WO2006034713A1 - Secure display for atm - Google Patents

Secure display for atm Download PDF

Info

Publication number
WO2006034713A1
WO2006034713A1 PCT/DK2005/000616 DK2005000616W WO2006034713A1 WO 2006034713 A1 WO2006034713 A1 WO 2006034713A1 DK 2005000616 W DK2005000616 W DK 2005000616W WO 2006034713 A1 WO2006034713 A1 WO 2006034713A1
Authority
WO
WIPO (PCT)
Prior art keywords
display
keypad
secure
templates
computer system
Prior art date
Application number
PCT/DK2005/000616
Other languages
French (fr)
Inventor
Per Christoffersen
Martin Wallengren-Nilsson
Original Assignee
Sagem Denmark A/S
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sagem Denmark A/S filed Critical Sagem Denmark A/S
Publication of WO2006034713A1 publication Critical patent/WO2006034713A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82Protecting input, output or interconnection devices
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F19/00Complete banking systems; Coded card-freed arrangements adapted for dispensing or receiving monies or the like and posting such transactions to existing accounts, e.g. automatic teller machines
    • G07F19/20Automatic teller machines [ATMs]
    • G07F19/206Software aspects at ATMs
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1025Identification of user by a PIN code
    • G07F7/1091Use of an encrypted form of the PIN

