Slashdot Mirror
ATMs Susceptible to Windows Viruses
Kernkraft400 writes "First there was Windows for Warships, now the same operating system used to power millions of home PCs is likely to be used for cash machines in the UK. I can't wait for the next Windows virus or worm to take down all the cash machines."
Like the actual story: ATMs in peril from computer worms? The Register seems to believe it's partly a scare tactic to sell antivirus software, though.
I've seen an ATM at Target (big retailoer in US) reboot after a "power interruption" and it was running NT3.51 :o
-nB
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Windows has been used on (at least) Natwest ATM's for a loooong time - several years at least. I've been in several situations where an ATM is displaying a Blue Screen Of Death. Interestingly enough, they show a trend for solidarity in these matters, when one of set is down, they're all down... Presumably the weakness is in the network layer, or some component that is attached to it.
Not that this means too much (apart from the annoyance factor) though, I've never lost any money due to an ATM crash - I'm pretty sure the system is designed so that the central machine does all the secure stuff, with the ATM being not much more than a calculator keypad.
Simon
Physicists get Hadrons!
The Slammer worm caused significant outages in Bank of America's ATMs.
-- Samir Gupta, Ph. D. Head, New Technology Research Group, Nintendo Co. Ltd., Kyoto, Japan.
Now, ATMs running Windows could very well be susceptible to viruses, but something backing that up would be nice.
There is no sig, there is only Zuul.
The title of this story is extremely misleading. It's stating something like it's a fact, although it's not even close. It's actually more of a question. But this is Slashdot, so I shouldn't expect too much.
Citibank ATMs run NT. Lots of bank ATM machines do
Don't forget the cars too. Oh well, trial by fire. If it goes horribly wrong, it won't stay that way for long. Either it'll get hardened or another OS'll get the job.
dmiessler.com -- grep understanding knowledge
yep. and I can only imagine he would say the same thing if it was hospital software or something even more important than ATMs.
wanker.
I'm an open source fan, but there's really no good done in gloating at failure of another, especially when it negatively impacts (random innocent) people's lives.
Also, I do run win2k, and keep it properly updated and configured. I've _never_ been the victim of a worm or a virus.
The title of this post says that Windows for ATMs are "Susceptible to Windows Viruses" but as far as I can tell this is just speculation... Is there actually any proof out there that these machines would be any more (or less?) susceptible to viruses? I'm suprised this made it through, no substance and just a lot of name calling at MS.
Your mammas flamebait.
Oh, believe it. For example, the Wachovia machines at Penn Station in NYC are running some custom Win 3.1 implementation. I stood from a distance and watched the ATM repair man fix them once. He had to open them up, pull out some sort of mini keyboard (a la the same types you'll see to attach to a tablet PC) and boot that sucker into Win 3.1)
That being said, a lot of those Bank of America commercials you see now lauding all those great new features (scanning bills onto the screen, no envelopes to deposit) are all running a custom Windows XP Embedded built especially for ATMs.
If I can find a link, I'll reply to this thread again.
When Hollywood gets ahold of this idea, they'll have teenagers or terrorists or someone cracking into ATMs and watching the security camera or changing the picture on the currency or some ridiculous thing.
You are in error. No-one is screaming. Thank you for your cooperation.
http://news.bbc.co.uk/1/hi/technology/3962573.stm
Up until recently, a large bulk of North America's ATM's ran OS/2, but the service contracts and support from IBM started to run out. Alas, some banks chose to pick up Microsoft for their new ATMs.
What features will be included in windows for warships? My wish list includes: -Drag and drop cruise missles -Point, click, BOOM anti-aircraft guns
Now we can have Y2K hysteria... EVERYDAY!!!!!
YAY
...and it should be known by now
Maybe it's because I'm young and new, but why would people trust a system that has a record of failing? The blue screen of death is a big joke in the world. Why would airports, banks, the military, etc. trust Windows? I'm not trolling, this is an honest question. It's not the price. Is it because they think it is more robust, easier setup, compatibility? I was in Europe and saw the blue screen on an airport terminal and thought, wow, I hope the crucial systems on my plane or in the control tower are not running Windows!
