Digital Watermarking for a Bank Card Authentication System

Introduction

With the use of new communication and information technologies, cybercrime has evolved hand in hand with the passage of time. This has led to sensitive information being breached in the virtual environment and possible malicious parties wishing to appropriate it. Today, only a small part of the money in circulation in the world exists in physical or minted form, i.e., coins and banknotes.

Most of the money (around 90% of the total) exists only as figures in a bank account, which is why electronic means of payment have become so important in recent years.

A bank card can be either a credit card or a debit card. Both can be useful for making payments; however, the former has a limited amount linked to a loan granted by the bank, and the latter is related to the amount in the account and without paying interest (e.g., the card on which the employer pays us for the performance of our work).

Smart card technology, developed with the aim of providing greater versatility for this type of transaction, has among its fundamental characteristics the simplicity of use, the immediacy of the transaction, and the ease of implementation in merchants.

With a bank card, it is possible to pay in affiliated establishments such as supermarkets, department stores, pharmacies, hospitals, etc., and to transfer money between bank accounts. This creates a new form of electronic payment that generates a vulnerability to the risk of these means being used for some kind of fraud.

In Mexico, the adoption and use of debit and credit cards is increasing. According to figures from the Bank of Mexico (BANXICO) [1], in the fifth month of 2023, 681 million payments were made with credit and debit cards, representing a growth of 4.6%.

In the accumulated period from January to May of the same year, around 3165 million card payments were made, as shown in the graph in Fig. 1.

Fig. 1. Behavior of bank card use and payment in Mexico 2023.

Fig. 2 shows the establishments where Mexicans made the most banking transactions in the first half of 2023 using their credit and/or debit cards.

Fig. 2. Number of bank card transactions (in millions) per establishment in Mexico in 2023.

Bank card cloning is a form of fraud that involves copying the information stored on the magnetic strip of the card to make a replica that can be used to make purchases or obtain money from bank accounts. The most common method for the illegal copying of cards is by using a technique known as skimming, which consists of installing a reader device in bank terminals and/or ATMs, which, as soon as the card is inserted, captures the card’s data.

This method has been implemented in establishments where the cardholder neglects, for a few minutes, his card when making a payment and with the complicity of some of their employees. The cloning of bank cards involves several risks that directly impact both users and merchants. Some of these risks are:

• Financial loss: Appearance of unrecognized charges on the user’s accounts.

• Identity theft: The user’s identity can be used to commit crimes such as extortion, money laundering, or fraud.

According to CONDUSEF data, possible frauds are most of the complaints they receive from users, such as unrecognized charges, unrecognized consumption, unrecognized cash withdrawals, unrecognized electronic transfers, etc. Table I shows the official figures:

The present article introduces a detailed proposal for the timely detection of bank card cloning. This proposal is based on the identification of the inherent vulnerability of the card, specifically in its magnetic stripe component, which will be thoroughly addressed in the subsequent section of the document.

Materials and Methods

First, it is pertinent to note that the design of the proposal is based on the identification of the vulnerability inherent in bank cards, specifically in their magnetic stripe component. It is crucial to underline that by referring to this vulnerability, it is not suggesting that the card itself is unusable; rather, it is emphasized that the system will take advantage of this weakness to confer both fragility and strength to the watermark embedded in the card. Card cloning is performed by using a device known as a “skimmer,” which is used in ATMs following the procedure detailed below:

1. The skimmer is installed in the ATM slot intended for card insertion.

2. The user, unaware of the alteration in the slot, inserts his card to carry out the transaction. At the moment of insertion, the device reads and records the information contained in the magnetic stripe.

3. The perpetrator then removes the device from the ATM along with all the data belonging to the victim and transfers it to a computer.

4. The information obtained is then transferred to a blank card, thus achieving the exact cloning of the original card.

This process is illustrated in Fig. 3 in how the vulnerability of the magnetic stripe is exploited to perform bank card cloning using specialized devices, underscoring the importance of implementing more robust security measures in the design and use of such cards.

Fig. 3. Example of card cloning process through ATMs.

The proposal is based on the application of the concept of digital watermarking, a widely recognized technique in the field of data security. Digital watermarks are signals discretely inserted into other data with the primary objective of authenticating and/or safeguarding the integrity of the original information.

The following is a breakdown of the specific components of the proposed scheme, as illustrated in Fig. 4.

Fig. 4. Proposed system for digital watermark embedding and its correlation with the altered signal due to cloning.

The following is a breakdown of the specific components of the proposed scheme, as illustrated in Fig. 4:

1. Each bank card holder is assigned a personalized image, which can be a photograph or an avatar. This image is used as a digital watermark and is converted into a sequence of binary digits through the binarization process. These binary digits are covertly inserted into the information signal.

