Windows ATMs by 2005
An anonymous reader writes "O'Reilly Developer News is running a brief on how the banking industry will be running a stripped down version of Windows on 65% of its ATM machines by 2005. On a morning when I'm receiving the latest Windows virus in my inbox every five minutes I feel very comfortable with this."
Same thing in the Netherlands; I've seen ATMs crash and a friend of mine had his bank card swallowed when the thing BSOD'd.
Here's the link I was looking for. Classic stuff!
well, the physical attack is always there.
A year or two ago some Estonian wiseguys pulled a nice gig here in Finland (IIRC they did it in Sweden too, but I'm not too sure anymore). What they did was install a fake panel on top of the original ATM machine's panel, so that when you put in a card it recorded it (IIRC it even replaced the pad and stored those numbers too). The guys who make up ideas like this and build the devices are no idiots, so security by obscurity would be a dead-end street.
Though, when reading email from public terminals is risky, I'd think a few times before doing my banking from them if I could avoid it.
I trust ATMs enough to use them though, and would probably even if they had a bit more complicated software in them, provided that it wasn't written by an idiot.
Fortunately for the banking industry and unfortunately for you, most ATMs have built-in failsafes to keep that from happening.
If you completely disregard that most ATMs don't have built-in TCP/IP stacks-- even the ones that communicate via CDPD, or cellular to internet use a transmitter that works through a serial port and sends an encrypted stream of data to the processor-- Most ATMs are designed to go balls-up at the first sign of trouble and shut themselves down after sending detailed error messages to their owners via leased lines. Out of paper? Error message, shut down. Out of money? Error message, shut down. OS Crash? Error message, shut down. Damage to the ATM Case? Error message, shut down.
Yeah we've had them for 6+ years (surprised this is news to others). I've seen them BSOD, ask for a login, and the one round the corner from me had a DHCP expiry/conflict alert on it for 3 months. You'd think SOMEONE would be arsed to fix it!
(Still worked though, but it put other people off using it, meaning I didn't have to queue to use it).
Lots of them are color and have shockwave flash type intros.
The underground here in London (well, really DLR, the Docklands Light Railway) has ticket machines that run OS/2, apparently in French or German though (definitely not English!). They often die at early hours of the morning (~6) until rebooted remotely.
As someone who has used and stood in line to use one of these machines, let me just say that they are a far cry from the efficiency of the current ATMs. Just on a rough estimate, it takes 3-4 times longer for your average Joe Sixpack to make a transaction.
From my own experience, and knowing what I'm doing, the OS runs a good bit slower than the tried and true green on black systems. Top that off with the annoying pointy finger and IE "click" noises, and you have an example of change for change's sake.
Of course, the only reason at all they seem to be using this new system is so they can bombard you with advertising while you're using the machine.
All in all, a bad change all around.
I actually stopped going to a particular grocery store in my city (*cough* Kroger! *ahem*) because its automated checkout system was broken so often.
They have 10 self-service checkouts running Windows, and whenever I would go there, more than half were crashed, and the rest were in other various error messages (like Mouse Not Found sort of things). That left one or two checkout people to handle a loooooong line of people trying to buy things.
Based on the success that I've seen with Windows at the grocery store, I think if my bank switches to Windows, I'll switch banks. Shame, too, since it took me a year to convince them to support Mozilla for online banking.
You're right - this comment doesn't make any sense - ATM machines need a land line to get card validation, and, in the past at least, this land line has used 56-bit encryption (due to overseas requirements, I think). Sure, it's not connected to the Internet, but who says the machine it calls into isn't, and that machine can't pass on a virus?
Oh, wait - the machine it connects up to would be a large mainframe that runs 1/2 the speed of the slowest PC, and written entirely in COBOL - I forget these things about the stodgy old banks we know and love.
I saw one crashed the other day and was so amused that I took a photo of the screen. It's poor quality: taken with a phone, at night. The sheet of paper at the bottom of the picture was taped over the screen, saying "Out of order". Of course I was curious and peeled it down.
Picture of ATM in Sweden: http://www.cs.umu.se/~c97pir/resources/images/minut.jpg
One interesting thing is how/why it was successfully updated (if the bank wanted to do it I don't think the dialog would be there).
-E
[[ Lots of them are color and have shockwave flash type intros. ]]
;-)
Reminds me of a Windows taskbar that beautified the screen for an entire night after programmes had ended on a local TV station.
There was supposed to be a flash thing running.
I hear that in the US you get nothing but static instead?
Windows ATM ? It's already happening!
I was in Croatia some years ago, inserted my card, made some choice on the screen when suddenly a BSOD appeared, the card remained stuck in the ATM and I wasn't able to get it back, even though the bank was open.
I had to continue my vacation without money since the card was mailed to my bank... in Italy...
Unfortunately I didn't have a camera...
The usual method is to steal a JCB or Bulldozer and rip the whole machine out of the wall. Shove it in the back of a stolen van, shoot off at high speed to an abandoned warehouse, and take your time getting it open.
This happened quite a few times here in the UK about 10 years ago. Don't know why people stopped doing it; maybe they use those dye bombs now?
...use NT 4.0. Most of the original security issues with it had to do with the way it was programmed rather than the OS.
I actually thought most of them had been running Windows for years. I was amused with something I saw three years ago in this regard. I was in a bank in line behind a middle-aged non-techy who had just received their first ATM card. You know how non-techies can sometimes crash programs that a veteran would swear are rock solid. That's what she did. She crashed the ATM. This was inside a bank. A teller saw the whole ordeal, appeared promptly with a key, opened the ATM (from the front), pulled out a keyboard which was stashed away in the machine (!), pressed Ctrl-Alt-Del, and closed it up again as the machine booted Windows 3.1 (!). The teller was not a techie either. The "press Ctrl-Alt-Del" message was on a sticky note pasted to the keyboard (!). I swore I would never use another ATM with a touch-screen GUI. When possible, I use the text screen ATMs with blind belief that it is better (!).
I'll start working on modifying my ATM card's magnetic strip to overflow the ATMs card reader.
I think you were being funny but I actually develop ATM software and some of the code I have inherited from the previous idiots would have been susceptible to exactly that. It wouldn't get you any money unless you knew the internal protocols for dealing with the cash dispenser in addition to knowing how to exploit a buffer overflow (in which case you would likely know 10 other/better/easier ways to rip it off), but that is almost certainly a hole in more than a few machines out there.
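As an added example (not code from the page or from any ATM vendor), here is the fixed-buffer Track 2 handling the comment above describes, beside a bounded parser that checks the total length and each field's limit before copying a single byte. The field layout and 40-character maximum are ISO/IEC 7813 Track 2; the struct, function names and the sample tracks are this example's own.

```c
/* Added example, not code from the page or from any ATM vendor: the fixed-buffer
 * Track 2 handling the comment above describes, beside a bounded parser.
 * Layout per ISO/IEC 7813 Track 2: ';' PAN(<=19 digits) '=' YYMM SSS
 * discretionary digits '?', at most 40 characters. Names are this example's own. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define TRACK2_MAX 40

struct track2 {
    char pan[20];      /* up to 19 digits + NUL */
    char expiry[5];    /* YYMM + NUL */
    char service[4];   /* 3-digit service code + NUL */
};

/* The vulnerable pattern: trusts the reader to deliver a well-formed track.
 * A stripe longer than TRACK2_MAX overruns buf; a PAN longer than 19 digits
 * overruns out->pan. Kept only for contrast; never call it on untrusted data. */
int parse_track2_unsafe(const char *raw, struct track2 *out)
{
    char buf[TRACK2_MAX + 1];
    strcpy(buf, raw);                              /* unbounded copy */
    const char *sep = strchr(buf, '=');
    if (!sep) return -1;
    size_t plen = (size_t)(sep - buf - 1);
    memcpy(out->pan, buf + 1, plen);               /* unbounded PAN */
    out->pan[plen] = '\0';
    memcpy(out->expiry, sep + 1, 4); out->expiry[4] = '\0';
    memcpy(out->service, sep + 5, 3); out->service[3] = '\0';
    return 0;
}

/* Bounded parser: checks the total length first, then every field against
 * its own limit, before any byte is copied. Returns 0 on success, -1 on
 * any malformed or oversized input. */
int parse_track2_safe(const char *raw, size_t len, struct track2 *out)
{
    /* minimum is ';' + 1 PAN digit + '=' + YYMM + SSS + '?' = 10 bytes */
    if (len < 10 || len > TRACK2_MAX) return -1;
    if (raw[0] != ';' || raw[len - 1] != '?') return -1;

    const char *p = raw + 1, *end = raw + len - 1;   /* end -> '?' */
    size_t n = 0;
    while (p < end && isdigit((unsigned char)*p)) {
        if (n >= sizeof out->pan - 1) return -1;     /* PAN too long */
        out->pan[n++] = *p++;
    }
    out->pan[n] = '\0';
    if (n == 0 || p >= end || *p != '=') return -1;
    p++;
    if ((size_t)(end - p) < 7) return -1;             /* YYMM + SSS */
    for (int i = 0; i < 7; i++)
        if (!isdigit((unsigned char)p[i])) return -1;
    memcpy(out->expiry, p, 4);      out->expiry[4] = '\0';
    memcpy(out->service, p + 4, 3); out->service[3] = '\0';
    for (const char *q = p + 7; q < end; q++)        /* discretionary data */
        if (!isdigit((unsigned char)*q)) return -1;
    return 0;
}

int main(void)
{
    struct track2 t;
    /* constructed sample tracks, not real card data */
    const char *ok  = ";4321987654321098=25121010000?";
    const char *big = ";4321987654321098=2512101" "00000000000000000" "?";
    int r = parse_track2_safe(ok, strlen(ok), &t);
    printf("valid track: rc=%d pan=%s exp=%s svc=%s\n", r, t.pan, t.expiry, t.service);
    printf("43-byte track: rc=%d (rejected before copying)\n",
           parse_track2_safe(big, strlen(big), &t));
    return 0;
}
```

The bounded version takes the length from the reader driver rather than trusting a terminator, so a stripe that is too long, a PAN that is too long, or a non-digit in any field is refused before any of it reaches a fixed-size buffer.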
Presumably you'd have a low-level driver or watchdog timer or something like that looking after the rest of the OS. I wouldn't be surprised if mainframes had stuff like this - my understanding is that if you go Big Blue they knock on your door asking to replace hardware before you even know there was something wrong.
All you need is an extra microprocessor in there with a simple firmware designed to keep asking the OS "are you OK?" and killing it if it doesn't respond. For all the cost of securing an ATM that can't be all that expensive.
I believe Linux possesses features like this - at least that is the impression I get when disabling all those kernel features related to watchdog interrupts...
In many European countries ATMs have a secure cryptographic device attached, which stores all cryptographic keys used to encrypt data between the ATM and the ATM server. All cryptographic computations are made in that device and it is designed to "erase its memory" if someone tries to pull it out or do something weird.
The specific drivers exist, and so do the engineering skills. Moreover, banks are very conservative; some still have DOS or OS/2 ATMs, so they stick to stuff they know (usually not your favorite free OS).
Normally, the PIN you type is directly transferred (encrypted) to the secure device and does not go through the PC memory. So your PIN is pretty safe from any virus or trojan horse.
These requirements are imposed by VISA/Mastercard, because they take PIN security very seriously.
The remaining risk comes from an insider who would put a trojan horse in the ATM such that it would dispense cash automatically, for example if you type a certain key combination.
This does not endanger your PIN, though, or any transaction. It's basically a problem for the bank.
This is a rather complex attack, even if you have Windows, OS/2 or Linux on the ATM (Windows might just make it easier). The hard part is getting into the system (these machines don't run any standard services and there are access control policies). There are easier and less dangerous ways to get money from the credit/debit card systems than hacking into an ATM in a protected environment.
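An added example, not from the page: the ISO 9564-1 format 0 PIN block that a secure PIN device forms from the entered PIN and the card's PAN before encrypting it under the PIN key it holds, plus the inverse that the host HSM applies after decryption. The encryption step and the key handling the comment above describes are not implemented here; the function names are this example's own and the PIN/PAN pair in main is a constructed test vector, not real card data.

```c
/* Added example, not from the page: ISO 9564-1 format 0 PIN block, the clear
 * 8-byte block a secure PIN device (EPP) forms from the PIN and the PAN before
 * encrypting it under the PIN key it holds, and the inverse the host HSM applies
 * after decryption. Encryption and key handling are not implemented here; the
 * function names are this example's own. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

static int hexval(char c)
{
    return isdigit((unsigned char)c) ? c - '0' : toupper((unsigned char)c) - 'A' + 10;
}
static char hexchr(int v) { return "0123456789ABCDEF"[v & 0xF]; }

static int all_digits(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* PAN field: four zero nibbles, then the rightmost 12 PAN digits excluding
 * the final (Luhn check) digit. pan must be 13..19 digits. */
static int pan_field(const char *pan, char panf[16])
{
    size_t alen = strlen(pan);
    if (alen < 13 || alen > 19 || !all_digits(pan, alen)) return -1;
    memset(panf, '0', 4);
    memcpy(panf + 4, pan + alen - 13, 12);
    return 0;
}

/* Builds the 16-hex-digit format 0 block into out (NUL-terminated).
 * PIN field is: control nibble 0, PIN length, PIN digits, 'F' padding.
 * Block = PIN field XOR PAN field. Returns 0 on success, -1 on bad input. */
int iso9564_format0(const char *pin, const char *pan, char out[17])
{
    size_t plen = strlen(pin);
    char pinf[16], panf[16];
    if (plen < 4 || plen > 12 || !all_digits(pin, plen)) return -1;
    if (pan_field(pan, panf) != 0) return -1;
    pinf[0] = '0';
    pinf[1] = hexchr((int)plen);
    memcpy(pinf + 2, pin, plen);
    memset(pinf + 2 + plen, 'F', 14 - plen);
    for (int i = 0; i < 16; i++)
        out[i] = hexchr(hexval(pinf[i]) ^ hexval(panf[i]));
    out[16] = '\0';
    return 0;
}

/* Host side: recover the PIN from a (decrypted) block and the PAN. Fails if
 * the control nibble, length or padding are wrong, which is what happens
 * when the block is XORed with a PAN other than the one used to build it. */
int iso9564_extract_pin(const char *block, const char *pan, char pin_out[13])
{
    char panf[16], pinf[16];
    if (strlen(block) != 16 || pan_field(pan, panf) != 0) return -1;
    for (int i = 0; i < 16; i++) {
        if (!isxdigit((unsigned char)block[i])) return -1;
        pinf[i] = hexchr(hexval(block[i]) ^ hexval(panf[i]));
    }
    if (pinf[0] != '0') return -1;
    int plen = hexval(pinf[1]);
    if (plen < 4 || plen > 12) return -1;
    for (int i = 2 + plen; i < 16; i++)
        if (pinf[i] != 'F') return -1;
    if (!all_digits(pinf + 2, (size_t)plen)) return -1;
    memcpy(pin_out, pinf + 2, (size_t)plen);
    pin_out[plen] = '\0';
    return 0;
}

int main(void)
{
    char block[17], pin[13];
    /* constructed test vector: PIN 1234, PAN 43219876543210987 */
    if (iso9564_format0("1234", "43219876543210987", block) == 0)
        printf("format 0 block: %s\n", block);
    if (iso9564_extract_pin(block, "43219876543210987", pin) == 0)
        printf("recovered PIN: %s\n", pin);
    return 0;
}
```

The point of the PAN mixing is that an intercepted block is bound to one card, and the device never hands the PC anything but the encrypted block; in a real EPP the XOR and the encryption both happen inside the tamper-responsive boundary the comment describes.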
One of the reasons they use Windows is because it's the cheapest alternative (YES! Shock!)
I know this won't get accepted if I submit it, as everything I submit gets rejected.
And because this is directly related to Windows security, well here ya go.
Also the BIG reason I submit this is the mention of the flaw. A SECURITY HOLE THAT HAS BEEN KNOWN FOR TWO YEARS and remains unrepaired.
Anyone that thinks Windows is or can be a secure environment lives on another planet.
http://www.cnn.com/2003/TECH/internet/09/19/worm.swen.reut/index.html
New worm targets Internet Explorer
SAN FRANCISCO, California (Reuters) --Anti-virus companies warned on Thursday of a new computer worm circulating through e-mail that purports to be security software from Microsoft Corp. but actually tries to disable security programs that are already running.
The worm, dubbed "Swen" or "Gibe," takes advantage of a two-year-old hole in Internet Explorer and affects systems that have not installed a patch for that security hole, according to Internet security company Network Associates Inc.
The malicious program arrives as an attachment to an e-mail pretending to contain a patch for holes in Internet Explorer, Outlook and Outlook Express and then mails itself off to addresses located on the victim's computer.
Relay chat also vulnerable
The worm also can spread over Internet relay chat and the Kazaa peer-to-peer network, as well as copy itself over shared networks, Network Associates said.
When it infects a computer it alerts a Web site that appears to be counting the infections, according to Symantec Corp., another Internet security outfit. The number of the counter was near 760,000 by Thursday afternoon.
Network Associates rated the worm a low risk for corporate users and a medium risk for home users. The company and rival Symantec, among others, were offering anti-virus updates that detect and remove the worm.
Microsoft has cautioned customers in the past against e-mail software updates, saying it does not distribute patches that way but rather directs them to its Web site.
Some remote access software like VNC won't always let you see some system dialogs (any that don't show up as a button in the taskbar, basically) so maybe they don't even notice!
I work for one of the big four hardware manufacturers. All of the new terminals run on WinXP. OS/2 is supported only on the older models.
$3 a processor. Linux would probably cost much more than that because the bank would need to customize it for their needs
... boiling that down, "Windows doesn't require patches, except for the patches it requires."
But the generic Windows XP Embedded is already perfect for any situation, and would require no customization. Ok.
Windows ATM, on the other hand, needs no kernel patches; every time a problem is found you can just download a hotfix from their site. This requires no experts and lowers the TCO.
Microsoft are not stupid if they are making a windows version for ATMs they will *Make sure* it is 100% secure.
*cough*
Obviously their reputation would be at stake.
Obviously.
After worms killed Bank of America's Windows-based ATMs and caused the greatest power outage in history you would think people would quit trying to use Windows for secure environments. Windows is a desktop single-user OS for office workers. It is no good for any other purpose (in fact being inferior even to Linux for even that purpose). For ATMs the banks should be using a secure RTOS of some sort, not a desktop OS.
Someone is going to have to put a stop to this nonsense. Our country's financial structure and infrastructure are threatened by Microsoft's predatory marketing practices and refusal to build stable secure software. The only answer is to ban their products in certain usage.
The real joke was when the banks said that they wanted to use a more open operating system, which is why they chose Microsoft. Yes, if you want a standard, open operating system rather than proprietary garbage use Windows. Hmm. Something wrong there. But then the banks are using Windows for everything else. So they find it easier to interface with Windows than anything else because that is what the MCSEs they hired know how to connect with.
Get the picture? Microsoft has made sure that their OS is a pain in the ass to connect to anything and that the more you know about their OS the less you know about computing in general or any other OS. Therefore the path of least resistance is to just install Windows for everything. Of course if it were me the path of least resistance would be to tell the MS salesguy to get the fuck out of my office and tell the MS software to get the fuck off my machines. Then I would install something stable, secure, usable, and open source.
If everyone did that we would have fewer computing problems all around. Too bad we have idiots who still insist on using piece of shit software.
I approached an ATM machine only a couple of weeks ago (the Bank of Scotland machine in Leuchars, Fife, for anyone nearby) and was both taken aback and greatly amused to find an 'Add/Remove Programs Properties' window filling up the display!
I didn't realise until then that people were actually using Windows for bank machines. It looked like either 98 or NT4 (probably/hopefully the latter)... needless to say I couldn't take any frigging money out >:(
IBM and Diebold ended their joint venture (InterBold) in 1999. The choice to use OS/2 had nothing to do with IBM; it was decided before the joint venture started. It was the only solid 32-bit OS for the Intel CPU in the early nineties. Before that, the ATMs used a Unix-like OS from Intel called RMX, which was used in industrial controllers. Before that, everything was firmware.
I have been responsible for locking them down, and I don't have an entirely happy feeling about it. But that's about 3000 odd ATMs to add to the statistics!
Well, this goes to prove that Microsoft's claims in court that Windows was so tightly integrated into a single monolithic system are false. Obviously if the system is still functional enough to provide the frameworks needed to run ATM software and a modern user-interface, after being stripped down, then the same is certainly possible for mainstream use. In fact, it's likely that the reason it is stripped down is because superfluous features are a risk. Internet access and DirectX can also be seen as superfluous features.
Of course, this comes after the fact. So maybe you could argue Windows has been re-architected since the legal trouble, but I doubt anyone with a knowledge of complicated software engineering and familiarity with Microsoft's code bases could say that under oath.
The banking industry is one where cutting corners simply isn't allowed.
You'd be surprised at just how cheap banks and money institutions can be. Although it wasn't a bank, I once worked for the largest government bonds firm as a sysadmin. Their clients were banks themselves. Bonds were traded in lots of 10 million and in one day you'd get several thousand transactions. I was amazed at just how much money used to flow through the systems I was running. As a brokerage firm, they made their commission with a few pennies on every transaction. They were making tons of cash daily. Money was everywhere, but what amazed me most was the equipment. Many of the hub servers were old SPARC 5's and if it was a bigger client, they got a spanky Ultra 5. Not even servers! For such a critical app, I suggested they buy into Netras or something telco grade that could withstand a beating. The response I got was it was too much money. I couldn't believe it. Here they'd pull in 20 million in one day from a single client, and they couldn't spend $1000 to upgrade the server. Then it was explained to me by another admin who'd worked that arena a while. He said the cheapest companies you'll ever work for (from a sysadmin perspective) will be banking institutions and financial firms. They're filthy rich, but you can't squeeze a penny from them.
That's been my only experience with being a sysadmin at a money institution, but from that experience, it wouldn't surprise me at all to hear how banks would opt for the lowest bidder for any project. Hell, these guys were so cheap, they'd try to avoid buying directly from Sun and go with some third party refurbish vendor. Just unbelievable how cheap they'd be....but they all wore very nice suits. And just so you know....yes....they're still in business and they're still the largest bonds brokerage firm in the world. Pretty scary from a tech perspective.
And Diebold bought it. Diebold is going Windows.
This is scary. It's going to be so tempting to hang the ATMs on the bank's internal Internet and save money. And you know Microsoft will screw up and leave a port open, or leave something in the OS that calls home. The DES protection may protect the ATM transaction messages, but what about Windows Update. And yes, Microsoft does suggest installing remote "upgrades" and "hotfixes".
Don't forget that the powers that be at financial institutions are shitty pants. The amount of legacy systems out there is simply amazing. The problem is that if they reimplement something on their side, there's more than a chance that some hacks added to the old system will not make the transition, thus breaking compatibility with someone else's system (even if their system is doing it wrong).
The best example of this I can give was an EFT processor that spent time and money creating and implementing a new message format for OLTP. During testing with their first large client, they discovered that the client misinterpreted the spec (aka they went the hard route rather than the easy obvious way). Rather than having the client change their code, they actually changed the interpretation of their specification. This would have been fine except that 80% of the next 100 clients to come online interpreted the updated spec the way it was originally intended and every one of them had to make the change.
Now just think about what this says. If a company is willing to bastardize its brand-new message specification just to make one client happy, how many little hacks do you think you'll find in 15 years' worth of coding?
I'm in the UK. Stopped off to get some cash on the way to the cinema one time and there was a Windows dialog box saying that a DHCP server could not be found! Any attempts to enter a PIN code would fail straight away. I wish I'd taken a photo :(
- doctea
1) You're asserting SSH is an OS now? That's pretty funny.
.dll files are never part of the OS, is that it? Guess what, sweetie? A Win32-based package will likely include the .dll files as part of the OS for "better integration" and "faster response", no matter whose encryption gets used. (You do know what the word "likely" means, right?)
;)
Oh, you claim that
2) Microsoft has been caught in court hiding APIs, for frig sakes. APIs (esp. the ones not fully published, if at all) also have a nasty habit of creating side effects not intended by the author, many of which are too subtle to be detected until long after release.
Microsoft isn't in the business of supplying the source code for their OS without expecting a ton of cash for the privilege, and an NDA the size of California's budget deficit listings.
Microsoft software (like anybody else's) has holes in it. There is no such thing as a 100% secure system, and MS is the worst in the lot. At least with OSS, you get the source code and can customize the whole shebang to suit your needs, AND find/plug all the holes you find yourself, without relying on Redmond to patch it for you.
Now dearie, was all of that easy enough for you to understand? I hope so, because I'd hate to have to post a 2MB GIF with all the info broken down into: "See Jane code. Code Jane, code. See Jane find hole in OS and there's fsck-all she can do about it..."
IOW, there are no wild assumptions or (therefore) strawman arguments in there.
I mean really, if you have to resort to simple cries of "debate tricks! debate tricks!" when your head fails you, I suggest you give up on your dreams of someday working in a real IT shop, and get back to collecting your boss' dry cleaning before he catches you messing around unauthorized on the web
--
(kindly insert your invented "*snif* but dammit I'm successful!" response and sundry haphazard sputterings here... we know it's coming.)
--
A little over a year ago, I went into my bank to get $20 for lunch or something. I put my card in, typed my PIN, selected which account to get money from, and the amount.
Then all of a sudden, the screen went blue. I stared in disbelief for a moment, then a boot sequence began to display on the screen. And what did I see on the bottom of the screen, but the Microsoft trademark. I couldn't believe it. I had been bluescreened at the bank. I had to get the bank to credit the money back to my account and to get my card back (which I couldn't get back for a couple of days). So I guess you could say that I am less than thrilled about Windows running ATM's.
They already run off the shelf software and have for quite some time. At least one major national bank runs NT on their ATMs, while most other ATMs in the country run OS/2.
I saw an out-of-order ATM a while back displaying a black screen with a C:\ prompt! Now maybe we can get the BSOD instead.
I had the opportunity of watching one of the local banks put in an ATM at the mall. The machine had a full PC in it, along with a modem of some sort (DSL? ...I wasn't asking questions).
They installed and set up Windows 98 and then put a Java virtual machine on it...version 1.3.1 for that machine. The ATM software was built in Java.
So...what is the point of that? Why pay for a Windows license and deal with their BS? If you are just going to run a Java application, why not pick a free OS and use Java on that? What was the "value added" by Windows?
Indeed. Something we should all get in our minds...corporations are driven by money and everything else is a shadow of forethought. The thought that there are smart people in corporations is probably accurate. The idea that those smart people are who make the decisions in a corporation, however, is not as accurate as you'd think. The idea that there are smart people in corporations is ok but you'd be surprised how many stupid people are actually in corporations. By the way, I equate stupid with greedy as well as ignorant.
:) Anyhoo, my point is that you should NEVER assume there are smart people making the decisions for these companies. I've heard all too often that the smart people that make the suggestions and the budgets are the victims of F&A cutbacks that end up altering those decisions and causing lots of hectic problems because the smart decisions were just not in the monetary interest of the company. Lame, lame, lame.
:) /me steps off his soap-box.
I like to think of corporations as greed tanks from the top down. The greedy people are at the top. These are the people who are thinking "What can I do today to make more money?" -- translation: "Who can I screw over today to steal more money?". I sincerely believe that that question gets answered in a three-tiered response. The first people the corporate "leaders" try to steal from are their employees, i.e. long hours for salaried employees and no bonuses (yet they continue to lure new employees with a non-existent bonus package). Today's work-force deals with below-average salary and too few employees for the amount of work there is. So the workload is particularly heavy on the few workers that are within a department, which causes those exempt employees to feel obligated to work beyond their required 40 hours per week fighting for that much promised bonus that will actually never be equal to the amount of extra work the employee put in IF they even get the bonus!! The second set of people they try to steal from are their customers. Ever noticed the price of things going up yet the quality AND quantity of the product is going down? Uhhh...hello! And lastly, themselves, i.e. the other directors, presidents, VPs, etc., which probably happens far less because they are all savvy to the game. Enron is a perfect example of this kind of crap. Has anyone from Enron been indicted yet!? I don't think so (last I checked anyway). Just another example of how these white-collar crimes are bureaucracies of manipulation and conspiracy.
Hmm, I got off the path there didn't I?
I still have a very low opinion of corporations large and small. I've been employed in large and small corporations and all but one of them was shady in their internal practices.
I'd love to rant some more because this topic really grinds me. But, alas, I won't.
- Jim
- J