing high definition video cameras at ATMs from a considerable distance, and by recording the card numbers, expiry dates, etc. from the embossed detail on the ATM cards along with video footage of the PINs being entered. After getting all the information from the videotapes, he was able to produce clone cards which not only allowed him to withdraw the full daily limit for each account, but also allowed him to sidestep withdrawal limits by using multiple copied cards. In court, it was shown that he could withdraw as much as £10,000 per hour by using this method. Stone was sentenced to five years and six months in prison.[83]
By contrast, a newer high-tech modus operandi involves the installation of a magnetic card reader over the real ATM's card slot and the use of a wireless surveillance camera or a modified digital camera to observe the user's PIN. Card data is then cloned onto a second card and the criminal attempts a standard cash withdrawal. The availability of low-cost commodity wireless cameras and card readers has made it a relatively simple form of fraud, with comparatively low risk to the fraudsters.[84]
In an attempt to stop these practices, countermeasures against card cloning have been developed by the banking industry, in particular by the use of smart cards which cannot easily be copied or spoofed by un-authenticated devices, and by attempting to make the outside of their ATMs tamper evident. Older chip-card security systems include the French Carte Bleue, Visa Cash, Mondex, Blue from American Express[85] and EMV '96 or EMV 3.11. The most actively developed form of smart card security in the industry today is known as EMV 2000 or EMV 4.x.
EMV is widely used in the UK (Chip and PIN) and other parts of Europe, but when it is not available in a specific area, ATMs must fallback to using the easy to copy magnetic stripe to perform transactions. This fallback behaviour can be exploited.[86] However the fallback option has been removed by several UK banks, meaning if the chip is not read, the transaction will be declined.
In February 2009, a group of criminals used counterfeit ATM cards to steal $9 million from 130 ATMs in 49 cities around the world all within a time period of 30 minutes. [87]
Card cloning and skimming can be detected by the implementation of magnetic card reader heads and firmware that can read a signature embedded in all magnetic stripes during the card production process. This signature known as a "MagnePrint" or "BluPrint" can be used in conjunction with common two factor authentication schemes utilized in ATM, debit/retail point-of-sale and prepaid card applications.
This article's tone or style may not be appropriate for Wikipedia. Specific concerns may be found on the talk page. See Wikipedia's guide to writing better articles for suggestions. (April 2008)
Automated Teller Machines were first used in 1939. Nowadays, about 1.5 million are installed worldwide[1].
In the consideration of ATM, there are different aspects that should be considered. First, one has to have an idea about the communication within ATMs. Second, the issue of security is of paramount importance because all over the world, there is an increasing use of ATMs and so the risks of hacking turn to be a reality more than ever before. In the past, the function of ATMs was to deliver cash in the form of bank notes and to debit a corresponding bank account. Cards were used to identify the user. As for the withdrawal of money, different methods were used. For instance, punched cards were used. By the use of such cards, only one payment was authorized. Thereby, a user had to get a supply of cards from his/her bank because the punched cards were not returned to the user. Another example was the use of a magnetic card which had a limited life. The use of such cards allowed; for instance, twenty withdrawals of money. From the beginning, personal identification number PIN has been of very great importance in the overall operation.
D.W. Davies & W. L. Price (1984). Security for computer networks : an introduction to data security in teleprocessing and electronic funds transfer. ISBN 0-471-90063-X.
The use of it has been done with the aim to decrease the risks that might result from the loss of cards and the misuses that might be connected to that. In fact, in the past as well as in the present, there have been different aspects in the consideration of the designing and the communicative basics of Automated Teller Machines. One aspect of it has been how communication between its participants could be possible[2]. The second of it has been to take into consideration the purposes which could be a part and a parcel of any communicative act. In this context, there are different participants involved in ATMs communication. To cite but a few of them, in an ATM communication, there are remote partners and interfaces to the outside world and these interfaces are in their turn subject to more than one classification. The first interface represents the relationship between the End-user and Automated Teller Machine. The second interface occurs between the ATM and the central bank computer.
Contents
[hide]
• 1 Protection of Communication [3]
o 1.1 PIN validation, Management and Algorithmic Checking
1.1.1 PIN Validation for local Transactions
1.1.1.1 On-Line PIN Validation
1.1.1.2 Off-Line PIN Validation
1.1.2 PIN Validation for Interchange Transactions
1.1.2.1 Shared ATMs [4]
o 1.2 Hardware Security Module
o 1.3 Authentication and Data Integrity
• 2 Security [6]
• 3 Conclusion
• 4 References
• 5 External links
[edit] Protection of Communication [3]
[edit] PIN validation, Management and Algorithmic Checking
The method of checking relies on an algorithm which is typically a cipher[1] with a secret key.
[edit] PIN Validation for local Transactions
[edit] On-Line PIN Validation
The validation of on-line PIN occurs if the terminal in question is connected to the central data base. The customer's entered PIN is always compared against as in the financial institutions recorded PIN of reference.
[edit] Off-Line PIN Validation
In off-line PIN validation, the ATM is not connected to the central data base. A condition for off-line PIN validation is that the ATM should be able to compare the customer's entered PIN against the PIN of reference. the terminal must be able to perform cryptographic operations and it must have at its disposal the required encryption keys its very slow
[edit] PIN Validation for Interchange Transactions
There are three PIN procedures for the operation of a high secure interchange transaction. PIN is encrypted at the entry terminal, a secret cryptographic key is used. In addition to other transaction elements, the encrypted PIN is transmitted to the acquirer's system. Second the encrypted PIN is routed from the acquirer's system to a Hardware Security Module. Within it, with the use of the cryptographic key of the terminal, the PIN will be decrypted. With a cryptographic key used for interchange, the decrypted key will be immediately reencrypted and will be routed to the issuer's system over normal communications channels. Third, the routed PIN will be decrypted in the issuer's security module and then validated on the basis of the techniques for on-line local PIN validation.
[edit] Shared ATMs [4]
There are different methods used in shared ATMs with regards to the encipherment of PIN and message authentication among them is the so called "ZONE ENCRYPTION". In this method, a trustful authority is appointed to operate on behalf of a group of banks so as they could interchange messages for ATM payment approvals.
