FI85637B - SAETT ATT FOERHINDRA OBEHOERIG AOTKOMST AV INFORMATION. - Google Patents

Description

1 85637

A method to prevent unauthorized access to information

The present invention relates to a method for preventing unauthorized access to information which is fed to the device 5 by pressing a key on a keypad and which is transmitted from the keypad in the form of electrical signals by electrical conductors to a processing unit.

Today, in many contexts, a magnetic card is used as a "key" to obtaining money and goods. Pre-

10 signs of this are debit card machines at petrol stations R R

and ATMs of the ATMomat and Minute type for withdrawing money. In the latter case in particular, it is, of course, very important that no one other than the legitimate cardholder can use it to withdraw money and that no one prefers to be able to withdraw money with a counterfeit card. In order to prevent dishonest people who have forged, found, stolen or otherwise obtained someone else's magnetic card from being able to get out of the money, 20 combines a personal code, the so-called PIN (Personal Identification Number) that must be entered into the machine to allow the machine to be made. Namely, there is a certain connection between the PIN code and the information on the magnetic card, which is monitored and which must be correct in order for the withdrawal to be accepted. The check is performed by either the machine's computer or the mainframe.

: In the latter case, the PIN code is encrypted by the computer on the machine before it is sent to the central computer.

U.S. Patent No. 4,234,932 discloses a system that specifically makes it more difficult for a fraudster to withdraw money from an ATM without using both a magnetic card and a PIN. The system comprises a remote terminal with a card reader, * 35 a random number generator, a PIN signal generator, a security device and a banknote feeder. The system also includes a central computer that receives the card data, a signal (1f) that connects the PIN to a user file (X) in memory and a random number (w). The computer provides an acknowledgment signal consisting of the sum (Z) of the three signals mentioned above. This acceptance signal is compared in the security device with the PIN code entered by the user and a random number (w) and if there is a certain relationship between them, an output signal is given to the banknote feeder.

However, not even such a system with both card 10 and PIN is sure of fraudsters. A cheater can spy when a thoughtful victim enters his or her code to obtain one or the other card later for himself or herself.

However, espionage of the code can be made more difficult by means of the device disclosed in EP 0 147 837, which should prevent unauthorized access to the user's PIN code only by observing the user's finger movements when he enters the code. The device comprises a keyboard and a character window. The character window shows which number each of the 20 keys on the keyboard corresponds to. The meaning of each key can thus be changed at regular intervals, as a result of which the code to be entered cannot be determined solely by observing finger movements.

Furthermore, the ability of a fraudster to withdraw 25 large sums of money is limited by the limits on how much money is allowed to be taken in a given period of time: out through a vending machine and by allowing the victim to close their account.

: · .: A greater security risk for banks is the possibility that a dishonest person can connect to the wires of the ATM, with which information is transferred and in this way access both the PIN code and the mag-. information about a large number of cards. By making a set of counterfeit cards and 35 using modified PINs, such an unassuming · · · · • · 1 3 85637 honest person could be able to withdraw money from very many accounts and thus gain access to large sums of money.

In principle, there are three ways for a cheater to access important information in a hoist-5 tomato. The first possibility is that the cheater connects to the wires between the local computer in the hoist and the mainframe computer and listens to the signals transmitted between them. To make it difficult to obtain important information, all critical information sent between the local computer and the mainframe computer is encrypted. Another possibility is that a fraudster infiltrates a local computer and reads its program codes, thus gaining access to cryptographic and / or control algorithms. However, this can be prevented by using a security chip now published in the USA, which makes it impossible to read the program code. A third possibility, finally, is for the cheater to listen for signals on wires between the keypad and the local computer, and between the magnetic card reader and the local tie-20 token. The only way known so far to protect this part of the lifting machine is to physically protect it. However, this is not satisfactory from a safety point of view. Persons with access to the lifting machines can, without much difficulty, continue to attach to them 25 devices which enable listening. The physical protection of this part further includes that a keypad with any type of keypad cannot be used, but must be formed in a certain way, which makes the keypad more clumsy and expensive.

