CH673163A5 - - Google Patents

Description

DESCRIPTION

The present invention relates to a method for protecting against unauthorized access to information which is entered into an apparatus by pressing the keys on a keyboard and is transmitted from the keyboard in the form of electrical signals to a processor unit via electrical lines.

Nowadays, a magnetic card is often used as a "key" to access money and goods. Examples of this technique are the outer card readers at petrol stations and the ATMs of the "ATM" type "R" and "Minute" R operated with so-called ATM cards. In the latter case, it is of course very important that only the rightful owner can use the card to withdraw cash and that no third party can withdraw money with a forged card. In order to prevent fraudsters who have copied, found or stolen a magnetic card from someone else or who have somehow got hold of such a card, the cards are provided with a personal code, a so-called PIN code (Personal Identification Number) that must be entered in the machine before a cash withdrawal is possible. For example, the PIN code has a specific relationship to the information embossed on the magnetic card, which must be checked and found to be correct before it is possible to withdraw money. The test is carried out either in the automatic computer or in a central computer. In the latter case, the PIN code is encrypted by the machine computer before it is transferred to the central computer.

US Pat. No. 4,234,932 describes a system that makes it difficult for a thief to withdraw cash from an ATM,

if he does not have the magnetic card and the PIN code at the same time. The system comprises an end station with a card reader, a random number generator, a PIN code signal generator, a security unit and an acknowledgment mechanism.

The system also includes a central computer for receiving the card data, a signal (9) that connects the PIN code with the memory location (X) of the customer in the memory, and a random number (w). The computer delivers an authorization signal, which consists of the sum (Z) of the 5 three signals mentioned above. The authorization signal is compared in the security unit with the PIN code entered by the customer and with the random number (w), and if a specific relationship between them is satisfied, a release signal is fed to the acknowledgment mechanism.

However, such a system, which uses both a card and a PIN code, is not yet theft-proof. A thief can observe a potential victim who is about to enter his code with the intention of somehow later obtaining the victim's card.

In order to make spying a code more difficult, EP-84116 154.0 proposes an arrangement by which unauthorized persons can be prevented from reading the PIN code of a customer simply by spying on the movement of the fingers when entering the code.

The arrangement comprises a keyboard and a display field which indicates which keyboard key corresponds to which number. The meaning of each key can thus be changed at regular intervals; This means that a code that has just been entered cannot be determined simply by observing the finger movements. In addition, the chances a thief has to withdraw large sums of money are limited by the rules on the maximum amount that can be withdrawn from an ATM during a certain period of time and by the possibility the victim has of his account lock.

A greater risk for banks is the possibility that a fraudster will connect to the lines of an ATM when data is being transmitted 35 in order to receive information about both the magnetic card and the PIN code of a large number of cards. By producing adulterated cards and using the intercepted codes, the unauthorized person can withdraw cash from a large number of different accounts and thus come into possession of large sums of money.

The unauthorized person has three basic options for extracting important information from the ATM. The first possibility is that the unauthorized person 4s switches on the lines that connect the local computer of the machine to the central computer and intercepts the signals transmitted thereon. In order to make access to important information more difficult, all critical data transmitted between the local computer and the central computer is encrypted. The second option is for the unauthorized person to switch on and read the program code for the local computer in order to have access to the encryption and / or control algorithms. However, this could be prevented by using a 55 security chip recently developed in the USA, which makes it impossible to read the program code. Finally, the third possibility is for the unauthorized person to tap the signals on the lines between the keyboard and the local computer and between the 60 card readers and the local computer. The only way to protect this part of the ATM is to physically protect it, which is unsatisfactory for security reasons. Persons with authorized access to the inside of the ATM can easily install spy circuits. The physical protection of this part would mean that not everyone could use a keyboard with any keys; the buttons should rather be specially designed,

673163

which would make the keyboard more cumbersome and complex.

It is therefore the purpose of the present invention to provide a new method for preventing access to devices such as an ATM. The method should be applicable to existing ATMs and not require extensive and costly installations.

