Windows ATMs by 2005

An anonymous reader writes "O'Reilly Developer News is running a brief on how the banking industry will be running a stripped down version of windows on 65% of its ATM machines by 2005. On a morning when I'm receiving the latest windows virus in my inbox every five minutes I feel very comfortable with this."

Biggest pet peeve

[sib888]

Automated Teller Machine Machine?

I Hate That!!!!

Re:Three Major Vulnerabilities

[twisty7867]

Your arguments are foolish on the face.

* The bank connection includes federally mandated encryption. The FFIEC (Federal Financial Institutions Examination Council) specifies the exact standard of encryption used. by the way, have you notice that there are no "Windows standard" encryption schemes anyway? They are all industry standards.

* Buffer overrun exploits also rely on unchecked input - if input is screened to a limited variety of characters few if any buffer overrun exploits would be possible.

* Finally, the maintenance staff has *gasp* physical access to the cartridges of cash loaded into the machine. Why the hell would they bother with a virus when they can just take the money and wander off? The basic premise of any bank is that you can trust the employees not to take the money. As someone who has worked for financial institutions for most of his career, I can tell you without a doubt that anyone who violates this trust is detected and dealt with in a quick and harsh fashion.

Re:Mo Money! Mo Money! Mo Money!

[sphealey]

f you completely disregard that most ATMs don't have built-in TCP/IP stacks-- even the ones that communicate via CDPD, or cellular to internet use a transmitter that works through a serial port and sends an encrypted stream of data to the processor-- Most ATMs are designed to go balls-up at the first sign of trouble and shut themselves down after sending detailed error messages to their owners via leased line

The problem being that once a commercial technology ("commercial off-the-shelf" or COTS in milspeak) starts to leak into a closed architecture application, it becomes almost impossible for manufactuers to resist the pressure to use all the features of the commercial technology to reduce cost.

If Vendor A makes an ATM that uses propriatary closed architecture and its units cost $125,000, while Vendor B uses Windows but its units cost $110,000, guess who is going to win the bids? So Vendor A goes to Windows + TCP/IP and gets down to $100,000/unit. Vendor B then responds with Windows + TCP/IP + "Internet connection to eliminate costly leased line charges". Guess who will win that bid? And there we are - the security of a closed system gone in three rounds of bidding.

Now perhaps that example is bad, because there might be regulations in the financial industry to prevent it. And such regulations might even be enforced. But then again, if Enron or Dick Cheney had bought a large ATM network...

sPh

Is security really an issue here?

[verbatim_verbose]

I understand the standard windows=bad theme for slashdot postings, but think about it for a minute. It's in a box that's locked up tight, many with cameras around, not connected directly to the internet... so really... is there any significant security issue to worry about any more so than with the other ATMs around?

Re:Mo Money! Mo Money! Mo Money!

[spruce]

You're forgetting that there are actaully some smart people in the banking industry that will realize that having your ATM's running windows hooked up to the internet is a bad idea. The people that make these kinds of decisions are not fools.