Article

A Novel Robust Geolocation-Based Multi-Factor Authentication Method for Securing ATM Payment Transactions

by Abdullah Alabdulatif 1, Rohan Samarasinghe 2,* and Navod Neranjan Thilakarathne 2,*

1 Department of Computer, College of Sciences and Arts in Al-Rass, Qassim University, Al-Rass 720223, Saudi Arabia
2 Department of ICT, Faculty of Technology, University of Colombo, Colombo 00700, Sri Lanka
* Authors to whom correspondence should be addressed.
Appl. Sci. 2023, 13(19), 10743; https://doi.org/10.3390/app131910743
Submission received: 10 September 2023 / Revised: 25 September 2023 / Accepted: 26 September 2023 / Published: 27 September 2023
(This article belongs to the Special Issue Advanced Technologies for Data Privacy and Security)

Abstract

Credit/debit cards are a ubiquitous form of payment at present. They offer a number of advantages over cash, including convenience, security, and fraud protection. At the same time, the inherent vulnerabilities of credit/debit cards and transaction methods have led many payment institutions to focus on strengthening the security of these electronic payment methods. Also, the increasing number of electronic payment transactions around the world has led to a corresponding increase in the amount of money lost to fraud and cybercrime. This loss has a significant impact on businesses and consumers, and it necessitates rigid and robust security designs for securing the underlying electronic transaction methods. In this regard, this research introduces a novel geolocation-based multi-factor authentication method for improving the security of electronic payment transactions, especially ATM transactions. The proposed method leverages geolocation to verify the user’s identity and prevent fraudulent transactions. In addition, this research proposes a novel design approach for further controlling the ownership of transactions in a convenient way (e.g., allowing users to deactivate/reactivate authentication at any time, block the card in case it is stolen or lost, and set up a withdrawal limit). Overall, this approach does not require any major modifications to the existing banking infrastructure, which would make it an ideal solution for securing ATM transactions around the world.

1. Introduction

Even though the technology behind electronic payment transactions grows more complex by the day in response to ever more sophisticated cyberattacks targeting these ecosystems, billions of dollars continue to be lost because such attacks remain profitable to execute. According to the latest research [1,2], electronic transaction security has become a common problem worldwide, causing considerable financial disruption. Hence, it is essential to develop security mechanisms that are reliable and trustworthy enough for cardholders and end users to depend on. Unauthorized access to credit/debit card data, moreover, can lead to financial loss through fraud by unscrupulous persons [1]. Thus, to cultivate trust among cardholders, many banks and payment institutions have introduced various security schemes for authenticating authorized end users over the last few years [3]. In addition, the boom in electronic commerce (e-commerce) has led to online banking, where customers pay online for the goods they purchase online, expanding the scope of cyberattacks that target the electronic payment ecosystem.
Credit/debit card transactions exist primarily to promote cashless payment [1,2,3], and the card is authenticated by comparing the details submitted by the user with those held for the user’s bank account. A number of entities are typically involved in this payment card authentication: the card-issuing bank, the user or cardholder, the ATM, the bank database server, and the card affiliation or association [3,4]. Studies [3,4] show that credit/debit card theft has evolved dramatically in recent years. In earlier times, fraudsters employed basic skimming tactics together with pinhole cameras to capture the PIN at the ATM and harvest card credentials for card cloning [5,6,7,8], whereas attack methodologies have since diversified to include approaches such as social engineering attacks [3,4].
Thus, in order to prevent the compromise of electronic payments, banks and financial institutions have introduced new ways of authenticating users when they execute ATM transactions [7,8,9]. These include both single-factor and multi-factor authentication methods such as username and password, OTP, and PIN. However, most of these methods are no longer secure and expose the cardholder to risk: user credentials can be captured through interception and person-in-the-middle attacks to gain access to the user account, especially when dealing with payment gateway mobile apps and web platforms, and PINs can be captured together with card details to clone the card. Thus, single-factor authentication is no longer deemed sufficient for user authentication and is regarded as insecure for high-risk financial transactions. This has resulted in the use of multi-factor authentication to safeguard payment transactions and boost user confidence in making them, which at times still proves insufficient owing to PIN harvesting and card cloning attacks [10,11,12,13,14].
While existing electronic transaction systems provide a certain level of authentication via means such as OTPs and PINs, the underlying process leaves the current banking infrastructure in a vulnerable state, and with it the PINs and OTPs themselves [3,4,5,6,7,15,16,17,18,19,20]; this leaves a research gap that needs thorough attention. To address it, in this study we propose a novel solution that allows users to authenticate every ATM transaction via a dedicated smartphone app, by measuring the user’s real-time geolocation when authenticating payment transactions.
Overall, geolocation can be used as an authentication factor because it confirms a user’s physical presence at a specific location, adding an extra layer of security. It helps prevent unauthorized access, works well with other factors like passwords or biometrics, and adapts to changing user behaviors. On the other hand, while geolocation offers such benefits, it is best when combined with other factors to create a more robust and more reliable authentication process. In existing systems, one of the main concerns is that they are keeping track of the user’s location on a regular basis and using vulnerable authentication mechanisms such as OTPs [5,6]. In addition, the high operating costs also prevent certain existing security mechanisms from being implemented (e.g., biometrics), endangering the ATM payment ecosystem.
In our proposed solution, we have considered all these pertinent issues, and our proposed authenticator app will only require the user’s location when it is deemed necessary, where location data will only be needed when a payment transaction needs to be authenticated. Thus, the use of the app also eliminates less secure mechanisms such as OTPs. The user would receive a push notification for each transaction based on the geolocation. Only approved transactions via the app would be valid, whereas any transactions that are not approved will be void. As per our proposed solution, our smart mobile app will be available across major app store platforms, which provides accessibility to a larger audience. Nonetheless, from the financial institution perspective, the entity itself would be able to provide a robust and unbreakable security mechanism for its credit/debit card-based ATM systems by enabling our proposed solution without making major modifications to the existing infrastructure, as the location of the cardholder is considered when authenticating the payment. Further, as per the convenience of the user, this multi-factor authentication can be deactivated and later reactivated at any given time, enabling users to continue the previous way of performing transactions.
Thus, motivated by the need to design a novel, robust geolocation-based multi-factor authentication method for securing ATM payment transactions, following the introduction, a brief literature review pertaining to the security of payment transactions is provided. Afterward, the importance of multi-factor authentication in improving the security of payment transactions is highlighted, and then the methodology is provided for designing our proposed geolocation-based multi-factor authentication solution. In this regard, the major contributions of the study are described in the following.
  • Design a novel geolocation-based multi-factor authentication method for improving the security of ATM payment transactions, where it also employs a novel design approach toward further controlling the ownership of transactions.
  • Discuss how the proposed approach does not require any major modifications to the existing banking infrastructure, which would be an ideal solution for securing ATM transactions around the world.
  • Highlight the implementation results, pros, and cons of the proposed approach, along with how the proposed approach can be further extended.
  • To validate our work and differentiate it from recent similar research in terms of security aspects, we provide a brief comparison of our work with the state of the art.
The remainder of the paper is organized as follows. Section 2 offers a brief literature review pertaining to the security of electronic payment transactions. Section 3 presents our proposed solution and the methodology adopted, and Section 4 describes the implementation of the proposed solution. The section that follows offers a discussion highlighting the results and the evaluation of the proposed solution. The study then concludes with recommendations for improving the solution and with the conclusions derived from the research. The Abbreviations section lists the acronyms used in this paper.

2. Literature Review and Related Work

Overall, ATMs play a crucial role in providing convenient and secure access to banking services. As the use of ATMs continues to grow, ensuring robust authentication methods becomes paramount in preventing fraudulent activities and protecting user data [20,21,22,23,24]. According to the latest literature [1,6,7,8,9,10], some common ways of compromising the security of these electronic transaction methods are described further in the following for better understanding.
  • Stealing from the database
    • Many retailers keep debit/credit card numbers in online databases to facilitate customer purchases. According to recent reports, attackers have breached merchant websites and stolen databases containing millions of debit/credit card details [1,5]; examples include the compromise of Capital One, a US credit card issuer, which exposed the credit card information of 106 million customers in 2019 [6], and the compromise of the TJX retail chain, which exposed the credit card information of 94 million customers in 2006 [6].
  • Sniffing/packet intercepting
    • During online debit/credit card payments, an attacker sniffs data packets to infer confidential payment information. In most circumstances, the attacker does not need to decrypt the presumably encrypted online payment packets (e.g., protected by Secure Sockets Layer) [1,3,5], but instead deceives the consumer into believing they are visiting a legitimate site while in fact they are viewing the attacker’s spoofed site.
  • Shoulder surfing
    • An attacker stands nearby and observes a customer type in their credit/debit card number and other credentials or listens to the discussion if the consumer gives their credit/debit card information to some other party [2,6].
  • Skimming
    • Fraudsters use this approach to collect sensitive information from a credit or debit card’s magnetic stripe [3,6].
  • Keypad overlays
    • A keypad overlay is designed to blend in with the normal ATM keypad so that it goes unnoticed. The overlay lets the keypad beneath it work properly, so the customer can operate the ATM without difficulty, but when the customer enters their PIN on the fake keypad installed over the real one, the overlay records the keystrokes (i.e., the customer’s PIN). At the same time, an overlay on the ATM card slot records the secret data from the card’s magnetic stripe. Using blank cards, the fraudster combines this information on their computer to clone the ATM card; this is becoming a significant threat [3].
Having provided a brief background to how overall electronic payment transactions are compromised by cyber criminals, the latter part of this section provides a brief review of available authentication methods for securing payment transactions.
In general, ATMs are autonomous banking workstations designed to offer convenient transaction services to the customers who use them [3,4,25]. Their primary advantage is that they serve users around the clock, seven days a week [26,27,28,29,30], and they are found at practically every convenient location in today’s society, including busy streets and public spaces. Although ATMs have been part of our lives since the 1960s [3,4,5,6], the authentication mechanisms used for ATM transactions have changed very little over the years [31,32,33,34]. The security flaws inherent to magnetic media are the primary constraint on the ability of ATMs to protect customer transactions: the data on a magnetic stripe are stored on two or three tracks, and the equipment needed to encode them is neither difficult nor costly to acquire [11,12,13,14]. This weakness of magnetic stripe cards was later partly remedied by the advent of EMV-compatible smartcards [11,12,13,14,35,36,37,38]. The cardholder’s PIN is often the sole means of attesting to the identity of the user; however, this method is susceptible to a variety of risks, including loss, illegal access, forgetfulness, etc. [39,40,41,42]. Moreover, despite the many warnings issued to card users about the associated risk, many individuals continue to choose passwords and PINs that are easy to guess, such as their social security number or birthday. Because of these constraints, an intruder who obtains a user’s card and then attempts to guess the PIN or predict the password may well succeed, which is known as a brute-force attack. In spite of all the security precautions that have been put in place, there are still instances of criminal activity involving ATMs all over the world.
As the use of ATMs continues to grow, ensuring robust authentication methods becomes paramount in preventing these fraudulent activities and protecting user data. Starting from single-factor authentication, authentication technology has evolved to the level of multi-factor authentication. The most straightforward way of authentication is known as single-factor authentication, where an individual may authenticate their identity by matching only one credential (e.g., providing a password for a username/providing a PIN for an ATM). MFA, also known as Two-Factor Authentication or Two-Step Verification, is a security process that requires users to provide two or more different forms of identification or credentials to verify their identity before gaining access to a system, application, or service. The primary goal of MFA is to add an extra layer of security beyond traditional username–password combinations, making it more difficult for unauthorized individuals to access sensitive information or perform malicious activities.
The three typical factors used in MFA are:
  • Knowledge factor (something you know)
    • This factor involves information that only the authorized user should know, such as a password, PIN, or a specific answer to a security question [10,11].
  • Possession factor (something you have)
    • This factor involves possessing a physical device or object that uniquely belongs to the user, such as a smartphone, smart card, hardware token, or an OTP generator [10,11].
  • Inherence factor (something you are)
    • This factor refers to biometric characteristics unique to each individual, such as fingerprints, facial recognition, iris patterns, voice recognition, or even behavioral biometrics (e.g., keystroke dynamics) [10,11].
To authenticate using MFA, a user needs to provide at least two of these factors. For example, after entering their username and password (something they know), the user may be prompted to enter a one-time code generated on their smartphone (something they have) or use their fingerprint on a biometric scanner (something they are) [5,10,11]. The main advantages of MFA include enhanced security by combining multiple factors and significantly reducing the risk of unauthorized access, even if one factor is compromised [5,10,11]. Other key advantages of MFA include:
  • Protection against password attacks
    • MFA provides an additional layer of protection against common password-based attacks like brute-force and phishing [14,15,16].
  • Compliance requirements
    • Many industry regulations and security standards, such as PCI DSS and GDPR, require or strongly recommend the use of MFA to protect sensitive data [16,17,18,19,20].
  • User-friendly
    • MFA can be implemented in a user-friendly manner, often through smartphones and apps, without causing significant inconvenience to users [14,15,16].
Overall, MFA is an essential security mechanism that adds an extra layer of protection to ensure the identity of users attempting to access sensitive information, systems, or services. It has become increasingly prevalent across various applications and industries as a crucial defense against cyber threats [17,18,19,20]. Further, the landscape of payment security is constantly evolving, and new methods are being introduced occasionally [21,22,23,24,25]. In the following, we discuss some of the commonly used authentication methods for securing ATM transactions as of now.
  • EMV
    • EMV is a widely adopted global standard for chip-based payment cards. EMV cards contain embedded microchips that generate dynamic authentication codes for each transaction [3,4,8]. When the card is inserted into an EMV-enabled ATM or POS terminal, the chip communicates with the terminal to verify the card’s authenticity and the cardholder’s identity. This method makes it difficult for fraudsters to clone or counterfeit cards [26,27,28,29].
  • PIN
    • For ATM transactions, PIN-based authentication is widely used. The cardholder must enter their unique PIN to complete the transaction, ensuring that only the authorized user can access the funds [5,6,7].
  • Biometric authentication
    • Some modern ATMs and POS systems are equipped with biometric authentication methods, such as fingerprint scanners or facial recognition. Biometric data provide a highly secure way to verify the cardholder’s identity [21,22,23,30,31,32]. However, the major drawback of biometric approaches is that they require large systems with very high power and processing capability, along with high implementation and deployment costs.
  • OTP
    • The use of OTPs as a second layer of authentication has been extensively studied. OTPs sent via SMS, email, or generated through authenticator apps add an extra security layer, protecting against unauthorized access even if the primary authentication credentials (e.g., PIN) are compromised [3,4,5]. However, concerns have been raised regarding the reliance on mobile networks and email security.
  • Voice recognition
    • Voice recognition technology has also been investigated for ATM authentication. Early studies indicate that voice-based systems can be vulnerable to voice-mimicking attacks, which raises concerns about their reliability as a standalone authentication method. However, when used in conjunction with other factors, such as location-based authentication, voice recognition can be a valuable component of a multi-layered security approach [9,21,22,23,24,33,34,35].
To provide a better understanding, Table 1 summarizes the authentication methods employed in the context of payment transactions, according to the latest state of the art we reviewed.
According to the research summarized in Table 2, only a few studies have addressed securing ATM transactions; most of the work has focused on securing mobile and online transactions. Apart from the research summarized in Table 2, Sanyal et al. (2010) proposed a novel protocol for multi-factor authentication based on a transaction identification code and SMS to secure wireless payments, especially e-commerce-related transactions. In [17], Yeh et al. (2018) discussed the design of a secure transaction system for mobile payments based on cryptographic smart contracts; however, their authentication scheme is limited to mobile payment transactions. According to the contributors to Geolocation Drives Future of Payments (2020), geolocation technology is an important part of identity verification and authentication in payment transactions, especially when combined with other sophisticated technologies such as biometric authentication and voice recognition. In [26], Hassan and Shukur (2021) presented a security architecture for safeguarding e-wallet apps using MFA; their system verifies the user’s identity by means of the user’s password, fingerprint, and OTP. Overall, compared to our approach, all the work we summarized has drawbacks such as higher implementation costs, usability issues, and vulnerability to security attacks.
In the literature we reviewed, it is evident that existing multi-factor authentication methods do not guarantee adequate security, which leaves a gap for attackers to sneak through. With the aid of a smart mobile device and GPS technology, in this study we propose a novel ATM credit/debit card authentication method, explained further in the next section. The main aim of the proposed solution is to reduce the risk of credit/debit card fraud by a considerable margin. Through the proposed authenticator app, our mechanism also aims to provide the maximum possible security for credit/debit cards even if they are stolen, hacked, lost, or cloned. Unlike the other research work we reviewed, it also enables the user to deactivate and reactivate MFA at any time, set a limit on the withdrawal amount, and block the card if it is stolen. In other words, the proposed solution aims to mitigate credit/debit card fraud even when the cardholder is not present at the transaction. It tracks the user’s current location at the time of the transaction through an authenticator mobile app and cross-checks these data with the ATM location; if the two locations match, the bank can authorize the transaction. Nonetheless, the proposed approach does not make any major modifications to the existing banking or ATM infrastructure.

3. Proposed Solution

Overall, our proposed solution comprises three main components that communicate with each other, as shown in Figure 1, which depicts the high-level architecture of the solution. In Figure 1, the first entity is the ATM, the second is the existing banking infrastructure, and the third is the mobile-based authenticator app, which acts as the main enabler of our solution.
To provide a clear picture of the existing ATM process, Figure 2 depicts the workflow of an existing ATM process, which is based on a PIN for authentication. Accordingly, it only requires a user to enter a PIN to authenticate the transaction.
In our proposed multi-factor authentication solution, the authenticator app would be able to authenticate any ATM transactions and keep track of them as well. Moreover, our proposed solution offers a control panel that provides administrator privileges to the users for disabling the multi-factor authentication, setting up a withdrawal limit, and blocking the card in case it is stolen. Further, it also includes a Rest API, whose main purpose is to enable better integration with existing banking systems without making any major modifications. As seen in Figure 3, our approach does not involve any modifications to the already-in-place ATM infrastructure, but it will authenticate users in a very precise manner. When a user completes a transaction by utilizing our authentication schema, the user will have a greater understanding of what occurs in the background than they have in the present environment, which is blind. Overall, our user authenticator system does not require a lot of information other than the user’s unique identifier (PIN) in order to approve a transaction. Instead, it will connect with a smart mobile-based authentication app and cross-check the user’s location. Figure 3 showcases the high-level workflow of our solution.
According to the workflow of the solution, when a customer requests a transaction at an ATM, the request first reaches the bank with the ATMID and CARDNO parameters. The bank processes the request and sends an authentication request to the authentication API, identifying itself with the BankID and BankAPIKEY parameters. The authentication API then obtains the user’s location through the authenticator app, matches it with the ATM location, and accordingly approves or denies the transaction. As this workflow shows, the proposed approach does not require any modifications to the already-in-place ATM infrastructure, yet it authenticates users precisely, based on geolocation. Compared to the existing workflow depicted in Figure 2, instead of dispensing cash once the PIN is correct, our approach further checks whether the user has their mobile device in their possession and, if so, determines the GPS location of the device, to provide better security for ATM payments. The individual authentication steps are as follows.
  • Step 1: The user makes a transaction request (ATMID, CARDNO) at the ATM.
  • Step 2: The bank receives the transaction request and fetches BankID and APIKEY.
  • Step 3: The bank sends an authentication request (ATMID, CARDNO, APIKEY) to the authenticator API.
  • Step 4: The authentication API fetches data from the user’s authenticator mobile app.
  • Step 5: IF authenticated THEN
    •     IF requested amount < withdrawal limit THEN go to Step 6
    •     ELSE go to Step 7
    • ELSE go to Step 7.
  • Step 6: Approve the transaction.
  • Step 7: Deny the transaction.
Overall, the design of the solution is completed in four stages: first, the design of the simulation environment; second, the implementation of geolocation-based authentication and Rest API; third, the implementation of the authenticator mobile app; and finally, the implementation of the control panel.

3.1. Design the Simulation Environment

First, to demonstrate the proposed solution, a simulation environment was created, and requests were generated through it; no real ATM hardware was used, owing to legal and financial restrictions. While traditional financial transaction systems use proprietary authentication protocols, the world is increasingly moving toward universal compatibility with respect to interbank authorization. Thus, the deployment of a simulation environment was identified as a key factor for the success of our solution; its objective was to mimic the behavior of financial transactions. Taking these requirements into consideration, a virtual product with comprehensive capabilities was used to develop this environment: Paragon Virtual ATM-XFS Simulation and ATM Testing Solution.

3.2. Implementation of Geolocation-Based Authentication and Rest API

As the main objective of this research was to provide an extra layer of security based on the user’s geolocation, GPS inputs were utilized with the assumption that every user has an active smartphone with location services enabled. The authentication system was linked with the existing financial transaction backends. The Rest API was built using ASP.NET Web API utilizing Visual Studio 2019 as the IDE. The procedures involved in the authentication API are further described in the following.
  • Step 1: The API receives an authentication request from the bank with the ATM location.
  • Step 4: The authentication API fetches data from the user’s authenticator mobile app regarding the user’s current location.
  • Step 5: IF the ATM location and the user’s current location match THEN
    •     IF requested amount < withdrawal limit THEN go to Step 6
    •     ELSE go to Step 7
    • ELSE go to Step 7.
  • Step 6: Approve the transaction.
  • Step 7: Deny the transaction.
  • Step 8: Send the status (approval or denial) of the transaction to the bank.
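As an added example (not code from the paper or its implementation), the following Python sketches the decision the authentication API makes in Steps 4 to 7 of Section 3 and Section 3.2: the device fix reported by the authenticator app is matched against the ATM position, then the withdrawal limit is applied, with the cardholder's control panel options (block card, deactivate MFA, accessible country) checked first. The matching radius, default limit, country codes and coordinates are assumptions; the paper only states that the two locations must match.

```python
"""Added example, not code from the paper: the approve/deny decision of the
authentication API (Steps 4-7), with the cardholder's control-panel settings
applied. Radius, default limit, country codes and coordinates are assumed."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0

# Assumed matching radius. The paper says its location source is accurate to
# roughly 20 m, so a fix this close to the ATM counts as a "match"; the exact
# figure is a tuning choice, not a value from the paper.
MATCH_RADIUS_M = 50.0


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 coordinates."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = phi2 - phi1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(min(1.0, sqrt(a)))


@dataclass
class CardProfile:
    """Per-card settings the cardholder manages in the control panel (Section 3.4)."""
    mfa_enabled: bool = True                # geolocation MFA can be switched off
    blocked: bool = False                   # card reported lost or stolen
    withdrawal_limit: float = 500.0         # constructed default, same unit as amount
    allowed_country: Optional[str] = None   # assumed ISO 3166 code; None = anywhere


@dataclass
class AuthRequest:
    """What the bank sends (ATMID, CARDNO, amount, ATM position) plus the
    device fix the authenticator app reports back; None means no fix."""
    atm_id: str
    card_no: str
    amount: float
    atm_lat: float
    atm_lon: float
    atm_country: str
    device_lat: Optional[float] = None
    device_lon: Optional[float] = None


def authorize(req: AuthRequest, profile: CardProfile) -> Tuple[str, str]:
    """Return ("APPROVE" | "DENY", reason) for one ATM transaction."""
    if profile.blocked:
        return "DENY", "card blocked by the cardholder"
    if profile.allowed_country and req.atm_country != profile.allowed_country:
        return "DENY", f"ATM in {req.atm_country}, card restricted to {profile.allowed_country}"
    if profile.mfa_enabled:
        # Step 5, outer test: the device fix must match the ATM location.
        # A missing fix is a failed match, never a pass.
        if req.device_lat is None or req.device_lon is None:
            return "DENY", "no location fix received from the authenticator app"
        dist = haversine_m(req.atm_lat, req.atm_lon, req.device_lat, req.device_lon)
        if dist > MATCH_RADIUS_M:
            return "DENY", f"device is {dist:.0f} m from the ATM"
    # Step 5, inner test. Assumption: the control-panel limit still applies
    # when the cardholder has deactivated geolocation MFA.
    if not req.amount < profile.withdrawal_limit:
        return "DENY", f"amount {req.amount:.2f} is not below the limit {profile.withdrawal_limit:.2f}"
    reason = ("location matched and amount within limit" if profile.mfa_enabled
              else "geolocation MFA deactivated; amount within limit")
    return "APPROVE", reason


if __name__ == "__main__":
    # Constructed sample: an ATM in Colombo, with the cardholder first standing
    # beside it (about 11 m away) and then about 1.1 km away.
    profile = CardProfile(withdrawal_limit=500.0, allowed_country="LK")
    atm = dict(atm_id="ATM-001", card_no="CARD-001", amount=200.0,
               atm_lat=6.9271, atm_lon=79.8612, atm_country="LK")
    near = AuthRequest(**atm, device_lat=6.9272, device_lon=79.8612)
    far = AuthRequest(**atm, device_lat=6.9371, device_lon=79.8612)
    for name, req in (("near", near), ("far", far)):
        print(f"{name}: {authorize(req, profile)}")
```

Note that a missing device fix is treated as a denial rather than a fall-through to the PIN-only path, so an attacker who can keep the genuine phone offline gains nothing from doing so.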

3.3. Mobile Application Implementation

The smart mobile authentication app holds a key place in our overall authentication solution, as the approval or denial of the transaction is based on the GPS location retrieved from the user’s mobile device. This automated geolocation-based check adds a layer of security that requires no user interaction. Through the mobile application, users can also see notifications regarding their transactions and can activate or deactivate the authentication. The backend of the mobile application was linked with Google Firebase, a NoSQL database platform that assists in developing high-quality applications with a good level of security. Data stored in Firebase are encrypted with the AES-256 symmetric algorithm, hence providing the maximum security for data at rest, and each encryption key is itself encrypted with a regularly rotated set of master keys. The mobile application was developed using the Android Studio IDE, with Firebase as a real-time database. Figure 4 shows an overview of the mobile application. To receive location updates, the Google Maps API was used, which draws on two sources to determine the location: the phone’s GPS chipset and information received from cell towers. According to the official Google Maps API documentation, this combination of GPS, cell tower triangulation, and other data sources is very accurate; however, the accuracy of the location information can vary depending on a number of factors, including the quality of the data sources used and the type of device [44]. That said, the accuracy is generally high, to within about 20 m, and the service is considered one of the most reliable location services available.

3.4. Implementation of the Control Panel

To extend the services offered through our proposed solution, a control panel was developed to manage bank information and customer profile information and to match the geolocation details affiliated with the mobile authenticator app. In the case of a lost or stolen credit/debit card, the control panel enables users to deactivate or block the card immediately. Users can also set a limit on the withdrawal amount using the control panel; transaction requests exceeding this limit will not be allowed. Further, users can select the country in which the credit/debit card may be used through the authenticator app.
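The decision that Sections 3.3 and 3.4 describe (PIN result, user-controlled MFA switch, card block, withdrawal limit, allowed country, and a GPS match between the phone and the ATM that respects the roughly 20 m accuracy quoted above) can be written down as one authorization function. The following Python block is an added example written for this edit; it is not code from the paper's C# authenticator API. The data classes, the check order, the sample coordinates, and the way the device-reported accuracy radius is added to the 20 m base radius are all assumptions made for the example, and the paper's rule that the requested amount must be less than the available balance is applied as a strict comparison.

```python
import math
from dataclasses import dataclass
from typing import Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0
# Nominal accuracy of the API-provided fix quoted by the paper (about 20 m); the
# device's own reported accuracy radius is added on top of it in the check below.
BASE_MATCH_RADIUS_M = 20.0


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS-84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class Atm:
    atm_id: str
    lat: float
    lon: float
    country: str            # ISO 3166-1 alpha-2 code stored with the ATM record (assumed)


@dataclass(frozen=True)
class PhoneFix:
    lat: float
    lon: float
    accuracy_m: float       # horizontal accuracy radius reported by the device


@dataclass(frozen=True)
class CardProfile:
    """Settings the cardholder controls from the authenticator app / control panel."""
    mfa_enabled: bool
    blocked: bool
    withdrawal_limit: float
    available_balance: float
    allowed_countries: frozenset


def authorize_withdrawal(pin_ok: bool, profile: CardProfile, atm: Atm,
                         amount: float, fix: Optional[PhoneFix]) -> Tuple[str, str]:
    """Return ("approved" | "denied", reason). The order of the checks is an assumption."""
    if not pin_ok:
        return "denied", "PIN verification failed"
    if profile.blocked:
        return "denied", "card blocked by the cardholder"
    if atm.country not in profile.allowed_countries:
        return "denied", f"card not enabled for country {atm.country}"
    if amount > profile.withdrawal_limit:
        return "denied", "amount exceeds the withdrawal limit"
    if amount >= profile.available_balance:      # paper: amount must be less than the balance
        return "denied", "amount not less than the available balance"
    if not profile.mfa_enabled:
        return "approved", "PIN only (geolocation MFA deactivated by the user)"
    if fix is None:
        # Fail closed: MFA is on but the app produced no fix (no permission, no signal).
        return "denied", "no location received from the authenticator app"
    distance = haversine_m(atm.lat, atm.lon, fix.lat, fix.lon)
    radius = BASE_MATCH_RADIUS_M + max(fix.accuracy_m, 0.0)
    if distance > radius:
        return "denied", f"location mismatch ({distance:.0f} m > {radius:.0f} m)"
    return "approved", f"location match ({distance:.0f} m within {radius:.0f} m)"


# Constructed sample data (not values from the paper)
ATM_SAMPLE = Atm("ATM-001", 6.9000, 79.8600, "LK")
PROFILE_SAMPLE = CardProfile(mfa_enabled=True, blocked=False, withdrawal_limit=2000.0,
                             available_balance=1200.0, allowed_countries=frozenset({"LK"}))
FIX_NEAR = PhoneFix(6.9001, 79.8600, accuracy_m=10.0)   # about 11 m from the ATM
FIX_FAR = PhoneFix(6.9200, 79.8600, accuracy_m=10.0)    # about 2.2 km from the ATM

if __name__ == "__main__":
    for amount, fix in [(600.0, FIX_NEAR), (600.0, FIX_FAR), (2500.0, FIX_NEAR), (1200.0, FIX_NEAR)]:
        print(amount, authorize_withdrawal(True, PROFILE_SAMPLE, ATM_SAMPLE, amount, fix))
```

The match radius grows with the accuracy the device itself reports, so a coarse network-only fix does not cause a false denial at the ATM while a confident fix hundreds of metres away is still rejected; when the user has switched MFA off, the function falls back to the PIN-only decision exactly as the paper's activate/deactivate facility implies.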

4. Implementation

A simulation environment was created to demonstrate the proposed solution using Paragon Virtual ATM-XFS Simulation and ATM Testing Solution. Client software was developed using C# to demonstrate the ATM, utilizing Visual Studio 2019 as the IDE. On the other hand, the authenticator Rest API was built using ASP.NET Web API utilizing Visual Studio 2019 as the IDE. Further, the authenticator mobile application was developed and implemented using Android Studio IDE utilizing Firebase as a real-time database. Upon completing the development of all the modules, the simulation was run on a laptop computer with Intel Core i7 2.4 GHz and 16 GB RAM.
Having finalized all the features to be included in the proposed solution, we developed it primarily using an agile methodology. Most agile methods attempt to minimize risk by developing software in short time boxes, called iterations, which typically last one to four weeks. Each iteration is like a miniature software project of its own and includes all the tasks necessary to release the mini-increment of new functionality: planning, requirements analysis, design, coding, testing, and documentation. While a single iteration may not add enough functionality to warrant a release, an agile software project is capable of releasing new software at the end of every iteration. At the end of each iteration, the team re-evaluated project priorities. Overall, it took two months to complete the development tasks.
In the following, we briefly discuss the implementation of the prototype with its essential functions.

4.1. ATM Inquiry

Initially, the user goes to the ATM, inserts their debit/credit card, and enters the PIN, as depicted in Figure 5a. Once the PIN is entered, the user is directed to a screen showing a message that asks them to allow location access on their smart mobile device so that the transaction can be further authenticated beyond the PIN (Figure 5b). Overall, Figure 6 showcases the procedures for ATM inquiry.

4.2. Mobile Authentication and Control

Following the ATM inquiry, Figure 6 showcases the client-side mobile authenticator app. Initially, the user has to supply the authenticator app with personal information and banking information. The app allows users to enable the multi-factor authentication feature from their side and also provides the facility to disable it at any convenient time (Figure 6a). Users can also set a limit on the withdrawal amount using the authenticator app (Figure 6b); transaction requests exceeding this limit will not be allowed. In the case of a lost or stolen card, the authenticator app enables users to block the card. Further, users can select the country in which the credit/debit card may be used through the authenticator app (Figure 6c).

4.3. Status of the ATM Inquiry

When the user submits a transaction request, the ATM displays a message that the payment was successful if the user is authenticated successfully, the requested amount is within the withdrawal limit, and the amount is less than the available balance; if the user is not authenticated, it displays a message that the payment has failed, as showcased in Figure 7.

5. Results and Discussion

To evaluate the functionality of our proposed solution, we adopted a black-box testing approach. Both functional and non-functional software testing were conducted, considering the key security aspects of our solution. Functional testing is a type of testing in software development that focuses on verifying whether the application or system functions correctly and performs its intended functions according to the specified requirements. The primary goal of functional testing is to ensure that the software meets the functional requirements and behaves as expected by the end users. While functional testing focuses on validating whether the software functions correctly and meets its specified requirements, non-functional testing evaluates how well the software performs and behaves under various conditions. Table 2 highlights the functional testing evaluation results.
Upon completion of functional testing, the system passed all the functional test cases, demonstrating that it was functioning as intended, with no flaws or errors. The results of the transactions performed to test the overall functionality of the implemented system, together with the time taken for authentication, are showcased in Table 3.
These results indicated that, on average, it took approximately 3.715 s for the user to complete the geolocation-based authentication process after submitting their PIN. Given this average, the additional time taken by geolocation authentication was negligible compared to traditional PIN-based authentication, while the proposed approach provided higher security than traditional PIN-based authentication.
With regard to the non-functional testing of our solution, we mainly focused on security testing to prove that our solution can withstand most cyberattacks. The next subsection briefly discusses the security testing of our proposed solution.
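The functional test cases of Table 2 can be replayed against a small model of an ATM session: PIN required before account data, a bounded number of PIN tries, lockout once they are exhausted, masked PIN entry, balance inquiry, correct debiting on withdrawal, session timeout, a transaction limit, and rejection of an expired card. The following Python block is an added example written for this edit, not code from the paper's C# ATM client or the Paragon simulator; the try limit, timeout, transaction limit, dates, and the salted PBKDF2 PIN store used by the simulation are assumptions for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date

# Policy constants for the simulated ATM (constructed values, not the paper's)
MAX_PIN_TRIES = 3
SESSION_TIMEOUT_S = 60.0
TRANSACTION_LIMIT = 2000.0


def mask_pin(pin: str) -> str:
    """What the ATM screen echoes while the PIN is typed (Table 2, case 4)."""
    return "*" * len(pin)


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted PBKDF2 for the simulated card store; an assumption for this demo,
    # not how a real issuer verifies EMV PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class SimCard:
    pan_last4: str
    expiry: date        # last day the card is valid
    pin_salt: bytes
    pin_hash: bytes
    balance: float


def make_card(pan_last4: str, expiry: date, pin: str, balance: float) -> SimCard:
    salt = os.urandom(16)
    return SimCard(pan_last4, expiry, salt, hash_pin(pin, salt), balance)


class AtmSession:
    """One card insertion. Every operation returns (ok, message)."""

    def __init__(self, card: SimCard, today: date, now: float = 0.0):
        self.card, self.today = card, today
        self.tries_left = MAX_PIN_TRIES
        self.authenticated = False
        self.ended = False
        self.last_activity = now

    def _alive(self, now: float) -> bool:
        if self.ended:
            return False
        if now - self.last_activity > SESSION_TIMEOUT_S:   # case 7: idle timeout ends the session
            self.ended = True
            return False
        self.last_activity = now
        return True

    def insert_card(self, now: float = 0.0):
        if self.card.expiry < self.today:                   # case 9: expired card is refused
            self.ended = True
            return False, "Card expired; transaction not permitted"
        self.last_activity = now
        return True, "Enter PIN"

    def enter_pin(self, pin: str, now: float = 0.0):
        if not self._alive(now):
            return False, "Session ended"
        if hmac.compare_digest(hash_pin(pin, self.card.pin_salt), self.card.pin_hash):
            self.authenticated = True
            return True, f"PIN {mask_pin(pin)} accepted"
        self.tries_left -= 1                                # case 2: bounded tries
        if self.tries_left == 0:                            # case 3: exhausted tries end the session
            self.ended = True
            return False, "Too many incorrect PIN attempts; card retained"
        return False, f"Incorrect PIN, {self.tries_left} tries left"

    def balance_inquiry(self, now: float = 0.0):
        if not self._alive(now) or not self.authenticated:  # cases 1 and 5
            return False, "Authentication required"
        return True, f"Available balance: {self.card.balance:.2f}"

    def withdraw(self, amount: float, now: float = 0.0):
        if not self._alive(now) or not self.authenticated:
            return False, "Authentication required"
        if amount > TRANSACTION_LIMIT:                      # case 8
            return False, "Amount exceeds transaction limit"
        if amount > self.card.balance:
            return False, "Insufficient funds"
        self.card.balance -= amount                         # case 6: exact amount debited
        return True, f"Dispensed {amount:.2f}"


def run_functional_tests() -> dict:
    """Replay the Table 2 cases against the simulation; True means the case passed."""
    today = date(2024, 1, 1)                                # constructed date
    results = {}
    s = AtmSession(make_card("1234", date(2030, 12, 31), "4821", 500.0), today)
    s.insert_card()
    results["1 pin before account data"] = s.balance_inquiry()[0] is False
    results["4 pin masked"] = mask_pin("4821") == "****"
    for _ in range(MAX_PIN_TRIES):
        s.enter_pin("0000")
    results["2-3 pin tries exhausted"] = s.enter_pin("4821")[0] is False
    s = AtmSession(make_card("1234", date(2030, 12, 31), "4821", 500.0), today)
    s.insert_card()
    s.enter_pin("4821")
    results["5 balance visible"] = s.balance_inquiry() == (True, "Available balance: 500.00")
    s.withdraw(100.0)
    results["6 correct amount withdrawn"] = s.card.balance == 400.0
    results["8 transaction limit"] = s.withdraw(2500.0)[0] is False
    results["7 session timeout"] = s.withdraw(50.0, now=SESSION_TIMEOUT_S + 1)[0] is False
    e = AtmSession(make_card("9999", date(2020, 1, 1), "1111", 50.0), today)
    results["9 expired card"] = e.insert_card()[0] is False and e.enter_pin("1111")[0] is False
    return results
```

The PIN comparison uses `hmac.compare_digest` rather than `==` so that a wrong guess takes the same time as a near-miss, and a correct PIN entered after the try budget is spent is still refused because the session, not just the counter, is ended.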

Analysis of Security Testing

During the phase of black-box testing, a security analysis was conducted to ensure that the proposed solution could withstand most of the common cyberattacks that target the payment ecosystem, as discussed in the following.
  • Ensures data confidentiality and integrity
    • As per the prototype development, we employed the Google Firebase database to store confidential user information and transaction information, which are protected by Firebase’s security standards. The data stored on Firebase were encrypted with the AES-256 algorithm, and each encryption key was also encrypted with a regularly rotated set of master keys, providing better security over stored data. In addition, all the communication links were secured using the HTTPS protocol, ensuring that the data sent between the user and the server could not be tampered with during transmission, which guarantees confidentiality and data integrity.
  • Provides robust authentication
    • The proposed multi-factor authentication in the study used a PIN, the user’s smart mobile device, and the location of the device as the authentication factors. As all modern smartphones are equipped with GPS location services, the proposed method allows users to authenticate in a convenient and more secure way: once the user activates multi-factor authentication from the mobile app, transactions are authenticated by matching the user’s GPS location with the ATM location.
  • Ensures user privacy
    • All database records and all data communicated across the ecosystem were encrypted, thus protecting the user and their data privacy.
  • Protection against theft or loss
    • In the case of theft or loss of the card, the authenticator app enabled users to block the card at any time, allowing them to protect their bank accounts.
Table 4 provides a brief comparison of the security functionalities of our proposed solution with the existing work (✓—yes, ✗—no).
Overall, it was evident that the implemented system worked well without any bugs and offered the intended functionality. It proved that our solution could be implemented without major modifications to the existing banking infrastructure and offered convenient facilities to users, such as allowing them to deactivate/reactivate authentication at any time, block the card in case it is stolen or lost, and set up a withdrawal limit. Moreover, the security testing carried out showed that our proposed solution withstood/prevented most of the cyberattacks and provided protection when the card was lost or stolen, which was not addressed by any of the research that we reviewed. Further, our solution can also be extended to secure POS transactions, as most POS transactions do not involve any authentication, which exposes them to various cyberattacks. As no major modification is needed, the proposed solution can be easily integrated to authenticate POS transactions.
To obtain the exact user location via mobile, we relied on the Google Maps API, which employs a combination of GPS, cell tower triangulation, and various data sources. While this method is generally highly accurate, the precision of the location data it furnishes can fluctuate due to several factors. These factors include the quality of the data sources utilized for location determination and the specific type of device in use. Nevertheless, it is worth noting that this API generally provides a high level of accuracy, typically within a range of approximately 20 m, which does not hamper the functionality of our solution.
On the other hand, the Google Maps API is primarily a web service that provides mapping and location-based services to developers [44]. It relies on the device’s underlying location services (e.g., GPS, Wi-Fi, or cell tower data) to determine the user’s location. It does not control the GPS hardware or the device’s GPS receiver. When it comes to GPS spoofing attacks, which typically involve manipulating the GPS signals received by a device to provide false location information, these attacks target the GPS receiver hardware and are not related to the Google Maps API itself. However, any application or service that relies on GPS data, including those using the Google Maps API, can be affected by GPS spoofing if the device’s GPS receiver is compromised [44,46,47]. In such a case, the Google Maps API has no built-in protection against GPS spoofing because it assumes that the device’s location services are providing accurate data. However, with our devised MFA approach, an attacker would still need to know the user’s PIN to fully compromise the security of a payment transaction. Thus, our proposed approach provides robust security against GPS spoofing attacks. Through the provided control panel, the user can still deactivate or reactivate MFA at any time, which offers a contingency for GPS jamming and spoofing scenarios.
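Because the location service simply trusts what the device reports, the server side of a scheme like this one benefits from sanity-checking each location report before using it as an authentication factor. The following Python block is an added example written for this edit, not code from the paper; it applies general plausibility heuristics (the platform's mock-location flag, which Android exposes on a location object and which the app is assumed to forward, fix freshness, reported accuracy, and implausible travel speed since the previous fix) and treats any flag as a failed location factor, consistent with Step 7's denial. The report schema, the thresholds, and the sample fixes are assumptions constructed for the example.

```python
import math
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LocationReport:
    """One location sample forwarded by the authenticator app (constructed schema)."""
    lat: float
    lon: float
    accuracy_m: float          # horizontal accuracy radius reported by the platform
    fix_time_s: float          # time the device produced the fix, seconds since epoch
    from_mock_provider: bool   # the platform's mock-location flag, assumed forwarded by the app


# Thresholds are assumptions for the demo, not values from the paper
MAX_FIX_AGE_S = 120.0            # an old fix may be a replay of a previously captured location
MAX_CLOCK_SKEW_S = 30.0          # tolerate small device/server clock differences
MAX_ACCURACY_M = 100.0           # coarser than this says nothing about a 20 m ATM match
MAX_PLAUSIBLE_SPEED_MPS = 300.0  # faster than any road or rail travel


def approx_distance_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Equirectangular approximation; adequate for a plausibility check."""
    mean_lat = math.radians((lat1 + lat2) / 2)
    x = math.radians(lon2 - lon1) * math.cos(mean_lat)
    y = math.radians(lat2 - lat1)
    return 6_371_000.0 * math.hypot(x, y)


def check_report(report: LocationReport, now_s: float,
                 previous: Optional[LocationReport] = None) -> List[str]:
    """Return the list of suspicious properties found; an empty list means nothing was flagged."""
    flags: List[str] = []
    if report.from_mock_provider:
        flags.append("mock_provider")
    age = now_s - report.fix_time_s
    if age < -MAX_CLOCK_SKEW_S:
        flags.append("fix_from_future")
    elif age > MAX_FIX_AGE_S:
        flags.append("stale_fix")
    if report.accuracy_m > MAX_ACCURACY_M:
        flags.append("low_accuracy")
    if previous is not None:
        dt = report.fix_time_s - previous.fix_time_s
        if dt > 0:
            speed = approx_distance_m(previous.lat, previous.lon, report.lat, report.lon) / dt
            if speed > MAX_PLAUSIBLE_SPEED_MPS:
                flags.append("implausible_travel")
    return flags


def location_factor_ok(report: LocationReport, now_s: float,
                       previous: Optional[LocationReport] = None) -> bool:
    """The location factor counts only when no plausibility flag is raised (fail closed)."""
    return not check_report(report, now_s, previous)


if __name__ == "__main__":
    # Constructed fixes: an earlier one near the ATM, then one 0.3 degrees of latitude away a minute later
    earlier = LocationReport(6.9000, 79.8600, 15.0, 1000.0, False)
    jumped = LocationReport(7.2000, 79.8600, 10.0, 1060.0, False)
    print(check_report(jumped, 1070.0, earlier))   # ['implausible_travel']
```

A flagged report is not proof of spoofing (a phone that was off for an hour can legitimately report a stale fix), so the natural response is the one the paper already provides: the location factor fails, the cardholder is notified through the app, and the transaction is denied unless the user has deliberately deactivated MFA.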

6. Conclusions

The ubiquitous nature of credit/debit cards as a preferred mode of payment underscores the need for enhancing their security. While these electronic payment methods offer undeniable advantages such as convenience, security, and fraud protection, they also face inherent vulnerabilities that can lead to substantial financial losses due to fraud and cybercrime. The increasing volume of electronic transactions globally amplifies this concern, necessitating the development of robust security measures. This research addresses this pressing issue by introducing a novel geolocation-based multi-factor authentication method tailored to improve the security of electronic payment transactions, particularly ATM transactions. By leveraging geolocation data, this method adds an additional layer of identity verification, helping to thwart fraudulent activities. Furthermore, the proposed design approach offers an innovative means to control transaction ownership conveniently (e.g., allowing users to deactivate/reactivate authentication at any time, block the card in case it is stolen or lost, and set up a withdrawal limit), all without necessitating major alterations to the existing banking infrastructure. The authenticator mobile app designed for the initial solution is deployed on Android; future developments will include an app for iOS. From a bank’s perspective, the proposed solution currently functions as a value-added service. Nevertheless, this proposed solution can be implemented in other existing systems beyond banking systems to improve security, as the real user needs to be physically nearby to authenticate, offering better security than existing authentication solutions such as POS systems and online banking apps.
As most POS transactions do not require authentication of the card by the cardholder and complete the payment without it, our proposal would be an ideal solution for enhancing the security of POS transactions without major modifications to the existing infrastructure. A probable future implementation is to test the feasibility of such a multi-factor authentication system in existing systems across other industries. The simulation results show that our proposed solution operates as intended without any software bugs and provides better security compared to the previous research work. Moreover, compared to the previous work, the system can be easily integrated with the existing banking infrastructure. Overall, our proposed solution reduces the complexity of the backends of banking solutions as well as minimizes the attack surface for intruders, providing robust security for payment transactions.

Author Contributions

Conceptualization, R.S.; Methodology, R.S. and N.N.T.; Software, A.A. and N.N.T.; Validation, R.S. and N.N.T.; Investigation, R.S. and N.N.T.; Resources, A.A. and N.N.T.; Data curation, R.S. and N.N.T.; Writing—original draft, N.N.T.; Writing—review & editing, A.A. and R.S.; Visualization, N.N.T.; Supervision, R.S.; Project administration, A.A. and N.N.T.; Funding acquisition, A.A. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by Qassim University.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Acknowledgments

The researchers would like to thank the Deanship of Scientific Research, Qassim University, for funding the publication of this project.

Conflicts of Interest

The authors declare no conflict of interest.

Abbreviations

Acronym | Description
--- | ---
ATM | Automated Teller Machine
PIN | Personal Identification Number
OTP | One-Time Password
EMV | Europay, Mastercard and Visa
MFA | Multi-Factor Authentication
2FA | Two-Factor Authentication
PCI DSS | Payment Card Industry Data Security Standard
GDPR | General Data Protection Regulation
POS | Point of Sale
RFID | Radio Frequency Identification
NFC | Near Field Communication
API | Application Programming Interface
GPS | Global Positioning System
IDE | Integrated Development Environment
AES | Advanced Encryption Standard
HTTPS | Hypertext Transfer Protocol Secure

References

  1. Pranith, C.V.; Sujith, V.L.; Kiran, K.S.; Goutham, P.; Kiran, K.V.D. A Multifactor Security Protocol for Wireless Payment-Secure Web Authentication Using Mobile Devices. In Cybernetics, Cognition and Machine Learning Applications; Gunjan, V.K., Suganthan, P.N., Haase, J., Kumar, A., Eds.; Springer Nature: Singapore, 2023; pp. 29–38.
  2. Bissada, A.; Olmsted, A. Mobile multi-factor authentication. In Proceedings of the 2017 12th International Conference for Internet Technology and Secured Transactions (ICITST), Cambridge, UK, 11–14 December 2017; pp. 210–211.
  3. Sankhwar, S.; Pandey, D. A Safeguard against ATM Fraud. In Proceedings of the 2016 IEEE 6th International Conference on Advanced Computing (IACC), Bhimavaram, India, 27–28 February 2016; pp. 701–705.
  4. Gold, S. The evolution of payment card fraud. Comput. Fraud. Secur. 2014, 2014, 12–17.
  5. Yang, S.; Meng, J. Research on Multi-factor Bidirectional Dynamic Identification Based on SMS. In Proceedings of the 2018 IEEE 3rd Advanced Information Technology, Electronic and Automation Control Conference (IAEAC), Chongqing, China, 12–14 October 2018; pp. 1578–1582.
  6. Li, Y.; Zhang, X. A security-enhanced one-time payment scheme for credit card. In Proceedings of the 14th International Workshop Research Issues on Data Engineering: Web Services for e-Commerce and e-Government Applications, 2004. Proceedings, Boston, MA, USA, 28–29 March 2004; pp. 40–47.
  7. Kish, L.B.; Entesari, K.; Granqvist, C.-G.; Kwan, C. Unconditionally Secure Credit/Debit Card Chip Scheme and Physical Unclonable Function. Fluct. Noise Lett. 2017, 16, 1750002.
  8. Jerry Gao, J.C. A Wireless Payment System. In Proceedings of the Second International Conference on Embedded Software and Systems (ICESS’05), Xi’an, China, 16–18 December 2005; pp. 367–374.
  9. Greene, C.; Stavins, J. Did the Target Data Breach Change Consumer Assessments of Payment Card Security? Social Science Research Network: Rochester, NY, USA, 2016; Available online: https://papers.ssrn.com/abstract=2818262 (accessed on 5 July 2023).
  10. ATM/PoS Malware ‘Recovers’ from COVID-19, with the Number of Attacks Continuing to Grow in 2022|Kaspersky. Available online: https://www.kaspersky.com/about/press-releases/2022_atmpos-malware-recovers-from-covid-19-with-the-number-of-attacks-continuing-to-grow-in-2022 (accessed on 24 July 2023).
  11. Nambiar, S.; Lu, C.-T.; Liang, L.R. Analysis of payment transaction security in mobile commerce. In Proceedings of the 2004 IEEE International Conference on Information Reuse and Integration, IRI 2004., Las Vegas, NV, USA, 8–10 November 2004; pp. 475–480.
  12. Asokan, N.; Janson, P.A.; Steiner, M.; Waidner, M. The state of the art in electronic payment systems. Computer 1997, 30, 28–35.
  13. Téllez Isaac, J.; Sherali, Z. Secure Mobile Payment Systems. IT Prof. 2014, 16, 36–43.
  14. Herzberg, A. Payments and banking with mobile personal devices. Commun. ACM 2003, 46, 53–58.
  15. Chabbi, S.; Araar, C. RFID and NFC authentication protocol for securing a payment transaction. In Proceedings of the 2022 4th International Conference on Pattern Analysis and Intelligent Systems (PAIS), Oum El Bouaghi, Algeria, 12–13 October 2022; pp. 1–8.
  16. Yeh, K.-H. A Secure Transaction Scheme with Certificateless Cryptographic Primitives for IoT-Based Mobile Payments. IEEE Syst. J. 2018, 12, 2027–2038.
  17. Yeh, K.-H.; Su, C.; Hou, J.-L.; Chiu, W.; Chen, C.-W. A Robust Mobile Payment Scheme With Smart Contract-Based Transaction Repository. IEEE Access 2018, 6, 59394–59404.
  18. Sharma, A.; Kansal, V.; Tomar, R.P.S. Location Based Services in M-Commerce: Customer Trust and Transaction Security Issues. Int. J. Comput. Sci. Secur. 2015, 9, 11–21.
  19. Konidala, D.M.; Yeun, C.Y.; Kim, K. Enhanced protocol for location-based services in ubiquitous society. In Proceedings of the IEEE Global Telecommunications Conference, GLOBECOM ’04, Dallas, TX, USA, 29 November–3 December 2004; pp. 2164–2168.
  20. Bhutta, M.N.M.; Bhattia, S.; Ali Alojail, M.; Nisar, K.; Cao, Y.; Chaudhry, S.A.; Sun, Z. Towards Secure IoT-Based Payments by Extension of Payment Card Industry Data Security Standard (PCI DSS). Wirel. Commun. Mob. Comput. 2022, 2022, 9942270.
  21. Geolocation Drives Future of Payments; GeoComply: Vancouver, BC, Canada, 2020. Available online: https://www.geocomply.com/blog/geolocation-drives-future-of-payments/ (accessed on 6 July 2023).
  22. Schuman, E. Geolocation: Great for Authentication, but Far from Perfect. 2016. Available online: https://blog.sift.com/geolocation-nice-tool-authentication-far-perfect/ (accessed on 6 July 2023).
  23. Ashfield, J.; Shroyer, D.; Brown, D. Location Based Authentication of Mobile Device Transactions. U.S. Patent US8295898B2, 23 October 2012. Available online: https://patents.google.com/patent/US8295898B2/en (accessed on 6 July 2023).
  24. Securing FinTech Apps With GPS Data. Velmie. 2020. Available online: https://www.velmie.com/post/securing-fintech-apps-with-gps-data (accessed on 6 July 2023).
  25. Twum, F.; Nti, K.; Asante, M. Improving Security Levels in Automatic Teller Machines (ATM) Using Multifactor Authentication. IJSEA 2016, 5, 126–134.
  26. Hassan, M.A.; Shukur, Z. Device Identity-Based User Authentication on Electronic Payment System for Secure E-Wallet Apps. Electronics 2021, 11, 4.
  27. Sanyal, S.; Tiwari, A.; Sanyal, S. A Multifactor Secure Authentication System for Wireless Payment. In Emergent Web Intelligence: Advanced Information Retrieval; Chbeir, R., Badr, Y., Abraham, A., Hassanien, A.-E., Eds.; Springer: London, UK, 2010; pp. 341–369.
  28. Hassan, M.A.; Shukur, Z.; Hasan, M.K.; Al-Khaleefa, A.S. A Review on Electronic Payments Security. Symmetry 2020, 12, 1344.
  29. Sahi, A.M.; Khalid, H.; Abbas, A.F.; Zedan, K.; Khatib, S.F.A.; Al Amosh, H. The Research Trend of Security and Privacy in Digital Payment. Informatics 2022, 9, 32.
  30. Hassan, M.A.; Shukur, Z.; Hasan, M.K. An Efficient Secure Electronic Payment System for E-Commerce. Computers 2020, 9, 66.
  31. Liu, Y.; Huang, W.; Zhuo, M.; Zhou, S.; Li, M. Mobile Payment Protocol with Deniably Authenticated Property. Sensors 2023, 23, 3927.
  32. Jiang, Y.; Sun, G.; Feng, T. Research on Data Transaction Security Based on Blockchain. Information 2022, 13, 532.
  33. Hwang, Y.; Park, S.; Shin, N. Sustainable Development of a Mobile Payment Security Environment Using Fintech Solutions. Sustainability 2021, 13, 8375.
  34. De Luca, A.; Langheinrich, M.; Hussmann, H. Towards understanding ATM security: A field study of real world ATM use. In Proceedings of the Sixth Symposium on Usable Privacy and Security, Redmond, WA, USA, 14–16 July 2010; pp. 1–10.
  35. Singh, A.; Singh, K.; Khan, M.H.; Chandra, M. A Review: Secure Payment System for Electronic Transaction. Int. J. Adv. Res. Comput. Sci. Softw. Eng. 2012, 2, 237–243.
  36. An Empirical Study of Customers’ Perceptions of Security and Trust in E-Payment Systems. ScienceDirect. Available online: https://www.sciencedirect.com/science/article/pii/S1567422309000283 (accessed on 6 August 2023).
  37. Ceipidor, U.B.; Medaglia, C.M.; Marino, A.; Sposato, S.; Moroni, A. KerNeeS: A protocol for mutual authentication between NFC phones and POS terminals for secure payment transactions. In Proceedings of the 2012 9th International ISC Conference on Information Security and Cryptology, Tabriz, Iran, 13–14 September 2012; pp. 115–120.
  38. Kovács, L.; David, S. Fraud risk in electronic payment transactions. J. Money Laund. Control 2016, 19, 148–157.
  39. Chaum, D. Security without identification: Transaction systems to make big brother obsolete. Commun. ACM 1985, 28, 1030–1044.
  40. Tsiakis, T.; Sthephanides, G. The concept of security and trust in electronic payments. Comput. Secur. 2005, 24, 10–15.
  41. Bellare, M.; Garay, J.A.; Hauser, M.; Herzberg, A.; Krawczyk, H.; Steiner, M.; Tsudik, G.; Van Herreweghen, E.; Waidner, M. Design, implementation, and deployment of the iKP secure electronic payment system. IEEE J. Sel. Areas Commun. 2000, 18, 611–627.
  42. Ali, G.; Dida, M.A.; Elikana Sam, A. A Secure and Efficient Multi-Factor Authentication Algorithm for Mobile Money Applications. Future Internet 2021, 13, 12.
  43. Hassan, M.A.; Shukur, Z. A Secure Multi Factor User Authentication Framework for Electronic Payment System. In Proceedings of the 2021 3rd International Cyber Resilience Conference (CRC), Langkawi Island, Malaysia, 29–31 January 2021; pp. 1–6.
  44. Geolocation API Overview|Google for Developers. Available online: https://developers.google.com/maps/documentation/geolocation/overview (accessed on 9 September 2023).
  45. Keerthiwardane, S.S.; Wijethunga, I.A. ATM Detail Protection Using Geo-Fence Technology; Kotelawala Defence University: Rathmalana, Sri Lanka, 2020.
  46. How to Detect GPS Spoofing, Location & Fake GPS Spoofing in Android Apps. Available online: https://www.appdome.com/how-to/mobile-malware-prevention/android-malware-detection/detect-a-fake-gps-attack/ (accessed on 20 September 2023).
  47. Spens, N.; Lee, D.-K.; Nedelkov, F.; Akos, D. Detecting GNSS Jamming and Spoofing on Android Devices. NAVIGATION J. Inst. Navig. 2022, 69, 3.
Figure 1. High-level architecture of our proposed solution.
Figure 2. The workflow of the existing ATM process.
Figure 3. The high-level workflow of our ATM solution.
Figure 4. Overview of the authenticator mobile app.
Figure 5. The ATM inquiry process.
Figure 6. Multi-factor authentication using the mobile app.
Figure 7. Status of the ATM inquiry.
Table 1. Related recent research.

Reference | Authentication Method | Discusses Either ATM or Other Sorts of Payment Transactions | Scope | Limitations
--- | --- | --- | --- | ---
Pranith et al., 2023 [1] | Transaction identification code and SMS-based MFA | Other | The authors proposed a novel protocol based on MFA that uses transaction identification codes and SMS to enforce extra security for wireless payments. | The researchers did not consider the security of communication media (mobile networks).
Yingjiu Li and Xinwen Zhang, 2004 [6] | OTP-based authentication | Other | The researchers used a hash function in the generation of one-time credit card numbers, and by comparing with similar research, they proved their approach puts less burden on credit card issuers and can be easily deployed in both online and offline scenarios. | Having OTP provides only a basic level of security, and OTPs are vulnerable to SMS code theft and SIM swap attacks.
Chabbi and Araar, 2022 [15] | RFID (Radio Frequency Identification) and NFC (Near Field Communication)-based authentication | ATM | The authors introduced a novel method for payment transactions combining RFID and NFC. Overall, they proposed a protocol to secure payment transactions using an Automated Teller Machine (ATM) and a smartphone. | It is very expensive for the banking sector to adopt the NFC-enabled devices, and the NFC data can be rerouted to a device other than the one that is intended.
Twum et al., 2016 [25] | PIN and fingerprint-based authentication | ATM | The researchers proposed a multi-factor (PIN and fingerprint)-based authentication security arrangement to enhance the security and safety of the ATM and its users. | Introducing fingerprint-based authentication requires major modification of existing ATM/banking infrastructure.
Hassan et al., 2020 [30] | Cryptography-based authentication | Other | In the study, the researchers developed an efficient and secure electronic payment protocol for e-commerce where consumers can immediately connect with the merchants. | The proposed approach is only applicable to online payments.
Hassan and Shukur, 2021 [43] | Password, biometric, and OTP-based MFA | Other | The authors provided an MFA-based security framework for securing payment transactions. | The authors do not provide details of the implementation of their proposed method, and they are not specific about which transactions can be implemented.
Ali et al., 2021 [44] | PIN, biometric, and OTP-based MFA | Other | The authors proposed a novel approach combining PIN, OTP, and a biometric fingerprint to enforce extra security during mobile payment transactions. | OTPs are vulnerable to SMS code theft and SIM swap attacks, and not all modern smartphones are equipped with fingerprint readers.
Keerthiwardane and Wijethunga, 2020 [45] | Geolocation-based authentication | ATM | The authors proposed a novel approach for securing ATM transactions using geolocation-based (geo-fence) authentication as a substitution for PIN-based authentication. | The authors introduce their approach as a substitution for PIN-based authentication, whereas no MFA can be seen, and no implementation is provided for the proposed approach.
Our work | Geolocation-based MFA | ATM | We propose a novel geolocation-based MFA for authenticating ATM transactions without making major modifications to the existing banking infrastructure, and the proposed approach offers the facility to control the ownership of transactions in a convenient way (deactivate, reactivate MFA at any time, set the limit for withdrawal amount/block the card if it is stolen or lost, etc.). | The proposed solution is made in such a way as to overcome the limitations of previous work.
Table 2. Evaluation of functional testing.

Test Case | Test Result
--- | ---
Verify that the user is prompted to enter a PIN before the account data are shown. | Passed
Verify to see whether the user has a certain amount of PIN tries. | Passed
Verify that if the total number of incorrect PIN tries is exceeded, the user is not permitted to proceed. | Passed
Verify that the PIN is presented in masked form when input. | Passed
Verify that the user is authorized to view account information such as available balance. | Passed
Verify to ensure that the proper amount of money has been withdrawn as specified by the user for cash withdrawal. | Passed
Verify that the user’s session timeout is not exceeded. | Passed
Verify that the user is not permitted to exceed the transaction limit. | Passed
Verify that the user is not permitted to proceed with the expired ATM card and that the appropriate error message is provided. | Passed
Table 3. Transaction results.

Transaction ID | Available Balance (USD) | Withdraw Limit (USD) | Request Amount (USD) | Multi-Factor Authentication ON/OFF | Payment Status | Authentication Time Using the App
--- | --- | --- | --- | --- | --- | ---
1 | 200 | 2000 | 100 | ON | Success | 4.2 s
2 | 300 | 2000 | 400 | ON | Failed | 4.1 s
3 | 3500 | 2000 | 50 | ON | Success | 3.9 s
4 | 700 | 2000 | 500 | ON | Success | 3.9 s
5 | 800 | 2000 | 600 | ON | Success | 3.9 s
6 | 900 | 2000 | 900 | ON | Failed | 4.0 s
7 | 4000 | 2000 | 2500 | ON | Failed | 4.1 s
8 | 5000 | 2000 | 3000 | ON | Failed | 4.0 s
9 | 1200 | 2000 | 600 | ON | Success | 3.9 s
10 | 500 | 2000 | 400 | OFF | Success | 3.9 s
11 | 1000 | 2000 | 600 | OFF | Failed | 3.7 s
12 | 4500 | 2000 | 700 | OFF | Failed | 4.1 s
13 | 3200 | 2000 | 800 | OFF | Failed | 4.1 s
14 | 1600 | 2000 | 300 | OFF | Failed | 4.0 s
15 | 2500 | 2000 | 3400 | OFF | Failed | 3.8 s
16 | 500 | 2000 | 2100 | OFF | Failed | 3.7 s
17 | 500 | 2000 | 150 | OFF | Failed | 3.7 s
18 | 7500 | 2000 | 250 | OFF | Failed | 3.8 s
19 | 450 | 2000 | 750 | OFF | Failed | 3.7 s
20 | 340 | 2000 | 1500 | OFF | Failed | 3.7 s
Table 4. Comparison of the proposed solution with the existing work.
Security Features[1][6][15][25][30][43][44]Our Solution
Provides data confidentiality
Provides data integrity
Ensures data privacy
Ensures user privacy
Provides robust authentication
Prevention of social engineering attacks
Protection against lost or stolen card
Prevention of SMS code theft and SIM swap attacks
Prevention of PIN-guessing attacks
Prevention of brute-force attacks
Prevention of MITM attacks/packet intercepting
Prevention of Shoulder surfing
Prevention of Skimming attacks
Prevention of Keypad overlay attacks
Prevention of GPS spoofing attacks
Prevention of GPS jamming

MDPI and ACS Style

Alabdulatif, A.; Samarasinghe, R.; Thilakarathne, N.N. A Novel Robust Geolocation-Based Multi-Factor Authentication Method for Securing ATM Payment Transactions. Appl. Sci. 2023, 13, 10743. https://doi.org/10.3390/app131910743
