Field of the invention The present invention relates to a user terminal that Includes a tamper detection system, for example an Automated Teller Machine or other user terminal that is able to perform financial transactions.

Background to the invention

ATM terminals are very widely used, and allow users to withdraw cash and to perform other banking transactions. Usually, in order to withdraw cash a user inserts a financial transaction card, for example a credit or debit card, into an ATM terminal, enters a PIN code, and performs transactions via a sequence of screens displayed on the terminal.

As ATM terminals contain large quantities of cash, they usually include various security mechanisms to discourage theft. For example, ATM terminals are usually constructed to be physically strong and heavy to make removal, or breaking open, of the ATM difficult. More sophisticated anti-tampering mechanisms are also usually provided to ensure that any tampering with the ATM is detected and may cause shut down of the ATM or generation of an alarm. Many ATMs are embedded within the fabric of a building, for example embedded in an external wall, in order to discourage theft.

ATMs often also include encrypting PIN pads (EPPs). Such EPPs usually include a key entry device, which may be an electromechanical or touch-screen device, for entry of a PIN and an encryption module comprising a processor and a storage device that is operable to encrypt the PIN entered via the key entry device. In operation, the encrypted PIN is usually transmitted, together with other information such as a user or card identifier, via a network to a server associated with a financial institution. The server decrypts the PIN and, if the PIN is correct, sends an authorisation message back to the ATM.

In some known EPPs, a symmetric encryption scheme, for example the Data Encryption Standard (DES) is used to encrypt and decrypt PIN data. According to such schemes, the same key is used at the server and at the EPP to encrypt and decrypt the PIN. In order to program the key into the EPP, a portion of the key may be provided to separate people, for example employees of the financial institution, and each separately enters the portion of the key into the EPP, where it is stored for future use in encryption and decryption of PIN data.

In other known EPPs, a private key-public key encryption scheme is used to distribute a Master Key to an EPP, rather than relying on key entry in situ by employees of the financial institution. In such EPPs, a private key of a public key- private key encryption scheme may be embedded in the EPP during manufacture. A variety of known private key-public key encryption schemes may be used.

Known EPPs usually comprise a secure housing and a tamper detection system that is operable to detect attempts to tamper with the EPP, for example via physical interference with the secure housing or via attempted interference with or monitoring of the internal operation of the device for example using electro-magnetic radiation. In response to tampering being detected a key or keys stored at the EPP are deleted automatically. The deletion of a key or keys depends on the type of EPP device

For example, in embodiments that include an embedded private key stored at manufacture, the symmetric key distributed to the EPP by the server may be deleted in response to detection of tampering, whilst the embedded private key may be retained. Once it has been determined that the EPP has survived the attempted tampering without significant alteration or impairment of operation, a further symmetric key can be encrypted by the server and distributed to the EPP, where it can be decrypted using the embedded private key. Alternatively, the private key may also be deleted, requiring subsequent replacement of the EPP.

In EPPs that rely only on a symmetric key entered, in parts, by two financial institution employees or other operatives, the detection of tampering can trigger deletion of the symmetric key from the EPP. Another symmetric key must then be provided to, and entered by, the financial institution employees or other operatives.

It is an aim of the present invention to provide an alternative tamper detection system for user terminals.

Summary of the invention

In a first aspect of the invention there is provided a user terminal comprising an encryption apparatus, a tamper detection system associated with the encryption apparatus and comprising means for triggering the tamper detection system in response to tampering with the encryption apparatus, at least one further component, and further means for triggering the tamper detection system, wherein the further means for triggering the tamper detection system is configured to trigger the tamper detection system in response to tampering with the at least one further component.

Thus increased security may be provided in an efficient manner by using a tamper detection system associated with a PIN encryption apparatus. Such increased security may be particularly useful in the case of user terminals that contain no or little cash, as it may enable improved security to be provided for such terminals in the absence of physically bulky and expensive cladding or other physical reinforcement.

Tampering may comprise, for example, at least one of attempting to enter, interfering with normal operation, modifying or damaging.

The encryption apparatus may comprise a PIN entry and encryption apparatus. The encryption apparatus may comprise an encrypting PIN pad (EPP). EPPs usually contain built-in anti-tampering systems and using such anti-tampering systems can provide a particularly efficient way of increasing the anti-tampering measures for the terminal or components of the terminal.

The further means for triggering the tamper detection system may comprise at least one detector for detecting tampering with the at least one further component.