Definitions

  • the present invention relates to a computer system for implementation of non-trusted software for management of banking systems such as ATMs More specifically the invention relates to a security system and method for management of templates.
  • Terminals such as POS machines and ATMs are widely known and used by many people for withdrawal of money, printing receipts, payment of bills, transaction of money, purchase of products etc.
  • POS machines and ATMs are widely known and used by many people for withdrawal of money, printing receipts, payment of bills, transaction of money, purchase of products etc.
  • a credit card of some kind is used together with a PIN code in order to verify the cardholder.
  • non-secret input such as amounts or account numbers on the ATM
  • secret input such as a PIN code
  • a computer system for displaying templates the system comprises:
  • a display operable in two or more modes for displaying templates
  • a keypad operable in two or more modes
  • a secure module a computer comprising (non-trusted) program/software, the computer controlling the display and keypad, said secure module being programmed to
  • a method for management of templates in a computer system comprises: a display operable in two or more modes for displaying templates, - a keypad operable in two or more modes, a memory comprising templates, a secure module, a computer comprising a (non-trusted) program/software, the computer controlling the display and keypad, the method comprising the steps of: displaying an approved template comprising a secure window and an approved picture/message at the display, upon a signal from the computer, in the secure window display limited messages/information sent from the (non- trusted) program.
  • a method for creating a set of approved templates in a computer system the computer system comprises:
  • a secure module a computer comprising a template database
  • the method comprises the steps of: choosing a template(s) from the template database,
  • the template(s) in the second database as approved template(s).
  • the approved template(s) comprises a secure window and an approved picture/message.
  • a computer system for storage of templates the system comprises:
  • a display for displaying templates and approved templates, a keypad operable in two or more modes, - a secure module, a computer comprising (non-trusted) program/software controlling the display and keypad, and a memory for storing approved templates wherein the approved templates comprises a secure window and an approved picture/message.
  • the present invention thus allows for a company to use templates from a non-trusted software for management of a point of purchase system such as an ATM.
  • a point of purchase system such as an ATM.
  • both the display and keypad have at least two modes.
  • the display may have a controlled/restricted mode and a transparent mode while the keypad preferably has a secure mode and a non-secure mode.
  • the display may in the transparent mode show templates from a non-trusted source such as from application software provided by a company.
  • the display When the display is in the controlled/restricted mode the display preferably shows approved templates as will be described below.
  • the display and keypad may be dependent on each other's mode.
  • the mode of the display or keypad may be mutually dependent on each other, or the mode of the display may be dependent on the mode of the keypad, or the mode of the keypad may be dependent on the mode of the display
  • the computer system may be programmed to set the display in transparent mode when the keypad is in secure mode.
  • the display preferably has to be certain that the keypad is in secure mode since it is the display that will make the security critical decisions.
  • the display may receive an acknowledgement signal that the keypad is in secure mode.
  • the signal may be sent from the keypad, computer or the secure module.
  • the signal is preferably sent from the keypad using cryptographic methods so that the display can verify the authenticity of the signal.
  • the computer system may be programmed to set the display in controlled/restricted mode before the keypad switches to non-secure mode.
  • the keypad preferably has to be certain that the display is in controlled/restricted mode. In this case preferably the keypad makes the security critical decision.
  • the signal is preferably sent from the display using cryptographic methods so that the keypad can verify the authenticity of the signal.
  • Security critical decision may occur when one part of the system changes from a secure state to a less secure state, e.g. when the display changes from controlled/restricted mode to transparent mode or when the keypad changes from secure mode to non-secure mode.
  • the keypad is in secure mode and the display is in transparent mode.
  • the system may want to switch to non-secure mode, thus in this case the keypad will switch to non-secure mode.
  • the keypad may change its mode into non-secure mode.
  • both the display and keypad may be set in controlled/restricted and secure mode.
  • the computer system may be implemented to avoid interdependency between keypad and display modes.
  • the keypad may encrypt information aimed to be shown in the display by use of a first key, "display key”, while encrypting information aimed to the host computer with a second key, "host key”.
  • the display only has access to the "display key” and will decrypt the message when is set in controlled/restricted mode. When the display is set in transparent mode the message from the keypad will not be decrypted.
  • This implementation allows showing information from the keypad in the display only in the situation when the keypad is in non secure mode and the display is in a controlled/secure mode, additionally in this situation the decrypted information is also forwarded to the non-trusted application software. For example when the keypad is in non secure mode and the display is in a controlled/secure mode an amount entered by the user will shown to the user on the display and also sent to the host computer via the non-trusted application software.
  • the application software installed in the computer may control the keypad and display. However at least a part of the signals sent from the computer is preferably transmitted through the secure module.
  • the secure module may control the keypad and the display so that at least a part of the management of the templates, modes, signals and cryptography is centralised in the secure module.
  • the computer in the computer system preferably hosts a software management module.
  • the management module may be the non-secure software application that is used.
  • the computer also comprises a communication interface to a host computer outside the terminal. By communicating with the host computer, the computer in the terminal is able to access accounts and other information relating to a customer.
  • templates are used in the present invention.
  • templates there are two kinds of templates: original templates and approved templates.
  • the original templates are templates comprising information such as messages, figures, pictures movies or any other information being presentable on a display. Moreover they may also comprise windows for input/output of information.
  • the elements that constitute a template are considered the objects of the template.
  • the original templates may be created by a "non-trusted" company. Hence the software providing the original templates is non-trusted software.
  • Objects to be included in a template can be among others: a word, an image, a colour, a message, a vector based graphic, a bitmap based graphic, a movie or any other information being presentable in a display.
  • the modular creation of the templates ensures the possible adaptation of the templates for other purposes with a minimum amount of change in the structure of the template.
  • Secure objects are objects that have been approved to be included in a specific template.
  • An object to be included in a template becomes a secure object if the object when displayed alone or in composition with other secure objects of the template does not represent an un-secure meaning or threat.
  • Approved templates are templates that contain secure objects or have been approved as a whole, e.g. assigned a certain security status by a super-user or a network administrator.
  • the secure objects in a template may be chosen among the objects as presented above.
  • Preferably approved templates have been stored in a certain database. They may be encrypted or protected in any other way so as to ensure that they are not modified before, during or after use.
  • the approved templates may comprise one or more secure windows/fields, one or more approved picture/message and in general one or more secure objects.
  • a super-user or administrator may create the secure window so that it has the correct location and size in the approved template in relation to an original template that may be "behind" the approved template in the display.
  • a non-trusted program is able to display messages/information through the secure window/field.
  • the secure window may comprise one or more transparent area(s).
  • the actions may be to input secure information or non-secure information etc.
  • a user should e.g. not be mislead to input secure information when the keypad is in non-secure mode.
  • the display may display original templates from the (non-trusted) program when the display is in the transparent mode.
  • the keypad preferably has to be in secure mode in order to avoid the case when both the keypad and display is in non- secure/transparent mode. In such a case the keypad cannot keep the PIN code secret and non-trusted application software can display any message on the display.
  • the approved templates may be stored in a second database that may be located at a different location in relation to the first database comprising the original templates.
  • the second database may be stored in any of the devices in the system. Hence the second database may be located in the memory of the keypad, the display, the secure module or in the computer, depending on the architecture of the system.
  • the templates may be encrypted before storage, thus they can be stored in encrypted form. This makes it harder for a person such as a hacker to access and amend the templates in the database.
  • the keypad may encrypt the approved templates before sending them to the display.
  • the display may comprise a decryption device for decrypting the encrypted templates.
  • the secure module in the computer system may comprise a processor for encryption and decryption of data, and a memory for storage of the approved templates.
  • the computer in the computer system may comprises a memory wherein the approved templates may be stored.
  • the approved templates are preferably encrypted before storage in the memory so that no amendments may be made to them.
  • the templates may be encrypted before storage, and the decryption key may be stored in the display, secure module or keyboard. In this way, if somebody tries to modify the stored template he can only modify the stored message, and when the message later is decrypted the content of the message will be severely distorted.
  • This method saves storage space compared to using a MAC (Message Authentication Code), where both the correct message and the corresponding MAC must be stored.
  • An alternative is to use a MAC that spans the complete set of secure templates, in this case only one MAC needs to be stored regardless of the number of secure templates.
  • digital signatures may be used instead of using MAC.
  • the number of approved templates might be large because the templates have to cover both normal operations for the customers and more special operations used during service and installation. Furthermore some templates might exist in several different languages.
  • the display may not be able to verify the integrity of the message, but if it has been tampered with it will be completely distorted due to the fact that the decryption tends to spread the modifications over the complete text, this is true for some cryptographic algorithms.
  • the secure module may be integrated in either the display or the keypad. However, preferably it is located in the display.
  • the secure channel may be established by one or more of the devices in the system such as by the computer, secure module, display or, keypad.
  • the secure channel is established by cryptographic methods that can differentiate information from the keypad aimed to the display from information from the keypad aimed to a host computer.
  • An alternative solution for the implementation of the secure channel is by sending acknowledgement signals or messages in the case where display or keyboard wants to change modes; furthermore, if the templates are stored outside the display, a secure channel may be used for the transport of secure templates.
  • Another solution is to integrate the display and keypad in to one physical unit, in this case the physical connections between the two devices is harder to access. It would only be possible if someone attaches a cable to the physical connection between the two devices. Therefore the module enclosing the internal devices, is carefully designed so that it is very hard to access the internal electronic.
  • the module enclosing the sensitive parts may comprise sensors that starts an alarm and/or sets the terminal in a standby or a closed mode if some one tampers with the enclosing.
  • the standby or closed modes can only be changed by a trusted agent such as an employee having the status to do this.
  • sensors may be mechanical sensors that detect if someone opens the terminal or any of the devices inside the terminal. Furthermore the sensors may be electrical sensors that detects if cables are or contacts are interrupted or if the electrical signals changes. If any of these events occurs the terminal should go in to standby/closed mode, so that no information may be accessed by a third part.
  • the display may be a touch-display.
  • the display may have both the functions of displaying templates and receiving input from a user.
  • encryption of the data may be necessary.
  • the cryptographic techniques used in this invention may be any standard symmetric or asymmetric algorithm
  • the keypad and display can be two separate physical devices they may comprise means for encryption and decryption of data. If the templates are stored in the keypad the keypad preferably comprises means such as a processor for encryption of data and the display comprises means for decryption of data.
