Slashdot Mirror
Can Your ATM Play Beethoven?
bpiltz writes "A funk band in Harrisonburg, VA, called Midnight Spaghetti, has posted a story with photos about a newly installed Diebold Opteva 520 ATM at Carnegie Mellon University that crashed, then rebooted. The Windows XP operating system initialized without the actual ATM software. The result was a public desktop computer, with only a touch screen interface, left wide open for the amusement of the students at the most wired university in the U.S. Interestingly, Diebold is one of the leading manufacturers of e-voting machines."
You know, I've been thinking for a few years now that ATMs (in the UK at least)
;-)
seem to be getting slower and slower to use. 10 years back, you'd insert your
card, be able to key in your pin number straight away and be straight into the
menu. Now, you insert the card, stand about while it thinks about checking it,
then you eventually enter a pin and wait around a bit more before using the
sluggish interface. Now I know that these machines have media player, web browser and
all sorts of other redundant crap installed on a full version of XP, I understand the
reason the queues are growing!
I don't need 24 million colours, animations and other crap just to take money out
of my account, dammit! It's staggering to think that the software has become so
bloated and slow that machines produced 10 years ago, with only a fraction of the
computing power of today were actually far more responsive to use.
I remember seeing an ATM reboot a few years back (brief power outage). It briefly
showed the OS2 logo before resuming normal operation
Code, Hardware, stuff like that.
COME ON!!!!!!!!!! Why in the world would someone waste a computer that's capable of running Windows XP (which probably means at least a Pentium with 64 MB RAM?) on an ATM? I mean, the thing is supposed to check your card, pin and then give you a load of cash... Last time I checked, that's a job for something less than an 8080, which could do the job faster, more securely, and cheaper. The right tool for the right job, people! /me rolls eyes
If I find out this particular ATM is Windows-operated, I will hunt down Mr. Gates, roll him in tar and feathers and chase him out of town with a stick. In the meantime I will file a complaint with Ulster Bank for taking away my sole source of cash until next pay-day.
I'd rather find the execs of the bank, and roll them in tar and feathers and chase them out of town with a stick. Any one can make an offer... I can offer to run their ATM network on Linux 2.6.4-alpha1-test4-pre2 too. If they're willing to buy it, that's their stupidity, not mine.
Kjella
Live today, because you never know what tomorrow brings
Why didn't they use the on-screen keyboard instead of the character map for entering text?
This sig under construction. Please check back later.
This machine is indeed massive overkill, but the economics are that a desktop PC is about the cheapest computer out there.
An 8080 computer set up in a config with USB ports, serial, parallel, video, etc etc will probably run you something close to $3,000 US, and spares will be difficult as they'll have to be single supplier.
Also, the drivers for things like printers and card readers are only going to be available for Windows (and increasingly Linux), so if you have an embedded device, the integration costs are going to be high.
On the other hand, you can get a robust PC from a major manufacturer for something under $1,000 US and it can be replaced by any manufacturer. There are drivers for everything, and software development will be cheaper because windows programmers are more available than embedded programmers.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
too honest
they had a machine that would give them money and all they did was use media player ? Diebold got off lightly!.
they [evil student] could of written a keylogger/pin reader/card cloner/data capture using the on-board vbscript/wscript language, (full access to filesystem and shell), build in a network check so as soon as the machine detects a network connection (as the students said it wasnt connected to anything presume at some point it will be connected to a network by an engineer or repairman) it trys to post the captured data to some.random.location.com, install it as a system service so it runs automatically in the background , even schedule it to run at specific times and you have one totally compromised machine
would of taken an hour max of programming time, maybe 15min if all you had to do was type it in and not compose it.
scary that not only is the software Windows but it has its own built in programming enviroment with access to every program on that machine including network access, and the only tool you need is notepad.
If they insist on using a Microsoft OS at least the could use Windows XP Embedded.
It's a componentized version of Windows XP with a set of tools to customize it, remove any unnecessary components and prepare system images. It also has tricks like running from read-only media and intercepting message boxes that end users should not see.
It's even cheaper (for a moderate number of licenses).
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
"I Wrote this without a keyboard"
Cut and past it really does work although a bit slow. say you use the integrated web browser and you can get a hand on most if not all the characters you need. Plus there is the character picker. but you probably have enough letters to choose from cutting and pasting to give you access to install a virtual keyboard or something. Now someone has access to a computer that dispenses money. I don't know about you but that seems like a security risk to me. Heck install a spy-ware program on it to record peoples ID and the next time it reboots you can use it to dispense some cash yourself. Using an OS Designed for home users (Including Standard Linux/Unix distributions) is a bad idea. For an ATM the computer OS needs to just run that ATM and thats it (well perhaps some diag software for the service people). Heck you can make a more secure system with MSDOS 3.0 after you delete all the extra files you dont need. And put the software in line 2 on of the autoexec file. Line one will need to install the touch-screen TSR.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
The problem's not so much Windows as the lack of customization.
