Abstract
Criminals have recently made frequent use of logical attacks on Automated Teller Machines (ATMs) and financial institutions’ networks to steal cash. An ATM security measure called “Control Command Verification” has been proposed to address this problem. The measure uses peripheral devices to prevent the logical attack of “unauthorized cash withdrawals” in smart card transactions. When the measure is applied to magnetic stripe card transactions, a variety of systems can be implemented, because the existing security standards for magnetic stripe card transactions impose fewer implementation constraints. Suitable systems should be selected from among these from three viewpoints: preventing a wide range of logical attacks in a transaction, harmonizing with existing ATM operations, and minimizing the number of peripheral devices to be modified. This paper proposes a systematic implementation design method for the measure that satisfies those three viewpoints. Applying the design method to magnetic stripe card transactions selects three suitable systems out of the 135 implementable systems.
Notes
1. EMV is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.
Copyright information
© 2019 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Ogata, H., Ishikawa, T., Miyamoto, N., Matsumoto, T. (2019). Secure ATM Device Design by Control Command Verification. In: Shankar Sriram, V., Subramaniyaswamy, V., Sasikaladevi, N., Zhang, L., Batten, L., Li, G. (eds) Applications and Techniques in Information Security. ATIS 2019. Communications in Computer and Information Science, vol 1116. Springer, Singapore. https://doi.org/10.1007/978-981-15-0871-4_3
DOI: https://doi.org/10.1007/978-981-15-0871-4_3
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-15-0870-7
Online ISBN: 978-981-15-0871-4
eBook Packages: Computer Science, Computer Science (R0)