  • the keypad preferably comprises means such as a processor for cryptographically protecting data of data and the display comprises means for cryptographical verification of data.
  • the data that may be encrypted is data preferably relating to the display, data relating to commandos for the display and data relating to templates.
  • the system may comprise one or more cryptographic keys in order to be able to process encrypted templates, Pin codes etc.
  • the method for management of templates in the system may furthermore comprise any of the steps such as:
  • control signal may be the same as the acknowledgement signal described above.
  • control signal may comprise data so that the keypad and display are able to set up the secure channel. It may also relate to a template signal telling the display or keypad which template to use.
  • the system will present original information from the keypad in the display only when the display is in controlled mode and the keypad is in non-secure mode.
  • Original information from the keypad will not be displayed in any of the following other mode combinations of keypad and display; display in transparent mode and keypad in secure mode; display in controlled mode and keypad in secure mode; display in transparent mode and keypad in non-secure mode.
  • Implementation of the secure channel by encryption does not require control of the order in which display and keypad change from one mode to another.
  • the system may be controlled so that the keypad and display knows that the other device, thus the display or keypad is in a mode according to the security standards that is approved for the system, therefore the method managing the templates in the system may further comprise one or more of the steps:
  • the display may display original templates from the (non-trusted) program when the display is in the transparent mode and when the keypad preferably is in secure mode.
  • For the system to know which template to chose the method may also comprise the step of sending a (template) signal.
  • a (template) signal may be sent from the computer and/or keypad and/or secure module and/or display to the keypad and/or computer and/or display and/or secure module, for selecting an approved template.
  • the signal may at least comprise information about which template to chose. However the signals may also comprise other instructions for the keypad and/or display.
  • the approved templates are stored in the memory of the computer the approved templates are preferably encrypted or protected by other cryptographic methods such as MAC.
  • the method may then comprise the steps of: - the program in the computer chooses a template, according to the action that will take place on the display. Since the system interacts with customers the customers will provide the system with input about what template that will be displayed next. Usually the users only have a limited number of options decided by the system provider.
  • the method may comprise the following steps: - sending a template signal from the computer to the display.
  • the program in the computer may chose the template that will be displayed on the display. The decision is preferably taken according to an input from a customer using the system
  • the method may comprise the following steps:
  • the program in the computer may chose the template that will be displayed on the display.
  • the method may comprise the following steps:
  • the secure module may be integrated either in the display or keyboard. If the secure module is stored in the display it may not be necessary to establish a secure channel between the secure module and display. Thus the method may be amended accordingly.
  • the method and system described above may preferably be implemented by one ore more computer programs being programmed to perform the necessary functions.
  • Fig 1 illustrates one embodiment of the system architecture.
  • Fig 2 illustrates an implementation of the Secure Module.
  • Fig. 3 illustrates an embodiment of the system furhter comprising a printer, banknote dispenser and databases for storage of templates.
  • Fig. 4 illustrates an embodiment of the secure module.
  • Fig. 5 illustrates a second embodiment of the system wherein the display and keypad are integrated in one unit.
  • Fig. 6 illustrates the embodiment shown in figure 3 further illustrating alternative location of the second database for storage of approved templates, and an alternative location of the control module.
  • Fig. 7 illustrates the modular structure of secure objects that can be included in a template.
  • Fig. 8 illustrates an example of an approved template wherein several possible secure objects have been included.
  • the keypad is used for two types of data:
  • Pin codes, PIN codes are supposed to be confidential, and the keypad is designed to keep the pin code confidential by encrypting it inside the keypad, before it is transmitted out of the keypad. Also the PIN is not shown on the display of the ATM, usually only a string of '*' are shown, to indicate the number of digits entered.
  • the keypad preferably has two modes “Secure Mode”, for entry of PIN codes, and “Non Secure Mode” for entry of other data.
  • a customer arrives at the terminal and inserts his/her card.
  • the terminal may ask about the PIN code that is related to the card.
  • the customer will thus input secure information. Now the system must be sure that the secure information may not be revealed to a third part.
  • the keypad switches to secure mode before input may be received.
  • the normal operation of an ATM is that the Application software (App SW) in the ATM sends signals to the keypad to switch from non-secure to secure mode. At the same time it shows suitable instructions on the ATM's display, like "Enter your PIN code" when in secure mode.
  • a security problem may arise if the application SW is faulty or fraudulent.
  • the Application SW could show the message "Enter your PIN Code" on the display, while setting the keypad in Non Secure Mode.
  • the ATM User would enter his PIN on the ATM, but the PIN would be sent directly to the (fraudulent) application SW, and thus the PIN code would be exposed.
  • non-secure information the system should display the input on the screen so that the customer can verify that he/she inputs the correct numbers.
  • the keypad should preferably switch to non-secure mode.
  • the display and keypad may have two modes:
  • the display may at least have the following two modes- Transparent mode and controlled mode.
  • these modes are characterized by the following features:
  • the Display preferably only shows a few fixed and approved templates, and the application SW has very limited access to the display.
  • the application SW can only show small data like amounts, account numbers etc. through the secure windows in the template.
  • the keypad may have the following two modes: Secure mode and non-secure mode.
  • Secure mode In the case the secure channel is established by means of sending acknowledgement messages, these modes are characterized by the following features:
  • - Secure mode where the keypad receives input related to secure information such as PIN code etc.
  • the input is stored inside the keypad and is encrypted before it is sent outside the keypad.
  • Non-secure mode where the keypad receives input not related to non-secure information. In this case the information may be sent directly outside the keypad.
  • - Transparent Mode The display does not decrypt any message received from the keypad.
  • the display decrypts all messages that are received from the keypad using a first key, "display key”.
  • display key a first key
  • the secure channel is established by encryption methods the following features related to encryption may be added to the description above as features of the secure and non-secure modes of the display
  • Non-secure mode Information originated from the keypad is encrypted by using a first key, "display key”.
  • Figure 1 illustrates one embodiment of the system architecture.
  • the Secure Module is integrated with the display.
  • the transactions and actions that may occur in this embodiment of the system.
  • the keypad (4) sends a message to the Secure Module (2), instructing the Secure Module to set the display in transparent mode, - meaning that the Video Signal from the Application Sw (7) is sent unchanged to the Display ( 1).
  • the ATM Application SW (3) preferably also inform the Secure Module (2) about which of the approved templates it wants to be displayed.
  • the Secure Module (3) preferably only switches the display to transparent mode when it receives a unique, original and correct message (acknowledgement signal) from the keypad (4).
  • the keypad (4) preferably only switch to Non Secure Mode when it has received an acknowledgement signal that the Secure Module (2) has switched to Controlled Mode.
  • a security analysis shows that there are no security critical operations in this embodiment in case the secure channel is established by encryption methods.
  • connection Messages for Secure Module (8) is important for the security. This connection may be implemeted in several different ways:
  • the Keypad and Secure Module may be built together so that the Messages for Secure Module can not be tampered with.
  • the keypad and Secure Module can be two separate devices connected by a tamper resistant cable -
  • the keypad and Secure Module can be two separate devices connected by a logically secure connection, employing cryptographic methods Hence a secure channel may be established.
  • Approved templates are templates that contain secure objects or have been approved as a whole, e.g. assigned a certain security status by a super-user or a network administrator.
  • a tree structure illustrates different type of secure objects a template developer may choose from when building a template.
  • Secure objects to be included in a template can be among others: secure words, secure images, secure colors, secure messages, secure graphics or secure bitmaps.
  • the modular creation of the templates ensures the possible adaptation of the templates for other purposes with a minimum amount of change in the structure of the template.
  • An example of a template based on secure objects is shown in Fig.8.
  • the Secure module (2) and Display (1) preferably only show a finite number of approved templates. The process of approving templates is important for the security. Approval tool
  • the authority that approves templates is preferably the company who is responsible for the operation of the ATM, and who might be liable to economial losses in the case of fraud.
  • an approval tool is used that allows the appropriate authorities to issue approved messages.
  • the approval tool can take advantage of the modular creation of templates that contain secure objects. For example in the template presented in Fig.8 changes in the template involving only changes to a secure word, e.g. "US$", or a secure message, e.g. "Enter amount”, may be pre-defined and pre- approved according to a list of countries and languages where the templates are expected to be used.
  • the approved templates can either be stored inside the Secure Module, or they may be stored externally.
  • the templates is preferably protected against unauthorized modification. This may be done by encrypting the messages, and letting the Secure Module posess the decryption key.
  • the approval tool will in this case hold the corresponding encryption keys.
  • the cryptographic method used can be any standard symmetric or assymmet ⁇ c algorithm.
  • This access control may comprise different cryptographicmeans in order to authenticate a user accessing the Secure Module.
  • the computer preferably controlling the terminal further comprises a communication interface (17), so that the computer is able to communicate with a host computer outside the terminal.
  • the system may comprise an authentication device able to authenticate a user/customer by using biometrics such as fingerprint, scanning of ins etc.
  • biometrics such as fingerprint, scanning of ins etc.
  • the software architecture may be described as follows-
  • the XFS Manager has two interfaces XFS API's (application Program Interfaces) and XFS SPI's (Service Provider interfaces).
  • XFS API's application Program Interfaces
  • XFS SPI's Service Provider interfaces
  • ATM manufacturer provides the XFS interface and the Service Provider parts.
  • Application software may have many providers, such as independent software providers, the banks owning the ATM or by local sales offices of the ATM manufacturer. This may result in many different application software depending on country, bank and usage of the ATM.
  • the mechanism that triggers changes in the modes of the display/keypad may be embedded in the XFS Service Provider for the Display. In this way it is transparent to the Application SW when the approved templates are used.
  • Figure 2 illustrates an implementation of an embodiment of the Secure Module.
  • the Secure Module preferably implement transparent fields (windows), that allows parts of the original display picture to be seen through the approved template (picture) that the Secure module generates.
  • the basic operation principle is that when the keypad instructs the Secure Module to set the display in Transparent Mode, the Control Electronics ( 13) directs the video signal from the application SW ( 12) directly to the Display for Customer ( 11).
  • the Control Electronics may select one of the approved templates from the Approved Message database ( 16), and sends this template to the Display for Customer (11).
  • the approved template there are one or more transparent fields (10), that allow small parts of the Video Picture from Application SW ( 12) to be seen. This severely limits the templates that the application SW can display, and thus prevents that a fraudlent application SW may display misleading messages for the customer.
  • the Approved templates preferably contains information about the location and shape of the transparent fields (10).
  • the approved templates may be stored in digital form comprising information about the transparent fields.
  • the information about the transparent fields may be stored as numerical information either together with the stored approved template or separeted from the stored approved template.
  • the information about the transparent fields may contain data about the location, size, shape etc.
  • the location, size, shape is described as a set of coordinates (x,y, length, width).
  • some specific feature of an object or the template itself e.g. a specific colour, may be chosen to indicate that this part of the template is transparent.