This object is achieved with the aid of a method of the type mentioned at the outset, which is characterized in that the processor unit receives signals via the lines in separately distributed reception periods, and between the reception periods the processor unit sends signals that simulate keystrokes to them Lines.

The maximum time interval between two consecutive reception periods must of course be considerably shorter than the shortest duration of a keystroke, so that there is no risk that an attack is skipped.

An unauthorized person switching on the lines between the keyboard and the local computer of the ATM is therefore unable to decide when real keystrokes take place, and thus also unable to decide which PIN code belongs to which information on the card used in the ATM. To increase security even more, the duration of the gaps between the reception periods can be changed stochastically or unsystematically, as is the case with the duration of the simulated keystrokes and their frequency.

The advantages of the method according to the present invention, as described here, are that it can be applied to existing ATMs, that it does not require complex or costly installations, and that the physical protection requirements for this particular part of the ATM are low , which also enables the use of keyboards other than those used today.

An exemplary embodiment of the invention is explained in more detail below with reference to drawings. It shows:

1 is a schematic representation of the components of an ATM,

Fig. 2 is a timing diagram for signals, such as may occur between the keyboard and the computer of an ATM, as well as real and simulated keystrokes according to the method according to the present invention.

The ATM shown schematically in Fig. 1 consists essentially of a keyboard 21, a card reader 22 and a computer 23. The keyboard 21 is designed in a matrix and comprises four row lines ao to a3 and four column lines do to d3, one Form a matrix in which each intersection between a row and a column corresponds to a key. In the embodiment shown, the keyboard thus has sixteen keys 1 to 16. The lines ao to a3 and do to d3 are connected to the computer 23, which has a central unit, a so-called ROM memory (read-only memory), a so-called RAM memory (random-access memory), data busses, address Breasts and input-output units in a conventional design. Such a computer can be, for example, the 8751 circuit manufactured by Intel.

The computer 23 has an input 24 connected to the card reader 22, an output 25 connected to a central computer (not shown) and to the address lines ao to a3 or to the data lines do to d3 address outputs AO to A3 or Data connections DO to D3. Thus, at least the data connections DO to D3 are bidirectional, which means that depending on the programming they can work both as inputs and as outputs.

5 Someone who wants to withdraw cash from an ATM of the type described inserts his magnetic card into the card reader 22 in a known manner and enters his PIN code via the keys on the keyboard 21. The computer 23 receives the magnetically coded information xo of the card via the input 24 connected to the card reader and stores the keystrokes by sequentially emitting a signal “1” to the address outputs AO to A3 and by reading the data inputs DO to D3 received signals «0» and «1» for 15 each of these outputs.

In order to prevent anyone from misusing a customer's PIN code by tapping lines ao to a3 and do to d3, computer 23 only reads the information at data inputs DO to D3 during 20 specific reception periods. These reception periods must have such a high frequency that there is no risk of the computer skipping a keystroke. The longest time interval between two reception periods must therefore be significantly shorter than the shortest possible keystroke. The duration of the time intervals between two reception periods is changed stochastically or unsystematically; and during these intervals the connections DO to D3 are switched into outputs by the program.

30 The computer 23 emits keystroke simulating signals on lines do to d3. The duration and frequency of the simulated keystrokes are changed stochastically or unsystematically to make it even more difficult for someone who connects to the lines to find out which keystrokes are real.

These stochastic changes in duration and frequency are controlled by a program stored in a computer memory, which program uses the function of a random generator. 40 To prevent someone who connects to the lines from finding the real keystrokes by determining the current direction of the signals on the data lines do to d3, the signals that sense or simulate the keystrokes are as short as possible 45, in such a way that they also contain a minimum of energy. This means that you have to have very complicated and expensive equipment to determine the direction of flow of these signals.