Lets be clear here, its not viruses we worry about. Nobody is going to run Kazaa on their local ATM. Its all about possible remote exploits.
No OS is completely bug free and secure for ever. If the network the ATM's connect to is safe, the box should be safe. If they connect to the internet, I'm moving my money to another bank, no matter what OS they run!
Surur
Information is the location of things. Computation is moving things around.
Ah yes I remember fondly seeing my first ATM BSOD in the SEATAC Airport. Nothing says welcome to Redmond quite like the BSOD.
Today is a gift. Save the receipt.
The funny thing is, you had $19 in your account.
I seem to post this everytime this comes up, but once again. Diebold ATMs run Windows (95,NT and XP depending on how old they are). They have been known to crash to the desktop and often run unpatched. They have been hit by several worms over the years but banks keep on buying the dang things. Here of course is a link to a Diebold ATM running as a MP3 player after it had crashed to the XP desktop (touch screen, XP, built in speakers. Makes sense to me). I will never use a Diebold product, be it ATM or voting booth.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
This did already happen, two years ago I believe, to Diebold ATMs. When it did, I called Wells Fargo (my bank) and asked them what brand of ATMs they use. I got the old, "Why would you want to know that?" question edged with a fair amount of suspicion. I explained that I didn't want an ATM that I used often to be compromised by a virus. I was forwarded to the manager. He ended up giving me a runaround about how Wells Fargo guarantees all transactions on their ATMs and any fraudulent use is refunded. No straight answer on whether they used Diebold ATMs with Windows.
Of course, I went to a few of the ATMs I used and checked them out. All Diebolds. I'm not sure if they were running Windows, but I can assume so. Why would the bank give me such a hard time about who supplied their ATMs? Obviously it wasn't that difficult to just go and find out. It makes me a bit weary that they're trying to implement security through secrecy (let alone secrecy that's not that secret). Plus, being a customer I feel like I have the right to know how my money is handled and what possibilities there are for it being stolen.
Per Square Mile, a blog about density
spyware for atm's?
Now uses Windows for it's everyday transactions with customers. I have to say that makes me every bit as nervous as an ATM using windows. Every time a transaction is finished I hear the classic windows "donk" sound, and it just makes me twitch...
I'd prefer a much more specific, secure system. Linux would be "OK", but actually I'd prefer something that is much more secure than that, or maybe a linux/unix flavor that aims for security above all else (inlcluding ease of use).
We're talking about our money, after all.
.
If I had a real
Any bank that puts its ATMs on the internet has a moron in charge of IT.
The best way to secure these things is to make sure that the only physical connection from the ATM is to a well secured computer under controlled by the bank.
The cake is a pie
unless someone figures out a way to transfer one via their credit card o.O...
Maybe not credit card, but smart cards.... Actually, the credit card reader is just a data input device, right? Maybe it would be possible to do a buffer-overrun attack on an ATM, unless the card reader hardware specifically limits the possible output data.
- - Install Windows on ATM machines
- -
....
- - Profit
I think step two is to write a virus which moves a couple fractions of a cent into your account anytime someone makes a transaction, ala Office Space!I've discovered a remarkable proof, but this margin is too small to contain it...
I'm not arguing that they'd be better off installing gentoo or red hat on those machines, I'm just saying that it's the way it is.
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
The fact that they run Windows and are open to attack or whether or not someone has access to your money? For me it's the latter. How they implement access to my money doesn't really concern me unless my account is not protected. If someone uses their equipment to access my acount without my authorization, then they are responsible for making restitution. If I have problems accessing my account I can vote with my money and move it to another bank.
Me thinks that the average Slashdotter is a little to close to the problem in this case.
BTW, when was the last time anyone heard of someone successfully hacking an ATM to gain access to an account? Maybe it's happened but I haven't heard of it. If it has happened, I'm sure the bank and FBI has kept it pretty quiet. The bank would also be prone to make the accoount good very quickly.
The reason you're seeing banks deploy new ATM's at a rapid clips this year is because IBM is dropping support for "vintage" OS/2 releases.
