Securing ATM Payment Transactions: Comparison
Please note this is a comparison between Version 1 by Nishantha Samarasinghe and Version 2 by Sirius Huang.

Credit/debit cards are a ubiquitous form of payment at present. They offer a number of advantages over cash, including convenience, security, and fraud protection. At the same time, the inherent vulnerabilities of credit/debit cards and of the transaction methods built on them have led many payment institutions to focus on strengthening the security of these electronic payment methods. The increasing number of electronic payment transactions around the world has also led to a corresponding increase in the amount of money lost to fraud and cybercrime. This loss has a significant impact on businesses and consumers, and it necessitates the development of rigid and robust security designs for the underlying electronic transaction methods.

  • security
  • data privacy
  • authentication
  • multi-factor authentication
  • one-time password
  • electronic payments
  • transaction security

1. Introduction

Even though the technology behind electronic payment transactions is becoming more complicated day by day in response to the ever-increasing sophistication of the cyberattacks that target these ecosystems, billions of dollars continue to be lost because executing such attacks remains profitable. According to the latest research [1,2], electronic transaction security is becoming a common problem worldwide, causing considerable financial chaos. Hence, it is essential to develop security mechanisms that are reliable and that cardholders or end users can always trust. Unauthorized access to credit/debit card data, moreover, might lead to financial loss through fraud by unscrupulous persons [1]. Thus, to cultivate trust in the minds of cardholders, many banks/payment institutions have introduced various security schemas for authenticating authorized end users over the last few years [3]. In addition, the boom in electronic commerce, popularly known as e-commerce, has led to online banking, where customers pay online for the goods they purchase online, expanding the scope of cyberattacks that target the electronic payment ecosystem.
The main purpose of credit/debit card transactions is to promote cashless payment [1,2,3] by comparing the details submitted by the user against the user’s bank account. A number of entities are involved in this payment card authentication: the card-issuing bank, the user or cardholder, the ATM, the bank database server, and the card affiliation or association [3,4]. According to studies [3,4], credit/debit card theft has evolved dramatically in recent years. In earlier times, fraudsters employed basic skimming tactics with pinhole cameras to capture the associated PIN at the ATM and harvest card credentials for card cloning [5,6,7,8], whereas attack methodologies have developed over time to employ a variety of approaches, such as social engineering attacks [3,4].
Thus, in order to prevent the compromise of electronic payments, banks/financial institutions have introduced novel ways of authenticating users when they execute ATM transactions [7,8,9]. These include both single-factor and multi-factor authentication methods such as username and password, OTP, and PIN. However, most of these methods are no longer secure and expose the cardholder to the risk that user credentials are captured through interception and person-in-the-middle attacks to gain access to the user account, especially when dealing with payment gateway mobile apps and web platforms, since PINs can be captured together with card details for cloning the card. Thus, single-factor authentication is no longer deemed sufficient for user authentication and is regarded as insecure for high-risk financial transactions. This has resulted in the use of multi-factor authentication to safeguard payment transactions and boost user confidence in making them, which at times still proves insufficient because of PIN harvesting and card cloning attacks [10,11,12,13,14].

2. Securing ATM Payment Transactions

Overall, ATMs play a crucial role in providing convenient and secure access to banking services. As the use of ATMs continues to grow, ensuring robust authentication methods becomes paramount in preventing fraudulent activities and protecting user data [20,21,22,23,24]. According to the latest literature [1,6,7,8,9,10], some common ways of compromising the security of these electronic transaction methods are described in the following for better understanding.
  • Stealing from the database
    • Many retailers prefer to keep debit/credit card numbers in online databases to facilitate customer purchases. According to recent reports, attackers have breached merchant websites and stolen databases containing millions of debit/credit card details [1,5], e.g., the compromise of Capital One, a US credit card issuer, which led to the exposure of 106 million customers’ credit card information in 2019 [6], and the compromise of the TJX company chain, which led to the exposure of 94 million customers’ credit card information in 2006 [6].
  • Sniffing/packet intercepting
    • During online debit/credit card payments, an attacker sniffs data packets to infer confidential payment information. In most circumstances, the attacker does not need to decrypt the presumably encrypted online payment packets (e.g., protected through Secure Sockets Layer) [1,3,5], but instead deceives the consumer into believing they are visiting a legitimate site while in fact they are viewing the attacker’s spoofed site.
  • Shoulder surfing
    • An attacker stands nearby and observes a customer typing in their credit/debit card number and other credentials, or listens to the conversation if the consumer gives their credit/debit card information to some other party [2,6].
  • Skimming
    • Fraudsters use this approach to collect sensitive information from a credit or debit card’s magnetic stripe [3,6].
  • Keypad overlays
    • This is a device designed to blend in with the normal ATM keypad so that it goes unnoticed. The overlay allows the keypad beneath it to work properly, so the person can operate the ATM without any difficulty; when the person enters their PIN on the fake keypad installed over the existing ATM keypad, the overlay records and captures the keystrokes (e.g., the customer PIN). Simultaneously, an overlay on the ATM card slot records the secret data from the ATM card’s magnetic stripe. Using blank cards, the fraudster combines this information on their computer to clone the ATM card, and nowadays this is becoming a significant threat [3].
Having provided a brief background on how electronic payment transactions are compromised by cyber criminals, the latter part of this section gives a brief review of the available authentication methods for securing payment transactions. In general, ATMs are autonomous banking workstations designed to offer easy transaction services to the customers that use them [3,4,25]. The fact that the ATM can provide its users service around the clock, seven days a week, is the primary advantage it offers [26,27,28,29,30]. ATMs are found at practically every convenient location in today’s society, including busy streets, public spaces, and other areas. Despite the fact that ATMs have been an important part of our lives since the 1960s [3,4,5,6], the authentication mechanisms used for transactions at ATMs have changed very little over the years [31,32,33,34]. The security flaws inherent to magnetic media are the primary cause of the constraints on ATMs’ ability to protect their customers’ transactions. Since it is neither difficult nor costly to acquire the necessary equipment to encode magnetic stripes, the data stored on them, often encoded on two or three tracks, are easily copied [11,12,13,14]. Later on, this weakness of magnetic stripe cards was somewhat remedied by the advent of EMV-compatible smartcards [11,12,13,14,35,36,37,38]. The PIN of the cardholder is often the sole means of verifying the identity of the user. However, this method is susceptible to a variety of risks, including loss, illegal access, forgetfulness, etc. [39,40,41,42]. On the other hand, many individuals, in spite of the many warnings sent to card users regarding the risks associated with usage, continue to choose passwords and PINs that are easy to guess, such as their social security number, birthday, etc.
However, because of the constraints of this design, an intruder who obtains a user’s card and then attempts to guess the user’s PIN or predict the user’s password may succeed; this is known as a brute-force attack. In spite of all the security precautions that have been put in place, there are still instances of criminal activity involving ATMs all over the world. As the use of ATMs continues to grow, ensuring robust authentication methods becomes paramount in preventing these fraudulent activities and protecting user data. Starting from single-factor authentication, authentication technology has evolved to the level of multi-factor authentication (MFA). The most straightforward way of authenticating is known as single-factor authentication, where an individual authenticates their identity by matching only one credential (e.g., providing a password for a username or a PIN for an ATM card). MFA, also known as Two-Factor Authentication or Two-Step Verification, is a security process that requires users to provide two or more different forms of identification or credentials to verify their identity before gaining access to a system, application, or service. The primary goal of MFA is to add an extra layer of security beyond traditional username–password combinations, making it more difficult for unauthorized individuals to access sensitive information or perform malicious activities. The three typical factors used in MFA are:
  • Knowledge factor (something you know)
    • This factor involves information that only the authorized user should know, such as a password, a PIN, or a specific answer to a security question [10,11].
  • Possession factor (something you have)
    • This factor involves possessing a physical device or object that uniquely belongs to the user, such as a smartphone, smart card, hardware token, or OTP generator [10,11].
  • Inherence factor (something you are)
    • This factor refers to biometric characteristics unique to each individual, such as fingerprints, facial features, iris patterns, voice, or even behavioral biometrics (e.g., keystroke dynamics) [10,11].
To authenticate using MFA, a user needs to provide at least two of these factors. For example, after entering their username and password (something they know), the user may be prompted to enter a one-time code generated on their smartphone (something they have) or to use their fingerprint on a biometric scanner (something they are) [5,10,11]. The main advantage of MFA is the enhanced security obtained by combining multiple factors, which significantly reduces the risk of unauthorized access even if one factor is compromised [5,10,11]. Other key advantages of MFA include:
  • Protection against password attacks
    • MFA provides an additional layer of protection against common password-based attacks such as brute force and phishing [14,15,16].
  • Compliance requirements
    • Many industry regulations and security standards, such as PCI DSS and GDPR, require or strongly recommend the use of MFA to protect sensitive data [16,17,18,19,20].
  • User-friendliness
    • MFA can be implemented in a user-friendly manner, often through smartphones and apps, without causing significant inconvenience to users [14,15,16].
Overall, MFA is an essential security mechanism that adds an extra layer of protection to ensure the identity of users attempting to access sensitive information, systems, or services. It has become increasingly prevalent across applications and industries as a crucial defense against cyber threats [17,18,19,20]. Further, the landscape of payment security is constantly evolving, and new methods are introduced from time to time [21,22,23,24,25]. The following paragraphs discuss some of the authentication methods currently in common use for securing ATM transactions.
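As an added illustration (not code from the entry or from any bank system), the following Python model shows the two points made above: a PIN-only check is exposed to brute-force guessing on a stolen card, so the issuer side limits failed attempts, and adding a possession factor (an HMAC-based one-time password, computed with the RFC 4226 HOTP algorithm) means a harvested PIN alone no longer authorizes a transaction. The card records, the attempt limit of three, and the OTP look-ahead window of five are assumptions; the in-memory dictionary stands in for the bank database server.

```python
import hashlib
import hmac
import secrets
import struct

MAX_PIN_ATTEMPTS = 3  # assumption: card is blocked after three wrong PINs
OTP_WINDOW = 5        # assumption: tolerate a few unused codes on the token


def pin_hash(card_id: str, pin: str, salt: bytes) -> bytes:
    # Knowledge factor: store a salted, slow hash, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", (card_id + pin).encode(), salt, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # Possession factor: HMAC-based one-time password (RFC 4226 HOTP).
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class AtmAuthenticator:
    def __init__(self):
        self.cards = {}  # constructed stand-in for the bank database server

    def enroll(self, card_id: str, pin: str) -> bytes:
        salt, otp_secret = secrets.token_bytes(16), secrets.token_bytes(20)
        self.cards[card_id] = {"salt": salt, "pin": pin_hash(card_id, pin, salt),
                               "otp_secret": otp_secret, "counter": 0,
                               "failures": 0, "blocked": False}
        return otp_secret  # provisioned once to the cardholder's token or app

    def authenticate(self, card_id: str, pin: str, otp: str) -> str:
        rec = self.cards.get(card_id)
        if rec is None or rec["blocked"]:
            return "denied"
        # Factor 1: PIN (something you know), compared in constant time.
        if not hmac.compare_digest(rec["pin"], pin_hash(card_id, pin, rec["salt"])):
            rec["failures"] += 1
            if rec["failures"] >= MAX_PIN_ATTEMPTS:
                rec["blocked"] = True  # halts brute-force guessing on a stolen card
            return "denied"
        # Factor 2: OTP (something you have); each code is accepted only once.
        for c in range(rec["counter"], rec["counter"] + OTP_WINDOW):
            if hmac.compare_digest(hotp(rec["otp_secret"], c), otp):
                rec["counter"] = c + 1  # move past the used code to block replay
                rec["failures"] = 0
                return "ok"
        return "denied"
```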
  • EMV
    • EMV is a widely adopted global standard for chip-based payment cards. EMV cards contain embedded microchips that generate dynamic authentication codes for each transaction [3,4,8]. When the card is inserted into an EMV-enabled ATM or POS terminal, the chip communicates with the terminal to verify the card’s authenticity and the cardholder’s identity. This method makes it difficult for fraudsters to clone or counterfeit cards [26,27,28,29].
  • PIN
    • For ATM transactions, PIN-based authentication is widely used. The cardholder must enter their unique PIN to complete the transaction, ensuring that only the authorized user can access the funds [5,6,7].
  • Biometric authentication
    • Some modern ATMs and POS systems are equipped with biometric authentication methods, such as fingerprint scanners or facial recognition. Biometric data provide a highly secure way to verify the cardholder’s identity [21,22,23,30,31,32]. However, the major drawback of biometric approaches is that they require large systems with high power and processing capability, which carry high implementation and deployment costs.
  • OTP
    • The use of OTPs as a second layer of authentication has been extensively studied. OTPs sent via SMS or email, or generated by authenticator apps, add an extra security layer that protects against unauthorized access even if the primary authentication credentials (e.g., the PIN) are compromised [3,4,5]. However, concerns have been raised regarding the reliance on mobile networks and on email security.
  • Voice recognition
    • Voice recognition technology has also been investigated for ATM authentication. Early studies indicate that voice-based systems can be vulnerable to voice-mimicking attacks, which raises concerns about their reliability as a standalone authentication method. However, when used in conjunction with other factors, such as location-based authentication, voice recognition can be a valuable component of a multi-layered security approach [9,21,22,23,24,33,34,35].