Slashdot Mirror


Windows ATMs by 2005

An anonymous reader writes "O'Reilly Developer News is running a brief on how the banking industry will be running a stripped down version of Windows on 65% of its ATM machines by 2005. On a morning when I'm receiving the latest Windows virus in my inbox every five minutes I feel very comfortable with this."

25 of 802 comments

  1. Mo Money! Mo Money! Mo Money! by ChaoticChaos · · Score: 5, Funny

    Holy cow! Can you say, "Free cash!"

    Just stand in front of ATM the next time a worm rocks through and watch it start spitting out bills.

    ROFL!!!!!!!!!!!!!!!!!

    1. Re:Mo Money! Mo Money! Mo Money! by Bonker · · Score: 5, Interesting

      Fortunately for the banking industry and unfortunately for you, most ATMs have built-in failsafes to keep that from happening.

      If you completely disregard that most ATMs don't have built-in TCP/IP stacks-- even the ones that communicate via CDPD, or cellular to internet use a transmitter that works through a serial port and sends an encrypted stream of data to the processor-- most ATMs are designed to go balls-up at the first sign of trouble and shut themselves down after sending detailed error messages to their owners via leased lines. Out of paper? Error message, shut down. Out of money? Error message, shut down. OS Crash? Error message, shut down. Damage to the ATM Case? Error message, shut down.

    2. Re:Mo Money! Mo Money! Mo Money! by sphealey · · Score: 5, Insightful
      If you completely disregard that most ATMs don't have built-in TCP/IP stacks-- even the ones that communicate via CDPD, or cellular to internet use a transmitter that works through a serial port and sends an encrypted stream of data to the processor-- most ATMs are designed to go balls-up at the first sign of trouble and shut themselves down after sending detailed error messages to their owners via leased lines.

      The problem being that once a commercial technology ("commercial off-the-shelf" or COTS in milspeak) starts to leak into a closed architecture application, it becomes almost impossible for manufacturers to resist the pressure to use all the features of the commercial technology to reduce cost.

      If Vendor A makes an ATM that uses a proprietary closed architecture and its units cost $125,000, while Vendor B uses Windows but its units cost $110,000, guess who is going to win the bids? So Vendor A goes to Windows + TCP/IP and gets down to $100,000/unit. Vendor B then responds with Windows + TCP/IP + "Internet connection to eliminate costly leased line charges". Guess who will win that bid? And there we are - the security of a closed system gone in three rounds of bidding.

      Now perhaps that example is bad, because there might be regulations in the financial industry to prevent it. And such regulations might even be enforced. But then again, if Enron or Dick Cheney had bought a large ATM network...

      sPh

    3. Re:Mo Money! Mo Money! Mo Money! by Reylas · · Score: 5, Informative

      Sorry, but you obviously do not work in banking, as a lot of new ATMs do have a TCP/IP stack on them. That was the big push from finance institutions in order to play along with current network configurations. I am looking at a Diebold ATM right now that is based on TCP/IP.

      Reylas

    4. Re:Mo Money! Mo Money! Mo Money! by spruce · · Score: 5, Insightful

      You're forgetting that there are actually some smart people in the banking industry that will realize that having your ATMs running Windows hooked up to the internet is a bad idea. The people that make these kinds of decisions are not fools.

    5. Re:Mo Money! Mo Money! Mo Money! by sphealey · · Score: 5, Informative
      You're forgetting that there are actually some smart people in the banking industry that will realize that having your ATMs running Windows hooked up to the internet is a bad idea. The people that make these kinds of decisions are not fools.

      I would have said the same thing about the electric utility and railroad industries, as both have over 120 years of experience handling dangerous large-scale technology. And yet CSX operations were seriously affected by the MSBlaster worm, and there are some indications that the latest East Coast blackout may have been triggered by attacks on COTS-based systems (the CSX incident is confirmed; the First Energy incident is {so far} rumour).

      I have seen the pressure to go COTS first-hand myself in an application where it really wasn't a good engineering decision. But the price and functionality of the COTS system exerted tremendous pressure on the selection process.

      And again, Enron was a financial services company, as were the New York investment houses that served it, but that didn't make them immune from doing stupid things.

      sPh

    6. Re:Mo Money! Mo Money! Mo Money! by tetra103 · · Score: 5, Interesting

      The banking industry is one where cutting corners simply isn't allowed.

      You'd be surprised at just how cheap banks and money institutions can be. Although it wasn't a bank, I once worked for the largest government bonds firm as a sysadmin. Their clients were banks themselves. Bonds were traded in lots of 10 million and in one day you'd get several thousand transactions. I was amazed at just how much money used to flow through the systems I was running. As a brokerage firm, they made their commission with a few pennies on every transaction. They were making tons of cash daily. Money was everywhere, but what amazed me most was the equipment. Many of the hub servers were old SPARC 5s and if it was a bigger client, they got a spanky Ultra 5. Not even servers! For such a critical app, I suggested they buy into Netras or something telco grade that could withstand a beating. The response I got was it was too much money. I couldn't believe it. Here they'd pull in 20 million in one day from a single client, and they couldn't spend $1000 to upgrade the server. Then it was explained to me by another admin who's worked that arena a while. He said the cheapest companies you'll ever work for (from a sysadmin perspective) will be banking institutions and financial firms. They're filthy rich, but you can't squeeze a penny from them.

      That's been my only experience with being a sysadmin at a money institution, but from that experience, it wouldn't surprise me at all to hear how banks would opt for the lowest bidder for any project. Hell, these guys were so cheap, they'd try to avoid buying directly from Sun and go with some third party refurbish vendor. Just unbelievable how cheap they'd be....but they all wore very nice suits. And just so you know....yes....they're still in business and they're still the largest bonds brokerage firm in the world. Pretty scary from a tech perspective.

    7. Re:Mo Money! Mo Money! Mo Money! by KernelHappy · · Score: 5, Informative

      Ummm... You're the optimist aren't you.

      I worked in the EFT industry for about 5 years as an engineer and I can say that you are so wrong it's not even funny. The people that make decisions are worried most about how much it's going to cost. If it wasn't for cost, every bank would be processing transactions in real time rather than relying on batch processing on IBMs that are as old as I am.

      When a "new" technology comes along in the industry, it's usually applied to the old technology model. For example, when the processor I worked for started using TCP/IP as a transport between datacenters, they didn't encrypt the data end to end. Instead they just replaced some older dedicated link and relied on the same weak ass pin block encryption they always did, paying no mind to the fact that someone with a notebook and a network card could easily yield 40-50 complete cards per second.

      And if you think because it's financial that everything has to be balanced to the penny, you're so wrong. To start with, the legacy systems that some networks have to deal with ensure that reconciliation will NEVER be 100%. Then add to it that if the money is right, a processor will further bastardize their code to accommodate someone else's improper implementation. You end up with a legacy system that often produces unexpected results when something out of the ordinary occurs (I remember one morning when people were being credited several billion dollars to their account after returning something to a store).

      As far as auditors or regulators plugging the holes, fat chance. Regulators are more concerned about transaction fees being present on the front of ATMs and the taxability of the transactions that occur. The auditors only know what the engineers tell them since they are usually not engineers or marginal ones at best. The auditors are primarily interested in the paperwork trail left behind from production code installs. If the paperwork looks good they're happy. Mind you that as far as the auditors are concerned, good looking paperwork means that it exists. They do not look for proof of testing other than a signature; in other words no supporting documentation showing the before and after effects of the change is required to be documented. Furthermore no regression test is required to show that nobody piggybacked malicious code on the issue. In other words the auditors just smile nicely if you hand them a big stack of papers.

      Ultimately, the EFT industry is filled with dinosaurs, people that talk about how funny it was when they used punch cards or learned some obscure language in college that hasn't been used in decades. When I left the industry 4-5 years ago, there were people that still used their PCs as dumb terminals because they didn't understand the whole personal computer thing (I'm REALLY not joking).

      So as far as Windows being used on ATMs, they are going to do as they've done in the past. They will build the machine but instead of putting OS/2 on it, they'll install windows on it. They will rely on the same security they always have, and why shouldn't they? It's served them well for 30 years.

      --
      -- Button up, your ignorance is showing
  2. Windows ATMs by elvum · · Score: 5, Informative

    We have them in the UK already - the sight of ATMs showing an NT4 logon screen is not uncommon...

    1. Re:Windows ATMs by martingunnarsson · · Score: 5, Informative

      Yep, in Sweden too. I've seen them displaying Windows error messages a couple of times. On the other hand I've seen the Unix ones reboot about as many times.

      --
      Martin
    2. Re:Windows ATMs by l-ascorbic · · Score: 5, Interesting

      I saw one crashed the other day and was so amused that I took a photo of the screen. It's poor quality: taken with a phone, at night. The sheet of paper at the bottom of the picture was taped over the screen, saying "Out of order". Of course I was curious and peeled it down.

    3. Re:Windows ATMs by Anonymous Coward · · Score: 5, Interesting

      Picture of ATM in Sweden: http://www.cs.umu.se/~c97pir/resources/images/minut.jpg One interesting thing is how/why it was successfully updated (if the bank wanted to do it I don't think the dialog would be there). -E

  3. Already there by I8TheWorm · · Score: 5, Informative

    Um.... a good number of ATMs issued by a large bank I used to code for run NT 4.0. This isn't late breaking news.

    --
    Saying Android is a family of phones is akin to saying Linux is a family of PCs.
  4. Blue Screen of ... by Anonymous Coward · · Score: 5, Funny

    ... Debt.

  5. ATM Windows error picture by wherley · · Score: 5, Funny

    Windows on an ATM - already happening. Already getting errors.

  6. uh.. by grub · · Score: 5, Funny

    "They have tried to cut out the unnecessary rubbish that clutters up the typical PC."

    but.. but.. the article says they're running Windows.. now I'm confused.

    --
    Trolling is a art,
  7. Biggest pet peeve by sib888 · · Score: 5, Insightful

    Automated Teller Machine Machine?

    I Hate That!!!!

    --
    I'm sib888, and I approved this comment.
  8. Usability by Geekenstein · · Score: 5, Interesting

    As someone who has used and stood in line to use one of these machines, let me just say that they are a far cry from the efficiency of the current ATMs. Just on a rough estimate, it takes 3-4 times longer for your average Joe Sixpack to make a transaction.

    From my own experience, and knowing what I'm doing, the OS runs a good bit slower than the tried and true green on black systems. Top that off with the annoying pointy finger and IE "click" noises, and you have an example of change for change's sake.

    Of course, the only reason at all they seem to be using this new system is so they can bombard you with advertising while you're using the machine.

    All in all, a bad change all around.

  9. Re:Three Major Vulnerabilities by twisty7867 · · Score: 5, Insightful

    Your arguments are foolish on the face.

    * The bank connection includes federally mandated encryption. The FFIEC (Federal Financial Institutions Examination Council) specifies the exact standard of encryption used. By the way, have you noticed that there are no "Windows standard" encryption schemes anyway? They are all industry standards.

    * Buffer overrun exploits also rely on unchecked input - if input is screened to a limited variety of characters few if any buffer overrun exploits would be possible.

    * Finally, the maintenance staff has *gasp* physical access to the cartridges of cash loaded into the machine. Why the hell would they bother with a virus when they can just take the money and wander off? The basic premise of any bank is that you can trust the employees not to take the money. As someone who has worked for financial institutions for most of his career, I can tell you without a doubt that anyone who violates this trust is detected and dealt with in a quick and harsh fashion.

  10. Re:Three Major Vulnerabilities by Digital11 · · Score: 5, Informative

    Trust me when I say that you have no clue what you're talking about. I work for a bank. We communicate with our ATMs over a dedicated line. Having an extremely stripped down version of Windows on an ATM really isn't going to make it a whole lot less secure. It'll still be the same way it's always been: The easiest way to get money from an ATM is just to take the ATM. (No, I'm not kidding. We've had that happen a couple of times.)

    Maintenance staff does not have 'root' access to the system. They have the ability to open the safe to place more money in, as well as to restock the paper feed for receipts. That's it. If they're going to take money they're going to do it from the safe, and then they'll get caught by doing so. We have one ATM technician and even he doesn't have 'root' access to the boxes.

    Please do a little research before opening your mouth.

    --
    I am a leaf on the wind. Watch how I soar.
  11. Is security really an issue here? by verbatim_verbose · · Score: 5, Insightful

    I understand the standard windows=bad theme for slashdot postings, but think about it for a minute. It's in a box that's locked up tight, many with cameras around, not connected directly to the internet... so really... is there any significant security issue to worry about any more so than with the other ATMs around?

  12. Re:Buffer Overflow? by Anonymous Coward · · Score: 5, Interesting

    I'll start working on modifying my ATM card's magnetic strip to overflow the ATMs card reader.

    I think you were being funny, but I actually develop ATM software and some of the code I have inherited from the previous idiots would have been susceptible to exactly that. It wouldn't get you any money unless you knew the internal protocols for dealing with the cash dispenser in addition to knowing how to exploit a buffer overflow (in which case you would likely know 10 other/better/easier ways to rip it off), but that is almost certainly a hole in more than a few machines out there.
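
    The point made in posts 9 and 12 above (screen the input to a small character set and bound every copy, and the card-reader overflow has nowhere to go) can be shown concretely. What follows is an added example written for this page, not code from the thread, from any ATM vendor or from the posters: a bounded parser for ISO/IEC 7813 track 2 data in C. It assumes the limits of that standard as I know them (at most 40 characters including sentinels, a PAN of at most 19 digits) and uses constructed sample records; the names parse_track2, track2_status_of and track2_fields_match are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Limits assumed from ISO/IEC 7813 track 2: at most 40 characters in total
 * (sentinels included) and a PAN of at most 19 digits. */
#define TRACK2_MAX_LEN 40
#define PAN_MAX_DIGITS 19

enum track2_status {
    TRACK2_OK = 0,
    TRACK2_TOO_LONG,     /* more bytes than the format allows */
    TRACK2_BAD_CHAR,     /* anything other than digits and sentinels */
    TRACK2_BAD_FORMAT,   /* sentinels or fixed-width fields missing */
    TRACK2_PAN_TOO_LONG  /* more than PAN_MAX_DIGITS before the '=' */
};

struct track2 {
    char pan[PAN_MAX_DIGITS + 1];
    char expiry[5];        /* YYMM */
    char service_code[4];
};

/* Copy exactly `width` digits from raw[*pos] into dst (NUL-terminated).
 * Fails if the input runs into the end sentinel or holds a non-digit. */
static bool copy_digits(const char *raw, size_t raw_len, size_t *pos,
                        char *dst, size_t width)
{
    for (size_t k = 0; k < width; k++) {
        if (*pos + k >= raw_len - 1 || !isdigit((unsigned char)raw[*pos + k]))
            return false;
        dst[k] = raw[*pos + k];
    }
    dst[width] = '\0';
    *pos += width;
    return true;
}

/* Parse raw card-reader output into fixed-size fields. The record length is
 * checked before any byte is copied, every field copy is bounded by its
 * destination, and the character set is restricted to what the format
 * allows, so oversized or malformed stripe data is rejected rather than
 * overrunning a buffer. */
enum track2_status parse_track2(const char *raw, size_t raw_len, struct track2 *out)
{
    size_t pos, n = 0;

    memset(out, 0, sizeof *out);
    if (raw_len > TRACK2_MAX_LEN)
        return TRACK2_TOO_LONG;
    if (raw_len < 2 || raw[0] != ';' || raw[raw_len - 1] != '?')
        return TRACK2_BAD_FORMAT;

    /* PAN: digits up to the field separator, never more than the array holds. */
    for (pos = 1; pos < raw_len && raw[pos] != '='; pos++) {
        if (!isdigit((unsigned char)raw[pos]))
            return TRACK2_BAD_CHAR;
        if (n == PAN_MAX_DIGITS)
            return TRACK2_PAN_TOO_LONG;
        out->pan[n++] = raw[pos];
    }
    if (n == 0 || pos >= raw_len)
        return TRACK2_BAD_FORMAT;           /* empty PAN or no '=' */
    pos++;                                   /* skip the separator */

    /* Expiry and service code are fixed width. */
    if (!copy_digits(raw, raw_len, &pos, out->expiry, 4) ||
        !copy_digits(raw, raw_len, &pos, out->service_code, 3))
        return TRACK2_BAD_FORMAT;

    /* Discretionary data is validated but not stored. */
    for (; pos < raw_len - 1; pos++)
        if (!isdigit((unsigned char)raw[pos]))
            return TRACK2_BAD_CHAR;
    return TRACK2_OK;
}

/* Status for a NUL-terminated record. */
enum track2_status track2_status_of(const char *raw)
{
    struct track2 t;
    return parse_track2(raw, strlen(raw), &t);
}

/* 1 if raw parses cleanly and yields exactly these fields, else 0. */
int track2_fields_match(const char *raw, const char *pan,
                        const char *expiry, const char *svc)
{
    struct track2 t;
    if (parse_track2(raw, strlen(raw), &t) != TRACK2_OK)
        return 0;
    return strcmp(t.pan, pan) == 0 && strcmp(t.expiry, expiry) == 0 &&
           strcmp(t.service_code, svc) == 0;
}

/* Constructed sample records (not real cards); the trailing LRC is omitted. */
static const char SAMPLE_VALID[]    = ";4000001234567899=27125011234567890?";
static const char SAMPLE_OVERLONG[] = ";400000123456789912345678901234567890123456789=2712501?";
static const char SAMPLE_LONG_PAN[] = ";40000012345678991234=2712501?";
static const char SAMPLE_BAD_CHAR[] = ";4000001234567899=2712501ABC?";

int main(void)
{
    const char *samples[] = { SAMPLE_VALID, SAMPLE_OVERLONG, SAMPLE_LONG_PAN, SAMPLE_BAD_CHAR };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-60s -> status %d\n", samples[i], track2_status_of(samples[i]));
    return 0;
}
```

    The order of the checks is the point: the whole-record length test runs before any field is touched, so an over-long stripe is refused without a single byte being copied, and the PAN loop stops at the array size rather than at whatever separator the stripe happens to carry. A record that is within length but carries a 20-digit PAN, or letters where the format allows only digits, is rejected by the later checks.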

  13. Re:ATM scams by Richard_at_work · · Score: 5, Informative

    The latter scheme seemed dubious; the chain-letter like WARNING on the machine, and the insertion sensors on card slots I can't see allowing something jammed that far into them. Plus this was at a gas station deep in suburbia where hanging around the ATM would be suspicious, and where the ATM was in a corner making its use a complete screen of the keyboard.

    This scam is called the Lebanese loop, and involves installing a thin bit of wire into the card slot, which jams the card in there. This of course stops the ATM from actually doing anything, but a kind gentleman behind you suggests that maybe you should input your PIN a second time. While he is shoulder surfing. This of course doesn't work, and the ATM refuses to give your card back, mainly because it actually can't :)

    Then you give up, wander into the bank to complain, and he has extracted your card (easy if you know how with these things) and run off to another ATM in the locality to quickly drain your account of everything he can get.

    This scam has been run a number of times in my town, and people keep getting caught out, even though there are now massive warnings on the ATMs.

  14. Re:ATM TCP/IP Stack by hackwrench · · Score: 5, Funny

    So, are you posting from that ATM right now?

  15. V-Com by Lemmeoutada+Collecti · · Score: 5, Informative

    I have had the recent pleasure of watching the V-Com ATM machines being installed in our local convenience stores. They are PCs controlling the system, using Internet connections over TCP/IP to communicate, running Windows NT Workstation 4.0 SP6a. They have a custom keyboard missing the CTRL, ALT, and other state keys, and a touch screen interface to boot. And they can be crashed so easily it goes beyond funny to just plain sad.

    The tech doing updates opens the bay, plugs in a regular keyboard, logs on to an e-mail account, and runs the patches distributed that way.

    Not something I really would trust with my money!

    --
    You can have it fast, accurate, or pretty. Pick any 2.