Not for OS/2 Warp 4 (That's supported through 2006 at least), but for the earlier releases (3, 2.x, 1.x)...
I believe that most ATM's were based on either OS/2 1.3 or 2.0.
Why we're replacing them with something that is vulnerable to the virus-of-the-week, who knows?
When was the last time you saw an OS/2 virus?
Looks like its back to frame relay and ISDN for me.
Windows-based ATM crashes happen all the time.
Windows ATMs have been everywhere for awhile -- the days of OS/2 cash machines being the only story in town are long gone.
Nothing to see here, move along.
I've seen a number of different ATM's in all states of disrepair and it seems they have all been running some version of windows ranging from windows 3.x (even after the turn of the century) and some version of NT.
/realistic
At one point in time i was lucky enough to be in a store where someone had dialed in and you could watch them working within windows on the screen, the technician realized this at some point and clicked a button which changed the screen on the atm to a label indicating the system was being serviced and a clever graphic of a "fix-it" man.
Anyways, if you think about it, yes these machines have always run windows, and probably will continue to do so well into the future, the thing is though, no bank is actually going to put an ATM directly onto the internet. Most all ATM's are going to be acessed over dialup.
I'm very positive that these machines are probably more vulnerable to all kinds of things than most computers on the internet, however to actually have a worm penetrate one of these machines, the affected machine would have to have a modem, the worm would have to start wardialing all kinds of numbers looking for a carrier, once a carrier is picked up, (let's say it does find an ATM machine), it would have to brute force the password (and username if there is one) and then once connected initiate the attack...
but by the time it's done all that it will have already gained access to the atm machine.
Can someone explain to me why they didn't make the hardware for the ATMs from scratch? An ATM doesn't seem that complicated sort of a device. Could use any sort of micro-controller and write the software in assembly. Sure, getting it to communicate with the main bank-server-thingy might be harder, but I'm sure a bank could afford this.
OK, I guess maybe its just cheaper to use something that already exists (windows).
A more important, but related question: Why the hell do the diebold voting machines use windows?! Surely they could have been written from scratch using assembly, for a specialised microcontroller. I mean seriously, voting is pretty damn important! (Yes I realise it would be very hard, but when you're dealing with huge sums of money, and its organised by the government speficially for the most important part of democracy, I'm sure its doable)...Hrmm.
printf("Goodbye cruel world!\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b");
When I was in Europe this summer, I crashed several ATMs (usually of the same branch) just by inserting my card, and guess what they all run some version of windows, it looked like 95/98/2000.
Aparently they dont like the way my card is encoded.
It was very annoying trying to find a bank where I could withdraw money from. At one point we we're joking around to see how many ATMs we could crash in one day.
In order to (1) catch up with a competitor or perhaps (2) get an "easier" development environment [easier being defined as one where the programmers are commodity and the system doesn't require buidling graphical components from scratch], 'easy' choices are made.
In the end, the bank isn't doing the development, but purchasing a final product... there are tons of variables to an ATM beyond the underlying OS; and honestly, not all that many large vendors to choose from (and a large bank will almost never choose a small vendor, over concerns for longevity and support). Microsoft has made a major push for Windows in many places and makes it as easy as possible for people in different markets to use their OS. It is really the responsibility of the purchasing organization (in the case of an ATM, the bank or credit union) to choose a good solution. But it's a painful balancing act.
By the way, if you really want to be disturbed by how liability for bad software isn't an issue, think about this: the US Federal Aviation Administration requires that every component put into an aircraft must not fail during the life of the aircraft. The next sentence then exempts software from this limitation.
Well, it was briefly mentioned in the prior /. article that Brazil is home to the world's first deployed OSS ATM software.
Maybe it is worth looking into for others.
Learning HOW to think is more important than learning WHAT to think.
An ATM need not be much fancier than a gas pump.
It needs:
A card reader.
A cash dispenser.
A video display.
A keyboard input.
A communications channel to HQ.
A printer.
Most run "semi-locally" rather than as completely-dumb terminals.
Most have an "administrator mode" and keep additional local state. For example, they know how much of what kinds of bills they have left.
Most have security cameras, but these need not be "logically" part of the ATM, they can be standalone devices.
