ATMs Susceptible to Windows Viruses
Kernkraft400 writes "First there was Windows for Warships, now the same operating system used to power millions of home PCs is likely to be used for cash machines in the UK. I can't wait for the next Windows virus or worm to take down all the cash machines."
Halifax Bank ATM, Colchester, UK
I walk up to the machine to get some cash out, only to be confronted by a Windows 9x dialogue box. The cash machine was on a desktop screen, with a dialogue up on the screen.
It's a joke, seriously.
I seem to post this every time this comes up, but once again. Diebold ATMs run Windows (95, NT and XP depending on how old they are). They have been known to crash to the desktop and often run unpatched. They have been hit by several worms over the years but banks keep on buying the dang things. Here of course is a link to a Diebold ATM running as an MP3 player after it had crashed to the XP desktop (touch screen, XP, built-in speakers. Makes sense to me). I will never use a Diebold product, be it ATM or voting booth.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Spyware for ATMs?
Now uses Windows for its everyday transactions with customers. I have to say that makes me every bit as nervous as an ATM using Windows. Every time a transaction is finished I hear the classic Windows "donk" sound, and it just makes me twitch...
I'd prefer a much more specific, secure system. Linux would be "OK", but actually I'd prefer something that is much more secure than that, or maybe a Linux/Unix flavor that aims for security above all else (including ease of use).
We're talking about our money, after all.
If I had a real
unless someone figures out a way to transfer one via their credit card o.O...
Maybe not credit card, but smart cards.... Actually, the credit card reader is just a data input device, right? Maybe it would be possible to do a buffer-overrun attack on an ATM, unless the card reader hardware specifically limits the possible output data.
The fact that they run Windows and are open to attack or whether or not someone has access to your money? For me it's the latter. How they implement access to my money doesn't really concern me unless my account is not protected. If someone uses their equipment to access my account without my authorization, then they are responsible for making restitution. If I have problems accessing my account I can vote with my money and move it to another bank.
Methinks that the average Slashdotter is a little too close to the problem in this case.
BTW, when was the last time anyone heard of someone successfully hacking an ATM to gain access to an account? Maybe it's happened but I haven't heard of it. If it has happened, I'm sure the bank and FBI have kept it pretty quiet. The bank would also be prone to make the account good very quickly.
I can't figure out why these companies insist on using an insecure, unstable OS that requires license fees and a draconian EULA.
At least Yamaha gets it. We just got in the newest Disklavier Player Piano, and it runs Linux! So does the remote control, which is a Sharp Zaurus with a clamshell keyboard. Very cool setup, and of course very stable.
Yamaha: Smart.
Banking Industry: Stupid.
I've seen a number of different ATMs in all states of disrepair and it seems they have all been running some version of Windows, ranging from Windows 3.x (even after the turn of the century) to some version of NT.
/realistic
At one point in time I was lucky enough to be in a store where someone had dialed in and you could watch them working within Windows on the screen. The technician realized this at some point and clicked a button which changed the screen on the ATM to a label indicating the system was being serviced and a clever graphic of a "fix-it" man.
Anyways, if you think about it, yes, these machines have always run Windows, and probably will continue to do so well into the future. The thing is, though, no bank is actually going to put an ATM directly onto the internet. Most all ATMs are going to be accessed over dialup.
I'm very positive that these machines are probably more vulnerable to all kinds of things than most computers on the internet; however, to actually have a worm penetrate one of these machines, the affected machine would have to have a modem, the worm would have to start wardialing all kinds of numbers looking for a carrier, once a carrier is picked up (let's say it does find an ATM machine), it would have to brute force the password (and username if there is one) and then once connected initiate the attack...
But by the time it's done all that, it will have already gained access to the ATM machine.
I work for a mid-sized financial institution. Right now, our ATMs run OS/2, and the ATM server runs on AIX Unix. However, they are phasing out the AIX server for one that runs Win2k, and we have new ATMs on order that will run some flavor of Windows. I am trying to show management the error of their ways, but to little avail.
When I was in Europe this summer, I crashed several ATMs (usually of the same branch) just by inserting my card, and guess what: they all run some version of Windows; it looked like 95/98/2000.
Apparently they don't like the way my card is encoded.
It was very annoying trying to find a bank where I could withdraw money from. At one point we were joking around to see how many ATMs we could crash in one day.
Thanks for your opinion.
Now, explain how it's irresponsible? It's not irresponsible to run ATMs on versions of an OS chock full of holes?
Take the morality squad elsewhere.
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
How would a virus get in these systems in the first place?
In a well-designed network, the only applications the terminals would run would've been "pre-certified" by the banks as infection-free. Users wouldn't be reading email, visiting untrusted web sites, or otherwise able to load hostile software.
If a bank machine gets a virus, that points to a human error or error in the bank's way of doing business. The fact that it's running on Windows vs. any other particular operating system just makes the bank's error more costly.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I don't have the relevant article, but Bank of America had a large portion of its ATM network infected earlier this year when a Diebold tech hooked his infected laptop up to one of their machines. :D
I perform certification testing for a large transaction processor, so I have seen most of the ATMs that are in use in the US today. The first Windows based ATM that we saw arrived in 2000, and ran Win98. You had to reboot it every 3 days or it would lock up. Had cool videos running on it, though.
