Slashdot Mirror


Windows ATMs by 2005

An anonymous reader writes "O'Reilly Developer News is running a brief on how the banking industry will be running a stripped-down version of Windows on 65% of its ATM machines by 2005. On a morning when I'm receiving the latest Windows virus in my inbox every five minutes I feel very comfortable with this."

15 of 802 comments

  1. Windows ATMs by elvum · · Score: 5, Informative

    We have them in the UK already - the sight of ATMs showing an NT4 logon screen is not uncommon...

    1. Re:Windows ATMs by martingunnarsson · · Score: 5, Informative

      Yep, in Sweden too. I've seen them displaying Windows error messages a couple of times. On the other hand I've seen the Unix ones reboot about as many times.

      --
      Martin
  2. Already there by I8TheWorm · · Score: 5, Informative

    Um.... a good number of ATMs issued by a large bank I used to code for run NT 4.0. This isn't late breaking news.

    --
    Saying Android is a family of phones is akin to saying Linux is a family of PCs.
    1. Re:Already there by syle · · Score: 4, Informative
      You're right. I write code for the banking industry now, and this is nothing new to me. The ATMs are certainly the last line of change, but the move from OS/2 to NT/2000 has been sweeping through the industry the past few years. Most manufacturers that used the platform (like Unisys) have officially stopped supporting it within the last year, which makes all the bank execs change immediately.

      Honestly, having ATMs on NT isn't so worrisome to me, since I know the back room sorters, remittance machines, data entry stations, and imaging apps have all been using Windows for at least a few years. Those are much more dangerous in terms of having direct access to your personal banking databases. A lot of banks don't connect them to any internal networks at all, but a lot do because remote management is a big deal amongst companies reselling the machines to banks.

      At least ATMs have security cameras and all that stuff. These machines and software in the back room are rarely half as secure as a given ATM.

      --

      /syle

  3. Re:Public BSOD by DaveV1.0 · · Score: 4, Informative
    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  4. Pics of a Win NT ATM shutting down. by amembleton · · Score: 3, Informative

    A friend of mine took these photos of a Win NT Natwest cash machine shutting down.

    This is a bit worrying.

  5. Re:Mo Money! Mo Money! Mo Money! by Reylas · · Score: 5, Informative

    Sorry, but you obviously do not work in banking as a lot of new ATMs do have a TCPIP stack on them. That was the big push from finance institutions in order to play along with current network configurations. I am looking at a Diebold ATM right now that is based on TCPIP.

    Reylas

  6. Re:Three Major Vulnerabilities by Digital11 · · Score: 5, Informative

    Trust me when I say that you have no clue what you're talking about. I work for a bank. We communicate with our ATMs over a dedicated line. Having an extremely stripped down version of Windows on an ATM really isn't going to make it a whole lot less secure. It'll still be the same way it's always been: The easiest way to get money from an ATM is just to take the ATM. (No, I'm not kidding. We've had that happen a couple of times.)

    Maintenance staff does not have 'root' access to the system. They have the ability to open the safe to place more money in, as well as to restock the paper feed for receipts. That's it. If they're going to take money they're going to do it from the safe, then they'll get caught by doing so. We have one ATM technician and even he doesn't have 'root' access to the boxes.

    Please do a little research before opening your mouth.

    --
    I am a leaf on the wind. Watch how I soar.
  7. Re:ATM scams by Richard_at_work · · Score: 5, Informative

    The latter scheme seemed dubious; the chain-letter like WARNING on the machine, and the insertion sensors on card slots I can't see allowing something jammed that far into them. Plus this was at a gas station deep in suburbia where hanging around the ATM would be suspicious, and where the ATM was in a corner making its use a complete screen of the keyboard.

    This scam is called the Lebanese loop, and involves installing a thin bit of wire into the card slot, which jams the card in there. This of course stops the ATM from actually doing anything, but a kind gentleman behind you suggests that maybe you should input your PIN a second time. While he is shoulder surfing. This of course doesn't work, and the ATM refuses to give your card back, mainly because it actually can't :)

    Then you give up, wander into the bank to complain, and he has extracted your card (easy if you know how with these things) and run off to another ATM in the locality to quickly drain your account of everything he can get.

