Securing ATM Using OTP and Biometric


SECURING ATM USING OTP

AND BIOMETRIC
By
Hamid Khan
Under the guidance of Dr. Jyoti Joglekar
Outline
• ATM machine frauds
• ATM card frauds
• Existing system
• Problem definition
• Proposed system
• Objective of the system
• OTP and OTP generation
• Biometric authentication
• Purpose of the system
• Changes to current system
• Implementation constraints
ATM MACHINE FRAUDS
• Card-trapping devices: This type of fraud occurs
when a fraudster uses a device at the ATM to capture
your card.
• Skimming from the magnetic stripe: Skimming is
the term used when a fraudster attaches a device to an
ATM to record the electronic details from the
magnetic stripe of your card.
• Shoulder surfing: Shoulder surfing is the term used
when the fraudster observes you entering your PIN at
an ATM or in a shop.
(Embedded video, published on YouTube in February 2015; not reproduced here.)
ATM CARD FRAUDS
• Counterfeit card fraud: This type of fraud occurs when
a fake card is created using compromised card details.
• Lost or stolen ATM card: a stolen card can be used by anyone who
knows the PIN (for example a family member), who then has full access to
the account. It can also be used as a debit card for online purchases.
• Card not present: This type of fraud occurs when a
fraudster uses your personal card details to make
purchases without the card being present. This may be
online, over the phone or by mail order.
Existing System
• Today the ATM relies on a single secret (the PIN) to protect the money
held in the bank, leaving physical attacks aside.
– The user inserts the card into the machine.
– The card reader reads the information on the magnetic stripe and sends it to
the bank server. If the card information is valid according to the bank, the
ATM asks for the PIN.
– The user enters the PIN at the ATM.
– If the PIN is correct according to the server, the user is allowed to proceed
to transactions.
– This process covers a single transaction: if the user wants to withdraw more
money, he/she has to repeat it.
Problem definition
• The problem with current ATM banking is that new attacks against it
appear every day, each further weakening its security. This creates a need
for new techniques or algorithms that can deal with the attacks that may
come next.
Proposed system
• User: swipes card.
• ATM: validates the card, asks for the PIN.
• User: enters PIN.
• ATM / bank server: validates the user, then asks the user to choose one
option: generate an OTP, or check biometric authentication.
• Bank server: the OTP generator produces an OTP and sends it to the user;
the biometric database holds the reference pattern.
• User: enters the OTP / presents the biometric.
• ATM / bank server: verifies the OTP or biometric and grants access.

Fig 1. Block Diagram of ATM with OTP and Biometric (flow recovered from the
slide; the original diagram is not reproduced here)


Objective of the system
1. Security
2. User friendly
3. Least overhead
OTP
• A one-time password (OTP) is a password that
is valid for only one login session or transaction.
• Methods of generating the OTP
– Mathematical methods
– Time based methods
• Methods of delivering the OTP
OTP generation
• OTP generation consists of two steps:
– SHA-1 hash calculation over data retrieved from the
database (plus the current time).
– Selection of a numeric OTP from that hash.
OTP generation example
Step 1:
• User Name-SAKEC
• Account Number-0123456789
• Mobile number- 9870908062
• Address-chembur
• IMEI-12345678932
• Current Time - 10.30.12:12-12-2014

String | Hash value (SHA-1)
SAKEC | 534480d2acc986f8ebb895655dc8b6280a98f57
SAKEC0123456789 | e2ea34548628caf9278a225c456c60597f26cb8
SAKEC01234567899870908062chembur12345678932 | fcdf34826cfd5c6c7813b667f466fab49d609aa8
SAKEC01234567899870908062chembur1234567893210.30.12:12-12-2014 | 29699c7fc6a0dc40cba6671486393d8f59e87ec

(Hash values are reproduced as printed on the slide. A full SHA-1 digest has
40 hexadecimal digits; several of the values above show only 39.)
OTP generation example
Hash value: 29699c7fc6a0dc40cba6671486393d8f59e87ec
Step 2:
• Extract all numeric characters from the hash value, keeping their order:
2969976040667148639385987
• Select a position in this digit string at random, for example position 9.
• A pointer is placed at the 9th digit and the 5 digits starting from that
position are taken.
• Here 40667 is the resulting OTP.
OTP generation example
String: SAKEC01234567899870908062chembur1234567893210.30.13:12-12-2014
Hash value:
9cc1f30d516e4ec1202d174b352262bcdcca7149
Numeric characters only:
9130516412021743522627149
Selection of OTP (suppose position 7 is selected):
64120
OTP delivery
• The OTP is delivered to the user's mobile phone.
• There are some prerequisites:
– The user's mobile number must be present in the bank's
database.
– The mobile number must not have DND (Do Not Disturb) activated.
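The following is an added example (not code from the original slides or the project) that puts the two technical pieces above together: the two-step OTP generation (SHA-1 over the concatenated profile fields and time, digit extraction, 5-digit window at a chosen position) and the server side of the Fig 1 flow, where an OTP is issued once per transaction, handed to the SMS gateway, and accepted only once before it expires. Function names, the `OtpStore` class, the 120-second validity window and the fake clock used for testing are all assumptions; the slides give no expiry, only "valid for one login session or transaction". The profile values and timestamp format `HH.MM.SS:DD-MM-YYYY` are taken from the slides' own example.

```python
import hashlib
import secrets
import time

OTP_LENGTH = 5  # the slides take 5 digits from the hash


def build_seed(user_name, account, mobile, address, imei, timestamp):
    """Concatenate the profile fields and the current time in the order the slides use.
    `timestamp` is a string such as "10.30.12:12-12-2014" (assumed format HH.MM.SS:DD-MM-YYYY)."""
    return f"{user_name}{account}{mobile}{address}{imei}{timestamp}"


def sha1_hex(seed):
    """Step 1: SHA-1 of the seed string as 40 lowercase hex digits."""
    return hashlib.sha1(seed.encode("utf-8")).hexdigest()


def extract_digits(hex_hash):
    """Step 2a: keep only the numeric characters of the hash, in order."""
    return "".join(ch for ch in hex_hash if ch.isdigit())


def select_otp(digits, position):
    """Step 2b: take OTP_LENGTH digits starting at the 1-indexed `position`.
    Refuses positions whose window would run past the end of the digit string."""
    if position < 1 or position + OTP_LENGTH - 1 > len(digits):
        raise ValueError("position out of range for a %d-digit window" % OTP_LENGTH)
    start = position - 1
    return digits[start:start + OTP_LENGTH]


def possible_otps(digits):
    """Every OTP the scheme can produce from one hash: one per valid start position."""
    return {select_otp(digits, p) for p in range(1, len(digits) - OTP_LENGTH + 2)}


def random_position(digits):
    """Pick the start position with a CSPRNG so the window always fits.
    A SHA-1 hex digest usually has about 25 digits, but it can have fewer than 5."""
    last = len(digits) - OTP_LENGTH + 1
    if last < 1:
        raise ValueError("hash contains too few digits for an OTP")
    return 1 + secrets.randbelow(last)


def generate_otp(seed, position=None):
    """Full generation: hash the seed, extract digits, cut a 5-digit window."""
    digits = extract_digits(sha1_hex(seed))
    if position is None:
        position = random_position(digits)
    return select_otp(digits, position)


class OtpStore:
    """Server-side record of issued OTPs (assumed design): one OTP per account,
    consumed on the first verification attempt, and discarded after `ttl_seconds`."""

    def __init__(self, ttl_seconds=120, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock        # injectable so expiry can be tested without sleeping
        self._issued = {}         # account -> (otp, expiry time)

    def issue(self, account, seed):
        """Generate and record an OTP; the return value is what goes to the SMS gateway."""
        otp = generate_otp(seed)
        self._issued[account] = (otp, self.clock() + self.ttl)
        return otp

    def verify(self, account, candidate):
        """Accept `candidate` only if it matches the unexpired OTP issued for `account`.
        The record is removed on the first attempt, right or wrong, so an OTP cannot be
        replayed and a 5-digit code cannot be guessed by repeated tries."""
        entry = self._issued.pop(account, None)
        if entry is None:
            return False
        otp, expiry = entry
        if self.clock() > expiry:
            return False
        if not candidate.isascii():
            return False
        return secrets.compare_digest(otp, candidate)
```

`possible_otps` makes the size of the OTP space explicit: with about 25 digits in a digest there are at most 21 start positions, so for a given seed the scheme yields at most 21 candidate codes. Anyone who knows the profile fields and the clock can therefore enumerate them, which is why the store above burns the OTP on the first wrong attempt. A production design would normally use a keyed construction such as HOTP/TOTP (RFC 4226 / RFC 6238) so that the OTP depends on a secret the attacker does not hold, rather than on the choice of window position alone.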
Comparison between OTP generation
methods
• This section compares three algorithms in
terms of the following factors:
– Time taken to generate a given number of OTPs.
– Repetition of OTPs (if any).
– Possibility of regenerating an OTP.
Comparison on System 1*
Table 1. Results for 10000 to 50000 OTP calculation on system 1

* System 1:
Processor: AMD FX™-6100 Six Core Processor (3.30 GHz)
RAM: 4GB of RAM.
Comparison on System 1
Table 2. Results for 100000 to 200000 OTP calculation on system 1
Comparison on System 2*
Table 3. Results for 10000 to 50000 OTP calculation on system 2

* System 2:
Processor: Intel Core i3 4th Gen
RAM: 4GB of RAM.
Comparison on System 2
Table 4. Results for 100000 to 200000 OTP calculation on system 2
Biometric authentication
• Biometric authentication refers to the
identification of humans by their physical
characteristics or attributes.
• Biometrics is used in computer science as a
form of identification and access control.
• Examples of biometric attributes are
fingerprint, Iris, hand geometry, voice etc.
Fingerprint biometric
• Fingerprint recognition is the easiest and oldest
biometric method.
• In fingerprint biometrics the pattern of ridges is
matched against the pattern stored in the database; if
the ridges match, system access is granted.
Fingerprint biometric
• The three basic patterns of fingerprint
ridges are the arch, loop, and whorl:
– arch: The ridges enter from one side of the
finger, rise in the center forming an arc, and
then exit the other side of the finger.
– loop: The ridges enter from one side of a
finger, form a curve, and then exit on that
same side.
– whorl: Ridges form circularly around a central
point on the finger.
Pattern-based algorithm
• Pattern based algorithms compare the basic
fingerprint patterns (arch, whorl, and loop) between a
previously stored fingerprint and a current candidate
fingerprint.
• To do this, the images are aligned in the same orientation.
The algorithm then finds a central point in each image.
• The candidate fingerprint is compared graphically
with the stored fingerprint.
Purpose of system
• How will it be effective against the risk factors?
• OTP
• Biometric
• Changes to the current system.
Purpose of system
• How will it be effective against the risk factors?
– Card not present: a person who holds the card details but cannot satisfy the
additional security check will not be able to proceed to transactions.
– Lost or stolen ATM card: the card thief has neither the OTP nor the
biometric pattern needed to get access at the ATM.
– Counterfeit card fraud: even if a counterfeit card is made with a person's
card information, the fraudulent card will not grant access at the ATM
without the OTP or biometric.
– Card-trapping devices: anyone who traps a card to obtain its information
will not be able to do anything malicious with that information.
– Skimming from the magnetic stripe: stealing or skimming the stripe is of no
use, because the information alone is not usable.
– Shoulder surfing: shoulder surfing does not help the attacker, because the
OTP is different every time and the biometric check stops the attacker from
going further.
Purpose of system
• OTP
– If a legitimate user wants to put a known and trusted
person in charge of his/her banking, for example by handing
the card to a son/daughter/wife/husband, access at the ATM
can still be granted by passing the OTP on to that person by
message or phone call.
– OTP delivery is about as fast as a voice call, so it adds little
time to an ATM transaction while enhancing its security.
Purpose of system
• Biometric
– A legitimate user who is not able to use a mobile
phone, or is not familiar with one, can use the
biometric as authentication.
– The same applies if he/she cannot access the mobile
phone for any reason, such as a dead battery or the
phone having been left at home.
Changes to current system

• The basic idea is not to change the current system much.
• The change is that, after the card swipe, the machine shows
another prompt on screen asking the user to choose between OTP and
biometric.
• On the server side an OTP generator algorithm runs and a
biometric database is stored.
• This is less overhead for banks, because the largest biometric
database in the world is India's (Aadhaar), so banks can obtain
biometric information for every client who is enrolled in it.
Implementation constraints
• This project needs some changes to the current design of the ATM system,
listed below.
– The user's mobile number must be present in the system; it is
required for this project.
– A biometric database must be maintained.
– When opening an account, the bank should capture the user's
fingerprint information.
– A fingerprint scanner must be attached to the ATM so that it can
scan the user's fingerprint at the time of authentication.
– The bank must have a fast and trusted SMS gateway to deliver the OTP to
the customer's mobile number.
– The new system should be explained to customers so that they do not face
difficulties or problems when using the ATM.
Thank you