ATM Security Requirements & Specification Decomposition
Team B: Martijn, Christiaan, Vasilis, Benjamin
System-wide functionality
Logging
– Every event must be chronologically logged: time and date, event type and details, and the account number if present.
– A video camera may be present and recording.
Timeouts
– Upon a timeout the current process must be aborted and possibly rolled back.
– All functionality that awaits user input may provoke a timeout, which will eject the card.
– If the user does not take his/her card after ejection, it will be confiscated.
– Upon communication with the central service a timeout should be handled: eject the card and enter out-of-order mode.
Card slot
Assumed functionality:
– Insert card: read the contents of the magnetic strip, verify the chip
– Eject card: on timeout
– Confiscate card: can be signaled from card verification
Verification – ATM
Assumption: a central service exists.
ATM verification
– The ATM will authorize itself to the central service with some unique id.
– All communication with the central service must be secure; no outsider can listen in.
– Verification must precede all transactions; the central service must also be authorized (mutual authentication).
Verification – Card
Card verification
– The card must be verified at the central service.
– The PIN code must be verified at the central service.
– A user's PIN code can NEVER be shown on screen, printed on a receipt, or written to logs.
– Upon a failed entry the card may be confiscated if signaled by the central service.
– Card verification must precede all actions: withdrawal, deposit, balance, etc.
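The logging rule on the system-wide slide (chronological entries with time, event type, details and account number) and the rule here that a PIN can never reach the logs fit together in one small component. The following is an added example written for these notes, not code from Team B's project; the class names (AuditLog, LogEntry, Pin, PinLeak) and the regex heuristic for PIN-like digit runs are assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Conservative heuristic (assumption): a standalone run of 4-6 digits in log
# text looks like a PIN and is refused rather than silently redacted, so the
# defect surfaces during testing instead of in production logs.
PIN_LIKE = re.compile(r"(?<!\d)\d{4,6}(?!\d)")


class PinLeak(ValueError):
    """Raised when PIN material is about to reach the log."""


class Pin:
    """Holds the PIN the user typed. str()/repr() never reveal it, so an
    accidental f-string, print or log call cannot leak it."""
    __slots__ = ("_digits",)

    def __init__(self, digits: str) -> None:
        if not (digits.isdigit() and 4 <= len(digits) <= 6):
            raise ValueError("PIN must be 4 to 6 digits")
        self._digits = digits

    def __str__(self) -> str:
        return "****"

    __repr__ = __str__


@dataclass(frozen=True)
class LogEntry:
    timestamp: datetime
    event_type: str
    details: str
    account_number: Optional[str] = None


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, event_type: str, details, account_number: Optional[str] = None,
               now: Optional[datetime] = None) -> LogEntry:
        ts = now or datetime.now(timezone.utc)
        # Chronological: an entry may never be dated before the previous one.
        if self.entries and ts < self.entries[-1].timestamp:
            raise ValueError("log entries must be chronological")
        # Refuse the Pin object itself and any PIN-like digits in free text.
        if isinstance(details, Pin) or isinstance(account_number, Pin):
            raise PinLeak("PIN object passed to the log")
        for text in (event_type, details):
            if PIN_LIKE.search(text):
                raise PinLeak("PIN-like digits in log text")
        entry = LogEntry(ts, event_type, details, account_number)
        self.entries.append(entry)
        return entry

    def lines(self) -> list:
        """Render as fixed-format text lines, oldest first."""
        return [f"{e.timestamp.isoformat()} {e.event_type} "
                f"acct={e.account_number or '-'} {e.details}"
                for e in self.entries]


def demo() -> dict:
    """Constructed scenario: a normal session, one attempt to log raw PIN
    digits (must be refused) and one out-of-order entry (must be refused)."""
    log = AuditLog()
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    log.record("CARD_INSERTED", "magnetic strip read, chip verified", "87654321", now=t0)
    pin = Pin("1234")
    log.record("PIN_ENTERED", f"pin={pin}", "87654321", now=t0.replace(second=5))
    out = {"lines": log.lines()}
    try:
        log.record("PIN_ENTERED", "user typed 1234", "87654321", now=t0.replace(second=6))
        out["leak_blocked"] = False
    except PinLeak:
        out["leak_blocked"] = True
    try:
        log.record("CARD_EJECTED", "timeout", "87654321", now=t0.replace(second=1))
        out["order_enforced"] = False
    except ValueError:
        out["order_enforced"] = True
    return out
```

Wrapping the PIN in a type whose string form is always masked is the part that scales: every later component (screen, receipt printer, logger) gets the same protection without each one remembering the rule.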
Withdrawal
Try to commit the withdrawal using the central service.
– On failure:
  1. Receive the error message from the central service (like Daily Limit Exceeded, etc.)
  2. Eject card
– On success:
  1. Eject card
  2. Wait for some specified period
  3. If the card was ejected, cash out. Otherwise roll back the transaction.
(2 and 3 are an example of the requirement mentioned under Timeouts.)
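The withdrawal steps above, together with the two timeout rules from the system-wide slide (a card not taken after ejection leads to rollback and confiscation; a central-service timeout ejects the card and puts the ATM out of order), can be captured as a small state machine. This is an added example for these notes, not Team B's code; the simulated central service and card slot, the class names and the response strings are all assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Tuple


class CentralTimeout(Exception):
    """The central service did not answer within the allowed time."""


@dataclass
class FakeCentralService:
    """Constructed stand-in for the central service (assumption)."""
    balance: int
    daily_limit: int = 500
    unreachable: bool = False          # simulate a communication timeout
    committed: dict = field(default_factory=dict)   # txid -> amount

    def commit_withdrawal(self, account: str, amount: int) -> Tuple[bool, str, str]:
        if self.unreachable:
            raise CentralTimeout()
        if amount > self.daily_limit:
            return False, "Daily Limit Exceeded", ""
        if amount > self.balance:
            return False, "Insufficient Funds", ""
        self.balance -= amount
        txid = f"tx{len(self.committed) + 1}"
        self.committed[txid] = amount
        return True, "OK", txid

    def rollback(self, txid: str) -> None:
        self.balance += self.committed.pop(txid)


@dataclass
class FakeCardSlot:
    """Constructed stand-in for the card slot hardware (assumption)."""
    user_takes_card: bool = True       # does the user remove the card in time?
    ejected: bool = False
    confiscated: bool = False

    def eject(self) -> None:
        self.ejected = True

    def card_removed_within(self, seconds: int) -> bool:
        return self.user_takes_card

    def confiscate(self) -> None:
        self.confiscated = True


class AtmState(Enum):
    IDLE = auto()
    CASH_DISPENSED = auto()
    CARD_CONFISCATED = auto()
    OUT_OF_ORDER = auto()


@dataclass
class Atm:
    central: FakeCentralService
    slot: FakeCardSlot
    card_wait_seconds: int = 30
    state: AtmState = AtmState.IDLE
    dispensed: int = 0
    events: List[str] = field(default_factory=list)

    def withdraw(self, account: str, amount: int) -> str:
        try:
            ok, message, txid = self.central.commit_withdrawal(account, amount)
        except CentralTimeout:
            # Timeouts slide: eject the card and enter out-of-order mode.
            self.slot.eject()
            self.state = AtmState.OUT_OF_ORDER
            self.events.append("CENTRAL_TIMEOUT")
            return "Out of order"
        if not ok:
            # On failure: report the central service's error, then eject.
            self.events.append(f"WITHDRAWAL_FAILED {message}")
            self.slot.eject()
            return message
        # On success: eject first, wait, and only then hand out the cash.
        self.slot.eject()
        if self.slot.card_removed_within(self.card_wait_seconds):
            self.dispensed += amount
            self.state = AtmState.CASH_DISPENSED
            self.events.append(f"CASH_OUT {txid}")
            return "Cash dispensed"
        # Card left in the slot: undo the committed transaction, confiscate.
        self.central.rollback(txid)
        self.slot.confiscate()
        self.state = AtmState.CARD_CONFISCATED
        self.events.append(f"ROLLBACK {txid}")
        return "Rolled back"
```

The ordering matters for the risk the slide is addressing: because the cash is dispensed only after the card has been taken, a user who walks away leaves neither card nor money behind, and the central service's committed balance is restored by the rollback.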
Deposit
Notes are assumed to be identified, verified and counted by the note slot. After the user is finished, the total amount is added to the account through the central service.
On success
– Eject card
On failure
– Eject card
– Eject money
Alarms
Alarm messages are sent to the maintenance service.
Physical damage sensors
– Card slot
– Vault
– Screen
– Buttons and keyboard
– Video camera
Maintenance
– Outgoing vault (almost) empty
– Incoming vault (almost) full
Network communication failure
Specification Decomposition
Hardware
– Card slot
– Cash dispenser and outgoing vault
– Cash insertion and incoming vault
– Screen, keyboard, button panel, etc.
Core System
– Logging
– Maintenance
– Communication (ATM – Central Service)
– Verification
– Withdrawal
– Deposit
– Printing
– UI
Central Service
Questions