[edit] Hardware Security Module
For a successful communication between a bank and ATMs, the incorporation of a cryptographic module named security module is of a very great importance. The security module is designed to be tamper resistant[5]. The security module performs a plethora of functions among them PIN verification, PIN translation in interchange, Key management and message authentication. As far as the use of PIN in interchanges is concerned, the PIN can be translated by the security module from the cryptographic key and format used by ATM to the format used for interchange. Moreover, the generation, the control, the maintenance and the protection of all keys associated with the user's network are within the capacities of the security module.
In the consideration of the personal verification process, it begins with the user's
supply of personal verification information. It is "the users remembered information". These information include among others a PIN and the provided customer's information which is recorded on the bank card. In cases where there is a storage of a cryptographic key on the bank card, it is called Personal key (KP). the pe [edit] Authentication and Data Integrity
rformance of personal identification can be done by the Authentication Parameter (AP). There are two possible ways of its operation. On the one, an AP can be time invariant. In such a case, an AP of reference can be stored in a verification table at the issuer and it can be precomputed. On the other, an AP can be time variant. In such a case, we have the dynamic computation of an AP of reference. Another point worth mentioning is the case where we have an IP which is based on both time variant information and on the transaction request message. In such a case where an AP can be used as a message authentication code (MAC), the use of message authentication is made recourse to find out stale or bogus messages which might be routed both into the communication path and the detection of modified messages which are fraudulent and which can traverse non-secure communication systems. In such cases, AP turns out to perform a double purpose. That is, it must be made recourse to for personal verification and message authentication. In cases where a duplicate of AP is recorded in a verification table at the authenticating code or where the authenticator is able to compute an AP of reference, the personal authentication code is used. In cases where it is not possible to assure the integrity of the verification table or the secrecy and the integrity of the recorded information to compute the AP of reference, then the personal identification can dwell on ID, AP and a personal authentication code (PAC).
[edit] Security [6]
A first approximation of security exposures in Electronic funds transfer systems can be done without delimiting their components. Electronic funds transfer systems have three components; namely communication links, computers, and terminals(ATMs). To begin with, communication links are subject to attacks. There are two techniques made recourse to as far as the inception of messages is concerned. On the one, they are subject to attack by the use of passive techniques such as listening. On the other, they might be subject to attack by active techniques such as data alteration and substitution. Moreover, both techniques can be used in combination. The second component is computer security. There are different techniques that can be used in order to have access to a computer such as the access to it via a remote terminal or other peripheral devices as the card reader. As a result of such attacks, abusers could copy, replace or even destroy programs or data saved in or being processed in a computer system. As for terminal security, it is of a great importance in cases where cipher keys reside in terminals. In the absence of physical security, an abuser may be probe for a key or substitute its value. In order to avoid such abuses, the preserving of both the integrity of non-secret parameters and the confidentiality of secret parameters should be incorporated. Moreover, the use of public key cryptosystem (PKC) where public keys in the Electronic funds transfer are made recourse to prove to be insecure in the absence of physical security at the entry points. Moreover, as a public key allows the terminal the authentication of the response messages received from the issuer, for the generation of the MACs on transaction request messages sent to the issuer, a secret key is still needed. In the conduction of transactions at the Electronic funds transfer terminal, the only required thing is personal verification. That is, the authentication of a message between the EFT terminal and the issuer is theoretically not required. In such a case, the installation of a public key in the Electronic funds transfer terminal would be adequate as far as the permission of personal verification is concerned
[edit] Conclusion
The application of cryptography to electronic funds transfer systems has shown that attacks may occur in different sub-systems. In other words, the protection of Electronic funds transfer terminals from attack by unauthorized outsiders is realized. Terminal's protection from authorized insiders is an impossible task. In order to go beyond these problems, the combined implementation of physical security, procedural protection and cryptography should be applied.
[edit] References
LIMITATION
Abstract
PNOs have observed that it has been very difficult to actually measure the performance of ATM networks. The problem they faced was that the materials contained in ITU-T recommendations were incomplete, contained inconsistencies and in some situations were too complex to be efficiently implemented in network equipment. This paper thus identifies the limitations in the standards related to ATM performance measurement on the three main performance areas (information transfer performance, availability performance and call processing performance) and proposes a solution for most of identified limitations. Extending results from earlier initiatives (ATM Pilot, JAMES project, various Eurescom projects including P515, P708), it aims at providing operators with a better means of handling performance aspects of ATM networks and switch vendors with a better understanding of operators needs
[88][89]
Luther George Simjian was a lifelong innovator whose inventions include the self-focusing camera, a flight speed indicator for airplanes, an automatic postage metering machine, teleprompter, Range Estimation Trainer and contributions to the evolution of the Bankmatic automatic teller machine (ATM).
Simjian was born in Turkey on January 28, 1905. As a young child he developed a keen interest in optics and photography. After World War I he was separated from his family. He fled to Beirut, then on to Marseille, and eventually to the United States. At age 15 he arrived in the U.S. alone, and went to New Haven, Connecticut, where he stayed with relatives and found self-sufficiency through a job with a photographer. Simjian originally intended to study medicine, but changed his mind after the medical school at Yale gave him a job in its photographic laboratory. In 1928 he was named director of the photography department at the medical school, and he soon developed a way of projecting microscopic images and photographing specimens under water.
In 1934 Simjian moved to New York, where he developed a color X-ray machine and a self-posing portrait camera, allowing the subject to look into a mirror and see exactly the picture that was about to be taken. Soon after, Simjian established a company to license and manufacture the camera for use in department store studios. He eventually sold the camera and rights to the Photoreflex name. However, he renamed the company he had started to Reflectone and continued to explore developments in optics, electro-mechanical devices, and the new field of electronics. When Simjian initially came up with the idea of creating a hole-in-the-wall machine that would allow customers to make financial transactions, the idea was met with a great deal of skepticism. Starting in 1939, Simjian registered 20 patents related to the device and persuaded what is now Citicorp to give it a trial. After six months, the bank reported that there was little demand.
"It seems the only people using the machines were a small number of prostitutes and gamblers who didn't want to deal with tellers face to face," wrote Simjian.
