The device is in particular an automated teller machine, an automatic cash system, an automatic cash safe and/or a payment terminal which is used, for example, in retail businesses or in restaurants for cashless payment of the billed amount via a magnetic stripe and/or chip card, in particular an EC or credit card. In known devices, a user inserts a magnetic stripe card and/or chip card into a slot provided for this purpose. By means of a reading unit, data via which the user is authenticated are read out from the magnetic stripe and/or chip card. The devices comprise a display unit via which the user is requested to enter a personal identification number, a so-called PIN, wherein the entry of the PIN shall guarantee that the user is indeed authorized to withdraw cash and/or to pay by means of the inserted magnetic stripe and/or chip card. The user then enters the PIN via a keypad provided for this purpose, in particular via a so-called Encrypted Pin Pad (EPP).
What is problematic with this entry of the PIN via the keypad is that an EPP keypad, the purchasing price of which is relatively high, has to be specially provided for this purpose to guarantee that the entered PIN cannot be intercepted. Further, for the EPP keypad installation space has to be provided which is already very limited in the afore-mentioned devices. In addition, such EPP keypads are susceptible to skimming attempts since additional keypads via which the PIN is spied out can easily be mounted thereon.
From the document DE 10 2008 014 324 A1, a self-service terminal is known which comprises an operating unit and a cover with recesses enclosing the operating unit.
From the document DE 10 2008 021 046 A1, a method for commencing operation of a keypad of a self-service terminal is known.
From the document U.S. Pat. No. 6,317,835 B1, a system for selectively generating encrypted and non-encrypted data is known.
It is the object of the invention to specify a device for reading magnetic stripe and/or chip cards, which enables a secure entry of a personal identification number.
By encrypting the second data which comprise information about the position of the touch of the display area by means of the touch module and by transmitting these data to the security module in an encrypted manner, it is achieved that the position of the touch is encrypted directly by the touch module so that the information about the position of the touch is not transmitted in a non-encrypted manner. Thus an interception of the non-encrypted information and thus conclusions on the digit of the personal identification number identified by the position of the touch or on the complete personal identification number are prevented. In this way, a secure entry of the PIN is made possible. By transmitting the first data with information for displaying a keypad by means of the display unit from the security module to the display unit, it is guaranteed that the information displayed by means of the display unit cannot be manipulated and the keypad for entering the PIN is only displayed when this is actually required for the transaction.
The touch module preferably comprises a processing unit, in particular a processor, which encrypts the second data. The touch module preferably has a separate crypto-processor by means of which the data are encrypted. By crypto-processor is in particular understood a chip or microprocessor which combines in itself the basic functions for the secure data communication such as cryptography, authentication and administration of crypto keys.
The device is in particular a device for handling notes of value, for example an automated teller machine, an automatic cash safe and/or an automatic cash system. Further, the device can also be a payment terminal, for example a terminal for cashless payment in retail stores and/or in the catering trade. In addition, the device can also be a statement printer and/or an information terminal in a bank branch.
The device comprises in particular a reading device into which the magnetic stripe or chip card is inserted and which reads out data from the magnetic stripe or chip card. After reading out the data, the user of the device is requested in particular via the display unit to enter the PIN to thus ensure that the user is authorized to use the magnetic stripe and/or chip card.
The display area on which the position of the touch is detected can be formed by a pane of the display unit and/or a separate pane of the touch module. Further, the display unit and the touch module can be integrally formed in the form of a touchscreen. The determination of the position of the touch via the sensor takes place in particular optically, resistively, capacitively and/or inductively.
The touch module can in particular be a resistive touch module, in which the sensor comprises two conductive layers arranged in front of the display unit, wherein a voltage is applied to at least one of these layers and the voltages are determined at the edges of the at least one layer. Dependent on these determined voltages, the position of the touch is detected in particular by means of the processing unit of the touch module. One of the two layers can in particular be formed by the pane.
Alternatively, the touch module can also be a capacitive touch module which comprises a pane that is coated with a transparent metal-oxide layer. At the edges of the coating, an electric voltage is applied which generates a uniform electric field. By touching the pane, small currents are generated which are measured at the edges. The resulting currents are directly related to the position where the pane of the touch module is touched by the user. The pane may also be a pane of the display unit.
In a further alternative embodiment, also a touch module can be provided that determines the position of the touch by means of infrared light. In this case, the touch module comprises diodes that emit infrared light and generate a grid of infrared beams across the pane. Opposite to the diodes that emit infrared light, diodes that detect infrared light are provided which receive the emitted infrared beams if these are not interrupted. When the pane is touched, at least a part of the emitted infrared beams is interrupted so that some of the detecting diodes detect no or substantially less infrared radiation. Dependent thereon, the position of the touch is determined in particular by means of the processing unit.
The first data and/or the second data can also be transmitted in the form of signals. By arranging the touch module in front of the display unit it is in particular understood that the touch module is arranged in front of a display area of the display unit. The detection area of the touch module for detecting the touch is preferably arranged between the display unit and the user.
In a preferred embodiment of the invention, the security module encrypts the first data and transmits these encrypted data to the display unit. This ensures that a manipulation of the first data and thus the manipulation of the information displayed by means of the display unit are prevented or at least made more difficult. In particular, this prevents that a keypad with the request for PIN entry is displayed on the display unit with intent to defraud.
The touch module in particular determines a first and/or a second coordinate of the position of the touch of the display area and determines a first transmission value by adding a first offset value to the first coordinate and/or a second transmission value by adding a second offset value to the second coordinate. The second data comprise information about the first transmission value and/or the second transmission value. By adding the offset values it is achieved that not the actual coordinate but a modified numerical value is transmitted. This ensures that no conclusions can be drawn from the transmission values on the position of the touch of the display area. In particular, only by means of the transmission values, without the offset values, no conclusions can be drawn on the digit or, respectively, the PIN entered via the touch module.
The security module preferably determines the first offset value and/or the second offset value, in particular by means of a random number generator. This ensures that the coordinates of different touches of the display area, in particular even every coordinate of different touches of the display area, are falsified with a different offset value so that a higher degree of security is obtained. The security module transmits third data with information about the first offset value and/or the second offset value to the touch module before the display area is touched. The transmission in particular takes place in an encrypted manner so that the offset values cannot be intercepted. The encrypted offset values are in particular decrypted by the processing unit of the touch module. Thus, the degree of security is increased even further. In particular each digit of a PIN is encrypted with different offset values.
The encryption of the first, the second and/or the third data preferably takes place by means of a stored encryption algorithm, in particular by means of a Data Encryption Standard (DES) encryption algorithm. Thus, the data transmission security is increased further. In a particularly preferred embodiment of the invention, the encryption of the data takes place both by the addition of the offset values and by the execution of the stored encryption algorithm so that a double encryption of the transmitted data is given. Thus, a very high degree of data security is obtained.
The encryption of the first, the second and/or the third data preferably takes place by means of the same encryption algorithm. In an alternative embodiment of the invention, the security module can encrypt the first and/or the third data also with an encryption algorithm different from the encryption algorithm with which the touch module encrypts the second data.
The security module preferably decrypts the second data received from the touch module and determines the first coordinate by subtracting the first offset value from the first transmission value and/or the second coordinate by subtracting the second offset value from the second transmission value. Thus, it is achieved that in the security module the position of the touch of the display area and consequently the entered digit can be determined via the coordinates.
The first data transmitted from the security module to the touch module in particular comprise information about the position where the keypad is to be displayed on the display unit. The first data comprise in particular a first coordinate and a second coordinate of a preset point of the keypad, in particular of the center of the keypad. The position where the keypad is displayed on the display unit is determined by the security module in particular by means of a random process. For this, the first coordinate and the second coordinate are preferably determined by means of a random number generator. This ensures that the keypad is displayed at different positions of the display unit in the case of different entries of PIN numbers. By this change in the position of the keypad on the display unit it is made impossible for people who try to spy out the PIN with intent to defraud to draw a conclusion on the digit of the PIN entered by the touch on the basis of the position where the display area is touched. In particular, it is thus prevented that a further unit for determining the position of the touch of the display area is attached with intent to defraud to the display area, via which further unit the people who commit the fraud try to obtain the PIN.
For this, the security module controls the display unit such that the display unit displays the keypad at a first position in the case of a first PIN entry and displays it at a second position different from the first position in the case of a second PIN entry.
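The offset exchange and the randomly positioned keypad described above can be followed end to end in the sketch below, which is an added example and not code from the patent. The screen geometry, key layout, class and function names are constructed for illustration; the sums are reduced modulo a fixed value (an assumption, the text only says the offset is added) so that each transmission value is uniformly distributed, and the additional cipher layer the text describes is omitted.

```python
import secrets
from dataclasses import dataclass

# Constructed geometry and ranges (assumptions, not values from the text).
SCREEN_W, SCREEN_H = 1024, 768
KEY_W, KEY_H = 80, 60                  # size of one key in pixels
LAYOUT = ["123", "456", "789", " 0 "]  # rows of the displayed keypad
MOD = 1 << 16                          # offsets and sums live in [0, MOD)


@dataclass
class Keypad:
    cx: int  # first coordinate of the keypad centre
    cy: int  # second coordinate of the keypad centre

    def origin(self):
        return self.cx - 3 * KEY_W // 2, self.cy - 4 * KEY_H // 2

    def key_centre(self, digit):
        """Position a user touches to enter `digit` on this keypad."""
        if len(digit) != 1 or not digit.isdigit():
            raise ValueError(f"no key for {digit!r}")
        x0, y0 = self.origin()
        r = next(i for i, row in enumerate(LAYOUT) if digit in row)
        c = LAYOUT[r].index(digit)
        return x0 + c * KEY_W + KEY_W // 2, y0 + r * KEY_H + KEY_H // 2

    def digit_at(self, x, y):
        """Map a touch position to a digit, or None if it misses every key."""
        x0, y0 = self.origin()
        col, row = (x - x0) // KEY_W, (y - y0) // KEY_H
        if 0 <= row < 4 and 0 <= col < 3 and LAYOUT[row][col] != " ":
            return LAYOUT[row][col]
        return None


class SecurityModule:
    def new_pin_entry(self):
        # First data: a random keypad centre, kept fully on screen.
        self.keypad = Keypad(
            3 * KEY_W // 2 + secrets.randbelow(SCREEN_W - 3 * KEY_W + 1),
            2 * KEY_H + secrets.randbelow(SCREEN_H - 4 * KEY_H + 1))
        return self.keypad

    def next_offsets(self):
        # Third data: fresh offsets for every digit, sent before the touch.
        self.offsets = (secrets.randbelow(MOD), secrets.randbelow(MOD))
        return self.offsets

    def receive(self, tx, ty):
        # Subtract the offsets, discard them, then hit-test the keypad.
        ox, oy = self.offsets
        self.offsets = None
        return self.keypad.digit_at((tx - ox) % MOD, (ty - oy) % MOD)


class TouchModule:
    def load_offsets(self, offsets):
        self.offsets = offsets

    def report(self, x, y):
        # Second data: transmission values instead of the raw coordinates.
        ox, oy = self.offsets
        return (x + ox) % MOD, (y + oy) % MOD


def enter_pin(pin):
    """Run one PIN entry; return the recovered PIN and the values on the wire."""
    sm, tm = SecurityModule(), TouchModule()
    keypad = sm.new_pin_entry()
    recovered, wire = "", []
    for digit in pin:
        tm.load_offsets(sm.next_offsets())
        wire.append(tm.report(*keypad.key_centre(digit)))
        recovered += sm.receive(*wire[-1])
    return recovered, wire
```

Entering the same digit repeatedly yields different transmission values each time, because the offsets are renewed per digit.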
The touch module and the security module are preferably connected to each other via a first cable connection, in particular by means of a USB cable. The display unit and the security module are preferably connected to each other via a second cable connection, in particular by means of a USB cable and/or a DVI cable. By connecting the security module to the touch module or, respectively, to the display unit via a wired connection, a higher degree of security is obtained compared to a wireless data transmission. Further, it is advantageous when a first sensor for determining an interruption of the first cable connection and/or a second sensor for determining an interruption of the second cable connection are provided. Thus, manipulation attempts, in particular the interposition of a unit for reading out the data transmitted via the respective cable connection can be detected and thus manipulation attempts can be prevented. When the first sensor and/or the second sensor detects an interruption of the first or, respectively, the second cable connection, preferably an alarm is set off so that a user's attention is drawn to the manipulation attempt. Further, when an interruption of the first and/or the second cable connection is detected, a red display element, for example an LED can be illuminated or a display area provided for this and/or a display element provided for this can be activated so that the user's attention is drawn to the manipulation. Alternatively, it is possible that in the case of an interruption of the first and/or the second cable connection the device is switched into a malfunction mode in which a PIN entry is not possible.
It is advantageous when the touch module comprises a memory element in which data for the unambiguous identification of the touch module, in particular a serial number, are stored. These data will be read out by the security module at preset intervals or continuously, and the security module will determine the presence of the touch module dependent on these read-out data. In a particularly preferred embodiment of the invention, the security module compares the read-out serial number with a preset desired serial number. When the read-out serial number and the desired serial number are not identical and/or when the security module cannot determine any serial number at all, the non-presence of the display unit is thus detected.
Further, it is advantageous when also the display unit comprises a memory element in which data for the unambiguous identification of the display unit are stored. These data are likewise read out by the security module at preset intervals or continuously, and the security module determines the presence of the display unit dependent on the read-out data. In the memory element of the display unit a serial number is in particular stored which is compared to a preset desired serial number by the security module.
The memory element of the touch module and/or the memory element of the display unit are preferably connected via a respective Inter Integrated Circuit (I2C) bus to the security module. As a result thereof, an easy, tamper-proof connection is established.
Further, it is advantageous when the touch module and/or the display unit are mounted on a housing of the device in an installation position and when a first anti-removal switch and/or a second anti-removal switch are provided. By means of the first anti-removal switch the removal of the touch module from the installation position can be determined, and by means of the second anti-removal switch the removal of the display unit from the installation position can be determined. For this, the first anti-removal switch opens a closed electric circuit or closes an open electric circuit when the touch module is removed from its installation position. By opening or, respectively, closing the electric circuit, the security module detects the removal of the touch module from the installation position. Accordingly, the second anti-removal switch opens the same or another closed electric circuit or, respectively, closes the same or another open circuit when the display unit is removed from the installation position. The security module detects the removal of the display unit from the installation position dependent on the opening or, respectively, closing of the electric circuit. Thus, by means of the anti-removal switches it can easily be determined when the touch module and/or the display unit are removed from the installation position so that manipulation attempts can be determined easily and promptly. In an alternative embodiment, also only one anti-removal switch can be provided, by means of which both the removal of the touch module from the installation position and the removal of the display unit from the installation position are detectable.
Further, it is advantageous when the security module determines whether the device is operated in a secure operating mode or in a non-secure operating mode. The device is in particular operated in the secure operating mode when data are transmitted between the security module and the touch module in an encrypted manner, the data are transmitted between the security module and the display unit in an encrypted manner, the first cable connection is not interrupted, the second cable connection is not interrupted, the display unit is arranged in the installation position and/or the touch module is arranged in the installation position.
The secure operating mode is in particular the mode which is provided for the entry of the PIN. In a particularly preferred embodiment of the invention, the PIN entry is only possible when the device is actually operated in the secure operating mode.
The security module controls the display unit in particular such that it is displayed via the display unit in which operating state the device is operated. This ensures that a user of the device can identify the operating mode and, if the non-secure operating mode is displayed, the user can refrain from entering the PIN. Thus, protection against spying out of the PIN is increased. The display unit in particular shows a red and a green area, wherein, when the device is operated in the secure operating mode, the green area is displayed in bright green and the red area is displayed in dark red, whereas the green area is displayed in dark green and the red area is displayed in bright red when the device is operated in the non-secure operating mode. In an alternative embodiment of the invention, also lamps arranged outside the display unit, in particular LEDs, can be provided via which the operating mode is displayed. Additionally or alternatively, the operating mode can also be identified via a warning sound, in particular a warning sound can be activated in the non-secure operating mode.
Further, it is advantageous when the security module controls the display unit such that it displays information by which a user of the device is requested to only enter the PIN in the secure operating mode. This prevents that the user inadvertently ignores the operating mode in which the device is operated, and thus it is prevented that the user inadvertently enters the PIN in the non-secure operating mode.
Further, it is advantageous when a privacy protection film is applied to at least a partial area of the display unit, by which film the information displayed by means of the display unit can only be read from a preset viewing distance range and/or a preset viewing angle range. The viewing distance range and the viewing angle range are in particular preset such that only a user directly in front of the display unit can read the displayed information. This makes it more difficult to spy out the PIN, as the spying person can indeed see which position of the display area is touched by the user entering the PIN, but cannot see which digit is displayed at this position of the display unit. The privacy protection film in particular forms a polarization filter.
Further, it is advantageous when at least on one side of the display unit at least one mechanical privacy protection element is arranged for preventing that the entry of the PIN is spied out. In particular, such a mechanical privacy protection element is provided on at least three sides of the display unit. The privacy protection element prevents or makes it more difficult that a spying person can see at which position the user touches the display unit.
The device can in particular comprise a control unit for controlling the security module, the control unit being connected to the security module via at least one data transmission connection, preferably a wired data transmission connection. The control unit further serves to control further units of the device, for example to control a reading unit for reading out the magnetic stripe and/or chip card. By interposing the security module between the control unit and the touch module, it is achieved that the control unit has no direct access to the display unit and the touch module so that even if a person succeeds in obtaining access to the control unit, this does not allow any access to the entered PIN, and the display unit and the touch module can likewise not be manipulated such that the PIN can be determined. Thus, the security is increased.
In the non-secure operating mode, the security module forwards data generated by the control unit for controlling the display unit to the display unit in an unchanged form so that in the case of non-security relevant entries the computing expenditure of the security module is minimized. On the other hand, in the secure operating mode the security module exclusively forwards self-generated data to the display unit. This ensures that in the secure operating mode possible manipulations of the control unit have no influence on the display of the display unit. The security module comprises in particular a DVI switch via which in the non-secure operating mode the data transmission connection from the control unit to the security module is directly connected to a data transmission connection from the security module to the display unit, in particular to the second cable connection. In the secure operating mode, the afore-described data transmission connection between the control unit and the display unit is interrupted by the DVI switch.
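The operating-mode decision and the display routing described above can be modelled as a small fail-closed state machine. The following is an added example, not code from the patent: the class, field and condition names are constructed, the serial numbers are placeholders, and it assumes that all listed conditions must hold together for the secure operating mode (the text joins them with "and/or").

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Inputs:
    """One poll of the tamper inputs (constructed model of the signals)."""
    touch_serial: Optional[str]    # None: no serial number could be read
    display_serial: Optional[str]
    touch_cable_ok: bool           # first cable connection not interrupted
    display_cable_ok: bool         # second cable connection not interrupted
    touch_in_place: bool           # first anti-removal switch
    display_in_place: bool         # second anti-removal switch
    links_encrypted: bool          # both links carry encrypted data


class ModeController:
    def __init__(self, desired_touch_serial, desired_display_serial):
        self.desired = (desired_touch_serial, desired_display_serial)
        self.secure = False        # device starts in the non-secure mode

    def failures(self, s):
        """Names of every violated condition; an empty list means all clear."""
        checks = [
            # An unreadable serial counts as "module not present".
            ("touch module serial",
             s.touch_serial is not None and s.touch_serial == self.desired[0]),
            ("display unit serial",
             s.display_serial is not None and s.display_serial == self.desired[1]),
            ("first cable connection", s.touch_cable_ok),
            ("second cable connection", s.display_cable_ok),
            ("touch module installation position", s.touch_in_place),
            ("display unit installation position", s.display_in_place),
            ("encrypted transmission", s.links_encrypted),
        ]
        return [name for name, ok in checks if not ok]

    def request_pin_entry(self, s):
        """Enter the secure mode only if every condition holds."""
        self.secure = not self.failures(s)
        return self.secure

    def poll(self, s):
        """Periodic check; any failure drops the device out of secure mode."""
        failed = self.failures(s)
        if failed:
            self.secure = False
        return failed

    def route(self, control_frame, own_frame):
        """Display path: pass-through when non-secure, own frames when secure."""
        return own_frame if self.secure else control_frame

    def pin_entry_allowed(self):
        return self.secure
```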
The control unit executes in particular program data of a first operating system and the security module executes program data of a second operating system different from the first operating system. The operating systems are in particular designed such that they are independent of each other. Thus, the degree of security is increased further. The first operating system is in particular a commercial operating system, whereas the second operating system is an operating system that is specially programmed for the tasks of the security module. This ensures that security vulnerabilities of the commercial operating system have at least in the secure operating mode no effects on the security of the PIN entry.
Further features and advantages of the invention result from the following description which, in connection with the enclosed Figures, explains the invention in more detail with reference to embodiments.