It is known for a variety of unattended PIN entry devices (PEDs) to include an encryption keyboard/keypad for a customer to enter a PIN code in a secure manner. Such a keypad is known in the art as an Encrypting PIN pad (or EPP) and may include only a secure PIN entry device and rely upon external displays and card readers of the PED. Alternatively, an EPP may include a secure PIN entry device and a built-in display and/or card reader.
Known PEDs include Self-Service Terminals (SSTs), such as Automated Teller Machines (ATMs), automated fuel dispensers, kiosks and vending machines, or the like. An ATM typically requires a customer to enter a secure PIN code via an EPP in the ATM for authorising a customer transaction at the ATM. Working cryptographic keys and master keys of the financial institution owning the ATM, for example, are also typically stored in core processing components of an EPP. People with malicious intent have been known to probe into an EPP in an attempt to capture customer PIN codes when they are entered, or even read working cryptographic keys and master keys of the financial institution, thereby placing customers' money (and the financial institution's money) at risk. Accordingly, the physical and logical design and manufacture of EPPs must adhere to increasingly strict requirements, regulations and certifications.
EPPs have a clearly defined physical and logical boundary and a tamper-resistant or tamper-evident shell. An EPP conventionally includes a keyboard panel, a lining plate, keys, a water-resistant sealing layer, a main control board and a base plate. The EPP is assembled by stacking up these components in sequence.
EPPs are also tamper responsive in that they will destroy critical information if the EPP is tampered with, thereby preventing the critical information, such as encryption keys, from being disclosed to an attacker.
EPPs include different mechanisms to detect tampering. One type of tamper detection mechanism is for an EPP to include a probing detection and protection circuit which, in the event of a front side attack on the EPP (that is, an attempt to tamper with the EPP from the keypad side of the overall unit), outputs a self-destruct signal enabling a self-destruct function of the EPP to prevent the attacker from accessing confidential information stored in the EPP. However, such conventional systems can be bypassed or damaged to gain access to the main control board.
Another type of tamper detection mechanism is for an EPP to include a number of separation switches to indicate a tamper should the keypad, and other internals of the EPP, become separated from the EPP body. However, such switches are not perfectly protected from a front side attack on the EPP. Such attacks can be made to remove the EPP keys and either glue down the separation switches or inject electrically conductive ink under each switch to maintain contact when the EPP keypad and internals are separated from the EPP body.
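The tamper-responsive behaviour described above can be sketched as firmware logic; this is an added example, not code from the original document or from any EPP vendor. The structure names, the switch count and the key length are assumptions. The logic sees only the electrical state of each sensor, so a separation switch that is held closed reads as normal, which is the limitation noted above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 16            /* assumed key size */
#define NUM_SEP_SWITCHES 4    /* assumed; the text says only "a number of" */

/* Hypothetical sensor snapshot; field names are illustrative. */
struct tamper_inputs {
    bool probe_detected;                   /* probing detection circuit output */
    bool switch_closed[NUM_SEP_SWITCHES];  /* true = keypad seated on the body */
};

struct epp_state {
    uint8_t master_key[KEY_LEN];
    uint8_t working_key[KEY_LEN];
    bool tampered;                         /* latched: never cleared once set */
};

/* Load constructed (non-secret) key bytes for the demonstration. */
void epp_init(struct epp_state *s, uint8_t fill) {
    memset(s->master_key, fill, KEY_LEN);
    memset(s->working_key, fill, KEY_LEN);
    s->tampered = false;
}

/* Volatile writes so the compiler cannot optimise the wipe away. */
static void secure_zero(uint8_t *buf, size_t len) {
    volatile uint8_t *p = buf;
    while (len--) *p++ = 0;
}

/* Evaluate one sensor snapshot; returns true once the device is tampered. */
bool tamper_poll(struct epp_state *s, const struct tamper_inputs *in) {
    bool event = in->probe_detected;
    for (size_t i = 0; i < NUM_SEP_SWITCHES; i++)
        if (!in->switch_closed[i]) event = true;   /* keypad separated */
    if (event && !s->tampered) {
        secure_zero(s->master_key, KEY_LEN);       /* self-destruct of secrets */
        secure_zero(s->working_key, KEY_LEN);
        s->tampered = true;
    }
    return s->tampered;
}

/* Key use is refused after a tamper event, even if sensors read normal again. */
const uint8_t *epp_working_key(const struct epp_state *s) {
    return s->tampered ? NULL : s->working_key;
}
```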