Later, of course, the idea caught on, and today, modern versions of the automatic teller machine stand on nearly every street corner. Despite the notoriety that came with his ATM concept, Simjian's most important invention of the era during World War II was his Range Estimation Trainer, designed to improve the methods used to train Allied pilots. Using a miniature airplane, synchronized moving mirrors, and controlled lighting, he built a device that would allow an instructor to remotely vary speed, lighting, and angles. This simulator could be used to train aviators in identifying types of aircraft and determining their distance and speed. The U.S. Navy was very interested in these devices; Reflectone sold more than 2000 trainers, which were used all over the country.
Simjian remained President and Chairman of Reflectone for 22 years, until the company merged with Universal Match Corp. in 1961. It was sold again in 1996 to British Aerospace. Meanwhile Simjian formed two other companies, General Research and Command Automation, to help to capitalize on his other inventions, which included a remote-controlled postage meter, a meat tenderizer and an ultrasound device for use in hospitals. He also patented an indoor golf practice range, using an analog computer to project the "flight" of the ball. Toward the end of his life Simjian built a small research and development lab in Fort Lauderdale, Florida, and continued inventing until his death on October 23, 1997. Simjian was issued his last patent recently -- in March of 2000 he received a patent for a process to improve the resonance of wood used for musical instruments.
History
An old Nixdorf ATM
British actor Reg Varney using the world's first ATM in 1967, located at a branch of Barclays Bank, Enfield. The system was developed by De La Rue
.
The first mechanical cash dispenser was developed and built by Luther George Simjian and installed in 1939 in New York City by the City Bank of New York,[citation needed] but removed after 6 months due to the lack of customer acceptance.[2]
Thereafter, the history of ATMs paused for over 25 years, until De La Rue developed the first electronic ATM, which was installed first in Enfield Town in North London, United Kingdom[3] on 27 June 1967 by Barclays Bank.[4] This instance of the invention is credited to John Shepherd-Barron, although various other engineers were awarded patents for related technologies at the time.[5] Shepherd-Barron was awarded an OBE in the 2005 New Year's Honours List.[6] The first person to use the machine was the British variety artist and actor Reg Varney.[7][8] The first ATMs accepted only a single-use token or voucher, which was retained by the machine. These worked on various principles including radiation and low-coercivity magnetism that was wiped by the card reader to make fraud more difficult.[5] The machine dispensed pre-packaged envelopes containing ten pounds sterling. The idea of a PIN stored on the card was developed by the British engineer James Goodfellow in 1965.[5]
In 1968 the networked ATM was pioneered in Dallas, Texas, by Donald Wetzel who was a department head at an automated baggage-handling company called Docutel. In 1995 the Smithsonian's National Museum of American History recognised Docutel and Wetzel as the inventors of the networked ATM. [9]
ATMs first came into wide UK use in 1973; the IBM 2984 was designed at the request of Lloyds Bank. The 2984 CIT (Cash Issuing Terminal) was the first true Cashpoint, similar in function to today's machines; Cashpoint is still a registered trademark of Lloyds TSB in the U.K. All were online and issued a variable amount which was immediately deducted from the account. A small number of 2984s were supplied to a US bank. Notable historical models of ATMs include the IBM 3624 and 473x series, Diebold 10xx and TABS 9000 series, and NCR 5xxx series.
[edit] Location
An ATM Encrypting PIN Pad (EPP) with German markings
ATMs are placed not only near or inside the premises of banks, but also in locations such as shopping centers/malls, airports, grocery stores, petrol/gas stations, restaurants, or any place large numbers of people may gather. These represent two types of ATM installations: on and off premise. On premise ATMs are typically more advanced, multi-function machines that complement an actual bank branch's capabilities and thus more expensive. Off premise machines are deployed by financial institutions and also ISOs (or Independent Sales Organizations) where there is usually just a straight need for cash, so they typically are the cheaper mono-function devices. In Canada, when an ATM is not operated by a financial institution it is known as a "White Label ATM".
In North America, banks often have drive-thru lanes providing access to ATMs.
Many ATMs have a sign above them indicating the name of the bank or organization owning the ATM, and possibly including the list of ATM networks to which that machine is connected. This type of sign is called a topper.
[edit] Financial networks
An ATM in the Netherlands. The logos of a number of interbank networks this ATM is connected to are shown.
Most ATMs are connected to interbank networks, enabling people to withdraw and deposit money from machines not belonging to the bank where they have their account or in the country where their accounts are held (enabling cash withdrawals in local currency). Some examples of interbank networks include PULSE, PLUS, Cirrus, Interac, Interswitch, STAR, and LINK.
ATMs rely on authorization of a financial transaction by the card issuer or other authorizing institution via the communications network. This is often performed through an ISO 8583 messaging system.
Many banks charge ATM usage fees. In some cases, these fees are charged solely to users who are not customers of the bank where the ATM is installed; in other cases, they apply to all users. Where machines make a charge some people will not use them, but go to a system without fees.
In order to allow a more diverse range of devices to attach to their networks, some interbank networks have passed rules expanding the definition of an ATM to be a terminal that either has the vault within its footprint or utilizes the vault or cash drawer within the merchant establishment, which allows for the use of a scrip cash dispenser.
A Diebold 1063ix with a dial-up modem visible at the base
ATMs typically connect directly to their ATM Controller via either a dial-up modem over a telephone line or directly via a leased line. Leased lines are preferable to POTS lines because they require less time to establish a connection. Leased lines may be comparatively expensive to operate versus a POTS line, meaning less-trafficked machines will usually rely on a dial-up modem. That dilemma may be solved as high-speed Internet VPN connections become more ubiquitous. Common lower-level layer communication protocols used by ATMs to communicate back to the bank include SNA over SDLC, TC500 over Async, X.25, and TCP/IP over Ethernet.
