Financial transactions are often made using secure electronic devices such as Automatic Teller Machines (ATMs) and Point Of Sale (POS) terminals. In one type of transaction, the user provides a magnetic card to the secure device and a magnetic card reader of the secure device reads information from the card. The user then uses a keypad on the secure device to enter a Personal Identification Number (PIN) or other security information. If the PIN number or other security information entered is correct for the information read from the magnetic card, then the user is allowed to engage in a financial transaction.
In one type of security attack, a thief does not interfere with the financial transaction the user is making, but rather monitors the transaction and learns the user's PIN number and its associated magnetic card information. The thief can then use this information later to steal money from the user.
In one kind of attack, a thief places a small inconspicuous auxiliary card reading device in line with the real magnetic card reader of the security device. As the user swipes a magnetic card through the magnetic card reader of the security device, the card also passes through the auxiliary reader. The thief also foils anti-tamper circuitry of the security device and gains access to the backside of the keypad within the security device. There the thieves couple wires to the row and column wires of the row line/column line matrix. These wires are made to extend to an auxiliary monitoring device that the thief places inside the security device. As keys on the keypad are pressed, the auxiliary device senses the changing signals on the row and column lines of the row line/column line matrix and decodes these signals to determine which keys the user pressed. In this way the auxiliary monitoring device determines the user's PIN number. Also wires from the auxiliary card reading device are coupled to this auxiliary device so that the auxiliary monitoring device also stores information read from the user's magnetic card. The secure device with the auxiliary monitoring device is placed back in the field for unsuspecting users to use. As the unsuspecting users use the secure device, the auxiliary device within the secure device learns and records their PIN numbers and magnetic card information. At some later time the thief returns or otherwise reads the stolen PIN and magnetic card information from the auxiliary monitoring device. The thief then uses the PIN and magnetic card information to steal money from the users.
FIG. 1 (Prior Art) is a simplified diagram of a keypad of a secure device. In this example, the keypad 1 has three horizontally extending row lines designated R0-R2, three vertically extending column lines designated C0-C2, and three pullup resistors 2-4. At each intersection where a row line crosses a column line a key switch is provided. Key switch 5, for example, is located at the intersection of row line R1 and column line C1. If the key switch is pressed, then the switch makes an electrical connection between row line R1 and column line C1. The other key switches work in a similar fashion.
FIG. 2 (Prior Art) illustrates how the secure device scans the keypad to determine when a key is pressed and which key is pressed. A key scanning circuit drives low pulses out on the row lines, one by one, in sequence. When a row line is driven with a low pulse, the key scanning circuit monitors the column lines. If a column line exhibits a low pulse, then it is determined that the switch at the intersection of the currently driven row line and the column line is being pressed. FIG. 2 illustrates an example in which a low pulse is driven out on row line R0 at time T1, in which a low pulse is driven out on row line R1 at time T3, and in which a low pulse is driven out on row line R2 at time T5. When row line R1 is driven low, the column line C1 is detected to be low. It is therefore determined that the switch 5 at the intersection of row line R1 and column line C1 is pressed.
In the example of the thief described above, the thief places auxiliary monitoring device 6 in the secure device (for example, in the ATM) and hooks the auxiliary monitoring device via tap wires 7 to the row and column lines as illustrated. The auxiliary monitoring device then monitors the voltages on the row and column lines and determines which keys are pressed in the same way, and along with, the legitimate key scanning circuitry of the secure device. Methods and structures are sought to prevent this type of attack or to make carrying out this type of attack more difficult and/or expensive.
U.S. Pat. No. 4,926,173 discloses a keyboard apparatus that scans column lines and monitors row lines. The apparatus sometimes drives one or more row lines during a key scan read operation, thereby simulating one or more key presses. These simulated key presses make it more difficult for a thief who might be monitoring the row lines and column lines as in FIG. 1 to differentiate genuine key presses from simulated key presses. In addition, the apparatus randomizes the column line scan order so that when a column is being scanned is not so apparent. Moreover, the apparatus randomizes the driving of row lines with simulated key presses during row line reading thereby further complicating an unauthorized key press decoding. The key scanning circuit of U.S. Pat. No. 4,926,173, however, has shortcomings. An alternative and/or improved key scanning circuit and technique is desired.