2. The data previously stored by the bank on the user’s card is extracted. This data must be presented in binary format and serves as the host signal in which the bits of the digital watermark are embedded.

3. The function of a multiplexer is simulated to merge both signals: the digital watermark and the host signal. This is achieved by means of an embedding algorithm specifically designed so that the resulting signal is the original one but with the watermark embedded in a practically imperceptible way.

4. A private key is used to activate the encryption and decryption functions. This key facilitates the correlation between the embedded information and the original information, which simplifies the verification of data integrity.

5. At the output of the encoder you have the original binarized signal with the embedded watermark.

6. The decoder input receives the signal incorporating the digital watermark.

7. The private key initiates the signal separation procedure.

8. Using the specific algorithm for watermark decoding, the host signal is separated from the watermark.

9. Subsequently, a bit-by-bit correlation process is executed to determine the level of divergence between the signals, which makes it possible to evaluate whether the watermark has been compromised or altered, thus identifying possible cloning attempts and reducing the incidence of false positives.

10. If cloning is confirmed, the user’s account is blocked to prevent unauthorized transactions.

11. The user, upon detecting the impossibility of making transactions, will go to his/her bank to inquire about the reason, where he/she will be informed about the attempted cloning of his/her card. This will enable the user to file a formal complaint for the crime.

This decoding and verification process ensures the protection of the user’s information and their ability to detect and respond effectively to bank card cloning attempts.

In addition to the functions provided by the system, it is imperative to follow the guidelines issued by the relevant authorities regarding crime prevention. These recommendations include keeping the bank card under observation when performing transactions in stores, keeping a detailed record of the transactions performed, and periodically checking account statements to identify any irregularities that may arise.

In conclusion, the proposed scheme uses digital watermarking as a security mechanism to authenticate and protect the data associated with bank cards, thus ensuring the integrity and confidentiality of such information during transactions. The decoding system is designed for use in cases where the integrity of the digital watermark needs to be verified after potential modification or alteration during insertion of the card into a skimming device. In this context, activation of the private key will trigger the separation process between the digital watermark and the host signal containing it.

The algorithm used for embedding the digital watermark is the least significant bit algorithm. Some points concerning this algorithm are detailed below:

1. Understanding LSB

• In digital images, each pixel is typically represented by three color values: red, green, and blue (RGB). Each of these color values is stored as an 8-bit number (ranging from 0 to 255) [2].

• The least significant bit (LSB) is the lowest bit in this 8-bit number. For example, in the binary number 11001100, the LSB is the rightmost 0.

The mathematical part of the algorithm, both for the embedding and extraction parts, is shown in detail below (1).

2. Embedding Process

• Step 1: Select the pixels in the host image where the watermark will be embedded. This can be the entire image or a selected region.

• Step 2: Convert the watermark data (which can be text, another image, etc.) into a binary format.

• Step 3: For each bit in the binary watermark data, replace the LSB of the corresponding pixel’s color value in the host image. For example, if the binary data to be embedded is 1, the LSB of the selected pixel’s color value will be set to 1.

3. Binary Representation

Each pixel in an image has color values represented in binary format. For an 8-bit image, each color value (red, green, blue) is represented by an 8-bit binary number.

4. Watermark Data

The watermark data, which can be text, another image, etc., is also converted into a binary format.

5. LSB Embedding Formula

To embed a bit of the watermark data into the LSB of a pixel’s color value, we can use the (1):

where

C – the original color value of the pixel (an integer between 0 and 255)

C’ – the new color value with the watermark bit embedded

& – the bitwise AND operation

∣ – the bitwise OR operation

b – the watermark bit (either 0 or 1)

6. Extracting Process

To extract the embedded bit from the LSB of a pixel’s color value, we use the following (2):

where

C’ – the color value of the pixel with the embedded watermark bit

b – the extracted watermark bit

7. Advantages

• Simplicity: The LSB algorithm is easy to implement and computationally efficient.

• Imperceptibility: Modifying the LSB of a pixel causes minimal changes to the original image, making the watermark invisible to the human eye.

8. Disadvantages

• Robustness: The watermark is susceptible to image processing operations like compression, cropping, and noise addition. Since the LSBs are easily altered, the watermark can be easily destroyed or tampered with.

• Capacity: The amount of data that can be embedded using LSB is limited by the number of pixels in the host image and the number of color channels used.

MATLAB functions were used to implement the embedding and watermark extraction algorithms. Functions are files that can accept input arguments and return output arguments, they operate on variables within their own work area.

7. Embedder (encoder)

Data request, which is the information we want to protect from the card is shown in Fig. 5.

Fig. 5. Data acquisition.

Data conversion to binary is shown in Fig. 6

Fig. 6. Data binarisation.