To further explain the method according to the present invention, FIG. 2 shows a schematic representation of the signals as they occur, for example, on the address lines ao to a3 and data lines do to d3 in the arrangement according to FIG. 1 can, as well as the corresponding real and simulated keystrokes. The 55 figure, which illustrates ten cycles 1 to 10 of a scan of the keyboard, has a time axis for the individual address lines ao to a3 and the individual data lines do to d3. Below that is another time axis on which the real keystrokes are shown. At the bottom of 60 of the figure there is a further time axis in which simulated keystrokes are indicated.

The time axes assigned to the address lines ao to a3 illustrate how the 65 computers can scan the keyboard by sequentially entering a “1” signal on these address lines ao to a3. For each "1" signal sent by the computer to an address line, the computer reads the input signals of the data lines during the reception periods, which are shown in the

673 163

light execution correspond to the cycles with the circled numbers 1, 2, 7 and 10 by programming the connections DO to D3 as inputs. During cycles 1 and 2, the data line d2 thus receives a “1” signal if a “1” signal is transmitted to the address line a2 because the 7 key was pressed. During cycles 3 through 6, connections DO through D3 are again programmed as outputs, and in the illustrated embodiment, the computer simulates a stop on key 9 by entering a “1” signal on the data line do during cycles 4 and 5 if the address line ao is supplied with a signal «1». During cycle 7, the data connections DO to D3 are again programmed as inputs. Since no key is pressed during this period, inputs DO to D3 only receive «0» signals.

During cycles 8 and 9, a stroke of key 3 is simulated in that the computer sends a «1» signal to data line d2 during the period in which address line a3 is supplied with a «1» signal delivers. If a real keystroke now begins, for example, during cycle 9, it would not be perceived by the data lines do to d3. During cycle 10, which is a reception period, on the other hand, this keystroke is registered as a “1” signal on the data line d2 when the address line ai is supplied with a “1” signal. For someone who taps the signals of the data and address lines, the situation will be as if key 7 during cycles 1 and 2, key 9 during cycles 4 and 5, key 3 during Cycles 8 and 9 and the button

11 would be pressed during cycle 10. Someone who taps the lines therefore has no way of determining which signals are due to which real keystrokes.

5 In order to thwart a line tapper even more, it is of course possible to program the address outputs AO to A3 as inputs switchable and to have them scan the keyboard during certain reception periods by using outputs DO to D3 as io address Outputs are needed.

Of course, the scanning need not take place in such a way that the computer emits a “1” signal to the address lines ao to a3 in the order according to this example; rather, this order can be chosen arbitrarily 15 and even switched from one cycle to another.

The person skilled in the art will probably notice that he can also work with a negative logic, that is to say that the real or simulated keystrokes can also be indicated by “0” signals.

Although the present invention has been described with regard to an ATM in accordance with the foregoing, it can of course also be used for equipment of any type in which secret information is entered via a keyboard and transmitted to a processor unit of any type. In addition, the invention is not restricted to a keyboard with a 4 • 4 matrix; rather, it can also be used in keyboards of various sizes and types.

B

2 sheets of drawings

Claims (5)

673163 PATENT CLAIMS 1. A method of protecting against unauthorized access to information entered into an apparatus by pressing the keys of a keyboard (21) and from the keyboard in the form of electrical signals via electrical lines (ao to a3, do to d3) to a processor Unit (23) is transmitted, characterized in that the processor unit (23) receives signals via the lines in separately distributed reception periods, and that between the reception periods the processor unit outputs signals that simulate keystrokes to these lines. 2. The method according to claim 1, characterized in that the maximum time interval between two successive reception periods is significantly shorter than the shortest duration of a keystroke. 3. The method according to claim 1 or 2, characterized in that the duration of the gaps between the reception periods is changed stochastically or unsystematically. 4. The method according to any one of claims 1, 2 or 3, characterized in that the duration of the simulated keystrokes is changed stochastically or unsystematically. 5. The method according to any one of claims 1 to 4, characterized in that the frequency of the simulated keystrokes is changed stochastically or unsystematically.