ATMs Susceptible to Windows Viruses
Kernkraft400 writes "First there was Windows for Warships, now the same operating system used to power millions of home PCs is likely to be used for cash machines in the UK. I can't wait for the next Windows virus or worm to take down all the cash machines."
What an irresponsible thing to say.
http://www.busyweather.com/
Like the actual story: ATMs in peril from computer worms? The Register seems to believe it's partly a scare tactic to sell antivirus software, though.
I've seen an ATM at Target (big retailer in US) reboot after a "power interruption" and it was running NT3.51 :o
-nB
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Windows has been used on (at least) Natwest ATMs for a loooong time - several years at least. I've been in several situations where an ATM is displaying a Blue Screen Of Death. Interestingly enough, they show a trend for solidarity in these matters, when one of a set is down, they're all down... Presumably the weakness is in the network layer, or some component that is attached to it.
Not that this means too much (apart from the annoyance factor) though, I've never lost any money due to an ATM crash - I'm pretty sure the system is designed so that the central machine does all the secure stuff, with the ATM being not much more than a calculator keypad.
Simon
Physicists get Hadrons!
The Slammer worm caused significant outages in Bank of America's ATMs.
-- Samir Gupta, Ph. D. Head, New Technology Research Group, Nintendo Co. Ltd., Kyoto, Japan.
I was planning on RTFA that showed which ATMs will be running Windows... but I couldn't find it!
"The avalanche has already started. It is too late for the pebbles to vote" -- Kosh
I really find it hard to believe that ATMs are using windows based OS'. Despite that, as long as the networks they are on are smart then they should not even be susceptible to infection... unless someone figures out a way to transfer one via their credit card o.O...
Now, ATMs running Windows could very well be susceptible to viruses, but something backing that up would be nice.
There is no sig, there is only Zuul.
Is there a story here? What is the point of this post? -m
Thas all folks
Busy aligning my non-linear thoughts.
The title of this story is extremely misleading. It's stating something like it's a fact, although it's not even close. It's actually more of a question. But this is Slashdot, so I shouldn't expect too much.
It's already happened. I put in my ATM card and chose to make a withdrawal and the ATM laughed at me and spit my ATM card back out.
Citibank ATMs run NT. Lots of bank ATM machines do
I think you know what that means.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Don't forget the cars too. Oh well, trial by fire. If it goes horribly wrong, it won't stay that way for long. Either it'll get hardened or another OS'll get the job.
dmiessler.com -- grep understanding knowledge
I like to post inflammatory articles to get page views for Slashdot. Perhaps you thought this article was about ATM worms. Well, it's not. It's about bashing Microsoft. So have at it and don't bother asking for a link to an actual story!
Halifax Bank ATM, Colchester, UK
I walk up to the machine to get some cash out, only to be confronted by a Windows 9x dialogue box. The cash machine was on a desktop screen, with a dialogue up on the screen.
It's a joke, seriously.
Gamers Europe - Gaming News. Reviews.
The title of this post says that Windows for ATMs are "Susceptible to Windows Viruses" but as far as I can tell this is just speculation... Is there actually any proof out there that these machines would be any more (or less?) susceptible to viruses? I'm surprised this made it through, no substance and just a lot of name calling at MS.
Your mammas flamebait.
What did you expect from a slashdot windows-bashfest?
When Hollywood gets ahold of this idea, they'll have teenagers or terrorists or someone cracking into ATMs and watching the security camera or changing the picture on the currency or some ridiculous thing.
You are in error. No-one is screaming. Thank you for your cooperation.
Go ahead, tell me to RTFA. No, the one about ATMs. There isn't one! What the hell?!
Okay, never mind that.
There are plenty of ATMs that have run Windows in the US of A and while I've seen some pretty embarrassing bluescreens and such, I'm not aware of any reports of viruses on the ATMs or of viruses targeted towards ATMs, which you'd think would be a cool way to go...
Anyone got that article?
There was a power failure during my transaction. When the ATM rebooted, it kept my card (as it was designed to do). Fortunately, the bank was open at the time and they retrieved it for me.
It's not like the atms are hooked up to an open internet connection... I don't see a problem here
ATMs are running Windows CE? I thought that some companies as security conscious as banks would run something more stable and secure.
It all makes sense now. I have seen a few ATMs crash, that screen looked very familiar. Now I know why.
Seriously though, why Windows? I use BofA, and like 2 years ago when they changed the ATMs around, it's slower. Color screens, and asking if I want English or Spanish. There are more steps to get money in and out. And, they were doing "advertising" on them for a while. While the transaction was being "processed" I'd have to listen to some blurb about services BofA offers. That has seemed to have stopped recently, but...I can imagine it will be back soon. Along with the ATM "glitches" coming......
Back to the DOS/Text interface of old please!
It's either on the beat or off the beat, it's that easy.
I moderate therefore I rule!
--
What features will be included in windows for warships? My wish list includes: -Drag and drop cruise missiles -Point, click, BOOM anti-aircraft guns
Yeah, I emailed daddypants when the story posted to the subscribers but they apparently weren't paying attention.
Everyone knows that ATMs running Windows would be susceptible to the same evil viruses that any Windows PC would be. I guess we just need to get the word out to those that don't know about the possible viruses available for even their own machines?
Now we can have Y2K hysteria... EVERYDAY!!!!!
YAY
...and it should be known by now
Maybe it's because I'm young and new, but why would people trust a system that has a record of failing? The blue screen of death is a big joke in the world. Why would airports, banks, the military, etc. trust Windows? I'm not trolling, this is an honest question. It's not the price. Is it because they think it is more robust, easier setup, compatibility? I was in Europe and saw the blue screen on an airport terminal and thought, wow, I hope the crucial systems on my plane or in the control tower are not running Windows!