The triggering of the tamper detection system of the encryption apparatus may comprise rendering the encryption apparatus temporarily or permanently unable to encrypt, for example temporarily or permanently unable to encrypt a PIN.

The triggering of the tamper detection system of the encryption apparatus may comprise modifying or deleting a key stored at the encryption apparatus. The key may comprise at least one of a session key, master key, or a private key.

The encryption apparatus may be within a housing and the at least one further component may be outside the housing.

The tamper detection system associated with the encryption apparatus may be configured to be triggered by tampering with the housing, for example the housing of the EPP.

The at least one further component may comprise a further housing, and the encryption apparatus may be located within the further housing.

The further means for triggering the tamper detection system may be configured to trigger the tamper detection system in response to at least one of opening or unlocking the further housing.

The means for triggering the tamper detection system may comprise a detector for detecting at least one of movement or pressure. The further housing may be arranged so that at least one of opening or unlocking the further housing causes the detector to detect at least one of movement or pressure thereby causing triggering of the tamper detection system.

The further housing may comprise an outer housing of the user terminal. Alternatively the further housing may be within the outer housing of the user terminal and may house selected components of the user terminal. Thus selected components of the user terminal may be subject to anti-tampering protection and other components, for example components that are desired to be accessible, for example for maintenance or replacement purposes, may not be subject to the additional anti-tampering protection.

The user terminal may comprise at least one of a motherboard, a CPU for controlling operation of the user terminal, a card reader, a touch screen and a printer located wholly or partly within the further housing.

The further housing may comprise an opening to allow access to a component within the further housing.

The user terminal may comprise a card reader located within the further housing, and the further housing may comprise an opening aligned with the card reader to allow insertion of a card through the further housing into the card reader.

The user terminal may comprise a printer located within the further housing, and the further housing may comprise an opening aligned with the printer to allow loading of paper into the printer.

The user terminal may comprise wiring connecting the EPP to a motherboard or CPU for controlling operation of the user terminal and the wiring may be located wholly within the further housing.

The at least one further component may comprise at least one of a motherboard, a CPU for controlling operation of the user terminal, a card reader, a touch screen and a printer.

The tamper detection system may comprise at least one electrical, magnetic, electromagnetic or optical detection system for detecting a change in an electrical property, a magnetic property, optical or other electromagnetic property indicative of tampering.

The at least one detection system may comprise at least one of a resistive, inductive or capacitive detector and/or at least one switch or relay.

The user terminal may comprise an activation device and/or a deactivation device for activating and/or deactivating the further tamper detection system.

The user terminal may comprise a payment terminal, an automated fuel dispenser, or a product dispensing machine. The user terminal may comprise an Automated Teller Machine (ATM).

In a further, independent aspect of the invention there is provided a method of detecting tampering with a user terminal that comprises a tamper detection system associated with an encryption apparatus of the user terminal, the method comprising triggering the tamper detection system associated with the encryption apparatus in response to tampering with at least one further component of the user terminal.

The method may comprise rendering the encryption apparatus temporarily or permanently unable to encrypt, for example temporarily or permanently unable to encrypt a PIN. The method may comprise modifying or deleting a key stored at the encryption apparatus. The key may comprise at least one of a session key, a master key, or a private key.

The method may comprises detecting a change in an electrical, magnetic, or optical or other electromagnetic property indicative of tampering.

The method may comprise activating and/or deactivating the further tamper detection system.

In a further, independent aspect of the invention there is provided an encryption apparatus comprising a housing, a tamper detection system within the housing, and an input configured so that, in operation, application of a trigger signal to the input causes triggering of the tamper detection system. The input may be accessible externally of the housing. The application of the trigger signal may occur outside the housing. The input may comprise a wired or wireless input. The input may comprise an electrical connection, for example a wire or conducting track.

In another, independent aspect of the invention there is provided a method of modifying a user terminal that comprises a housing, an encryption apparatus within the housing and a tamper detection system associated with the encryption apparatus, the method comprising adding a connection to the tamper detection system, wherein one end of the connection is accessible externally of the housing, and the connection is configured such that, in operation, application of a trigger signal to the connection causes triggering of the tamper detection system.

In another independent aspect of the invention there is provided a computer program product comprising computer readable instructions that are executable to perform a method as claimed or described herein.

There may also be provided an apparatus or method substantially as described herein with reference to the accompanying drawings.