In addition to methods employed for transaction security and secrecy, all communications traffic between the ATM and the Transaction Processor may also be encrypted via methods such as SSL.[10]
[edit] Global use
An ATM in the Tokyo subway
There are no hard international or government-compiled numbers totaling the complete number of ATMs in use worldwide. Estimates developed by ATMIA place the number of ATMs in use at over 1.5 million as of August 2006.[11]
For the purpose of analyzing ATM usage around the world, financial institutions generally divide the world into seven regions, due to the penetration rates, usage statistics, and features deployed. Four regions (USA, Canada, Europe, and Japan) have high numbers of ATMs per million people[12] and generally slowing growth rates.[13] Despite the large number of ATMs,[14] there is additional demand for machines in the Asia/Pacific area as well as in Latin America.[15] ATMs have yet to reach high numbers in the Near East/Africa.[16]
The world's most northerly installed ATM is located at Longyearbyen, Svalbard, Norway.[17]
The world's most southerly installed ATM is located at McMurdo Station, Antarctica.[18]
The world's highest installed ATM is located at Nathu La Pass, India installed by the Union Bank of India [19]
While ATMs are ubiquitous on modern cruise ships, ATMs can also be found on some US Navy ships.[20]
In the United Kingdom, an ATM may be colloqually referred to as a "Cashpoint", named after the Lloyds Bank ATM brand, or "hole-in-the-wall", an expression[21] after which the equivalent Barclays brand was later named. In Scotland the term Cashline has become a generic term for an ATM, based on the branding from the Royal Bank of Scotland.
In the Republic of Ireland, ATM's are also commonly referred to as a "Banklink", named after the Allied Irish Bank brand of machines.
[edit] Hardware
A block diagram of an ATM
An ATM is typically made up of the following devices:
• CPU (to control the user interface and transaction devices)
• Magnetic and/or Chip card reader (to identify the customer)
• PIN Pad (similar in layout to a Touch tone or Calculator keypad), often manufactured as part of a secure enclosure.
• Secure cryptoprocessor, generally within a secure enclosure.
• Display (used by the customer for performing the transaction)
• Function key buttons (usually close to the display) or a Touchscreen (used to select the various aspects of the transaction)
• Record Printer (to provide the customer with a record of their transaction)
• Vault (to store the parts of the machinery requiring restricted access)
• Housing (for aesthetics and to attach signage to)
Recently, due to heavier computing demands and the falling price of computer-like architectures, ATMs have moved away from custom hardware architectures using microcontrollers and/or application-specific integrated circuits to adopting a hardware architecture that is very similar to a personal computer. Many ATMs are now able to use operating systems such as Microsoft Windows and Linux. Although it is undoubtedly cheaper to use commercial off-the-shelf hardware, it does make ATMs vulnerable to the same sort of problems exhibited by conventional computers.
Business owners often lease ATM terminals from ATM service providers.
Two Loomis employees refilling an ATM at the Downtown Seattle REI.
The vault of an ATM is within the footprint of the device itself and is where items of value are kept. Scrip cash dispensers do not incorporate a vault.
Mechanisms found inside the vault may include:
• Dispensing mechanism (to provide cash or other items of value)
• Deposit mechanism, including a Cheque Processing Module and Batch Note Acceptor (to allow the customer to make deposits)
• Security sensors (Magnetic, Thermal, Seismic)
• Locks: (to ensure controlled access to the contents of the vault)
• Journaling systems; some are electronic (a sealed flash memory device based on proprietary standards) or a solid-state device (an actual printer) which accrues all records of activity, including access timestamps, number of bills dispensed, etc. - This is considered sensitive data and is secured in similar fashion to the cash as it is a similar liability.
ATM vaults are supplied by manufacturers in several grades. Factors influencing vault grade selection include cost, weight, regulatory requirements, ATM type, operator risk avoidance practices, and internal volume requirements.[22]
Industry standard vault configurations include Underwriters Laboratories UL-291 "Business Hours" and Level 1 Safes,[23] RAL TL-30 derivatives,[24] and CEN EN 1143-1:2005 - CEN III/VdS and CEN IV/LGAI/VdS.[25][26]
ATM manufacturers recommend that vaults be attached to the floor to prevent theft.[27]
[edit] Software
A Wincor Nixdorf ATM running Windows 2000
With the migration to commodity PC hardware, standard commercial "off-the-shelf" operating systems and programming environments can be used inside of ATMs. Typical platforms used in ATM development include RMX, OS/2, and Microsoft operating systems (such as MS-DOS, PC-DOS, Windows NT, Windows 2000, Windows XP Professional, or Windows XP Embedded). Java, Linux and Unix may also be used in these environments.
Linux is also finding some reception in the ATM marketplace. An example of this is Banrisul, the largest bank in the south of Brazil, which has replaced the MS-DOS operating systems in its ATMs with Linux. Banco do Brasil is also migrating ATMs to Linux.
Common application layer transaction protocols, such as Diebold 911 or 912, IBM PBM, and NCR NDC or NDC+ provide emulation of older generations of hardware on newer platforms with incremental extensions made over time to address new capabilities, although companies like NCR continuously improve these protocols issuing newer versions (latest NCR Aptra Advance NDC Version 3.x.y (Where x.y are subversions). Most major ATM manufacturers provide software packages that implement these protocols. Newer protocols such as IFX have yet to find wide acceptance by transaction processors.[28]
With the move to a more standardized software base, financial institutions have been increasingly interested in the ability to pick and choose the application programs that drive their equipment. WOSA/XFS, now known as CEN XFS (or simply XFS), provides a common API for accessing and manipulating the various devices of an ATM.
J/XFS is a Java implementation of the CEN XFS API.[29]
A Suncorp Metway ATM running OS/2
While the perceived benefit of XFS is similar to the Java's "Write once, run anywhere" mantra, often different ATM hardware vendors have different interpretations of the XFS standard. The result of these differences in interpretation means that ATM applications typically use a middleware to even out the differences between various platforms.
With the onset of Windows operating systems and XFS on ATM's, the software applications have the ability to become more intelligent. This has created a new breed of ATM applications commonly referred to as programmable applications. These types of applications allows for an entirely new host of applications in which the ATM terminal can do more than only communicate with the ATM switch. It is now empowered to connected to other content servers and video banking systems.
Notable ATM software that operates on XFS platforms include Triton PRISM, Diebold Agilis, CR2 BankWorld, KAL Kalignite, NCR Corporation Aptra Edge, Phoenix Interactive VISTAatm, and Wincor Nixdorf Protopas.
With the move of ATMs to industry-standard computing environments, concern has risen about the integrity of the ATM's software stack.[30]
[edit] Security
A Triton brand ATM with a dip style card reader and a triple DES keypad
Security, as it relates to ATMs, has several dimensions. ATMs also provide a practical demonstration of a number of security systems and concepts operating together and how various security concerns are dealt with.
