Windows ATMs by 2005
An anonymous reader writes "O'Reilly Developer News is running a brief on how the banking industry will be running a stripped down version of windows on 65% of its ATM machines by 2005. On a morning when I'm receiving the latest windows virus in my inbox every five minutes I feel very comfortable with this."
Holy cow! Can you say, "Free cash!"
Just stand in front of ATM the next time a worm rocks through and watch it start spitting out bills.
ROFL!!!!!!!!!!!!!!!!!
From the Wired article:
But one of Anderson's colleagues, Bruce Schneier, chief technology officer at security monitoring and consulting company Counterpane Internet Security, dismissed this [money-dispensing virus] scenario. He pointed out that the machines would not operate online and therefore would not become vulnerable to a malicious Internet attack or to some virus passed around in an e-mail attachment. Because the machines have no peripherals like floppy disks, it would be difficult for a cracker to install code or steal information.
Of course, everyone knows that ATMs have no communications links of any kind. It's just a box full of money with a power plug, right?
Duh! The ATM communicates with the bank, with the ATM user, *and* with the maintenance staff.
* The bank connection is some sort of comm line. Put encryption on it and maybe it's safe. But what happens when it turns out they've used some Win-standard encryption .dll that gets hacked?
* The customer sticks a card in and punches buttons. This is reasonably safe now, when you have little more than a numeric keypad with "Cancel" and "Enter" buttons. But the more Windoze crap they add -- they're talking about "lottery tickets and soft drinks" -- the more robust the UI will have to be. Are you sure you checked that buffer overflow?
* Finally, the maintenance staff has "root-like" physical access to the system. Sure, you have to get past some heavy-duty locks to get to the control panel inside the machine. Big deal, lots of crooks know how to pick locks... how many, though, know OS/2? But what happens when trojan-friendly Windows is the OS? Pick the lock, load the software (because there *will* be a floppy, CD-ROM, or USB port for upgrades), and dispense free, untraceable cash whenever someone inserts an ATM card with magic cardno "1111-2222-3333-4444".
Perhaps using OS/2 was a way of de facto "security by obscurity". Installing Windows is more like "security by crossing-your-fingers".
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
We have them in the UK already - the sight of ATMs showing an NT4 logon screen is not uncommon...
You must not reboot to receive your cash.
134340: I am not a number. I am a free planet!
I've seen an ATM machine with a BSOD. Think Windows ATMs already exist.
Why would you want to do this? We have already had people complaining about the use of Windows on ATMs elsewhere...
Goto such and such a street and look at the screen, it's seriously got the BSOD!
Excuse me but why, when we already know that there are major security issues with Windows, are we going to use it on ATMs?
posted anonymously to not lose karma for funny.
Um.... a good number of ATM's issued by a large bank I used to code for run NT 4.0. This isn't late breaking news.
Saying Android is a family of phones is akin to saying Linux is a family of PCs.
A FATAL EXCEPTION 0$ HAS OCCURRED.
Please contact your financial administrator
See the Pictures of the Flood of '08
Boy, some days the comedy just writes itself, don't it.
"Lawyers are for sucks."
- Doug McKenzie
but let's be honest, the article IS the witty comment. The other jokes on this one are just writing themselves as we speak!
Oh the humanity!
No trees were harmed in the composition of this; however, numerous electrons were inconvenienced.
Does anyone know if this will be a US-only thing, or are all the major banks around the globe planning this?
Who is John Galt?
Now instead of the usual $1.50, I'm gonna be charged a license fee, and will have to pay extra if I want receipt support.....
xao
xao
http://TheHillforum.hopto.org
... Debt.
I know for a fact that Natwest Bank here in the U.K tried Windows NT on their machines a couple of years ago. I saw three or four NT error dialogs in the first two weeks. They changed to some other system (possibly going back to whatever they had before, with a different user interface on it) after a couple of months.
So it's not that new an idea.
...like this before...
I actually saw a BSOD displayed on the ATM and it was frustratingly annoying...
Why can't the banks simply use the not-broken current embedded, probably written in assembly system that they use for ATMs now?
Why MUST it be changed? Are they going to add every service in the world to an ATM?
Great! Just what we need, long lines at the ATM, just like at the bank, where one person chews up the teller's time performing six months of banking at one time...
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
run Linux?
Windows on an ATM - already happening. Already getting errors.
i think this is less of a concern than it is made out to be. an ATM OS can be tested very rigorously much more easily than an entire OS (especially a bloated one). so i am not afraid of windows ATMs, security-wise. what i AM afraid of is how this lays another layer of brick that reinforces that MS monopoly - i hope some enterprising individuals offer a cheaper, features-competitive open-source system.
smd4985
Does anyone else think it might be a bad idea to give Billy Boy more power over money than he already has?
I couldn't fail to disagree with you any less.
. . . for your deposit to take effect
is a simple little worm, that takes all the remainder fractions and adds them all up, and deposits them into the FSF legal defense fund.
Just as irrigation is the lifeblood of the Southwest, lifeblood is the soup of cannibals. -- Jack Handy
This will bring nothing but criticism.
Banks are pretty damned secure. You can't steal money from them easily. Otherwise, they wouldn't be very good banks.
The software they have is very secure. It is also very well tested and designed for the most part.
The users flaming Microsoft and its worms have a legitimate reason - for their home PC security.
It is much easier for someone to trojan your computer and steal your online banking/cc info than it is to root the gibson at an ATM.
It isn't nearly as easy as it was in T2...
[I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
Most of the ATM's for my bank in Spain are already windows based. They run NT, and when they boot up, you can see them go through the whole NT boot sequence. (I've seen them blue screen a couple of times, but that's pretty rare.)
They even have the little Windows hourglass on the screen while you are waiting for the transaction to process.
Another bank nearby runs OS/2 Warp on its ATM machine, but it seems to be out of service as often as in service..
-- -- Warning. Do not stare directly at the sun.
but Wells Fargo in California already use some form of Windows on their ATMs. I've seen a C:> prompt a couple of times on their ATM machines.
don't you just love it!
seems as though development tools quality does have something to do with os choice for dedicated systems.
The atms at my school use Win2k. How do I know? Bluescreened one day when I needed money.
Doesn't Bill Gates have enough money that he now has to go into everyone else's?
Now that that's off my chest... We should not be so quick to criticize Microsoft about this endeavor so quickly. Yes, they said a VERSION of Windows will be on there. But, due to a specialized niche industry here, odds are this will be a specialized version of Windows. There will be communication issues at stake here, the usual wariness of a MS operating system, but with the money probably being put in place to fund this project, and their recent egg on the face with the security holes, I think they will at least try with this special version of Windows to make it secure.
Yes, I like the open source movement as well and free software and would prefer to use it, but without an opensource alternative available to the companies that use the machines, they have to use what is offered to them.
Given that God is infinite, and the Universe is also infinite, would you like some toast?
"They have tried to cut out the unnecessary rubbish that clutters up the typical PC."
but.. but.. the article says they're running Windows.. now I'm confused.
Trolling is a art,
Does it happen to have a feature where if you forget your PIN 3 times, you get to reset it?
:(
I sure hope so. I forget mine all the time
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
reaffirms my disappointment of being a part of the human race.
If it was running on SCO then each transaction would cost you $699 etc etc etc. It's been awfully quiet on the SCO front today...
They already run ATM machines on Win NT 4.0 for years...
Yes really, no joke...
These machines are constantly out of order making you go further from home than ever to be able to get money...
The banks really don't care, they only care about their buzzword called "profit maximalisation at ALL cost"
I'll start working on modifying my ATM card's magnetic strip to overflow the ATMs card reader.
If I get cash from an Microsoft ATM, do I have to put it in a Microsoft Wallet?
Two wrongs don't make a right, but three lefts do.
"On a morning when I'm receiving the latest windows virus in my inbox every five minutes I feel very comfortable with this."
I respectfully disagree with the author.
__
Thou hast besquirted me, O leotarded one.
These BSOD and virus remarks are so fresh, keep 'em coming guys.
Auntie M? Toto?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
I Hate That!!!!
I'm sib888, and I approved this comment.
Windows ATM's?
o Not worried.
o Vaguely worried.
o Sorta worried.
o Kinda worried.
o Somewhat worried.
o Fairly worried.
o Worried.
o FEAR FEAR FEAR
With the amount of local banks in my local area that are using unsecured (non-WEP) protected wireless access points on their local LAN, I wonder how long it will take for a RDC that tells the ATM to spit out money?
There are security updates that take months for companies to patch on their local servers & workstations... how will a known security vulnerability be fixed on a "stripped" version of 2K or NT in an ATM, and how long do you think it will take them to implement these updates, if they can update them at all?
Money flying out the window!
Unfortunately, I don't see a change in Microsoft as a monopoly.
Now watch, we'll see the first magnetic card buffer overflow exploit for free cash.
You walk up to an ATM at 2AM (from the side, of course-- keep out of the camera's line of sight), put a black jacket over the camera port, then swipe a magnetic card through the system that overflows a buffer and runs arbitrary code to dispense free cash.
Yeah, brilliant idea, guys. Choose the OS that's been hit most frequently with this sort of abuse in the past. Exploits are definitely going to be possible, considering the inherent issues of the underlying OS.
Just as bad, how about reliability? We're going to see tons of bluescreened ATMs. I've already seen a few Windows ATMs in the past, and I could always tell them by the bluescreens they inevitably have.
On a morning when I'm receiving the latest windows virus in my inbox every five minutes I feel very comfortable with this.
You should be safe. Perhaps "stripped down" will mean that Internet Explorer, Outlook Express and IIS are not installed.
You guys never saw a blue screen of death in a ATM? .. 'nough said !
I've seen it
I fuse with Mercer every single day...
While I have seen a number of NT4 based ATMs, and I have seen some of them stuck with an error message or a BSOD, this is nothing compared to the joke that is the "U-Scan" at my local Meijer. Every time a big MS worm goes through, the entire block of U-Scans is closed with a little message saying the U-Scans caught a virus and they are working hard to restore them, blah blah blah. Don't forget those kiosks at stores like Target for gift registries and stuff that go offline half the time for lots of Windows (or crappy Lexmark printer) related problems. I am damn glad my current bank's ATM has a nice happy monochrome screen that *always works* still.
Morphing Software
"Also, an armed guard will be standing by each and every ATM. You'll give him your card and your pin number and he or she will get the cash out and hand it to you. This guard is authorized to shoot anyone who mistypes their PIN, or looks funny."
"We think that these security procedures will greatly reduce the risk of a worldwide economic collapse."
Why does running Windows always seem to be more trouble than it's worth?
And how can we be sure Scrooge McBill doesn't electronically transfer all the money to his giant underground money bin and swim through it every night at 3 am?
I just don't want Bill-stank on my twenties, see?
ok, now microsoft will know when you use Windows, *and* when you go to an ATM to get some money... And as soon as i get Windows on my car-computer, they will be able to track me wherever i go !!! way to go...
- live from Costa Rica !
I'm not sure of actual numbers, but I recall that IBM is heavily invested in Diebold, a major ATM manufacturer. I also recall that a large percentage of ATM machines run OS/2.
If this is true, I would expect IBM to be pushing a linux-based solution.
But then again, who knows what the banks want to buy? I just got a letter last week from my bank informing me that "for my security" they will be requiring online banking customers to use 128 bit encryption. Ack! 1998 called, they want their security back!
Yep... I pressed the wrong button (I think "Correction") when it was asking me for a withdrawal amount (I hadn't entered anything yet) and NT crashed and rebooted.
It took forever to reboot, but a security guard walking by told me "Yah, it does that all the time - wait a bit and it'll spit your card back out."
We have NT driven Metrocard vending machines in the subway. They seem to work ok actually... Even amidst all the worms and such. I know they are networked somehow too, as it would be impossible to keep track of the machines otherwise.
I noticed that the CoinStar coin-counting machines also run some form of NT. Back when I worked in a supermarket I found out that the coinstar would actually dialup with a modem from time to time, perhaps to give updates or state of repair.
I just hope whoever maintains the ATM's knows what they are doing... I really need my money... and I'm not sure if the FDIC will help me if the ATM starts giving it away..
Chaos is Divine *
"On a morning when I'm receiving the latest windows virus in my inbox every five minutes I feel very comfortable with this."
I have gotten about almost 100 this morning...
All that is necessary for the triumph of good is that evil men do nothing.
don't like this but what is the alternative ?
Right now most Windoze products are licensed on a per-user basis... NT can be licenced by how many people will use it, etc.
My Question is, are banks going to have to drop an insane amount of money on licensing? I.E. x dollars for every ATM card that is in circulation from that bank? Think about how much more ATM fees would be.
ATMs perform very specific functions. Wouldn't it just make more sense to develop something from scratch that doesn't do *anything* more than the ATM functions than to take something already developed for other uses and take a hatchet to it and try to make it fit?
I don't *need* Windows in my telephone or my cable box, let alone in my ATM... what's next? Windows in my refrigerator, of course. And my bathroom medicine cabinet. And then my sock drawer...
Me: "I'm sorry that I'm not wearing socks this week, but my sock drawer crashed and I haven't had time to reinstall Windows so that the drawer will open."
Will it never end?
Quoth he
"It's all academic anyway..."
I will write a worm that will traverse through the banking/ATM networks, adding money to your accnts. Just identify yourselves w/ your Acct# and PIN and by 2005 you will be rich.
for a quick withdraw of crash... er I mean cash.
Sorry it's early, and I still have no power at home, it is the best I could come up with.
That does it, I'm withdrawing my money from the bank and putting it inside a wooden box outside my shed.
As someone who has used and stood in line to use one of these machines, let me just say that they are a far cry from the efficiency of the current ATMs. Just on a rough estimate, it takes 3-4 times longer for your average Joe Sixpack to make a transaction.
From my own experience, and knowing what I'm doing, the OS runs a good bit slower than the tried and true green on black systems. Top that off with the annoying pointy finger and IE "click" noises, and you have an example of change for change's sake.
Of course, the only reason at all they seem to be using this new system is so they can bombard you with advertising while you're using the machine.
All and all, a bad change all around.
that's one buffer overflow i'll want
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
Do we need to have a licence to use WinATM ?
Oh, i can't find the ctrl+alt+cash keys !?
How do we deal with all these "Are you sure
Start->Programs->MS Money?
For the last few weeks when I visit my local Safeway, the enormous widescreen LCD displays hanging in the produce department that normally beam ads directly into our brains have had a single dialog box displayed on them about some NT service that couldn't start. First time I saw it I just stood there and laughed. To see it on each subsequent visit for almost a month (for all I know it's still there), was even funnier!
A friend of mine took these photos of a Win NT Natwest cash machine shutting down.
This is a bit worrying.
I actually stopped going to a particular grocery store in my city (*cough* Kroger! *ahem*) because its automated checkout system was broken so often.
They have 10 self-service checkouts running Windows, and whenever I would go there, more than half were crashed, and the rest were in other various error messages (like Mouse Not Found sort of things). That left one or two checkout people to handle a loooooong line of people trying to buy things.
Based on the success that I've seen with Windows at the grocery store, I think if my bank switches to Windows, I'll switch banks. Shame, too, since it took me a year to convince them to support Mozilla for online banking.
World's tallest building rises in the desert
...we Windows ATM users will be playing Half-Life II, DeusEx II, and Halo! Suckers.
Looks like it's time to pull all the cash out of the banks and go back to the Bank of Between The Mattresses. Last thing we need is a stupid Windows worm to have a huge impact on the finances of the United States (or any other countries that use this scheme).
Oh, and out of spite, i'll figure out a way to make my bed run FreeBSD* or something.
[*]"BSD" always makes me think of something like Bondage/Sado-Domination or something.
do() || do_not();
This is nothing new, certain banks have had NT running for ATMs for a while now. Hell, the subway card dispensing machines in NYC run NT as well as the entire line of NJ Transit ticket-dispensing machines. So don't go off making silly comments of doom and destruction since guess what, they're already here and have been for a while! This is not to say that things cannot go wrong (I see the above mentioned machines being serviced fairly often and they do get errors), but let's not get too dramatic.
"What can a thoughtful man hope for mankind on Earth, given the experience of the past million years? Nothing." -Bokonon
They would prefer Windows, a platform they consider 'open' in that it is compatible with their internal corporate networks.
Or they could migrate their corporate network to a truly open system. Unfortunate that corporations (even banks!) are willing to entrust their business to such unreliable software, all in the name of familiarity.
First of all, do you really think this is that big of a security concern? Blame all the virus activity on the idiots that open attachments in their email. This is also a stripped down version of the OS. None of the typical combined driver inconsistencies (ie graphics cards, wireless, modem, etc) for hardware that usually causes the instability problems. The drivers, mentioned above, will be strictly written and tested together to run in this environment. Again, like everyone else says, 'Now, I'm not a M$ hater, I really like linux'. Does it really matter what OS the ATM uses? You have more of a security risk of Jim-Bob yanking(redneck hacking) an ATM machine out with his rusted 80's pick-up truck, than you do by having the OS run Windows.
As a funny aside, I worked with a programmer named Jules and, after he left the company, I was responsible for the code. While looking through the code one day I found many variables named... jules! If that isn't self documenting code, I don't know what is. In addition, our terminal had problems booting but Jules, being the ever resourceful programmer he is, learned that if he pressed the escape key a lot as the computer was booting then everything worked fine. After Jules left, one of the other programmers became fed up with the escape key nonsense, replaced the keyboard, and the problem was solved.
So remember, in Capitalist America, Jules programs your ATM!
Honk if you're horny.
I remember going to the mall once a couple years ago, and saw an error screen on one of the Webster Bank ATMs. It was running OS/2.
"You have requested $40. Last week, you withdrew $50. Are you sure that you don't need the extra $10?"
"You appear to be paying your credit card bill. I see that you have $2,000 credit remaining. Would you like me to order the latest quality products from Microsoft for you?"
-Stephen
Here's a pic of an ATM with a BSOD. This guy claims to have been able to get to a Windows desktop on an ATM.
The Windows ATM experience
That's coz pc hardware is so plentiful, cheap and powerful.
Trouble is, if they actually use PC class hardware those blue-screens etc could easily be because of flaky RAM, bad power, nonECC RAM bit being hit by a cosmic ray/particle.
On the slow old hardware the transistors on chips were so big even if a cosmic ray hit one of them, it'd hardly notice.
Still, that should be quite rare, but power spikes/EM could be an issue.
When the advert underneath your story is for M$ software you really should think about your priorities.
Now ATMs will be dispensing Monopoly Money!
just wait until Outlook is integrated for messaging. Log into your bank account and find a message waiting from Mr.Kerberos of Nigeria with $2M waiting for you. [press 'okay' to accept wire transfer of 2,000,000,000,000]
Of course, I'm stupid for using ATMs as often as I do, so maybe this is a good thing. It will encourage us to carry more cash or use less, because there will be a significant chance that nearby ATMs will not be working.
..... the *real* ATM Hackers will be able to crack into the ATM's OS by using buffer overflows and data encoded into the magnetic strip of home-made atm cards.
The Rebirth Of The Card Walloper!
do() || do_not();
Here in Sweden i have seen crashed/rebooting ATMs running:
* DOS
* OS/2
* Windows
Unless there is a menu option on the ATM to open the attachment on an email that promises to enlarge you AND your checking account that shouldn't be a problem.
After all the real problem is end-users who click on things they shouldn't - followed closely by those who allow end-users to do that.
No, the real question is why pay licensing fees to Micro$oft when Linux is free (SCO get real!) and IMHO better. Is it because of security certification??
Withdraw $123, wait 44 seconds, then press Cancel+555+Enter+Bill Gates's birth date, and the ATM will get you another free 1000 bucks!
I saw an ATM crash once and... it booted up OS/2!
Oh no! Microsoft security sucks! It's the worst in the entire world! Anyone can write a better, more secure OS than Microsoft! Why, oh why, aren't they using Linux, the only secure OS in the world (tm)? Woe is me!
Okay, now that I've exhausted the topic for 90% of the people who are going to feel the need to post - who's up for some beer and pizza? Game of darts?
I've heard of a couple of other scams involving ATMs. One took place at a mall in California(?) -- the thieves put in their *own* ATM that recorded numbers and access codes, but didn't give out any cash. They then collected the ATM, retrieved the card stripe data and access codes, cloned some cards and went on a withdrawal spree.
Most recently I was at an ATM that had a FWD: FWD: FWD: -type email taped to it warning of a new scam; thieves that put a plastic sleeve into the card slot that somehow allows you to use the ATM but captures your card. They observe your access code, and when you leave, they remove the sleeve+card and then do a bunch of withdrawals (to zero) and ditch the card.
The latter scheme seemed dubious; the chain-letter like WARNING on the machine, and the insertion sensors on card slots I can't see allowing something jammed that far into them. Plus this was at a gas station deep in suburbia where hanging around the ATM would be suspicious, and where the ATM was in a corner making its use a complete screen of the keyboard.
In college (mid 80s) an ATM in the student union had its comm line (cat3, looked like a phone line) exposed, and it was in a seldom-used corner. We thought it would have been possible to hook a PC to the line and capture a legit transaction. We'd then repeat the transaction and just replay the responses from the remote end. But I'm sure that even in the 80s the comm links were encrypted and not spoofable like this. But it was a reasonable idea.
..for burying my money in a coffee can in my back yard
I really don't think it will be that bad.
As long as they just simply use this as a platform to run the ATM software on, I think it will be reliable.
Back in the day, I setup a Windows 98 box, used 98Lite to remove all kinds of junk, got the install down to 40-50mbs I believe. That machine booted insanely fast, and it was very reliable, never saw a blue screen on it, etc.
I think if they strip it down, go as far to make certain things not executable, and close ports, etc, I think it could be just as good as what we have. Then again, why are they changing this? It works, and how many more features can you get out of it?
GeekWares - Buy and Download Today!
Wonder how long until someone manages to get knoppix onto a smart card and has bank machines booting up into tux racer..
Screw X-box hacks.. I want myth-tv on my local bank machine.. my tv could follow me EVERYWHERE!!
This is definitely another step toward world domination. How long before Bill Gates graces the front of the new $1024 bill?
Two wrongs don't make a right, but three lefts do.
Don't most run DOS now anyway?
From Microsoft on how ATM works...
...
...
ohhhhh... you mean... gotcha... nevermind.
IANAL, but IIRC in many countries money obtained through ATM malfunction is not technically yours, and you must return them.
From the Wired article: "With open technologies it is easier to run different types of hardware on the same software."
Holy shit, I can't believe the banks are so gullible. Did they actually believe what a salesman told them?!?
I thought that by handling so much money they would be more cynical by now. I guess not.
Healthcare article at Kuro5hin
I believe that problems can really happen; it actually happened to me once. I'm at the store and I pay a ~500$ purchase with my card. First try: Network Error, transaction cancelled. Second time, the machine didn't even try to connect. So I get to an ATM, get the cash and go back to the shop to get my purchase. Later that day, I got to go to the bank, and to my surprise, my cash balance is lower than expected. ~500$ lower; actually the money was lost during the transaction. I go see a counsellor telling about the problem, he tells me that I need the transaction paper, the paper is down the trash at the store, so I get to the store, search the trashcan for the paper, I finally get it, go back to the bank and wait for the counsellor. When I see him, he tells me that that wasn't their fault, and that I'll have to wait a few months to get my money back. Since I had a nice sum there, I told him that I had better have my money back in the week or that another bank will get me as their customer. The money was there by night. Errors happen and it's never the financial institution's fault...
Colosse.
I appreciate and understand the slams against M$ from the anti crowd but what are the alternatives? Like everyone else they are trying to cut the development costs in implementing new services for their customers, as developing rapid applications on a highly available product such as Microsoft Windows will allow. I love Linux so let's not get into an OS war, we're talking Windows on ATMs not Linux on ATMs...
I haven't seen an MS based ATM in my neck of the woods, but I HAVE seen ATMs that were down for one reason or another - just because it's an M$ ATM means it's by default bad?
Yes they are on a network-a closed and highly guarded network-yes the access panels can be picked by a lockpick, but easy? The whole concept of someone picking a lock, installing some trojan on there, and then walking away with the cash is good in a fantasy novel, but highly unlikely-if it does happen let the Bank be damned for not taking the needed protection to its own systems.
Are you sure you want to withdraw some cash?
You must restart your computer before your money can be dispensed
And, of course
C:\WinNT\System32\dispense.dll not found
Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
Windows ATM ? It's already happening!
I was in Croatia some year ago, inserted my card, made some choice on the screen when suddenly a BSOD appeared, the card remained stuck in the ATM and I wasn't able to have it back, even if the bank was open.
I had to continue my vacation without money since the card was mailed to my bank... in Italy...
Unfortunately I didn't have a camera...
Whether large companies even *consider* something other than windows. Do these banks know about linux? Haven't they been watching current virus headlines? Maybe open-sourcedness scares them, since that means that to a certain extent, anyone can view the code the banking system is based on.
I mean, what is the justification for using Windows... or even Linux for that matter. Why not a for-ATM OS, I'm sure a bank could afford the dev work and in the end it'll likely cut costs more than having Windows-based ATM crashes.
Meanwhilst, I'm waiting for a windows hack that plays a "laugh track" WAV file when somebody checks their balance... that and I'm expecting a few windows errors due to "division by zero"
Excellent, Wire Transfers to Bill, direct payment of Microsoft Tax. Consume more resources then needed. Use M$ encryption.
Can we say Identity Theft? I knew you could.
I understand the standard windows=bad theme for slashdot postings, but think about it for a minute. It's in a box that's locked up tight, many with cameras around, not connected directly to the internet... so really... is there any significant security issue to worry about any more so than with the other ATMs around?
Calling all trolls! Calling All Trolls! Masters of the NNTP Protocol, we need your trolls in the comp.sys.amiga.games newsgroup.
Goatse, Tubgirl, spin.gif, we need it all. Amiga is dying posts!
If you don't post in comp.sys.amiga.games then you're a nullo! Body nullification [globalapathy.com]
Man, you guys are like Pavlov's dogs. Taco rings the Microsoft story bell and out come the rhetoric-spouting zealots. Sure, your points are valid security concerns. But they sure as hell aren't specific to Windows. Time for rebuttals...
Point 1 - Comm line: But what happens when it turns out they've used some Win-standard encryption .dll that gets hacked?
Ah yes, God knows non-Windows communications software never has exploits (it's a link to the SSH exploit story).
Point 2 - UI: The more Windoze crap they add -- they're talking about "lottery tickets and soft drinks" -- the more robust the UI will have to be. Are you sure you checked that buffer overflow?
Uh, this is specific to Windows how? Microsoft isn't going to be writing the interface, the ATM companies are. And they'd be writing the EXACT same interface on whatever platform you want them to use.
Point 3 - Physical Access: But what happens when trojan-friendly Windows is the OS? Pick the lock, load the software (because there *will* be a floppy, CD-ROM, or USB port for upgrades)
Guess what - the best hackers out there are more familiar with non-Windows OSes than they are with Windows. TiVo runs Linux and it's had the shit hacked out of it. ReplayTV, while still hackable, hasn't had nearly the level of "unofficial" customization. It's a lot easier to muck around with software if you have the source to it.
Now, I'm not saying that Windows is more secure than other OSes. That thought is absurd. My point is that in a very tightly controlled environment, it can be just as secure as the next OS. My other point is that you guys are fucking insane with anti-MS zealotry. Why don't you try looking at the world without that chip on your shoulder?
All your cash are belong to us?
On a side note, haven't these banks been watching the news?
Mod me down with all of your hatred and your journey towards the dark side will be complete!
It simply strikes me that Windows is the wrong solution to this problem. This is not an anti-Windows or anti-Microsoft rant. Windows is a general purpose OS that started out for the desktop and has had server capabilities added over time. It has an enormous number of capabilities that simply aren't needed for an ATM. Without contact with the Internet, it is unlikely that anyone can exploit vulnerabilities to cause ATMs to dispense free cash. However, it seems likely that it will be possible to create denial-of-service attacks against them.
I am being hit by spam with payloads over 150K, which I assume to be viral attachments. The spam companies usually want to conserve bandwidth and have emails of size 3-4 k, could it be that the email list holders are themselves being hit by viruses which are then sending the viruses out to all the email addresses that are on their lists, or just that bandwidth is cheap even to spammers. Am I happy, that the spammers may be hit by viruses, or am I sad, that my email is being full of junk fast? decisions decisions.
Be Free: Free Software Tuition
I work with a lot of embedded controls systems and the use of Windows with these systems (for Human Machine Interface, data gathering, etc) is increasingly common. The security concerns related to viruses and worms are also more common.
Back when more of these systems used Unix, VMS, etc, it was not a big concern. The environment was so heterogeneous that you didn't need to worry. Now that everyone is running Windows, it becomes a huge problem.
I've been helping several of my customers lock things down and better isolate their control systems. There are plenty of ways to do this effectively but it only takes one careless tech to screw the whole thing up. While I'm confident that I can develop the infrastructure and procedures to protect the systems, I'm not confident that the procedures will be adhered to.
This has become such a large concern that many of them are reevaluating their purchasing decisions and considering turning away from Windows. The problem is that nearly all of the vendors are now producing Windows only solutions.
I would like to say that there would likely be similar problems if everyone was running Linux. While you can lock things down when you start to put the systems into the hands of less sophisticated users you will have the same problems. I see this as more of a user problem than a technology problem. The reason that these worms and viruses spread so fast is that users are not taking the precautions that they should.
Anecdotal support for this argument can be found at any large LAN party. There are always a number of bozos running Red Hat infected with all kinds of crap because they have no idea what they are doing.
You can give two guys the best woodworking equipment in the world and the best wood. One will produce an heirloom and the other will be in the emergency room getting his fingers sewn back on. There are more of the latter than the former in this world.
...what a surprise another anti MS scare story.. wtf does an outlook virus have to do with how safe or not an ATM machine is?
<fnord>OBEY</fnord>
Quote from Bruce Schneier, chief technology officer at security monitoring and consulting company Counterpane Internet Security: "When you think about an ATM machine, it is basically a vault," Schneier said. "There is inherent security there." What a friggin jackass... CTO of a security company and he still says "ATM machine". He better protect his PIN number.
Here in Seattle, most ATMs are running OS/2 or Windows NT4. They seem to be running on standard x86 clones, although all you interface with is the display and a serial port for the keypad.
Windows2k/XP by itself isn't really a problem in an ATM. Attaching said ATM to a wide open network IS a problem. They'll probably stick with the dedicated leased lines, and it'll be about as secure as it was with OS/2 / NT4.
I live in the UK. Barclays bank used to use DOS based machines. Then they "upgraded". The NT machines now display all sorts of fancy pictures - and are about 100x slower than the old dos machines.
I recently noticed that all of the machines inside (that the bankers use) are Windows 2000 machines; replacing the x terminals they used to use. Clearly someone has made a bad decision in IT management inside of Barclays.
Guys... you have to realize these ATMs (unix, windows, other) are NOT on the public internet. They're not even on the same network as the workstation computers inside the bank. They may not even be using the same protocols, but I don't know about that.
The fact that they run Windows doesn't honestly mean much to me, because if the security experts in those banks are stupid enough to connect an ATM (or any number of other important machines internally) to any sort of public network... they're gonna get fucked at one point or another.
How often do you think a UNIX ATM's kernel/packages gets patched to fix that latest overflow discovered? Probably never.
no comment
can you imagine 60% of the ATMs in your city hitting windowsupdate.com all together?
what about 60% of the ATMs in the US hitting it?
Damn, we'll have to rename the slashdot effect into ATMeffect
-- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
This could make a good April Fools' joke. I was convinced they would only use decent stable software to power up atm's. Soon you could call Diebold with the following error message. GPF in cashpocket.vxd
In Sweden we have ATMs with Windows NT already. Twice I've seen an ATM with the blue screen of death...
Now this just doesn't make sense. Sure, I'd agree with a need to upgrade from OS/2 - even finding a way to put new software on OS/2 is going to get hard as time goes on. But why the decision to go to Windows rather than a sensible decision like embedded Linux, QNX, heck ANYTHING but Windows...
Windows does not provide the needed security, stability, or reliability needed for these applications. It does not provide real-time features that could allow certain security guarantees. The quoted reason, compatibility with "internal corporate networks" doesn't even make sense. Writing an interface for the functionality that ATMs provide might be an interesting project for an undergraduate intro-to-programming class. It's not like ATMs need to interoperate with the company Outlook Exchange server...
This sounds like a bunch of ignorant suits were herded into a room by MS salespeople and told the "benefits" of XP Embedded. I seriously doubt that anyone experienced who put any technical thought into the matter would decide to use Windows for ATMs.
-3Suns
~~~~
The Revolution will be Slashdotted
"They would prefer Windows, a platform they consider 'open' in that it is compatible with their internal corporate networks. Also, it's so ubiquitous that they can add features to all their ATMs without having to write multiple pieces of code for different machines." Bruce Schneier, a security company official, states that ATMs do not operate online and are therefore not vulnerable to malicious viruses and internet attacks. No word on the blue screen of death.
ATM's don't currently operate online and this is a GOOD THING. However that goes out the "Window" if the whole point of going to Windows to the PHB's is that it's "compatible with their internal corporate networks"...
The article would seem to indicate that doing away with the very caveat that Bruce Schneier's quote uses to make this seem "okay" is part of the point of the exercise.
(shakes head in disbelief...)
Quoth he
"It's all academic anyway..."
...use NT 4.0. Most of the original security issues with it had to do with the way it was programmed rather than the OS.
That discloses the operating system running on ATM's so people can make informed decisions when inserting their credit/bank cards into them.
Sorry Microsoft but I'm not about to stick my card in a machine especially when nobody can prove to me who's at the wheel.
Most older machines run on home grown code and are not as hard to be cracked by hackers. If my bank switches to MS run machines I will take my money elsewhere.
They consider windows "open"??!!
"The Windows platform allows us to put even better protections in place."
Someone must be blowing crack smoke up their asses.
Or they are smoking from the same crack pipe as Darl...
I for one don't use banks, at all, in any form. I do not have any sort of bank account, anywhere.
I've had my identity stolen several times, bank accounts drained, accounts frozen and seized because of activities of others. Screw the entire system.
As it stands now, the system in general is badly flawed, badly broken, and pretty much un-fixable.
And now they are going to run it on the number one virus delivery system on earth?
Windows is the Typhoid Mary of OS'es.
This is just another good reason to continue to stay out of the system. Live by cash alone. You can not go in debt that way, you control it 100% of the time and if you don't have it, you can't buy it. Not to mention that ID thieves now have nothing to work with. Anything that shows up in my reports is fraud and theft because I dropped out of it all 10 years ago..
It seems to me this article implies that the bankers' lack of information is a form of security.
They don't know exactly what services will be removed, and hence probably are not aware of what services could be running and producing security holes.
The fact it is customizable also seems to present itself as a major security issue. How are we to know that these customized ATMs that also deal out lottery tickets or supermarket coupons were necessarily programmed (by the banker) correctly and securely? We can deploy this en masse too? So the potential for a large scale security breach would be high?
I'm also a tad confused by the statement that it will be secure since it will not be hooked up online into a network. But it will have scriptable programming and customization?
Maybe if everything goes right, it will be perfectly secure. Are ATMs basically vaults and are we still making sure that that stays the same?
I actually thought most of them had been running Windows for years. I was amused with something I saw three years ago in this regard. I was in a bank in line behind a mid-aged non-techy who just received their first ATM card. You know how non-techies can sometimes crash programs that a veteran would swear is rock solid. That's what she did. She crashed the ATM. This was inside a bank. A teller saw the whole ordeal, appeared promptly with a key, opened the ATM (from the front), pulled out a keyboard which was stashed away in the machine (!), pressed Ctrl-Alt-Del, and closed it up again as the machine booted Windows 3.1 (!). The teller was not a techie either. The "press Ctrl-Alt-Del" message was on a sticky note pasted to the keyboard(!). I swore I would never use another ATM with a touch-screen GUI. When possible, I use the text screen ATM's with blind belief that it is better(!).
It's such an irony that the guy's name is "Bill Gates." (ATM == gates for bills) Finally we shall have access to the world's richest man's bank account via ATM. heh.
the less there is to break.
Shop smart, Shop S-Mart.
From a bank marketing analyst explaining the migration of ATM OS to windows:
"With open technologies it is easier to run different types of hardware on the same software."
and that's right, he's referring to Windows as 'open' technology.
Banks are merging and acquiring different machines, and tired of writing changes a half dozen times or more. yet they're going with the high cost option, instead of the obvious one.
a -security- company -CTO- exec gets a runner up prize for 'Dumbest Thing a Security Consultant Could Possibly Say' by suggesting that the ATMs wouldn't be vulnerable to the myriad MS worms and viruses because they don't work online.
this not even a year after Slammer -did- manage to shut down many ATMs which -also- were not online.
This Wired article reads like an Onion article.
// "Can't clowns and pirates just -try- to get along?"
Now when it asks for my PIN # I can just hit the "escape" key and it will still login and let me withdraw cash from the Bank's own "Administrators" account.
Ave Molech Setting
I wonder if they will change the blue screens to green?
---
Lousy rotten karmic retribution.
Here
I've actually seen this myself a couple of times.. and no, none of the ATM keys seem to be mapped to Return, so you can't do anything.
Is there some reason they cant install the nice little FREE operating system that would give the same benefits and increased stability?
AIB = Allied Irish Banks. Their ATMs tend to be signposted with "AIB Bank ATM Machine" or near equivalent.
kartune85 : Incapable of reason, observation or learning. A kind of dim, drab, flightless parrot.
In Sweden, at least one major bank has used MS-DOS for their ATM:s. I saw one of these in a "funny" state (late 1999, I think) and of course took some shots...
:)
Images here
The server is a powerful Pentium 120 with a whopping 40 MB of RAM, so if it's slow, just keep banging on it..
There will probably be a $1 transaction fee for all withdrawals that will be deposited into Bill's personal account.
---
Lousy rotten karmic retribution.
yesterday when I went to my bank's ATM to withdraw some money.
after entering my PIN, the ATM asked for my birthdate.
nice to see the bank implementing an additional security identifier.
not that this would help if an ATM card was lost in a wallet containing other ID cards...
Yeah, they have built in failsafes to keep this from happening. Just like the power companies have built in failsafes to keep a massive blackout from occurring.
Most free standing ATMs I've seen are plugged into a basic analog phone line (you can even hear some of them dial). How hard would it really be to cut into the line and listen for a while? Once you learn the protocols you could pretend to be the bank (Send to ATM: account balance $1,000,000 dispense as much cash as you've got when you put in a blockbuster card). If traffic is encrypted at all, it likely uses a fixed key that could be broken with time. How's that for scary.
Heck, you could also get the number for the bank server (just listen for the dial tones) and try some of the NT RAS hacks.
Note: I do not recommend doing any of this, or large men with badges and guns will put you in federal ass-pounding prison.
SD
"Who knew something as harmless as willful ignorance could end up having real consequences?"
As someone said earlier, most Diebold ATMs run OS2, however, Diebold is now pushing win2k on their ATMs, _NOT_ linux. We have about 50 ATMs and at the moment, 90% are OS2.
I work for a credit union which uses Diebold and IBM equipment almost exclusively.
I know because I walked up to one and it had a blue screen of death.
It really scared me.
-David
There. Now go play some cool javascript games!
I'd love to see ATM's use Microsoft products, because Gates doesn't control enough of my money already...
Business \Busi"ness\, n.;
A scam in which all people involved perceive as beneficial...
It still has the "My Computer" and "Internet Explorer" icons on it... Stripped down, my ass. It's as full of stuff as any other default windows installation.
Why does an ATM need a web browser?
http://github.com/gbook/nidb
In early May of this year I was in the drive through ATM and the machine had a stack of twenties trapped in the slot where the money comes out. Hey, you can flame me for this but I jiggled the stack out slowly enough so only the top four bills tore. Drove away with $2320.00, bought myself a new car stereo and a pair of Nikes. I'm not a saint and neither are the Bank CEO's, Flame Away.
And we all know Diebold's renowned track record for security implementation. Just look at their voting systems.
ATMs have been running windows for quite some time, probably 4+ years. How do I know this? Every so often (rarely I must say) I come across an ATM with a blue screen or equivalent dialog box.
I always thought it was a bit overkill to run windows on something whose function consists of dispensing money and displaying publicity in its spare time.
Our local McDonalds has an LCD display outside at the drive-through ordering location, mounted on the box with the microphone and crackly speaker. It displays full color pictures of Big Macs, etc. when you first pull up, and then as you order, shows each item ordered with price and quantity, and a subtotal.
I can't count how many times I have pulled up and seen "Illegal Operation" dialog boxes on top of a blue screen, and the dialog boxes identify the OS as some Windows CE variant.
While there have been occasions that I have approached an ATM to find it out of order, these have been far less often, and they normally have "This Machine is Temporarily Out of Order" displayed on the monitor, which tells me it is probably a mechanical error, or simply out of money. I have never seen the display screen in an invalid/error state.
"the universal aptitude for ineptitude makes any human accomplishment an incredible miracle" - Stapp's Law
All along Europe you can find MS NT ATMs in full color and full of ad screens while waiting to process orders. They use NT, basic NT, and are centrally managed by CMS. The blue screen is very usual and even the eternal ctrl-alt-del screen.
------I can please only one person per day. Today is not your day. Tomorrow isn't looking good either.------
Outlook or other Windows hacking prone applications
What like RPC? The vast majority of root-level exploits in Windows have to do with un-checked buffers, or bad parsing on open ports that exploit SYSTEM LEVEL PROCESSES! You know what? I have never been infected by an outlook virus. I have had plenty of windows viri though, and it usually happens right between the time that I have done a fresh OS install and when I can manage to download the latest virus definitions. By the time I can apply patches and do a scan I have already caught a virus from some other idiot on my subnet (yes I know there are ways to do this so that I am not exposed before being protected...live and learn right?).
Have you been keeping up with the security updates that MS has released in the last four weeks? ALMOST ALL of them affect ALL versions of their OS and have nothing to do with Outlook or any other third party app. On just what basis can you call 2k/xp secure? Are you confusing stability with security? I'll give you that the OS has gotten much more stable, as in doesn't crash as often and requires fewer reboots, but almost all security holes that are announced affect either ALL windows versions including XP, OR affect all NT versions which includes NT, 2K, and XP.
There is not another OS on the planet that comes close to the amount of remotely exploitable holes as MS OS's, and that is based purely on an insecure model from the ground up. What does that mean? Practically everything that the user doesn't initiate runs with administrator privileges! In a secure model if an RPC buffer overflow is exploited, the worst thing that could happen is a DoS attack because you have taken over that process and can flood the network. In an IN-secure model like windows uses, if RPC gets compromised your whole system is your toy! Why? Because it runs with administrator privileges! That means that any code you run might as well have been run by Bill G himself.
Sure you could argue security by obscurity and say that these machines will not be on the internet, but it has to communicate with the mothership somehow to authenticate you, and that means at least ONE open port, and that means a root-level exploit waiting to happen.
LOL...he said that Windows is secure...tee hee hee
Sigs are out of style, so I'm not going to use one...oh wait..
Have their entire ATM network shut down by the SQL Slammer worm???
So, are you posting from that ATM right now?
In many European countries ATMs have a secure cryptographic device attached, which stores all cryptographic keys used to encrypt data between the ATM and the ATM server. All cryptographic computations are made in that device and it is designed to "erase its memory" if someone tries to pull it out or do something weird.
Normally, the PIN you type is directly transferred (encrypted) to the secure device and does not go through the PC memory. So your PIN is pretty safe from any virus or trojan horse.
These requirements are imposed by VISA/Mastercard, because they take PIN security very seriously.
The remaining risk comes from an insider who would put a trojan horse in the ATM such that it would dispense cash automatically, for example if you type a certain key combination.
This does not endanger your PIN though or any transaction. It's basically a problem for the bank.
This is a rather complex attack, even if you have Windows, OS/2 or linux on the ATM (Windows might just make it easier). The hard part is getting into the system (these machines don't run any standard services and there are access control policies). There are easier and less dangerous ways to get money from the credit/debit card systems than hacking into an ATM in a protected environment.
One of the reasons they use windows is because it's the cheapest alternative (YES! Shock! :-) ). The specific drivers exist and also the engineering skills. Moreover banks are very conservative, some still have DOS or OS/2 ATM's so they stick to stuff they know (usually not your favorite free OS).
Blue Screen of Debt!
"Faith: Belief without evidence in what is told by one who speaks without knowledge, of things without parallel." - A.B.
'nuff said.
They did. It's called Congress.
This will certainly weaken the security of the banking industry. I've read through many of the slashdot comments on this horrible tale, and no matter what anyone says about safeguards to prevent FREE CASH dispensing from a virus, THIS WILL EVENTUALLY HAPPEN! M$ is notorious for its security holes and patches that introduce new holes. It won't matter that the machine communicates with a special protocol that isn't even connected to the internet directly, Windows is flawed by design and should be dumped and completely replaced with Linux, Mac OS X, or completely re-written. The history of M$ flaws is substantial evidence enough to support my arguments.
the thought of ATM-transactions being under the control of an OS as inherently insecure as Windows is enough to make me not use an ATM-card.
If banks want to upgrade to a modern OS with transparency that they can easily code for, they should upgrade to an OS that is inherently relatively secure, like OpenBSD.
social sciences can never use experience to verify their statemen
Since when did company spokesmen or the decision makers ever have a clue about security? I imagine the IT guys in these places are pulling their hair out in frustration but the suits will make it happen anyway and then blame the IT people when it all goes t*ts up with a virus or a hack and the bank loses $$$.
It's the way of the world I'm afraid.
I know this won't get accepted if I submit it as everything I submit gets rejected.
And because this is directly related to Windows security, well here ya go.
Also the BIG reason I submit this is the mention of the flaw. A SECURITY HOLE THAT HAS BEEN KNOWN FOR TWO YEARS and remains unrepaired..
Anyone that thinks Windows is or can be a secure environment lives on another planet..
http://www.cnn.com/2003/TECH/internet/09/19/worm.swen.reut/index.html
New worm targets Internet Explorer
SAN FRANCISCO, California (Reuters) --Anti-virus companies warned on Thursday of a new computer worm circulating through e-mail that purports to be security software from Microsoft Corp. but actually tries to disable security programs that are already running.
The worm, dubbed "Swen" or "Gibe," takes advantage of a two-year-old hole in Internet Explorer and affects systems that have not installed a patch for that security hole, according to Internet security company Network Associates Inc.
The malicious program arrives as an attachment to an e-mail pretending to contain a patch for holes in Internet Explorer, Outlook and Outlook Express and then mails itself off to addresses located on the victim's computer.
Relay chat also vulnerable
The worm also can spread over Internet relay chat and the Kazaa peer-to-peer network, as well as copy itself over shared networks, Network Associates said.
When it infects a computer it alerts a Web site that appears to be counting the infections, according to Symantec Corp., another Internet security outfit. The number of the counter was near 760,000 by Thursday afternoon.
Network Associates rated the worm a low risk for corporate users and a medium risk for home users. The company and rival Symantec, among others, were offering anti-virus updates that detect and remove the worm.
Microsoft has cautioned customers in the past against e-mail software updates, saying it does not distribute patches that way but rather directs them to its Web site.
From the Wired article: "With open technologies it is easier to run different types of hardware on the same software."
Holy shit, I can't believe the banks are so gullible. Did they actually believe what a salesman told them?!?
I think someone got confused and said "open" as opposed to "modern". Regardless of the reason given, the statement about NT being able to utilize more varied hardware than OS/2 is dead on.
Unfortunately, this is what's happening. Microsoft has done the same with banks as what they've done with most corporate entities -- 'bid' systems and training to them. The deal is that most banks store information in MS databases, most Internet bank interfaces are ASP applications (.NET will make this worse). Whether or not it's 'secure enough' is not a question...
Believe it or not, there are people who get paid very well to administrate Windows computers and they like Windows very much.
I'm not sure how hackable these machines will be either. ATMs use either dialup or ISDN connections to communicate centrally with banks, so they're not going to be on any public network (check out http://answers.google.com/answers/threadview?id=241775 for a good discussion about how credit/ATM cards work and links to many resources on the subject).
Additionally, there isn't much room for hacking an ATM... I mean, without taking the thing apart, you have 21 keys maximum (4 - 8 keys to choose options on the screen, 10 keys for numbers, an OK key, cancel transaction key and backspace key) on most machines. Without opening the thing up, you're not going to get very far.
While Windows may not be secure over a public network with all sorts of services running, on a private direct connection with solid software, there's really no vulnerability here. You should learn a little more about how these machines work... they're not on some wide-open network hole waiting to be exploited.
ATM transactions are also encrypted, and I think we all agree that Microsoft is definitely pro-encryption.
So, before we go bitching about MS getting their stuff put on ATMs, I think we should look at the online interfaces to our accounts which are much more insecure than any ATM that will have Windows (and all the posts here seem to just be whining about how insecure it will be). I guarantee that you losing your ATM card is the most insecure thing that can happen in this regard without taking the ATM apart. A UNIX-based machine would be potentially just as vulnerable if you consider this possibility.
On the other hand, I think poorly written online banking software accessible through web-browsers on any platform is more of a security threat to your banking.
On a final note, in the Netherlands, anyway, banks give you this little device that you put your card in and it generates a hash that you have to type in every transaction. Is anybody aware of what is actually being hashed? I wouldn't think it's any private data on the card, because several banks don't require you to insert the card into the device. The best I can tell it's simply a couple of hashing algorithms hashing the current time (with about a 30 second period -- i.e. two hashes within n seconds generate the same hash) and... ? The PIN? Not sure.
Anyway, food for thought for you overly-hyped cynical freaks.
www.sitetronics.com/wordpress
take the number of ATMs running Windows (N) and multiply by the cost of licensing each ATM for Windows (C), then subtract that amount from a Bank's earnings (E), and thereafter calculate how much more the ATM transaction fees will rise.
make no mistake, the cost of licensing all those ATMs with M$ Windows is going to be passed on to customers.
i remember back in the day, the implementation of ATMs was spun as a way for banks to save money spent on live bank teller salaries, and to pass on the savings to its customers, but it soon turned out so popular, that banks came to see ATMs as a low cost cashcow, and transaction fees increased from that point on.
i have therefore modified and optimised my ATM usage habits to reduce as much as possible my number of transactions.
Yay, somebody who has a sensible head on his/her shoulders.
Yeah, I can not imagine how happy AlQaeda will feel about this.
But we are running out of money to fund our Jihad. And the Americans are getting harder to hit.
Do not fear, Allah will provide. And if not, then Bill Gates will, by running getting W to allow windows at nuclear power plants and ATMS.
Running Yankee dogs, your capitalism does for us what we could not do
I mean, it's not as if these machines are connected to the Internet? So you can't exploit them, since they're on a Network on their own, separated from the Internet. And I'm pretty sure banks don't use the Internet, but some sort of proprietary communication to transfer information between themselves (well, except from banks who offer online transaction, which at ATM is not), so it's not that big a deal.
Unless some crazy MSCE decides that it would be neat to have ads on the machines that are fetched on the Internet... DAOH!
"A critical flaw has been discovered in Windows ATM Edition in which customers whose PIN ends in 4 can execute arbitrary code by means of a buffer overflow."
Who doesn't like free music?
When people use the (shudder) expression "ATM machine," I usually shout "machine! machine!"
I work for one of the big four hardware manufacturers. All of the new terminals run on WinXP. OS/2 is supported only on the older models.
Microsoft hasn't fixed the BSOD problems since Windows 95, how will this affect ATMs running Windows?
As far as I knew Diebold and Interbold ATMs used a form of OS/2 and were rock solid hardly ever crashing.
Nothing would bug me more than a whole batch of local ATMs that are out of service due to a BSOD or the latest Windows Worm turning them into Porn Zombies or something else.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Where do you want to go with someone else's cash today?
(answer: Bora Bora!)
While you're waiting for your cash, you'll see the Windows logo and "Please wait while your transaction is processed." Then out pops the crisp, new #20 bills and you smile, because you just felt like you withdrew money from Microsoft instead of your own account. Then the horror sets in as you realize you are now overdrawn. Oh well.
Seriously, WHY?!?! What possible advantage do you get from going Windows?
Your money is insured people! There is a better chance someone will rip one out of a wall, than one being broken into through the OS.
After worms killed Bank of America's Windows-based ATMs and caused the greatest power outage in history you would think people would quit trying to use windows for secure environments. Windows is a desktop single user os for office workers. It is no good for any other purpose (in fact being inferior even to Linux for even that purpose). For ATMs the banks should be using a secure RTOS of some sort, not a desktop OS.
Someone is going to have to put a stop to this nonsense. Our country's financial structure and infrastructure are threatened by Microsoft's predatory marketing practices and refusal to build stable secure software. The only answer is to ban their products in certain usage.
The real joke was when the Banks said that they wanted to use a more open operating system which is why they chose Microsoft. Yes, if you want a standard, open operating system rather than proprietary garbage use Windows. Hmm. Something wrong there. But then the Banks are using Windows for everything else. So they find it easier to interface with Windows than anything else because that is what the MCSEs they hired know how to connect with.
Get the picture? Microsoft has made sure that their OS is a pain in the ass to connect to anything and that the more you know about their OS the less you know about computing in general or any other OS. Therefore the path of least resistance is to just install Windows for everything. Of course if it were me the path of least resistance would be to tell the MS salesguy to get the fuck out of my office and tell the MS software to get the fuck off my machines. Then I would install something stable, secure, usable, and open source.
If everyone did that we would have less computing problems all around. Too bad we have idiots who still insist on using piece of shit software.
I doubt very much that Outlook or any email app will be installed in an ATM. Be realistic here.
Besides, based on other posts and what I've even seen personally, many ATMs have problems from time to time. At a Wells Fargo bank some time ago, I saw OS/2 Warp booting up after the 3270 emulator crapped out and forced a reboot - right there in front of me.
You've obviously no clue who Bruce Schneier is. He's the author of the (infamous) book "Applied Cryptography", invented the Blowfish and Twofish algorithms, has played a major role in analyzing (cracking/finding weaknesses in) major security algorithms. Bruce is the leader in this field. He is the president of Counterpane (http://www.counterpane.com/). If anybody has a clue about security, it's him. Get a clue before you post.
www.sitetronics.com/wordpress
It is left as an exercise to the reader to work out the risks of dynamically allocating IPs to ATMs.
I've had a picture of this ATM for the past 5 years on my website :)
<grub> Reading
I approached an ATM machine only a couple of weeks ago (the Bank of Scotland machine in Leuchars, Fife, for anyone nearby) and was both taken aback and greatly amused to find an 'Add/Remove Programs Properties' window filling up the display!
I didn't realise until then that people were actually using Windows for bank machines. It looked like either 98 or NT4 (probably/hopefully the latter)... needless to say I couldn't take any frigging money out >:(
I have been responsible for locking them down, and I don't have an entirely happy feeling about it. But that's about 3000 odd ATMs to add to the statistics!
The bank I work at just put in a new OS2 based ATM. It communicates on a TCP/IP based network consisting of the ATM and a dedicated router that then connects to an ATM servicing company. Depending on the safeguards in place at the ATM servicing company, a worm or trojan could spread to all ATMs that they process.
Also, earlier in the year quite a few Bank of America ATM's went down to Slammer congestion.
Well, this goes to prove that Microsoft's claims in court that Windows was so tightly integrated into a single monolithic system are false. Obviously if the system is still functional enough to provide the frameworks needed to run ATM software and a modern user-interface, after being stripped down, then the same is certainly possible for mainstream use. In fact, it's likely that the reason it is stripped down is because superfluous features are a risk. Internet access and DirectX can also be seen as superfluous features.
Of course, this comes after the fact. So maybe you could argue Windows has been re-architectured since the legal trouble, but I doubt anyone with a knowledge of complicated software engineering and familiarity with Microsoft's code bases could say that under oath.
No text.
SF Bay Area folks: notice the new BART ticket machines at certain stops (Montgomery and such)? I walked by one the other day and the screen was displaying a Windows NT boot screen.
Can't WAIT to get BSOD'ed when I'm desperately trying to load a ticket... "My train's freakin' BOARDING come ON take the money you piece of... *** STOP: 0X0000000000A IRQL_NOT_LESS_OR_EQUAL..."
If Slashdot is where the spelling-challenged go when they die, I'm in heaven.
I don't give a damn what books or code he's written, the way his quote has been presented makes it look as if he doesn't think VPNs can be compromised. Well I can assure you and him that they damn well can and I've been privy to it happening and if ATMs are on a VPN they'll eventually get hacked. Or would you claim otherwise?
Hmmm - this doesn't make me want to run out and translate all of my electronic funds into cash or gold bars, that I methodically hide in deep holes around my property and under the mattress...(nudge-nudge, wink-wink!)
For the tin-hat wearers out there (and you know who you are):
Does anyone find it interesting that the leading ATM company, Diebold, is going into online voting, while Microsoft, a company known for its dirty dealings, is going into ATMs?
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
Windows NT has been running on most ATMs in Sweden for years. It's a huge source of frustration (and of course amusement) when every ATM in town has blue-screened - and it happens often.
L-ViS
And maybe if you weren't stupid you would realize they're talking about the parent, which shows a photo of a WinNT-ish desktop with several icons, including MSIE.
I have had the recent pleasure of watching the V-Com ATM machines being installed in our local convenience stores. They are PC's controlling the system, using Internet connections over TCP/IP to communicate, running Windows NT Workstation 4.0 SP6a. They have a custom keyboard missing the CTRL, ALT, and other state keys, and a touch screen interface to boot. And they can be crashed so easily it goes beyond funny to just plain sad.
The tech doing updates opens the bay, plugs in a regular keyboard, logs on to an e-mail account, and runs the patches distributed that way.
Not something I really would trust with my money!
You can have it fast, accurate, or pretty. Pick any 2.
In my neck of the woods, a significant number of ATM's are already running a version of NT-- specifically, the WellsFargo ATM systems that are color-- I've seen them during install/maintenance at a UI that is definitely NT, and I've also seen one BSOD with an NT Kernel error on one occasion.
I'm not sure this is a good or bad thing-- it's not like ATMs are that reliable anyway, with eaten cards, "atm not in service", etc.
You don't honestly think the ATMs are connected to the same office LAN as the cashier terminals and office PCs?
"Hey, let's bridge our highly secure ATM network with an unencrypted office network!" - yeah, right.
More to the point, I don't think that'd be a factor, anyway. If they've got an ounce of sense they'll be performing all transactions over an encrypted VPN anyway.
sig:- (wit >= sarcasm)
What's the deal with these new all-singing-all-dancing colour ATMS anyway?
I want to get cash out quickly, not watch animations advertising crap I'm not interested in while the thing chokes under the strain of running Macromedia Flash (or whatever) when it should be doing the transaction and dispensing my money in the quickest time possible.
The colour and animation adds nothing but waiting time, turning what used to be a ten second operation into a minute long wait. (This is especially bad at night, when you really don't want to hang around at an ATM any longer than necessary. I should know - I was robbed by four guys while waiting for one to dispense my money.)
The old green-screen ATMs were ten times quicker to use than these new colour ones with animation. Has the rotating logo / crappy Flash / too much JavaScript craze of many a bad Geocities site taught us nothing at all? The best user interfaces are as simple as possible with as few distractions as possible.
When an unnecessary animated interface gets in the way of usability, it's time to stick with what worked. Bring back the green-screens!
Organic free-range music... yum!
I have no idea what the source of this article is, but I work for the company that owns 80% of the world market in ATMs. I'm not in the ATM part of the business but the plant that makes many of them is in the same building where I and other developers are, and I walk through the plant to go between the employee parking lot and cube-land every day, so I see all the ATMs in production and testing etc. Guess what? They all run windows. When I started working there 3 years ago they were running NT 4 - they've just switched to 2000. Inside those things is just a stripped-down PC.
What a brilliant free advertizing scheme if rather than "This ATM is out of service" message you get the BSOD that we all know so well.
Today is a gift. Save the receipt.
There can't be a worse choice than Windows to run something like an ATM. Current versions of Windows are designed to run a wide variety of applications containing lots of active content sending information here, there, and everywhere, which is hardly desirable in an ATM. Windows is designed to be updated via a network connection which is exactly the opposite of what an ATM owner would want. 'Windows' is a very complex and relatively unstable pile of bytes that is extremely vulnerable to hardware failure, power surges, memory corruption, other applications, operator error, and just about every calamity that one can imagine. It is likely that some of those existing Windows ATMs have crashed just because the user pressed the "5" key too quickly too many times or something. The entire design of Windows is aimed at displaying a complex bitmapped windowing interface as rapidly as possible which is something that is not even required or desirable in an ATM. If someone actually did a design evaluation between current OSs, including various embedded OSs, Windows, even stripped down, would come in last by a long ways. What could possibly cause some otherwise wise engineer to select "Windows" as the operating system to run a device like an ATM machine? Temporary insanity perhaps? I predict that the reliability of the machines will turn sharply downwards as more Windows machines make their way into the mix and losses will sharply escalate. A lot of those ATMs communicate with their host over a simple dial-up connection that thieves will quickly find ways to penetrate when it is under the control of anything 'Windows'. The rest of the ATMs are connected with networks that are likely to be vulnerable to the 'virus du jour.' It's only a matter of time until someone undertakes some attack that will have the ATMs kicking out anonymous serious cash to anyone who keys in the PIN code '1234a' or something like that.
Of course, the bankers will keep it quiet when it happens (for obvious reasons) so we'll never hear about it, unfortunately.
Are we going to have access to alt-ctrl-del in case we get the blue screen of death?
Pretty bloody scary, considering that Bank of America's ATMs were shut down earlier this year due to the Slammer worm.
Wonder if it's time to start keeping my money under my mattress ...
If so many of these machines are currently running OS/2, I wonder why IBM is not rolling out a Linux substitute for their current customers?
http://213.112.76.62/incoming/sparbanken.jpg
it says out of virtual memory.
It could be argued that Windows, with its "always on" window system, is not appropriate from a resource usage standpoint. But if some company has put together a system that complies with all the regs and can compete on price with other systems, why should a bank care what's inside the box?
This is not a Windows-only vulnerability. Give me physical access to anything and I can be root on it. Just boot it single-user (or whatever maintenance mode is appropriate for the system) -- voila! If I intend to rob ATMs, you think I'm not going to do any research on what kind of system I'm going to find inside, and how to compromise it? Anyone who can break into an ATM room is not a script kiddie, this is a serious burglar.
Unlimited growth == Cancer.
I've seen one bluescreened before. (It was already bluescreened when I walked past it. Honest.) This is not much of a shock. Windows should be pretty secure if you're not running much of it, and you have it on a well-protected network. It's not like they're going to be running windows 2000 datacenter edition on these things, it'll be a tiny slice of windows.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
One of the main banks in the UK, NatWest, is already using Windows for its ATMs. I remember going to get cash out from one, only to be greeted with a BSOD and the error message "General Protection Fault in atm.exe"!!!
Tubal-Cain smokes the white owl.
Windows runs most kiosks/ATMS etc. I remember having fun at Gatwick airport with a touch screen Windows XP kiosk next to a sports car stand. Me and my friend simply got up the start menu through trial and error and managed to deface the locally stored website :) (helped of course by XP's onscreen keyboard) yes I know it was pointless vandalism but screw them. I've seen plenty of Windows error messages on cashmachines, timetable displays and the Nectar system at certain shops here (Sainsburys for example) all run windows (might even be possible to get free points but I haven't tried). I'm fed up with security consisting of hiding the start menu. And I don't want to find that the ATM crashes _after_ deducting money from my account but before it deals out the cash or something similarly stupid. Kiosk companies: Stop cutting corners and wasting money on Windows licenses, hire better people.
This comment does not represent the views or opinions of the user.
First: ATMs do not operate on VPNs.
Second: That nullifies your argument against his point.
Mod the parent post down.
www.sitetronics.com/wordpress
...and I've seen a few blue screens and NT error messages at a few different cinema chains... (Alright, 2. UGC and Ster-century to be exact)
ATMs mostly use OS/2 now.
OS/2 is now unsupported per IBM.
Windows NT/2K/XP/2K3 has an OS/2 subsystem, and OS/2 had WinAPI subsystems, which would greatly reduce porting.
... just without the cash dispenser on the user end.
Since when did MS provide a web server with their OSs? Or is that what they call the security holes...?
You know, my bank, Banrisul - Bank of the State of Rio Grande do Sul - have changed from windows to linux some years ago and the system is working much better since then.
But most banks in Brazil due to economic situation (high spread and taxes) are simply trying to throw money for the window, buying windows licenses reforming agencies each 6 months....
Microsoft has made some important security changes to their NT4 software for the banking industry ... they have replaced the traditional BSOD (Blue Screen 0f Death) with a Green one!
(That's Service Pack 7$ ... )
I used one ATM in Bangkok last year, and it crashed while I was trying to get some money... And yes, the system was clearly Windows.
would we be seeing those small logos sayin "Designed for Windows" and i wonder what two letters they will append to the end of windows this time we already have CE XP ME and NT :)
Check out these pictures I took from an ATM of ABN-AMRO bank in Holland with the standard NT error message when it can't successfully start all services.
Pictures
will be running a stripped down version of windows
For Christs' sake, I hope they strip out the part that causes Windows to blue-screen every 5 minutes.
Spread the RC luvin'
All I have to say is these things had better be clearly labeled.
The thing that gets me, is how do we know that Bill G. isn't a 'terrorist'? Look at it this way:
This guy forces the biggest economy supporting industry to use his software when the ENTIRE world knows that this one software package is THE BIGGEST TARGET for troublemakers, fraudsters, script kiddies, and everybody else in cyberspace up to 'no good'.
Do you REALLY want to trust the world's biggest target for your money?? If anyone ever told me that the bank I deal with switches to M$, that bank obviously does not manage money very well.
The program might be equivalent to a tank, but even a tank can't handle everything, especially if its everything all at once. This is one SCARY thought.
I will be looking for a nice deep hole and a really thick tinfoil hat tomorrow.
Keep your heads down folks! Bill is on the loose again!!!
Microsoft's attempt at world domination ... through "extend and control"
Borg Bill/Borg Ballmer> "...we have your money ..."
Install whatever OS you like--it won't do you any good against my power shovel!
(The guy in that article failed, but there have been a number of successes in the last year or two. What will people think up next...)
I was talking to this chap who was working in the group that was componentizing (sp?) XP in order for it to be embedded in applications such as this.
Other (potentially) scary prospects:
Slot machines
Cash registers
Tanks
Missile systems
I also feel very comfortable about this. What's the problem?
It's not April, 1st - or is it? huh?
Damn that's funny!
Diebold used windows in the voting machines. Granted, banks have a lot more experience and a lot more incentive to protect the infrastructure.
The best laid plans of mice and men sometime run awry.
http://yro.slashdot.org/article.pl?sid=03/09/05
http://yro.slashdot.org/article.pl?sid=03/09/
http://slashdot
http://ask.slashdot.org/article.pl?sid=03/08/
http://slashdot.org/article.pl?sid=03/08/11/1
http://slashdot.org/article.pl?sid=03/07/24/1
- What caused the Big Bang?
- How do women think?
- and even: Why does anyone still run Windows on the desktop instead of something easy to use, such as MacOS?
are all trivial compared to, "Why would someone use Windows for embedded work?"
Windows' only strength is the legacy/compatibility issue -- there's a lot of software that still only runs on Windows, and sometimes network effects require you to run some of that software. But an ATM doesn't need to be able to read someone's MS Word document, and the platform simply doesn't have anything else going for it, except disadvantages.
They say it'll be more compatible with their networks? That is the most fucked up thing I ever heard. If your protocols between your ATMs and internal services are that complex and proprietary, where compatibility is even a minor issue, then you are doing something terribly wrong. Your designers are either irresponsible and incompetent, or they are insane. I smell .NET.
I don't blame them for slowly migrating away from OS/2, but Windows? For Yog-Sothoth's sake, Windows!? And in 2003?!?
Forget the underlying OS. Give us ATM machines that have half smart USER INTERFACES!
I'm 6 foot tall. I have to crouch down to line up the manual buttons with the screen prompts- basically because the buttons are not flush with the screen.
Every time I go to my credit union's ATM with my card, it asks me, "English or Spanish?" - FIGURE IT OUT! Remember my preferences FFS!
I mean really - they put braille on the buttons - like that helps you read the screen.
I would have thought that banks would have taken every precaution necessary to isolate their ATMs from Internet based attacks, but it seems that it is not so. Dedicated lines or not, they are still vulnerable.
Last January 3 major Canadian and 1 US banks' ATMs were disrupted by the Slammer worm
I know from personal experience that my bank (CIBC) runs NT/W2K on their ATMs. I've seen it reboot, BSODS and Windows 'Start' screens on various ATMs.
A friend of mine who is a tech for Diebold tells me that virtually ALL of Diebold's ATMs are Win2k already. If it has a color LCD. It's Win2K.
And Diebold bought it. Diebold is going Windows.
This is scary. It's going to be so tempting to hang the ATMs on the bank's internal Internet and save money. And you know Microsoft will screw up and leave a port open, or leave something in the OS that calls home. The DES protection may protect the ATM transaction messages, but what about Windows Update. And yes, Microsoft does suggest installing remote "upgrades" and "hotfixes".
On a morning when I'm receiving the latest windows virus in my inbox every five minutes I feel very comfortable with this.
Am I the only one who was embarrassed when they read that? As my eyes rolled back down I can't help but wonder if every time we see comments like that, if it's complete bullshit. Who in the hell gets a virus even once a day? once a week? Or even better, don't you people have virus checking on your mail servers?
There is an ATM at my local 7-11 that uses a modem to dial-out using a POTS line (you can hear it dial). I've always wondered if you put a recording device on the line to catch the modulated traffic that you could play it back and fool the ATM into thinking it had actually dialed the bank and received authorization.
Of course, I would never actually try such shenanigans, but it always struck me as a rather unsecure way to communicate.
-TMK
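The replay question raised in the comment above, sketched from the defender's side as an added example that is not part of the original thread and does not describe any real ATM protocol: a reply that depends only on the request can be played back, while a reply carrying a MAC over a fresh terminal nonce cannot. The `Host` and `Terminal` classes, the message layout, the key and the card identifier are all constructed assumptions.

```python
"""Recorded-reply playback vs. a nonce-bound, MAC-protected authorization."""
import hashlib
import hmac
import secrets

# Constructed demo key; a real terminal would keep its key in tamper-resistant hardware.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
APPROVED = b"APPROVED"


def transcript(card, amount_cents, nonce, decision):
    """Length-prefix every field so two different tuples never serialize alike."""
    parts = [card.encode(), str(amount_cents).encode(), nonce, decision]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def mac(key, card, amount_cents, nonce, decision):
    msg = transcript(card, amount_cents, nonce, decision)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Host:
    """Hypothetical authorizing host on the far end of the phone line."""

    def __init__(self, key):
        self._key = key

    def authorize_static(self, card, amount_cents):
        # Weak design: the same bytes come back for every approved request.
        return APPROVED

    def authorize_bound(self, card, amount_cents, nonce):
        # The tag covers the terminal's nonce, so it is valid for one request only.
        return APPROVED, mac(self._key, card, amount_cents, nonce, APPROVED)


class Terminal:
    """Hypothetical terminal that decides whether to dispense."""

    def __init__(self, key):
        self._key = key
        self._pending = None

    def begin(self, card, amount_cents):
        nonce = secrets.token_bytes(16)  # fresh and unpredictable per transaction
        self._pending = (card, amount_cents, nonce)
        return nonce

    @staticmethod
    def accept_static(reply):
        return reply == APPROVED

    def accept_bound(self, decision, tag):
        if self._pending is None:
            return False
        card, amount_cents, nonce = self._pending
        self._pending = None  # a pending request can be answered once
        expected = mac(self._key, card, amount_cents, nonce, decision)
        return hmac.compare_digest(expected, tag) and decision == APPROVED


def demo():
    host, atm = Host(SHARED_KEY), Terminal(SHARED_KEY)
    card = "CONSTRUCTED-CARD-0001"  # constructed sample value
    results = {}

    # Static reply: a recording of an earlier approval is indistinguishable from a live one.
    recorded_static = host.authorize_static(card, 2000)
    results["static_replay_accepted"] = atm.accept_static(recorded_static)

    # Bound reply, live exchange.
    nonce = atm.begin(card, 2000)
    recorded_bound = host.authorize_bound(card, 2000, nonce)
    results["bound_live_accepted"] = atm.accept_bound(*recorded_bound)

    # Same recording offered against a later transaction: the nonce has changed.
    atm.begin(card, 2000)
    results["bound_replay_accepted"] = atm.accept_bound(*recorded_bound)

    # A genuine tag issued for a different amount does not verify either.
    nonce = atm.begin(card, 2000)
    _, tag_other_amount = host.authorize_bound(card, 100, nonce)
    results["amount_swap_accepted"] = atm.accept_bound(APPROVED, tag_other_amount)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```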
All I know is that there were news reports of MS-based ATMs being down during the recent MS RPC hole fiasco. I'm talking ABC and CNN here, not News of the Weird.
Windows is an incredibly complex, monolithic app. Even stripping out whatever the heck they plan to strip out, how confident can someone who really understands software QA be with WinATMs?
Not very.
Better provide the ATMs with a way to swallow worm meds!
Device Estonian folks used was actually quite sophisticated. I saw short clip of it on YLE News on TV back then. From later news transmission that part where electronics and construction of device were shown was removed and on the one time they showed it some police came and moved device away from cameras. Guess cops said you're not allowed to show that on TV.
These are facts:
Device had card reader. It was placed on front of real card slot so when you inserted card magnetic stripe was read.
People whose cards got copied said it was difficult to get card out from ATM machine. This was because after transaction ejected card was partially blocked by extra reader device those guys installed.
Keypad had kinda sticks on bottom so when you pushed number on spying keyboard it pushed real button under it at the same time. Electronics connected to fake keyboard recorded your PIN and saved it to NVRAM among content of magnetic stripe it just read as well.
Card reader was connected to keypad module that had most of electronics using cable. Cable was covered with square plastic housing to keep it less obvious what was going on.
Since you got your money from ATM no-one suspected anything fishy until day or two later when your bank account was empty.
Crooks were waiting on nearby car. After some time they went to ATM and removed their device.
Ok, those were facts. There were some claims that device had also WLAN or some other wireless connectivity so card numbers and PIN codes would have been transferred to crooks realtime. However I think that's just rumour.
Device had factory made looking PCB inside. Probably some SBC development thingy.
If there's someone with Helsingin Sanomat archive access you could probably find more details from there. HS is Finnish newspaper so that part was for Finnish readers.
On a related note, here in San Francisco, one of the local mass-transit groups (the subway, basically) is nearly done updating their circa-1970's fare gates and machines. The new ticket vendors are especially ATM-like, which has been a big deal, as the old machines were (from a UI standpoint) practically unusable.
Anyhow, the new machines look great, nice bright screens, clear directions... and when they go belly-up, they're running some variant of mid-1990's Windows: NT, I'd guess. One of the machines was stuck on the desktop the other day ("oh look, the ticket machine's got Excel")
The new machines -- like the ones they replace -- take cash, credit and ATM cards. The credit card functionality seems to go up and down (mostly down). ATM is less flaky, seeming to operate only on days with an even number of letters in their name. I haven't dared to feed one of those guys a real card since I saw that desktop grinning at me... urk.
Sounds like I'd better stock up on $20s before our new ATM Overlords take over and SoBig my credit rating.
I've seen at least 4 ATMs over the years which have been running Windows, and made it obvious.
I had the opportunity to study one in detail, as it was installed in a hospital I was visiting at the same time as the backup generators were being tested - so the power was a bit glitchy (and there was no evidence of a UPS on the ATM).
It was made by NCR and had a fancy TFT screen. It was installed in the in-hospital branch of Barclays bank about 4 years ago. Clearly it was upset at the transition to emergency power and had locked-down.
However, when mains power returned - it rebooted. It appeared to be a conventional industrial PC. It used a Pentium 3 450 MHz CPU and had 128 MB of RAM. (Can't remember HDD details).
It booted Windows NT4. It auto logged-in to some user account, and then started running a batch script. The conventional although rather sparse NT desktop (including such delights as internet explorer) was visible for the 10 mins that the batch script ran before the ATM software started.
This was the only one I've seen boot-up, the other 3 made their OS clear by displaying a variety of NT 'STOP' errors.
http://www.theinquirer.net/?article=11130
...why don't they just give each of their customers a shoebox full of $20s and a CD-ROM with an "ATM" app on it. Then, when the customer wanted cash, he could run the ATM app and then take some $20s out of the shoebox. I know I would much prefer using the ATM in the comfort of my home rather than standing in the rain and wind in front of an ATM downtown.
Give me an exploit and some time and I will empty your bank account :)
"Curiosity killed the cat, but for a while I was a suspect."- Steven Wright
Look, I agree with some here who say that Microsoft is a huge company and the ability to make lots of things work. However, I feel that a lot of Microsoft's problems with their software are due to:
1. the fact that literally thousands of different programmers have worked on it with none of the usual safeguards in place like coding standards or software reviews
2. inadequate (or no) testing before the software leaves the building.
3. a deliberate cultural influence from the top down in Microsoft that treats bugs and/or design problems as a good reason to sell the next version of software.
Now, tell me truthfully, is that really the software you want in charge of YOUR money?
Here in Munich we have, rather new, Transport-Authority automats that run Win2k. I saw one of them bluescreen a few days ago. Well, those things can change money. So maybe they are a valuable target for an overflow as well. I might get into this a bit next time I'm bored and bump into a drunken MVV employee.
Am I dumb?
And as I've stood in line at Best Buy, I've witnessed their POS machines crash twice. The OS? Windows NT. Lessons learned? Probably not.
Phil
And to think M$ used to argue you can't remove core components like IE from windows without damaging it. Does this mean A. they were lying B. they're going to leave them in the machines C. Sobig.lots.of.csh will be the reason we all LOVE virii writers or D. Bill wants to be worth 100 billion dollars and will stop at nothing....clearly A is the winner M$ are lying corporate scum
Worry now... I worked at Charter One and they had NO IDEA if a given ATM machine was up or not until a guy there wrote a program to parse a log file they had (but had never used for this) to determine the ATM availability, this was a little over a year ago.
Worry.
As far as windows, BS I guarantee that will never happen on a wide scale. I know there is little chance of Charter One ever doing that (the chance comes from the fact that all the people I know may get fired or quit and slowly morons who would propose the solution would begin to flood in).
Worry.
Regardless of the reason given, the statement about NT being able to utilize more varied hardware than OS/2 is dead on.
Then they should use a stripped-down NetBSD with a curses or basic GUI interface.
Healthcare article at Kuro5hin
I have seen an ATM with a blue screen. I am not making this up. My normal ATMs that I use I can hear that windows click like windows makes when you hit links and things.
"If you have done 6 impossible things this morning, why not round it off with breakfast at Milliways" -- hhgg
Welcome to Wells Fargo, please insert your card. *beep* Not ready reading card A Abort, Retry, Fail?
I guess the theory that the Windows-based ATMs lack network connections, and are therefore safe, might have a few holes in it.
Several years from now we'll all be wearing Hammer-pants to support the enormous 300 pound 'Microsoft Wallet for Humans' Just you wait.
These f***ing Windows-ATMs at our local crash very frequently. Especially if you need money urgently. Why don't they use UNIX or maybe BeOS ;)
http://blog.gauner.org - just a blog
"What Microsoft actually sells to the banks for ATM use is a cut-down version of Windows that doesn't contain things like Web servers," said Ross Anderson, a researcher in Cambridge, England, and author of Security Engineering. "They have tried to cut out the unnecessary rubbish that clutters up the typical PC. How good a job they've done, I just don't know.... So we definitely can't rule out the possibility that someone in the future writes a Slammer-style worm that causes thousands of ATMs to start spewing out cash."
:)
Now why can't MS do this for the home user? Strip out the unnecessary parts of Windows so that it's more secure. Come on Microsoft, I know you can do it
"Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
i'm in the uk. stopped off to get some cash on the way to the cinema one time and there was a Windows dialog box saying that a DHCP server could not be found! any attempts to enter a pin code would fail straight away. i wish i'd taken a photo :(
- doctea
When I first graduated, I worked at a financial software company. I think I was the only one in the department that had a CS degree.
It was almost a daily battle with upper management, because they disliked how I was not in the product development group, but most of the modules I was writing were replacing the core modules, because my manager/clients/etc realized that my modules were more efficient and flexible. One time the development guys got pissed, because I wrote my own month-end module, that used a more efficient data structure to store all the data. The processing time got cut from 7 hours to a few minutes!
Anyways, when the economy crashed my manager had the bright idea that I would have a much easier time finding a job than my peers, so I was one of the first let go. In retrospect, leaving that dump was the best thing that ever happened to me. However, looking back, from their perspective it was probably a poor business decision, as I kept up with friends from there and such. They had a hellish time making up for my loss.
Anyways, after working there, it scares the crap out of me to think that company was #1 in its particular industry, and yet they had such crappy design principles and developers.
I remember one such bug, where the idiot developer could not grasp the concept of having a development environment vs testing on a live system. Consequently one of our government customers got their system hosed by this guy, because his program royally fscked up the database. This agency ended up losing 6 years worth of data, because it also turns out this program has been miscalculating payments for the last 6 years unnoticed. (And you wonder where our govt spends our money!) I'm surprised we didn't get sued into bankruptcy.
Of course, they won't be able to run unsigned code, so I wouldn't worry about it!
(Unless an administrator doesn't lock it down properly, or the virus comes from MS. But I wouldn't worry about that since we all know what security gurus those MCSEs are!)
Perhaps you missed the item in the story about how ATMs already use COTS. The switch the O'Reilly story describes is from one COTS operating system (OS/2) to another (Windows).
Since the standard OS/2 distro has a TCP/IP stack, I don't see why a windows-based ATM is more likely than an OS/2-based one to add the stack.
1. The bill books and the allocated resources are realistic.
An error in the banking medium is almost unforgivable. The banks cannot allow it. Moreover, the banks are so profitable that the enormous cost of computerization in this sector, is not only accessible, but also profitable. It is not always the case in the software industry.
2. The systems are adapted.
Everything that supports the banking networks is adapted to this task and is developed by experts specifically for it. Quite the opposite of the Microsoft ideology, which voluntarily wants to be insecure and accessible to the greatest number.
3. People who make the software are tested and qualified.
The programmers who work in the banks on the base systems are experts who were trained to do it and who have worked on them for several years. They are conscious of all the repercussions that a new module can cause in the system because they know it: they have access to each line of code. All the lines are scanned with a magnifying glass. Some know only that, but they are experts in the field. They know their tools perfectly because in this field things do not evolve so quickly. Nobody else has this expertise. Microsoft cannot offer a comparable solution. Microsoft cannot even boast of knowing its own code. Windows is one monolithic, inflexible block which does not meet the needs of this industry. Not only is Windows not appropriate, but the development tools are unsuited. Microsoft's philosophy is: "let us make the simple things since the majority of people cannot manage complexity". That is perhaps fine for somebody who does not know much about computer science, but it is the worst philosophy in this case!
4. At present, all is developed in the company or by firms which come to develop code personalized for the bank.
Microsoft sells closed code. Impossible to adapt, modify, improve, configure as one wants. One becomes dependent on the salesman and it is the worst thing which can happen to the banking industry. In the event of a bug, to wait one month for a patch means the apocalypse. Microsoft is known for making code full of bugs and prone to attacks. The viruses, worms and attacks of crackers are a continual threat in the Windows environment. It is false to believe that these machines will be safe from these threats or external communications. This does not exist in reality. Whether it is by a network misconfiguration, a software bug, a human error or an attack from the inside or outside, these systems will be vulnerable. It is a certainty, especially if one thinks that the invasion of Microsoft will not stop there.
Microsoft invaded the banks, that does not predict anything good. I hope that it does not announce the replacement of the experienced programmers by beginners in Visual Basic. Closed code is bad, especially in the case of the banks.
My opinion is that this decision is an error. To save money on systems which function well, one will waste some in a technology transfer. Let us bet that this decision does not come from somebody with real technical skills and a good vision of the future.
I guess this means we will have to start referring to it as the Blue Screen of Poverty.
In the UK, Natwest bank (owned by the Royal Bank of Scotland) is already using Windows NT 4 to power their ATMs.
You do frequently have to wait for the machine to reboot before you can use it, and you sometimes see strange error messages on the screen.
I'm not aware of any reports of it giving out the wrong amount of cash though.
I walked up to one once that had "OUT OF ORDER" stickers on it and was displaying the desktop (!). From what I could see, it may even have been Windows 95 (!!) -- couldn't tell if it was NT 4. However, it was still up, not locked or crashed: when you pressed the keys at the sides of the screen (not the keypad), you got the standard [DING] sound.
On the plus side, they seem to work much faster and more smoothly than the old machines with the one LCD display for operation and another for the card transaction handling.
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
Have you been sniffing some flour or glue?
We were looking at using embedded windows
and were told $15 for Win CE (very very slow)
and $150 for Win NT 4.0 embedded.
Embedded XP is much more than that.
What is wrong with corporate management today? Are they that clueless about winblows? This doesn't make sense.
;->
What is really bad is that so many techies actually want microshaft servers and desktops. microshaft has brainwashed them. It's like a cult!
That's it! Microsoft is a CULT!!!!! Rational logical thinking (critical thinking) doesn't apply to cults. There is no reasoning with religion. You believe or you will go to hell!
Believe in Microsoft or your computing soul will go to hell!
Bill Gates is the god.
Now I understand. Must protect myself. Oh Linus! Help me.
Grins and giggles.
No-one in charge ever seems to take a second look and ask "do we really need a multi-GHz processor and OS just to decode a PIN and dispense cash?". I know Windows is ubiquitous, and seems like the safe option. But it's overkill, and any time you install way more computing power than you need, you're being wasteful, as well as taking a risk. Of course it has been amply demonstrated that Windows is NOT SECURE no matter how much the Microsoft salespeople claim otherwise. Note, I'm not saying Linux is necessarily better. I'm questioning the need for a full-blown OS at all, in these applications. Hell, I could build a simple ATM using hardwired logic gates. Installing a known-insecure consumer OS in a mission-critical application is fscking stupid, and it will cause problems. The people that make these decisions are simply hoping that they'll be promoted far enough up the ladder before it happens that someone else takes the blame.
I know the reason this happens is that by using a standard system it's much cheaper; you just have to find some VisualBasic code-monkey and whip up an application. Fundamentally, the problem is that the cost of this kind of insecurity is a) not immediately apparent and b) not borne by the company. The costs associated with a cracked ATM will just be passed on to the consumer. The cost of the blackout will similarly not hurt the stockholders of FirstEnergy.
The simple truth is that sometimes you need regulation and enforcement; if there wasn't an FAA you can bet your life that 777's would run on Windows XP by now, with a literal BSOD on a weekly basis. OK, that's a bit extreme. But let's look at that situation as an example... I know reliable flight-control software is expensive, so let's assume that if allowed, some company would be tempted to use cheap off-the-shelf equipment and software, thus making a cheaper plane. Pretty soon they would outcompete other builders (the margins are pretty thin on those things). Remember, if the only planes available were ones that ran XP, you as a consumer would have no choice as to what you flew. If every airline had a crash that often, there would be no competitive pressure to improve (that's "just a cost of doing business"). The point I'm trying to make is that sometimes competitive price pressure results in a "race to the bottom" in terms of safety, quality, or reliability. I suspect that's what we're seeing here.
Human genome = 3 billion base pairs = 6 GBit. Windows + Office = 20 Gbit. Which is more impressive?
The people that make decisions are worried most about how much it's going to cost.
And you don't think it's conceivable that someone will decide that the cost of losing billions upon billions of dollars when the Windows+TCP/IP+internet connection machines are hacked isn't worth it?
They may not be very security-savvy, but they won't do a massive rollout that will leave them with a nationwide network of completely broken ATMs that divulge money at the drop of a hat. Insider addition of malicious code, while a pain, doesn't even begin to compare cost-wise with complete public access to machines with internet-enabled, free-for-download, no-knowledge-required exploits.
You can catch and arrest a malicious insider if the losses start adding up. You can't just arrest the entire US.
They just should not be doing this, I've already seen more ATMs with Windows error messages than makes me comfortable.
How do you make it clear to the industry, Microsoft makes bloated, buggy software that is prone to crashes, requires lots of tools to program for and a large memory space to work in, whereas most of the other possibilities (Qnx, BSD, Linux etc) provide a small footprint, an open and flexible application space, simple development tools and are notorious for their inherent security.
I can't even count how many times I have seen an ATM in Sweden boot DOS and Windows 95/98. I have also seen them "Out of virtual memory" etc. etc. - Very very broken. So it's not in 2005 - it was back in 95. You are 10 years too late.... or you have had a breather for 10 years.. - Well, on the other hand, some really funny pictures have ended up on people's webpages with bluescreened ATM machines etc. etc.
- To understand recursion, we must first understand recursion -
"A Windows platform will give us more flexibility and opportunity for future enhancements," said Julie Davis, spokeswoman for Bank of America, the biggest U.S. bank. "The Windows platform allows us to put even better protections in place. However, we won't discuss the details of our security procedures."
To answer question someone asked earlier: yes, I do believe IT in banks is run by morons, as this clearly illustrates.
Do keep up, the UK's had NT4 cash machines for over 5 years.
"New Windows ATM bug allows user to withdraw from Bill Gates bank account" /me buys small Caribbean island
I'm curious if they're planning to use managed code. They could use either Java or
The additional bonus is that your ATM application would run on top of multiple hardware and OS platforms. In the case of
-------- -------- Support Wesley Clark for president!!!
Brazilian /.ers correct me if I am wrong. But I've noticed that most Brazilian banks (at least Itau, BB, Banespa) already run some version of Windows (2000, 98, 95) on their ATMs.
Last month when I went to an ATM to get some cash (Itau), I got a popup about a service failure, and I could press a button on screen to reboot the machine. I could see a PIII rebooting and Windows 2000 loading.
About two years ago a weirder thing happened: I went to Banespa Bank (whose machines used to have complete keyboards like normal computers) and as I inserted my ATM card the program crashed, giving me access to a DOS prompt!!! I could browse some directories, but didn't risk loading any program...
Now I wonder: "These are the guys that are supposed to take care of my money in security. Sure..."
---
my home
No you are not going to get any money, it's just going to bluescreen on you
-- To dream a dream is grand, but to live it is divine. -- Leto ][
A little over a year ago, I went into my bank to get $20 for lunch or something. I put my card in, typed my pin number, selected which account to get money from, and the amount.
Then all of a sudden, the screen went blue. I stared in disbelief for a moment, then a boot sequence began to display on the screen. And what did I see on the bottom of the screen, but the Microsoft trademark. I couldn't believe it. I had been bluescreened at the bank. I had to get the bank to credit the money back to my account and to get my card back (which I couldn't get back for a couple of days). So I guess you could say that I am less than thrilled about Windows running ATM's.
IANAL... But I play one on
dude... for the last fucking time
It's not an ATM MACHINE
If it were an ATM MACHINE it would be called an ATMM.
And for the record it's not PIN NUMBER either... it's PIN. PIN, ATM, OMFG!!!!
How did I know they were running Windows?
The unmistakable start-bar along the bottom... it must have crashed. There is no way I'm withdrawing cash from a certain bank branch now...
I'm very much aware of who Bruce Schneier is.
1. I'm guessing that the whole "compatibility with our networks" thing wasn't discussed with Schneier previous to his comment.
2. Get a clue yourself -- before you flame.
Insightful? Your comment? Informative to anyone who doesn't have a clue who Schneier is (and has obviously lived too long in a cave), but not insightful.
Quoth he
"It's all academic anyway..."
MS software to infiltrate cars, banks, phones, watches, your coffee machine.. Here's how MS will affect us alleviate our sufferings:
:)
1. Cars: auto-pilot and navigation will take off from the nearest cliff, overriding user requests -causing the liberation of the souls of the passengers. Will take you to MS sponsored hotels and refuse to startup until you have paid lodging fees.
2. Banks and ATMs: You have a LOAD of cash - well don't worry MS ATM's will lessen your burden by feeding it to the worms. You will get the benefits later, being on a higher level of the food chain - ie worms eat cash, birds eat worms.. and so on till it reaches you.
3. Washers and dryers: Clothes will be as white as the glass on windows (hmmm). And on top of that here's the slogan- "Totally clean clothes, VIRUS FREE!".
4. Fashion: MS fashion suit will create the perfect looks for you - that is an android, looking blue, feeling blue, black and blue - the color of choice.
5. Clocks and watches: will sing MS logon chime every 1/4 hr for 14 minutes. All time will be set to Redmond time. Will not wake you up in the morning if you have forgotten to pay the annual fee.
6. Phones: There will be software encryption and licencing to be renewed every week for voice encryption, else you will be made phone deaf and phone dumb. That's the cost for security - well you know how good that will be
Well dear fellow humans - here's a picture of the new MS world. Hope you enjoyed it.
Embedded Windows in ATMs will likely be highly locked-down unlike consumer versions of the OS. The notion that "windows" somehow automatically means a worm will hit and you'll get "free cash" is just plain stupid and just more FUD.
The point was that they want to use Windows because it is compatible with their networks... why would you care if it's compatible if you didn't have a whacked idea about actually doing something with it?
Yes, that's freaking crazy and no sane person would want to do that but your quibble is with the fine banking folks who think this is a good idea. The article indicates that there are PHB's out there who ARE crazy in this among other ways.
Read carefully before you break out that flamethrower, young Skywalker.
Quoth he
"It's all academic anyway..."
I had the opportunity of watching one of the local banks put in an ATM at the mall. The machine had a full PC in it, along with a modem of some sort (DSL? ...I wasn't asking questions).
They installed and set up Windows 98 and then put a Java virtual machine on it...version 1.3.1 for that machine. The ATM software was built in Java.
So...what is the point of that? Why pay for a Windows license and deal with their BS? If you are just going to run a Java application, why not pick a free OS and use Java on that? What was the "value added" by Windows?
I was at an ATM once (Wells Fargo or BofA) several years ago, and it crashed with someone's card still in it. It autobooted, and lo and behold, it was a pared-down Microsoft boot sequence. Looked like NT to me. Given that some of the largest banks already seem to be using Windows in their ATMs, why is this news?
the banking industry will be running a stripped down version of windows ...
oh so they will be running Windows ME
Doctors do Massage in Longview WA now, who knew?
Well the xbox is a stripped down version of win2000. Look at the number of buffer overflows it has.(fonts) It's possible that the stripped down OS version for the ATM will have the same security issues.
The xbox is pretty close to the setup of a NT ATM.
Comments.,....
I'm going to have to start keeping my money in a jar under my bed
Then they should use a stripped-down NetBSD with a curses or basic GUI interface.
Why? They want to be able to run nifty multimedia marketing kiosks.
I'd like to believe that, but remember Bank of America's online credit card processing was taken down by an MS worm recently. And OS advocacy aside, Windows is just not a good fit for this application. I'd have to conclude that anyone planning to use Windows in an ATM was more influenced by marketing than by objective assessment. That may not make them fools, but they are not showing good judgement.
They already use Windows-based ATM's and most of the time the local machine always has an error on the screen. (Looks like some kind of panic message from the kernel?!?!?)...
:)
Good job the natwest machine next to it isn't using windows yet
---- There are 10 types of people in the world. Those that understand binary and those that don't
They want to be able to run nifty multimedia marketing kiosks.
This certainly doesn't require Microsoft or their software. The only reason they choose Windows is because they think that's the only choice.
The banks are a victim of the very marketing they are trying to propagate with these kiosks. How interesting.
Healthcare article at Kuro5hin
Really? What about Bank of America's ATMs
http://www.intellnet.org/news/2003/01/25/15801-1.html
Granted, the BoA ATMs weren't directly attacked, but it does indicate that they were online.
I'm less concerned about ATMs being connected to the network. The problem will likely arise with someone finding a buffer overflow in the interface, or some oddity like that, and then being able to withdraw money from someone else's account, or to take money from the ATM w/o any authorization.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
"Even though Celent's Bezard said most banks would not offer advanced features on their revamped ATMs, machine manufacturers such as NCR envision a future in which the machines not only dispense cash, but also lottery tickets and soft drinks."
Can't wait til the day I withdraw $40 and the ATM says "you want fries with that?"
There are many good reasons for corporations to use Windows, as we all know. Security isn't a problem in this situation since it's neither TCP/IP nor on a public network. I fail to see your point. My point was to educate the poster of the original post that
a) Bruce Schneier has a better idea about what's secure than most people on the planet and,
b) ATMs don't work the way that the original poster thought, thus rendering his point moot.
Why don't you read the posts before you post your crap? These posts are all obviously off-topic. This is worth a -1: judging your grammar and (in)ability to express a point, you should probably stick to writing horrible gothic poetry. And watching Star Wars movies (yes, it's an incomplete sentence).
I have no problems with banking people who think this is a good idea. If banks can give me better service at a lower price using Windows than another OS, I'm all for it. I am fully aware that security isn't an issue here, so I'm 2 times more for it.
The rest of your comments indicate that you've no clue how managed systems and enterprise-level corporations work. That's perfectly okay, but don't go spouting ideas like 'why would you want compatibility with your own products'.
End of discussion. dodell 1, everyone else in the thread 0. STFU.
www.sitetronics.com/wordpress
What is the difference between a real song and a simulated song?
So I look in the paper and this morning, some cash machine in Bumsville, Idaho, spits $700 dollars into the MIDDLE of the street!
"For the tin-hat wearers out there (and you know who you are):"
No! If you really want to get their attention you should say:
For the tin-hat wearers out there (and _I_ know who you are)
"The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,
Why don't you go back and read the posts and lose your bad attitude?
It's obvious you have no problems with banking folks who think this is a good idea based on your previous posts. I disagree with what seems to me to be your blind faith in them and in Microsoft not to screw up this "hacking down of Windows" process. You're entitled to your opinion and I am entitled to mine. It happens that I worked in the technology end of the banking industry in a previous position. My comments are based on the "clue" that I gathered from that experience.
When you make statements that show you didn't really read the article or my original post (or reply to your follow-up) you show that you weren't really paying attention. You were just pushing an agenda.
When you then start getting personal about my name, or my experience level (which is greater than you seem to think) you're just being a Troll.
You really need to grow up.
Someone please MOD PARENT DOWN.
Quoth he
"It's all academic anyway..."
I live in the Netherlands. For on-line banking my bank (SNS) supplies a thing they call a 'digipas' which I think is better known as a Vasco token. AFAIK this device does not have a clock. In order to log on to your account you copy the serial number from the rear of the digipas and the bank returns a 6-digit number. You activate the Vasco token, enter your 5-digit PIN and then the 6-digit number. The device returns a different 6-digit number with which you can log in.
Different Dutch banks have different systems. This one seems pretty secure to me.
They keep using that word. I do not think it means what they think it means.
-----Chaz
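The clockless challenge-response login described in the digipas comment above, sketched as an added example that is not part of the original thread and is not Vasco's or the bank's actual algorithm. The HMAC-SHA256 construction with HOTP-style truncation, the three-try PIN lockout, and every name, key, serial and PIN here are assumptions constructed for illustration; the point shown is that freshness comes from the bank's random, single-use challenge rather than from a clock.

```python
import hashlib
import hmac
import secrets


def response_code(key: bytes, challenge: str) -> str:
    """Derive a 6-digit response from the shared key and the bank's challenge.

    Assumed construction: HMAC-SHA256, then dynamic truncation as in HOTP.
    """
    mac = hmac.new(key, challenge.encode("ascii"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class Token:
    """The handheld device: holds the key and answers only after the PIN."""

    MAX_PIN_TRIES = 3  # assumed lockout threshold

    def __init__(self, serial: str, key: bytes, pin: str):
        self.serial = serial
        self._key = key
        self._pin = pin
        self._bad_tries = 0

    def respond(self, pin: str, challenge: str) -> str:
        if self._bad_tries >= self.MAX_PIN_TRIES:
            raise PermissionError("token locked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._bad_tries += 1
            raise PermissionError("wrong PIN")
        self._bad_tries = 0
        return response_code(self._key, challenge)


class Bank:
    """Server side: knows each token's key and tracks outstanding challenges."""

    def __init__(self):
        self._keys = {}     # serial -> shared key
        self._pending = {}  # serial -> challenge not yet answered

    def enroll(self, serial: str, key: bytes) -> None:
        self._keys[serial] = key

    def issue_challenge(self, serial: str) -> str:
        if serial not in self._keys:
            raise KeyError("unknown token serial")
        challenge = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[serial] = challenge
        return challenge

    def verify(self, serial: str, response: str) -> bool:
        # pop() makes every challenge single-use, so a captured response
        # cannot be replayed and a wrong guess burns the challenge.
        challenge = self._pending.pop(serial, None)
        if challenge is None:
            return False
        expected = response_code(self._keys[serial], challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


def demo():
    """One login followed by a replay of the same response."""
    key = secrets.token_bytes(32)            # constructed shared secret
    bank = Bank()
    bank.enroll("0012345678", key)           # constructed serial number
    token = Token("0012345678", key, "24680")  # constructed 5-digit PIN

    challenge = bank.issue_challenge(token.serial)
    response = token.respond("24680", challenge)
    first = bank.verify(token.serial, response)
    replay = bank.verify(token.serial, response)
    return first, replay


if __name__ == "__main__":
    print(demo())
```

With only six digits of response, the bank also has to limit the number of failed verifications per account; that server-side counter is left out here.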
And if we take bank fees into consideration...
At a gas station near me, they have these nifty LCD screen displays running a Windows program... I'm not sure what it's really supposed to do, since if you touch any of the touchscreen "buttons" on the screen, it comes back with a nice little "fatal program exception" and some hex number.
:-P
I can just see it now... "withdraw from checking -- $100" -- blue screen "SYSTEM ERROR -- IRQ NOT LESS THAN OR EQUAL" --- BUT I WANT CASH!!!
Sorry, your $100 was deducted from your account, but windows crashed before it could dispense it. Just before the BSOD, it was deposited to the account of one William Gates. $40+ Billion isn't enough, he wants more.
Second, most are on a leased line directly to the hosting bank, so the likelihood of getting hit by a virus or worm is next to nothing.
I'd run Linux just not a full fledged OS. No rpm or grep or vi or any of that. Just one program that replaces init that handles all the comms and interface. A kernel module for the encrypted networking and maybe a second program that can upgrade the first one and you are all done. You could fit it on a flash chip.
set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
With all the security issues, and basic monopoly power manipulating information, you would think people would shy away from this sort of thing.
---- Booth was a patriot ----
Encryption just means that you can't listen in on the communications. It doesn't mean that those communications aren't running over TCP/IP using a stack with security holes in it. I can have all my comm's going over superSSH3 if I want but if I'm running sendmail with a root exploit it doesn't save my machine from getting broken into. If Blaster or CodeRed or some other worm breaks its way in and creates a root exploit your ATM machine could be at the mercy of whoever else manages to wander on to the network regardless of what encryption the ATM transactions use. Though the risk of this causing any major harm is low it is there. I could see some giddy hackor figuring out that they can walk around through Citizen's ATM network and inserting a program that makes every ATM machine periodically dump a wad of cash out the front. That would be a "bad thing" especially if you are the bank. Worse, they could install software that would log card numbers and pin numbers at the source before they are encrypted. If they cleaned up behind themselves they could be stealing money using that information for years. It could be disastrous.
Sometimes the efficiency of using well established standard software and protocols is not worth the risk. I wouldn't use Windows. I wouldn't use RedHat. I would, however, build something simple on top of a Linux kernel making sure I was careful every step of the way.
set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
17 and counting, mi amigo....
http://news.findlaw.com/legalnews/lit/enron/index.html#criminal
FindLaw is your friend. (The Google for Law Geeks!)
It is amazing how vigorously slashdotters can discuss any made-up story.
The "prediction" was produced by the stupid assumption that the rate of growth will be 235% each and every year.
2002 5%
2003 12%
2004 28%
2005 65%
And listen to that (oh my God!) With this rate in 2006 it will be 153%!
In other words we will have 53% more Windows installations on banking machines than the total number of banking machines on the planet. Such a thing can only be achieved by a very, very powerful company.
See http://www.linux.org/people/banrisul_english.html
First winmodems, then winprinters and now ... winATMs. ARGH !!! :-)
Bill Gates will be more rich when winATMS transfer $ 0.01 of each account to his account...
Newer versions of OS/2 (Warp 4 and eCS) can support both Windows filesharing (CIFS) and NFS.
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
Others have pointed out that some ATMs communicate over the internet. I agree with your second comment, however.
The company I am working for at the moment does SubHost systems and ATM software for large banks mostly in the third world market.
:-)
At the moment we have two ATM products. The first runs on OS2 systems. The code is a pig, its impossible to understand, but it works. The systems are mostly stable, and if they do go down, they just reboot and reload. (and they do go down often, we install systems in the middle of fricken nowhere, so power reliability is a joke. hell even comms is a problem when people dig up the cables to steal the copper).
We also have a win32 product that we are just starting to roll out in a big way. Biggest problem... scandisk if the machine isn't shutdown properly. Loading an atm is a PITA most of the time, but having to wait for scandisk is a real problem.
Security, not really an issue. The atms themselves are pretty stupid, they don't do much without the subhosts say so (unless they are running offline, which only a few banks allow in our market). And getting the money out of the safe has nothing to do with the software.
Reliability is the biggest problem IMHO. But that said, I have an interest in staying with OS2, I would like to keep my job
What? You must not have read the O'Reilly write up. They said the main driver behind this stupid transition was:
They would prefer Windows, a platform they consider 'open' in that it is compatible with their internal corporate networks.
This statement is covered in stupidity and ignorance. What good will this "compatibility" do if the silly things don't talk to the "internal" network? If they talk to the internal network and the internal network receives email and browses the web, the dumb things are part of the internet. So, what we are left with is an ignorant big dog pushing a "standard" down because he likes his Excel sheets. That's not very smart.
Banks are not really this stupid are they?
Friends don't help friends install M$ junk.
At my supermarket, the power shut off briefly, killing the CoinStar machine and the Bank of America ATM. Both were back up within about five minutes, but I watched as the ATM rebooted. It appeared to be running some archaic version of Windows 3.11! Regardless of what it was, it was clearly an M$ product.
I feel sure most /.ers have seen the (Times Square?) billboard with an XP error and heard about the ATMs in the U.K. that crashed with the Blaster virus a few months back.
First you have to assume that no Banking System in the world is completely secure to hacking. But...
It would seem to make more sense for banks to choose an obscure (read: not windows) operating systems.
A system that has many well publicized vulnerabilities will always be easier for an amateur to hack. It is akin to using dictionary words for your login and/or password. It significantly lowers the barrier of entry.
The Professional Computer Cracker will always be able to get past a system with a vulnerability, but at least amateurs will have to be comfortable in at least 2 OS's. That statistically eliminates a huge portion of the population right off the bat.
I would never recommend using an operating system that shares its roots with "consumer" clients for such a target rich device as an ATM.
--Ernie Dambach
Ernie Dambach
"It is no small thing to celebrate a simple life" -Tolkien
I've seen a C:> prompt on an ATM, and Windows dialog boxes on a petrol pump, a departure board at a station, an electronic billboard, and a timetable at a bus terminus.
Over 90% of the banks in Malaysia already use Windoze on their ATMs.
The list includes Maybank, RHB Bank, Hong Leong Bank, Commerze Bank, Bank Islam, AM Bank, Public Bank, and Southern Bank.
Come down here and try your luck!
Muchas Gracias, Señor Edward Snowden !
Last year a Windows-based ATM appeared on the corner near my girlfriend's mum's house. Looks very pretty, colour LCD screen, landscape pictures, etc. The third time I used it there was a dialog splashed across the middle of the screen, warning me that the system was running out of virtual memory and I should close some applications...
Note that most of the London (at least, maybe England) rail status notification boards are WinNT boxes. It's common to walk in and watch these reboot, or have "Running out of virtual memory..." splashed across the route of the 16:05 to Caterham.
Testing this thing let me in what ?
I can just see it now ... Try to pull out $40 from an ATM, a BSOD, and then you call the bank. 'Well, sir, we don't show that there was a BSOD. We see that the machine dispensed your $40, and there's nothing we can do about it.'
Besides, I'm not too crazy about Microsoft having access to my banking information. I can just see that day I get my bank statement and see several ATM withdrawals that have no corresponding receipt. Of course, they will come under the guise of "Microsoft ATM Service Fee" and each 'fee' will be $100.
You know what I thought was funny about the article. Unless I read it wrong, the bank ATMs will be connected to a bank's corporate LAN. But in a few sentences down, it's stated that a virus can't hit the ATM because it won't be online. But we've all seen it a million times -- if a virus hits a corporate network, Windows just spreads it everywhere, and I can only assume that the LAN-connected, Windows-driven bank ATM would also be affected.
Between giving Microsoft access to my banking information and carrying live cash around with me, I think I'd choose to carry cash. I might get mugged, but that's why I carry a 9mm.
Seth Anderson BTW, I'm not 23 anymore -- I am TexasCowboy26 now. =)
It would be fun to see a virus-infected ATM spitting out cash.