It is therefore an object of the present invention to provide a new way of preventing access to information which is fed to devices of the lifting machine type. The method should be able to be used with existing 35 vending machines and should not require extensive, expensive installations. 1 ♦ • · »4 85637

The object is achieved as described in the introduction, characterized in that the processing unit receives signals from the conductors during separate reception periods and that the processing unit provides signals to said conductors between the reception periods simulating keystrokes.

The maximum time interval between two consecutive reception periods must, of course, be substantially shorter than the shortest duration of a key press, so that there is no risk of any key press being lost.

Thus, an irrelevant wired connection between the key table and the local computer in the machine cannot determine when the actual keystrokes occur and is thus unable to resolve the PIN associated with the card information used in the machine. To further increase security, the duration of the time periods is allowed to vary randomly between the periods as well as the duration and frequency of the simulated keystrokes.

The described method according to the invention has the advantages that it can be applied to existing lifting machines, does not require expensive or extensive installations and reduces the physical protection requirements of this part of the lifting machines, which allows the use of other keypads than those used today.

In the following, the present invention will be described by means of one exemplary embodiment with reference to the accompanying drawings. Figure 1 schematically shows the parts included in the lifting machine. Fig. 2 is a time diagram and schematically shows an example of the appearance of the signals between the computer of the hoisting machine and the keypad ____: both actual ... and simulated keystrokes when using the method according to the present invention. 1 · • · m 5 85637

The lifting machine schematically shown in Fig. 1 essentially comprises a key table 21, a card reader 22 and a computer 23. The key table 21 is of the matrix key table type and consists of four horizontal conductors α1-ag and four vertical conductors dQ-dg in the figure, which form a matrix each intersection point between the horizontal and vertical wires corresponds to a key. In the embodiment shown, the tent table 21 thus has 16 keys 1-16. The wires ag -10 ag, dg - dg are connected to a computer 23, which conventionally comprises a central processing unit, read-only memory, direct access memory, data buses, address buses and I / O units, and which may be, for example, a circuit 8751 made by Intel. connected si-15 rule input 24, output 25 not connected to the central computer shown, and address outputs AO to A3 connected to the address conductors α1-ag and data conductors dg to d3, data inputs / outputs DO to D3, respectively. Thus, at least the latter are bidirectional, i.e. they can act as both inputs and outputs depending on how they are programmed. j

A person who is to withdraw money from a withdrawal machine of the type shown will, in a well-known manner, insert his magnetic card into the card reader 22 and enter his PIN-25 code using the keys on the keypad 21. The computer * - · 23 receives the magnetically coded information on the card at its input 24 connected to the card reader 22 and registers keystrokes by alternately assigning one to the address outputs AO to A3 and reading the zeros and ones obtained for the data inputs DO to D3 for each of them.

To prevent someone from listening to the wires ____; ag - ag and dQ - dg can obtain the user's PIN codes, the computer 23 reads the information only into the data input *. 35 inputs DO-D3 during certain reception intervals.

: / ·· These reception intervals must have such a high frequency of 1 · 2 • «· 2 6 85637 that there is no risk of the computer losing a keystroke. The longest interval between two reception periods must thus be substantially shorter than the shortest conceivable keystroke. The duration of the time slots between the two reception time periods is changed randomly, and during these time slots the DO to D3 are reprogrammed as outputs. The computer 23 sends out signals simulating keystrokes on the lines dg - d ^. The duration and frequency of the simulated 10 keystrokes are randomly changed to further make it difficult for the listener to decide which keystrokes are genuine.

These randomly varying durations and frequencies are controlled by a program-15 stick stored in the computer's memory that utilizes a random number generation function.