Banks have used full-featured ATMs for years. In the early-mid 1990s, OS/2 was the major player. These days it's MS-Windows. 10 years from now, it will probably be something else.
The key security issues with ATMs are:
1) physical security and local encryption of sensitive data in case physical security is compromised, e.g. someone steals the whole ATM.
2) network security - all communications are encrypted
3) isolated network - no direct access to or from the Internet
4) audit trail, e.g. local encrypted recording of all transactions, preferably to write-once media.
I'm sure I left out some things. Please feel free to add.
So, anyone know of any in-use Linux-based ATMs? Even better, anyone know of any totally-Free-and-open-source-software ATMs?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
How would a virus get in these systems in the first place?
In a well-designed network, the only applications the terminals would run would've been "pre-certified" by the banks as infection-free. Users wouldn't be reading email, visiting untrusted web sites, or otherwise able to load hostile software.
If a bank machine gets a virus, that points to a human error or error in the bank's way of doing business. The fact that it's running on Windows vs. any other particular operating system is just makes the bank's error more costly.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I don't have the relevant article, but Bank of America had a large portion of its ATM network infected earlier this year when a Diebold tech hooked his infected laptop up to one of their machines. :D
I perform certification testing for a large transaction processor, so I have seen most of the ATMs that are in use in the US today. The first Windows based ATM that we saw arrived in 2000, and ran Win98. You had to reboot it every 3 days or it would lock up. Had cool videos running on it, though
Since then, about half the ATMs we have coming through the lab are running some version of Windows, mainly XP Embedded. The other half run proprietary software. Among the legacy ATMs, you'll find OS2 (Diebold and NCR), NT4, Win98, Win2K. There are rumors of Linux based ATMs, but they haven't made it to the market yet.
Now, for one of those things you think of, but never would do: someone needs to write a virus that will specifically target some of these Win-based ATMs. It spreads as a normal virus, but once it recognizes that it's on an ATM, it delays for ~24 hours, then kicks the cash dispenser into high gear, until the machine is empty...
--- This
I worked in a brazilian bank (the bigest) for years, in the development of the ATM software, and i think i can say some facts.
Yes, the ATMs run Windows software without the varrios patches (Most NT4.0 Sp6, but those are being upgraded to 2k), but some machines (30%) also run OS2 (NCR machines) but those are being upgraded to 2Kd too. The older machines (not few) still runs DOS6.22
About the virus/BSOD, i know they are anoyng, but dont represent great security risks. See, the ATM network are proprietary, closed, constantly monitored and dont have access to internet.
IF, the ATM get some virus, the virus cant do much, no virus has WOSA/XFS (CERN-MS ATM API) commands implemented to do something usefull (Money withdraw?).
There are some banks that are migrating to linux, but the lack of standard API (WOSA/FXS-like) are a trouble. And the banks like to have someone to blame in some serious problem (MSFT!)
Sorry for the poor engrish.
My 0.02c
" I can't wait for the next Windows virus or worm to take down all the cash machines."
What an irresponsible thing to say.
MS Blaster (I think) did actually take down all of the Bank of America ATM's in Seattle, WA a while back.
Exactly. Will someone please explain to me how it's irresponsible to say you expect someone to get robbed, when that person is using a product that is so insecure that their likelihood of getting robbed is very high?
Suppose there's a car with a numeric keypad on the door to unlock it (like the late 80's/early 90's Fords). Now suppose that it's common knowledge that the factory put in a backdoor code, 1357, which will unlock any such car. Despite this becoming common knowledge, and being stated all over the national news, the manufacturer refuses to remove the backdoor, saying it's so they can help the customers. Now I'm standing in my driveway talking to some friends, and my neighbor Joe pulls into his driveway, with his brand new car which has this keypad. So I say to my friends, "I can't wait until his car gets stolen. What an idiot."
Was that an irresponsible thing to say? I don't think so. Joe was stupid to buy such a car when it's common knowledge how easy it is to break into. Maybe if more people exercised peer pressure, and spoke their minds about others' stupid buying habits, people wouldn't continue to support companies that make bad or dangerous products.
