Slashdot Mirror


ATMs Susceptible to Windows Viruses

Kernkraft400 writes "First there was Windows for Warships, now the same operating system used to power millions of home PCs is likely to be used for cash machines in the UK. I can't wait for the next Windows virus or worm to take down all the cash machines."

27 of 403 comments

  1. This story is missing something by Anonymous Coward · · Score: 5, Informative

    Like the actual story: ATMs in peril from computer worms? The Register seems to believe it's partly a scare tactic to sell antivirus software, though.

    1. Re:This story is missing something by AKAImBatman · · Score: 5, Informative

      Except that it has already happened. Can anyone guess who the ATM manufacturer was? (Here's a hint: They make lousy voting machines.)

    2. Re:This story is missing something by julesh · · Score: 5, Informative

      I would hope that the lesson here has been learned: a mission-critical service (which ATMs are, these days) should be firewalled from everything that it reasonably can be, and should not be running unnecessary services.

      The ATMs should be running a custom application to drive the user interface which just pipes its data over an encrypted byte-stream protocol (maybe SSH, maybe something else, I don't know) to a central authorisation server. It should be able to accept a 'status query' request from a machine located in the branch that periodically checks that the ATMs are running and still have cash. These are the only services that are required. Everything else should be disabled. Everything else should be firewalled.

      As long as banks follow these security precautions (and I've worked at a UK bank before now -- they're pretty hot on security, as a rule) they should not be susceptible to virus/worm infection, except by a custom-written worm that exploits security flaws in the custom ATM software... and at this point it doesn't matter what OS you're using.
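An added example, not part of the thread: the default-deny policy julesh describes (one outbound encrypted stream to the authorisation server, one inbound status query from the branch, everything else dropped) written as a small rule evaluator. The addresses, port numbers and sample packets are assumptions constructed for illustration; the sample includes UDP 1434 and TCP 135, the ports targeted by the Slammer and Welchia worms mentioned elsewhere in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    direction: str   # "in" = towards the ATM, "out" = from the ATM
    proto: str       # "tcp" or "udp"
    peer: str        # CIDR the remote side must fall inside
    port: int        # destination port
    label: str

# Hypothetical addresses and ports, assumed for illustration only.
POLICY = [
    Rule("out", "tcp", "10.0.0.10/32", 22, "encrypted stream to authorisation server"),
    Rule("in", "tcp", "10.20.0.5/32", 9100, "status query from branch monitor"),
]

def decide(packet, policy=POLICY):
    """Return the label of the rule that permits the packet, or None (default deny)."""
    direction, proto, peer, port = packet
    for rule in policy:
        if ((rule.direction, rule.proto, rule.port) == (direction, proto, port)
                and ip_address(peer) in ip_network(rule.peer)):
            return rule.label
    return None

def denied(packets, policy=POLICY):
    """Packets that no rule permits; on a locked-down ATM segment each is worth an alert."""
    return [p for p in packets if decide(p, policy) is None]

# Constructed sample traffic (not captured data).
SAMPLE = [
    ("out", "tcp", "10.0.0.10", 22),     # transaction traffic
    ("in", "tcp", "10.20.0.5", 9100),    # branch monitor polling
    ("in", "udp", "10.20.0.77", 1434),   # SQL Server resolution port targeted by Slammer
    ("in", "tcp", "10.20.0.77", 135),    # RPC endpoint mapper targeted by Welchia
    ("in", "tcp", "10.20.0.77", 9100),   # status query from a host that is not the monitor
    ("out", "tcp", "203.0.113.9", 22),   # ATM trying to reach an unknown host
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, "->", decide(p) or "DROP")
```
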

    3. Re:This story is missing something by Albanach · · Score: 2, Informative

      Yep, the BBC are also running a current story which was perhaps supposed to be included too.

  2. It's bound to happen by networkBoy · · Score: 4, Informative

    I've seen an ATM at Target (big retailer in US) reboot after a "power interruption" and it was running NT3.51 :o
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    1. Re:It's bound to happen by networkBoy · · Score: 4, Informative

      "Actually, 3.51 had a reputation for being relatively bulletproof."

      Yes it did, and in fact I still used it personally for a very important server for quite a while. The point is that there are a ton of exploits available even from a user level. The best part about this ATM was the existence of a floppy drive and keyboard & mouse port behind a relatively flimsy lock and piece of sheet metal on the service hatch (not the money side of the box). Though I never got a chance to sit down and have a chat with this machine, just think what someone could have done if they had long duration access (say working the night shift)?
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    2. Re:It's bound to happen by cygnusx · · Score: 2, Informative

      HSBC in India still runs OS/2 1.3 on its ATMs (that's the (c) Microsoft version).

  3. Re:Well... by VE3ECM · · Score: 2, Informative
    I really find it hard to believe that ATM's are using windows based OS

    Oh, believe it. For example, the Wachovia machines at Penn Station in NYC are running some custom Win 3.1 implementation. I stood from a distance and watched the ATM repair man fix them once. He had to open them up, pull out some sort of mini keyboard (a la the same types you'll see to attach to a tablet PC) and boot that sucker into Win 3.1.

    That being said, a lot of those Bank of America commercials you see now lauding all those great new features (scanning bills onto the screen, no envelopes to deposit) are all running a custom Windows XP Embedded built especially for ATMs.

    If I can find a link, I'll reply to this thread again.

  4. Re:RTFA by Jucius+Maximus · · Score: 2, Informative

    Up until recently, a large bulk of North America's ATM's ran OS/2, but the service contracts and support from IBM started to run out. Alas, some banks chose to pick up Microsoft for their new ATMs.

  5. Wells Fargo and Diebold 2 years ago. . . by TimmyDee · · Score: 5, Informative

    This did already happen, two years ago I believe, to Diebold ATMs. When it did, I called Wells Fargo (my bank) and asked them what brand of ATMs they use. I got the old, "Why would you want to know that?" question edged with a fair amount of suspicion. I explained that I didn't want an ATM that I used often to be compromised by a virus. I was forwarded to the manager. He ended up giving me a runaround about how Wells Fargo guarantees all transactions on their ATMs and any fraudulent use is refunded. No straight answer on whether they used Diebold ATMs with Windows.

    Of course, I went to a few of the ATMs I used and checked them out. All Diebolds. I'm not sure if they were running Windows, but I can assume so. Why would the bank give me such a hard time about who supplied their ATMs? Obviously it wasn't that difficult to just go and find out. It makes me a bit wary that they're trying to implement security through secrecy (let alone secrecy that's not that secret). Plus, being a customer I feel like I have the right to know how my money is handled and what possibilities there are for it being stolen.

    --
    Per Square Mile, a blog about density
  6. Re:RTFA by TykeClone · · Score: 2, Informative
    NCR is starting to phase out OS/2. The computers that drive the ATMs continue to get newer, and ADA requirements are for them to talk - so Windows (with support for more sound cards and other hardware) is a natural way to go.

    I'm not arguing that they'd be better off installing gentoo or red hat on those machines, I'm just saying that it's the way it is.

    --
    A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
  7. Because IBM's dropping support ... by nbvb · · Score: 5, Informative

    The reason you're seeing banks deploy new ATM's at a rapid clip this year is because IBM is dropping support for "vintage" OS/2 releases.

    Not for OS/2 Warp 4 (That's supported through 2006 at least), but for the earlier releases (3, 2.x, 1.x)...

    I believe that most ATM's were based on either OS/2 1.3 or 2.0.

    Why we're replacing them with something that is vulnerable to the virus-of-the-week, who knows?

    When was the last time you saw an OS/2 virus?

  8. Re:(Very) old news by DogDude · · Score: 4, Informative

    Not that this means too much (apart from the annoyance factor) though, I've never lost any money due to an ATM crash - I'm pretty sure the system is designed so that the central machine does all the secure stuff, with the ATM being not much more than a calculator keypad.

    Actually, this is why "real" databases like Oracle & DB2 are used. They have that nifty little "commit" and "rollback" functionality (part of ACID) that makes it incredibly unlikely that even in the event of a major event at the client, you're not going to be fubar'ed. That, and true fault tolerance (you can throw the power on a working Oracle database, and 9 times out of ten, it'll be just fine when it comes back).

    --
    I don't respond to AC's.
  9. Happens all the time. by nazgul000 · · Score: 3, Informative

    Windows-based ATM crashes happen all the time.

    Windows ATMs have been everywhere for awhile -- the days of OS/2 cash machines being the only story in town are long gone.

    Nothing to see here, move along.

  10. Re:Misleading Title by The+Bungi · · Score: 1, Informative
    And uh, it would have happened to them if they had been using Linux as well - surely you haven't forgotten last year when Debian, GNU and Gentoo all got rooted because of a remote vuln, mmm?

    The number of actual remote vulnerabilities that affect Windows and other Microsoft servers is damn low - as low as Linux and other Unix OSes. What most slashbots orgasmically call "viruses" are worms that require user intervention to infect the machine.

    For a properly configured NT box, a BSOD is about as common as a kernel panic. And you'd be stupid to let an ATM be connected to the 'net, regardless of what OS you were using.

    This is just another "OMFG WINDOZE IS TEH SUXXORZ!!!1!! HAHAHAHA!!!1!" slashbork fest. Nothing more, nothing less.

  11. OpenSource ATM Software? by chill · · Score: 2, Informative

    Well, it was briefly mentioned in the prior /. article that Brazil is home to the world's first deployed OSS ATM software.

    Maybe it is worth looking into for others.

    --
    Learning HOW to think is more important than learning WHAT to think.
  12. Re:What Virus? by advocate_one · · Score: 3, Informative
    well there must be something to it as it's being reported by the BBC... and windows powered ATMs have already been taken out by worms...

    Already, he said, there have been four incidents in which cash machines have been unavailable for hours due to viruses affecting the network of the bank that owns them.
    In January 2003 the Slammer worm knocked out 13,000 cash machines of the Bank of America and many of those operated by the Canadian Imperial Bank of Commerce.
    In August of the same year, cash machines of two un-named banks were put out of action for hours following an infection by the Welchia worm.
    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  13. No problem at all by cbx_cbx · · Score: 3, Informative

    I worked in a Brazilian bank (the biggest) for years, in the development of the ATM software, and I think I can state some facts.

    Yes, the ATMs run Windows software without the various patches (mostly NT4.0 SP6, but those are being upgraded to 2K), but some machines (30%) also run OS/2 (NCR machines), and those are being upgraded to 2K too. The older machines (not few) still run DOS 6.22.

    About the virus/BSOD, I know they are annoying, but they don't represent great security risks. See, the ATM network is proprietary, closed, constantly monitored and doesn't have access to the internet.

    If the ATM gets some virus, the virus can't do much; no virus has WOSA/XFS (CERN-MS ATM API) commands implemented to do something useful (Money withdraw?).

    There are some banks that are migrating to Linux, but the lack of a standard API (WOSA/XFS-like) is trouble. And the banks like to have someone to blame in some serious problem (MSFT!)

    Sorry for the poor engrish.

    My 0.02c

  14. Re:Try again by d34thm0nk3y · · Score: 2, Informative

    " I can't wait for the next Windows virus or worm to take down all the cash machines."

    What an irresponsible thing to say.


    MS Blaster (I think) did actually take down all of the Bank of America ATM's in Seattle, WA a while back.

  15. Re:(Very) old news by Anonymous Coward · · Score: 3, Informative

    Google is your friend.

  16. This is nothing new... by MadHakish · · Score: 2, Informative

    AFAIK 2 large banks at the least, Wells Fargo, and Bank of America have a number of NT based ATM's totalling more than 540 and 2,500 respectively yet with all these I've never heard of one getting a virus.. Although the likelihood of a big bank alerting people to the fact their ATM's are insecure may not be the best idea.. http://www.atmmarketplace.com/research_story.htm?article_id=13527&pavilion=18
    The numbers are near the bottom of the article which is mostly focused on the move to personalize advertising to the user and how NT based systems have helped make this transition easier to implement.
    The difference between your average PC on the net, and these ATM's however is how secure their network and physical environments are. Most ATM's I've seen are made by Diebold and Fujitsu but there are many many more, and last I checked (I'm sure you'll correct me if I'm wrong) they all used proprietary hardware crypto and private frame-relay links, or private ATM networks not connected to the internet thus limiting their availability to those who have, or could procure access to these networks.
    In addition the likelihood of commonly exploited services running on an NT box for an ATM is relatively low.. I can't imagine, or maybe just don't want to think the engineers for hundred-billion dollar a year banks are dumb enough not to lock down an NT box.. Not to mention having no access to keyboard or terminal access other than a number pad the options get more and more limited. These companies have spent billions to make these boxes the most secure on the planet and they've gotten good at it.. While the software may lag behind, it's not *that* far behind..
    I think the likelihood of NT taking a sh*t, BSOD'ing, and stealing your ATM card is probably the worst an NT based ATM could deliver in terms of negative user impact.
    - my .02

    --
    Wisest is he who knows he does not know.
    1. Re:This is nothing new... by MadHakish · · Score: 2, Informative

      I should have kept reading.. seems a couple Diebolds were infected last year..
      http://www.theregister.co.uk/2003/11/25/nachi_worm_infected_diebold_atms/

      --
      Wisest is he who knows he does not know.
  17. Nothing new by Anonymous+Psychopath · · Score: 2, Informative

    Previously, OS/2 was the OS of choice for ATM machines, mostly because most ATMs were attached to an IBM controller and communicated with an IBM mainframe via SNA (DLSW over IP mostly).

    OS/2 is a little hard to buy these days, and the back-end connections are migrating away from SNA to TCP/IP as it's a hell of a lot easier to maintain a pure IP network. Any ATM purchased within the last several years uses Windows NT, 2000, or XP as their operating system.

    In other words, you've been getting cash from a Windows box for years already. The sky isn't falling.

    --

    Eagles may soar, but weasels don't get sucked into jet engines.

  18. Just look at what the Diebold down the road did... by Mish · · Score: 2, Informative

    ... http://cubalan.net.nz/kiwibank/

    Confidence inspiring++

  19. Re:I don't understand by westlake · · Score: 3, Informative
    Here are some facts about ATMs:

    About 20% of ATMs world-wide run Windows. Banks are slow to migrate because of the cost. But the OS/2 systems out there are getting really, really old. Regulators want better encryption, audio support. IT wants TCP/IP. Marketing wants check recognition, targeted ads. You get the idea.

    70% of ATMs purchased by banks in 2004 will run Windows, up from 10% in 2001. Minimum specs for a new ATM, a P III or faster processor, with 256 MB RAM and an NIC. Investing in the ATM channel

  20. Re:Windows ATMs in europe crash with US cards by hashts · · Score: 1, Informative

    I was also in Europe about a month ago and used my US ATM card everywhere with no problems. Only problem I had was when a Rome ATM couldn't communicate with the central Auth server. Other than that, I used my ATM card in 10 different countries with no problems at all.