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Finance (AREA)
  • Storage Device Security (AREA)

Abstract

A security system and method for point of purchase terminals such as for ATMs. The system is suitable for receiving and handling both secure information and non-secure information. In order to secure that the information is treated confidentially the terminal contains a keypad operable in two modes, a display also operable in two modes and approved templates that may only be displayed according to predetermined rules granted by an administrator.

Description

SECURE DISPLAY FOR ATM
FIELD OF THE INVENTION
The present invention relates to a computer system for implementation of non-trusted software for management of banking systems such as ATMs More specifically the invention relates to a security system and method for management of templates.
BACKGROUND OF THE INVENTION
Terminals such as POS machines and ATMs are widely known and used by many people for withdrawal of money, printing receipts, payment of bills, transaction of money, purchase of products etc. Usually a credit card of some kind is used together with a PIN code in order to verify the cardholder.
The market for this kind of machines are increasing, a lot of different providers of hardware and software have entered the market. In most cases the hardware supplier and software supplier are two different entities. Thus companies wanting to improve their service to customer might have to buy hardware from one supplier and software from another supplier. Hence companies may have to install software with a non-trusted origin into its hardware system.
It is common that an ATM is used for withdrawal of cash, and also for more complex transactions like transfer of money between accounts, or for paying bills etc. In these systems there is a need to enter two types of input: non-secret input such as amounts or account numbers on the ATM, along with secret input such as a PIN code. Hence the same keypad is used for entry of non-secret and secret information. This may cause problems to existing systems. Thus there is a demand for a versatile system that can handle both types of input so that the secret information is kept secret and not revealed to a third party.
Banks and other credit card companies have very high demand regarding security systems wherein PIN codes are used. Concurrently with the increase of hacker attempts on the systems using PIN codes, the security demands increases.
SUMMARY OF THE INVENTION
Thus it is an object of the present invention to provide a solution for improving the security in banking machines such as ATMs.
It is an advantage achieved by the present invention to provide a system and method able to receive both secret and non-secret input.
It is further an advantage achieved by the present invention to implement application software from a non-trusted supplier into a system in a secure way. It is further an advantage achieved by the present invention to prevent fraudulent persons or organizations to interfere with the functionality of the system
It is further an advantage achieved by the present invention to facilitate handling of transactions and information.
BRIEF DESCRIPTION OF THE INVENTION
According to a first aspect of the invention the above object and advantages are achieved by providing a computer system for displaying templates, the system comprises:
- a display operable in two or more modes for displaying templates, a keypad operable in two or more modes, a secure module, a computer comprising (non-trusted) program/software, the computer controlling the display and keypad, said secure module being programmed to
- setting the display either in a transparent mode or in a controlled/restricted mode, wherein the display in the controlled/restricted mode displays an approved template comprising one or more secure wιndow(s) and an approved picture/message.
According to a second aspect of the invention, the above and other objects are fulfilled by a method for management of templates in a computer system, the computer system comprises: a display operable in two or more modes for displaying templates, - a keypad operable in two or more modes, a memory comprising templates, a secure module, a computer comprising a (non-trusted) program/software, the computer controlling the display and keypad, the method comprising the steps of: displaying an approved template comprising a secure window and an approved picture/message at the display, upon a signal from the computer, in the secure window display limited messages/information sent from the (non- trusted) program.
According to a third aspect of the invention, the above and other objects are fulfilled by a method for creating a set of approved templates in a computer system, the computer system comprises:
- a display operable in two or more modes, - a keypad operable in two or more modes,
- a secure module, a computer comprising a template database, and
- a second database, the method comprises the steps of: choosing a template(s) from the template database,
- store the template(s) in the second database as approved template(s). wherein the approved template(s) comprises a secure window and an approved picture/message.
According to a fourth aspect of the invention, the above and other objects are fulfilled by a computer system for storage of templates, the system comprises:
- a display for displaying templates and approved templates, a keypad operable in two or more modes, - a secure module, a computer comprising (non-trusted) program/software controlling the display and keypad, and a memory for storing approved templates wherein the approved templates comprises a secure window and an approved picture/message.
The present invention thus allows for a company to use templates from a non-trusted software for management of a point of purchase system such as an ATM. Thus obtaining improved control over the display, preferably without causing changes to the application software.
MODES
As described above both the display and keypad have at least two modes. The display may have a controlled/restricted mode and a transparent mode while the keypad preferably has a secure mode and a non-secure mode.
The display may in the transparent mode show templates from a non-trusted source such as from application software provided by a company.
When the display is in the controlled/restricted mode the display preferably shows approved templates as will be described below.
The display and keypad may be dependent on each other's mode. For example the mode of the display or keypad may be mutually dependent on each other, or the mode of the display may be dependent on the mode of the keypad, or the mode of the keypad may be dependent on the mode of the display
For example the computer system may be programmed to set the display in transparent mode when the keypad is in secure mode. In this case the display preferably has to be certain that the keypad is in secure mode since it is the display that will make the security critical decisions. Thus in this case the display may receive an acknowledgement signal that the keypad is in secure mode. The signal may be sent from the keypad, computer or the secure module. However the signal is preferably sent from the keypad using cryptographic methods so that the display can verify the authenticity of the signal. Furthermore, the computer system may be programmed to set the display in controlled/restricted mode before the keypad switches to non-secure mode. When the keypad is instructed to switch to non secure mode the keypad preferably has to be certain that the display is in controlled/restricted mode. In this case preferably the keypad makes the security critical decision.
This may be achieved by sending an acknowledgement signal either from the display, secure module or from the computer in the system to the keypad, telling the keypad that the display is in controlled/restricted mode. However the signal is preferably sent from the display using cryptographic methods so that the keypad can verify the authenticity of the signal.
Security critical decision may occur when one part of the system changes from a secure state to a less secure state, e.g. when the display changes from controlled/restricted mode to transparent mode or when the keypad changes from secure mode to non-secure mode.
For example, the case when the keypad is in secure mode and the display is in transparent mode. The system may want to switch to non-secure mode, thus in this case the keypad will switch to non-secure mode. Preferably before the keypad switches mode it has to be certain that the display is in controlled/restricted mode, when this has been verified the keypad may change its mode into non-secure mode.
Even further, both the display and keypad may be set in controlled/restricted and secure mode.
Furthermore, the computer system may be implemented to avoid interdependency between keypad and display modes. For example, the keypad may encrypt information aimed to be shown in the display by use of a first key, "display key", while encrypting information aimed to the host computer with a second key, "host key". The display only has access to the "display key" and will decrypt the message when is set in controlled/restricted mode. When the display is set in transparent mode the message from the keypad will not be decrypted. This implementation allows showing information from the keypad in the display only in the situation when the keypad is in non secure mode and the display is in a controlled/secure mode, additionally in this situation the decrypted information is also forwarded to the non-trusted application software. For example when the keypad is in non secure mode and the display is in a controlled/secure mode an amount entered by the user will shown to the user on the display and also sent to the host computer via the non-trusted application software.
The application software installed in the computer may control the keypad and display. However at least a part of the signals sent from the computer is preferably transmitted through the secure module. The secure module may control the keypad and the display so that at least a part of the management of the templates, modes, signals and cryptography is centralised in the secure module.
The computer in the computer system preferably hosts a software management module. The management module may be the non-secure software application that is used. Moreover the computer also comprises a communication interface to a host computer outside the terminal. By communicating with the host computer, the computer in the terminal is able to access accounts and other information relating to a customer.
TEMPLATES
As described above templates are used in the present invention. Preferably there are two kinds of templates: original templates and approved templates.
The original templates are templates comprising information such as messages, figures, pictures movies or any other information being presentable on a display. Moreover they may also comprise windows for input/output of information. In general the elements that constitute a template are considered the objects of the template. The original templates may be created by a "non-trusted" company. Hence the software providing the original templates is non-trusted software. Objects to be included in a template can be among others: a word, an image, a colour, a message, a vector based graphic, a bitmap based graphic, a movie or any other information being presentable in a display. The modular creation of the templates ensures the possible adaptation of the templates for other purposes with a minimum amount of change in the structure of the template.
Secure objects are objects that have been approved to be included in a specific template. An object to be included in a template becomes a secure object if the object when displayed alone or in composition with other secure objects of the template does not represent an un-secure meaning or threat.
Approved templates are templates that contain secure objects or have been approved as a whole, e.g. assigned a certain security status by a super-user or a network administrator. The secure objects in a template may be chosen among the objects as presented above. Preferably approved templates have been stored in a certain database. They may be encrypted or protected in any other way so as to ensure that they are not modified before, during or after use.
The approved templates may comprise one or more secure windows/fields, one or more approved picture/message and in general one or more secure objects. A super-user or administrator may create the secure window so that it has the correct location and size in the approved template in relation to an original template that may be "behind" the approved template in the display. A non-trusted program is able to display messages/information through the secure window/field. Hence, the secure window may comprise one or more transparent area(s).
In this way it is possible to make sure that the information/instructions presented to a user looking at the display is the correct information/instructions in relations to the actions that a user will take based on the instructions. The actions may be to input secure information or non-secure information etc. A user should e.g. not be mislead to input secure information when the keypad is in non-secure mode.
The display may display original templates from the (non-trusted) program when the display is in the transparent mode. When the display is in transparent mode it cannot assure the correctness of the template. Therefore the keypad preferably has to be in secure mode in order to avoid the case when both the keypad and display is in non- secure/transparent mode. In such a case the keypad cannot keep the PIN code secret and non-trusted application software can display any message on the display.