Any feature in one aspect of the invention may be applied to other aspects of the invention, in any appropriate combination. For example, apparatus features may be applied to method features and vice versa. Detailed description of embodiments

Embodiments of the invention are now described, by way of non-limiting example, and are illustrated in the following figures, in which:-

Figure 1 is a schematic illustration of a user terminal according to an embodiment; Figures 2 to 7 are illustrations of a user terminal, or components thereof, according to a further embodiment;

Figure 8 is a schematic illustration of a user terminal according to an alternative embodiment; and

Figure 9 is a schematic illustration of a housing forming part of a user terminal according to an embodiment. Embodiments of the invention can be implemented in a variety of user terminals, for example ATMs or other types of user terminals that can be used for the purchase and/or dispensing of goods and services.

Embodiments are able to provide improved security for user terminals by using a tamper detection system, for example associated with an existing EPP included in the user terminal.

A user terminal 2 in accordance with an embodiment is illustrated schematically in Figure 1. The user terminal 2 includes a processor 4 connected to a data store 6. The processor 4 is also connected to an encryption apparatus in the form of an encrypting pin pad (EPP) 8, a card reader device 10, a display 12 and a printer 14. The user terminal also includes a cash store, for example a safe, and a cash dispensing mechanism for dispensing cash from the cash store. The cash store and the cash handling mechanism are not shown in Figure 1 for clarity.

In the embodiment of Figure 1 , the processor comprises a Windows PC core. The data store 6 comprises a hard disk, the card reader device 10 is an Omron V2BF-01JS-AP1 card reader, the display 12 is a touchscreen display and the printer 14 is an Epson M-T532, MB520. The EPP 8 comprises a PCI-compliant number pad and is operable to securely receive a PIN entered by a user.

Although particular component types and models are included in the embodiment of Figure 1 , any suitable component types and models may be used in alternative embodiments.

The user terminal 2 also includes a communication interface 16 that is configured to enable the user terminal to transmit messages to and receive messages from a server 18 associated with the user terminal network operator responsible for installation and operation of the user terminal 2. The messages are transmitted and received via a secure network connection in accordance with known banking protocols.

The user terminal network operator may be a financial institution, for example a bank. The messages sent between the user terminal 2 and the server 18 may relate to a particular transaction, and may comprise for example authorisation messages or messages comprising instructions to credit or debit an account in relation to a transaction conducted by a user using user terminal 2. In addition, the server 18 can send software installation or update messages that comprise software components for automatic installation at the user terminal 2. The user terminal 2 is also able to send management information to the server 18, comprising for example data representing usage of the user terminal during a particular period, or fault monitoring data.

In operation, the processor 4 controls operation of the other components of the user terminal 2, under control of application components running on the processor. Upon power-up of the user terminal 2 a basic input-output system (BIOS) is booted from non-volatile storage {not shown) included in the processor 4, and a Windows 7 operating system and application components are installed from the data store 6 by the processor 4 to form a user terminal processing system.

The application components include various application modules 32, 34, 36 that form part of a user terminal application 30 that controls operations relating to user interaction with the user terminal.

The user terminal application 30 forms part of an application layer and is provided under an XFS-compatible application environment, which may be a hardware-agnostic application environment such as KAL Kalignite or a manufacturer- specific application environment.

The software architecture of the user terminal 2 includes various other layers, in accordance with known ATM-type device architectures, including an XFS layer that mediates between the application layer and a hardware device layer. The hardware device layer includes various hardware-specific drivers for controlling operation of the various hardware components of the user terminal 2.

In operation, the user terminal application 30 controls operation of the user terminal 2, including operations associated with performance of a financial transaction by a user such as, for example, reading of the user's card, reading of a user's PIN, receipt and processing of a user's data such as account balance, overdraft limit and withdrawal limit from server 18, and display of a sequence of display screens on the display 12.

In Figure 1 , three application modules 32, 34 and 36 forming part of the application 30 are shown. The application module 32 controls communication with the server 18, and the processing of data associated with a transaction, including user data received from the server 18. The application module 34 controls the display of transaction screens on the display 12, including selecting and outputting the appropriate transaction screen for a particular point in a transaction process. The application module 36 controls the output of cash to a user via the cash dispensing mechanism at the end of the transaction process.

Whilst particular modules 32, 34, 36 are described in relation to Figure 1 , in alternative embodiments functionality of one or more of those modules can be provided by a single module or other component, or functionality provided by a single module can be provided by two or more modules or other components in combination.