    This scam has been run a number of times in my town, and people keep getting caught out, even tho there are now massive warnings on the ATMs.

  8. Re:Mo Money! Mo Money! Mo Money! by sphealey · · Score: 5, Informative

    You're forgetting that there are actually some smart people in the banking industry that will realize that having your ATMs running windows hooked up to the internet is a bad idea. The people that make these kinds of decisions are not fools.

    I would have said the same thing about the electric utility and railroad industries, as both have over 120 years of experience handling dangerous large-scale technology. And yet CSX operations were seriously affected by the MSBlaster worm, and there are some indications that the latest East Coast blackout may have been triggered by attacks on COTS-based systems (the CSX incident is confirmed; the First Energy incident is {so far} rumour).

    I have seen the pressure to go COTS first-hand myself in an application where it really wasn't a good engineering decision. But the price and functionality of the COTS system exerted tremendous pressure on the selection process.

    And again, Enron was a financial services company, as were the New York investment houses that served it, but that didn't make them immune from doing stupid things.

    sPh

  9. Re:Mo Money! Mo Money! Mo Money! by 1g$man · · Score: 4, Informative

    They already run off the shelf software and have for quite some time. At least one major national bank runs NT on their ATMs, while most other ATMs in the country run OS/2.

  10. How ATMs really work by dodell · · Score: 3, Informative

    Unfortunately, this is what's happening. Microsoft has done the same with banks as what they've done with most corporate entities -- 'bid' systems and training to them. The deal is that most banks store information in MS databases, most Internet bank interfaces are ASP applications (.NET will make this worse). Whether or not it's 'secure enough' is not a question...

    Believe it or not, there are people who get paid very well to administrate Windows computers and they like Windows very much.

    I'm not sure how hackable these machines will be either. ATMs use either dialup or ISDN connections to communicate centrally with banks, so they're not going to be on any public network (check out http://answers.google.com/answers/threadview?id=241775 for a good discussion about how credit/ATM cards work and links to many resources on the subject).

    Additionally, there isn't much room for hacking an ATM... I mean, without taking the thing apart, you have 21 keys maximum (4 - 8 keys to choose options on the screen, 10 keys for numbers, an OK key, cancel transaction key and backspace key) on most machines. Without opening the thing up, you're not going to get very far.

    While Windows may not be secure over a public network with all sorts of services running, on a private direct connection with solid software, there's really no vulnerability here. You should learn a little more about how these machines work... they're not on some wide-open network hole waiting to be exploited.

    ATM transactions are also encrypted, and I think we all agree that Microsoft is definitely pro-encryption.

    So, before we go bitching about MS getting their stuff put on ATMs, I think we should look at the online interfaces to our accounts which are much more insecure than any ATM that will have Windows (and all the posts here seem to just be whining about how insecure it will be). I guarantee that you losing your ATM card is the most insecure thing that can happen in this regard without taking the ATM apart. A UNIX-based machine would be potentially just as vulnerable if you consider this possibility.

    On the other hand, I think poorly written online banking software accessible through web-browsers on any platform is more of a security threat to your banking.

    On a final note, in the Netherlands, anyway, banks give you this little device that you put your card in and it generates a hash that you have to type in every transaction. Is anybody aware of what is actually being hashed? I wouldn't think it's any private data on the card, because several banks don't require you to insert the card into the device. The best I can tell it's simply a couple of hashing algorithms hashing the current time (with about a 30 second period -- i.e. two hashes within n seconds generate the same hash) and... ? The PIN? Not sure.

    Anyway, food for thought for you overly-hyped cynical freaks.

  11. V-Com by Lemmeoutada+Collecti · · Score: 5, Informative

    I have had the recent pleasure of watching the V-Com ATM machines being installed in our local convenience stores. They are PCs controlling the system, using Internet connections over TCP/IP to communicate, running Windows NT Workstation 4.0 SP6a. They have a custom keyboard missing the CTRL, ALT, and other state keys, and a touch screen interface to boot. And they can be crashed so easily it goes beyond funny to just plain sad.

    The tech doing updates opens the bay, plugs in a regular keyboard, logs on to an e-mail account, and runs the patches distributed that way.

