LITERATURE REVIEW
2.0 Introduction
In today’s world, many individuals across the globe make payments electronically as opposed to in person or in cash. The ATM (Automated Teller Machine) provides monetary services to individuals in numerous nations. Existing ATMs are based on a PIN (Personal Identification Number), which is not highly secure as a means of authentication, so there is a need for a more secure way of authentication, and the fingerprint biometric feature is utilized for providing such security. The system exploits the biometric database of individuals as a password alongside the PIN (Personal Identification Number). The security features of the ATM are enhanced largely for the dependability and reliability of customer recognition.
Biometrics can be defined as measurable physiological and behavioral characteristics that can be captured and subsequently compared with another instance at the time of verification. It is an automated method of recognizing a person based on a physiological or behavioral characteristic. It is a measure of an individual's unique physical or behavioral trait which can be used in validating or authenticating an individual. Common physical biometric characteristics include fingerprint, hand or palm geometry, retina, iris and face, while popular behavioral characteristics are signature and voice. Biometrics-based authentication offers several advantages over other authentication methods. Fingerprint technology, in particular, can give considerably more precise and reliable client validation.
2.1 Review of Related Studies
An ATM framework called Dyna-Pass was proposed by Duvey Anurag Anand. In this framework the client accesses his/her account using a debit card through the ATM machine with the use of a PIN. The ATM machine reads this card and checks the PIN with the bank server through a dedicated network. The bank server then connects to the SMS (short messaging system) center with a randomly generated password called the Dynamic Password. Then, using the mobile phone network, the SMS center sends the password to the Base Transceiver System (BTS). The BTS then sends it to the client’s cell phone. Finally, the client gets this dynamic password and enters it into the ATM machine. The ATM machine again affirms this dynamic password with the bank server and afterwards responds to the client.
An ATM framework was proposed by Amurthy and Reddy in which an embedded fingerprint system was utilized for ATM security applications. In their system, bankers collect customers’ fingerprints and cell phone numbers while opening accounts. The ATM machine works such that when a customer places a finger on the fingerprint module, it automatically generates a different 4-digit code each time and sends it as a message to the mobile phone of the authorized customer through a GSM modem connected to the microcontroller. The code received by the customer is entered into the ATM machine by pressing the keys on the touch screen. After entry, the machine checks whether the code is legitimate and permits the customer further access if it is confirmed. The system proposed by Amurthy and Reddy differs from the one in this project in the sense that in this project, the customer uses a fixed password that the customer has set by himself/herself and not a dynamically generated one each time he or she wants to make a transaction. Amurthy and Reddy's system is not flexible, as it does not give room for a third party to make transactions on behalf of the real account owner, but this project does.
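The dynamic-password step that Dyna-Pass and the Amurthy and Reddy system both rely on, shown from the bank server's side as an added example (not code from either cited work). The class name, the 120-second validity window and the three-attempt limit are assumptions; a 4-digit code has only 10,000 possible values, so single use, expiry and the attempt limit carry most of the security.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 120  # assumed validity window for a dynamic code
MAX_ATTEMPTS = 3        # assumed number of tries before the code is discarded


class DynamicCodeIssuer:
    """Hypothetical bank-server component that issues and checks 4-digit codes."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # per-server secret for the keyed digest
        self._pending = {}                   # account -> outstanding code record

    def _digest(self, account, code):
        # Store a keyed digest bound to the account, never the code itself.
        msg = f"{account}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, account, now):
        """Generate a fresh code; the caller hands it to the SMS/GSM channel."""
        code = f"{secrets.randbelow(10_000):04d}"  # CSPRNG, not random.random()
        self._pending[account] = {
            "digest": self._digest(account, code),
            "expires": now + CODE_TTL_SECONDS,
            "attempts_left": MAX_ATTEMPTS,
        }
        return code

    def verify(self, account, code, now):
        """Return 'accepted', 'rejected', 'locked', 'expired' or 'no_code'."""
        rec = self._pending.get(account)
        if rec is None:
            return "no_code"
        if now > rec["expires"]:
            del self._pending[account]
            return "expired"
        rec["attempts_left"] -= 1
        # Constant-time comparison avoids leaking how much of the code matched.
        if hmac.compare_digest(rec["digest"], self._digest(account, code)):
            del self._pending[account]  # single use: a replayed code finds nothing
            return "accepted"
        if rec["attempts_left"] == 0:
            del self._pending[account]  # stop guessing against the same code
            return "locked"
        return "rejected"


if __name__ == "__main__":
    issuer = DynamicCodeIssuer()
    sent = issuer.issue("acct-0001", now=0)       # constructed account id
    print(issuer.verify("acct-0001", sent, now=30))   # accepted
    print(issuer.verify("acct-0001", sent, now=31))   # no_code (replay)
```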
Von Graevenitz talked about biometric verification in relation to payment systems and ATMs: a verification framework which will replace the combination of possession of ATM cards and PIN with only biometrics for more convenience. He proposed an idea in which an infrared machine scans the fingerprint for approval and validation. It compares the fingerprint layout with the ones stored in the database and, if there is a match, it allows access for the transaction; otherwise it denies access. The disadvantage of this framework is the one-factor authentication it provides for security purposes, because it is not safe to use biometrics as the only measure of verification.
A system was likewise proposed by Sselina and Oruh in an article titled “Enhanced ATM Security System Using Biometrics”, in which they presented the importance of the biometric methodology. They proposed that biometrics is the only viable approach for ATM security, that the level of security must be understood by decision makers before using biometric systems, and that they must also be well aware of the difference between the user's perception of security and the reality of security. The biometric system is the only process that will assume a vital part in the verification as well as the authentication process, and other parts of the entire process will also play a comparable part in determining its adequacy.
Adeoti (2011) expressed that the issue of ATM frauds is a worldwide phenomenon, that its consequences are on bank patronage, and that it should be of concern to the stakeholders in the banking industry. In his paper, he identified the dimensions of ATM frauds in Nigeria and proposed possible solutions that will put ATM frauds in the Nigerian banking system under check. His paper employed both primary and secondary data to investigate the ATM frauds in Nigerian banks. The chi-square statistical technique was used to analyze the data gotten and test the hypothesis raised in the course of the analysis. The paper concludes that both bank customers and the bank have a joint role to play in bringing to a head the spread of ATM frauds in the banking industry. Card jamming, shoulder surfing and stolen ATM cards constitute 65.2% of ATM frauds in Nigeria.
Susmita Mandal, in “A Review on Secured Money Transaction with Fingerprint Technique in ATM System”, wrote that the biometric ATM system is very secure in the light of the fact that it meets expectations of data contained within its body parts. Biometrics is uniquely bound to individuals and may offer organizations a stronger method of authentication and verification. A biometric ATM is very useful and also very difficult to implement.
The first semi-automatic face recognition system was developed by Woodrow W. B. under contract to the US government. This system requires the administrator to spot specific features such as the eyes, ears, nose and mouth on the photograph. This system depends exclusively on the capacity to extract usable feature points that are compared to the reference data.
The United Arab Emirates (UAE) utilizes iris recognition on foreigners entering the UAE through air, land, and sea ports. Each traveler is compared against about a million Iris Codes on a watch-list, and billions of comparisons are made each day. Iris recognition is also used for staff at Manchester Airport for access control in the United Kingdom. It controls the access of staff to limited zones in the airport by utilizing access-control portals combined with iris recognition cameras. The aggregated number of clients in this system is about 25,000. This has enhanced the manual checking procedures formerly utilized at the airport. IRIS (Iris Recognition Immigration System) has been used at several air terminals in the United Kingdom to clear immigrants in a quick and secure way. Enrollment takes about 5-10 minutes and recognition takes about 20 seconds.
Chioma (2010) identified some ways by which fraudsters get PIN numbers from clueless cardholders by creating deceitful websites on which they post fictitious prize promos, e.g. (www.interswitchatmcard.com), to lure greedy customers. On this site, they ask customers to submit vital information which includes their PIN number. This confirms that greed is one of the challenges that fuel the perpetration of fraud in this part of the world. It is also reported that watching the hands while a cardholder types his/her PIN number is one way a fraudster gets at a customer's account and has unauthorized access. It has also been reported that handheld devices that can read card information are available and were used on a victim. She also reported that a camera can actually be installed to record PINs as they are typed by the consumers.
2.2 The Automated Teller Machine (ATM)
Automated teller machines (ATMs) were introduced to automate the work of a bank cashier. The machine is designed to apportion money to bank customers, and ATMs in advanced countries can take deposits of cash and cheques from customers. An ATM can perform other varying activities, such as paying of bills, cash transfer, purchase of recharge cards, etc. But, on average, an ATM can dispense cash on demand and presentation of a Personal Identification Number (PIN). It is thus an important aspect of the banking sector and a very important transaction method that has come to stay and cannot be ignored.
The automated teller machine was first started in 1960 by City Bank of New York on a trial basis; the purpose of the machine then was for customers to pay utility bills and get receipts without a bank clerk attending to them. ATMs are now located not only at bank sites but also at a number of business areas for the convenience of customers. Global ATM market forecast research conducted by Retail Banking Research Limited shows that 1.8 million ATMs are in use worldwide today and the figure is predicted to reach 2.5 million by 2013. In Nigeria, the first bank to use an ATM was the moribund Societe Generale (SGBN) in 1990. The trademark name for SGBN’s ATM was “Cash Point 24”. First Bank Plc., one of the first generation banks then, came on stream with their own ATM in December 1991, a year after SGBN. They also gave a trademark name, “FIRST CASH”, to their ATM. That of SGBN was the drive-in system, while that of First Bank was through-the-wall. Access to an ATM in today's world is through the use of a Personal Identification Number (PIN) and a plastic card that contains magnetic strips with which the customer is identified. The bank gives the PIN to the customer directly and the customer is instructed not to reveal the number to anybody or a third party. Apart from the need to ensure the safety of the ATM card, its surface strips should be well taken care of, otherwise the machine may reject the card despite the fact that the PIN number is entered correctly.
Peter and Sylvia (2008) stated that an ATM combines a computer terminal, recordkeeping system, and cash vault in one unit, permitting customers to enter a financial firm’s bookkeeping system with either a plastic card containing a Personal Identification Number (PIN) or by availing a special code number into a computer terminal linked to the financial firm’s computerized records 24 hours a day.
Ogunsemore (1992) defined an ATM as “a cash dispenser which is designed to enable customers enjoy banking service without coming in contact with Bank Tellers (Cashiers)”.
Biometrics is a measurable physiological and behavioral characteristic that can be captured and later be compared with another instance at the time of verification. The method is automated in recognizing a person based on a physiological or behavioral characteristic (CALD3).
The common physical biometric characteristics include the fingerprint, hand or palm geometry, retina, iris and facial scans, while common behavioral characteristics are signature, handwriting, keystrokes and voice match. Biometric technologies are a very secure way of authentication because biometric data are unique, cannot be shared, cannot be copied and cannot be lost.
ATM security is of great importance. Thus, I will be working on implementing biometrics (fingerprint) as an additional security measure to the existing personal identification number (PIN) and ATM card. I would also be using a pattern recognition technique. Fingerprints have two distinct features: no two fingerprints are the same, and fingerprints never change. ATM crime has now become a nationwide issue that faces not only customers, but also the bank operators. Advancement and development in security measures can curtail these crimes. These measures and the checking of ATM crimes are of great importance for the continual usage and implementation of the E-banking system and cashless economy in Nigeria.
2.3 Types of ATM Frauds
1. Skimming Attack: This is the most popular ATM fraud in which a skimmer device (card swipe device) is placed at the ATM slot. The skimmer downloads the personal data of everyone who inserts his/her card into the ATM machine and allows the fraudster to duplicate the customer’s ATM card. A single skimmer device can store information for more than 200 ATM cards before being reused.
2. Card Trapping: In this case, a trapping device is placed inside the ATM machine by an authorized person to capture or trap a customer’s card. Here, when the user leaves the ATM machine without his/her card, the card is retrieved by the criminal and used to gain access to the customer’s account illegally and probably transfer or withdraw funds from the customer’s account.
3. Phishing Attack: Phishing scams are designed to lure ATM users into providing the card number and PIN of their ATM card. In this case, the scammer sends an e-mail to the user claiming that the user's account information is incomplete or that the user needs to update his/her account information to prevent the account from being closed. The user is asked to click on a fraudulent link and then follow the directions provided. The site directs the user to input sensitive information such as card number and PIN. The information is collected by the scammer and then used to create a duplicate card.
5. ATM Malware: This is an attack which requires an insider, such as an ATM technician who has a key to the machine, to place the malware on the ATM. After this act, the attacker inserts a control card into the machine's card reader that acts as malware. This gives him/her control of the ATM machine and the ATM’s keypad. The malware captures magnetic stripe data and PIN codes from the private memory space of the transaction processing application installed on an ATM.
6. ATM Hacking: In this case, an attacker uses sophisticated programming techniques to break into a website which resides on a financial institution's network. Bank systems are accessed to locate the ATM database and also to collect card information, which is later used to make a clone card.
7. Physical Attack: Physical attacks are attempts on the safe inside the ATM machine through mechanical means with the intention of breaking the safe to collect the money. This can also be done when the ATM is being serviced.
8. Fraudulent Placement: This is a case where ATM card production requests are made without any indication from the account owner. This is commonly done by bank employees.
2.4 Categories of Biometric
Biometric characteristics of a person are unique, and most such traits are impossible to copy and reproduce exactly. All biometric identifiers can be divided into two big groups:
Physiological
Behavioral
Physiological: Physiological systems are considered to be more reliable, as the individual features of a person that are used by these systems do not change under the influence of psycho-emotional state. Physiological systems of identification deal with statistical characteristics of a person: fingerprints, iris recognition, hand geometry, DNA, face recognition, palm print.
Behavioral: Behavioral methods of identification pay attention to the actions of a person, giving the user an opportunity to control his actions. Biometrics based on these methods take into consideration a high level of inner variation (mood, health condition, etc.), which is why such methods are useful only in constant use. Behavioral, sometimes called psychological, characteristics such as voice, gait and typing rhythm are influenced by psychological factors. In light of their capacity to change, such characteristics should be renewed constantly. Behavioral characteristics are influenced by controlled actions and less controlled psychological factors. As behavioral characteristics can change over time, registered biometric traits should be renewed at every use. Examples of behavioral biometric features are voice, gait, etc.
2.5 Types of Biometric
2.5.1 Finger Print
A fingerprint is a set of skin lines named ridges and the empty spaces between two continuous ridges, named valleys. These fundamental characteristics are used in classifying the three global shapes of pattern, namely arches, loops and whorls. The normal estimate of ridge-to-ridge frequency is about half a millimeter and the normal estimate of valley-to-ridge height is about 0.1mm. By convention, the unique pattern which the inked finger would leave on paper is known as the fingerprint. Fingerprint recognition is based on the imaging of the fingertips. The structure of a fingerprint’s ridges and valleys is recorded as an image or digital template (a simplified data format, minutiae-based most of the time) to be further compared with other images or templates for authentication or verification. Minutiae are peculiar points of the fingerprint where a ridge ends or bifurcates. Tens of such points may be extracted from a fingerprint, and they are enough to proceed with reliable fingerprint verification. This is the way in which the authentication process can be done to check the authenticity of the user.
Fig 2.1 Types Of Finger Print
2.5.2 Voice
Voice recognition is the process by which a computer or other type of device recognizes spoken words. Fundamentally, it means conversing with your computer, and having it correctly recognize what you are saying. Voice or speech recognition is the capacity of a machine or program to receive and interpret dictation, or to comprehend and carry out spoken commands.
At first, the user details have to be provided as input in the form of voice, as asked by the system. The system will then create a “.wav” document, and the generated file will then be saved in the database for future reference at the time of log in by the user. The user needs to give the same information given at the time of registration, and the system compares the recorded voice with the one saved in the database. In the event that both match, the user logs in successfully, else they are denied access. After a successful log in, the set of questions from the database shows up on the screen and is read by the system itself, and the user will speak out the answer as option A, B, C or D, which goes to the database where it is matched with the previously stored answer for comparison. Based on the comparison result, the system keeps a record of the user’s score. For correct matching, at the time of registration the system stores the user’s voice for A, B, C and D. These files are compared for matching the question answers later.
Comparison begins by storing two voices in .wav files. Then we plot both signals and try to match them. Direct comparison is done here by producing wav files through sampling, which is carried out by ascertaining the Fourier transform of each signal; next its power spectrum is plotted and afterwards truncated to form another power spectrum, with differences like noise and height of peaks normalized, resulting in a new power spectrum. Utilizing mathematical functions, we compute and plot an average power spectrum, which is also normalized, to compare it with the two individual voices, giving us the desired results.
Fig 2.2 Sample Of A Voice Pattern
2.5.3 Facial
All through the entire history of mankind, individuals have utilized the face in distinguishing one individual from another. A facial recognition system will check the human face and authenticate the user using pre-stored images of the user. There are different types of facial scan technology, ranging from software-only solutions that process images through an existing camera to full-fledged acquisition and processing systems including camera, workstation and back-end processor. Facial recognition technology utilizes an advanced camera to take a picture of the client and analyses facial attributes such as the separation between the eyes, mouth or nose. This information is stored in the database and used to compare with an individual standing before the camera. There are two types of facial recognition system. The first type is called Controlled Scene, in which the individual to be authenticated is located in a known environment with a negligible measure of scene variation. In this technique, the individual will stand before the camera, two feet from it. The system spots the client's face and performs matches against facial samples stored in the database. Sometimes the individual may need to verify more than once if the user changes his position from the picture stored in the facial database.
The second type is Random Scene. Here, the individual to be authenticated can appear anywhere within the camera scene. Facial scan technology is based on the standard biometric sequence of image acquisition, image processing, distinctive characteristic location, template creation and matching. A good picture is taken with a high resolution camera with moderate lighting and with the individual directly facing the camera. The enrollment images define the facial traits to be utilized in all future authentications. The issues in the image acquisition process include distance from the user, angled acquisition and lighting. The distance from the camera reduces facial size and thus image resolution. In addition, images of users with darker skin tone are difficult to acquire. After the issues of image acquisition are worked out, the process of image processing takes place. Color images are normally reduced to black and white, and images are cropped to emphasize facial characteristics. Pictures are standardized to account for orientation and distance. The principal picture can be broadened or reoriented so that the point between the eyes serves as a point of reference.
Fig 2.3 Sample Of A Facial Recognition Pattern
2.5.4 Retina
Retina scan technology makes use of the client’s retina, that is, the surface on the back of the eye that processes light entering the eye. The vein pattern on the retina is unique, i.e. no two individuals have exactly the same vein pattern on the retina, thus making it a suitable characteristic to be used in retina scan technology as one of the authentication characteristics. Infrared energy is absorbed faster by the veins in the retina than by the surrounding tissues. An analysis of the image of the enhanced veins on the retina then takes place in order to discover the unique patterns. Retina scan gadgets are utilized essentially for physical access applications and are generally utilized in environments which require a high level of security authentication. Getting blood vessel images using retina scan technology is extremely difficult because the retina is small and embedded, thereby requiring special hardware and software to scan and acquire its image.
The individual to be authenticated positions his eyes close to the unit's embedded lens with the eye socket resting on the sight. In order to acquire the retinal image, the user must look directly into the lens without moving. Movement makes it difficult for the computer to accurately capture the image of the retina, resulting in several attempts for the user. The vascular pattern of the retina is filtered utilizing a low power light source. A circular scan of the eye is performed and 192 reference points are taken before being converted into a digitized 96 byte template and stored in memory for the subsequent verification process. The registration procedure is lengthy, and registration can sometimes take more than 1 minute, with some users not being able to register at all. After the image is captured, software is utilized to convert the exceptional peculiarities of the retinal blood vessels into a template.
Panels: colored retina image; gray image of the retina; pre-processed gray image
Fig 2.4 Samples of Retina Images
2.6 Biometric Accuracy Criteria
The criteria below are utilized in ascertaining the precision and performance of a biometric device:
2.6.1 False Rejection Rate (FRR)
The false rejection rate, or FRR, is the measure of the probability that the biometric security system will erroneously prevent an authorized user from accessing the system. A system’s FRR is expressed as the ratio of the number of false rejections divided by the number of identification attempts. It is good to have a low FRR; however, if this low FRR is going to be achieved at a high cost, then the biometric solution needs to be re-examined.
2.6.2 False Acceptance Rate (FAR)
FAR is the measure of the likelihood that the biometric system mistakenly allows a non-authorized user access to the system. FAR is expressed as the ratio of the number of false acceptances divided by the number of identification attempts.
2.6.3 Failure To Capture Rate (FTC)
FTC is the number of attempts for which a biometric system is not able to produce reference layout of sufficient quality. It can also be defined as, the likelihood that the system fails to capture a biometric input even when presented the right way.
2.6.4 Failure To Enroll (FTE)
FTE is the extent of the client populace for which the biometric device is not able to produce reference samples of sufficient quality. It can also be defined as the number of times at which attempts to produce a template from an input failed. This is mostly brought about by low quality inputs. This incorporates individuals who, for physical or behavioral reasons, are not able to present the required biometric trait.
2.6.5 Equal Error Rate (EER)
EER is the rate at which both the accepted-fingerprint and rejected-fingerprint errors are equal. The lower the EER, the more precise the biometric device is considered to be.
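The FAR, FRR and EER definitions above, worked through on matcher scores as an added example that is not part of the original review. The similarity scores are constructed, and the convention that a score at or above the threshold is accepted is an assumption; attempts are counted per class (impostor attempts for FAR, genuine attempts for FRR).

```python
# Constructed similarity scores in [0, 1]; higher means a closer match.
GENUINE = [0.91, 0.88, 0.84, 0.79, 0.77, 0.72, 0.69, 0.64, 0.58, 0.41]   # authorized users
IMPOSTOR = [0.12, 0.18, 0.22, 0.27, 0.31, 0.35, 0.39, 0.44, 0.52, 0.61]  # non-authorized users


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) when a score >= threshold is accepted (assumed convention)."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def equal_error_rate(genuine, impostor):
    """Try every observed score as the threshold and return the operating
    point where FAR and FRR are closest; the EER is their mean at that point."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best["gap"]:
            best = {"gap": gap, "threshold": t, "far": far, "frr": frr}
    best["eer"] = (best["far"] + best["frr"]) / 2
    return best


def threshold_for_far(genuine, impostor, max_far):
    """Lowest observed threshold whose FAR does not exceed max_far, together
    with the FRR paid for it. FAR never rises as the threshold rises, so the
    first hit is the lowest. Returns None when no observed score qualifies."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    point = equal_error_rate(GENUINE, IMPOSTOR)
    print("EER %.2f at threshold %.2f" % (point["eer"], point["threshold"]))
    # A stricter operating point: no impostor accepted, more genuine users rejected.
    print("FAR <= 0:", threshold_for_far(GENUINE, IMPOSTOR, 0.0))
```

On these scores, tightening the threshold from the EER point to the zero-FAR point doubles the FRR, which is the cost trade-off section 2.6.1 refers to.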
2.7 Summary of Review
After careful study of related literature, it is a known truth that the utilization of ATMs for electronic transactions has come to stay, especially with the proposed cashless economy Nigeria is setting out on. Numerous transactions will be performed using plastic money, which will result in an increase in the purchase and utilization of ATM cards. ATMs render monetary services to people in many nations. Existing ATM machines utilize a PIN (Personal Identification Number), which is not highly secure as a means of authentication, therefore resulting in an urgent need for more privacy and security at ATM terminals. The fingerprint biometric feature is utilized for providing such security. Fingerprint scanning has gained acceptance as a reliable identification and verification process. The system exploits the biometric database of individuals as a password alongside the PIN (Personal Identification Number). The security features improve to a great extent the stability and dependability of customer recognition. From all the techniques looked into, both implemented and yet to be implemented, as well as from the issues identified with ATM machines, it can be reasoned that biometrics are great measures for checking ATM fraud.