ATMs Susceptible to Windows Viruses

Kernkraft400 writes "First there was Windows for Warships, now the same operating system used to power millions of home PCs is likely to be used for cash machines in the UK. I can't wait for the next Windows virus or worm to take down all the cash machines."

This story is missing something

Like the actual story: ATMs in peril from computer worms? The Register seems to believe it's partly a scare tactic to sell antivirus software, though.

Re:This story is missing something

[AKAImBatman]

Except that it has already happened. Can anyone guess who the ATM manufacturer was? (Here's a hint: They make lousy voting machines.)

Re:This story is missing something

[julesh]

I would hope that the lesson here has been learned: a mission-critical service (which ATMs are, these days) should be firewalled from everything that it reasonably can be, and should not be running unnecessary services.

The ATMs should be running a custom application to drive the user interface which just pipes its data over an encrypted byte-stream protocol (maybe SSH, maybe something else, I don't know) to a central authorisation server. It should be able to accept a 'status query' request from a machine located in the branch that periodically checks that the ATMs are running and still have cash. These are the only services that are required. Everything else should be disabled. Everything else should be firewalled.

As long as banks follow these security precautions (and I've worked at a UK bank before now -- they're pretty hot on security, as a rule) they should not be susceptible to virus/worm infection, except by a custom-written worm that exploits security flaws in the custom ATM software... and at this point it doesn't matter what OS you're using.

It's bound to happen

[networkBoy]

I've seen an ATM at Target (big retailoer in US) reboot after a "power interruption" and it was running NT3.51 :o
-nB

Re:It's bound to happen

[networkBoy]

" Actually, 3.51 had a reputation for being relatively bulletproof."

Yes it did, and in fact I still used it personally for a very important server for quite a while. The point is that there are a ton of exploits available even from a user level. The best part about this ATM was the existance of a floppy drive and keyboard&mouse port behind a relatively flimsy lock and piece of sheetmetal on the service hatch (not the money side of the box). Though I never got a chance to sit down and have a chat with this machine, just think what someone could have done if they had long duration access (say working the night shift)?
-nB

Wells Fargo and Diebold 2 years ago. . .

[TimmyDee]

This did already happen, two years ago I believe, to Diebold ATMs. When it did, I called Wells Fargo (my bank) and asked them what brand of ATMs they use. I got the old, "Why would you want to know that?" question edged with a fair amount of suspicion. I explained that I didn't want an ATM that I used often to be compromised by a virus. I was forwarded to the manager. He ended up giving me a runaround about how Wells Fargo guarantees all transactions on their ATMs and any fraudulent use is refunded. No straight answer on whether they used Diebold ATMs with Windows.

Of course, I went to a few of the ATMs I used and checked them out. All Diebolds. I'm not sure if they were running Windows, but I can assume so. Why would the bank give me such a hard time about who supplied their ATMs? Obviously it wasn't that difficult to just go and find out. It makes me a bit weary that they're trying to implement security through secrecy (let alone secrecy that's not that secret). Plus, being a customer I feel like I have the right to know how my money is handled and what possibilities there are for it being stolen.

Because IBM's dropping support ...

[nbvb]

The reason you're seeing banks deploy new ATM's at a rapid clips this year is because IBM is dropping support for "vintage" OS/2 releases.

Not for OS/2 Warp 4 (That's supported through 2006 at least), but for the earlier releases (3, 2.x, 1.x)...

I believe that most ATM's were based on either OS/2 1.3 or 2.0.

Why we're replacing them with something that is vulnerable to the virus-of-the-week, who knows?

When was the last time you saw an OS/2 virus?

Re:(Very) old news

[DogDude]

Not that this means too much (apart from the annoyance factor) though, I've never lost any money due to an ATM crash - I'm pretty sure the system is designed so that the central machine does all the secure stuff, with the ATM being not much more than a calculator keypad.

Actually, this is why "real" databases like Oracle & DB2 are used. They have that nifty little "commit" and "rollback" functionality (part of ACID) that makes it incredibly unlikely that even in the event of a major event at the client, you're not going to be fubar'ed. That, and true fault tolerance (you can throw the power on a working Oracle database, and 9 times out of ten, it'll be just fine when it comes back).

Happens all the time.

[nazgul000]

Windows-based ATM crashes happen all the time.

Windows ATMs have been everywhere for awhile -- the days of OS/2 cash machines being the only story in town are long gone.

Nothing to see here, move along.

Re:What Virus?

[advocate_one]

well there must be something to it as it's being reported by the BBC... and windows powered ATMs have already been taken out by worms...

Already, he said, there have been four incidents in which cash machines have been unavailable for hours due to viruses affecting the network of the bank that owns them.
In January 2003 the Slammer worm knocked out 13,000 cash machines of the Bank of America and many of those operated by the Canadian Imperial Bank of Commerce.
In August of the same year, cash machines of two un-named banks were put out of action for hours following an infection by the Welchia worm.

No problem at all

[cbx_cbx]

I worked in a brazilian bank (the bigest) for years, in the development of the ATM software, and i think i can say some facts.

Yes, the ATMs run Windows software without the varrios patches (Most NT4.0 Sp6, but those are being upgraded to 2k), but some machines (30%) also run OS2 (NCR machines) but those are being upgraded to 2Kd too. The older machines (not few) still runs DOS6.22

About the virus/BSOD, i know they are anoyng, but dont represent great security risks. See, the ATM network are proprietary, closed, constantly monitored and dont have access to internet.

IF, the ATM get some virus, the virus cant do much, no virus has WOSA/XFS (CERN-MS ATM API) commands implemented to do something usefull (Money withdraw?).

There are some banks that are migrating to linux, but the lack of standard API (WOSA/FXS-like) are a trouble. And the banks like to have someone to blame in some serious problem (MSFT!)

Sorry for the poor engrish.

My 0.02c

Re:(Very) old news

Google is your friend.

Re:I don't understand

[westlake]

Here are some facts about ATMs:

About 20% of ATMs world-wide run Windows. Banks are slow to migrate because of the cost. But the OS/2 systems out there are getting really, really old. Regulators want better encryption, audio support. IT wants TCP/IP. Marketing wants check recognition, targeted adds. You get the idea.

70% of ATMS purchased by banks in 2004 will run Windows, up from 10% in 2001. Minimum specs for a new ATM, a P III or faster processor, with 256 MB RAM and an NIC. Investing in the ATM channel