Let's be clear here, it's not viruses we worry about. Nobody is going to run Kazaa on their local ATM. It's all about possible remote exploits.
No OS is completely bug free and secure for ever. If the network the ATMs connect to is safe, the box should be safe. If they connect to the internet, I'm moving my money to another bank, no matter what OS they run!
Surur
Information is the location of things. Computation is moving things around.
Ah yes I remember fondly seeing my first ATM BSOD in the SEATAC Airport. Nothing says welcome to Redmond quite like the BSOD.
Today is a gift. Save the receipt.
I think that it is irresponsible for them to put Windows on warships and ATMs. They should use an operating system designed for that specific purpose based on something like vxWorks. They shot themselves in the foot. I wonder how long before ATMs start to spit money left and right all of a sudden. Someone might be able to use a wireless device that tells the Windows ATM to spit money.
This has been going on for a while now. I've seen BSODs, and "This program has shut down unexpectedly... Send / Don't send?" dialogue boxes. I can confirm that at least some Lloyds, Barclays, and Sainsbury's Bank machines use Windows.
Better crash than overbill. My first time through, the total was $6 over, as suspected by me, and verified by a store clerk who'd seen it enough that she kept a calculator with her.
The clearance system sounds logical. It is not. It is completely arbitrary. -- John Bolton
My plans to become rich are finally realized! All I have to do is move to the UK, and as someone said earlier...wait for a virus to plague all the ATMs =D.
28:06:42:12 - That is when the world will end...
There's lots of mentions of BSODs here, mind you that this isn't the same as a general "Windows virus". I'd rather deal with a defunct ATM than one with a Trojan installed behind the scenes.
I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
Whatever about the Windows BSOD, the virus issue has been overstated.
Any financial institution that has public-facing assets that are not secured by tight firewall rulebases or air-gap type network separation and robust backend access control procedures will be the exception rather than the rule.
In the UK, most banks, in my experience, are pretty switched on as regards network security.
I seem to post this every time this comes up, but once again. Diebold ATMs run Windows (95, NT and XP depending on how old they are). They have been known to crash to the desktop and often run unpatched. They have been hit by several worms over the years but banks keep on buying the dang things. Here of course is a link to a Diebold ATM running as an MP3 player after it had crashed to the XP desktop (touch screen, XP, built in speakers. Makes sense to me). I will never use a Diebold product, be it ATM or voting booth.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
In case you can't tell, the submitter was being sarcastic. Additionally, please tell us how simply stating a desire is "irresponsible". It's not exactly as if someone's opinion on slashdot is going to cause computers to crash, dumbass.
This did already happen, two years ago I believe, to Diebold ATMs. When it did, I called Wells Fargo (my bank) and asked them what brand of ATMs they use. I got the old, "Why would you want to know that?" question edged with a fair amount of suspicion. I explained that I didn't want an ATM that I used often to be compromised by a virus. I was forwarded to the manager. He ended up giving me a runaround about how Wells Fargo guarantees all transactions on their ATMs and any fraudulent use is refunded. No straight answer on whether they used Diebold ATMs with Windows.
Of course, I went to a few of the ATMs I used and checked them out. All Diebolds. I'm not sure if they were running Windows, but I can assume so. Why would the bank give me such a hard time about who supplied their ATMs? Obviously it wasn't that difficult to just go and find out. It makes me a bit weary that they're trying to implement security through secrecy (let alone secrecy that's not that secret). Plus, being a customer I feel like I have the right to know how my money is handled and what possibilities there are for it being stolen.
Per Square Mile, a blog about density
spyware for atm's?
After you spent time carefully crafting it, including and checking lots of links... just remember, this got accepted.
I've witnessed something like this http://www.okay.lu.nyud.net:8090/biller/error/atm.jpg in Cambridge, UK at a Countrywide ATM earlier this year.
A few months back I visited the Nationwide Building Society (in England) to use an ATM. It was working perfectly except slap bang in the middle of the screen was a Visual C++ crash messagebox. People were still using it, trying to "see round" the box (which wouldn't shift). I was killing myself laughing.
The Sainsbury's Coventry cash machine uses Windows, and has done for years now. I've seen error messages on it in the past. =P
Phht. It's not as if anyone here is going to actually read the article.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
-phixxr
ungggghhhh
The one thing that MS will find different here is that if they actually cost the banks money due to some stupid vulnerability, the banks are quite likely to take it seriously, and do something. Most MS customers don't.
See what I've been reading.
What is the point of this post? ATMs in Ireland, the US and I'm pretty sure the UK have run on Windows NT for years. It's kind of funny taking a peek at them when walking past a crashed one but this is not front page slashdot news!
Dave.
Out of curiosity, are cash machines and the computers they talk to actually connected to the web?
I don't see this as an issue, unless a bank worker plugs the virus in at work. In that case it should be easy to track.
hmm, would it be possible to upload a virus to an atm via a magnetic strip on a card?
always mosh clockwise
Now uses Windows for its everyday transactions with customers. I have to say that makes me every bit as nervous as an ATM using windows. Every time a transaction is finished I hear the classic windows "donk" sound, and it just makes me twitch...
I'd prefer a much more specific, secure system. Linux would be "OK", but actually I'd prefer something that is much more secure than that, or maybe a linux/unix flavor that aims for security above all else (including ease of use).
We're talking about our money, after all.
.
If I had a real
I'd rather live like the Amish, its easier!