[edit] Physical
A Wincor Nixdorf Procash 2100xe Frontload that was opened with an angle grinder
Early ATM security focused on making the ATMs invulnerable to physical attack; they were effectively safes with dispenser mechanisms. A number of attacks on ATMs resulted, with thieves attempting to steal entire ATMs by ram-raiding.[31] Since late 1990s, criminal groups operating in Japan improved ram-raiding by stealing and using a truck loaded with a heavy construction machinery to effectively demolish or uproot an entire ATM and any housing to steal its cash.[32]
Another attack method, plofkraak, is to seal all openings of the ATM with silicone and fill the vault with a combustible gas or to place an explosive inside, attached, or near the ATM.[33] This gas or explosive is ignited and the vault is opened or distorted by the force of the resulting explosion and the criminals can break in.
Modern ATM physical security, per other modern money-handling security, concentrates on denying the use of the money inside the machine to a thief, by means of techniques such as dye markers and smoke canisters.[34]
A common method is to simply rob the staff filling the machine with money. To avoid this, the schedule for filling them is kept secret, varying and random. The money is often kept in cassettes, which will dye the money if incorrectly opened.
[edit] Transactional secrecy and integrity
The security of ATM transactions relies mostly on the integrity of the secure cryptoprocessor: the ATM often uses commodity components that are not considered to be "trusted systems".
Encryption of personal information, required by law in many jurisdictions, is used to prevent fraud. Sensitive data in ATM transactions are usually encrypted with DES, but transaction processors now usually require the use of Triple DES.[35] Remote Key Loading techniques may be used to ensure the secrecy of the initialization of the encryption keys in the ATM. Message Authentication Code (MAC) or Partial MAC may also be used to ensure messages have not been tampered with while in transit between the ATM and the financial network.
[edit] Customer identity integrity
A BTMU ATM with a palm scanner (to the right of the screen)
There have also been a number of incidents of fraud by Man-in-the-middle attacks, where criminals have attached fake keypads or card readers to existing machines. These have then been used to record customers' PINs and bank card information in order to gain unauthorized access to their accounts. Various ATM manufacturers have put in place countermeasures to protect the equipment they manufacture from these threats.[36][37]
Alternate methods to verify cardholder identities have been tested and deployed in some countries, such as finger and palm vein patterns,[38] iris, and facial recognition technologies. However, recently, cheaper mass production equipment has been developed and being installed in machines globally that detect the presence of foreign objects on the front of ATMs, current tests have shown 99% detection success for all types of skimming devices.[39]
[edit] Device operation integrity
ATMs that are exposed to the outside must be vandal and weather resistant.
Openings on the customer-side of ATMs are often covered by mechanical shutters to prevent tampering with the mechanisms when they are not in use. Alarm sensors are placed inside the ATM and in ATM servicing areas to alert their operators when doors have been opened by unauthorized personnel.
This article may be confusing or unclear to readers. Please help clarify the article; suggestions may be found on the talk page. (February 2009)
Rules are usually set by the government or ATM operating body that dictate what happens when integrity systems fail. Depending on the jurisdiction, a bank may or may not be liable when an attempt is made to dispense a customer's money from an ATM and the money either gets outside of the ATM's vault, or was exposed in a non-secure fashion, or they are unable to determine the state of the money after a failed transaction.[40] Bank customers often complain that banks have made it difficult to recover money lost in this way, but this is often complicated by the bank's own internal policies regarding suspicious activities typical of the criminal element.[41]
[edit] Customer security
Dunbar Armored ATM Techs watching over ATMs that have been installed in a van.
In some countries, multiple security cameras and security guards are a common feature.[42] In the United States, The NY State Comptroller's Office has criticized the NY State Department of Banking for not following through on safety inspections of ATMs in high crime areas.[43]
Critics of ATM operators assert that the issue of customer security appears to have been abandoned by the banking industry;[44] it has been suggested that efforts are now more concentrated on deterrent legislation than on solving the problem of forced withdrawals.[45]
At least as far back as July 30, 1986, critics of the industry have called for the adoption of an emergency PIN system for ATMs, where the user is able to send a silent alarm in response to a threat.[46] Legislative efforts to require an emergency PIN system have appeared in Illinois,[47] Kansas[48] and Georgia,[49] but none have succeeded as of yet. In January 2009, Senate Bill 1355 was proposed in the Illinois Senate that revisits the issue of the reverse emergency PIN system. [50] The bill is again resisted by the banking lobby and supported by the police. [51]
[edit] Alternative uses
Two NCR Personas 84 ATMs at a bank in Jersey dispensing two types of pound sterling banknotes: Bank of England notes, and States of Jersey notes
Although ATMs were originally developed as just cash dispensers, they have evolved to include many other bank-related functions. In some countries, especially those which benefit from a fully integrated cross-bank ATM network (e.g.: Multibanco in Portugal), ATMs include many functions which are not directly related to the management of one's own bank account, such as:
• Deposit currency recognition, acceptance, and recycling[52][53]
• Paying routine bills, fees, and taxes (utilities, phone bills, social security, legal fees, taxes, etc.)
• Printing bank statements
• Updating passbooks
• Loading monetary value into stored value cards
• Purchasing
o Postage stamps.
o Lottery tickets
o Train tickets
o Concert tickets
o Movie tickets
o Shopping mall gift certificates.
• Games and promotional features[54]
• Donating to charities[55]
• Cheque Processing Module
• Adding pre-paid cell phone credit.
Increasingly banks are seeking to use the ATM as a sales device to deliver pre approved loans and targeted advertising using products such as ITM (the Intelligent Teller Machine) from CR2 or Aptra Relate from NCR. ATMs can also act as an advertising channel for companies to advertise their own products or third-party products and services.[56]
In Canada, ATMs are called guichets automatiques in French and sometimes "Bank Machines" in English. The Interac shared cash network does not allow for the selling of goods from ATMs due to specific security requirements for PIN entry when buying goods.[57] CIBC machines in Canada, are able to top-up the minutes on certain pay as you go phones.