Turning to security features of the user terminal 2, the terminal includes an outer housing 20, and the other components of the user terminal 2 are located within the outer housing 20. Known security measures, for example sensors, triggers or switches that operate automatically in case of unauthorised tampering with the housing 20 may be provided.

It is a feature of the embodiment of Figure 1 that in addition to the outer housing 20, there is provided a further, inner housing 40 that encloses various components of the user terminal. In this case, the processor 4, the data store 6, and the EPP 8 and wiring connecting those components are included in the inner housing 40. The display 12, the printer 14, the card reader device 10, and the communication interface 16 are located outside the inner housing 40 in the embodiment illustrated in Figure .

A detector in the form of tamper detection device 42 is also included in the inner housing 40. The tamper detection device 42 comprises tamper detection circuitry (not shown) and a power source, for example a battery, for powering the tamper detection circuitry. The tamper detection device 42 provides means for triggering a tamper detection system associated with the EPP.

In the embodiment of Figure 1, the inner housing comprises a lid portion and a body portion, the lid portion being removably attached to the body portion using screws, bolts or other suitable attachment devices. The inner housing 40 includes a tamper detection mechanism (not shown) that comprises a spring that is located such as to be under compression when the lid portion is attached to the body portion of the inner housing 40. The spring contacts, directly or indirectly, an electrical circuit element forming part of the tamper detection circuitry of the tamper detection device 42.

In operation, any attempt to remove or loosen the lid portion of the inner housing 40 causes the spring to act on the electrical circuit element and alter electrical properties of the tamper detection circuitry. In the embodiment of Figure 1 , the tamper detection device 42 includes an output (in this case an output wire) that is connected to the tamper detection circuitry, and alteration of the electrical properties of the tamper detection circuitry due to tampering with the inner housing causes a signal level on the output of the tamper detection device 42 to change.

The output of the tamper detection device 42 is connected to an input of the

EPP 8, for example an input line or input connector.

EPPs, for example the EPP used in the embodiment of Figure 1 , generally include a processing resource for receiving and encrypting PIN entry data, and outputting the encrypted data. EPPs store at least one key for encrypting the PIN entry data. In the embodiment of Figure 1, the EPP includes a private key that is embedded in the EPP during manufacture, and a further key of a symmetric encryption scheme. The further key is received from a server in encrypted form, then decrypted using the private key, and stored. The further key is used by the processing resource of the EPP to encrypt the PIN entry data.

EPPs usually include a secure housing and a tamper detection system that enables detection of tampering with the housing. In the embodiment of Figure 1 , the tamper detection system communicates with the processing resource and, if tampering with the EPP is detected by the tamper detection system, the tamper detection system is triggered. The processing resource then causes the deletion or modification of the further key from the data store in response to the tampering. Thus, tampering with the EPP causes the EPP to be rendered temporarily or permanently unable to encrypt, for example, PI entry data.

It is a feature of the embodiment of Figure 1 that the EPP 8 is configured so that tampering with the inner housing 40 causes a change in the signal level on the output of the tamper detection device 42, which in turn triggers the tamper detection system of the EPP 8, causing the deletion or modification of the further key stored at the EPP 8. Thus, additional security can provided for the user terminal 2 taking advantage of the anti-tampering measures included in the EPP 8. That can provide a simple, and cost-effective way of increasing the security of the user terminal 2 without requiring the installation of bulky and expensive additional physical reinforcement. In the embodiment of Figure 1 , the EPP 8 includes a trigger input (either wired or wireless) that can be used to trigger the tamper detection system of the EPP. Such a trigger input is, in some cases, a wire that connects to the appropriate point in the EPP circuitry such that a change in signal level on the wire by at least a predetermined threshold amount causes the triggering of the tamper detection system of the EPP.

In another embodiment, the EPP is an EPP that includes a detector in the form of a pressure sensor and associated button, and pressing (or release) of the button causes detection of pressure above (or below) a threshold level of pressure by the pressure sensor and consequently the triggering of the tamper detection system of the EPP. One such embodiment is illustrated in Figures 2 to 7.

Figure 2 shows a user terminal 100 comprising an outer housing 102. The front cover 104 of the outer housing has been unlocked and is open in Figure 2. The front cover 104 of the user terminal is shown in an unlocked and open state in Figure 2.