I was out shopping for electronics at Best Buy (gotta love those Christmas specials) and 1 order from the end of my 80-item list actually caused the register to crash! The system went down, BSOD-style with a slight pirouette influence to accent the annoyance. After waiting 15 minutes for the clerk AND manager to figure out how to reboot the register, I realized what their problem is: Windows NT 4.0.
To add insult to injury, they had to re-submit my order, meaning all my items had to be removed from the bags, rescanned, repackaged, and put back into my cart at the expense of all 20-some-odd people standing behind me.
-- Game Developers: Stop porting badly-textured games from crappy console systems!
Any bank that puts its ATMs on the internet has a moron in charge of IT.
The best way to secure these things is to make sure that the only physical connection from the ATM is to a well secured computer controlled by the bank.
The cake is a pie
It was just an "oversight" to not include it in the original post, eh?
In my line of work, those 'oversights' are called negligence.
http://news.bbc.co.uk/1/hi/technology/3962573.stm
Senior NCO in the fight against entropy. I've seen things, man. Things no one should have to see.....
An editor has slipped in a link to this story without mentioning the mistake!
http://www.daimyo.org/bsod/
Morons wasting all their mod points modding down people who posted "Where's the story?" comments.
wasn't this a story over a year ago? Nothing new here, move along.
I may be wrong, after all I'm no expert on ATMs or bank networks, but since when are ATMs on the internet? I mean really, can you really get an IP address off an ATM? If this is the case then... isn't that a bad thing?
Missing digits in your checking balance is a feature, not a bug.
Nobody is going to run Kazaa on their local ATM.
You must be new here.
I can't wait for the next Windows virus or worm to take down all the cash machines.
You are forgetting that Linux users can't make money selling their software, so this shouldn't be an issue!!!
The fact that they run Windows and are open to attack or whether or not someone has access to your money? For me it's the latter. How they implement access to my money doesn't really concern me unless my account is not protected. If someone uses their equipment to access my acount without my authorization, then they are responsible for making restitution. If I have problems accessing my account I can vote with my money and move it to another bank.
Me thinks that the average Slashdotter is a little too close to the problem in this case.
BTW, when was the last time anyone heard of someone successfully hacking an ATM to gain access to an account? Maybe it's happened but I haven't heard of it. If it has happened, I'm sure the bank and FBI have kept it pretty quiet. The bank would also be prone to make the account good very quickly.
The reason you're seeing banks deploy new ATMs at a rapid clip this year is because IBM is dropping support for "vintage" OS/2 releases.
Not for OS/2 Warp 4 (That's supported through 2006 at least), but for the earlier releases (3, 2.x, 1.x)...
I believe that most ATMs were based on either OS/2 1.3 or 2.0.
Why we're replacing them with something that is vulnerable to the virus-of-the-week, who knows?
When was the last time you saw an OS/2 virus?
All I can say is that if banks are going to go the tried and true route of using Windows as their ATM operating system despite the fact that it has been hit repeatedly by virii through LAN/WAN/Internet access and internal mail virii, then they deserve what they end up getting as a result. Be it often crashing ATM systems or loss of money because said machines decided it was time to release some swelling belly of money thanks to some virii/worm/trojan/etc.
There really is only one good reason why the banks would do this and that is probably because of pre-existing ties with MS.
The real issue that comes to mind is whether or not the bank is liable for choosing a MS based operating system if the particular configuration used was known to be susceptible to attack?
Then again, I suppose banks are probably not too concerned since they are insured for any losses...
Winged Power Photography
Story from The Register from almost a year ago.
I can't figure out why these companies insist on using an insecure, unstable OS that requires license fees and a draconian EULA.
At least Yamaha gets it. We just got in the newest Disklavier Player Piano, and it runs Linux! So does the remote control, which is a Sharp Zaurus with a clamshell keyboard. Very cool setup, and of course very stable.
Yamaha: Smart.
Banking Industry: Stupid.
Lose Weight and Feel Great with Isagenix
From what I understand, Motorola (ahem, Freescale) and IBM are both concentrating a lot on embedded PPC chips for just the same kinds of devices.
I wonder if this could put Apple into an interesting position to sell an easy to configure, commercially guaranteed embedded OS for embedded PPC.
My Photography - http://ian-x.com
The Deathlings (comic) - http://thedeathlings.com
I can't wait for the next Windows virus or worm to take down all the cash machines.
You can't wait? So, let me get this straight. You hope that major portions of a financial infrastructure will get fucked up and make people's lives miserable just so you can say a geeky "told you so!"?
Windows in ATMs is nothing new. Here in Canada, CIBC/americus ATMs use NT 3.x. At the store where I work I've seen the blue screen-o-death a few times.
PetroCanada also used it for their gas systems, including debit machines. They use windows 98(!!). Lots of tills run it too for their Debit transactions.
Looks like it's back to frame relay and ISDN for me.
What kind of FUD is that?
There's nothing endemic to Linux, the GPL or most other open source licenses that restrict selling it.
Typical BillDroid FUD
Senior NCO in the fight against entropy. I've seen things, man. Things no one should have to see.....
Do you not recall when the SQL worms went around.. all the XP embedded cash machines @ one institution went down..
Windows-based ATM crashes happen all the time.
Windows ATMs have been everywhere for awhile -- the days of OS/2 cash machines being the only story in town are long gone.
Nothing to see here, move along.
I've seen a number of different ATMs in all states of disrepair and it seems they have all been running some version of windows ranging from windows 3.x (even after the turn of the century) and some version of NT.
