Slashdot Mirror
ATMs Susceptible to Windows Viruses
Kernkraft400 writes "First there was Windows for Warships, now the same operating system used to power millions of home PCs is likely to be used for cash machines in the UK. I can't wait for the next Windows virus or worm to take down all the cash machines."
Like the actual story: ATMs in peril from computer worms? The Register seems to believe it's partly a scare tactic to sell antivirus software, though.
I've seen an ATM at Target (big retailoer in US) reboot after a "power interruption" and it was running NT3.51 :o
-nB
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Windows has been used on (at least) Natwest ATM's for a loooong time - several years at least. I've been in several situations where an ATM is displaying a Blue Screen Of Death. Interestingly enough, they show a trend for solidarity in these matters, when one of set is down, they're all down... Presumably the weakness is in the network layer, or some component that is attached to it.
Not that this means too much (apart from the annoyance factor) though, I've never lost any money due to an ATM crash - I'm pretty sure the system is designed so that the central machine does all the secure stuff, with the ATM being not much more than a calculator keypad.
Simon
Physicists get Hadrons!
The Slammer worm caused significant outages in Bank of America's ATMs.
-- Samir Gupta, Ph. D. Head, New Technology Research Group, Nintendo Co. Ltd., Kyoto, Japan.
Now, ATMs running Windows could very well be susceptible to viruses, but something backing that up would be nice.
There is no sig, there is only Zuul.
The title of this story is extremely misleading. It's stating something like it's a fact, although it's not even close. It's actually more of a question. But this is Slashdot, so I shouldn't expect too much.
The title of this post says that Windows for ATMs are "Susceptible to Windows Viruses" but as far as I can tell this is just speculation... Is there actually any proof out there that these machines would be any more (or less?) susceptible to viruses? I'm suprised this made it through, no substance and just a lot of name calling at MS.
Your mammas flamebait.
Lets be clear here, its not viruses we worry about. Nobody is going to run Kazaa on their local ATM. Its all about possible remote exploits.
No OS is completely bug free and secure for ever. If the network the ATM's connect to is safe, the box should be safe. If they connect to the internet, I'm moving my money to another bank, no matter what OS they run!
Surur
Information is the location of things. Computation is moving things around.
Ah yes I remember fondly seeing my first ATM BSOD in the SEATAC Airport. Nothing says welcome to Redmond quite like the BSOD.
Today is a gift. Save the receipt.
I seem to post this everytime this comes up, but once again. Diebold ATMs run Windows (95,NT and XP depending on how old they are). They have been known to crash to the desktop and often run unpatched. They have been hit by several worms over the years but banks keep on buying the dang things. Here of course is a link to a Diebold ATM running as a MP3 player after it had crashed to the XP desktop (touch screen, XP, built in speakers. Makes sense to me). I will never use a Diebold product, be it ATM or voting booth.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
This did already happen, two years ago I believe, to Diebold ATMs. When it did, I called Wells Fargo (my bank) and asked them what brand of ATMs they use. I got the old, "Why would you want to know that?" question edged with a fair amount of suspicion. I explained that I didn't want an ATM that I used often to be compromised by a virus. I was forwarded to the manager. He ended up giving me a runaround about how Wells Fargo guarantees all transactions on their ATMs and any fraudulent use is refunded. No straight answer on whether they used Diebold ATMs with Windows.
Of course, I went to a few of the ATMs I used and checked them out. All Diebolds. I'm not sure if they were running Windows, but I can assume so. Why would the bank give me such a hard time about who supplied their ATMs? Obviously it wasn't that difficult to just go and find out. It makes me a bit weary that they're trying to implement security through secrecy (let alone secrecy that's not that secret). Plus, being a customer I feel like I have the right to know how my money is handled and what possibilities there are for it being stolen.
Per Square Mile, a blog about density
The reason you're seeing banks deploy new ATM's at a rapid clips this year is because IBM is dropping support for "vintage" OS/2 releases.
Not for OS/2 Warp 4 (That's supported through 2006 at least), but for the earlier releases (3, 2.x, 1.x)...
I believe that most ATM's were based on either OS/2 1.3 or 2.0.
Why we're replacing them with something that is vulnerable to the virus-of-the-week, who knows?
When was the last time you saw an OS/2 virus?
When I was in Europe this summer, I crashed several ATMs (usually of the same branch) just by inserting my card, and guess what they all run some version of windows, it looked like 95/98/2000.
Aparently they dont like the way my card is encoded.
It was very annoying trying to find a bank where I could withdraw money from. At one point we we're joking around to see how many ATMs we could crash in one day.
In order to (1) catch up with a competitor or perhaps (2) get an "easier" development environment [easier being defined as one where the programmers are commodity and the system doesn't require buidling graphical components from scratch], 'easy' choices are made.
In the end, the bank isn't doing the development, but purchasing a final product... there are tons of variables to an ATM beyond the underlying OS; and honestly, not all that many large vendors to choose from (and a large bank will almost never choose a small vendor, over concerns for longevity and support). Microsoft has made a major push for Windows in many places and makes it as easy as possible for people in different markets to use their OS. It is really the responsibility of the purchasing organization (in the case of an ATM, the bank or credit union) to choose a good solution. But it's a painful balancing act.
By the way, if you really want to be disturbed by how liability for bad software isn't an issue, think about this: the US Federal Aviation Administration requires that every component put into an aircraft must not fail during the life of the aircraft. The next sentence then exempts software from this limitation.
An ATM need not be much fancier than a gas pump.
It needs:
A card reader.
A cash dispenser.
A video display.
A keyboard input.
A communications channel to HQ.
A printer.
Most run "semi-locally" rather than as completely-dumb terminals.
Most have an "administrator mode" and keep additional local state. For example, they know how much of what kinds of bills they have left.
Most have security cameras, but these need not be "logically" part of the ATM, they can be standalone devices.
Banks have used full-featured ATMs for years. In the early-mid 1990s, OS/2 was the major player. These days it's MS-Windows. 10 years from now, it will probably be something else.
The key security issues with ATMs are:
1) physical security and local encryption of sensitive data in case physical security is compromised, e.g. someone steals the whole ATM.
2) network security - all communications are encrypted
3) isolated network - no direct access to or from the Internet
4) audit trail, e.g. local encrypted recording of all transactions, preferably to write-once media.
I'm sure I left out some things. Please feel free to add.
So, anyone know of any in-use Linux-based ATMs? Even better, anyone know of any totally-Free-and-open-source-software ATMs?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Exactly. Will someone please explain to me how it's irresponsible to say you expect someone to get robbed, when that person is using a product that is so insecure that their likelihood of getting robbed is very high?
Suppose there's a car with a numeric keypad on the door to unlock it (like the late 80's/early 90's Fords). Now suppose that it's common knowledge that the factory put in a backdoor code, 1357, which will unlock any such car. Despite this becoming common knowledge, and being stated all over the national news, the manufacturer refuses to remove the backdoor, saying it's so they can help the customers. Now I'm standing in my driveway talking to some friends, and my neighbor Joe pulls into his driveway, with his brand new car which has this keypad. So I say to my friends, "I can't wait until his car gets stolen. What an idiot."
Was that an irresponsible thing to say? I don't think so. Joe was stupid to buy such a car when it's common knowledge how easy it is to break into. Maybe if more people exercised peer pressure, and spoke their minds about others' stupid buying habits, people wouldn't continue to support companies that make bad or dangerous products.
If some bank gets ripped off because of their insecure ATMs, that's the bank's fault for choosing a poor piece of equipment, and they deserve to pay the price for that decision. And hopefully lots of customers will move their accounts to banks which use better ATMs.