Data to image conversion is shown in Fig. 7.

Fig. 7. Image conversasion.

Digital watermark assignment is shown in Fig. 8.

Fig. 8. Watermark embedding.

Grayscale watermark conversion is shown in Fig. 9.

Fig. 9. Grayscale watermark conversion.

Histogram of the digital watermark is shown in Fig. 10.

Fig. 10. Histogram of the digital watermark.

Gray threshold selection to binarize the image is shown in Fig. 11.

Fig. 11. Grayscale threshold.

The selection of bit position to embed and the generation of embedding key are shown in Fig. 12.

Fig. 12. Position of watermark.

Homogenization of arrangements are shown in in Fig. 13.

Fig. 13. Homogenization of arrangements.

Extractor (decoder) is shown in Fig. 14.

Fig. 14. Decoder.

Digital Watermark Authentication is shown in Fig. 15.

Fig. 15. Authentication.

Reading authorization is shown in Fig. 16.

Fig. 16. Reading authorization.

In case the watermark is authentic, we ask the user for the embedding key (Fig. 17).

Fig. 17. Embedding key.

If the embedding key is correct, we proceed to the data reading (Fig. 18).

Fig. 18. Data reading.

If the embedding key is incorrect, a warning is given, and a new request is made. This process is repeated twice only, if both times an incorrect key is inserted, the program denies reading the data even if the watermark is authentic (Fig. 19).

Fig. 19. Watermark verification.

In case of distortion or alteration of the watermark, a warning message is displayed, and the reading of the data is denied (Fig. 20).

Fig. 20. Warning message.

The purpose of embedding a fragile watermark is to make it vulnerable to the computer attacks to which it may be subjected. To clone a card by Skimming, it is necessary to apply an electromagnetic field by means of a reader (Skimmer), this electromagnetic field will generate distortions in the watermark if it is not calibrated to the same frequency as an authorized reader (POS). To simulate the distortion of the watermark produced by a cloner, we add different types of attacks to the extracted watermark with the following function (Fig. 21).

Fig. 21. Simulated distorsions.

In order to compare the original signal with the altered signal, we verify by calculating the BER (Bit Error Rate) to show us how many erroneous bits there are with respect to the correlation of both signals under the different types of attacks and/or manipulations (Fig. 22).

Fig. 22. Bit error rate.

Results

This section shows the graphical interpretation of the system performance and the tests performed with different values. For this test we used the image in Fig. 23 as a digital watermark.

Fig. 23. Proposed digital watermark.

We run the program in step 1 of the algorithm and add the data to be protected. In this case, the data to be protected is card number: 123 (Fig. 24).

Fig. 24. Shown data.

We run the program from step 2 to step 7 of the algorithm and obtain the result shown in Fig. 25.

Fig. 25. Results obtained from the binarization and positioning of the data.

Table II illustrates the detection of the watermark visibly, with respect to the position of the bit where embedding begins. This table provides a comprehensive analysis of how the starting bit position affects the visibility and detectability of the watermark within the host signal.

By examining various bit positions, we can observe significant differences in the clarity and robustness of the watermark. For instance, embedding the watermark in the least significant bits tends to minimize perceptual distortion, making it less noticeable to the naked eye while maintaining the integrity of the host signal. Conversely, starting the embedding process in more significant bits may enhance the visibility of the watermark but at the cost of increased signal degradation.

Fig. 26 presents the graph of the original signal alongside a comparative analysis with the signal after the addition of Gaussian white noise (AWGN). This comparison highlights the impact of noise interference on the signal’s integrity and quality.

Fig. 26. Results obtained from the AWGN addition.

In Fig. 27, the application of a low-pass filter (LPF) and subsequent signal compression are depicted. The low-pass filter effectively reduces high-frequency components, thereby demonstrating the filter’s capability to smoothen the signal. Additionally, the compression process is shown to further modify the signal, potentially impacting its original characteristics.

Fig. 27. Results obtained from the filtered and compressed signal.

Lastly, Fig. 28 illustrates the effects of clipping and resizing on the signal. The clipped signal reveals the consequences of truncating the data, while the modified signal length demonstrates alterations that may occur due to resizing. This figure emphasizes the sensitivity of the signal to such manipulations and underscores the importance of maintaining its integrity in various processing scenarios.

Fig. 28. Results obtained from the clipped and scaled signal.

Conclusions

In conclusion, the fragility of the LSB watermarking algorithm presents significant advantages in applications where tamper detection and content authenticity are crucial. Due to its sensitivity to modifications, any alteration to the file, whether by compression, cropping, or editing, can be easily detected, making it an effective tool for protecting information integrity. Therefore, although fragility might seem like a disadvantage in certain contexts, in the realm of verification and security, it becomes a desirable and highly valuable feature.