/realistic
At one point in time I was lucky enough to be in a store where someone had dialed in and you could watch them working within windows on the screen, the technician realized this at some point and clicked a button which changed the screen on the ATM to a label indicating the system was being serviced and a clever graphic of a "fix-it" man.
Anyways, if you think about it, yes these machines have always run windows, and probably will continue to do so well into the future, the thing is though, no bank is actually going to put an ATM directly onto the internet. Most all ATMs are going to be accessed over dialup.
I'm very positive that these machines are probably more vulnerable to all kinds of things than most computers on the internet, however to actually have a worm penetrate one of these machines, the affected machine would have to have a modem, the worm would have to start wardialing all kinds of numbers looking for a carrier, once a carrier is picked up, (let's say it does find an ATM machine), it would have to brute force the password (and username if there is one) and then once connected initiate the attack...
but by the time it's done all that it will have already gained access to the atm machine.
This sounds like the thing the Linux community would say.
I highly doubt that ATMs are hooked up to the internet, so normal worms would not apply. Maybe if someone could take out a slew of ATM from the same supplier by hacking in to their network.
Then we have to imagine that the people would use some kind of firewall to protect the machines, and that they have thought about this as any half way intelligent coder/admin would.
That said, Linux has had many a buffer overrun, and has been attacked just as much. Networked computers have serious security issues, regardless of the OS.
Come on slashdot editors, be a bit more professional.
Pox! Pox I say!
DAMN YOU OCTODOG! DAMN YOU TO HELL!
Can someone explain to me why they didn't make the hardware for the ATMs from scratch? An ATM doesn't seem that complicated sort of a device. Could use any sort of micro-controller and write the software in assembly. Sure, getting it to communicate with the main bank-server-thingy might be harder, but I'm sure a bank could afford this.
OK, I guess maybe its just cheaper to use something that already exists (windows).
A more important, but related question: Why the hell do the Diebold voting machines use windows?! Surely they could have been written from scratch using assembly, for a specialised microcontroller. I mean seriously, voting is pretty damn important! (Yes I realise it would be very hard, but when you're dealing with huge sums of money, and it's organised by the government specifically for the most important part of democracy, I'm sure it's doable)...Hrmm.
printf("Goodbye cruel world!\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b");
Actually, that "big joke" was already irrelevant several years ago when MS finally killed their DOS based OS's (95/98/ME). But that being said, I'm actually getting ready (today, maybe) to make a very big MS purchase because one of their products is much more reliable and robust than competing products. I'm using it for ease of use, excellent pricing, and reliability. In fact, I'm expecting this software package that I'm looking at will save me many $1,000's in 2005 alone.
I don't respond to AC's.
I work for a mid-sized financial institution. Right now, our ATMs run OS/2, and the ATM server runs on AIX Unix. However, they are phasing out the AIX server for one that runs Win2k, and we have new ATMs on order that will run some flavor of Windows. I am trying to show management the error of their ways, but to little avail.
When I was in Europe this summer, I crashed several ATMs (usually of the same branch) just by inserting my card, and guess what they all run some version of windows, it looked like 95/98/2000.
Apparently they don't like the way my card is encoded.
It was very annoying trying to find a bank where I could withdraw money from. At one point we were joking around to see how many ATMs we could crash in one day.
In order to (1) catch up with a competitor or perhaps (2) get an "easier" development environment [easier being defined as one where the programmers are commodity and the system doesn't require building graphical components from scratch], 'easy' choices are made.
In the end, the bank isn't doing the development, but purchasing a final product... there are tons of variables to an ATM beyond the underlying OS; and honestly, not all that many large vendors to choose from (and a large bank will almost never choose a small vendor, over concerns for longevity and support). Microsoft has made a major push for Windows in many places and makes it as easy as possible for people in different markets to use their OS. It is really the responsibility of the purchasing organization (in the case of an ATM, the bank or credit union) to choose a good solution. But it's a painful balancing act.
By the way, if you really want to be disturbed by how liability for bad software isn't an issue, think about this: the US Federal Aviation Administration requires that every component put into an aircraft must not fail during the life of the aircraft. The next sentence then exempts software from this limitation.
Okay, so ATMs in the US run windows. In fact there is one in the building my office is in that managed to crash to windows a few months ago. I posted a comment about it with links to movies but I think the movies are dead now. Anyway, this is sorta a rerun of a previous slashdot story.
My Slashdot account is old enough to drink...
I wonder how long til someone injects a virus into the ATM when it reads one's RFID bank card.
Thus, instead of the bank account info, it contains a virus program it buffer overflows the atm.
Let me know when you make your first million selling software for a Linux platform.
Of course, I never go back to the same ATM again when I come across one of these. For the Manchester Slashdotters on here, check out the ATM opposite the BBC building near Spar on Oxford Road on a Friday night. It's almost always bluescreening or displaying the 9x desktop.
slainfu
"I can't be a terrorist if you're sucking my bum."
Well, it was briefly mentioned in the prior /. article that Brazil is home to the world's first deployed OSS ATM software.
Maybe it is worth looking into for others.
Learning HOW to think is more important than learning WHAT to think.
Don't worry though - most UK banks consider it more important to buy what MS sell than to offer good service to customers.
Sent from my ASR33 using ASCII
An ATM need not be much fancier than a gas pump.
It needs:
A card reader.
A cash dispenser.
A video display.
A keyboard input.
A communications channel to HQ.
A printer.
Most run "semi-locally" rather than as completely-dumb terminals.
Most have an "administrator mode" and keep additional local state. For example, they know how much of what kinds of bills they have left.
Most have security cameras, but these need not be "logically" part of the ATM, they can be standalone devices.
