KOTTAYAM
SUBMITTED BY
Adrian Ashfield invented the basic idea of a card combining the key
and user's identity in February 1962. This was granted UK Patent 959,713
for "Access Controller" in June 1964 and assigned to W. S. Atkins &
Partners who employed Ashfield. He was paid ten shillings for this, the
standard sum for all patents. It was originally intended to dispense petrol
but the patent covered all uses.
Credit card
A debit card (also known as a bank card, plastic card or check card)
is a plastic payment card that can be used instead of cash when making
purchases. It is similar to a credit card, but unlike a credit card, the money
comes directly from the user's bank account when performing a
transaction.
Unlike credit and charge cards, payments using a debit card are
immediately transferred from the cardholder's designated bank account,
instead of them paying the money back at a later date.
Debit cards usually also allow for instant withdrawal of cash, acting
as an ATM card for withdrawing cash. Merchants may also offer cashback
facilities to customers, where a customer can withdraw cash along with
their purchase.
Procedure for issuing ATM Cards
Natural PIN
There are different methods of generating a natural PIN. The natural PIN
is a number. One of the methods adopted is to encrypt the card number.
After encryption, the encrypted value of the card number is obtained. This
encrypted value is decimalized which in turn will produce a number with
several digits. The first four digits of this number are called the natural
PIN. The value of the natural PIN is deducted from the PIN value, which
gives the offset value.
ATM uses
The customer swipes his ATM card and information provided in the
magnetic strip is read by the machine.
The customer has to key in his Personal Identification Number (PIN),
which he has received by means of the PIN mailer sent by the bank.
The PIN entered is immediately encrypted by the machine called
PIN machine. Sometimes this process is also achieved by means of
the software which resides in the ATM server. The encryption may
be done by means of hardware or software. When it is done by
hardware, there is a hardware security module (HSM); if it is done
by software, there is a software security module (SSM). The HSM or SSM
encrypts the PIN entered by the customer by means of an encryption
algorithm. This algorithm is loaded into the machine by the officers
of the bank. As it is necessary to ensure security, the loading process
is done under dual control by two officers, each loading one half of
the algorithm.
When account number and PIN provided by the customer tally with
the data available at the database of switch and PIN generated by
the PIN machine, the customer is authenticated. It means that the
customer has been recognised as a genuine customer of the bank.
It will be observed that the loss of the ATM card alone is not as much a
matter of concern as losing both the ATM card and the PIN information.
Once the customer is authenticated, the process requested by the
customer is initiated.
The activity of cash dispensing is facilitated by the ATM switch. The
cash is then picked by the customer.
After the cash has been dispensed and the customer has picked up
the cash, the ATM switch communicates with the Central Data Base
server so that the cash withdrawal is recorded and the balance is
accordingly reduced.
As we all know, there are arrangements between banks by which
ATM card of one bank can be processed at the ATM kiosk of another
bank. This process is possible within the banks which have entered
into an agreement to this effect. The process that follows when the
ATM card of a different bank is swiped at the ATM kiosk is slightly
different. As the ATM card of different bank is swiped, the
information regarding the bank and the customer number are
available to the ATM. The information so obtained is directed to the
ATM switch of the other bank. The process thereafter is similar to
the process discussed above.
It is possible that a customer did not or could not collect the cash
dispensed by the cash dispenser. In such a case, the cash dispensed
would be collected in a secure tray for collecting rejected cash. Also
the fact that cash was not collected would be reported by the ATM to
the switch. The switch in turn would request the host computer for
reversal of entry.
The switch and host computer log all events, thus facilitating
reconciliation of cash and entries.
Verification of PIN
The customer enters his PIN and there is a process which takes place
before the PIN is accepted and authenticated by the machine. The various
steps are as follows:
1. The customer inserts the card and thereafter types the PIN.
2. The encrypted PIN is sent to the ATM switch.
3. The details of ATM cards issued are already in the database, and when
the ATM card is inserted the machine verifies whether the
number is in the database and satisfies itself of its existence.
4. From the card number, the natural PIN is generated. As already discussed,
the natural PIN is generated by decimalizing the encrypted value of the
card number and taking only the first four digits as the natural
PIN.
5. The difference between the actual PIN and the natural PIN is stored in
the ATM switch as an initial step. Subsequently, whenever the customer
inserts his ATM card and keys his PIN into the machine, the correctness of
the PIN is verified by the system by the following process. The system has
stored the offset value.
6. When the card is inserted, the card number is encrypted by the HSM or
SSM. The encrypted value is decimalised and the natural PIN is
obtained.
7. The value of the natural PIN obtained is added to the offset value
available already in the system. At this stage, the relevant PIN is
generated within the system.
8. The generated PIN as described above is compared with the PIN typed
by the customer; if they tally the customer is authenticated.
Knowing the PIN alone will not enable a person to access the ATM
facility. It is the combined effect of the ATM card and the PIN which permits
access to the ATM.
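The offset scheme described under "Natural PIN" and "Verification of PIN", as an added Python example that is not part of the original report. It assumes HMAC-SHA-256 as a stand-in for the HSM/SSM encryption step, digit-by-digit modulo-10 arithmetic for the offset, and a constructed key and card number.

```python
import hashlib
import hmac

# Constructed sample values; a real PIN verification key stays inside the HSM.
PVK = bytes.fromhex("00112233445566778899aabbccddeeff")
CARD = "4000001234567899"
DECIMALIZATION = "0123456789012345"  # hex digit 0..F -> decimal digit
PIN_LEN = 4


def is_pin(value: str) -> bool:
    return len(value) == PIN_LEN and value.isascii() and value.isdigit()


def natural_pin(card_number: str, key: bytes = PVK) -> str:
    """Encrypt the card number, decimalize it, keep the first four digits."""
    if not (card_number.isascii() and card_number.isdigit()):
        raise ValueError("card number must be numeric")
    # Assumption: HMAC-SHA-256 stands in for the HSM/SSM encryption step.
    encrypted = hmac.new(key, card_number.encode(), hashlib.sha256).hexdigest()
    decimalized = "".join(DECIMALIZATION[int(h, 16)] for h in encrypted)
    return decimalized[:PIN_LEN]


def compute_offset(card_number: str, pin: str, key: bytes = PVK) -> str:
    """Issuance: offset = PIN - natural PIN, digit by digit modulo 10."""
    if not is_pin(pin):
        raise ValueError("PIN must be four digits")
    nat = natural_pin(card_number, key)
    return "".join(str((int(p) - int(n)) % 10) for p, n in zip(pin, nat))


def verify_pin(card_number: str, entered: str, offset: str, key: bytes = PVK) -> bool:
    """Verification: natural PIN + stored offset must equal the entered PIN."""
    if not (is_pin(entered) and is_pin(offset)):
        return False
    nat = natural_pin(card_number, key)
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))
    return hmac.compare_digest(expected, entered)  # constant-time comparison


if __name__ == "__main__":
    offset = compute_offset(CARD, "4821")  # stored at the switch, not the PIN
    print("offset:", offset)
    print("correct PIN:", verify_pin(CARD, "4821", offset))
    print("wrong PIN:", verify_pin(CARD, "4822", offset))
    # A PIN change rewrites only the offset; the natural PIN is unchanged.
    print("after change:", verify_pin(CARD, "7305", compute_offset(CARD, "7305")))
```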
Hardware
The vault of an ATM is within the footprint of the device itself and is
where items of value are kept. Scrip cash dispensers do not incorporate a
vault.
With the onset of Windows operating systems and XFS on ATMs, the
software applications have the ability to become more intelligent. This has
created a new breed of ATM applications commonly referred to as
programmable applications. These types of applications allow for an
entirely new host of applications in which the ATM terminal can do more
than only communicate with the ATM switch. It is now empowered to
connect to other content servers and video banking systems.
ATM vandals can either physically tamper with the ATM machine to
obtain cash, or employ credit card skimming methods to acquire control of
the user's credit card account. Credit card fraud can be done by inserting
discreet skimming devices over the keypad or credit card reader. The
alternative route to credit card fraud is to identify the PIN directly with
devices such as cameras concealed near the keypad.
Rules are usually set by the government or ATM operating body that
dictate what happens when integrity systems fail. Depending on the
jurisdiction, a bank may or may not be liable when an attempt is made to
dispense a customer's money from an ATM and the money either gets
outside of the ATM's vault, or was exposed in a non-secure fashion, or they
are unable to determine the state of the money after a failed transaction.
Customers often comment that it is difficult to recover money lost in this
way, but this is often complicated by the policies regarding suspicious
activities typical of the criminal element.
Figure 4 A BTMU ATM with a palm scanner (to the right of the screen)
There are three PIN procedures for the operation of a high-security
interchange transaction. The supplied PIN is encrypted at the entry
terminal; during this step, a secret cryptographic key is used. In addition
to other transaction elements, the encrypted PIN is transmitted to the
acquirer's system. Then, the encrypted PIN is routed from the acquirer's
system to a Hardware Security Module. Within it, the PIN is decrypted.
With a cryptographic key used for interchange, the decrypted key is
immediately reencrypted and is routed to the issuer's system over normal
communications channels. Lastly, the routed PIN is decrypted in the
issuer's security module and then validated on the basis of the techniques
for on-line local PIN validation.
Shared ATMs
The personal verification process begins with the user's supply of personal
verification information. This information includes a PIN and the
customer's information which is recorded on the bank account. In
cases where a cryptographic key is stored on the bank card, it is
called a Personal Key (PK). Personal identification processes can be done
by the Authentication Parameter (AP). It is capable of operating in two
ways. The first option is where an AP can be time invariant. The second
option is where an AP can be time variant. There is the case where there is
an IP which is based on both time variant information and on the
transaction request message. In such a case, where an AP can be used as a
message authentication code (MAC), message authentication is
used to detect stale or bogus messages which might be routed
into the communication path, and to detect modified messages
which are fraudulent and which can traverse non-secure communication
systems. In such cases, the AP serves two purposes.
Customer security
Paying routine bills, fees, and taxes (utilities, phone bills, social
security, legal fees, income taxes, etc.)
Printing or ordering bank statements
Updating passbooks
Cash advances
Cheque Processing Module
Paying (in full or partially) the credit balance on a card linked to a
specific current account.
Transferring money between linked accounts (such as transferring
between accounts)
Deposit currency recognition, acceptance, and recycling
This said, not all errors are to the detriment of customers; there
have been cases of machines giving out money without debiting the
account, or giving out higher value notes as a result of incorrect
denomination of banknote being loaded in the money cassettes. The result
of receiving too much money may be influenced by the card holder
agreement in place between the customer and the bank.
Fraud
Card fraud
EMV is widely used in the UK (Chip and PIN) and other parts of
Europe, but when it is not available in a specific area, ATMs must fall
back to using the easy-to-copy magnetic stripe to perform transactions.
This fallback behaviour can be exploited. However, the fallback option has
been removed on the ATMs of some UK banks, meaning if the chip is not
read, the transaction will be declined.