Slashdot Mirror


Can Your ATM Play Beethoven?

bpiltz writes "A funk band in Harrisonburg, VA, called Midnight Spaghetti, has posted a story with photos about a newly installed Diebold Opteva 520 ATM at Carnegie Mellon University that crashed, then rebooted. The Windows XP operating system initialized without the actual ATM software. The result was a public desktop computer, with only a touch screen interface, left wide open for the amusement of the students at the most wired university in the U.S. Interestingly, Diebold is one of the leading manufacturers of e-voting machines."

19 of 657 comments

  1. ATM OS diversity by igrp · · Score: 4, Interesting

    Around here, quite a few ATMs are still running OS/2. For some weird reason, they - just like the ATM the article talks about - have a tendency to crash, reboot and not load the ATM interfacing software.

    I got a chance to talk to one of my bank's IT people about this a few months ago, and basically, they don't know what's causing the crashes because analyzing the log files would just be too much trouble. So their SOP is to have some guy with a key come out, literally pull the plug on the machine and wait till it reboots.

    He also told me that they were slowly migrating over to a "custom XP version", whatever that's supposed to mean. I probably should have told him that Windows machines can be prone to virus infections (cough cough).

    1. Re:ATM OS diversity by cowwie · · Score: 5, Interesting

      I would disagree. I work for a small community bank with two branches and a third under construction. We recently moved our ATM off of Star to another processor, and in the process switched from straight Frame Relay to a LAN hookup.... thus going from 911 to 912 software in the process.

      The Diebold tech came out, I let him into the ATM room, gave him the IP, gateway, and the host IP and port... and he had the system converted in no time flat. Unfortunately, the problem was NOT with Diebold.

      Once he had the system up and online, we had to get the software with the screens the public sees downloaded to the ATM. We spent about 5 hours on the phone off and on with a programmer from our processor and with a programmer from Diebold. They argued back and forth about whose fault it was, and finally the guy from Diebold convinced them to email him the load they were sending us and the load from a working bank so he could compare. The next day I come in to work, the Diebold tech shows up about 20 minutes later (10 minutes earlier than he had told me he would)... and he immediately starts telling me what's going on. Apparently our processor is sending us an incomplete load for some reason, less than half the size it should be. All that arguing yesterday, and they never actually took the time to check that they were sending us the right thing.

      So we have to sit and wait for them to get into THEIR offices and send the correct and working load to our ATM. When they finally do, the Diebold guy finishes up the install by loading the admin card onto the HD, showing the CSR that will handle it how to balance both from the front of the ATM and from the rear screen, and he was done.

      I lay absolutely NONE of the blame on Diebold for the incident. He even said that he wouldn't bill us for the hours that he sat around waiting on someone at the processor to fix the problem. Other than a few frame relay outages (not Diebold's fault) and this little conversion incident (again not Diebold's fault)... this ATM has been rock solid. Unfortunately, we can't get one like that anymore, so the ATM going into our new branch is going to be an Opteva running Windows TCS+.

      Long story short, Diebold is a large company that sells everything; the cabinets, the actual vault and vault door, our security system and cameras, the ATM, and even the modular frame for the teller line. To dismiss the whole company because of issues that they have with e-voting is unfair and unfortunate. Yeah, I'm the IT guy.... but I've also helped oversee every aspect of both of our new branches, and have yet to find a complaint about Diebold.

  2. Buffer overflow code on swipe card .. by Anonymous Coward · · Score: 4, Interesting

    Would it be possible to load data on a swipe card so that the software reading the card suffered some kind of buffer overrun? (Depending of course on how carefully the software checked for them).
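
An added example, not part of the comment above and not any ATM vendor's code: the check that comment asks about, as a bounded parser for ISO/IEC 7813 track 2 data that rejects over-length input before copying anything into a fixed buffer. The names (`parse_track2`, `struct track2`, the status codes) and the sample track are constructed for illustration, and the reader is assumed to deliver ASCII-decoded characters with the LRC already verified.

```c
#include <stdio.h>
#include <string.h>

/* ISO/IEC 7813 track 2: ;PAN=YYMMsss<discretionary>?<LRC>, at most 40 characters. */
#define TRACK2_MAX 40
#define PAN_MAX    19

struct track2 {
    char pan[PAN_MAX + 1];
    char expiry[5];   /* YYMM */
    char service[4];  /* three-digit service code */
};

enum t2_status { T2_OK, T2_TOO_LONG, T2_BAD_FRAMING, T2_BAD_PAN, T2_BAD_FIELDS };

static int all_digits(const char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] < '0' || p[i] > '9')
            return 0;
    return 1;
}

/* raw/len come from the card reader and are untrusted; raw is not NUL-terminated.
 * Assumption: the reader has already decoded the stripe to ASCII and checked the LRC. */
enum t2_status parse_track2(const char *raw, size_t len, struct track2 *out)
{
    memset(out, 0, sizeof *out);              /* fields stay NUL-terminated on every path */
    if (len > TRACK2_MAX)
        return T2_TOO_LONG;                   /* reject before touching any fixed buffer */
    if (len < 2 || raw[0] != ';')
        return T2_BAD_FRAMING;
    const char *end = memchr(raw, '?', len);  /* bounded search, never strchr/strlen */
    if (end == NULL)
        return T2_BAD_FRAMING;
    const char *sep = memchr(raw + 1, '=', (size_t)(end - raw - 1));
    if (sep == NULL)
        return T2_BAD_FRAMING;
    size_t pan_len = (size_t)(sep - (raw + 1));
    /* The overrun case: a PAN field longer than the destination. Check, then copy. */
    if (pan_len == 0 || pan_len > PAN_MAX || !all_digits(raw + 1, pan_len))
        return T2_BAD_PAN;
    if ((size_t)(end - sep - 1) < 7 || !all_digits(sep + 1, 7))
        return T2_BAD_FIELDS;
    memcpy(out->pan, raw + 1, pan_len);
    memcpy(out->expiry, sep + 1, 4);
    memcpy(out->service, sep + 5, 3);
    return T2_OK;
}

int main(void)
{
    /* Constructed sample, not a real card number. */
    const char sample[] = ";1234567890123456=99121010000000000?";
    struct track2 t;
    enum t2_status s = parse_track2(sample, sizeof sample - 1, &t);
    printf("status=%d pan=%s expiry=%s service=%s\n", (int)s, t.pan, t.expiry, t.service);
    return s == T2_OK ? 0 : 1;
}
```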

  3. Not that unusual by Saint+Stephen · · Score: 4, Interesting

    I see "ordinary" ATMs stuck at a Phoenix BIOS boot prompt all the time. While I've never gotten to the Windows part of an ATM, it happens at information kiosks a lot.

    They should have used the "On-Screen Keyboard" under Accessibility. It is a little scary that this was connected to cash.

    If you want a good read for the database schemas an ATM uses, read "Principles of Transaction Processing." One interesting bit of knowledge is that the entire table of valid account names and their card hashes is replicated to each ATM! (Obviously for your bank only.) It sends out a ping that records "Joe took $50" to the main bank but it's only sort of a summary, the "full details" is kept at the ATM and sync'd at night.

    One crazy thing that happened to me was I tried to withdraw $1100 from Bank A at Bank B's ATM. I got into a "Distributed Transaction Rollback" -- it got all the way through, printed out my receipt that said I got the money, and -- never gave me my money. When I checked at a Bank A ATM, it showed the "hit" on my account. In about 15 minutes the Transaction Processor rolled back the transaction.

  4. Insecurity and Paranoia by heironymouscoward · · Score: 4, Interesting

    It's not immediately evident how Windows XP opens a security risk on an ATM, nor how this means that Diebold voting machines are somehow hackable.

    ATMs not connected to the Internet and without keyboard are pretty much unhackable unless you can pry open the case and attach a keyboard and/or wireless connection. And if you could do that, I suspect pretty much any ATM would be hackable. There is a reason why ATMs are built from heavy steel and anchored in concrete.

    Diebold systems raise paranoiac hackles for another reason: control and oversight. You don't need to invoke security flaws and Windows XP to realize that ballot boxes represent power and money. Whoever controls the counting process controls billions, trillions of $, and this is a temptation that few, if any, people can resist.

    The argument against paperless touch-screen voting systems comes from the fact that such systems open the way to serious internal fraud, rather than hacking through any hardware or software weakness. Election fraud is done by incumbent politicians, not by hackers exploiting BSoDs.

    The nightmare scenario for future US elections is where after a largely electronic and unverifiable poll, the governing party gets 55% of the vote despite exit polls showing that it got 45%. What would happen after such an event is anyone's guess, but it would not be pleasant.

    --
    Ceci n'est pas une signature
  5. Re:"Progress"? by Rogerborg · · Score: 4, Interesting

    If you're tripping, we ate the same mushroom. I'm also having flashbacks to a printer that sounded like an AK-47 on full auto. And now we've got ATMs that feed you advertising for a bunch of crap that you really don't need while they make you wait for your money. Progress, eh?

    --
    If you were blocking sigs, you wouldn't have to read this.
  6. Re:"Progress"? by tormentae+agent · · Score: 5, Interesting

    I remember the same, when I actually trusted ATMs and banks...

    After a brief five-year stint in North-Dakota, where time stood still in happy-land, I ended up in Dublin. I read an article about how Windows had made its way into the ATM-business, thinking "uh-oh-mf-cs-sob"...given my past experiences with this OS-king-of-userfriendliness.

    Yesterday, I put my Norwegian super-VISA-bank-card into an Ulster Bank ATM and it stole it! It just swallowed the card, proceeding to say something like: "System down, please use another cashpoint."

    So, I call Norway, to ensure there isn't a problem with the actual card. It takes me quite a bit of time before I actually managed to call Ulster bank's customer service line. When I get through, I explain the situation (I had to rephrase 'the ATM stole my card' into 'swallowed it' before I could be assisted).

    So the customer service rep states that he can't help me. I ask if there's anyone with any authority that can help me get the card back (it takes me a while to get a new one from Norway). He says: "Sorry, Sir. The ATM in question not being directly attached physically to a bank, a contractor does that job for us. Your card will be destroyed when the ATM is serviced."

    I state something to the extent of Ulster bank being poorly organized. The little turd on the other end of the line proceeds to tell me: "I'm sorry, but we took the network down for a few minutes. You must have inserted the card just at that moment."

    If I find out this particular ATM is Windows-operated, I will hunt down Mr. Gates, roll him in tar and feathers and chase him out of town with a stick. In the meantime I will file a complaint with Ulster Bank for taking away my sole source of cash until next pay-day.

  7. Pictures of something similar by Caligari · · Score: 4, Interesting
    I took pictures of Diebold ATM machines doing something similar in Paris.

    Take a look here

    --
    The moving cursor writes, and having written, blinks on.
  8. Re:"Progress"? by CGP314 · · Score: 4, Interesting

    A conversation I had with a friend:

    ``Alright, let's go to the bar.''

    ``Sure, but first I need to go to the bank on high street.''

    ``Why? That one is two blocks in the opposite direction, there's a bank the way we are going that's on the same system so it won't charge you any fees.''

    ``I know, but that one has one of those old black-and-green displays. You can't trust something like that. The other bank has an ATM with color and animation.''

    It really upsets me to know that things like that actually matter to people.


    -Colin

  9. Re:"Progress"? by zakezuke · · Score: 4, Interesting

    So the customer service rep states that he can't help me. I ask if there's anyone with any authority that can help me get the card back (it takes me a while to get a new one from Norway). He says: "Sorry, Sir. The ATM in question not being directly attached physically to a bank, a contractor does that job for us. Your card will be destroyed when the ATM is serviced."

    The hardest thing in the world is returning an ATM / Credit card. I found one next to a machine from an Alaskan credit union, and I being in Washington. I thought to myself, "Hey, I will do the honest thing and try to get this card back to the owner".

    Well, the 800 number on the back was unwilling to co-operate... they told me to cut up the card. This was on a Saturday and may have not been official bank help. So I tracked down the bank in Alaska, or near as I could find to it, and tried to talk to them about the issue, basically, "I have this card, I'd like to return it to the owner".

    They refused to do the following:
    1. Provide me with any contact information as to where to send the card to (totally understand)
    2. Take down my contact information so in the event the owner called to get a new one, they could say just use the old one, this guy will give it to you.
    3. To actually take back the fucking card so they could return it to the owner in a timely fashion.

    In the end, after getting frustrated trying to do the right thing, I used it to apply putty to my automobile, and it probably is still encased in a lump of putty.

    The point is, banks will assume the worst when it comes to you no longer physically having your card. They are not equipped to handle an honest person who actually didn't charge up anything on the card, despite the fact they could verify this fact, who's trying to return the card. They will try to convince you they are doing you a favor when in reality they would rather let someone else do the paperwork, which always falls on the person giving you a new damn card.

    --
    There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
  10. Re:"Progress"? by dattaway · · Score: 4, Interesting

    The sad thing is, you can't make a better ATM and sell it in the market. Patents and regulations force competition out. That is the classic sign of poor quality dominating our market.

  11. Re:"Progress"? by Anonymous Coward · · Score: 5, Interesting

    I've done some work for the Royal Bank of Scotland (hence the AC) and I know for a fact that Windows is not allowed anywhere near mission critical systems. Home banking and internal user systems are Java/WebSphere/Solaris/Oracle, back-end to everything is a mainframe (can't remember the OS) that interfaces via CICS to the rest of the system. ATMs are custom coded and run a custom OS and communicate directly to the mainframe via CICS. Some of the code in the mainframe is rumoured to have been written in the 60s and even if you want to change one line of code it can take over a month to go through the testing. The whole system is locked down really tightly. No-one has access to all of the systems at the same time, no matter how high up in the company you are.

    The only place Windows is allowed is on the desktop, and that is still NT4 hidden behind a Solaris based proxy and firewalled to the hilt. You cannot even go OUT on a port other than 80 or 443, never mind the other way.

    I work as a contractor and run my own company, so am not affiliated with RBS in any way...

  12. Re:"Progress"? by SmackCrackandPot · · Score: 5, Interesting

    The same happened to me in central England.

    I just received my new card and had memorised the PIN number, and went to withdraw money. Three times I tried to enter my PIN and the amount of money I want to withdraw. Each time the machine refused to accept the transaction. After the third time, the machine swallowed my card, telling me to contact the bank. So I call them up, and am told "our machine automatically shreds any card after three unsuccessful attempts and sends an electronic notification to your bank", we can't do anything. So I call up my bank, and they tell me I can't get a new card until they have written notification from the machine owners. Neither would talk to the other. In the end, I had to pretend that I had lost my card in order to get a replacement.

    It seems to me to be more of dodgy protocol implementations rather than anything else.

  13. What's that? You want movies? by pridkett · · Score: 4, Interesting

    As a grad student who has their office in this building, I got more than a little kick when I saw the tech fumbling aimlessly to try and fix the thing later. He was there literally all day long and each time I walked by he was on the phone trying to get more info. Where is a good ole OS/2 ATM when you need one?

    Anyway, some people on misc.market also posted some movies that you might find interesting.

    --
    My Slashdot account is old enough to drink...
  14. I go to CMU... by RainbowSix · · Score: 5, Interesting

    About a month ago, all of the National City ATMs in Pittsburgh (where CMU is) got switched from ancient working machines to snazzy new Diebold touch screens. Aside from the one playing Beethoven, there has been at least another one that BSOD'd.

    The one on this article was funny and everything until that night when I remembered that I have my life savings in National City.

    I stopped at some competing banks in the area on Thursday to get some pamphlets and I will be switching banks on Monday.

    --
    --------
    It's OK to be social, just don't tell anyone about it.
  15. probably a dumb question about atm and cents by jd142 · · Score: 4, Interesting

    But does anyone know why ATMs here in the states have a decimal in the amount? So if I want to take out an amount (say $15) that isn't listed, I have to type:

    1-5-0-0

    to let the machine know I want 15 dollars instead of 15 cents. No atm that I've seen (granted, limited experience) will dispense change. I don't think I've seen any that even dispense dollar bills, so getting $17 is impossible. So why the decimals?

  16. Re:As they should! by EmagGeek · · Score: 4, Interesting

    I don't necessarily agree... One night I went to the local K-Mart to buy an air conditioner... while loading it into my car, I placed my wallet on the roof since my soccer shorts didn't have a pocket (this was a midnight trip made because it was SO FSKCING HOT that night)... anyway, my wallet had flown off the roof right in front of a bar on the way home. The next morning, I got a call from my credit card company saying that the local police department had my wallet. When I went to retrieve it, all of my cards, AND MY CASH, were still in my wallet. No charges were made and everything was fine. The police said that a bar patron turned the wallet in to an officer he saw stopped at the red light in front of the bar.

    I treated the guy and his family to a steak dinner at a local steakhouse to show my gratitude. I've rambled on forever, but the moral of the story is that honesty should be encouraged and rewarded.

  17. Re:"Progress"? by afidel · · Score: 4, Interesting

    Um, there are at most 3 printers, one monitor standard, two input device types, and three network modules used by any bank. Drivers for those limited selections could easily be in firmware and selected from at setup. It really doesn't make any sense to have a general purpose OS running the thing other than to reduce cost for Diebold to develop the things. Then again it does provide a nice amount of business for us IBM field techs =)

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  18. Re:"Progress"? by jorgen · · Score: 5, Interesting
    no big deal, right? a few days later, i see that 60 euros was removed from my account from that exact cash machine on the exact date i was there! i contact my bank in California and they tell me that i need to contact the bank that owns the machine.

    You sure you didn't get your money back automatically after like 3-5 days? Because these things happen every now and then, i.e. the ATM fails because of some local problem (software or mechanical), you don't get the money, and later you see that the amount has disappeared from your account.

    But in (almost) every case, the money is not actually withdrawn, only "reserved" (that's what the banks call it) for a number of days, after which they are "unreserved" and show up on your account again.

    I had a similar experience with an ATM in Romania once, the ATM software completed the transaction and then crashed before it handed out the money. Later that evening I connected to my bank account from an internet cafe, and of course - that money had disappeared from the account. I called my bank in Sweden to report it, but they just told me that the money was not withdrawn, only reserved, and that it would be back on my account in a few days - which it was, to my relief.

    Generally, banking systems (including ATMs and card payment terminals) have good failsafe mechanisms that abort the transaction if it encounters a problem in any little detail along the way.