Banks have used full-featured ATMs for years. In the early-mid 1990s, OS/2 was the major player. These days it's MS-Windows. 10 years from now, it will probably be something else.
The key security issues with ATMs are:
1) physical security and local encryption of sensitive data in case physical security is compromised, e.g. someone steals the whole ATM.
2) network security - all communications are encrypted
3) isolated network - no direct access to or from the Internet
4) audit trail, e.g. local encrypted recording of all transactions, preferably to write-once media.
I'm sure I left out some things. Please feel free to add.
So, anyone know of any in-use Linux-based ATMs? Even better, anyone know of any totally-Free-and-open-source-software ATMs?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
These machines are already out, although they are not yet common in America (or my part of it). I've seen pics of them blue screen, an example is here http://broken.typepad.com/b/2004/08/atm_running_win.htm Arcade machines running windows aren't uncommon either, a local arcade had a tempest style game that has been blue-screened every time I have been there. I don't pretend to understand why even a die-hard windows user (and I run Windows at home) would want it in an ATM, but there you have it. Many newer ATMs are moving to high-resolution color screens to display more attractive (and annoying) multimedia interfaces.
If you are around for the nightly maintenance cycle in your local post office that has an automated shipping center machine, you'll see a "down for maintenance" screen come up, and a minimized application running.
It runs windows for sure, free postage anyone?
the little atm card and computer unit that kid from Terminator 2 had....screw sixty bucks for the arcade...I am talking a 40-50 grand a pop
I mod down so you can mod up. Your welcome.
How would a virus get in these systems in the first place?
In a well-designed network, the only applications the terminals would run would've been "pre-certified" by the banks as infection-free. Users wouldn't be reading email, visiting untrusted web sites, or otherwise able to load hostile software.
If a bank machine gets a virus, that points to a human error or error in the bank's way of doing business. The fact that it's running on Windows vs. any other particular operating system is just makes the bank's error more costly.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
We had actually looked @ deploying a similar machine @ our bank...until we saw that it was running a completely wide open OS w/ no protection. They refused to put antivirus on it, and we refused to deploy it.
I don't have the relevant article, but Bank of America had a large portion of its ATM network infected earlier this year when a Diebold tech hooked his infected laptop up to one of their machines. :D
I perform certification testing for a large transaction processor, so I have seen most of the ATMs that are in use in the US today. The first Windows based ATM that we saw arrived in 2000, and ran Win98. You had to reboot it every 3 days or it would lock up. Had cool videos running on it, though
Since then, about half the ATMs we have coming through the lab are running some version of Windows, mainly XP Embedded. The other half run proprietary software. Among the legacy ATMs, you'll find OS2 (Diebold and NCR), NT4, Win98, Win2K. There are rumors of Linux based ATMs, but they haven't made it to the market yet.
Now, for one of those things you think of, but never would do: someone needs to write a virus that will specifically target some of these Win-based ATMs. It spreads as a normal virus, but once it recognizes that it's on an ATM, it delays for ~24 hours, then kicks the cash dispenser into high gear, until the machine is empty...
--- This
I remember 2 days after on January 3rd 2000 seeing several ATMs in my area crashed.
They had Windows NT on them. So, I'm not sure where this information comes from that this is a new revelation.
Only the non interactive simple ATMs have the simple proprietary OS any more.
The new multimedia ATMs require a richer background OS.
The other thing I'm aware of is that most cable companies use Windows NT to control their broadband internet servers. Charter often has Windows NT crash screens or just the desktop rebooted on the channel they use (78 in my area) for upstream tests.
I would assume that ATMs are now utilizing broadband rather than just landlines anymore.
Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
Far more likely is leaving the ATM up and transmitting the cardswipe info back to the rat cave.
How about a dual-function worm that just spreads out from regular PCs, looking for ATMs? On finding ATM hardware, it would go into data transmission mode, but not try to spread (to avoid detection).
sigs, as if you care.
I worked in a Brazilian bank (the biggest) for years, in the development of the ATM software, and I think I can state some facts.
Yes, the ATMs run Windows software without the various patches (most NT4.0 SP6, but those are being upgraded to 2K), but some machines (30%) also run OS2 (NCR machines), but those are being upgraded to 2K too. The older machines (not few) still run DOS 6.22.
About the virus/BSOD, I know they are annoying, but they don't represent great security risks. See, the ATM networks are proprietary, closed, constantly monitored and don't have access to the internet.
If the ATM gets some virus, the virus can't do much; no virus has WOSA/XFS (CERN-MS ATM API) commands implemented to do something useful (money withdrawal?).
There are some banks that are migrating to Linux, but the lack of a standard API (WOSA/XFS-like) is a problem. And the banks like to have someone to blame in case of some serious problem (MSFT!).
Sorry for the poor engrish.
My 0.02c
Their cash machines run NT4.
Quite often seen them with a BSOD when I've gone to get money.
Good point. Novell/Suse, Redhat, Mandrake, Xandros, etc. are not really earning any money. They actually are an Enron deal with Texas style accounting and have not earned 1 penny.
The easy way around this is for the public to trust and use only character based ATMs and let the banking industry figure it out themselves.
Honestly, why would there be any need to have pretty colors and hourglass and icons and crap for these devices anyway?
Different question. My personal experiences are not what you made the blanket statement about. Though thank you for the ego boost by seeing my personal history as the history of Linux - quite an undeserved honor. And another example of simplistic thinking.
You said "... can't make money selling Linux..."
Granted, many places don't make money selling Linux, but that's not because they can't. Many choose not to. Instead they use a different income model to feed their business. Selling services being one popular flavor.
