Slashdot Mirror

← Back to Stories (view on slashdot.org)

ATMs Susceptible to Windows Viruses

Posted by michael on from the hide-money-under-mattress dept.

Kernkraft400 writes "First there was Windows for Warships, now the same operating system used to power millions of home PCs is likely to be used for cash machines in the UK. I can't wait for the next Windows virus or worm to take down all the cash machines."

8 of 403 comments (clear)

  1. This story is missing something by Anonymous Coward · · Score: 5, Informative

    Like the actual story: ATMs in peril from computer worms? The Register seems to believe it's partly a scare tactic to sell antivirus software, though.

    1. Re:This story is missing something by AKAImBatman · · Score: 5, Informative

      Except that it has already happened. Can anyone guess who the ATM manufacturer was? (Here's a hint: They make lousy voting machines.)

      --
      Javascript + Nintendo DSi = DSiCade
    2. Re:This story is missing something by julesh · · Score: 5, Informative

      I would hope that the lesson here has been learned: a mission-critical service (which ATMs are, these days) should be firewalled from everything that it reasonably can be, and should not be running unnecessary services.

      The ATMs should be running a custom application to drive the user interface which just pipes its data over an encrypted byte-stream protocol (maybe SSH, maybe something else, I don't know) to a central authorisation server. It should be able to accept a 'status query' request from a machine located in the branch that periodically checks that the ATMs are running and still have cash. These are the only services that are required. Everything else should be disabled. Everything else should be firewalled.

      As long as banks follow these security precautions (and I've worked at a UK bank before now -- they're pretty hot on security, as a rule) they should not be susceptible to virus/worm infection, except by a custom-written worm that exploits security flaws in the custom ATM software... and at this point it doesn't matter what OS you're using.

  2. It's bound to happen by networkBoy · · Score: 4, Informative

    I've seen an ATM at Target (big retailoer in US) reboot after a "power interruption" and it was running NT3.51 :o
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    1. Re:It's bound to happen by networkBoy · · Score: 4, Informative

      " Actually, 3.51 had a reputation for being relatively bulletproof."

      Yes it did, and in fact I still used it personally for a very important server for quite a while. The point is that there are a ton of exploits available even from a user level. The best part about this ATM was the existance of a floppy drive and keyboard&mouse port behind a relatively flimsy lock and piece of sheetmetal on the service hatch (not the money side of the box). Though I never got a chance to sit down and have a chat with this machine, just think what someone could have done if they had long duration access (say working the night shift)?
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  3. Wells Fargo and Diebold 2 years ago. . . by TimmyDee · · Score: 5, Informative

    This did already happen, two years ago I believe, to Diebold ATMs. When it did, I called Wells Fargo (my bank) and asked them what brand of ATMs they use. I got the old, "Why would you want to know that?" question edged with a fair amount of suspicion. I explained that I didn't want an ATM that I used often to be compromised by a virus. I was forwarded to the manager. He ended up giving me a runaround about how Wells Fargo guarantees all transactions on their ATMs and any fraudulent use is refunded. No straight answer on whether they used Diebold ATMs with Windows.

    Of course, I went to a few of the ATMs I used and checked them out. All Diebolds. I'm not sure if they were running Windows, but I can assume so. Why would the bank give me such a hard time about who supplied their ATMs? Obviously it wasn't that difficult to just go and find out. It makes me a bit weary that they're trying to implement security through secrecy (let alone secrecy that's not that secret). Plus, being a customer I feel like I have the right to know how my money is handled and what possibilities there are for it being stolen.

    --
    Per Square Mile, a blog about density
  4. Because IBM's dropping support ... by nbvb · · Score: 5, Informative

    The reason you're seeing banks deploy new ATM's at a rapid clips this year is because IBM is dropping support for "vintage" OS/2 releases.

    Not for OS/2 Warp 4 (That's supported through 2006 at least), but for the earlier releases (3, 2.x, 1.x)...

    I believe that most ATM's were based on either OS/2 1.3 or 2.0.

    Why we're replacing them with something that is vulnerable to the virus-of-the-week, who knows?

    When was the last time you saw an OS/2 virus?

  5. Re:(Very) old news by DogDude · · Score: 4, Informative

    Not that this means too much (apart from the annoyance factor) though, I've never lost any money due to an ATM crash - I'm pretty sure the system is designed so that the central machine does all the secure stuff, with the ATM being not much more than a calculator keypad.

    Actually, this is why "real" databases like Oracle & DB2 are used. They have that nifty little "commit" and "rollback" functionality (part of ACID) that makes it incredibly unlikely that even in the event of a major event at the client, you're not going to be fubar'ed. That, and true fault tolerance (you can throw the power on a working Oracle database, and 9 times out of ten, it'll be just fine when it comes back).

    --
    I don't respond to AC's.