STORAGE OF TEMPLATES
Since the preferred embodiment of the present invention uses templates made by non- trusted software and assigns a security level to some of them. The approved templates may be stored in a second database that may be located at a different location in relation to the first database comprising the original templates.
The second database may be stored in any of the devices in the system. Hence the second database may be located in the memory of the keypad, the display, the secure module or in the computer, depending on the architecture of the system.
The templates may be encrypted before storage, thus they can be stored in encrypted form. This makes it harder for a person such as a hacker to access and amend the templates in the database.
In the case the approved templates are not encrypted and are stored in the keypad. The keypad may encrypt the approved templates before sending them to the display.
Hence, the display may comprise a decryption device for decrypting the encrypted templates.
In a first embodiment of the present invention the secure module in the computer system may comprise a processor for encryption and decryption of data, and a memory for storage of the approved templates.
In an alternative embodiment of the present invention the computer in the computer system may comprises a memory wherein the approved templates may be stored. In this case the approved templates are preferably encrypted before storage in the memory so that no amendments may be made to them. The templates may be encrypted before storage, and the decryption key may be stored in the display, secure module or keyboard. In this way, if somebody tries to modify the stored template he can only modify the stored message, and when the message later is decrypted the content of the message will be severely distorted. This method saves storage space compared to using a MAC (Message Authentication Code), where both the correct message and the corresponding MAC must be stored. An alternative is to use a MAC that spans the complete set of secure templates, in this case only one MAC needs to be stored regardless of the number of secure templates.
Furthermore also digital signatures may be used instead of using MAC.
The number of approved templates might be large because the templates have to cover both normal operations for the customers and more special operations used during service and installation. Furthermore some templates might exist in several different languages.
If the message is encrypted (no MAC) the display may not be able to verify the integrity of the message, but if it has been tampered with it will be completely distorted due to the fact that the decryption tends to spread the modifications over the complete text, this is true for some cryptographic algorithms.
Furthermore, the secure module may be integrated in either the display or the keypad. However, preferably it is located in the display.
SECURE CHANNEL
If the display and keypad are two separated physical units a secure channel may be established between the two devices. The secure channel may be established by one or more of the devices in the system such as by the computer, secure module, display or, keypad.
Preferably the secure channel is established by cryptographic methods that can differentiate information from the keypad aimed to the display from information from the keypad aimed to a host computer.
An alternative solution for the implementation of the secure channel is by sending acknowledgement signals or messages in the case where display or keyboard wants to change modes; furthermore, if the templates are stored outside the display, a secure channel may be used for the transport of secure templates.
Another solution is to integrate the display and keypad in to one physical unit, in this case the physical connections between the two devices is harder to access. It would only be possible if someone attaches a cable to the physical connection between the two devices. Therefore the module enclosing the internal devices, is carefully designed so that it is very hard to access the internal electronic.
Furthermore the module enclosing the sensitive parts may comprise sensors that starts an alarm and/or sets the terminal in a standby or a closed mode if some one tampers with the enclosing. Preferably, the standby or closed modes can only be changed by a trusted agent such as an employee having the status to do this.
These sensors may be mechanical sensors that detect if someone opens the terminal or any of the devices inside the terminal. Furthermore the sensors may be electrical sensors that detects if cables are or contacts are interrupted or if the electrical signals changes. If any of these events occurs the terminal should go in to standby/closed mode, so that no information may be accessed by a third part.
Furthermore the display may be a touch-display. Hence the display may have both the functions of displaying templates and receiving input from a user.
ENCRYPTION
In order to make some of the data such as templates hard to tamper with, encryption of the data may be necessary. The cryptographic techniques used in this invention may be any standard symmetric or asymmetric algorithm
Since the keypad and display can be two separate physical devices they may comprise means for encryption and decryption of data. If the templates are stored in the keypad the keypad preferably comprises means such as a processor for encryption of data and the display comprises means for decryption of data.
If the secure channel between keypad and display is established by cryptographic methods, the keypad preferably comprises means such as a processor for cryptographically protecting data of data and the display comprises means for cryptographical verification of data.
The data that may be encrypted is data preferably relating to the display, data relating to commandos for the display and data relating to templates.
As described earlier the system may comprise one or more cryptographic keys in order to be able to process encrypted templates, Pin codes etc.
METHOD The method for management of templates in the system may furthermore comprise any of the steps such as:
- establishing the secure communication channel between the display and keypad as described above, - sending a control signal from the computer to the keypad and/or display for controlling the mode of the keypad and/or display. Preferably the control signal may be the same as the acknowledgement signal described above.
However the control signal may comprise data so that the keypad and display are able to set up the secure channel. It may also relate to a template signal telling the display or keypad which template to use.
Furthermore if the secure channel is established by encryption methods the system will present original information from the keypad in the display only when the display is in controlled mode and the keypad is in non-secure mode. Original information from the keypad will not be displayed in any of the following other mode combinations of keypad and display; display in transparent mode and keypad in secure mode; display in controlled mode and keypad in secure mode; display in transparent mode and keypad in non-secure mode. Implementation of the secure channel by encryption does not require control of the order in which display and keypad change from one mode to another.
Furthermore if the secure channel is established by means of sending acknowledgement messages the system may be controlled so that the keypad and display knows that the other device, thus the display or keypad is in a mode according to the security standards that is approved for the system, therefore the method managing the templates in the system may further comprise one or more of the steps:
- setting the display in controlled/restricted mode when/before the keypad is in non- secure mode. - switching the keypad to non-secure mode upon an acknowledgement signal that the display is in controlled/restricted mode. switching the display to transparent mode upon an acknowledgement signal that the keypad is in controlled/restricted mode.
- setting both the keypad in secure mode and the display in controlled/restricted mode.
The display may display original templates from the (non-trusted) program when the display is in the transparent mode and when the keypad preferably is in secure mode.
For the system to know which template to chose the method may also comprise the step of sending a (template) signal. Depending on where the approved templates are stored and depending on which device that controls the transaction in the system. The signal may be sent from the computer and/or keypad and/or secure module and/or display to the keypad and/or computer and/or display and/or secure module, for selecting an approved template.
The signal may at least comprise information about which template to chose. However the signals may also comprise other instructions for the keypad and/or display.
Below follows a few examples of steps that may be necessary in order to achieve this. In the case the approved templates are stored in the memory of the computer the approved templates are preferably encrypted or protected by other cryptographic methods such as MAC. The method may then comprise the steps of: - the program in the computer chooses a template, according to the action that will take place on the display. Since the system interacts with customers the customers will provide the system with input about what template that will be displayed next. Usually the users only have a limited number of options decided by the system provider.
In the case the secure channel is established by means of sending acknowledgement messages the following step will occur:
Informing the keypad that the display is in controlled/restricted mode by sending an acknowledgement signal to the keypad.
Thereafter preferably the following steps will occur: sending an encrypted template to the display from the computer.
In the case the approved templates are stored in the memory of the display, the method may comprise the following steps: - sending a template signal from the computer to the display. Here again the program in the computer may chose the template that will be displayed on the display. The decision is preferably taken according to an input from a customer using the system
Thereafter the following steps may be taken:
- informing the keypad that the display is in controlled/restricted mode by sending an acknowledgement signal, and
- at the display, based on the signal sent from the computers, choose an approved template to be displayed.
In the case the approved templates are stored in the memory of the keypad the method may comprise the following steps:
- sending a template signal from the computer to the keypad. Here again the program in the computer may chose the template that will be displayed on the display.
- establish a secure channel between the keypad and display for transaction of templates, (This step may not be necessary if the display and keypad are integrated to one unit or if the template is stored in a cryptographically protectedform) and from the keypad to the display, sending one or more templates through the secure channel.
In the case the approved templates are stored in the memory of the secure module the method may comprise the following steps:
- sending a template signal from the computer to the secure module. Here again the program in the computer may chose the template that will be displayed on the display. - establish a secure channel between the secure module and display for transaction of templates if necessary, and
- informing the keypad that the display is in controlled/restricted mode by sending an acknowledgement signal, and - from the secure module to the display, sending one or more templates through the secure channel,
However the secure module may be integrated either in the display or keyboard. If the secure module is stored in the display it may not be necessary to establish a secure channel between the secure module and display. Thus the method may be amended accordingly.
The method and system described above may preferably be implemented by one ore more computer programs being programmed to perform the necessary functions.
These and other aspects of the invention will be apparent from and elucidated with reference to the embodiments described hereinafter.
BRIEF DESCRIPTION OF FIGURES
Fig 1 illustrates one embodiment of the system architecture.
Fig 2 illustrates an implementation of the Secure Module.
Fig. 3 illustrates an embodiment of the system furhter comprising a printer, banknote dispenser and databases for storage of templates. Fig. 4 illustrates an embodiment of the secure module.
Fig. 5 illustrates a second embodiment of the system wherein the display and keypad are integrated in one unit. Fig. 6 illustrates the embodiment shown in figure 3 further illustrating alternative location of the second database for storage of approved templates, and an alternative location of the control module.
Fig. 7 illustrates the modular structure of secure objects that can be included in a template. Fig. 8 illustrates an example of an approved template wherein several possible secure objects have been included.
Figures are preferably schematically drafted in order to facilitate the understanding of the invention. Therefore other designs that could be drafted in the same schematic way are implicitly also disclosed in this document.
DESCRIPTION OF PREFERRED EMBODIMENTS