In the meantime, you may want to take a look at the earnings statements for such places as HP, IBM, RedHat, SUSE, etc, etc, etc....
Quite a few places are gaining duckets selling linux and/or Linux services - just cuz you can't figure out how to don't mean it can't be done.
Senior NCO in the fight against entropy. I've seen things, man. Things no one should have to see.....
The problem is that private networks are expensive. A business can save a lot of money in telecommunications costs by replacing their private network with the Internet. It's hard to argue against saving massive amounts of money every month by saying it exposes new security vulnerabilities. Someone will say "We will just add a firewall, problem solved. Let's play golf!".
Mea navis aericumbens anguillis abundat
This story submission makes me long for the good old days of ATMs, when the machines ran on OS/2 2.x instead of WinNT 3.x.
I myself shed a tear for yesterday.
A very non-trivial part of the cost of living today is what I call the "evil perp tax". It's the hidden costs of things like computer viruses, spam, greedy people filing absurd and frivolous lawsuits, etc.
Even a sloppy IT shop spends 10% of its budget on spam, virus and security-related issues. A wise IT shop typically spends 20% to 30%. That cost gets passed on to the consumer. The high cost of medicine? Malpractice suits, class action suits, insane regulation, and insurance and lawyers out the wazoo. In the 80s, it was determined that something like 40% of the cost of the average motorcycle was directly or indirectly related to greed-motivated litigation. I can assure you that well in excess of 10% of internet access and use costs are related to spam and viruses, never mind more traditional security issues.
So even if "your" money is safe, it's worth far less than it could be because of just the sorts of issues you are pooh-poohing.
there used to be a good site out there that had bsod photos from atms etc. -- there's a few matches in google but not the page i remember -- anyone know the site?
someone wrote a virus specifically targeted to cash machines to cause one of the following effects :)
1) Steal card & pin numbers and send them to someone
2) That just made the cash machine dispense all its money randomly
I thought those $20's with Bill Gates face on it seemed rather odd.
No Nyarlathotep, No Chaos
Know Nyarlathotep, Know Chaos
A couple years ago, the hospital where I work replaced its medication dispensing machines (where the nurses get the medications for their patients) with new ones. The new machines run on Win2k -- not a stripped down, embedded version, but the full she-bang. About a week after the new machines were installed, they became infected with the latest exploit-du-jour (don't remember exactly which anymore) and became unusable. It was not pretty. Granted, this probably could have been avoided if things like IIS, ActiveX, and suchlike had been disabled on the machines, but still it points to the danger in implementing a one-size-fits-all solution like Windows on a dedicated-purpose machine like these medication machines -- or ATMs for that matter.
See here for a funny precedent of a windows system employed in a warship.
AFAIK 2 large banks at the least, Wells Fargo and Bank of America, have a number of NT based ATMs totalling more than 540 and 2,500 respectively, yet with all these I've never heard of one getting a virus.. Although the likelihood of a big bank alerting people to the fact their ATMs are insecure may not be the best idea.. http://www.atmmarketplace.com/research_story.htm?article_id=13527&pavilion=18
.02
The numbers are near the bottom of the article which is mostly focused on the move to personalize advertising to the user and how NT based systems have helped make this transition easier to implement.
The difference between your average PC on the net and these ATMs, however, is how secure their network and physical environments are. Most ATMs I've seen are made by Diebold and Fujitsu but there are many many more, and last I checked (I'm sure you'll correct me if I'm wrong) they all used proprietary hardware crypto and private frame-relay links, or private ATM networks not connected to the internet, thus limiting their availability to those who have, or could procure, access to these networks.
In addition, the likelihood of commonly exploited services running on an NT box for an ATM is relatively low.. I can't imagine, or maybe just don't want to think, the engineers for hundred-billion dollar a year banks are dumb enough not to lock down an NT box.. Not to mention having no access to keyboard or terminal access other than a number pad, the options get more and more limited. These companies have spent billions to make these boxes the most secure on the planet and they've gotten good at it.. While the software may lag behind, it's not *that* far behind..
I think the likelihood of NT taking a sh*t, BSOD'ing, and stealing your ATM card is probably the worst an NT based ATM could deliver in terms of negative user impact.
- my
Wisest is he who knows he does not know.
Michael is susceptible to the AIDS virus.
"Hardware-based network worm filtering"
Do they mean a firewall? Yeah, that's a good start. You'd think they would have implemented that from day one.
Previously, OS/2 was the OS of choice for ATM machines, mostly because most ATMs were attached to an IBM controller and communicated with an IBM mainframe via SNA (DLSW over IP mostly).
OS/2 is a little hard to buy these days, and the back-end connections are migrating away from SNA to TCP/IP as it's a hell of a lot easier to maintain a pure IP network. Any ATM purchased within the last several years uses Windows NT, 2000, or XP as their operating system.
In other words, you've been getting cash from a Windows box for years already. The sky isn't falling.
Eagles may soar, but weasels don't get sucked into jet engines.
My Linux Command of the Day site : LCOD
I've noticed quite a few cash points at HSBC have been switched over to Windows, they look very pretty compared to the old text menus but they're also really slow, taking much more time than the previous OS/2 installed base.
:/
They also don't ask if you need a follow-up service once you've made a selection
... http://cubalan.net.nz/kiwibank/
Confidence inspiring++
I will go as far as to say my very respected bank, Postbank NV, Nederland might be playing with Windows. I've never seen a BSOD or a Windows popup (the ultimate embarrassment for a financial institution); it seems there may be some NT in use (all BSOD and pop-ups suppressed). They do use PCs which sadly are labeled as Windows machines.
