This document proposes a low-cost enhanced authentication service for ATM and POS transactions. It analyzes the limitations of the current system, such as static PINs and easy-to-copy magnetic strips. The proposed solution would outsource authentication to a common hub supporting dynamic OTPs over different channels like SMS. This could help reduce fraud incidents while maintaining PCI security standards at a lower cost than existing options. However, the system would still rely on the instability of TCP/IP networks and require changes to enterprise mindsets and legal frameworks.

1. Low Cost Enhanced 3D Secure Authentication Service
For ATM and POS

2. Presented By –
Md. Shafiuddin Russel
Network and Security Specialist,
Bank Alfalah Ltd.
MSc. Eng. System Security, BUP
CISA, CEH
Ph: 01714073692
Email: engrussel@gmail.com

3. Our Team Name
Eagles IdeaEagles Idea

4. Project Objective
The objectives of our Project are:
Analysis the present Practices for ATM and POS Authentication.
Exploring the limitation.
Propose a new Technique.Propose a new Technique.
Prototype Development and live demo presentation.

5. Back Ground Analysis
It was Standard Chartered Bank (SCB) which introduced ATMs in
Bangladesh. The first booth was set up at Dhaka's Banani in 1993.
Now ATM And POS Machines are being popular in our country.
Bangladesh Central Bank has taken initiative to reduce the use of printedBangladesh Central Bank has taken initiative to reduce the use of printed
money and encouraging the financial institute on secure plastic currency.
According to the survey, the total number of credit and debit cards in the
country’s banking system stood at 80,85,834 as of August 31, 2013
while the banks set up a total of 22,224 POS and 14,000 ATM machine
around the country. The number of credit and debit card, and POS
terminals presumed to have increased much after the survey period.

6. NPS Statistic
Source : https://www.bb.org.bd/fnansys/paymentsys/natpayswitch.php

7. Jul-16, 734790
Mar-
Apr-15, 455518
NPSB Comparative Number of Transactions
Aug-
16, 865890
Mar-
15, 366410

8.  News: bdnews24.com, Date: 14/02/2016, url: http://goo.gl/kgxKOa
“Skimming devices were planted in six ATM booths of three banks to steal card
information and create duplicates, Bangladesh Bank investigators have found ”
 News: BD Business News, Date: 23/02/2016 url:http://goo.gl/zOXJQy
Some Fraud Scenario
“Four people including a foreigner allegedly involved in an ATM skimming scam
have been arrested in Bangladesh capital Dhaka ”
 News: bdnews24.com, Date: 18/05/2016 url:http://goo.gl/BwCNhQ
“After the arrest of a Chinese citizen over an ATM fraud, Prime Bank has said
two other foreigners, apparently Chinese, drew over Tk 500,000 from two other
booths in Dhaka ”

9. Number of frauds are parallely
increasing with number of
Learning:
increasing with number of
Transaction!

10. Internet of Things (IoT): number of connected devices worldwide from
2012 to 2020 (in billions)
https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/

11. Where our System will work
N.B: The internet of things (IoT) is the internetworking of physical devices

12. Limitation of Present System
Core Reason of Fraud:
1. Cards pin are Static
2. Magnetic Strip are Easy to Copy.
3. EMV Chip are Expensive. Magnetic Strip Card3. EMV Chip are Expensive.
4. NPS Not yet Support EMV.
5. All POS are not Support Online Pin.
6. Lack of Awareness.
Magnetic Strip Card
Chip Card

13. And 99% card fraud Incident
either done by Insider or During
Learning
either done by Insider or During
Authentication Process!

14. How to Overcome
Dynamic OTP
#A dynamic OTP is some thing which change dynamically and varies
from customer to customer ,transaction to transaction and have a life
time.

15. But Still There are some
Problems are allies
•In Enterprise, Insider (Sys Admin) or malware can compromise the OTP
System.
•The Payment Card Industry Data Security Standard (PCI DSS) practices are•The Payment Card Industry Data Security Standard (PCI DSS) practices are
not usually Maintain in the enterprise.
•RSA token is very Expensive and difficult to maintain for enormous
customer.

16. Our Proposed Mitigation Tech./System
1. Out Source the Authentication Process.
2. A common hub that support ATM, POS ,Web or any other platform.
3. Maintaining the PCIDSS standards.
4. Reducing the cost by no service no pay model.
5. Use different channel like SMS/ E-mail for sending OTP.
6. A complete Audit Trail.

17. •No OTP sent for ATM or POS Transaction.
•OTP are randomly generate from a seed.
• Administrator have the option to change
the seed or he can regenerate OTP if he
know the algorithm.know the algorithm.

21. Our System Limitation
1. We have to depend on unstable and non secure TCP/IP.
2. Network structure of Bangladesh are not so stable.
3. Enterprise stack holders mind sight are not yet ready for out sourcing
the authentication process.the authentication process.
4. No concrete law for settle the arbitration.

22. EndEnd

23. Magnetic Strip Card Architecture