Secure ATM Device Design by Control Command Verification

  • Conference paper
Applications and Techniques in Information Security (ATIS 2019)

Abstract

Recently, criminals have frequently used logical attacks on Automated Teller Machines (ATMs) and financial institutions' networks to steal cash. An ATM security measure called “Control Command Verification” has been proposed to cope with these issues. The measure uses peripheral devices to prevent the logical attack of “unauthorized cash withdrawals” in smart card transactions. When the measure is applied to magnetic stripe card transactions, a variety of systems can be implemented, because the existing security standards for magnetic stripe card transactions impose fewer implementation constraints. Proper systems should be selected from these implementable systems according to three viewpoints: preventing a wide range of logical attacks in a transaction, harmonizing with existing ATM operations, and minimizing the number of peripheral devices to be modified. This paper proposes a systematic implementation design method for the measure that satisfies those three viewpoints. Applying the design method to magnetic stripe card transactions selects three proper systems out of the 135 implementable systems.

Notes

  1. EMV is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.

Corresponding author

Correspondence to Hisao Ogata.

Copyright information

© 2019 Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Ogata, H., Ishikawa, T., Miyamoto, N., Matsumoto, T. (2019). Secure ATM Device Design by Control Command Verification. In: Shankar Sriram, V., Subramaniyaswamy, V., Sasikaladevi, N., Zhang, L., Batten, L., Li, G. (eds) Applications and Techniques in Information Security. ATIS 2019. Communications in Computer and Information Science, vol 1116. Springer, Singapore. https://doi.org/10.1007/978-981-15-0871-4_3

  • DOI: https://doi.org/10.1007/978-981-15-0871-4_3

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-15-0870-7

  • Online ISBN: 978-981-15-0871-4

  • eBook Packages: Computer Science (R0)