The user terminal 100 also includes a further housing 106 forming a secure box. The user terminal 100 includes various other components including a printer 108, which can be seen outside the further housing 106 in Figure 2.

Figure 3 shows further components of the user terminal 100 mounted on the rear of the front cover 104, with the further housing 106 removed. The further components include a card reader device 110, an EPP 112, a hard disk drive (HDD) 114, a mainboard 116 comprising processing circuitry for controlling operation of the user terminal 100, power circuitry 118, a speaker 120, a bar code reader 122, a camera 124, and an FID reader device 126.

Figures 4a and 4b are illustrations of the further housing 106 when not attached to the front cover 104 and thus in an open state. Figure 5 is an exploded view of the front cover 104, EPP 112 and further housing 106. The further housing 106 includes an engagement surface 130 that engages with the rear surface of the EPP 112 when the further housing 106 is attached to the front cover 104 of the user terminal. Thus, the engagement surface 130 engages with the rear surface of the EPP 112 when the further housing is in a closed state.

Figure 6 is a view of the further housing 106 (in wire-frame representation) attached to the front cover 104 of the user terminal 100 and thus in a closed state. Figure 7 is a further view of the further housing 06 attached to the front cover 104 and in a closed state. In this case the further housing 106 is locked to the front cover using a locking device 140. The user terminal 100 also includes a rear cover, with the rear cover and front cover 104 together forming an outer housing. In Figure 7 the rear cover is omitted so that the further housing 106 can be seen.

It is a feature of the EPP 112 that it includes a pushbutton on the rear surface, and a pressure sensor operatively linked to the pushbutton. In operation, the pushbutton is maintained in a depressed state, which maintains a pressure greater than a threshold at the pressure sensor. If the pushbutton is released, the pressure sensor detects the associated reduction in pressure and a tamper detection system of the EPP 112 is triggered in response to the detected reduction in pressure. The tamper detection system of the EPP 112 in this case then deletes or modifies a key stored at the EPP 112 in response to the triggering, thus preventing normal operation of the EPP 112.

It is a feature of the embodiment of Figure 5 that the further housing is arranged so that movement of the further housing 106, for example opening the further housing 106, causes the engagement surface 130 to move away from the pushbutton on the rear surface of the EPP 112, thus causing triggering of the tamper detection system of the EPP 112. Thus, an alternative means for triggering the tamper detection system of the EPP 112 is provided by the arrangement of the further housing 106, in this case in relation to the pressure sensing system, comprising the push button and pressure sensor, of the EPP 12.

In a variant of the embodiment of Figures 2 to 7 a detector is provided associated with the locking device 140, which can detect unlocking of the locking device 140 and thus unlocking of the further housing 106. The detector is linked to the tamper detection system of the EPP 112 such that unlocking of the locking device causes triggering of the tamper detection system.

In further variants of the embodiment of Figures 2 to 7, the pressure sensor is replaced with another type of detector, for example a movement sensor, which is arranged to detect one or more of opening, unlocking or other movement of the further housing 06, and which causes triggering of the tamper detection system in response to such opening, unlocking or other movement of the further housing 106.

Whilst one particular further housing 40 has been described in relation to

Figures 1 to 7, the further housing may comprise any suitable housing in alternative embodiments. For example, the housing may be of a one-piece construction, or may comprise two, three or more portions. The housing may be permanently sealed, for example using soldered or welded joints, or may comprise separate attachable and detachable portions attachable using any suitable joining means, for example screws, bolts or adhesive. The housing can be made out of any suitable material, for example plastic or metal and/or lightweight material. Any suitable tamper detection system can be used to detect tampering with the inner housing in alternative embodiments. In the embodiment of Figure 1 the tamper detection system comprises an electromechanical arrangement in which a spring physically connects the housing and tamper detection circuitry. However, any suitable arrangement of mechanical, electrical, magnetic, electromagnetic and/or optical components can be used to detect tampering with the housing, in accordance with any techniques available to the skilled person. The tamper detection system may be configured to detect tampering in dependence on measurement of one or more of movement, vibration, light or other electromagnetic radiation, or pressure.

In one embodiment, the tamper detection device 42 comprises a processor and an interface operable to communicate with one or more sensors installed on or within the housing 40.