If some bank gets ripped off because of their insecure ATMs, that's the bank's fault for choosing a poor piece of equipment, and they deserve to pay the price for that decision. And hopefully lots of customers will move their accounts to banks which use better ATMs.
I thought those $20's with Bill Gates face on it seemed rather odd.
No Nyarlathotep, No Chaos
Know Nyarlathotep, Know Chaos
A couple years ago, the hospital where I work replaced its medication dispensing machines (where the nurses get the medications for their patients) with new ones. The new machines run on Win2k -- not a stripped down, embedded version, but the full she-bang. About a week after the new machines were installed, they became infected with the latest exploit-de-jour (don't remember exactly which anymore) and became unusable. It was not pretty. Granted, this probably could have been avoided if things like IIS, Active-X, and such like had been disabled on the machines, but still it points to the danger in implementing a one-size-fits-all solution like Windows on a dedicated-purpose machine like these medication machines -- or ATMs for that matter.
"Yamaha: Smart.
Banking Industry: Stupid."
Let's think about that for a second....which group is holding all of your money again? So which group is smart now?
SIGFAULT
AFAIK 2 large banks at the least, Wells Fargo, and Bank of America have a number of NT based ATM's totalling more than 540 and 2,500 relatively yet with all these I've never heard of one getting a virus.. Although the likelyhood of a big bank alerting people to the fact their ATM's are insecure may not be the best idea.. http://www.atmmarketplace.com/research_story.htm?a rticle_id=13527&pavilion=18
.02
The numbers are near the bottom of the article which is mostly focused on the move to personalize advertising to the user and how NT based systems have helped make this transition easier to implement.
The difference between your average PC on the net, and these ATM's however is how secure their network and physical environments are. Most ATM's I've seen are made by diebold and fujitsu but there are many many more, and last I checked (I'm sure you'll correct me if I'm wrong) they all used proprietary hardware crypto and private frame-relay links, or private ATM networks not connected to the internet thus limiting their availability to those who have, or could procure access to these networks.
In addition the likelyhood of commonly exploited services running on an NT box for an ATM is relatively low.. I can't imagine, or maybe just don't want to think the engineers for hundred-billion dollar a year banks are dumb enough not lock down an NT box.. Not to mention having no access to keyboard or terminal access other than a number pad the options get more and more limited. These companies have spent billions to make these boxes the most secure on the planet and they've gotten good at it.. While the software may lag behind, it's not *that* far behind..
I think the likelyhood of NT taking a sh*t, BSOD'ing, and stealing your ATM card is probably the worst an NT based ATM could deliver in terms of negative user impact.
- my
Wisest is he who knows he does not know.
I call poetic justice on that. You build your system on a platform you know or should know is insecure, people get to gloat when that decision comes back to bite you.
Mind you, apparently there are already plenty of Bank Terminals that use Windows out there, so it's not particularly interesting news.
Fanatically anti-fanatical
Previously, OS/2 was the OS of choice for ATM machines, mostly because most ATMs were attached to an IBM controller and communicated with an IBM mainframe via SNA (DLSW over IP mostly).
OS/2 is a little hard to buy these days, and the back-end connections are migrating away from SNA to TCP/IP as it's a hell of a lot easier to maintain a pure IP network. Any ATM purchased within the last several years uses Windows NT, 2000, or XP as their operating system.
In other words, you've been getting cash from a Windows box for years already. The sky isn't falling.
Eagles may soar, but weasels don't get sucked into jet engines.
... http://cubalan.net.nz/kiwibank/
Confidence inspiring++
just cuz you can't figure out how to don't mean it can't be done
I'm not debating the ability of large corporations to be successful licensing Linux and related software, but I don't fully understand why the romantic aspects of becoming a skilled developer for Linux seem to outweigh the financial benefits of being a skilled developer for Windows, within this community at least.
Yes, these companies are successful, but it is much more difficult for a small business, or individual to draw success in the same way.
If an ATM is susceptible to worms, it's susceptible to direct hacking too. I don't know about the Slashdot editors, but I'm more worried about someone stealing my money than I am about them crashing my bank's ATMs.
The shareholder is always right.