    Not something I really would trust with my money!

    --

    You can have it fast, accurate, or pretty. Pick any 2.
  12. Re:Mo Money! Mo Money! Mo Money! by KernelHappy · · Score: 5, Informative

    Ummm... You're the optimist aren't you.

    I worked in the EFT industry for about 5 years as an engineer and I can say that you are so wrong it's not even funny. The people that make decisions are worried most about how much it's going to cost. If it wasn't for cost, every bank would be processing transactions in real time rather than relying on batch processing on IBM's that are as old as I am.

    When a "new" technology comes along in the industry, it's usually applied to the old technology model. For example, when the processor I worked for started using TCP/IP as a transport between datacenters, they didn't encrypt the data end to end. Instead they just replaced some older dedicated link and relied on the same weak ass pin block encryption they always did, paying no mind to the fact that someone with a notebook and a network card could easily yield 40-50 complete cards per second.

    And if you think because it's financial that everything has to be balanced to the penny, you're so wrong. To start with the legacy systems that some networks have to deal with ensure that reconciliation will NEVER be 100%. Then add to it that if the money is right, a processor will further bastardize their code to accommodate someone else's improper implementation. You end up with a legacy system that often produces unexpected results when something out of the ordinary occurs (I remember one morning when people were being credited several billion dollars to their account after returning something to a store).

    As far as auditors or regulators plugging the holes, fat chance. Regulators are more concerned about transaction fees being present on the front of ATMs and the taxability of the transactions that occur. The auditors only know what the engineers tell them since they are usually not engineers or marginal ones at best. The auditors are primarily interested in the paperwork trail left behind from production code installs. If the paperwork looks good they're happy. Mind you that as far as the auditors are concerned, good looking paperwork means that it exists. They do not look for proof of testing other than a signature, in other words no supporting documentation showing the before and after effects of the change are required to be documented. Furthermore no regression test is required to show that nobody piggybacked malicious code on the issue. In other words the auditors just smile nicely if you hand them a big stack of papers.

    Ultimately, the EFT industry is filled with dinosaurs, people that talk about how funny it was when they used punch cards or learned some obscure language in college that hasn't been used in decades. When I left the industry 4-5 years ago, there were people that still used their PCs as dumb terminals because they didn't understand the whole personal computer thing (I'm REALLY not joking).

    So as far as Windows being used on ATMs, they are going to do as they've done in the past. They will build the machine but instead of putting OS/2 on it, they'll install Windows on it. They will rely on the same security they always have, and why shouldn't they? It's served them well for 30 years.

    --
    -- Button up, your ignorance is showing
  13. FACTS ABOUT ATM SCAM IN FINLAND COUPLE YEARS AGO. by johu · · Score: 4, Informative

    Device Estonian folks used was actually quite sophisticated. I saw short clip of it on YLE News on TV back then. From later news transmission that part where electronics and construction of device were shown was removed and on the one time they showed it some police came and moved device away from cameras. Guess cops said you're not allowed to show that on TV.

    These are facts:

    Device had card reader. It was placed on front of real card slot so when you inserted card magnetic stripe was read.

    People whose cards got copied said it was difficult to get card out from ATM machine. This was because after transaction ejected card was partially blocked by extra reader device those guys installed.

    Keypad had kinda sticks on bottom so when you pushed number on spying keyboard it pushed real button under it at the same time. Electronics connected to fake keyboard recorded your PIN and saved it to NVRAM among content of magnetic stripe it just read as well.

    Card reader was connected to keypad module that had most of electronics using cable. Cable was covered with square plastic housing to keep it less obvious what was going on.

    Since you got your money from ATM no-one suspected anything fishy until day or two later when your bank account was empty.

    Crooks were waiting on nearby car. After some time they went to ATM and removed their device.

    Ok, those were facts. There were some claims that device had also WLAN or some other wireless connectivity so card numbers and PIN codes would have been transferred to crooks realtime. However I think that's just rumour.

    Device had factory made looking PCB inside. Probably some SBC development thingy.

    If there's someone with Helsingin Sanomat archive access you could probably find more details from there. HS is Finnish newspaper so that part was for Finnish readers.