Three-Factor Authentication for Automated Teller Machine System

IRACST - International Journal of Computer Science and Information Technology & Security (IJCSITS), ISSN: 2249-9555
Vol. 4, No.6, December 2014
160
Three-Factor Authentication for Automated Teller
Machine System
Jane Ngozi Oruh
Department of Computer Science,
Michael Okpara University of Agriculture, Umudike,
Umuahia, Nigeria.
ngozibenphilips@gmail.com
Abstract – This paper discusses three-factor
authentication for the Automated Teller Machine
system; pointing out the security vulnerabilities in
the two-factor authentication method of the ATM
system where password (PIN) and smartcard
(ATM card) are currently used for banking
transaction authentication. It was seen from the
study presented here, that two-factor
authentication has not provided effective security
for the ATM system. A proposal was made for a
system that will integrate biometric authentication
as a third level authentication in the system,
creating a three-factor authentication ATM
system that includes user smartcard, user PIN and
user fingerprint information.
Keywords: Three-factor, ATM, Biometric-
Authentication
I. INTRODUCTION
In the current ATM system, which relies on
two-factor authentication, security can be breached
when the password is divulged to an unauthorized
user or the card is stolen by an impostor.
Reference [4] states that ATMs have been
incorporated in our way of life. They offer real
convenience to those on the run, but this advantage
can be undone if customers do not feel secure when
using the facilities. Moreover, they are prone to
fraud, and offer some elements of risk.
Furthermore, simple passwords are easy for
an impostor to guess, while difficult passwords may
be snooped using sophisticated techniques; therefore,
this system is not secure. Having the first two
security mechanisms (two-factor authentication) in
place might not be enough. It is on this argument
that adding a third level of authentication can
provide significant authentication strength by
relying on something that the user ‘is’. This means
something about that person that cannot be changed
or easily mimicked, such as fingerprints, facial
features or eyes, which can be used as a factor of
identity verification, hence three-factor
authentication. Three-factor authentication is the use
of three independent mechanisms for authentication.
To solve this problem, we added fingerprint
verification to this method. Fingerprint Verification
System is an easy-to-use library that allows
programmers to integrate fingerprint technology into
their software without specific know-how.
A. PROBLEM STATEMENT
As ATM technology evolves, fraudsters are
devising different skills to beat the security of the
system. Various forms of fraud are perpetrated,
ranging from ATM card theft, skimming, PIN theft,
card reader techniques and PIN pad techniques to
forced withdrawals and a lot more [18]. Reference
[18] further posits that managing the risk associated
with ATM fraud, as well as diminishing its impact, is
an important issue facing financial institutions, as
fraud techniques have become more advanced with
increased occurrences. Smartcard-based password
authentication provides two-factor authentication:
a successful login requires the client to have a
valid smartcard and a correct password or
PIN. While it provides stronger security guarantees
than just password authentication, it could also fail if
both authentication factors are compromised (e.g., an
attacker has successfully obtained the password and
the data in the smartcard). In this case, a third
authentication factor can alleviate the problem and
further improve the system’s assurance. This
motivates the three-factor authentication, which
incorporates the advantages of the authentication
based on PIN, smartcard and biometrics [17].
II. ATM FRAUD
Reference [1] identified security as well as
power outage as major challenges facing the ATM
users in Nigeria. Reference [8] expressed concern
about the lack of cooperation among banks in the
fight to stem the incidence of ATM frauds now
plaguing the industry. He expressed that the silence
among banks on ATM frauds makes it difficult for
banks to share vital information that will help curb
the menace. Reference [12] blamed the menace of
ATM frauds on the indiscriminate issuing of ATM
cards without regard to the customer’s literacy level.
According to him, one of the frequent causes of fraud
is customers being careless with their cards and
PINs, as well as responding to unsolicited e-mail
messages asking for their card details. Reference [14]
opined that the current upsurge in the nefarious
activities of Automated Teller Machine (ATM)
fraudsters is threatening the electronic payment
system in the nation’s banking sector, with users
threatening massive dumping of the cards if the
unwholesome act is not checked.
Reference [13] citing A Report on Global ATM
Frauds, 2007 identified the following types of ATM
Frauds:
(a) Shoulder Surfing: This is a fraud method in
which the ATM fraudster uses a giraffe
method to monitor the information the
customer keys into the ATM machine,
unknown to the customer.
(b) Lebanese Loop: This is a device used to
commit identity theft by exploiting the
Automated Teller Machine (ATM). Its name
comes from its regular use among Lebanese
financial crime perpetrators, although it has
now spread to various other international
crime groups.
(c) Using Stolen Cards: This is a situation in
which the ATM card of a customer is stolen
and presented by a fake presenter.
(d) Card Jamming: Once the ATM card is
jammed, a fraudster pretending to be a
genuine sympathizer will suggest that the
victim re-enter his or her security code.
When the card holder ultimately leaves in
despair, the fraudster retrieves the card and
enters the code that he has doctored
clandestinely.
(e) Use of Fake Cards: Fraudsters use data
collected from tiny cameras and devices
called ‘skimmers’ that capture and record
bank account information.
(f) Duplicate ATMs: The fraudsters use
software which records the passwords typed
on those machines. Thereafter, duplicate
cards are manufactured and money is
withdrawn with the use of the stolen
passwords. Sometimes such frauds are
insiders’ jobs, with the collusion of
employees of the company issuing the ATM
cards.
(g) Card Swapping: This is a card theft trick
whereby a fraudster poses as a “Good
Samaritan” after forcing the ATM to
malfunction and then uses a sleight of hand
to substitute the customer’s card with an old
bank card. As the customer is endlessly
trying to push the card through, the fraudster
offers assistance by pretending to help the
customer push the card through.
Reference [3] in their study concluded that the
location of an ATM is a high determinant of fraud or
crime carried out at the ATM point. From their
research, over 75% of the respondents affirm that the
location of an ATM in a secluded place contributes to
the fraud perpetrated at the ATM point. An ATM
within the banking premises is more secure than
ATMs outside the bank premises. Also, it is obvious
that the location of an ATM in an attractive place
does not make it prone to fraud.
Reference [6] states that the major form of ATM
fraud is PIN theft, which is carried out by various
means: skimming, shoulder surfing, camera, keypad
recorder etc. This study elucidates that the common
type of fraud perpetrated is PIN theft, which is mostly
a result of congestion at ATM points. Other forms
of fraud that were enumerated by respondents were
forced withdrawal, card theft, skimming and
congestion-method fraud at the ATM.
Reference [5] states that 24-hour access to
the ATM machine is a double-edged sword: it has
both advantages and disadvantages. It is easy to
deduce that ATM fraud is carried out mostly in the
daytime. There are also occurrences at night, but most
ATM users prefer to make withdrawals during the
day, thus preventing incidences of robbery at night.
A. AUTHENTICATION
Authentication is the process of determining
whether someone or something is, in fact, who or
what it is declared to be. In private and public
computer networks (including the Internet),
authentication is commonly done through the use of
logon passwords. Knowledge of the password is
assumed to guarantee that the user is authentic [10].
Reference [16] defines authentication as the act of
confirming the truth of an attribute of a single piece
of data or entity. In summary, user authentication is a
means of identifying the user and verifying that the
user is allowed to access some restricted service; for
example, a user must be identified as a particular
student with an assigned property in the form of a
registration number in order to have access to their
student information.
Two-factor authentication
This is a security process in which the user
provides two means of identification, one of which is
typically a physical token, such as a card, and the
other of which is typically something memorized,
such as a security code [10]. This is also called strong
authentication. It may also be any two of the
following:
• Something known, like a password,
• Something possessed, like your ATM card,
or
• Something unique about your appearance or
person, like a fingerprint.
When the confidentiality of information is
particularly needful, the use of two-factor
authentication may not guarantee enough protection.
A stronger means of authentication, something that is
more difficult to compromise is necessary. This is
what we hope to achieve with the three-factor
authentication model.
Three-factor authentication
This includes something you know, something
you have and something you are [7]. It involves the
use of three independent variables for authentication,
which will normally include the following:
• Password (something known only by an
individual, i.e. password, passphrase or PIN)
• ATM card (token held by an individual)
• Fingerprint (something only the individual
is).
The use of three-factor authentication improves
the security of any given system, making it almost
impossible for attackers and hackers to break into the
system without specialized aid.
Biometric authentication
Biometric authentication is one of the most
exciting technical improvements of recent history and
looks set to change the way in which the majority of
individuals live. According to [2], biometric systems
recognize individuals based on their anatomical traits
(fingerprint, face, palm-print, iris, voice) or
behavioral traits (signature, gait). Before now, [9]
had already proposed a two ID-based password
authentication scheme where users are authenticated
by smartcards, passwords and fingerprints. Biometric
authentication is built on the fact that no two
individuals can share the same morphological
characteristics. Reference [15] presents integration of
two technologies, namely biometrics and smartcard
to meet some of the technical challenges posed in a
network-based authentication system. Biometrics
provide the accuracy needed by these systems with
smartcards providing security far beyond the
magnetic strip cards. By combining the two, the
overall system requirements are better met than each
of them individually.
In all, biometrics in general, and fingerprint
technology in particular, can provide a much more
accurate, secure and reliable user authentication
method, especially for the proposed three-factor
authentication system for ATMs.
III. NEW SYSTEM DESIGN
The proposed new ATM system will
comprise three input devices. The input devices
include card reader, keypad and fingerprint sensor.
They provide interface through which authentication
will be done.
Card Reader
The card reader reads data from the
smartcard (ATM card) and is part of the
identification of a particular account. The ATM card
provides the first level authentication for the user. A
magnetic strip on the reverse side of the ATM card is
used for connection with the card reader. The card is
swiped or pressed on the card reader which captures
the card information. The captured information from
the card is passed on to the ATM processing server.
This server uses the captured card information to get
the account information of the card holder.
Keypad
The keypad provides an interface for ATM
users to key in their PIN into the system. The PIN is
the second level authentication coming after the
smartcard. The PIN is transmitted in encrypted form
to the ATM server which checks the correctness of
the PIN. When this check returns positive, the
machine prompts the user to complete the third factor
authentication which is the fingerprint information.
Fingerprint Sensor
The fingerprint sensor provides the last level
of authentication for the user. Users only need to
place their finger on the scanner for the fingerprint
information to be captured. Once captured, the
information is encrypted and transmitted to the ATM
server. The ATM server matches the fingerprint
information with the one stored on the database (the
template). If a match is confirmed, the server
establishes a connection with the customers’ bank
server and subsequently opens transaction interaction
with the customer via the ATM display screen. On
the ATM display screen, the customer can select and
perform any transactions of their choice.
Fig. 1 Architectural diagram of the proposed ATM
system
A. AUTHENTICATION ALGORITHM
The authentication algorithm for the proposed
system follows a simple process, as explained below:
1. User inserts the smartcard (ATM card) on
the card slot. The card reader reads the card
information and transmits the encrypted card
information to the ATM server.
2. The ATM server decrypts the card
information to get user’s account detail; and
subsequently prompts the user through the
ATM display screen to supply their PIN.
3. The user keys in their PIN using the keypad,
the PIN is encrypted and transmitted to the
ATM server.
4. The ATM server decrypts the PIN and
checks it against the PIN database. If the
PIN is correct, the server prompts the user
through the display screen to supply their
fingerprint information; if not, it returns
“invalid PIN” and requests the user to
retype their PIN.
5. User places their finger on the fingerprint
sensor to take a scan. The fingerprint reader
processes the fingerprint information,
encrypts it and transmits it to the ATM
server.
6. The ATM server checks the information
against the fingerprint database. If it is
correct, the server establishes a connection
with the user’s bank for transaction
operations; if not, it returns “invalid
fingerprint” and takes the user back to
step 3.
7. When the first transaction is completed, user
only needs to supply their fingerprint
information to perform another transaction
so long as the card has not been ejected.
8. When user completes their entire
transactions, the card is ejected and the
operations are terminated.
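The eight steps above, written out as a server-side state machine. This is an added example, not code from the paper: the salted PIN hash, the set-overlap matcher standing in for a real fingerprint matcher, the threshold value, the card identifier and the retry cap (`max_failures`) are all assumptions, and encryption in transit is left out.

```python
import hashlib
import hmac
from enum import Enum, auto


class State(Enum):
    AWAIT_CARD = auto()
    AWAIT_PIN = auto()
    AWAIT_FINGERPRINT = auto()
    TRANSACTION = auto()   # bank-server connection open (end of step 6)
    TERMINATED = auto()


def hash_pin(pin, salt):
    # Assumption: the PIN database holds a salted PBKDF2 hash, not the PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def jaccard(sample, template):
    # Stand-in matcher (hypothetical): overlap of two minutiae sets, 0..1.
    union = sample | template
    return len(sample & template) / len(union) if union else 0.0


class AtmSession:
    def __init__(self, pin_db, fp_db, threshold=0.6, max_failures=3):
        self.pin_db, self.fp_db = pin_db, fp_db
        self.threshold, self.max_failures = threshold, max_failures
        self.state, self.card, self.failures = State.AWAIT_CARD, None, 0

    def _fail(self, message, next_state):
        # Assumed hardening: the paper's steps allow unlimited retries.
        self.failures += 1
        if self.failures >= self.max_failures:
            self.state = State.TERMINATED
            return "card retained"
        self.state = next_state
        return message

    def insert_card(self, card_id):                      # steps 1-2
        if self.state is not State.AWAIT_CARD or card_id not in self.pin_db:
            self.state = State.TERMINATED
            return "card rejected"
        self.card, self.state = card_id, State.AWAIT_PIN
        return "enter PIN"

    def enter_pin(self, pin):                            # steps 3-4
        if self.state is not State.AWAIT_PIN:
            return "not expecting a PIN"
        salt, stored = self.pin_db[self.card]
        if hmac.compare_digest(hash_pin(pin, salt), stored):
            self.state = State.AWAIT_FINGERPRINT
            return "present finger"
        return self._fail("invalid PIN", State.AWAIT_PIN)

    def present_finger(self, sample):                    # steps 5-6
        if self.state is not State.AWAIT_FINGERPRINT:
            return "not expecting a fingerprint"
        # Compare with every enrolled template and keep the closest score.
        best = max(jaccard(sample, t) for t in self.fp_db[self.card])
        if best > self.threshold:
            self.state, self.failures = State.TRANSACTION, 0
            return "transaction open"
        # Step 6: a mismatch sends the user back to step 3 (PIN entry).
        return self._fail("invalid fingerprint", State.AWAIT_PIN)

    def finish_transaction(self):                        # step 7
        if self.state is State.TRANSACTION:
            self.state = State.AWAIT_FINGERPRINT   # fingerprint only, no PIN
        return self.state

    def eject_card(self):                                # step 8
        self.state, self.card = State.TERMINATED, None
        return self.state


def demo_databases():
    # Constructed sample data: one card, PIN "4821", four enrolled fingers.
    salt = b"constructed-salt"
    pin_db = {"CARD-0001": (salt, hash_pin("4821", salt))}
    fp_db = {"CARD-0001": [frozenset((b + i, b + 2 * i) for i in range(10))
                           for b in (100, 200, 300, 400)]}
    return pin_db, fp_db


if __name__ == "__main__":
    session = AtmSession(*demo_databases())
    print(session.insert_card("CARD-0001"), "/", session.enter_pin("4821"))
```

Each method refuses input that arrives out of order, so a fingerprint cannot be presented before the PIN check has passed, and a fingerprint mismatch after a completed transaction drops the session back to PIN entry as step 6 requires.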
[Fig. 1 component labels: Card Reader, PIN Reader,
Fingerprint Scanner, Encryption, ATM Server, Bank
Server, PIN Database, Fingerprint Database, Display,
Cash Dispenser, Receipt Printer, Speaker]
B. BIOMETRIC SYSTEM OPERATION
The biometric system will normally comprise the
biometric sensor (camera or scanner), the biometric
processor (device and software algorithm that process
the biometric information), the cryptographic module
and the biometric information database. The
biometric sensor is integrated in the ATM machine
while the biometric database is integrated in the
ATM server. Also, the biometric processor and the
cryptographic module are integrated both in the ATM
machine and the ATM server.
Biometric Enrollment
During card registration also called
biometric enrolment, a new user supplies their
biometric information to the biometric system. The
biometric sensor captures and sends the information
to the ATM client-side biometric processor. The
client-side biometric processor processes the
information, and with the help of the cryptographic
module, encrypts and transmits the encrypted
information over the network to the ATM server-side
processor. The server-side processor decrypts and
processes the encrypted information and extracts
some unique features such as fingerprint minutiae
using a software algorithm called feature extractor.
Other identifiers (name and identification number)
are added and sent to the biometric database for
storage as a template. This completes the biometric
enrollment.
In this work, we have proposed four-finger
enrollment, meaning a new user will have to supply
fingerprint information for their two thumbs and two
index fingers. This limits the probability of a denial
of service due to system errors or mild fingerprint
changes.
During authentication, when the system
returns a mismatch for the first finger, users can
choose to try any of the other three fingers.
Fig. 2 Thumbs and index fingers for biometric
capture
C. USER THIRD-FACTOR
AUTHENTICATION
During biometric authentication referred to as
user third-factor authentication, a user presents new
biometric sample information to the biometric system
through the sensor. The client processor processes the
biometric information and with the cryptographic
module encrypts the information and sends it to the
server side processor. At the server side processor,
the supplied information is decrypted and processed.
The unique features together with the name and
identification number are extracted and placed on the
sample memory map. The server side processor then
queries the biometric database with the sample name
and identification number. The requested templates
are supplied and placed on the template map. The
processor now uses a biometric matcher to compare
the sample and all four templates associated with the
user for similarities. The matcher returns a match
score representing the degree of similarity between
the closest template and the sample. The system
accepts the identity claim only if the match score is
above a predefined threshold.
Fig. 3 Macro model of the proposed biometric
authentication system
IV. LIMITATIONS OF BIOMETRIC
AUTHENTICATION
Though biometrics as a third authentication
factor for the ATM system adds improved security,
it does have its own problems.
Reference [2] named the two authentication errors
mainly seen in biometric systems as false nonmatch
and false match. They further explained that a false
nonmatch occurs when two samples from the same
individual have such low similarity that the system
cannot correctly match them, while a false match
occurs when two samples from different individuals
have such high similarity that the system incorrectly
declares them a match. The former case results in a
denial of service to a legitimate user, while the
latter results in intrusion into the system by an
unauthorized user. The system proposed here
adopts four-finger enrollment, making it more
difficult for a denial of service to occur.
Similarly, the fact that we are adopting a
three-factor authentication system in our model
means that an impostor will need to have the
smartcard, the user PIN and hope that a false match
occurs to be able to break into the system. This
decreases the chances of an impostor breaking into
the system.
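The two error rates and the effect of four-finger enrollment can be put into numbers. The following is an added example, not part of the paper: it assumes normally distributed match scores with constructed parameters, independent comparisons, and that a sample compared with the user's other three fingers scores like an impostor comparison.

```python
import math

# Constructed score model (assumption, not measured data): (mean, std dev)
# of the match score for genuine and for impostor comparisons.
GENUINE = (0.75, 0.10)
IMPOSTOR = (0.30, 0.10)


def phi(x):
    """Standard normal cumulative distribution function."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def single_rates(threshold):
    """(false match rate, false nonmatch rate) for one template."""
    fmr = 1.0 - phi((threshold - IMPOSTOR[0]) / IMPOSTOR[1])
    fnmr = phi((threshold - GENUINE[0]) / GENUINE[1])
    return fmr, fnmr


def closest_of_k(threshold, k=4):
    """Per-presentation rates when the closest of k templates decides."""
    fmr1, fnmr1 = single_rates(threshold)
    # An impostor is accepted if ANY of the k templates scores above t.
    fmr_k = 1.0 - (1.0 - fmr1) ** k
    # A genuine finger is rejected only if its own template and the k-1
    # templates of the other fingers all stay at or below t.
    fnmr_k = fnmr1 * (1.0 - fmr1) ** (k - 1)
    return fmr_k, fnmr_k


def lockout_probability(threshold, k=4):
    """Genuine user rejected on every one of the k enrolled fingers."""
    return closest_of_k(threshold, k)[1] ** k


def threshold_for_fmr(target, k=4):
    """Lowest threshold (by bisection) whose k-template FMR is <= target."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if closest_of_k(mid, k)[0] > target:
            lo = mid
        else:
            hi = mid
    return hi


def operating_points(thresholds=(0.45, 0.50, 0.55, 0.60), k=4):
    """Rows of (t, FMR 1 template, FMR k templates, FNMR, lockout)."""
    rows = []
    for t in thresholds:
        fmr1, fnmr1 = single_rates(t)
        rows.append((t, fmr1, closest_of_k(t, k)[0], fnmr1,
                     lockout_probability(t, k)))
    return rows


if __name__ == "__main__":
    print("t     FMR(1)    FMR(4)    FNMR(1)   lockout(4 fingers)")
    for row in operating_points():
        print("%.2f  %.2e  %.2e  %.2e  %.2e" % row)
    print("threshold for FMR <= 1e-4: 1 template %.3f, 4 templates %.3f"
          % (threshold_for_fmr(1e-4, 1), threshold_for_fmr(1e-4, 4)))
```

Under these assumptions, four-finger enrollment makes a lockout of the legitimate user far less likely, but comparing each sample with four templates raises the false match rate per presentation almost fourfold, so the threshold has to be set higher to hold the same false match target.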
V. CONCLUSION
Biometric-based authentication offers
several advantages over other authentication methods
such as passwords, passphrases and PINs. This is so
because the fraudster may match everything but may
never match the biometric peculiarities. Biometric
tokens are the safest means of preventing ATM fraud.
By further integrating biometric authentication in the
ATM system as a third-factor authentication, we are
sure that attackers, impostors and fraudsters, as the
case may be, would have a difficult time breaking
into people’s accounts.
Though there exists a probability of a
possible compromise of the system, the attacker
would have to weigh the attack-resources needed to
achieve this with the possible gain; and because our
proposed system offers extremely high attack-
resources to gain ratio, such efforts may well be an
exercise in futility.
The massive adoption and implementation
of the system proposed here will go a long way in
solving our ATM security needs.
REFERENCES
[1] Adeloye, L.A., “E-banking as new frontiers for banks,”
Sunday punch (Nigeria), 14 September, 2008 P.25.
[2] Anil K. Jain and Karthik Nandakumar, “Biometric
authentication: system security and user privacy,”
Published by the IEEE Computer Society, November,
2012.
[3] Brunner, A., Decressin, J. & Kudela, B., “Germany’s
three-pillar banking system – cross country perspectives
in europe,” Occasional Paper, International Monetary
Fund, Washington DC., 2004.
[4] Chris, E. M., “ATM machine security: bank ATM
security advice,” retrieved October 15, 2014 from
http://www.crimedoctor.com/business.htm
[5] Cynthia, B., “The measurement of white-collar crime
using Uniform Crime Reporting (UCR) Data,” S
department of Justice, Federal Bureau of Investigation,
New York, 2000.
[6] Diebold, I., “ATM fraud and security: White Paper,”
New York. Hsu C.T. and Wu J.L. (1999):Hidden
Digital Watermarks in Images IEEE Transactions on
Image Processing vol.8,No.1, pp 58-68, 2006.
[7] Frogtalk technology news, “3 Factor authentication:
why you need it to protect your business,” retrieved
Aug 15, 2014 from
http://www.ribbit.net/frogtalk/id/121/3-factor-authentication-why-you-need-it-to-protect-your-business
[8] Ihejiahi, R., “How to fight ATM fraud online,”
Nigeria Daily News (Nigeria), 21 June, 2009 P. 18,
June 2009.
[9] Kim, H.S. Lee, J.K. and Yoo, K.Y., “ID-based
Password Authentication Scheme Using Smart Cards
and Fingerprints,” ACM SIGOPS Operating Syst.
Rev., vol. 37, no. 4, pp. 32-41,Oct. 2003.
[10] Margaret R., retrieved Oct 10, 2014 from
http://www.searchsecurity.techtarget.com/definition/tw
o-factor-authentication
[11] Margaret R., retrieved Oct 12, 2014 from
http://www.searchsecurity.techtarget.com
[12] Obiano, W., “How to fight ATM fraud,” Online Nigeria
Daily News, 21 June, 2009
http://www.Krepublishers.com/02-Journals/JSS/JSS-
27-000011-Web/JSS-27-1-000-11
[13] Olabode J. A., “Automated teller machine (atm) frauds
in nigeria: the way out,” 2011.
[14] Omankhanlen O., “ATM fraud rises: Nigerians groan in
Nigeria,” Daily News, Sunday (Nigeria), 21 June, 2009
P. 8-10
[15] Ratha, N.K. and Bolle R.M., “Smart card based
Authentication,” IBM Systems Journal, retrieved
August 2014 from
http://www.cse.msu.edu/~cse891/Sect601/textbook/18.
pdf
[16] Wikipedia, “Authentication,” retrieved Oct 12, 2014
from http://en.wikipedia.org/wiki/Authentication
[17] Xinyi Huang, Yang Xiang, Ashley Chonka, Jianying
Zhou, and Robert H. Deng, “A Generic framework for
three-factor authentication: preserving security and
privacy in distributed systems,” IEEE Transactions on
parallel and distributed systems 2010
[18] (Selina O. et al, 2012)
AUTHORS’ PROFILE
Jane Oruh received a bachelor’s degree in Computer Science
from Michael Okpara University of Agriculture, Umudike
(MOUAU), Abia State, Nigeria, in 2005. She received her M.Sc in
Computer Science from Ebonyi State University, Abakaliki in
2013. She is currently an Assistant Lecturer with the Computer
Science department of Michael Okpara University of Agriculture,
Umudike, Nigeria. Her research interests are information Security,
biometric authentication systems and context aware systems.
I.
... ii) In several authentication schemes, GSM or authorized persons are used for distributing authentication messages and OTP which is a serious security concern in itself [30], [32], [35], [38]. iii) The contemporary authentication mechanisms [31], [38], [39] have been found to have several issues such as increased processing time, computational cost, reduced system speed and massive storage due to the employment of fuzzy vault schemes, public key operations, and self-updating hash chains. ...
... viii) The authentication schemes so far developed rely on a single biometric trait as the third authenticating factor or in some cases take into consideration only biometrics ignoring the first two authentication factors which may be vulnerable to impersonation attacks. As a result, there are security breaches in those authentication schemes and cannot be used in applications demanding high security such as banking sector, airport information systems, etc. [20], [32], [33]. ix) Popularly used biometrics like voice, iris scan and facial features encounter several issues when used for authentication. ...
Article
Full-text available
Applications meant for exchanging cash, or individual data are becoming progressively common in mobile communications and on the Internet. The expansion of electronic banking services by utilizing various electronic channels provide added value to the users. As such, client authentication is required in these applications for affirming the legitimacy of the clients. The most widely recognized service of accreditations utilized today is the static passwords. Weak passwords prove to be an awful choice because it exposes online banking services to various security dangers. Different arrangements have been put forward to eradicate the clients' need for the creation and management of passwords. In this regard, a typical method developed is the one-time password (OTP), i.e., passwords which remain valid for a single exchange or session. Sadly, the vast majority of these password arrangements doesn't fulfil the requirement of usability and scalability and hence can be considered to be unreliable. In this paper, the usability and security facets of the present-day strategies for validation schemes centred on non-OTP and OTP structures are contemplated. At last, the loopholes, as well as the open challenges, are discussed, highlighting their prominence in the related field of study.
... However, the system employs GSM besides being vulnerable to man-in-middle and imitation attacks. The security vulnerabilities of 2FA in the ATM system have been explored by (Oruh, 2014) and a three-factor authentication scheme is proposed for providing effective security to ATM banking transactions. However, the system uses a single biometric, i.e., fingerprint information in addition to user PIN and smart-card. ...
... • The authentication schemes so far developed rely on a single biometric trait as the third authenticating factor or in some cases take into consideration only biometrics ignoring the first two authentication factors which may be vulnerable to impersonation attacks. As a result, there are security breaches in those authentication schemes and cannot be used in applications demanding high security such as banking sector, airport information systems, etc. (Avhad and Satyanarayana, 2014;Davaanaym et al., 2009;Oruh, 2014). ...
Article
Internet-banking is a crucial service offered by financial Institutions and has gained popularity at a high pace. Owing to the increasing usage of this service, it is being frequently targeted by adversaries. The login process by the user is one of the main points that are at risk of this assault. Hence, a robust security mechanism is essential for warding off those risks. Among other security solutions, a typical arrangement presently employed is the one-time password (OTP), i.e., passwords that remain valid for a single exchange or session. However, the majority of these password generation and processing mechanisms do not fulfil the requirement of usability and/or scalability and hence can be considered as less reliable/fragile. This paper reviews the security mechanisms in E-banking. The pros and con of OTP as well as other non-OTP security solutions have been presented. Finally, the prominence of open issues have been elucidated.
... In any computing system, the user authentication process is the first line of protection that verifies that the user is who they claim to be. Today, three universally acknowledged authentication factors based on knowledge, possession, and biometrics are used to authenticate legitimate users [12][13][14][15][16][17][18]. Authentication based on knowledge and possession has a specific limitation that makes them susceptible to various attacks. ...
Article
Full-text available
As the information put together by the blend of smartphones, the cloud, the IOT, and ubiquitous computing continue to expand at an alarming rate, a data breach increases. Today, users' strong authentication and authorization approaches are increasingly important to secure sensitive, confidential, secret information. Possession and knowledge-based authentication techniques for computers, the internet, email accounts, etc., are commonly used to access vital information; they do not link a user to an established identity, resulting in most security vulnerabilities. Biometric authentication, on the other hand, has the privilege of being more reliable than traditional authentication as biometric characteristics of a person can’t be lost; they are tough to distribute, exchange or duplicate; and it requires the user to be present during the authentication process, thereby relating the users to established identities. Biometrics provides a higher level of assurance that the individual attempting to ascertain is the individual in question. Thus, resulting in a more reliable, usable, and cost-effective model with a higher level of protection to deter an attacker from obtaining entry to a computer or network and gaining access to confidential data. This paper introduces a novel fingerprint-based authentication scheme for mobile environments, enabling user authentication based on fingerprint features using a challenge-response-based authentication process. In this study, the proposed authentication system has been developed on a real Android-based smartphone, tested on actual users, and performance analysis has been carried out; empirical results reveal that the proposed authentication scheme achieves increased performance. Moreover, a usability analysis has been done to determine efficiency, effectiveness, and user satisfaction. The evaluation results indicate its feasibility to use it as an effective authentication mechanism for mobile phone environments.
... To prevent unauthorised money withdrawal banking sectors started implementing either one time password (OTP) or message alert to their registered mail or Biometric authentication or SMS to their registered phone (Hossian et al., 2013;Oruh, 2014). Banks also alert the customers by informing through pamphlets. ...
... The current authentication schemes depend on a single biometric trait as the third authentication factor or in certain situations, just biometrics, missing the first two authentication factors, may be susceptible to impersonation attacks. Consequently, such authentication mechanisms have security flaws and cannot be used in applications that need high security, such as banking and airport information systems (Moon et al., 2012; Avhad and Satyanarayana, 2014; Oruh, 2021). ...
Purpose: Because of the continued use of mobile, cloud and the internet of things, the possibility of data breaches is on the increase. A secure authentication and authorization strategy is a must for many of today’s applications. Authentication schemes based on knowledge and tokens, although widely used, lead to most security breaches. While providing various advantages, biometrics are also subject to security threats. Using multiple factors together for authentication provides more certainty about a user’s identity; thus, leading to a more reliable, effective and more difficult for an adversary to intrude. This study aims to propose a novel, secure and highly stable multi-factor one-time password (OTP) authentication solution for mobile environments, which uses all three authentication factors for user authentication.
Design/methodology/approach: The proposed authentication scheme is implemented as a challenge-response authentication where three factors (username, device number and fingerprint) are used as a secret key between the client and the server. The current scheme adopts application-based authentication and guarantees data confidentiality and improved security because of the integration of biometrics with other factors and each time new challenge value by the server to client for OTP generation.
Findings: The proposed authentication scheme is implemented on real android-based mobile devices, tested on real users; experimental results show that the proposed authentication scheme attains improved performance. Furthermore, usability evaluation proves that proposed authentication is effective, efficient and convenient for users in mobile environments.
Originality/value: The proposed authentication scheme can be adapted as an effective authentication scheme to accessing critical information using android smartphones.
... However, the system employs GSM besides being vulnerable to man-in-middle and imitation attacks. The security vulnerabilities of two factor authentications in ATM system have been explored in [38] and a three-factor authentication scheme is proposed for providing effective security to ATM banking transactions. However, the system uses a single biometric i.e. fingerprint information in addition to user PIN and smart-card. ...
The growth of online applications used for financial transactions and transferring personal information is increasingly common on internet and in mobile communication. These applications require authenticating legitimate users by assigning digital identities. Static passwords are perhaps most common type of credentials used today to authenticate the users. To avoid tedious task of remembering passwords, users often behave less securely by using low entropy and weak passwords, thus presenting security threats to online services. Various solutions have been provided to eliminate the need of users to create and manage passwords; a typical solution is based on generating one time password (OTP) for a single session or transaction. Unfortunately in most of the general mechanisms used for generating one time password (OTP) randomness of OTP system breaks after certain period of time and hence passwords become predictable. To solve this problem, in this paper a novel OTP generation method has been proposed, which generates OTP from fingerprint features of the user. The OTP produced from the system is secure as it uses fingerprint features in the seed and RIPEMD160 hash function in OTP generation procedure.
... In [12] the author proposed a three-factor authentication mechanism for ATM systems. The third factor in addition to password or PIN (something you know), ATM card (something you have) in their study is fingerprint (something unique about you). ...
Banks and financial institutions all over the world have adopted and continue to adopt Automated Teller Machine (ATM) systems into their transactions to extend banking hours, and also provide convenience for their customers. ATM systems are networked computerized systems, and as the case is in these systems, their security must be given the highest priority. Among the many strategies for ensuring secured networked systems, authentication is very important. Authentication is the process of verifying the identity of a user or a process that attempts to access information resources from a system. Good authentication methods and schemes are one of the best standard ways of implementing security on computerized systems. The importance of selecting an environment appropriate authentication method is perhaps the most crucial decision in designing secure systems. Authentication protocols are capable of simply authenticating the connecting party or authenticating the connecting party as well as authenticating itself to the connecting party. The verification process is usually based on authentication factors like facts, characteristics, behaviors, or knowledge known only to both the claimant and the verifier. Based on these authentication factors, authentication is classified into knowledge-based (KBA), token-based (TBA) and biometrics-based (BBA) authentications. In this paper, we designed and implemented a hybrid and secure cost-effective authentication framework for ATM systems based on the strengths of the three main authentication classifications.
... The use of token and GSM are prone to theft, the incorporation of third party could breach the security of the system. Similar three factor authentication system was proposed by Oruh in [8]. The proposed technique includes: the password, ATM card and fingerprint which improves the security of the ATM system. ...
Security is a vital issue in the usage of Automated Teller Machine (ATM) for cash, cashless and many off the counter banking transactions. Weaknesses in the use of ATM machine could not only lead to loss of customer's data confidentiality and integrity but also breach in the verification of user's authentication. Several challenges are associated with the use of ATM smart card such as: card cloning, card skimming, cost of issuance and maintenance. In this paper, we present secure bio-cryptographic authentication system for cardless ATM using enhanced fingerprint biometrics trait and encrypted Personal Identification Number (PIN). Fingerprint biometrics is used to provide automatic identification/verification of a legitimate customer based on unique feature possessed by the customer. Log-Gabor filtering algorithm was used for enhancing low image quality and effect of noise on feature extracted from customer's fingerprint minutiae. Truncated SHA 512/256 hash algorithm was used to secure the integrity and confidentiality of the PIN from sniffers and possible adversary within the channel of remote ATM banking transactions. Performance evaluation was carried out using False Acceptance Rate (FAR), False Rejection Rate (FRR) metrics and Collision Attack was performed on the Truncated SHA-512/256 hashed data (PIN). Results of the system performance shows Genuine Acceptance Rate (1-FRR) of 97.5% to 100%, Equal Error Rate of 0.0015% and Collision Attack carried out on the encrypted PIN message digest gave an unsuccessful attack. Therefore, the results of performance evaluation show the applicability of the developed system for secure cardless ATM transaction.
... However, the system employs GSM besides being vulnerable to man-in-middle and imitation attacks. The security vulnerabilities of two-factor authentication in ATM system have been explored in a research 21 , and a three-factor authentication scheme is proposed for providing effective security to ATM banking transactions. However, the system uses a single biometric, i.e., fingerprint information in addition to user PIN and smart-card. ...
The problem of Automated Teller Machine (ATM) frauds is global in nature and its consequences on bank patronage should be of concern to the stakeholders in banks. This paper investigates the dimensions of ATM frauds in Nigeria and proffer solutions that will mitigate the ATM frauds in the Nigerian banking system. The paper employs both primary and secondary data to investigate the ATM frauds in Nigerian banks. The chi-square statistical technique was used to analyze the data and test the hypothesis raised. The paper concludes that both bank customers and bankers have a joint role to play in stopping the perpetrators of ATM frauds in the banks. Card jamming, shoulder surfing and Stolen ATM cards constitute 65.2% of ATM frauds in Nigeria.
As part of the security within distributed systems, various services and resources need protection from unauthorized use. Remote authentication is the most commonly used method to determine the identity of a remote client. This paper investigates a systematic approach for authenticating clients by three factors, namely password, smart card, and biometrics. A generic and secure framework is proposed to upgrade two-factor authentication to three-factor authentication. The conversion not only significantly improves the information assurance at low cost but also protects client privacy in distributed systems. In addition, our framework retains several practice-friendly properties of the underlying two-factor authentication, which we believe is of independent interest.
We begin by highlighting several challenges banks will face as the core of their business. The customers are shifting online purchasing (credit/debit cards). The footfall at branches is reduced considerably. The need is necessary changes on a very broad front. The needs and responses can be assessed only through data analysis, AI applications and such. There is no need for every bank in the public sector to reinvent the wheel. There should be ONE well-staffed research center for the PSUs.
While biometric systems aren't foolproof, the research community has made significant strides to identify vulnerabilities and develop measures to counter them.
The idea of white-collar crime was first introduced by Edwin H. Sutherland during his presidential address at the American Sociological Society Meeting in 1939. He raised concern over the criminological community's preoccupation with the low status offender and "street crimes" and the relative inattention given to the offenses perpetrated by people in higher status occupations. In his book, White Collar Crime, Sutherland explained further that white-collar crime "may be defined approximately as a crime committed by a person of respectability and high social status in the course of his occupation" (p. 9). Unfortunately, this definition seemed to spark more debate rather than further delineate the range of criminal behaviors that constitute white-collar crime. People continue to focus on the word "approximately" and use that as a basis to stretch or shrink the scope of white-collar crime to serve their purposes. Currently, the definition of white-collar crime is still hotly contested within the community of experts. Although there is a multitude of variations, there appears to be three major orientations: those that define white-collar crime by the type of offender (e.g., high socioeconomic status and/or occupation of trust); those that define it in terms of the type of offense (e.g., economic crime); and those that study it in terms of the organizational culture rather than the offender or offense. Additionally, there are also those that confine the definition mainly to economic crime, as well as others that include other corporate crimes like environmental law violations and health and safety law violations. The Federal Bureau of Investigation has opted to approach white-collar crime in terms of the offense. The Bureau has defined white-collar crime as ". . . those illegal acts which are characterized by deceit, concealment, or violation of trust and which are not dependent upon the application or threat of physical force or violence. Individuals and organizations commit these acts to obtain money, property, or services; to avoid the payment or loss of money or services; or to secure personal or business advantage." (USDOJ, 1989, p. 3.) Some experts have criticized defining white-collar crime in terms of type of offense because this definition emphasizes the nature of the acts rather than the background of the offender. Within the FBI definition, there is no mention of the type of occupation or the socioeconomic position of the "white-collar" offender.
The aim of this paper is to identify the features or dimensions that customers use to assess the quality of a virtual service or operation. It will focus on identifying those characteristics that are perceived by customers as a necessity in achieving customer satisfaction in a virtual operation.
This paper proposes two ID-based password authentication schemes, which does not require a dictionary of passwords or verification tables, with smart card and fingerprint. In these schemes, users can change their passwords freely. For a network without synchronization clocks, the proposed nonce-based authentication scheme can withstand message replay attacks. The proposed two schemes require a system to authenticate each user by each user's knowledge, possession, and biometrics, and this feature makes our schemes more reliable.
Roli, B., Priti, S. and Punam, B. (2011). Minutiae Extraction from Fingerprint Images. International Journal of Computer Science Issues, Vol. 8, Issue 5, No. 3. ISSN (online): 1694-0814. www.IJCSI.org
Brunner, A., Decressin, J. and Kudela, B. (2004). Germany's three-pillar banking system - cross-country perspectives in Europe. Occasional Paper, International Monetary Fund, Washington DC.
Diebold, I. (2002). ATM fraud and security: White Paper, New York.