INTRODUCTION
The fourth phase of ATM development occurred during 1955 to 1965. A short-range air
navigation system known as the VORTAC system was developed by colocating the civilian
VOR and the US Navy-developed tactical air navigation (TACAN) system in common
facilities. Experience with radar use during the postwar era eventually led to the development of
air route surveillance radar (ARSR). The first such system was installed at the Indianapolis
Center in 1956. In the same year, the first air traffic control computer was also installed at the
Indianapolis Center. Research and development efforts were begun by the CAA for a secondary
radar system that would use a ground interrogator to trigger transponders onboard the aircraft
and obtain replies to display the aircraft identification and altitude on the controller’s radar
screen. An experimental version of this system known as the air traffic control radar beacon
system (ATCRBS) was implemented in 1957. In 1958 the US Congress
passed the Federal Aviation Act which created the Federal Aviation Agency as the new
independent agency to succeed the CAA. Due to the acceptance of radar surveillance as the
principal tool for control of air traffic, new separation standards were needed. Other significant
changes during this period were the introduction of high-speed commercial jet aircraft and
increase in traffic volume. To accommodate these developments and to keep the task of ATM
manageable, smaller segments of airspace known as sectors were developed based on air traffic
flow patterns and controller workload considerations. To reduce the workload associated with
bookkeeping caused by sectorization, a computerized flight information system for updating
flight information and automatically printing flight progress strips was developed. By 1963
several of the flight data processing (FDP) computers were placed into operational ATM service.
The first prototype of a computerized radar system for arrival and departure control called the
automated radar terminal system (ARTS) was installed in the Atlanta, Georgia, air traffic control
tower in 1964. In addition to the steady.
Coventry (2003) (Advanced Technology and Research, NCR Financial Solutions Division) presented
usability and biometric verification at the ATM interface. The motivation of the research is
that the methods for increasing security, such as regularly changing PINs and passwords,
increasing their length, ensuring they do not form words and ensuring all are different, make
them more difficult to remember and, therefore, error-prone. The objective of the paper is to
provide a summary of the user-centred aspects of the research carried out over the last five
years to understand attitudes towards, and behaviour with, biometric verification at the
Automated Teller Machine (ATM) interface. The objectives were accomplished by adopting this
methodology: with iris verification, for application at ATMs, a wide-angle camera finds the head
of the person to be identified. A zoom lens then targets the user's iris and takes a digital
photo. A template of concentric lines is laid on the iris image, a number of specific points
are recorded, and the information is converted into a digital template. This can then be compared
with others for verification and identification purposes. The general interest in iris
verification applied to public technology is centred upon its accuracy or reliability, which is
much greater than, say, fingerprints, and the fact that the biometric itself can be acquired
without the individual having to come into physical contact with the 'end-point'. The researcher,
after a critical review of the mode of authentication in ATM security, decided to bring a
multifactor authentication system into use; he explored the possibilities of having multifactor
authentication system in the user which can be adopted in other machines. The limitation of the
paper is that the researcher should have used a 3-D API for the Graphical User Interface (GUI),
for example OpenGL in place of the Java Swing API. The JDBC architecture could have been extended
to three-tier using an application server like APPLET server. There was no fingerprint matching
algorithm.
Adeniran & Junaidu (2014) proposed an empirical study of Automated Teller Machine (ATM)
and user satisfaction in Nigeria: a study of United Bank for Africa in Sokoto Metropolis. The
motivation for the research is that it provides a significant relationship between service
quality and a firm's performance based on improved productivity, increased market share,
enhanced customer attraction and loyalty, improved staff morale and sustained profitability. It
stresses the positive dimension of ATM based on freedom of transaction. A customer-focused ATM
delivery system that fulfils their needs and maximizes operational performance is an essential
dimension for a bank to achieve. It examines the factors that influence customers' satisfaction
with ATM service quality. These factors include costs involved in the use of ATM, and efficient
functioning of ATM. The objectives of the paper are: to know how users perceive the ease of use
of ATM; to know how availability of money in both affects user satisfaction; to know how
transaction affects user transaction; and to know how service security affects user
satisfaction. The objectives were accomplished by adopting this stated methodology: the study
adopts survey research. It probes deeply into the opinion of respondents regarding their
satisfaction with automated teller machine services. However, the research focuses on users of
United Bank for Africa in Sokoto metropolis. The rationale for the selection of the states is
that it constitutes a relatively new area where much empirical research has not been conducted.
Most related research concentrated on other zones and countries. Data will be collected on user
satisfaction through the use of a questionnaire. The above methodology led to the method of data
collection. The data of this study was collected in Sokoto metropolis and was obtained through
the survey method using a standard questionnaire. Data analysis investigates the extent to which
Automated Teller Machine (ATM) services, in terms of their ease, availability of money,
transaction cost and service security, affect customer satisfaction in Nigeria, using a sample
of customers obtained from UBA branches in Sokoto metropolis. The research contributes to
knowledge in the use of ATM service satisfaction by increasing confidence in the ATM system and
by showing how ATM users can use the machine easily. The limitation of this research is that the
researcher did not introduce the use of biometric fingerprint, which is the unique, peculiar
genetic code of DNA in each person. Also, it did not utilize One Time Password (OTP) as a medium
of authentication in ATM.
Dondo et al. (2017) proposed fingerprint and PIN authentication to enhance security at
Automated Teller Machines. The motivation for the research is that current authentication
systems are characterized by an increasing interest in biometric techniques. Among these
techniques are face, fingerprint, hand geometry, hand vein, iris, retinal pattern, signature and
voiceprint. All these methods have different degrees of uniqueness, permanence, measurability,
performance, user acceptability and robustness against issues like fraud, and fingerprint is the
most preferred. Another consideration is the ability to distinguish a masquerading attacker's
actions from legitimate user activities. Also, considering the numerous security challenges
encountered by Automated Teller Machines (ATM) and users, and given that the existing security
in the ATM system has not been able to address these challenges, there is a need to overcome
them. This research focuses on how to enhance the security of transactions in the ATM system
using fingerprint. The system adopts the same measure as the current work by formulating modules
for fingerprint enrolment, enhancement, feature extraction, database and matching. The objective
of this research is to enhance the security of the existing ATM (Automated Teller Machine)
system by integrating the existing PIN (Personal Identification Number) with fingerprint, and to
propose the use of fingerprint and PIN as an authentication system in the bank's ATM. The
objectives were accomplished by adopting this stated methodology: the research presents security
in two ways, a design that considers the fingerprint image for client-side security and also
considers the algorithm for secured communication between the client and server. The biometric
authentication process adds a new dimension of security for any person sensitive to
authentication. The above methodology led to the method of data collection. Data can be
collected in two sets: primary and secondary data collection. The primary data can be collected
using questionnaires and personal interviews, while the secondary data is collected mainly from
library research. Data analysis involved editing, coding, classification and tabulation of the
data collected. The researcher, after a critical review of the mode of authentication in ATM
security, decided to bring 2-factor authentication into use; he explored the possibilities of
having multifactor authentication system in the user which can be adopted in other machines.
The limitation of the paper is that the researcher does not introduce the use of OTP (One Time
Password) security.
2.3 Authentication Concept
According to Christopher et al. (2013), 'identification', 'authentication' and 'authorization'
are three interrelated concepts which form the core of a security system. Identification is the
communication of an identity to an IS. Before authentication, the claimant typically provides
the IS with an identity (for example, a login or an email address), and the monitor asserts the
identity by authentication (for example, using a password). An authentication is a proof given
by a claimant to assert to a monitor that he/she really corresponds to the identity he/she
provided. The monitor then asserts the identity of the user to the IS. Finally, the
authorization is the set of privileges granted to the user.
Authentication systems provide the answers to both questions: (i) who is the user? and (ii) is
the user really who he/she represents himself/herself to be? Hence, authentication represents
one of the most promising ways of enhancing trust and security for commercial applications.
It also denotes a property of ensuring the identity of the previously mentioned entities.
Authorization, in turn, is a process of giving individuals access to the system objects based on
their identity. Authorization systems provide the answers to the three questions:
(i) Is user U authorized to access resource R?;
(ii) Is user U authorized to perform operation O?; and
(iii) Is user U authorized to perform operation O on resource R?
There is often confusion between 'identification', 'authentication' and 'authorization'. These
terms do not have the same meaning at all. Each of these concepts requires an enrolment
step. Enrolment is the 'registration' of a new user, including the emission of tokens and
credentials. Enrolment is a major concern and should also be carefully handled.
In the rest of this project, we will consider that the IS has already registered the claimant.
Having said that, we then need a link between the claimant and the monitor. This link is called
a channel. A channel is a support of communication between the claimant and the monitor. It can
be considered as confidential, authentic, secure or insecure. A confidential channel is
resistant to interception; an authentic channel is resistant to tampering; a secure channel is
resistant to both; and an insecure channel is resistant to neither. The goal of authentication
is to assert an identity, but the scope of authentication methods is very large and it can vary
in many ways.
Below is a list of some of the common authentication methods:
An ID (Identification)/password: to open a session on a computer or to authenticate on
Internet;
A PIN (Personal Identification Number) code: to unlock a smartcard;
An RFID card: for accessing a building;
A fingerprint: to unlock a door;
A facial recognition system with a webcam: to open a session on Internet;
A USB token;
A one-time password token;
Each one of the authentication methods has a specific use and inherent drawbacks.
Tokens can be stolen, facial recognition systems can be broken by presenting a photo of
the genuine user, and so on. This concerns the trustworthiness of the authentication method.
In consequence, the goal of authentication is to verify the identity of an entity with a given
level of trust. If an authentication method cannot be fully trusted, the provided
verification cannot be either. Even a good authentication technique will not be secure if
the implementation allows backdoors, as shown in Figure 2.1.
Figure 2.1: An authentication system seen on a Wi-Fi router that clearly indicates to an
attacker which password to try first.
Figure 2.2: The left token is a challenge-type OTP card with a PIN code (CRYPTOCard). The one
on the right is a counter-synchronized OTP token (ZyXEL).
A counter-synchronised OTP, sometimes also called "mathematical hash chain OTP" or
"mathematical key chain OTP", often implies a token with a button on it. Each press on the
button generates a new password that can be used to log on. Most are based on the Leslie
Lamport scheme (Lamport, 1981). Secondly, in a time-synchronized OTP, the token has an
internal clock and so does the monitor. New passwords are generated from the value of the
current timestamp, rather than on a shared secret or a previous password. The value of the
generated password usually changes every one or two minutes. Thirdly, an OTP can also be sent to
the claimant through a secure channel. The claimant has to be authenticated through an unsecured
channel, but the monitor could provide the claimant with a random OTP through a third-party
channel, which is considered as secured, where the claimant is already authenticated.
The claimant then sends back the OTP through the unsecured channel to prove his/her
identity to the monitor. Finally, with a shared list of passwords, the claimant and the monitor
share copies of the same unpredictable list of passwords. If the list is ordered, the only
allowed passwords are those following the last one used, and if it is not, each password from
the list can be used only once. Another form of authentication method is cryptographic
challenge-response based authentication (Syed Zulkarnain et al., 2013).
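The counter-synchronised (hash chain) OTP described above, worked through as an added example that is not part of the original project. It assumes SHA-256 as the one-way function and a hypothetical look-ahead window of three button presses; the class and function names are illustrative only.

```python
import hashlib
import hmac


def H(value: bytes) -> bytes:
    """One step of the hash chain (SHA-256 is this example's choice)."""
    return hashlib.sha256(value).digest()


def chain(seed: bytes, steps: int) -> bytes:
    """Return H applied `steps` times to `seed`."""
    value = seed
    for _ in range(steps):
        value = H(value)
    return value


class Token:
    """Claimant side: a button token holding a secret seed and a counter."""

    def __init__(self, seed: bytes, length: int):
        self._seed = seed
        self._remaining = length

    def enrolment_value(self) -> bytes:
        """H^n(seed): the only value the monitor stores at enrolment."""
        return chain(self._seed, self._remaining)

    def press_button(self) -> bytes:
        """Each press reveals the previous link of the chain."""
        if self._remaining == 0:
            raise RuntimeError("hash chain exhausted: the token must be re-enrolled")
        self._remaining -= 1
        return chain(self._seed, self._remaining)


class Monitor:
    """Verifier side: stores only the last accepted link, never the seed."""

    def __init__(self, enrolment_value: bytes, window: int = 3):
        self._last = enrolment_value
        self._window = window  # presses that may be wasted between two logins

    def verify(self, otp: bytes) -> bool:
        value = otp
        for _ in range(self._window):
            value = H(value)
            if hmac.compare_digest(value, self._last):
                self._last = otp  # move forward: every older link is now dead
                return True
        return False


def demo() -> dict:
    """Constructed session: login, replay, skipped press, replay, forgery."""
    token = Token(seed=b"constructed-demo-seed", length=6)
    monitor = Monitor(token.enrolment_value())
    first = token.press_button()
    results = {"first_login": monitor.verify(first)}
    results["replay_of_first"] = monitor.verify(first)
    token.press_button()  # pressed by accident, never submitted
    third = token.press_button()
    results["login_after_skipped_press"] = monitor.verify(third)
    results["replay_after_resync"] = monitor.verify(first)
    results["forged_value"] = monitor.verify(b"\x00" * 32)
    return results


if __name__ == "__main__":
    for step, accepted in demo().items():
        print(f"{step}: {'accepted' if accepted else 'rejected'}")
```

Because the monitor keeps only the last accepted link, a copy of its database does not yield the next password, and a captured password stops working as soon as it or a later one has been accepted.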
2.5 Biometrics
Christopher et al. (2013) state that biometrics is used as a form of identity access
management and access control. Biometrics is an ancient Greek word and is the
combination of two words: (bio) means life, (-metric) means measurement. According to
(Wikipedia, 2011a), biometrics has been around since about 29,000 BC when cavemen would
sign their drawings with handprints. However, it is said that the history of biometric
techniques originated in China in the 14th century. It was a form of fingerprinting as reported
by the Portuguese historian Joao de Barros. Biometrics is a science that consists of methods for
uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. It
has become one of the popular and trusted security systems that have become an alternative to
password-based security systems. Biometric techniques have been developed for machine-based
verification of the identity of a person. Biometric characteristics can be divided into three
main classes, namely 'morphological', 'behavioral' and 'biological'. Morphological is related to
the shape of the body, such as retina, voice, prints (finger, thumb, palm), iris, hand geometry,
face recognition, ear, height, weight, skin, veins, gender. Behavioral is related to the
behavior of a person, such as gait, signature, keystroke dynamics, voice, driving, gaming, and
so on. Biological is related to the inner part of a living organism, such as heart beat, odor,
DNA, blood. Voice can be categorized as both a morphological and a behavioral trait because
every person has a different vocal tract, but voice recognition is mainly based on the study of
the way a person speaks, hence it is commonly classified as behavioral. Some researchers have
coined the term behaviometrics for the behavioral class of biometrics.
Biometric recognition is largely studied in computer science. The use of biometric techniques,
such as face, fingerprints, iris and ears, is a solution for obtaining a secure
personal authentication method. Biometrics uses the authentication factors, which are methods
based on something that qualifies the user and something that he/she can do. The main advantage
of these authentication methods is that there exists a strong relationship between the
individual (user) and its authenticator (biometric data). Furthermore, it is difficult to copy
the biometric characteristics of an individual compared to most other authentication methods.
Nonetheless, there is a drawback in biometric authentication, which is the uncertainty of its
verification result; for example, in fingerprint authentication there could be a possible error
due to bad positioning of the finger (McQuay and Smari, 2009).
Each time a user authenticates himself/herself, he/she provides biometric information with its
reference. This information is generally similar at each authentication attempt. An attacker
could intercept the information and replay it. Therefore, the solutions to this predicament have
to be dynamic.
Simske (2009) defined dynamic biometrics as a dynamic means of granting access rights that must
exist. There are several ways to achieve this, such as by defining a generalization of a
challenge-based password for biometrics, a one-time password authentication scheme or perhaps
free text on keystroke dynamics, and hence to achieve a system with a lighter workload and
higher security. Biometric authentication can be summarized in two steps, namely enrolment and
authentication. The enrolment stage is where the user provides his/her biometric data. The
biometric data will be captured and then the features will be extracted and stored into the
database. During the authentication process, the stored features will be compared with the ones
currently presented for access. If they match, access will be granted. For example, in keystroke
dynamics, during the enrolment stage, the users are asked to provide their way of typing, i.e.
by typing a given password or passphrase on a keyboard between 5 and 10 times. Because keystroke
dynamics is a behavioural biometric, it has to be done collectively, i.e. several times,
because each time the users type a password/passphrase, their typing rhythm may differ slightly.
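The enrolment and authentication steps described above, applied to keystroke dynamics, as an added example that is not part of the original project and is not the GREYC software's method. It assumes hold and flight times as features, a scaled Manhattan distance as the matcher, and a threshold of 2.0; the timing data is constructed for the illustration.

```python
from statistics import mean

MIN_SAMPLES, MAX_SAMPLES = 5, 10  # the text asks for 5 to 10 typings


def make_events(text, holds, flights):
    """Build constructed (key, press_ms, release_ms) events for one typing."""
    events, t = [], 0
    for i, ch in enumerate(text):
        release = t + holds[i]
        events.append((ch, t, release))
        if i < len(flights):
            t = release + flights[i]
    return events


def extract_features(events):
    """Hold time of each key, then flight time between consecutive keys."""
    holds = [release - press for _, press, release in events]
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return holds + flights


def enrol(samples):
    """Build a template (per-feature mean and mean absolute deviation)."""
    if not MIN_SAMPLES <= len(samples) <= MAX_SAMPLES:
        raise ValueError("enrolment needs between 5 and 10 typing samples")
    vectors = [extract_features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("all samples must be typings of the same password")
    columns = list(zip(*vectors))
    means = [mean(col) for col in columns]
    # Floor the deviation at 1 ms so a perfectly regular feature cannot divide by zero.
    devs = [max(mean(abs(x - m) for x in col), 1.0) for col, m in zip(columns, means)]
    return {"mean": means, "dev": devs}


def score(template, events):
    """Scaled Manhattan distance per feature; lower means closer to the template."""
    vector = extract_features(events)
    if len(vector) != len(template["mean"]):
        return float("inf")  # wrong password length can never match
    return mean(abs(x - m) / d
                for x, m, d in zip(vector, template["mean"], template["dev"]))


def authenticate(template, events, threshold=2.0):
    return score(template, events) <= threshold


# Constructed data: five enrolment typings of the password "atm1" (times in ms).
ENROLMENT = [
    make_events("atm1", [90, 100, 95, 110], [120, 140, 130]),
    make_events("atm1", [94, 98, 99, 106], [126, 134, 128]),
    make_events("atm1", [88, 104, 93, 112], [118, 144, 134]),
    make_events("atm1", [92, 102, 97, 108], [122, 138, 132]),
    make_events("atm1", [86, 96, 91, 114], [114, 144, 126]),
]
# Same password typed by the enrolled user and by someone else who knows it.
GENUINE = make_events("atm1", [91, 99, 96, 111], [123, 137, 131])
IMPOSTOR = make_events("atm1", [60, 70, 65, 80], [200, 220, 210])

if __name__ == "__main__":
    template = enrol(ENROLMENT)
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(score(template, attempt), 2), authenticate(template, attempt))
```

The threshold trades false rejections of the genuine user against false acceptances of an impostor, which is why several enrolment typings are needed to estimate each feature's normal variation.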
As mentioned by (Simske, 2009), we are proposing keystroke dynamics as a solution,
especially for password-based authentication. Keystroke dynamics is an interesting and a low
cost biometric modality as it enables the biometric system to authenticate or identify an
individual based on a person’s way of typing a password or a passphrase on a keyboard. It
belongs to the class of behavioral biometrics, in the sense that the template of a user reflects
an aspect of his/her behaviour, as mentioned earlier. Generally speaking, the global
performances of keystroke dynamics based authentication systems are lower than those of
popular morphologic modalities based authentication systems (such as fingerprints, iris, etc.).
We use the GREYC Keystroke software to capture biometric data as shown in Figure 2.5.
However, there is no single biometric modality expected to effectively satisfy the needs of all
authentication applications (usability, security, cost). Subsequently, a vast number of
biometrics have been proposed, researched, analyzed and evaluated (Jain et al., 1999). Each
biometric has its strengths and limitations; therefore, each biometric is suited to specific
authentication applications (Jain et al., 1999; Stallings and Brown, 2008). The common problem
of personal authentication raises a number of important research issues, such as "which
technologies are the most effective to achieve accurate and reliable authentication of
individuals?" Some of these problems are well-known open problems, for example in pattern
recognition and computer vision, and they need a systematic cross-disciplinary effort compared
to other authentication methods. Therefore, biometric technology alone may not be sufficient to
solve these issues effectively; the solutions to the outstanding open problems may lie in
innovative engineering designs exploiting constraints otherwise unavailable to the
applications, and in harnessing biometric technology in combination with other allied
technologies (Jain et al., 1999).
In order to prevent information from being accessed by illegitimate or unauthorized
users, remote user authentication is certainly one of the most important services. However, a
major concern with morphological-based biometrics is that if the trait can be copied by an
impostor using, say, deceit or force, the authentic user would be faced with a life-long loss of
identity. If this ever happens, the consequences could be disastrous.
Figure 2.5 Characteristics of Biometrics.
2.6 Review of Related Works
For customers to really embrace the use of ATM for their major transactions, the issue of
ATM security must be taken with all seriousness. ATM cards must be very secure, even when the
owner misplaces or loses the card; this will prevent any attacker from using the card on any
ATM machine. Since security measures at ATM centers play a significant role in preventing
attacks on customers' money, several researchers have proposed the use of fingerprint, in like
manner to this paper, to shift from PIN to biometric-based security. Fingerprinting has been the
most widely used during the 20th century. The maturity of biometric techniques and, generally,
the dramatic improvement of capture devices have led to the proposal of fingerprinting in
multiple applications, but in the last years minutiae have been the main type of algorithm used.
The minutiae are relatively stable and robust to contrast, image resolution and global
distortion as compared to other fingerprint representations.
Santhi and Kumar (2012) provided a better understanding of the benefits and limitations of
integrating biometrics in a PIN-based payment authentication system. Based on their review
they proposed a biometric that can be integrated in a PIN-based authentication infrastructure by
binding a fixed binary, renewable string to a noisy biometric sample. The South African Social
Security Agency (SASSA) has introduced a new SASSA Payment Card that has fingerprint
authentication features. The card is a SASSA-branded smart payment MasterCard, which has an
embedded chip containing personal details, fingerprint and secret PIN; with the card, customers
can easily withdraw and make payments at point-of-sale (POS) centers, purchase airtime, pay
water and electricity bills from their accounts, or open accounts. Ibiyemi et al. (2012)
proposed a fingerprint orientation model based on 2D Fourier expansions (FOMFE) in the phase
plane. Though FOMFE does not require prior knowledge of singular points, it is able to describe
the overall ridge topology seamlessly. [9] proposed a smartcard-based
encryption/authentication scheme for ATM banking systems. The first layer of the scheme is used
to perform authentication based on available information on the smartcard. Fingerprint-based
authentication via feature and minutiae matching then follows on the second layer. [ focused on
vulnerabilities and the increasing wave of criminal activities occurring at ATMs and presented a
prototype fingerprint authentication for enhancing security. The system adopts the same measure
as the current work by formulating modules for fingerprint enrolment, enhancement, feature
extraction, database and matching. Das and Jhunu (2011) proposed an ATM security enhancing
method with a secured Personal Identification Image (PII) process. A detailed study of various
existing biometric systems is also presented, stating their strengths and limitations. Bhosale
and Sawant (2012) present ground-breaking models for biometric ATMs which replace the card
system with biometric technology. The proposed systems hybridize feature-based fingerprint, iris
and PIN to provide reliable and fool-proof ATM authentication.
Mali et al. (2012) provided a network security framework for real-time ATM applications using a
combination of PIN, thumb scanning and face recognition to foster security. The proposed
framework is expected to register thumb and face features to be stored at the server side in
encrypted format. Authentication is done by decrypting patterns from the database and matching
them with the input pattern before access is granted for ATM operations. The integrated system
uses Principal Component Analysis (PCA) and the Eigen algorithm for face recognition, the LSB
algorithm for steganography and the AES algorithm for cryptography. Though the framework looks
promising, its practicality is not supported by detailed implementation and evaluation.
Abayomi-Alli et al. (2012) proposed an enhanced e-banking system where a customer can access
multiple accounts over different banking institutions with a single ATM card with fingerprint
authentication. A match-on-card technique was used that relies on one-to-one matching, where the
data from the ATM fingerprint sensor is compared only to the template stored on the user's ATM
card. This will help with the privacy concerns of users; the system will also help users to have
access to multiple accounts with a single ATM card. It is secure and helps in reducing ATM
fraud. The paper used the characteristic features of fingerprint to overcome the limitations of
PIN-based ATM authentication. However, the proposed method presented adequate implementation and
evaluation to back up the performance claim. The proposed system is different from other
approaches because it makes use of UML modeling in designing the system, and uses a three-tier
architectural structure and minutiae for the extraction of the fingerprint.
CHAPTER THREE
RESEARCH METHODOLOGY
3.1 Preamble
This chapter discusses details of the research methodology, the analysis of the existing and the
proposed system, and the detailed design plan for the new system. A software development
methodology or system development methodology in software engineering is a framework that is
used to structure, plan, and control the process of developing an information system.
The methodology adopted is as follows:
Systems Development Life Cycle (SDLC)
The use of an ATM by a bank customer starts with an account opening process. A customer who
wishes to utilize the services provided by ATM systems must have an account with one of the
commercial banks. The customer is made to fill an account opening form by a representative of
the bank. In the process of filling the form, the customer will indicate if he/she would want to be
issued an ATM card. However, a customer who did not indicate interest during the account
opening process can always apply for an ATM card subsequently. Once the account is opened and
the customer's details are saved in the bank database, the customer is issued a card for
activation. To activate a card, the customer is issued a secret code (OTP) printed on paper
which will be used for authentication. At the ATM terminal the customer activates the card
using the code to change to a preferred PIN, which must not be disclosed to a third party, for
subsequent transactions.
At the ATM, a customer begins a transaction by selecting from the customer screen options. The
customer inserts an ATM card into the card reader of the terminal. The card must be inserted so
that the magnetic stripe can be scanned by the card reader’s sensor. If the customer inserts the
card incorrectly, a warning message will be displayed, accompanied by several beeps to get
attention. Once the card has been read successfully, a surcharge message, if applicable, may be
displayed (the surcharge message may be displayed at the end of the customer’s transaction
selection). The customer must then enter a secret PIN code. Once the PIN has been entered, the
transaction type and account are selected, and the desired amount of the transaction, if needed.
The transaction will be processed, typically in a matter of seconds. If the transaction was
processed successfully, the customer is prompted to retrieve the requested cash (for withdrawal
transactions) and/or the applicable transaction receipt, as needed. If the transaction was declined,
a short receipt indicating the problem is printed. The architecture of a traditional ATM is
depicted in Figure 3.1.
The ATM sends the customer transaction request to a processor. A processor is a financial
intermediary, such as an Independent Sales Organization (ISO), bank, or other financial
institution that provides transaction-processing services for ATMs. The ATM must be set up
with a particular processor before customer transactions can take place. The processor routes the
transaction to the appropriate ATM network. An ATM network is a regionally or nationally
organized clearing house for financial transactions that deals directly with the appropriate
financial institution, such as the customer’s bank, in order to complete the transaction. The ATM
network routes the transaction to the appropriate bank or other institution for off-bank
transaction, confirms successful completion of the transaction, and sends a confirmation message
back to the processor. If the request was for a cash withdrawal, an Electronic Funds Transfer
(EFT) takes place to debit the funds (including any surcharge
fee, if applicable) from the customer’s bank account. The processor forwards a confirmation
message to the ATM (and an authorization to dispense currency, in the case of a cash
withdrawal). The ATM dispenses the requested currency, if necessary, and provides the
customer with a printed receipt as a record of the transaction. The method of authentication is
simple and does not take much time. It is relatively cheap since no extra device is installed and
four (4) digit PIN can easily be remembered.
The system provides strong security with the use of biometrics and the incorporation of an
alphanumeric keypad; the password becomes very difficult, if not impossible, to be guessed
correctly by fraudsters.
ATM card theft will be reduced, since a person's biometric, which is not transferrable, is
required before a successful authentication process.
Customers' confidence will be restored in the use of ATM to meet their banking needs.
Many customers will be attracted to use ATM for their banking transactions.
With the use of OTP the problem of replay attack is completely eliminated.
The four activities performed in the analysis of the proposed system include the following:
Modeling the functions of the system.
Finding and identifying the business objects.
Organizing the objects and identifying their relationships.
Modeling the behavior of the objects.
[Use case diagram. Actors: Customer, Bank Admin, Bank Personnel. Use cases: Authentication
(using password, using fingerprint, using OTP), Authorization, Transaction, Operations, Open
Account, Refill ATM, Issue Card, Enroll fingerprint, Modify account. Relationships are drawn
as <<include>> and <<extend>>.]
Authentication use case: This use case validates the identity of the users (actors) of the
system (bank personnel and customers) to ensure that unauthorized users are not granted
access to the system.
ii) Open account use case: The open account use case allows bank personnel to perform
account opening activity.
iii) Enroll fingerprint use case: This is part of the activities performed during account
opening. It provides the platform for the fingerprint templates of customers to be stored
in the bank database for subsequent use during authentication.
iv) Issue card use case: This use case allows the bank personnel to issue ATM cards to
customers.
v) Transaction use case: The transaction use case allows a customer to select transaction of
choice from options provided after a successful user authentication. These transaction
types include:
Withdrawal transaction: for making withdrawal
Change Password transaction: for change of password
Inquiry transaction: for making inquiry on balance
Fund transfer transaction: for transferring of fund from one account to another.
Steps involved in identifying and finding business objects for object modeling:
Find the potential objects – the best way is to review each use case to find nouns that
correspond to business entities or events,
Select the proposed objects – the list of all potential business objects must be cleaned up by
removing: synonyms, nouns outside the scope of system, nouns that are roles without unique
behavior or are external roles, unclear nouns that need focus and nouns that are really actions or
attributes.
The proposed system is an improvement on the existing card-based and PIN based ATM system.
The objects of the system were identified and represented using the object model diagram shown
in Figure 3.3
Password
Biometric (fingerprint) and
OTP
The system incorporates alphanumeric keypad (see Figure 3.4) and a fingerprint scanner to the
existing ATM.
The system consists of a card reader, keypad, cash dispenser, screen, fingerprint scanner, and bank
database. When the system is idle, a greeting message is displayed, the keys on the keypad will
remain inactive until a bank card has been inserted. To perform a transaction, a customer is
expected to undergo a registration process in order to obtain an ATM card. During the
registration process, the customer’s personal details are taken, including the mobile phone number
to which the OTP will be sent. Fingerprint enrollment of customers is also carried
out during registration and stored in the bank database server together with other personal
details. The system proposes a character password and an OTP of more than four (4) characters; for
the purpose of demonstration, a six (6) character password and an eight (8) digit OTP were used.
At the ATM, the customer inserts an ATM card into the card reader slot. After card validation,
the system prompts the customer, on the display (screen), to supply his/her password. This is
the first level of authentication; the customer uses the keypad to input six (6) alphanumeric
characters as the password. This is one of the distinguishing features of the proposed system.
The system validates the password by comparing it with the one encoded on the card; if there is
a match, the user proceeds to the second level of authentication, which is the use of
biometrics (fingerprint). The customer provides his/her fingerprint template using the fingerprint
scanner. The system compares the fingerprint template with the one encoded on the card; if there
is a match, the user is presented with the final stage of authentication, which is the use of OTP.
The user is required to enter eight (8) characters generated by the system and sent to his/her
mobile phone. If the OTP is correct and entered within the specified time limit, the customer is
authenticated and granted access to perform the transaction of choice, which could be
withdrawal, change of password, balance inquiry or transfer of funds. The transaction goes
through a network to connect to the customer’s account in the bank’s database. The cash dispenser
provides cash to the customer in the case of a withdrawal transaction. If the customer wishes to
perform no other transaction, a transaction receipt is printed and the card is ejected. The behavior
of the objects and their states at any given time, as described above, is represented using the state
chart diagram of Figure 3.5.
3.6 System Design
The design objective is to design an ATM system with three layers of authentication, which is
interfaced with a fingerprint scanner for biometric authentication and is capable of
generating a token as a one-time password. The system design will also introduce alphabetic and
special characters to the existing numeric keypad of an ATM system. The design will depict the
different objects of the system and how they interact with external entities. The design is aimed
at providing robust security on the existing card-based ATM system by eliminating the problem
of identity theft through the introduction of a password as a substitute for the PIN, and the use of
fingerprint and OTP for second- and third-tier authentication respectively. The main menu
presents the primary list of the system components from which subsystems evolve. As the
proposed system is a complex one, there is a need to break the system into a main menu and
submenus for easy manageability (see Figure 3.6).
3.6.1 Sub Menu/ Sub System
3.6.2 Activity Diagram
The activity diagram of the new system shows the steps involved in designing the program
intended to derive the proposed three-tier authentication model for ATM. The activity diagram
of Figure 3.8 shows how the new system will perform user authentication. The system starts by
validating the user’s card. If this process is successful, a welcome message is displayed on the
screen and the user is prompted to supply a password, which in this case is a 6-character password.
If the correct password is entered, the user progresses to fingerprint authentication; otherwise a
message asking the user to input the correct password is displayed, and if the user fails to enter
the correct password after three attempts the authentication process is terminated and the
user’s card ejected.
The user’s fingerprint template captured during fingerprint authentication is compared with what
is available on the storage device. If there is a match, the user progresses to the final
stage of authentication, which is the use of OTP; otherwise the fingerprint capture is repeated
twice more, and if the process is still unsuccessful the authentication process is terminated even
if the first level of authentication was successful. This means that all three authentication
levels must succeed before access is granted; access is denied should any
level turn out to be unsuccessful. At the final stage of authentication, the user supplies an OTP
sent to his/her mobile phone by the system. If the OTP entered is correct, the user is granted
access to select the transaction of choice. The system processes the transaction selected and
terminates if no other transaction is selected by the user.
Relationships among tables were created because a database consisting of independent and
unrelated tables serves little purpose; it can lead to data redundancy and update inconsistency.
The database used by the proposed ATM system consists of the following tables:
Table 3.1 specifies the login credentials of a bank personnel who is responsible for account
opening
Table 3.2 Account Login Table
Column Name            Data Type         Allow Null
ID                     Numeric (18,0)
Account No             Varchar (50)
Table 3.2 contains the credentials of an ATM user needed for first-tier authentication
Table 3.3 Account Information Table
Column Name            Data Type         Allow Null
ID                     Numeric (18,0)
Account No             Varchar (50)
Account Name           Varchar (50)
Gender                 Varchar (50)
Date of Birth          Datetime
Email                  Varchar (50)
Phone No               Varchar (50)
Contact Address        Varchar (max)
Account Type           Varchar (50)
Password               Varchar (50)
Fingerprint            Bit
Date created           Datetime
Table 3.3 contains information about customers who were issued ATM cards.
Table 3.4 OTP Table
Column Name            Data Type         Allow Null
ID                     Numeric (18,0)
Account No             Varchar (50)
Token                  Varchar (50)
Date-Generated         Datetime
Expired time           Datetime
Table 3.4 specifies the OTP generated by the system
Table 3.5 Transfer Table
Column Name            Data Type         Allow Null
Transaction ID         Numeric (18,0)
Sender’s Account No    Varchar (50)
Receiver’s Account No  Varchar (50)
Amount                 Numeric (18,2)
Date Transferred       Datetime
Table 3.5 contains information about electronic fund transfer made by an ATM user
Table 3.6 contains information about the deposit made by ATM users and the corresponding
balance after withdrawal has been made.
Table 3.7 Transaction Details Table
Column Name            Data Type         Allow Null
ID                     Numeric (18,0)
Table 3.7 contains details of ATM transactions made by customers on daily basis.
IMPLEMENTATION
Administrative login: This module is for administrative login. It handles the authentication
process of a bank personnel who is responsible for account opening and issuance of ATM cards.
Password authentication: This module handles the first-tier authentication process of a
customer or an ATM user.
Change password: with this module a user is allowed to change his/her password.
OTP: This module handles the third-tier authentication process where the user is prompted to
provide a token generated by the system.
Transaction selection: this module allows a user to select the transaction of choice (withdrawal,
inquiry, change of password, and fund transfer).
New Account Registration Module: This module is used for registration of an ATM user.
Biometric authentication: This module handles the second layer of authentication which
enables an ATM user to provide his/her fingerprint template.
Fund Transfer: with this module a user is allowed to transfer fund to another customer’s
account.
Withdrawal: This module handles cash withdrawal transactions.
Inquiry: this module allows a customer to check his/her account balance.
4.2 Input/output Format/Specification
Input Specification
The input format specifies the type of input to be supplied by the user. The system uses
textboxes to accept inputs from users and the inputs are entered via the keypad and fingerprint
scanner. The following input formats are available:
The form above is the administrator login form. For the admin to have access to
the site, he/she must provide the correct username and password. The username is admin in
capital letters, and the password is also admin in capital letters. A registration page, managed
by the bank representative, is used for ATM registration and fingerprint enrollment. The bank
representative must be authenticated before access is granted.
The above is the New Account Registration form. After a successful login, the Admin
uses this form to register new ATM users and record their account details. The
customer has to provide his/her full name, date of birth, active phone number, gender,
email address, alternate phone number (if any) and contact address. After that, the next
step is the type of account for the customer, whether it is a savings account or a current account.
The customer then enters a password of his/her choice that he/she can remember. The
password must be four digits, letters or characters, or a combination. In the final step, the
Admin uses the fingerprint machine to capture the biometric of the customer that he/she
can remember. Finally, the Admin submits the form. The information gathered on this form is
stored on the bank database server.
User Authentication form
This provides an interface for an ATM user to supply input for first level of authentication. This
is shown in Figure 4.9.
The above is the second-tier authentication. At the second tier, the user uses the fingerprint reader
to capture one of his/her fingers. The fingerprint template captured is compared to the one
encoded on the card, if there is a match, the system generates an OTP and sends it to the user’s
mobile phone.
OTP Authentication Form
This generates OTP and prompts the user to enter the OTP on the textbox provided. The OTP
authentication is depicted in Figure 4.11.
The above feedback is displayed when an ATM user enters an invalid account number
or password.
Incorrect OTP form
This presents feedback to the user when an incorrect OTP is entered. See Figure 4.9.
An ATM user receives the above feedback when the wrong OTP is entered.
When the ATM user has forgotten which finger was captured during
ATM card enrolment and places the wrong finger, the fingerprint mismatch
form above is returned.
4.3 System Requirement
The proposed ATM system consists of a card reader, a display screen, a cash dispenser slot, an
alphanumeric keypad, a receipt printer, a fingerprint reader and the user must be in possession of
a mobile phone for the receipt of OTP. When the machine is idle, a greeting message is
displayed, the keys on the keypad will remain inactive until a bank card has been entered. When
a bank card is inserted, the card reader attempts to read it, if the card cannot be read, the user is
informed that the card is unreadable, and the card is ejected. If the card is readable, the card
reader reads the account number and PIN off the card and asks the user to enter his/her password. The
user is given feedback (in the form of asterisks, but not specific character entered) as to the
number of characters entered at the alphanumeric keypad. The password entered by the user is
compared to the password on the ATM card. This is the first-tier authentication, if the password
is entered correctly; the user is prompted with the second-tier authentication.
At the second-tier, the user uses the fingerprint reader to capture one of his/her fingers. The
fingerprint template captured is compared to the one encoded on the card, if there is a match, the
system generates an OTP and sends it to the user’s mobile phone. The user is asked to enter the
OTP in a textbox provided on the display screen. The OTP has a time limit: it expires if not
entered within the space of two minutes. However, if the OTP is entered correctly, the
authentication process is completed and access is granted to the main menu (described below).
Otherwise, the user is given up to two additional chances at each tier of authentication to provide
the correct parameters (password, fingerprint template or OTP). Failure to do so on the third try
causes the system to keep the user’s card.
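The three-tier flow and retry rule described above (three tries at each tier, an 8-digit OTP that lapses after two minutes, card kept on the third failure) can be written as a small state machine. This is an added Python example, not the project's VB.NET code; the callback names, the single-use rule for the OTP and the resend method are assumptions of the example, and the sample password and fingerprint value are constructed.

```python
import hmac
import secrets
import time

MAX_TRIES = 3    # attempts allowed at each tier (from the page)
OTP_DIGITS = 8   # the page's demonstration OTP length
OTP_TTL = 120    # seconds: the page's two-minute limit
TIERS = ("password", "fingerprint", "otp")


class ThreeTierSession:
    """One card insertion: password -> fingerprint -> OTP, failing closed.

    check_password, check_fingerprint and send_sms are hypothetical callbacks.
    """

    def __init__(self, check_password, check_fingerprint, send_sms, clock=time.time):
        self._checks = {"password": check_password,
                        "fingerprint": check_fingerprint, "otp": self._check_otp}
        self._send_sms, self._clock = send_sms, clock
        self._fails = 0          # failed attempts at the current tier
        self._otp = None         # the live OTP, or None when there is none
        self._otp_expiry = 0.0
        self.state = TIERS[0]    # a tier name, "granted" or "card_retained"

    def issue_otp(self):
        """Create and send a fresh OTP (also serves a 'resend token' action)."""
        if self.state != "otp":
            raise RuntimeError("OTP is only issued after the fingerprint tier")
        self._otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"  # CSPRNG
        self._otp_expiry = self._clock() + OTP_TTL
        self._send_sms(self._otp)

    def _check_otp(self, code):
        if self._otp is None or self._clock() > self._otp_expiry:
            self._otp = None     # an expired code is discarded
            return False
        ok = hmac.compare_digest(str(code).encode(), self._otp.encode())
        if ok:
            self._otp = None     # single use: a replayed code cannot match again
        return ok

    def submit(self, tier, value):
        """Check one credential for the named tier and return the new state."""
        if self.state in ("granted", "card_retained"):
            return self.state    # terminal: nothing more is accepted
        # A credential for any tier other than the current one counts as a failure.
        if tier != self.state or not self._checks[tier](value):
            self._fails += 1
            if self._fails >= MAX_TRIES:
                self.state = "card_retained"
            return self.state
        self._fails = 0
        nxt = TIERS.index(tier) + 1
        self.state = TIERS[nxt] if nxt < len(TIERS) else "granted"
        if self.state == "otp":
            self.issue_otp()
        return self.state


def demo():
    """Constructed walk-through with a fake clock and an in-memory SMS sink."""
    now, sms = [1000.0], []
    s = ThreeTierSession(lambda p: hmac.compare_digest(p.encode(), b"Ab3$kQ"),
                         lambda t: t == "finger-A",  # stand-in for a real matcher
                         sms.append, clock=lambda: now[0])
    trace = [s.submit("password", "wrong1"), s.submit("password", "Ab3$kQ"),
             s.submit("otp", "00000000"),        # skipped tier: counted as a failure
             s.submit("fingerprint", "finger-A")]
    now[0] += OTP_TTL + 1                        # let the first OTP expire
    trace.append(s.submit("otp", sms[-1]))       # right code, but too late
    s.issue_otp()                                # resend
    trace.append(s.submit("otp", sms[-1]))
    return trace, sms
```

The replay claim made for OTP holds only while the code is discarded on first use and on expiry, which is what `_check_otp` enforces here.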
However, because the proposed system is being simulated using a personal computer (PC), the
insertion of ATM card into the card reader slot is replaced with the input of account number by
the user. All storage is done on the PC’s hard drive instead of an ATM card and a database
server. The user interface of the proposed ATM system contains the following:
A registration page which is managed by the bank representative for ATM registration
and fingerprint enrollment. The bank representative must be authenticated before access is
granted. The information gathered on this form is stored on the bank database server.
The login page which prompts the user to enter account number and password of 10 and
6 characters respectively for first-level of authentication.
The biometric page which allows the user’s fingerprint to be captured
The OTP page which prompts the user to enter an OTP of 8 characters within a specified limit.
After a successful authentication, the user is granted access to the main menu which
contains a list of the transactions that can be performed. These transactions are as follow:
The user can select a transaction and specify all relevant information. When a transaction
has been completed, the system returns to the home page. It is worthy of note that before a
transaction is processed, all parameters (except OTP) used for authentication are verified again
against the parameters stored on the database, this is done to ensure that a robust security is
provided by the system.
At any time after reaching the main menu and before finishing a transaction, the user may
press/click the cancel key. The transaction being specified is cancelled, the user’s card is ejected
and the system once again becomes idle.
If a withdrawal transaction is selected, the user is asked to specify the amount to be withdrawn.
If the account contains sufficient fund, the funds are given to the user through the cash dispenser.
In the case of balance inquiry, the user is asked to specify the account whose balance is
requested, the balance is displayed on the screen.
In a fund transfer transaction, the user is asked to specify the account and bank to which the fund
is to be transferred and the amount to transfer. For a change of password transaction, the user
specifies the old password, the new password and confirms the new one for the change to be
effected. The software architecture of the new system is depicted in Figure 4.19.
Implementation is the stage where the theoretical design is turned into a working system.
It is the most crucial stage in achieving a successful new system and in giving the users
confidence that the automated system will work efficiently.
The system can be implemented only after thorough testing is done and it is found to
work according to the specification.
It involves careful planning, investigation of the current system and its constraints on
implementation, design of methods to achieve the changeover and an evaluation of changeover
methods, apart from planning. Two major tasks of preparing for implementation are education
and training of the users and testing of the system.
The implementation phase comprises several activities. The required hardware and
software acquisition is carried out. The system may require some software to be developed. For
this, programs are written and tested. The user then changes over to the new, fully tested system
and the old system is discontinued.
The testing phase is an important part of software development. It is a process of finding errors
and missing operations and also a complete verification to determine whether the objectives are
met and the user requirements are satisfied.
Software testing is carried out in three steps:
1. The first step is unit testing, wherein each module is tested to prove its correctness and
validity, to determine any missing operations and to verify whether the objectives have
been met. Errors are noted down and corrected immediately. Unit testing is an important and
major part of the project, so errors are rectified easily in a particular module and program clarity is
increased. In this project the entire system is divided into several modules, each developed
individually, so unit testing is conducted on individual modules.
2. The second step is integration testing. Software whose modules show perfect results
when run individually will not necessarily show perfect results when
run as a whole. This is due to poor interfacing, which may result in data being lost across an
interface. The individual modules are therefore combined under the major module, tested again,
and the results verified. A module can have an inadvertent, adverse effect on another module or on
the global data structures, causing serious problems.
3. The final step involves validation and testing, which determines whether the software
functions as the user expected. Here also some modifications were. In the completion of the
project.
CHAPTER FIVE
SUMMARY RECOMMENDATION AND CONCLUSION
Coventry, A.A & Johnson, J (2003). Usability and Biometric Verification at the ATM Interface.
Ibiyemi, T.S& Obaje, S.E (2012). Development of Iris and Fingerprint Biometric Authenticated
Smart ATM Device&Card.http:csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf..
Jane, N.O (2014). Three-Factor Authentication for Automated Teller Machine System:
Umuahia, Nigeria. From http://en.wikipedia.org/wiki/Authentication.
Lasisi Ma, A.R.A & Abubakar, S.J (2014). An Empirical Study of Automated Teller Machine
(ATM ) And User Satisfaction in Nigeria. United Kingdom. European Centre for Research
Training And Development. From www.eajournals.org
Olabode, J.A(2011). Automated Teller Machine (atm) frauds in Nigeria. From http://www.cse.m
Su.edu/~cse891/Sec601/textbook/18.pdf
Olatunji, K.A etal & Afolu, C.A (2016). Design and Implementation of a Multifactor
Authentication System in ATM Security
APPENDIX A
PROGRAM SOURCE CODES
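Imports Neurotec.Biometrics
Imports System.Data.SqlClient

Module Functions
    ' Account number of the currently logged-on user.
    Public LoggedOnUserAccountNumber As String
    ' (The listing closes a Sub at this point whose declaration and body are not reproduced.)
End Module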
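Imports System.IO
Imports System.Net
Imports System.Data.SqlClient
Imports System.Data
Imports System.Security.Cryptography

Public Class TokenManager
    ' Generates a one-time password and contacts the SMS gateway.
    Public Sub TAlert(ByVal AccountNo As String)
        ' Draw the 8-digit OTP from the OS CSPRNG. Rnd() without Randomize() repeats the
        ' same sequence on every program start, so it must not be used for tokens.
        ' Rejection sampling (discarding values >= 42 * 10^8) avoids modulo bias.
        Dim buf(3) As Byte
        Dim n As UInteger
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            Do
                rng.GetBytes(buf)
                n = BitConverter.ToUInt32(buf, 0)
            Loop While n >= 4200000000UI
        End Using
        Dim value As String = (n Mod 100000000UI).ToString("D8")
        Dim msg As String = "Your One Time Password for your Transaction is " & value
        If My.Computer.Network.IsAvailable Then
            Try
                ' NOTE: the gateway credentials are hardcoded and sent over plain HTTP in this
                ' listing; a deployment should load them from protected configuration and use HTTPS.
                ' As listed, the request only logs in to the gateway: msg is never appended to
                ' the URL, and the token is not written to tblOTP in this Sub.
                Dim baseurl As String = "http://www.smslive247.com/http/index.aspx?cmd=login&owneremail=fegwara@yahoo.com&subacct=bbi&subacctpwd=123456" '&message=A Message from VB.Net to test the functionality of SMS API &sender=VB.Net Application &sendto=2348063806032&msgtype=0"
                'Dim baseurl As String = "http://api.clickatell.com/http/sendmsg?user=fegwara&password=XeAbgbMOFcAAIZ&api_id=3612508&to=2348032353712&text=" & msg
                Using client As New WebClient()
                    Using data As Stream = client.OpenRead(baseurl)
                        Using reader As New StreamReader(data)
                            Dim a As String = reader.ReadToEnd()
                        End Using
                    End Using
                End Using
            Catch ex As Exception
                MsgBox("Unable to Reach the SMS Gate Way, Please Click the Resend Token Link on the Form.")
            End Try
        Else
            MsgBox("There is no Network Availabe Now, Please Click on Resend Token When Network is Available")
        End If
    End Sub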
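    ' Returns True only when a row in tblOTP matches both the account number and the token.
    ' NOTE: as listed, the query checks neither the token's expiry time nor whether it was
    ' already used; a caller relying on the two-minute limit must enforce it separately.
    Public Function ValidateOTP(ByVal Code As String, ByVal AccountNo As String) As Boolean
        Dim ValidOTP As Boolean = False
        Try
            Dim db As New dbcodes
            db.ConnectDatabase()
            Using cmd As New SqlCommand
                cmd.Connection = db.cn
                ' Parameterised query: user input is never concatenated into the SQL text.
                cmd.CommandText = "Select * from tblOTP where AccountNo=@AccountNo and Token=@Token"
                cmd.Parameters.AddWithValue("@AccountNo", AccountNo)
                cmd.Parameters.AddWithValue("@Token", Code)
                Using dr As SqlDataReader = cmd.ExecuteReader
                    ValidOTP = dr.HasRows
                End Using
                cmd.Parameters.Clear()
            End Using
        Catch ex As Exception
            ' Fail closed: any database error leaves the OTP rejected.
            ValidOTP = False
        End Try
        Return ValidOTP
    End Function
End Class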
Public Class Form1
    Private Sub btnCancel_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnCancel.Click
        frmStart.Show()
        Me.Close()
    End Sub

    ' Text box that most recently received focus.
    Dim currTextBox As TextBox
    Private Sub TextBox_Focus(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles txtAccount.Enter, txtPwd.Enter
        currTextBox = DirectCast(sender, TextBox)
    End Sub
Private Sub btn0_Click(ByVal sender As System.Object, ByVal e As System.EventArgs)
Handles btn0.Click, btn1.Click, btn2.Click, btn3.Click, btn4.Click, btn5.Click, btn6.Click,
btn7.Click, btn8.Click, btn9.Click, btnZ.Click, btnY.Click, btnX.Click, btnW.Click, btnV.Click,