
STAMFORD COLLEGE MALAYSIA AFFILIATED WITH THE UNIVERSITY OF EAST LONDON Project Management (MSc) Technology Management BIOMETRIC

PROJECT MANAGEMENT PLAN FOR AUTOMATED TELLER MACHINE OF DAILY BANK BERHAD

1. INTRODUCTION
This project, the Biometric Automated Teller Machine, is developed in Visual Basic.Net. Banks today make use of the ATM (Automated Teller Machine) almost entirely. Etzel et al. (2004) stated that thousands of years ago transactions were likely done manually by customers in the bank, but at present this is done very rarely because of its difficulty and the long process it takes. Banks today use ATMs as part of their transaction process to ease and speed up transactions (Gido and Clements, 2003). The process is significant because it makes transactions easier and faster for customers, even in times of emergency. This process also involves certain risks. During the 90s the majority of banks took advantage of the technological boom in micro-computers and communication, and ATMs began to work exclusively online, meaning that when an ATM loses communication with its central system, it loses service as well (Gido and Clements, 2003). Once ATMs were connected directly, the need arose to protect the information in the card and the client's PIN (Personal Identification Number) found in messages that had to travel across public telecommunication lines.

The Biometric Automated Teller Machine project plan provides a definition of this project, including the project objectives and goals. In addition, the project plan will stand as an agreement between the following parties: the project sponsor, steering committee, project manager, project team, and other personnel associated with the project.

1.1 MOTIVATION
Criminals tamper with ATMs and steal users' credit cards and passwords by illegal means. Once a user's card is lost and the password stolen, the criminal will draw all the money in the shortest time, which will bring enormous financial losses to the customer. How to carry out valid identification of the customer has become the focus of the current financial circle.

1.2 THE PROJECT PLAN DEFINES THE FOLLOWING:

Project purpose
Business and project goals and objectives
Scope and expectations
Roles and responsibilities and human resource activities
Assumptions and constraints
Project management approach
Ground rules for the project
Project budget
Project timeline
Conceptual design of new technology

1.3 PROJECT APPROACH
This section outlines the way the technology will be employed, including the highest-level milestones of the project.

Phase 1: Secure agreement with client
Phase 2: Order Equipment (Hardware and Software)
Phase 3: Assemble, Install and test Hardware and Software
Phase 4: Install biometric software on ATM
Phase 5: Conduct Hardware/Software Testing
Phase 6: Conduct Training and provide support

1.4 BRIEF SUMMARY OF THE PROJECT
The purpose of the project is to analyze the requirements for the design, installation and implementation of biometric software for both the central bank server and the ATM client machines that will support the Daily-Bank ATM network, according to the requirements specified by the client.

1.5 PROBLEM STATEMENT
Automated Teller Machines (ATMs) are electronic banking outlets which allow customers to complete their basic transactions without the aid of branch representatives or tellers (Qadrei & Habib, 2009). Nowadays, using ATMs, which provide customers with convenient banknote trading, is very common. However, financial crime cases have risen repeatedly in recent years, with many criminals tampering with ATM terminals and stealing credit cards and passwords. Once a user's bank card is lost and the password stolen, the criminal will draw all his or her cash in a very short time and bring enormous financial loss to the said customer. Being able to validate the identity of customers has now become the focus of the current circle (Yang & Mi, 2010). Traditional ATM systems, in authenticating credit cards and passwords, have some defects. The use of credit cards and passwords cannot verify the clients' identities accurately. With the rapid increase in the number of break-in reports involving traditional PINs and passwords, there is a high demand for greater security in accessing sensitive personal data. These days, biometric technologies are typically used to analyze human characteristics for security purposes (Cavoukian & Stoianov, 2007). Biometrics-based authentication is a potential candidate to replace password-based authentication (Pankanti & Jain, 2004). The technique of fingerprint recognition is being continuously updated, offering new verification methods; the original password authentication method is being combined with biometric identification technology to verify the client's identity and to effectively improve the safe use of ATM machines.

1.6 OBJECTIVES OF THE PROJECT
The objectives of this project will focus on implementing biometric technology, and making sure the following are achieved:
To ensure the project is completed on the specified project due date (starts on 1st July 2011 to 31st June 2012)
To ensure the project is completed within the budget, which is $5,000,000.00
To make sure all the requirements stated in this project are fulfilled (as in the software and hardware)
To purchase and install a biometric fingerprint scanner into the ATM
To enhance the protection of customers' information through the usage of biometrics (ATM)

1.7 PROJECT SCOPE
The project will develop new Automated Teller Machine (Biometric) technology, including the following. With the use of Java, HTML and CSS, this document describes the buying and installation of a biometric ATM device, which is applicable to the regular banking transaction processes: deposit, withdrawal, transfer of funds and balance query. Any changes will be assessed in terms of impact on the project schedule, costs and resource usage. This project will be limited to the installation of the biometric finger scanner and may not discuss its manufacture. With more focus on the functioning of the ATM, this work will also cover risks associated with the ATM work, and the roles and responsibilities of the project team will also be discussed.

2 PROJECT BUDGET PLAN
The project is planned with the following constraints:

Time: one year. Once the biometric software product is installed on the ATM machines, it will take one month for the client to install the physical ATM machines in their various permanent locations.
Three staff from outside of the consultant's firm will be required to assist in the requirements and detail design phases of the project, so as to lend their extensive ATM experience to the project.
Maintenance: the software will have to be designed such that maintenance expenses do not exceed $100,000 per year (software maintenance portion of the total $600,000 budget).

2.1 Schedule and Budget Summary
The project has the following high-level schedule:

Delivery of baseline project plan: May 10, 2011
Software products ready for operation: May 31, 2012

The project has a budget of $3,000,000. Once the biometric software product is delivered, annual maintenance costs should be no larger than $100,000.

2.2 Evolution of the Plan
The plan is considered to be a dynamic document and will be updated monthly by default and on an unscheduled basis as necessary. Scheduled updates to the plan will occur on the last Friday of the month. Notification of scheduled and unscheduled updates to the plan will be communicated via e-mail and phone contact to all project participants according to the Reporting Plan. Once the initial plan is finished, a baseline of the plan will be created. Changes to the plan will take place against this baseline. The plan will only receive further baselines if a significant change in the scope of the project occurs, but this is very unlikely.

3. START-UP PLAN

3.1 Estimation Plan
Schedule, Cost, and Resource Estimates: The estimation chart showing activities, estimated duration, estimated cost, and estimated resource requirements will be shown.

3.2 Estimation methods
Schedule duration and work estimation for each leaf activity in the Work Breakdown Structure (WBS) will be performed using a combination of the following methods and data sources:

3.3 Resource input
The resource(s) identified as being required to complete the activities here will need to provide an estimate of the amount of time required to complete the activities. A detailed estimate will be presented here and broken down into sub-activity milestones. Sub-activity milestones tied to the percentage-complete metric will force a consideration of everything that is involved in the activity.

When more than one resource is assigned to the activity, their estimates will be collected independently and, if substantially different, meetings will be held between the project manager and all resources so that an agreement may be reached on a final estimate.

3.4 STAFFING PLAN
In terms of domain-specific knowledge as it relates to the development of ATM software, we have accommodated our limited experience in this area by recognizing the need for two consultants from a company (that possesses good biometric knowledge) with which we have had a good working relationship in the purchase of the biometric finger scanner. The two consultants whose services we will acquire from Banks etc. will fill our knowledge gap in this area.

Human Resource Type | Work (hrs) | Key Periods | Key project phase(s) | Qty Required
Project Manager | 1193 | 02/15/2011 to 06/30/2012 | All | 1
System Architect | 142 | 05/30/2011 to 07/15/2011, 11/14/2011 to 02/13/2012 | Hardware design and structuring | 1
Programmer and web designer | 170 | 05/30/2011 to 07/15/2011 | Coding and web designing | 1
Consultants with detailed biometric ATM knowledge | 914 + 300 = 1214 | 05/30/2011 to 02/13/2012 | Consultancy and advice on the biometric implementation | 2
Installation/Integration Engineer | 737 | 12/05/2011 to 04/24/2012 | Install and integrate Biometric software and other softwares |
Quality, Verification and Validation Engineer | 532 | 08/15/2011 to 02/13/2012 | Quality Assurance, Software/Hardware verification | 1
Configuration Engineer | 225 | 05/30/2011 to 07/31/2011 | All (but most work up-front during definition) |
Quality/Test Engineer | 89 | 07/01/2011 to 08/15/2011, 12/01/2011 to 12/15/2011, 03/01/2011 to 05/31/2012 | Hardware and Software testing | 1
Training/Support Specialist | 241 | 11/21/2011 to 12/12/2011, 04/10/2012 to 05/15/2012 | Training and support |

WORK PLAN
Work activities must be documented. Schedule allocation, resource allocation and budget allocation must be recorded.

4. PROJECT ORGANIZATION
Process model: The project shall utilize a combination of the Iterative and Waterfall development approaches. The content of each build shall be determined by the Program Manager with direct input from the customer regarding need dates for required functionality.

4.1 PROJECT RESPONSIBILITIES

4.1.1 Organizational Management: Defines the business needs, goals and objectives of the project as well as the policies and procedures governing the project.

4.1.2 Program manager: The Project Manager shall be responsible for defining and controlling project work activities and schedules. Other team members shall work in conjunction with the project manager to define the elements of their task assignments, establish a schedule baseline, collect metric data to assess performance against that baseline, and conduct re-baselining activities as required. The Project Manager shall submit the initial baseline and any baseline modifications to the Program Manager for verification.

4.1.3 System Architect: Hardware and software design and structuring. He is responsible for the rules and standards employed in our project system technical framework, plus the customer requirements and specifications, that the system's manufacturer follows in designing the system's various components (such as hardware, software and networks).

4.1.4 Consultants with detailed biometric ATM knowledge: Consultancy and advice on the biometric implementation. Our biometric consultant providers will work closely with the management and security personnel in your company to ensure that the identity solutions they provide are integrated seamlessly into existing business processes. Each company is unique and has different needs, just as each industry has different processes and requirements. These consultants will define and deliver customized services that will fit your organization and business needs. Risks can come from uncertainty in financial markets, project failures, legal liabilities, credit risks, accidents, security breaches and employee misuse of company assets. Biometrics consultants will usually provide assistance in identifying, itemizing and assessing all threats and security risks your company may have, and in suggesting the best solution for your requirements.

4.1.5 Programmer and web designer: Web design, software design and coding. He is responsible for the development of the software specification. He also creates and documents a conceptual and detailed design and writes code based on a conceptual description of the project logic.

4.1.6 Installation/Integration Engineer: Installs and integrates the biometric software and other software into the project ATM system.

4.1.7 Quality, Test, Verification and Validation Engineer: He is responsible for the verification and validation of problem resolutions to confirm proper and accurate resolution. He also reapplies verification and validation to Work Products that were previously verified and validated and are affected by a change. The QA/Test Manager is responsible for verifying that the delivered product satisfies the approved requirements, and for documenting the results of the requirements verification in a Test Analysis Report.

4.1.8 Training/Support Specialist: Training and support.

4.1.9 Configuration Engineer: He will analyse the impacts of problem resolution on other configuration items. He will handle the maintenance of the matrix of all customer-approved requirements and will oversee the requirements change control process. The configuration manager is also in charge of recording changes to the requirements matrix and is responsible for maintaining the modification history of requirements.

4.1.10 The Customer: The person(s) or organization(s) using the product of the project and who determine the acceptance criteria for the product.

4.1.11 Steering Committee: Includes management representatives from the key organizations involved in the project oversight and control, and any other key stakeholder groups that have a special interest in the outcome of the project.

4.1.12 Project Team Management: The project manager will coordinate the project tasks assigned to team members. Any changes to the project team require the approval of the Project Manager and Project Owner, with the affected agency if relevant. Changes will be tracked in revisions to the project plan.

4.2 RISK ASSESSMENT
The Risk Assessment in this project attempts to identify, characterize, prioritize and document a mitigation approach relative to those risks which can be identified prior to the start of the project.

Assessing the probability of occurrence and potential loss of each item listed
Ranking the items (from most to least dangerous)

Making a list of all of the potential dangers that will affect the project

The risk assessment will be monitored as a precaution with the help of the project manager and continuously updated throughout the project life cycle. Monthly assessments will be included in the status report and open to amendment by the Project Manager. The mitigation approaches will be agreed upon by project leadership (based on the assessed impact of the risk, the project's ability to accept the risk, and the feasibility of mitigating the risk). It is necessary to allocate time in each Steering Committee meeting dedicated to identifying new risks and discussing mitigation strategies. The Project Manager will convey amendments and recommended contingencies to the Steering Committee monthly, or more frequently, as conditions may warrant on the project.

PROJECT RISK ASSESSMENT TABLE

RISK | RISK LEVEL (H/M/L) | Likelihood of event | MITIGATION PLAN

Project Size
Person Hours | H: Over 10,000 | Certainly | Assigned project manager, engaged constantly, and comprehensive management approach, proper communication plan
Estimated project schedule | H: 12 months | Certainly | Created a comprehensive project timeline with frequent baseline reviews
Team Size | H: 12 members | Certainly | Comprehensive communications plan, frequent meetings, tight project management oversight
Wrong coding | H: System crashing | Certainly | Ensure the programmer is very familiar with the coding required for this ATM. Use error detection software.

PROJECT DEFINITION
Implementing a biometric ATM | H: Incompatibility with the ATM system | Certainly | Inform the biometric scanner vendor for replacement of a compatible biometric scanner
Available documentation and establishment baseline | M: over 75% completed | Likely | Balance of information to be gathered by the project manager
Project Scope | L: Scope generally defined, subject to development | Unlikely | The scope is defined in the project plan, and it was reviewed by two teams, project manager and steering committee, to prevent undetected scope creep
Consultant project deliverable clear | L: well defined | Unlikely | Project manager and consultants will work together to fully establish coherent and relevant deliverables. Project deliverables are subject to amendment.
Sponsor project deliverable | M: Estimated, not clearly defined | Somewhat likely | Re-evaluate the project estimate if discovered it is not clearly defined.
Cost estimate unrealistic | L: Thoroughly predicted by industry experts using proven practices to 15% margin of error | Unlikely | Included in project plan, subject to amendment as new details regarding project scope are revealed
Timeline realistic | M: Timeline assumes no derailment | Somewhat likely | Timeline reviewed monthly by two teams, project manager and steering committee, to prevent undetected timeline departures
The number of team members unknowledgeable of business | L: Team well versed in business operations impacted by technology | Unlikely | Project Manager and consultant to identify knowledge gaps and provide training, as necessary

PROJECT LEADERSHIP
Steering Committee existence | L: Identified and enthusiastic | Unlikely | Frequently seek feedback to ensure continued support
Absence of the committee level/attitude of management | L: Understands value & supports project | | Frequently seek feedback to ensure continued support
Absence of commitment level/attitude | L: Understands value & supports project | Unlikely | Frequently seek feedback to ensure continued support
Absence of commitment by the management | L: Most understand value & support project | Unlikely | Frequently seek feedback to ensure continued support

PROJECT STAFFING
Project Team Availability | M: Distributed team makes availability more questionable | Somewhat likely | Continuous review of project momentum by all levels. Consultant to identify any impacts caused by unavailability. If necessary, increase commitment by participants to full time status
Project teams share work experience create gaps during work | M: Some have worked together before | Somewhat likely | Comprehensive Communications Plan
Weak User Participation on Project Team | L: Users are part-time team members | Unlikely | User Group Participants coordinated by full time employee

PROJECT MANAGEMENT
Procurement methodology used for team | L: Procurement methodology familiar to team | Unlikely | N/A
Quality management procedure unclear | L: well defined and accepted | Unlikely | N/A

5 METHODS, TOOLS, AND TECHNIQUES (METHODOLOGY)

5.1 Development Methodology
The project shall use the waterfall software development methodology to deliver the software products, with work activities organized according to a tailored version of those provided by the IEEE Standard for Developing Software Life Cycle Processes (IEEE 1074-1997). The decision to use the waterfall methodology is due to the following characteristics of the project:

The product definition is stable
Requirements and implementation of the product are both very well-understood
Technical tools and hardware technology are familiar and well-understood
Waterfall methodology has proven successful for projects of this nature

The Software Project Management Plan (SPMP) shall be based on the IEEE Standard for Software Project Management Plans (IEEE 1058-1998).

5.2 DEVELOPMENT TECHNIQUES
The requirement passed down to this project from the larger ATM project is that the software be based on an open architecture using a Windows 7-based platform and Windows Open Services Architecture / eXtensions for Financial Services (WOSA/XFS). This architecture allows us to use object-oriented methods and tools for analysis, design, and implementation. We will use the Object Modelling Technique (OMT) for this purpose.

5.3 TOOLS
The following work categories will have their work products satisfied by the identified tools:

Team member desktop foundation
Microsoft Windows 7 desktop operating system
VMware Workstation 4.5 [virtual machine support, one VM per active project]
Microsoft Office 2010 productivity application suite
MindJet MindManager X5 Pro [information organization, brainstorming]
Adobe Acrobat 6.0 [creating/viewing PDF files]

Project management
Microsoft Project 2007 [WBS, schedule/cost estimates, resource planning, project control]
Terametric [internally-developed metrics collection database]
Microsoft Word 2010 [document preparation and revision]

Configuration Management & Change Management

5.4 Implementation
Microsoft Visual C++ [programming language, development tools and object code generation]
Windows Software Development Kit (SDK) [programming support]

5.5 Testing
IBM Rational Robot [automated functional and regression testing]

5.6 Training
Microsoft PowerPoint 2010 [training presentations]

Online Performance Reporting
Microsoft Windows 7 Server Standard [server operating system]
Microsoft Internet Information Services 4.0 [web server software]

6 THE PROJECT TEAM
The following people and organizations are stakeholders in this project and are included in the project planning.

Executive Sponsor/Owner: Advocate for project: Daily Bank Berhad
Project Manager: The project manager will lead the planning and execution of the project. He will also chair the workgroup and team members: Mark Francis from Boston limited
Project Workgroup: Plans and designs, and gives advice to the Implementation Workgroup: Mark Ikechukwu, Jessica Lee
Steering Committee: Abinami A. Merlin, Waremate Kamaye, Chimezu Teo Lee
Project Team Management: Mark Francis
Programmer and web designer: Mark Flo
Installation/Integration Engineer: Knong Sekibo
Quality, verification and validation engineer: Mark Dickson
Configuration Engineer: Joe Francis
Quality/Test Engineer: McCatty Hector Cupa
Training and Support Specialist: Regal Thompson

7 PROJECT SCHEDULE

Below are the key project tasks and the responsible teams, estimated hours and the detailed project schedule.

7.1 Schedule Management
The project schedule will be emailed to team members and updated as tasks are completed. Any changes to the schedule must be documented in a revised project schedule. Sign-off from the Project Manager is required. Activity definition will identify the specific project activities which must be performed to complete each deliverable. Activity sequencing will be used to determine the order of the project plan and assign responsibilities between project activities. Project duration estimates will be used to calculate the number of work periods required to complete the project. Resource estimating will be used to assign resources to work packages in order to complete schedule development on time.

7.2 COMMUNICATION PLAN
NeoTech team members will continuously monitor and maintain the schedule of monthly meetings with the project manager and the sponsor. Unimportant meetings will be avoided; the team members will always communicate through email and mobile phone. The team members and project manager will report progress to the following groups at their request:

Daily Bank Coordinating Committee
Daily Bank Policy Board

Spreading knowledge and ideas about the project is very important for the success of the project. The project team members are likely to want knowledge of the project plan and of how they can contribute positively. In addition, they should be ready to participate in the project life cycle that will lead to the progress of the project. The framework for this project plan will provide the team members with what they need by informing, involving, and obtaining buy-in from all team members throughout the duration of this project.

7.3 PROJECT ASSUMPTIONS
The following assumptions were identified during project planning:

Daily Bank management is willing to adopt changes to the business operation to take advantage of the functionality offered by the new Biometric Automated Teller Machine technology.
NeoTech will ensure that project team members are available as needed to complete project tasks and objectives.
The Steering Committee will participate in the timely execution of the Project Plan (i.e., timely approval cycles and meeting as required).
Any mistake or failure to identify changes to draft deliverables within the time specified in the project timeline will result in project delays.
Project team members will adhere to the Communications Plan.
Mid and upper management will foster support and buy-in of project goals and objectives, and the Central Bank will ensure the existence of a technological infrastructure that can support the Biometric Automated Teller Machine technology.
All project team members and others involved will abide by the guidelines identified within this plan.
The Project Plan may be adjusted as new information and issues are revealed within the project life cycle.

7.4 POTENTIAL BENEFITS
Several benefits can be obtained from ATMs equipped with biometric scanners or software:

Daily Bank Berhad could reduce costs and provide a more efficient and timely service to its customers. As a financial institution, it can increase their unit costs while reducing their ATM unit transaction costs and increasing their revenues by expanding their potential customer base.
Pensioners and other welfare recipients could receive their benefits faster and in a more convenient form. Security is also highly assured, as transactions can be made with their ATM cards only in their presence.
The public could benefit through a reduction in taxes as a result of a more efficient government.
Transaction processing services companies would increase their revenues with a higher volume of transactions and from the provisioning of biometrics database and verification services.

7.5 PROJECT CONSTRAINTS
The following represent known project constraints:

The resources and materials for funding the Project are limited. The project may be delayed as a result of this.
Hardware and software availability may hinder the early finish of the overall project, as these are very important to the success of this project.
Due to the nature of law enforcement, resource availability is inconsistent.

7.6 CRITICAL PROJECT BARRIERS
Unlike risks, critical project barriers are insurmountable events which might be destructive to a project's readiness. The following are possible critical barriers in this project:

Withdrawal of project funding.
Natural disasters or acts of communal crisis.
Daily Bank Berhad could reduce their ATM project unit transaction costs.

If this should happen, the Project Plan would become handicapped. There are also a number of barriers to the deployment of the system with a biometric scanner. Some people are not so familiar with a computer or machine interface, and they have the natural resistance to change inherent to most humans.

7.7 ISSUES ARISING IN MANAGEMENT
In a project plan, there are normally changes that will be required which may affect the project as it progresses. Whenever a change is required, it is essential to understand that changes within the project plan may impact at least some critical success factors, such as available time, available resources like finance and personnel, and the project quality. The decision to make modifications to the Project Plan (which includes project scope and resources) will be coordinated by the following processes:

As soon as a change which impacts project scope, schedule, staffing or funding is noticed, the Project Manager will document the issue as explained by any member of the project team, e.g. the system architect.
The Project Manager will review the change and determine the associated impact to the project and will forward the issue, along with a recommendation, to the Steering Committee for review and decision.
On receiving that, the Steering Committee will try to reach an agreement on whether to approve, reject or modify the request depending on the information contained within the project plan, the Project Manager's recommendation and their personal decision.
Should the Steering Committee be unable to reach consensus on the approval or denial of a change made by a member of the project team (tabled by the project manager), the issue will be forwarded to the Project Sponsor (Daily Bank Berhad) for ultimate resolution.
If required under the decision matrix or due to a lack of consensus or solution, the Project Sponsor shall review the issue(s) and render a final decision on the approval or denial of the requested/required change.
Following an approval or denial (by the Steering Committee or Project Sponsor), the Project Manager will notify the original requestor of the action. There may be no appeal process to this.

PROJECT MANAGEMENT APPROACH
Project Roles and Responsibilities

ROLE: Project Sponsor
Participant(s): Daily Bank Berhad
RESPONSIBILITIES:
Ultimate decision-maker and tie-breaker
Provide project oversight and guidance
Review some project elements, e.g. what should be adopted in the project and what should not

ROLE: Steering Committee
Participant(s): Waremate Kamaye, Abinami A. Merlin, Chimezu Teo Lee
RESPONSIBILITIES:
Commits / utilize department resources
Approves major funding and resource allocation strategies, and significant changes to funding/resource allocation
Resolves conflicts and issues
Provides direction to the Project Manager
Reviews project deliverables

ROLE: Project Manager
Participant(s): Mark Francis
RESPONSIBILITIES:
Manages project in accordance to the project plan
Serves as liaison to the Steering Committee
Receive guidance from Steering Committee
Works with the consultants which provide consultancy and advice on the biometric implementation. The consultants also assess all threats and security related to the biometric ATM.
Provide overall project direction
Direct/lead team members toward project objectives
Handle problem resolution
Manages the project budget

ROLE: Project Team
Participant(s): Mark Francis, Omah Dick Chizehbudu, David Obama Benson, Kenneth Othman, Putri Malam, Knong Sekibo, Frank MCPabulo, McCatty Hector Cupa, Regal Thompson
RESPONSIBILITIES:
Understand the user needs and business processes of the area (Project manager)
Responsible for identifying risks that may compromise the success of the project (Risk Manager)
Review and creates codes for project deliverables (Programmer)
Creates or helps create work products (System Architect)
Analyses the impacts of problem resolution on other configuration items (Configuration Engineer)
Verifies that the delivered products satisfy the approved requirements (Quality/Test Engineer)
Installing and integration of Biometric software and other softwares (Installation/Integration Engineer)
Helps identify and remove project barriers (Quality/Test manager)
Provides Training and Support (Training/Support Specialist)

7.8 MONTHLY STEERING COMMITTEE MEETING
A meeting is held every month, organized by the project manager. The steering committee and all the team members attend. The project manager ensures that all team members receive the report memo before the meeting so that they can review it.

8 BIOMETRIC ATM SECURITY
It is important to mention that, in parallel with the development of the industry, different modes of fraud have made it necessary to reinforce the levels of security utilized in ATMs; this leads to the theme of this investigation: Daily Bank adapting biometric technology to her ATM networks.

Biometrics offers a technological solution to the authentication of individuals. Biometrics confirms that the actual person, rather than merely his or her token or identifier, is present. Thus, biometrics may reduce the effort of a person trying to identify himself and in doing so potentially reduce the chances of authentication fraud.

8.1 BIOMETRIC TECHNOLOGY
The term biometrics comes from the words bio (life) and metric (measurement). Biometric equipment has the capability to measure, codify, compare, store, transmit, and/or recognize a specific characteristic of a person with a high level of precision and trustworthiness. Biometric technology is based on the scientific fact that there are certain characteristics of living forms that are unique and not repetitive for each individual; these characteristics represent the only technically viable alternative to positively identify a person without the use of other forms of identification more susceptible to fraudulent behaviour.

8.2 CARDS WITH MAGNETIC BANDS
Plastic cards with magnetic bands date back more than 30 years. The financial sector has used them as a means of making payments and of offering clients access to financial services. The magnetic band contains unique information for every card, allowing for user identification and providing access to its products through the various electronic channels. In order to provide access to these products, cards with magnetic bands are normally associated with a personal identification number (PIN), which is initially assigned by the entity issuing the card and which, in some cases, the client can then change at his/her convenience. The card and the PIN are directly related to the user identification and allow for the utilization of electronic channels, as is the case with ATMs.

8.3 BIOMETRIC TYPES
Two specific types of biometrics applications:
Biometrics for identification: Those that require identifying an individual from the set of all possible users (by matching an acquired biometrics image to all possible templates)
Biometrics for verification: Those that require verifying a particular identity (by matching an acquired biometrics image against a specific template)

8.4 TRANSACTION FUNCTIONALITY
We have described the various elements that intervene in an ATM transaction, the card and the ATM components. Figure 1 shows the sequence of events involved in the authorization process together with the functionality of the central authorization system to which the ATM is connected.

Source: http://www.biometric atmmarketplace.com/article.php?id=10808

8.5 TRANSACTION SECURITY
Biometrics is being used to secure many different transactions, including those taking place at a single server or over a network, the Internet, or telephones, mostly in ATMs (Etzel et al., 2004). However, remote biometrics authentication is neither trivial nor foolproof. The assumption that anyone who can provide my fingerprint can also complete any transaction in my name is risky. That is why customers require a trusted biometrics sensor, one that is sufficiently tamper resistant and provides trustworthy liveness detection. Biometric identification is utilized to verify a person's identity by digitally measuring certain human characteristics and comparing those measurements with those that have been stored in a template for that same person. Templates can be stored at the biometric device, the institution's database, a user's smart card, or a Trusted Third Party (TTP) Service Provider's database. Where database storage is more economic than plastic cards, the method tends to lack public acceptance; however, Polemi (1997) found that TTPs can provide the confidence that this method is missing by managing the templates in a trustful way.

8.6 Components of a Biometric System


The processes associated with a biometric methodology: enrolment, identification/verification, and learning.

Source: http://www.biometric atmmarketplace.com/article.php?id=10808


Source: http://www.biometric atmmarketplace.com/article.php?id=10808

8.7 Enrolment
Prior to an individual being identified or verified by a biometric device, we must complete the enrolment process with the objective of creating a profile of the user. Enrolment is a relatively short process, taking only a few minutes and consisting of the following steps:
1. Sample Capture: the user allows for a minimum of two or three biometric readings, for example: placing a finger in a fingerprint reader. The quality of the samples, together with the number of samples taken, will influence the level of accuracy at the time of validation. Not all samples are stored; the technology analyzes and measures various data points unique to each individual. The number of measured data points varies in accordance with the type of device.
2. Conversion and Encryption: the individual's measurements and data points are converted to a mathematical algorithm and encrypted. These algorithms are extremely complex and cannot be reverse engineered to obtain the original image. The algorithm may then be stored as a user's template in a number of places including servers, PCs, or portable devices such as PDAs or smart cards.
3. Identification and Verification. Once the individual has been enrolled in a system, he/she can start to use biometric technology to have access to networks, computer centres, buildings, personal accounts, and to authorize transactions. Biometric technology determines whether a person may have access in one of two forms, identification or verification. Some devices have the ability to do both.
4. Identification: a one-to-many match. The user provides a biometric sample and the system looks at all user templates in the database. If there is a match, the user is granted access; otherwise, it is declined.
5. Verification: a one-to-one match requiring that the user provide identification such as a PIN or a smart card in addition to the biometric sample. In other words, the user is establishing who he/she is and the system simply verifies if this is correct. The biometric sample with the provided identification is compared to the previously stored information in the database. If there is a match, access is provided; otherwise, it is declined.
Learning. Each time the user utilizes the system, the template is updated through learning processes, taking into account gradual changes due to age and physical growth. These are later utilized by the system to determine whether to grant or deny access.
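The enrolment, one-to-one verification, one-to-many identification and learning steps described above, as an added example that is not part of the original plan. The feature vectors, the Euclidean distance (a stand-in for a real fingerprint matcher), the three thresholds and the card numbers are all constructed assumptions; the demo shows a sample from an unenrolled person being accepted by the one-to-many search yet rejected when it is compared only with the template of the card presented.

```python
import math

THRESHOLD = 0.25    # assumed: largest template distance accepted as a match
MAX_SPREAD = 0.15   # assumed: largest deviation tolerated between enrolment readings
LEARN_RATE = 0.10   # assumed: weight of a newly accepted sample in the template


def distance(a, b):
    """Euclidean distance between two feature vectors (stand-in for a real matcher)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def enrol(db, card_number, readings):
    """Enrolment: average several readings into one template, rejecting poor samples."""
    if len(readings) < 2:
        raise ValueError("enrolment needs at least two readings")
    template = [sum(col) / len(readings) for col in zip(*readings)]
    if max(distance(r, template) for r in readings) > MAX_SPREAD:
        raise ValueError("readings are inconsistent; capture again")
    db[card_number] = template


def verify(db, card_number, sample):
    """Verification (one-to-one): compare only with the template of the claimed card."""
    template = db.get(card_number)
    if template is None or distance(sample, template) > THRESHOLD:
        return False
    # Learning: only a sample that was accepted may nudge the stored template.
    db[card_number] = [(1 - LEARN_RATE) * t + LEARN_RATE * s
                       for t, s in zip(template, sample)]
    return True


def identify(db, sample):
    """Identification (one-to-many): search every template; best match or None."""
    if not db:
        return None
    card, template = min(db.items(), key=lambda kv: distance(sample, kv[1]))
    return card if distance(sample, template) <= THRESHOLD else None


def demo():
    """Run the constructed scenario and return the outcomes."""
    db = {}
    enrol(db, "CARD-0001", [[0.10, 0.80, 0.30, 0.55],
                            [0.12, 0.78, 0.32, 0.53],
                            [0.08, 0.82, 0.28, 0.57]])
    enrol(db, "CARD-0002", [[0.70, 0.20, 0.90, 0.10],
                            [0.72, 0.18, 0.88, 0.12]])
    try:
        enrol(db, "CARD-0003", [[0.10, 0.80, 0.30, 0.55],
                                [0.60, 0.20, 0.30, 0.55]])
        poor_rejected = False
    except ValueError:
        poor_rejected = True

    owner_live = [0.11, 0.79, 0.31, 0.56]   # fresh reading from the CARD-0001 owner
    stranger = [0.80, 0.30, 0.85, 0.20]     # unenrolled person, near CARD-0002's template
    return {
        "owner_verified": verify(db, "CARD-0001", owner_live),
        "owner_finger_on_other_card": verify(db, "CARD-0002", owner_live),
        "stranger_identified_as": identify(db, stranger),
        "stranger_verified_on_presented_card": verify(db, "CARD-0001", stranger),
        "poor_enrolment_rejected": poor_rejected,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```
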

Source: http://www.atmmarketplace.com/article.php?id=10883

8.8 Technical Model Development
The integration of the two technologies requires the incorporation of the fingerprint sensor into the ATM, and the interaction of the biometric system with the ATMs and the authorizing system. The following steps outline in more detail the necessary modifications:
1. We start by connecting the biometric system to the same network utilized by the ATMs and authorization system. The biometric system needs to be compatible with the communications protocol (most likely TCP/IP) utilized by the other devices.
2. The biometric system will need software to allow it to listen to the network communications for messages directed to it, and to create messages for the other devices.
3. The fingerprint sensor is installed on the ATM; it will have the capability to connect (via the network) to the biometric system. It also needs to be protected from vandalism and be weather-resistant.
4. Through software changes, the ability to identify a customer requiring fingerprinting will be incorporated into the ATM. User screens will be created to guide the client through the process of entering the fingerprint and receiving notification of fingerprint acceptance or denial.
5. The authorizing system software needs to identify when a transaction requires fingerprinting so that it can prompt the ATM to present the screen(s) requesting the user to place his finger on the reader, at the same time as it instructs the biometric system to read and validate the fingerprint for transaction authorization. The authorizing system will also be modified to accept the validation results from the biometric system and enter them into its log.
Once the ATM, authorizing system and biometric system have been interconnected, the validation database needs to be built through the enrolment process. User information (name, address, telephone number, etc.) needs to be entered together with a key identifier such as card number, social security number, voter's registration number, etc. After all the information is entered, the application activates the sensor and fingerprint(s) are read; the program can make multiple readings until it ascertains that the quality of the sample meets the pre-established standards for validation.
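The message sequence of step 5, sketched as an added example that is not code from the original plan. The class names, message labels, card numbers, PINs and the equality check standing in for template matching are constructed assumptions, and denying the transaction when the biometric system does not answer is an assumed policy the plan does not state.

```python
from dataclasses import dataclass, field


class BiometricUnavailable(Exception):
    """Raised when the biometric system does not answer on the network."""


@dataclass
class ATM:
    finger_on_sensor: str = ""       # constructed stand-in for a live sample
    screens: list = field(default_factory=list)

    def show(self, screen):
        self.screens.append(screen)

    def read_sensor(self):
        return self.finger_on_sensor


@dataclass
class BiometricSystem:
    templates: dict                  # card number -> enrolled template (stand-in)
    online: bool = True

    def read_and_validate(self, card_number, atm):
        if not self.online:
            raise BiometricUnavailable(card_number)
        sample = atm.read_sensor()   # the sensor reports to this system over the network
        return bool(sample) and self.templates.get(card_number) == sample


@dataclass
class AuthorizingSystem:
    pins: dict                       # constructed stand-in for the bank's PIN check
    fingerprint_required: set        # cards whose transactions need fingerprinting
    biometric: BiometricSystem
    log: list = field(default_factory=list)

    def _finish(self, atm, card_number, decision, reason):
        self.log.append(("AUTH->ATM", card_number, decision, reason))
        atm.show(decision)
        return decision

    def authorize(self, atm, card_number, pin, amount):
        # The PIN itself is never written to the log, only the outcome.
        self.log.append(("ATM->AUTH", card_number, "WITHDRAWAL", amount))
        if self.pins.get(card_number) != pin:
            return self._finish(atm, card_number, "DENIED", "invalid PIN")
        if card_number in self.fingerprint_required:
            atm.show("PLACE_FINGER")
            self.log.append(("AUTH->BIO", card_number, "VALIDATE", ""))
            try:
                matched = self.biometric.read_and_validate(card_number, atm)
            except BiometricUnavailable:
                # Assumed policy: no validation result means no approval.
                self.log.append(("BIO->AUTH", card_number, "NO_REPLY", ""))
                return self._finish(atm, card_number, "DENIED", "biometric unavailable")
            result = "MATCH" if matched else "NO_MATCH"
            self.log.append(("BIO->AUTH", card_number, result, ""))
            if not matched:
                return self._finish(atm, card_number, "DENIED", "fingerprint rejected")
        return self._finish(atm, card_number, "APPROVED", "")


def build_system(biometric_online=True):
    """Constructed sample data: one card flagged for fingerprinting, one not."""
    bio = BiometricSystem(templates={"CARD-0001": "tmpl-A"}, online=biometric_online)
    return AuthorizingSystem(pins={"CARD-0001": "4821", "CARD-0002": "9377"},
                             fingerprint_required={"CARD-0001"}, biometric=bio)


if __name__ == "__main__":
    auth = build_system()
    print(auth.authorize(ATM(finger_on_sensor="tmpl-A"), "CARD-0001", "4821", 100))
    for entry in auth.log:
        print(entry)
```
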
Application software can register prints for up to 10 fingers per individual. Figure: shows the sequence of events involved in a transaction validation utilizing the biometrics-equipped ATM system model.

8.9 Integrated model transaction validation sequence of events

Business Model Development
Today, banks, other financial institutions and, increasingly, retailers are offering Automatic Teller Machines (ATMs) as a service, through the utilization of transaction processing service companies who offer the daily management of the network infrastructure, the authorization systems, and the inter-connection of ATMs to multiple credit/bank card providers. Banks, other financial institutions and retailers pay these banking services a fee based on a fixed subscription cost as well as a variable cost associated with the volume and types of customers and transactions. The banks then charge their customers, typically, on a per transaction basis. ATM service is no longer seen as a competitive advantage, but as a necessity to maintain the customer base.

9 UML Diagram of the system
USECASE DIAGRAM FOR NORMAL ATM TRANSACTION

Source: http://www.atmmarketplace.com/article.php?id=10883

9.1 Flows of Events for Individual Use Cases

System Startup Use case
The system is started up when the operator turns the operator switch to the "on" position. The operator will be asked to enter the amount of money currently in the cash dispenser, and a connection to the bank will be established. Then the servicing of customers can begin.

Source: http://www.atmmarketplace.com/article.php?id=10883

9.2 Transaction Use Case
Note: Transaction is an abstract generalization. Each specific concrete type of transaction implements certain operations in the appropriate way. The flow of events given here describes the behavior common to all types of transaction. The flows of events for the individual types of transaction (withdrawal, deposit, transfer, inquiry) give the features that are specific to that type of transaction.

A transaction use case is started within a session when the customer chooses a transaction type from a menu of options. The customer will be asked to furnish appropriate details (e.g. account(s) involved, amount). The transaction will then be sent to the bank, along with information from the customer's card and the PIN the customer entered. If the bank approves the transaction, any steps needed to complete the transaction (e.g. dispensing cash or accepting an envelope) will be performed, and then a receipt will be printed. Then the customer will be asked whether he/she wishes to do another transaction.


If the bank reports that the customer's PIN is invalid, the Invalid PIN extension will be performed and then an attempt will be made to continue the transaction. If the customer's card is retained due to too many invalid PINs, the transaction will be aborted, and the customer will not be offered the option of doing another. If a transaction is cancelled by the customer, or fails for any reason other than repeated entries of an invalid PIN, a screen will be displayed informing the customer of the reason for the failure of the transaction, and then the customer will be offered the opportunity to do another. The customer may cancel a transaction by pressing the Cancel key as described for each individual type of transaction below. All messages to the bank and responses are recorded in the ATM's log.

Source: http://www.atmmarketplace.com/article.php?id=10883

9.3 Withdrawal Transaction Use Case
A withdrawal transaction asks the customer to choose a type of account to withdraw from (e.g. checking) from a menu of possible accounts, and to choose a dollar amount from a menu of possible amounts. The system verifies that it has sufficient money on hand to satisfy the request before sending the transaction to the bank. (If not, the customer is informed and asked to enter a different amount.) If the transaction is approved by the bank, the appropriate amount of cash is dispensed by the machine before it issues a receipt. (The dispensing of cash is also recorded in the ATM's log.) A withdrawal transaction can be cancelled by the customer pressing the Cancel key any time prior to choosing the dollar amount.

Source: http://www.atmmarketplace.com/article.php?id=10883

9.4 Deposit Transaction Use Case
A deposit transaction asks the customer to choose a type of account to deposit to (e.g. checking) from a menu of possible accounts, and to type in a dollar amount on the keyboard. The transaction is initially sent to the bank to verify that the ATM can accept a deposit from this customer to this account. If the transaction is approved, the machine accepts an envelope from the customer containing cash and/or checks before it issues a receipt. Once the envelope has been received, a second message is sent to the bank, to confirm that the bank can credit the customer's account contingent on manual verification of the deposit envelope contents by an operator later. (The receipt of an envelope is also recorded in the ATM's log.) A deposit transaction can be cancelled by the customer pressing the Cancel key any time prior to inserting the envelope containing the deposit. The transaction is automatically cancelled if the customer fails to insert the envelope containing the deposit within a reasonable period of time after being asked to do so.

Source: http://www.atmmarketplace.com/article.php?id=10883


Source: http://www.atmmarketplace.com/article.php?id=10883

9.5 User Interface Design
A user interface is a friendly means by which users of a system can interact with the system to process inputs and obtain outputs. It is also a means of communication between the human user and the system through the use of input/output devices with supporting software. This particular ATM application is made up of 6 interfaces: Login Interface, Enroll Fingerprint Interface, Transaction Type Selection Interface, Withdrawal Interface, Deposit Interface, and View Statement of Account Interface. The Login Interface is the very first interface the bank customer interacts with on the ATM machine. This interface prompts the customer to insert the ATM card and proceeds with the entire authentication process, that is, inputting the ID (or card number) and PIN number (see figure 3). If the user enters an invalid card number or PIN number, a dialogue box appears reporting an invalid PIN or invalid card number, and the system asks the user to enter a valid PIN number. A typical description of this is shown in figure 4. After validating the customer's card and PIN number, the customer is directed to the next phase of the authentication process via the authentication dialogue box for inputting the fingerprint.

9.6 LOGIN INTERFACE


Login interface response to invalid interface

9.7 Fingerprint Interface
This is the final interface the customer interacts with in the authentication process. It requests from the customer his/her enrolled fingerprint, to be placed on a fingerprint reader. The fingerprint reader accepts the fingerprint and seeks to match the live sample with the already enrolled templates in the bank's database. If a match is confirmed, it finally authenticates the customer; otherwise it denies the customer access to his/her bank account.

The fingerprint of an individual is very peculiar to that individual since no two individuals can have the same fingerprint. The fingerprint reader captures the fingerprint features of an individual and searches for a match of the fingerprint brought up for identification among the stored fingerprints in the database. The fingerprints stored are kept alongside the other IDs (PIN and card numbers) and the corresponding biometric templates are kept in the database. When the fingerprint is found correct, the customer is taken to the transaction phase where he/she will choose among the transactions (deposit or withdrawal); otherwise the customer is denied access and the system brings up a dialogue box in which the customer can choose Ok, and as soon as this is done the system automatically logs off the customer.

9.8 Invalid Fingerprint Interface

Withdrawal Interface
This interface enables the customer to withdraw money from his/her account. It shows the customer's current balance by subtracting the amount withdrawn from the previous account balance. After the customer has completed all his/her withdrawals, a dialogue box pops up notifying the customer of his/her successful withdrawal transaction. The interface is shown below.

10 RISK ANALYSIS AND MITIGATION PLAN


What is Risk?
Risk is defined as "The possibility of suffering harm or loss; danger." Even if we're not familiar with the formal definition, most of us have an innate sense of risk. We are aware of the potential dangers that permeate even in simple daily activities, from getting injured when cut a steal. Although we prefer not to dwell on the myriad of hazards that surround us, these risks shape many of our daily activities. Experience (our safety officer) has taught us to take precautions in everything we do, as safety is our one priority in this project.

10.1 RISK ASSESSMENT
Making a list of all of the potential dangers that will affect the project
Assessing the probability of occurrence and potential loss of each item listed
Ranking the items (from most to least dangerous)

10.2 RISK CONTROL
Coming up with techniques and strategies to mitigate the highest ordered risks
Implementing the strategies to resolve the high order risk factors
Monitoring the effectiveness of the strategies and the changing levels of risk throughout the project

10.3 WORK BREAKDOWN STRUCTURE
[Figure: work breakdown structure chart with the boxes Project Sponsor; Project Manager; System Architect; Configuration Engineer; Programmer & Web Designer; Verification & Validation Engineer; Training & Support Specialist; Installation/Integration Engineer; Test Manager]

11 COST ESTIMATES

11.1 Maintenance Cost
Maintenance plays an important role in the life cycle of a software product. It is estimated that there are more than 100 billion lines of code in production in the world. As much as 80% of it is unstructured, patched and not well documented. Maintenance can alleviate these problems. As products age, it becomes more difficult to keep them updated with new user requirements. Maintenance costs developers time, effort, and money. This requires that the maintenance phase be as efficient as possible. In fact, a substantial proportion of the resources expended within the Information Technology industry goes towards the maintenance of software systems.

11.2 Training And Labour Cost
Labour costs are the core expenditure borne by employers for the purpose of employing staff. They include employee compensation, with wages and salaries in cash and in kind, employers' social security contributions and employment taxes regarded as labour costs, minus any subsidies received. The cost of labour includes both direct and indirect labour costs. Hourly direct labour costs may be defined as direct hourly pay: basic pay plus overtime, shift and other regularly paid premiums. In addition, there may be additional elements of direct labour costs such as holiday pay, Christmas bonus payments and irregular cash payments and bonuses. Indirect costs of labour include employer contributions to social security funds, sick pay, other social payments and vocational training costs.

11.3 Utility Cost
Utility costs include all organization costs that can only be indirectly associated with the finished inventory, that is, all organization costs incurred in making a product other than the costs of direct materials and direct labor. In terms of cost behavior, some of these costs do not change in total even if the number of products manufactured increases or decreases from period to period; such a cost is said to be a fixed cost. For example, the monthly rent would not fluctuate based on the number of units produced during a particular month.

Personnel Description   Total Working Hour   Wages per Hour ($)   No of personnel   Total ($)
Design Engineer         80                   90                   5                 36,000.00
System Analyst          50                   50                   1                 2,500.00
Programmer              100                  55                   5                 27,500.00
Total                                                                               66,000.00

The CSMS comprises seven major deliverables with their associated work packages. The design of the various tasks or packages can be done simultaneously by five design engineers. The System Analyst will monitor the requirements of the system for quality conformance. The programmers then develop the programs with the required technology concurrently and interface the various modules.

No 1 2 3 4 5 6 7
Description Yearly maintenance cost Development Yearly training labour cost Increase revenue Installation Reduce utility cost Total Other Project Cost Estimates
Total ($) 90,000.00 70,171.00 1,000.00 2,000*20 Employee= 40,000.00 45,000.00 1,500.00 5,000.00 4,000,000.00
General Total = 4,000,000.00 + 66,000.00 = $ 4,660,000.00

CONCLUSION
This project is designed to meet the requirements of the Daily Bank Berhad System. It has been developed in Visual Basic and Microsoft Access, keeping focus on the specifications of the system. Daily Bank Berhad System's objectives are to provide a system that can manage her banking transaction services in an efficient and effective manner that will increase the security of her customers. Without biometric automation the management of Daily Bank Berhad would face difficulties and unmanageable tasks. The end users' day-to-day jobs of managing Daily Bank Berhad will be simplified by a considerable amount through the Biometric automated system. The system is provided to handle numerous services that can take care of all customers' transaction processes in a more secure and quick manner. The system is user friendly, appropriately effective and efficient, and easy to use; it provides easy recovery from errors and has an overall high end-user subjective satisfaction.

Gantt Chart (timeline: 2012)

Task Name                               Duration
1 Biometric ATM system                  133 days?
1.1 Introduction                        8 days?
1.2 Brief Summary                       8 days?
1.3 Project Objectives                  5 days?
1.4 Project Scope                       4 days?
1.5 Project Schedule                    3 days?
1.6 Schedule Management                 5 days
1.7 Communication Plan                  4 days?
1.8 Work Breakdown Structure            14 days?
1.9 Project Manager                     5 days?
1.10 System Architect                   3 days?
1.11 Programmer and Web Designer        4 days
1.12 Configuration engineer             4 days?
1.13 Training/Support Specialist        5 days?
1.14 Installation and integration       5 days
1.15 Start Up Plan                      4 days?
1.16 Resources Input                    4 days?
1.17 Estimate Plan                      3 days?
1.18 Staff Management                   3 days?
1.19 Time Report                        3 days?
1.20 Event Schedule                     3 days?
1.21 Approve Schedule                   3 days?
1.22 System Testing                     2 days?
1.23 Testing Coding                     3 days?
1.24 Testing Project System             4 days?

REFERENCES

NetWorld Alliance, Timeline: The ATM's history, 2003, available online: http://www.atm24.com/NewsSection/Industry%20News/Timeline%20%20The%20ATM%20History.aspx

R. London (2008) Global ATM Market and Forecasts to 2013, Retrieved November 1st, 2011, from online at www.rbrlondon.com

ATM Market Place (2009) ATM scam nets Melbourne thieves $ 500,000, Retrieved October 30th, 2011, from http://www.atmmarketplace.com/article.php?id=10808

ATM Market Place (2009) Australian police suspect Romanian gang behind $ 1 million ATM scam, Retrieved November 3rd, 2011, from http://www.atmmarketplace.com/article.php?id=10883

BBC News (2009) Shoppers are targeted in ATM scam, Retrieved October 21st, 2011, from http://news.bbc.co.uk/2/hi/uk_news/england/tees/4796002.stm

B., Mond (1999) Understanding security APIs. Ph.D. Thesis, Computer Laboratory, University of Cambridge, 2004.

Etzel, M.J., Walker, B.J., & Stanton, W.J. (2004). Marketing, 13th edition, In Etzel, M.J., Walker, B.J., & Stanton, W.J. (Eds). Channel of distribution, Boston, Mass.: McGraw-Hill/Irwin.

Frankel, R., Goldsby, T.J., & Whipple, J.M. (2002). Grocery industry collaboration in the wake of ECR. International Journal of Logistics Management, 13(1), 57-72.

M. Bond and P. Zielinski (2003) Decimalisation table attacks for PIN Cracking, Technical report (UCAM-CL-TR-560), Computer Laboratory, University of Cambridge, 2003.

M. Bond and P. Zielinski (2003) Encrypted? Randomised? Compromised? (When cryptographically secured data is not secure). In Workshop on Cryptographic Algorithms and their Uses, Gold Coast, Australia, July 2004.

O. Berkman and O. M. Ostrovsky. The unbearable lightness of PIN cracking. In Financial Cryptography and Data Security (FC), Scarborough, Trinidad and Tobago, Feb. 2007.

SpiderLabs (2009) ATM Malware Analysis Briefing, Retrieved May 15, 2010, from https://www.trustwave.com/spiderLabspapers.php