If those machines were locked down embedded Windows or something similar, then I wouldn't be so worried. But these things appear to be more like a normal Windows installation with an ATM program on top. That *is* scary.
Think of it, if so much care was taken on the design of the ATM, how do you know that your credit card number and PIN aren't in a text file that can be read directly if you manage to get to the Windows interface?
And what will happen when the virus of the week hits it because nobody bothered closing unneeded ports?
ATMs not connected to the Internet and without keyboard are pretty much unhackable unless you can pry open the case and attach a keyboard and/or wireless connection.
Ah, security through lack-of-keyboard.
Lack of a keyboard is a nuisance, but doesn't prevent people from operating the machine or breaking in. For example, Windows has an on-screen keyboard. Even if it doesn't, you can cut-and-paste text (a character at a time) from some other application. And there is probably special ATM maintenance software installed on those machines as well, which can likely be operated through the touch screen (since it is intended to be used by technicians).
Thank you for illustrating again how naive many people are about security.
Here's the problem with any argument that electronic voting can lead to truly massive voter fraud, of the kind that you suggest. All the news organizations take exit polls, and in fact they usually have a good idea as to the winner even before the polls close. If the exit polls massively disagreed with the result, there would be no question that fraud had occurred, especially if there was no paper trail to back up the votes.
Fraud can still occur. It's just that those conducting the fraud have to be extremely careful to avoid detection: only chaning a few dozen votes in areas where the vote is close to begin with, and so on. They always have to stay within statistical margins of error.
Toronto-area transit rider? Rate your ride.
ATMs not connected to the Internet and without keyboard are pretty much unhackable unless you can pry open the case and attach a keyboard and/or wireless connection.
It doesn't matter if they're connected to the Internet. Having worked on ATM banking systems in the past, they are connected to a WAN that likely has Windows workstations connected as well. Since Windows Update is probably never run on the ATMs I would think that it would be trivial for a Windows workstation to infect a Windows ATM.
We all at slashdot would like to bash MS for this. But somehow, it has a reciprocal effect that very few realize. Carnegie Mellon (CM) is highly recognized for software and quality. Now it gives me doubt over their institute for having a system that crashed. I know their not directly the cause or effect but the shadow somehow hovers over CM more than Microsoft. Years from now there may be an article about the first ATM to be hacked and it was at CM but probably no mention of MS.
> The point is, banks will assume the worst when it
> comes to you no longer physicaly having your card.
As they should. Really, it is much simpler for the bank to just issue a replacement card than to bother returning the old one. Think about it: should they print a piece of embossed plastic that costs a few cents, or have the kindhearted finder send the old card in (37 cents) and remail it to the owner (another 37 cents + 15 minutes of somebody's time [or more, if Windows crashes]) all the while ensuring that no fraudulent transactions take place in the meantime (priceless)?
Does this remind *anyone* of the movie Hackers, in which Joey makes an ATM (in "Bumsville, Idaho") spit out a certain amount of cash?
;)
Something makes me think a next RPC vulnerability will do just that
XeeRz,
Jason
THSsMCHshrtrTHN160chrs -- And I don't even like to SMS!
What is the financial regulatory authority in the States that acts as a watchdog on this sort of thing? Using Windows XP in an ATM instead of a hardened embedded system is criminal negligence, no two ways about it.
Because most moderators just scroll down the page and anything that is not to 5 yet they moderate it up, because most moderators play it safe instead of looking for that gem in the rough.
An Education is the Font of All Liberty
Actually you really dont need much of an OS on an ATM, infact i bet some of the earlier ones running on a calculator were 10 times more reliable and secure in their day!!
An ATM has only afew simple requirements
The GUI
Dont even start about "windows gui" all ATMs use a custom designed GUI! theres no need for a graphical OS behind it!
Network Connection
This aint rocket science, you dont need a big OS to send an encrypted message.
Reliability
The ideal machine would simply have a ROM for the software and a small ammount of RAM, no hard-drive is required. You should be able to do a full reset and have the machine running in seconds. Does this idea fit well with a large windows installation? no.
Infact i would go as far as to say an ATM doesnt even need multitasking! think about it, you do your stuff, it says please wait, that stays in the video buffer while it does its transaction. All this over complexity is very bad KISS.
This comment does not represent the views or opinions of the user.
From the person behind the counter? Thats a good one, and how do you propose that people who work 9-5:30 every day get to a bank? It`s simply not practical, we dont get enough lunch break as it is.. and i lost count of the amount of times i have wasted my entire lunch break standing waiting in the bank.
Perhaps if banks would open usefull hours, say evenings and weekends, like supermarkets do.. it would be more practical to go to the counter, however the banks wont do that.. since theyre trying to force people into using the machines.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!