ATM terminals are very widely used, and allow users to withdraw cash and to perform other banking transactions. Usually, in order to withdraw cash a user inserts a financial transaction card, for example a credit or debit card, into an ATM terminal, enters a PIN code, and performs transactions via a sequence of screens displayed on the terminal.
As ATM terminals contain large quantities of cash, they usually include various security mechanisms to discourage theft. For example, ATM terminals are usually constructed to be physically strong and heavy to make removal, or breaking open, of the ATM difficult. More sophisticated anti-tampering mechanisms are also usually provided to ensure that any tampering with the ATM is detected and may cause shutdown of the ATM or generation of an alarm. Many ATMs are embedded within the fabric of a building, for example embedded in an external wall, in order to discourage theft.
ATMs often also include encrypting PIN pads (EPPs). Such EPPs usually include a key entry device for entry of a PIN, which may be an electromechanical or touch-screen device, and an encryption module comprising a processor and a storage device that is operable to encrypt the PIN entered via the key entry device. In operation, the encrypted PIN is usually transmitted, together with other information such as a user or card identifier, via a network to a server associated with a financial institution. The server decrypts the PIN and, if the PIN is correct, sends an authorisation message back to the ATM.
In some known EPPs, a symmetric encryption scheme, for example the Data Encryption Standard (DES), is used to encrypt and decrypt PIN data. According to such schemes, the same key is used at the server and at the EPP to encrypt and decrypt the PIN. In order to program the key into the EPP, portions of the key may be provided to separate people, for example employees of the financial institution, each of whom separately enters their portion of the key into the EPP, where it is stored for future use in encryption and decryption of PIN data.
In other known EPPs, a private key-public key encryption scheme is used to distribute a Master Key to an EPP, rather than relying on key entry in situ by employees of the financial institution. In such EPPs, a private key of a public key-private key encryption scheme may be embedded in the EPP during manufacture. A variety of known private key-public key encryption schemes may be used.
Known EPPs usually comprise a secure housing and a tamper detection system that is operable to detect attempts to tamper with the EPP, for example via physical interference with the secure housing or via attempted interference with, or monitoring of, the internal operation of the device, for example using electro-magnetic radiation. In response to tampering being detected, a key or keys stored at the EPP are deleted automatically. Which key or keys are deleted depends on the type of EPP device.
For example, in embodiments that include an embedded private key stored at manufacture, the symmetric key distributed to the EPP by the server may be deleted in response to detection of tampering, whilst the embedded private key may be retained. Once it has been determined that the EPP has survived the attempted tampering without significant alteration or impairment of operation, a further symmetric key can be encrypted by the server and distributed to the EPP, where it can be decrypted using the embedded private key. Alternatively, the private key may also be deleted, requiring subsequent replacement of the EPP.
In EPPs that rely only on a symmetric key entered, in parts, by two financial institution employees or other operatives, the detection of tampering can trigger deletion of the symmetric key from the EPP. Another symmetric key must then be provided to, and entered by, the financial institution employees or other operatives.
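The tamper responses described above for the two kinds of EPP, written as an added example in C; it is not part of the original text and not any EPP vendor's firmware. The structure, field names, key sizes and recovery codes are hypothetical, and the key bytes are constructed filler.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical EPP key store; names and key sizes are assumptions. */
enum epp_type { EPP_SYMMETRIC_ONLY, EPP_WITH_PRIVATE_KEY };
enum epp_recovery { NEEDS_MANUAL_KEY_ENTRY, NEEDS_REMOTE_KEY, NEEDS_REPLACEMENT };
struct epp_keystore {
    enum epp_type type;
    int erase_private_on_tamper;  /* policy: 1 = EPP is replaced after tamper */
    uint8_t symmetric_key[16];    /* key used to encrypt PIN data */
    uint8_t private_key[32];      /* stand-in bytes for the embedded private key */
};

/* Write through a volatile pointer so the compiler does not discard the
   erase as a dead store, as it may for memset() on a buffer never read again. */
static void zeroize(void *buf, size_t len) {
    volatile uint8_t *p = buf;
    while (len--) *p++ = 0;
}
/* Returns 1 when every byte of the buffer is zero. */
int all_zero(const uint8_t *b, size_t n) {
    uint8_t acc = 0;
    while (n--) acc |= *b++;
    return acc == 0;
}

/* Constructed sample device with non-zero filler in place of real keys. */
struct epp_keystore epp_sample(enum epp_type type, int erase_private) {
    struct epp_keystore ks = { type, erase_private, {0}, {0} };
    memset(ks.symmetric_key, 0xA5, sizeof ks.symmetric_key);
    if (type == EPP_WITH_PRIVATE_KEY)
        memset(ks.private_key, 0x5A, sizeof ks.private_key);
    return ks;
}

/* Tamper response: the symmetric key is always erased; the private key is
   erased only under the replace-on-tamper policy. Returns the recovery path. */
enum epp_recovery epp_on_tamper(struct epp_keystore *ks) {
    zeroize(ks->symmetric_key, sizeof ks->symmetric_key);
    if (ks->type == EPP_SYMMETRIC_ONLY) return NEEDS_MANUAL_KEY_ENTRY;
    if (!ks->erase_private_on_tamper) return NEEDS_REMOTE_KEY;
    zeroize(ks->private_key, sizeof ks->private_key);
    return NEEDS_REPLACEMENT;
}

int main(void) {
    struct epp_keystore ks = epp_sample(EPP_WITH_PRIVATE_KEY, 0);
    return epp_on_tamper(&ks) == NEEDS_REMOTE_KEY ? 0 : 1;
}
```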
It is an aim of the present invention to provide an alternative tamper detection system for user terminals.