
CHAPTER ONE

INTRODUCTION

1.1. Background of the Study


In the current ATM system, which relies on two-factor authentication, security can
be breached when the password is divulged to an unauthorized user or the card is stolen by an impostor.
Chris (2014) states that ATMs have been incorporated in our way of life. They offer real
convenience to those on the run, but this advantage can be undone if customers do not feel
secure when using the facilities. Moreover, they are prone to fraud, and carry some elements of
risk. Furthermore, simple passwords are easy for any impostor to guess, while difficult passwords
may be snooped using sophisticated techniques; therefore, this system is not secure. Having the
first two security mechanisms (two-factor authentication) in place might not be enough.
It is on the basis of this argument that adding a third level of authentication can provide
significant authentication strength by relying on something that the user ‘is’. This means
something about that person that cannot be changed or easily mimicked, such as fingerprints,
facial features or eyes, which can be used as a factor of identity verification, hence three-factor
authentication.
Nowadays, interest in different systems of biometric identification
among users of computer systems has grown. The spheres of use of identification
technologies are not bounded. Government and private organizations are
interested in fingerprint technologies, as they allow for an increase in the level of
protection of secret and confidential information. Companies that deal in the
sphere of information technologies are interested in fingerprint,
face, voice and iris recognition technologies in order to check penetration of
their networks by outsiders. Payment processing has long been the weakest link in the transaction
processing cycle of a typical online business. Despite the advancement in
technologies for e-commerce applications, payment-related activities have been
the source of major breaches and security concerns. As fraud continues to increase
every year, many financial institutions are looking for possible solutions to this
problem. Among the new technologies for dealing with payment processing,
biometric payment technology has recently attracted more and more attention as
a viable solution to decrease identity theft (Swann, 2004).
In a bid to address issues of safety of customers’ funds and to avoid losses
through compromise of Personal Identification Numbers (PINs), the apex bank,
the Central Bank of Nigeria (CBN), is to introduce biometric authentication of Point of
Sale (PoS) terminals and Automated Teller Machines (ATMs) by 2015.
The apex bank had taken a giant step to gain the confidence of ATM
consumers following the circular enforcing migration from the magstripe type of
debit card to the chip and PIN (EMV compliance) type of debit card. Statistics show
that this effort has reduced fraud incidences by 90 per cent. Many customers
are now embracing these electronic (ATM and PoS) channels in their transactions
because of the near-impossible efforts required of would-be fraudsters to clone debit cards to
perpetrate fraud, as was the case during the pre-migration era. Interswitch also
helps customers with the availability of its e-payment solutions such as Paydirect,
Autopay, Direct Debit, Verve Card, Quickteller, Webpay and Smartgov. The
biometric authentication for PoS and ATMs to address the safety of customers’ funds
and avoid losses through compromise of PINs is being considered by the apex bank
and will be implemented by 2015.
Fingerprint-based authentication is a prospective contender to replace
password-based authentication. Among all the biometrics, fingerprint-based
identification is one of the most mature and proven techniques. At the time of a
transaction, the fingerprint image is acquired at the ATM terminal using a
high-resolution fingerprint scanner. Security measures at banks can play a critical,
contributory role in preventing attacks on customers (Kuykendall, et al, 2003).
In this project, a better approach for securing ATMs was developed using
password, biometric fingerprint and token-based authentication.

1.2. Aim and Objectives of the Study


The aim of this project is to develop a system that will enhance the security of ATM
machines using three-factor authentication strategies.
The objectives of this study are stated as follows:
a) To design a three (3) factor authentication system for ATM security.
b) To implement a three (3) factor authentication system for ATM security.
c) To evaluate a three (3) factor authentication system for ATM security.

1.3 Statement of the Problem


As ATM technology evolves, fraudsters are devising different skills to beat the security of the
system. Various forms of fraud are perpetrated, ranging from ATM card theft, skimming, PIN
theft, card reader techniques and PIN pad techniques to forced withdrawals and a lot more. Also, further
posits that managing the risk associated with ATM fraud as well as diminishing its impact is an
important issue that faces financial institutions as fraud techniques have become more advanced
with increased occurrences. Smartcard-based password authentication provides two-factor
authentication, namely a successful login that requires the client to have a valid smartcard and a
correct password or PIN. While it provides stronger security guarantees than password
authentication alone, it could also fail if both authentication factors are compromised (e.g., an attacker
has successfully obtained the password and the data in the smartcard). In this case, a third
authentication factor can alleviate the problem and further improve the system’s assurance. This
motivates three-factor authentication, which incorporates the advantages of authentication
based on PIN, smartcard and biometrics.
1.4 Scope of the Study
This project work covers the design and implementation of enhanced software for ATM
security which uses three (3) authentication methods: user password, biometric
fingerprint and token-based authentication. The system developed simulates the existing ATM
used for banking transactions.
1.5 Limitation of the study
The limitations of the study are as follows:
Due to the time factor allocated to this project, I was combining my course work with the
research; hence certain areas were not covered.
Inadequate funds also affected me in the conduct of this research.
1.6 Significance of the Study
Since the introduction of the first automated teller machine (ATM) in 1967, perpetrators have
been devising ways to try to steal the cash inside. Because ATMs eliminate the need for
round-the-clock human involvement and tend to be located in places that make them more vulnerable to
attack, they are often attractive targets for perpetrators. ATM crime is not limited to the theft of
cash in the ATM. Many ATM attacks seek to obtain a consumer’s personal information, such as
their card number and personal identification number (PIN). The personal identification number
(PIN) or password is one important aspect of an ATM security
system. If the system is developed, it will better the security of the ATM and improve the
confidence of customers.
CHAPTER TWO
LITERATURE REVIEW
2.1 Historical Development
The present-day ATM system in the United States has evolved in response to the needs of the
several different groups of users and providers of the ATM services. These groups include air
carrier, air taxi, military, general aviation, business aviation, pilots association, and air traffic
controllers association. The ATM system has changed with technological advancements in the
areas of communication, navigation, surveillance, computer hardware, and computer software.
Detailed historical accounts of ATM development are available in Refs. 1 and 3. In the history of
ATM development, five periods are easily identifiable. Early aviation developments took place
during the period from 1903 to 1925. This period saw the development of aircraft construction
methods, use of radio as a navigation aid, nighttime navigation using ground lighting, and the
development of airmail service. The important legislative action that marks this period is the
Airmail Act of 1925, which enabled the Postmaster General to contract with private individuals
and corporations for transporting mail. An important consequence of this Act was that
companies like Boeing, Douglas, and Pratt and Whitney got into the business of supplying
aircraft and engines to the budding airmail industry. With the increase in air traffic activity, a
need for regulation was felt to unify the industry through common sets of rules and procedures.
An advisory board made its recommendation in the Morrow Report which led to the signing of
the Air Commerce Act into law in 1926. This Act marks the beginning of the second period of
ATM development.
The period between 1926 and 1934 saw Charles Lindbergh’s flight across the Atlantic,
installation of ground-to-air radio in aircraft, development of ground-based radio navigation aids,
airline aircraft equipped with two-way radio telephone, radio-equipped air traffic control tower,
and the development of a new generation of faster higher-flying transport aircraft capable of
being flown solely with reference to cockpit instrumentation. The third phase of the ATM
development is marked by the creation of the Bureau of Air Commerce in 1934.
During the third phase that lasted until 1955, numerous changes took place that shaped the ATM
system to its present form. The principal airlines established interline agreements in
1935 to coordinate traffic into the Newark, Chicago, and Cleveland airports. The center
established at Newark became the first airway traffic control unit (ATCU) in the world. In 1938,
the US Congress created the Civil Aeronautics Authority which in 1940 was reorganized as the
Civil Aeronautics Administration (CAA). This period saw the development of visual flight rules
(VFR) and instrument flight rules (IFR). The civil airways system, controlled airports, airway
traffic control areas, even and odd altitude levels, and radio fixes for mandatory position
reporting by IFR aircraft were established during this phase. By 1942, 23 ARTCCs (former
ATCUs) provided coverage of the complete continental airways system. During the World War II
years between 1941 and 1945, the CAA set up approach control facilities at the busiest airports
to separate arriving and departing aircraft out to 20 miles. In 1947, the International Civil
Aviation Organization (ICAO) was formed. It adopted the US navigation and communication
standard as the worldwide standard and English as the common language for air traffic control.
The most important development of this period was the radio detection and ranging (radar)
device. The postwar era saw the development of direct controller/pilot interaction,
implementation of the VHF omnidirectional range (VOR) and distance measuring equipment
(DME), installation of the instrument landing system (ILS) for pilot aiding during landing, and
application of radar for surveillance in the airport areas.

The fourth phase of ATM development occurred during 1955 to 1965. A short-range air
navigation system known as the VORTAC system was developed by colocating the civilian
VOR and the US Navy developed tactical air navigation (TACAN) system in common
facilities. Experience with radar use during the postwar era eventually led to the development of
air route surveillance radar (ARSR). The first such system was installed at the Indianapolis
Center in 1956. In the same year, the first air traffic control computer was also installed at the
Indianapolis Center. Research and development efforts were begun by the CAA for a secondary
radar system that would use a ground interrogator to trigger transponders onboard the aircraft
and obtain replies to display the aircraft identification and altitude on the controller’s radar
screen. An experimental version of this system known as the air traffic control radar beacon
system (ATCRBS) was implemented in 1957. In 1958 the US Congress
passed the Federal Aviation Act which created the Federal Aviation Agency as the new
independent agency to succeed the CAA. Due to the acceptance of radar surveillance as the
principal tool for control of air traffic, new separation standards were needed. Other significant
changes during this period were the introduction of high-speed commercial jet aircraft and
increase in traffic volume. To accommodate these developments and to keep the task of ATM
manageable, smaller segments of airspace known as sectors were developed based on air traffic
flow patterns and controller workload considerations. To reduce the workload associated with
bookkeeping caused by sectorization, a computerized flight information system for updating
flight information and automatically printing flight progress strips was developed. By 1963
several of the flight data processing (FDP) computers were placed into operational ATM service.
The first prototype of a computerized radar system for arrival and departure control called the
automated radar terminal system (ARTS) was installed in the Atlanta, Georgia, air traffic control
tower in 1964. In addition to the steady.

2.2 Security Issues in ATM

Coventry (2003) presented usability and biometric verification at the ATM interface (Advanced
Technology and Research, NCR Financial Solutions Division). The motivation of the research is
that methods for increasing security, such as regularly changing PINs and passwords, increasing
their length, ensuring they do not form words and ensuring all are different, make them more
difficult to remember and, therefore, error-prone. The objective of the paper is to provide a
summary of the user-centred aspects of the research carried out over the last five years to
understand attitudes towards, and behavior with, biometric verification at the Automated Teller
Machine (ATM) interface. These objectives were accomplished by adopting the following
methodology: with iris verification, for application at ATMs, a wide-angle camera finds the head
of the person to be identified. A zoom lens then targets in on the user’s iris and takes a digital
photo. A template of concentric lines is laid on the iris image, a number of specific points
are recorded, and the information is converted into a digital template. This can then be compared
with others for verification and identification purposes. The general interest in iris verification
applied to public technology is centred upon its accuracy or reliability, which is much greater than
that of, say, fingerprints, and the fact that the biometric itself can be acquired without the individual
having to come into physical contact with the ‘end-point’. The researcher, after a critical review
of the mode of authentication in ATM security, decided to bring a multifactor authentication
system into use; he explored the possibilities of having a multifactor authentication system in the
user which can be adopted in other machines. The limitation of the paper is that the researcher should
have used a 3-D API for the Graphical User Interface (GUI), for example OpenGL in place of the Java
Swing API. The JDBC architecture could have been extended to three-tier using an application
server like APPLET server. There was no fingerprint matching algorithm.

Adeniran & Junaidu (2014) proposed an empirical study of Automated Teller Machine (ATM)
and user satisfaction in Nigeria: a study of United Bank for Africa in Sokoto Metropolis. The
motivation for the research is that it provides a significant relationship between service quality and
a firm’s performance based on improved productivity, increased market share, enhanced
customer attraction and loyalty, improved staff morale and sustained profitability. It stresses the
positive dimension of ATMs based on freedom of transaction. A customer-focused ATM delivery
system that fulfils customers’ needs and maximizes operational performance is an essential dimension
for a bank to achieve. It examines the factors that influence customers’ satisfaction with ATM
service quality. These factors include the costs involved in the use of ATMs and the efficient functioning
of ATMs. The objectives of the paper are: to know how users perceive the ease of use of ATMs; to
know how availability of money in both affects user satisfaction; to know how transactions affect
user transaction; and to know how service security affects user satisfaction. These objectives
were accomplished by adopting the following methodology: the study adopts survey
research. It probes deeply into the opinion of respondents regarding their satisfaction with
automated teller machine services. However, the research focuses on users of United
Bank for Africa in Sokoto metropolis. The rationale for the selection of the states is that they
constitute a relatively new area where much empirical research has not been conducted. Most
related research concentrated on other zones and countries. Data will be collected on user
satisfaction through the use of a questionnaire. The above methodology led to the method of data
collection. The data of this study was collected in Sokoto metropolis and was obtained through
the survey method using a standard questionnaire. Data analysis investigates the extent to which
Automated Teller Machine (ATM) services, in terms of their ease, availability of money,
transaction cost and service security, affect customer satisfaction in Nigeria using a sample
of customers obtained from UBA branches in Sokoto metropolis. The research contributes to
knowledge on ATM service satisfaction by increasing confidence in the ATM system and by showing
how ATM users can use the machine easily. The limitation of this research is that the researcher
did not introduce the use of biometric fingerprint, which is the unique genetic code
of DNA peculiar to each person, and did not utilize One Time Password (OTP) as a medium of
authentication in ATM.

Olatunji, K.A et al (2016) proposed Design and Implementation of a Multifactor Authentication
System in ATM Security. The motivation for the research is that security-increasing methods such
as regularly changing PINs and passwords, increasing their length, ensuring that they do not
form words and ensuring they are all different make them more difficult to remember. The authors also
considered the numerous security challenges encountered by Automated Teller Machines (ATMs),
given that the existing security in the ATM system has not been able to address these
challenges, and the need to enhance the ATM security system to overcome these challenges. The
objective of the paper is to combine PIN verification and fingerprint recognition
technology for identification. The methodology the research used to accomplish the stated
objective is detailed as follows:
First and foremost, the researcher reviewed relevant material related to the study area. The
ATMs are networked and connected to a centralized computer (switch), which controls the
ATMs. The use of biometric identification is possible at an ATM. The information can be stored
at a bank branch or network provider. The typical ATM has two input devices (a card reader and
keypad) and four output devices (display screen, cash dispenser, receipt printer and speaker).
Invisible to the client is a communications mechanism that links the ATM directly to an ATM
host network. The ATM functions much like a PC: it comes with an operating system (usually
OS/2) and application software for the user interface and communications. While most ATMs
use magnetic strip cards and personal identification to identify account holders, other systems
may use smart cards with fingerprint validation. The
ATM forwards information read from the client’s card and the client’s request to a host
processor, which routes the request to the concerned financial institution. If the cardholder is
requesting cash, the host processor signals a transfer of funds from the customer’s bank account to the host
processor’s account. Once the funds have been transferred, the ATM receives an approval code
authorizing it to dispense cash. This communication, verification, and authorization can be
delivered in several ways. The research contributed to knowledge in the following way: at
the end of the research, a multifactor authentication system for securing ATMs to help reduce
crime rates at the ATM was developed. Multifactor authentication in ATMs is a very important
technology which should be adopted in various financial institutions to curb the crime rate that
has been facing the country. This project has helped in providing a more secure way of
protecting users’ accounts. It brought what you know, what you have and who you are (factors)
together to function as one. The system was implemented with C# using MS Visual Studio 13.
The PIN, which is a combination of four digits, is given by the bank and can be
changed by the user at any time; the OTP was sent to the user’s phone with the help of the
Clickatell API. Multifactor authentication provides better security for ATMs. The limitation is that
they should have used the minutia approach to avoid database-type attacks. There are
many fingerprint recognition models available to practice with new fingerprint recognition
methods.

Dondo, et al (2017) proposed Fingerprint and PIN Authentication to Enhance Security at the
Automated Teller Machines. The motivation for the research is that current authentication
systems are characterized by an increasing interest in biometric techniques. Among these
techniques are face, fingerprint, hand geometry, hand vein, iris, retinal pattern, signature and
voiceprint. All these methods have different degrees of uniqueness, permanence, measurability,
performance, user acceptability and robustness against issues like fraud, and fingerprint is the
most preferred. It offers the ability to distinguish a masquerading attacker’s actions from legitimate user
activities. Also, considering the numerous security challenges encountered by Automated Teller
Machines (ATMs) and users, and given that the existing security in the ATM system has not been
able to address these challenges, there is a need to overcome these challenges. This research focuses
on how to enhance the security of transactions in the ATM system using fingerprint. The system adopts
the same measure as the current work by formulating modules for fingerprint enrolment,
enhancement, feature extraction, database and matching. The objective of this research is to
enhance the security of the existing ATM (Automated Teller Machine) system by
integrating the existing PIN (Personal Identification Number) with fingerprint, and to propose the use
of fingerprint and PIN as an authentication system in the bank’s ATM. These objectives
were accomplished by adopting the following methodology: this research presents security
in two ways, a design that considers the fingerprint image for client-side security and also
considers the algorithm for secured communication between the client and server. The
biometric authentication process adds a new dimension of security for any person sensitive to
authentication. The above methodology led to the method of data collection. Data can be
collected in two sets: primary and secondary data collection. The primary data can be
collected using questionnaires and personal interviews, while the secondary data is collected
mainly from library research. Data analysis involved editing, coding, classification and tabulation
of the data collected. The researcher, after a critical review of the mode of authentication in ATM
security, decided to bring 2-factor authentication into use; he explored the possibilities of
having a multifactor authentication system in the user which can be adopted in other machines.
The limitation of the paper is that the researcher does not introduce the use of OTP (One Time
Password) security.
2.3 Authentication Concept
According to Christopher, et al (2013), ‘identification’, ‘authentication’ and ‘authorization’ are
three interrelated concepts, which form the core of a security system. Identification is the
communication of an identity to an information system (IS). Before authentication, the claimant typically provides
the IS with an identity anyway (for example, a login or an email address), and the monitor asserts the
identity by authentication (for example, using a password). An authentication is a proof given by
a claimant to assure a monitor that he/she really corresponds to the identity he/she provided. The
monitor then assures the IS of the identity of the user. Finally, authorization is the
privileges granted to the user.
Authentication systems provide the answers to two questions: (i) who is the user? and (ii) is the
user really who he/she represents himself/herself to be? Hence, authentication represents one of
the most promising ways of enhancing trust and security for commercial applications.
It also denotes a property of ensuring the identity of the previously mentioned entities. Besides,
authorization is a process of giving individuals access to the system
objects based on their identity. Authorization systems provide the answers to three
questions:
(i) Is user U authorized to access resource R?
(ii) Is user U authorized to perform operation O?
(iii) Is user U authorized to perform operation O on resource R?
There is often confusion between ‘identification’, ‘authentication’ and ‘authorization’. These
terms do not have the same meaning at all. Each of these concepts requires an enrolment
step. Enrolment is the ‘registration’ of a new user, including the issuing of tokens and
credentials. Enrolment is a major concern and should also be carefully handled.
In the rest of this project, we will consider that the IS has already registered the claimant. Having said
that, we then need a link between the claimant and the monitor. This link is called a
channel. A channel is a medium of communication between the claimant and the monitor. It can
be considered as confidential, authentic, secure or insecure. A confidential channel is
resistant to interception; an authentic channel is resistant to tampering; a secure channel is
resistant to both; and an insecure channel is resistant to neither. The goal of authentication is to assert an
identity, but the scope of authentication methods is very large and they can vary in many ways.
Below is a list of some of the common authentication methods:
An ID (identification)/password: to open a session on a computer or to authenticate on the
Internet;
A PIN (Personal Identification Number) code: to unlock a smartcard;
An RFID card: for accessing a building;
A fingerprint: to unlock a door;
A facial recognition system with a webcam: to open a session on the Internet;
A USB token;
A one-time password token.
Each one of the authentication methods has a specific use and inherent drawbacks.
Tokens can be stolen, facial recognition systems can be broken by presenting a photo of
the genuine user, and so on. This concerns the trustworthiness of the authentication method. In
consequence, the goal of authentication is to verify the identity of an entity with a given
level of trust. If an authentication method cannot be fully trusted, the provided
verification cannot be either. Even a good authentication technique will not be secure if
the implementation allows backdoors, as shown in Figure 2.1.
Figure 2.1: An authentication system seen on a Wi-Fi router that clearly indicates to an
attacker which password to try first.

2.4 One-Time Password Token


The main drawback of static passwords is their lack of protection against replay attacks; hence,
the purpose of the OTP mechanism is to eliminate the replayability of passwords by
generating a new password for each use. OTP systems can be considered a bridge between
static password authentication and a better authentication method. They facilitate the migration of
legacy applications that were designed to rely only on passwords (mainframes, websites, the IS
of an organization). The only impacted component is the monitor, and the IS does not need any
change. An OTP token generally consists of a device with an LCD (liquid-crystal display)
screen, which displays alphanumeric characters. It can have a button to generate OTPs, and some
are locked by a PIN code (whose keyboard is either directly on the device or on the reader),
so they can be considered as TF-A. As an OTP token generates a password, verification requires
synchronization between the token and the monitor. There are several categories of OTP,
depending on whether they are counter synchronized, time synchronized, involve a secure channel, or use a
shared list of passwords.

Figure 2.2: The token on the left is a challenge-type OTP card with a PIN code (CRYPTOCard). The one
on the right is a counter-synchronized OTP token (ZyXEL).

A counter-synchronised OTP, sometimes also called “Mathematical hash chain OTP” or
“Mathematical key chain OTP”, often implies a token with a button on it. Each press of the
button generates a new password that can be used to log on. Most are based on the Leslie
Lamport scheme (Lamport, 1981). Secondly, in a time-synchronized OTP, the token has an
internal clock and so does the monitor. New passwords are generated from the value of the current
timestamp, rather than from a shared secret or a previous password. The value of the generated
password usually changes every one or two minutes. Thirdly, an OTP can also be sent to the
claimant through a secure channel. The claimant has to be authenticated through an unsecured
channel, but the monitor could provide the claimant with a random OTP
through a third-party channel, which is considered secure, where the claimant is already
authenticated. The claimant then sends back the OTP through the insecure channel to prove his/her
identity to the monitor. Finally, with a shared list of passwords, the claimant and the monitor
share copies of the same unpredictable list of passwords. If the list is ordered, the only allowed
passwords are those following the last one used, and if it is not, each password from the list can
be used only once. Another form of authentication method is cryptographic
challenge-response based authentication (Syed Zulkarnain, et al 2013).
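
The counter-synchronised scheme described above, as an added example that is not part of the original report: a Lamport-style hash chain in which the monitor stores only the last accepted value, rejects replayed passwords, and tolerates a few button presses that were never submitted. SHA-256, the names Token and Monitor, the seed and the look-ahead window are assumptions chosen for illustration.

```python
import hashlib
import hmac


def h(value: bytes) -> bytes:
    """One-way function of the chain (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(value).digest()


def chain(seed: bytes, n: int) -> bytes:
    """Return H^n(seed): the seed hashed n times."""
    value = seed
    for _ in range(n):
        value = h(value)
    return value


class Token:
    """Claimant side: holds the secret seed and walks the chain backwards."""

    def __init__(self, seed: bytes, length: int):
        self._seed = seed
        self.remaining = length

    def press(self) -> bytes:
        """Simulate one button press: emit the next unused password."""
        if self.remaining <= 0:
            raise RuntimeError("hash chain exhausted; the token must be re-enrolled")
        self.remaining -= 1
        return chain(self._seed, self.remaining)


class Monitor:
    """Verifier side: stores only the last accepted value, never the seed."""

    def __init__(self, anchor: bytes, look_ahead: int = 3):
        self.last = anchor            # H^n(seed), registered at enrolment
        self.look_ahead = look_ahead  # tolerated presses that were never submitted

    def verify(self, otp: bytes) -> bool:
        """Accept otp only if hashing it forward reaches the stored value."""
        candidate = otp
        for _ in range(self.look_ahead + 1):
            candidate = h(candidate)
            if hmac.compare_digest(candidate, self.last):
                # Advance the state: this password and every older one can
                # no longer hash forward to the stored value, so replay fails.
                self.last = otp
                return True
        return False


def demo() -> dict:
    """Run four constructed cases and report which ones the monitor accepts."""
    seed = b"constructed-demo-seed"   # constructed sample value, not a real secret
    token = Token(seed, length=10)
    monitor = Monitor(chain(seed, 10), look_ahead=2)

    first = token.press()
    results = {
        "fresh": monitor.verify(first),
        "replayed": monitor.verify(first),   # same password sent a second time
    }

    for _ in range(2):                # two presses that never reach the monitor
        token.press()
    results["after_two_lost_presses"] = monitor.verify(token.press())

    for _ in range(3):                # three lost presses exceed the window
        token.press()
    results["after_three_lost_presses"] = monitor.verify(token.press())
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```
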
2.5 Biometrics
Christopher, et al (2013) state that biometrics is used as a form of identity access
management and access control. Biometrics is an ancient Greek word and is the
combination of two words: (bio) means life and (-metric) means measurement. According to
(Wikipedia, 2011a), biometrics has been around since about 29,000 BC, when cavemen would
sign their drawings with handprints. However, it is said that the history of biometric techniques
originated in China in the 14th century. It was a form of fingerprinting, as reported by the
Portuguese historian Joao de Barros. Biometrics is a science that consists of methods for
uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. It
has become one of the popular and trustable security systems that have become an alternative to
password-based security systems. Biometric techniques have been developed for
machine-based verification of the identity of a person. Biometric characteristics can be divided into three
main classes, namely ‘Morphological’, ‘Behavioral’ and ‘Biological’. Morphological is related to
the shape of the body, such as retina, voice, prints (finger, thumb, palm), iris, hand geometry, face
recognition, ear, height, weight, skin, veins and gender. Behavioral is related to the behavior of a
person, such as gait, signature, keystroke dynamics, voice, driving, gaming and so on. Biological is
related to the inner part of a living organism, such as heart beat, odor, DNA and blood. Voice can be
categorized as both a morphological and a behavioral trait because every person has a different
vocal tract, but voice recognition is mainly based on the study of the way a person speaks, hence
it is commonly classified as behavioral. Some researchers have coined the term behaviometrics for the
behavioral class of biometrics.
Biometric recognition is largely studied in computer science. The use of biometric techniques,
such as face, fingerprints, iris and ears, is a solution for obtaining a secure
personal authentication method. Biometrics uses the authentication factors, which are methods
based on something that qualifies the user and something that he/she can do. The main advantage
of these authentication methods is that there exists a strong relationship between the individual
(user) and his/her authenticator (biometric data). Furthermore, it is difficult to copy the biometric
characteristics of an individual compared to most other authentication methods. Nonetheless,
there is a drawback in biometric authentication, which
is the uncertainty of its verification result; for example, in fingerprint authentication there could
be an error due to bad positioning of the finger (McQuay and Smari, 2009).
Each time a user authenticates himself/herself, he/she provides biometric information with its
reference. This information is generally similar at each authentication attempt. An attacker could
intercept the information and replay it. Therefore, the solutions to this predicament have to be
dynamic.
Simske (2009) states that a dynamic means of granting access rights, known as dynamic
biometrics, must exist. There are several ways to achieve this, such as by defining
a generalization of a challenge-based password for biometrics, a one-time password authentication
scheme or perhaps free text on keystroke dynamics, and hence to achieve a system with a lighter
workload and higher security. Biometric authentication can be summarized in two steps, namely
enrolment and authentication. The enrolment stage is where the user provides his/her
biometric data. The biometric data will be captured, and then the features will be extracted and
stored in the database. During the authentication process, the stored features will be compared
with the ones currently presented for access. If they match, access will be granted. For
example, in keystroke dynamics, during the enrolment stage, the users are asked to provide their
way of typing, i.e. by typing a given password or passphrase on a keyboard between 5 and 10
times. Because keystroke dynamics is a behavioural biometric, the capture has to be done
collectively, i.e. several times, because each time the users type a
password/passphrase, their typing rhythm may differ slightly.
As mentioned by Simske (2009), we are proposing keystroke dynamics as a solution,
especially for password-based authentication. Keystroke dynamics is an interesting and
low-cost biometric modality as it enables the biometric system to authenticate or identify an
individual based on a person’s way of typing a password or a passphrase on a keyboard. It
belongs to the class of behavioral biometrics, in the sense that the template of a user reflects
an aspect of his/her behaviour, as mentioned earlier. Generally speaking, the global
performances of keystroke dynamics based authentication systems are lower than those of
popular morphologic modalities based authentication systems (such as fingerprints, iris, etc.).
We use the GREYC Keystroke software to capture biometric data as shown in Figure 2.5.
However, there is no single biometric modality expected to effectively satisfy the needs of all
authentication applications (usability, security, cost). Consequently, a vast number of biometrics
have been proposed, researched, analyzed and evaluated (Jain et al., 1999). Each biometric
has its strengths and limitations; therefore, each biometric appeals to specific
authentication applications (Jain et al., 1999; Stallings and Brown, 2008). The common problem
of personal authentication raises a number of important research issues such as “which
technologies are the most effective to achieve accurate and reliable authentication of
individuals?” Some of these problems are well-known open problems. As examples, in pattern
recognition and computer vision, they need a systematic cross-disciplinary effort compared to other
authentication methods. Therefore, biometric technology alone may not be sufficient to
solve these issues effectively; the solutions to the outstanding open problems may lie in
innovative engineering designs exploiting the constraints otherwise unavailable to
the applications and in harnessing biometric technology in combination with other allied
technologies (Jain et al., 1999).
In order to prevent information from being accessed by illegitimate or unauthorized
users, remote user authentication is certainly one of the most important services. However, a
major concern with the morphological-based biometrics is that if it can be copied by the
impostor using, say, deceit or force, the authentic user would be faced with a life-long loss of
identity. If this phenomenon ever happens, the consequences could be disastrous.
Figure 2.5 Characteristics of Biometrics.
2.6 Review of Related Works
For customers to really embrace the use of ATMs for their major transactions, the issue of
ATM security must be taken with all seriousness. ATM cards must be very secure even when the
owner misplaces or loses the card; this will prevent any attacker from using the card on any ATM
machine. Since security measures at ATM centers play a significant role in preventing attacks on
customers’ money, several researchers have proposed the use of fingerprints, in like manner to
this paper, to shift from PIN to biometric-based security. Fingerprinting has been the most widely
used during the 20th century. The maturity of
biometric techniques and generally the dramatic improvement of capture devices have led
to the proposal of fingerprinting in multiple applications, but in the last years minutiae have been
the main type of algorithm used. The minutiae are relatively stable and robust to
contrast, image resolution and global distortion as compared to other fingerprint representations.
Santhi and Kumar (2012) provided a better understanding of the benefits and limitations of
integrating biometrics into a PIN-based payment authentication system. Based on their review
they proposed a biometric that can be integrated in a PIN-based authentication infrastructure by
binding a fixed binary, renewable string to a noisy biometric sample. The South African Social
Security Agency (SASSA) has introduced a new SASSA Payment Card that has
fingerprint-authenticated features. The card is a SASSA-branded smart payment MasterCard, which has an
embedded chip containing personal details, fingerprint and secret PIN. With the card, the
customers can easily withdraw and make payments at point-of-sale (POS) centers, purchase
airtime, pay water and electricity bills from their accounts, or open accounts. Ibiyemi et al. (2012)
proposed a fingerprint orientation model based on 2D Fourier expansions (FOMFE) in the phase
plane. Though FOMFE does not require prior knowledge of singular points, it is able to describe
the overall ridge topology seamlessly. [9] proposed a smartcard based encryption/authentication
scheme for ATM banking systems. The first layer of the scheme is used to perform authentication
based on available information on the smartcard. Fingerprint based authentication via feature and
minutiae matching then follows on the second layer. [ focused on vulnerabilities and the
increasing wave of criminal activities occurring at ATMs and presented a prototype
fingerprint authentication for enhancing security. The systems adopt the same measure as the
current work by formulating modules for fingerprint enrolment, enhancement, feature extraction
and database and matching. Das and Jhunu (2011) proposed an ATM security enhancing method
with a secured Personal Identification Image (PII) process. A detailed study on various existing
biometric systems is also presented, stating their strengths and limitations. Bhosale and Sawant
(2012) present ground-breaking models for biometric ATMs which replace the card system with
biometric technology. The proposed systems hybridize feature-based fingerprint, iris and PIN to
provide reliable and fool-proof ATM authentication.
Mali et al. (2012) provided a network security framework for real-time ATM applications using a
combination of PIN, thumb scanning and face recognition to foster security. The proposed
framework is expected to register thumb and face features to be stored at the server side in
encrypted format. Authentication is done by decrypting patterns from the database and matching
them with the input pattern before access is granted for ATM operations. The integrated system uses
Principal Component Analysis (PCA) and Eigen algorithm for face recognition, LSB algorithm
for steganography and AES algorithm for cryptography. Though the framework looks promising,
its practicality is not supported by detailed implementation and evaluation. Abayomi-Alli et
al. (2012) proposed an enhanced e-banking system where a customer can access multiple accounts
over different banking institutions with a single ATM card with fingerprint authentication. A
match-on-card technique was used that relies on a one-to-one matching where the data from the
ATM fingerprint sensor is compared only to the template stored on the user’s ATM card. This
will help with the privacy concerns of users; the system will also help the users to have access to
multiple accounts with a single ATM card. It is secure and helps in reducing ATM fraud. The
paper used the characteristic features of fingerprints to overcome the limitations of PIN-based
ATM authentication. However, the proposed method presented adequate implementation and
evaluation to back up the performance claim. The proposed system is different from other
approaches because it makes use of UML modeling in designing the system, and uses a three-tier
architectural structure and minutiae for the extraction of the fingerprint.
CHAPTER THREE
RESEARCH METHODOLOGY
3.1 Preamble

This chapter discusses details of the research methodology, the analysis of the existing and the
proposed system, and the detailed design plan for the new system. A software development
methodology or system development methodology in software engineering is a framework that is
used to structure, plan, and control the process of developing an information system.
The methodology adopted is as follows:
Systems Development Life Cycle (SDLC)

3.2 Methodology Adopted


In this project work, we adopted the systems development life cycle (SDLC) because of
its simplicity in the process of designing a new system. The systems development life
cycle (SDLC) is a conceptual model used in project management that describes the stages
involved in an information system development project, from an initial feasibility study
through maintenance of the completed application. Various SDLC methodologies have
been developed to guide the processes involved, including the waterfall model (which
was the original SDLC method); rapid application development (RAD); joint application
development (JAD); the fountain model; the spiral model; build and fix; and
synchronize-and-stabilize.
Often, several models are combined into some sort of hybrid methodology.
Documentation is crucial regardless of the type of model chosen or devised for any
application, and is usually done in parallel with the development process. Some methods
work better for specific types of projects, but in the final analysis, the most important
factor for the success of a project may be how closely the particular plan was followed.
In general, an SDLC methodology follows these steps:
1. If there is an existing system, its deficiencies are identified. This is accomplished by
interviewing users and consulting with support personnel.
2. The new system requirements are defined including addressing any deficiencies in the
existing system with specific proposals for improvement.
3. The proposed system is designed. Plans are created detailing the hardware, operating
systems, programming, and security issues.
4. The new system is developed. The new components and programs must be obtained
and installed. Users of the system must be trained in its use, and all aspects of
performance must be tested. If necessary, adjustments must be made at this stage.
5. The system is put into use. This can be done in various ways. The new system can be
phased in, according to application or location, and the old system gradually replaced. In
some cases, it may be more cost-effective to shut down the old system and implement the
new system all at once.
6. Once the new system is up and running for a while, it should be exhaustively
evaluated. Maintenance must be kept up rigorously at all times. Users of the system
should be kept up-to-date concerning the latest modifications and procedures.

3.3 Data Collection


The techniques of observation, study of manuals and interview were employed during the
process of data gathering on the existing system. From the information gathered, security
issues still exist in the old system: sometimes the machine traps customers’ cards, which
means they cannot access their funds; loss of ATM cards was a great challenge; and the issue of
customers forgetting their PIN was among the problems identified during the
process of data collection.
3.3.1 Characteristic of the Population
In this work, we carried out our study in Union Bank Ogwashi, where students usually
experience a long queue as the process of authenticating a customer was time consuming.

3.3.2 Sampling Design and Procedure


In this work, we interviewed fifty (50) ATM users with Diamond bank, and the various
issues they experience in using the ATM were recorded.

3.3.3 Data Collection Instrument


In this work, observation and the interview method were the instruments used for data
collection. We had several challenges, however: most customers were
reluctant to give detailed information about their transactions as a result of the fear of the
unknown.

3.4 System Analysis Procedure


The purpose of the Systems Analysis Procedure is to create documents that define the
functions the system will perform. The Systems Analysis Procedure also creates an
acceptance test plan—which describes how to test system functions—and a beta test
plan—which describes how to conduct a user test of those functions. The Systems
Analysis Procedure applies to all software products and updates released by the company.
In system analysis the following procedures are applicable in the analysis of both existing
and proposed system. The procedures include:
Systems Analysis-Introduction
Systems Analysis-Requirements
Systems Analysis-Information Flows Documentation
Systems Analysis-Acceptance Test Plan
Systems Analysis-Beta Test Plan
Systems Analysis-Review
3.4.1 Performance Indicators for Existing System

The use of an ATM by a bank customer starts with an account opening process. A customer who
wishes to utilize the services provided by ATM systems must have an account with one of the
commercial banks. The customer is made to fill an account opening form by a representative of
the bank. In the process of filling the form, the customer will indicate if he/she would want to be
issued an ATM card. However, a customer who did not indicate interest during the account opening
process can always apply for an ATM card subsequently. Once the account is opened and
customer’s details saved in the bank database, the customer is issued a card for activation. To
activate a card, the customer is issued a secret code (OTP) printed on paper which will be used
for authentication. At the ATM terminal the customer
activates the card using the code to change to a preferred PIN which must not be disclosed to a
third party for subsequent transactions.
At the ATM, a customer begins a transaction by selecting from the customer screen options. The
customer inserts an ATM card into the card reader of the terminal. The card must be inserted so
that the magnetic stripe can be scanned by the card reader’s sensor. If the customer inserts the
card incorrectly, a warning message will be displayed, accompanied by several beeps to get
attention. Once the card has been read successfully, a surcharge message, if applicable, may be
displayed (the surcharge message may be displayed at the end of the customer’s transaction
selection). The customer must then enter a secret PIN code. Once the PIN has been entered, the
transaction type and account are selected, and the desired amount of the transaction, if needed.
The transaction will be processed, typically in a matter of seconds. If the transaction was
processed successfully, the customer is prompted to retrieve the requested cash (for withdrawal
transactions) and/or the applicable transaction receipt, as needed. If the transaction was declined,
a short receipt indicating the problem is printed. The architecture of a traditional ATM is
depicted in Figure 3.1.
The ATM sends the customer transaction request to a processor. A processor is a financial
intermediary, such as an Independent Sales Organization (ISO), bank, or other financial
institution that provides transaction- processing services for ATMs. The ATM must be set up
with a particular processor before customer transactions can take place. The processor routes the
transaction to the appropriate ATM network. An ATM network is a regionally or nationally
organized clearing house for financial transactions that deals directly with the appropriate
financial institution, such as the customer’s bank, in order to complete the transaction. The ATM
network routes the transaction to the appropriate bank or other institution for off-bank
transaction, confirms successful completion of the transaction, and sends a confirmation message
back to the processor. If the request was for a cash withdrawal, an Electronic Funds Transfer
(EFT) takes place to debit the funds (including any surcharge
fee, if applicable) from the customer’s bank account. The processor forwards a confirmation
message to the ATM (and an authorization to dispense currency, in the case of a cash
withdrawal). The ATM dispenses the requested currency, if necessary, and provides the
customer with a printed receipt as a record of the transaction. The method of authentication is
simple and does not take much time. It is relatively cheap since no extra device is installed and
four (4) digit PIN can easily be remembered.

3.4.2 Performance Indicators for the Proposed System

The system provides strong security with the use of biometrics and the incorporation of an
alphanumeric keypad; the password becomes very difficult, if not impossible, to be guessed correctly
by fraudsters.
ATM card theft will be reduced since a person’s biometric, which is not
transferable, is required before a successful authentication process.
Customers’ confidence will be restored in the use of ATMs to meet their banking needs.
Many customers will be attracted to use ATMs for their banking transactions.
With the use of OTP the problem of replay attack is completely eliminated.

3.5 Data Presentation and System Analysis

The four activities performed in the analysis of the proposed system include the following:
Modeling the functions of the system.
Finding and identifying the business objects.
Organizing the objects and identifying their relationships.
Modeling the behavior of the objects.

3.5.1 Modeling the functions of the system


The approach that is commonly used to model the functional aspects of a system is called use
case modeling.
Use case modeling: This is the process of modeling a system’s functions in terms of business
events, who initiated the events, and how the system responds to the events.
Use case: Use case is a behaviorally related sequence of steps (a scenario), both automated and
manual, for the purpose of completing a single business task. Use cases are initiated or triggered
by external users or systems called actors.
Actor: An actor represents anything that needs to interact with the system to exchange
information. An actor is a user, a role, which could be an external system as well as a person.
Use cases provide the following benefits:
a basis to help identify objects and their high-level relationships and responsibilities,
a view of system behavior from an external person’s viewpoint,
an effective tool for validating requirements,
an effective communication tool,
a basis for a test plan,
a basis for a user’s manual.
Steps involved in use case modeling:
Identify actors and use cases: The actors in this system are the bank customers and bank
personnel. The use cases associated with the bank customers are authentication (session),
transaction (which include withdrawal, fund transfer, change PIN and balance inquiry). Use
cases associated with the bank personnel are authentication, open account, issuance of ATM
card, enroll fingerprint, and refill ATM with cash.
Construct a use case model – a diagram used to graphically depict the system scope and
boundaries, which represents the relationships between the actors and use cases defined for each
business subsystem. The use case diagram of the proposed system is shown in Figure 3.2
[Use case diagram. Actors: Customer, Bank Personnel, Bank Admin. Use cases: Authentication (using password, using fingerprint, using OTP), Authorization, Transaction (Withdrawal, Fund Transfer, Change PIN, Inquiry), Operations, Open Account, Issue Card, Enroll fingerprint, Modify account, Refill ATM. Relationships shown: <<include>> and <<extend>>.]

Figure 3.2 Use case diagram of the proposed system


Document the use case course of events – only general information about the business event
(typical and alternative courses), which is called requirements use case.
The usage of ATMs begins with the opening of an account with a bank. If the customer wishes to
utilize the services of the ATM, he indicates this at the point of account opening; the customer can as
well come at a later date to fill a form for the use of the ATM. The bank personnel are responsible
for account opening and issuance of ATM cards. Switching the ATM system on and off and
refilling the ATM with cash are also carried out by the bank personnel. With the ATM card in the
customer’s possession, the customer can perform different banking transactions after changing the
initial PIN to a more secure password of choice.
Define the analysis use cases – more information regarding each use case, which specifies the
systems functionality in detail (but without implementation details). The proposed system
consists of the following use cases:

i) Authentication use case: This use case validates the identity of the users (actors) of the
system (bank personnel and customers) to ensure that unauthorized users are not granted
access to the system.

ii) Open account use case: The open account use case allows bank personnel to perform
account opening activity.
iii) Enroll fingerprint use case: This is part of the activities performed during account
opening. It provides the platform for the fingerprint templates of customers to be stored
in the bank database for subsequent use during authentication.
iv) Issue card use case: This use case allows the bank personnel to issue ATM cards to
customers.
v) Transaction use case: The transaction use case allows a customer to select transaction of
choice from options provided after a successful user authentication. These transaction
types include:
Withdrawal transaction: for making withdrawal
Change Password transaction: for change of password
Inquiry transaction: for making inquiry on balance
Fund transfer transaction: for transferring of fund from one account to another.

3.5.2 Finding and Identifying the Business Objects

Steps involved in identifying and finding business objects for object modeling:
Find the potential objects – the best way is to review each use case to find nouns that
correspond to business entities or events,
Select the proposed objects – the list of all potential business objects must be cleaned up by
removing: synonyms, nouns outside the scope of system, nouns that are roles without unique
behavior or are external roles, unclear nouns that need focus and nouns that are really actions or
attributes.
The proposed system is an improvement on the existing card-based and PIN based ATM system.
The objects of the system were identified and represented using the object model diagram shown
in Figure 3.3.

Figure 3.3: Object Model of the proposed ATM system


3.5.3 Organizing the Objects and Identifying their Relationships
A class diagram is used to graphically depict the identified objects and their associations and
relationships. On this diagram we also include multiplicity, associations, generalization/
specialization relationships and aggregation relationships.
Steps in constructing class diagram:
Identify associations and multiplicity – an association between two objects/classes is what one
object/class “needs to know” about the other; to help ensure that all possible relationships are
identified we can create an object/class matrix,
Identify generalization/specialization relationships – we should look for all one-to-one
multiplicity relationships between objects because they may be generalization/specialization
relationships as well as for objects that have common attributes and behaviors.
Identify aggregation relationships – we must remember that aggregation relationships do not
imply inheritance (the object, which is the part of another object does not inherit behavior or
attributes from the whole object), but they propagate behavior (behavior applied to the whole is
automatically applied to the parts),
Prepare the class diagram.
The class diagram of the proposed system is depicted in Figure 4.16. The solid line that connects
two classes represents an association, that is, a relationship between the classes. The numbers
near each end of the line are multiplicity values, which indicate how many objects of each class
participate in the association. The solid diamond attached to the association line of class ATM
indicates that class ATM has a composition relationship with class screen, keypad, cash
dispenser and fingerprint scanner. Composition implies a whole/part relationship. The class that
has the composition symbol (the solid diamond) on its end of the association line is the whole (in
this case, ATM), and the classes on the other end of the association line are the part – in this
case, class screen, keypad, cash dispenser and fingerprint scanner.
3.5.4 Modeling the Behavior of the Objects
Every object has a state, which is the value of its attributes at one point in time. An object changes
state when something happens or when the value of one of its attributes changes. This change in
state is triggered by an event.
A state diagram models the life cycle of a single object. It depicts the different states an object
can have, the events that cause the object to change state over time and the rules that govern the
object’s transition between states. State diagrams are not required for all objects. Typically a
state diagram is constructed only for those objects that clearly have identifiable states and
complex behavior.
The proposed system uses three different layers of security protocols to validate ATM users’
identity to foster improved security in order to eliminate the problem of identity theft inherent in
the existing ATM system. The three authentication mechanisms in use are:

Password
Biometric (fingerprint) and
OTP

The system incorporates alphanumeric keypad (see Figure 3.4) and a fingerprint scanner to the
existing ATM.
The system consists of a card reader, keypad, cash dispenser, screen, fingerprint scanner, and bank
database. When the system is idle, a greeting message is displayed, and the keys on the keypad will
remain inactive until a bank card has been inserted. To perform a transaction, a customer is
expected to undergo a registration process in order to obtain an ATM card. During the
registration process, the customer’s personal details are taken, including the mobile phone number
to which the OTP will be sent. Fingerprint enrollment of customers is also carried
out during registration and stored in the bank database server together with other personal
details. The system proposes a character password and OTP of more than four (4) characters; for
the purpose of demonstration, a six (6) character password and an eight (8) digit OTP were used.
At the ATM, the customer inserts an ATM Card into the card reader slot, after card validation,
the system prompts the customer to supply his/her password which is shown on the display
(screen). This is the first level of authentication; the customer uses the keypad to input six (6)
alphanumeric characters as password. This is one of the distinguishing features of the proposed
system. The system validates the password by comparing it with the one encoded on the card, if
there is a match, the user proceeds to the second level of authentication which is the use of
biometric (fingerprint). The customer provides his/her fingerprint template using the fingerprint
scanner. The system compares the fingerprint template with the one encoded on the card, if there
is a match the user is provided with the final stage of authentication, which is the use of OTP.
The user is required to enter eight (8) characters generated by the system and sent to his/her
mobile phone. If the OTP is correct and entered within the specified time limit, the customer is
authenticated and granted access to perform the transaction of choice which could be
withdrawal, change of password, Balance Inquiry or Transfer of Fund. The transaction goes
through a network to connect to customers’ accounts in the bank’s database. The cash dispenser
provides cash to the customer in the case of withdrawal transaction, if the customer wishes to
perform no other transaction, a transaction receipt is printed and card ejected. The behavior of
the objects and their states at any given time as described above is represented using the state
chart diagram of Figure 3.5.
3.6 System Design

The design objective is to design an ATM system with three layers of authentication which is
interfaced with a fingerprint scanner for biometric authentication, and a system that is capable of
generating a token as a one-time password. The system design will also introduce alphabetic and
special characters to the existing numeric keypad of an ATM system. The design will depict the
different objects of the system and how they interact with external entities. The design is aimed
at providing robust security on the existing card-based ATM system by eliminating the problem
of identity theft through the introduction of a password as a substitute for the PIN, and the use of
fingerprint and OTP for second- and third-tier authentication respectively. The Main menu
presents the primary list of the system components from which subsystems evolve. As the
proposed system is a complex one, there is a need to break the system into a main menu and
submenus for easy manageability (see Figure 3.6).
3.6.1 Sub Menu/ Sub System
3.6.2 Activity Diagram
The activity diagram of the new system shows the steps involved in designing the program
intended to derive the proposed three-tier authentication model for ATM. The activity diagram
of Figure 3.8 shows how the new system will perform user authentication. The system starts by
validating the user’s card. If this process is successful, a welcome message is displayed on the
screen and the user is prompted to supply a password, which in this case is a 6-character password. If
the correct password is entered the user progresses to fingerprint authentication; otherwise a
message asking the user to input the correct password is displayed, and if the user fails to enter
the correct password after three attempts the authentication process will be terminated and the
user’s card ejected.
The user’s fingerprint template captured during fingerprint authentication is compared with what
is available on the storage device, if there is a match, the user progresses to the final
stage of authentication which is the use of OTP else a repeat of fingerprint capture is carried out
twice more, if the process is unsuccessful the authentication process is terminated even if the
first level of authentication was successful. This invariably means that the three authentication
levels must be in the affirmative before access is granted otherwise access is denied should any
level turn out to be unsuccessful. At the final stage of authentication, the user will supply an OTP
sent to his/her mobile phone by the system, if the OTP entered is correct the user is granted
access to select transaction of choice. The system processes the transaction selected and
terminates if no other transaction is selected by the user.
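The flow described above can be held in an explicit state machine, so that a later tier is never reachable without the earlier ones and each tier has its own three attempts. This is an added example, not part of the project's source code; `AuthSession`, `AuthState` and the injected verifier functions are hypothetical names, and the verifiers in `Main` are constructed stand-ins.

```vbnet
Imports System

' Added example: type and member names are hypothetical.
Public Enum AuthState
    AwaitingPassword
    AwaitingFingerprint
    AwaitingOtp
    Authenticated
    Terminated          ' authentication ended; no further input is accepted
End Enum

Public Class AuthSession
    Private Const MaxAttemptsPerTier As Integer = 3
    Private attemptsLeft As Integer = MaxAttemptsPerTier
    Private current As AuthState = AuthState.AwaitingPassword

    ' The three verifiers are injected, so the flow runs without a database,
    ' fingerprint scanner or SMS gateway.
    Private ReadOnly verifyPassword As Func(Of String, Boolean)
    Private ReadOnly verifyFingerprint As Func(Of Byte(), Boolean)
    Private ReadOnly verifyOtp As Func(Of String, Boolean)

    Public Sub New(password As Func(Of String, Boolean),
                   fingerprint As Func(Of Byte(), Boolean),
                   otp As Func(Of String, Boolean))
        verifyPassword = password
        verifyFingerprint = fingerprint
        verifyOtp = otp
    End Sub

    Public ReadOnly Property State As AuthState
        Get
            Return current
        End Get
    End Property

    Public Function SubmitPassword(value As String) As AuthState
        Return Advance(AuthState.AwaitingPassword, Function() verifyPassword(value), AuthState.AwaitingFingerprint)
    End Function

    Public Function SubmitFingerprint(template As Byte()) As AuthState
        Return Advance(AuthState.AwaitingFingerprint, Function() verifyFingerprint(template), AuthState.AwaitingOtp)
    End Function

    Public Function SubmitOtp(value As String) As AuthState
        Return Advance(AuthState.AwaitingOtp, Function() verifyOtp(value), AuthState.Authenticated)
    End Function

    Private Function Advance(expected As AuthState, check As Func(Of Boolean), nextState As AuthState) As AuthState
        ' Input for any tier other than the current one ends the session, so a later
        ' tier cannot be reached by skipping an earlier one.
        If current <> expected Then
            current = AuthState.Terminated
            Return current
        End If
        Dim ok As Boolean
        Try
            ok = check()
        Catch ex As Exception
            ok = False          ' a verifier that throws counts as a failed attempt
        End Try
        If ok Then
            current = nextState
            attemptsLeft = MaxAttemptsPerTier      ' each tier gets its own three attempts
        Else
            attemptsLeft -= 1
            If attemptsLeft = 0 Then current = AuthState.Terminated
        End If
        Return current
    End Function
End Class

Module Demo
    ' Constructed stand-ins for the password, fingerprint and OTP modules.
    Private Function NewSession() As AuthSession
        Return New AuthSession(Function(p) p = "aB3$xy",
                               Function(t) t IsNot Nothing AndAlso t.Length = 4,
                               Function(c) c = "48291375")
    End Function

    Sub Main()
        Dim s As AuthSession = NewSession()
        Console.WriteLine(s.SubmitPassword("wrong1").ToString())                     ' one failed attempt
        Console.WriteLine(s.SubmitPassword("aB3$xy").ToString())                     ' tier 1 passed
        Console.WriteLine(s.SubmitFingerprint(New Byte() {1, 2, 3, 4}).ToString())   ' tier 2 passed
        Console.WriteLine(s.SubmitOtp("48291375").ToString())                        ' tier 3 passed

        s = NewSession()
        Console.WriteLine(s.SubmitOtp("48291375").ToString())    ' OTP offered before tiers 1 and 2

        s = NewSession()
        s.SubmitPassword("aB3$xy")
        For i As Integer = 1 To 3                                 ' three mismatching captures
            Console.WriteLine(s.SubmitFingerprint(New Byte() {9}).ToString())
        Next
    End Sub
End Module
```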

3.6.3 Database Development Tool


The database development tool used in the study is Microsoft (Ms) SQL Server. Ms SQL Server
is a relational database management system developed by Microsoft. As a database server, it is a
software product with the primary function of storing and retrieving data as requested by other
software applications which may run either on the same computer or on another computer across
a network. The architecture of Microsoft SQL server is broadly divided into three components:
SQLOS that implements basic services required by SQL server, including thread scheduling,
memory management and I/O management; the Database Engine, which implements the
relational database components including support for databases, tables, queries and stored
procedure as well as implements the type system; and the protocol layer that exposes the SQL
server functionality. All operations that can be invoked on SQL server are communicated to it
via a Microsoft-defined format called Tabular Data Stream (TDS).

3.6.4 Database Design and Structure


Database design is the process of producing a detailed data model of a database. It involves the
overall process of designing, not just the database structure, but also the forms and queries used
as part of the overall database application within the database management system.
In an attempt to design the database of the proposed system, the following tasks were performed:
The data to be stored in the database were determined and organized in tables.
Primary keys and foreign keys were specified.
The relationships between the different data elements were created.
A logical structure of the relationships between the data elements was mapped out.

Relationships among tables were created because a database consisting of independent and
unrelated tables serves little purpose; this can lead to data redundancy and update inconsistency.
The database used by the proposed ATM system consists of the following tables:

Admin login table
Account info table
Account login table
OTP table
Transfer fund table
Account Balance table
Transaction details table

Table 3.1 Admin Login Table

Column Name          Data Type         Allow Null
ID                   Numeric (18,0)
Username             Varchar (50)
Password             Varchar (50)

Table 3.1 specifies the login credentials of a bank personnel who is responsible for account
opening.
Table 3.2 Account Login Table

Column Name          Data Type         Allow Null
ID                   Numeric (18,0)
Account No           Varchar (50)
Account Password     Varchar (50)

Table 3.2 contains the credentials of an ATM user needed for first-tier authentication.
Table 3.3 Account Information Table

Column Name          Data Type         Allow Null
ID                   Numeric (18,0)
Account No           Varchar (50)
Account Name         Varchar (50)
Gender               Varchar (50)
Date of Birth        Datetime
Email                Varchar (50)
Phone No             Varchar (50)
Contact Address      Varchar (max)
Account Type         Varchar (50)
Password             Varchar (50)
Fingerprint          Bit
Date created         Datetime

Table 3.3 contains information about customers who were issued ATM cards.
Table 3.4 OTP Table

Column Name          Data Type         Allow Null
ID                   Numeric (18,0)
Account No           Varchar (50)
Token                Varchar (50)
Date-Generated       Datetime
Expired time         Datetime

Table 3.4 specifies the OTP generated by the system.
Table 3.5 Transfer Table

Column Name              Data Type         Allow Null
Transaction ID           Numeric (18,0)
Sender’s Account No      Varchar (50)
Receiver’s Account No    Varchar (50)
Amount                   Numeric (18,2)
Date Transferred         Datetime

Table 3.5 contains information about electronic fund transfers made by an ATM user.

Table 3.6 Account Balance Table

Column Name          Data Type         Allow Null
ID                   Numeric (18,0)
Account No           Varchar (50)
Balance              Numeric (18,2)

Table 3.6 contains information about the deposits made by ATM users and the corresponding
balance after withdrawal has been made.
Table 3.7 Transaction Details Table

Column Name            Data Type         Allow Null
ID                     Numeric (18,0)
Account No             Varchar (50)
Transaction Type       Varchar (50)
Amount                 Numeric (18,2)
Date of Transaction    Datetime

Table 3.7 contains details of ATM transactions made by customers on a daily basis.

3.6.4 UML Diagrams of the New System


3.6.4.1 Sequence Diagram
A sequence diagram shows objects as lifelines running down the page and with their interactions
over time represented as messages drawn as arrows from the source lifeline to the target lifeline.
Sequence diagrams are good at showing which objects communicate with which other objects
and what messages trigger those communications. See Figure 3.6.4.
3.6.4 Algorithm
Insert ATM card
count = 1
DO WHILE count <= 3
    PRINT ‘Enter Account number’
    PRINT ‘Enter Password’
    IF Password = ‘Password’ AND Account number = ‘Account number’ THEN
        PRINT ‘Capture fingerprint’
        IF fingerprint = ‘fingerprinttemplate’ THEN
            PRINT ‘Enter OTP’
            IF OTP = ‘OTP passcode’ THEN GOTO 50
        ENDIF
    ENDIF
    count = count + 1
LOOP
Eject card
STOP
50 PRINT ‘Select Option’
REPEAT
    PRINT ‘1. Make withdrawal’
    PRINT ‘2. Make inquiry’
    PRINT ‘3. Change password’
    PRINT ‘4. Transfer fund’
    PRINT ‘5. Quit’
    IF Option = 1 THEN
        PRINT ‘Enter amount to withdraw’
        IF amount <= Balance THEN Balance = Balance – amount
    ELSEIF Option = 2 THEN
        PRINT ‘Your Balance = ’, Balance
    ELSEIF Option = 3 THEN
        PRINT ‘Enter new Password’
        PRINT ‘Confirm Password’
        IF Newpassword = Confirmpassword THEN PRINT ‘Password change successful’
    ELSEIF Option = 4 THEN
        PRINT ‘Enter receiver’s account number’
        PRINT ‘Enter Amount’
    ENDIF
UNTIL Option = 5
STOP
CHAPTER FOUR

IMPLEMENTATION

4.1 Program Module Specification


This specifies the modules which contain codes and data that will be used to implement the
functionalities of the new system. The program modules are as follow:

Administrative login: This module is for administrative login. It handles the authentication
process of the bank personnel responsible for account opening and issuance of ATM cards.
Password authentication: This module handles the first-tier authentication process of a
customer or an ATM user.
Change password: With this module a user is allowed to change his/her password.
OTP: This module handles the third-tier authentication process, where the user is prompted to
provide a token generated by the system.
Transaction selection: This module allows a user to select a transaction of choice (withdrawal,
inquiry, change of password, and fund transfer).
New Account Registration Module: This module is used for registration of an ATM user.
Biometric authentication: This module handles the second layer of authentication, in which
an ATM user provides his/her fingerprint template.
Fund Transfer: With this module a user is allowed to transfer funds to another customer’s
account.
Withdrawal: This module handles cash withdrawal transactions.
Inquiry: This module allows a customer to check his/her account balance.
4.2 Input/output Format/Specification
Input Specification
The input format specifies the type of input to be supplied by the user. The system uses
textboxes to accept inputs from users and the inputs are entered via the keypad and fingerprint
scanner. The following input formats are available:

Admin Login form


The bank personnel responsible for issuance of ATM cards accesses the system by
providing input parameters for authentication through the interface shown in Figure 3.5.

Figure 4.1. Admin Login Form

The form above is the administrator login form. For the admin to have access to
the site, he/she must provide the correct username and password. The username is admin in
capital letters, and the password is also admin in capital letters. Behind it is a registration
page managed by the bank representative for ATM registration and fingerprint enrollment. The bank
representative must be authenticated before access is granted.

New Account Registration Form


This form is used to register new ATM users and information about their account details are
entered via the form. See Figure 4.2

Figure 4.2 New account registration form

The above is the new account registration form. After a successful login, the Admin uses the
form to register new ATM users and enter information about their account details. The
customer has to provide his/her full names, date of birth, active phone number, gender,
email address, an alternate phone number if there is any, and contact address. After that, the
Admin proceeds to the type of account, whether it is a savings account or a current account. The
customer then enters a password of his/her choice that he/she can remember. The
password must be four digits, letters or characters, or a combination. As the final step, the
Admin uses the fingerprint machine to capture the biometric of the customer, using a finger that
he/she can remember. Finally, the Admin submits the form. The information gathered on this form
is stored on the bank database server.
User Authentication form
This provides an interface for an ATM user to supply input for first level of authentication. This
is shown in Figure 4.9.

Figure 4.3 User authentication input form


The above is the first-tier authentication. When the machine is idle, a greeting message is
displayed, and the keys on the keypad remain inactive until a bank card has been entered. When
a bank card is inserted, the card reader attempts to read it. If the card cannot be read, the
user is informed that the card is unreadable, and the card is ejected. If the card is readable,
the card reader reads the account number and PIN off the card and asks the user to enter his/her
password. The user is given feedback (in the form of asterisks, not the specific characters
entered) as to the number of characters entered at the alphanumeric keypad. The password entered
by the user is compared to the password on the ATM card. This is the first-tier authentication;
if the password is entered correctly, the user is prompted with the second-tier authentication.
Biometric Authentication Form
The interface represented in Figure 4.4 is used to capture the user’s fingerprint template for
biometric authentication

Figure 4.4 Fingerprint authentication form

The above is the second-tier authentication. At the second tier, the user uses the fingerprint
reader to capture one of his/her fingers. The fingerprint template captured is compared to the
one encoded on the card. If there is a match, the system generates an OTP and sends it to the
user’s mobile phone.
OTP Authentication Form
This generates OTP and prompts the user to enter the OTP on the textbox provided. The OTP
authentication is depicted in Figure 4.11.

Figure 4.5 OTP Authentication Form


The above is the user’s final authentication tier. The user is asked to enter the OTP in a
textbox provided on the display screen. The OTP has a time limit: it expires if not entered
within the space of two minutes. If the OTP is entered correctly, the authentication process is
completed and access is granted to the main menu. Otherwise, the user is given up to two
additional chances at each tier of authentication to provide the correct parameters (password,
fingerprint template or OTP). Failure to do so on the third try causes the system to keep the
user’s card.
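The OTP rules stated above (a code that expires after two minutes, three tries in total, then the card is kept) can be enforced together with single use and a cryptographically secure generator. This is an added example, not part of the project's source code; `OtpManager` and `OtpResult` are hypothetical names, an in-memory dictionary stands in for the OTP table, the code is assumed to be 8 decimal digits, and the clock values and account number in `Main` are constructed.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography
Imports System.Text
' Added example: every type and member name here is hypothetical.
Public Enum OtpResult
    Accepted
    Rejected        ' wrong code, attempts remain
    Expired
    LockedOut       ' third wrong code; the flow above keeps the card at this point
    NoneIssued      ' also the answer to a replayed code
End Enum
Public Class OtpManager
    Private Const Modulus As UInteger = 100000000UI      ' 8 decimal digits
    Private Const MaxAttempts As Integer = 3
    Private Shared ReadOnly Lifetime As TimeSpan = TimeSpan.FromMinutes(2)

    Private Class Entry
        Public MacKey As Byte()       ' random key, fresh for every token
        Public Mac As Byte()          ' HMAC-SHA256(MacKey, code); the code itself is not kept
        Public ExpiresAt As DateTime
        Public AttemptsLeft As Integer
    End Class
    Private ReadOnly entries As New Dictionary(Of String, Entry)

    Private Shared Function RandomBytes(count As Integer) As Byte()
        Dim buf(count - 1) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(buf)
        End Using
        Return buf
    End Function

    ' Uniform 8-digit code from the OS CSPRNG; rejection sampling removes modulo bias.
    Private Shared Function NewCode() As String
        Dim limit As UInteger = UInteger.MaxValue - (UInteger.MaxValue Mod Modulus)
        Do
            Dim n As UInteger = BitConverter.ToUInt32(RandomBytes(4), 0)
            If n < limit Then Return (n Mod Modulus).ToString("D8")
        Loop
    End Function

    Private Shared Function ComputeMac(macKey As Byte(), code As String) As Byte()
        Using h As New HMACSHA256(macKey)
            Return h.ComputeHash(Encoding.UTF8.GetBytes(If(code, "")))
        End Using
    End Function

    ' Constant-time comparison: the running time does not depend on where the bytes differ.
    Private Shared Function FixedTimeEquals(a As Byte(), b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    ' Issues a code, replacing any earlier one for the account, and returns it for delivery.
    Public Function Issue(accountNo As String, currentTime As DateTime) As String
        Dim code As String = NewCode()
        Dim k As Byte() = RandomBytes(32)
        entries(accountNo) = New Entry With {.MacKey = k, .Mac = ComputeMac(k, code),
            .ExpiresAt = currentTime.Add(Lifetime), .AttemptsLeft = MaxAttempts}
        Return code
    End Function

    Public Function Verify(accountNo As String, code As String, currentTime As DateTime) As OtpResult
        Dim e As Entry = Nothing
        If Not entries.TryGetValue(accountNo, e) Then Return OtpResult.NoneIssued
        If currentTime > e.ExpiresAt Then
            entries.Remove(accountNo)
            Return OtpResult.Expired
        End If
        If FixedTimeEquals(e.Mac, ComputeMac(e.MacKey, code)) Then
            entries.Remove(accountNo)         ' single use
            Return OtpResult.Accepted
        End If
        e.AttemptsLeft -= 1
        If e.AttemptsLeft > 0 Then Return OtpResult.Rejected
        entries.Remove(accountNo)
        Return OtpResult.LockedOut
    End Function
End Class

Module Demo
    Sub Main()
        Dim otp As New OtpManager()
        Dim t0 As New DateTime(2024, 1, 1, 9, 0, 0)       ' constructed clock value
        Dim acct As String = "0000000001"                 ' constructed account number
        Dim code As String = otp.Issue(acct, t0)
        Console.WriteLine(otp.Verify(acct, "not-the-code", t0.AddSeconds(10)).ToString())  ' wrong code
        Console.WriteLine(otp.Verify(acct, code, t0.AddSeconds(20)).ToString())            ' right code in time
        Console.WriteLine(otp.Verify(acct, code, t0.AddSeconds(30)).ToString())            ' same code replayed
        code = otp.Issue(acct, t0)
        Console.WriteLine(otp.Verify(acct, code, t0.AddMinutes(3)).ToString())             ' right code, too late
    End Sub
End Module
```

Hashing an 8-digit code does not make it hard to guess offline; it only keeps the live code out of the table, so the expiry and attempt limits remain the controls that matter.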
Transaction Form
The below is a transaction form. It is used by the customer to select a transaction of choice after
a successful authentication process. See Figure 4.6.

Figure 4.6 ATM Transaction form

4.1.1 Output Format/Specification


The output format specifies the type of output provided to the user by the system. The system
uses label and button to communicate back to the user.

Check Balance Form


This presents result of inquiry made by the ATM user. The Check Balance form is shown in
Figure 4.7.
The form above is the check balance form, which displays the result of an inquiry made by the
ATM user to check the account balance.

Invalid Account/Password Form


The Invalid Account/Password form is shown in Figure 4.15.

The feedback above is displayed when an ATM user enters an invalid account number
or password.
Incorrect OTP form
This presents feedback to the user when an incorrect OTP is entered. See Figure 4.9.

An ATM user receives the above feedback when the wrong OTP is entered.

Fingerprint Mismatch form


This displays message when there is fingerprint mismatch. The Fingerprint mismatch form is
shown in Figure 4.10.

When an ATM user has forgotten the particular finger that was captured during ATM card
enrolment and places the wrong finger on the scanner, the system returns the fingerprint
mismatch form above.
4.3 System Requirement
The proposed ATM system consists of a card reader, a display screen, a cash dispenser slot, an
alphanumeric keypad, a receipt printer and a fingerprint reader, and the user must be in
possession of a mobile phone for the receipt of OTP. When the machine is idle, a greeting message
is displayed, and the keys on the keypad remain inactive until a bank card has been entered. When
a bank card is inserted, the card reader attempts to read it. If the card cannot be read, the
user is informed that the card is unreadable, and the card is ejected. If the card is readable,
the card reader reads the account number and PIN off the card and asks the user to enter his/her
password. The user is given feedback (in the form of asterisks, not the specific characters
entered) as to the number of characters entered at the alphanumeric keypad. The password entered
by the user is compared to the password on the ATM card. This is the first-tier authentication;
if the password is entered correctly, the user is prompted with the second-tier authentication.
At the second tier, the user uses the fingerprint reader to capture one of his/her fingers. The
fingerprint template captured is compared to the one encoded on the card. If there is a match,
the system generates an OTP and sends it to the user’s mobile phone. The user is asked to enter
the OTP in a textbox provided on the display screen. The OTP has a time limit: it expires if not
entered within the space of two minutes. If the OTP is entered correctly, the
authentication process is completed and access is granted to the main menu (described below).
Otherwise, the user is given up to two additional chances at each tier of authentication to provide
the correct parameters (password, fingerprint template or OTP). Failure to do so on the third try
causes the system to keep the user’s card.
However, because the proposed system is being simulated using a personal computer(PC), the
insertion of ATM card into the card reader slot is replaced with the input of account number by
the user. All storage is done on the PC’s hard drive instead of an ATM card and a database
server. The user interface of the proposed ATM system contains the following:
A registration page which is managed by the bank representative for ATM registration
and fingerprint enrollment. The bank representative must be authenticated before access is
granted. The information gathered on this form is stored on the bank database server.
The login page which prompts the user to enter account number and password of 10 and
6 characters respectively for first-level of authentication.
The biometric page which allows the user’s fingerprint to be captured
The OTP page which prompts the user to enter an OTP of 8 characters within a specified limit.

After a successful authentication, the user is granted access to the main menu which
contains a list of the transactions that can be performed. These transactions are as follow:

Withdraw fund from an account
Transfer fund from one account to another
Check the balance of an account
Change password

The user can select a transaction and specify all relevant information. When a transaction
has been completed, the system returns to the home page. It is worthy of note that before a
transaction is processed, all parameters (except OTP) used for authentication are verified again
against the parameters stored on the database, this is done to ensure that a robust security is
provided by the system.
At any time after reaching the main menu and before finishing a transaction, the user may
press/click the cancel key. The transaction being specified is cancelled, the user’s card is ejected
and the system once again becomes idle.
If a withdrawal transaction is selected, the user is asked to specify the amount to be withdrawn.
If the account contains sufficient fund, the funds are given to the user through the cash dispenser.
In the case of balance inquiry, the user is asked to specify the account whose balance is
requested, the balance is displayed on the screen.
In fund transfer transaction, the user is asked to specify the account and bank in which the fund
is to be transferred to and the amount to transfer. For change of password transaction, the user
specifies the old password, the new password and confirms the new one for change to be
effected. Software architecture of the new system is depicted in Figure 4.19.

4.4. Implementation and Testing

Implementation is the stage where the theoretical design is turned into a working system.
It is the most crucial stage in achieving a successful new system and in giving users confidence
that the automated system will work efficiently.
The system can be implemented only after thorough testing is done and it is found to
work according to the specification.
Implementation involves careful planning, investigation of the current system and its
constraints on implementation, design of methods to achieve the changeover, and an evaluation of
changeover methods. Apart from planning, two major tasks of preparing the implementation are
education and training of the users and testing of the system.
The implementation phase comprises several activities. The required hardware and
software acquisition is carried out. The system may require some software to be developed. For
this, programs are written and tested. The user then changes over to the new, fully tested system
and the old system is discontinued.
The testing phase is an important part of software development. It is a process of finding errors
and missing operations, and also a complete verification to determine whether the objectives are
met and the user requirements are satisfied.
Software testing is carried out in three steps:
1. The first is unit testing, in which each module is tested to prove its correctness and
validity, to determine any missing operations and to verify whether the objectives have
been met. Errors are noted down and corrected immediately. Unit testing is the important and
major part of the project, because errors are rectified easily within a particular module and
program clarity is increased. In this project the entire system is divided into several modules
that are developed individually, so unit testing is conducted on individual modules.
2. The second step is integration testing. Software whose modules show perfect results when
run individually will not necessarily show perfect results when run as a whole. The individual
modules are therefore combined under the major module, tested again, and the results verified.
Failures at this stage are due to poor interfacing, which may result in data being lost across an
interface. A module can also have an inadvertent, adverse effect on another module or on the
global data structures, causing serious problems.
3. The final step is validation testing, which determines whether the software
functions as the user expected. Here also some modifications were made in the completion of the
project.
CHAPTER FIVE
SUMMARY RECOMMENDATION AND CONCLUSION

5.1 Summary of Findings


The incessant fraud at ATMs, which has resulted in illegal withdrawal of cash from
customers’ accounts, necessitated this study. This research focused on the authentication process
of an ATM by proposing a three-tier authentication model. The proposed system introduces three
different layers of authentication. The first is the use of a 6-character password which consists
of numbers, alphabets and special characters. The second tier uses fingerprint to authenticate
users. Prior to authentication, the customer’s fingerprint template is enrolled and stored in the
database. This pre-enrolled fingerprint is matched with the live fingerprint template captured at
the point of authentication. The third authentication mechanism is the use of an OTP which is
generated by the system and sent to the customer’s mobile phone. The three authentication
methods must be in the affirmative before access is granted to the customer to perform
transactions of choice. The ATM keypad was modified to add alphabet keys and
special character keys to the existing numeric keys for password authentication.
Hence, with the modification of the ATM keypad and the inclusion of a fingerprint scanner as a
component of the new system, the form factor of an ATM system is changed. The system was
developed to run on the Windows operating system with the .NET Framework. The programming
language used to write the code is Visual Basic .NET. Microsoft SQL Server was used to create
the database.
5.2 Conclusion
The problem of identity theft, unauthorized access to customers’ account details and
illegal withdrawal of cash from the ATM will be completely eliminated with the adoption of the
proposed three-tier authentication model as the current use of PIN for ATM user’s verification
and identification is marred with some level of insecurity. This three-tier authentication model
uses password, biometric and OTP to verify the validity of user’s identity at three different layers
of authentication. These three authentication mechanisms must be in the affirmative before
access is granted to the user. The adoption of the new system by financial institutions will
strengthen the security of ATM systems and restore the confidence of customers. The study will
no doubt foist a sense of futility on would-be perpetrators which discourages ATM fraud. Bank
customers are reassured that their account details and cash cannot be tampered with, hence,
better service delivery which will attract many customers to use ATM.
REFERENCE
Christopher R & Syed Z.S (2013). A Review on Authentication Method: Australian. From
https://hal.archives-ouvertes.fr/hal-00912435.

Coventry, A.A & Johnson, J (2003). Usability and Biometric Verification at the ATM Interface.

Chris, E.M (2014). ATM Machine Security. From http://www.crimedoctor.com/business.htm.

Dondo, J.A.M, George, O. & Micheal, K. (2017). A Fingerprint & Pin Authentication to
Enhance Security At The Authentication Teller Machines. From https://www.ijer.org
>researchpaper.

Giot R. M. & El-Abed (2011). Rosenberger. Keystroke dynamics overview in Biometrics.
Rosenberger. From http://www.intechopen.com/articles/show/title/keystroke-Dynamics-overview.

Ibiyemi, T.S & Obaje, S.E (2012). Development of Iris and Fingerprint Biometric Authenticated
Smart ATM Device & Card. http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf.

Jane, N.O (2014). Three-Factor Authentication for Automated Teller Machine System:
Umuahia, Nigeria. From http://en.wikipedia.org/wiki/Authentication.

Lasisi Ma, A.R.A & Abubakar, S.J (2014). An Empirical Study of Automated Teller Machine
(ATM) And User Satisfaction in Nigeria. United Kingdom. European Centre for Research
Training And Development. From www.eajournals.org

Olabode, J.A (2011). Automated Teller Machine (atm) frauds in Nigeria. From
http://www.cse.msu.edu/~cse891/Sec601/textbook/18.pdf

Olatunji, K.A etal & Afolu, C.A (2016). Design and Implementation of a Multifactor
Authentication System in ATM Security
APPENDIX A
PROGRAM SOURCE CODES

Imports Neurotec.Biometrics
Imports System.Data.SqlClient
Module Functions
    Public LoggedOnUserAccountNumber As String
    Public Engine As Nffv

    Public Sub InitializeFingerPrint()
        ' Open (or create) the fingerprint template database used by the Nffv engine.
        Try
            Engine = New Nffv("ATM_Fingerprint.db", "")
        Catch ex As Exception
            MessageBox.Show("Failed to initialize Nffv or create/load database." +
                Environment.NewLine +
                "Please check if:" + Environment.NewLine + " - Provided password is correct;" +
                Environment.NewLine + " - Database filename is correct;" + Environment.NewLine +
                " - Scanners are used properly." + Environment.NewLine, "Inmates Recovery System",
                MessageBoxButtons.OK, MessageBoxIcon.Error)
            Return
        End Try

        ' Load the fingerprint ids referenced by the account table.
        Dim db As New dbcodes
        db.ConnectDatabase()
        Dim cmd As New SqlCommand
        cmd.Connection = db.cn
        cmd.CommandText = "Select * from tblAccountInfo"
        Dim da As New SqlDataAdapter(cmd)
        Dim ds As New DataSet
        da.Fill(ds, "kk")

        Dim cnt As Integer = ds.Tables(0).Rows.Count - 1
        Dim ids As New List(Of Integer)
        For i As Integer = 0 To cnt
            Dim FingerPrintValue As Integer = ds.Tables(0).Rows(i).Item("FingerPrint")
            ids.Add(FingerPrintValue)
        Next

        ' Collect engine users that no account row refers to, then remove them.
        Dim nffvs As New List(Of Integer)
        For Each user As NffvUser In Engine.Users
            If Not ids.Contains(user.Id) Then
                nffvs.Add(user.Id)
            End If
        Next

        For Each itm As Integer In nffvs
            Dim index = Engine.Users.IndexOf(itm)
            Engine.Users.RemoveAt(index)
        Next
    End Sub
End Module
Imports System.IO
Imports System.Net
Imports System.Data.SqlClient
Imports System.Data
Imports System.Security.Cryptography
Public Class TokenManager
    Public Sub TAlert(ByVal AccountNo As String)
        ' Draw the 6-digit token from the OS CSPRNG. Rnd() without Randomize() replays the
        ' same sequence on every program start, which makes the token predictable.
        Dim buf(3) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(buf)
        End Using
        Dim value As String = (BitConverter.ToUInt32(buf, 0) Mod 1000000UI).ToString("D6")
        Dim Phone As String = ""
        'Phone = "08119133990"
        Dim db As New dbcodes
        db.ConnectDatabase()
        db.GetServerDate()
        Dim cmd As New SqlCommand
        cmd.Connection = db.cn
        ' Look up the phone number registered for the account.
        cmd.CommandText = "Select * from tblAccountInfo Where AccountNo=@AccountNo"
        cmd.Parameters.AddWithValue("@AccountNo", AccountNo)
        Dim dr As SqlDataReader = cmd.ExecuteReader
        cmd.Parameters.Clear()
        If dr.HasRows = True Then
            dr.Read()
            Phone = dr.Item("PhoneNo")
            dr.Close()
            ' Update the account's OTP row if one exists, otherwise insert one.
            ' Note: section 4.2 describes a two-minute lifetime; this listing stores ten minutes.
            cmd.CommandText = "Select * from tblOTP where AccountNo=@AccountNo"
            cmd.Parameters.AddWithValue("@AccountNo", AccountNo)
            dr = cmd.ExecuteReader
            cmd.Parameters.Clear()
            If dr.HasRows = True Then
                dr.Close()
                cmd.CommandText = "Update tblOTP Set Token=@Token,Date_Generated=@Date_Generated,ExpiredTime=@ExpiredTime where AccountNo=@AccountNo"
                cmd.Parameters.AddWithValue("@AccountNo", AccountNo)
                cmd.Parameters.AddWithValue("@Token", value)
                cmd.Parameters.AddWithValue("@Date_Generated", db.serverdate)
                cmd.Parameters.AddWithValue("@ExpiredTime", db.serverdate.AddMinutes(10))
                cmd.ExecuteNonQuery()
                cmd.Parameters.Clear()
            ElseIf dr.HasRows = False Then
                dr.Close()
                cmd.CommandText = "Insert into tblOTP(AccountNo,Token,Date_Generated,ExpiredTime) values (@AccountNo,@Token,@Date_Generated,@ExpiredTime)"
                cmd.Parameters.AddWithValue("@AccountNo", AccountNo)
                cmd.Parameters.AddWithValue("@Token", value)
                cmd.Parameters.AddWithValue("@Date_Generated", db.serverdate)
                cmd.Parameters.AddWithValue("@ExpiredTime", db.serverdate.AddMinutes(10))
                cmd.ExecuteNonQuery()
                cmd.Parameters.Clear()
            End If
        Else
            ' Unknown account: there is no token to store and no number to send it to.
            dr.Close()
            Exit Sub
        End If

        Dim msg As String = "Your One Time Password for your Transaction is " & value
        If My.Computer.Network.IsAvailable = True Then
            Try
                Dim client As WebClient = New WebClient
                ' The gateway account name and password are hard-coded here and travel in the
                ' query string of a plain-HTTP request; they belong in protected configuration
                ' and on an HTTPS endpoint.
                Dim baseurl As String = "http://www.smslive247.com/http/index.aspx?cmd=login&owneremail=fegwara@yahoo.com&subacct=bbi&subacctpwd=123456" '&message=A Message from VB.Net to test the functionality of SMS API &sender=VB.Net Application &sendto=2348063806032&msgtype=0"
                'Dim baseurl As String = "http://api.clickatell.com/http/sendmsg?user=fegwara&password=XeAbgbMOFcAAIZ&api_id=3612508&to=2348032353712&text=" & msg

                ' Log in to the gateway and read back the session id.
                Dim data As Stream = client.OpenRead(baseurl)
                Dim reader As StreamReader = New StreamReader(data)
                Dim s As String = reader.ReadToEnd()
                data.Close()
                reader.Close()

                Dim vericode As String = Mid(s, 4, Len(s))
                'Exit Sub
                ' Send the token; the message text is escaped so it is a valid query value.
                baseurl = "http://www.smslive247.com/http/index.aspx?cmd=sendmsg&sessionid=" &
                    Trim(vericode) & "&message=" & Uri.EscapeDataString(msg) & "&sender=" & "DSECURE" &
                    "&sendto=" & Phone & "&msgtype=0"

                data = client.OpenRead(baseurl)
                reader = New StreamReader(data)
                Dim a As String = reader.ReadToEnd
                data.Close()
                reader.Close()
            Catch ex As Exception
                MsgBox("Unable to Reach the SMS Gate Way, Please Click the Resend Token Link on the Form.")
            End Try
        ElseIf My.Computer.Network.IsAvailable = False Then
            MsgBox("There is no Network Availabe Now, Please Click on Resend Token When Network is Available")
        End If
    End Sub
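    Public Function ValidateOTP(ByVal Code As String, ByVal AccountNo As String) As Boolean
        Dim ValidOTP As Boolean = False
        Try
            Dim db As New dbcodes
            db.ConnectDatabase()
            ' GetServerDate() is called as TAlert does before it reads db.serverdate.
            db.GetServerDate()
            Dim cmd As New SqlCommand
            cmd.Connection = db.cn
            ' The token must match and must not have passed the ExpiredTime written by TAlert.
            cmd.CommandText = "Select * from tblOTP where AccountNo=@AccountNo and Token=@Token and ExpiredTime>=@Now"
            cmd.Parameters.AddWithValue("@AccountNo", AccountNo)
            cmd.Parameters.AddWithValue("@Token", Code)
            cmd.Parameters.AddWithValue("@Now", db.serverdate)
            Dim dr As SqlDataReader = cmd.ExecuteReader
            cmd.Parameters.Clear()
            If dr.HasRows = True Then
                dr.Close()
                ValidOTP = True
            Else
                dr.Close()
                ValidOTP = False
            End If
        Catch ex As Exception
            ' Any database error leaves ValidOTP False, so the check fails closed.
        End Try
        Return ValidOTP
    End Function
End Class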
Public Class Form1
    Private Sub btnCancel_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) _
        Handles btnCancel.Click
        frmStart.Show()
        Me.Close()
    End Sub

    ' Text box that currently has focus; the on-screen keypad types into it.
    Dim currTextBox As TextBox

    Private Sub TextBox_Focus(ByVal sender As System.Object, ByVal e As System.EventArgs) _
        Handles txtAccount.Enter, txtPwd.Enter
        currTextBox = sender
    End Sub

    ' One handler for every key of the on-screen alphanumeric keypad.
    Private Sub btn0_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) _
        Handles btn0.Click, btn1.Click, btn2.Click, btn3.Click, btn4.Click, btn5.Click, btn6.Click, _
        btn7.Click, btn8.Click, btn9.Click, btnZ.Click, btnY.Click, btnX.Click, btnW.Click, btnV.Click, _
        btnU.Click, btnT.Click, btnS.Click, btnR.Click, btnQ.Click, btnP.Click, btnO.Click, btnN.Click, _
        btnM.Click, btnL.Click, btnK.Click, btnJ.Click, btnI.Click, btnH.Click, btnG.Click, btnF.Click, _
        btnE.Click, btnD.Click, btnC.Click, btnB.Click, btnA.Click, btn16.Click, btn15.Click, _
        btn14.Click, btn13.Click, btn12.Click, btn11.Click
        currTextBox.Text = currTextBox.Text & sender.Text
    End Sub

    ' First-tier check: account number and password, then hand over to the fingerprint form.
    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) _
        Handles Button1.Click
        If txtAccount.Text = "" Then
            MsgBox("Please Enter your Account No", MsgBoxStyle.OkOnly +
                MsgBoxStyle.Exclamation, "No Account Detail Supply")
            txtAccount.Focus()
            Exit Sub
        ElseIf txtPwd.Text = "" Then
            MsgBox("Please Enter your Account Password", MsgBoxStyle.OkOnly +
                MsgBoxStyle.Exclamation, "No Account Passord Supply")
            txtPwd.Focus()
            Exit Sub
        Else
            Dim db As New dbcodes
            Dim LoginID As Integer = db.CustomerLogin(txtAccount.Text, txtPwd.Text)
            If LoginID <> -2 Then
                LoggedOnUserAccountNumber = txtAccount.Text
                Dim frmVerify As New frmVerifyBiometric
                frmVerify.fingerPrintId = LoginID
                frmVerify.Show()
                Me.Close()
            Else
                MsgBox("Invalid Customer Login Information, Try again or Contact Administrator",
                    MsgBoxStyle.OkOnly + MsgBoxStyle.Exclamation, "Access Denied")
            End If
        End If
    End Sub
End Class
