Security in Automated Teller Machines (ATM)

Devashish Kamble
Nov 6 · 5 min read

An automated teller machine (ATM) is an electronic telecommunications device that enables customers of financial institutions to perform financial transactions, such as cash withdrawals, deposits, transferring funds, or obtaining account information, at any time and without the need for direct interaction with bank staff.

Security is essential to the proper functioning of an ATM. The main security concerns are:

  1. Physical
  2. Transactional secrecy and integrity
  3. Customer identity integrity
  4. Device Operation integrity
  5. Jackpotting

One common ATM security vulnerability involves so-called phantom withdrawals. A phantom withdrawal is a cash withdrawal from an ATM where money has been withdrawn, and neither the customer nor the bank admits liability. ATMs generate a coded message, known as an Authorization Request Cryptogram, which card issuers use to authenticate the card and card data.

Data Encryption Standard (DES)

ATMs originally used a mathematical formula, or algorithm, known as the Data Encryption Standard (DES), to encrypt personal identification numbers. DES is a block cipher that encrypts data in blocks of 64 bits each: 64 bits of plain text go in as the input to DES, which produces 64 bits of cipher text. The same algorithm and key are used for encryption and decryption, with minor differences. The key length is 56 bits. Below are the steps involved in DES at a broad level:

  1. In the first step, the 64 bit plain text block is handed over to an Initial Permutation (IP) function.
  2. The initial permutation is performed on the plain text.
  3. Next, the initial permutation (IP) produces two halves of the permuted block, say Left Plain Text (LPT) and Right Plain Text (RPT).
  4. Now LPT and RPT each go through 16 rounds of the encryption process.
  5. In the end, LPT and RPT are rejoined and a Final Permutation (FP) is performed on the combined block.
  6. The result of this process is the 64 bit cipher text.

Figure: DES Outline

However, increases in computing power for personal computers have rendered DES insecure for ATM applications; ATMs using DES have been breached within 24 hours.

Triple Data Encryption Standard (TDES)

Triple DES, which came to the rescue after the failure of DES, is a symmetric key block cipher that applies the DES cipher algorithm three times to each data block. Before using 3TDES, the user first generates and distributes a 3TDES key K, which consists of three different DES keys K1, K2 and K3. This means that the actual 3TDES key has length 3×56 = 168 bits. The encryption scheme is illustrated as follows:

Figure: 3 Key Triple DES

The encryption-decryption process is as follows:

  • Encrypt the plaintext blocks using single DES with key K1.
  • Now decrypt the output of step 1 using single DES with key K2.
  • Finally, encrypt the output of step 2 using single DES with key K3.
  • The output of step 3 is the ciphertext.
  • Decryption of a ciphertext is the reverse process. The user first decrypts using K3, then encrypts with K2, and finally decrypts with K1.

Triple DES is significantly more secure than DES, because an exhaustive search of its much longer encryption key is not realistic. According to the National Credit Union Administration, all new ATM installations since 2002 have been required to employ triple DES encryption.

Advanced Encryption Standard (AES)

The National Institute of Standards and Technology announced the adoption of a new encryption standard, known as the Advanced Encryption Standard (AES), intended to replace DES. AES performs all its computations on bytes rather than bits. The number of rounds in AES is variable and depends on the length of the key: AES uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys. Each of these rounds uses a different 128-bit round key, which is calculated from the original AES key.

The schematic of the AES structure is given in the following illustration:

Figure: AES Structure

AES encryption consists of the following steps:

Byte Substitution (SubBytes): The 16 input bytes are substituted by looking up a fixed table (S-box) given in the design. The result is a matrix of four rows and four columns.

ShiftRows: Each of the four rows of the matrix is shifted to the left. Any entries that ‘fall off’ are re-inserted on the right side of the row. The shift is carried out as follows:

  • The first row is not shifted.
  • The second row is shifted one (byte) position to the left.
  • The third row is shifted two positions to the left.
  • The fourth row is shifted three positions to the left.
  • The result is a new matrix consisting of the same 16 bytes but shifted with respect to each other.

MixColumns: Each column of four bytes is now transformed using a special mathematical function. This function takes as input the four bytes of one column and outputs four completely new bytes, which replace the original column. The result is another new matrix consisting of 16 new bytes. It should be noted that this step is not performed in the last round.

AddRoundKey: The 16 bytes of the matrix are now considered as 128 bits and are XORed with the 128 bits of the round key. If this is the last round then the output is the ciphertext. Otherwise, the resulting 128 bits are interpreted as 16 bytes and we begin another similar round.

Decryption of an AES ciphertext is similar to the encryption process, carried out in the reverse order.
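The four steps above, applied as one round to the round-1 state of the FIPS-197 Appendix B example, as an added Python example that is not part of the original post. The S-box is computed from its definition rather than copied in, and the two hex vectors are the public FIPS-197 test values; everything else (function names, column-major state layout) is this example's own choice.

```python
# Added example (not the post's code): one AES round built from the four steps above,
# checked against FIPS-197 Appendix B round-1 vectors; S-box derived from its definition.
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF
        b >>= 1
    return p

def sbox_byte(x):
    """S-box entry: multiplicative inverse (0 stays 0), then the affine map."""
    inv = next((y for y in range(256) if gf_mul(x, y) == 1), 0)
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SBOX = [sbox_byte(x) for x in range(256)]  # SBOX[0x00] == 0x63

# State is column-major: byte i sits at row i % 4, column i // 4 (AES input order).
def sub_bytes(state):
    return [SBOX[b] for b in state]

def shift_rows(state):
    # row r rotates left by r positions; bytes that fall off wrap to the right
    return [state[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]

def mix_columns(state):
    out = []
    for c in range(4):
        a = state[4 * c:4 * c + 4]
        out += [gf_mul(a[0], 2) ^ gf_mul(a[1], 3) ^ a[2] ^ a[3],
                a[0] ^ gf_mul(a[1], 2) ^ gf_mul(a[2], 3) ^ a[3],
                a[0] ^ a[1] ^ gf_mul(a[2], 2) ^ gf_mul(a[3], 3),
                gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ gf_mul(a[3], 2)]
    return out

def add_round_key(state, round_key):
    return [s ^ k for s, k in zip(state, round_key)]

def aes_round(state, round_key, last=False):
    """One round: SubBytes, ShiftRows, MixColumns (skipped in the last round), AddRoundKey."""
    state = shift_rows(sub_bytes(state))
    if not last:
        state = mix_columns(state)
    return add_round_key(state, round_key)

# FIPS-197 Appendix B (128-bit key): state entering round 1 and round key 1.
ROUND1_START = bytes.fromhex("193de3bea0f4e22b9ac68d2ae9f84808")
ROUND_KEY_1 = bytes.fromhex("a0fafe1788542cb123a339392a6c7605")

def demo():
    """Hex state after round 1; FIPS-197 lists a49c7ff2689f352b6b5bea43026a5049."""
    return bytes(aes_round(list(ROUND1_START), ROUND_KEY_1)).hex()
```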

The only way for an unauthorized person to decrypt data encrypted with AES is a so-called brute force attack, which involves testing all possible values of the encryption key, so AES is significantly more secure than DES or triple DES. AES was approved by the U.S. government as the commercial standard for encrypting sensitive digital information, including the financial data used by ATMs, in 2003.

Hence, until someone gets access to a huge amount of computation power, all the ATM data is secure!

Thanks a lot for reading :)