In order to facilitate the understanding of the system it may be useful to provide an example of a case wherein the present invention may be used with advantage. In this example the basic problem is that the keypad is used for two types of data:
Pin codes, PIN codes are supposed to be confidential, and the keypad is designed to keep the pin code confidential by encrypting it inside the keypad, before it is transmitted out of the keypad. Also the PIN is not shown on the display of the ATM, usually only a string of '*' are shown, to indicate the number of digits entered.
Other data, are data like amounts, account numbers etc. These data are not kept secret, they are transmitted out of the keypad when entered, and the cleartext data are shown on the display of the ATM.
Because of the above two types of data, the keypad preferably has two modes "Secure Mode", for entry of PIN codes, and "Non Secure Mode" for entry of other data.
Thus a customer arrives at the terminal and inserts his/her card. At this point the terminal may ask about the PIN code that is related to the card. The customer will thus input secure information. Now the system must be sure that the secure information may not be revealed to a third part. The keypad switches to secure mode before input may be received. The normal operation of an ATM is that the Application software (App SW) in the ATM sends signals to the keypad to switch from non-secure to secure mode. At the same time it shows suitable instructions on the ATM's display, like "Enter your PIN code" when in secure mode.
A security problem may arise if the application SW is faulty or fraudulent. In this case the Application SW could show the message "Enter your PIN Code" on the display, while setting the keypad in Non Secure Mode. In this case the ATM User would enter his PIN on the ATM, but the PIN would be sent directly to the (fraudulent) application SW, and thus the PIN code would be exposed.
Thereafter the customer may be asked to input account number (non-secure information), in this case the system should display the input on the screen so that the customer can verify that he/she inputs the correct numbers. Thus the keypad should preferably switch to non-secure mode.
In this case a security problem may arise if the application SW shows the message "Enter your PIN Code again". Thus the system must be sure that the correct message is displayed on the display.
Thus, to increase the security of such systems, there is a need for a tighter control of the display.
The problem may be summarised in this table:
Figure imgf000014_0001
DISPLAY AND KEYPAD
As described earlier the display and keypad may have two modes:
The display may at least have the following two modes- Transparent mode and controlled mode. In the case the secure channel is established by means of sending acknowledgement messages, these modes are characterized by the following features:
- Transparent Mode, where the display shows any messages the application SW requires, without restrictions.
- Controlled Mode, where the Display preferably only shows a few fixed and approved templates, and the application SW has very limited access to the display. - Preferably the application SW can only show small data like amounts, account numbers etc. through the secure windows in the template.
The keypad may have the following two modes: Secure mode and non-secure mode. In the case the secure channel is established by means of sending acknowledgement messages, these modes are characterized by the following features:
- Secure mode, where the keypad receives input related to secure information such as PIN code etc. The input is stored inside the keypad and is encrypted before it is sent outside the keypad. - Non-secure mode, where the keypad receives input not related to non-secure information. In this case the information may be sent directly outside the keypad.
In the case the secure channel is established by means of sending acknowledgement messages, the preferred relation between keypad and Display is illustrated in the table below:
Figure imgf000015_0001
In the case the secure channel is established by encryption methods the following features related to encryption may be added to the description above as features of the transparent and controlled modes of the display: - Transparent Mode: The display does not decrypt any message received from the keypad.
- Controlled Mode: The display decrypts all messages that are received from the keypad using a first key, "display key". In the case the secure channel is established by encryption methods the following features related to encryption may be added to the description above as features of the secure and non-secure modes of the display
- Secure mode: Information originated from the keypad is encrypted by using a second key, "host key".
Non-secure mode. Information originated from the keypad is encrypted by using a first key, "display key".
In the case the secure channel is established by encryption methods, the preferred relation between keypad and Display is illustrated in the table below:
Figure imgf000016_0001
SYSTEM ARCHITECTURE
Figure 1 illustrates one embodiment of the system architecture. In this embodiment the Secure Module is integrated with the display. Below follows a description of the transactions and actions that may occur in this embodiment of the system.
Basic operation of the system
When the ATM Application SW (3) instructs the keypad (4) to be in Secure Mode, the keypad (4) sends a message to the Secure Module (2), instructing the Secure Module to set the display in transparent mode, - meaning that the Video Signal from the Application Sw (7) is sent unchanged to the Display ( 1).
When the application SW instructs the keypad (4) to be in Non Secure Mode, the keypad (4) sends a message to the Secure Module (2), instructing the Secure Module to show only one of the approved templates (Display = Controlled Mode). The ATM Application SW (3) preferably also inform the Secure Module (2) about which of the approved templates it wants to be displayed.
Preferred security requirements A security analysis shows that there may be two security critical operations in this embodiment in the case the secure channel is established by means of sending acknowledgement messages: 1. The switching of the Secure Module (2) to set the display in transparent mode, - this only happens if the keypad (4) at the same time or before switches to secure mode.
2. The switching of the keypad (4) to Non Secure mode, this only happens if the Secure Module (2) at the same time or before switches to Controlled Mode.
In details:
- The Secure Module (3) preferably only switches the display to transparent mode when it receives a unique, original and correct message (acknowledgement signal) from the keypad (4).
- The keypad (4) preferably only switch to Non Secure Mode when it has received an acknowledgement signal that the Secure Module (2) has switched to Controlled Mode.
A security analysis shows that there are no security critical operations in this embodiment in case the secure channel is established by encryption methods.
Architecture of keypad and Secure Module
It follows from the security analysis that the Connection Messages for Secure Module (8) is important for the security. This connection may be implemeted in several different ways:
- The Keypad and Secure Module may be built together so that the Messages for Secure Module can not be tampered with.
The keypad and Secure Module can be two separate devices connected by a tamper resistant cable - The keypad and Secure Module can be two separate devices connected by a logically secure connection, employing cryptographic methods Hence a secure channel may be established.
Approved templates Approved templates are templates that contain secure objects or have been approved as a whole, e.g. assigned a certain security status by a super-user or a network administrator.
In Fig. 7 a tree structure illustrates different type of secure objects a template developer may choose from when building a template. Secure objects to be included in a template can be among others: secure words, secure images, secure colors, secure messages, secure graphics or secure bitmaps. The modular creation of the templates ensures the possible adaptation of the templates for other purposes with a minimum amount of change in the structure of the template. An example of a template based on secure objects is shown in Fig.8.
In the controlled Mode, the Secure module (2) and Display (1) preferably only show a finite number of approved templates. The process of approving templates is important for the security. Approval tool
The authority that approves templates is preferably the company who is responsible for the operation of the ATM, and who might be liable to economial losses in the case of fraud.
There will be a multitude of approved templates, depending on language, and the application of the ATM. Therefore preferably an approval tool is used that allows the appropriate authorities to issue approved messages. The approval tool can take advantage of the modular creation of templates that contain secure objects. For example in the template presented in Fig.8 changes in the template involving only changes to a secure word, e.g. "US$", or a secure message, e.g. "Enter amount", may be pre-defined and pre- approved according to a list of countries and languages where the templates are expected to be used.
Storage of approved templates
The approved templates can either be stored inside the Secure Module, or they may be stored externally.
If they are stored externally the templates is preferably protected against unauthorized modification. This may be done by encrypting the messages, and letting the Secure Module posess the decryption key. The approval tool will in this case hold the corresponding encryption keys. The cryptographic method used can be any standard symmetric or assymmetπc algorithm.
If the approved templates are stored in the Secure Module, there is an effective access control that allows the approved messages to be entered into the Secure Module. This access control may comprise different cryptographicmeans in order to authenticate a user accessing the Secure Module.
Computer
The computer preferably controlling the terminal further comprises a communication interface (17), so that the computer is able to communicate with a host computer outside the terminal.
To further increase the security, the system may comprise an authentication device able to authenticate a user/customer by using biometrics such as fingerprint, scanning of ins etc. SOFTWARE ARCHITECTURE
The software architecture may be described as follows-
Application XFS interface XFS Service Provider for keypad
Software (Manager) XFS Service Provider for Display
(extensions for XFS Service Provider for Dispenser
Financial Services XFS Service Provider for Printer standard)
The XFS Manager has two interfaces XFS API's (application Program Interfaces) and XFS SPI's (Service Provider interfaces). Usually the hardware provider (ATM manufacturer) provides the XFS interface and the Service Provider parts. However the part "Application software" may have many providers, such as independent software providers, the banks owning the ATM or by local sales offices of the ATM manufacturer. This may result in many different application software depending on country, bank and usage of the ATM.
The mechanism that triggers changes in the modes of the display/keypad, may be embedded in the XFS Service Provider for the Display. In this way it is transparent to the Application SW when the approved templates are used.
IMPLEMENTATION OF SECURE MODULE
Figure 2 illustrates an implementation of an embodiment of the Secure Module.
The Secure Module preferably implement transparent fields (windows), that allows parts of the original display picture to be seen through the approved template (picture) that the Secure module generates.
Operating principle
The basic operation principle is that when the keypad instructs the Secure Module to set the display in Transparent Mode, the Control Electronics ( 13) directs the video signal from the application SW ( 12) directly to the Display for Customer ( 11).
When the keypad instructs the Secure Module to set the display in Controlled Mode, the Control Electronics may select one of the approved templates from the Approved Message database ( 16), and sends this template to the Display for Customer (11). In the approved template there are one or more transparent fields (10), that allow small parts of the Video Picture from Application SW ( 12) to be seen. This severely limits the templates that the application SW can display, and thus prevents that a fraudlent application SW may display misleading messages for the customer. STORING INFORMATION ABOUT THE TRANSPARENT FIELDS
The Approved templates preferably contains information about the location and shape of the transparent fields (10). The approved templates may be stored in digital form comprising information about the transparent fields. The information about the transparent fields may be stored as numerical information either together with the stored approved template or separeted from the stored approved template.
The information about the transparent fields may contain data about the location, size, shape etc. Preferably the location, size, shape is described as a set of coordinates (x,y, length, width).
Furthermore, in an approved template, some specific feature of an object or the template itself, e.g. a specific colour, may be chosen to indicate that this part of the template is transparent.
In the above description the term "comprising" does not exclude other elements or steps and "a" or "an" does not exclude a plurality.
Furthermore the terms "include" and "contain" does not exclude other elements or steps.