A South Korean ATM with mobile bank port and bar code reader
Manufacturers have demonstrated and have deployed several different technologies on ATMs that have not yet reached worldwide acceptance, such as:
• Biometrics, where authorization of transactions is based on the scanning of a customer's fingerprint, iris, face, etc. Biometrics on ATMs can be found in Asia.[58][59][60]
• Cheque/Cash Acceptance, where the ATM accepts and recognise cheques and/or currency without using envelopes[61] Expected to grow in importance in the US through Check 21 legislation.
• Bar code scanning[62]
• On-demand printing of "items of value" (such as movie tickets, traveler's cheques, etc.)
• Dispensing additional media (such as phone cards)
• Co-ordination of ATMs with mobile phones[63]
• Customer-specific advertising[64]
• Integration with non-banking equipment[65][66]
[edit] Reliability
An ATM running Microsoft Windows that has crashed
Before an ATM is placed in a public place, it typically has undergone extensive testing with both test money and the backend computer systems that allow it to perform transactions. Banking customers also have come to expect high reliability in their ATMs,[67] which provides incentives to ATM providers to minimize machine and network failures. Financial consequences of incorrect machine operation also provide high degrees of incentive to minimize malfunctions.[68]
ATMs and the supporting electronic financial networks are generally very reliable, with industry benchmarks typically producing 98.25% customer availability for ATMs[69] and up to 99.999% availability for host systems. If ATMs do go out of service, customers could be left without the ability to make transactions until the beginning of their bank's next time of opening hours.
This said, not all errors are to the detriment of customers; there have been cases of machines giving out money without debiting the account, or giving out higher value notes as a result of incorrect denomination of banknote being loaded in the money cassettes. Errors that can occur may be mechanical (such as card transport mechanisms; keypads; hard disk failures); software (such as operating system; device driver; application); communications; or purely down to operator error.
An ATM running OS/2 that has crashed
To aid in reliability, some ATMs print each transaction to a roll paper journal that is stored inside the ATM, which allows both the users of the ATMs and the related financial institutions to settle things based on the records in the journal in case there is a dispute. In some cases, transactions are posted to an electronic journal to remove the cost of supplying journal paper to the ATM and for more convenient searching of data.
Improper money checking can cause the possibility of a customer receiving counterfeit banknotes from an ATM. While bank personnel are generally trained better at spotting and removing counterfeit cash,[70][71] the resulting ATM money supplies used by banks provide no absolute guarantee for proper banknotes, as the Federal Criminal Police Office of Germany has confirmed that there are regularly incidents of false banknotes having been dispensed through bank ATMs.[72] Some ATMs may be stocked and wholly owned by outside companies, which can further complicate this problem. Bill validation technology can be used by ATM providers to help ensure the authenticity of the cash before it is stocked in an ATM; ATMs that have cash recycling capabilities include this capability.[73]
[edit] Fraud
As with any device containing objects of value, ATMs and the systems they depend on to function are the targets of fraud. Fraud against ATMs and people's attempts to use them takes several forms.
The first known instance of a fake ATM was installed at a shopping mall in Manchester, Connecticut in 1993. By modifying the inner workings of a Fujitsu model 7020 ATM, a criminal gang known as The Bucklands Boys were able to steal information from cards inserted into the machine by customers.[74]
In some cases, bank fraud could occur at ATMs whereby the bank accidentally stocks the ATM with bills in the wrong denomination, therefore giving the customer more money than should be dispensed.[75] The result of receiving too much money may be influenced on the card holder agreement in place between the customer and the bank.[76][77]
In a variation of this, WAVY-TV reported an incident in Virginia Beach of September 2006 where a hacker who had probably obtained a factory-default admin password for a gas station's white label ATM caused the unit to assume it was loaded with $5 USD bills instead of $20s, enabling himself—and many subsequent customers—to walk away with four times the money they said they wanted to withdraw.[78][79] This type of scam was featured on the TV series The Real Hustle.
ATM behavior can change during what is called "stand-in" time, where the bank's cash dispensing network is unable to access databases that contain account information (possibly for database maintenance). In order to give customers access to cash, customers may be allowed to withdraw cash up to a certain amount that may be less than their usual daily withdrawal limit, but may still exceed the amount of available money in their account, which could result in fraud.[80]
[edit] Card fraud
ATM lineup
The big queue at an ATM in Masalli, Azerbaijan.
In an attempt to prevent criminals from shoulder surfing the customer's PINs, some banks draw privacy areas on the floor.
For a low-tech form of fraud, the easiest is to simply steal a customer's card. A later variant of this approach is to trap the card inside of the ATM's card reader with a device often referred to as a Lebanese loop. When the customer gets frustrated by not getting the card back and walks away from the machine, the criminal is able to remove the card and withdraw cash from the customer's account.
Another simple form of fraud involves attempting to get the customer's bank to issue a new card and stealing it from their mail.[81]
Some ATMs may put up warning messages to customers to not use them when it detects possible tampering
The concept and various methods of copying the contents of an ATM card's magnetic stripe on to a duplicate card to access other people's financial information was well known in the hacking communities by late 1990.[82]
In 1996 Andrew Stone, a computer security consultant from Hampshire in the UK, was convicted of stealing more than £1 million (at the time equivalent to US$1.6 million) by pointing high definition video cameras at ATMs from a considerable distance, and by recording the card numbers, expiry dates, etc. from the embossed detail on the ATM cards along with video footage of the PINs being entered. After getting all the information from the videotapes, he was able to produce clone cards which not only allowed him to withdraw the full daily limit for each account, but also allowed him to sidestep withdrawal limits by using multiple copied cards. In court, it was shown that he could withdraw as much as £10,000 per hour by using this method. Stone was sentenced to five years and six months in prison.[83]
By contrast, a newer high-tech modus operandi involves the installation of a magnetic card reader over the real ATM's card slot and the use of a wireless surveillance camera or a modified digital camera to observe the user's PIN. Card data is then cloned onto a second card and the criminal attempts a standard cash withdrawal. The availability of low-cost commodity wireless cameras and card readers has made it a relatively simple form of fraud, with comparatively low risk to the fraudsters.[84]
In an attempt to stop these practices, countermeasures against card cloning have been developed by the banking industry, in particular by the use of smart cards which cannot easily be copied or spoofed by un-authenticated devices, and by attempting to make the outside of their ATMs tamper evident. Older chip-card security systems include the French Carte Bleue, Visa Cash, Mondex, Blue from American Express[85] and EMV '96 or EMV 3.11. The most actively developed form of smart card security in the industry today is known as EMV 2000 or EMV 4.x.
