Security validation of machine components

Abstract
A method of validating machine components in a self-service terminal is disclosed which comprises providing at least one machine component with a machine readable identifier and reading identity data from the machine readable identifier using a processing unit. The identity data is compared with identity data stored in the memory of the processing unit to determine if the identity of a component has changed. If the identity has changed, the processing unit compares the identity data with source data to determine if the component is from a trusted source. In one embodiment, the self service terminal is an ATM and the components are an encrypting Personal Identification Number (PIN) pad, a cash dispenser unit and a card reader.
Description

BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 shows the fascia of a Self-service terminal;



FIG. 2 schematically shows the internal components of a Self-service terminal according to one embodiment of the present invention;



FIG. 3 shows a flowchart of the steps in ‘first ever’ start-up of an ATM; and



FIG. 4 shows a flowchart of the steps in subsequent start-ups of an ATM.





DETAILED DESCRIPTION

The Self Service Terminal shown in FIGS. 1 and 2 is an Automated Teller Machine (ATM) 100. The ATM 100 comprises a screen 102, a card slot 104, data entry devices in the form of a 16-button key pad 106 and menu selection buttons 108, and a dispensing slot 110.



FIG. 2 shows the components of the ATM 100. The components comprise an encrypting Personal Identification Number (PIN) pad 202, a cash dispenser unit 204 and a card reader 206. The ATM 100 further comprises a processing unit in the form of a PC core 208. Each of the components has embedded therein an identity chip 212 comprising data providing a manufacturer's identity. The encrypting PIN pad 202, cash dispenser unit 204, card reader 206 and the chip 212 associated with each component 202, 204, 206 are capable of communicating with the PC core 208 via a system bus 210.


The PC core 208 comprises a memory 214 arranged to store data. The memory 214 is capable of storing persistent data, i.e. storing data in a non-volatile manner. The PC Core 208 further comprises a requesting means 216 which is arranged to request and receive data from the chips 212 and a comparing means 218 arranged to compare identity data received by the requesting means with identity data stored in the memory 214. The PC Core 208 further comprises a security means 220, arranged to carry out a security routine to verify the identity of a maintenance operator or engineer and to ensure that that person is authorized to install a replacement component 202, 204, 206.


In normal use of the ATM 100, a user inserts a card bearing a magnetic strip and/or an encrypted data chip, usually a bank card, into the card slot 104. The card reader 206 reads the magnetic strip or encrypted data chip to obtain details associated with the card, including encrypted Personal Identification Number (PIN) data. The screen 102 is then used to display a message asking the user to enter a PIN, which the user then enters using the key pad 106. The input made is supplied to the encrypting PIN pad 202, which encrypts the entered number. The result of this encryption is compared with the encrypted PIN data read from the card and, assuming that there is a match, the user can access services through the ATM 100 by using the menu selection buttons 108 to select services shown on the screen 102. If the user asks for cash, the cash dispenser unit 204 will pick the required notes from a series of stacks of currency providing different denominations and transfer the cash to the dispensing slot 110, where it can be collected by the user.


Two further examples of start-up of the ATM 100 are now described. The process on ‘first ever’ start-up of the ATM 100 is described with reference to the flow chart of FIG. 3. The validation process for components on each subsequent start-up is then described with reference to the flowchart of FIG. 4.


Prior to ‘first ever’ start-up, the ATM 100 is built using known source components to provide the encrypting PIN pad 202, the cash dispenser unit 204, the card reader 206 and the PC core 208 (step 302). In this context, by a ‘known source’ it is meant that the manufacturer of the component 202, 204, 206 may be known and has been identified as a trusted source of high-quality, reliable components 202, 204, 206. The requesting means 216 of the PC core 208 requests manufacturer identity data from the components 202, 204, 206 via the system bus 210 (step 304). Each of the components 202, 204, 206 supplies the requested data, which in this example comprises a serial number, in step 306. This is then stored as persistent data in the memory 214 of the PC core 208 in step 306.


In each subsequent start-up (step 402), the requesting means 216 of the PC core 208 again requests manufacturer identity data from the components 202, 204, 206 via the system bus 210 (step 404). Each of the components 202, 204, 206 supplies the requested data to the requesting means 216 in step 406. The comparing means 218 of the PC core 208 checks each of the supplied identities against those stored in the memory in step 408. If there is no change in any of the identity data, then the ATM start-up completes in step 409. If, however, the identity of one or more of the components has changed, the comparing means 218 of the PC core 208 checks to see whether the new components come from a trusted source in step 410.


In this embodiment, the identity of a component from a known source is in the form of a serial number which conforms to a predetermined format which can be processed to verify its authenticity. However, in other embodiments, the PC core 208 may be arranged to verify the identity against identities stored in a database, which may be remote from the ATM 100.


If the new components 202, 204, 206 do not come from a trusted source then the ATM 100 is disabled in step 412. If, however, the new components do come from a trusted source then the PC core 208 requests that the engineer enters security data to ensure that the installation of the new component(s) has been made by an authorized individual (step 414). In this example, the security data is provided in the form of a USB security dongle known in this context as a Service Security Key.


In step 416, the security means 220 of the PC core 208 checks whether the Service Security Key belongs to an authorized engineer. If this is not the case then the ATM 100 is disabled in step 418. If the engineer is authorized, then the PC core updates its memory 214 with the new identification data in step 420. The start up of the ATM 100 then completes in step 422.
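
The start-up flow of FIGS. 3 and 4, written out as an added example (this is not code from the patent). The patent does not specify the serial number format or how a Service Security Key is checked, so the HMAC-tagged serial layout, the demo key, the service-key fingerprints and the handling of a non-responding component are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumptions (not from the patent): serial layout "<unit>-<tag>", the HMAC tag,
# the demo key and the dongle fingerprints below are all constructed values.
SOURCE_KEY = b"constructed-demo-key"
AUTHORIZED_SERVICE_KEYS = {hashlib.sha256(b"engineer-dongle-1").hexdigest()}


def _tag(unit):
    return hmac.new(SOURCE_KEY, unit.encode(), hashlib.sha256).hexdigest()[:16]


def make_serial(unit):
    """Issue a serial as a trusted source would (demo helper)."""
    return f"{unit}-{_tag(unit)}"


def from_trusted_source(serial):
    """Step 410: process the serial's format to verify its authenticity."""
    unit, sep, tag = serial.rpartition("-")
    if not sep or not unit:
        return False
    return hmac.compare_digest(tag.encode(), _tag(unit).encode())


def service_key_authorized(dongle_secret):
    """Step 416: does the Service Security Key belong to an authorized engineer?"""
    if dongle_secret is None:
        return False
    return hashlib.sha256(dongle_secret).hexdigest() in AUTHORIZED_SERVICE_KEYS


def start_up(stored, reported, dongle_secret=None):
    """Return 'enrolled', 'ok' or 'disabled'; `stored` changes only on success."""
    if not stored:                                    # FIG. 3: first-ever start-up
        stored.update(reported)                       # persist identities
        return "enrolled"
    changed = {n: s for n, s in reported.items() if stored.get(n) != s}
    missing = stored.keys() - reported.keys()         # assumption: treated as failure
    if not changed and not missing:                   # steps 408 and 409
        return "ok"
    if missing or not all(from_trusted_source(s) for s in changed.values()):
        return "disabled"                             # step 412
    if not service_key_authorized(dongle_secret):
        return "disabled"                             # step 418
    stored.update(changed)                            # step 420
    return "ok"                                       # step 422
```

The stored identities are only overwritten after both the source check and the service-key check pass, so a rejected component never becomes the new baseline.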


It will be understood that the above description of a preferred embodiment is given by way of example only and that various modifications may be made by those skilled in the art. For example, the chips 212 could be replaced with Radio Frequency IDentification (RFID) tags or other remotely accessible data stores such as those readable using Bluetooth® or Infrared technologies. As these devices can be read remotely, this removes the need for a system bus 210.

Claims
  • 1. A method of validating machine components in a self-service terminal comprising: providing at least one machine component with identity information in the form of a machine readable identifier; reading identity data from the machine readable identifier; comparing the identity data with stored identity data to determine if the identity of a component has changed; and if the identity has changed, comparing the identity data with source data to determine if the component is from a trusted source.
  • 2. A method according to claim 1 which is carried out on start-up of the terminal.
  • 3. A method according to claim 1, which comprises replacing the stored identity data with the identity data from a new component if the identity has changed and the component has proven to be from a trusted source.
  • 4. A method according to claim 1, which comprises the step of verifying security data before the stored identity data is replaced with changed identity data.
  • 5. A Self-service terminal processing unit comprising a memory for storing identity data, a requesting means arranged to request identity data from components of the terminal and a comparing means arranged to compare identity data received by the requesting means with identity data stored in the memory to detect any changes in identity data.
  • 6. A processing unit according to claim 5 wherein the memory comprises component source data and the comparing means is arranged to compare changed identity data with the source data to determine if the component derives from a trusted source.
  • 7. A processing unit according to claim 5, which further comprises a security means arranged to receive security data from a maintenance operator and use the security data to determine whether a maintenance operator is an authorized operator.
  • 8. A processing unit according to claim 5, which is arranged to allow a terminal with which it is associated to operate only if the or each component is from a trusted source.
  • 9. A Self-service terminal comprising a self-service terminal processing unit comprising a memory for storing identity data, a requesting means arranged to request identity data from components of the terminal and a comparing means arranged to compare identity data received by the requesting means with identity data stored in the memory to detect any changes in identity data, further comprising at least one of the following components with associated identity data: an encrypting pin pad, a cash dispenser unit and a card reader, the terminal being arranged such that the identity data associated with the or each component can be read by the processing unit.
  • 10. A self-service terminal according to claim 9 which comprises one of each of the components and the processing unit is arranged to determine whether each of the components is from a trusted source and to allow the terminal to operate only if all the components are from a trusted source.
  • 11. A self-service terminal according to claim 9, in which the identity data associated with the or each component is provided on a chip.
  • 12. A self-service terminal according to claim 9, which is an Automated Teller Machine.