Postbank is dedicated to Unix where it matters -- Solaris and more recently OpenBSD. Going offtopic a bit, a group of hackers challenged a crashed XP system for giving the times for our NS train (wrong of course, but a demand for a refund failed).
Best advice: Emulate Windows but NEVER give in to Microsoft for 'mission critical' software. Unix is universal in Nederland and Windows is simply an embarrassment. It's time to see the Inferior Operating System see its demise. The i386 is dead and so is Microsoft.
It's funny how I can read a story and immediately determine whether it was posted by Michael without looking at the byline. Your submissions are always so slanted and filled with FUD that it takes away from anything serious that you might actually be saying.
I don't even bother reading Your Rights Online anymore, since they are nearly always filled with gross inaccuracies.
I had hoped that this awful behavior was behind us when Sengan left. Apparently not.
just cuz you can't figure out how to don't mean it can't be done
I'm not debating the ability of large corporations to be successful licensing Linux and related software, but I don't fully understand why the romantic aspects of becoming a skilled developer for Linux seem to outweigh the financial benefits of being a skilled developer for Windows, within this community at least.
Yes, these companies are successful, but it is much more difficult for a small business, or individual to draw success in the same way.
Which was a valid concern........FOR 1998
NOW MOVING ON to 2004 things have changed. Many of you, which I expect would be at the very least a little knowledgeable about technology act the same as my manager: mention anything Microsoft to him and he'll start going about WINDOWS NT4.0 and how messed up it was. Which is very wrong to think that way about Windows NT in 2004.
I am not trying to protect Windows. I do not care, but that is the truth
UNIX has always been the choice OS for *endurance*, be it uptime, running critical apps or keeping hackers at bay, but why shouldn't Windows get a shot at it? After all, don't we love to see Linux enter as many markets as possible?
If successful, Windows share in ATMs will grow. WHY NOT? We want competition, right? Then let it flow freely. If Windows fuks up then that'll be it for that market as far as Windows is concerned.
I am not thrilled to see Windows in such a volatile mission. Not a bit.....but at the same time, I am not as worried as my BOSS is about Windows NT 4.0
The phaomnneil pweor of the hmuan mnid. Fcuknig amzanig eh!
Fleet ATMs use OS/2 Warp. ;) Not that it's really ... pertinent to this discussion.
"I can't wait for the next Windows virus or worm to take down all the cash machines."
People who make comments like this always amaze me because they probably don't know anything about the different versions of embedded Windows (or embedded systems in general for that matter). They just hear the word "Windows" and automatically scream "WORMS! VIRUSES!" The sad thing is that the writer probably already has a device running embedded Windows and just doesn't know it!
Oh crap, I better go install the latest A/V update for my xbox before the next Windows worm takes it down!!
Dick Cheney's Pacemaker Runs Windows 95; "Blue Screen of Death" Now Ironic.
I'm all too aware of the issues you point out because it is part of my job to uncover these types of things. Your point is taken :-)
The cost for banks doesn't necessarily show up against my checking or savings account though. But it does have to show up in their receivables somehow. That tends to bite people who borrow from my bank. Since I'm not obligated to borrow money from the bank I have a checking account with, I am free to shop for those services from the lowest bidder. It's incumbent on the bank to drive its costs down so that they derive the greatest profit.
The only thing I think I need to be worried about is if the government gets involved. Increased costs of laws, regulations, enforcement, prosecution and punishment, etc is where I think I get dinged.
on a Wells Fargo (i think) ATM a couple of years ago. Unfortunately, none of the ATM keys were considered an 'any key' so that i could continue.
Don't Nationwide's ATMs already run Windows? I once went up to one of their cashmachines only to see "C++ Runtime Error" in the typical Win95/98/Me/NT/2000 window decoration.
Fat people are hard to kidnap
Gives new meaning to the Blue Screen of Death, now doesn't it?
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
Slashdot's team of ms-bashers, need to learn a few things.
1) Don't make up stories.
2) Don't tell lies.
3) Offer constructive criticism.
4) If you think linux would be better, show some damned links with a PRODUCTION released application that can replace it for the same price if not lower.
5) Get off the hate-wagon and actually read the specs of how things work before sticking your foot in mouth.
6) Any group that relies on lies and trash talk, fails due to people not being able to TRUST THE SOURCE.
7) Behaving like little babies and banning entire ip-blocks because the editors can't take the truth will not encourage visitors to return, nor will it help the "word of mouth" effect concerning your credibility.
Stop acting like politicians slinging mud because you have nothing constructive to offer!!
Show me a Linux system that can be dropped into the system to replace the current devices...or just go whine and cry in the corner over the big bad evil MS OS yet again...(while there, RTFM on how to actually secure the OS, or is that too much to ask of a group that is more than happy to read all the MAN pages and heaps of Linux docs...)
Last one I saw at CIBC was running NT4
The point is, there is no real difference. The basis of making money is to sell something someone will buy. That has *nothing* to do with whether or not it'll run on Windows, *nix, Mac or your Daddy's '57 Packard.
YOU seem to see a difference, somehow, and that's what's limiting your options.
In order to be successful selling - well, anything - you just have to have something someone will buy. It doesn't even have to be WORTH buying!!
I've yet to see how the GPL, Linux or anything even slashdotish has anything to do with that one way or the other.
If you can't sell water - sell the bottle it comes in. It's sure worked for Evian.
Again, just because you can't seem to find a way to do it doesn't mean it can't be done.
Senior NCO in the fight against entropy. I've seen things, man. Things no one should have to see.....