Claims

1. A computer system for displaying templates, the system comprises- a display operable in two or more modes for displaying templates, 5 - a keypad operable in two or more modes,
- a secure module,
- a computer comprising (non-trusted) program/software, the computer controlling the display and keypad, said secure module being programmed to
10 - setting the display either in a transparent mode or in a controlled/restricted mode, wherein the display in the controlled/restricted mode displays an approved template comprising one or more secure wιndow(s) and an approved picture/message.
2. A computer system according to claim 1 wherein the mode of the display or keypad is 15 mutually dependent on each other.
3 A computer system according to claims 1-2, wherein the mode of the display is dependent on the mode of the keypad
20 4. A computer system according to claims 1-3, wherein the mode of the keypad is dependent on the mode of the display.
5. A computer system according to claims 1-4, further being programmed to
- set the display in transparent mode when the keypad is in secure mode. 25
6. A computer system according to claim 1-5, further being programmed to
- set the display in controlled/restricted mode when the keypad is in non-secure mode.
7. A computer system according to claim 1-6, further being programmed to:
30 - switch the keypad to non-secure mode upon an acknowledgement signal from the display that the display is in controlled/restricted mode.
8. A computer system according to claim 1-7, further being programmed to: switch the display to transparent mode upon an acknowledgement signal that the keypad is in
35 controlled/restricted mode.
9. A computer system according to any of the previous claims wherein the display displays templates from the (non-trusted) program when the display is in the transparent mode.
40 10 A computer system according to any of the previous claims wherein the secure window comprises one or more transparent area(s).
11. A computer system according to any of the previous claims wherein the secure module comprises:
- a processor for encryption and decryption of data, and
- a memory. 5
12. A computer system according to claim 11 wherein the approved templates is stored in the memory of the secure module.
13. A computer system according to any of the previous claims wherein the computer 10 further comprises a memory.
14. A computer system according to claim 13 wherein the approved templates is stored in the memory of the computer.
15 15. A computer system according to claim 13 wherein the approved templates are encrypted before storage in the memory.
16. A computer system according to any of the previous claims wherein the keypad further comprises a memory.
20
17. A computer system according to claim 16 wherein the approved templates are stored in the memory of the keypad.
18. A computer system according to any of the previous claims wherein the display further 25 comprises a memory.
19. A computer system according to claim 18 wherein the approved templates are stored in the memory of the display.
30 20. A computer system according to any of the previous claims wherein the secure module further comprises a memory.
21. A computer system according to claim 20 wherein the approved templates are stored in the memory of the secure module.
35
22. A computer system according to any of the previous claims wherein the display is set in one of the modes depending on a signal sent from the computer and/or keypad.
23. A computer system according to any of the previous claims wherein the secure module 40 controls the keypad and the display.
24. A computer system according to any of the previous claims wherein the computer system further is programmed to:
- establish a secure channel between the display and keypad.
25. A computer system according to any of the previous claims further being programmed to send the data from the keypad to the display via the secure channel
5 26 A computer system according to any of the previous claims wherein the keypad comprises the secure module.
27. A computer system according to claim 1 wherein the modes of display and/or keypad are mutually independent.
10
28. A computer system according to any of the previous claims further being programmed to cryptographically protect data at the keypad.
29. A computer system according to claim 28 wherein the cryptographically protected data 15 comprises data relating to at least one of the following: data relating to display, data relating to commandos for the display, and data relating to templates.
20 30. A computer system according to any of the previous claims further being programmed to display, limited messages/information sent from the (non-trusted) program, in the secure window.
31. A computer system according to any of the previous claims wherein the display further 25 comprises a cryptographic key in order to be able to cryptographically processdata.
32. A computer system according to any of the previous claims wherein the keypad and display is integrated in to one unit.
30 33. A computer system according to any of the previous claims wherein the templates are provided by a non-trusted program/software and wherein the templates are cryptographically protected.
34. A method for management of templates in a computer system, the computer system 35 comprises: a display operable in two or more modes for displaying templates,
- a keypad operable in two or more modes,
- a memory comprising templates,
- a secure module,
40 - a computer comprising a (non-trusted) program/software, the computer controlling the display and keypad, the method comprising the steps of: displaying an approved template comprising a secure window and an approved picture/message at the display, upon a signal from the computer, in the secure window display limited messages/information sent from the (non- trusted) program .
35. A method according to claim 34 further comprising the step of:
5 - establishing a secure communication channel between the display and keypad.
36. A method according to claim 34-35 further comprising the step of: sending a control signal from the computer to the keypad and/or display for controlling the mode of the keypad and/or display. 10
37. A method according to claim 34-36, further comprising the step of:
- setting the display in controlled/restricted mode when the keypad is in non-secure mode.
15 38. A method according to claim 34-37, further comprising the step of: switching the keypad to non-secure mode upon an acknowledgement signal that the display is in controlled/restricted mode.
39. A method according to claim 34-38, further comprising the step of:
20 - switching the display to transparent mode upon an acknowledgement signal that the keypad is in controlled/restricted mode.
40. A method according to claim 34-39 further comprising the step of:
- displaying templates from the (non-trusted) program when the display is in the 25 transparent mode.
41. A method according to claim 34-40 further comprising the step of: sending a (template) signal from the keypad and/or computer to the display, for selecting an approved template. 30
42. A method according to claim 34-41 further comprising the step of: displaying data sent from the program in the secure window.
43. A method according to claim 34-42, wherein the computer comprises the memory 35 further comprising cryptographically protected templates, the method further comprising the step of:
Informing the keypad that the display is in controlled/restricted mode by sending an acknowledgement signal to the keypad, and sending an cryptographically protected template to the display from the computer. 0
44. A method according to claim 34-43 wherein the display comprises the memory, the method further comprising the step of:
- sending a template signal from the computer to the display, - informing the keypad that the display is in controlled/restricted mode by sending an acknowledgement signal, and
- at the display, based on the signal sent from the computers, choose a template to be displayed. 5
45. A method according to claim 34-43 wherein the keypad comprises the memory, the method further comprising the step of: sending a template signal from the computer to the keypad,
- establish a secure channel between the keypad and display for transaction of 10 templates, and
- from the keypad to the display, sending one or more templates through the secure channel.
46. A method according to claim 34-43 wherein the secure module comprises the memory, 15 the method further comprising the step of:
- sending a template signal from the computer to the secure module,
- establish a secure channel between the secure module and display for transaction of templates, and
- informing the keypad that the display is in controlled/restricted mode by sending an 20 acknowledgement signal, and
- from the secure module to the display, sending one or more templates through the secure channel,
47. A method for creating a set of approved templates in a computer system, the 25 computer system comprises:
- a display operable in two or more modes, a keypad operable in two or more modes,
- a secure module,
- a computer comprising a template database, and 30 - a second database, the method comprises the steps of:
- choosing a template(s) from the template database,
- store the template(s) in the second database as approved template(s). wherein the approved template(s) comprises a secure window and an approved
35 picture/message.
48. A method according to claim 47 further comprising the step of: defining an area for a secure window in the approved template.
40 49. A method according to claim 47-48, wherein the display and/or keypad comprises a memory for storage of the second database.
50. A method according to claim 47-49 wherein the computer further comprises the second database.
51. A method according to claim 47-50 further comprising the step of: cryptographically protecting the templates before storage in the second database.
5 52 A computer system being programmed to perform the method according to claim 47- 51
53. A computer system for storage of templates, the system comprises:
- a display for displaying templates and approved templates, 10 - a keypad operable in two or more modes, a secure module,
- a computer comprising (non-trusted) program/software controlling the display and keypad, and a memory for storing approved templates
15 wherein the approved templates comprises a secure window and an approved picture/message.
54. A computer system according to claim 53, wherein the memory for storing the approved templates is located in one of the following devices:
20 - the display,
- the keypad,
- the secure module,
- the computer.
25 55. A computer system according to claims 53-54 wherein the templates are cryptographically protected before storage in the memory.
56. A computer system according to claims 53-55 further comprising a secure channel between the display and keypad for transaction of templates.
30
57. A computer system according to claims 53-56 wherein the templates are cryptographically protected before being sent to the display
58. A computer system according to claims 53-57 wherein the display comprises a 35 cryptographic device for verification or decryption of for decrypting the protected templates.
59. A template comprising one or more secure wιndow(s) and one or more message(s) wherein the template further comprises transparent areas for displaying information.
40
60. A secure module comprising a memory and a processor wherein the memory comprises at least one approved template comprising one or more secure wιndow(s) and an approved picture/message.
61. A secure module according to claim 60 further being programmed to control a display so that the display is set either in a transparent mode or in a controlled/restricted mode, wherein the display in the controlled/restricted mode displays an approved template comprising one or more secure wιndow(s) and an approved picture/message.
5
62. A method according to claims 34-35 further comprising the step of:
- encrypting data originated in the keypad when in non-secure mode and aimed to be presented in the display with a first cryptographic key, display key.
10 63. A method according to claims 34-35 further comprising the step of:
- encrypting data originated in the keypad when in secure mode and aimed to be send to an external host computer with a second cryptographic key, host key.
64. A method according to claims 34-35 further comprising the step of:
15 - decrypting data arriving at the display from the keypad when the display is in controlled mode by using a first key, display key.
65. A method according to claims 34-35 further comprising the step of: taking no action at the display relative to the data arriving from the keypad when the 20 display is in transparent mode.
66. A method according to claim 62-65, wherein the computer comprises the memory further comprising cryptographically protected templates, the method further comprising the step of:
25 - sending an cryptographically protected template template to the display from the computer.
67. A method according to claim 62-65 wherein the display comprises the memory, the method further comprising the step of:
30 - sending a template signal from the computer to the display,
- at the display, based on the signal sent from the computers, choose a template to be displayed.
68. A method according to claim 62-65 wherein the keypad comprises the memory, the 35 method further comprising the step of: sending a template signal from the computer to the keypad,
- establish a secure channel between the keypad and display for transaction of templates, and
- from the keypad to the display, sending one or more templates through the secure 40 channel.
69. A method according to claim 62-65 wherein the secure module comprises the memory, the method further comprising the step of:
- sending a template signal from the computer to the secure module, 69. A method according to claim 62-65 wherein the secure module comprises the memory, the method further comprising the step of:
- sending a template signal from the computer to the secure module, - establish a secure channel between the secure module and display for transaction of templates, and
- from the secure module to the display, sending one or more templates through the secure channel.
PCT/DK2005/000616 2004-09-29 2005-09-29 Secure display for atm WO2006034713A1 (en)