In order for the listener not to be able to sort out real keystrokes by examining the current direction of the signals on the data conductors dg to d ^, the signals that 20 simulate correspondingly simulating keystrokes are made as short as possible and given the lowest possible energy content. This results in the need for very complex and expensive hardware to be able to detect the direction of flow of these signals.

In order to further illustrate how the method according to the invention works, Fig. 2 shows a schematic example of the signals on the address and data lines ag to a3. dg to d3 in the device shown in Fig. 1 / .: and the corresponding real and simulated keystrokes can be displayed. In the figure showing the keypad 10 scanning period 1 to 10, there is a time axis for each address line aQ to a3 and data line dQ to d3. Further below them is a time axis on which the actual keystrokes are shown and at the bottom of the figure there is another time axis on which the simulated keystrokes are shown. The time axes show the address for the conductors ag - a3, • · 7 85637 how the computer senses the keypad by alternately giving a high signal "1" to the address conductors aQ - a ^. For each high signal given by the computer to the conductor, it reads during the reception time periods, which in the example shown are surrounded by periods 1, 2, 7 and 10, the input signals on the data conductors, the data inputs / outputs DO to D3 being programmed as inputs. During periods 1 and 2, the first data is thus obtained for line d2 when a high signal is applied to address line 10a2 because the key 7 is depressed. During periods 3-6, the data inputs / outputs DO to D3 are reprogrammed as outputs, and in the example shown, the computer simulates pressing key 9 by providing a high signal to data line dg during periods 4 and 5 when address line α1 is up. During period 7, the data input / outputs DO to D3 are reprogrammed as inputs again. Since no key is pressed during this period, only zeros are input to inputs DO-D3. During periods 8 and 9, the pressing of the key 3 is simulated so that the computer gives one to the data line d2 during the time period when the address line α1 is high. Also, if the actual keystroke, as shown in the example, is started during period 9, this will not be visible on the data lines dg - d ^. In contrast, during the period 10 25, which is the reception period, this key press is displayed as one on the data line d2 when the address line a1 is up. For those listening to signals on the data: and address wires, it thus appears as if the key * / *) 7 was pressed during periods 1 and 2, key 9 during periods 4 and 5, key 3 during periods 8 and 9, and key 11 during period 10. It is not possible for the listener to decide which signals come from actual keystrokes.

... In order to further complicate the operation of the listener, it is of course also possible to allow the address outputs AO-A3 to be reprogrammed as inputs and during certain 8 85637 reception periods to swipe the keypad using the outputs DO-D3 as address outputs.

Of course, the scanning does not have to take place either, so that the computer gives one to the address conductors AO to A3 in the order shown in the example. This can be arbitrary and even vary from episode to episode.

Furthermore, one skilled in the art will recognize that negative logic may be used as well, i.e., zeros represent actual or simulated keystrokes. The present invention has been described with reference to a hoist, but of course the method according to the invention can be used in all devices in which secret information is entered via a keypad and transferred to some type of processing unit. The invention is also not limited to a 4x4 matrix keypad, but can be applied to different sized and different types of keypads.

Claims (5)

9 85637 A method for preventing unauthorized access to information which is entered into the device via keystrokes on the keypad 5 (21) and which is transmitted from the keypad via electrical signals by electrical conductors (aQ - a ^, dQ - d ^) to the processing unit (23), characterized in , that the processing unit (23) receives signals from the conductors during the reception time periods 10 and that the processing unit (23) during said reception periods provides signals to said conductors simulating keystrokes. A method according to claim 1, characterized in that the maximum time interval between two consecutive reception periods is substantially shorter than the duration of the shortest key press. Method according to Claim 1 or 2, characterized in that the duration of the time interval between reception time periods is changed in a random manner. Method according to Claim 1, 2 or 3, characterized in that the duration of the simulated keystrokes is changed in a random manner. Method according to one of the preceding claims, characterized in that the frequency of the simulated key presses is changed in a random manner. Λ Λ • · · 10 85637