An ATM Security Measure for Smart Card Transactions to Prevent Unauthorized Cash Withdrawal

Hisao OGATA  Tomoyoshi ISHIKAWA  Norichika MIYAMOTO  Tsutomu MATSUMOTO  

IEICE TRANSACTIONS on Information and Systems   Vol.E102-D   No.3   pp.559-567
Publication Date: 2019/03/01
Publicized: 2018/12/06
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2018EDP7136
Type of Manuscript: PAPER
Category: Dependable Computing
Keywords: ATM, security, malware, cryptography, device


Recently, criminals have frequently used logical attacks to install malware on the PC of Automated Teller Machines (ATMs) in order to withdraw cash without authorization. Malware on the PC sends unauthorized cash dispensing commands to the dispenser to withdraw cash without generating a transaction. Existing security measures primarily try to protect the information assets in the PC from being compromised by malware. Such measures are neither very effective nor efficient, because the PC contains too many items requiring protection for them to be tightly controlled in present ATM operational environments. This paper proposes a new ATM security measure based on secure peripheral devices: the secure dispenser in an ATM verifies the authenticity of a received dispensing command against the withdrawal transaction evidence, which is securely transferred from the ATM's secure card reader. The card reader can capture the transaction evidence because, in a smart card transaction, all transaction data flows through the card reader. Even if the PC is compromised, the secure dispenser does not accept unauthorized dispensing commands. As a result, the new security measure does not impose a heavy burden of tighter security management for the PCs on financial institutions, while achieving stringent security against logical attacks on ATMs.
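The check the abstract describes can be modelled as below. This is an added example, not the paper's protocol or code: the abstract does not say how evidence is protected, so the shared device key, HMAC-SHA256, the dispenser-issued nonce, the JSON layout and all names are assumptions.

```python
import hashlib, hmac, json, os

# Assumption: reader and dispenser share a device key the ATM PC never holds.
DEVICE_KEY = os.urandom(32)

def _mac(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()

class SecureCardReader:
    """Observes the smart card transaction and emits authenticated evidence."""
    def __init__(self, key):
        self._key = key
    def evidence_for(self, txn_id, amount, nonce):
        body = json.dumps({"txn": txn_id, "amount": amount,
                           "nonce": nonce.hex()}, sort_keys=True).encode()
        return body, _mac(self._key, body)

class SecureDispenser:
    """Dispenses only when a command matches fresh, authentic evidence."""
    def __init__(self, key):
        self._key, self._nonce = key, None
    def new_nonce(self):
        self._nonce = os.urandom(16)  # freshness challenge (assumed mechanism)
        return self._nonce
    def dispense(self, amount, body, tag):
        nonce, self._nonce = self._nonce, None  # each challenge is single use
        if nonce is None:
            return "REJECT: no outstanding challenge"
        if not hmac.compare_digest(_mac(self._key, body), tag):
            return "REJECT: bad evidence MAC"
        ev = json.loads(body)
        if ev["nonce"] != nonce.hex():
            return "REJECT: stale evidence"
        if ev["amount"] != amount:
            return "REJECT: amount mismatch"
        return f"DISPENSE {amount}"

def run_scenarios():
    """Constructed cases: the untrusted PC only relays bytes between devices."""
    reader, disp = SecureCardReader(DEVICE_KEY), SecureDispenser(DEVICE_KEY)
    out = {}
    body, tag = reader.evidence_for("T1", 200, disp.new_nonce())
    out["genuine"] = disp.dispense(200, body, tag)
    disp.new_nonce()  # PC re-sends old evidence against a new challenge
    out["replay"] = disp.dispense(200, body, tag)
    body2, tag2 = reader.evidence_for("T2", 100, disp.new_nonce())
    out["inflated"] = disp.dispense(1000, body2, tag2)  # command exceeds evidence
    disp.new_nonce()  # command with no card transaction behind it
    out["forged"] = disp.dispense(500, b"{}", bytes(32))
    return out
```

Only the case backed by matching, fresh evidence dispenses; the PC's integrity is not part of the decision.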