1. Field of the Disclosure
Embodiments of the disclosure relate in general to the field of computers and similar technologies, and in particular to software utilized in this field. Still more particularly, it provides a system, method, and computer-usable medium for authenticating an unknown financial transaction terminal.
2. Description of the Related Art
Identity theft is an ongoing problem for both consumers and financial institutions, and its perpetrators continue to become more sophisticated in their use of technology. One such scam is Automated Teller Machine (ATM) spoofing, where identity thieves place a fake but realistic-looking automated teller machine in a busy location. The unsuspecting account holder inserts their card and enters their personal identification number (PIN), only to be told either that the machine is out of order or that the network is down. In reality, the fake ATM has captured their account and personal identification information, which is then used by the identity thieves at legitimate ATMs to illegally withdraw funds from the victim's financial account.
The underlying issue is that the consumer is unable to determine whether an ATM is authentic or not. If they cannot, they may unknowingly give away their identity information. Another, less obvious issue is whether a financial institution can determine the authenticity of an ATM that is attached to its financial network. The spoofing of network addresses is well known, and a known network address assigned to an ATM is now insufficient to prove the authenticity of the ATM. Furthermore, ATMs are increasingly using wireless networks for connectivity. The combination of network address spoofing and wireless network connectivity presents additional challenges to authenticating an ATM.
Known approaches for proving the authenticity of a financial institution during an online session include the display of a shared secret to the account holder. In these approaches, the user's computing device is typically identifiable by the financial institution. Once the computing device is identified and authenticated, the shared secret is presented to the user, and authentication information, such as a Personal Identification Number (PIN) or password, is requested. However, this is currently not the case for public ATMs. A shared secret provided by a financial institution to a fake ATM can be captured in addition to the user's account number and PIN. As a result, the user's financial and online identity is subject to further compromise.