Increasingly consumers are conducting financial transactions through Self-Service Terminals (SSTs) without the assistance of a clerk. In fact, in many cases these transactions are conducted without any individual in the vicinity of the SSTs; other than, perhaps, a security camera integrated into the SSTs or in proximity to the SSTs.
The most common SST transaction occurs by a customer at an Automated Teller Machine (ATM). Contrary to what the general public believes, ATMs can be compromised and in some ways in a manner that takes advantage of inherent security holes of existing ATMs.
For example, in a typical ATM transaction a customer inserts a bank card into a card reader and then enters a Personal Identification Number (PIN) into an encrypted PIN keypad. Software on the ATM receives that encrypted information, which the ATM software cannot decrypt and sends it to an appropriate backend financial system for authentication. The financial sends returns an authorization code to the ATM software and the customer selects and account and an amount to withdraw. This is then sent to the financial system for verification. Again, the financial system returns an authentication. Next, the ATM sends a dispense command to a dispenser and the dispenser dispenses the currency amount associated with the withdrawal.
In the above scenario, if the ATM software can be replaced or modified then the amount for withdraw sent to the dispenser can be changed or can be repeated multiple times; thereby fraudulently depleting the ATM of all its currency. Such fraudulent depleting is of particular concern to the owners and operators of the ATMs because the financial system tied to a transaction may only honor the initial authorized amount for withdrawal, leaving the ATM owner and operator with no recourse to recoup the stolen funds.