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
DKPA200401482 2004-09-29
DKPA200401482 2004-09-29
US62042604P 2004-10-21 2004-10-21
US60/620,426 2004-10-21
DKPA200500907 2005-06-21
DKPA200500907 2005-06-21

Publications (1)

Publication Number Publication Date
WO2006034713A1 true WO2006034713A1 (en) 2006-04-06

Family

ID=35453554

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/DK2005/000616 WO2006034713A1 (en) 2004-09-29 2005-09-29 Secure display for atm

Country Status (1)

Country Link
WO (1) WO2006034713A1 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009061743A1 (en) * 2007-11-05 2009-05-14 Dresser, Inc. System and method for authenticated payment terminal display prompt control
EP2084599A2 (en) * 2006-11-21 2009-08-05 Gilbarco Inc. Remote display tamper detection using data integrity operations
EP2363824A1 (en) * 2010-02-12 2011-09-07 Maxim Integrated Products, Inc. Trusted display based on display device emulation.
WO2012006076A1 (en) * 2010-06-28 2012-01-12 Dresser, Inc. Multimode retail system
EP2884442A1 (en) * 2013-12-11 2015-06-17 VeriFone, Inc. Point of sale system
US9208489B2 (en) 2010-11-04 2015-12-08 Verifone, Inc. System for secure web-prompt processing on point sale devices
EP2313875A4 (en) * 2008-07-11 2016-04-27 Samsung Electronics Co Ltd Vending machine and control method thereof
WO2017149343A1 (en) * 2016-03-02 2017-09-08 Cryptera A/S Secure display device
EP2201475B1 (en) * 2007-10-10 2020-07-29 Gilbarco Inc. System and method for controlling secure and non-secure content at dispenser or retail device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5493613A (en) * 1992-09-11 1996-02-20 International Verifact Inc. Combination pin pad and terminal
US5822435A (en) * 1992-07-10 1998-10-13 Secure Computing Corporation Trusted path subsystem for workstations
EP1378809A2 (en) * 2002-06-24 2004-01-07 Microsoft Corporation Systems and methods for securing video card output
US20040024710A1 (en) * 2002-03-07 2004-02-05 Llavanya Fernando Secure input pad partition
FR2850772A1 (en) * 2003-01-31 2004-08-06 France Telecom Electronic transaction securing device for use in electronic commerce, has analyzing unit to retransmit intercepted signals to processing unit without modification if they are not in order of passage in secured mode

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5822435A (en) * 1992-07-10 1998-10-13 Secure Computing Corporation Trusted path subsystem for workstations
US5493613A (en) * 1992-09-11 1996-02-20 International Verifact Inc. Combination pin pad and terminal
US20040024710A1 (en) * 2002-03-07 2004-02-05 Llavanya Fernando Secure input pad partition
EP1378809A2 (en) * 2002-06-24 2004-01-07 Microsoft Corporation Systems and methods for securing video card output
FR2850772A1 (en) * 2003-01-31 2004-08-06 France Telecom Electronic transaction securing device for use in electronic commerce, has analyzing unit to retransmit intercepted signals to processing unit without modification if they are not in order of passage in secured mode

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2084599A2 (en) * 2006-11-21 2009-08-05 Gilbarco Inc. Remote display tamper detection using data integrity operations
CN101611379A (en) * 2006-11-21 2009-12-23 吉尔巴科公司 Use the remote display tamper of data integrity operations to detect
EP2084599A4 (en) * 2006-11-21 2012-01-04 Gilbarco Inc Remote display tamper detection using data integrity operations
US8558685B2 (en) 2006-11-21 2013-10-15 Gilbarco Inc. Remote display tamper detection using data integrity operations
US11169954B2 (en) 2007-10-10 2021-11-09 Gilbarco Inc. System and method for controlling secure content and non-secure content at a fuel dispenser or other retail device
EP2201475B1 (en) * 2007-10-10 2020-07-29 Gilbarco Inc. System and method for controlling secure and non-secure content at dispenser or retail device
WO2009061743A1 (en) * 2007-11-05 2009-05-14 Dresser, Inc. System and method for authenticated payment terminal display prompt control
EP2313875A4 (en) * 2008-07-11 2016-04-27 Samsung Electronics Co Ltd Vending machine and control method thereof
US9508210B2 (en) 2008-07-11 2016-11-29 Samsung Electronics Co., Ltd. Vending machine and control method thereof
EP2363824A1 (en) * 2010-02-12 2011-09-07 Maxim Integrated Products, Inc. Trusted display based on display device emulation.
CN102194293A (en) * 2010-02-12 2011-09-21 美信集成产品公司 Trusted display based on display device emulation
CN102194293B (en) * 2010-02-12 2015-11-25 马克西姆综合产品公司 Based on the credible display that display device is imitated
WO2012006076A1 (en) * 2010-06-28 2012-01-12 Dresser, Inc. Multimode retail system
US9911266B2 (en) 2010-06-28 2018-03-06 Wayne Fueling Systems Llc Multimode retail system
US10083564B2 (en) 2010-06-28 2018-09-25 Wayne Fueling Systems Llc Multimode retail system
US8788428B2 (en) 2010-06-28 2014-07-22 Dresser, Inc. Multimode retail system
US11544988B2 (en) 2010-06-28 2023-01-03 Wayne Fueling Systems Llc Multimode retail system
US11967214B2 (en) 2010-06-28 2024-04-23 Wayne Fueling Systems Llc Multimode retail system
US9208489B2 (en) 2010-11-04 2015-12-08 Verifone, Inc. System for secure web-prompt processing on point sale devices
EP2884442A1 (en) * 2013-12-11 2015-06-17 VeriFone, Inc. Point of sale system
WO2017149343A1 (en) * 2016-03-02 2017-09-08 Cryptera A/S Secure display device
US20190073493A1 (en) * 2016-03-02 2019-03-07 Cryptera A/S Secure Display Device
CN109478224A (en) * 2016-03-02 2019-03-15 丹麦科普拉有限公司 The display equipment of safety
US10915668B2 (en) 2016-03-02 2021-02-09 Cryptera A/S Secure display device

Similar Documents

Publication Publication Date Title
US10185956B2 (en) Secure payment card transactions
EP2143028B1 (en) Secure pin management
US7526652B2 (en) Secure PIN management
US8342395B1 (en) Card activated cash dispensing automated banking machine
US7229009B1 (en) Automated banking machine component authentication system and method
US6694436B1 (en) Terminal and system for performing secure electronic transactions
US7770789B2 (en) Secure payment card transactions
US7841523B2 (en) Secure payment card transactions
US7967193B1 (en) Automated banking machine that operates responsive to data bearing records
WO2006034713A1 (en) Secure display for atm
US8621230B2 (en) System and method for secure verification of electronic transactions
US20090119221A1 (en) System and Method for Cryptographically Authenticated Display Prompt Control for Multifunctional Payment Terminals
US7922080B1 (en) Automated banking machine that operates responsive to data bearing records
EP2156397A1 (en) Secure payment card transactions
EP3413253B1 (en) Bankcard password protection method and system
WO2011064708A1 (en) Secure pin management of a user trusted device
US6606387B1 (en) Secure establishment of cryptographic keys
WO2009039600A1 (en) System and method for secure verification of electronic transactions
WO2001092982A2 (en) System and method for secure transactions via a communications network
CA2204547A1 (en) A method for providing full end to end secure transactional payment services and electronic fund transfer over any unsecured and unreliable network

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV LY MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 05786528

Country of ref document: EP

Kind code of ref document: A1