Sounds like the teller person is sharing his/her terminal with the ATM or something, and once in a while he jumps into the internet and starts reading email on IE.
/I didn't rtfa
How could an ATM be infected? How would ATMs open a virus attachment?
Do ATMs use the internet to communicate to their main hub?
just because you can't seem to find a way to do it doesn't mean it can't be done
Alright, great, I understand all of your points. However, the market for *nix software is minuscule when compared to the market for Windows software; so - what's the big draw into the *nix community? I mean, I could go write some fantastic software for *nix, but there's no consumer market to sell it to. On the other hand, I can write some crappy software for Windows and sell it because the market exists to do so. What I am trying to understand is why everybody who is very devout to *nix is so devout.
Now, for one of those things you think of, but never would do: someone needs to write a virus that will specifically target some of these Win-based ATMs. It spreads as a normal virus, but once it recognizes that it's on an ATM, it delays for ~24 hours, then kicks the cash dispenser into high gear, until the machine is empty...
I can see that you are trying to make a point about the insecurity of windows, but given what you do for a living I would be very surprised if that comment didn't get you in serious trouble if your boss saw it.
A latent existence
Around 1998/1999 I remember seeing an ATM at my university (University of Southampton) displaying a very pretty Windows NT Blue Screen Of Death. Then it was a bad idea, it still is now...
So... I suppose once someone bothers to find an exploit for the Windows Embedded that the new postal machines run ("Automated Postal Center") there will be a rampant script-kiddies march on to print free stamps (which, perhaps, would be not so successful as there is a main repository of printed stamps in the system) :), or, even worse -- attempts to inject into the software some spyware, collecting debit and credit card numbers, and giving them back once a certain combination of "screen clicks" is performed (or sending them off to some Chinese website, if there is a way to sneak into the internet from the machine).
Hyperom.com
Why in the hell would you--and other idiots like you--wish viruses upon the property of systems?
I have been a Mac user since back in the days when it was not cool to the mainstream computer user market to use Macs (1980s), and a Linux user since the mid 1990s when Linux was not as popular as it is now. I have never liked Microsoft. But I have better sense than to side with those who distribute viruses or to wish harm upon those who do use Microsoft products. Get some sense, grow up, etc, Idiot!
By the way: There are a lot of people whose lives are affected in many unfortunate ways such that they experience constant misfortune and suffering. They are the chronically poor, they are handicapped people, they are minorities--people who often are in despair. Perhaps if you were one (which I doubt is the case), you would not think the way you do. You ass!
Yes, it's only software... But the greater issue is that you and others like you applaud crime, misfortune, and torment towards others.
I have seen them error out with the error on screen and they were W2k or NT4 depending on the bank. Also the train online pickup for tickets uses NT4 and those are constantly crashing. Go Railtrack, sorry, Network Rail or whatever it is named this month.
I was thinking of the immortal words of Socrates, who said: "I drank what?" - Chris Knight (Val Kilmer)- Real Genius
Look, maybe the guy's a billionaire. It would explain why he's wasting time on /. instead of doing his actual job.
If an ATM is susceptible to worms, it's susceptible to direct hacking too. I don't know about the Slashdot editors, but I'm more worried about someone stealing my money than I am about them crashing my bank's ATMs.
The shareholder is always right.
It's not impossible to secure a Windows system for limited public use against unknown viruses and most profitable known attacks. For one, you would firewall incoming traffic.
I used to work for a company that sold and serviced ATMs of various brands and also wrote some custom (smart-card processing) software to go along with the hardware.
This was in late 90s, and at that moment Siemens used WindowsNT, Bull used DOS (!), IBM (aka Diebold) used OS/2 3.0, experimented with OS/2 4.0 and considered moving to Windows, NCR was OS/2 2.0 (!) and was actively moving onto Windows too.
The trend was very clear, I doubt it changed. 2c
3.243F6A8885A308D313
In September, while waiting for my red-eye out of Vegas, I noticed one of the monitors behind the counter at my gate was at a console password prompt. The attached computer was running Windows. I told the attendant about it so that Joe Hacker would see the wrong thing.
-Slashdot Junky
.
Landfill Mining Co.
Managing the (Un)natural Resources of Tomorrow
I prefer the approach taken by this Kiwi ATM (Queenstown, 1999)!
http://shit.slashdot.org/article.pl?sid=04/10/29/1711210
There was apparently a goof by the slashdot editors. I thought the same thing, but 2 minutes later the link to the second article appeared.
Malike Bamiyi wanted my assistance.
I can't wait for the next Windows virus or worm to take down all the cash machines.
Your statement assumes that the ATMs will be connected directly to the Internet instead of keeping a direct secure connection to the bank. Anyone that has their ATMs dial into AOL deserves what they get...
"I can't wait for the next Windows virus or worm to take down all the cash machines."
Who uses cash machines anymore? I can't remember the last time I used one. Checkcards are taken almost everywhere and I get cash back from the grocery store each week for small misc items.
Not only has there been a virus which infected the Dutch ATMs (Windows 9x), a quick search in Yahoo! showed me links to articles about virus attacks on US ATMs.
Come on jolly old British Empire, are you falling behind on the rest of the world? Prove you too can be a world leader again and can have virus infected ATMs.
'I am become Shiva, destroyer of worlds'
Some U.S. states run ATMs on Windows. Customers went up to bank machines one day only to see:
Press Ctrl-Alt-Del to login
I'm from Slovenia and here, the ATM machines are running Windows NT 4. I only found this out about half a year ago when I walked up to an ATM and saw a blue screen staring at me with the Windows build version on it in the upper left corner.
As a Linux user, this scares me silly.