The challenges of ATM Banking
The most common form of ATM authentication is a bank or credit card combined with a PIN, where the PIN is either assigned by the bank or chosen by the customer.
The following are some examples of fraud that have compromised existing authentication methods:
Lebanese loop and card skimming – the most commonly used methods of ATM fraud. Both involve tampering with the card reader, and both are as costly for the customer as they are for the financial institution.
Fake ATMs and point-of-sale terminals – when a customer attempts to use the machine, the card itself or the information stored on it (on the magnetic stripe on the back of the card) can be obtained. The false machines also record the PINs that customers enter, and these are later used to withdraw funds.
“Cashing” – ATM cards can also be cloned by obtaining the card number or the information from the magnetic stripe. If the PIN can also be obtained, either by covert observation (shoulder surfing or hidden cameras) or by tricking the user into revealing it, then the false card can be used. Using fraudulent, or fraudulently obtained, ATM cards and PINs to withdraw cash from bank accounts is commonly called “cashing” and is an important step in many of today’s successful identity thefts.
“Phishing” – there is frequently a relationship between phishing and ATM fraud. If a phishing attack can obtain bank card information and PINs, then false bank cards can be created and withdrawals can be made from ATMs. Bank card numbers and PINs are frequent targets of phishing attacks because of the ease of the cashing phase of the fraud, where the identity information is converted into real cash.
The Goal
Static passwords or PINs used for authentication have several security drawbacks, as evidenced by the fraud attacks described above. A better, more secure way of authenticating is “two-factor” or “strong authentication” based on one-time passwords (OTP).
SABSP’s goal was to deploy on each banking customer’s mobile phone a software application that can generate an OTP, giving banking customers the ability to perform the following with only a mobile phone and without the need for any bank or credit card:
ATM Authentication – a customer authenticates himself to an ATM with two-factor authentication: something he has and something he knows. He generates a one-time password using his mobile phone and then enters it into the ATM along with his mobile phone number.
Money Transfer – a customer transfers funds to a mobile phone number, and the recipient then uses just the mobile phone to withdraw cash from an ATM. This is accomplished by the sender first logging onto his on-line banking site and requesting that money be allocated to a particular mobile phone number. The recipient then goes to an ATM, uses his mobile phone to generate a time-based one-time password, enters it into the ATM along with his mobile phone number – and withdraws the cash.
Implementation
Following an extensive evaluation, SABSP decided that, since the security of the entire system rests on the security of the mobile platform – which is extremely vulnerable to a variety of attacks – it required the most advanced mobile security technology.
After the highest levels of technology diligence and security scrutiny by SABSP, CIDWAY was chosen as the security technology supplier. CIDWAY had unmatched mobile security technology that was also easy to implement. CIDWAY’s One Time Password (OTP) technology provides real-time strong identification that is the most secure two-factor authentication technology available for mobile phones.
The most crucial security components for SABSP were:
Mobile phone protection – advanced mobile phone software protection against module reverse-engineering, PIN sniffers/prediction/tries, module cloning, secrets generation/transmission, module activation, module substitution by phishing, Trojan horses and brute force attacks
Automatic synchronization – a transparent process that never requires tech support or user intervention
End-to-end protection – security ensured at every step: token deployment, download and registration/enrollment, PIN selection and management, secrets protection, time-based OTP and digital signature generation and transmission, download/registration server, authentication server, token database and system administration
Advanced protection – against phishing, pharming, network eavesdropping (man-in-the-middle), Trojan horses, key logging, identity theft, network penetration, phone line eavesdropping, customer repudiation, customer privacy violation, customer physical hijack and more
Configurable acceptance period – the authorized period of time between one-time password generation and the moment the user actually uses it is configurable. This offers extra protection, especially against man-in-the-middle attacks.
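As an added illustration of the flow described under The Goal and of the configurable acceptance period above (this is example code written for this page, not CIDWAY’s or SABSP’s implementation), the following model uses an assumed RFC 6238-style HMAC time-based OTP, a 30-second time slice, and an assumed bank-side server that keys token secrets and allocated funds by mobile phone number; the acceptance window, the replay check and the phone numbers and secrets are all constructed for the example.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per OTP time slice (assumed RFC 6238 default, not CIDWAY's value)

def generate_otp(secret: bytes, t: int, digits: int = 6) -> str:
    """Time-based OTP the phone app computes at Unix time t (RFC 6238 style, assumed)."""
    counter = t // TIME_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class CardlessAtmServer:  # bank-side server keyed by phone number (constructed model)
    def __init__(self, secrets: dict, acceptance_period: int = 60):
        self.secrets = secrets                      # phone number -> token secret from enrollment
        self.acceptance_period = acceptance_period  # seconds an OTP stays valid after generation
        self.balances = {phone: 0 for phone in secrets}  # funds allocated to each number
        self.used = set()                           # (phone, time counter) already accepted

    def allocate(self, phone: str, amount: int) -> bool:
        """Online-banking step: earmark funds for a mobile number that holds a token."""
        if phone not in self.secrets or amount <= 0:
            return False
        self.balances[phone] += amount
        return True

    def verify(self, phone: str, otp: str, now: int) -> bool:
        """Accept an OTP generated up to acceptance_period seconds ago (TIME_STEP granularity)."""
        secret = self.secrets.get(phone)
        if secret is None:
            return False
        for back in range(self.acceptance_period // TIME_STEP + 1):
            t = now - back * TIME_STEP
            if hmac.compare_digest(generate_otp(secret, t), otp):
                key = (phone, t // TIME_STEP)
                if key in self.used:  # same code presented twice inside the window: replay
                    return False
                self.used.add(key)
                return True
        return False

    def withdraw(self, phone: str, otp: str, amount: int, now: int) -> bool:
        """ATM step: phone number plus OTP, no card; only allocated funds can be drawn."""
        if not self.verify(phone, otp, now) or amount <= 0 or amount > self.balances[phone]:
            return False
        self.balances[phone] -= amount
        return True
```

A shorter acceptance period shrinks the window in which an intercepted code is still usable; the replay set makes an intercepted code worthless once the legitimate user has spent it.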
The direct and indirect costs associated with implementation and customer roll-out were another important consideration for SABSP. CIDWAY’s mobile token deployment technology not only took into account every security mechanism against attack but also contained cost-effective efficiencies and a methodology for easy user adoption. CIDWAY’s mobile and authentication server technologies were surprisingly fast and simple to integrate, creating a successful, user-friendly “cardless” mobile ATM system.