EMV is widely used in the UK (Chip and PIN) and other parts of Europe, but when it is not available in a specific area, ATMs must fallback to using the easy to copy magnetic stripe to perform transactions. This fallback behaviour can be exploited.[86] However the fallback option has been removed by several UK banks, meaning if the chip is not read, the transaction will be declined.
In February 2009, a group of criminals used counterfeit ATM cards to steal $9 million from 130 ATMs in 49 cities around the world all within a time period of 30 minutes. [87]
Card cloning and skimming can be detected by the implementation of magnetic card reader heads and firmware that can read a signature embedded in all magnetic stripes during the card production process. This signature known as a "MagnePrint" or "BluPrint" can be used in conjunction with common two factor authentication schemes utilized in ATM, debit/retail point-of-sale and prepaid card applications.
This article's tone or style may not be appropriate for Wikipedia. Specific concerns may be found on the talk page. See Wikipedia's guide to writing better articles for suggestions. (April 2008)
Automated Teller Machines were first used in 1939. Nowadays, about 1.5 million are installed worldwide[1].
In the consideration of ATM, there are different aspects that should be considered. First, one has to have an idea about the communication within ATMs. Second, the issue of security is of paramount importance because all over the world, there is an increasing use of ATMs and so the risks of hacking turn to be a reality more than ever before. In the past, the function of ATMs was to deliver cash in the form of bank notes and to debit a corresponding bank account. Cards were used to identify the user. As for the withdrawal of money, different methods were used. For instance, punched cards were used. By the use of such cards, only one payment was authorized. Thereby, a user had to get a supply of cards from his/her bank because the punched cards were not returned to the user. Another example was the use of a magnetic card which had a limited life. The use of such cards allowed; for instance, twenty withdrawals of money. From the beginning, personal identification number PIN has been of very great importance in the overall operation.
D.W. Davies & W. L. Price (1984). Security for computer networks : an introduction to data security in teleprocessing and electronic funds transfer. ISBN 0-471-90063-X.
The use of it has been done with the aim to decrease the risks that might result from the loss of cards and the misuses that might be connected to that. In fact, in the past as well as in the present, there have been different aspects in the consideration of the designing and the communicative basics of Automated Teller Machines. One aspect of it has been how communication between its participants could be possible[2]. The second of it has been to take into consideration the purposes which could be a part and a parcel of any communicative act. In this context, there are different participants involved in ATMs communication. To cite but a few of them, in an ATM communication, there are remote partners and interfaces to the outside world and these interfaces are in their turn subject to more than one classification. The first interface represents the relationship between the End-user and Automated Teller Machine. The second interface occurs between the ATM and the central bank computer.
Contents
[hide]
• 1 Protection of Communication [3]
o 1.1 PIN validation, Management and Algorithmic Checking
1.1.1 PIN Validation for local Transactions
1.1.1.1 On-Line PIN Validation
1.1.1.2 Off-Line PIN Validation
1.1.2 PIN Validation for Interchange Transactions
1.1.2.1 Shared ATMs [4]
o 1.2 Hardware Security Module
o 1.3 Authentication and Data Integrity
• 2 Security [6]
• 3 Conclusion
• 4 References
• 5 External links
[edit] Protection of Communication [3]
[edit] PIN validation, Management and Algorithmic Checking
The method of checking relies on an algorithm which is typically a cipher[1] with a secret key.
[edit] PIN Validation for local Transactions
[edit] On-Line PIN Validation
The validation of on-line PIN occurs if the terminal in question is connected to the central data base. The customer's entered PIN is always compared against as in the financial institutions recorded PIN of reference.
[edit] Off-Line PIN Validation
In off-line PIN validation, the ATM is not connected to the central data base. A condition for off-line PIN validation is that the ATM should be able to compare the customer's entered PIN against the PIN of reference. the terminal must be able to perform cryptographic operations and it must have at its disposal the required encryption keys its very slow
[edit] PIN Validation for Interchange Transactions
There are three PIN procedures for the operation of a high secure interchange transaction. PIN is encrypted at the entry terminal, a secret cryptographic key is used. In addition to other transaction elements, the encrypted PIN is transmitted to the acquirer's system. Second the encrypted PIN is routed from the acquirer's system to a Hardware Security Module. Within it, with the use of the cryptographic key of the terminal, the PIN will be decrypted. With a cryptographic key used for interchange, the decrypted key will be immediately reencrypted and will be routed to the issuer's system over normal communications channels. Third, the routed PIN will be decrypted in the issuer's security module and then validated on the basis of the techniques for on-line local PIN validation.
[edit] Shared ATMs [4]
There are different methods used in shared ATMs with regards to the encipherment of PIN and message authentication among them is the so called "ZONE ENCRYPTION". In this method, a trustful authority is appointed to operate on behalf of a group of banks so as they could interchange messages for ATM payment approvals.
[edit] Hardware Security Module
For a successful communication between a bank and ATMs, the incorporation of a cryptographic module named security module is of a very great importance. The security module is designed to be tamper resistant[5]. The security module performs a plethora of functions among them PIN verification, PIN translation in interchange, Key management and message authentication. As far as the use of PIN in interchanges is concerned, the PIN can be translated by the security module from the cryptographic key and format used by ATM to the format used for interchange. Moreover, the generation, the control, the maintenance and the protection of all keys associated with the user's network are within the capacities of the security module.
In the consideration of the personal verification process, it begins with the user's
supply of personal verification information. It is "the users remembered information". These information include among others a PIN and the provided customer's information which is recorded on the bank card. In cases where there is a storage of a cryptographic key on the bank card, it is called Personal key (KP). the pe [edit] Authentication and Data Integrity
rformance of personal identification can be done by the Authentication Parameter (AP). There are two possible ways of its operation. On the one, an AP can be time invariant. In such a case, an AP of reference can be stored in a verification table at the issuer and it can be precomputed. On the other, an AP can be time variant. In such a case, we have the dynamic computation of an AP of reference. Another point worth mentioning is the case where we have an IP which is based on both time variant information and on the transaction request message. In such a case where an AP can be used as a message authentication code (MAC), the use of message authentication is made recourse to find out stale or bogus messages which might be routed both into the communication path and the detection of modified messages which are fraudulent and which can traverse non-secure communication systems. In such cases, AP turns out to perform a double purpose. That is, it must be made recourse to for personal verification and message authentication. In cases where a duplicate of AP is recorded in a verification table at the authenticating code or where the authenticator is able to compute an AP of reference, the personal authentication code is used. In cases where it is not possible to assure the integrity of the verification table or the secrecy and the integrity of the recorded information to compute the AP of reference, then the personal identification can dwell on ID, AP and a personal authentication code (PAC).
