Windows ATMs by 2005
An anonymous reader writes "O'Reilly Developer News is running a brief on how the banking industry will be running a stripped-down version of Windows on 65% of its ATM machines by 2005. On a morning when I'm receiving the latest Windows virus in my inbox every five minutes I feel very comfortable with this."
well, the physical attack is always there.
year or two ago some estonian wiseguys pulled a nice gig here in finland (iirc they did it in sweden too, but i'm not too sure anymore). what they did was install a fake panel on top of the original atm machine's panel, so that when you put in a card it recorded it (iirc it even replaced the pad and stored those numbers too). the guys who make up the ideas like this and make up the devices are no idiots, so security by obscurity would be a dead end street.
though, when reading email from public terminals is risky, i'd think a few times before doing my banking from them if i could avoid it.
i trust atm's enough to use them though, would probably even if it had a bit more complicated software in it, provided that it wasn't written by an idiot.
world was created 5 seconds before this post as it is.
Fortunately for the banking industry and unfortunately for you, most ATMs have built-in failsafes to keep that from happening.
If you completely disregard that most ATMs don't have built-in TCP/IP stacks-- even the ones that communicate via CDPD, or cellular to internet use a transmitter that works through a serial port and sends an encrypted stream of data to the processor-- Most ATMs are designed to go balls-up at the first sign of trouble and shut themselves down after sending detailed error messages to their owners via leased lines. Out of paper? Error message, shut down. Out of money? Error message, shut down. OS Crash? Error message, shut down. Damage to the ATM Case? Error message, shut down.
Yeah we've had them for 6+ years (surprised this is news to others). I've seen them BSOD, ask for a login, and the one round the corner from me had a DHCP expiry/conflict alert on it for 3 months. You'd think SOMEONE would be arsed to fix it!
(Still worked though, but it put other people off using it, meaning I didn't have to queue to use it).
Lots of them are color and have shockwave flash type intros.
The underground here in London (well, really DLR, the Docklands Light Railway) has ticket machines that run OS/2, apparently in French or German though (definitely not English!). They often die at early hours of the morning (~6) until rebooted remotely.
As someone who has used and stood in line to use one of these machines, let me just say that they are a far cry from the efficiency of the current ATMs. Just on a rough estimate, it takes 3-4 times longer for your average Joe Sixpack to make a transaction.
From my own experience, and knowing what I'm doing, the OS runs a good bit slower than the tried and true green on black systems. Top that off with the annoying pointy finger and IE "click" noises, and you have an example of change for change's sake.
Of course, the only reason at all they seem to be using this new system is so they can bombard you with advertising while you're using the machine.
All in all, a bad change all around.
I saw one crashed the other day and was so amused that I took a photo of the screen. It's poor quality: taken with a phone, at night. The sheet of paper at the bottom of the picture was taped over the screen, saying "Out of order". Of course I was curious and peeled it down.
Picture of ATM in Sweden: http://www.cs.umu.se/~c97pir/resources/images/minut.jpg
One interesting thing is how/why it was successfully updated (if the bank wanted to do it I don't think the dialog would be there).
-E
I'll start working on modifying my ATM card's magnetic strip to overflow the ATMs card reader.
I think you were being funny but I actually develop ATM software and some of the code I have inherited from the previous idiots would have been susceptible to exactly that. It wouldn't get you any money unless you knew the internal protocols for dealing with the cash dispenser in addition to knowing how to exploit a buffer overflow (in which case you would likely know 10 other/better/easier ways to rip it off) but that is almost certainly a hole in more than a few machines out there.
In many European countries ATMs have a secure cryptographic device attached, which stores all cryptographic keys used to encrypt data between the ATM and the ATM server. All cryptographic computations are made in that device and it is designed to "erase its memory" if someone tries to pull it out or do something weird.
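The hole described in the comment above is card-supplied data copied into a fixed buffer without a length check. As an added example (not part of the original thread and not any vendor's code), here is a bounded parser for ISO/IEC 7813 track 2 data; it assumes the reader hands over decoded ASCII with the `;` and `?` sentinels, and `parse_track2` and `struct track2` are hypothetical names.

```c
#include <stddef.h>
#include <string.h>

#define TRACK2_MAX 40 /* ISO/IEC 7813 track 2 limit, sentinels and LRC included */
#define PAN_MAX    19 /* longest account number the standard allows */

struct track2 {
    char pan[PAN_MAX + 1];
    char expiry[5];   /* YYMM */
    char service[4];
};

static int is_digit(char c) { return c >= '0' && c <= '9'; }

/* Unsafe pattern this replaces: strcpy(pan, raw + 1) into a fixed buffer,
 * trusting the card to stay within the standard's length.
 * Returns 0 on success, -1 on malformed or oversized input (out is then unusable).
 * Cards that omit the expiry field are rejected here to keep the example short. */
int parse_track2(const char *raw, size_t len, struct track2 *out)
{
    size_t i = 1, n = 0;

    memset(out, 0, sizeof *out);
    if (len < 3 || len > TRACK2_MAX || raw[0] != ';')
        return -1;

    /* PAN: digits up to '=', bounded by both PAN_MAX and the input length */
    while (i < len && raw[i] != '=') {
        if (!is_digit(raw[i]) || n >= PAN_MAX)
            return -1;
        out->pan[n++] = raw[i++];
    }
    if (n == 0 || i >= len)   /* empty PAN or separator never found */
        return -1;
    i++;                      /* skip '=' */

    /* 4 expiry digits + 3 service-code digits + at least the end sentinel */
    if (len - i < 8)
        return -1;
    for (n = 0; n < 7; n++)
        if (!is_digit(raw[i + n]))
            return -1;
    memcpy(out->expiry, raw + i, 4);
    memcpy(out->service, raw + i + 4, 3);
    i += 7;

    /* discretionary digits, then the end sentinel must be present */
    while (i < len && is_digit(raw[i]))
        i++;
    return (i < len && raw[i] == '?') ? 0 : -1;
}
```
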
:-) :)
:-) ). The specific drivers exist and also the engineering skills. Moreover banks are very conservative, some still have DOS or OS/2 ATMs so they stick to stuff they know (usually not your favorite free OS).
Normally, the PIN you type is directly transferred (encrypted) to the secure device and does not go through the PC memory. So your PIN is pretty safe from any virus or trojan horse.
These requirements are imposed by VISA/Mastercard, because they take PIN security very seriously.
The remaining risk comes from an insider who would put a trojan horse in the ATM such that it would dispense cash automatically, for example if you type a certain key combination.
This does not endanger your PIN though or any transaction. It's basically a problem for the bank.
This is a rather complex attack, even if you have Windows, OS/2 or Linux on the ATM (Windows might just make it easier). The hard part is getting into the system (these machines don't run any standard services and there are access control policies). There are easier and less dangerous ways to get money from the credit/debit card systems than hacking into an ATM in a protected environment.
One of the reasons they use windows is because it's the cheapest alternative (YES! Shock!
The banking industry is one where cutting corners simply isn't allowed.
You'd be surprised at just how cheap banks and money institutions can be. Although it wasn't a bank, I once worked for the largest government bonds firm as a sysadmin. Their clients were banks themselves. Bonds were traded in lots of 10 million and in one day you'd get several thousands of transactions. I was amazed at just how much money used to flow through the systems I was running. As a brokerage firm, they made their commission with a few pennies on every transaction. They were making tons of cash daily. Money was everywhere, but what amazed me most was the equipment. Many of the hub servers were old SPARC 5's and if it was a bigger client, they got a spanky Ultra 5. Not even servers! For such a critical app, I suggested they buy into Netras or something telco grade that could withstand a beating. The response I got was it was too much money. I couldn't believe it. Here they'd pull in 20 million in one day from a single client, and they couldn't spend $1000 to upgrade the server. Then it was explained to me by another admin who's worked that arena a while. He said the cheapest companies you'll ever work for (from a sysadmin perspective) will be banking institutions and financial firms. They're filthy rich, but you can't squeeze a penny from them.
That's been my only experience with being a sysadmin at a money institution, but from that experience, it wouldn't surprise me at all to hear how banks would opt for the lowest bidder for any project. Hell, these guys were so cheap, they'd try to avoid buying directly from Sun and go with some third party refurbish vendor. Just unbelievable how cheap they'd be... but they all wore very nice suits. And just so you know... yes... they're still in business and they're still the largest bonds brokerage firm in the world. Pretty scary from a tech perspective.
A little over a year ago, I went into my bank to get $20 for lunch or something. I put my card in, typed my pin number, selected which account to get money from, and the amount.
Then all of a sudden, the screen went blue. I stared in disbelief for a moment, then a boot sequence began to display on the screen. And what did I see on the bottom of the screen, but the Microsoft trademark. I couldn't believe it. I had been bluescreened at the bank. I had to get the bank to credit the money back to my account and to get my card back (which I couldn't get back for a couple of days). So I guess you could say that I am less than thrilled about Windows running ATMs.
IANAL... But I play one on