In alternative embodiments, the triggering of the tamper detection system of the EPP can cause other actions to be performed, as well as or instead of the deletion or modification of the key stored at the EPP. For example, in the embodiment of Figure 1 the embedded key may be deleted or modified as well as the further key. That would then require the discarding or extraction and reprogramming of the EPP in order to make it operable again. The triggering of the EPP tamper detection system may also cause a message to be sent to a server or other remote device and/or the output of an alarm signal. The triggering of the EPP tamper detection system may cause the terminal to enter a shut down or suspended mode in which further user transactions are unavailable.

In the embodiment of Figure 1 , the processor 4, the data store 6, and the EPP 8 and wiring connecting those components are included in the further housing 40, and other components are provided outside the further housing 40. Any desired component or combination of components can be provided inside the further housing, and can thus be subject to anti-tamper protection, in alternative embodiments. The selection of components to include inside the further housing may depend on the nature of the terminal, and on other security measures provided in the terminal, on the environment in which it is likely to be installed, and on the need for access to the components for example for maintenance purposes.

For example, if the terminal is to be installed outside or in premises that have low security, and the terminal does not include other security measures, for example a secure outer casing, then it may be desired to include more of the user terminal components within the further housing.

Figure 8 is an illustration of an alternative embodiment in which the card reader 10, display 12 and printer 14, as well as the processor 4, the data store 6, and the EPP 8, are provided inside the further housing 40 that is subject to anti-tamper protection.

In the embodiment of Figure 8, the further housing 40 includes openings that enable access to the card reader device 10 and the printer 14. One such opening 50, which enables access to the card reader device 10, is shown in Figure 9. A corresponding opening (not shown) is provided in the outer casing of the terminal. The opening 50 enables a user to insert their card into the card reader device 10 without causing tampering to be detected.

An opening is also provided in the embodiment of Figure 8 to allow paper to be loaded or removed from the printer 14 that is located within the housing 40, again without causing tampering to be detected. Another opening, or transparent portion, can be provided in the housing to enable the display 12 to be viewed by a user.

The openings in the housing can be sized so as to ensure that access to components within the housing via the openings is limited or not possible. The card reader device 10, the printer 14 and/or the display 12 may be positioned so as to wholly or partially block the openings thereby to limit access to the interior of the housing 40. The tamper detection system may be configured so that an attempt to move the card reader device 10, the printer 14 and/or the display 12 relative to the openings causes tampering to be detected.

In alternative embodiments, the tamper detection system associated with the housing 42 is provided with an activation and/or deactivation facility, which allows the activation system to be activated or deactivated. In one embodiment, in which the tamper detection system includes a processor, the processor is connected to a key pad. An operator has a fixed time period (for example, 10 seconds) from starting to tamper with the housing in order to open the housing to enter a deactivation code using the keypad. If the correct deactivation code is not entered within the fixed time period, beginning from the time the tamper detection system first detects tampering, then the tamper detection system sends a trigger signal to the tamper detection system of the EPP to trigger the tamper detection system of the EPP.

In the embodiments of Figures 1 and 8, the further housing 40 is an inner housing within the outer housing 20 or casing of the user terminal 2. In alternative embodiments the inner housing 40 may be omitted and/or the further tamper detection system, for example comprising the tamper detection device 42, is arranged to detect tampering with the outer housing 20 or casing of the user terminal.

The described tamper detection measures can be used in ATMs operated by banks or other financial institutions or networks and that do contain large quantities of cash. The tamper detection measures can provide for enhanced security in such ATMs with relatively low cost and effort.

The described tamper detection measures can also be beneficially used in other user terminals that may contain no cash, or relatively little cash compared to standard ATM machines operated by banks or other financial institutions. By providing such tamper detection measures in such other user terminals enhanced security can be provided to protect components of the user terminals without requiring the installation of bulky enhanced outer casings or other physical shielding that is able to resist sustained physical attack. As such terminals may contain little or no cash, such enhanced outer casings or other physical shielding may therefore be omitted.

The encryption apparatus may be an EPP. In alternative embodiments, any other type of encryption apparatus may be used. The key that is deleted in response to tampering can be any suitable key, for example any key whose deletion renders the EPP temporarily or permanently inoperable, for example a session key, private key or master key.

Although the description of various embodiments have included reference to a user's financial transaction card it will be understood that in alternative embodiments any other type of user device associated with an account may be used, for example a fob or RFID device.

It will be understood that the present invention has been described above purely by way of example, and modifications of detail can be made within the scope of the invention.

Each feature disclosed in the description, and (where appropriate) the claims and drawings may be provided independently or in any appropriate combination.