
Customer Authentication at ATM

Banks face a multitude of problems concerning customer authentication at ATMs. Many people have trouble memorizing their PIN and either pick trivial PINs or write them on the ATM card. Anderson enumerates the many security problems with ATMs [And94].

The main problem in using Déjà Vu for ATMs is portfolio creation. This is not a problem when customers pick up their card at the bank, since the portfolio selection and training can be done in a secure environment at the bank. If the customer receives the ATM card in the mail, portfolio creation is more difficult. Sending all the images of the portfolio in the mail is not satisfactory, because we want to prevent people from possessing a paper copy of their secret information. Instead, we could use a one-time PIN to bootstrap the system: the user authenticates with it initially at the ATM, which then performs the portfolio creation and training.

The seeds of the portfolio images would be stored on a secure server. The authentication process would work as described previously. To achieve the same order of security as a four-digit PIN, we can use five images per portfolio and fifteen images in the decoy set. The probability of guessing the correct portfolio is $1/\binom{20}{5} = 1/15504$, which is lower than the $1/10000$ for four-digit PINs.
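As an added illustration (not code from the paper or its authors), the following Python model computes the blind-guess probability for a given portfolio and decoy size, generalizes the sizing argument to find the smallest decoy set that matches a PIN of any length, and sketches the server-side challenge construction and exact-match verification. The integer seeds are constructed sample values; the function names and the seed-mixing strategy are assumptions, not the paper's implementation.

```python
import math
import random


def guess_probability(portfolio_size: int, decoy_size: int) -> float:
    """Chance that one blind selection of portfolio_size images out of the
    portfolio_size + decoy_size images shown matches the portfolio exactly."""
    return 1 / math.comb(portfolio_size + decoy_size, portfolio_size)


def pin_probability(digits: int) -> float:
    """Chance of guessing a numeric PIN of the given length in one attempt."""
    return 1 / 10 ** digits


def decoys_needed(portfolio_size: int, digits: int) -> int:
    """Smallest decoy set for which a blind guess is no easier than a
    digits-long PIN (generalizes the 5-image / 4-digit case in the text)."""
    decoys = 0
    while guess_probability(portfolio_size, decoys) > pin_probability(digits):
        decoys += 1
    return decoys


def build_challenge(portfolio, decoy_pool, decoy_size, seed=None):
    """Server side (assumed design): mix the user's portfolio seeds with decoys
    drawn from a pool that never overlaps the portfolio, then shuffle so the
    on-screen position leaks nothing. A fixed seed is only for reproducible
    tests; a real deployment uses the OS entropy source via SystemRandom."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    candidates = [s for s in decoy_pool if s not in portfolio]
    if len(candidates) < decoy_size:
        raise ValueError("decoy pool too small for the requested decoy count")
    shown = list(portfolio) + rng.sample(candidates, decoy_size)
    rng.shuffle(shown)
    return shown


def verify(selected, portfolio) -> bool:
    """Accept only an exact match: every portfolio image and nothing else."""
    return len(selected) == len(portfolio) and set(selected) == set(portfolio)


# Constructed sample data: integer image seeds, not values from the paper.
PORTFOLIO = [101, 202, 303, 404, 505]
DECOY_POOL = list(range(1000, 1040))

if __name__ == "__main__":
    print("P(guess) with 5 portfolio + 15 decoys:", guess_probability(5, 15))
    print("P(guess) four-digit PIN:", pin_probability(4))
    print("decoys needed to beat a 4-digit PIN:", decoys_needed(5, 4))
    print("challenge shown to user:", build_challenge(PORTFOLIO, DECOY_POOL, 15))
    print("correct selection accepted:", verify(PORTFOLIO, PORTFOLIO))
```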



Adrian Perrig
Thu Jun 15 15:16:10 PDT 2000