
Software Engineering Project: Topic: ATM Banking System Introduction Project Description

The document provides details of a project to design an ATM banking system. It includes names of three students - Lavanya Prasad, Shriya Raina and Aishwarya Salian working on the software engineering project. It describes the objective of the project to design an ATM system for transactions like withdrawal and deposit. It also lists the problem statement, use cases, sequence diagrams, definitions, user characteristics and specific requirements for the system.

Lavanya Prasad – 49

Shriya Raina – 51
Aishwarya Salian – 53

Software Engineering

Project

Topic : ATM Banking System


❖ Introduction

🡺Project Description
The objective of this project is to build software similar to the ATM software installed in an
ATM center. It should first validate the PIN of the ATM card. Then the type of transaction is
enquired and the information from the customer is validated. If it is a withdrawal, the amount
is asked. After the money is delivered, the transaction just made is updated in the database
where the customer's information is stored. The aim of this project is to design an ATM system
that will help in completely automatic banking. This software is going to be designed for
withdrawal and deposit of money and to register the transaction in the database where the
customer's information is stored.

🡺 Problem Statement
Software is to be designed that will control an ATM having a magnetic stripe reader for
reading an ATM card, a customer console (keyboard and display) for interaction with the
customer, a slot for depositing envelopes, a dispenser for cash (in multiples of Rs.100) and a
printer for printing customer receipts. The bank provides a computer to maintain its own
accounts and process transactions against them.
● The ATM will service one customer at a time. A customer will be required to insert
an ATM card and enter a personal identification number (PIN), both of which will be
sent to the bank for validation as part of each transaction. The customer will then be
able to perform one or more transactions.
● The card will be retained in the machine until the customer indicates that he/she
desires no further transactions, at which point it will be returned.
● The ATM will communicate each transaction to the bank and obtain verification that
it was allowed by the bank. If the bank determines that the customer's PIN is invalid,
the customer will be required to re-enter the PIN before a transaction can proceed.
● If the customer is unable to successfully enter the PIN after three tries, the card will
be permanently retained by the machine, and the customer will have to contact the
bank to get it back. If a transaction fails for any reason other than an invalid PIN, the
ATM will display an explanation of the problem, and will then ask the customer
whether he/she wants to do another transaction.
● The ATM will also maintain an internal log of transactions to facilitate resolving
ambiguities arising from a hardware failure in the middle of a transaction. Entries will
be made in the log when the ATM is started up and shut down, for each message sent
to the bank (along with the response back, if one is expected), for the dispensing of
cash, and for the receiving of an envelope. Log entries may contain card numbers and
amounts, but for security will never contain a PIN.
● To avail ATM facility, a customer is required to open/have an account in the bank and
apply for the ATM card. A customer can have one or more accounts and for each
account, only one ATM card will be provided.
● The bank also provides SMS updates for every transaction of customer's account. To
obtain SMS updates, customer is required to register his/her mobile number against
his account in the bank.
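
The session rules in the problem statement (three PIN tries, card retention, a log that never holds a PIN, cash only after the bank approves) can be sketched as follows. This is an added example, not code from the original project; the `Bank` and `ATMSession` classes, the reply strings and the sample card are hypothetical, and a real ATM would send an encrypted PIN block rather than a plain PIN.

```python
import hmac

MAX_PIN_TRIES = 3   # "three tries" in the problem statement
CASH_UNIT = 100     # dispenser works in multiples of Rs.100

class Bank:
    """Stand-in for the bank computer (hypothetical interface)."""
    def __init__(self, pins, balances):
        self.pins, self.balances = pins, balances

    def withdraw(self, card, pin, amount):
        expected = self.pins.get(card)
        if expected is None or not hmac.compare_digest(expected, pin):
            return "INVALID_PIN"
        if self.balances[card] < amount:
            return "INSUFFICIENT_FUNDS"
        self.balances[card] -= amount
        return "APPROVED"

class ATMSession:
    def __init__(self, bank, card):
        self.bank, self.card = bank, card
        self.failed = 0
        self.card_retained = False
        self.log = []   # internal transaction log

    def _log(self, event, **fields):
        fields.pop("pin", None)   # a PIN never reaches the log
        self.log.append((event, self.card, fields))

    def withdraw(self, pin, amount):
        if self.card_retained:
            return "CARD_RETAINED"
        if amount <= 0 or amount % CASH_UNIT:
            return "BAD_AMOUNT"
        # Card and PIN go to the bank with every transaction.
        self._log("sent_to_bank", amount=amount, pin=pin)
        reply = self.bank.withdraw(self.card, pin, amount)
        self._log("bank_reply", reply=reply)
        if reply == "INVALID_PIN":
            self.failed += 1
            if self.failed >= MAX_PIN_TRIES:
                self.card_retained = True
                self._log("card_retained")
                return "CARD_RETAINED"
            return "RETRY_PIN"
        self.failed = 0   # assumption: the three tries are consecutive
        if reply == "APPROVED":
            # Cash leaves the machine only after the bank accepted.
            self._log("cash_dispensed", amount=amount)
            return "DISPENSED"
        return reply      # shown to the customer as the explanation
```

Redacting at the log sink rather than at each call site means a new message type cannot leak a PIN by forgetting to strip it.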

❖ Problem Statement Analysis [Use Cases]

🡺 Use Case Diagram


🡺 Identified use cases
● Login:
Here the user inserts the card and then inputs his password to enter into the main form.
If the password is incorrect, the system will display an error message.
● Transaction:
This is the important part of the ATM system, where there are two types of
transaction: withdrawal and deposit. While withdrawing, the user specifies the
amount and may also request a printed output.
● Maintaining Customer Information:
Here the administrator plays an important role; his work is to add customers, delete
customer accounts, update customer accounts, etc.

🡺Identified Actors

● Administrator:
The administrator plays an important role. He is the system designer. All the updating
work, such as adding and deleting customer accounts, is done by him only.
● Database:
All the transaction work (withdrawal and deposit) is updated in the database.
● Customer:
He is the external user of the ATM system, who uses it for taking money and also for depositing money.

❖ Sequence Diagram

🡺 Login
🡺Maintenance

🡺Transaction

❖ Definitions
🡺Account
A single account in a bank against which transactions can be applied. Accounts may
be of various types with at least checking and savings. A customer can hold more than
one account.
🡺ATM
A station that allows customers to enter their own transactions using cash cards as
identification. The ATM interacts with the customer to gather transaction information,
sends the transaction information to the central computer for validation and processing,
and dispenses cash to the customer. We assume that an ATM need not operate
independently of the network.
🡺Bank
A financial institution that holds accounts for customers and that issues cash cards
authorizing access to accounts over the ATM network. The bank computer is the computer owned
by a bank that interfaces with the ATM network and the bank's own cashier stations. A bank
may actually have its own internal network of computers to process accounts, but we are only
concerned with the one that interacts with the network.
🡺Cash Card
A card assigned to a bank customer that authorizes access to accounts using an ATM
machine. Each card contains a bank code and a card number, coded in accordance with
national standards on credit cards and cash cards. The bank code uniquely identifies the
bank within the consortium. The card number determines the accounts that the card
can access. A card does not necessarily access all of a customer's accounts. Each cash
card is owned by a single customer, but multiple copies of it may exist, so the possibility
of simultaneous use of the same card from different machines must be considered.
🡺Customer
The holder of one or more accounts in a bank. A customer can consist of one or more persons
or corporations; the correspondence is not relevant to this problem. The same person holding
an account at a different bank is considered a different customer.
🡺Transaction
A single integral request for operations on the accounts of a single customer. We only specified
that ATMs must dispense cash, but we should not preclude the possibility of printing checks
or accepting cash or checks. We may also want to provide the flexibility to operate on accounts
of different customers, although it is not required yet. The different operations must balance
properly.

❖ User Characteristics
There are several users of the ATM network:
● Customer
The customer interacts with the ATM network via the ATM. It must be very easy for them to
use the ATM. They should be supported by the system in every possible way.
● Maintainer
It should be easy to maintain the whole system. The maintainer should be the only
person that is allowed to connect a new ATM to the network.

❖ Specific Requirements

1. Functional Requirements
The functional requirements are organized in two sections: First requirements of the ATM
and second requirements of the bank.
1.1 Requirements of the automated teller machine
The requirements for the automated teller machine are organized in the following way:
general requirements, requirements for authorization, requirements for a transaction.
Function Requirements
*Each Requirement will have specific-
-Description
-Input
-Processing
-Output*
● Insert ATM card
● Validate ATM card
● Enter product task
● Enter PIN
● Validate PIN
● Validate for account type if the task is banking
● Ask for amount to be withdrawn
● Amount is debited if sufficient balance is available
● Error message is displayed otherwise
● Ask for printing advice if the task is balance enquiry

2 External Interface Requirements


2.1 User Interfaces
The interface of the ATM must fulfill ergonomic requirements. The following is just an
example for a possible interface.
2.2 Hardware Interfaces
The ATM network has to provide hardware interfaces to:
● various printers
● various ATM machines (There are several companies producing the ATM machines.)
● several types of networks
The exact specification of the hardware interfaces is not part of this document.
2.3 Software Interfaces
The ATM network has to provide software interfaces to:
● the software used by different banks
● different network software
The exact, detailed specifications of the software interfaces are not part of this document.
2.4 Communication Interfaces
There is no restriction of the ATM network to a specific network protocol as long as the
performance requirements are satisfied.
3. Performance Requirements (Descriptions)
Performance Requirement 1
● Error message should be displayed at least 30 sec.
Performance Requirement 2
● If there is no response from the bank computer after a request within 2 minutes the
card is rejected with an error message.
Performance Requirement 3
● The ATM dispenses money if and only if the withdrawal from the account is
processed and accepted by the bank.
Performance Requirement 4
● Each bank may be processing transactions from several ATMs at the same time.

4. Attributes
4.1 Availability
● The ATM network has to be available 24 hours a day.
4.2 Security
● The ATM network should provide maximal security. In order to make that much more
transparent there are the following requirements:
- It must be impossible to plug into the network.
4.3 Maintainability
● Only maintainers are allowed to connect new ATMs to the network.
4.4 Transferability/Conversions
● Not Applicable

5. Other Requirements
5.1 Data Base
● The ATM must be able to use several data formats according to the data formats that
are provided by the databases of different banks. A transaction should have all the
properties of a database transaction (Atomicity, Consistency, Isolation, Durability).
Assumptions
● Hardware never fails
● ATM casing is impenetrable
● Limited number of transactions per day, i.e. sufficient paper for receipts
● Limited amount of money withdrawn per day, i.e. sufficient money

❖ Feasibility
The main objective of a feasibility study is to test the technical, social and economic feasibility
of developing a system. This is done by investigating the existing system in the area under
investigation and generating ideas about the new system. A feasibility study has been done to
gather the required information. Training, experience and common sense are required for
collection of the information. Data was gathered and checked for completeness and accuracy.
Analyzing the data involved identifying the components of the system and their
interrelationships, and identifying the strengths and weaknesses of the system.
The aspects of feasibility include:
1. Technical Feasibility study
2. Operational Feasibility study
3. Financial And Economic Feasibility study
4. Behavioral(Social) Feasibility

🡺Feasibility study.
● Technical feasibility
The technical feasibility study always focuses on the existing computer hardware, software
and personnel. This also includes the need for more hardware, software or personnel and the
possibility of procuring or installing such facilities. The ATM is a system that can work on a
single stand-alone Pentium machine with 128 MB RAM, a hard disk drive of 80 GB, mouse,
monitor and keyboard; it also requires an internet connection to the corresponding computer.
The equipment is easily available in the market, so technically the system is very much
feasible.
● Social feasibility
As this system is user friendly and flexible, some problems which employees may be
facing when using the existing system will also be solved. So we can say that the system is
socially feasible.
● Economical feasibility
This feasibility is useful to find the system development cost and check whether it is
justifiable. The cost overheads include software and hardware maintenance cost and training
costs, which include the cost required for manpower, electricity, stationery, etc. The proposed
system will provide the right type of information at the right time, and in the required format.
This will save time required for decision-making and routine operations. Considering all
these advantages, the cost overheads of the system are negligible. So the system is
economically feasible.
● Operation feasibility
Since the system is designed in a user-friendly way, new customers can master it within a
short time. It is also known as resource feasibility. The operational users of the system are
expected to have minimum knowledge of computers. The developed system is simple to use,
so that the user will be ready to operate the system. The proposed system is developed
using the Java programming language and a MySQL database, which is platform independent and
user friendly. So the system is operationally feasible.

RISK ASSESSMENT

Risks must be controlled by countermeasures or safeguards. Risk management is an
important part of an organization’s security program. It provides support in managing
information security risks associated with an organization's overall mission. It results in the
identification, estimation and prioritization of IT risks based on confidentiality, integrity and
availability.

CASE STUDY

The aim of this case study is a risk assessment to establish a baseline assessment of risks
that are faced by an ATM platform of a specific manufacturer. Thus, the risk assessment
identifies all threats, vulnerabilities and impacts that cause a risk to an ATM asset. The focus
on the ATM platform limits our investigation to software aspects. Thus, we mainly focus on
logical risks.

Logical Risk Assessment

The risk assessment conducted in this case study is based on the risk assessment. The focus
of the assessment is on the ATM platform, i.e., from the ATM manufacturer’s perspective.
The operating system and any bank applications or other ATM software have not been
considered in the evaluation (the bank’s perspective).

Threats

Threats were grouped into categories, which were derived from the primary objective of the
threat events or an important key passage in an entire scenario:

● Denial of Service, making the ATM platform unavailable to a customer by
dominating some of its resources.
● Malicious Software Injection, injecting malicious software, such as Trojan horses,
viruses or worms at the OS level or the ATM platform level.
● Sensitive Data Disclosure, gathering unprotected cardholder data.
● Configuration File Modification, changing configuration files of the ATM platform.
● Privilege Settings Modification, modifying configuration files, focusing on the change
of the user access control model to gain more privileges.
● Software Component Modification, modifying an executable or an assembly of the
ATM platform, assuming the adversary can decompile the target file.
● Test Utility Exploitation, exploiting test utilities used by service technicians, IT
specialists and ATM platform engineers for maintenance.

Monitoring controls of risk management

The case study additionally highlights security approaches and technologies, which were
identified as most appropriate for dealing with logical ATM risks.

A. Cardholder Data Protection


We have identified change control and efficient user access control as most appropriate for
protecting cardholder data and also for threat scenarios that focus on settings changes or
software components of a running ATM platform. The main purpose is to guarantee that
neither unnecessary nor unwanted changes are made. A change control system also
supports the documentation of modifications, ensures that resources are used efficiently
and services are not unnecessarily disrupted. The most efficient way of implementing a user
access control mechanism is by applying the user management that comes with the OS.

B. Host-based Firewall

Malicious use of the network interface can be mitigated through a host-based firewall. Such
a firewall has to work on the level of protocols, ports and processes, i.e., the configuration
of the firewall must specify protocols and ports that can be used by a particular process for
outgoing connections. The same applies for incoming traffic. All ports and protocols that are
not in use must be blocked by default.
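
The rule model described above (each rule bound to a process, a direction, a protocol and a port, with everything else blocked) can be expressed as a small policy evaluator with an audit for over-broad rules. This is an added example, not part of the original project; the process names, ports and the `*` wildcard convention are constructed placeholders.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard marker used by this example

@dataclass(frozen=True)
class Rule:
    process: str    # executable allowed to own the socket
    direction: str  # "in" or "out"
    protocol: str   # "tcp" or "udp"
    port: object    # int, or ANY

    def matches(self, process, direction, protocol, port):
        return (self.direction == direction
                and self.process in (ANY, process)
                and self.protocol in (ANY, protocol)
                and self.port in (ANY, port))

def decide(rules, process, direction, protocol, port):
    """Default deny: traffic passes only if some rule names it."""
    hit = any(r.matches(process, direction, protocol, port) for r in rules)
    return "allow" if hit else "block"

def audit(rules):
    """List rules not pinned to one process, protocol and port."""
    findings = []
    for r in rules:
        loose = [f for f in ("process", "protocol", "port")
                 if getattr(r, f) == ANY]
        if loose:
            findings.append((r, loose))
    return findings

# Constructed policies; names and ports are placeholders.
WEAK = [Rule(ANY, "out", "tcp", ANY)]
STRICT = [
    Rule("atm_platform.exe", "out", "tcp", 8443),
    Rule("remote_monitor.exe", "in", "tcp", 9100),
]
```

Running `audit` over a deployed rule set before rollout shows which entries let any process or any port through, which is the configuration the section rules out.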

C. Application Control

Protection against unauthorized software on ATMs has to focus on whitelisting, where the
execution of applications and executables is limited to a predefined set. This set includes
files that are required to run the OS and the ATM platform. All other executable files not in
the whitelist cannot be launched, even if not malicious.

D. Full Hard Disk Encryption

Hard disk encryption is a powerful countermeasure against alternatively booting the system
for malicious activities. Several threat events require access to an ATM's computer to boot
the system from an alternative medium: for sensitive data, to drop malicious files, to collect
executables and dynamic link libraries from the ATM platform or to change the privileges of
restricted objects.

E. Patch Management

A fundamental base for effective patch management is appropriate hardening of a
system. Based on that groundwork, continuous patch management allows a financial
institute to provide protection against known viruses, worms and vulnerabilities within an
OS.

F. Device-specific Requirements

For dealing with the potential danger arising from test tools used by ATM platform
engineers, service technicians and IT specialists, it is important that these tools function only
under certain circumstances. Especially, when the ATM is in maintenance mode, the tools
should support the activities on the ATM. But, in all other cases they must be disabled.
Device control comes into play when the USB ports of an ATM represent possible entry
points for a malicious activity.