Since then, about half the ATMs we have coming through the lab are running some version of Windows, mainly XP Embedded. The other half run proprietary software. Among the legacy ATMs, you'll find OS2 (Diebold and NCR), NT4, Win98, Win2K. There are rumors of Linux based ATMs, but they haven't made it to the market yet.
Now, for one of those things you think of, but never would do: someone needs to write a virus that will specifically target some of these Win-based ATMs. It spreads as a normal virus, but once it recognizes that it's on an ATM, it delays for ~24 hours, then kicks the cash dispenser into high gear, until the machine is empty...
--- This
someone wrote a virus specifically targeted to cash machines to cause one of the following effects :)
1) Steal card & PIN numbers and send them to someone
2) That just made the cash machine dispense all its money randomly
I work for a company that manufactures and handles processing for ATMs (NO, it's not Diebold.)
If someone calls asking me how many workstations we have and what OS they are running, I refuse to answer. If they ask about our internet connection, mail server, firewall, well, it doesn't matter; I do not answer questions about my network, especially over the telephone.
As mentioned by someone above, providing information that could help an attacker is not a good security policy to have, and no, we do not use Windows as the OS on our ATMs, nor do we plan to.
Exactly. Will someone please explain to me how it's irresponsible to say you expect someone to get robbed, when that person is using a product that is so insecure that their likelihood of getting robbed is very high?
Suppose there's a car with a numeric keypad on the door to unlock it (like the late 80's/early 90's Fords). Now suppose that it's common knowledge that the factory put in a backdoor code, 1357, which will unlock any such car. Despite this becoming common knowledge, and being stated all over the national news, the manufacturer refuses to remove the backdoor, saying it's so they can help the customers. Now I'm standing in my driveway talking to some friends, and my neighbor Joe pulls into his driveway, with his brand new car which has this keypad. So I say to my friends, "I can't wait until his car gets stolen. What an idiot."
Was that an irresponsible thing to say? I don't think so. Joe was stupid to buy such a car when it's common knowledge how easy it is to break into. Maybe if more people exercised peer pressure, and spoke their minds about others' stupid buying habits, people wouldn't continue to support companies that make bad or dangerous products.
If some bank gets ripped off because of their insecure ATMs, that's the bank's fault for choosing a poor piece of equipment, and they deserve to pay the price for that decision. And hopefully lots of customers will move their accounts to banks which use better ATMs.
There is a Diebold ATM at the hospital where I work. I was quite surprised to find myself at the Internet Explorer error page (i - the page cannot be displayed...) in the course of navigating through the menus.
I was not reassured.
In particular, the network has other MS systems on it.
Then the network needs to be changed. What are those systems doing on the same network as the ATMs?
If somebody brings in a MS laptop and plugs in to the network, it can then transfer.
And then you fire them for gross incompetence.
It really is that simple. At work, we have access to a secure government hosting network. There are two (2) machines in the building that can access it. They are locked in a room with swipe card and PIN access, and they are not connected to the LAN. You need to transfer files onto the secure network, you burn them to CD. (You also need security clearance to even enter the room, but that's another story.) Even these machines have access only by remote desktopping to a gateway machine, and then from there to the machine you need to access (or ssh in the case of Linux boxes, of course).
I imagine that anyone who managed to get any data of any kind on any of those machines that wasn't supposed to be there would at the very least never set foot in that room again, and would quite possibly be fired.
This isn't even particularly sensitive data, or a particularly sensitive network - it hosts extranet web apps for government/local government employees. If your bank is any less thorough with its financial networks, it's time to change banks. There really is no excuse for it.
It's official. Most of you are morons.
Actually, I had a recent experience where I think somebody did something like that. I used a Bank Of America ATM at a gas station - it was one of those free-standing boxes that they just put anywhere on the store, as long as it is close to power and a DSL jack. Anyway, I withdrew $20 and left. The next day, I noticed that my account had been drained of funds. I called the bank, and they said that I had withdrawn all the money at that ATM. I had them pull the transactions, and apparently, somebody immediately after me had done multiple pulls on my account until they got everything. (Only like $120, as it turns out, since I just use that account for petty cash). Anyway, the machine is one of the swiper kinds - it does not keep the card until you are finished, you just swipe it. Since I used a "Fast Cash" option, it should only allow that one transaction, then "log out" my account. If another transaction is attempted, it requires another swipe of my card. Obviously, it did not - either someone hacked the ATM - certainly possible if behind the crappy little cabinet with its crappy little lock the ATM monitor rests on there is a box with a mouse and a keyboard - or there was some kind of software error. I was suspicious of the former since there was a guy hanging around the area of the ATM. BofA refunded my loss and is investigating.
If an ATM is susceptible to worms, it's susceptible to direct hacking too. I don't know about the Slashdot editors, but I'm more worried about someone stealing my money than I am about them crashing my bank's ATMs.
The shareholder is always right.