[edit] Security [6]
A first approximation of security exposures in Electronic funds transfer systems can be done without delimiting their components. Electronic funds transfer systems have three components; namely communication links, computers, and terminals(ATMs). To begin with, communication links are subject to attacks. There are two techniques made recourse to as far as the inception of messages is concerned. On the one, they are subject to attack by the use of passive techniques such as listening. On the other, they might be subject to attack by active techniques such as data alteration and substitution. Moreover, both techniques can be used in combination. The second component is computer security. There are different techniques that can be used in order to have access to a computer such as the access to it via a remote terminal or other peripheral devices as the card reader. As a result of such attacks, abusers could copy, replace or even destroy programs or data saved in or being processed in a computer system. As for terminal security, it is of a great importance in cases where cipher keys reside in terminals. In the absence of physical security, an abuser may be probe for a key or substitute its value. In order to avoid such abuses, the preserving of both the integrity of non-secret parameters and the confidentiality of secret parameters should be incorporated. Moreover, the use of public key cryptosystem (PKC) where public keys in the Electronic funds transfer are made recourse to prove to be insecure in the absence of physical security at the entry points. Moreover, as a public key allows the terminal the authentication of the response messages received from the issuer, for the generation of the MACs on transaction request messages sent to the issuer, a secret key is still needed. In the conduction of transactions at the Electronic funds transfer terminal, the only required thing is personal verification. That is, the authentication of a message between the EFT terminal and the issuer is theoretically not required. In such a case, the installation of a public key in the Electronic funds transfer terminal would be adequate as far as the permission of personal verification is concerned
[edit] Conclusion
The application of cryptography to electronic funds transfer systems has shown that attacks may occur in different sub-systems. In other words, the protection of Electronic funds transfer terminals from attack by unauthorized outsiders is realized. Terminal's protection from authorized insiders is an impossible task. In order to go beyond these problems, the combined implementation of physical security, procedural protection and cryptography should be applied.
[edit] References
LIMITATION
Abstract
PNOs have observed that it has been very difficult to actually measure the performance of ATM networks. The problem they faced was that the materials contained in ITU-T recommendations were incomplete, contained inconsistencies and in some situations were too complex to be efficiently implemented in network equipment. This paper thus identifies the limitations in the standards related to ATM performance measurement on the three main performance areas (information transfer performance, availability performance and call processing performance) and proposes a solution for most of identified limitations. Extending results from earlier initiatives (ATM Pilot, JAMES project, various Eurescom projects including P515, P708), it aims at providing operators with a better means of handling performance aspects of ATM networks and switch vendors with a better understanding of operators needs
[88][89]
khushaljuneja
Khushal Juneja
hey i need the attachment asap...if u see this today reply immediately... i m not able to access the attachment from the site,maybe becoz i m new to the site..
abhishreshthaa
Abhijeet S
abhishreshthaa
Abhijeet S
hey friend, search for the project in the search option in the site...
there are many project on CREDIT CARDS IN INDIA...
here is the link...
check it out...
http://www.google.com/custom?hl=en&safe=active&client=pub-5725286117170576&cof=FORID:13;AH:left;S:http://managementparadise.com/forums;CX:Management%2520Paradise%2520Site;L:http://www.managementparadise.com/images/logo.jpg;LH:100;LP:1;LC:%230000FF;VLC:%23663399;DIV:%23336699;KMBOC:%23336699;KMTC:%230000CC;KMTVC:%230000CC;&adkw=AELymgVOk3CMr4kJD7-pgUD62eNA69RRgAhl7vMwcf1EAzBTd8uAknRlnVrkWT5s6az_tiX5W_MbzEjiUzdN9qxAeTmMJj78XSO50L6LWbhSUIIvmvw1OerGXp1QMxbmTk3cnoCPwrCrhEoZpKFu-Uo7VVHMgolFlSquKFz8t79eHbdAz4_IeKPTtsJh7ynTrEvFYtvbo5ec&channel=2786296433&boostcse=0&ie=ISO-8859-1&oe=ISO-8859-1&q=credit+card+project&btnG=Search&cx=partner-pub-5725286117170576:e5hvzm-cg7o
:SugarwareZ-100:
Every year Venture infotech releases survey report on Credit cards.
You can download it. Very good one
Welcome to Venture Infotek
You can download it. Very good one
Welcome to Venture Infotek
jambisculits
Priya Sonawane
hiee i'm very need of project foe final year of mba plz send it:SugarwareZ-197:
jambisculits
Priya Sonawane
HIEE
ROHAN
I'M VERY MUCH NEED OF D PROJECT "CREDIT CARD INDUSTRY IN INDIA"
PLZZ SEND IT ON [email protected]:SugarwareZ-084:
ROHAN
I'M VERY MUCH NEED OF D PROJECT "CREDIT CARD INDUSTRY IN INDIA"
PLZZ SEND IT ON [email protected]:SugarwareZ-084:
jambisculits
Priya Sonawane
HIEE
PLZZZZZZZZ MAIL ME D PROJECT I'M VERY IN NEED OD IT
PLZZ SEND IT ON [email protected]
PLZZZ
YAAR
PLZZZZZZZZ MAIL ME D PROJECT I'M VERY IN NEED OD IT
PLZZ SEND IT ON [email protected]
PLZZZ
YAAR
jambisculits
Priya Sonawane
plzz send d project on credit card industry in india
i'm very much in need of it
plzz send it on [email protected]
i'm very much in need of it
plzz send it on [email protected]
abhishreshthaa
Abhijeet S
hey friend, here is the project on the topic but please do not post your email ids as we do not mail projects...
project on Credit Card Industry
check it out...........
:SugarwareZ-086: